CN105812337A - Radius and Diameter combined authentication and authorization method and device - Google Patents


Info

Publication number: CN105812337A
Authority: CN (China)
Prior art keywords: diameter, radius, authorization, message, server
Legal status: Pending
Application number: CN201410854064.8A
Other languages: Chinese (zh)
Inventors: 景阳, 张娜, 靳康
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Related PCT application: PCT/CN2015/084728 (published as WO2016107148A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols


Abstract

The invention provides a method and device for combined Radius and Diameter authentication and authorization. The method comprises: obtaining a user authentication message and determining, from the user information in that message, the authentication type and authorization type to apply when the user accesses the network, where the authentication type is one of radius authentication, diameter authentication and radius-diameter authentication pre-configured under an authentication template, and the authorization type is one of radius authorization, diameter authorization and radius-diameter authorization pre-configured under an authorization template; and authenticating and authorizing the access user that sent the user authentication message according to the determined authentication type and authorization type respectively. Because the access user is authenticated and authorized by a Radius server and a Diameter server working in combination, user information already recorded on the radius server need not be re-entered into the diameter server, while new services can still be added for the user on the diameter server.

Description

Method and device for combined Radius and Diameter authentication and authorization
Technical field
The present invention relates to the field of BRAS (Broadband Remote Access Server) equipment, and in particular to a method and device for combined Radius and Diameter authentication and authorization.
Background technology
Diameter is the upgraded version of the Radius protocol (Remote Authentication Dial In User Service, a protocol of client/server structure) and has been designated the next-generation AAA protocol standard by the AAA (authentication, authorization, accounting) working group of the IETF (Internet Engineering Task Force). Diameter supports the interworking protocol between mobile networks and the authentication, authorization and accounting functions requested by the network access server (NAS) and mobile agents. Its implementation is similar to that of the Radius protocol, and its primary attributes all inherit the attribute numbers of Radius, yet it overcomes many defects of the Radius protocol and is the AAA protocol better suited to future mobile communication systems. Domestically, Diameter is little used on NAS devices: on the one hand the Diameter policy platform is complex to configure, and on the other hand operators are currently used to managing user information on Radius servers, and replacing the AAA server in one step would mean re-entering a large amount of user information and its mapping relationships at great cost in effort and time. Diameter servers have therefore not yet been deployed on a large scale.
Summary of the invention
The object of the present invention is to provide a method and device for combined Radius and Diameter authentication and authorization, in which the access user that sends a user authentication message is authenticated and authorized by a Radius server and a Diameter server working in combination, so that user information originally recorded on the radius server need not be re-entered into the diameter server, while new services can still be added for the user on the diameter server.
To achieve the above object, the method of the present invention for combined Radius and Diameter authentication and authorization includes:
obtaining a user authentication message and determining, from the user information in the user authentication message, the authentication type and authorization type to apply when the user accesses, where the authentication type is one of radius authentication, diameter authentication and radius-diameter authentication, and the authorization type is one of radius authorization, diameter authorization and radius-diameter authorization; radius authentication, diameter authentication and radius-diameter authentication are pre-configured under an authentication template, and radius authorization, diameter authorization and radius-diameter authorization are pre-configured under an authorization template;
authenticating and authorizing the access user that sent the user authentication message according to the authentication type and the authorization type respectively.
In the above, the step of obtaining the user authentication message and determining the authentication type from its user information includes:
reading the authentication type directly from the authentication template of the domain name;
and the step of obtaining the user authentication message and determining the authorization type from its user information includes:
obtaining the authentication-success message and the authorization message from the radius server or diameter server;
reading the authorization type under the authorization template.
When the authentication type is radius authentication, the step of authenticating the access user that sent the user authentication message according to the authentication type includes:
reading the radius authentication group number from the authentication template;
sending the authentication information in the user authentication message together with the radius authentication group number to the radius component, so that the radius component reads the radius server information from the configuration of that radius authentication group number;
sending the authentication information to the radius server according to the radius server information read, so that the radius server performs the authentication.
When the authentication type is radius authentication and the authorization type is radius authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the radius authorization message fed back by the radius server;
reading the radius authorization type from the authorization template;
storing the radius authorization message fed back by the radius server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing radius authorization.
When the authentication type is radius authentication and the authorization type is diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the radius authorization message fed back by the radius server;
reading the diameter authorization type from the authorization template;
sending to the diameter server a request message of the authorize-only (not authentication) type;
receiving the diameter authorization message fed back by the diameter server;
storing the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing diameter authorization.
When the authentication type is radius authentication and the authorization type is radius-diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the radius authorization message fed back by the radius server;
reading the radius-diameter authorization type from the authorization template;
storing the radius authorization message fed back by the radius server in the temporary user data area;
sending to the diameter server a request message of the authorize-only (not authentication) type;
receiving the diameter authorization message fed back by the diameter server;
storing the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area;
sending the radius authorization message, the diameter authorization message and the NAS-device authorization information held in the temporary user data area to the user, completing radius-diameter authorization.
When the authentication type is diameter authentication, the step of authenticating the access user that sent the user authentication message according to the authentication type includes:
reading the diameter authentication group number from the authentication template;
sending the authentication information in the user authentication message together with the diameter authentication group number to the diameter component, so that the diameter component reads the diameter server information from the configuration of that diameter authentication group number;
sending the authentication information to the diameter server according to the diameter server information read, so that the diameter server performs the authentication.
When the authentication type is diameter authentication and the authorization type is radius authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the diameter authorization message fed back by the diameter server;
reading the radius authorization type from the authorization template;
storing the authorization information on the NAS device in the temporary user data area and sending it to the user, completing radius authorization.
When the authentication type is diameter authentication and the authorization type is diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the diameter authorization message fed back by the diameter server;
reading the diameter authorization type from the authorization template;
storing the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing diameter authorization.
When the authentication type is diameter authentication and the authorization type is radius-diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the diameter authorization message fed back by the diameter server;
reading the radius-diameter authorization type from the authorization template;
storing the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing radius-diameter authorization.
When the authentication type is radius-diameter authentication, the step of authenticating the access user that sent the user authentication message according to the authentication type includes:
reading the radius authentication group number from the authentication template;
sending the authentication information in the user authentication message together with the radius authentication group number to the radius component, so that the radius component reads the radius server information from the configuration of that radius authentication group number;
sending the authentication information to the radius server according to the radius server information read, so that the radius server performs the authentication;
reading the diameter authentication group number from the authentication template;
sending the authentication information in the user authentication message together with the diameter authentication group number to the diameter component, so that the diameter component reads the diameter server information from the configuration of that diameter authentication group number;
sending the authentication information to the diameter server according to the diameter server information read, so that the diameter server performs the authentication.
When the authentication type is radius-diameter authentication and the authorization type is radius authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the radius authorization message fed back by the radius server;
reading the radius authorization type from the authorization template;
storing the radius authorization message fed back by the radius server in the temporary user data area;
receiving the authentication result and the diameter authorization message fed back by the diameter server;
reading the radius authorization type from the authorization template;
storing the authorization information on the NAS device in the temporary user data area, and sending the radius authorization message in the temporary user data area and the authorization information on the NAS device to the user, completing radius authorization.
When the authentication type is radius-diameter authentication and the authorization type is diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the radius authorization message fed back by the radius server;
reading the diameter authorization type from the authorization template;
receiving the authentication result and the diameter authorization message fed back by the diameter server;
reading the diameter authorization type from the authorization template;
storing the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing diameter authorization.
When the authentication type is radius-diameter authentication and the authorization type is radius-diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the radius authorization message fed back by the radius server;
reading the radius-diameter authorization type from the authorization template;
storing the radius authorization message fed back by the radius server in the temporary user data area;
receiving the authentication result and the diameter authorization message fed back by the diameter server;
reading the radius-diameter authorization type from the authorization template;
storing the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area;
sending the radius authorization message, the diameter authorization message and the NAS-device authorization information held in the temporary user data area to the user, completing radius-diameter authorization.
After the access user that sent the user authentication message has been authenticated and authorized, the method further includes:
sending an accounting request message to the radius server or diameter server;
receiving the accounting response message returned by the radius server or diameter server.
The embodiment of the present invention also provides a device for combined Radius and Diameter authentication and authorization, the device including:
a first processing module for obtaining a user authentication message and determining, from the user information in the user authentication message, the authentication type and authorization type to apply when the user accesses, where the authentication type is one of radius authentication, diameter authentication and radius-diameter authentication, and the authorization type is one of radius authorization, diameter authorization and radius-diameter authorization; radius authentication, diameter authentication and radius-diameter authentication are pre-configured under an authentication template, and radius authorization, diameter authorization and radius-diameter authorization are pre-configured under an authorization template;
a second processing module for authenticating and authorizing the access user that sent the user authentication message according to the authentication type and the authorization type respectively.
The device further includes:
an accounting sending module for sending an accounting request message to the radius server or diameter server;
an accounting receiving module for receiving the accounting response message returned by the radius server or diameter server.
Beneficial effects of the present invention: a user authentication message is obtained, the authentication type and authorization type to apply when the user accesses are determined from the user information in the user authentication message, and the access user that sent the user authentication message is authenticated and authorized according to the authentication type and authorization type respectively. The present invention authenticates and authorizes the access user with a Radius server and a Diameter server working in combination, so that user information originally recorded on the radius server need not be re-entered into the diameter server, new services can be added for the user on the diameter server, and the former radius server can gradually be replaced by the diameter server.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network topology of the embodiment of the present invention;
Fig. 2 is a flow chart of the steps of the method for combined Radius and Diameter authentication and authorization of the embodiment of the present invention;
Fig. 3 is a flow chart of the steps by which the embodiment performs radius authentication of the access user that sent the user authentication message;
Fig. 4 is a flow chart of the steps by which the embodiment performs radius authentication + radius authorization of the access user that sent the user authentication message;
Fig. 5 is a flow chart of the steps by which the embodiment performs radius authentication + diameter authorization of the access user that sent the user authentication message;
Fig. 6 is a flow chart of the steps by which the embodiment performs radius authentication + radius-diameter authorization of the access user that sent the user authentication message;
Fig. 7 is a flow chart of the steps by which the embodiment performs diameter authentication of the access user that sent the user authentication message;
Fig. 8 is a flow chart of the steps by which the embodiment performs diameter authentication + radius authorization of the access user that sent the user authentication message;
Fig. 9 is a flow chart of the steps by which the embodiment performs diameter authentication + diameter authorization of the access user that sent the user authentication message;
Fig. 10 is a flow chart of the steps by which the embodiment performs diameter authentication + radius-diameter authorization of the access user that sent the user authentication message;
Fig. 11 is a flow chart of the steps by which the embodiment performs radius-diameter authentication of the access user that sent the user authentication message;
Fig. 12 is a flow chart of the steps by which the embodiment performs radius-diameter authentication + radius authorization of the access user that sent the user authentication message;
Fig. 13 is a flow chart of the steps by which the embodiment performs radius-diameter authentication + diameter authorization of the access user that sent the user authentication message;
Fig. 14 is a flow chart of the steps by which the embodiment performs radius-diameter authentication + radius-diameter authorization of the access user that sent the user authentication message;
Fig. 15 is a schematic flow diagram of the embodiment of the present invention.
Detailed description of the embodiments
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, they are described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic diagram of the network topology of the embodiment: the user sends a user authentication message to the NAS device, and the NAS device authenticates and authorizes the access user that sent it. During authentication and authorization, the authentication information in the user authentication message is sent to the radius server or diameter server for the corresponding authentication, and the authorization message fed back by the radius server or diameter server is received and sent to the user for the corresponding authorization. The authentication information is taken from the user authentication message and includes at least the user name, domain name and password.
As shown in Fig. 2, the present invention provides a method for combined Radius and Diameter authentication and authorization, including:
Step S100: obtaining a user authentication message and determining, from the user information in the user authentication message, the authentication type and authorization type to apply when the user accesses, where the authentication type is one of radius authentication, diameter authentication and radius-diameter authentication, and the authorization type is one of radius authorization, diameter authorization and radius-diameter authorization; radius authentication, diameter authentication and radius-diameter authentication are pre-configured under an authentication template, and radius authorization, diameter authorization and radius-diameter authorization are pre-configured under an authorization template;
Step S200: authenticating and authorizing the access user that sent the user authentication message according to the authentication type and the authorization type respectively.
Specifically, the NAS device obtains the user authentication message, determines from its user information the authentication type and authorization type to apply when the user accesses, and authenticates and authorizes the access user that sent the message according to that authentication type and authorization type respectively. Authenticating and authorizing the access user with a Radius server and a Diameter server in combination both ensures that the user information already held on the radius server need not change and allows new services to be added for the user on the new diameter server. Note that the user information is taken from the user authentication message and includes at least the address of the user.
In the above embodiment, the step of obtaining the user authentication message and determining the authentication type from its user information includes:
reading the authentication type directly from the authentication template of the domain name;
and correspondingly, the step of obtaining the user authentication message and determining the authorization type from its user information includes:
obtaining the authentication-success message and the authorization message from the radius server or diameter server;
reading the authorization type under the authorization template.
Specifically, the authentication type under the authentication template supports radius authentication, diameter authentication and radius-diameter authentication; the authorization type under the authorization template supports radius authorization, diameter authorization and radius-diameter authorization; and the access user that sent the user authentication message is authorized only after its authentication has completed. The authentication and authorization modes supported by the NAS device are: radius authentication + radius authorization, radius authentication + diameter authorization, radius authentication + radius-diameter authorization, diameter authentication + radius authorization, diameter authentication + diameter authorization, diameter authentication + radius-diameter authorization, radius-diameter authentication + radius authorization, radius-diameter authentication + diameter authorization, and radius-diameter authentication + radius-diameter authorization.
In the above embodiment, as shown in Fig. 3, when the authentication type is radius authentication, the step of authenticating the access user that sent the user authentication message according to the authentication type includes:
Step S301: reading the radius authentication group number from the authentication template;
Step S302: sending the authentication information in the user authentication message together with the radius authentication group number to the radius component, so that the radius component reads the radius server information from the configuration of that radius authentication group number;
Step S303: sending the authentication information to the radius server according to the radius server information read, so that the radius server performs the authentication.
Specifically, while the user is coming online, the user authentication message passes through the AIM component of the NAS device, which reads the authentication type from the authentication template of the domain name, finds that radius authentication is configured, then reads the radius authentication group number from the authentication template and sends the authentication information in the user authentication message together with the radius authentication group number to the radius component of the NAS device. The radius component reads the radius server information from the configuration of that radius authentication group number and sends the authentication information to the radius server, which performs radius authentication of the access user that sent the user authentication message.
In the above embodiment, as shown in Fig. 4, when the authentication type is radius authentication and the authorization type is radius authorization, the step of authorizing according to the authorization type includes:
Step S310: receiving the authentication result and the radius authorization message fed back by the radius server;
Step S311: reading the radius authorization type from the authorization template;
Step S312: storing the radius authorization message fed back by the radius server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing radius authorization.
Specifically, the NAS device receives the response message sent by the radius server, which contains the authentication result and the radius authorization message fed back by the radius server. When the radius server's response message reaches the NAS device, it is first received by the radius component of the NAS device, which processes it and passes it to the AIM component of the NAS device; the AIM component is responsible for analysing and using the authentication result and radius authorization message returned by the radius server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area, finds that radius authorization is configured, stores the radius authorization message fed back by the radius server and the authorization information on the NAS device in the temporary user data area and sends them to the user; the radius authentication + radius authorization flow then ends.
In the above embodiment, as shown in Fig. 5, when the authentication type is radius authentication and the authorization type is diameter authorization, the step of authorizing according to the authorization type includes:
Step S320: receiving the authentication result and the radius authorization message fed back by the radius server;
Step S321: reading the diameter authorization type from the authorization template;
Step S322: sending to the diameter server a request message of the authorize-only (not authentication) type;
Step S323: receiving the diameter authorization message fed back by the diameter server;
Step S324: storing the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing diameter authorization.
Specifically, the NAS device receives the response message sent by the radius server. When the radius server's response message reaches the NAS device, it is first received by the radius component of the NAS device, which processes it and passes it to the AIM component of the NAS device; the AIM component is responsible for analysing and using the authentication result and radius authorization message returned by the radius server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area and finds that diameter authorization is configured; it therefore does not read the radius authorization message issued by the radius server, but sends to the diameter server a request message of the authorize-only (not authentication) type and receives the diameter authorization message fed back by the diameter server. The diameter authorization message fed back by the diameter server and the authorization information on the NAS device are stored in the temporary user data area and sent to the user; the radius authentication + diameter authorization flow then ends.
In the above embodiment, as shown in Fig. 6, when the authentication type is radius authentication and the authorization type is radius-diameter authorization, the step of authorizing according to the authorization type includes:
Step S330: receiving the authentication result and the radius authorization message fed back by the radius server;
Step S331: reading the radius-diameter authorization type from the authorization template;
Step S332: storing the radius authorization message fed back by the radius server in the temporary user data area;
Step S333: sending to the diameter server a request message of the authorize-only (not authentication) type;
Step S334: receiving the diameter authorization message fed back by the diameter server;
Step S335: storing the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area;
Step S336: sending the radius authorization message, the diameter authorization message and the NAS-device authorization information held in the temporary user data area to the user, completing radius-diameter authorization.
Specifically, the NAS device receives the response message sent by the radius server. When the radius server's response message reaches the NAS device, it is first received by the radius component of the NAS device, which processes it and passes it to the AIM component of the NAS device; the AIM component is responsible for analysing and using the authentication result and radius authorization message returned by the radius server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area, finds that radius-diameter authorization is configured, stores the radius authorization message fed back by the radius server in the temporary user data area, and sends to the diameter server a request message of the authorize-only (not authentication) type. The diameter server then performs no authentication and only returns a diameter authorization message to the NAS device. On the NAS device the diameter server's response message is first received by the diameter component, which processes it and passes the diameter authorization message to the AIM component of the NAS device. The AIM component again reads the authorization type under the authorization template from the temporary user data area, finds that radius-diameter authorization is configured, stores the diameter authorization message fed back by the diameter server and the authorization information on the NAS device in the temporary user data area, and sends the radius authorization message, the diameter authorization message and the NAS-device authorization information held in the temporary user data area to the user; the radius authentication + radius-diameter authorization flow then ends.
In the above embodiment of the present invention, as shown in Figure 7, when the authentication type is Diameter authentication, authenticating the access user that sent the user authentication message according to the authentication type includes:
S401: reading the Diameter authentication group number from the authentication template;
S402: sending the authentication information in the user authentication message and the Diameter authentication group number to the Diameter component, so that the Diameter component reads the Diameter server information from the configuration of the Diameter authentication group number;
S403: sending the authentication information to the Diameter server according to the Diameter server information read, so that the Diameter server performs authentication.
Specifically, during the user's login process the user authentication message passes through the AIM component of the NAS device, which reads the authentication type from the authentication template of the user's domain and finds that Diameter authentication is configured. It then reads the Diameter authentication group number from the authentication template and sends the authentication information in the user authentication message, together with the Diameter authentication group number, to the Diameter component of the NAS device. The Diameter component reads the Diameter link information from the configuration of that group number. Each Diameter group can be configured with several links (each link corresponds to one Diameter server, and the link information must be marked as primary or secondary). The Diameter component prefers the primary link and selects the secondary link if the primary link is unreachable; it then reads the Diameter server information from the link information and sends the authentication information to the Diameter server, so that the Diameter server performs Diameter authentication on the access user that sent the user authentication message.
In the above embodiment of the present invention, as shown in Figure 8, when the authentication type is Diameter authentication and the authorization type is RADIUS authorization, authorizing according to the authorization type includes:
S410: receiving the authentication result and the Diameter authorization information fed back by the Diameter server;
S411: reading the RADIUS authorization type from the authorization template;
S412: storing the authorization information on the NAS device in the temporary user data area and sending it to the user, completing RADIUS authorization.
Specifically, the NAS device receives the response message of the Diameter server. The response message is first received by the Diameter module of the NAS device, which processes it and passes it to the AIM component of the NAS device. The AIM component is responsible for analysing and using the authentication result and the Diameter authorization information returned by the Diameter server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area and finds that RADIUS authorization is configured; it stores the authorization information on the NAS device in the temporary user data area and sends it to the user. The Diameter authentication + RADIUS authorization flow ends.
In the above embodiment of the present invention, as shown in Figure 9, when the authentication type is Diameter authentication and the authorization type is Diameter authorization, authorizing according to the authorization type includes:
S420: receiving the authentication result and the Diameter authorization information fed back by the Diameter server;
S421: reading the Diameter authorization type from the authorization template;
S422: storing the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing Diameter authorization.
Specifically, the NAS device receives the response message of the Diameter server. The response message is first received by the Diameter module of the NAS device, which processes it and passes it to the AIM component of the NAS device. The AIM component is responsible for analysing and using the authentication result and the Diameter authorization information returned by the Diameter server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area and finds that Diameter authorization is configured; it stores the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area and sends them to the user. The Diameter authentication + Diameter authorization flow ends.
In the above embodiment of the present invention, as shown in Figure 10, when the authentication type is Diameter authentication and the authorization type is RADIUS-Diameter authorization, authorizing according to the authorization type includes:
Step S430: receiving the authentication result and the Diameter authorization information fed back by the Diameter server;
Step S431: reading the RADIUS-Diameter authorization type from the authorization template;
Step S432: storing the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing RADIUS-Diameter authorization.
Specifically, the NAS device receives the response message of the Diameter server. The response message is first received by the Diameter module of the NAS device, which processes it and passes it to the AIM component of the NAS device. The AIM component is responsible for analysing and using the authentication result and the Diameter authorization information returned by the Diameter server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area and finds that RADIUS-Diameter authorization is configured. No further authentication or authorization request is made to the RADIUS server; the Diameter authorization information and the authorization information on the NAS device are stored directly in the temporary user data area and sent to the user. The Diameter authentication + RADIUS-Diameter authorization flow ends.
In the above embodiment of the present invention, as shown in Figure 11, when the authentication type is RADIUS-Diameter authentication, authenticating the access user that sent the user authentication message according to the authentication type includes:
S501: reading the RADIUS authentication group number from the authentication template;
S502: sending the authentication information in the user authentication message and the RADIUS authentication group number to the RADIUS component, so that the RADIUS component reads the RADIUS server information from the configuration of the RADIUS authentication group number;
S503: sending the authentication information to the RADIUS server according to the RADIUS server information read, so that the RADIUS server performs authentication;
S504: reading the Diameter authentication group number from the authentication template;
S505: sending the authentication information in the user authentication message and the Diameter authentication group number to the Diameter component, so that the Diameter component reads the Diameter server information from the configuration of the Diameter authentication group number;
S506: sending the authentication information to the Diameter server according to the Diameter server information read, so that the Diameter server performs authentication.
Specifically, during the user's login process the user authentication message passes through the AIM component of the NAS device, which reads the authentication type from the authentication template of the user's domain and finds that RADIUS-Diameter authentication is configured. It first reads the RADIUS authentication group number from the authentication template and sends the authentication information in the user authentication message, together with the RADIUS authentication group number, to the RADIUS component of the NAS device. The RADIUS component reads the RADIUS server information from the configuration of that group number and sends the authentication information to the RADIUS server, so that the RADIUS server performs RADIUS authentication on the access user that sent the user authentication message.
It then reads the Diameter authentication group number from the authentication template and sends the authentication information in the user authentication message, together with the Diameter authentication group number, to the Diameter component of the NAS device. The Diameter component reads the Diameter link information from the configuration of that group number. Each Diameter group can be configured with several links (each link corresponds to one Diameter server, and the link information must be marked as primary or secondary). The Diameter component prefers the primary link and selects the secondary link if the primary link is unreachable; it then reads the Diameter server information from the link information and sends the authentication information (user name, domain name, password, etc.) to the Diameter server, so that the Diameter server performs Diameter authentication on the access user that sent the user authentication message.
In the above embodiment of the present invention, as shown in Figure 12, when the authentication type is RADIUS-Diameter authentication and the authorization type is RADIUS authorization, authorizing according to the authorization type includes:
S510: receiving the authentication result and the RADIUS authorization information fed back by the RADIUS server;
S511: reading the RADIUS authorization type from the authorization template;
S512: storing the RADIUS authorization information fed back by the RADIUS server in the temporary user data area;
S513: receiving the authentication result and the Diameter authorization information fed back by the Diameter server;
S514: reading the RADIUS authorization type from the authorization template;
S515: storing the authorization information on the NAS device in the temporary user data area, and sending the RADIUS authorization information in the temporary user data area and the authorization information on the NAS device to the user, completing RADIUS authorization.
Specifically, after the RADIUS server has performed RADIUS authentication on the access user that sent the user authentication message, its response message is sent to the NAS device, where it is first received by the RADIUS module, processed, and passed to the AIM component of the NAS device. The AIM component is responsible for analysing and using the authentication result and the RADIUS authorization information returned by the RADIUS server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area, finds that RADIUS authorization is configured, and stores the RADIUS authorization information fed back by the RADIUS server in the temporary user data area.
Then, after the Diameter server has performed Diameter authentication on the access user, its response message is sent to the NAS device, where it is first received by the Diameter module, processed, and passed to the AIM component. The AIM component is responsible for analysing and using the authentication result and the Diameter authorization information returned by the Diameter server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area and finds that RADIUS authorization is configured; the Diameter authorization information sent by the Diameter server is therefore not used. The authorization information on the NAS device is stored in the temporary user data area, and the RADIUS authorization information in the temporary user data area and the authorization information on the NAS device are sent to the user. The RADIUS-Diameter authentication + RADIUS authorization flow ends.
In the above embodiment of the present invention, as shown in Figure 13, when the authentication type is RADIUS-Diameter authentication and the authorization type is Diameter authorization, authorizing according to the authorization type includes:
S520: receiving the authentication result and the RADIUS authorization information fed back by the RADIUS server;
S521: reading the Diameter authorization type from the authorization template;
S522: receiving the authentication result and the Diameter authorization information fed back by the Diameter server;
S523: reading the Diameter authorization type from the authorization template;
S524: storing the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area and sending them to the user, completing Diameter authorization.
Specifically, after the RADIUS server has performed RADIUS authentication on the access user that sent the user authentication message, its response message is sent to the NAS device, where it is first received by the RADIUS module, processed, and passed to the AIM component of the NAS device. The AIM component is responsible for analysing and using the authentication result and the RADIUS authorization information returned by the RADIUS server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area and finds that Diameter authorization is configured; the RADIUS authorization information sent by the RADIUS server is therefore not used.
Then, after the Diameter server has performed Diameter authentication on the access user, its response message is sent to the NAS device, where it is first received by the Diameter module, processed, and passed to the AIM component. The AIM component is responsible for analysing and using the authentication result and the Diameter authorization information returned by the Diameter server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area, finds that Diameter authorization is configured, stores the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area, and sends them to the user. The RADIUS-Diameter authentication + Diameter authorization flow ends.
In the above embodiment of the present invention, as shown in Figure 14, when the authentication type is RADIUS-Diameter authentication and the authorization type is RADIUS-Diameter authorization, authorizing according to the authorization type includes:
S530: receiving the authentication result and the RADIUS authorization information fed back by the RADIUS server;
S531: reading the RADIUS-Diameter authorization type from the authorization template;
S532: storing the RADIUS authorization information fed back by the RADIUS server in the temporary user data area;
S533: receiving the authentication result and the Diameter authorization information fed back by the Diameter server;
S534: reading the RADIUS-Diameter authorization type from the authorization template;
S535: storing the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area;
S536: sending the RADIUS authorization information, the Diameter authorization information and the NAS-device authorization information held in the temporary user data area to the user, completing RADIUS-Diameter authorization.
Specifically, after the RADIUS server has performed RADIUS authentication on the access user that sent the user authentication message, its response message is sent to the NAS device, where it is first received by the RADIUS module, processed, and passed to the AIM component of the NAS device. The AIM component is responsible for analysing and using the authentication result and the RADIUS authorization information returned by the RADIUS server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area, finds that RADIUS-Diameter authorization is configured, and stores the RADIUS authorization information fed back by the RADIUS server in the temporary user data area.
Then, after the Diameter server has performed Diameter authentication on the access user, its response message is sent to the NAS device, where it is first received by the Diameter module, processed, and passed to the AIM component. The AIM component is responsible for analysing and using the authentication result and the Diameter authorization information returned by the Diameter server. If the authentication result obtained by the AIM component is success, the AIM component reads the authorization type under the authorization template from the temporary user data area, finds that RADIUS-Diameter authorization is configured, stores the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area, and sends the RADIUS authorization information, the Diameter authorization information and the NAS-device authorization information from the temporary user data area to the user, completing RADIUS-Diameter authentication + RADIUS-Diameter authorization.
Figure 15 is a schematic flow chart of the embodiment of the present invention:
Step S101: determine the domain to which the user belongs from the user information in the user authentication message.
Step S102: obtain the authentication template under that domain.
Step S103: obtain the authentication type from the authentication template: RADIUS authentication, RADIUS-Diameter authentication or Diameter authentication.
RADIUS authentication/authorization or RADIUS-Diameter authentication/authorization part of the flow:
Step S111: when the authentication type is RADIUS authentication or RADIUS-Diameter authentication, obtain the RADIUS authentication group number from the authentication template.
Step S112: send the authentication information together with the RADIUS authentication group number to the RADIUS component.
Step S113: the RADIUS component sends the authentication information to the RADIUS server for authentication, according to the RADIUS server information configured under that group number.
Step S114: the RADIUS component receives the authentication result and authorization information from the server and passes them to the AIM component.
Step S115: check whether authentication succeeded. If it succeeded, the AIM component looks up the authorization template by the user's domain; if it failed, the failure result is notified to the user and the flow ends.
Step S116: obtain the RADIUS authorization type or RADIUS-Diameter authorization type from the authorization template. This step is performed on the basis of successful authentication in step S115.
Step S117: when the authorization type is RADIUS authorization, write the RADIUS authorization information into the temporary user data area.
Step S118: when the authorization type is RADIUS-Diameter authorization, write the RADIUS authorization information into the temporary user data area.
Step S119: obtain the Diameter authentication group number from the authentication template. This step is performed on the basis that the authorization type determined in step S118 is RADIUS-Diameter authorization.
Step S120: send the authentication information together with the Diameter authentication group number to the Diameter component.
Step S121: the Diameter component selects a suitable link according to the group number and obtains the Diameter server information from the link.
Step S122: send the authentication information to the corresponding Diameter server.
Diameter authentication:
Step S130: when the authentication type is Diameter authentication, obtain the Diameter group number from the authentication template.
Step S131: send the authentication information together with the Diameter authentication group number to the Diameter component.
Step S132: the Diameter component selects a suitable link according to the group number and obtains the Diameter server information from the link.
Step S133: send the authentication information to the corresponding Diameter server, completing Diameter authentication.
Overall authorization flow:
Step S140: the Diameter component notifies the AIM component of the authentication result and authorization information returned by the server.
Step S141: if authentication succeeded, the Diameter authorization information is stored in the temporary user data area, and the successful authentication result, all authorization information and the authorization information on the NAS device are returned to the user; the flow ends. If authentication failed, check whether RADIUS authentication has been performed: if not, notify the user of the failure result and end the flow; if RADIUS authentication has been performed, return only the RADIUS authorization information, the authentication result and the authorization information on the NAS device to the user, and the flow ends.
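The flow of steps S101 to S141, together with the nine authentication/authorization combinations described in the figures above, as an added example (this is a model written for this page, not the patent's or ZTE's code): a NAS-side dispatcher that reads the per-domain authentication and authorization templates, authenticates against RADIUS and/or Diameter, applies the primary/secondary Diameter link preference, collects authorization information in the temporary user data area, and applies the step S141 fallback when Diameter fails after RADIUS succeeded. Servers are simulated by in-memory callables; the domain names, group numbers, attribute names and credentials are all constructed.

```python
"""Added example, not the patent's code: a model of the NAS-side dispatch for
combined RADIUS/Diameter authentication and authorization. Servers are
in-memory callables; every name and value below is constructed for illustration."""
from dataclasses import dataclass, field

RADIUS, DIAMETER, BOTH = "radius", "diameter", "radius-diameter"


@dataclass
class Reply:
    """What a AAA server returns: the authentication result and authorization attributes."""
    ok: bool
    authz: dict = field(default_factory=dict)


class Nas:
    def __init__(self, auth_tpl, authz_tpl, radius_groups, diameter_groups, nas_authz):
        self.auth_tpl = auth_tpl                # domain -> {"type", "radius_group", "diameter_group"}
        self.authz_tpl = authz_tpl              # domain -> authorization type
        self.radius_groups = radius_groups      # RADIUS group number -> server callable
        self.diameter_groups = diameter_groups  # Diameter group number -> [(role, server callable)]
        self.nas_authz = nas_authz              # authorization information configured on the NAS itself

    def diameter_server(self, group):
        """Prefer the primary link; fall back to a secondary link when the primary is unreachable."""
        links = sorted(self.diameter_groups[group], key=lambda link: link[0] != "primary")
        for _role, server in links:
            if server is not None:              # None models an unreachable link
                return server
        raise ConnectionError("no reachable Diameter link in group %s" % group)

    def login(self, username, domain, password):
        """Authenticate and authorize one access user; returns the reply sent to the user."""
        tpl = self.auth_tpl[domain]             # authentication template of the user's domain
        atype, ztype = tpl["type"], self.authz_tpl[domain]
        creds = (username, domain, password)
        tmp = {}                                # the "temporary user data area"
        radius_done = False
        if atype in (RADIUS, BOTH):
            r = self.radius_groups[tpl["radius_group"]](creds, authenticate=True)
            if not r.ok:
                return Reply(False)             # failure is reported to the user, flow ends
            radius_done = True
            if ztype in (RADIUS, BOTH):         # RADIUS authorization information is kept only if needed
                tmp["radius"] = r.authz
            if atype == RADIUS and ztype in (DIAMETER, BOTH):
                # RADIUS-only authentication: ask Diameter for authorization only, no second authentication
                d = self.diameter_server(tpl["diameter_group"])(creds, authenticate=False)
                tmp["diameter"] = d.authz
        if atype in (DIAMETER, BOTH):
            d = self.diameter_server(tpl["diameter_group"])(creds, authenticate=True)
            if not d.ok:
                if not radius_done:
                    return Reply(False)
                # Step S141: Diameter failed after RADIUS succeeded -> return the RADIUS
                # authorization information (if any was kept) and the NAS information only
                return Reply(True, {**tmp.get("radius", {}), **self.nas_authz})
            if ztype in (DIAMETER, BOTH):       # Diameter authorization is discarded under RADIUS authorization
                tmp["diameter"] = d.authz
        merged = {**tmp.get("radius", {}), **tmp.get("diameter", {}), **self.nas_authz}
        return Reply(True, merged)


# --- constructed servers and templates ---------------------------------------
def fake_radius(creds, authenticate):
    _user, _domain, password = creds
    ok = authenticate and password == "s3cret"                     # constructed credential
    return Reply(ok, {"Framed-IP-Address": "10.0.0.7"} if ok else {})


def fake_diameter(creds, authenticate):
    _user, _domain, password = creds
    if not authenticate:                        # authorization-only request: no credential check
        return Reply(True, {"QoS-Profile": "gold"})
    ok = password == "s3cret"
    return Reply(ok, {"QoS-Profile": "gold"} if ok else {})


def build_nas(diameter=fake_diameter):
    auth_tpl = {
        "isp-a.example": {"type": BOTH, "radius_group": 1, "diameter_group": 1},
        "isp-b.example": {"type": DIAMETER, "diameter_group": 1},
        "isp-c.example": {"type": RADIUS, "radius_group": 1, "diameter_group": 1},
    }
    authz_tpl = {"isp-a.example": BOTH, "isp-b.example": RADIUS, "isp-c.example": DIAMETER}
    # primary link unreachable (None), so the secondary link is used
    diameter_groups = {1: [("primary", None), ("secondary", diameter)]}
    return Nas(auth_tpl, authz_tpl, {1: fake_radius}, diameter_groups, {"Session-Timeout": 3600})


if __name__ == "__main__":
    nas = build_nas()
    for domain in ("isp-a.example", "isp-b.example", "isp-c.example"):
        print(domain, nas.login("alice", domain, "s3cret"))
```

Passing a Diameter callable that always answers with failure to `build_nas` exercises the step S141 path, where the user still receives the RADIUS authorization information and the NAS information.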
In the above embodiment of the present invention, after the access user that sent the user authentication message has been authenticated and authorized, the method further includes:
sending an accounting request message to the RADIUS server or the Diameter server;
receiving the accounting response message returned by the RADIUS server or the Diameter server.
Specifically, when the user is configured with the RADIUS-Diameter accounting mode, the NAS device sends the accounting request message to the RADIUS server first. If the RADIUS server answers with an accounting response message, no accounting request message needs to be sent to the Diameter server; otherwise the accounting request message is sent to the Diameter server. The RADIUS-Diameter accounting mode selects only one server as the accounting server, and once a server has been selected successfully it is not changed again.
When the user is configured with the RADIUS accounting mode, the NAS device sends accounting messages to the RADIUS server.
When the user is configured with the Diameter accounting mode, the NAS device sends accounting messages to the Diameter server.
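The three accounting modes just described, as an added example (written for this page, not the patent's code): the RADIUS-first selection with fallback to Diameter and the "never switch once chosen" rule. Transports are simulated by callables that return True when the server answered the accounting request; the record contents are constructed.

```python
"""Added example, not the patent's code: accounting-server selection for the
radius, diameter and radius-diameter accounting modes. Transports are callables
returning True when the server answered; records are constructed dicts."""
RADIUS, DIAMETER, BOTH = "radius", "diameter", "radius-diameter"


class AccountingClient:
    def __init__(self, mode, radius_send, diameter_send):
        self.mode = mode                       # "radius", "diameter" or "radius-diameter"
        self.send = {RADIUS: radius_send, DIAMETER: diameter_send}
        self.chosen = None                     # fixed once a server has answered in radius-diameter mode

    def account(self, record):
        """Send one accounting record; return the name of the server that answered, or None."""
        if self.mode != BOTH:                  # single-server modes always use the configured server
            return self.mode if self.send[self.mode](record) else None
        if self.chosen is not None:            # already selected: do not switch servers again
            return self.chosen if self.send[self.chosen](record) else None
        for server in (RADIUS, DIAMETER):      # RADIUS is tried first, Diameter only if it did not answer
            if self.send[server](record):
                self.chosen = server
                return server
        return None


if __name__ == "__main__":
    client = AccountingClient(BOTH, lambda rec: False, lambda rec: True)
    print(client.account({"Acct-Status-Type": "Start", "User-Name": "alice"}))  # constructed record
```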
The embodiment of the present invention also provides a device for combined RADIUS and Diameter authentication and authorization, which includes:
a first processing module, configured to obtain a user authentication message and to determine, from the user information in the user authentication message, the authentication type and authorization type for the user's access, where the authentication type includes RADIUS authentication, Diameter authentication and RADIUS-Diameter authentication, and the authorization type includes RADIUS authorization, Diameter authorization and RADIUS-Diameter authorization; RADIUS authentication, Diameter authentication and RADIUS-Diameter authentication are preset under the authentication template, and RADIUS authorization, Diameter authorization and RADIUS-Diameter authorization are preset under the authorization template;
a second processing module, configured to authenticate and authorize the access user that sent the user authentication message according to the authentication type and the authorization type respectively.
In the above embodiment of the present invention, the first processing module includes:
a first processing submodule, configured to read the authentication type directly from the authentication template of the domain;
a second processing submodule, configured to obtain the authentication success message and the authorization information of the RADIUS server or the Diameter server;
a third processing submodule, configured to read the authorization type under the authorization template.
In the above embodiment of the present invention, the second processing module further includes a first authentication submodule, a second authentication submodule and a third authentication submodule, where the first authentication submodule includes:
a first authentication reading unit, configured to read the RADIUS authentication group number from the authentication template;
a first authentication processing unit, configured to send the authentication information in the user authentication message and the RADIUS authentication group number to the RADIUS component, so that the RADIUS component reads the RADIUS server information from the configuration of the RADIUS authentication group number;
a first authentication sending unit, configured to send the authentication information to the RADIUS server according to the RADIUS server information read, so that the RADIUS server performs authentication.
In the above embodiment of the present invention, the second processing module further includes a first authorization submodule, a second authorization submodule and a third authorization submodule corresponding to the first authentication submodule, where the first authorization submodule includes:
a first authorization receiving unit, configured to receive the authentication result and the RADIUS authorization information fed back by the RADIUS server;
a first authorization reading unit, configured to read the RADIUS authorization type from the authorization template;
a first authorization processing unit, configured to store the RADIUS authorization information fed back by the RADIUS server and the authorization information on the NAS device in the temporary user data area and send them to the user, completing RADIUS authorization.
In the above embodiment of the present invention, the second authorization submodule includes:
a first receiving unit, configured to receive the authentication result and the RADIUS authorization information fed back by the RADIUS server;
a second authorization reading unit, configured to read the Diameter authorization type from the authorization template;
a second authorization sending unit, configured to send a request message for authorization only (not authentication) to the Diameter server;
a second receiving unit, configured to receive the Diameter authorization information fed back by the Diameter server;
a second authorization processing unit, configured to store the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area and send them to the user, completing Diameter authorization.
In the above embodiment of the present invention, the third authorization submodule includes:
a first unit, configured to receive the authentication result and the RADIUS authorization information fed back by the RADIUS server;
a third authorization reading unit, configured to read the RADIUS-Diameter authorization type from the authorization template;
a first storage unit, configured to store the RADIUS authorization information fed back by the RADIUS server in the temporary user data area;
a first sending unit, configured to send a request message for authorization only (not authentication) to the Diameter server;
a second unit, configured to receive the Diameter authorization information fed back by the Diameter server;
a second storage unit, configured to store the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area;
a second sending unit, configured to send the RADIUS authorization information, the Diameter authorization information and the NAS-device authorization information held in the temporary user data area to the user, completing RADIUS-Diameter authorization.
In the above embodiment of the present invention, the second authentication submodule includes:
a second authentication reading unit, configured to read the Diameter authentication group number from the authentication template;
a second authentication processing unit, configured to send the authentication information in the user authentication message and the Diameter authentication group number to the Diameter component, so that the Diameter component reads the Diameter server information from the configuration of the Diameter authentication group number;
a second authentication sending unit, configured to send the authentication information to the Diameter server according to the Diameter server information read, so that the Diameter server performs authentication.
In the above embodiment of the present invention, the second processing module further includes a fourth authorization submodule, a fifth authorization submodule and a sixth authorization submodule corresponding to the second authentication submodule, where the fourth authorization submodule includes:
a fourth authorization receiving unit, configured to receive the authentication result and the Diameter authorization information fed back by the Diameter server;
a fourth authorization reading unit, configured to read the RADIUS authorization type from the authorization template;
a fourth authorization processing unit, configured to store the authorization information on the NAS device in the temporary user data area and send it to the user, completing RADIUS authorization.
In the above embodiment of the present invention, the fifth authorization submodule includes:
a fifth authorization receiving unit, configured to receive the authentication result and the Diameter authorization information fed back by the Diameter server;
a fifth authorization reading unit, configured to read the Diameter authorization type from the authorization template;
a fifth authorization processing unit, configured to store the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area and send them to the user, completing Diameter authorization.
In the above embodiment of the present invention, the sixth authorization submodule includes:
a sixth authorization receiving unit, configured to receive the authentication result and the Diameter authorization information fed back by the Diameter server;
a sixth authorization reading unit, configured to read the RADIUS-Diameter authorization type from the authorization template;
a sixth authorization processing unit, configured to store the Diameter authorization information fed back by the Diameter server and the authorization information on the NAS device in the temporary user data area and send them to the user, completing RADIUS-Diameter authorization.
In the above embodiment of the present invention, the 3rd authentication sub module includes:
A unit is read in certification, for reading radius certification group number from certification template;
Authentication processing one unit, for the authentication information in user authentication message and radius certification group number are sent to radius assembly, makes radius assembly read the information of radius server from radius certification group number configuring;
Certification sends a unit, for the information according to the radius server read, sends authentication information to radius server, makes radius server be authenticated;
Unit two are read in certification, for reading diameter certification group number from certification template;
Authentication processing two unit, for the authentication information in user authentication message and diameter certification group number are sent to diameter assembly, makes diameter assembly read the information of diameter server from diameter certification group number configuring;
Certification sends Unit two, for the information according to the diameter server read, sends authentication information to diameter server, makes diameter server be authenticated.
In the above embodiment of the present invention, the second processing module also includes seventh corresponding with the 3rd authentication sub module and authorizes submodule, and the 8th authorizes submodule and the 9th to authorize submodule, and wherein, the 7th authorizes submodule to include:
Authorize and receive a unit, for receiving authentication result and the radius authorization message of radius server feedback;
Authorize and read a unit, for from authorizing reading radius authorization type template;
Authorize storage Unit one, for the radius authorization message of radius server feedback being stored in casual user data field;
Authorize and receive Unit two, for receiving authentication result and the diameter authorization message of diameter server feedback;
Authorize and read Unit two, for from authorizing reading radius authorization type template;
Authorisation process one unit, for the authorization message on NAS device being stored in casual user data field, and sends the radius authorization message in casual user data field and the authorization message on NAS device to user, completes radius and authorize.
In the above embodiment of the present invention, the eighth authorization submodule includes:
an authorization receiving unit three, for receiving the authentication result and the Radius authorization message fed back by the Radius server;
an authorization reading unit three, for reading the Diameter authorization type from the authorization template;
an authorization receiving unit four, for receiving the authentication result and the Diameter authorization message fed back by the Diameter server;
an authorization reading unit four, for reading the Diameter authorization type from the authorization template;
an authorization processing unit two, for storing the Diameter authorization message fed back by the Diameter server and the authorization message on the NAS device in a temporary user data field and sending them to the user, completing Diameter authorization.
In the above embodiment of the present invention, the ninth authorization submodule includes:
an authorization receiving unit five, for receiving the authentication result and the Radius authorization message fed back by the Radius server;
an authorization reading unit five, for reading the Radius-Diameter authorization type from the authorization template;
an authorization storage unit two, for storing the Radius authorization message fed back by the Radius server in a temporary user data field;
an authorization receiving unit six, for receiving the authentication result and the Diameter authorization message fed back by the Diameter server;
an authorization reading unit six, for reading the Radius-Diameter authorization type from the authorization template;
an authorization storage unit three, for storing the Diameter authorization message fed back by the Diameter server and the authorization message on the NAS device in the temporary user data field;
an authorization sending unit, for sending the Radius authorization message, the Diameter authorization message and the authorization message on the NAS device held in the temporary user data field to the user, completing Radius-Diameter authorization.
In the above embodiment of the present invention, the device further includes:
an accounting sending module, for sending an accounting request message to the Radius server or the Diameter server;
an accounting receiving module, for receiving the accounting response message returned by the Radius server or the Diameter server.
In the Radius and Diameter combined authentication and authorization method of the embodiment of the present invention, a user authentication message is obtained, the authentication type and authorization type used when the user accesses are determined from the user information in the user authentication message, and the access user that sent the user authentication message is authenticated and authorized, respectively, according to that authentication type and authorization type. The present invention authenticates and authorizes the access user that sent the user authentication message with a Radius server and a Diameter server used in combination, so that user information originally recorded on the Radius server need not be entered again on the Diameter server, new services can be added for the user on the Diameter server, and the original Radius server can be replaced step by step by the Diameter server.
It should be noted that the device for Radius and Diameter combined authentication and authorization provided by the present invention is the device that applies the above method; all embodiments of the above method therefore apply to this device and achieve the same or similar beneficial effects.
The above is a preferred embodiment of the present invention. It should be understood that a person of ordinary skill in the art can make improvements and modifications without departing from the principles of the present invention, and these improvements and modifications also fall within the protection scope of the present invention.

Claims (17)

1. A Radius and Diameter combined authentication and authorization method, characterized in that the method includes:
obtaining a user authentication message, and determining, from the user information in the user authentication message, the authentication type and the authorization type used when the user accesses, wherein the authentication type includes Radius authentication, Diameter authentication and Radius-Diameter authentication; the authorization type includes Radius authorization, Diameter authorization and Radius-Diameter authorization; Radius authentication, Diameter authentication and Radius-Diameter authentication are set in advance under an authentication template; and Radius authorization, Diameter authorization and Radius-Diameter authorization are set in advance under an authorization template;
authenticating and authorizing, respectively, the access user that sent the user authentication message according to the authentication type and the authorization type.
2. The Radius and Diameter combined authentication and authorization method as claimed in claim 1, characterized in that the step of obtaining the user authentication message and determining, from the user information in the user authentication message, the authentication type used when the user accesses includes:
reading the authentication type directly from the authentication template by domain name;
and the step of obtaining the user authentication message and determining, from the user information in the user authentication message, the authorization type used when the user accesses includes:
obtaining the authentication-success message and the authorization message of the Radius server or the Diameter server;
reading the authorization type under the authorization template.
3. The Radius and Diameter combined authentication and authorization method as claimed in claim 1, characterized in that, when the authentication type is Radius authentication, the step of authenticating the access user that sent the user authentication message according to the authentication type includes:
reading a Radius authentication group number from the authentication template;
sending the authentication information in the user authentication message and the Radius authentication group number to a Radius component, so that the Radius component reads the information of a Radius server from the configuration of the Radius authentication group number;
sending the authentication information to the Radius server according to the Radius server information read, so that the Radius server performs authentication.
4. The Radius and Diameter combined authentication and authorization method as claimed in claim 3, characterized in that, when the authorization type is Radius authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Radius authorization message fed back by the Radius server;
reading the Radius authorization type from the authorization template;
storing the Radius authorization message fed back by the Radius server and the authorization message on the NAS device in a temporary user data field and sending them to the user, completing Radius authorization.
5. The Radius and Diameter combined authentication and authorization method as claimed in claim 3, characterized in that, when the authorization type is Diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Radius authorization message fed back by the Radius server;
reading the Diameter authorization type from the authorization template;
sending a request message of the authorization-only type, not the authentication type, to the Diameter server;
receiving the Diameter authorization message fed back by the Diameter server;
storing the Diameter authorization message fed back by the Diameter server and the authorization message on the NAS device in a temporary user data field and sending them to the user, completing Diameter authorization.
6. The Radius and Diameter combined authentication and authorization method as claimed in claim 3, characterized in that, when the authorization type is Radius-Diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Radius authorization message fed back by the Radius server;
reading the Radius-Diameter authorization type from the authorization template;
storing the Radius authorization message fed back by the Radius server in a temporary user data field;
sending a request message of the authorization-only type, not the authentication type, to the Diameter server;
receiving the Diameter authorization message fed back by the Diameter server;
storing the Diameter authorization message fed back by the Diameter server and the authorization message on the NAS device in the temporary user data field;
sending the Radius authorization message, the Diameter authorization message and the authorization message on the NAS device held in the temporary user data field to the user, completing Radius-Diameter authorization.
7. The Radius and Diameter combined authentication and authorization method as claimed in claim 1, characterized in that, when the authentication type is Diameter authentication, the step of authenticating the access user that sent the user authentication message according to the authentication type includes:
reading a Diameter authentication group number from the authentication template;
sending the authentication information in the user authentication message and the Diameter authentication group number to a Diameter component, so that the Diameter component reads the information of a Diameter server from the configuration of the Diameter authentication group number;
sending the authentication information to the Diameter server according to the Diameter server information read, so that the Diameter server performs authentication.
8. The Radius and Diameter combined authentication and authorization method as claimed in claim 7, characterized in that, when the authorization type is Radius authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Diameter authorization message fed back by the Diameter server;
reading the Radius authorization type from the authorization template;
storing the authorization message on the NAS device in a temporary user data field and sending it to the user, completing Radius authorization.
9. The Radius and Diameter combined authentication and authorization method as claimed in claim 7, characterized in that, when the authorization type is Diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Diameter authorization message fed back by the Diameter server;
reading the Diameter authorization type from the authorization template;
storing the Diameter authorization message fed back by the Diameter server and the authorization message on the NAS device in a temporary user data field and sending them to the user, completing Diameter authorization.
10. The Radius and Diameter combined authentication and authorization method as claimed in claim 7, characterized in that, when the authorization type is Radius-Diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Diameter authorization message fed back by the Diameter server;
reading the Radius-Diameter authorization type from the authorization template;
storing the Diameter authorization message fed back by the Diameter server and the authorization message on the NAS device in a temporary user data field and sending them to the user, completing Radius-Diameter authorization.
11. The Radius and Diameter combined authentication and authorization method as claimed in claim 1, characterized in that, when the authentication type is Radius-Diameter authentication, the step of authenticating the access user that sent the user authentication message according to the authentication type includes:
reading a Radius authentication group number from the authentication template;
sending the authentication information in the user authentication message and the Radius authentication group number to a Radius component, so that the Radius component reads the information of a Radius server from the configuration of the Radius authentication group number;
sending the authentication information to the Radius server according to the Radius server information read, so that the Radius server performs authentication;
reading a Diameter authentication group number from the authentication template;
sending the authentication information in the user authentication message and the Diameter authentication group number to a Diameter component, so that the Diameter component reads the information of a Diameter server from the configuration of the Diameter authentication group number;
sending the authentication information to the Diameter server according to the Diameter server information read, so that the Diameter server performs authentication.
12. The Radius and Diameter combined authentication and authorization method as claimed in claim 11, characterized in that, when the authorization type is Radius authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Radius authorization message fed back by the Radius server;
reading the Radius authorization type from the authorization template;
storing the Radius authorization message fed back by the Radius server in a temporary user data field;
receiving the authentication result and the Diameter authorization message fed back by the Diameter server;
reading the Radius authorization type from the authorization template;
storing the authorization message on the NAS device in the temporary user data field, and sending the Radius authorization message in the temporary user data field and the authorization message on the NAS device to the user, completing Radius authorization.
13. The Radius and Diameter combined authentication and authorization method as claimed in claim 11, characterized in that, when the authorization type is Diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Radius authorization message fed back by the Radius server;
reading the Diameter authorization type from the authorization template;
receiving the authentication result and the Diameter authorization message fed back by the Diameter server;
reading the Diameter authorization type from the authorization template;
storing the Diameter authorization message fed back by the Diameter server and the authorization message on the NAS device in a temporary user data field and sending them to the user, completing Diameter authorization.
14. The Radius and Diameter combined authentication and authorization method as claimed in claim 11, characterized in that, when the authorization type is Radius-Diameter authorization, the step of authorizing according to the authorization type includes:
receiving the authentication result and the Radius authorization message fed back by the Radius server;
reading the Radius-Diameter authorization type from the authorization template;
storing the Radius authorization message fed back by the Radius server in a temporary user data field;
receiving the authentication result and the Diameter authorization message fed back by the Diameter server;
reading the Radius-Diameter authorization type from the authorization template;
storing the Diameter authorization message fed back by the Diameter server and the authorization message on the NAS device in the temporary user data field;
sending the Radius authorization message, the Diameter authorization message and the authorization message on the NAS device held in the temporary user data field to the user, completing Radius-Diameter authorization.
15. The Radius and Diameter combined authentication and authorization method as claimed in claim 1, characterized in that, after the access user that sent the user authentication message has been authenticated and authorized, the method further includes:
sending an accounting request message to the Radius server or the Diameter server;
receiving the accounting response message returned by the Radius server or the Diameter server.
16. A Radius and Diameter combined authentication and authorization device, characterized in that the device includes:
a first processing module, for obtaining a user authentication message and determining, from the user information in the user authentication message, the authentication type and the authorization type used when the user accesses, wherein the authentication type includes Radius authentication, Diameter authentication and Radius-Diameter authentication; the authorization type includes Radius authorization, Diameter authorization and Radius-Diameter authorization; Radius authentication, Diameter authentication and Radius-Diameter authentication are set in advance under an authentication template; and Radius authorization, Diameter authorization and Radius-Diameter authorization are set in advance under an authorization template;
a second processing module, for authenticating and authorizing, respectively, the access user that sent the user authentication message according to the authentication type and the authorization type.
17. The Radius and Diameter combined authentication and authorization device as claimed in claim 16, characterized in that the device further includes:
an accounting sending module, for sending an accounting request message to the Radius server or the Diameter server;
an accounting receiving module, for receiving the accounting response message returned by the Radius server or the Diameter server.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410854064.8A CN105812337A (en) 2014-12-31 2014-12-31 Radius and Diameter combined authentication authorization method and method
PCT/CN2015/084728 WO2016107148A1 (en) 2014-12-31 2015-07-21 Authentication and authorization method combining radius and diameter

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410854064.8A CN105812337A (en) 2014-12-31 2014-12-31 Radius and Diameter combined authentication authorization method and method

Publications (1)

Publication Number Publication Date
CN105812337A true CN105812337A (en) 2016-07-27

Family

ID=56284106

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410854064.8A Pending CN105812337A (en) 2014-12-31 2014-12-31 Radius and Diameter combined authentication authorization method and method

Country Status (2)

Country Link
CN (1) CN105812337A (en)
WO (1) WO2016107148A1 (en)

Also Published As

Publication number Publication date
WO2016107148A1 (en) 2016-07-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160727
