Detailed Description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. In the following description, when reference is made to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; rather, they are merely examples of devices and methods consistent with some aspects of this application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be referred to as second information, and similarly second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
To solve problems existing in the prior art, such as poor user experience, the following embodiments of this application provide an access control method and an access control apparatus that can apply the method.
As shown in Fig. 2, the access control method of the embodiment of this application includes the following steps:
Step S101: the BRAS device records the authentication information of a user;
In step S101 the BRAS device may record the authentication information of the user during the user's authentication process, or only after the authentication has passed; the embodiment of this application does not limit this.
Step S102: upon detecting that the communication failure between itself and the AAA server has been recovered, the BRAS device sends the authentication information of the user to the AAA server;
Step S103: the AAA server authenticates the user using the received authentication information and, after the authentication passes, records corresponding online user information in its online user table.
In addition, in the above method the BRAS device may also record the login time of the user and, upon detecting that the communication failure between itself and the AAA server has been recovered, send that login time to the AAA server, so that the AAA server can record the login time in the online user information as the login time received.
In actual implementation, the BRAS device may carry the authentication information and login time of the user in an accounting update message sent to the AAA server. It may also send the authentication information and login time of the user in other messages, in which case the BRAS device first sends them to the AAA server in those other messages and then sends the accounting update message; the embodiment of this application does not limit this.
The following description takes as an example the case in which the BRAS device records the authentication information and login information of the user after the user's first authentication passes, and the recorded authentication information and login information are carried in an accounting update message. In this case the interaction flow between the BRAS device and the AAA server is as shown in Fig. 3 and includes the following steps:
Step S201: after the user's authentication passes, the BRAS device sends an accounting start request message to the AAA server;
Step S202: after receiving the accounting start request message for the user, the AAA server responds to the BRAS device with an accounting start response message for the user;
Step S203: after receiving the accounting start response message for the user, the BRAS device records the authentication information and login time of the user;
For example, the BRAS device may record the authentication information and login time of the user in a key information table; the login time is the time at which the user's authentication passed in step S201.
When communication between the BRAS device and the AAA server is interrupted, the user can still access the network normally. At this time the BRAS device can still, as in the prior art, count the traffic used and the online duration of the user and record them in the corresponding online user information in its online user table, and it still periodically sends accounting update messages to the AAA server.
Step S204: upon detecting that the communication failure between itself and the AAA server has been recovered, the BRAS device sends an accounting update message for the user to the AAA server, the accounting update message carrying the authentication information and login time of the user recorded in step S203;
Step S205: after receiving the accounting update message for the user, the AAA server authenticates the user using the authentication information carried in the message and, after the authentication passes, records corresponding online user information in its online user table, recording the login time in that online user information as the login time carried in the message.
Because the BRAS device continues to count and record the traffic used and the online duration of the user while communication with the AAA server is interrupted, the accounting update message sent by the BRAS device in step S204 also carries the recorded traffic and online duration. Thus in step S205, after receiving the accounting update message for the user, the AAA server can record the traffic and online duration carried in the message in the corresponding online user information and charge the user according to them, so that usage during the communication interruption between the BRAS device and the AAA server is charged and the economic loss of the operator is reduced.
With the method shown in Fig. 3, the BRAS device records the authentication information of an online user in advance and, after the communication failure with the AAA server is recovered, sends the recorded authentication information to the AAA server; the AAA server can use it to authenticate the user again and record the online user information once the authentication passes. In this way, after communication is recovered the BRAS device performs re-authentication on behalf of the online user, so the AAA server authenticates the user again and no longer notifies the BRAS device to log the user off. Normal network access of the user host is not affected and the user experience is improved.
In addition, in the method shown in Fig. 3, because the AAA server re-authenticates the online user in step S205, it might otherwise mistakenly record the login time in the online user information as the time at which the re-authentication passed. By carrying the login time of the first authentication in the accounting update message, the method of the embodiment of this application allows the AAA server, after re-authenticating the user, to record the login time in the online user information accurately as the login time of the first authentication, thereby avoiding accounting errors.
In actual implementation, after step S203, once the BRAS device has recorded the authentication information and login time of the user it may also respond to the AAA server with a record complete message, so that the AAA server can determine that the authentication information and login time of the user have been recorded.
Obviously, in the method shown in Fig. 3 the BRAS device may also record the authentication information and login time of the user immediately after the user's first authentication passes.
In actual implementation, the method of the above embodiment may be applied to all users, or only to some users. When the method of the above embodiment is applied only to some users, such users are, for convenience of description, referred to as special users.
In addition, the AAA server may re-authenticate the user in password mode or in non-password mode. In password mode the authentication information of the user includes a user name and a password; in non-password mode the authentication information of the user may include one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host. In actual implementation, which authentication mode is used may be negotiated between the BRAS device and the AAA server, configured manually, or notified by the AAA server to the BRAS device; likewise, in non-password mode, which authentication information needs to be recorded may be negotiated between the BRAS device and the AAA server, configured manually, or notified by the AAA server to the BRAS device. The embodiment of this application does not limit this.
This is described in detail below by way of two specific embodiments.
In one embodiment, as shown in Fig. 1, a certain user has the user name user and the password password, the MAC address of the user host 1 used by the user is PC-MAC, the user is recorded on the AAA server as a special user, and the re-authentication mode used by the AAA server is password mode. The specific processing flow in this case is as shown in Fig. 4 and includes the following steps:
Step S301: after the user's authentication passes, the BRAS device sends an accounting start request message to the AAA server;
Step S302: after receiving the accounting start request message for the user, the AAA server judges whether the user is a special user; if so, it responds to the BRAS device with an accounting start response message carrying a Remark (label) attribute whose value is set to a predetermined value;
A Remark attribute set to the predetermined value indicates that, after the communication failure between the BRAS device and the AAA device is recovered, the BRAS device needs to perform re-authentication on behalf of the user. For example, the predetermined value may be 1.
Step S303: after receiving the accounting start response message, the BRAS device determines from the Remark attribute set to the predetermined value carried in the message that the user is a special user, and records the user name, password and login time of the user in its key information table, as shown in Table 1;
Table 1
| User name | Password | Login time |
|---|---|---|
| user | password | Jun 28 16:17:12:482 |
In addition, in password mode the authentication information of the user may further include information such as the MAC address of the user host 1 and the access information of the user host 1. The access information may specifically include the port on the BRAS device to which the user host 1 is connected and the VLAN to which the user host 1 belongs.
Because in the prior art the BRAS device does not record the password of the user, in the embodiment of this application the BRAS device may temporarily store the password of the user during the user authentication phase. If it determines in step S303 that the user is a special user, it records the password in Table 1 and then deletes the temporarily stored password; if it determines in step S303 that the user is not a special user, it can delete the temporarily stored password directly. This avoids occupying memory and avoids the information security risk that would otherwise result.
In actual implementation, for information security the password recorded in Table 1 may be a ciphertext password obtained by encryption; the encryption algorithm used may be preset, or may be negotiated between the BRAS device and the AAA server.
Step S304: after the recording is completed, the BRAS device responds to the AAA server with a record complete message carrying a Remark attribute set to the predetermined value;
When communication between the BRAS device and the AAA server is interrupted, the user can still access the Internet normally. At this time the BRAS device can still, as in the prior art, count the traffic used and the online duration of the user and record them in the corresponding online user information in its online user table, and it still periodically sends accounting update messages to the AAA server.
Step S305: upon detecting that the communication failure between itself and the AAA server has been recovered, the BRAS device sends an accounting update message for the user to the AAA server, the accounting update message carrying the user name, password and login time of the user recorded in Table 1;
Specifically, upon detecting that the communication failure between itself and the AAA server has been recovered, the BRAS device first labels the user as to-be-sent and then sends the accounting update message for the user to the AAA server. The accounting update message carries a Remark attribute, a Proxy-Authorization (proxy authentication) attribute, the user name and the login time, where the value of the Remark attribute is set to the predetermined value and the Proxy-Authorization attribute carries the password of the user.
Step S306: after receiving the accounting update message, the AAA server parses the Remark attribute in the message; if its value is the predetermined value, the AAA server authenticates the user using the user name user and the password password carried in the message and, after the authentication passes, records corresponding online user information in the online user table of this device, recording the login time in that online user information as the login time Jun 28 16:17:12:482 carried in the message;
If the password password carried in the accounting update message is a ciphertext password, the AAA server first decrypts it and then performs the authentication.
Step S307: the AAA server responds to the BRAS device with an accounting update response message carrying a Remark attribute set to the predetermined value.
After receiving the accounting update response message, the BRAS device can clear the to-be-sent label of the user; accounting update messages sent subsequently are normal accounting update messages and no longer carry the Remark attribute.
In addition, after the user actively logs off, the BRAS device, besides deleting the corresponding online user information from its online user table as in the prior art, also deletes Table 1.
In another embodiment, as shown in Fig. 1, a certain user has the user name user and the password password, the MAC address of the user host 1 used by the user is PC-MAC, the user is recorded on the AAA server as a special user, and the re-authentication mode used by the AAA server is non-password mode, in which the authentication information to be recorded includes the user name, the MAC address of the user host and the access information of the user host. The specific processing flow in this case is as shown in Fig. 5 and includes the following steps:
Step S401: the AAA server authenticates the user and, after the authentication passes, records the user name user of the user, the MAC address PC-MAC of the user host 1 and the access information PortA and VLAN10 of the user host 1 in a local database;
Step S402: the BRAS device sends an accounting start request message to the AAA server;
Step S403: after receiving the accounting start request message for the user, the AAA server judges whether the user is a special user; if so, it responds to the BRAS device with an accounting start response message carrying a Remark attribute whose value is set to the predetermined value;
Step S404: after receiving the accounting start response message, the BRAS device determines from the Remark attribute set to the predetermined value carried in the message that the user is a special user, and records the user name of the user, the MAC address of the user host 1, the access information of the user host 1 and the login time of the user in its key information table, as shown in Table 2;
Table 2
| User name | MAC address | Access information | Login time |
|---|---|---|---|
| user | PC-MAC | PortA, VLAN10 | Jun 28 16:17:12:482 |
Step S405: after the recording is completed, the BRAS device responds to the AAA server with a record complete message carrying a Remark attribute set to the predetermined value;
When communication between the BRAS device and the AAA server is interrupted, the user can still access the Internet normally. At this time the BRAS device can still, as in the prior art, count the traffic used and the online duration of the user and record them in the corresponding online user information in its online user table, and it still periodically sends accounting update messages to the AAA server.
Step S406: upon detecting that the communication failure between itself and the AAA server has been recovered, the BRAS device sends an accounting update message for the user to the AAA server, the accounting update message carrying the user name, the MAC address of the user host 1, the access information of the user host 1 and the login time of the user recorded in Table 2;
Specifically, upon detecting that the communication failure between itself and the AAA server has been recovered, the BRAS device first labels the user as to-be-sent and then sends the accounting update message for the user to the AAA server. The accounting update message carries a Remark attribute whose value is set to the predetermined value.
Step S407: after receiving the accounting update message, the AAA server parses the Remark attribute in the message; if its value is the predetermined value, the AAA server matches the user name user, the MAC address PC-MAC of the user host 1 and the access information PortA and VLAN10 of the user host 1 carried in the message against the corresponding information recorded in the local database. If they match, it determines that the user's authentication passes, records corresponding online user information in the online user table of this device, and records the login time in that online user information as the login time Jun 28 16:17:12:482 carried in the message;
Step S408: the AAA server responds to the BRAS device with an accounting update response message carrying a Remark attribute set to the predetermined value.
After receiving the accounting update response message, the BRAS device can clear the to-be-sent label of the user; accounting update messages sent subsequently are normal accounting update messages and no longer carry the Remark attribute.
In addition, after the user actively logs off, the BRAS device, besides deleting the corresponding online user information from its online user table as in the prior art, also deletes Table 2.
In the above two specific embodiments, because the accounting update message also carries the latest traffic and online duration, the AAA server can, after receiving the accounting update message, also charge the user according to the latest traffic and online duration.
Thus, in the method of the embodiment of this application, the BRAS device needs to record the authentication information of the user and, upon detecting that the communication failure between itself and the AAA server has been recovered, send the authentication information of the user to the AAA server, so that the AAA server authenticates the user using the authentication information and, after the authentication passes, records corresponding online user information in the online user table. The authentication information of the user includes a user name and a password; alternatively, it includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
In one embodiment, the BRAS device also records the login time of the user and sends the login time to the AAA server, so that the AAA server records the login time in the online user information as the login time sent.
In one embodiment, the authentication information of the user is carried in an accounting update message sent to the AAA server.
In the method for the embodiment of the present application, aaa server needs to receive the authentication information for the user that BRAS equipment is sent;
User is authenticated using the authentication information, and after certification passes through, online use is recorded in corresponding online user's information
In the table of family.It wherein, include: username and password in the authentication information of user;Alternatively, including following letter in the authentication information of user
Breath one of or multiple combinations: user name, the MAC Address of subscriber's main station, subscriber's main station access information.
When the authentication information of the user includes one or a combination of the user name, the MAC address of the user host and the access information of the user host, the AAA server may also record the authentication information of the user in a local database after the user's authentication passes, before receiving the authentication information of the user sent by the BRAS device. When authenticating the user with the received authentication information, the AAA server can then match the received authentication information against the authentication information in the local database: if they match, it determines that the user's authentication passes; otherwise, it determines that the user's authentication does not pass.
In one embodiment, the AAA server also receives the login time of the user sent by the BRAS device and records the login time in the online user information as the login time received. For charging modes based on online duration, this allows the user's usage to be charged accurately.
Corresponding to the embodiments of the access control method described above, this application also provides an embodiment of an access control apparatus applied in a BRAS device and an embodiment of an access control apparatus applied in an AAA server.
In one embodiment, the access control apparatus 60 of this application may be applied in a BRAS device. The apparatus embodiment may be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor 501 of the BRAS device in which it resides reading corresponding computer program instructions from the non-volatile memory 505 into the memory 504 and running them. In terms of hardware, Fig. 6 is a hardware structure diagram of the BRAS device in which the access control apparatus 60 of this application resides; besides the processor 501, internal bus 502, network interface 503, memory 504 and non-volatile memory 505 shown in Fig. 6, the BRAS device in which the apparatus resides may also include other hardware according to the actual function of the BRAS device, which is not described further here.
Referring to Fig. 7, the access control apparatus 60 of the embodiment of this application includes the following units: a recording unit 601, a detection unit 602 and a transmission unit 603, where:
the recording unit 601 is configured to record the authentication information of a user;
the detection unit 602 is configured to detect the communication status between this device and the AAA server;
the transmission unit 603 is configured to, when the detection unit 602 detects that the communication failure between this device and the AAA server has been recovered, send the authentication information of the user recorded by the recording unit 601 to the AAA server, so that the AAA server authenticates the user using the authentication information and, after the authentication passes, records corresponding online user information in the online user table.
The authentication information of the user recorded by the recording unit 601 includes a user name and a password; alternatively, it includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
In one embodiment, the recording unit 601 is further configured to record the login time of the user, and the transmission unit 603 is further configured to send the login time of the user recorded by the recording unit 601 to the AAA server, so that the AAA server records the login time in the online user information as the login time sent.
In one embodiment, the authentication information of the user sent by the transmission unit 603 is carried in an accounting update message.
In another embodiment, the access control apparatus 70 of this application may be applied in an AAA server. The apparatus embodiment may be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor 801 of the AAA server in which it resides reading corresponding computer program instructions from the non-volatile memory 805 into the memory 804 and running them. In terms of hardware, Fig. 8 is a hardware structure diagram of the AAA server in which the access control apparatus 70 of this application resides; besides the processor 801, internal bus 802, network interface 803, memory 804 and non-volatile memory 805 shown in Fig. 8, the AAA server in which the apparatus resides may also include other hardware according to the actual function of the AAA server, which is not described further here.
Referring to Fig. 9, the access control apparatus 70 of the embodiment of this application includes the following units: a receiving unit 701 and an authentication unit 702, where:
the receiving unit 701 is configured to receive the authentication information of a user sent by the BRAS device;
the authentication unit 702 is configured to, after the receiving unit 701 receives the authentication information of the user, authenticate the user using the authentication information and, after the authentication passes, record corresponding online user information in the online user table.
The authentication information of the user received by the receiving unit 701 includes a user name and a password; alternatively, it includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
When the authentication information of the user received by the receiving unit 701 includes one or a combination of the user name, the MAC address of the user host and the access information of the user host, the access control apparatus 70 further includes, as shown in Fig. 10, a recording unit 703, where:
the recording unit 703 is configured to record the authentication information of the user in a local database after the user's authentication passes, before the receiving unit 701 receives the authentication information of the user sent by the BRAS device; that is, during the user's first authentication, after the receiving unit 701 receives the authentication request message of the user sent by the BRAS device, the authentication unit 702 authenticates the user using the user name and password carried in the authentication request message, and after the authentication passes the recording unit 703 may record the authentication information of the user in the local database;
the authentication unit 702 is specifically configured to authenticate the user using the authentication information received by the receiving unit 701 in the following manner: matching the authentication information received by the receiving unit 701 against the authentication information in the local database; if they match, determining that the user's authentication passes, otherwise determining that the user's authentication does not pass.
The receiving unit 701 is further configured to receive the login time of the user sent by the BRAS device, and the recording unit 703 is further configured to record the login time in the online user information as the login time received by the receiving unit 701.
The implementation of the functions and effects of the units of the above apparatus is detailed in the implementation of the corresponding steps of the above method and is not repeated here.
Since the apparatus embodiments substantially correspond to the method embodiments, reference may be made to the description of the method embodiments for relevant details. The apparatus embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely the preferred embodiments of this application and is not intended to limit this application; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of this application shall be included within the scope of protection of this application.