CN107124398B - Method, device and system for authenticating terminal equipment - Google Patents

Abstract

The embodiment of the invention provides a method, a device and a system for authenticating terminal equipment, relates to the technical field of communication, and can successfully finish authentication of the terminal equipment. The method comprises the following steps: the BRAS receives an authentication request message sent by the terminal equipment, wherein the authentication request message comprises first authentication information and is used for requesting an authentication server to authenticate the terminal equipment according to the first authentication information; when the BRAS determines that the authentication server is in an abnormal state, the BRAS authenticates the terminal equipment according to the first authentication information; and the BRAS sends an authentication response message for indicating that authentication of the terminal equipment is completed to the terminal equipment.

Description

Method, device and system for authenticating terminal equipment

Technical Field

The embodiment of the invention relates to the technical field of communication, in particular to a method, a device and a system for authenticating terminal equipment.

Background

In a communication system, a terminal device can access a network after completing authentication at an authentication server in the network and communicate with other devices in the network.

Currently, in the process of authenticating a terminal device, the terminal device may send an authentication request message to a Broadband Remote Access Server (BRAS) in a network, and after the BRAS receives the authentication request message sent by the terminal device, the BRAS sends the authentication request message to an authentication Server in the network, and the authentication Server completes authentication of the terminal device. Generally, a main authentication server and a standby authentication server are deployed in a network, and when the main authentication server fails, the standby authentication server can replace the main authentication server to complete authentication of terminal equipment.

However, when the network status is poor or both the main authentication server and the standby authentication server in the network fail, the authentication server in the network may not successfully receive the authentication request message of the terminal device, and thus the authentication of the terminal device may not be completed.

Disclosure of Invention

The application provides a method, a device and a system for authenticating a terminal device, which can successfully finish the authentication of the terminal device.

In order to achieve the purpose, the technical scheme is as follows:

in a first aspect, the present application provides a method for authenticating a terminal device, which may include: the BRAS receives an authentication request message sent by the terminal equipment, wherein the authentication request message comprises first authentication information and is used for requesting an authentication server to authenticate the terminal equipment according to the first authentication information; when the BRAS determines that the authentication server is in an abnormal state, the BRAS authenticates the terminal equipment according to the first authentication information; and the BRAS sends an authentication response message for indicating completion of authentication of the terminal equipment to the terminal equipment.

According to the method for authenticating the terminal equipment, when the BRAS determines that the states of the authentication servers (including the main authentication server and the standby authentication server) in the network are abnormal, the BRAS can replace the authentication server to process the authentication request message sent by the terminal equipment, so that the BRAS does not need to send the authentication request message of the terminal equipment to the authentication server, and even if the states of the authentication servers in the network are abnormal, the terminal equipment can be successfully authenticated.

In a first optional implementation manner of the first aspect, the method for the BRAS to authenticate the terminal device according to the first authentication message may include: the BRAS compares the first authentication information with at least one group of authentication information sent to the BRAS by an authentication server; and the BRAS completes the authentication of the terminal equipment under the condition that the first authentication information is the same as second authentication information in the at least one group of authentication information, wherein the second authentication information is one group of authentication information in the at least one group of authentication information.

In the application, when the BRAS determines that the authentication server in the network is in an abnormal state, in order to ensure that the terminal device successfully passes the authentication and accesses the network, the BRAS does not send the received authentication request message to the authentication server any more, but completes the authentication of the terminal device. Specifically, the BRAS may compare the first authentication information with at least one group of authentication information sent to the BRAS by the authentication server, and determine whether the terminal device passes authentication according to a comparison result of the first authentication information and the at least one group of authentication information.

In a second optional implementation manner of the first aspect, the method for the BRAS to determine that the authentication server is in an abnormal state may include: the BRAS reads the value of the first identifier in the BRAS; in the case that the value of the first identifier is a first value used for indicating that the authentication server is in an abnormal state, the BRAS determines that the authentication server is in the abnormal state.

In the application, after receiving an authentication request message sent by a terminal device, a BRAS may read an identifier (hereinafter, referred to as a first identifier) value that is stored in the BRAS and may be used to indicate whether a state of an authentication server in a network is normal, and determine whether the authentication server is in a normal state according to the value of the first identifier, thereby selecting a suitable method for authenticating the terminal device according to the state of the authentication server.

In a third optional implementation manner of the first aspect, before the BRAS reads the value of the first identifier stored in the BRAS, the method for authenticating the terminal device provided by the present application may further include: the BRAS detects the state of the authentication server; in the case that the BRAS detects that the authentication server is in an abnormal state, the BRAS sets the value of a first identifier in the BRAS as a first value; in the case that the BRAS detects that the authentication server is in a normal state, the BRAS sets the value of the first identifier in the BRAS to a second value indicating that the authentication server is in a normal state.

In the application, the BRAS may detect a state of an authentication server in the network, and set a value of the first identifier in the BRAS according to a detection result, so that after the BRAS reads the value of the first identifier, the BRAS may obtain the state of the authentication server in the current network, and determine which device in the network authenticates the terminal device according to the state of the authentication server (i.e., whether the terminal device is authenticated by the authentication server or the BRAS).

In a fourth optional implementation manner of the first aspect, the method for the BRAS to detect the status of the authentication server may include: the BRAS sends a detection message for detecting the state of the authentication server to the authentication server; if the BRAS does not receive the response message of the detection message sent by the authentication server within the preset time period, the BRAS detects that the authentication server is in an abnormal state.

In the application, the BRAS sends the detection message to the authentication server for the BRAS to send the detection message to the authentication server for multiple times, so that the real state of the authentication server can be determined, and the problem that the state of the authentication server detected by the BRAS is low in accuracy due to the influence of accidental factors in a network can be solved.

In a fifth optional implementation manner of the first aspect, after the BRAS sends the authentication response message to the terminal device, the method for authenticating the terminal device provided by the present application may further include: counting the charging information of the terminal equipment by the BRAS, wherein the charging information comprises the flow information consumed by the terminal equipment in a preset time period; and the BRAS sends the accounting information to the authentication server.

In the application, after the terminal device accesses the network, in the process of transmitting data between the terminal device and other devices in the network (in the process of transmitting data, the terminal device may consume traffic in the network), the BRAS may count traffic information consumed by the terminal device within a preset time period, so as to calculate a cost generated by the traffic consumed after the terminal device accesses the network.

In a sixth optional implementation manner of the first aspect, the first authentication information may include at least one of a user name of a network to which the terminal device is to access, a password of the network, and location information of the terminal device, or the first authentication information may include at least one of a user name of the terminal device, a password of the terminal device, and location information of the terminal device.

In this application, when the terminal device authentication information (i.e., the first authentication information) includes at least one of a user name of a network to which the terminal device is to access, a password of the network, and location information of the terminal device, the terminal device may be authenticated according to any one, two, or three of the 3 types of information of the terminal device; when the first authentication information includes at least one of a user name of the terminal device, a password of the terminal device, and location information of the terminal device, the terminal device may be authenticated according to any one, two, or three of the 3 types of information of the terminal device.

In a seventh optional implementation manner of the first aspect, when the BRAS determines that the authentication server is in a normal state, the method for authenticating the terminal device provided by the present application may further include: the BRAS sends an authentication request message of the terminal equipment to an authentication server.

In the application, under the condition that the BRAS determines that the authentication server is in a normal state, the BRAS can send the authentication request message of the terminal equipment to the authentication server, and the authentication server completes authentication of the terminal equipment, so that the terminal equipment can access a network after the terminal equipment is successfully authenticated on the authentication server.

In a second aspect, the present application provides a method of authenticating a terminal device, which may include: the authentication server determines an Internet Protocol (IP) address of the BRAS, and the authentication server may send at least one set of authentication information for authenticating the terminal device to the BRAS according to the IP address of the BRAS, where the at least one set of authentication information is stored in the authentication server.

According to the method for authenticating the terminal equipment, the authentication server can send at least one group of authentication information stored in the authentication server to the BRAS according to the IP address of the BRAS, so that when the state of the authentication server is abnormal, the BRAS can compare the first authentication information in the authentication request message received by the BRAS with the at least one group of authentication information to finish the authentication of the terminal equipment, namely the BRAS can replace the authentication server to finish the authentication of the terminal equipment.

In a first optional implementation manner of the second aspect, when the BRAS determines that the authentication server is in a normal state, the method for authenticating the terminal device provided by the present application may further include: the method comprises the steps that an authentication server receives an authentication request message of terminal equipment sent by a BRAS, wherein the authentication request message is sent to the BRAS by the terminal equipment and comprises first authentication information; the authentication server authenticates the terminal equipment according to the first authentication information; and the authentication server transmitting an authentication response message for indicating completion of authentication of the terminal device to the terminal device.

According to the method for authenticating the terminal, when the BRAS determines that the authentication server in the network is in a normal state, the BRAS can send the authentication request message of the terminal equipment to the authentication server in the network, after the authentication server receives the authentication request message of the terminal equipment sent by the BRAS, the authentication server can authenticate the terminal equipment according to the first authentication information in the authentication request message, then the authentication server sends the authentication response message used for indicating that the authentication of the terminal equipment is finished to the terminal equipment, and therefore after the terminal equipment receives the authentication response message sent by the authentication server, the terminal equipment has the authority of accessing the network, and further the terminal equipment can access the network and communicate with other equipment in the network.

In a third aspect, the present application provides a BRAS, which may include: the device comprises a receiving module, a determining module, an authenticating module and a sending module. The receiving module is used for receiving an authentication request message sent by the terminal equipment, wherein the authentication request message comprises first authentication information and is used for requesting the authentication server to authenticate the terminal equipment according to the first authentication information; the determining module is used for determining that the authentication server is in an abnormal state; the authentication module is used for authenticating the terminal equipment according to the first authentication information in the authentication request message received by the receiving module; the sending module is used for sending an authentication response message to the terminal equipment, and the authentication response message is used for indicating that the terminal equipment is authenticated.

In a first optional implementation manner of the third aspect, the authentication module is specifically configured to compare the first authentication information with at least one group of authentication information sent by the authentication server to the BRAS, and the BRAS completes authentication on the terminal device when the first authentication information is identical to second authentication information in the at least one group of authentication information, where the second authentication information is one group of authentication information in the at least one group of authentication information.

In a second optional implementation manner of the third aspect, the determining module is specifically configured to read a value of the first identifier in the BRAS, and determine that the authentication server is in an abnormal state when the value of the first identifier is a first value used to indicate that the authentication server is in the abnormal state.

In a third optional implementation manner of the third aspect, the BRAS provided by the present application may further include a detection module, where the detection module is configured to detect a status of the authentication server before the determination module reads a value of the first identifier in the BRAS, and in a case where the detection module detects that the authentication server is in an abnormal state, the BRAS sets the value of the first identifier in the BRAS to a first value, and in a case where the detection module detects that the authentication server is in a normal state, the BRAS sets the value of the first identifier in the BRAS to a second value indicating that the authentication server is in a normal state.

In a fourth optional implementation manner of the third aspect, the detection module is specifically configured to send a probe packet for detecting a state of the authentication server to the authentication server, and if the detection module does not receive a response packet of the probe packet sent by the authentication server within a preset time period, the detection module detects that the authentication server is in an abnormal state.

In a fifth optional implementation manner of the third aspect, the authentication module may be further configured to count charging information of the terminal device after the sending module sends the authentication response message to the terminal device, where the charging information includes traffic information consumed by the terminal device within a preset time period; the sending module may be further configured to send the charging information to the authentication server.

In a sixth optional implementation manner of the third aspect, the first authentication information may include at least one of a user name of a network to which the terminal device is to access, a password of the network, and location information of the terminal device, or the first authentication information may include at least one of a user name of the terminal device, a password of the terminal device, and location information of the terminal device.

In a seventh optional implementation manner of the third aspect, when the determining module determines that the authentication server is in a normal state, the sending module may further be configured to send an authentication request message of the terminal device to the authentication server.

For technical effects of the third aspect and various alternative implementations thereof, reference may be made to the above description of the technical effects of the first aspect and various alternative implementations thereof, and details are not described here.

In a fourth aspect, the present application provides an authentication server that may include a determining module and a sending module. The determining module is used for determining the IP address of the BRAS; the sending module is used for sending at least one group of authentication information used for authenticating the terminal equipment to the BRAS according to the IP address of the BRAS, and the at least one group of authentication information is the authentication information stored in the authentication server.

In a first optional implementation manner of the fourth aspect, the authentication server provided by the present application may further include a receiving module and an authentication module. The receiving module is used for receiving an authentication request message of the terminal equipment sent by the BRAS when the BRAS determines that the authentication server is in a normal state, wherein the authentication request message is sent to the BRAS by the terminal equipment and comprises first authentication information; the authentication module is used for authenticating the terminal equipment according to the first authentication information; the sending module may be further configured to send, to the terminal device, an authentication response message indicating that authentication of the terminal device is completed.

For technical effects of the fourth aspect and various alternative implementations thereof, reference may be made to the above description of the technical effects of the second aspect and various alternative implementations thereof, which is not described herein again.

In a fifth aspect, the present application provides a BRAS that may include a processor and a memory coupled to the processor. The memory may be used to store computer instructions. When the BRAS is running, the processor executes the computer instructions stored by the memory to cause the BRAS to perform the method of authenticating a terminal device according to any one of the first aspect and its various alternative implementations.

In a sixth aspect, the present application provides a computer-readable storage medium that may include computer instructions. When the computer instructions are run on a BRAS, the BRAS is caused to perform the method of authenticating a terminal device as described in any one of the first aspect and its various alternative implementations.

In a seventh aspect, the present application provides a computer program product comprising computer instructions, which, when run on a BRAS, causes the BRAS to perform the method for authenticating a terminal device according to any one of the first aspect and its various alternative implementations.

For the description of the related contents and technical effects of the fifth aspect to the seventh aspect, reference may be made to the above description of the related contents and technical effects of the first aspect and various optional implementations thereof, and details are not repeated here.

In an eighth aspect, the present application provides an authentication server that may include a processor and a memory coupled to the processor. The memory may be used to store computer instructions. When the authentication server is running, the processor executes the computer instructions stored by the memory to cause the authentication server to perform the method of authenticating a terminal device as described in any one of the second aspect and its various alternative implementations.

In a ninth aspect, the present application provides a computer readable storage medium, which may include computer instructions. The computer instructions, when executed on an authentication server, cause the authentication server to perform the method of authenticating a terminal device as set forth in any one of the second aspect and its various alternative implementations above.

In a tenth aspect, the present application provides a computer program product comprising computer instructions which, when run on an authentication server, cause the authentication server to perform the method of authenticating a terminal device as described in the second aspect above and any of its various alternative implementations.

For the descriptions of the relevant contents and technical effects of the eighth aspect to the tenth aspect, reference may be made to the above description of the relevant contents and technical effects of the second aspect and various optional implementations thereof, which are not described herein again.

In an eleventh aspect, the present application provides a communication system, which may include a terminal device, a BRAS as described in any one of the above third aspect and its various optional implementations, and an authentication server as described in any one of the above fourth aspect and its various optional implementations.

Alternatively, the communication system may include a terminal device, the BRAS in the fifth aspect, and the authentication server in the eighth aspect.

For the related contents and technical effects of the eleventh aspect, reference may be made to the above-mentioned related descriptions of the third aspect and various alternative implementations thereof, and the related contents and technical effects of the fourth aspect and various alternative implementations thereof, which are not described herein again.

Drawings

Fig. 1 is a schematic architecture diagram of a communication system according to an embodiment of the present invention;

fig. 2 is a schematic diagram of a method for authenticating a terminal device according to an embodiment of the present invention;

fig. 3 is a schematic diagram illustrating a method for detecting a status of an authentication server according to an embodiment of the present invention;

fig. 4 is a first schematic structural diagram of a BRAS according to an embodiment of the present invention;

fig. 5 is a second schematic structural diagram of a BRAS according to an embodiment of the present invention;

fig. 6 is a first schematic structural diagram of an authentication server according to an embodiment of the present invention;

fig. 7 is a schematic structural diagram of an authentication server according to an embodiment of the present invention;

fig. 8 is a hardware schematic diagram of a BRAS according to an embodiment of the present invention;

fig. 9 is a hardware schematic diagram of an authentication server according to an embodiment of the present invention.

Detailed Description

The terms "first" and "second," and the like, in the description and in the claims of embodiments of the present invention are used for distinguishing between different objects and not for describing a particular order of the objects. For example, the first authentication information and the second authentication information are for distinguishing different authentication information, not for describing a specific order of the authentication information.

In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as examples, illustrations or descriptions. Any embodiment or design described as "exemplary" or "e.g.," an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.

In the description of the embodiments of the present invention, the meaning of "a plurality" means two or more unless otherwise specified. For example, the plurality of authentication servers refers to two or more authentication servers.

Currently, in the process of authenticating the terminal device, an authentication server in the network may process an authentication request message of the terminal device to complete authentication of the terminal device. Generally, a main authentication server and a standby authentication server are deployed in a network, and when the main authentication server fails, the standby authentication server can replace the main authentication server to complete authentication of terminal equipment. However, when the network status is poor or both the main authentication server and the standby authentication server in the network fail, the authentication server may not receive the authentication request message of the terminal device, and thus, the authentication of the terminal device may not be completed.

In order to solve the above problem, embodiments of the present invention provide a method, an apparatus, and a system for authenticating a terminal device, where a BRAS may receive an authentication request message sent by a terminal device, and when the BRAS determines that an authentication server in a network is in an abnormal state, the BRAS may authenticate the terminal device according to first authentication information in the authentication request message, and then send an authentication response message indicating that authentication of the terminal device is completed to the terminal device. Compared with the prior art, in the embodiment of the invention, when the BRAS determines that the states of the authentication servers (including the main authentication server and the standby authentication server) in the network are abnormal, the BRAS can process the authentication request message of the terminal equipment instead of the authentication server, so that the BRAS does not need to send the authentication request message of the terminal equipment to the authentication server, and the terminal equipment can be successfully authenticated even if the states of the authentication servers in the network are abnormal.

The method for authenticating a terminal device according to the embodiment of the present invention may be applied to a communication system, and as shown in fig. 1, is an architecture diagram of a communication system according to the embodiment of the present invention, where the communication system includes a terminal device 10, a BRAS 11, a master authentication server 12, a slave authentication server 13, and an access network device 14. The terminal device 10 is connected with the BRAS 11 through the access network device 14, and the BRAS 11 is connected with the main authentication server 12 and the standby authentication server 13. In general, BRAS 11 in the communication system may transmit an authentication request message, which it receives from terminal device 10, to primary authentication server 12, where primary authentication server 12 processes the authentication request message of terminal device 10. In the case of a failure of the primary authentication server 12, the secondary authentication server 13 may process the authentication request message of the terminal device 10 to complete the authentication of the terminal device; in the case of a poor network state or a failure in both the main authentication server 12 and the standby authentication server 13 (i.e. both the main authentication server 12 and the standby authentication server 13 are in an abnormal state), the BRAS 11 may process the authentication request message of the terminal device 10 to complete the authentication of the terminal device, so that the terminal device 10 may access the network to be accessed.

In this embodiment of the present invention, the access network device in the communication system shown in fig. 1 may include access network devices such as Customer Premises Equipment (CPE), an Optical Network Terminal (ONT), and an Optical Line Terminal (OLT).

It should be noted that, in the embodiment of the present invention, the communication system may include a plurality of BRAS, specifically, the number of BRAS in the communication system may be determined according to actual usage requirements, and the embodiment of the present invention is not limited.

In this embodiment of the present invention, the terminal device 10 shown in fig. 1 may be a mobile phone, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a Personal Digital Assistant (PDA), or the like.

In this embodiment of the present invention, the BRAS 11 in the communication system shown in fig. 1 may be an entity device or a virtual device, and may specifically be determined according to actual use requirements, which is not limited in this embodiment of the present invention.

In the following embodiments, each constituent component of the BRAS provided in the embodiments of the present invention will be described in detail.

In the embodiment of the present invention, the main authentication server 12 and the standby authentication server 13 shown in fig. 1 may be devices having the same configuration, or may be devices having different configurations. Assuming that the main authentication server 12 and the sub-authentication server 13 are devices having the same structure, the hardware structure of the authentication server according to the embodiment of the present invention will be described in detail in the following embodiments.

The method for authenticating a terminal device according to the embodiment of the present invention may be applied to a case where both a main authentication server and a standby authentication server (hereinafter, collectively referred to as an authentication server) in a network are in an abnormal state, and the following describes in detail the technical solution according to the embodiment of the present invention with reference to the communication system shown in fig. 1.

With reference to fig. 1 and as shown in fig. 2, a method for authenticating a terminal device according to an embodiment of the present invention may include:

s101, the terminal equipment sends an authentication request message to the BRAS.

In the embodiment of the invention, when a terminal device needs to access a network, after an authentication server in the network completes authentication of the terminal device, the terminal device has the authority of accessing the network, and further the terminal device can access the network and communicate with other devices in the network. In the process of authenticating the terminal device, the terminal device may carry the authentication information (i.e., the first authentication information) of the terminal device in an authentication request message and send the authentication request message to the BRAS in the network, and in the case that the authentication server in the network is in a normal state, the BRAS may send the authentication request message to the authentication server in the network, and the authentication server completes the authentication of the terminal device; in the case where the authentication server in the network is in an abnormal state, the BRAS may complete authentication of the terminal device instead of the authentication server.

The authentication request message includes authentication information of the terminal device (hereinafter, referred to as first authentication information), where the first authentication information includes at least one of a user name of a network to which the terminal device is to access, a password of the network, and location information of the terminal device, or the first authentication information may also be at least one of a user name of the terminal device, a password of the terminal device, and location information of the terminal device. The authentication request message may be used to request the authentication server to authenticate the terminal device according to the first authentication information.

S102, the BRAS receives the authentication request message sent by the terminal equipment.

S103, the BRAS determines whether the authentication server is in an abnormal state.

In the embodiment of the invention, after receiving an authentication request message sent by a terminal device, a BRAS can determine whether an authentication server in a network is in a normal state, and under the condition that the BRAS determines that the authentication server is in the normal state, the BRAS can send the authentication request message sent by a first terminal device to the authentication server, and the authentication server completes the authentication of the terminal device; in the case where the BRAS determines that the authentication server is in an abnormal state, the BRAS may complete authentication of the terminal device in place of the authentication server.

The following describes an exemplary method for authenticating a terminal device according to an embodiment of the present invention with an authentication server in an abnormal state and a normal state, respectively.

In the embodiment of the present invention, when the BRAS determines that the authentication server is in an abnormal state, as shown in fig. 2, the method for authenticating the terminal device according to the embodiment of the present invention may continue to execute the following S104 to S105 after the above S103; in the case where the BRAS determines that the authentication server is in the normal state, S106 to S109 described below may be continuously performed after S103 described above.

And S104, the BRAS authenticates the terminal equipment according to the first authentication information in the authentication request message.

In the embodiment of the invention, when the BRAS determines that the authentication server in the network is in an abnormal state, in order to ensure that the terminal equipment passes the authentication smoothly and accesses the network, the BRAS does not send the received authentication request message to the authentication server any more, but completes the authentication of the terminal equipment. Specifically, a module having the function of an authentication server (hereinafter referred to as an authentication module) may be provided in the BRAS, so that the authentication of the terminal device may be performed by the authentication module in the BRAS.

In the embodiment of the present invention, after receiving an authentication request message sent by a terminal device, a BRAS determines that an authentication server in a network is in an abnormal state, an authentication, authorization, and accounting (AAA) functional module in the BRAS may send a message (which may be referred to as a first request message for short) for requesting to start authentication to an authentication module in the BRAS, and the authentication module receives the first request message sent by the AAA functional module, and may reply a response message for accepting authentication to the AAA functional module, so that the authentication module in the BRAS may start to authenticate the terminal device according to the first authentication information.

S105, the BRAS sends an authentication response message to the terminal equipment.

In the embodiment of the invention, after the BRAS finishes the authentication of the terminal equipment according to the first authentication information, the BRAS can send an authentication response message for indicating that the authentication of the terminal equipment is finished to the terminal equipment, so that after the terminal equipment receives the authentication response message, the terminal equipment can know that the terminal equipment passes the authentication, and the terminal equipment can access the network and communicate with other equipment in the network.

In the method for authenticating the terminal device provided by the embodiment of the invention, the BRAS in the network can receive the authentication request message sent by the terminal device, and when the BRAS determines that the authentication server in the network is in an abnormal state, the BRAS can authenticate the terminal device according to the first authentication information in the authentication request message, and then the BRAS sends the authentication response message for indicating that the authentication of the terminal device is finished to the terminal device. Compared with the prior art, in the embodiment of the invention, when the BRAS determines that the states of the authentication servers (including the main authentication server and the standby authentication server) in the network are abnormal, the BRAS can process the authentication request message sent by the terminal equipment instead of the authentication server, so that the BRAS does not need to send the authentication request message sent by the terminal equipment to the authentication server any more, and the authentication of the terminal equipment can be successfully completed even if the states of the authentication servers in the network are abnormal.

Optionally, with reference to fig. 2, in the embodiment of the present invention, the S104 may be specifically implemented by S104a-S104 b:

s104a, the BRAS compares the first authentication information with at least one set of authentication information sent to the BRAS by the authentication server.

In the embodiment of the present invention, the method for the BRAS to authenticate the terminal device may be: the BRAS compares the first authentication information with at least one group of authentication information sent to the BRAS by the authentication server, and determines whether the terminal equipment passes the authentication according to the comparison result of the first authentication information and the at least one group of authentication information.

In an embodiment of the present invention, each of the at least one set of authentication information may include at least one of a user name of a network, a password of the network, and location information, or each set of authentication information may include at least one of a user name of a terminal device, a password of the terminal device, and location information, where the location information is location information of a terminal device allowed to access the network. For example, it is assumed that 5 sets of authentication information are stored in the authentication server, and each set of authentication information includes a user name of a network, a password of the network, and location information allowed by the network for the terminal device to access, and table 1 shows an example of at least one set of authentication information.

TABLE 1

	User name	Cipher code	Location information
				Group 1 authentication information	Name1	Password1	Region1
Group 2 authentication information	Name2	Password2	Region2
				Group 3 authentication information	Name3	Password3	Region3
Group 4 authentication information	Name4	Password4	Region4
				Group 5 authentication information	Name5	Password5	Region5

And S104b, in the case that the first authentication information is the same as the second authentication information in at least one group of authentication information, the BRAS completes the authentication of the terminal equipment.

The second authentication information is one group of authentication information in at least one group of authentication information sent to the BRAS by an authentication server in the network.

In the embodiment of the present invention, the BRAS compares the first authentication information with at least one group of authentication information sent to the BRAS by the authentication server, and when the first authentication information is the same as a certain group of authentication information (for example, the second authentication information) in the at least one group of authentication information, the BRAS completes authentication on the terminal device, that is, the terminal device passes authentication.

For example, in the embodiment of the present invention, if the first authentication information includes any one of a user name of a network (i.e., a network to which the terminal device is to access), a password of the network, and location information of the network, for example, the first authentication information includes a user name of the network, the BRAS completes authentication on the terminal device when the user name of the network in the first authentication information is the same as the user name of the network in the second authentication information. If the first authentication information includes any two items of the user name of the network, the password of the network and the location information of the network, for example, the first authentication information includes the user name of the network and the password of the network, the BARS completes the authentication of the terminal device when the user name of the network and the password of the network in the first authentication information are the same as those in the second authentication information. If the first authentication information comprises the user name of the network, the password of the network and the position information of the network, the BRAS completes the authentication of the terminal equipment when the user name of the network, the password of the network and the position information of the network in the first authentication information are the same as the user name of the network, the password of the network and the position information of the network in the second authentication information.

Optionally, in this embodiment of the present invention, when the first authentication information includes at least one of a user name of the terminal device, a password of the terminal device, and location information of the terminal device, each group of authentication information in at least one group of authentication information sent to the BRAS by the authentication server includes a user name of the terminal device, a password of the terminal device, and location information, the BRAS authenticates the terminal device according to the first authentication information, and the BRAS may determine that the terminal device is a terminal device that can access a certain network (i.e., the BRAS completes authentication of the terminal device), so that the terminal device can smoothly access the network. The method for the BRAS to authenticate the terminal device may refer to the method for authenticating the terminal device by using at least one of the user name of the network, the password of the network, and the location information, and is not described herein again.

In the embodiment of the present invention, when the BRAS determines that the authentication server is in the normal state, the method for authenticating the terminal device according to the embodiment of the present invention may continue to execute the following S106 to S109 after the step S103:

s106, the BRAS sends the authentication request message of the terminal equipment to the authentication server.

In the embodiment of the invention, when the authentication server in the network is in a normal state, the BRAS sends the received authentication request message sent by the terminal equipment to the authentication server, and the authentication server completes the authentication of the terminal equipment.

S107, the authentication server receives the authentication request message of the terminal equipment.

S108, the authentication server authenticates the terminal equipment according to the first authentication information in the authentication request message.

In the embodiment of the present invention, after the authentication server receives the authentication request message of the terminal device sent by the BRAS, the authentication server may compare the authentication information (i.e. the first authentication information) in the authentication request message with at least one set of authentication information stored in the authentication server, and when the first authentication information is the same as the second authentication information in the at least one set of authentication information, the authentication server completes the authentication of the terminal device.

It should be noted that, in the embodiment of the present invention, a method for the authentication server to authenticate the terminal device according to the first authentication information is similar to a method for the BRAS to authenticate the terminal device according to the first authentication information, and for other descriptions of S108, reference may be specifically made to the above description of S104, which is not described herein again.

S109, the authentication server sends an authentication response message to the terminal equipment.

In this embodiment of the present invention, the authentication response message is used to indicate that authentication of the terminal device is completed, the terminal device receives the authentication response message sent by the authentication server, and after accessing the network, during a data transmission process between the terminal device and a device in the network (during the data transmission process, the terminal device may consume traffic in the network), the authentication server may count traffic information consumed by the terminal device within a preset time period, so as to calculate a cost generated by the traffic consumed after the terminal device accesses the network.

In the method for authenticating the terminal device provided by the embodiment of the invention, the BRAS can receive the authentication request message sent by the terminal device, and when the BRAS determines that the authentication server in the network is in a normal state, the BRAS can send the authentication request message to the authentication server in the network, the authentication server can authenticate the terminal device according to the first authentication information in the authentication request message, and then the authentication server sends the authentication response message used for indicating that the authentication of the terminal device is completed to the terminal device, so that after the terminal device receives the authentication response message sent by the authentication server, the terminal device has the authority of accessing the network, and further the terminal device can access the network and communicate with other devices in the network.

In summary, in the embodiment of the present invention, whether the authentication server in the network is in the normal state or the abnormal state, the method for authenticating the terminal device provided in the embodiment of the present invention can successfully complete the authentication of the terminal device, so that the terminal device can be ensured to be successfully accessed to the network.

Optionally, with reference to fig. 2, in the embodiment of the present invention, the step S103 may be specifically implemented by steps S103a to S103 b:

s103a, the BRAS reads the value of the first identifier stored in the BRAS.

In the embodiment of the present invention, the BRAS stores an identifier (hereinafter, referred to as a first identifier) that can be used to indicate whether the status of the authentication server in the network is normal, and after the BRAS receives the authentication request message sent by the terminal device, the BRAS may read the value of the first identifier, and determine whether the authentication server is in the normal status according to the value of the first identifier.

S103b, BRAS determines whether the authentication server is in abnormal state according to the value of the first identifier.

In this embodiment of the present invention, the first value may be used to indicate that the authentication server is in an abnormal state, and when the value of the first identifier read by the BRAS is the first value, the BRAS may determine that the authentication server is in the abnormal state, and then the BRAS does not need to send the authentication request message of the terminal device to the authentication server, but the BRAS processes the authentication request message, for example, the BRAS completes authentication on the terminal device according to the first authentication information in the authentication request message.

Optionally, before the step S103a (that is, the BRAS reads the value of the first identifier in the BRAS), the method for authenticating the terminal device according to the embodiment of the present invention may further include steps S110 to S111:

s110, the BRAS detects the status of the authentication server in the network.

In the embodiment of the invention, the BRAS can detect the state of the authentication server in the network and determine which equipment in the network authenticates the terminal equipment according to the state of the authentication server. Specifically, when the BRAS detects that the authentication server is in a normal state, the BRAS sends an authentication request message of the terminal equipment to the authentication server, and the authentication server completes authentication of the terminal equipment; in the case that the BRAS detects that the authentication server is in an abnormal state, the BRAS can replace the authentication server to finish the authentication of the terminal equipment.

In the embodiment of the invention, because the state of the network may change and the state of the authentication server in the network may also change along with the change of the state of the network, in order to accurately determine the state of the authentication server, the BRAS can periodically detect the state of the authentication server, so that the BRAS can accurately decide the method for authenticating the terminal device according to the real-time state of the authentication server (namely, determine whether the terminal device is authenticated by the authentication server or the BRAS replaces the authentication server to authenticate the terminal device).

S111 and BRAS sets the value of the first identifier.

In the embodiment of the invention, the BRAS can set the first identifier in the BRAS according to the result of the state of the authentication server detected by the BRAS, so that after the BRAS receives the authentication request message sent by the terminal equipment, the BRAS can determine the state of the authentication server in the network by reading the value of the first identifier stored in the current BRAS.

It should be noted that the execution order of S101-S102 and S110-S111 may not be limited in the embodiments of the present invention. That is, in the embodiment of the present invention, S101 to S102 may be executed first, and then S110 to S111 may be executed; or S110-S111 can be executed first, and then S101-S102 can be executed; S101-S102 and S110-S111 may also be performed simultaneously.

In the embodiment of the invention, in the following two different cases (respectively marked as S111a and S111b), the BRAS can set the value of the first identifier to two different values, namely the S111 can be replaced by S111a or S111 b.

S111a, in case the BRAS detects that the authentication server is in an abnormal state, the BRAS sets the value of the first flag in the BRAS to a first value.

In the embodiment of the invention, the BRAS sets the value of the first identifier as the first value, so that when the BRAS reads that the value of the first identifier is the first value, the BRAS can determine that the authentication server in the network is in an abnormal state.

For example, in the embodiment of the present invention, the first value may be set to "0" or "1". For example, the first value may be set to "0", and when the value of the first identifier read by the BRAS is "0", it indicates that the authentication server in the network is in an abnormal state; the first value may also be set to "1", and when the value of the first identifier read by the BRAS is "1", it indicates that the authentication server in the network is in an abnormal state. Of course, the first value may be set by using other values meeting the actual use requirement in the embodiment of the present invention, which is not listed in the embodiment of the present invention.

S111b, in case the BRAS detects that the authentication server is in a normal state, the BRAS sets the value of the first identifier in the BRAS to a second value.

The second value may be used to indicate that the authentication server is in a normal state.

In the embodiment of the invention, the BRAS sets the value of the first identifier as the second value, so that when the BRAS reads that the value of the first identifier is the second value, the BRAS can determine that the authentication server in the network is in an abnormal state.

For example, in the embodiment of the present invention, the second value may be set to "0" or "1". For example, the second value may be set to "0", and when the value of the first identifier read by the BRAS is "0", it indicates that the authentication server in the network is in a normal state; the second value may also be set to "1", and when the value of the first identifier read by the BRAS is "1", it indicates that the authentication server in the network is in a normal state. Of course, the embodiment of the present invention may also use other values meeting the actual use requirement to set the second value, and the embodiments of the present invention are not listed one by one.

It should be noted that, in the embodiment of the present invention, the first value and the second value may be set to different values. For example, in conjunction with the above description of S111a and S111b, if the first value is set to "0" indicating that the authentication server is in an abnormal state, the second value may be set to "1" indicating that the authentication server is in a normal state; if the first value is set to "1" indicating that the authentication server is in an abnormal state, the second value may be set to "0" indicating that the authentication server is in a normal state.

In this embodiment of the present invention, S110 may specifically be implemented by S110 a:

s110a, BRAS sends detection message to authentication server.

In the embodiment of the present invention, the method for detecting the state of the authentication server by the BRAS may be: the BRAS sends a detection message to the authentication server, and determines whether the authentication server is in a normal state or an abnormal state according to whether the BRAS receives a response message of the detection message.

For example, after the BRAS sends the probe message to the authentication server, if the BRAS does not receive a response message of the probe message sent by the authentication server within a preset time period, the BRAS detects that the authentication server is in an abnormal state, so that the BRAS sets a value of a first identifier in the BRAS to be a first value; if the BRAS receives a response message of the detection message sent by the authentication server within a preset time period, the BRAS detects that the authentication server is in a normal state, and therefore the BRAS sets the value of the first identifier in the BRAS to be a second value.

Optionally, in the embodiment of the present invention, in the process of detecting the state of the authentication server each time, after the BRAS sends the probe packet to the authentication server, if the BRAS does not receive the response message of the probe message within a preset time period (hereinafter referred to as a first preset time period), the BRAS may resend the probe message to the authentication server for multiple times (for example, N times, where N is greater than or equal to 1), after the BRAS resends the probe message to the authentication server every time, the BRAS does not receive the response message of the authentication server within a certain time period (which can be a time period set according to actual use requirements and is less than the first preset time period) until the nth time, after the BRAS resends the detection message to the authentication server, if the BRAS still does not receive the response message sent by the authentication server, the BRAS can determine that the authentication server is in an abnormal state.

It should be noted that, in the embodiment of the present invention, in the process that the BRAS retransmits the probe packet to the authentication server N times, after the BRAS retransmits the probe packet to the authentication server each time, a time for the BRAS to wait for a response packet of the probe packet may be a period of time smaller than the first preset time period, which may be specifically set according to actual use requirements, and the embodiment of the present invention is not limited.

For example, as shown in fig. 3, assuming that the BRAS does not receive a response message of the probe message within a first preset time period (assuming that the first preset time period is 60 seconds (s)) after the BRAS sends the probe message to the authentication server, the BRAS may resend the probe message to the authentication server (as illustrated in fig. 3 by M0). Assuming that the number of times that the BRAS retransmits the probe packet to the authentication server is 5, a process of the BRAS retransmitting the probe packet to the authentication server is specifically described below with reference to fig. 3:

1 st retransmission: the BRAS may wait for 2s again if the BRAS does not receive the response message within the first preset time period, and if the BRAS does not receive the response message within the 2s yet, the BRAS resends the probe message to the authentication server 1 st time after 2s (fig. 3 is exemplified by M1).

2 nd retransmission: after the BRAS resends the probe message to the authentication server for the 1 st time, if the BRAS does not receive the response message within 4s, the BRAS resends the probe message to the authentication server for the 2 nd time after 4s (fig. 3 is exemplified by M2).

Retransmission at 3 rd time: after the BRAS resends the probe message to the authentication server 2 nd time, if the BRAS does not receive the response message within 8s, the BRAS resends the probe message to the authentication server 3 rd time after 8s (illustrated in fig. 3 as M3).

4 th retransmission: after the BRAS resends the probe message to the authentication server 3 rd time, if the BRAS does not receive the response message within 16s, the BRAS resends the probe message to the authentication server 4 th time after 16s (illustrated in fig. 3 as M4).

Retransmission at 5: after 4 th time, if the BRAS does not receive the response message in 32s, the BRAS resends the probe message to the authentication server 5 th time after 32s (fig. 3 is exemplified by M5).

Within 2s after the BRAS resends the probe message to the authentication server for the 5 th time, if the BRAS still does not receive a response message of the probe message, the BRAS may determine that the authentication server is in an abnormal state (illustrated as M6 in fig. 3).

It should be noted that in the embodiment of the present invention, in the process that the BRAS retransmits the probe packet to the authentication server, after any one of the BRAS retransmits the probe packet to the authentication server, in a time period in which the BRAS waits for a response packet of the probe packet, if the BRAS receives the response packet of the probe packet, the BRAS determines that the authentication server is in a normal state, and the BRAS stops retransmitting the probe packet to the authentication server.

In the embodiment of the present invention, in the process of detecting the state of the authentication server each time, because some accidental factors may exist in the network (for example, congestion temporarily occurs in the network), the BRAS may not receive the response packet of the probe packet within a preset time period, but the BRAS may receive the response packet of the probe packet within a period of time exceeding the preset time period, in this case, because the state of the authentication server in the network is not abnormal, in order to accurately detect the state of the authentication server, in the embodiment of the present invention, the BRAS may send the probe packet to the authentication server multiple times to determine the true state of the authentication server, so that a problem that the accuracy of the state of the authentication server detected by the BRAS is low due to the influence of the accidental factors in the network may be avoided.

Optionally, in the embodiment of the present invention, with reference to fig. 2, in a case that the BRAS determines that the authentication server is in an abnormal state, after the above S105, the method for authenticating the terminal device according to the embodiment of the present invention may further include S112 to S113:

and S112, the BRAS counts the charging information of the terminal equipment.

The charging information comprises flow information consumed by the terminal equipment in a preset time period.

In the embodiment of the invention, after the terminal device accesses the network, in the process of transmitting data between the terminal device and other devices in the network (in the process of transmitting data, the terminal device consumes the traffic in the network), the BRAS can count the traffic information consumed by the terminal device within a preset time period, so as to calculate the cost generated by the traffic consumed after the terminal device accesses the network. Specifically, after the terminal device accesses the network, the AAA functional module in the BRAS may send a message (which may be referred to as a second request message for short) to the authentication module in the BRAS, where the message is used to request the authentication module to start charging, the authentication module receives the second request message sent by the AAA functional module, and the authentication module receives a response message returned by the AAA functional module and accepting charging, so that the authentication module in the BRAS may start accounting the charging information of the terminal device.

It should be noted that, in the embodiment of the present invention, the BRAS may count the charging information of the terminal device in a period of time from when the terminal device accesses the network to when the terminal device exits the network.

In the embodiment of the present invention, the preset time period may be set according to actual requirements, and the embodiment of the present invention is not particularly limited.

Optionally, in this embodiment of the present invention, the charging information of the terminal device further includes other information, such as a charging identifier of the terminal device, a Media Access Control (MAC) address of the terminal device, and location information of the terminal device, which is not listed in this embodiment of the present invention.

S113, BRAS sends charging information to the authentication server.

In the embodiment of the invention, the BRAS can temporarily store the statistical charging information in the BRAS, when the BRAS detects that the state of the authentication server in the network is normal, the BRAS can send the charging information to the authentication server, and the authentication server sends the charging information to the server of the operator, so that the server of the operator can calculate the cost generated by the consumed flow after the terminal equipment is accessed into the network.

Optionally, in the embodiment of the present invention, after counting the charging information of the terminal device, the BRAS may send the charging information to the authentication server. Specifically, the following three cases (these three cases are respectively referred to as A, B and C) respectively describe the process of the BRAS sending the charging information to the authentication server.

A. Before the terminal equipment does not exit the network, the BRAS detects that the authentication server is in a normal state.

In the embodiment of the present invention, in the case that the BRAS detects that the authentication server is in a normal state before the terminal device has not exited the network, the method for the BRAS to send the charging information to the authentication server may be any one of the following a1, a2, and A3.

A1: the BRAS immediately sends the accounting information which the BRAS has counted to the authentication server.

A2: the BRAS sends the accounting information counted by the BRAS to the authentication server at intervals.

A3: after the terminal equipment exits the network, the BRAS sends the accounting information of a period of time from the time when the terminal equipment starts accessing the network to the time when the terminal equipment exits the network to the authentication server.

B. Before the terminal equipment exits the network, the BRAS detects that the authentication server is in an abnormal state, and after the terminal equipment exits the network, the BRAS detects that the authentication server is in a normal state.

In the embodiment of the present invention, in the case described in B, when the authentication server is in a normal state, the BRAS may send the accounting information of a period of time from when the terminal device starts accessing the network to when the terminal device exits the network, to the authentication server.

C. After the terminal equipment exits the network, the BRAS detects that the authentication server is still in an abnormal state.

In the embodiment of the present invention, after the terminal device exits the network, when the BRAS detects that the authentication server is still in an abnormal state, the method for the BRAS to send the charging information may be C1 or C2 described below.

C1: the BRAS temporarily stores the accounting information of a period of time from the time when the BRAS accesses the network to the time when the terminal equipment exits the network, and when the BRAS detects that the authentication server is in a normal state, the BRAS sends the accounting information to the authentication server.

C2: the BRAS sends the accounting information of the terminal device counted by the BRAS to a server of an operator in a period from the time when the BRAS accesses the network to the time when the BRAS exits the network.

It should be noted that, in the embodiment of the present invention, after the BRAS detects that the authentication server recovers to the normal state, when the BRAS receives the authentication request message sent by another terminal device, the BRAS may not need to replace the authentication server to authenticate the terminal devices, that is, the BRAS may send the authentication request message of the terminal devices to the authentication server, the authentication server completes authentication of the terminal devices, and the authentication server may count the charging information of the terminal devices.

Optionally, the method for authenticating the terminal device provided in the embodiment of the present invention may further include S201 to S203:

s201, the authentication server determines the IP address of the BRAS.

S202, the authentication server sends at least one group of authentication information to the BRAS according to the IP address of the BRAS.

S203, the BRAS receives at least one group of authentication information sent by the authentication server.

In the embodiment of the invention, before the BRAS takes the place of the authentication server to authenticate the terminal equipment, when the authentication server is in a normal state, the authentication server can send at least one group of authentication information stored in the authentication server to the BRAS according to the IP address of the BRAS stored in the authentication server, so that when the state of the authentication server is abnormal, the BRAS can compare the first authentication information in the authentication request message received by the BRAS with the at least one group of authentication information to finish the authentication of the terminal equipment, namely the BRAS can take the place of the authentication server to finish the authentication of the terminal equipment.

In this embodiment of the present invention, at least one set of authentication information stored in the authentication server may be stored in the authentication server for the user, or may be sent to the authentication server by the server of the operator (the server of the operator stores the authentication information registered by the terminal device).

It should be noted that, in the embodiment of the present invention, when the authentication information in the authentication server is updated, the authentication server may further send the updated authentication information to the BRAS. For example, when a certain group or groups of authentication information in the authentication server changes (for example, when the password of the network in the certain group or groups of authentication information is modified), the authentication server may send the group or groups of authentication information to the BRAS; or one or more groups of new authentication information are added in the authentication server, and the authentication server can send the added group or groups of new authentication information to the BRAS.

Optionally, in the embodiment of the present invention, an IP address of a BRAS may be stored in an authentication server in advance, and an IP address of the authentication server is stored in a BRAS at the same time, so that the authentication server may send data to the BRAS according to the IP address of the BRAS, when the BRAS determines that the IP address of the authentication server is stored in the BRAS, the BRAS receives and processes the data sent by the authentication server, and when the BRAS does not store the IP address of the authentication server, the BRAS rejects to receive the data sent by the authentication server, and the BRAS does not need to process the data sent by the authentication server, so that resources of the BRAS may be saved; similarly, the BRAS can send data to the authentication server according to the IP address of the authentication server, when the authentication server determines that the IP address of the BRAS is stored in the authentication server, the authentication server receives and processes the data sent by the BRAS, and when the IP address of the BRAS is not stored in the authentication server, the authentication server refuses to receive the data sent by the BRAS, the authentication server does not need to process the data sent by the BRAS, so that the resources of the authentication server can be saved.

It should be noted that, in the embodiment of the present invention, the communication system may include multiple BRASs and multiple authentication servers, and the multiple BRASs and the multiple authentication servers may authenticate different terminal devices. For example, it is assumed that there are 10 terminal devices (respectively denoted as terminal device 1, terminal device 2, …, and terminal device 10), 2 BRAS (which may be respectively denoted as a first BRAS and a second BRAS), and 3 authentication servers (which may be respectively denoted as a first authentication server, a second authentication server, and a third authentication server, where the first authentication server and the second authentication server are master authentication servers, and the third authentication server is a slave authentication server) in the communication system. Assuming that the first BRAS is responsible for receiving authentication request messages of the terminal devices 1 to 5, the terminal devices 1 to 5 may send respective authentication request messages to the first BRAS, the first BRAS sends the authentication request messages received by the first BRAS to the first authentication server, and the authentication request messages are processed by the first authentication server, and the first authentication server stores authentication information of the terminal devices 1 to 5, and when states of the main authentication server and the standby authentication server in the network are abnormal, in order to ensure that the terminal devices successfully complete authentication of the terminal devices, the first authentication server may send the authentication information of the terminal devices 1 to 5 to the first BRAS, so that the first BRAS may replace the first authentication server to complete authentication of the terminal devices 1 to 5.

Assuming that the second BRAS is responsible for receiving the authentication request messages from the terminal device 6 to the terminal device 10, the terminal device 6 to the terminal device 10 may send the respective authentication request messages to the second BRAS, the second BRAS sends the authentication request messages received by the second BRAS to the second authentication server, and the second authentication server processes the authentication request messages, and the authentication information from the terminal device 6 to the terminal device 10 is stored in the second authentication server, and when the states of the master authentication server and the slave authentication server in the network are abnormal, in order to ensure that the terminal device successfully completes the authentication of the terminal device, the second authentication server may send the authentication information from the terminal device 6 to the terminal device 10 to the second BRAS, so that the second BRAS may replace the second authentication server to complete the authentication of the terminal device 6 to the terminal device 10.

It should be noted that, in the embodiment of the present invention, in the process of authenticating the terminal device, when the main authentication server fails, the standby authentication server may be used to complete authentication of the terminal device instead of the main authentication server.

The above-mentioned scheme provided by the embodiment of the present invention is introduced mainly from the perspective of interaction between network elements. It is to be understood that each network element, for example, BRAS, authentication server, etc., contains corresponding hardware structures and/or software modules for performing each function in order to implement the above functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

According to the method, functional modules of the BRAS, the authentication server and the like can be divided, for example, the functional modules can be divided corresponding to the functions, or two or more functions can be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, the division of the modules in the embodiment of the present invention is schematic, and is only a logic function division, and there may be another division manner in actual implementation.

In the case of dividing each functional module by corresponding functions, fig. 4 shows a possible structural diagram of the BRAS involved in the above embodiment. As shown in fig. 4, the BRAS may include: a receiving module 20, a determining module 21, an authenticating module 22 and a sending module 23. The receiving module 20 may be configured to support the BRAS to perform S102 and S203 in the foregoing method embodiment; the determination module 21 may be configured to support the BRAS to perform S103 (including S103a-S103b) in the above method embodiments; the authentication module 22 may be used to support the BRAS to perform the S104 (including S104a-S104b) and S112 in the above-described method embodiments; the sending module 23 is configured to support the BRAS to perform S105, S106, and S113 in the foregoing method embodiment. As shown in fig. 4, the BRAS provided in the embodiment of the present invention may further include a detection module 24, where the detection module 24 may be configured to support the BRAS to perform S110 (including S110a) and S111 (including S111a or S111b) in the foregoing method embodiment. All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, which is not described herein again.

In the case of an integrated unit, fig. 5 shows a schematic diagram of a possible structure of the BRAS involved in the above-described embodiment. As shown in fig. 5, a BRAS may include: a processing module 30 and a communication module 31. The processing module 30 may be used to control and manage the actions of the BRAS, for example, the processing module 30 may be used to support the BRAS to perform S103 (including S103a-S103b), S104 (including S104a-S104b), S110 (including S110a), S111 (including S111a or S111b), and S112 in the above-described method embodiments, and/or other processes for the techniques described herein. The communication module 31 may be used to support the BRAS to communicate with other network entities, for example, the communication module 31 may be used to support the BRAS to perform S102, S105, S106, S113 and S203 in the above method embodiments. Optionally, as shown in fig. 5, the BRAS may further include a storage module 32 for storing program codes and data of the BRAS.

The processing module 30 may be a processor or a controller, and may be, for example, a Central Processing Unit (CPU), a general purpose processor, a Digital Signal Processor (DSP), an application-specific integrated circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or execute the various illustrative logical blocks, modules, and circuits described in connection with the embodiment disclosure. The processor described above may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs and microprocessors, and the like. The communication module 31 may be a transceiver, a transceiving circuit or a communication interface, etc. The storage module 32 may be a memory.

Fig. 6 shows a possible structure diagram of the authentication server in the above embodiment, in the case of dividing each functional module by corresponding functions. As shown in fig. 6, the authentication server may include: a determination module 40 and a sending module 41. The determining module 40 may be configured to support the authentication server to execute S201 in the foregoing method embodiment; the sending module 41 may be configured to support the authentication server to execute S109 and S202 in the above method embodiment. Optionally, as shown in fig. 6, the authentication server may further include a receiving module 42 and an authentication module 43. The receiving module 42 may be configured to support the authentication server to execute S107 in the above method embodiment; the authentication module 42 is used to support the authentication server to execute S108 in the above method embodiment. All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, which is not described herein again.

In the case of an integrated unit, fig. 7 shows a schematic diagram of a possible configuration of the authentication server involved in the above-described embodiment. As shown in fig. 7, the authentication server may include: a processing module 50 and a communication module 51. The processing module 50 may be used to control and manage the actions of the authentication server, for example, the processing module may be used to support the authentication server to execute S108 and S201 in the above method embodiments. The communication module 51 may be used to support the authentication server to communicate with other network entities, for example, the communication module 51 may be used to support the authentication server to perform S107, S109 and S202 in the above-described method embodiments. Optionally, as shown in fig. 7, the authentication server may include a storage module 52 for storing program codes and data of the authentication server.

The processing module 50 may be a processor or controller, and may be, for example, a CPU, a general purpose processor DSP, an ASIC, an FPGA, or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or execute the various illustrative logical blocks, modules, and circuits described in connection with the embodiment disclosure. The processor described above may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs and microprocessors, and the like. The communication module 51 may be a transceiver, a transceiving circuit or a communication interface, etc. The storage module 52 may be a memory.

In the embodiment of the present invention, the terminal device may also adopt each functional module divided corresponding to each function or adopt an integrated unit to implement, and specifically, each functional module or integrated unit may execute each method step executed by the terminal device in the above method embodiments, and details are not described here.

Fig. 8 shows a hardware schematic diagram of a BRAS (when the BRAS is an entity device) in the foregoing embodiment, and as shown in fig. 8, the BRAS provided in the embodiment of the present invention includes: processor 60, memory 61, and interface 62. The various component parts of the BRAS are illustratively described below.

The processor 60 is used for the BRAS to process the access protocol, process the data packet received by the BRAS and manage each interface module, and can complete the authentication of the terminal device when the terminal device accesses the network. In the embodiment of the present invention, the processor 60 may be configured to support the BRAS to perform S103 (including S103a-S103b), S104 (including S104a-S104b), S110 (including S110a), S111 (including S111a or S111b), and S112 in the foregoing method embodiment, and/or other processes for the technology described herein, that is, the processor 60 may complete all the steps performed by the processing module 30 shown in fig. 5.

The memory 61 is used for storing the configuration of the BRAS, the operating system, protocol software and the like. The BRAS may include various memories such as Read Only Memory (ROM), Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), and flash Memory (flash).

The interface 62 is used for BRAS to send and receive data messages. The types of commonly used interfaces in the BRAS at present include an ethernet interface, an Asynchronous Transfer Mode (ATM) interface, and the like. In this embodiment of the present invention, the interface 62 may be configured to support the BRAS to perform S102, S105, S106, S113, and S203 in the foregoing method embodiment, that is, the interface 62 may complete all the steps performed by the communication module 31 shown in fig. 5.

Fig. 9 shows a hardware schematic diagram of the authentication server in the foregoing embodiment, and as shown in fig. 9, the authentication server provided in the embodiment of the present invention may include: a processor 70, a memory 71 and a communication interface 72.

The processor 70 is a core component of the authentication server and is used for running an operating system of the authentication server and application programs (including system application programs and third party application programs) installed on the authentication server. In this embodiment of the present invention, the processor 70 may support the authentication server to execute S108 and S201 in the above method embodiment, that is, the processor 70 may complete all the steps executed by the processing module 50 shown in fig. 7.

In this embodiment of the present invention, the processor 70 may specifically be a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, which may implement or execute various exemplary logic blocks, modules and circuits described in the disclosure of this embodiment of the present invention; a processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, a DSP and a microprocessor, or the like.

The memory 71 is used to store program codes and data of the authentication server.

In the embodiment of the present invention, the memory 71 may specifically include a volatile memory (volatile memory), such as a RAM; the memory may also include a non-volatile memory (non-volatile memory), such as a ROM, a flash memory (flash memory), a hard disk (HDD) or a solid-state disk (SSD); the memory may also comprise a combination of memories of the kind described above.

The communication interface 72 is an interface circuit for the authentication server to communicate with other devices, and may be a transceiver, a transceiver circuit, or other structures having a transceiver function, and includes a serial communication interface and a parallel communication interface. In this embodiment of the present invention, the communication interface 72 may be configured to support the authentication server to perform S107, S109, and S202 in the above method embodiment, that is, the communication interface 72 may complete all the steps performed by the communication module 51 in fig. 7.

In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented using a software program, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the flow or functions according to embodiments of the invention, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device including one or more available media integrated servers, data centers, and the like. The usable medium may be a magnetic medium (e.g., floppy disk, magnetic tape), an optical medium (e.g., Digital Video Disk (DVD)), or a semiconductor medium (e.g., SSD)), among others.

Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.

In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: flash memory, removable hard drive, read only memory, random access memory, magnetic or optical disk, and the like.

The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method of authenticating a terminal device, comprising:

the broadband remote access server BRAS detects the state of an authentication server in a network;

the BRAS sets the value of a first identifier in the BRAS to be a first value when the BRAS detects that the authentication server is in an abnormal state;

under the condition that the BRAS detects that the authentication server is in a normal state, the BRAS sets the value of the first identifier in the BRAS to be a second value, and the second value is used for indicating that the authentication server is in the normal state;

the BRAS receives an authentication request message sent by terminal equipment, wherein the authentication request message comprises first authentication information and is used for requesting an authentication server to authenticate the terminal equipment according to the first authentication information;

when the BRAS determines that the numerical value of the first identifier is the first numerical value, the BRAS authenticates the terminal equipment according to the first authentication information;

the BRAS sends an authentication response message to the terminal equipment, wherein the authentication response message is used for indicating that the terminal equipment is authenticated;

the BRAS detects the status of the authentication server, including:

the BRAS sends a detection message to the authentication server, and the detection message is used for detecting the state of the authentication server;

the method for the BRAS to detect that the authentication server is in an abnormal state comprises the following steps:

if the BRAS does not receive the response message of the detection message sent by the authentication server within a preset time period, the BRAS detects that the authentication server is in an abnormal state.

2. The method of claim 1, wherein the BRAS authenticates the terminal device according to the first authentication information, and comprises:

the BRAS compares the first authentication information with at least one group of authentication information, and the at least one group of authentication information is the authentication information sent to the BRAS by the authentication server;

and under the condition that the first authentication information is the same as second authentication information in the at least one group of authentication information, the BRAS completes authentication on the terminal equipment, wherein the second authentication information is one group of authentication information in the at least one group of authentication information.

3. The method according to claim 1 or 2, characterized in that after the BRAS sends an authentication response message to the terminal device, the method further comprises:

the BRAS counts the charging information of the terminal equipment, wherein the charging information comprises the flow information consumed by the terminal equipment in a preset time period;

and the BRAS sends the charging information to the authentication server.

4. The method according to claim 1 or 2,

the first authentication information includes at least one of a user name of a network to which the terminal device is to access, a password of the network, and location information of the terminal device, or,

the first authentication information includes at least one of a user name of the terminal device, a password of the terminal device, and location information of the terminal device.

5. A broadband remote access server, BRAS, comprising: the device comprises a detection module, a receiving module, a determining module, an authentication module and a sending module;

the detection module is used for detecting the state of an authentication server, and the BRAS sets the value of a first identifier in the BRAS to be a first value when the detection module detects that the authentication server is in an abnormal state, and sets the value of the first identifier in the BRAS to be a second value when the detection module detects that the authentication server is in a normal state, wherein the second value is used for indicating that the authentication server is in a normal state;

the receiving module is configured to receive an authentication request message sent by a terminal device, where the authentication request message includes first authentication information, and the authentication request message is used to request an authentication server to authenticate the terminal device according to the first authentication information;

the determining module is used for determining that the authentication server is in an abnormal state;

the authentication module is used for authenticating the terminal equipment according to the first authentication information in the authentication request message received by the receiving module when the determining module determines that the authentication server is in an abnormal state;

the sending module is configured to send an authentication response message to the terminal device, where the authentication response message is used to indicate that authentication of the terminal device is completed;

the determining module is specifically configured to read a numerical value of a first identifier in the BRAS, and determine that the authentication server is in an abnormal state when the numerical value of the first identifier is a first numerical value, where the first numerical value is used to indicate that the authentication server is in the abnormal state;

the detection module is specifically configured to send a detection message to the authentication server, and if the detection module does not receive a response message of the detection message sent by the authentication server within a preset time period, the detection module detects that the authentication server is in an abnormal state, where the detection message is used to detect a state of the authentication server.

6. The BRAS of claim 5,

the authentication module is specifically configured to compare the first authentication information with at least one group of authentication information, and when the first authentication information is the same as second authentication information in the at least one group of authentication information, the BRAS completes authentication on the terminal device, where the at least one group of authentication information is sent to the BRAS by the authentication server, and the second authentication information is one group of authentication information in the at least one group of authentication information.

7. The BRAS of claim 5 or 6,

the authentication module is further configured to count charging information of the terminal device after the sending module sends an authentication response message to the terminal device, where the charging information includes traffic information consumed by the terminal device within a preset time period;

the sending module is further configured to send the charging information to the authentication server.

8. The BRAS of claim 5 or 6,

the first authentication information includes at least one of a user name of a network to which the terminal device is to access, a password of the network, and the terminal device location information, or,

the first authentication information includes at least one of a user name of the terminal device, a password of the terminal device, and location information of the terminal device.

9. A Broadband Remote Access Server (BRAS) is characterized by comprising a processor and a memory coupled with the processor;

the memory is used for storing computer instructions, and when the BRAS runs, the processor executes the computer instructions stored by the memory so as to cause the BRAS to execute the method for authenticating the terminal equipment according to any one of claims 1 to 4.

10. A computer readable storage medium, comprising computer instructions which, when run on a broadband remote access server, BRAS, cause the BRAS to perform the method of authenticating a terminal device according to any one of claims 1 to 4.

11. A communication system, characterized in that it comprises terminal equipment, a broadband remote access server BRAS according to any of claims 5 to 8 or claim 9.

Images