CN109936515B - Access configuration method, information providing method and device - Google Patents

Publication number
CN109936515B
Authority
CN
China
Prior art keywords
configuration information
information
controller
access
customer premises
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711365123.5A
Other languages
Chinese (zh)
Other versions
CN109936515A (en
Inventor
季叶一
臧亮
朱宏浩
张玉磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
XFusion Digital Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201711365123.5A
Priority to PCT/CN2018/121448 (WO2019120160A1)
Publication of CN109936515A
Application granted
Publication of CN109936515B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks

Abstract

The disclosure provides an access configuration method, an information providing method and an information providing device, and belongs to the technical field of communication. The method comprises the following steps: the gateway receives an access request, wherein the access request carries identification information and authentication type information of customer premises equipment; the gateway sends an information acquisition request to the controller, wherein the information acquisition request is used for indicating the controller to return configuration information; the gateway receives configuration information sent by the controller; and the gateway performs access configuration on the customer premises equipment according to the configuration information. According to the access configuration method and device, when the gateway receives the access request of the customer premises equipment, the configuration information with timeliness is obtained from the controller in real time, and access configuration is carried out on the customer premises equipment, so that the phenomenon of access failure possibly caused by the fact that the configuration information of the customer premises equipment in the gateway cannot be updated in real time can be effectively avoided.

Description

Access configuration method, information providing method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an access configuration method, an information providing method, and an apparatus.
Background
With the development of communication technology, Customer Premises Equipment (CPE) may access a Gateway (GW) through Internet Protocol Security (IPSec), and the GW establishes an IPSec tunnel for the CPE, so as to facilitate communication between the CPE and the GW.
Currently, the configuration information required when each CPE establishes an IPSec tunnel with a gateway is generally statically configured on a GW. For example, the CPE and the GW communicate via the established IPSec tunnel, and thus an authentication key, Quality of Service (QoS), Virtual Private Network (VPN) information required for forwarding data to another GW, an authentication type, a key, and a keep-alive time are required. The authentication key, the QoS, and the VPN information relate to the communication security and communication quality of the CPE, and are the key configuration information of the CPE. When a CPE needs to access a GW, the CPE may send an access request to the GW, and a Load Balancer (LB) allocates the access request sent by the CPE to a certain GW in real time. When the GW receives the access request, the GW may extract the configuration information of the CPE, perform access configuration for the CPE, and establish an IPSec tunnel between the CPE and the GW, thereby implementing communication between the CPE and the GW.
In the course of implementing the present disclosure, the inventors found that the prior art has at least the following problems:
Because the number of GWs is large, a CPE that wants to access a GW may be allocated one in real time by a load balancer, so the GW accessed by the CPE is not fixed. In this scenario, once the configuration information of the CPE is updated, it is not possible to update the configuration information of the CPE on every GW in real time, which may cause access failure when the CPE accesses a GW that has not been updated.
Disclosure of Invention
The embodiment of the disclosure provides an access configuration method, an information providing method and an information providing device, which can solve the problem of access failure in the prior art. The technical scheme is as follows:
In a first aspect, an access configuration method is provided, where the method includes:
the GW receives an access request, wherein the access request carries identification information of the UE;
the GW sends an information acquisition request to a controller, wherein the information acquisition request is used for indicating the controller to return configuration information;
the GW receives configuration information sent by the controller;
and the GW performs access configuration on the UE according to the configuration information.
The identification information of the CPE carried by the access request may be an Internet Protocol (IP) address, or may also be user identity information of the CPE, which is not limited in this disclosure.
The configuration information may include static configuration information and key configuration information, where the static configuration information may be a generic access template, the generic access template may include the above negotiation mode, encryption authentication algorithm, authentication type, key, keep-alive time, and the like, and the key configuration information comprises the authentication key, QoS, and VPN information.
According to the embodiment of the disclosure, when the access request of the CPE is received, the configuration information of the CPE stored in the controller is acquired in real time to perform access configuration on the CPE. Because the configuration information of the CPE is stored centrally in the controller and can be updated there in real time, the configuration information acquired by the GW is current, which effectively avoids the access failure that may occur when the configuration information of the CPE in the GW cannot be updated in real time. The controller also manages the key configuration information of the CPE centrally, which reduces the risk of leakage of the key configuration information and so improves the access security of the CPE; the centralized management mode also makes it more convenient to allocate bandwidth reasonably and to manage user access.
In a possible design, the performing, for the UE, the access configuration corresponding to the configuration information includes:
the GW comparing the configuration information with static configuration information in the GW;
and when the static configuration information is updated, the GW modifies the static configuration information and correspondingly stores the static configuration information and the identification information of the UE.
The embodiment of the disclosure compensates for the case where the static configuration information of the CPE has been updated but the GW has not been updated in real time, so that the GW can perform access configuration according to the updated static configuration information and the key configuration information, thereby effectively avoiding the access failure that may occur when the static configuration information in the GW cannot be updated in real time.
In one possible design, after the GW sends an information acquisition request to a controller, the method further includes:
and when receiving an authentication failure message sent by the controller, the GW sends an access failure message to the UE.
The embodiment of the disclosure can perform identity authentication on the CPE by the controller and perform centralized management on the access condition of the CPE by setting an authentication failure mechanism.
In one possible design, after the GW sends an information acquisition request to a controller, the method further includes:
and when the configuration information is not received within the preset time length, the GW sends an access failure message to the UE.
By setting a timeout-based authentication failure mechanism, authentication failure can be determined when the request receives no response for a long time, which avoids the situation where an abnormal processing procedure keeps resources occupied indefinitely.
In one possible design, after the GW performs access configuration for the UE according to the configuration information, the method further includes:
after the access configuration is completed, the GW sends a response message to the controller, where the response message is used to inform the controller that the configuration information has been received and that the access configuration is complete.
In one possible design, after the GW performs access configuration for the UE according to the configuration information, the method further includes:
when receiving a disconnection request, the GW deletes the configuration information from a cache according to the identification information of the UE carried by the disconnection request, and releases connection resources; or
and when detecting that the UE is disconnected, the GW deletes the configuration information from the cache according to the identification information of the UE and releases connection resources.
In the embodiment of the present disclosure, by setting a keep-alive mechanism and a mechanism for deleting dynamic configuration, when the CPE normally disconnects or the keep-alive detects that there is no interaction in the specified keep-alive time with the CPE, the dynamic configuration information is deleted, so that a network blocking phenomenon can be avoided, and a storage burden of the GW is reduced.
In one possible design, the access request is sent by the UE to the GW via an Internet Key Exchange (IKE) protocol, and the information acquisition request is sent by the GW to the controller via a Network Configuration (Netconf) or a Yang protocol.
In one possible design, the configuration information includes an authentication key, quality of service (QoS), and virtual private network (VPN) information.
In one possible design, when the current configuration information of the GW can meet the authentication access requirement, the GW performs access configuration for the UE according to the current configuration information of the GW.
In a second aspect, an information providing method is provided, the method comprising:
the controller receives an information acquisition request sent by a GW, wherein the information acquisition request carries identification information of UE;
the controller performs identity authentication on the UE according to the identification information of the UE;
when the authentication is successful, the controller acquires configuration information corresponding to the identification information of the UE according to the corresponding relation between the identification information and the configuration information;
the controller sends the configuration information to a GW.
In one possible design, the controller performs identity authentication on the UE according to the identification information of the UE, including:
the controller searches the identification information of the UE in a user database;
when the user database comprises the identification information of the UE, the controller extracts user data corresponding to the identification information of the UE from the user database;
when the user data indicates that the UE has access rights, the controller determines that authentication is successful;
when the identification information of the UE is not found in the user database or the user data indicates that the UE has no access right, the controller determines that authentication fails.
In one possible design, the method further includes: when authentication fails, the controller transmits an authentication failure message to the GW.
In one possible design, after the controller sends the configuration information to the GW, the method further includes: the controller receives a response message returned by the GW.
In one possible design, the authentication request is sent by the UE to the GW via an IKE protocol, and the information acquisition request is sent by the GW to the controller via a Netconf or Yang protocol.
In one possible design, the obtaining of the configuration information of the UE includes:
the controller interacts with at least one server to acquire the identification information and the configuration information of the UE stored in the at least one server;
and the controller correspondingly stores the identification information and the configuration information of the UE.
In a third aspect, an access configuration apparatus is provided, which is applied to a GW, and the apparatus includes a plurality of functional modules to implement the access configuration method of the first aspect or of any one of the possible designs of the first aspect.
In a fourth aspect, an information providing apparatus is provided, which is applied to a controller and includes a plurality of functional modules to implement the second aspect and any one of the possible designs of the information providing method of the second aspect.
In a fifth aspect, a GW is provided, comprising a memory and a processor, the memory having stored thereon a plurality of instructions adapted to be used by the processor to load and execute the access configuration method of the first aspect and any one of the possible designs of the first aspect.
In a sixth aspect, there is provided a controller comprising a memory and a processor, the memory having stored thereon a plurality of instructions adapted to be used by the processor to load and execute the information providing method of the second aspect described above and any one of the possible designs of the second aspect.
In a seventh aspect, a computer-readable storage medium is provided, where instructions are stored on the computer-readable storage medium, and the instructions are executed by a processor to perform the access configuration method of the first aspect or of any one of the possible designs of the first aspect, or the information providing method of the second aspect or of any one of the possible designs of the second aspect.
In an eighth aspect, a communication system is provided, which includes a GW configured to perform the access configuration method of the first aspect or of any one of the possible designs of the first aspect, and a controller configured to perform the information providing method of the second aspect or of any one of the possible designs of the second aspect.
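The following sketch is an added example, not code from the patent or from any product: it models in memory the GW and controller roles of the first and second aspects, including the controller's database lookup, the authentication-failure and timeout paths, the response message, and cache deletion on disconnect or keep-alive expiry. Class and field names, the sample database and the reply-consistency check are assumptions, and the Netconf transport is replaced by a direct function call with a timeout.

```python
import concurrent.futures as cf
import time

KEY_FIELDS = ("auth_key", "qos", "vpn")  # the "key configuration information"

# Constructed sample data; identifiers, keys and values are illustrative only.
USER_DB = {
    "cpe-a.example.net": {"access": True, "config": {
        "auth_key": "demo-key-a", "qos": "gold", "vpn": "vpn-10", "keepalive_s": 20}},
    "cpe-b.example.net": {"access": False, "config": {
        "auth_key": "demo-key-b", "qos": "bronze", "vpn": "vpn-20"}},
}
TEMPLATE = {"auth_type": "PSK", "keepalive_s": 30}  # generic access template on the GW


class Controller:
    """Central store of per-CPE configuration (second aspect)."""

    def __init__(self, user_db, delay_s=0.0):
        self.user_db = user_db    # cpe_id -> {"access": bool, "config": {...}}
        self.delay_s = delay_s    # constructed knob that simulates a slow controller
        self.acks = []            # response messages received from gateways

    def handle_info_request(self, cpe_id):
        time.sleep(self.delay_s)
        user = self.user_db.get(cpe_id)           # search the user database
        if user is None or not user["access"]:    # unknown CPE or no access right
            return {"type": "auth_failure", "cpe_id": cpe_id}
        return {"type": "config", "cpe_id": cpe_id, "config": dict(user["config"])}

    def handle_response(self, cpe_id):
        self.acks.append(cpe_id)


class Gateway:
    """Fetches configuration per access request and fails closed (first aspect)."""

    def __init__(self, controller, template, timeout_s=1.0):
        self.controller = controller
        self.template = dict(template)
        self.timeout_s = timeout_s    # the "preset time length"
        self.cache = {}               # cpe_id -> dynamic entry, removed on disconnect
        self._pool = cf.ThreadPoolExecutor(max_workers=4)

    def handle_access_request(self, cpe_id, now=0.0):
        future = self._pool.submit(self.controller.handle_info_request, cpe_id)
        try:
            reply = future.result(timeout=self.timeout_s)
        except cf.TimeoutError:
            return "access_failure:timeout"    # no reply in time: reject, hold nothing
        if reply["type"] == "auth_failure":
            return "access_failure:auth"
        # Added defensive checks (assumptions, not stated in the text): the reply
        # must name the CPE that was asked about and carry every key field.
        cfg = reply.get("config", {})
        if reply.get("cpe_id") != cpe_id or any(k not in cfg for k in KEY_FIELDS):
            return "access_failure:bad_reply"
        # Compare with the static template; keep the updated values per CPE.
        static = {k: cfg.get(k, v) for k, v in self.template.items()}
        self.cache[cpe_id] = {"static": static, "last_seen": now,
                              "key": {k: cfg[k] for k in KEY_FIELDS}}
        self.controller.handle_response(cpe_id)    # tell the controller we are done
        return "access_ok"

    def handle_disconnect(self, cpe_id):
        """Drop the cached configuration; True if an entry was removed."""
        return self.cache.pop(cpe_id, None) is not None

    def expire_idle(self, now):
        """Keep-alive sweep: delete entries idle longer than their keep-alive time."""
        idle = [cid for cid, e in self.cache.items()
                if now - e["last_seen"] > e["static"]["keepalive_s"]]
        for cid in idle:
            del self.cache[cid]
        return idle


def run_demo():
    ctrl = Controller(USER_DB)
    gw = Gateway(ctrl, TEMPLATE)
    outcomes = {cid: gw.handle_access_request(cid)
                for cid in ("cpe-a.example.net", "cpe-b.example.net", "cpe-x.example.net")}
    slow_gw = Gateway(Controller(USER_DB, delay_s=0.3), TEMPLATE, timeout_s=0.05)
    outcomes["slow-controller"] = slow_gw.handle_access_request("cpe-a.example.net")
    return outcomes, sorted(gw.cache), gw.expire_idle(now=25.0)


if __name__ == "__main__":
    print(run_demo())
```

Every failure path returns before anything is written to the GW cache, so a rejected or unanswered request leaves no key material on the gateway.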
Drawings
Fig. 1 is a schematic diagram of an implementation environment of an access configuration method and an information providing method according to an embodiment of the present disclosure;
Fig. 2 is a block diagram of a GW 200 according to an embodiment of the present disclosure;
Fig. 3 is a block diagram of a controller 300 according to an embodiment of the disclosure;
Fig. 4 is a flowchart of an access configuration method provided in an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of a message transmission in an access configuration flow according to an embodiment of the present disclosure;
Fig. 6 is a flowchart of an access configuration method provided in an embodiment of the present disclosure;
Fig. 7 is a flowchart of an access configuration method provided in an embodiment of the present disclosure;
Fig. 8 is a flowchart of an access configuration method provided in an embodiment of the present disclosure;
Fig. 9 is a flowchart of an access configuration method provided in an embodiment of the present disclosure;
Fig. 10 is a schematic structural diagram of an access configuration apparatus provided in an embodiment of the present disclosure;
Fig. 11 is a schematic structural diagram of an access configuration apparatus according to an embodiment of the present disclosure;
Fig. 12 is a schematic structural diagram of an information providing apparatus provided in an embodiment of the present disclosure;
Fig. 13 is a schematic structural diagram of an information providing apparatus according to an embodiment of the present disclosure.
Detailed Description
For the convenience of understanding the present disclosure, an implementation environment of the access configuration method and the information providing method is described herein, and referring to fig. 1, the implementation environment includes a customer premises equipment CPE, a gateway GW, and a Controller (Controller).
The CPE is customer premises equipment which can generally perform IKE negotiation with the GW based on the statically configured IPSec interface, the GW configures an IPSec tunnel required by normal communication for the CPE based on the statically configured IPSec interface, and then the GW is accessed through the IPSec tunnel, so that a large amount of cloud data can be acquired in a cloud data center, and network communication service is provided for users.
The GW is an access device, which is located at an edge access layer in a software switching architecture and provides an access interface for the CPE. The basic function of the GW is data forwarding, and also has functions of performing access authentication for the CPE, establishing a communication tunnel, and the like.
The controller is a network management device, which may be deployed in each data center, and the GW may obtain information through communication with the controller, and the controller may analyze information sent by the GW or information obtained through communication with other controllers, so as to implement network control management. In an embodiment of the present disclosure, the controller may be a Software Defined Network (SDN) controller, or may be another server installed with a Network management system, and this disclosure is not limited in this respect.
Referring to fig. 1, a CPE may perform IKE negotiation with a GW through a statically configured IPSec interface, and the GW configures an IPSec tunnel for the CPE. On a successfully configured IPSec tunnel, the CPE is one end of the tunnel and the GW is the other end. An LB may also be included between the CPE and the GW, and the LB allocates a GW to the CPE. The CPE and the GW can interact through IKE, and the GW and the controller can interact through the Netconf or Yang protocol. Of course, the interaction protocol between the CPE and the GW or between the GW and the controller includes, but is not limited to, the above protocols, which is not specifically limited by this disclosure.
Fig. 2 is a block diagram of a GW 200 according to an embodiment of the present disclosure. Referring to fig. 2, the GW includes a transceiver 201, a memory 202 and a processor 203, wherein the transceiver 201 and the memory 202 are respectively connected with the processor 203, the memory 202 stores program codes, and the processor 203 is used for calling the program codes to realize the access configuration method in the following embodiments.
For example, the transceiver 201 may be a physical interface card through which the GW may receive requests or messages sent by other devices and may send requests or messages to other devices.
The processor 203 may be a network processor or a central processing unit, and after receiving the request, the physical interface card may send the request or the message to the network processor, and the network processor checks the request, searches and distributes the table entry to the central processing unit, and the central processing unit processes the request.
The memory 202 may be a forwarding table entry memory for storing the forwarding table entries of the network processor.
Fig. 3 is a block diagram of a controller 300 according to an embodiment of the disclosure. For example, the controller 300 may be provided as a server. Referring to fig. 3, the controller 300 includes a transceiver 301, a memory 302 and a processor 303, wherein the transceiver 301 and the memory 302 are respectively connected with the processor 303, the memory 302 stores program codes, and the processor 303 is used for calling the program codes to realize the information providing method in the following embodiments.
For example, the transceiver 301 may be a physical interface card through which requests or messages sent by other devices may be received and through which requests or messages may be sent to other devices.
The processor 303 may be a network processor or a central processing unit, and after receiving the request, the physical interface card may send the request or the message to the network processor, where the network processor checks the request, searches and distributes the table entry to the central processing unit, and the central processing unit processes the request.
The memory 302 may be a forwarding table entry memory for storing the forwarding table entries of the network processor.
In an exemplary embodiment, a computer readable storage medium, such as a memory, is also provided that includes instructions executable by a processor in a GW to perform an access configuration method in the embodiments described below or by a processor in a controller to perform an information provision method in the embodiments described below. For example, the computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a communication system is further provided, where the communication system includes the GW200 shown in fig. 2 and the controller 300 shown in fig. 3, where the GW200 communicates with the controller 300 through the transceiver 201 and the transceiver 301, a memory 202 on the GW200 stores a program code, and a processor 203 on the GW200 is configured to call the program code, so as to implement method steps on the GW side in the access configuration method in the following embodiments. The memory 302 of the controller 300 stores a program code, and when the processor 303 of the controller 300 calls the program code, the method steps of the controller side in the access configuration method in the following embodiments are implemented.
In the embodiment of the present disclosure, the CPE performs IKE negotiation with the GW through the statically configured IPSec interface, and an IPSec tunnel between the CPE and the GW is configured through the IKE negotiation process, so that the CPE and the GW can subsequently communicate normally and transmit communication data. The IKE negotiation process may use the IKEv1 protocol or the IKEv2 protocol. When the IKEv1 protocol is used, the IKE negotiation process may further use one of two different negotiation modes, namely main mode and aggressive mode; the embodiment of the present disclosure only takes negotiation using the IKEv2 protocol as an example. In the IKE negotiation process, the GW needs to perform IKE negotiation with the CPE based on the configuration information of the CPE, thereby establishing an IPSec tunnel. The configuration information of the CPE includes static configuration information and key configuration information, where the static configuration information may be a generic access template, the generic access template may include the above negotiation mode, encryption authentication algorithm, authentication type, key, keep-alive time, and the like, and the key configuration information comprises an authentication key, QoS, and VPN information.
Fig. 4 is a flowchart of an access configuration method provided in an embodiment of the present disclosure. The access configuration method is applied to a GW, for example, the GW shown in fig. 2. By interacting with a controller, the GW may acquire configuration information from the controller in real time, so as to perform access configuration for a CPE. In this process, the controller executes the information providing method within the access configuration method and provides the GW with the configuration information it requires. Referring to fig. 4, the access configuration process specifically includes the following steps:
401. The CPE sends an access request to the GW, wherein the access request carries identification information of the CPE.
In a specific embodiment, before this step 401, the CPE and the GW may complete an initial exchange, in which an encryption authentication algorithm, an authentication type and a key are negotiated between the CPE and the GW, and the key is used to encrypt or decrypt a request or a message transmitted when performing a subsequent negotiation between the CPE and the GW. The authentication type is an authentication type configured in advance in the CPE, and the authentication type may be PSK, Public Key Infrastructure (PKI), or other authentication types.
After the initial exchange is completed, the CPE sends an access request to the GW, where the identification information of the CPE carried by the access request may be an IP address or user identity information of the CPE, which is not limited in this disclosure. For example, the access request carries the following identification information of the CPE: a CPE Fully Qualified Domain Name (FQDN) or a User Fully Qualified Domain Name (U-FQDN), where the CPE FQDN/U-FQDN is the domain name of the CPE and is used for uniquely identifying the CPE.
402. Upon receiving the access request, the GW determines whether the current configuration information satisfies the authentication access requirement, and if not, performs step 403.
The GW is usually statically configured with a general access template, but some GWs may also be configured with key configuration information of the CPE in advance, so that the GW, upon receiving the access request, may determine whether the current configuration information in the GW already includes information that needs to be exchanged in the current authentication access process, where the information that needs to be exchanged is the configuration information of the CPE. If the current configuration information in the GW already includes static configuration information and key configuration information, that is, when the current configuration information of the GW can meet the authentication access requirement, the GW may directly perform access configuration for the CPE according to the configuration information of the CPE without interacting with the controller, which is the same as the access configuration method in the prior art, and is not described herein again.
If the current configuration information in the GW does not include key configuration information such as an authentication key, QoS, VPN information, etc., that is, the current configuration information only includes static configuration information and cannot satisfy the authentication access requirement, the GW may execute step 403 below.
In a specific embodiment, when the GW receives the access request, it may decrypt the access request based on the key exchanged in step 401, and perform integrity check, and when the decryption is successful and it is determined that the content included in the request is complete, step 402 may be performed. Of course, the GW may also perform other validity checks on it, and the disclosure does not limit this.
403. When the current configuration information of the GW can not meet the authentication access requirement, the GW sends an information acquisition request to the controller.
In a specific embodiment, the information acquisition request carries identification information of the CPE, and the information acquisition request is used to instruct the controller to return configuration information. The configuration information may include the above key configuration information, that is, the authentication key, QoS, and VPN information. For example, the information acquisition request may be a Netconf standard message or a Yang standard message, and the information in the message may include identification information of the CPE.
It should be noted that, in the prior art, the GW sends a response message to the CPE in step 402 to continue negotiation, but in the embodiment of the present disclosure, since the GW lacks key configuration information, it needs to send an information acquisition request to the controller to acquire the key configuration information, and if the GW does not send an information acquisition request to the server and continues negotiation with the CPE, the final negotiation may fail because of the lack of the key configuration information.
Step 403 is performed when it is determined in step 402 that the current configuration information does not satisfy the authentication access requirement. If the information to be exchanged for the authentication access requirement of this access request already exists in the GW, that information is exchanged directly.
404. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried by the information acquisition request.
In a specific embodiment, the controller may obtain the configuration information of the CPE out-of-band. Specifically, the controller may obtain the identification information and the configuration information of the CPE stored in at least one server by interacting with the at least one server, and then store the identification information and the configuration information of the CPE correspondingly. For example, when a user applies to a service provider for an IP address, the service provider may allocate an IP address to the user, allocate QoS, VPN, and similar information to the user according to the user's requirements, and store the configuration information and the IP address in a server; the controller acquires the IP address and the configuration information by interacting with the server and stores them correspondingly.
It should be noted that, when the controller acquires the configuration information of the CPE, the controller may acquire only the key configuration information of the CPE, or may acquire both the key configuration information and the static configuration information of the CPE. The controller may store the correspondence between the configuration information and the identification information of each CPE as the user data of that CPE in a user database of the controller. When the configuration information of the CPE is updated, the controller may obtain the updated configuration information in real time and update the corresponding user data in the user database.
In a specific embodiment, after the controller extracts the identification information of the CPE from the information acquisition request, the following steps (1) to (4) may be performed to authenticate the CPE and determine whether to allow the CPE to access:
(1) The controller searches for the identification information of the CPE in a user database.
(2) When the identification information of the CPE is included in the user database, the controller extracts the user data corresponding to the identification information of the CPE from the user database.
(3) When the user data indicates that the CPE has the access right, the controller determines that the authentication is successful.
(4) When the identification information of the CPE is not found in the user database, or the user data indicates that the CPE has no access right, the controller determines that the authentication fails.
In a specific implementation, the identity authentication process may further include authentication manners such as validity verification of information of the CPE and certificate authentication, which is not limited in this disclosure.
405. When the authentication is successful, the controller acquires the configuration information corresponding to the identification information of the CPE according to the corresponding relation between the identification information and the configuration information.
When the authentication is successful, the controller determines that the CPE is allowed to access the GW, and then the configuration information of the CPE may be sent to the GW, and the GW performs subsequent access configuration. The configuration information includes an authentication key, quality of service Qos, and virtual private network VPN information, i.e. key configuration information of the CPE.
In one embodiment, the controller may obtain the static configuration information of the CPE in addition to the critical configuration information of the CPE.
406. The controller sends configuration information to the GW.
Consistent with step 405, when the configuration information acquired by the controller is the key configuration information, the controller sends the key configuration information to the GW; and when the configuration information acquired by the controller is the key configuration information and the static configuration information, the controller sends the key configuration information and the static configuration information to the GW.
In a specific embodiment, in the sending process, the configuration information may also be in the form of the Netconf standard message or the Yang standard message, information in the message includes configuration information of the CPE and identification information of the CPE, and a protocol for interaction between the controller and the GW may also be another protocol, which is not limited in this disclosure.
407. When receiving the configuration information sent by the controller, the GW performs access configuration for the CPE according to the configuration information.
When the received configuration information is the key configuration information, the GW may perform access configuration such as routing configuration, bandwidth configuration, and the like for the CPE.
In a specific embodiment, when the received configuration information is the key configuration information and the static configuration information, the GW may compare the configuration information with the static configuration information in the GW, and when the static configuration information is updated, the GW may modify the static configuration information and store the modified static configuration information and the identification information of the CPE correspondingly, so as to make up for the defect that the static configuration information of the CPE is updated and the GW does not have real-time update.
In a specific implementation, when receiving the configuration information, the GW may send a response message to the controller, which informs the controller that the configuration information has been successfully received.
408. After the GW completes the access configuration, a response message is sent to the controller.
The response message is used to inform the server that the configuration information has been received and that the access configuration has been completed.
409. After the GW completes the access configuration, the GW sends an access configuration success message to the CPE.
The access configuration success message is used for informing the CPE to complete corresponding access configuration according to the configuration information. In practical application, the GW may further perform negotiation with the CPE, and finally establish an IPSec tunnel to access the CPE to the GW.
In a specific implementation, step 408 and step 409 may be performed simultaneously, or step 409 may be performed before step 408. That is, after completing the access configuration, the GW may send the response message to the controller and the access configuration success message to the CPE at the same time, or it may send the access configuration success message to the CPE first and then the response message to the controller. This is not specifically limited in this embodiment of the present disclosure.
410. The controller receives the response message.
411. The CPE receives the access configuration success message.
The above is a description of a flow of the access configuration method, and details of a specific situation of request and message transmission in the access configuration process are described below by using the embodiment shown in fig. 5. Fig. 5 is a schematic diagram of message transmission in an access configuration flow according to an embodiment of the present disclosure, where both parties of the message transmission shown in fig. 5 may be the GW shown in fig. 2 and the controller shown in fig. 3, and fig. 5 mainly illustrates a message transmission situation, and the present disclosure does not specifically limit a format and specific content of a message. Referring to fig. 5, the noun explanations referred to in this fig. 5 are shown in table 1 below:
TABLE 1 (reproduced as an image in the original publication)
The CPE sends IKE_SA_INIT: HDR, SAi1, KEi, Ni to the GW. The GW receives the message and returns IKE_SA_INIT: HDR, SAr1, KEr, Nr, which completes the initial exchange and negotiates the decryption and authentication algorithms, the key, and the authentication type. The CPE then sends the first message of the authentication exchange to the GW, namely IKE_AUTH: HDR, SK {IDi, AUTH, SAi2, TSi, TSr}. In this message, IDi is the CPE FQDN/U-FQDN; that is, the identity information (ID) of the CPE is the CPE FQDN/U-FQDN, which is the identification information of the CPE. After receiving the authentication message, the GW sends a Notification message to the controller to notify it that the user whose ID is the CPE FQDN/U-FQDN has come online, so that the controller can perform access control. The specific access control process is as follows: using the ID of the CPE as the keyword, the controller searches the stored information for the authentication key, Qos, and VPN information corresponding to the ID, performs identity authentication on the CPE, and, when the authentication passes, transmits the authentication key, the Qos, and the VPN information to the GW. On receiving the configuration information, the GW performs access configuration and, after completing the configuration, replies with a response message, that is, a REPLY message whose content is OK. The GW then sends the CPE the response to the first authentication message, IKE_AUTH: HDR, SK {IDr, AUTH, SAr2, TSi, TSr}. At this point the AUTH authentication exchange is complete, and other negotiation processes may be performed subsequently.
According to the embodiment of the disclosure, when the access request of the CPE is received, the configuration information of the CPE stored in the controller is acquired in real time, and the access configuration is performed for the CPE. Because the controller centrally manages the key configuration information in the configuration information of the CPE, the risk of leaking the CPE's key configuration information is reduced and the access security of the CPE is improved; centralized management also makes it easier to allocate bandwidth reasonably and to manage user access.
The above embodiment describes only the case in which the authentication succeeds in step (3) of step 404. In step (4) of step 404, the controller determines that the authentication has failed, that is, that the CPE is not allowed to access the GW, so no configuration information needs to be sent to the GW. When the authentication fails, the controller does not execute step 405, and steps 406 to 410 do not follow. The authentication failure case is described in detail in the embodiment shown in fig. 6.
Fig. 6 is a flowchart of an access configuration method provided in an embodiment of the present disclosure, where the access configuration method is applied to a GW, for example, may be applied to the GW shown in fig. 2, and the embodiment of the present disclosure provides a flowchart of the access configuration method when identity authentication fails, where referring to fig. 6, a specific process of the access configuration includes the following steps:
601. The CPE sends an access request to the GW, wherein the access request carries identification information of the CPE.
602. Upon receiving the access request, the GW determines whether the current configuration information satisfies the authentication access requirement, and if not, performs step 603.
603. When the current configuration information of the GW can not meet the authentication access requirement, the GW sends an information acquisition request to the controller.
604. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried by the information acquisition request.
Steps 601 to 604 are similar to steps 401 to 404, and are not described herein again.
605. When authentication fails, the controller transmits an authentication failure message to the GW.
When authentication fails, the controller determines that the CPE is not allowed to access, and thus does not send configuration information to the GW, but instead sends an authentication failure message to the GW to inform the GW that access configuration is not necessary for the CPE.
606. When receiving the authentication failure message, the GW transmits an access failure message to the CPE.
607. The CPE receives the access failure message.
The access failure message is used to inform the CPE of the current access failure, and in practical application, the access failure message may also carry an access failure reason: the authentication fails.
The embodiment of the disclosure can perform identity authentication on the CPE by the controller and perform centralized management on the access condition of the CPE by setting an authentication failure mechanism.
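The controller's decision in step 404, sub-steps (1) to (4), together with the replies of steps 405/406 and 605, can be sketched as follows. This is an added example, not code from the patent; the record fields, reply labels, audit list, and the FQDN/U-FQDN validity rule are assumptions chosen for illustration.

```python
"""Controller-side decision for an information acquisition request (steps 404-406, 605)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed validity rule for the identification information: an FQDN or a
# user@FQDN (U-FQDN), checked before the value is used as a database key.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ID_RE = re.compile(rf"(?:[A-Za-z0-9._%+-]{{1,64}}@)?(?:{LABEL}\.)+{LABEL}")


@dataclass(frozen=True)
class UserData:
    """One user-database record; the field names are assumptions."""
    access_allowed: bool
    auth_key: bytes   # key configuration information
    qos: str
    vpn: str


@dataclass(frozen=True)
class Reply:
    kind: str                      # "CONFIG" or "AUTH_FAILURE" (constructed labels)
    cpe_id: str
    config: Optional[dict] = None  # populated only when authentication succeeds


class Controller:
    def __init__(self, user_db: Dict[str, UserData]):
        self.user_db = dict(user_db)
        self.audit: List[Tuple[str, str]] = []  # (identifier, decision), never the key

    def update_user(self, cpe_id: str, data: UserData) -> None:
        # An updated record is what the next request from the GW will see.
        self.user_db[cpe_id] = data

    def deny(self, cpe_id: str, reason: str) -> Reply:
        # The GW gets the same failure reply whatever the reason; only the
        # controller's own audit trail records why the request was refused.
        self.audit.append((cpe_id[:64], reason))
        return Reply("AUTH_FAILURE", cpe_id)

    def handle_info_request(self, cpe_id: str) -> Reply:
        # Validity check on the identifier carried by the request.
        if len(cpe_id) > 320 or not ID_RE.fullmatch(cpe_id):
            return self.deny(cpe_id, "deny:malformed-id")
        # (1) Search the user database (exact match on the identifier).
        record = self.user_db.get(cpe_id)
        # (4) Not found, or found without the access right: authentication fails.
        if record is None:
            return self.deny(cpe_id, "deny:unknown")
        if not record.access_allowed:
            return self.deny(cpe_id, "deny:no-access-right")
        # (2)+(3) Record found and access right present: release the configuration.
        self.audit.append((cpe_id, "allow"))
        return Reply("CONFIG", cpe_id,
                     {"auth_key": record.auth_key, "qos": record.qos, "vpn": record.vpn})


# Constructed sample database; identifiers and values are made up.
SAMPLE_DB = {
    "cpe-a.example.net": UserData(True, b"constructed-key-a", "gold", "vpn-10"),
    "cpe-b.example.net": UserData(False, b"constructed-key-b", "bronze", "vpn-20"),
}


def demo() -> List[str]:
    ctrl = Controller(SAMPLE_DB)
    ids = ["cpe-a.example.net", "cpe-b.example.net",
           "cpe-zz.example.net", "not a valid id!"]
    kinds = [ctrl.handle_info_request(i).kind for i in ids]
    # Revoking the access right takes effect on the very next request.
    ctrl.update_user("cpe-a.example.net",
                     UserData(False, b"constructed-key-a", "gold", "vpn-10"))
    kinds.append(ctrl.handle_info_request("cpe-a.example.net").kind)
    return kinds


if __name__ == "__main__":
    print(demo())
```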
In step 407 of the embodiment shown in fig. 4, there may be another possible scenario for the GW receiving the configuration information in practical application: the configuration information is not received within a preset time length. This scenario is also a case of authentication failure, and will be explained in the embodiment shown in fig. 7.
Fig. 7 is a flowchart of an access configuration method provided in an embodiment of the present disclosure, where the access configuration method is applied to a GW, for example, the GW shown in fig. 2, and the embodiment of the present disclosure provides a flowchart of the access configuration method when a timeout authentication fails, where referring to fig. 7, the method includes the following steps:
701. The CPE sends an access request to the GW, wherein the access request carries identification information of the CPE.
702. Upon receiving the access request, the GW determines whether the current configuration information meets the authentication access requirement, and if not, performs step 703.
703. When the current configuration information of the GW can not meet the authentication access requirement, the GW sends an information acquisition request to the controller.
704. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried by the information acquisition request.
705. When the authentication is successful, the controller acquires the configuration information corresponding to the identification information of the CPE according to the corresponding relation between the identification information and the configuration information.
706. The controller sends configuration information to the GW.
Steps 701 to 706 are similar to steps 401 to 406, and are not described herein again.
707. When the configuration information is not received within the preset time length, the GW sends an access failure message to the CPE.
The GW may set a timeout authentication failure mechanism: when the configuration information sent by the controller is not received within the preset time length, the access is considered to have failed because the relevant key configuration information is missing. The access failure message is used to inform the CPE of the access failure, and in practical application it may also carry the reason for the access failure: timeout with no response.
708. The CPE receives the access failure message.
By setting the timeout authentication failure mechanism, authentication failure can be determined when a request goes unanswered for a long time, which avoids the situation in which an abnormal processing flow keeps resources occupied indefinitely.
After the GW performs access configuration for the CPE, the CPE accesses the GW by successfully establishing an IPSec tunnel, and may acquire data from the accessed cloud data center or upload data to the cloud data center. The CPE may also actively disconnect, or the GW may detect through a keep-alive mechanism that the connection has been disconnected; in either case the GW may delete the access configuration performed for the CPE. This includes the following two specific embodiments:
In a first embodiment, when the GW receives a disconnection request, the GW deletes the configuration information from the cache according to the identification information of the CPE carried in the disconnection request, and releases the connection resource.
In a second embodiment, when the GW detects that the CPE has disconnected, it deletes the configuration information from the cache according to the identification information of the CPE, and releases the connection resource.
These two embodiments are described in detail below with reference to fig. 8 and 9, respectively:
Fig. 8 is a flowchart of an access configuration method provided in an embodiment of the present disclosure, where the access configuration method is applied to a GW, for example, the GW shown in fig. 2 above. This embodiment is the first specific embodiment: the GW performs access configuration for the CPE so that the CPE accesses the GW normally, and after a period of time, when the CPE actively disconnects, the GW deletes the access configuration. Referring to fig. 8, the method includes the following steps:
801. The CPE sends an access request to the GW, wherein the access request carries identification information of the CPE.
802. Upon receiving the access request, the GW determines whether the current configuration information satisfies the authentication access requirement, and if not, performs step 803.
803. When the current configuration information of the GW can not meet the authentication access requirement, the GW sends an information acquisition request to the controller.
804. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried by the information acquisition request.
805. When the authentication is successful, the controller acquires the configuration information corresponding to the identification information of the CPE according to the corresponding relation between the identification information and the configuration information.
806. The controller sends configuration information to the GW.
807. When receiving the configuration information sent by the controller, the GW performs access configuration for the CPE according to the configuration information.
808. After the GW completes the access configuration, a response message is sent to the controller.
809. After the GW completes the access configuration, the GW sends an access configuration success message to the CPE.
810. The controller receives the response message.
811. The CPE receives the access configuration success message.
Steps 801 to 811 are similar to steps 401 to 411, and are not described herein.
812. The CPE sends a disconnection request to the GW, wherein the disconnection request carries identification information of the CPE.
When a CPE wishes to disconnect (e.g., the CPE goes offline normally), it may send a disconnection request to the GW. The disconnection request instructs the GW to delete the IPSec tunnel established for the CPE, so that the CPE can no longer communicate through the GW.
813. When receiving the disconnection request, the GW deletes the configuration information from the cache according to the identification information of the CPE, and releases the connection resource.
The configuration information is acquired by the GW from the controller, and when the CPE is disconnected, the configuration information may be deleted, and connection resources generated in the process of establishing the IPSec tunnel for the CPE by the GW are released, and the configuration corresponding to the CPE is restored to the static configuration before the CPE sends the access request.
The configuration information and connection resources acquired from the controller may be referred to as dynamic configuration information of the CPE, and the dynamic configuration information is generally stored in a cache. The GW deletes the configuration information and releases the connection resources, thereby avoiding network congestion possibly caused by occupying the connection resources and reducing the storage burden of the GW.
814. The GW sends a disconnection response message to the CPE, informing the CPE that the connection has been disconnected.
According to the embodiment of the disclosure, when the CPE is disconnected normally, the dynamic configuration information is deleted, so that the network blocking phenomenon can be avoided, and the storage burden of the GW is reduced.
Fig. 9 is a flowchart of an access configuration method provided in an embodiment of the present disclosure, where the access configuration method is applied to a GW, for example, the GW shown in fig. 2 above. This embodiment is the second specific embodiment: the GW performs access configuration for the CPE so that the CPE accesses the GW normally, and then, when the GW detects no interaction for the CPE within a specified keep-alive time, the GW deletes the access configuration. Referring to fig. 9, the method includes the following steps:
901. The CPE sends an access request to the GW, wherein the access request carries identification information of the CPE.
902. Upon receiving the access request, the GW determines whether the current configuration information meets the authentication access requirement, and if not, executes step 903.
903. When the current configuration information of the GW can not meet the authentication access requirement, the GW sends an information acquisition request to the controller.
904. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried by the information acquisition request.
905. When the authentication is successful, the controller acquires the configuration information corresponding to the identification information of the CPE according to the corresponding relation between the identification information and the configuration information.
906. The controller sends configuration information to the GW.
907. When receiving the configuration information sent by the controller, the GW performs access configuration for the CPE according to the configuration information.
908. After the GW completes the access configuration, a response message is sent to the controller.
909. After the GW completes the access configuration, the GW sends an access configuration success message to the CPE.
910. The controller receives the response message.
911. The CPE receives the access configuration success message.
Steps 901 to 911 are similar to steps 401 to 411, or steps 801 to 811, and are not described herein again.
912. When detecting that the CPE is disconnected, the GW deletes the configuration information from the cache according to the identification information of the CPE and releases the connection resources.
The GW may be provided with a keep-alive mechanism, which may periodically detect whether there is any interaction in the specified keep-alive time for a CPE connected through the GW, and when detecting that there is no interaction in the specified keep-alive time for the CPE, the GW may consider that the CPE has disconnected, so that the GW may delete the dynamic configuration information generated by establishing the IPSec tunnel for the CPE.
The embodiment of the disclosure deletes the dynamic configuration information of the CPE which occupies the connection resources without the data interaction requirement by setting the keep-alive mechanism, thereby avoiding the network blocking phenomenon possibly caused by excessive occupation of the connection resources and reducing the storage burden of the GW.
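The GW behaviour across the embodiments of figs. 4 and 6 to 9 (fetch on demand, failure on rejection or timeout, deletion on disconnect or keep-alive expiry) is sketched below as an added example that is not part of the patent. The message labels, the reply shape, the `fetch` callable standing in for the controller transport, and the timer values are assumptions.

```python
"""GW-side dynamic configuration cache: fetch on demand, fail closed, purge when done."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed reply shape: a dict whose "kind" is "CONFIG" (with a "config" dict)
# or "AUTH_FAILURE". None models "nothing arrived within the preset time".
Fetch = Callable[[str, float], Optional[dict]]


@dataclass
class Session:
    config: dict       # dynamic configuration obtained from the controller
    last_seen: float   # clock value at the last interaction with the CPE


class Gateway:
    def __init__(self, fetch: Fetch, clock: Callable[[], float] = time.monotonic,
                 fetch_timeout: float = 5.0, keepalive: float = 30.0):
        self.fetch, self.clock = fetch, clock
        self.fetch_timeout, self.keepalive = fetch_timeout, keepalive
        self.cache: Dict[str, Session] = {}

    def handle_access_request(self, cpe_id: str) -> Tuple[str, Optional[str]]:
        # Step 402: is the key configuration for this CPE already present?
        if cpe_id not in self.cache:
            reply = self.fetch(cpe_id, self.fetch_timeout)      # step 403
            if reply is None:                                   # step 707
                return ("ACCESS_FAILURE", "timeout, no response")
            # Step 606. Anything that is not a well-formed CONFIG reply is
            # treated as a failure, so a malformed reply never grants access.
            if reply.get("kind") != "CONFIG" or not reply.get("config"):
                return ("ACCESS_FAILURE", "authentication failed")
            self.cache[cpe_id] = Session(dict(reply["config"]), self.clock())  # step 407
        self.cache[cpe_id].last_seen = self.clock()
        return ("ACCESS_CONFIG_SUCCESS", None)                  # step 409

    def touch(self, cpe_id: str) -> None:
        # Traffic from a connected CPE restarts its keep-alive timer.
        if cpe_id in self.cache:
            self.cache[cpe_id].last_seen = self.clock()

    def handle_disconnect(self, cpe_id: str) -> str:
        # Step 813: drop the cached configuration (including the key) at once.
        self.cache.pop(cpe_id, None)
        return "DISCONNECT_RESPONSE"                            # step 814

    def sweep_keepalive(self) -> List[str]:
        # Step 912: purge every CPE with no interaction inside the keep-alive time.
        now = self.clock()
        idle = [c for c, s in self.cache.items() if now - s.last_seen > self.keepalive]
        for cpe_id in idle:
            del self.cache[cpe_id]
        return idle


class ManualClock:
    """Deterministic clock so the timers can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock, calls = ManualClock(), []

    def controller_stub(cpe_id: str, timeout: float) -> Optional[dict]:
        # Constructed controller behaviour: one known CPE, one silent, rest refused.
        calls.append(cpe_id)
        if cpe_id == "cpe-slow.example.net":
            return None
        if cpe_id == "cpe-a.example.net":
            return {"kind": "CONFIG",
                    "config": {"auth_key": b"constructed-key-a", "qos": "gold", "vpn": "vpn-10"}}
        return {"kind": "AUTH_FAILURE"}

    gw = Gateway(controller_stub, clock=clock, keepalive=30.0)
    out = {"ok": gw.handle_access_request("cpe-a.example.net"),
           "denied": gw.handle_access_request("cpe-x.example.net"),
           "timeout": gw.handle_access_request("cpe-slow.example.net")}
    clock.now = 31.0                       # cpe-a has been idle for 31 s
    out["purged"] = gw.sweep_keepalive()
    out["cached_after_sweep"] = sorted(gw.cache)
    out["controller_calls"] = len(calls)
    return out


if __name__ == "__main__":
    print(demo())
```

Because the cache is emptied on disconnect and on keep-alive expiry, a returning CPE always triggers a fresh request to the controller, so a revocation made there applies to the next access.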
All the above optional technical solutions may be combined arbitrarily to form the optional embodiments of the present disclosure, and are not described herein again.
Fig. 10 is a schematic structural diagram of an access configuration apparatus provided in an embodiment of the present disclosure, and in a specific embodiment, the access configuration apparatus is a GW described in the foregoing embodiment, referring to fig. 10, the access configuration apparatus includes:
a receiving module 1001, configured to execute the process of receiving an access request in step 402, step 602, step 702, step 802, or step 902;
a sending module 1002, configured to execute step 403, step 603, step 703, step 803, or step 903;
the receiving module 1001 is further configured to execute the process of receiving the configuration information sent by the controller in step 407, step 807, or step 907;
a configuring module 1003, configured to execute the process of performing access configuration for the CPE according to the configuration information in the above step 407, step 807, and step 907.
In a specific embodiment, the configuration module 1003 is configured to perform the process of modifying the static configuration information in step 407, step 807 or step 907.
In a specific embodiment, the sending module 1002 is further configured to execute the step 606.
In a specific embodiment, the sending module 1002 is further configured to execute the step 707.
In a specific embodiment, the sending module 1002 is further configured to execute the step 408, the step 808, or the step 908.
In a specific embodiment, as shown in fig. 11, the apparatus further comprises:
a deleting module 1004, configured to execute the step 813 or the step 912.
In a specific embodiment, the access request is sent by a CPE to the GW via an IKE protocol, and the information acquisition request is sent by the GW to the controller via a Netconf or Yang protocol.
In a particular embodiment, the configuration information includes authentication keys, quality of service Qos, and virtual private network VPN information.
In a specific embodiment, the configuration module 1003 is further configured to perform a process of performing access configuration on the CPE according to the configuration information of the CPE when the current configuration information of the GW meets the authenticated access requirement in step 402.
According to the device provided by the embodiment of the disclosure, when the access request of the CPE is received, the configuration information of the CPE stored in the controller is acquired in real time, and the access configuration is performed on the CPE.
It should be noted that: in the access configuration device provided in the foregoing embodiment, when performing access configuration, only the division of the functional modules is illustrated, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the access configuration device and the access configuration method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Fig. 12 is a schematic structural diagram of an information providing apparatus provided in an embodiment of the present disclosure, and in a specific embodiment, the access configuration apparatus is a controller described in the foregoing embodiment, referring to fig. 12, the apparatus includes:
a receiving module 1201, configured to perform a process of receiving an information acquisition request in step 404, step 604, step 704, step 804, or step 904;
an authentication module 1202, configured to perform a process of authenticating an identity of the CPE in the above step 404, step 604, step 704, step 804, or step 904;
an obtaining module 1203, configured to perform step 405, step 705, step 805, or step 905;
a sending module 1204, configured to perform step 406, step 706, step 806, or step 906.
In a specific embodiment, as shown in fig. 13, the apparatus further comprises:
a searching module 1205, configured to perform a process of searching the identification information of the CPE device in the user database in step 404, step 604, step 704, step 804, or step 904;
an extracting module 1206, configured to perform a process of extracting user data in the above step 404, step 604, step 704, step 804, or step 904;
a determining module 1207, configured to perform the process of determining that the authentication is successful in step 404, step 604, step 704, step 804, or step 904;
the determining module 1207 is further configured to perform the process of determining that the authentication has failed in step 404, step 604, step 704, step 804, or step 904.
In a specific embodiment, the sending module 1204 is further configured to execute the step 605.
In a specific embodiment, the receiving module 1201 is further configured to perform the step 410, the step 810, or the step 910.
In a specific embodiment, the authentication request is sent by a CPE to the GW via an IKE protocol, and the information acquisition request is sent by the GW to the controller via a Netconf or Yang protocol.
In a specific embodiment, the obtaining module is further configured to perform the process of obtaining the configuration information of the CPE out-of-band, as shown in step 404.
The device provided by the embodiment of the disclosure can reduce the risk of leakage of the configuration information of the CPE by centrally managing the configuration information of the CPE and providing the configuration information for the GW when the GW needs the configuration information, thereby improving the access security of the CPE, and the centrally managed mode is more convenient for reasonably allocating the bandwidth and managing the user access.
It should be noted that: in the information providing apparatus provided in the above embodiment, when providing information, only the division of the above functional modules is exemplified, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the above described functions. In addition, the information providing apparatus provided in the foregoing embodiment and the information providing method embodiment included in the access configuration method embodiment belong to the same concept, and specific implementation processes thereof are detailed in the method embodiment and are not described herein again.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing is considered as illustrative of the embodiments of the disclosure and is not to be construed as limiting thereof, and any modifications, equivalents, improvements and the like made within the spirit and principle of the disclosure are intended to be included within the scope of the disclosure.

Claims (31)

1. An access configuration method, the method comprising:
the gateway receives an access request, wherein the access request carries identification information of customer premises equipment;
the gateway determines whether the current configuration information meets the authentication access requirement, and sends an information acquisition request to the controller in response to the authentication access requirement not being met, wherein the information acquisition request is used for indicating the controller to return the configuration information;
the gateway receives configuration information sent by the controller;
and the gateway performs access configuration on the customer premises equipment according to the configuration information.
2. The method of claim 1, further comprising:
the gateway compares the configuration information with static configuration information in the gateway;
and when the static configuration information is updated, the gateway modifies the static configuration information and correspondingly stores the static configuration information and the identification information of the customer premises equipment.
3. The method of claim 1, wherein after the gateway sends the information acquisition request to the controller, the method further comprises:
and when receiving the authentication failure message sent by the controller, the gateway sends an access failure message to the customer premises equipment.
4. The method of claim 1, wherein after the gateway sends the information acquisition request to the controller, the method further comprises:
and when the configuration information is not received within the preset time, the gateway sends an access failure message to the customer premises equipment.
5. The method of claim 1, wherein after the gateway performs access configuration for the customer premises equipment according to the configuration information, the method further comprises:
and after the access configuration is finished, the gateway sends a response message to the controller, wherein the response message is used for informing the controller that the configuration information is received and finishing the access configuration.
6. The method of claim 1, wherein after the gateway performs access configuration for the customer premises equipment according to the configuration information, the method further comprises:
when the gateway receives a disconnection request, the gateway deletes the configuration information from the cache according to the identification information of the customer premises equipment carried by the disconnection request, and releases connection resources; or
and when the gateway detects that the customer premises equipment is disconnected, the gateway deletes the configuration information from the cache according to the identification information of the customer premises equipment and releases connection resources.
7. The method of claim 1, wherein the access request is sent by the customer premises equipment to the gateway via an Internet Key Exchange (IKE) protocol, and wherein the information acquisition request is sent by the gateway to the controller via a network configuration (Netconf) or a Yang protocol.
8. The method of claim 1, wherein the configuration information comprises authentication keys, quality of service (QoS) and Virtual Private Network (VPN) information.
9. The method of claim 1, further comprising:
and when the current configuration information of the gateway can meet the authentication access requirement, the gateway performs access configuration on the customer premises equipment according to the current configuration information of the gateway.
10. An information providing method, characterized in that the method comprises:
a controller receives an information acquisition request sent by a gateway, wherein the information acquisition request carries identification information of customer premises equipment, the information acquisition request is used for indicating the controller to return configuration information, and the information acquisition request is sent by the gateway when the current configuration information is determined not to meet an authentication access requirement;
the controller performs identity authentication on the customer premises equipment according to the identification information of the customer premises equipment;
when the authentication is successful, the controller acquires configuration information corresponding to the identification information of the customer premises equipment according to the corresponding relation between the identification information and the configuration information;
and the controller sends the configuration information to a gateway, and the gateway performs access configuration on the customer premises equipment based on the configuration information.
11. The method of claim 10, wherein the controller performs identity authentication on the customer premises equipment according to the identification information of the customer premises equipment, and the method comprises:
the controller searches the identification information of the customer premises equipment in a user database;
when the user database comprises the identification information of the customer premises equipment, the controller extracts user data corresponding to the identification information of the customer premises equipment from the user database;
when the user data indicate that the customer premises equipment has access right, the controller determines that authentication is successful;
and when the controller does not find the identification information of the customer premises equipment in the user database or the user data indicates that the customer premises equipment has no access right, the controller determines that authentication fails.
12. The method according to claim 10 or 11, characterized in that the method further comprises:
when authentication fails, the controller sends an authentication failure message to the gateway.
13. The method of claim 10, wherein after the controller sends the configuration information to a gateway, the method further comprises: the controller receives a response message returned by the gateway.
14. The method of claim 10, wherein the authentication request is sent by the customer premises equipment to the gateway via an IKE protocol, and wherein the information acquisition request is sent by the gateway to the controller via a Netconf or Yang protocol.
15. The method of claim 10, wherein the obtaining of the configuration information of the customer premises equipment comprises:
the controller interacts with at least one server to acquire identification information and configuration information of the customer premises equipment stored on the at least one server;
and the controller correspondingly stores the identification information and the configuration information of the customer premises equipment.
16. An access configuration apparatus, applied to a gateway, the apparatus comprising:
the system comprises a receiving module, a judging module and a sending module, wherein the receiving module is used for receiving an access request, and the access request carries identification information and authentication type information of customer premises equipment;
the sending module is used for determining whether the current configuration information meets the authentication access requirement, responding to the situation that the authentication access requirement is not met, and sending an information acquisition request to the controller, wherein the information acquisition request is used for indicating the controller to return the configuration information;
the receiving module is further configured to receive configuration information sent by the controller;
and the configuration module is used for performing access configuration on the customer premises equipment by the gateway according to the configuration information.
17. The apparatus of claim 16, wherein the configuration module is configured to:
comparing the configuration information with static configuration information in the gateway;
and when the static configuration information is updated, modifying the static configuration information and correspondingly storing the static configuration information and the identification information of the customer premises equipment.
18. The apparatus of claim 16, wherein the transmitting module is further configured to transmit an access failure message to the customer premises equipment when receiving the authentication failure message transmitted by the controller.
19. The apparatus of claim 16, wherein the sending module is further configured to send an access failure message to the customer premises equipment when the configuration information is not received within a preset time period.
20. The apparatus of claim 16, wherein the sending module is further configured to send a response message to the controller after the access configuration is completed, and the response message is used to inform the controller that the configuration information has been received and the access configuration is completed.
21. The apparatus of claim 16, further comprising:
the deleting module is used for deleting the configuration information from the cache and releasing connection resources according to the identification information of the customer premises equipment carried by the disconnection request when the disconnection request is received; or
and the deleting module is used for deleting the configuration information from the cache according to the identification information of the customer premises equipment and releasing connection resources when the fact that the customer premises equipment is disconnected is detected.
22. The apparatus of claim 16, wherein the access request is sent by the customer premises equipment to the gateway via an IKE protocol, and wherein the information acquisition request is sent by the gateway to the controller via a Netconf or Yang protocol.
23. The apparatus of claim 16, wherein the configuration information comprises authentication keys, quality of service (QoS) and Virtual Private Network (VPN) information.
24. The apparatus of claim 16, wherein the configuration module is further configured to perform access configuration for the customer premises equipment according to the current configuration information of the gateway when the current configuration information of the gateway can meet the authenticated access requirement.
25. An information providing apparatus, applied to a controller, the apparatus comprising:
the receiving module is used for receiving an information acquisition request, wherein the information acquisition request carries identification information of customer premises equipment, the information acquisition request is used for indicating the controller to return configuration information, and the information acquisition request is sent by a gateway when the current configuration information is determined not to meet the authentication access requirement;
the authentication module is used for performing identity authentication on the customer premises equipment according to the identification information of the customer premises equipment;
the acquisition module is used for acquiring the configuration information corresponding to the identification information according to the corresponding relation between the identification information and the configuration information when the authentication is successful;
and the sending module is used for sending the configuration information to a gateway, and the gateway performs access configuration on the customer premises equipment based on the configuration information.
26. The apparatus of claim 25, further comprising:
the searching module is used for searching the identification information of the customer premises equipment in a user database;
the extraction module is used for extracting user data corresponding to the identification information of the customer premises equipment from the user database when the identification information of the customer premises equipment is included in the user database;
the determining module is used for determining that the authentication is successful when the user data indicate that the customer premises equipment has the access right;
the determining module is further configured to determine that authentication fails when the identification information of the customer premises equipment is not found in the user database or the user data indicates that the customer premises equipment has no access right.
27. The apparatus according to claim 25 or 26, wherein the sending module is further configured to send an authentication failure message to the gateway when the authentication fails.
28. The apparatus of claim 25, wherein the receiving module is further configured to receive a response message returned by the gateway.
29. The apparatus of claim 25, wherein the authentication request is sent by the customer premises equipment to the gateway via an IKE protocol, and wherein the information acquisition request is sent by the gateway to the controller via a Netconf or Yang protocol.
30. The apparatus of claim 25, wherein the obtaining module is further configured to obtain, through interaction with at least one server, identification information and configuration information of the customer premises equipment stored on the at least one server; and correspondingly storing the identification information and the configuration information of the customer premises equipment.
31. A communication system, characterized in that the communication system comprises a gateway for performing the method steps of any of claims 1-9 and a controller for performing the method steps of any of claims 10-15.
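The gateway-side flow recited in claims 1 to 6 and 9, together with the controller-side check of claims 11 and 12, can be sketched as follows. This is an added illustration, not code from the patent: the class and method names, the return strings, the sample data, and the reading of "current configuration information meets the authentication access requirement" as "the gateway already stores configuration for this CPE identifier" are all assumptions.

```python
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FetchTimeout
import time

class AuthFailure(Exception):
    """Controller could not authenticate the CPE (claims 11 and 12)."""

class Controller:
    def __init__(self, user_db, config_db, delay=0.0):
        self.user_db = user_db        # cpe_id -> user data, e.g. {"access": True}
        self.config_db = config_db    # cpe_id -> configuration information
        self.delay = delay            # constructed stand-in for a slow controller
        self.acks = []                # response messages from the gateway (claim 13)

    def get_config(self, cpe_id):
        time.sleep(self.delay)
        user = self.user_db.get(cpe_id)
        if user is None or not user.get("access"):
            raise AuthFailure(cpe_id)         # unknown identifier or no access right
        return dict(self.config_db[cpe_id])   # lookup by identifier (claim 10)

class Gateway:
    def __init__(self, controller, static_config=None, timeout=1.0):
        self.controller = controller
        self.static = dict(static_config or {})  # cpe_id -> stored configuration
        self.cache = {}                          # cpe_id -> configuration in use
        self.timeout = timeout                   # the "preset time" of claim 4
        self.pool = ThreadPoolExecutor(max_workers=4)

    def handle_access(self, cpe_id):
        cfg = self.static.get(cpe_id)
        if cfg is not None:                      # claim 9: local configuration suffices
            self.cache[cpe_id] = cfg
            return "ACCESS_OK_LOCAL"
        future = self.pool.submit(self.controller.get_config, cpe_id)
        try:
            cfg = future.result(timeout=self.timeout)
        except AuthFailure:
            return "ACCESS_FAILURE_AUTH"         # claim 3: relay failure to the CPE
        except FetchTimeout:
            return "ACCESS_FAILURE_TIMEOUT"      # claim 4: a late reply is ignored
        self.static[cpe_id] = cfg                # claim 2: store with the CPE identifier
        self.cache[cpe_id] = cfg                 # claim 1: configure access
        self.controller.acks.append(cpe_id)      # claim 5: response message
        return "ACCESS_OK_CONTROLLER"

    def handle_disconnect(self, cpe_id):
        # claim 6: delete cached configuration; True if an entry was released
        return self.cache.pop(cpe_id, None) is not None

if __name__ == "__main__":
    # Constructed sample data, not taken from the patent.
    ctrl = Controller({"cpe-1": {"access": True}},
                      {"cpe-1": {"auth_key": "k1", "qos": "gold", "vpn": "vpn-a"}})
    gw = Gateway(ctrl)
    for cpe in ("cpe-1", "cpe-unknown", "cpe-1"):
        print(cpe, gw.handle_access(cpe))
```

Both failure branches return before anything is written to `static` or `cache`, so a rejected or timed-out request leaves no configuration behind on the gateway.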
CN201711365123.5A 2017-12-18 2017-12-18 Access configuration method, information providing method and device Active CN109936515B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201711365123.5A CN109936515B (en) 2017-12-18 2017-12-18 Access configuration method, information providing method and device
PCT/CN2018/121448 WO2019120160A1 (en) 2017-12-18 2018-12-17 Method and device for data storage, and distributed storage system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711365123.5A CN109936515B (en) 2017-12-18 2017-12-18 Access configuration method, information providing method and device

Publications (2)

Publication Number Publication Date
CN109936515A CN109936515A (en) 2019-06-25
CN109936515B true CN109936515B (en) 2021-06-04

Family

ID=66982589

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711365123.5A Active CN109936515B (en) 2017-12-18 2017-12-18 Access configuration method, information providing method and device

Country Status (2)

Country Link
CN (1) CN109936515B (en)
WO (1) WO2019120160A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112399130B (en) * 2019-08-16 2023-04-07 北京紫荆视通科技有限公司 Processing method and device of cloud video conference information, storage medium and communication equipment
CN111314355B (en) * 2020-02-20 2022-09-30 深信服科技股份有限公司 Authentication method, device, equipment and medium of VPN (virtual private network) server
CN114006807A (en) * 2020-07-14 2022-02-01 青岛海信电子产业控股股份有限公司 Client terminal equipment, configuration method thereof and configuration server
CN113794583B (en) * 2021-08-15 2023-12-29 新华三信息安全技术有限公司 Configuration method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227415A (en) * 2008-02-04 2008-07-23 华为技术有限公司 Multi business resource allocation method, system, gateway equipment and authentication server
CN101621433A (en) * 2008-07-02 2010-01-06 上海华为技术有限公司 Method, device and system for configuring access equipment
KR20170017860A (en) * 2016-12-30 2017-02-15 주식회사 모바일컨버전스 Network virtualization system based of network vpn
CN106713057A (en) * 2015-07-30 2017-05-24 华为技术有限公司 Method for performing tunnel detection and device and system thereof

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103297353B (en) * 2012-02-22 2022-05-31 华为技术有限公司 Access method and system of user terminal equipment and broadband network gateway
EP2887580A1 (en) * 2013-12-23 2015-06-24 Telefonica S.A. Method and system for modifying configuration parameters on a user equipment and an Auto Configuration Server-Gateway
CN104917849B (en) * 2014-03-11 2018-09-07 华为技术有限公司 A kind of message treatment method, access controller and network node

Also Published As

Publication number Publication date
CN109936515A (en) 2019-06-25
WO2019120160A1 (en) 2019-06-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211222

Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee after: Super fusion Digital Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
