CN111405555A - Network authentication method and device - Google Patents


Info

Publication number: CN111405555A
Authority: CN (China)
Prior art keywords: authentication, network, accessed, apn, basic information
Legal status: Granted (Google Patents notes that the listed legal status is an assumption, not a legal conclusion)
Application number: CN202010170753.2A
Other languages: Chinese (zh)
Other versions: CN111405555B (en)
Inventors: 李政伟, 张建, 徐超, 史翔龙
Current assignee: Shenzhen Lenovo Connect Co ltd
Original assignee: Shenzhen Lenovo Connect Co ltd
Application filed by Shenzhen Lenovo Connect Co ltd
Priority to CN202010170753.2A
Publication of CN111405555A
Application granted
Publication of CN111405555B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Power Engineering
  • Mobile Radio Communication Systems

Abstract

The invention discloses a network authentication method and device. The network authentication method is applied to a network authentication device end and comprises the following steps: receiving an online request of an object to be networked, where the online request carries basic information of the object; responding to the online request by sending an authentication and authorization request for the object to a network server, where the request carries the basic information; receiving the judgment result of the authentication and authorization of the object, which the network server determines from the basic information; and performing network access authentication on the object according to the judgment result. The embodiment of the invention effectively improves the network access efficiency and the network connection reliability of the equipment, and effectively solves the problems that the existing 3A system uses a mobile operator as its network bearer, cannot open the capability and information of the existing network to existing customers, and cannot be customized.

Description

Network authentication method and device
Technical Field
The present invention relates to the field of radio access network technologies, and in particular, to a network authentication method and apparatus.
Background
With the development of the internet of things, its terminals are becoming more and more diversified; more and more equipment frequently goes online and offline or cannot connect to the network, and some industries additionally have high management, control and safety requirements for internet-of-things terminal equipment.
At present, a 3A system (Authentication, Authorization, Accounting; that is, authentication, authorization and charging, a network security authentication system) is mostly used to perform network security management of the internet of things. However, existing 3A systems all use the mobile operator as the network bearer, cannot open the capability and information of the existing network to existing customers, and cannot be customized; moreover, existing 3A systems are all standalone software or standalone devices.
Disclosure of Invention
The embodiment of the invention provides a network authentication method and device to solve the problems that the existing 3A system uses a mobile operator as its network bearer, cannot open the capability and information of the existing network to existing customers, and cannot be customized.
According to a first aspect of the present invention, a network authentication method is provided, applied to a network authentication device end, and the method includes: receiving an online request of an object to be networked, where the online request carries basic information of the object; responding to the online request by sending an authentication and authorization request for the object to a network server, where the request carries the basic information; receiving the judgment result of the authentication and authorization of the object, which the network server determines from the basic information; and performing network access authentication on the object according to the judgment result.
According to an embodiment of the present invention, performing network access authentication on the object according to the judgment result includes: when the judgment result shows that the object is a single access point name (APN) object and has the redundancy mode started, receiving the IP address set sent by the network server that corresponds to the APN of the object, so that the object can be authenticated multiple times at the device end.
According to an embodiment of the present invention, performing network access authentication on the object according to the judgment result includes: when the judgment result shows that the object is a multi-APN object, receiving the authentication result that the network server obtains by authenticating the object according to its APN information.
According to an embodiment of the present invention, receiving the authentication result that the network server obtains by authenticating the object according to its APN information includes: when the authentication result shows that the network server authenticated the object successfully, receiving the IP address allocated by the network server to the object.
According to a second aspect of the present invention, there is also provided a network authentication method applied to a network authentication server, the method including: receiving the authentication and authorization request that the network authentication device end sends in response to an online request of an object to be networked, where the online request carries basic information of the object and the authentication and authorization request carries that basic information; authenticating and authorizing the object according to the basic information; and sending the judgment result of the authentication to the network authentication device end.
According to an embodiment of the present invention, authenticating and authorizing the object according to the basic information includes: determining the access point name (APN) mode of the object from the basic information; when the APN mode shows that the object is a single APN object, judging whether the object has the redundancy mode started; and if the object has the redundancy mode started, sending the IP address set corresponding to the APN of the object to the network authentication device end so that the device end can authenticate the object multiple times.
According to an embodiment of the present invention, the basic information includes the APN information of the object, and the authentication according to the basic information further includes: when the APN mode shows that the object is a multi-APN object, authenticating and authorizing the object according to the APN information.
According to an embodiment of the present invention, authenticating the object according to the APN information includes: judging whether the APN information is consistent with the APN information pre-configured in the network server; if it is consistent, judging the authentication of the object to be successful and sending the IP address allocated to the object to the network authentication device end.
According to a third aspect of the present invention, there is also provided a network authentication apparatus applied to a network authentication device end, the apparatus including: a first request receiving module for receiving an online request of an object to be networked, where the online request carries basic information of the object; a response module for responding to the online request by sending an authentication and authorization request for the object to a network server, where the request carries the basic information; a result receiving module configured to receive the judgment result of the authentication of the object, which the network server determines from the basic information; and an authentication module for performing network access authentication on the object according to the judgment result.
According to an embodiment of the present invention, the authentication module includes a first authentication sub-module for receiving, when the judgment result shows that the object is a single access point name (APN) object with the redundancy mode started, the IP address set sent by the network server that corresponds to the APN of the object, so that the object can be authenticated multiple times.
According to an embodiment of the present invention, the basic information includes the APN information of the object, and the authentication module includes a second authentication sub-module for receiving, when the judgment result shows that the object is a multi-APN object, the authentication result that the network server obtains by authenticating the object according to the APN information.
According to an embodiment of the present invention, the second authentication sub-module is further configured to receive the IP address allocated by the network server to the object when the authentication result shows that the network server authenticated the object successfully.
According to a fourth aspect of the present invention, there is also provided a network authentication apparatus applied to a network authentication server, the apparatus including: a second request receiving module configured to receive the authentication and authorization request that the network authentication device end sends in response to an online request of an object to be networked, where the online request carries basic information of the object and the authentication and authorization request carries that basic information; an authentication module for authenticating and authorizing the object according to the basic information; and a result sending module for sending the judgment result of the authentication to the network authentication device end.
According to an embodiment of the present invention, the authentication module includes: a mode judgment sub-module for determining the access point name (APN) mode of the object from the basic information; a redundancy judgment sub-module for judging, when the APN mode shows that the object is a single APN object, whether the object has the redundancy mode started; and a first authentication sub-module for sending, when the object is judged to have the redundancy mode started, the IP address set corresponding to the APN of the object to the network authentication device end so that the device end can authenticate the object multiple times.
According to an embodiment of the present invention, the authentication module further includes a second authentication sub-module for authenticating and authorizing the object according to the APN information when the APN mode shows that the object is a multi-APN object.
According to an embodiment of the present invention, the second authentication sub-module is configured to judge the authentication of the object successful when the APN information is consistent with the APN information pre-configured in the network server, and to send the IP address allocated to the object to the network authentication device end.
According to a fifth aspect of the present invention, there is also provided a computer-readable storage medium comprising a set of computer-executable instructions which, when executed, are operable to perform any of the network authentication methods described above.
According to the network authentication method, network authentication device and computer-readable storage medium of the invention, the object to be networked is authenticated in response to its online request, based on the basic information carried in the online request and the information on the object pre-configured in the network server; furthermore, for a networking object in single APN mode, an IP address set is configured so that the network authentication device end can directly authenticate the equipment to be networked, which effectively improves the network access efficiency and the network connection reliability of the equipment. At the same time, the problems that the 3A system cannot open the capability and information of the existing network to existing customers and cannot be customized, because it uses the mobile operator as its bearer network, are effectively solved.
It is to be understood that the teachings of the present invention need not achieve all of the above-described benefits, but rather that specific embodiments may achieve specific technical results, and that other embodiments of the present invention may achieve benefits not mentioned above.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
in the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Fig. 1 is a schematic diagram illustrating a first implementation flow of a network authentication method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating an implementation flow of the network authentication method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating a third implementation flow of the network authentication method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram illustrating a first structure of a network authentication device according to an embodiment of the present invention;
Fig. 5 is a schematic diagram illustrating a second structure of a network authentication device according to an embodiment of the present invention;
Fig. 6 is a schematic diagram illustrating the service architecture of the 3A system on which the network authentication method according to an embodiment of the present invention is based;
Fig. 7 is a flowchart illustrating a specific application example of the network authentication method according to an embodiment of the present invention.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given only to enable those skilled in the art to better understand and to implement the present invention, and do not limit the scope of the present invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The technical solution of the present invention is further elaborated below with reference to the drawings and the specific embodiments.
Fig. 1 is a schematic diagram illustrating a first implementation flow of a network authentication method according to an embodiment of the present invention.
Referring to Fig. 1, a network authentication method according to an embodiment of the present invention is applied to a network authentication device end and includes at least the following operations: operation 101, receiving an online request of an object to be networked, where the online request carries basic information of the object; operation 102, responding to the online request by sending an authentication and authorization request for the object to a network server, where the request carries the basic information; operation 103, receiving the judgment result of the authentication of the object, which the network server determines from the basic information; and operation 104, performing network access authentication on the object according to the judgment result.
In an embodiment of the present invention, an LNS (Look n Stop, firewall) device or an operator PGW device (PDN gateway, an important network element in a mobile communication network, where PDN refers to a public data network) may serve as the network authentication device end.
In operation 101, the object to be networked may be a user of a POS (Point of Sale) or CPE (customer premises equipment) type device. When the user goes online through the POS/CPE, the operator receives the user's online request and forwards it to the LNS/PGW device.
In an embodiment of the present invention, the basic information of the object to be networked includes user name information, for example SIM (Subscriber Identity Module) card information.
In operation 102, in response to the online request, an authentication and authorization request for the object to be networked is sent to the network server, where the request carries the basic information of the object.
In an embodiment of the invention, the authentication and authorization request sent by the LNS/operator PGW device goes to any server in the 3A client cluster; the 3A client cluster, acting as the network server, has interacted with the CRM in advance to receive and store the basic information of the object to be networked and information such as its network service authority.
Specifically, the CRM (Customer Relationship Management, the customer management system) first sends the following information on the objects to be networked that it manages and controls (for example, users of POS/CPE devices) to the 3A system through the API interface provided by the 3A system: the SIM card information (for example, a user name), the APN (Access Point Name) information (for example, a user account and password), whether internet access is allowed, the IP address corresponding to the APN, whether the redundancy mode is started, and so on. Alternatively, the information on the objects managed and controlled by the CRM can be operated on directly through the 3A web portal interface, for example adding, changing and deleting information on an object to be networked. In the present invention, the information on the objects to be networked that the CRM manages and controls is referred to as user information unless otherwise specified.
Secondly, after receiving the user information sent by the CRM, the 3A system passes it to the 3A core server for processing, which first sends the user information to the 3A client and, once successful delivery is confirmed, stores it in the 3A system MySQL database; otherwise the failure is returned to the CRM.
In operation 103, the judgment result of the authentication of the object to be networked, which the network server determines from the basic information, is received.
In an embodiment of the present invention, any client RADIUS (Remote Authentication Dial In User Service, defined by RFC 2865 and RFC 2866, the most widely used 3A protocol) in the 3A client cluster performs the authentication judgment: it determines whether the user information, the information of the APN used for the user's online dialing, and so on exist in the RADIUS library, and sends the judgment result to the LNS device or the operator's PGW device.
In operation 104, network access authentication is performed on the object to be networked according to the judgment result.
Specifically, the first judgment the 3A system server makes on the user information is whether user information corresponding to the received basic information exists in the 3A system. If it exists, further judgment and confirmation are made according to that user information: whether the object corresponding to the basic information is allowed to access the network, what the APN mode of the object is, whether the object has the redundancy mode started, and so on.
In an embodiment of the present invention, when the judgment result shows that the object is a single access point name (APN) object with the redundancy mode started, the IP address set sent by the network server that corresponds to the APN of the object is received, so that the object can be authenticated multiple times.
Specifically, if the object is a single APN object with the redundancy mode started, the authentication authority for the object can be handed over to the LNS device/operator PGW device, so that authentication of the object is performed at the network authentication device end; this greatly reduces the load on the 3A system server and improves the authentication efficiency and reliability of the 3A system.
In another embodiment of the present invention, the basic information carried in the authentication request includes the APN information of the object, and when the judgment result shows that the object is a multi-APN object, the authentication result that the network server obtains by authenticating and authorizing the object according to its APN information is received.
Specifically, if the object is a multi-APN object, the 3A system needs to further confirm the APN information of the object, perform authentication, and feed the resulting authentication result back to the LNS device/operator PGW device.
In an embodiment of the present invention, when the authentication result for the object in the 3A system shows that the network server authenticated the object successfully, the IP address allocated to the object by the network server is received.
Specifically, for a multi-APN object, the 3A system further authenticates the object according to its APN information; when the APN information is consistent with the information preconfigured in the 3A system, the authentication is judged successful, and the IP address that the 3A system allocates to the object according to the APN information is received.
Fig. 2 shows a schematic flow chart of implementing the network authentication method according to the embodiment of the present invention.
Referring to Fig. 2, a network authentication method provided in an embodiment of the present invention is applied to a network authentication server and includes at least: operation 201, receiving the authentication and authorization request that a network authentication device end sends in response to an online request of an object to be networked, where the online request carries basic information of the object and the authentication and authorization request carries that basic information; operation 202, authenticating and authorizing the object according to the basic information; and operation 203, sending the judgment result of the authentication to the network authentication device end.
In operation 201, the authentication request that the network authentication device end sends in response to an online request of an object to be networked is received, where the online request carries basic information of the object and the authentication request carries that basic information.
In an embodiment of the present invention, the network authentication device end includes an LNS device/operator PGW device. After receiving the access request of the object to be networked, the LNS device/operator PGW device sends an authentication request for the device to the network server (for example, a 3A system) and forwards the received basic information of the object along with it.
Specifically, the 3A system determines whether the APN information carried in the received basic information of the object is consistent with the user information pre-configured by the CRM in the 3A system. If so, it judges the authentication of the object successful and allocates an IP address to the object corresponding to the received basic information; if not, it judges the authentication failed and feeds the failure result back to the LNS device/operator PGW device.
In operation 203, the judgment result of the authentication is sent to the network authentication device end.
Fig. 3 is a schematic diagram illustrating a third implementation flow of the network authentication method according to the embodiment of the present invention.
Referring to Fig. 3, in an embodiment of the present invention, on the basis of operations 201 and 203, the above operation 202 includes: operation 301, determining the access point name (APN) mode of the object to be networked from the basic information; operation 302, when the APN mode shows that the object is a single APN object, judging whether the object has the redundancy mode started; and operation 303, if the object has the redundancy mode started, sending the IP address set corresponding to the APN of the object to the network authentication device end so that the device end can authenticate the object multiple times.
Specifically, if the object is in single APN mode, an IP address set is allocated to the object, and the allocated set is sent to the network authentication device end (for example, the LNS device/operator PGW device) so that the device end can authenticate the object multiple times.
In an embodiment of the present invention, the basic information includes the APN information of the object, and when the APN mode shows that the object is a multi-APN object, the object is authenticated and authorized according to the APN information.
Specifically, when the object is a multi-APN object, its APN information is further acquired and the object is further authenticated according to that APN information, which effectively solves the problem that the IP address in a single-card multi-APN scenario cannot be controlled in the existing 3A system.
In an embodiment of the present invention, the above operation of authenticating the object according to the APN information includes: judging whether the APN information is consistent with the APN information pre-configured in the network server; if it is consistent, judging the authentication of the object successful and sending the IP address allocated to the object to the network authentication device end.
Specifically, when the object is determined to be a multi-APN object, the user name and APN information contained in the basic information received by the network server are authenticated; if the user name, APN and other information are consistent with the information pre-configured in the network server (for example, the 3A system server), the authentication is judged successful, and the IP address allocated to the object is sent to the network authentication device end so that the device to be networked can connect to the network. If they are inconsistent, the authentication failure result is fed back to the network authentication device end.
Thus, the invention responds to the online request of the object to be accessed, and carries out authentication and authentication on the object to be accessed according to the basic information carried in the online request of the object to be accessed and the information of the object to be accessed, which is pre-configured in the network server; furthermore, for the network access object in the single APN mode, an IP address set is configured so that the network authentication equipment terminal can directly authenticate the equipment to be accessed to the network, and the network access efficiency and the network connection reliability of the equipment are effectively improved. Meanwhile, the problem that the 3A system can not open the capability and information of the existing network to the existing customers and can not realize the customization of the customized 3A system because the mobile operator is used as the network for carrying is effectively solved.
Similarly, based on the above network authentication method, an embodiment of the present invention further provides a computer-readable storage medium, where a program is stored, and when the program is executed by a processor, the processor is caused to perform at least the following operation steps: operation 101, receiving an online request of an object to be networked, wherein the online request carries basic information of the object to be networked; operation 102, responding to the online request, sending an authentication and authorization request of the object to be accessed to the network to a network server, wherein the authentication and authorization request carries basic information; operation 103, receiving a judgment result of the authentication of the object to be accessed, which is judged by the network server according to the basic information; and operation 104, performing network access authentication on the object to be accessed according to the judgment result.
Further, based on the above network authentication method, an embodiment of the present invention further provides a network authentication apparatus, which is applied to a network authentication device, as shown in fig. 4, where the apparatus 40 includes: a first request receiving module 401, configured to receive an online request of an object to be networked, where the online request carries basic information of the object to be networked; a response module 402, configured to send, in response to the online request, an authentication and authorization request of the object to be networked to the network server, where the authentication and authorization request carries basic information; a result receiving module 403, configured to receive a determination result of authentication of the object to be accessed, which is determined by the network server according to the basic information; and the authentication module 404 is configured to perform network access authentication on the object to be accessed according to the determination result.
According to an embodiment of the invention, the authentication module 404 includes: and the first authentication submodule is used for receiving an IP address set which is sent by a network server and corresponds to the APN of the object to be accessed when the judgment result shows that the object to be accessed is a single access point APN object and the object to be accessed starts a redundancy mode so as to carry out authentication for the object to be accessed for multiple times.
According to an embodiment of the present invention, the basic information includes APN information of the object to be networked, and the authentication module 404 includes: and the second authentication submodule is used for receiving an authentication result of the network server for authenticating the object to be accessed according to the APN information when the judgment result shows that the object to be accessed is the multi-APN object.
According to an embodiment of the present invention, the second authentication sub-module is further configured to receive an IP address allocated by the network server to the object to be accessed when the authentication result shows that the network server successfully authenticates the object to be accessed.
Further, based on the above network authentication method, the present invention provides a network authentication apparatus applied to a network authentication server; as shown in fig. 5, the apparatus 50 includes: a second request receiving module 501, configured to receive an authentication and authorization request sent by the network authentication device in response to an online request of an object to be networked, where the online request carries basic information of the object to be networked and the authentication and authorization request carries that basic information; an authentication module 502, configured to authenticate and authorize the object to be networked according to the basic information; and a result sending module 503, configured to send the authentication determination result to the network authentication device.
According to an embodiment of the present invention, the authentication module 502 includes: a mode judgment submodule, configured to determine the access point (APN) mode of the object to be networked according to the basic information; a redundancy judgment submodule, configured to judge whether the object to be networked has started a redundancy mode when the APN mode shows that the object to be networked is a single-APN object; and a first authentication submodule, configured to send the IP address set corresponding to the APN of the object to be networked to the network service device when it is judged that the object to be networked has started the redundancy mode, so that the network service device can authenticate and authorize the object to be networked multiple times.
According to an embodiment of the present invention, the authentication module 502 further includes: a second authentication submodule, configured to authenticate and authorize the object to be networked according to the APN information when the APN mode shows that the object to be networked is a multi-APN object.
According to an embodiment of the present invention, the second authentication submodule is configured to, when the APN information is consistent with the APN information preconfigured in the network server, determine that the authentication of the object to be accessed has succeeded, and send the IP address allocated to the object to be accessed to the network service device.
Here, it should be noted that the above description of the network authentication apparatus embodiments is similar to the description of the method embodiments shown in fig. 1 to 3 and has similar beneficial effects, and is therefore not repeated. For technical details not disclosed in the apparatus embodiments of the present invention, refer to the description of the method embodiments shown in fig. 1 to 3 of the present invention; for brevity, they are not described again here.
Fig. 6 is a schematic view of the service architecture of the 3A system on which the network authentication method according to the embodiment of the present invention is based. Referring to fig. 6, in this application example the 3A system adopts clustered management, and the authentication and authorization service of the 3A system, shown in the oval frame, is executed by a 3A client cluster. The RADIUS authentication and authorization service is deployed on the 3A client side, and the 3A clients perform the actual authentication and authorization processing. A RADIUS memory bank (an in-memory store) is pre-configured in the 3A client cluster to hold the user information that the CRM configured in the 3A system beforehand and to serve high-speed RADIUS authentication; using the memory bank practically guarantees the processing efficiency of 3A authentication, improves authentication efficiency, and effectively improves the network connection speed and reliability of the devices to be networked.
Other service modules of the 3A system are still executed by the 3A core server; these other functional modules or service contents are shown in block form in fig. 6, such as: 3A service gateway, firewall/basic connection management, service monitoring, 3A API server gateway (load balancer), 3A core service, and the 3A database MySQL.
The 3A API server gateway provides a way of managing the 3A system through an API, with functions consistent with those of the 3A service portal. Firewall/basic connection management (LNS/BASE connection management) provides the LNS connection management function: it is responsible for collecting the devices online on the LNS/BASE and provides management of those online devices (for example, cancelling a network connection, or viewing the network connection usage state). The 3A database MySQL stores the data of the 3A system and serves queries of the recent 3A system operation logs. Service monitoring refers to monitoring and managing the running state of the 3A services. The 3A core service refers to the main monitoring and management service of the 3A core; the authentication service of the 3A core provides the APN and authentication-server processing functions, and the security processing system of the 3A authentication server provides the APN for the authentication service.
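The RADIUS exchange between the LNS/PGW and the 3A client is described above only at the architecture level. The following is an added example, not code from the patent or from the 3A system, showing both sides of that exchange with the packet layout of RFC 2865: the LNS/PGW side builds an Access-Request carrying the user name and APN, the 3A side parses it and answers with an Access-Accept carrying the allocated IP (Framed-IP-Address) or an Access-Reject, and the LNS/PGW side verifies the Response Authenticator before trusting the answer. It assumes the APN travels in Called-Station-Id (the 3GPP convention); the user names, APN, IP and shared secret are constructed sample values, and the tiny allocation table stands in for the 3A decision.

```python
"""Added example (not the patent's code): RADIUS Access-Request / Access-Accept
between an LNS/PGW and the 3A client, following RFC 2865 packet formats.
Assumption: the APN is carried in Called-Station-Id (3GPP convention)."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, FRAMED_IP_ADDRESS, CALLED_STATION_ID = 1, 8, 30   # RFC 2865 attribute types


def _attrs(attrs):
    """Serialise (type, value_bytes) pairs as RADIUS TLVs; length includes the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_access_request(ident, user_name, apn, request_auth=None):
    """LNS/PGW side: Access-Request with User-Name and APN in Called-Station-Id."""
    request_auth = request_auth or os.urandom(16)     # fresh Request Authenticator
    body = _attrs([(USER_NAME, user_name.encode()), (CALLED_STATION_ID, apn.encode())])
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return hdr + request_auth + body


def parse_packet(pkt):
    """Parse code, identifier, authenticator and attribute list; reject malformed lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def build_response(code, ident, request_auth, attrs, secret):
    """3A side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + resp_auth + body


def verify_response(pkt, request_auth, secret):
    """LNS/PGW side: only an answer keyed with the shared secret may carry an IP allocation."""
    _, _, resp_auth, _ = parse_packet(pkt)
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return expected == resp_auth


# Constructed stand-in for the 3A authentication judgment: (user name, APN) -> allocated IP.
ALLOCATIONS = {("pos-0001", "iot.example"): "10.10.0.11"}


def handle_request(pkt, secret, allocations=ALLOCATIONS):
    """3A side: look up user name + APN and answer Access-Accept (with IP) or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"").decode(errors="replace")
    apn = fields.get(CALLED_STATION_ID, b"").decode(errors="replace")
    ip = allocations.get((user, apn))
    if ip is None:
        return build_response(ACCESS_REJECT, ident, request_auth, [], secret)
    return build_response(ACCESS_ACCEPT, ident, request_auth,
                          [(FRAMED_IP_ADDRESS, socket.inet_aton(ip))], secret)
```

The point of `verify_response` is that the LNS/PGW must not act on an Access-Accept (and the IP it carries) unless the Response Authenticator checks out against the shared secret and the Request Authenticator it sent; the parser also refuses packets whose length fields do not match the bytes received. User-Password handling is left out because the flow on this page keys on user name and APN.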
Fig. 7 is a flowchart illustrating a specific application example of the network authentication method according to the embodiment of the present invention.
Referring to fig. 7, in a specific application example of the network authentication method according to the embodiment of the present invention, the network authentication method may include the following steps:
S100, the CRM sends user information (including SIM card information, APN information, whether Internet access is allowed, the IP corresponding to each APN, whether the redundancy mode is started, and the like) to the 3A system, where the 3A system comprises a 3A core server and a 3A client cluster (a cluster formed by a plurality of 3A clients, configured in advance for the LNS/PGW).
S200, an object to be networked (for example, a user of a POS, CPE or other type of device) sends an online request carrying the basic information of the object to be networked, such as the user name and APN information.
S300, the operator receives the online request sent by the object to be networked and forwards it to the operator's LNS/PGW device.
S400, the LNS device/operator PGW device sends an authentication and authorization request to the 3A system in response to the received online request.
S500, the 3A system's RADIUS service performs the authentication judgment. Specifically, S500 may include steps S510, S511, S512, S521, S522 and S523.
S510, the 3A system judges the APN mode of the user equipment (namely the device corresponding to the object to be accessed).
S511, when the 3A system judges that the APN mode of the user equipment is the single-APN mode, it judges whether the user equipment has started the redundancy mode.
S512, when the 3A system judges that the user has started the redundancy mode, it sends the IP address pool allocated to the single-APN device to the LNS device/operator PGW device, so that the single-APN device can be authenticated multiple times.
S521, when the 3A system determines that the user mode is the multi-APN mode (taking the dual-APN mode as an example), it further authenticates the user equipment.
S522, the 3A system further authenticates the user equipment, that is, performs strong authentication: if the authentication succeeds (the user name and APN information are consistent with those in the 3A system), it feeds back the authentication success to the LNS/PGW device and allocates an IP address to the object to be networked for the network connection.
S523, if the 3A system fails to authenticate the user equipment (that is, the user name and APN information are inconsistent with those in the 3A system), it feeds back the authentication failure to the LNS/PGW device.
S600, the authentication judgment result is fed back (including whether the user information exists in the RADIUS store, which APN the user dialled to go online, the IP address allocation, and the like).
The application example of the invention adopts a control mode combining clustering and control, and has higher availability. It separates the service interface from the authentication service, so the high-speed operation of the services served by the 3A system can be guaranteed with high quality; for example, a PGW client can be effectively ensured to open accounts in large batches and to execute business operations smoothly. At the same time, the performance of the 3A system is improved: practice has shown that the performance and efficiency of the network authentication method provided by the embodiment of the invention are greatly improved.
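The 3A-side judgment of steps S510 to S523 above (the same decision that operations 301 to 303 and the multi-APN check describe earlier in the description) is shown below as an added worked example; it is not the patent's or the 3A system's own code. It runs the decision over a constructed in-memory user store of the kind the CRM pushes in S100 (user name, allowed flag, the IP configured per APN, redundancy flag) and returns what S600 feeds back: whether the user is known, which APN applies, and the IP allocation. Record and field names are assumptions; the behaviour for a single-APN device without redundancy mode (one address handed back) is also an assumption, since the page only specifies the redundancy case.

```python
"""Added example (not the patent's code): the 3A authentication judgment of
steps S510-S523 over a constructed CRM user store."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UserRecord:
    """User information as pushed by the CRM in S100 (field names are assumptions)."""
    user_name: str
    allowed: bool                    # "whether to allow to surf the Internet"
    apn_ips: Dict[str, List[str]]    # IP address(es) configured for each APN
    redundancy: bool = False         # "whether to start a redundancy mode"

    @property
    def single_apn(self) -> bool:
        return len(self.apn_ips) == 1


@dataclass
class Decision:
    """What S600 feeds back to the LNS/PGW."""
    accepted: bool
    reason: str
    known: bool = False                  # user information present in the RADIUS store
    apn: Optional[str] = None            # APN the user dialled with / is bound to
    ip_addresses: List[str] = field(default_factory=list)   # one IP, or the whole set (S512)


# Constructed sample store standing in for the RADIUS memory bank of the 3A client cluster.
CRM_STORE: Dict[str, UserRecord] = {
    "pos-0001": UserRecord("pos-0001", True, {"iot.example": ["10.10.0.11", "10.10.0.12"]}, redundancy=True),
    "pos-0002": UserRecord("pos-0002", True, {"iot.example": ["10.10.0.21"]}),
    "cpe-0100": UserRecord("cpe-0100", True, {"iot.example": ["10.20.0.5"], "mgmt.example": ["10.30.0.5"]}),
    "cpe-0101": UserRecord("cpe-0101", False, {"iot.example": ["10.20.0.6"]}),
}


def authenticate(user_name: str, apn: str, store: Dict[str, UserRecord] = CRM_STORE) -> Decision:
    """Run the S510-S523 judgment for one online request (user name + APN)."""
    rec = store.get(user_name)
    if rec is None:
        return Decision(False, "user information not in RADIUS store")
    if not rec.allowed:
        return Decision(False, "user not allowed online", known=True)

    if rec.single_apn:                                   # S510/S511: single-APN mode
        (only_apn, ips), = rec.apn_ips.items()
        if rec.redundancy:                               # S512: hand the whole pool to the LNS/PGW
            return Decision(True, "single APN, redundancy mode: IP address set", True, only_apn, list(ips))
        # Assumption: without redundancy mode a single address is returned.
        return Decision(True, "single APN", True, only_apn, ips[:1])

    # S521-S523: multi-APN mode, strong authentication of user name + APN
    if apn not in rec.apn_ips:                           # S523: APN not preconfigured for this user
        return Decision(False, "multi APN: user name/APN inconsistent with 3A configuration", True, apn)
    return Decision(True, "multi APN: user name and APN consistent", True, apn, rec.apn_ips[apn][:1])  # S522
```

A defender reviewing this flow would note that in the multi-APN branch the APN the device dialled is an input to the decision, so a device configured for `iot.example` cannot obtain the `mgmt.example` address merely by asking for it; in the single-APN branch the page delegates repeated authentication to the LNS/PGW, which is why the whole address set is handed over rather than one address.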
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as a removable Memory device, a Read Only Memory (ROM), a magnetic disk, or an optical disk.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a magnetic or optical disk, or other various media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A network authentication method is applied to a network authentication device, and comprises the following steps:
receiving an online request of an object to be networked, wherein the online request carries basic information of the object to be networked;
responding to the online request, and sending an authentication and authorization request of the object to be accessed to a network server, wherein the authentication and authorization request carries the basic information;
receiving a judgment result of authentication and authorization of the object to be accessed, which is judged by the network server according to the basic information;
and performing network access authentication on the object to be accessed according to the judgment result.
2. The method according to claim 1, wherein the performing network access authentication on the object to be accessed according to the determination result comprises:
and when the judgment result shows that the object to be accessed is a single access point APN object and the object to be accessed opens a redundancy mode, receiving an IP address set which is sent by the network server and corresponds to the APN of the object to be accessed so as to carry out authentication for the object to be accessed for multiple times.
3. The method of claim 1, wherein the basic information includes APN information of the to-be-networked object, and wherein performing network access authentication on the to-be-networked object according to the determination result includes:
and when the judgment result shows that the object to be accessed to the network is a multi-APN object, receiving an authentication result of the authentication of the object to be accessed to the network by the network server according to the APN information.
4. The method of claim 3, wherein the receiving the authentication result of the authentication and authorization of the network server for the object to be networked according to the APN information comprises:
and when the authentication result shows that the network server successfully authenticates the object to be accessed, receiving an IP address distributed by the network server for the object to be accessed.
5. A network authentication method is applied to a network authentication server, and comprises the following steps:
receiving an authentication and authorization request sent by a network authentication device in response to an online request of an object to be accessed, wherein the online request carries basic information of the object to be accessed, and the authentication and authorization request carries the basic information;
according to the basic information, carrying out authentication and verification on the object to be accessed to the network;
and sending the judgment result of the authentication to the network authentication device.
6. The method according to claim 5, wherein said authenticating and authenticating the object to be accessed according to the basic information comprises:
determining an access point APN mode of the object to be accessed according to the basic information;
when the APN mode shows that the object to be accessed to the network is a single APN object, judging whether the object to be accessed to the network starts a redundancy mode;
and if the object to be accessed to the network starts a redundancy mode, sending an IP address set corresponding to the APN of the object to be accessed to the network service equipment terminal so that the network service equipment terminal performs multiple authentication and authentication on the object to be accessed to the network.
7. The method according to claim 6, wherein the basic information includes APN information of the object to be networked, and the performing network access authentication on the object to be networked according to the determination result further includes:
when the APN mode shows that the object to be accessed to the network is a multi-APN object,
carrying out authentication and verification on the object to be accessed according to the APN information.
8. The method of claim 7, wherein the authenticating and authenticating the object to be networked according to the APN information comprises:
judging whether the APN information is consistent with APN information pre-configured in the network server;
and if they are consistent, judging that the authentication of the object to be accessed has succeeded, and sending the IP address allocated to the object to be accessed to the network service equipment terminal.
9. A network authentication device is applied to a network authentication equipment terminal, and the device comprises:
a first request receiving module, configured to receive an online request of an object to be networked, wherein the online request carries basic information of the object to be networked;
the response module is used for responding to the online request and sending an authentication and authorization request of the object to be accessed to a network server, wherein the authentication and authorization request carries the basic information;
a result receiving module, configured to receive a determination result of authentication of the object to be networked, which is determined by the network server according to the basic information;
and the authentication module is used for carrying out network access authentication on the object to be accessed according to the judgment result.
10. A network authentication apparatus, applied to a network authentication server, the apparatus comprising:
a second request receiving module, configured to receive an authentication and authorization request sent by the network authentication device end in response to an online request of an object to be networked, where the online request carries basic information of the object to be networked, and the authentication and authorization request carries the basic information;
the authentication module is used for authenticating and authenticating the object to be accessed to the network according to the basic information;
and the result sending module is used for sending the judgment result of the authentication to the network authentication equipment terminal.
Application CN202010170753.2A, "Network authentication method and device"; priority date 2020-03-12; filing date 2020-03-12; status: Active; granted as CN111405555B (en).

Publications (2)

Publication Number Publication Date
CN111405555A 2020-07-10
CN111405555B 2021-09-07

Family ID: 71436168

Country Status (1)

Country Link
CN (1) CN111405555B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101163085A (en) * 2007-11-16 2008-04-16 中国联合通信有限公司 Method and system for implementing CDMA1xLNS load balancing
CN101867476A (en) * 2010-06-22 2010-10-20 杭州华三通信技术有限公司 3G virtual private dialing network user safety authentication method and device thereof
WO2011057659A1 (en) * 2009-11-10 2011-05-19 Nokia Siemens Networks Oy Network device in a communication network and method for providing communications traffic breakout
CN103517254A (en) * 2012-06-27 2014-01-15 中兴通讯股份有限公司 Multiple access point connection processing method and apparatus thereof
CN109151916A (en) * 2018-08-28 2019-01-04 北京佰才邦技术有限公司 The network transfer method of mobile network's business, device and system
CN109831752A (en) * 2019-04-03 2019-05-31 深圳联想懂的通信有限公司 A kind of communication flow rate control method and system
CN109981373A (en) * 2019-04-03 2019-07-05 深圳联想懂的通信有限公司 A kind of communication flux accounting method and system




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant