CN114650304B - Authentication and authorization method and device - Google Patents

Authentication and authorization method and device

Info

Publication number
CN114650304B
Authority
CN
China
Prior art keywords
user
authentication
internet
things platform
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011499207.XA
Other languages
Chinese (zh)
Other versions
CN114650304A (en)
Inventor
周斌
黄烨
陈文德
付朝印
宋安平
陈涛
徐可
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Capitek Co ltd
China Unicom Jiangsu Industrial Internet Co Ltd
Original Assignee
Beijing Capitek Co ltd
China Unicom Jiangsu Industrial Internet Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Capitek Co ltd and China Unicom Jiangsu Industrial Internet Co Ltd
Priority to CN202011499207.XA
Publication of CN114650304A
Application granted
Publication of CN114650304B
Legal status: Active (current)
Anticipated expiration

Classifications

    All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols)
    • H04L 12/141 Indication of costs (H04L 12/00 Data switching networks > H04L 12/02 Details > H04L 12/14 Charging, metering or billing arrangements for data wireline or wireless communications)
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities (H04L 63/00)
    • H04L 63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H04L 63/00 > H04L 63/08)

Abstract

The application provides an authentication and authorization method and device. The method comprises: when a server of a first platform receives an access request from a user, it forwards an authentication request to an Internet of Things (IoT) platform based on user state information, the user state information indicating whether the IoT platform stores the user's subscriber information; the server receives, from the IoT platform, the authentication result for the authentication request, the result being either authentication success or authentication rejection; and when the result is authentication success, the server sends authorization information to the user. In this scheme users are divided, according to whether their subscriber information is stored on the IoT platform, into stored and non-stored users, so that the IoT platform serves the stored new and existing VPDN users and is guaranteed to serve intra-provincial users, improving the reliability and convenience of the authentication and authorization function.

Description

Authentication and authorization method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for authentication and authorization.
Background
In the standard networking architecture (Fig. 1) of an operator's existing provincial virtual private dial-up network (VPDN) platform, standard authentication, authorization and accounting (AAA) services are typically provided to terminals by the AAA server of the provincial VPDN platform.
With the deployment and growth of Internet of Things (IoT) platforms (for example, the JASPER IoT platform), how to migrate VPDN users to the IoT platform so that it can provide them with more reliable and convenient AAA services is receiving increasing attention. After such a migration, however, an existing VPDN user can use the new service only after replacing the SIM with an IoT card; otherwise, even though the user has been migrated to the IoT platform, the platform cannot provide the corresponding service. The migration is therefore time-consuming and labor-intensive and brings cost pressure.
Disclosure of Invention
In view of this, embodiments of the present application provide an authentication and authorization method and apparatus that solve the problem of existing VPDN users being unable to conveniently and quickly obtain the higher-quality service provided by the IoT platform.
In a first aspect, embodiments of the present application provide an authentication and authorization method comprising: when a server of a first platform receives an access request sent by a user, forwarding an authentication request to the IoT platform based on user state information, the user state information indicating whether the IoT platform stores the user's subscriber information; the server receiving, from the IoT platform, an authentication result for the authentication request, the result being authentication success or authentication rejection; and, when the authentication result is authentication success, the server sending authorization information to the user.
In some embodiments, before the server of the first platform receives the access request and forwards the authentication request based on the user state information, the method further comprises: classifying the user state information as synchronized or unsynchronized according to whether the subscriber information is stored synchronously on the IoT platform, wherein forwarding the authentication request to the IoT platform based on the user state information comprises forwarding the authentication request to the IoT platform when the user state information is synchronized.
In some embodiments, the method further comprises: when the user state information is unsynchronized, the server sends an authentication result to the user based on the authentication request, i.e. it authenticates the user locally.
In some embodiments, forwarding the authentication request to the IoT platform based on the user state information comprises: the server forwarding, based on the user state information, the authentication request that arrived through the original intra-provincial gateway of the first platform to the IoT platform; and the server sending authorization information to the user comprises: the server sending the authorization information to the user through the intra-provincial gateway.
In some embodiments, the first platform is a virtual private dial-up network platform, and the authorization information includes a static IP address and domain name system (DNS) server information.
In some embodiments, after the server sends the authorization information to the user upon successful authentication, the method further comprises: the server forwarding an accounting request to the IoT platform based on the user state information; the server receiving, from the IoT platform, an accounting response to the accounting request; and the server sending the accounting response to the user.
In some embodiments, the method further comprises classifying the user state information as synchronized or unsynchronized according to whether the subscriber information is stored synchronously on the IoT platform, wherein the server forwarding the accounting request to the IoT platform based on the user state information comprises forwarding the accounting request to the IoT platform when the user state information is synchronized.
In some embodiments, the server forwarding the accounting request to the IoT platform based on the user state information comprises: the server forwarding, based on the user state information, the accounting request that arrived through the original intra-provincial gateway of the first platform to the IoT platform; and the server sending the accounting response to the user comprises: the server sending the accounting response to the user through the intra-provincial gateway.
In a second aspect, embodiments of the present application provide an authentication and authorization apparatus comprising: a receiving and forwarding module configured to forward an authentication request to the IoT platform based on user state information when an access request sent by a user is received, the user state information indicating whether the IoT platform stores the user's subscriber information; a receiving module configured to receive, from the IoT platform, an authentication result for the authentication request, the result being authentication success or authentication rejection; and a sending module configured to send authorization information to the user when the authentication result is authentication success.
In a third aspect, embodiments of the present application provide an electronic device comprising a processor and a memory storing processor-executable instructions, the processor being configured to perform the authentication and authorization method of the first aspect.
Embodiments of the present application thus divide users into stored and non-stored types according to whether their subscriber information is stored on the IoT platform, so that the IoT platform serves the stored new and existing VPDN users. This achieves batch migration of VPDN users and ensures that the IoT platform provides authentication and authorization services for both new and existing VPDN users.
Drawings
Fig. 1 is a schematic architecture diagram of a VPDN platform.
Fig. 2 is a flow diagram of a standard authentication, authorization, and accounting service.
Fig. 3 is a flow chart of a method of authentication and authorization provided in an exemplary embodiment of the present application.
Fig. 4 is a flow chart of a method of authentication and authorization provided in another exemplary embodiment of the present application.
Fig. 5 is a flow chart of a method for authenticating, authorizing and billing services provided by an exemplary embodiment of the present application.
Fig. 6 is a flow chart of a method of authenticating, authorizing, and billing services provided by another exemplary embodiment of the present application.
Fig. 7 is a flow chart of a method of authenticating, authorizing, and billing services provided by another exemplary embodiment of the present application.
Fig. 8 is a schematic structural diagram of an authentication and authorization apparatus according to an exemplary embodiment of the present application.
Fig. 9 is a block diagram of an electronic device for authentication and authorization provided in an exemplary embodiment of the present application.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The application scenario is described below taking the migration of VPDN users to the JASPER IoT platform as an example. Two schemes are currently used when actually migrating VPDN users to an IoT platform:
Scheme one: discard the VPDN platform and migrate the VPDN users directly to the IoT platform (for example, the JASPER IoT platform). In subsequent service handling, RADIUS messages are carried directly through the group-level private-network PGW that interconnects with the JASPER IoT platform, and the JASPER IoT platform provides the AAA service. This scheme has the following problems. 1. A VPDN user can use the new service only after replacing the SIM with an IoT card; replacing cards for a large VPDN user base brings cost pressure, and the replacement itself takes time and degrades the users' service experience. 2. The VPDN users abandon the original intra-provincial PGW and are instead served through the group private-network PGW, which requires technical modification of network elements such as the radio access side and the home subscriber server (HSS), again at a cost.
Scheme two: keep the VPDN platform, with VPDN users continuing to receive AAA service from it, while newly added IoT users open accounts on the IoT platform and receive AAA service from it. In short: "old users, old platform; new users, new platform". This coexistence strategy partly compensates for the shortcomings of scheme one. However, it only ensures that the service scenario of newly added IoT users meets the current migration requirement; the many existing VPDN users do not gain the improved AAA service quality of the JASPER IoT platform, and the original goal of unified management is not met either.
Fig. 2 is a flow diagram of the standard prior-art AAA service. The procedure, shown in Fig. 2 for an AAA server and a packet data network gateway (PGW), is as follows:
Step 210: the PGW sends a Remote Authentication Dial In User Service (RADIUS) authentication request (an Access-Request) to the AAA server;
Step 220: the AAA server returns a RADIUS authorization response to the PGW (an Access-Accept carrying the authorization attributes, or an Access-Reject);
Step 230: the PGW sends a RADIUS accounting request (an Accounting-Request) to the AAA server;
Step 240: the AAA server returns a RADIUS accounting response (an Accounting-Response) to the PGW.
Fig. 3 is a flow chart of a method of authentication and authorization provided in an exemplary embodiment of the present application. The method of fig. 3 is performed by a computing device, e.g., a server. As shown in fig. 3, the authentication and authorization method includes the following.
310: and when receiving an access request sent by a user, the server of the first platform forwards an authentication request to the Internet of things platform based on the user state information.
In an embodiment, the user status information is used to indicate whether the internet of things platform stores user information of the user.
In one embodiment, the first platform is a VPDN platform.
The server may be an AAA server in a VPDN platform, and the access request may be a request issued by the user when the terminal dials. That is, the AAA server forwards the authentication request to the internet of things platform based on the user status information when the user performs the dialing. The authentication request may be an AAA authentication request.
In an example, the internet of things platform may be a JASPER internet of things platform, and the type of the internet of things platform is not specifically limited in the embodiments of the present application. It should be understood that the internet of things platform may also refer to one or more servers.
The user state information can divide the VPDN user into two user states of synchronous and unsynchronized according to whether the user information of the VPDN user is synchronously stored in the JASPER Internet of things platform. The user information of the VPDN user is synchronized to the JASPER Internet of things platform, and the VPDN platform and the JASPER Internet of things platform both store the user information of the VPDN user at the moment. The user information of the VPDN user is not synchronized to the JASPER Internet of things platform, and the user information of the VPDN user is only stored in the VPDN platform.
When the user information of the VPDN user is synchronized to the JASPER Internet of things platform, the AAA server forwards an authentication request sent by the VPDN user to the JASPER Internet of things platform for AAA authentication; otherwise, the AAA server directly performs local authentication. That is, the AAA server decides whether the current user is forwarded to the JASPER internet of things platform authentication or directly authenticated locally according to different states of the user.
It should be appreciated that the authentication request may be a RADIUS authentication request. The authentication of the user in different states by different platforms (i.e. VPDN platform or internet of things platform) can be accomplished by the RADIUS protocol.
It should also be appreciated that the authentication method can ensure that the "synchronized" VPDN user can use the highly reliable authentication service of the JASPER internet of things platform, and can also ensure that the "unsynchronized" VPDN user uses the basic authentication service provided by the AAA server of the local VPDN platform.
320: and the server receives an authentication result of the authentication request sent by the internet of things platform, wherein the authentication result comprises authentication success or authentication rejection.
Specifically, the AAA server receives an authentication result sent by the JASPER Internet of things platform. The authentication result may be authentication success or authentication rejection (i.e., authentication failure).
It should be understood that after the JASPER internet of things platform receives the authentication request, the authentication request sent by the AAA server may be compared and analyzed with database information in the JASPER internet of things platform. If the authentication is successful, returning an authentication result of successful authentication to the AAA server; and otherwise, sending an authentication result of the authentication rejection to the AAA server.
330: and when the authentication result is that the authentication is successful, the server sends authorization information to the user.
In an embodiment, the authorization information may include a static IP address and domain name system (domain name system, DNS).
Specifically, for the VPDN user successfully authenticated by the AAA of the Internet of things platform, the AAA server uniformly performs local authorization, and issues static IP address, DNS and other information for the VPDN user.
It should be understood that the original AAA authorization service of the JASPER internet of things platform is weak, and cannot support authorization of information such as static IP address and DNS; in view of management and security of the ue, some VPDN users have explicit requirements for static IP addresses, so that a local authorization method is adopted to consider the needs of some VPDN users.
Further, the method further comprises: when the user state information is unsynchronized, the server sends an authentication result to the user based on the authentication request.
Specifically, when the user information of the VPDN user is not synchronized to the JASPER internet of things platform, the AAA server does not forward the authentication request and directly performs local authentication in the AAA server. And the AAA server of the VPDN platform issues authorization information.
Therefore, according to the embodiment of the application, the users are classified into the stored type and the non-stored type based on whether the user information is stored in the internet of things platform, so that the internet of things platform provides services for the stored new/old VPDN users. The method not only achieves the aim of batch migration of the VPDN users, but also ensures that the platform of the Internet of things can provide authentication and authorization services for new/old VPDN users.
Fig. 4 is a flow chart of a method of authentication and authorization provided in another exemplary embodiment of the present application. Fig. 4 is an example of the embodiment of Fig. 3; common points are not repeated and the differences are emphasized here. The authentication and authorization method includes the following.
410: The user state information is classified as synchronized or unsynchronized according to whether the subscriber information is stored synchronously on the IoT platform.
Specifically, VPDN users are divided into the two states synchronized and unsynchronized according to whether their subscriber information has been synchronized to the JASPER IoT platform. This state serves as the flag that determines whether the subsequent AAA service is provided by the JASPER IoT platform (for synchronized VPDN users) or locally by the AAA server of the VPDN platform (for unsynchronized VPDN users).
Compared with the prior-art migration approach between the IoT platform and the VPDN platform, the subscriber information of a synchronized VPDN user is held jointly by the VPDN platform and the JASPER IoT platform.
420: When the user state information is synchronized, the authentication request is forwarded to the IoT platform.
Specifically, when the VPDN user's subscriber information has been synchronized to the JASPER IoT platform, the AAA server forwards the user's authentication request to the JASPER IoT platform for AAA authentication.
Details of the process are as described for the embodiment of Fig. 3 and are not repeated here.
430: and the server receives an authentication result of the authentication request sent by the internet of things platform, wherein the authentication result comprises authentication success or authentication rejection.
440: and when the authentication result is that the authentication is successful, the server sends authorization information to the user.
Thus, because VPDN users are precisely divided by state so that authentication can be provided by different platforms, the embodiments support batch synchronization of subscriber information without restriction on timing or batch size while service continues stably.
In an embodiment of the present application, forwarding the authentication request to the IoT platform based on the user state information comprises: the server forwarding, based on the user state information, the authentication request that arrived through the original intra-provincial gateway of the VPDN platform to the IoT platform; and the server sending authorization information to the user comprises the server sending the authorization information to the user through the intra-provincial gateway.
Specifically, the authentication request initiated by a VPDN user is still carried through the original intra-provincial PGW; even a VPDN user in the "synchronized" state is served through the original intra-provincial PGW.
In an example, referring to Fig. 5, the executing entities are the intra-provincial PGW, the server (e.g. the AAA server) and the IoT platform (e.g. the JASPER IoT platform). Step 510: the intra-provincial PGW sends an authentication request to the server; Step 520: the server forwards the authentication request to the IoT platform (the VPDN user's state being synchronized); Step 530: the server receives the authentication result sent by the IoT platform; Step 540: the server sends the authentication result to the user through the intra-provincial PGW and, if the result is authentication success, also issues the authorization information.
The authentication request may be a RADIUS authentication request and the returned authentication result a RADIUS authentication response, for example.
Thus the embodiments allow the access service to reuse the existing intra-provincial network elements such as the radio access side and the home subscriber server (HSS), while the VPDN user need not replace the IoT card or change domain name information.
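The authentication path of steps 310 to 330 and 510 to 540, written out as a worked example. This is code added here, not the patent's own or the JASPER platform's: a minimal RADIUS (RFC 2865) model in which the intra-provincial PGW sends an Access-Request to the VPDN AAA server, the server forwards synchronized users to an IoT platform stub under a separate shared secret, verifies the stub's Response Authenticator before trusting the result, authenticates unsynchronized users locally, and on success adds the static IP (Framed-IP-Address) and DNS locally before answering the PGW. The shared secrets, user state table, subscriber records and IP/DNS profiles are constructed; carrying DNS in the Microsoft MS-Primary-DNS-Server vendor attribute (RFC 2548) is an assumption, since the patent does not say which attribute it uses.

```python
# Added example; not code from the patent or from any platform it names. It models
# steps 310-330 and 510-540 as a RADIUS (RFC 2865) proxy: wire format, Request/Response
# Authenticators and PAP password hiding follow the RFC; secrets, user states, subscriber
# records and the IoT platform stub are constructed. DNS via the MS VSA is an assumption.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 8, 26
MS_VENDOR_ID, MS_PRIMARY_DNS_SERVER = 311, 28

SECRET_PGW, SECRET_IOT = b"pgw-shared-secret", b"iot-shared-secret"   # constructed
USER_STATE = {b"dev01@vpdn": "synchronized", b"dev02@vpdn": "unsynchronized"}
LOCAL_USERS = {b"dev02@vpdn": b"pw-two"}   # VPDN AAA subscriber records (constructed)
IOT_USERS = {b"dev01@vpdn": b"pw-one"}     # IoT platform subscriber records (constructed)
AUTHZ = {b"dev01@vpdn": ("10.1.0.11", "10.1.0.53"), b"dev02@vpdn": ("10.1.0.12", "10.1.0.53")}

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def hide_password(pw, secret, req_auth):
    """RFC 2865 5.2: pad to 16n bytes, XOR each block with MD5(secret + previous block)."""
    pw = pw.ljust(max(16, (len(pw) + 15) // 16 * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def response(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = pack(code, ident, req_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def response_ok(pkt, req_auth, secret):
    # A proxy must verify this before trusting an Accept from the upstream server.
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def iot_platform(pkt):
    """Stub of the IoT platform's RADIUS server: authenticates only, issues no authorization."""
    _, ident, req_auth, a = unpack(pkt)
    ok = IOT_USERS.get(a[USER_NAME]) == reveal_password(a[USER_PASSWORD], SECRET_IOT, req_auth)
    return response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], SECRET_IOT)

def aaa_server(pkt):
    """VPDN AAA server: route by user state (310), check the result (320), authorize locally (330)."""
    _, ident, req_auth, a = unpack(pkt)
    user, pw = a[USER_NAME], reveal_password(a[USER_PASSWORD], SECRET_PGW, req_auth)
    if USER_STATE.get(user) == "synchronized":
        fwd_auth = os.urandom(16)   # fresh authenticator; password re-hidden under the IoT secret
        fwd = pack(ACCESS_REQUEST, ident, fwd_auth,
                   [(USER_NAME, user), (USER_PASSWORD, hide_password(pw, SECRET_IOT, fwd_auth))])
        reply = iot_platform(fwd)
        accepted = response_ok(reply, fwd_auth, SECRET_IOT) and unpack(reply)[0] == ACCESS_ACCEPT
    else:
        accepted = LOCAL_USERS.get(user) == pw   # unsynchronized: authenticate locally
    profile = AUTHZ.get(user)
    if not accepted or profile is None:
        return response(ACCESS_REJECT, ident, req_auth, [], SECRET_PGW)
    ip, dns = profile
    vsa = struct.pack("!IBB", MS_VENDOR_ID, MS_PRIMARY_DNS_SERVER, 6) + socket.inet_aton(dns)
    return response(ACCESS_ACCEPT, ident, req_auth,
                    [(FRAMED_IP_ADDRESS, socket.inet_aton(ip)), (VENDOR_SPECIFIC, vsa)], SECRET_PGW)

def pgw_dial(user, pw, ident=1):
    """Intra-provincial PGW: send Access-Request, verify the reply, return (ip, dns) or None."""
    req_auth = os.urandom(16)
    req = pack(ACCESS_REQUEST, ident, req_auth,
               [(USER_NAME, user), (USER_PASSWORD, hide_password(pw, SECRET_PGW, req_auth))])
    reply = aaa_server(req)
    if not response_ok(reply, req_auth, SECRET_PGW):
        raise ValueError("reply failed the Response Authenticator check")
    code, _, _, a = unpack(reply)
    if code != ACCESS_ACCEPT:
        return None
    return socket.inet_ntoa(a[FRAMED_IP_ADDRESS]), socket.inet_ntoa(a[VENDOR_SPECIFIC][6:10])
```

`pgw_dial(b"dev01@vpdn", b"pw-one")` returns the locally issued `("10.1.0.11", "10.1.0.53")` after the IoT stub authenticated the user, `pgw_dial(b"dev02@vpdn", b"pw-two")` returns the dev02 profile after local authentication, and a wrong password returns `None`. Two checks the proxy position forces: the password must be re-hidden under the IoT platform's secret with a fresh Request Authenticator (it cannot be forwarded as received), and the upstream Accept is only as trustworthy as its Response Authenticator, which rests on a shared secret and MD5; the AAA-to-IoT leg should therefore run over a protected transport rather than bare UDP.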
Fig. 6 is a flow chart of a method of authenticating, authorizing, and billing services provided by another exemplary embodiment of the present application. Fig. 6 is an example of the embodiment of Fig. 3; common points are not repeated and the differences are noted here. The method of authentication, authorization and accounting (AAA) service includes the following.
610: When receiving an access request sent by a user, the server of the first platform forwards an authentication request to the IoT platform based on the user state information.
620: The server receives, from the IoT platform, the authentication result for the authentication request; the result is authentication success or authentication rejection.
630: When the authentication result is authentication success, the server sends authorization information to the user.
640: The server forwards the accounting request to the IoT platform based on the user state information.
Specifically, the server may be the AAA server of the VPDN platform, and the user state information divides VPDN users into the two states "synchronized" and "unsynchronized" according to whether their subscriber information has been synchronized to the IoT platform. The user state information is substantially as described for Fig. 3 and is not repeated here.
In an example, the IoT platform may be the JASPER IoT platform.
The AAA server performs accounting on different platforms (the first platform or the IoT platform) according to the VPDN user's state information. For a VPDN user in the synchronized state, the AAA server forwards the accounting request directly to the JASPER IoT platform for AAA accounting; otherwise the AAA server performs accounting locally.
The accounting request may be a RADIUS accounting request, and the forwarding may be performed using the standard proxy mechanism of the RADIUS protocol itself.
This accounting method ensures that synchronized VPDN users use the flexible accounting service of the JASPER IoT platform, while unsynchronized VPDN users continue to use the basic accounting service of the local VPDN platform's AAA server.
The accounting request may be an accounting start, an accounting stop or an interim (cumulative) accounting update (in RADIUS terms, Acct-Status-Type Start, Stop or Interim-Update); this is not specifically limited in the embodiments.
650: and the server receives the charging response of the charging request sent by the Internet of things platform.
Specifically, the AAA server receives an accounting response for the accounting request sent by the JASPER internet of things platform.
The charging response may include charging success or charging failure. It will be appreciated that whether the charging request is a charging start, a charging end or an intermediate accumulated charging, the corresponding charging response is a charging success or a charging failure.
660: the server sends a charging response to the user.
Specifically, the server may send the charging response through the original intra-provincial gateway of the VPDN platform.
Therefore, the embodiment of the application combines the AAA service characteristics of the VPDN platform and the Internet of things platform while requiring very little technical transformation of the VPDN platform. User information is synchronized to the Internet of things platform in batches; the authentication request is accessed and forwarded by the intra-provincial PGW; the Internet of things platform performs authentication; the AAA server of the VPDN platform performs authorization locally; and charging is forwarded to the Internet of things platform. This combination of services allows the Internet of things platform to provide AAA service for intra-provincial VPDN users.
In an embodiment of the present application, forwarding, by the server, a charging request to the internet of things platform based on the user status information includes: the server forwards the charging request, which was accessed through the original intra-provincial gateway of the network platform, to the Internet of things platform based on the user state information; and the server sending the charging response to the user includes: the server sends the charging response to the user through the intra-provincial gateway.
Specifically, the charging request initiated by the VPDN user is still accessed through the original intra-provincial PGW gateway; even a VPDN user in the "synchronized" state is accessed through the original intra-provincial PGW gateway.
In an example, referring to fig. 5, the execution principals are an intra-provincial PGW gateway, a server (e.g., an AAA server), and an internet of things platform (e.g., the JASPER internet of things platform). Step 550: a charging request is sent to the server through the intra-provincial PGW gateway; step 560: the server forwards the charging request to the internet of things platform (that is, when the user state information of the VPDN user is synchronized); step 570: the server receives the charging response sent by the Internet of things platform; step 580: the server sends the charging response to the user through the intra-provincial PGW gateway.
The accounting request may be, for example, a RADIUS accounting request, and the returned accounting response may be a RADIUS accounting response.
Therefore, the embodiment of the application ensures that the access service can reuse the original intra-provincial network elements, such as the radio side and the HSS. Meanwhile, the VPDN user does not need to perform operations such as replacing the Internet of things card or changing domain name information.
Fig. 7 is a flow chart of a method of authentication, authorization, and accounting services provided by another exemplary embodiment of the present application. Fig. 7 is an example of the embodiments of fig. 4 and 6, and the description focuses on the differences. The method of authentication, authorization and accounting services (i.e., AAA services) includes the following.
710: dividing the user state information into synchronized and unsynchronized states according to whether the user information is synchronously stored in the Internet of things platform.
720: when the user state information is synchronized, forwarding an authentication request to the Internet of things platform.
730: the server receives an authentication result of the authentication request sent by the internet of things platform, wherein the authentication result comprises authentication success or authentication rejection.
740: when the authentication result is that the authentication is successful, the server sends authorization information to the user.
750: when the user state information is synchronized, the server forwards the charging request to the Internet of things platform.
Specifically, when the user information of the VPDN user is synchronized to the JASPER internet of things platform, the AAA server forwards the accounting request sent by the VPDN user to the JASPER internet of things platform to perform AAA accounting service.
It should be understood that the operation steps of the AAA accounting service are substantially the same as those of the AAA authentication service described in fig. 3; the details of the AAA accounting service are described in fig. 3 and the above embodiments and are not repeated here.
760: the server receives the charging response to the charging request, sent by the Internet of things platform.
770: the server sends the charging response to the user.
Further, the method further comprises: when the user state information is unsynchronized, the server sends a charging response to the user based on the charging request.
Specifically, when the user information of the VPDN user is not synchronized to the JASPER internet of things platform, the AAA server does not forward the accounting request and instead performs local accounting in the AAA server itself, and the accounting response is sent by the AAA server of the VPDN platform.
Therefore, because the embodiment of the application accurately divides VPDN users by state so that authentication services can be provided by different platforms, it can support batch synchronization of user information without limits on time or scale, ensuring that the service runs stably.
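The state-based routing described in figs. 4 to 7 can be modelled in a few lines. The following Python is an added example, not code from the patent or from either platform; the user table, credentials, IP and DNS values are constructed, and the `IoTPlatform` class is a hypothetical stand-in for the Internet of things platform's authentication and accounting interface. It shows the two decisions the VPDN AAA server makes on every request (authenticate upstream or locally; account upstream or locally), that a user is marked synchronized only after the platform confirms it stored the record, and that authorization data (static IP, DNS) is always taken from the local VPDN record, so the upstream platform's decision never changes what is handed to the user.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class UserState(Enum):
    SYNCHRONIZED = "synchronized"
    UNSYNCHRONIZED = "unsynchronized"


@dataclass(frozen=True)
class UserRecord:
    username: str
    secret: str      # constructed credential (a real deployment would not keep a plain secret)
    static_ip: str   # authorization information kept on the VPDN platform
    dns: str


class IoTPlatform:
    """Hypothetical stand-in for the Internet of things platform."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}             # only users that were synchronized to it
        self.acct_log: List[Tuple[str, str]] = []    # accounting records it accepted

    def store_user(self, username: str, secret: str) -> bool:
        self._users[username] = secret
        return True

    def authenticate(self, username: str, secret: str) -> str:
        # The platform can only authenticate users whose information was synchronized.
        stored = self._users.get(username)
        ok = stored is not None and hmac.compare_digest(stored, secret)
        return "Access-Accept" if ok else "Access-Reject"

    def account(self, username: str, acct_type: str) -> str:
        self.acct_log.append((username, acct_type))
        return "Accounting-Response"


class VpdnAaaServer:
    """AAA server of the VPDN platform (the 'first platform' of the description)."""

    def __init__(self, users: Dict[str, UserRecord], iot: IoTPlatform) -> None:
        self.users = users
        self.iot = iot
        self._synced: Set[str] = set()                      # user state information
        self.local_acct_log: List[Tuple[str, str]] = []     # basic local accounting

    def batch_sync(self, usernames) -> int:
        """Synchronize user information in a batch. A user becomes 'synchronized'
        only after the platform confirms the store, so a half-migrated user
        keeps being served locally instead of being rejected upstream."""
        n = 0
        for name in usernames:
            rec = self.users.get(name)
            if rec is not None and self.iot.store_user(rec.username, rec.secret):
                self._synced.add(name)
                n += 1
        return n

    def user_state(self, username: str) -> UserState:
        return UserState.SYNCHRONIZED if username in self._synced else UserState.UNSYNCHRONIZED

    def handle_access_request(self, username: str, secret: str) -> dict:
        """Authentication follows the user state; authorization is always local."""
        if self.user_state(username) is UserState.SYNCHRONIZED:
            result, handled_by = self.iot.authenticate(username, secret), "iot"
        else:
            rec = self.users.get(username)
            ok = rec is not None and hmac.compare_digest(rec.secret, secret)
            result, handled_by = ("Access-Accept" if ok else "Access-Reject"), "local"
        authz: Optional[dict] = None
        rec = self.users.get(username)
        if result == "Access-Accept" and rec is not None:
            authz = {"static_ip": rec.static_ip, "dns": rec.dns}
        elif result == "Access-Accept":
            result = "Access-Reject"   # no local record to authorize from: fail closed
        return {"result": result, "handled_by": handled_by, "authorization": authz}

    def handle_accounting_request(self, username: str, acct_type: str) -> dict:
        """Charging start / end / interim update follows the same state decision."""
        if acct_type not in ("Start", "Stop", "Interim-Update"):
            raise ValueError("unknown Acct-Status-Type")
        if self.user_state(username) is UserState.SYNCHRONIZED:
            return {"result": self.iot.account(username, acct_type), "handled_by": "iot"}
        self.local_acct_log.append((username, acct_type))
        return {"result": "Accounting-Response", "handled_by": "local"}


def demo() -> VpdnAaaServer:
    """Constructed scenario: alice is migrated in the first batch, bob is not yet."""
    users = {
        "alice": UserRecord("alice", "s3cret-a", "10.0.0.11", "10.0.0.2"),
        "bob": UserRecord("bob", "s3cret-b", "10.0.0.12", "10.0.0.2"),
    }
    aaa = VpdnAaaServer(users, IoTPlatform())
    aaa.batch_sync(["alice"])
    return aaa
```

Running `demo()` and issuing requests for both users shows alice's authentication and accounting being forwarded while bob's are handled by the local AAA server, with both receiving their authorization data from the VPDN record. A useful check in a real migration is to compare the set of users marked synchronized against what the upstream platform actually holds, since a state flag set before the upstream store completes is exactly the failure this model guards against.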
Fig. 8 is a schematic structural diagram of an authentication and authorization apparatus according to an exemplary embodiment of the present application. As shown in fig. 8, the authentication and authorization apparatus 800 includes: a receive forwarding module 810, a receive module 820, and a transmit module 830.
The receiving and forwarding module 810 is configured to forward, when receiving an access request sent by a user, an authentication request to an internet of things platform based on user state information, where the user state information is used to indicate whether the internet of things platform stores user information of the user; the receiving module 820 is configured to receive an authentication result of the authentication request sent by the internet of things platform, where the authentication result includes authentication success or authentication rejection; and a sending module 830, configured to send authorization information to the user when the authentication result is that the authentication is successful.
The embodiment of the application provides an authentication and authorization device, which divides users into two types, namely stored and non-stored, based on whether user information is stored in an internet of things platform, so that the internet of things platform provides services for stored new/old VPDN users. The method not only achieves the aim of batch migration of the VPDN users, but also ensures that the platform of the Internet of things can provide authentication and authorization services for new/old VPDN users.
In an embodiment of the present application, the user status information is further divided into synchronized and unsynchronized according to whether the user information is synchronously stored in the internet of things platform, and the receiving and forwarding module 810 is configured to forward the authentication request to the internet of things platform when the user status information is synchronized.
In an embodiment of the present application, the apparatus further performs the step that, when the user status information is unsynchronized, the server sends an authentication result to the user based on the authentication request.
In an embodiment of the present application, the receiving and forwarding module 810 is configured to forward, to the internet of things platform and based on the user status information, an authentication request that was accessed through the original intra-provincial gateway of the network platform; and the sending module 830 is configured to send authorization information to the user through the intra-provincial gateway.
In one embodiment of the present application, the first platform is a virtual private dial-up network platform, and the authorization information includes a static IP (internet protocol) address and domain name system (DNS) information.
In an embodiment of the present application, the method further includes: the server forwards a charging request to the Internet of things platform based on the user state information; the server receives a charging response to the charging request, sent by the Internet of things platform; and the server sends the charging response to the user.
In an embodiment of the present application, the method further includes: dividing the user state information into synchronized and unsynchronized according to whether the user information is synchronously stored in the internet of things platform, wherein the server forwarding the charging request to the internet of things platform based on the user state information comprises: when the user state information is synchronized, the server forwards the charging request to the Internet of things platform.
In an embodiment of the present application, forwarding, by the server, a charging request to the internet of things platform based on the user status information includes: the server forwards the charging request, which was accessed through the original intra-provincial gateway of the network platform, to the Internet of things platform based on the user state information; and the server sending the charging response to the user includes: the server sends the charging response to the user through the intra-provincial gateway.
It should be understood that, for the specific working process and function of the receiving and forwarding module 810, the receiving module 820, and the transmitting module 830 in the above embodiments, reference may be made to the description of the authentication and authorization method provided in the embodiments of fig. 4 to 7; to avoid repetition, the description is omitted here.
Fig. 9 is a block diagram of an electronic device 900 for authentication and authorization provided in an exemplary embodiment of the present application.
Referring to fig. 9, the electronic device 900 includes a processing component 910 that further includes one or more processors, and memory resources represented by memory 920, for storing instructions, such as applications, executable by the processing component 910. The application program stored in memory 920 may include one or more modules each corresponding to a set of instructions. Further, the processing component 910 is configured to execute instructions to perform the methods of authentication and authorization described above.
The electronic device 900 may also include a power component configured to perform power management of the electronic device 900, a wired or wireless network interface configured to connect the electronic device 900 to a network, and an input/output (I/O) interface. The electronic device 900 may operate based on an operating system stored in the memory 920, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
A non-transitory computer readable storage medium stores instructions which, when executed by a processor of the electronic device 900, cause the electronic device 900 to perform a method of authentication and authorization, comprising: when receiving an access request sent by a user, a server of the first platform forwards an authentication request to the internet of things platform based on user state information, wherein the user state information is used for indicating whether the internet of things platform stores user information of the user or not; the server receives an authentication result of the authentication request sent by the internet of things platform, wherein the authentication result comprises authentication success or authentication rejection; and when the authentication result is that the authentication is successful, the server sends authorization information to the user.
All the above optional solutions may be combined arbitrarily to form an optional embodiment of the present application, which is not described here in detail.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the part of it contributing to the prior art, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (8)

1. A method of authentication and authorization, comprising:
dividing user state information into synchronized and unsynchronized according to whether the user information is synchronized to the Internet of things platform;
when receiving an access request sent by a user, a server of a first platform forwards an authentication request to the internet of things platform based on user state information of the user, wherein the user state information is used for indicating whether the internet of things platform stores the user information of the user or not, and the first platform is a virtual private dial-up network platform;
the server receives an authentication result of the authentication request sent by the internet of things platform, wherein the authentication result comprises authentication success or authentication rejection;
when the authentication result is that the authentication is successful, the server sends authorization information to the user;
the forwarding the authentication request to the internet of things platform based on the user state information of the user includes:
when the user state information of the user is synchronized, forwarding the authentication request to the internet of things platform;
and when the user state information of the user is unsynchronized, the server sends the authentication result to the user based on the authentication request.
2. The method of authentication and authorization of claim 1, wherein forwarding an authentication request to the internet of things platform based on user state information of the user comprises:
the server forwards the authentication request, accessed through the original intra-provincial gateway of the network platform, to the Internet of things platform based on the user state information of the user;
the sending, by the server, authorization information to the user includes:
and the server sends the authorization information to the user through the intra-provincial gateway.
3. A method of authentication and authorization according to claim 1 or 2, characterized in that the authorization information comprises a static IP address and a domain name system.
4. The authentication and authorization method according to claim 1, further comprising, after the server sends authorization information to the user when the authentication result is authentication success:
the server forwards a charging request to the internet of things platform based on the user state information;
the server receives a charging response of the charging request sent by the Internet of things platform;
the server sends the charging response to the user.
5. The method of authentication and authorization of claim 4, wherein the server forwarding a billing request to the internet of things platform based on the user status information comprises:
and when the user state information is synchronized, the server forwards the charging request to the internet of things platform.
6. The method of authentication and authorization of claim 4, wherein the server forwarding a billing request to the internet of things platform based on the user status information comprises:
the server forwards the charging request, accessed through the original intra-provincial gateway of the network platform, to the Internet of things platform based on the user state information;
wherein the server sending the charging response to the user comprises:
the server sends the charging response to the user through the intra-provincial gateway.
7. An authentication and authorization device, characterized in that the device is used for a first platform, the first platform being a virtual private dial-up network platform,
wherein the device comprises:
the information preprocessing module is used for dividing the user state information into synchronized and unsynchronized according to whether the user information is synchronized to the Internet of things platform or not;
the receiving and forwarding module is used for forwarding an authentication request to the internet of things platform based on user state information of a user when receiving an access request sent by the user, wherein the user state information is used for indicating whether the internet of things platform stores the user information of the user; the receiving and forwarding module forwards the authentication request to the internet of things platform when the user state information is synchronized, and when the user state information is unsynchronized, the receiving and forwarding module sends the authentication result to the user based on the authentication request;
the receiving module is used for receiving an authentication result of the authentication request sent by the internet of things platform, wherein the authentication result comprises authentication success or authentication rejection;
and the sending module is used for sending authorization information to the user when the authentication result is that the authentication is successful.
8. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions,
wherein the processor is adapted to perform the method of authentication and authorization of any of the preceding claims 1 to 6.
CN202011499207.XA 2020-12-17 2020-12-17 Authentication and authorization method and device Active CN114650304B (en)


Publications (2)

Publication Number Publication Date
CN114650304A CN114650304A (en) 2022-06-21
CN114650304B true CN114650304B (en) 2024-03-15

Family

ID=81990829


Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007033519A1 (en) * 2005-09-20 2007-03-29 Zte Corporation A method for updating the access of virtual private dial-network dynamically
CN106714167A (en) * 2016-12-30 2017-05-24 北京华为数字技术有限公司 Authentication method and network access server
CN108462710A (en) * 2018-03-20 2018-08-28 新华三技术有限公司 Authentication authority method, device, certificate server and machine readable storage medium
CN109194673A (en) * 2018-09-20 2019-01-11 江苏满运软件科技有限公司 Authentication method, system, equipment and storage medium based on authorized user message
CN109450657A (en) * 2019-01-15 2019-03-08 深圳联想懂的通信有限公司 A kind of Intelligent internet of things communications service system and method
CN109889551A (en) * 2019-04-16 2019-06-14 湖南树华环保科技有限公司 A kind of method of the Internet of Things cloud platform of Intelligent hardware access
CN110753023A (en) * 2018-07-24 2020-02-04 阿里巴巴集团控股有限公司 Equipment authentication method, equipment access method and device
CN111147527A (en) * 2020-03-09 2020-05-12 深信服科技股份有限公司 Internet of things system and equipment authentication method, device, equipment and medium thereof


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant