CN117478372A - Authentication method, equipment, device and medium based on authentication authorization charging system - Google Patents

Authentication method, equipment, device and medium based on authentication authorization charging system

Info

Publication number
CN117478372A
Authority
CN (China)
Prior art keywords
authentication, online, broadband, account, information
Legal status
Pending
Application number
CN202311412756.2A
Other languages
Chinese (zh)
Inventors
刘昆仑, 杨明, 安兆婕, 张婷婷, 李威, 齐国涛, 吴宜珂
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/50 Network services
    • H04L 67/54 Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users

Abstract

The application discloses an authentication method, equipment, device and medium based on an authentication authorization charging (AAA) system. The AAA system comprises at least a client, a broadband access server and a dial locking module, and the method comprises the following steps: receiving a first request message sent by the broadband access server in response to a user configuring a broadband account number and a password at the client, the first request message being generated by the broadband access server from the broadband account number and the password and comprising at least the broadband account number, the password and the number of online sessions; and generating an authentication online record from the first request message and sending it to the dial locking module, so that the dial locking module locks the broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result. The method and device can be applied in the technical field of broadband authentication.

Description

Authentication method, equipment, device and medium based on authentication authorization charging system
Technical Field
The application relates to the technical field of broadband authentication, in particular to an authentication method, equipment, a device and a storage medium based on an authentication authorization charging system.
Background
In the prior art, broadband authentication mainly proceeds as follows: after the user terminal has established a session with the broadband access server, the system enters the authentication phase. On receiving the authentication request generated by the user side from the configured account number and password, the broadband access server encapsulates it into a request message and sends it to the authentication subsystem of the 3A (AAA) system. The authentication subsystem checks the broadband account number, the password, the line information and the N-only property (the per-account online session limit), returns the check result to the broadband access server once the check is complete, and the broadband access server parses the check result and returns an authentication result to the user terminal, which completes the authentication as a whole.
However, during authentication, when a user dials many times within a very short time by means of a router, a VPS virtual machine, dialing software or other tools, bandwidth is stacked and multiple IP addresses are occupied, wasting bandwidth and IP resources; the continuous dialing also generates a large number of requests that load the service-bearing system, increasing the system log volume and the volume of internet access billing records and wasting storage resources. A technical problem therefore remains in the related art that needs to be solved.
Disclosure of Invention
The object of the present application is to solve, at least to some extent, one of the technical problems existing in the prior art.
Therefore, an object of the embodiments of the present application is to provide an authentication method, device, apparatus and storage medium based on an authentication authorization accounting system that can reduce the system log volume and the volume of internet access billing records and so save storage resources.
To achieve this technical purpose, the technical solution adopted by the embodiments of the application comprises: an authentication method based on an authentication authorization accounting system, the system comprising a client, a broadband access server and a dial locking module, the method comprising: in response to a user configuring a broadband account number and a password at the client, receiving a first request message sent by the broadband access server and obtaining the number of online sessions from a database, the first request message being generated by the broadband access server from the broadband account number and the password; and generating an authentication online record from the first request message and sending it to the dial locking module, so that the dial locking module locks the broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result.
In addition, the authentication method based on an authentication authorization accounting system according to the above embodiment may further have the following additional technical features:
Further, in the embodiment of the present application, in response to a user configuring a broadband account number and a password at the client, the client generates a first demand message and sends it to the broadband access server, and the broadband access server packages the first demand message into the first request message.
Further, in this embodiment, the first request message further includes first link layer information and first identity information, and the step of generating an authentication online record from the first request message and sending it to the dial locking module, so that the dial locking module locks the broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result, includes: extracting second account information, second link layer information and second identity information from an online information base; and, on determining that the broadband account is the same as an account in the second account information, that the first link layer information is the same as the second link layer information and that the first identity information is the same as the second identity information, obtaining the target authentication result from the number of online sessions.
Further, in this embodiment, obtaining the target authentication result from the number of online sessions specifically includes: determining the size relationship between the number of online sessions and the maximum online limit for the user; and, when the number of online sessions is less than or equal to the user's maximum online limit, determining that the target authentication result is authentication passed.
Further, in this embodiment, the step of generating an authentication online record from the first request message and sending it to the dial locking module, so that the dial locking module locks the broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result, further includes: on determining that the broadband account differs from every account in the second account information, or that the first link layer information differs from the second link layer information, or that the first identity information differs from the second identity information, determining that the target authentication result is authentication failure; or, on determining that the broadband account is the same as an account in the second account information, that the first link layer information is the same as the second link layer information and that the first identity information is the same as the second identity information, but that the number of online sessions is greater than the user's maximum online limit, determining that the target authentication result is authentication failure.
Further, in this embodiment, the step of having the dial locking module lock the broadband account within a preset time specifically includes: extracting from the authentication online record the first authentication time, that is, the time of the last successful authentication; and, when the difference between the first authentication time and the authentication time of the current authentication is less than the preset time, locking the broadband account.
Further, in an embodiment of the present application, the method further includes: sending the target authentication result to the broadband access server, so that the dial locking module deletes the authentication online record.
In another aspect, an embodiment of the application also provides an authentication device based on an authentication authorization accounting system, the system comprising a client, a broadband access server and a dial locking module, the authentication device comprising:
a first processing unit for, in response to a user configuring a broadband account number and a password at the client, receiving a first request message sent by the broadband access server and obtaining the number of online sessions from a database, the first request message being generated by the broadband access server from the broadband account number and the password; and a second processing unit for generating an authentication online record from the first request message and sending it to the dial locking module, so that the dial locking module locks the broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result.
On the other hand, the application also provides an authentication device based on the authentication authorization charging system, which comprises:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement an authentication method based on an authentication authorization accounting system as previously described.
Further, the present application provides a computer readable storage medium having stored therein processor executable instructions which when executed by a processor are for performing an authentication method based on an authentication authorization accounting system as described in the foregoing.
The advantages and benefits of the present application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the present application.
After the session between the client and the broadband access server is established, and in response to the broadband account number and password configured by the user at the client, a first request message, generated and sent by the broadband access server from the broadband account number and password and including the broadband account number, the password and the number of online sessions, is received; an authentication online record is then generated from the first request message and sent to the dial locking module, so that the dial locking module locks the broadband account within a preset time and can verify the broadband account number, the password and the number of online sessions to obtain a target authentication result.
Drawings
FIG. 1 is a flow chart of an authentication method based on an authentication authorization accounting system in the prior art;
FIG. 2 is a schematic diagram illustrating the steps of an authentication method based on an authentication authorization accounting system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating the steps for obtaining a first request message according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the steps, in an embodiment of the present invention, of generating an authentication online record from a first request message and sending it to the dial locking module, so that the dial locking module locks a broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result;
FIG. 5 is a schematic diagram illustrating the steps for obtaining a target authentication result from the number of online sessions in an embodiment of the present invention;
FIG. 6 is a schematic diagram of the step in which the dial locking module locks a broadband account within a preset time according to an embodiment of the present invention;
FIG. 7 is a flowchart of a lock process according to another embodiment of the present invention;
FIG. 8 is a flowchart of an authentication method based on an authentication authorization accounting system according to another embodiment of the present invention;
FIG. 9 is a flow chart of the N-only verification process before modification according to another embodiment of the invention;
FIG. 10 is a flow chart of the improved N-only verification process according to another embodiment of the invention;
FIG. 11 is a schematic diagram of an authentication device based on an authentication authorization accounting system according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of an authentication apparatus based on an authentication authorization accounting system according to an embodiment of the present invention.
Detailed Description
The following describes in detail the principles and procedures of an authentication method, apparatus, device and storage medium based on an authentication authorization accounting system in the embodiments of the present invention with reference to the accompanying drawings.
First, terms appearing in the present application will be described as necessary:
authentication authorization accounting system: also called an AAA or 3A system. It comprises Authentication, which verifies the identity of the user and the network services available to them; Authorization, which opens a network service to the user according to the authentication result; and Accounting (charging), which records the user's usage of the various network services and supplies it to the billing system.
Illegal second dialing: dialing equipment such as a special router or a batch of VPS virtual machines initiates multiple dials for the same account at short intervals (within 1 second), so as to stack bandwidth or obtain multiple IP addresses.
Illegal dialing: while the broadband account is already online, special dialing equipment initiates further dials from the same terminal.
BAS device (Broadband Access Server): a new type of access gateway for broadband network applications, located at the edge layer of the backbone network. It completes the user's data access to the broadband IP/ATM network (the access means being mainly xDSL, Cable Modem, high-speed Ethernet (LAN), wireless broadband data access (WLAN), FTTx and so on), providing broadband internet access for commercial buildings and residential estates, IP VPN service based on IPSec (IP Security Protocol), and the construction of enterprise Intranets.
RADIUS: Remote Authentication Dial In User Service, a remote user dial-in authentication system. It is defined by RFC 2865 and RFC 2866 and is the most widely used authentication, authorization and accounting protocol. AAA is also a management framework and can therefore be implemented with various protocols; in practice, AAA is most often implemented with RADIUS.
Next, the control flow of the conventional 3A system and the defects of the conventional art are described.
Referring to FIG. 1, the existing control flow includes the following stages:
Discovery phase: the user terminal (PC or router) finds the broadband access server (BRAS) by broadcasting a PADI message and establishes a session with it. The BRAS generates a unique Session ID identifying this session.
LCP negotiation phase: the user terminal and the BRAS negotiate LCP parameters, including the maximum receive unit (MRU), the authentication mode and the Magic Number. Once LCP negotiation succeeds, LCP enters the Opened state, indicating that the underlying link is established.
Authentication phase: the user configures the broadband account number and password at the terminal, and the terminal sends the configured account number and password to the BRAS in an authentication request message. On receiving it, the BRAS encapsulates the authentication request into an Access-Request message and sends it to the authentication subsystem (RADIUS) of the authentication authorization accounting system.
The authentication subsystem (RADIUS) checks the broadband account number, the password, the line information and the N-only property (the per-account online session limit), returns the check result to the BRAS when the check is complete, and the BRAS parses the result and returns an authentication result to the user terminal.
IPCP negotiation phase: the user terminal and the BRAS negotiate a dynamic IP address; the BRAS assigns the IP address to the user terminal through the DHCP protocol, after which the terminal has internet access and starts accessing network resources.
After the BRAS sends an accounting start message (Acct-Start) to the authentication subsystem (RADIUS), the subsystem generates the user's online information, and the authentication authorization accounting system controls terminal online data according to that online information.
A second-dialing user initiates several authentication requests within a millisecond time difference, and these all succeed because the authentication authorization accounting system has not yet generated the online information; the control framework of the existing system therefore cannot control second dialing and needs to be optimized and improved.
In addition, the authentication authorization accounting system has an anti-hang-up function. When a user goes offline abnormally, no offline message is sent to the system, so the system still regards the user as online. When that user authenticates again, the system checks whether the user's NAS IP and MAC are the same as the NAS IP and MAC in the online information; if they are the same, the user is treated as a hung-up user and the authentication request passes. For a normal user, the terminal device only sends an authentication request once the user is offline. An illegal user with special dialing equipment, however, can initiate several further authentications while still online; because it is the same equipment, the NAS IP and MAC are the same, so the system treats the user as a hung-up user and lets the authentication pass, which allows multiple dialing.
IP phase: while the user terminal is accessing the network, the BRAS sends accounting interim messages to the authentication subsystem (RADIUS), which parses and stores them.
User disconnection phase: when the user finishes, the user terminal sends a terminate request to the BRAS, which encapsulates it into an accounting stop message (Acct-Stop) and sends it to the authentication subsystem (RADIUS) of the authentication authorization accounting system.
On receiving the accounting stop message, the authentication subsystem (RADIUS) deletes the online information generated when the terminal came online, and calculates and stores the account number, BAS device IP, user IP, network resource usage and other information carried in the accounting stop message.
However, during authentication, when a user dials continuously, that is, repeatedly enters the account number and password, bandwidth is stacked and multiple IP addresses are occupied, wasting bandwidth and IP resources; the continuous dialing also generates a large number of requests that load the authentication authorization accounting system bearing the service, increasing its log volume and the volume of internet access billing records and wasting storage resources.
In view of the above drawbacks, refer to FIG. 2, a schematic step diagram of an authentication method based on an authentication authorization accounting system according to an embodiment of the present application. The authentication system comprises at least a client, a broadband access server and a dial locking module; the client is connected to the broadband access server, and the broadband access server is connected to the dial locking module. In FIG. 2, the authentication method may include, but is not limited to, steps S101 to S102.
S101: in response to a user configuring a broadband account number and a password at the client, receive the first request message sent by the broadband access server and obtain the number of online sessions from a database; the first request message is generated by the broadband access server from the broadband account number and the password.
It will be appreciated that the first request message may be generated by an internal algorithm of the broadband access server and includes at least the broadband account number, the password and the number of online sessions; a request message is generated each time the user dials. The number of online sessions originates when the service is provisioned: the front-office system provisions it to the authentication authorization accounting system, which writes it into a user information table stored in the database, and the system reads that value from the database during authentication. The first request message may include information such as the session ID, broadband account number, password, authentication mode, broadband access server IP, NAS-PORT-ID and client MAC address.
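The fields listed for the first request message (session ID, account number, password, broadband access server IP, NAS-PORT-ID, client MAC) travel from the BRAS to the authentication subsystem as RADIUS attributes. The following Python is an added example for this page, not the patent's code nor any vendor's RADIUS stack: it builds an RFC 2865 Access-Request with those fields (PAP only, so the authentication-mode field is not modelled), applies the User-Password hiding of RFC 2865 section 5.2, and parses the packet back strictly on the server side. The shared secret, the fixed authenticator used in the demo and all attribute values are constructed, and the choice of Calling-Station-Id for the client MAC and Acct-Session-Id for the session ID is an assumption.

```python
"""RFC 2865 Access-Request encoder and parser (added example, not the patent's code).
Shared secret, demo authenticator and attribute values are constructed sample data."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# Attribute types from RFC 2865 (NAS-Port-Id from RFC 2869)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, ACCT_SESSION_ID, NAS_PORT_ID = 31, 44, 87


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return body


def decode_attrs(data: bytes):
    """Walk the TLV list strictly: a length under 2 or one running past the packet is rejected."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(identifier, secret, account, password, nas_ip, nas_port_id,
                         client_mac, session_id, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # a real BRAS draws a fresh one per request
    attrs = [
        (USER_NAME, account.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT_ID, nas_port_id.encode()),
        (CALLING_STATION_ID, client_mac.encode()),   # assumption: client MAC carried here
        (ACCT_SESSION_ID, session_id.encode()),      # assumption: BRAS session ID carried here
    ]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Return the fields the authentication subsystem checks; reject bad framing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length > 4096:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    names = {USER_NAME: "account", NAS_PORT_ID: "nas_port_id",
             CALLING_STATION_ID: "client_mac", ACCT_SESSION_ID: "session_id"}
    fields = {}
    for attr_type, value in decode_attrs(packet[20:]):
        if attr_type == USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, authenticator).decode(errors="replace")
        elif attr_type == NAS_IP_ADDRESS:
            fields["nas_ip"] = ".".join(str(o) for o in value)
        elif attr_type in names:
            fields[names[attr_type]] = value.decode()
    return fields


def roundtrip_demo():
    """Encode the fields this page lists, then parse them back on the server side."""
    secret = b"example-shared-secret"   # constructed demo value
    pkt = build_access_request(7, secret, "user01", "s3cret", "10.0.0.1", "slot0/1",
                               "aa:bb:cc:dd:ee:01", "0001A2B3", authenticator=bytes(range(16)))
    return pkt, parse_access_request(pkt, secret)
```

Two points the demo makes visible: the password is only obscured by an MD5 keystream derived from the shared secret, so the secret's strength and the transport between BRAS and RADIUS carry the confidentiality, and a parser that does not check the declared length against the received length (as `parse_access_request` does) will happily read past truncated or padded packets.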
In some possible embodiments of the present application, a user configures on the client the broadband account and password used for broadband internet access. After the user enters the account number and password, the broadband access server generates the first request message and sends it to the authentication subsystem, which receives it.
It should be noted that the authentication subsystem may be connected to the broadband access server by wire or wirelessly, and once the connection is established the two exchange data over it. Wired connections may include the connection between a mobile device and the processing module, between the processing module and hardware devices, and wired connections between the processing module and other devices now known or later developed; wireless connections may include, but are not limited to, 3G/4G/5G, WiFi, Bluetooth, WiMAX, ZigBee, UWB (Ultra Wide Band) and other wireless connections now known or later developed.
S102: generate an authentication online record from the first request message and send it to the dial locking module, so that the dial locking module locks the broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result.
It will be appreciated that the target authentication result may be one of authentication successful, authentication passed or authentication failed, and that the result may be sent from the authentication subsystem to the client and displayed there as a message or as encrypted data. The preset time may be any duration, such as 1 second, 2 seconds or another value.
In some possible embodiments of the present application, the authentication subsystem generates an authentication online record from the first request message and sends it to the dial locking module. On receiving the record, the dial locking module locks the broadband account for 10 seconds or another duration; once locked, if the user keeps dialing within a short time, the authentication authorization accounting system does not process the remaining identical authentication requests for that broadband account, while the authentication subsystem verifies the broadband account, the password and the number of online sessions to obtain the target authentication result.
In summary, in this embodiment a step that inserts into the dial locking module is added to authentication processing: once the authentication online information is inserted, the account is locked until that authentication has been processed, and the authentication authorization accounting system does not process the remaining identical authentication requests for the broadband account. The whole process completes at millisecond level on the authentication authorization accounting system side, so second dialing and multi-dialing are effectively suppressed.
Further, refer to FIG. 3, a schematic diagram of the specific steps for obtaining the first request message in this embodiment, which may include, but are not limited to, steps S201 to S202.
S201: in response to a user configuring a broadband account number and a password at the client, the client generates a first demand message and sends it to the broadband access server;
S202: the broadband access server packages the first demand message into the first request message.
In some possible embodiments of the present application, the client generates a first demand message and sends it to the broadband access server in response to the broadband account number and password configured by the user at the client. On receiving the first demand message, the broadband access server encapsulates it into the first request message using an internal preset protocol or algorithm.
That is, the first demand message is the request sent by the client to the broadband access server, and the first request message is the message obtained when the broadband access server encapsulates it with the encapsulation protocol and sends it to the authentication subsystem.
Further, referring to fig. 4, fig. 4 shows the steps of generating an authentication online record according to the first request message and sending it to the second-dial locking module, so that the module locks the broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result. In fig. 4, the first request message may include first link layer information and first identity information. This step may include, but is not limited to, steps S301 to S302.
S301: extract the second account information, the second link layer information and the second identity information from the online information base;
S302: determine that the broadband account matches an account in the second account information, that the first link layer information matches the second link layer information and that the first identity information matches the second identity information, and obtain the target authentication result according to the number of online sessions.
Here the first identity information may be the NAS-PORT-ID carried for the current broadband account in the first request message, and the first link layer information may be the MAC address carried for the current broadband account. The online information base may be a database containing at least account information, MAC information and NAS-PORT-ID. The second account information is the set of accounts already present in the online information base; the second link layer information is a MAC address already present there; and the second identity information is a NAS-PORT-ID already present there.
In some possible embodiments of the present application, the sub-authentication system extracts the second account information, the second link layer information and the second identity information from the online information base; compares the broadband account with the second account information, the first link layer information with the second link layer information and the first identity information with the second identity information; and, having determined that the broadband account matches an account in the second account information, that the broadband account does not appear in a preset account list, that the first link layer information matches the second link layer information and that the first identity information matches the second identity information, obtains the target authentication result according to the number of online sessions.
Further, referring to fig. 5, fig. 5 shows the steps for obtaining the target authentication result according to the number of online sessions in the embodiment of the present application. In fig. 5, this step may include, but is not limited to, steps S401 to S402.
S401: determine how the number of online sessions compares with the user's maximum online limit;
S402: when the number of online sessions is smaller than or equal to the user's maximum online limit, determine that the target authentication result is authentication passed.
The user's maximum online limit may be any number; the specific value may be adjusted according to the application.
In some possible embodiments of the present application, the sub-authentication system first compares the number of online sessions with the user's maximum online limit. When the number of online sessions is smaller than or equal to the user's maximum online limit, it determines that the target authentication result is authentication passed.
Further, the step of generating an authentication online record according to the first request message and sending it to the second-dial locking module, so that the module locks the broadband account for a preset time and verifies the broadband account, the password and the number of online sessions to obtain the target authentication result, may further include, but is not limited to, step S403 or step S404.
S403: determine that the broadband account matches no account in the second account information, or that the first link layer information differs from the second link layer information, or that the first identity information differs from the second identity information, and determine that the target authentication result is authentication failed;
or,
S404: determine that the broadband account matches an account in the second account information, that the first link layer information matches the second link layer information, that the first identity information matches the second identity information and that the number of online sessions is greater than the user's maximum online limit, and determine that the target authentication result is authentication failed.
In some possible embodiments of the present application, when the sub-authentication system determines that the broadband account matches no account in the second account information, or that the first link layer information differs from the second link layer information, or that the first identity information differs from the second identity information, it determines that the target authentication result is authentication failed. Likewise, when it determines that the broadband account matches an account in the second account information, that the first link layer information matches the second link layer information, that the first identity information matches the second identity information and that the number of online sessions is greater than the user's maximum online limit, it determines that the target authentication result is authentication failed.
Further, referring to fig. 6, fig. 6 shows the step in which the second-dial locking module locks the broadband account for a preset time. In fig. 6, this step may include, but is not limited to, steps S601 to S602.
S601: extract from the authentication online record the first authentication time, that is, the time of the last successful authentication;
S602: lock the broadband account when the difference between the first authentication time and the authentication time of the current authentication process is smaller than the preset time.
The authentication online record may include at least the online account number, the password, the authentication time and whether authentication succeeded; the current authentication process likewise carries the online account number, the password and the authentication time. The preset time may be any value and may be adjusted according to practical application.
In some possible embodiments of the present application, the second-dial locking module extracts from the authentication online record the first authentication time, that of the last successful authentication; when the difference between that time and the authentication time of the current authentication process is smaller than the preset time, the broadband account is locked, and the same broadband account cannot dial again for the duration of the lock.
Further, the authentication method may further include sending the target authentication result to the broadband access server, whereupon the second-dial locking module deletes the authentication online record.
In some possible embodiments of the present application, the sub-authentication system sends the target authentication result to the broadband access server, and the second-dial locking module deletes the authentication online record at the same time.
The specific implementation principle of the present application is described below with reference to the drawings.
First, the implementation of illegal second-dial suppression is described; it mainly comprises sections 2.1 to 2.5.
Overview of the scheme implemented in sections 2.1 to 2.5:
The authentication authorization accounting system establishes a centralized memory repository, adds a second-dial locking module, modifies the authentication subsystem (RADIUS) and the management platform accordingly, and adds a lock check after the validity of the user name and the domain name has been verified.
When the authentication authorization accounting system processes an authentication message, it first computes the difference between the time the message was received and the time the previous authentication message for the same user was received, as stored in the memory repository. If the difference falls within the configured interval, authentication fails with the reason "dialing too frequent"; if it falls outside the configured interval, verification of the other user attributes (password, account validity period, account status, online limit, and so on) continues.
2.1 New centralized memory repository
The memory repository is implemented with Redis, a key-value storage system. Compared with Memcached it supports more stored value types: string, list, set, zset (sorted set) and hash. These types support push/pop, add/remove, set intersection, union and difference, and richer operations, all of which are atomic. On that basis Redis supports several ways of ordering. Like Memcached, data is cached in memory for efficiency; unlike Memcached, Redis periodically writes updated data to disk or appends the modification operations to a log file, and on that basis implements master-slave replication.
2.2 Add the second-dial locking module
The second-dial locking module locks the account during authentication in order to suppress illegal second-dial behaviour.
Adding the second-dial locking module requires adding the control items authlock and authlocktime to the system control table BD_SYS_CONFIG in the database. authlock = 0 means the lock is disabled; authlock = 1 means it is enabled. authlocktime is a positive integer giving the lock time in seconds. A key and a value are added to the memory record table, where key = user name + service type and value = authentication time.
The second-dial lock is implemented in steps a) to c).
a) The user's last Internet access record is stored in the in-memory database; the primary key is the user name and service type, and the content is the authentication time.
b) The memory record table is divided into hash sub-tables computed from the user name, and one sub-table is processed by only one thread at any time.
c) Lock processing flow.
The lock processing flow is shown in fig. 7. After receiving a lock check request, the sub-authentication system queries the user's record. If there is none, it inserts one and returns "unlocked". If there is one, it compares the current authentication time with the authentication time in the record: if the interval is within n seconds (n seconds inclusive, where n = authlocktime if authlocktime in the system control table is greater than 0 and n defaults to 10 seconds otherwise; n may be adjusted to the conditions of the site), it returns "locked"; if the interval exceeds n seconds, it updates the authentication time in the record and returns "unlocked".
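The lock check of fig. 7, together with the way section 2.3 has the authentication subsystem call it, as a runnable Python example. This is an added illustration, not code from the patent or from the operator's system: a plain dict with one threading lock per hash sub-table stands in for the Redis memory bank and the one-thread-per-sub-table rule, times are Unix-epoch seconds, and the sub-table count, the `radius_lock_step` wrapper and its "continue"/"reject" return values are assumptions of the example.

```python
import logging
import threading

DEFAULT_LOCK_SECONDS = 10            # n defaults to 10 s when authlocktime is not > 0
SUBLIST_COUNT = 16                   # number of hash sub-tables: assumed for the example
LOCKED_SERVICE_TYPES = (801, 812)    # adsl and cloud-network ultra-broadband (section 2.3)

log = logging.getLogger("second_dial_lock")


class SecondDialLocker:
    """Stand-in for the memory record table plus the lock check of the second-dial locking module."""

    def __init__(self, authlock=1, authlocktime=0):
        self.authlock = authlock                       # 0 = lock disabled, 1 = enabled
        self.n = authlocktime if authlocktime > 0 else DEFAULT_LOCK_SECONDS
        self._records = {}                             # key -> last authentication time
        self._sublist_locks = [threading.Lock() for _ in range(SUBLIST_COUNT)]

    @staticmethod
    def key(username, service_type):
        # Memory record key = user name + service type (section 2.2)
        return f"{username}+{service_type}"

    def _sublist_lock(self, username):
        # Hash sub-table chosen from the user name; one thread works a sub-table at a time
        idx = sum(username.encode("utf-8")) % SUBLIST_COUNT
        return self._sublist_locks[idx]

    def check(self, username, service_type, now):
        """Return "locked" or "unlocked" for an authentication arriving at time `now` (seconds)."""
        if self.authlock == 0:
            return "unlocked"
        k = self.key(username, service_type)
        with self._sublist_lock(username):
            last = self._records.get(k)
            if last is None:                           # no record: insert and allow
                self._records[k] = now
                return "unlocked"
            if now - last <= self.n:                   # within n seconds, n inclusive: reject
                return "locked"
            self._records[k] = now                     # beyond n seconds: refresh and allow
            return "unlocked"


def radius_lock_step(locker, username, service_type, now):
    """The lock step as the authentication subsystem would call it (section 2.3).

    Returns "reject" only when the locker answers "locked"; any other answer,
    a timeout or an exception lets authentication continue, with an alarm logged.
    """
    if service_type not in LOCKED_SERVICE_TYPES:
        return "continue"                              # other service types skip the lock
    try:
        result = locker.check(username, service_type, now)
    except Exception as exc:                           # connection failure, timeout, other abnormality
        log.warning("lock check unavailable for %s/%s: %s", username, service_type, exc)
        return "continue"
    if result == "locked":
        return "reject"                                # authentication fails with the lock error
    if result != "unlocked":
        log.warning("unexpected lock result %r for %s/%s", result, username, service_type)
    return "continue"
```

Because a rejected attempt does not refresh the stored time, the lock is measured from the last attempt that was let through: with authlocktime = 3, a dial 3 seconds after an accepted one is still rejected, a dial 4 seconds after it is accepted and becomes the new reference, and a burst of rapid dials is held off by the first one that got through rather than being pushed further out by each retry.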
2.3 Authentication subsystem modification
The modified authentication subsystem changes the authentication and authorization flow by adding the call to, and handling of, the second-dial locking module. A new error type is added to identify second-dial verification errors, and a timeout exception monitoring function is provided for the locking module.
The modification adds authlock and authlocktimeout to the system control table BD_SYS_CONFIG, where authlock = 0 means the lock is disabled and authlock = 1 means it is enabled; authlocktimeout is a positive integer giving the lock-check timeout in milliseconds.
The implementation may include the following:
If the service type is 801 (adsl) or 812 (cloud-network ultra-broadband), the sub-authentication system calls the authentication locking subsystem; if "locked" is returned, authentication fails with a lock error; if any other value, a timeout or an exception is returned, the lock result is ignored and the subsequent authentication proceeds as in the original flow.
So as not to affect normal authentication, when the lock check is called and the connection cannot be made, the connection times out (the timeout is authlocktimeout from the system configuration table if that value is greater than or equal to 0, and 10 ms by default otherwise), "unlocked" or any other non-locked value is returned, or any other abnormal condition occurs, subsequent authentication continues, but an alarm log must be recorded.
If the service type is not 801 (adsl) or 805 (wlan), the authentication lock is not invoked and processing continues according to the original authentication flow.
2.4 Management platform modification
A second-dial authentication failure configuration item is added to the authentication failure code table so that the management platform's authentication record query page can show the reason for the failure. For a second-dial failure the authentication failure query page displays "checking LM, muti-dial-2, reject". System administrators and customer service personnel can handle user complaints according to the failure reason and compile statistics such as the broadband accounts and terminals that failed authentication because of second dialing and the volume of second-dial requests.
2.5 Business process after modification
This embodiment optimizes the existing business process by adding the second-dial locking process. Referring to fig. 8, the interaction between the authentication subsystem (RADIUS) and the second-dial locking module changes the existing process essentially as follows:
a. the sub-authentication system gains a second-dial memory cache and sends it to the second-dial locking module; when a user authenticates, an authentication online record is temporarily added to the temporary repository;
b. the sub-authentication system processes the authentication record and compares the broadband account, password, maximum online number, binding information and so on sent by the user with the user information in the database;
c. if the data is consistent, the user is allowed online and an authentication success message is returned to the BRAS;
d. the authentication online record is deleted from the temporary repository, and the user's real online record is inserted into the online list of the live network.
It should be noted that after the second-dial locking module is added, a step that inserts into the temporary repository is added during authentication. The account is locked from the moment the authentication online information is inserted until that authentication has been processed, and the authentication authorization accounting system does not process any further identical authentication information for the same broadband account in the meantime (later authentication attempts for that account are temporarily answered with authentication failure). The step completes within milliseconds on the authentication authorization accounting system side, and through repeated verification it effectively suppresses second-dial and multi-dial behaviour.
Next, the implementation of illegal multi-dial suppression is described; it mainly comprises sections 3.1 to 3.9.
Overview of the scheme implemented in sections 3.1 to 3.9:
An online scanning program is created that scans the online table every hour, extracts the accounts whose online number exceeds the online limit in the user table, and records those accounts together with their number of online-overrun days. If an account exceeds the limit on xx days (a configuration item) or more within one week, it is treated as an illegal multi-dial account and placed on the illegal multi-dial blacklist. At the same time the N-only verification process of the authentication subsystem is modified: for accounts on the illegal multi-dial blacklist the anti-hang check is skipped and only the number of online sessions is verified, and if the number of online sessions is greater than the user's maximum online limit, authentication failure is returned directly. A new illegal multi-dial blacklist is created in the memory repository, together with a synchronization program that copies multi-dial blacklist users from the database to the memory repository. An illegal multi-dial blacklist management page is added to the management platform to manage the blacklist.
3.1 Modify memory synchronization
Specifically, memory synchronization is adjusted to add illegal multi-dial blacklist synchronization. The data involved are the illegal multi-dial blacklist table B_MULTIDIAL_BLACKLIST and the illegal multi-dial blacklist synchronization table B_MULTIDIAL_BLACKLIST_SYN.
3.2 Modify the N-only authentication module
Specifically, N-only authentication is adjusted to add illegal multi-dial blacklist verification. The database tables required are the illegal multi-dial blacklist table B_MULTIDIAL_BLACKLIST and the illegal multi-dial blacklist synchronization table B_MULTIDIAL_BLACKLIST_SYN.
The implementation may include the following:
a) Adjust the N-only authentication flow of the broadband service by adding the illegal multi-dial blacklist authentication flow.
Referring to fig. 9 and fig. 10, before modification the N-only authentication procedure authenticates directly by judging that the current account exists in the online information base and that the MAC and NAS-PORT-ID in the authentication message are the same as those recorded. After modification, a judgment is inserted between "the current account exists in the online information base" and "the MAC and NAS-PORT-ID are the same": whether the account is on the blacklist. The MAC and NAS-PORT-ID are compared only if the account is not on the blacklist. If the user is on the illegal multi-dial blacklist, the anti-hang check is skipped and only the online number is verified; if the online number is greater than or equal to the broadband user's maximum online limit, authentication fails directly (using a new error definition, "illegal multi-dial error", to distinguish it from other limit-number errors). If the user is not on the illegal multi-dial blacklist, verification follows the original anti-hang flow.
b) The earlier rule that skipped the online-count check once the online number exceeded 9 is cancelled; after the adjustment, an online number above 9 is handled by the normal N-only authentication flow.
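The modified N-only flow of fig. 10, written out as an added Python example; it is not the patent's or the operator's code, and it also covers the comparisons of steps S301 to S404 above. The online information base is a list of sessions carrying the three fields the text compares (account, MAC, NAS-PORT-ID), the blacklist is a set of accounts, and a limit of 0 means no limit as section 3.3 states. Two points are assumptions of the example: an account with no record in the online base is treated as a first login and only its count is checked, and the blacklist branch uses the greater-than-or-equal comparison given in this section (the page also states it as greater-than elsewhere).

```python
from collections import namedtuple

# One row of the online information base: the three fields the N-only check compares
OnlineSession = namedtuple("OnlineSession", "account mac nas_port_id")

AUTH_PASS = "pass"
FAIL_ANTI_HANG = "fail:anti_hang"                   # same account online from another MAC / NAS-PORT-ID
FAIL_ONLINE_LIMIT = "fail:online_limit"             # existing limit-number error
FAIL_ILLEGAL_MULTIDIAL = "fail:illegal_multidial"   # new error definition for blacklisted users


def n_only_check(account, mac, nas_port_id, online_base, blacklist, max_online):
    """Return the target authentication result for one authentication message.

    online_base: iterable of OnlineSession (the second account / link layer / identity info)
    blacklist:   set of accounts on the illegal multi-dial blacklist
    max_online:  the user's maximum online limit, 0 meaning unlimited
    """
    sessions = [s for s in online_base if s.account == account]
    online_count = len(sessions)

    if account in blacklist:
        # Blacklisted: skip the anti-hang check and verify only the online number
        if max_online and online_count >= max_online:
            return FAIL_ILLEGAL_MULTIDIAL
        return AUTH_PASS

    if sessions:
        # Original anti-hang flow: the account is already online, so the MAC and
        # NAS-PORT-ID in this message must match an existing record (S302 / S403)
        if not any(s.mac == mac and s.nas_port_id == nas_port_id for s in sessions):
            return FAIL_ANTI_HANG
    # Assumption of this example: an account with no online record is a first login
    # and falls through to the count check (its count is 0, so it passes)

    # S401 / S402 / S404: pass only while the online number is within the user's limit
    if max_online and online_count > max_online:
        return FAIL_ONLINE_LIMIT
    return AUTH_PASS
```

The sample sessions in the test are constructed; with a1 online twice from one terminal, a re-dial from that terminal passes at limit 2, a dial from a different MAC is an anti-hang failure unless a1 is blacklisted, and a blacklisted a1 is refused as soon as its count reaches the limit.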
3.3 Add the multi-dial blacklist scanning program
Specifically, a new multi-dial blacklist scanning program is added, along with the fixed-network broadband online user tables B_BROADBAND_ONLINE 00-05, the fixed-network broadband user tables B_BROADBAND_USER 00-05, the online overrun record table B_BBONLINE_OUTNUM_USER and the illegal multi-dial blacklist table B_MULTIDIAL_BLACKLIST.
The blacklist scanning program supports the following parameters: the online overrun statistics period, in days, and the online overrun days threshold, in days (for example 6 days).
The implementation may include the following:
A new multi-dial blacklist online scanning program is created. It scans the online list every hour, counts online users grouped by user and service type, compares the count with the online limit in the broadband user list, and proceeds as follows:
If the online number exceeds the user table's online limit (0 means no limit) and the online overrun record table holds no record for that account, a record is inserted into the online overrun record table with the creation date and update date both set to today (yyyy-mm-dd) and the overrun days set to 1.
If the online overrun record table already holds a record for that account and (today - the record's creation date) >= the online overrun statistics period (configurable, for example 7 days), the creation date and update date are both reset to today (yyyy-mm-dd) and the overrun days reset to 1.
If (today - the record's creation date) < the online overrun statistics period (7 days): if the record's update date is today, nothing is done; otherwise the overrun days are incremented by 1 and the update date set to today. The overrun record table is shown in table 1.
TABLE 1
If the online number does not exceed the user table's online limit, nothing is done.
After the online scan completes, the illegal blacklist identification scanning program is run over the online overrun record table data produced by the scan, as follows:
If the overrun days are greater than or equal to the online overrun days threshold (configurable, for example 6 days) and the illegal multi-dial blacklist holds no record for the same service user, a record for that service user is added to the illegal multi-dial blacklist with the creation date and update date set to today; the administrator field is set uniformly to "auto_scan".
If the illegal multi-dial blacklist already holds a record for the same service user and that record's update date is earlier than the creation date of the online overrun record, the update date is changed to today.
If the overrun days are below the online overrun days threshold and the record was created more than one week (the online overrun statistics period) ago, the records for that account are deleted from the online overrun record table.
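The two scans of this section (the hourly online scan that maintains the overrun record table, and the identification scan that promotes records to the blacklist) as an added Python example. It is not the patent's or the operator's code: plain dicts stand in for B_BROADBAND_ONLINE, B_BROADBAND_USER, B_BBONLINE_OUTNUM_USER and B_MULTIDIAL_BLACKLIST, the 7-day period and 6-day threshold are the configured values the summary reports, and the `simulate` driver with its constructed sample data is the example's own. The reading of the last rule above, that a below-threshold record older than the period is dropped, is an assumption.

```python
from collections import Counter
from datetime import date, timedelta

STAT_PERIOD_DAYS = 7     # online overrun statistics period (configured as 7 days)
THRESHOLD_DAYS = 6       # online overrun days threshold (configured as 6 days)


def scan_online(online_rows, user_limits, overrun, today):
    """Hourly online scan: update the online overrun record table in place.

    online_rows: list of (account, service_type), one entry per online session
    user_limits: {(account, service_type): online_limit}, 0 meaning no limit
    overrun:     {(account, service_type): {"created": date, "updated": date, "days": int}}
    """
    for key, online in Counter(online_rows).items():
        limit = user_limits.get(key, 0)
        if limit == 0 or online <= limit:
            continue                                   # within limit: nothing to do
        rec = overrun.get(key)
        if rec is None or (today - rec["created"]).days >= STAT_PERIOD_DAYS:
            # no record, or the record is older than the statistics period: start over
            overrun[key] = {"created": today, "updated": today, "days": 1}
        elif rec["updated"] != today:
            rec["days"] += 1                           # first overrun seen today
            rec["updated"] = today
        # already updated today: repeated hourly scans do not double count
    return overrun


def identify_blacklist(overrun, blacklist, today):
    """Identification scan run after the online scan: promote records to the blacklist."""
    for key, rec in list(overrun.items()):
        if rec["days"] >= THRESHOLD_DAYS:
            entry = blacklist.get(key)
            if entry is None:
                blacklist[key] = {"created": today, "updated": today, "admin": "auto_scan"}
            elif entry["updated"] < rec["created"]:
                entry["updated"] = today               # an old entry whose user overran again
        elif (today - rec["created"]).days >= STAT_PERIOD_DAYS:
            del overrun[key]                           # period elapsed below threshold: drop (assumption)
    return blacklist


def simulate(num_days, online_rows, user_limits, start=date(2024, 5, 1)):
    """Run both scans for num_days consecutive days against the same online table.

    The online scan runs twice per day to show that repeated hourly runs on one
    date do not inflate the overrun days. Returns (sorted blacklisted keys, overrun table).
    """
    overrun, blacklist = {}, {}
    for d in range(num_days):
        today = start + timedelta(days=d)
        scan_online(online_rows, user_limits, overrun, today)
        scan_online(online_rows, user_limits, overrun, today)
        identify_blacklist(overrun, blacklist, today)
    return sorted(blacklist), overrun


if __name__ == "__main__":
    # Constructed sample data: u1 holds 3 sessions against a limit of 2, u2 is within its limit
    rows = [("u1", 801)] * 3 + [("u2", 801)]
    limits = {("u1", 801): 2, ("u2", 801): 2}
    print(simulate(6, rows, limits)[0])   # [('u1', 801)]
```

Running the simulation for five days leaves u1 with five overrun days and no blacklist entry; the sixth day reaches the threshold and blacklists it. On the eighth day the record is older than the period and is reset to one day, while the blacklist entry persists until an administrator removes it.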
3.4 Add the multi-dial kick-offline scanning program
Specifically, a new multi-dial suppression kick-offline scanning program is added, configured with the fixed-network broadband online user tables B_BROADBAND_ONLINE 00-05, the fixed-network broadband user tables B_BROADBAND_USER 00-05 and the illegal multi-dial blacklist table B_MULTIDIAL_BLACKLIST.
The implementation is as follows: a new multi-dial kick-offline scanning program is created and run on a timer (every 5 minutes). A scan level configuration item is added, where the value 1 means a low scan level and 2 means a high scan level. The broadband user online table is scanned: at the low scan level, the online records of all broadband users (801/812) are scanned and users with an online number greater than 5 are extracted for kick-off; at the high scan level, only broadband users on the multi-dial blacklist are scanned and users with an online number greater than 5 are extracted for kick-off.
3.5 Add the DM kick-offline function
The users extracted by the online scan are sorted by online time, and the last N of their sessions to come online are taken offline by calling the DM (RADIUS Disconnect Message) interface, where N = the broadband user's online count - limit (if N <= 0, nothing is taken offline). If sessions came online at the same time, N of them are chosen at random to kick off. If a kick-off fails, the remaining DM operations for that user's sessions are skipped and an operation log is recorded for the user concerned.
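The selection and kick-off logic of sections 3.4 and 3.5 as an added Python example (not the patent's or the operator's code). The DM interface is a caller-supplied function returning success or failure, session records are (session_id, online_time) pairs, and, consistent with section 3.3, a limit of 0 is treated as no limit so nothing is disconnected; that last choice, the stub DM interface and the data shapes are assumptions of the example.

```python
import random


def select_kick_off(sessions, limit, rng=random):
    """Pick the sessions the DM interface should disconnect for one broadband user.

    sessions: list of (session_id, online_time) for the user
    limit:    the user's online limit from the broadband user table (0 = no limit)
    Returns the session_ids of the last N sessions to come online, N = len(sessions) - limit,
    with ties on online_time broken at random.
    """
    if limit == 0:
        return []                                      # no limit configured: nothing to kick (assumption)
    n = len(sessions) - limit
    if n <= 0:
        return []
    # Shuffle first so sessions sharing an online_time come out in random order, then a
    # stable sort by online_time leaves the most recent ones at the end of the list
    order = list(sessions)
    rng.shuffle(order)
    order.sort(key=lambda s: s[1])
    return [sid for sid, _ in order[-n:]]


def kick_off_scan(online_table, user_limits, blacklist, scan_level, dm_disconnect, rng=random):
    """One run of the 5-minute kick-offline scan.

    online_table:  {(account, service_type): [(session_id, online_time), ...]}
    user_limits:   {(account, service_type): online_limit}
    scan_level:    1 = all broadband users (801/812), 2 = blacklisted users only
    dm_disconnect: callable(session_id) -> bool, standing in for the DM interface
    Returns {(account, service_type): [session_ids actually disconnected]} for scanned users.
    """
    results = {}
    for key, sessions in online_table.items():
        account, service_type = key
        if service_type not in (801, 812):
            continue                                   # only broadband service types are scanned
        if scan_level == 2 and account not in blacklist:
            continue                                   # high level: blacklisted users only
        if len(sessions) <= 5:
            continue                                   # only users with online number > 5 are extracted
        done = []
        for sid in select_kick_off(sessions, user_limits.get(key, 0), rng):
            if not dm_disconnect(sid):
                # a failed DM skips the remaining operations for this user; log it
                print(f"DM failed for {account}/{service_type} session {sid}; skipping the rest")
                break
            done.append(sid)
        results[key] = done
    return results
```

Note the order: the kick-off list is computed from the online table at scan time, so a session disconnected by a DM that succeeds but whose accounting stop has not yet arrived will still appear online until the next scan; the 5-minute interval gives the BRAS time to tear the session down before it is counted again.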
3.6 Add illegal multi-dial blacklist management
An illegal multi-dial blacklist management function is added. The tables to be configured are the illegal multi-dial blacklist table B_MULTIDIAL_BLACKLIST and the illegal multi-dial blacklist history table B_MULTIDIAL_BLACKLIST_HIS.
The implementation is as follows: illegal multi-dial blacklist management functions for adding, deleting and querying are provided. The add function takes a new user name and service type (for now 801/812) and sets creation date = update date = current date. The delete function lists the blacklist entries that match the query conditions, from which the entries to delete can be selected; a confirmation is shown before deletion, and deletion proceeds after confirmation. The query function accepts query conditions such as user name and service type and presents results as follows: if no user name is entered, the number of matching blacklist users is checked first; if it is 10000 or fewer, the query result is shown page by page; if it is more than 10000, the user is told that the single-query limit has been exceeded and only an export download is offered; after confirmation the result is exported to an Excel file and a link is provided, which is downloaded by clicking the download button.
3.7 Add the illegal multi-dial blacklist history query function
The query conditions for the illegal multi-dial blacklist history query may be user name and service type. The query returns the illegal multi-dial blacklist history entries matching the conditions, in descending order of record insertion time. Manual addition and manual deletion of blacklist entries must be recorded in the administrator operation log table. The illegal multi-dial blacklist table is shown in table 2 and the illegal multi-dial blacklist history table in table 3.
TABLE 2
TABLE 3
3.8 Add sequences
The sequences S_B_MULTIDIAL_BLACK_HIS and S_B_MULTIDIAL_BLACK_SYN are added.
3.9 Add trigger
A new trigger on the B_MULTIDIAL_BLACKLIST table synchronizes additions, modifications and deletions to the history and synchronization tables. It may be modelled on the existing broadband user table triggers.
In summary, the present application may implement the following functions:
1. Suppress illegal second dialing. The broadband authentication mechanism and policy are optimized: the broadband dial authentication mechanism is adjusted, an authentication lock duration is set, and second-dial users are handled according to the authentication lock timeout configured in the system (currently 3 seconds). When the interval between the user's dial and the previous dial is less than 3 seconds, a second-dial error is returned and the user is set to the locked state, with a lock time of 3 seconds. Policy optimization: after receiving a lock check request, the authentication communication endpoint queries the user's record in the in-memory database; if there is none, it inserts the authentication record and returns "unlocked"; if there is one, it compares the current authentication time with the authentication time in the record, returns "locked" if the interval is within n seconds (currently 3 seconds), and otherwise updates the authentication time in the record and returns "unlocked".
2. Suppress illegal multi-dialing. A multi-dial blacklist is created in the authentication authorization accounting system, and broadband accounts that match the multi-dial scenario are dynamically placed on it for monitoring. When a user on the blacklist authenticates, the authentication subsystem skips the anti-hang check and checks only the number of online sessions, returning authentication failure directly as soon as the number of online sessions is greater than the user's maximum online limit; if the user is not on the illegal multi-dial blacklist, verification follows the original anti-hang flow.
3. Add the blacklist scanning program. According to the configured online overrun statistics period (currently 7 days) and online overrun days threshold (currently 6 days), the online list is scanned every hour and the broadband accounts whose online connection count exceeds the maximum connections allowed for the user are inserted into the illegal multi-dial blacklist.
4. Adjust the N-only check flow. When checking N-only, if the user is on the illegal multi-dial blacklist, the anti-hang check is skipped and only the number of online terminals is checked; if the current number of online terminals has reached the broadband user's maximum online limit, authentication failure is returned directly. If the user is not on the illegal multi-dial blacklist, verification follows the original anti-hang flow.
In summary, the present application has the following advantages:
1. Second-dial users can be handled effectively, improving the security and user experience of the broadband authentication system. When the interval between a user's dial and the previous dial is shorter than the configured authentication lock timeout, the authentication system handles the user accordingly, avoiding the adverse effects of frequent second dialing on the system.
2. The method optimizes the existing authentication authorization accounting system by adding an illegal second-dial/multi-dial prevention module, attached to authentication through an interface bypass. A multi-dial limiting link is added at the front of the authentication flow, so that abnormal multi-dial behaviour is detected and blocked immediately and the normal business flow is terminated.
3. The method and device can solve the problem of second dialing and multi-dialing illegally occupying the operator's IP and bandwidth resources, effectively supporting the healthy and secure development of the company's broadband business.
4. The method and device can reduce the large volume of system logs and Internet access billing records generated by illegal second dialing/multi-dialing, improve the operating efficiency of the authentication authorization accounting system and save storage resources.
5. The monitoring and handling mechanism for multi-dial blacklist users effectively prevents multi-dial behaviour from affecting the system and ensures normal authentication for other users.
6. The multi-dial blacklist scanning program scans the online list on a schedule and inserts broadband accounts whose online connection count exceeds the maximum connections allowed for the user into the illegal multi-dial blacklist, so that multi-dial behaviour is detected and handled in time and normal system operation is ensured.
7. The N-only verification treats users differently according to whether they are on the illegal multi-dial blacklist: for illegal multi-dial users only the online number is checked, avoiding the impact of the anti-hang check on them; other users are verified according to the original anti-hang flow.
In addition, referring to fig. 11 and corresponding to the method of fig. 2, an embodiment of the present application further provides an authentication device based on an authentication, authorization and accounting system. The authentication device may include a first processing unit 1001 and a second processing unit 1002. The first processing unit 1001 is configured to, in response to a user configuring a broadband account number and password at the client, receive a first request message sent by the broadband access server and obtain the number of online sessions from the database, the first request message being generated by the broadband access server from the broadband account number and password. The second processing unit 1002 is configured to generate an authentication online record from the first request message and send it to the prompt locking module, so that the prompt locking module locks the broadband account within a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result.
It should be noted that the first processing unit may be any integrated circuit unit or microprocessor unit obtained by integrating a chip with a processing function and its peripheral circuits using conventional integration technology, and the second processing unit may likewise be any such integrated circuit module or microprocessor module. The first and second processing units may further comprise one or more memories, which may store the specific algorithms used for the verification process in this application.
In some embodiments of the present application, the first processing unit 1001 and the second processing unit 1002 may be disposed in a device having a processing function. The way the two units are connected and arranged is not limited; if they are connected wirelessly, the wireless connection may include, but is not limited to, 3G/4G/5G, WiFi, Bluetooth, WiMAX, Zigbee, UWB (Ultra Wide Band) and other wireless connection methods now known or developed in the future.
Corresponding to the method of fig. 1, an embodiment of the present application further provides an authentication device based on an authentication, authorization and accounting system; with reference to fig. 12, its specific structure includes:
at least one processor 1011;
at least one memory 1012 for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement the authentication method based on the authentication authorization accounting system.
Corresponding to the method of fig. 1, the embodiment of the present application further provides a computer readable storage medium having stored therein processor executable instructions which, when executed by a processor, are for performing the authentication method based on the authentication authorization accounting system.
The content of the authentication method embodiment applies equally to the storage medium embodiment: the functions realized by the storage medium embodiment, and the beneficial effects achieved, are the same as those of the authentication method embodiment.
In some alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flowcharts of this application are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of a larger operation are performed independently.
Furthermore, while the present application is described in the context of functional modules, it should be appreciated that, unless otherwise indicated, one or more of the functions and/or features may be integrated in a single physical device and/or software module or one or more of the functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary to an understanding of the present application. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be apparent to those skilled in the art from consideration of their attributes, functions and internal relationships. Thus, those of ordinary skill in the art will be able to implement the present application as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to be limiting upon the scope of the application, which is to be defined by the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several programs for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable programs for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with a program execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the programs from the program execution system, apparatus, or device and execute them. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the program execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable program execution system. If implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
In the foregoing description of the present specification, descriptions of the terms "one embodiment/example", "another embodiment/example", "certain embodiments/examples", and the like, are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present application have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the principles and spirit of the application, the scope of which is defined by the claims and their equivalents.
While the preferred embodiment of the present invention has been described in detail, the present invention is not limited to the embodiments described above, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present invention, and these equivalent modifications and substitutions are intended to be included in the scope of the present invention as defined in the appended claims.

Claims (10)

1. An authentication method based on an authentication, authorization and accounting system, characterized in that the authentication, authorization and accounting system comprises a client, a broadband access server and a prompt locking module, and the method comprises the following steps:
in response to a user configuring a broadband account number and a password at the client, receiving a first request message sent by the broadband access server and obtaining the number of online sessions from a database, the first request message being a message generated by the broadband access server from the broadband account number and the password;
generating an authentication online record from the first request message and sending the authentication online record to the prompt locking module, so that the prompt locking module locks the broadband account within a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result.
2. The authentication method based on the authentication, authorization and accounting system of claim 1, wherein the first request message is obtained by:
in response to the user configuring the broadband account number and the password at the client, generating a first demand message at the client and sending the first demand message to the broadband access server;
encapsulating the first demand message into the first request message at the broadband access server.
3. The authentication method based on the authentication, authorization and accounting system according to claim 1, wherein the first request message further includes first link layer information and first identity information, and the step of generating an authentication online record from the first request message and sending it to the prompt locking module, so that the prompt locking module locks the broadband account within a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result, comprises:
extracting second account information, second link layer information and second identity information from an online information base;
determining that the broadband account matches an account in the second account information, that the first link layer information matches the second link layer information and that the first identity information matches the second identity information, and obtaining the target authentication result from the number of online sessions.
4. The authentication method based on the authentication, authorization and accounting system according to claim 3, wherein the step of obtaining the target authentication result from the number of online sessions specifically comprises:
comparing the number of online sessions with the maximum online limit number of the user;
when the number of online sessions is less than or equal to the maximum online limit number of the user, determining that the target authentication result is authentication passed.
5. The authentication method based on the authentication, authorization and accounting system of claim 4, wherein the step of generating an authentication online record from the first request message and sending it to the prompt locking module, so that the prompt locking module locks the broadband account within a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result, further comprises:
determining that the broadband account matches no account in the second account information, or that the first link layer information differs from the second link layer information, or that the first identity information differs from the second identity information, and determining that the target authentication result is authentication failed; or
determining that the broadband account matches an account in the second account information, that the first link layer information matches the second link layer information and that the first identity information matches the second identity information, but that the number of online sessions exceeds the maximum online limit number of the user, and determining that the target authentication result is authentication failed.
6. The authentication method based on the authentication, authorization and accounting system of claim 3, wherein the step of causing the prompt locking module to lock the broadband account within a preset time specifically comprises:
extracting from the authentication online record a first authentication time, being the time of the last successful authentication;
when the difference between the first authentication time and the authentication time of the current authentication process is less than the preset time, locking the broadband account.
7. The authentication method based on the authentication, authorization and accounting system of claim 1, wherein the method further comprises: sending the target authentication result to the broadband access server, so that the prompt locking module deletes the authentication online record.
8. An authentication device based on an authentication, authorization and accounting system, wherein the authentication, authorization and accounting system comprises a client, a broadband access server and a prompt locking module, and the authentication device comprises:
a first processing unit, configured to, in response to a user configuring a broadband account number and a password at the client, receive a first request message sent by the broadband access server and obtain the number of online sessions from a database, the first request message being a message generated by the broadband access server from the broadband account number and the password;
a second processing unit, configured to generate an authentication online record from the first request message and send the authentication online record to the prompt locking module, so that the prompt locking module locks the broadband account within a preset time and verifies the broadband account, the password and the number of online sessions to obtain a target authentication result.
9. An authentication apparatus based on an authentication-authorization-accounting system, comprising:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement an authentication method based on an authentication authorization accounting system as claimed in any one of claims 1-7.
10. A computer readable storage medium having stored therein processor executable instructions which, when executed by a processor, are for performing an authentication method based on an authentication authorization accounting system according to any of claims 1-7.
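The locking and blacklist logic of claims 1 to 7, together with points 6 and 7 of the advantages listed above, modelled end to end as an added Python example; this is not the patent's or the applicant's code. The names (AAAState, OnlineRecord, AuthRequest, is_locked, locked_check, authenticate, scan_blacklist), the fields assumed to travel in the BRAS request, the 30 second lock window and the sample accounts are all assumptions. is_locked and locked_check are claims 3 to 6, the blacklist branch in authenticate is the N-only handling of point 7, scan_blacklist is the periodic program of point 6, and the try/finally is the record deletion of claim 7.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

LOCK_WINDOW = 30.0  # the claims' "preset time", in seconds; the value is an assumption


@dataclass
class OnlineRecord:
    """One row of the online information base (claim 3's 'second' fields), the
    session count read from the database (claim 1) and claim 6's last success time."""
    account: str
    link_layer: str      # e.g. the CPE MAC address reported by the BRAS
    identity: str        # e.g. an access-line identifier
    sessions: int
    last_success: float  # epoch seconds


@dataclass
class AuthRequest:
    """Fields assumed to be carried in the BRAS 'first request message'."""
    account: str
    password: str
    link_layer: str
    identity: str
    now: float           # authentication time of the current attempt


@dataclass
class AAAState:
    passwords: Dict[str, str]        # demo credential store; plain text only for brevity
    max_online: Dict[str, int]       # per-user maximum online limit number
    online: Dict[str, OnlineRecord]  # online information base, keyed by account
    blacklist: Set[str] = field(default_factory=set)               # illegal multi-dial blacklist
    pending: Dict[str, AuthRequest] = field(default_factory=dict)  # authentication online records


def is_locked(state: AAAState, req: AuthRequest) -> bool:
    """Claim 6: locked when this attempt arrives less than LOCK_WINDOW after
    the last successful authentication of the same account."""
    rec = state.online.get(req.account)
    return rec is not None and (req.now - rec.last_success) < LOCK_WINDOW


def locked_check(state: AAAState, req: AuthRequest) -> Tuple[bool, str]:
    """Claims 3-5: inside the window the attempt passes only if link-layer and
    identity information match the account's online record and the online
    session count is <= the user's limit; a mismatch is a second dial from
    another device and fails."""
    rec = state.online[req.account]
    if (req.link_layer, req.identity) != (rec.link_layer, rec.identity):
        return False, "second dial from a different device/line"
    if rec.sessions > state.max_online[req.account]:
        return False, "online sessions exceed limit"
    return True, "same-device redial within window"


def authenticate(state: AAAState, req: AuthRequest) -> Tuple[bool, str]:
    """Claim 1 flow: verify credentials, create the authentication online
    record, run the multi-dial pre-check in front of the normal flow and
    (claim 7) delete the record once the result is returned to the BRAS."""
    if state.passwords.get(req.account) != req.password:
        return False, "bad credentials"
    state.pending[req.account] = req
    try:
        rec = state.online.get(req.account)
        sessions = rec.sessions if rec else 0
        limit = state.max_online[req.account]
        if req.account in state.blacklist:
            # Point 7: a blacklisted user gets only the online-quantity check
            return sessions <= limit, "blacklist: online count check only"
        if is_locked(state, req):
            return locked_check(state, req)
        # Outside the window the page only names the "original anti-hang
        # process"; reusing the session-count comparison here is an assumption.
        if sessions > limit:
            return False, "multi-dial: session limit exceeded"
        return True, "authenticated"
    finally:
        state.pending.pop(req.account, None)


def scan_blacklist(state: AAAState) -> Set[str]:
    """Point 6: periodic scan of the online list that inserts every account
    whose online connection count exceeds its allowed maximum into the
    blacklist. Returns the accounts added by this run."""
    added = {a for a, rec in state.online.items()
             if rec.sessions > state.max_online[a] and a not in state.blacklist}
    state.blacklist |= added
    return added


def demo_state(now: float) -> AAAState:
    """Constructed sample data, not taken from the page."""
    return AAAState(
        passwords={"bb0001": "s3cret", "bb0002": "hunter2", "bb0003": "pw3"},
        max_online={"bb0001": 1, "bb0002": 2, "bb0003": 1},
        online={
            "bb0001": OnlineRecord("bb0001", "aa:bb:cc:00:00:01", "line-01", 1, now - 5.0),
            "bb0002": OnlineRecord("bb0002", "aa:bb:cc:00:00:02", "line-02", 3, now - 600.0),
        },
    )
```

With demo_state(1000.0), a redial of bb0001 from the same MAC and line five seconds after its last success is locked but passes; the same account from a different MAC in that window fails as a second dial; bb0002, whose three sessions already exceed its limit of two, is refused outside the window and is picked up by scan_blacklist, after which only the count comparison is applied to it. Two points a practitioner would check before deploying this logic: the same-device decision is only as trustworthy as the link-layer and identity fields, so they must be supplied or verified by the access network rather than taken from the client, and the session count read from the database must be kept consistent with what the BRAS actually holds, or stale sessions will either block legitimate redials or hide real multi-dialling.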
CN202311412756.2A 2023-10-27 2023-10-27 Authentication method, equipment, device and medium based on authentication authorization charging system Pending CN117478372A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311412756.2A CN117478372A (en) 2023-10-27 2023-10-27 Authentication method, equipment, device and medium based on authentication authorization charging system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311412756.2A CN117478372A (en) 2023-10-27 2023-10-27 Authentication method, equipment, device and medium based on authentication authorization charging system

Publications (1)

Publication Number Publication Date
CN117478372A true CN117478372A (en) 2024-01-30

Family

ID=89637177

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311412756.2A Pending CN117478372A (en) 2023-10-27 2023-10-27 Authentication method, equipment, device and medium based on authentication authorization charging system

Country Status (1)

Country Link
CN (1) CN117478372A (en)

Similar Documents

Publication Publication Date Title
JP3924465B2 (en) Method and apparatus for checking the validity of a first communication participant in a communication network
US9027079B2 (en) Method and system for dynamic security using authentication servers
US9125055B1 (en) Systems and methods for authenticating users accessing unsecured WiFi access points
US7640581B1 (en) Method and system for providing secure, centralized access to remote elements
KR101265305B1 (en) Preventing fraudulent internet account access
JP4728258B2 (en) Method and system for managing access authentication for a user in a local management domain when the user connects to an IP network
US20020188738A1 (en) Data networks
CN101986598B (en) Authentication method, server and system
CN101714918A (en) Safety system for logging in VPN and safety method for logging in VPN
EP1683388A2 (en) Method for managing the security of applications with a security module
WO2005104425A2 (en) Method and system for verifying and updating the configuration of an access device during authentication
US20040010713A1 (en) EAP telecommunication protocol extension
CN109104475B (en) Connection recovery method, device and system
CN109067937A (en) Terminal admittance control method, device, equipment, system and storage medium
CN111355713A (en) Proxy access method, device, proxy gateway and readable storage medium
US9143494B2 (en) Method and apparatus for accessing a network
US20080168547A1 (en) Method for provisioning policy on user devices in wired and wireless networks
US8954547B2 (en) Method and system for updating the telecommunication network service access conditions of a telecommunication device
US7631344B2 (en) Distributed authentication framework stack
CN117478372A (en) Authentication method, equipment, device and medium based on authentication authorization charging system
CN1265579C (en) Method for network access user authentication
CN114615309B (en) Client access control method, device, system, electronic equipment and storage medium
CN114978773A (en) Single package authentication method and system
CN100596070C (en) Method, system and identification server for configuring service channel after identification failure
EP3041192B1 (en) Authentication infrastructure for ip phones of a proprietary toip system by an open eap-tls system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination