CN1356812A - Distributed authentication/charge server system and its implementation method - Google Patents
Distributed authentication/charge server system and its implementation method Download PDFInfo
- Publication number
- CN1356812A CN1356812A CN02100025A CN02100025A CN1356812A CN 1356812 A CN1356812 A CN 1356812A CN 02100025 A CN02100025 A CN 02100025A CN 02100025 A CN02100025 A CN 02100025A CN 1356812 A CN1356812 A CN 1356812A
- Authority
- CN
- China
- Prior art keywords
- server
- authentication
- distributed authentication
- basic radius
- servers
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
A distributed authentication/charge server system is composed of the basic radius server directly connected to remove access server for implementing the client-orientated receiving/transmitting of data packets, encoding/decoding data packets and forwarding data packets to other servers, in-line user manager connected to said basic Radius server and able to perform individual logic processing function, IPDR collector connected to more charge servers, and multiple authentication/authorization servers. Its advantages include hot connection/dis-connection of services, in-line upgrade, and high scalability and stability.
Description
Technical field
The present invention relates to a kind of distributed authentication/charge server system and its implementation, belong to the Verification System technical field of IP communication network.
Background technology
Authentication/charge system of using on the telecommunications network mainly adopts remote dial authentification of user service (Radius-Remote Authentication Dial In User Service) agreement (hereinafter to be referred as the Radius agreement) now.Stipulated the transmission means of verify data and the form of packet in this agreement, and realized being referred to as the Radius server usually by the service end software of this agreement.
In the telecommunication network system that uses at present, the Radius server adopts total accepted way of doing sth structure usually, and referring to Fig. 1, its work of bearing includes: 1, reception/transmission Radius protocol data bag; 2, encode the data into and be Radius protocol data bag; 3, Radius protocol data bag is decoded; 4, utilize decoded data to carry out the service logic authentication; 5, according to the corresponding business regulation, utilize decoded data to subscriber authorisation or authentication; 6, utilize decoded data to charge.This miscellaneous service logics such as all business authentications, mandate, charging totally are all concentrated on a system configuration and an operational mode in the Radius server processes, under the situation single in business, that number of users is less relatively, it still is fairly simple, convenient and effective implementing.But, along with being growing more intense of teledata Communications Market competition, emerging data service emerges in an endless stream and complicated day by day, number of users is under the situation of high speed development, above-mentioned prevailing system framework just exposes following shortcomings gradually: 1, when new business of system's introducing, when perhaps existing business being made amendment, must revise whole code server, cause service disruption, perhaps introduce new unknowable system defect, reduce the stability of Radius server, and existing professional normally the carrying out of influence.2, along with the increase of number of users, when having exceeded the maximum load of single machine, when increasing machine in order to improve performance, operate in two Radius servers on the machine can't be synchronously each other data, cause some logic determines to make mistakes.For example: can only be simultaneously online one time the time when certain business for each user, will can't cause the failure of this traffic limits owing to two Radius servers effectively synchronously.In addition, existing Radius server centered all business processing logic programs, wherein any one part goes wrong and all can cause can not moving of whole system; Promptly the Radius server that uses now in case break down, just makes whole service stopping, thereby has increased the difficulty of system maintenance greatly.
Summary of the invention
The purpose of this invention is to provide and a kind ofly can overcome distributed authentication/charge server system that there is number of drawbacks in existing Verification System, this system can realize professional hot plug, promptly new professional or when existing business made amendment when introducing, can not influence other business of moving, can realize the online upgrading of system.And can improve the retractility and the job stability of systematic function, when systematic function is not enough, only need to increase new server, system is carried out simple necessary configuration can come into force, and does not need update routine.
Another object of the present invention provides the implementation method of a kind of distributed authentication/charging service system.
The object of the present invention is achieved like this: a kind of distributed authentication/charge server system, it is characterized in that: this system includes: directly and the remote dial user continue, be used to realize the reception/transmission packet of curstomer-oriented end, finish the encoding/decoding data bag and the basic Radius server of other server forwards packet functions in system, be connected respectively with this basic Radius server, and can independently finish user's online management device of Different Logic processing capacity separately, IPDR collector and a plurality of authentication/authorization services device, IPDR collector fork wherein is connected with a plurality of accounting servers.
Described user's online management device is mainly born all user's Internet data that focus on this Radius server, with leading subscriber login times, time; And can be according to service needed, the function that the number of times that same user account is surfed the Net simultaneously limits.
Described IPDR collector is finished and is filtered the function that arrangement is chargeed and wrapped, in unstable networks, might receive that to described basic Radius server a plurality of copies of same charging bag delete the data of repetition by this IPDR collector, and remove the processing of abnormal data.
Described a plurality of authentication/authorization services device by a plurality of separately independently, respectively different business logic is separately carried out the server that authenticated/authorized handles and is formed.
Described a plurality of accounting server by a plurality of separately independently, respectively the server of handling that charges of the metering data of different business is separately formed.
In above-mentioned each server except the user's online management device and IPDR collector that are used for shared data, other each server can be looked business demand and dispose many machines arbitrarily, so this system possesses extremely strong scalability, this systematic function only is subjected to the restriction of the network bandwidth.
The implementation method of distributed authentication of the present invention/charging service system is such: adopt common object proxy requests framework CORBA (Common Object Request BrokerArchitecture) as communications protocol in this internal system, wherein basic Radius server is as the CORBA client, described user's online management device, the IPDR collector, a plurality of authentication/authorization services devices and a plurality of accounting server are respectively as CORBA server and independent operating, and each server is only handled single business demand, differentiate different business by basic Radius server according to domain name, according to business various requests are forwarded to each different server again and handle respectively; By the CORBA agreement, basic Radius server is sought the related service logical process operation that 1~N normal server carries out authenticated/authorized, charging class automatically.
When certain certificate server broke down, the basic Radius server of this system can use automatically that other available certificate servers authenticate in this system; When all certificate servers are all unavailable, basic Radius server will allow all user's online.
When the IPDR collector broke down, the basic Radius server of this system was retained in this locality to all metering datas, treated that this IPDR collector recovers just often to resend.
When certain accounting server broke down, the IPDR collector of this system can automatically be sent to other available accounting servers in this system to metering data; When all accounting servers are all unavailable, just all metering datas are retained in this locality, treat that accounting server recovers just often to resend.
The present invention existing authentication/charge system had relatively advantage and effect are: at first, the function that basic Radius server in the system of the present invention is provided is the part of existing Radius server just--and be the function of basic reception/transmission, coding/decoding and forwarding packet, code is simple, good stability, the probability that breaks down greatly reduces, for good basis has been established in the stable operation of whole system; And all make independently server with each professional relevant module: authentication/authorization services device, IPDR collector, accounting server are formed system's each several part and are complete loose coupling structure.As long as basic Radius server normally moves, just can be for the user provide service, and all metering data during the retention fault, make the ISP exempt from loss.Moreover, because authentication/authorization services device, accounting server and IPDR collector are divided into a plurality of independently servers according to business, fundamentally eliminated of the influence of a certain business of increase/modification to other business.When increasing new business, only need to increase corresponding service routine, increase the forwarding rule of domain name at basic Radius server to service server, can under level and smooth fully situation, increase support to new business.In addition, because this internal system adopts the CORBA agreement to communicate, can walk around the CORBA server of inefficacy automatically as the basic Radius server of CORBA client, the normal server of job search carries out operations such as authentication.And by simple configuration, a CORBA client can connect the CORBA server of any amount, and obtains corresponding service.The operation method of this kind communication protocol when system maintenance, upgrading, increase machine, can not produce at all influence to the whole system framework; Several configuration files are just revised in all work, make fault-tolerance, stability and the autgmentability of this system be able to great raising.
Description of drawings
Fig. 1 is that the remote dial authentification of user of finishing that uses is now served server of (Radius) agreement and the system schematic that client is formed.
Fig. 2 is the structure composition of distributed authentication/accounting server of the present invention and the system schematic of forming with client thereof.
Embodiment
Referring to distributed authentication/charge server system of the present invention shown in Figure 2, this system includes: directly and remote access server continue, be used to realize reception/transmission packet towards the Radius client, finish the encoding/decoding data bag and the basic Radius server 1 of other server forwards packet functions in system, be connected respectively with this basic Radius server 1, and can independently finish user's online management device 2 of Different Logic processing capacity separately, IPDR (IP Detail Record, the IP transaction is detailed single) collector 3 and a plurality of authentication/authorization services device 4, IPDR collector 3 wherein is connected with a plurality of accounting servers 5 again.User's online management device 2 is here mainly born the data that all users that focus on this basic Radius server surf the Net and login, with number of times, the time of leading subscriber login; And can be according to service needed, the function that the number of times that same user account is surfed the Net simultaneously limits.3 of IPDR collectors are finished and are filtered the function that arrangement is chargeed and wrapped, in unstable networks, might receive that by 3 pairs of basic Radius servers 1 of this IPDR collector a plurality of copies of same charging bag delete the data of repetition, and remove the processing of abnormal data.A plurality of authentication/authorization services devices 4 by a plurality of separately independently, respectively different business logic is separately carried out the server N that server 1... authenticated/authorized that authenticated/authorized handles handles and is formed.Similarly, a plurality of accounting servers 5 by a plurality of separately independently, respectively the accounting server 1... accounting server N that handles that charges of the metering data of different business is separately formed.
1 of basic Radius server among the present invention is finished basic Radius protocol function, and with functions such as the authentication of different business, mandate, charging by separately independently, respectively to different business logic separately authenticate, authorize, the server of respective handling such as charging realizes.Need to prove that the data extract that the present invention will need to share is come out, manage with independent server.According to present telecommunication service demand, the present invention has designed the Service Process Server of two shared data, be user's online management device and IPDR collector, in addition, other each server can be looked business demand and dispose many machines arbitrarily, so system of the present invention has extremely strong professional retractility, the expansion performance of this system only is subjected to the restriction of the network bandwidth.
The implementation method of distributed authentication of the present invention/charging service system is to adopt common object proxy requests framework CORBA (Common Object Request Broker Architecture) as communications protocol in this internal system, wherein basic Radius server is as the CORBA user side, described other each servers are respectively as CORBA server and independent operating, and each server is only handled single business demand, differentiate different business by basic Radius server according to domain name, according to business various requests are forwarded to different servers again and handle respectively; By the CORBA agreement, basic Radius server is sought the related service logical process operation that 1~N normal server carries out authenticated/authorized, charging class automatically.
Expansion needs along with data service need prevailing system is made amendment probably, cause the influence to systematic jitters in order to reduce the modification system as much as possible, and the present invention adopts following three kinds of modes:
1, when certain certificate server breaks down, the basic Radius server of this system automatically interior other the available certificate servers of using system authenticates; Have only when all certificate servers and all break down and when unavailable, basic Radius server will allow all users to surf the Net.
2, when the IPDR collector breaks down, the basic Radius server of this system is retained in this locality to all metering datas, treats that this IPDR collector recovers just often to resend.
3, when certain accounting server breaks down, the IPDR collector of this system can automatically be sent to other available accounting servers in the system to metering data; Have only when all accounting servers are all unavailable, just all metering datas are retained in this locality, treat that this accounting server recovers just often to resend.
The present invention has utilized many computers to be built into the enforcement test that model carried out analogue simulation as different servers respectively, and in Guangdong Province's 163 centralized chargings of net and business management system, implement test, the result of test is gratifying, has realized goal of the invention.
Claims (10)
1, a kind of distributed authentication/charge server system, it is characterized in that: this system includes: directly be connected with remote access server, be used to realize the reception/transmission packet of curstomer-oriented end, finish the encoding/decoding data bag and the basic Radius server of other server forwards packet functions in system, be connected respectively with this basic Radius server, and can independently finish user's online management device of Different Logic processing capacity separately, IPDR collector and a plurality of authentication/authorization services device, IPDR collector wherein is connected with a plurality of accounting servers again.
2, distributed authentication/charge server system according to claim 1 is characterized in that: described user's online management device is mainly born all user's Internet data that focus on this Radius server, with leading subscriber login times, time; And can be according to service needed, the function that the number of times that same user account is surfed the Net simultaneously limits.
3, distributed authentication/charge server system according to claim 1, it is characterized in that: described IPDR collector is finished and is filtered the function that arrangement is chargeed and wrapped, in unstable networks, might receive that to described basic Radius server a plurality of copies of same charging bag delete the data of repetition by this IPDR collector, and remove the processing of abnormal data.
4, distributed authentication/charge server system according to claim 1 is characterized in that: described a plurality of authentication/authorization services devices by a plurality of separately independently, respectively different business logic is separately carried out the server that authenticated/authorized handles and is formed.
5, distributed authentication/charge server system according to claim 1 is characterized in that: described a plurality of accounting servers by a plurality of separately independently, respectively the server of handling that charges of the metering data of different business is separately formed.
6, distributed authentication/charge server system according to claim 1, it is characterized in that: except the user's online management device and IPDR collector that are used for shared data, other each server can be looked business demand and be provided with many machines arbitrarily in above-mentioned each server.
7, the implementation method of a kind of distributed authentication/charging service system, it is characterized in that: adopt common object proxy requests framework CORBA (Common Obiect Request BrokerArchitecture) as communications protocol in this internal system, wherein basic Radius server is as the CORBA client, described user's online management device, the IPDR collector, a plurality of authentication/authorization services devices and a plurality of accounting server are respectively as CORBA server and independent operating, and each server is only handled single business demand, differentiate different business by basic Radius server according to domain name, according to business various requests are forwarded to each different server again and handle respectively; By the CORBA agreement, basic Radius server is sought the related service logical process operation that 1~N normal server carries out authenticated/authorized, charging class automatically.
8, the implementation method of distributed authentication according to claim 7/charging service system, it is characterized in that: when certain certificate server broke down, the basic Radius server of this system can use automatically that other available certificate servers authenticate in this system; When all certificate servers are all unavailable, basic Radius server will allow all user's online.
9, the implementation method of distributed authentication according to claim 7/charging service system, it is characterized in that: when the IPDR collector breaks down, the basic Radius server of this system is retained in this locality to all metering datas, treats that this IPDR collector recovers just often to resend.
10, the implementation method of distributed authentication according to claim 7/charging service system, it is characterized in that: when certain accounting server broke down, the IPDR collector of this system can automatically be sent to other available accounting servers in this system to metering data; When all accounting servers are all unavailable, just all metering datas are retained in this locality, treat that accounting server recovers just often to resend.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB021000255A CN1141822C (en) | 2002-01-08 | 2002-01-08 | Distributed authentication/charge server system and its implementation method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB021000255A CN1141822C (en) | 2002-01-08 | 2002-01-08 | Distributed authentication/charge server system and its implementation method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1356812A true CN1356812A (en) | 2002-07-03 |
| CN1141822C CN1141822C (en) | 2004-03-10 |
Family
ID=4739146
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB021000255A Expired - Fee Related CN1141822C (en) | 2002-01-08 | 2002-01-08 | Distributed authentication/charge server system and its implementation method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1141822C (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1307552C (en) * | 2003-01-21 | 2007-03-28 | 英业达股份有限公司 | Hot plug circuit and method in accessories management system |
| CN100353763C (en) * | 2003-11-21 | 2007-12-05 | 华为技术有限公司 | Charging lot price system |
| CN100464550C (en) * | 2006-02-27 | 2009-02-25 | 东南大学 | Network architecture of backward compatible authentication, authorization and accounting system and implementation method |
| CN100525378C (en) * | 2006-11-17 | 2009-08-05 | 华为技术有限公司 | Management method, system and device to update distributed set top box |
| US7623636B2 (en) | 2004-05-26 | 2009-11-24 | Nokia Siemens Networks Gmbh & Co. Kg | System for generating service-oriented call-charge data in a communication network |
| WO2011009268A1 (en) * | 2009-07-22 | 2011-01-27 | 中兴通讯股份有限公司 | Wapi (wlan authentication and privacy infrastructure) -based authentication system and method |
| CN101662390B (en) * | 2009-09-24 | 2012-10-10 | 中兴通讯股份有限公司 | Upgrade protecting method and device thereof |
-
2002
- 2002-01-08 CN CNB021000255A patent/CN1141822C/en not_active Expired - Fee Related
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1307552C (en) * | 2003-01-21 | 2007-03-28 | 英业达股份有限公司 | Hot plug circuit and method in accessories management system |
| CN100353763C (en) * | 2003-11-21 | 2007-12-05 | 华为技术有限公司 | Charging lot price system |
| US7623636B2 (en) | 2004-05-26 | 2009-11-24 | Nokia Siemens Networks Gmbh & Co. Kg | System for generating service-oriented call-charge data in a communication network |
| CN100464550C (en) * | 2006-02-27 | 2009-02-25 | 东南大学 | Network architecture of backward compatible authentication, authorization and accounting system and implementation method |
| CN100525378C (en) * | 2006-11-17 | 2009-08-05 | 华为技术有限公司 | Management method, system and device to update distributed set top box |
| WO2011009268A1 (en) * | 2009-07-22 | 2011-01-27 | 中兴通讯股份有限公司 | Wapi (wlan authentication and privacy infrastructure) -based authentication system and method |
| CN101662390B (en) * | 2009-09-24 | 2012-10-10 | 中兴通讯股份有限公司 | Upgrade protecting method and device thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1141822C (en) | 2004-03-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US6938080B1 (en) | Method and computer system for managing data exchanges among a plurality of network nodes in a managed packet network | |
| CN1692616B (en) | Network traffic control in peer-to-peer environments | |
| CN100382072C (en) | Method and system for providing contents | |
| AU2002330421B2 (en) | System and implementation method of controlled multicast | |
| CN100364281C (en) | Distribtive flow managing method based on counter network | |
| WO2000031661A1 (en) | A comprehensive information service platform system and method thereof | |
| CN1197297C (en) | A platform information switch | |
| CN1932875A (en) | Prepositional system based on finance industry | |
| CN100517291C (en) | On demand session provisioning of IP flows | |
| US7793352B2 (en) | Sharing network access capacities across internet service providers | |
| CN112132942B (en) | Three-dimensional scene roaming real-time rendering method | |
| CN1141822C (en) | Distributed authentication/charge server system and its implementation method | |
| CN1859114A (en) | Method for access internet by data card | |
| KR100703567B1 (en) | Online contents access control system and method thereof | |
| CN101030866A (en) | Distributed network controllable transmission and hard software device | |
| WO2008151491A1 (en) | A p2p network system and application method thereof | |
| CN1197296C (en) | An information switch | |
| CN108833554A (en) | A kind of real-time highly reliable message distributing system and its method towards large scale network | |
| CN1148032C (en) | Signaling system of broadband multi-service communication network | |
| CN101262470B (en) | A north interface for peeling the interface and its interaction method with users | |
| WO2009006770A1 (en) | Method of p2p node management | |
| CN1484412A (en) | Method for realizing 802.1 X communication based on group management | |
| CN101447878B (en) | Charging method for prepayment service and system thereof | |
| CN1291572C (en) | Media content distributing method and system thereof | |
| CN112491577B (en) | Bandwidth acceleration method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C06 | Publication | ||
| PB01 | Publication | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20040310 Termination date: 20150108 |
|
| EXPY | Termination of patent right or utility model |