CN1545241A - Full-matching certification method for broad band switch-in server - Google Patents
- Publication number: CN1545241A
- Authority: CN (China)
- Prior art keywords: user, coupling, weights, authenticated user, attribute
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a full-matching authentication method for a broadband access server, comprising the following steps: step 1, organizing the user data set, by priority, into multiple matching-authentication user sets; step 2, searching for the matching authentication user set according to the user's tuple, and determining from the user's attributes whether authentication passes. The method adapts to a variety of application requirements, its algorithm is efficient, and its maintenance is simple. For a newly added authentication process, it is only necessary to change the user set data in the BNAS to meet the various binding requirements, without adding a new special-case processing method; it is convenient to use and simple to configure.
Description
Technical field
The present invention relates to the field of Internet access, and in particular to the organization of users and the authentication method for full-matching authentication on a broadband access server (BNAS), in the access-network part of the Internet field.
Background technology
Matching authentication takes a group of data items, possibly many, that indicate the identity of the accessing user, and the request is to confirm that these data are legitimate. In the broadband access field this is an unavoidable part of the access procedure. The matching authentication process is the process of searching a data set established in advance for the matching user data. For a broadband access server, therefore, the organization of the user data set and the matching authentication process are its key technology.
Matching authentication and route lookup algorithms have much in common, but they are different.
In route lookup, IP addresses are regular and 4 bytes long, and the routing table can be organized by the number of bits in the address mask. To find the egress for a destination IP address, the lookup starts from the entries with the longest mask and proceeds in order of decreasing mask length; the best match found is the route egress. Matching authentication data, by contrast, is a tuple with no regular structure and no fixed length. Nevertheless, as in the routing algorithm, a best-match method can be found that separates the organization of the matching entries from the authentication, so that whatever authentication mode is used, the authentication process becomes, as in route lookup, a search for the best-matching entry in a table.
Authentication by a RADIUS server is based on the user name. The user's authentication data must contain a user name, and user entries are organized under a unique index on the user name. During authentication, the user name is looked up through a hash index; if an entry with an identical user name is found in the table, the other authentication data are compared, and if these data are legitimate, authentication passes. If no entry with an identical user name is found in the table, authentication fails. In the broadband access field, however, there is now demand for various binding authentication processes: binding of IP address and MAC address, binding of IP address and VLAN, and so on; there are many such binding relationships. Binding authentication is also a kind of authentication, but it does not use a user name. Many vendors handle these application requirements separately from user-name-based authentication, as special cases. The cost is that the authentication process becomes complicated and cannot adapt to the various application requirements; each newly added authentication process requires a new special-case processing method, and maintenance is complicated and inefficient.
Summary of the invention
The technical problem solved by the present invention is to provide a full-matching authentication method for a broadband access server that unifies the various authentication processes.
The full-matching authentication method for a broadband access server of the present invention comprises the following processing:
Step 1: organize the user data set, by priority, into multiple matching-authentication user sets;
1) According to the keywords and attribute values of each user subject to matching authentication, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a keyword and Bi denotes an attribute. Each Ai and Bi is a set, which may contain one element or multiple elements;
2) Assign each keyword and attribute a weight according to its priority; the higher the priority, the higher the weight. Weights are assigned as follows:
A. if Ai or Bi is a multi-element set, its weight is 0;
B. if Ai or Bi is a singleton, its weight is 2^(i-1), where i>=1;
3) Build multiple authenticated user sets according to the differing sums of keyword weights, and wait for users to request matching authentication;
Step 2: search for the matching authenticated user set according to the user's tuple, and determine from the user's attribute values whether authentication passes.
4) Determine the authenticated user set that matches the user's keywords: if each element A1i of the tuple (A11, A12, ..., A1n, B11, B12, ..., B1m) of the user to be authenticated is a subset of the corresponding element A2i of a tuple (A21, A22, ..., A2n, B21, B22, ..., B2m) of the authenticated user set, the match holds;
5) If, among the matching authenticated user sets found in step 4), tuples of several authenticated user sets match, select the matching authenticated user subset with the largest tuple weight and reject the other tuples;
6) Determine the matching authenticated user set with the largest attribute weight: if, within the maximum-weight matching authenticated user set found in step 5), several tuples of several authenticated user subsets match, select the matching authenticated user subset with the largest matched attribute weight sum and reject the other tuples;
7) Determine the matching authentication result: the matching authenticated user subset selected in step 6) may still contain several matching tuples. If any one of these tuples has an unmatched attribute weight sum of 0, matching authentication succeeds and authentication is declared passed; if none is found, matching authentication fails and authentication does not pass.
The matched attribute weight sum is the sum of the weights of the attribute items that match in the authenticated user tuple; the unmatched attribute weight sum is the sum of the weights of the attribute items that do not match in the authenticated user tuple.
The full-matching authentication method for a broadband access server of the present invention adapts to a variety of application requirements; the algorithm is efficient and maintenance is simple. For a newly added authentication process, it is only necessary to change the user set data in the BNAS to meet the various binding requirements, without adding a new special-case processing method; it is convenient to use and simple to configure.
Description of drawings
Fig. 1 is the processing flowchart of the full-matching authentication method for a broadband access server of the present invention.
Embodiment
The processing flow of the full-matching authentication method, shown in Fig. 1, comprises the following processing:
1) According to the keywords and attribute values of each user subject to matching authentication, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a keyword and Bi denotes an attribute. Each Ai and Bi is a set, which may contain one element or multiple elements;
2) Assign each keyword and attribute a weight according to its priority; the higher the priority, the higher the weight;
3) Build multiple authenticated user sets according to the differing sums of keyword weights, and wait for users to request matching authentication;
4) Determine the authenticated user set that matches the user's keywords: if each element A1i of the tuple (A11, A12, ..., A1n, B11, B12, ..., B1m) of the user to be authenticated is a subset of the corresponding element A2i of a tuple (A21, A22, ..., A2n, B21, B22, ..., B2m) of the authenticated user set, the match holds;
5) If, among the matching authenticated user sets found in step 4), tuples of several authenticated user sets match, select the matching authenticated user subset with the largest tuple weight and reject the other tuples;
6) Determine the matching authenticated user set with the largest attribute weight: if, within the maximum-weight matching authenticated user set found in step 5), several tuples of several authenticated user subsets match, select the matching authenticated user subset with the largest matched attribute weight sum and reject the other tuples;
7) Determine the matching authentication result: the matching authenticated user subset selected in step 6) may still contain several matching tuples. If any one of these tuples has an unmatched attribute weight sum of 0, matching authentication succeeds and authentication is declared passed; if none is found, matching authentication fails and authentication does not pass.
The implementation of the invention is described in detail below, taking as an example the matching authentication of users based on user name and binding relationships built into a BNAS.
In this authentication process, the user is the tuple:
(PORT,VLAN,MAC,USERNAME,IP,PASSWORD)
The keywords are:
PORT: the access port. When it takes the default value it denotes all ports, is a multi-element set, and has weight 0. When it takes a single port value it is a singleton with weight 1.
VLAN: the user's VLAN. When it takes the default value it denotes all VLANs, is a multi-element set, and has weight 0. When it takes a non-default value (1-4095) it is a singleton with weight 2.
MAC: the layer-2 physical address of the user's host. When it takes the default value it denotes any MAC address, is a multi-element set, and has weight 0. When it takes a non-default value it is a singleton with weight 4.
USERNAME: the user name. When it takes the default value it denotes all users, is a multi-element set, and has weight 0. When it takes a non-default value it is a singleton with weight 8.
The attributes are:
IP: the user's IP address. When it takes the default value it denotes any IP address, is a multi-element set, and has weight 0. When it takes a non-default value it is a singleton with weight 1.
PASSWORD: the user's password. When it takes the default value it denotes any password, is a multi-element set, and has weight 0. When it takes a non-default value it is a singleton with weight 2.
Because the user tuple in this example is a 6-tuple, the users are organized into 5 classes of hash chain when the matching user set is built, and each user can exist on only one class of hash chain. The 5 classes of chain are:
USERNAME chain: all matching users whose user name is not the default value are on this class of chain; USERNAME is the hash key;
MAC chain: all users whose USERNAME is the default value and whose MAC is not the default value are on this class of chain; the MAC address is the hash key;
VLAN chain: all users whose USERNAME and MAC are the default value and whose VLAN is not the default value are on this class of chain; VLAN is the hash key;
PORT chain: all users whose USERNAME, MAC and VLAN are the default value and whose PORT is not the default value are on this class of chain; PORT is the hash key;
Full-default chain: all users whose USERNAME, MAC, VLAN and PORT are all the default value are on this class of chain; there is no hash key, and all such users are on a single chain.
In descending order of tuple weight sum, the 5 classes of chain are: USERNAME chain, MAC chain, VLAN chain, PORT chain, full-default chain. Therefore, once the hash chains of the matching user set have been built and a user requests authentication, the 5 classes of chain are searched in descending order of weight for a subset whose keywords match. The first chain on which a matching subset is found is naturally the highest-weight chain, and the subset is the highest-weight subset; the remaining chains need not be searched. The matching set with the largest attribute weight is then determined by the method described above (the attributes here are IP and PASSWORD), and whether matching authentication passes is judged from the unmatched attribute weight. If a tuple whose unmatched attribute weight is 0 can be found in the final set, authentication passes; otherwise authentication fails. Here that means: if IP and PASSWORD match correctly, authentication succeeds; if they do not match, authentication fails. If nothing is found on any chain, matching authentication naturally does not pass either.
The authentication process of this BNAS is organized and implemented according to the method of the invention; it is very efficient and lets the BNAS adapt to a variety of authentication requirements.
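The lookup described in this embodiment, as an added Python sketch (not code from the patent): it builds the 5 chain classes for the 6-tuple and applies steps 4) to 7). The dictionary-based table, the helper names (`tup`, `chain_of`, `MatchTable`, `decide`) and the sample entries are assumptions; `ANY` stands for the default value.

```python
from collections import defaultdict

ANY = None  # default value = multi-element set (wildcard), weight 0
KEYS = ("port", "vlan", "mac", "username")      # weights 1, 2, 4, 8
ATTRS = ("ip", "password")                      # weights 1, 2
KEY_W = {k: 2 ** i for i, k in enumerate(KEYS)}
ATTR_W = {a: 2 ** i for i, a in enumerate(ATTRS)}
# Chain classes in descending tuple weight; None is the full-default chain.
CHAINS = ("username", "mac", "vlan", "port", None)


def tup(port=ANY, vlan=ANY, mac=ANY, username=ANY, ip=ANY, password=ANY):
    """Build a 6-tuple; in a request, ANY means the field was not supplied."""
    return dict(port=port, vlan=vlan, mac=mac, username=username,
                ip=ip, password=password)


def chain_of(entry):
    """Chain class = highest-weight key that is not the default value."""
    return next((c for c in CHAINS if c and entry[c] is not ANY), None)


class MatchTable:
    def __init__(self, entries):
        # One hash table per chain class; each entry lives on exactly one.
        self.chains = {c: defaultdict(list) for c in CHAINS}
        for e in entries:
            c = chain_of(e)
            self.chains[c][e[c] if c else None].append(e)

    def authenticate(self, req):
        for c in CHAINS:                      # highest tuple weight first
            bucket = self.chains[c].get(req[c] if c else None, [])
            # Step 4: each key is the default or equals the request's value.
            hits = [e for e in bucket
                    if all(e[k] is ANY or e[k] == req[k] for k in KEYS)]
            if hits:
                return decide(hits, req)      # later chains are not searched
        return False                          # no key match on any chain


def decide(hits, req):
    def key_w(e):
        return sum(KEY_W[k] for k in KEYS if e[k] is not ANY)

    def attr_w(e, matched):
        return sum(ATTR_W[a] for a in ATTRS
                   if e[a] is not ANY and (e[a] == req[a]) == matched)

    top = max(key_w(e) for e in hits)          # step 5: largest key weights
    hits = [e for e in hits if key_w(e) == top]
    best = max(attr_w(e, True) for e in hits)  # step 6: largest matched attrs
    hits = [e for e in hits if attr_w(e, True) == best]
    # Step 7: pass if some tuple's unmatched attribute weight sum is 0.
    return any(attr_w(e, False) == 0 for e in hits)


# Constructed sample table (not from the patent).
TABLE = MatchTable([
    tup(username="alice", password="s3cret"),
    tup(username="alice", mac="00:11:22:33:44:55", ip="10.0.0.5",
        password="s3cret"),
    tup(mac="66:77:88:99:aa:bb", ip="10.0.0.9"),   # IP/MAC binding, no name
    tup(vlan=100),                                  # whole VLAN admitted
])
```

With this constructed table, a request from alice's bound MAC with the right password but a different IP is rejected: the weight-12 entry wins step 5) and fails step 7), and the generic weight-8 alice entry is not consulted.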
Claims (6)
1. A full-matching authentication method for a broadband access server, characterized in that the method comprises the following processing:
Step 1: organize the user data set, by priority, into multiple matching-authentication user sets;
Step 2: search for the matching authenticated user set according to the user's tuple, and determine from the user's attribute values whether authentication passes.
2. The full-matching authentication method for a broadband access server according to claim 1, characterized in that step 1 specifically comprises the following processing steps:
1) According to the keywords and attribute values of each user subject to matching authentication, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a keyword and Bi denotes an attribute;
2) Assign each keyword and attribute a weight according to its priority; the higher the priority, the higher the weight;
3) Build multiple authenticated user sets according to the differing sums of keyword weights, and wait for users to request matching authentication.
3. The full-matching authentication method for a broadband access server according to claim 1 or 2, characterized in that step 2 specifically comprises the following processing steps:
4) Determine the authenticated user set that matches the user's keywords: if each element A1i of the tuple (A11, A12, ..., A1n, B11, B12, ..., B1m) of the user to be authenticated is a subset of the corresponding element A2i of a tuple (A21, A22, ..., A2n, B21, B22, ..., B2m) of the authenticated user set, the match holds;
5) If, among the matching authenticated user sets found in step 4), tuples of several authenticated user sets match, select the matching authenticated user subset with the largest tuple weight and reject the other tuples;
6) Determine the matching authenticated user set with the largest attribute weight: if, within the maximum-weight matching authenticated user set found in step 5), several tuples of several authenticated user subsets match, select the matching authenticated user subset with the largest matched attribute weight sum and reject the other tuples;
7) Determine the matching authentication result: the matching authenticated user subset selected in step 6) may still contain several matching tuples. If any one of these tuples has an unmatched attribute weight sum of 0, matching authentication succeeds and authentication is declared passed; if none is found, matching authentication fails and authentication does not pass.
4. The full-matching authentication method for a broadband access server according to claim 2, characterized in that in step 1) each Ai and Bi is a set, which may contain one element or multiple elements.
5. The full-matching authentication method for a broadband access server according to claim 4, characterized in that in step 2) weights are assigned as follows:
A. if Ai or Bi is a multi-element set, its weight is 0;
B. if Ai or Bi is a singleton, its weight is 2^(i-1), where i>=1.
6. The full-matching authentication method for a broadband access server according to claim 3, characterized in that the matched attribute weight sum is the sum of the weights of the attribute items that match in the authenticated user tuple, and the unmatched attribute weight sum is the sum of the weights of the attribute items that do not match in the authenticated user tuple.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2003101035777A CN100338904C (en) | 2003-11-11 | 2003-11-11 | Full-matching certification method for broad band switch-in server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1545241A (en) | 2004-11-10 |
CN100338904C (en) | 2007-09-19 |
Family
ID=34333320
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2003101035777A Expired - Lifetime CN100338904C (en) | 2003-11-11 | 2003-11-11 | Full-matching certification method for broad band switch-in server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100338904C (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CX01 | Expiry of patent term | Granted publication date: 20070919 |