CN1798024A - Method and device for implementing multicast authentication and fee charging - Google Patents


Info

Publication number: CN1798024A
Application number: CN 200410093289
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: user, multicast, authentication, terminal, access device
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Inventors: 姚亦峰, 鲁林丽, 于洪斌, 张西利
Original assignee: Alcatel Lucent Shanghai Bell Co Ltd
Current assignee: Nokia Shanghai Bell Co Ltd (as listed by Google Patents; may be inaccurate)

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The method applies to an access network comprising access devices and user terminals. It comprises the following steps: a session establishment step, in which a session is set up between the user terminal and the access device; a re-authentication step, in which, when the access device receives a request to join a multicast group over the session established in the previous step, the user terminal and the access device authenticate again so that the access device obtains the user's authentication information; and a multicast service authentication step, in which the access device checks, on the basis of the authentication information obtained in the re-authentication step, whether the user is allowed to join the multicast group. The invention implements user authentication, authorization and charging (accounting) for multicast services on the access device, and prevents denial-of-service attacks by malicious users against network bandwidth.

Description

Method and apparatus for implementing multicast authentication and charging
Technical field
The present invention relates to the communications field, and more particularly to a method and apparatus for implementing multicast authentication in an access network and, on that basis, charging for multicast services.
Background art
As a communication mode alongside unicast and broadcast, multicast solves the problem of delivering traffic from a single sender to many receivers efficiently, saving a large amount of network bandwidth and reducing network load. More importantly, the multicast capability of a network makes it easy to offer new value-added services such as live streaming, web TV, distance education, telemedicine, Internet radio and real-time video conferencing.
At present, however, operating multicast services still presents difficulties, mainly the lack of effective user management functions, including:
Authentication: multicast protocols such as IGMP (Internet Group Management Protocol) provide no user authentication. A user can join or leave at will, so access control of the multicast service cannot be enforced per user, and a user can mount a denial-of-service (DoS) attack against network bandwidth, wasting it.
Charging: IGMP has no accounting, because the multicast source cannot learn when a user joins or leaves a multicast group.
Charging can be implemented at a higher layer, for example the application layer, by encrypting the multicast data and managing users through key management, but this is difficult and costly to implement. Moreover, such a charging scheme does not solve the problem of users mounting DoS attacks against network bandwidth and wasting it.
Protocols currently defined for multicast access control include an extension of IGMP version 2, the Internet Group Authentication Protocol (IGAP). Its characteristic is that, while communicating with the designated router over IGMP, the subscriber host supplies additional authentication information, which the router forwards to an authentication server; if authentication succeeds the host may join the multicast group, otherwise its join request is ignored.
There is also an extension of IGMP version 3, in which the user must first obtain an access token for the multicast group. When the router receives a request to join a group, it obtains the access token from the user through an extended IGMP message and thereby performs access authentication on the user.
However, since both of these multicast access control techniques extend the IGMP protocol, the IGMP protocol software in routers, terminals and other IGMP-related devices must be modified and upgraded, which is very costly. Moreover, devices running the extended IGMP software may have compatibility and interoperability problems with other devices.
Summary of the invention
The object of the invention is to provide a simple method and apparatus for implementing authentication and charging for multicast services in an access network.
To achieve this object, the invention proposes a method for implementing multicast service authentication and charging in an access network comprising an access device and a user terminal. The method comprises: a session establishment step, in which a session is set up between the user terminal and the access device; a re-authentication step, in which, after the access device receives a request from the user terminal to join a multicast group, the user terminal and the access device authenticate again over the session established in the session establishment step, so that the access device obtains the user's authentication information; and a multicast service authentication step, in which the access device determines, from the authentication information obtained in the re-authentication step, whether the user may join the multicast group.
The invention also proposes an access device capable of multicast service authentication and charging, comprising: a multicast management device for managing the user's multicast services; an auxiliary multicast authentication device for establishing a session with the user terminal and, after the multicast management device receives a request from the user terminal to join a multicast group, re-authenticating with the user terminal at the request of the multicast management device, thereby obtaining the user terminal's authentication information and passing it to the multicast management device; and an authentication device for checking, from the authentication information passed by the multicast management device, whether the user is entitled to join the multicast group.
The invention further proposes an access device capable of multicast service authentication and charging, comprising: a multicast management device for managing the user's multicast services; an auxiliary multicast authentication device for establishing a session with the user terminal and, after the multicast management device receives a request from the user terminal to join a multicast group, re-authenticating with the user terminal at the request of the multicast management device, thereby obtaining the user terminal's authentication information and passing it to the multicast management device; and a remote authentication and accounting client device, through which the multicast management device sends a multicast service authentication request to a remote authentication server, which checks whether the user is entitled to join the multicast group.
According to the invention, user authentication, authorization and charging for multicast services can be implemented on the access device, preventing malicious users from mounting denial-of-service attacks against network bandwidth. The access device can also combine the user's access port information with the user's authentication information when authenticating the user, binding the user account to the port and thereby preventing attacks such as account sharing and account theft.
Brief description of the drawings
Preferred embodiments of the invention are described below with reference to the accompanying drawings, in which:
Fig. 1 is a block diagram of a system capable of multicast authentication and charging according to the invention;
Fig. 2 is a flow chart showing, according to one embodiment of the invention, the process in which multicast authentication succeeds and the multicast service is charged.
Detailed description
Fig. 1 is a block diagram of a system capable of multicast authentication and charging according to one embodiment of the invention.
As shown in Fig. 1, the system 10 comprises an access device 11, for example an IP-DSLAM (Internet Protocol Digital Subscriber Line Access Multiplexer), a user terminal 12 and a network 13.
The access device 11 comprises a multicast management device 111, which has an IGMP proxy or IGMP snooping function, or terminates IGMP itself.
IGMP runs between a user terminal 12, for example a PC, and the multicast router serving that terminal. Through IGMP the terminal tells the multicast router that it wishes to join a particular multicast group and receive its traffic, while the router periodically queries whether the members of a known group on the local area network (LAN) are still active, thereby collecting and maintaining group membership on the network.
The basic principle of IGMP snooping is that a switch, for example the access device 11, listens to the IGMP Report messages sent by the user terminal 12 towards the router and builds a mapping between, for example, the terminal's media access control (MAC) address and the multicast IP address; according to this mapping the switch forwards received multicast data only to group members.
IGMP proxy achieves the same function as IGMP snooping but by a different mechanism: IGMP snooping only obtains the relevant information by listening to IGMP messages, whereas an IGMP proxy intercepts the user terminal's IGMP requests, processes them, and then forwards them to the router.
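The snooping table described above, as an added example that is not part of the patent: a small IGMPv2 parser that builds the MAC-to-group mapping from Membership Report and Leave Group messages seen on the user side and verifies the IGMP checksum before learning anything. The frames it consumes are constructed inline by a helper (the MAC and IP addresses are made up); a real access device would read them off the subscriber port.

```python
# Added example (not from the patent): minimal IGMPv2 snooping table for an access device.
# Parses Ethernet/IPv4/IGMP frames, checks the IGMP checksum and keeps group -> {member MACs}.
import struct

IGMP_QUERY, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x16, 0x17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (0 when verifying a good packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp_frame(src_mac: bytes, src_ip: str, group: str, igmp_type: int) -> bytes:
    """Constructed test input: Ethernet + IPv4 (proto 2) + 8-byte IGMPv2 message."""
    grp = bytes(int(o) for o in group.split("."))
    igmp = struct.pack("!BBH4s", igmp_type, 0, 0, grp)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    dst_ip = bytes([224, 0, 0, 2]) if igmp_type == IGMP_LEAVE else grp   # Leave -> all-routers
    src = bytes(int(o) for o in src_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, 1, 2, 0, src, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    dst_mac = b"\x01\x00\x5e" + bytes([dst_ip[1] & 0x7F, dst_ip[2], dst_ip[3]])
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + igmp


def parse_igmp(frame: bytes):
    """Return (src_mac, igmp_type, group) or None if the frame is not a valid IGMP packet."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or frame[14 + 9] != 2:        # IPv4 and protocol 2 (IGMP)
        return None
    igmp = frame[14 + ihl:14 + ihl + 8]
    if len(igmp) < 8 or inet_checksum(igmp) != 0:        # bad checksum: never learn from it
        return None
    igmp_type, _, _, grp = struct.unpack("!BBH4s", igmp)
    return frame[6:12], igmp_type, ".".join(str(b) for b in grp)


class SnoopTable:
    """group -> set of member MACs, driven only by messages heard from the user side."""

    def __init__(self):
        self.members = {}

    def process(self, frame: bytes) -> bool:
        parsed = parse_igmp(frame)
        if parsed is None:
            return False
        mac, igmp_type, group = parsed
        first = int(group.split(".")[0])
        if igmp_type == IGMP_V2_REPORT:
            if not 224 <= first <= 239 or group.startswith("224.0.0."):
                return False                                # not a routable multicast group
            self.members.setdefault(group, set()).add(mac)
        elif igmp_type == IGMP_LEAVE:
            self.members.get(group, set()).discard(mac)
            if group in self.members and not self.members[group]:
                del self.members[group]
        else:
            return False                                    # Queries come from the router side
        return True

    def should_forward(self, group: str, mac: bytes) -> bool:
        """Forwarding decision: multicast data goes only to learned members of that group."""
        return mac in self.members.get(group, set())
```

A proxy would hook the same parser one step earlier: instead of merely learning from the Report, it would hold it until the multicast manager has decided whether the user is allowed, which is exactly the gap the rest of the patent fills.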
The access device 11 also comprises an auxiliary multicast authentication device 113. According to the invention, before a user wishes to access a multicast service, the user's terminal 12 first establishes a session with the auxiliary multicast authentication device 113 of the access device 11. Multicast authentication can of course also reuse an existing session, in which case no new session with the auxiliary multicast authentication device 113 needs to be established. When the multicast management device 111 of the access device 11 detects a user's request to join a particular multicast group, it notifies the auxiliary multicast authentication device 113 to initiate re-authentication of the user.
The session established first may also serve other purposes, for example unicast services, or it may be dedicated to supporting multicast service authentication. More precisely, the authentication performed when the session with the auxiliary multicast authentication device 113 is first established and the multicast authentication are regarded as two independent authentications.
Through the re-authentication, the auxiliary multicast authentication device 113 obtains authentication information, for example a user name and password, from the user terminal 12, and returns the obtained authentication information to the multicast management device 111.
The multicast management device 111 either passes the authentication information to a local authentication device 114 (local authentication), or sends it through a remote authentication and accounting client device 112 to a remote authentication server, for example a RADIUS (Remote Authentication Dial-In User Service) server (not shown), which completes the multicast authentication. The local authentication device 114, or the remote authentication server via the remote authentication and accounting client device 112, returns the authentication result to the multicast management device 111. The multicast management device 111 then returns the multicast service authentication result to the auxiliary multicast authentication device 113.
If the user passes multicast service authentication, the multicast management device 111 adds the user to the member list of that multicast group; otherwise it ignores the user's multicast request.
The auxiliary multicast authentication device 113 sends the authentication result returned by the multicast management device 111 to the user terminal 12. To ensure that the session established at the start is not torn down, the auxiliary multicast authentication device 113 sends an authentication success message even when multicast authentication fails; that message may, however, carry an indication that the multicast authentication failed. This protocol-level success therefore only keeps the session up; whether the user actually receives multicast traffic is decided solely by the multicast management device 111 on the basis of the authentication result, as described above.
When authentication passes, the multicast management device 111 either notifies a local accounting device 115 (local charging) or, through the remote authentication and accounting client device 112, notifies a remote accounting server, for example the RADIUS server (not shown), to start charging for the user's multicast service.
The local authentication device 114 and the accounting device 115 may of course reside in the same equipment; correspondingly, the remote authentication server and the remote accounting server may also reside in the same equipment.
The multicast management device 111 can determine whether the user wishes to leave the multicast group by detecting whether the user terminal 12 sends an IGMP Leave message (when the user terminal 12 and the multicast management device support IGMP version 2 or version 3).
The multicast management device 111 can also send IGMP Query messages to the user terminal 12 periodically and determine, from whether the terminal responds, whether the user has left the multicast group. If the terminal 12 responds, the user is deemed still to be a member; if the terminal fails to respond several times in a row, for example 5 times, the user is deemed to have left the group.
When the multicast management device 111 determines that the user has left the multicast group, it either notifies the local accounting device 115 or, through the remote authentication and accounting client device 112, notifies the remote accounting server, for example the RADIUS server (not shown), to stop charging for the user's multicast service.
It should be noted that the terminal that requests the multicast service and communicates with the auxiliary authentication device 113 to complete the authentication may be a different terminal from the one that first established the session with the auxiliary authentication device 113.
It should also be noted that the auxiliary authentication device 113 and the multicast management device 111 described above reside in the same physical equipment. They may of course reside in different physical equipment, in which case a communication mechanism between the two must be provided, for example a RADIUS proxy device.
In one embodiment of the invention, the user terminal 12 supports the Point-to-Point Protocol (PPP) / PPP over Ethernet (PPPoE) and PPP/PPPoE authentication. Correspondingly, the auxiliary multicast authentication device 113 supports PPP/PPPoE session termination and PPP/PPPoE authentication.
With reference to Fig. 2, the process of multicast service authentication and charging between the user terminal 12 and the access device 11 is now described in detail for the case where the user terminal 12 supports PPP/PPPoE and PPP/PPPoE authentication and, correspondingly, the auxiliary multicast authentication device 113 supports PPP/PPPoE session termination and PPP/PPPoE authentication.
First, as shown in Fig. 2, in step 201 a PPP/PPPoE session is established between the user terminal 12 and the auxiliary authentication device 113 of the access device. This session may serve other purposes, for example unicast services, or may be dedicated to supporting multicast service authentication.
Next, in step 202, the user terminal 12 sends the multicast management device 111 a message requesting to join a particular multicast group, for example an IGMP Join (Membership Report) message.
Next, in step 203, when the multicast management device 111 detects the join message sent by the user terminal 12, it sends the auxiliary multicast authentication device 113 a message requesting re-authentication of the user terminal 12, in order to determine whether the user is entitled to join that multicast group.
Next, in step 204, re-authentication takes place between the auxiliary multicast authentication device 113 and the user terminal 12.
In one embodiment of the invention, the PPP Challenge Handshake Authentication Protocol (CHAP) is used for authentication between the user terminal 12 and the auxiliary multicast authentication device 113.
For details of CHAP, see Request for Comments (RFC) 1994 issued by the Internet Engineering Task Force (IETF); for brevity the protocol is not described in detail here.
When CHAP is used, the re-authentication between the auxiliary multicast authentication device 113 and the user terminal 12 proceeds as follows.
First, the auxiliary multicast authentication device 113 sends a CHAP Challenge message to the user terminal 12. According to the CHAP specification, the Name field of a Challenge message may carry an empty string or a system identifier. According to the invention, the auxiliary multicast authentication device 113 may or may not use this field to carry multicast authentication information, such as the multicast group the user wants to join, so that the user can select the correct account for the subsequent authentication. When multicast authentication and access authentication use different accounts, the auxiliary multicast authentication device 113 preferably uses the Name field of the Challenge message to identify the account the user should select.
After receiving the Challenge message, the user terminal 12 answers the authentication request with a Response message. If the Challenge message contains a Name field, the user terminal 12 should select the appropriate account according to that field so as to give the correct response and complete the authentication.
This completes the re-authentication.
In another embodiment of the invention, the PPP Extensible Authentication Protocol (EAP) is used for authentication between the user terminal 12 and the auxiliary multicast authentication device 113.
For details of EAP, see RFC 2284 issued by the IETF; for brevity the protocol is not described in detail here.
When EAP is used, the re-authentication between the auxiliary multicast authentication device 113 and the user terminal 12 proceeds as follows.
The auxiliary multicast authentication device 113 preferably first sends an EAP Notification message to the user terminal 12, informing the user that the authentication now in progress is a multicast authentication. This notice is carried in the data field of the EAP Notification.
Next, the auxiliary multicast authentication device 113 sends an EAP Request message to the user terminal 12.
Next, after receiving the EAP Request, the user terminal 12 answers the authentication request with an EAP Response message. The authentication may involve several EAP Request / EAP Response exchanges.
This completes the re-authentication.
Returning to Fig. 2, in step 205 the auxiliary multicast authentication device 113 passes the authentication information it received to the multicast management device 111.
The multicast management device 111 may complete the multicast authentication through the local authentication device 114, or through the remote authentication and accounting client device 112 and a remote authentication server, for example a RADIUS server (not shown).
In the embodiment shown in Fig. 2, the multicast management device 111 completes the multicast authentication through the remote authentication and accounting client device 112 and a remote authentication server, for example a RADIUS server (not shown).
That is, in step 206 the multicast management device 111 sends, through the remote authentication and accounting client device 112, an Access-Request message to the remote authentication server (not shown in Fig. 1), for example a RADIUS server in the network 13. The Access-Request carries, for example, the multicast group address and the authentication information obtained in the re-authentication described above.
The multicast management device 111 can also supply the port information of the user terminal to, for example, the RADIUS server. By providing the port information during authentication, the user account can be bound to the port, preventing malicious behaviour such as account sharing and account theft.
Next, in step 207, the multicast management device 111 receives the multicast authentication result from the remote authentication server through the remote authentication and accounting client device 112; the result may be Access-Reject or Access-Accept.
Whether the access request is rejected or accepted, in step 208 the multicast management device 111 sends the received multicast authentication result to the auxiliary multicast authentication device 113.
When the access request is accepted, in step 209: if PPP CHAP is used as described above, the auxiliary multicast authentication device 113 sends the authentication result, namely a PPP CHAP Success message, to the user terminal 12 so that the PPP session stays in the state it was in before the authentication; optionally, in the Message field of the Success message it can at the same time inform the user terminal 12 that the multicast authentication succeeded and that it has joined the requested multicast group. If PPP EAP is used as described above, the auxiliary multicast authentication device 113 sends the authentication result, namely a PPP EAP Success message, to the user terminal 12 so that the PPP session stays in the state it was in before the authentication; optionally, it sends a PPP EAP Notification message to the user terminal 12 informing the user that authentication for joining the multicast group succeeded, the notice being carried in the data field of the EAP Notification message.
When the access request is rejected, in step 209: if PPP CHAP is used as described above, the auxiliary multicast authentication device 113 still sends a PPP CHAP Success message to the user terminal 12 so that the PPP session stays in the state it was in before the authentication; optionally, in the Message field of the Success message it can at the same time inform the user terminal 12 that multicast authentication refused the user's request to join the multicast group, and may also give the reason for the failure. If PPP EAP is used as described above, the auxiliary multicast authentication device 113 still sends a PPP EAP Success message to the user terminal 12 so that the PPP session stays in the state it was in before the authentication; optionally, it sends an EAP Notification message to the user terminal 12 informing the user that authentication for joining the multicast group failed and giving the reason, the notice being carried in the data field of the EAP Notification message.
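The CHAP re-authentication of step 204, the Access-Request of step 206 with the port binding, and the always-Success reply of step 209, worked end to end as an added example that is not part of the patent. Device 113 issues a CHAP Challenge whose Name field names the multicast group, the terminal answers per RFC 1994 (MD5 over Identifier, secret and Challenge), the access device packs the answer into a RADIUS Access-Request (RFC 2865) with User-Name, CHAP-Password, CHAP-Challenge and NAS-Port, and a toy RADIUS server recomputes the response and rejects a correct password presented from the wrong port. The user store, the secrets, the NAS port numbers and the vendor-specific attribute used to carry the group address are all assumptions; the Message-Authenticator attribute is omitted.

```python
# Added example (not from the patent): CHAP re-authentication -> RADIUS Access-Request -> decision.
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS = 1, 2, 3
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_NAS_PORT = 1, 3, 5
ATTR_VENDOR_SPECIFIC, ATTR_CHAP_CHALLENGE = 26, 60
ASSUMED_VENDOR_ID, ASSUMED_VSA_GROUP = 99999, 1   # hypothetical VSA carrying the group address

# Toy RADIUS user store (assumption): account -> (CHAP secret, NAS port the account is bound to)
USER_DB = {"alice-mcast": (b"s3cret-alice", 7)}


def chap_packet(code, ident, body):
    """RFC 1994 framing: Code, Identifier, Length, then the type-specific body."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_response_value(ident, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def make_challenge(ident, group):
    """Device 113: fresh random Challenge Value; Name field carries the multicast hint."""
    challenge = os.urandom(16)
    body = bytes([len(challenge)]) + challenge + f"multicast:{group}".encode()
    return challenge, chap_packet(CHAP_CHALLENGE, ident, body)


def terminal_answer(chal_pkt, account, secret):
    """Terminal 12: parse the Challenge, answer with a Response whose Name is the chosen account."""
    code, ident, length = struct.unpack("!BBH", chal_pkt[:4])
    if code != CHAP_CHALLENGE or length != len(chal_pkt):
        raise ValueError("not a well-formed CHAP Challenge")
    vsize = chal_pkt[4]
    value = chap_response_value(ident, secret, chal_pkt[5:5 + vsize])
    return chap_packet(CHAP_RESPONSE, ident, bytes([len(value)]) + value + account.encode())


def radius_attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(resp_pkt, challenge, nas_port, group):
    """Step 206: Access-Request with User-Name, CHAP-Password (ident + 16-byte response),
    CHAP-Challenge, NAS-Port (the port binding) and the group in a VSA. Request Authenticator
    is random per RFC 2865."""
    _, ident, _ = struct.unpack("!BBH", resp_pkt[:4])
    vsize = resp_pkt[4]
    value, name = resp_pkt[5:5 + vsize], resp_pkt[5 + vsize:]
    vsa = struct.pack("!I", ASSUMED_VENDOR_ID) + radius_attr(ASSUMED_VSA_GROUP, group.encode())
    attrs = (radius_attr(ATTR_USER_NAME, name)
             + radius_attr(ATTR_CHAP_PASSWORD, bytes([ident]) + value)
             + radius_attr(ATTR_CHAP_CHALLENGE, challenge)
             + radius_attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + radius_attr(ATTR_VENDOR_SPECIFIC, vsa))
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 1, 20 + len(attrs)) + os.urandom(16) + attrs


def parse_attrs(pkt):
    attrs, pos = {}, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return attrs


def radius_decide(req):
    """Toy server: recompute the CHAP response and enforce the account-to-port binding."""
    a = parse_attrs(req)
    name = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    if name not in USER_DB or ATTR_CHAP_PASSWORD not in a or ATTR_CHAP_CHALLENGE not in a:
        return RADIUS_ACCESS_REJECT
    secret, bound_port = USER_DB[name]
    ident, given = a[ATTR_CHAP_PASSWORD][0], a[ATTR_CHAP_PASSWORD][1:]
    expected = chap_response_value(ident, secret, a[ATTR_CHAP_CHALLENGE])
    port = struct.unpack("!I", a[ATTR_NAS_PORT])[0] if len(a.get(ATTR_NAS_PORT, b"")) == 4 else None
    if not hmac.compare_digest(given, expected) or port != bound_port:
        return RADIUS_ACCESS_REJECT
    return RADIUS_ACCESS_ACCEPT


def chap_result_packet(ident, accepted, group):
    """Step 209: CHAP Success goes back either way so the PPP session stays up; only the
    Message field says whether the multicast join was granted."""
    msg = f"multicast {'joined' if accepted else 'refused'}: {group}".encode()
    return chap_packet(CHAP_SUCCESS, ident, msg)


def run_flow(account, secret, nas_port, group="239.1.1.1"):
    """Whole exchange: Challenge -> Response -> Access-Request -> decision -> CHAP Success."""
    challenge, chal_pkt = make_challenge(0x2A, group)
    resp_pkt = terminal_answer(chal_pkt, account, secret)
    decision = radius_decide(build_access_request(resp_pkt, challenge, nas_port, group))
    return decision, chap_result_packet(0x2A, decision == RADIUS_ACCESS_ACCEPT, group)
```

The decision that matters for forwarding is the return value of radius_decide, not the CHAP packet sent to the terminal; a terminal that parses only the CHAP code sees Success in both cases, which is the intended behaviour of step 209.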
Those skilled in the art will understand that the flow chart in Fig. 2 shows the interaction between the user terminal 12 and the access device 11 in the case where multicast authentication succeeds; when an Access-Reject is returned in step 207, the steps described below naturally do not take place.
After authentication passes, in step 210 the multicast management device 111 sends an IGMP Join message to, for example, the router (not shown in Fig. 1) in the network 13.
It should be noted that this step is needed only when the multicast group requested by the user is not already arriving at the access device 11. If the multicast stream is already arriving at the access device 11, for example because another user terminal was already receiving it before step 203, this step is unnecessary; in that case, once authentication passes, the requested multicast stream is forwarded directly to the authorized user terminal.
Next, in step 211, the router sends the multicast stream to the multicast management device 111. It should be understood that the router may already have sent the multicast stream to the multicast management device before this step; the step as described here is one case.
Next, in step 212, the multicast management device 111 forwards the multicast stream received from the router to the user terminal 12.
Next, in step 213, the multicast management device 111 sends, through the remote authentication and accounting client device 112, an accounting start request to the remote accounting server, for example the RADIUS server.
Those skilled in the art will of course understand that this is one embodiment; the multicast management device 111 may also send the accounting start request to the local accounting device 115.
Naturally, the precondition for sending an accounting request is that the user has passed multicast authentication; if the user has not, the multicast management device 111 must not send an accounting request to the accounting device.
Next, in step 214, the remote accounting server, for example the RADIUS server, sends an accounting start response to the multicast management device 111, confirming that it has received the accounting request and started charging the user.
During delivery of the multicast service, the multicast management device 111 periodically, according to its configuration, sends IGMP Query messages to the user terminals 12 that are receiving multicast services.
As IGMP requires, after receiving an IGMP Query the user terminal 12 sends an IGMP Report in response; since Queries are sent periodically, these responses are also sent periodically.
For brevity, Fig. 2 shows only one IGMP Query transmission, step 215, and the corresponding IGMP Report, step 216.
According to one embodiment of the invention, the multicast management device 111 periodically sends IGMP Query messages to the user terminal 12 and determines, from whether the terminal responds, whether the user has left the multicast group. If the terminal 12 responds, the user is deemed still to be a member; if the terminal 12 fails to respond several times in a row, for example 5 times, the terminal 12 is deemed to have left the group.
Alternatively, when the user terminal 12 and the multicast management device support IGMP version 2 or IGMP version 3, the multicast management device 111 can determine whether the user wishes to leave the multicast group by detecting whether the user terminal 12 sends an IGMP Leave message, as shown in step 217.
Of course, a user terminal 12 supporting IGMP version 2 or 3 may also leave a multicast group without sending an IGMP Leave message.
When the multicast management device 111 detects that the multicast service recipient has gone offline, for example because the user terminal 12 has sent an IGMP Leave message to the multicast management device, or has failed to respond to the IGMP Query messages of the multicast management device 111 several times in a row, for example 5 times, the multicast management device 111 sends, through the remote authentication and accounting client device 112, an accounting stop request to the remote accounting server, for example the RADIUS server, to stop charging the user, as shown in step 218.
After receiving the accounting stop request, the remote accounting server, for example the RADIUS server, sends an accounting stop response to the multicast management device 111, confirming that it has received the request and stopped charging the user.
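The bookkeeping of the multicast management device 111 across steps 202 to 218, as an added example that is not part of the patent: joins are admitted and charged only after the authentication step passes, the upstream IGMP Join is sent only for a group not already arriving at the access device, and accounting is stopped either on an explicit Leave or after five unanswered Queries. The authentication step is an injected callback so the simulation stands alone; the user names, port numbers, group address and the shape of the accounting records are assumptions.

```python
# Added example (not from the patent): state machine of the multicast management device.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_MISSED_QUERIES = 5   # "several times in a row, for example 5 times"


@dataclass
class Member:
    port: int
    missed_queries: int = 0


@dataclass
class MulticastManager:
    # (user, port, group) -> accepted?  Stands in for steps 203-207 (re-auth + AAA decision).
    authenticate: Callable[[str, int, str], bool]
    groups: Dict[str, Dict[str, Member]] = field(default_factory=dict)
    accounting_log: List[tuple] = field(default_factory=list)   # ("start"/"stop", user, group, why)
    upstream_joins: List[str] = field(default_factory=list)     # IGMP Joins sent towards the router

    def on_join(self, user: str, port: int, group: str) -> bool:
        """Steps 202-213: admit, pull the stream if needed, and start accounting only on accept."""
        members = self.groups.setdefault(group, {})
        if user in members:
            members[user].missed_queries = 0      # a repeated Report is also a liveness signal
            return True
        if not self.authenticate(user, port, group):
            if not members:
                del self.groups[group]
            return False                          # request ignored; no stream, no accounting
        if not members:                           # stream not yet here: send IGMP Join upstream
            self.upstream_joins.append(group)
        members[user] = Member(port)
        self.accounting_log.append(("start", user, group, "auth-accept"))
        return True

    def should_forward(self, user: str, group: str) -> bool:
        """Step 212: forward only to members admitted through on_join."""
        return user in self.groups.get(group, {})

    def on_report(self, user: str, group: str) -> None:
        """Step 216: a Report answering a Query resets the miss counter."""
        m = self.groups.get(group, {}).get(user)
        if m is not None:
            m.missed_queries = 0

    def on_leave(self, user: str, group: str) -> None:
        """Step 217: explicit IGMP Leave."""
        self._remove(user, group, "igmp-leave")

    def on_query_timeout(self, group: str) -> None:
        """Step 215 with no matching 216: count the miss; evict after MAX_MISSED_QUERIES."""
        for user, m in list(self.groups.get(group, {}).items()):
            m.missed_queries += 1
            if m.missed_queries >= MAX_MISSED_QUERIES:
                self._remove(user, group, "query-timeout")

    def _remove(self, user: str, group: str, reason: str) -> None:
        members = self.groups.get(group)
        if members is None:
            return
        if members.pop(user, None) is not None:
            self.accounting_log.append(("stop", user, group, reason))   # step 218
        if not members:
            del self.groups[group]
```

The check a practitioner wants is visible in the log: a rejected user never produces a "start" record, and every "start" is eventually paired with exactly one "stop" whose reason says whether the terminal left cleanly or simply went silent.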
In yet another embodiment of the present invention, the user's terminal 12 is a terminal supporting the 802.1x protocol and 802.1x authentication. Correspondingly, the auxiliary multicast authentication device 113 supports 802.1x termination and 802.1x authentication.
It should be noted that the 802.1x protocol specified by the Institute of Electrical and Electronic Engineers (IEEE) does not support CHAP authentication or Password Authentication Protocol (PAP) authentication; it supports only EAP authentication. In the present invention, however, an extension of EAP is used, so that 802.1x can also authenticate using CHAP and PAP.
For details of PAP, refer to RFC 1334 published by the IETF; for brevity they are not described here.
The characteristic of 802.1x authentication is that it is concerned only with the opening and closing of a port: when a valid user (according to account number, password, etc.) accesses, the port is opened; when an invalid user accesses, or no user accesses, the port remains closed. The authentication result is a change in port status.
When the user's terminal 12 is a terminal supporting 802.1x sessions and 802.1x authentication and, correspondingly, the auxiliary multicast authentication device 113 supports 802.1x session termination and 802.1x authentication, the multicast service authentication and charging process carried out between the user's terminal 12 and access device 11 is basically the same as the process described with reference to figure 2 for the case where the user's terminal 12 supports the PPP/PPPoE protocol and PPP/PPPoE authentication and the auxiliary multicast authentication device 113 supports PPP/PPPoE session termination and PPP/PPPoE authentication, except that what is established in step 201 is an 802.1x session, what is carried out in re-authentication step 204 is 802.1x authentication, and in step 209 the messages used, or the manner of notifying authentication success or failure, differ according to the protocol adopted.
For example, the re-authentication carried out in re-authentication step 204 is as follows.
First, the auxiliary multicast authentication device 113 preferably sends an EAP-NOTIFICATION message (encapsulated in EAP over LAN (EAPOL); the same applies below) to the user's terminal 12, notifying the user's terminal 12 that the authentication now in progress is a multicast authentication; the information to be notified is carried in the data field of the EAP-NOTIFICATION.
Then, the auxiliary multicast authentication device 113 sends an EAP-REQUEST message of the EAP authentication to the user's terminal 12.
After receiving the EAP-REQUEST message, the user's terminal 12 replies to the authentication request with an EAP-RESPONSE message.
Of course, depending on the authentication protocol, the authentication process may contain multiple EAP-REQUEST and EAP-RESPONSE messages.
This completes the re-authentication.
In step 209, when multicast authentication succeeds, the auxiliary multicast authentication device 113 sends the authentication result, namely an EAPOL-SUCCESS message, to the user's terminal 12, so that the 802.1x session keeps its pre-authentication state; optionally, the auxiliary multicast authentication device 113 also sends an EAP-NOTIFICATION message to the user's terminal 12 notifying the user that the authentication for joining a certain multicast group has succeeded, this notification being carried in the data field of the EAP-NOTIFICATION message. When multicast authentication fails, the auxiliary multicast authentication device 113 likewise sends the authentication result, namely an EAPOL-SUCCESS message, to the user's terminal 12, so that the 802.1x session keeps its pre-authentication state; optionally, the auxiliary multicast authentication device 113 also sends an EAP-NOTIFICATION message to the user's terminal 12 notifying the user that the authentication for joining the multicast group has not passed, together with the reason for the multicast authentication failure, this notification being carried in the data field of the EAP-NOTIFICATION message.
In yet another embodiment of the present invention, the user's terminal 12 is a terminal supporting a World Wide Web (WEB) browser and WEB authentication, and correspondingly the auxiliary multicast authentication device 113 supports WEB authentication.
WEB authentication is authentication performed by the user with a WEB browser, for example the Internet Explorer (IE) that ships with Microsoft Windows operating systems, or Netscape. Its characteristics are that it is easily accepted by users and simple to maintain, requiring no extra software to be installed; for operators, it greatly reduces the maintenance workload.
When the user's terminal 12 is a terminal supporting a WEB browser and WEB authentication and, correspondingly, the auxiliary multicast authentication device 113 supports WEB authentication, the multicast service authentication and charging process carried out between the user's terminal 12 and access device 11 is basically the same as the process described with reference to figure 2 for the case where the user's terminal 12 supports the PPP/PPPoE protocol and PPP/PPPoE authentication and the auxiliary multicast authentication device 113 supports PPP/PPPoE session termination and PPP/PPPoE authentication, except that what is established in step 201 is a WEB session, what is carried out in re-authentication step 204 is WEB authentication, and in step 209 the messages used, or the manner of notifying authentication success or failure, differ.
For example, when WEB authentication is adopted, the re-authentication carried out in re-authentication step 204 is as follows.
First, the auxiliary multicast authentication device 113 sends a WEB authentication page to the user's terminal 12, notifying the user's terminal 12 that the authentication now in progress is an IGMP authentication.
Then, the user's terminal 12 fills in the relevant authentication information on the WEB page and submits it to the auxiliary multicast authentication device 113.
This completes the re-authentication.
In step 209, when multicast authentication succeeds, the auxiliary multicast authentication device 113 sends an authentication result WEB page to the user's terminal 12, notifying the user that the authentication for joining a certain multicast group has succeeded; when multicast authentication fails, the auxiliary multicast authentication device 113 sends an authentication result WEB page to user terminal 12, notifying the user that the authentication for joining the multicast group has not passed, together with the reason for the IGMP authentication failure.
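The control flow of the 802.1x and WEB embodiments above, together with the accounting stop rule of step 218, as an added simulation that is not code from the patent: an IGMP join triggers a re-authentication over the existing session, a AAA decision is taken, accounting starts on success and stops on an IGMP Leave or after five unanswered IGMP Queries. The subscription table, secret, access port number and group address are constructed values, and the `aaa_lookup` function stands in for the RADIUS server reached through the AAA client device.

```python
"""Simulated access-device multicast flow (added example, not the patent's code)."""
from dataclasses import dataclass

MAX_MISSED_QUERIES = 5  # the "for example 5 times" value from step 218


@dataclass
class Member:
    identity: str
    missed_queries: int = 0


class MulticastManager:
    """Plays multicast management device 111 plus auxiliary authenticator 113."""

    def __init__(self, aaa_decision):
        # aaa_decision(identity, secret, port, group) -> (allowed, reason);
        # stands in for the RADIUS server reached through AAA client device 112.
        self.aaa_decision = aaa_decision
        self.members = {}     # (port, group) -> Member
        self.accounting = []  # ("start"|"stop", identity, group) sent to the server

    def _re_authenticate(self, supplicant, messages):
        # Re-authentication over the existing 802.1x session: an EAP-NOTIFICATION
        # whose data field says this is a multicast authentication, then an
        # EAP-REQUEST answered by an EAP-RESPONSE carrying the credentials.
        messages.append(("EAP-NOTIFICATION", "multicast authentication"))
        messages.append(("EAP-REQUEST", "identity and credentials"))
        messages.append(("EAP-RESPONSE", supplicant["identity"]))
        return supplicant["identity"], supplicant["secret"]

    def handle_join(self, port, group, supplicant):
        """IGMP join for `group` on access port `port`; returns the session messages."""
        messages = []
        identity, secret = self._re_authenticate(supplicant, messages)
        allowed, reason = self.aaa_decision(identity, secret, port, group)
        # EAPOL-SUCCESS goes out on both outcomes so the 802.1x session keeps the
        # state it had before re-authentication; the verdict itself rides in the
        # data field of the EAP-NOTIFICATION that follows.
        messages.append(("EAPOL-SUCCESS", None))
        if allowed:
            self.members[(port, group)] = Member(identity)
            self.accounting.append(("start", identity, group))
            messages.append(("EAP-NOTIFICATION", f"joined {group}"))
        else:
            messages.append(("EAP-NOTIFICATION", f"join {group} refused: {reason}"))
        return messages

    def _stop_accounting(self, key):
        member = self.members.pop(key)
        self.accounting.append(("stop", member.identity, key[1]))

    def handle_leave(self, port, group):
        """IGMP Leave (IGMPv2/v3) received from the member's port."""
        if (port, group) in self.members:
            self._stop_accounting((port, group))

    def query_answered(self, port, group):
        """A membership report answered the IGMP Query: reset the miss counter."""
        member = self.members.get((port, group))
        if member is not None:
            member.missed_queries = 0

    def query_unanswered(self, port, group):
        """An IGMP Query got no report; after MAX_MISSED_QUERIES in a row, stop."""
        member = self.members.get((port, group))
        if member is None:
            return
        member.missed_queries += 1
        if member.missed_queries >= MAX_MISSED_QUERIES:
            self._stop_accounting((port, group))


# Constructed subscription table standing in for the RADIUS server's decision;
# the access-port check is the claim-4 variant (authentication info plus port).
SUBSCRIPTIONS = {"alice": {"secret": "s3cret", "port": 7, "groups": {"239.1.1.1"}}}


def aaa_lookup(identity, secret, port, group):
    entry = SUBSCRIPTIONS.get(identity)
    if entry is None or entry["secret"] != secret:
        return False, "bad credentials"
    if entry["port"] != port:
        return False, "wrong access port"
    if group not in entry["groups"]:
        return False, "group not subscribed"
    return True, "ok"
```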
Many other changes and modifications can be made without departing from the spirit and scope of the present invention. It should be understood that the invention is not limited to the specific embodiments described; the scope of the invention is defined by the following claims.

Claims (30)

1. A method for implementing multicast service authentication and charging in an access network, the access network comprising an access device and a user's terminal, the method comprising the steps of:
a session establishing step, for establishing a session between the user's terminal and the access device;
a re-authentication step, for re-authenticating between the user's terminal and the access device over the session established in the session establishing step, after the access device receives a request from the user's terminal to join a multicast group, thereby obtaining the user's authentication information;
a multicast service authentication step, for authenticating whether the user may join the multicast group according to the user's authentication information obtained in the re-authentication step.
2. The method according to claim 1, further comprising:
a charging start step, for beginning to charge the user for the multicast service when the user passes authentication in the multicast service authentication step and can thus join the multicast group.
3. The method according to claim 2, further comprising:
a charging stop step, for stopping charging the user for the multicast service when the user leaves the multicast group.
4. The method according to claim 1, wherein in the multicast service authentication step, whether the user may join the multicast group is authenticated according to the user's authentication information obtained in the re-authentication step together with the access port information of the user's terminal.
5. The method according to any one of claims 1-4, wherein the session established in the session establishing step is a point-to-point (PPP) session or a point-to-point over Ethernet (PPPoE) session, and the authentication carried out in the re-authentication step is PPP or PPPoE authentication.
6. The method according to any one of claims 1-4, wherein the session established in the session establishing step is an 802.1x session, and the authentication carried out in the re-authentication step is 802.1x authentication.
7. The method according to any one of claims 1-4, wherein the session established in the session establishing step is a WEB session, and the authentication carried out in the re-authentication step is WEB authentication.
8. The method according to claim 5, wherein the Challenge Handshake Authentication Protocol (CHAP) is used in the re-authentication step, the access device conveys the multicast authentication information by using, or not using, the name field of the challenge message, and after receiving the challenge message the user's terminal replies to the authentication request with a response message.
9. The method according to claim 8, wherein when multicast authentication succeeds, the access device sends a CHAP success message to the user's terminal so that the session established in the session establishing step keeps its pre-authentication state, and when multicast authentication fails, the access device likewise sends a CHAP success message to the user's terminal so that the session established in the session establishing step keeps its pre-authentication state.
10. The method according to claim 9, further comprising: when multicast authentication succeeds, the access device notifies the user's terminal through the message field of the success message that multicast authentication has succeeded and the requested multicast group has been joined; when multicast authentication fails, the access device notifies the user's terminal through the message field of the success message that multicast authentication has refused the user's joining of the requested multicast group, together with the reason for the multicast authentication failure.
11. The method according to claim 5, wherein the Extensible Authentication Protocol (EAP) is used in the re-authentication step, comprising the steps of:
the access device sends an EAP request message to the user's terminal;
after receiving the EAP request message, the user's terminal replies to the access device with an EAP response message, thereby completing the re-authentication process.
12. The method according to claim 11, further comprising, before the step in which the access device sends the EAP request message to the user's terminal:
the access device sends an EAP notification message to the user's terminal, notifying the user's terminal that the authentication now in progress is a multicast authentication.
13. The method according to claim 11, wherein when multicast authentication succeeds, the access device sends an EAP success message to the user's terminal so that the session established in the session establishing step keeps its pre-authentication state, and when multicast authentication fails, the access device likewise sends an EAP success message to the user's terminal so that the session established in the session establishing step keeps its pre-authentication state.
14. The method according to claim 13, wherein when multicast authentication succeeds, the access device notifies the user's terminal through an EAP notification message that multicast authentication has succeeded and the requested multicast group has been joined; when multicast authentication fails, the access device notifies the user's terminal through an EAP notification message that multicast authentication has refused the user's joining of the requested multicast group, together with the reason for the multicast authentication failure.
15. The method according to claim 6, wherein the Extensible Authentication Protocol (EAP) is used in the re-authentication step, comprising the steps of:
the access device sends an EAP request message to the user's terminal;
after receiving the EAP request message, the user's terminal replies to the access device with an EAP response message, thereby completing the re-authentication process.
16. The method according to claim 15, further comprising, before the step in which the access device sends the EAP request message to the user's terminal:
the access device sends an EAP notification message to the user's terminal, notifying the user's terminal that the authentication now in progress is a multicast authentication.
17. The method according to claim 15, wherein when multicast authentication succeeds, the access device sends an EAP over LAN (EAPOL) success message to the user's terminal so that the session established in the session establishing step keeps its pre-authentication state, and when multicast authentication fails, the access device likewise sends an EAPOL success message to the user's terminal so that the session established in the session establishing step keeps its pre-authentication state.
18. The method according to claim 17, wherein when multicast authentication succeeds, the access device notifies the user's terminal through an EAP notification message that multicast authentication has succeeded and the requested multicast group has been joined; when multicast authentication fails, the access device notifies the user's terminal through an EAP notification message that multicast authentication has refused the user's joining of the requested multicast group, together with the reason for the multicast authentication failure.
19. The method according to claim 7, wherein the re-authentication step comprises the steps of:
the access device sends a WEB authentication page to the user's terminal, notifying the user's terminal that the authentication now in progress is a multicast authentication;
the user's terminal fills in the relevant authentication information on the WEB page and submits the WEB page to the access device.
20. The method according to claim 19, wherein when multicast authentication succeeds, the access device sends an authentication result WEB page to the user's terminal, notifying the user that the authentication for joining the multicast group has succeeded; when multicast authentication fails, the access device sends an authentication result WEB page to the user's terminal, notifying the user that the authentication for joining the multicast group has not passed, together with the reason for the user's multicast authentication failure.
21. The method according to claim 1, wherein the terminal of the user applying for the multicast service is a different terminal from the terminal of the user who established the session with the access device in the session establishing step.
22. An access device capable of multicast service authentication and charging, comprising:
a multicast management device, for managing the users' multicast services;
an auxiliary multicast authentication device, for establishing a session with the user's terminal and, after the multicast management device receives a request from the user's terminal to join a multicast group, re-authenticating with the user's terminal at the request of the multicast management device, thereby obtaining the user terminal's authentication information, and sending this authentication information to the multicast management device; and
an authentication device, for authenticating, according to the authentication information sent by the multicast management device, whether the user is qualified to join the multicast group.
23. The access device according to claim 22, further comprising a charging device for, at the request of the multicast management device, beginning to charge the user terminal's multicast service when the user passes authentication and the user's terminal thus joins the multicast group, and stopping charging the user's multicast service when the user's terminal leaves the multicast group.
24. The access device according to claim 23, wherein the authentication device and the charging device are located in the same equipment.
25. An access device capable of multicast service authentication and charging, comprising:
a multicast management device, for managing the users' multicast services;
an auxiliary multicast authentication device, for establishing a session with the user's terminal and, after the multicast management device receives a request from the user's terminal to join a multicast group, re-authenticating with the user's terminal at the request of the multicast management device, thereby obtaining the user terminal's authentication information, and sending this authentication information to the multicast management device; and
a remote authentication and accounting client device, through which the multicast management device sends a multicast service authentication request to a remote authentication server, the remote authentication server authenticating whether the user is qualified to join the multicast group.
26. The access device according to claim 25, wherein the multicast management device also sends, through the remote authentication and accounting client device, requests to a remote accounting server, so that charging of the user's multicast service begins when the user passes authentication and the user's terminal thus joins the multicast group, and stops when the user's terminal leaves the multicast group.
27. The access device according to any one of claims 22-26, wherein the auxiliary multicast authentication device and the multicast management device are not in the same physical equipment and communicate with each other through a proxy device.
28. The access device according to any one of claims 22-26, wherein the auxiliary multicast authentication device supports PPP/PPPoE session termination and PPP/PPPoE authentication.
29. The access device according to any one of claims 22-26, wherein the auxiliary multicast authentication device supports WEB termination and WEB authentication.
30. The access device according to any one of claims 22-26, wherein the auxiliary multicast authentication device supports 802.1x termination and 802.1x authentication.
CN 200410093289 2004-12-20 2004-12-20 Method and device for implementing multicast authentication and fee charging Pending CN1798024A (en)

Publications (1)

Publication Number Publication Date
CN1798024A true CN1798024A (en) 2006-07-05


Legal Events

Code  Description
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C12   Rejection of a patent application after its publication
RJ01  Rejection of invention patent application after publication

Application publication date: 2006-07-05