TW201201601A - Uniform authentication method in gateway group, authentication gateway, and data gateway - Google Patents

Info

Publication number
TW201201601A
Authority
TW
Taiwan
Prior art keywords
authentication
gateway
client
access
module
Prior art date
Application number
TW99121122A
Other languages
Chinese (zh)
Other versions
TWI408972B (en)
Inventor
Chia-Lien Chiang
Original Assignee
Hon Hai Prec Ind Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hon Hai Prec Ind Co Ltd
Priority to TW99121122A
Publication of TW201201601A
Application granted
Publication of TWI408972B

Links

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

A uniform authentication method in a gateway group includes: an authentication gateway storing authentication records of terminal clients; a data gateway receiving a connection request from a terminal client and sending an inquiry request to the authentication gateway; the authentication gateway receiving the connection request and inquiring whether any authentication record corresponds to the terminal client; and the authentication gateway replying with an agreement to the data gateway if an authentication record corresponds to the terminal client, to allow the terminal client access via the data gateway. An authentication gateway and a data gateway are also provided.

Description

VI. Description of the Invention

Technical Field

[0001] The present invention relates to gateways, and in particular to a method for unified authentication in a gateway group, an authentication gateway, and a data gateway.

Prior Art

[0002] With the development of the wireless communication industry and its technology, more and more gateways support wireless hotspot functionality, so that a client can roam within a group of gateways that support wireless hotspots. However, because each gateway performs authentication independently, a client roaming in the gateway group has to authenticate repeatedly and may even be misjudged as a duplicate login. How to let a client roam conveniently within a gateway group has therefore become a new topic in the wireless field.

Summary of the Invention

[0003] In view of this, it is necessary to provide a method for unified authentication in a gateway group that enables convenient roaming for the client.

[0004] In addition, there is a need for an authentication gateway that enables convenient roaming for the client.

[0005] There is also a need for a data gateway that enables convenient roaming for the client.

[0006] The method for unified authentication in a gateway group in an embodiment of the present invention includes the following steps: the authentication gateway stores the authentication record of the client within the gateway group, the authentication record including a record that the client has passed authentication within the gateway group; the data gateway sends a query request after receiving a connection request from the client; the authentication gateway receives the query request from the data gateway and queries whether there is an authentication record corresponding to the client; and if there is a corresponding authentication record, the authentication gateway replies to the data gateway that access is granted, to notify the data gateway to provide an access service for the client.

[0007] The authentication gateway in an embodiment of the present invention provides authentication for a client in a gateway group, the gateway group further including a plurality of data gateways that support wireless hotspots. The authentication gateway includes a storage module, a query module and a first access module. The storage module stores the authentication record of the client within the gateway group, the authentication record including a record that the client has passed authentication within the gateway group. The query module receives the query request sent by a data gateway and queries whether the storage module holds an authentication record corresponding to the client, where the data gateway sends the query request to the authentication gateway when it receives a connection request from the client. The first access module, when a corresponding authentication record is found, replies to the data gateway that access is granted, to notify the data gateway to provide an access service for the client.

[0008] The data gateway in an embodiment of the present invention provides an access service for a client in a gateway group, the gateway group further including a plurality of data gateways that support wireless hotspots and an authentication gateway. The data gateway includes a forwarding module, a second receiving module, a second access module and a second rejection module. The forwarding module receives the connection request from the client and sends a query request to the authentication gateway. The second receiving module receives the reply from the authentication gateway, which is either access granted or access denied. The second access module provides the access service for the client when the reply is access granted. The second rejection module rejects the connection request from the client when the reply is access denied.

[0009] The foregoing and the technical effects of the invention can be readily understood from the following detailed description of specific embodiments taken together with the accompanying drawings.

Detailed Description of the Embodiments

[0010] FIG. 1 is an environment diagram of the gateway group 10 of the present invention. In this embodiment, the gateway group 10 includes an authentication gateway 11 and a plurality of data gateways 12, all supporting wireless hotspots. The client 30 roams within the wireless hotspot coverage of the gateway group 10 and sends connection requests. The Authentication, Authorization and Accounting (AAA) server 20 receives authentication requests and sends back the result of whether the client 30 has passed authentication.

[0011] FIG. 2 is a flowchart of the method of unified authentication in the gateway group 10 of the present invention.

[0012] In step S201, the gateway group 10 receives the connection request sent by the client 30. In this embodiment, the gateway group 10 includes an authentication gateway 11 and a plurality of data gateways 12 that support wireless hotspots.

[0013] In step S202, the authentication gateway 11 receives either the connection request from the client 30 or the query request from a data gateway 12. In this embodiment, if the authentication gateway 11 is the wireless hotspot closest to the client 30, the authentication gateway 11 receives the connection request from the client 30 directly. If a data gateway 12 is the wireless hotspot closest to the client 30, the data gateway 12 receives the connection request from the client 30 and sends a query request to the authentication gateway 11.

[0014] In step S203, the authentication gateway 11 queries whether there is an authentication record corresponding to the client 30. The authentication record includes a record that the client 30 has passed authentication within the gateway group 10. In this embodiment, because the authentication records of the client 30 are stored in one place, the client 30 when roaming only needs to send a connection request within the gateway group 10 and have it looked up in the authentication gateway 11, without connecting to the AAA server 20 for repeated authentication. This saves time and does not cause duplicate logins.

[0015] If there is a corresponding authentication record, step S204 is performed: the authentication gateway 11 determines whether what it received is a connection request from the client 30.

[0016] If it is a connection request, step S205 is performed: the authentication gateway 11 provides the access service for the client 30.

[0017] If it is not a connection request, what was received is a query request, and step S206 is performed: the data gateway 12 provides the access service for the client 30.

[0018] In step S207, the authentication gateway 11 performs unified authorization and accounting for the client 30. In this embodiment, the authentication gateway 11 performs unified authentication, authorization and accounting for the client 30, so that the client 30 can roam conveniently without authenticating again, which avoids dropped connections while roaming, duplicate logins and accounting confusion.

[0019] If there is no corresponding authentication record, step S208 is performed: the authentication gateway 11 sends an authentication request to the AAA server 20.

[0020] In step S209, the authentication gateway 11 receives the authentication result from the AAA server 20.

[0021] In step S210, the authentication gateway 11 determines from the authentication result whether the client 30 has passed authentication. In this embodiment, if authentication has passed, step S211 is performed; if it has not, step S212 is performed.

[0022] In step S211, the authentication gateway 11 stores the authentication record of the client 30 and returns to step S204.

[0023] In step S212, the authentication gateway 11 determines whether what it received is a connection request from the client 30. In this embodiment, if it is not a connection request, the gateway is responding to a query request and step S213 is performed. If it is responding to a connection request, step S214 is performed.

[0024] In step S213, the data gateway 12 rejects the connection request from the client 30.

[0025] In step S214, the authentication gateway 11 rejects the connection request from the client 30.

[0026] FIG. 3 is a module diagram of the authentication gateway 11 in an embodiment of the present invention. The authentication gateway 11 provides authentication for the client 30 in the gateway group 10 shown in FIG. 1.

[0027] The authentication gateway 11 includes a storage module 111, a query module 112, a first access module 113, an authentication module 114, a first receiving module 115, a judging module 116, a first rejection module 117, an authorization and accounting module 118 and a first processor 119.

[0028] The storage module 111 stores the authentication record of the client 30. The authentication record includes a record that the client 30 has passed authentication within the gateway group 10. In this embodiment, because the authentication records are stored in one place, the client 30 when roaming only needs to be looked up in the authentication gateway 11, without connecting to the AAA server 20 for repeated authentication. This saves time and does not cause duplicate logins.

[0029] The query module 112 receives connection requests from the client 30 and query requests from the data gateway 12, and queries whether the storage module 111 holds an authentication record corresponding to the client 30. In this embodiment, if the client 30 is logging in for the first time, there is no corresponding authentication record. If it has already logged in and is roaming, the corresponding authentication record can be found in the storage module 111.

[0030] The authentication module 114 sends an authentication request to the AAA server 20 when the query module 112 finds no corresponding authentication record.

[0031] The first receiving module 115 receives the authentication reply from the AAA server 20, which is either authentication passed or authentication failed.

[0032] The judging module 116 determines whether what the authentication gateway 11 received is a connection request from the client 30. In this embodiment, if it is not a connection request from the client 30, it is a query request from the data gateway 12.

[0033] The first access module 113 provides the access service for the client 30 when a corresponding authentication record is found or after the client 30 passes authentication. In this embodiment, the first access module 113 receives the result from the judging module 116. When the result is a connection request, it provides the access service for the client 30. When authentication has passed and the request is a query request, it replies to the data gateway 12 that access is granted, to notify the data gateway 12 to provide the access service for the client 30.

[0034] The first rejection module 117 refuses to provide the access service for the client 30 when the client 30 has not passed authentication. In this embodiment, the first rejection module 117 receives the result from the judging module 116. When the result is a connection request, it refuses to provide the access service for the client 30. When the result is a query request, it replies to the data gateway 12 that access is denied, to notify the data gateway 12 to refuse to provide the access service for the client 30.

[0035] The authorization and accounting module 118 performs unified authorization and accounting for the client 30. In this embodiment, the authentication gateway 11 performs unified authentication, authorization and accounting for the client 30, so that the client 30 can roam conveniently without authenticating again, which avoids dropped connections while roaming, duplicate logins and accounting confusion.

[0036] FIG. 4 is a module diagram of the data gateway 12 in an embodiment of the present invention. In this embodiment, the data gateway 12 provides the access service for the client 30 in the gateway group 10, and the gateway group 10 includes a plurality of data gateways 12 that support wireless hotspots and an authentication gateway 11. The data gateway 12 includes a forwarding module 121, a second receiving module 122, a second access module 123, a second rejection module 124 and a second processor 125.

[0037] The forwarding module 121 receives the connection request from the client 30 and, based on the connection request, sends a query request to the authentication gateway 11.

[0038] The second receiving module 122 receives the reply from the authentication gateway 11, which is either access granted or access denied.

[0039] The second access module 123 provides the access service for the client 30 when the reply is access granted.

[0040] The second rejection module 124 rejects the connection request from the client 30 when the reply is access denied.

[0041] In this embodiment, when the client 30 roams to a data gateway 12, the data gateway 12 only needs to send a query request to the authentication gateway 11, and can provide the access service once the authentication record of the client 30 is found. When the client 30 roams to the authentication gateway 11, the data gateway queries whether there is a stored authentication record and, if one is found, the access service is provided. The client 30 can therefore roam conveniently without authenticating again, and problems such as dropped connections while roaming and duplicate logins are avoided.

[0042] In summary, the present invention meets the requirements for an invention patent, and a patent application is filed in accordance with the law. The above, however, describes only preferred embodiments of the present invention. Equivalent modifications or variations made by persons familiar with the art of this case in keeping with the spirit of the invention shall all be covered by the claims below.

Brief Description of the Drawings

[0043] FIG. 1 is an environment diagram of a gateway group in an embodiment of the present invention.

[0044] FIG. 2 is a flowchart of a method of unified authentication in a gateway group in an embodiment of the present invention.

[0045] FIG. 3 is a module diagram of an authentication gateway in an embodiment of the present invention.

[0046] FIG. 4 is a module diagram of a data gateway in an embodiment of the present invention.

Description of Main Reference Numerals

[0047] Gateway group: 10
[0048] Authentication gateway: 11
[0049] Data gateway: 12
[0050] Authentication, Authorization and Accounting (AAA) server: 20
[0051] Client: 30
[0052] Storage module: 111
[0053] Query module: 112
[0054] First access module: 113
[0055] Authentication module: 114
[0056] First receiving module: 115
[0057] Judging module: 116
[0058] First rejection module: 117
[0059] Authorization and accounting module: 118
[0060] First processor: 119
[0061] Forwarding module: 121
[0062] Second receiving module: 122
[0063] Second access module: 123
[0064] Second rejection module: 124
[0065] Second processor: 125
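The decision flow of steps S201 to S214 can be followed in a small simulation. This is an added example, not code from the patent or its applicant. It assumes that a client is identified by a hypothetical `client_id` string, that the query request carries whatever credential the client presented, and that records never expire; the page specifies none of these, and the account table is constructed sample data.

```python
import hmac
from enum import Enum


class Reply(Enum):
    GRANT = "grant access"
    DENY = "deny access"


class AAAServer:
    """Stand-in for AAA server 20; the account table is constructed sample data."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)
        self.requests = 0  # authentication requests that reached the server

    def authenticate(self, client_id, credential):
        self.requests += 1
        expected = self._accounts.get(client_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), credential.encode())


class AuthenticationGateway:
    """Authentication gateway 11: keeps the authentication records for the group."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.records = set()   # storage module 111, keyed by client_id (assumption)
        self.accounting = []   # entries written in S207: (client_id, serving gateway)

    def handle(self, client_id, credential, via=None):
        """Decide one request and return (reply, trace of step labels).

        via=None is a connection request received directly from the client;
        otherwise it is a query request from the data gateway named `via`.
        """
        trace = ["S202", "S203"]
        if client_id not in self.records:               # S203: no stored record
            trace += ["S208", "S209", "S210"]           # ask AAA server 20
            if not self.aaa.authenticate(client_id, credential):
                # S212 picks who rejects: gateway 11 (S214) or data gateway 12 (S213)
                trace += ["S212", "S214" if via is None else "S213"]
                return Reply.DENY, trace
            self.records.add(client_id)                 # S211: store the record
            trace.append("S211")
        # S204 picks who serves: gateway 11 (S205) or data gateway 12 (S206)
        trace += ["S204", "S205" if via is None else "S206", "S207"]
        self.accounting.append((client_id, via or "gateway-11"))
        return Reply.GRANT, trace

    def connect(self, client_id, credential):
        reply, trace = self.handle(client_id, credential)
        return reply is Reply.GRANT, ["S201"] + trace


class DataGateway:
    """Data gateway 12: forwards a query request and acts on the reply."""

    def __init__(self, name, auth_gateway):
        self.name = name
        self.auth_gateway = auth_gateway

    def connect(self, client_id, credential):
        reply, trace = self.auth_gateway.handle(client_id, credential, via=self.name)
        return reply is Reply.GRANT, ["S201"] + trace


def roaming_demo():
    """Walk one client through three hotspots, then try an unknown client."""
    aaa = AAAServer({"client-30": "sample-password"})    # constructed account
    gw11 = AuthenticationGateway(aaa)
    gw12a, gw12b = DataGateway("gateway-12a", gw11), DataGateway("gateway-12b", gw11)
    steps = [
        gw12a.connect("client-30", "sample-password"),   # first login, via a data gateway
        gw12b.connect("client-30", "sample-password"),   # roams to a second data gateway
        gw11.connect("client-30", "sample-password"),    # roams to the authentication gateway
        gw12a.connect("client-99", "guess"),             # no record, AAA says no
    ]
    return steps, aaa.requests, gw11.accounting


if __name__ == "__main__":
    steps, aaa_requests, accounting = roaming_demo()
    for granted, trace in steps:
        print("granted" if granted else "rejected", " -> ".join(trace))
    print("AAA requests:", aaa_requests)
```

Only the first login and the unknown client reach the AAA server; both roaming hops are decided from the stored record alone, which is why the choice of record key matters in a real deployment.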

Claims (1)

VII. Claims

1. A method for unified authentication in a gateway group, wherein the gateway group includes an authentication gateway and a plurality of data gateways that support wireless hotspots, the method comprising:
the authentication gateway storing an authentication record of a client within the gateway group, the authentication record including a record that the client has passed authentication within the gateway group;
the data gateway, after receiving a connection request from the client, sending a query request to the authentication gateway;
the authentication gateway receiving the query request and querying whether there is an authentication record corresponding to the client; and
if there is the corresponding authentication record, the authentication gateway replying to the data gateway that access is granted, to notify the data gateway to provide an access service for the client.

2. The method for unified authentication in a gateway group according to claim 1, further comprising:
the authentication gateway receiving a connection request from the client and querying whether there is an authentication record corresponding to the client; and
if there is the authentication record, the authentication gateway providing the access service for the client.

3. The method for unified authentication in a gateway group according to claim 2, further comprising:
when there is no corresponding authentication record, the authentication gateway sending an authentication request to the Authentication, Authorization and Accounting server;
the authentication gateway receiving an authentication reply from the Authentication, Authorization and Accounting server, the authentication reply being either authentication passed or authentication failed;
the authentication gateway determining whether what it received is the connection request or the query request;
if the client has passed authentication and the result of the determination is the connection request, the authentication gateway providing the access service for the client; and
if the client has passed authentication and the request is the query request, the authentication gateway replying to the data gateway that access is granted, to notify the data gateway to provide the access service for the client.

4. The method for unified authentication in a gateway group according to claim 3, further comprising:
if the client has not passed authentication and the result of the determination is the connection request, the authentication gateway refusing to provide the access service for the client; and
if the client has not passed authentication and the result of the determination is the query request, the authentication gateway replying to the data gateway that access is denied, to notify the data gateway to refuse to provide the access service for the client.

5. An authentication gateway for providing authentication for a client in a gateway group, the gateway group further including a plurality of data gateways that support wireless hotspots, the authentication gateway comprising:
a storage module for storing an authentication record of the client within the gateway group, the authentication record including a record that the client has passed authentication within the gateway group;
a query module for receiving a query request sent by the data gateway and querying whether the storage module holds an authentication record corresponding to the client, wherein the data gateway sends the query request to the authentication gateway when it receives a connection request from the client; and
a first access module for replying to the data gateway that access is granted when the corresponding authentication record is found, to notify the data gateway to provide an access service for the client.

6. The authentication gateway according to claim 5, wherein the query module is further used for receiving a connection request from the client and querying whether the storage module holds an authentication record corresponding to the client, and the first access module is further used for providing the access service for the client when the corresponding authentication record is found.

7. The authentication gateway according to claim 6, further comprising:
an authentication module for sending an authentication request to an Authentication, Authorization and Accounting server when there is no corresponding authentication record;
a first receiving module for receiving an authentication reply from the Authentication, Authorization and Accounting server, the reply being either authentication passed or authentication failed; and
a judging module for determining whether what was received is the connection request or the query request;
wherein the first access module is further used for providing the access service for the client when the client has passed authentication and the result of the determination is the connection request, and for replying to the data gateway that access is granted when authentication has passed and the request is the query request, to notify the data gateway to provide the access service for the client.

8. The authentication gateway according to claim 7, further comprising a first rejection module for refusing to provide the access service for the client when the client has not passed authentication and the result of the determination is the connection request, and for replying to the data gateway that access is denied when authentication has not passed and the result of the determination is the query request, to notify the data gateway to refuse to provide the access service for the client.

9. A data gateway for providing an access service for a client in a gateway group, the gateway group further including a plurality of the data gateways that support wireless hotspots and an authentication gateway, wherein the data gateway comprises:
a forwarding module for receiving a connection request from the client and sending a query request to the authentication gateway based on the connection request;
a second receiving module for receiving a reply from the authentication gateway, the reply being either access granted or access denied;
a second access module for providing the access service for the client when the reply is access granted; and
a second rejection module for refusing to provide the access service for the client when the reply is access denied.
TW99121122A 2010-06-28 2010-06-28 Uniform authentication method in gateway group, authentication gateway, and data gateway TWI408972B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW99121122A TWI408972B (en) 2010-06-28 2010-06-28 Uniform authentication method in gateway group, authentication gateway, and data gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW99121122A TWI408972B (en) 2010-06-28 2010-06-28 Uniform authentication method in gateway group, authentication gateway, and data gateway

Publications (2)

Publication Number Publication Date
TW201201601A (en) 2012-01-01
TWI408972B (en) 2013-09-11

Family

ID=46755873

Family Applications (1)

Application Number Title Priority Date Filing Date
TW99121122A TWI408972B (en) 2010-06-28 2010-06-28 Uniform authentication method in gateway group, authentication gateway, and data gateway

Country Status (1)

Country Link
TW (1) TWI408972B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7400593B2 (en) * 2003-08-15 2008-07-15 Samsung Electronics Co., Ltd Method for distinguishing MBMS service request from other service requests
US20070101408A1 (en) * 2005-10-31 2007-05-03 Nakhjiri Madjid F Method and apparatus for providing authorization material

Also Published As

Publication number Publication date
TWI408972B (en) 2013-09-11

Similar Documents

Publication Publication Date Title
WO2020220865A1 (en) Identity check method for network function service, and related device
TWI608743B (en) Method, server and system for managing wireless network login password sharing function
JP4722056B2 (en) Method and apparatus for personalization and identity management
US8743778B2 (en) Systems and methods for obtaining network credentials
US8495377B2 (en) Enabling secure access to sensor network infrastructure using multiple interfaces and application-based group key selection
CN105162777B (en) A kind of wireless network login method and device
US20080294891A1 (en) Method for Authenticating a Mobile Node in a Communication Network
JP5497646B2 (en) System and method for wireless network selection
JP2017537576A (en) Mobile authentication in mobile virtual networks
US9730061B2 (en) Network authentication
KR20090036562A (en) Method and system for controlling access to networks
CN102300189B (en) Gateway group unified authentication method, authentication gateway and data gateway
JP2016506152A (en) Device authentication by tagging
JP2010503318A (en) System and method for gaining network access
JP2012531822A (en) System and method for obtaining network credentials
FI128171B (en) Network authentication
JP2012531111A (en) System and method for locating via a network
TW564627B (en) System and method for authentication in public networks
CA3073190C (en) Mobile number verification for mobile network-based authentication
WO2015089969A1 (en) Accessibility management method and device for m2m terminal/terminal peripheral
WO2015100874A1 (en) Home gateway access management method and system
JP5113937B2 (en) Method and system for implementing a location service
WO2011017921A1 (en) System and method for visiting a visited service provider
TW201201601A (en) Uniform authentication method in gateway group, authentication gateway, and data gateway
US11978052B2 (en) Method for validating electronic transactions

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees