WO2007000120A1 - System, method and access server for authentication - Google Patents

System, method and access server for authentication

Info

Publication number
WO2007000120A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2006/001500
Other languages
English (en)
Chinese (zh)
Inventor
Weilong Ouyang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/02 Details
    • H04L 12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation

Definitions

  • the present invention relates to an authentication access system and an authentication access method and server.
  • the revenue of operators in broadband metropolitan area network services is not proportional to the number of network users.
  • operators continue to add new services to the network, so that network services reach every aspect of home network life and generate value-added revenue; examples are Voice over IP (VoIP), IP television (IPTV) and Internet games. This also drives the transition of the home network into a multi-service network environment.
  • a home network of the prior art is shown in FIG. 1.
  • the home network includes access devices that provide different services, such as a PC (Personal Computer) 111, a set top box (STB) 112, an IP phone 113 and an IP TV 114; the access devices are connected through a Remote Test Unit (RTU) or Routing Gateway 120, over an access technology such as a digital subscriber line (DSL) or a local area network (LAN) Ethernet, to a Layer 2 multiplexer 130 such as a Digital Subscriber Line Access Multiplexer (DSLAM), and the multiplexer 130 extracts the Ethernet packets from the access medium.
  • the packets are transparently transmitted to the broadband remote access server (BRAS) 140 through the multiplexer's own asynchronous transfer mode (ATM) or Ethernet uplink interface.
  • the BRAS 140 performs link termination and provides Internet access and other value-added services for the access devices.
  • IP phones must stay online, so they usually use private line access methods such as DHCP (Dynamic Host Configuration Protocol); IPTV does not need to stay online, only while a programme is being watched, so it can use dial-up access or a hybrid of dial-up and private line access.
  • although the IP phone and the IPTV belong to the same user, they can only be charged separately according to their different access modes (for example, the IP phone uses monthly charging and the IPTV uses traffic-based accounting), and it is impossible to apply a combination of billing policies in unified billing management for this user.
  • because the access modes of the access devices differ, the various charging devices in the network cannot perform unified charging management for the access devices present in the network.
  • the access authentication methods of the various access devices therefore need to be unified, that is, the non-authenticated access modes are converted into authenticated access, after which unified management and charging are performed.
  • the authentication access process of the Point-to-Point Protocol over Ethernet (PPPoE) dial-up access method is as follows:
  • the access device 110 acts as a dial-up terminal and initiates a PPPoE request; the request passes through the home network or home gateway and is bridged by the multiplexer to the BRAS;
  • the Point-to-Point Protocol (PPP) version 4/6 module 141 of the BRAS 140 terminates the PPPoE message and creates a corresponding virtual link, notifying the dial-up client (not shown) to initiate authentication;
  • the access device 110 sends the account and password to the BRAS 140 through the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP);
  • after receiving the account and password sent by the client, the PPP protocol version 4/6 module 141 of the BRAS 140 passes them to the proxy server 142, which constructs an authentication request accordingly; the authentication request is then sent to the function server 150 for authentication;
  • the proxy server 142 notifies the dial-up client to apply for an IP address through the PPP protocol version 4/6 module 141;
  • the access device 110 applies for an IP address to the BRAS 140;
  • after receiving the address allocation request, the PPP protocol version 4/6 module 141 of the BRAS 140 requests an IP address from the proxy server 142; the proxy server 142 generally allocates dynamically from a shared address pool, or uses the static allocation mode in which the function server 150 specifies and delivers the address, and assigns an IP address to the dial-up client;
  • the PPP protocol version 4/6 module 141 informs the access device 110 of the IP address it has applied for;
  • the access device 110 uses the IP address to access the network through the virtual link.
  • the non-authenticated access modes used in the prior art mainly include: a DHCP access mode and an automatic address configuration access mode.
  • the access process of the DHCP access mode is as follows:
  • after the user starts the PC, the PC automatically enables its Dynamic Host Configuration Protocol client (DHCP Client) function and starts to apply for an IP address.
  • the DHCP client sends a discovery message (DHCP DISCOVER) on the link of its network interface card (NIC) to find an available DHCP server (DHCP Server).
  • after detecting the DHCP DISCOVER packet, the BRAS forwards it to the DHCP server by using its internal forwarding function (DHCP Relay).
  • after receiving the message, the DHCP server confirms that the PC can be assigned an IP address and responds with a confirmation message.
  • the confirmation message is forwarded to the DHCP client of the PC through the BRAS. At this point, the PC has found an available DHCP Server.
  • the DHCP client sends a request packet asking the DHCP server to allocate an IP address, via the BRAS. After receiving the request, the DHCP server allocates an IP address and related network parameters to the PC and sends a response packet to the user through the BRAS. Thereafter, the user PC accesses the network using the obtained IP address and network parameters.
  • the access process of the automatic address configuration access mode is as follows:
  • after the user starts the access device, the access device automatically starts the automatic address configuration function of the IPv6 protocol.
  • the access device detects whether any other node on the link uses the same interface ID as its network interface; the interface ID is derived from the MAC address of the access device's network card.
  • the prior art provides an authentication access method based on Internet web page (WEB) authentication technology for a private line access mode such as DHCP. The process is as follows:
  • the steps before requesting the assignment of an IP address message to the BRAS are the same as the non-authentication access method described above.
  • before the BRAS receives the notification confirming that the user has passed WEB authentication, it does not allow the user to use the network and discards the user's packets other than Hypertext Transfer Protocol (HTTP) messages; the HTTP packets are redirected to the WEB server.
  • the WEB Server forcibly sends an authentication page to the user. After receiving the authentication page, the user manually inputs a pre-assigned account number and password in the web page, and then sends an HTTP-based authentication request to the BRAS. The BRAS forwards the authentication request to the WEB Server.
  • the WEB Server sends the user's account and password to the authentication server for authentication. After the authentication server determines the authentication result, it notifies the WEB Server. If the authentication passes, the WEB Server notifies the BRAS that the user can use the network normally and forcibly sends the authentication-passed page to the user, prompting the user to access the Internet; otherwise, it informs the user that authentication failed.
  • non-authenticated access modes can thus be unified into the authenticated access mode by using WEB authentication technology, achieving unified charging and management for devices with different access modes.
  • this method requires a processing module corresponding to the WEB technology to be set in the BRAS, and WEB devices such as a WEB Server must be added to cooperate with the BRAS and the authentication server in providing the authentication function for the non-authenticated access modes.
  • non-PC terminals are required to support the HTTP protocol, the Secure Hypertext Transfer Protocol (HTTPS) protocol, and the WEB authentication protocol.
  • WEB authentication technology requires pre-allocation of accounts and passwords, but information appliances based on IPv6 protocols need to be plug-and-play, so this method cannot be implemented for terminal devices that do not integrate multiple protocols and/or require plug-and-play.
  • WEB authentication technology also cannot bind the user's IP address to the access location, which is vulnerable to attack in a real working environment.
  • the present invention provides an authentication access system, an authentication access method, and a server, which can conveniently implement authentication access of a client supporting a non-authenticated access mode.
  • an authentication access system includes: a broadband access server BRAS connected to an access device, and a function server connected to the BRAS;
  • the BRAS includes a protocol termination module, configured to receive and terminate protocol packets sent by the access device, and a proxy module, configured to construct request messages; the BRAS further includes a scheduling module (A3S) connected between the protocol termination module and the proxy module, configured either to construct authentication information for the non-dial-up access mode, send it to the proxy module and forward the address allocation information and charging information, or to forward the authentication information of the dial-up access mode directly to the proxy module and forward the address allocation information and charging information.
  • the proxy module includes an authentication proxy module, an address allocation proxy module and a charging proxy module, each connected to the A3S; the address allocation proxy module is configured to construct an address allocation request message according to the location information of the access device; the authentication proxy module is configured to construct an authentication request message according to the location information of the access device and the authentication information; and the charging proxy module is configured to construct a charging request message according to the location information of the access device and the authentication information.
  • the function server includes an authentication module, connected to the authentication proxy module and configured to authenticate the authentication request message sent to it; an address allocation module, connected to the address allocation proxy module and configured to allocate an IP address to the authenticated access device; and a charging module, connected to the charging proxy module and configured to charge for the service.
  • the protocol termination module includes a dynamic host configuration protocol (DHCP) module, used to terminate DHCP protocol packets; a point-to-point protocol (PPP) module, used to terminate PPP protocol packets; and an auto configuration (Auto config) module, used to terminate stateless address configuration protocol packets.
  • a broadband access server (BRAS) receives access request messages initiated by access devices in either the authenticated access mode or the non-authenticated access mode; an access request message initiated in the authenticated access mode is forwarded directly to the function server for authentication.
  • otherwise, the BRAS obtains the location information of the access device to construct authentication information and sends an authentication request message carrying the authentication information to the function server; the function server authenticates the request, and the BRAS determines whether the user is allowed to access according to the authentication result.
  • the non-authenticated access mode is a dynamic host configuration (DHCP) access mode or an automatic address configuration access mode; the authenticated access mode is a point-to-point (PPP) access mode.
  • the location information of the access device is obtained from the access request message sent by the access device, or by the BRAS sending a query request to the digital subscriber line access multiplexer (DSLAM) where the access device is located.
  • the authentication information constructed by the BRAS includes an account and/or a password.
  • the account is constructed according to the DSLAM port number and the BRAS port number where the access device is located, and the password is constructed according to the BRAS port number; or the account and password are constructed according to the DSLAM port number where the access device is located and/or the media access control (MAC) address of the access device; or the password is constructed according to the BRAS port number and/or the IP address of the interface.
  • the DSLAM port number includes: a device number of the DSLAM and a port number of the access device;
  • the BRAS port number includes: a device number of the BRAS and a port number of the access device.
  • the IP address assigned to the user is bound to the access device, either according to the port information of the BRAS and the MAC address of the access device, or according to the DSLAM port number where the access device is located.
  • after the access device initiates the access request in the non-authenticated access mode and is assigned an IP address, the following steps are also included: on receiving access packets sent by the access device, the BRAS starts charging; after charging starts, the access information of the access device is detected periodically, and when the access information is no longer detected, charging is terminated.
  • the access information is an address resolution protocol (ARP) packet, a neighbor discovery protocol (ND) packet, or the global link IP address applied for by the user.
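The charging rule just described (start on the first access packet, stop when ARP/ND activity from the bound device disappears), as an added example that is not part of the patent: the 30 s detection interval, the packet kinds and the timeline are constructed assumptions.

```python
# Added example of the charging rule (not the patent's code): the 30 s detection interval,
# the packet kinds and the timeline below are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional

LIVENESS_KINDS = {"arp", "nd", "global_addr"}  # what the page counts as "access information"


@dataclass(frozen=True)
class Packet:
    t: float   # seconds since the device was assigned its address
    kind: str  # "data", "arp", "nd" or "global_addr" (global IP applied for by the user)
    mac: str   # source MAC seen on the bound access port


class ChargingSession:
    """Charging for one non-authenticated access device, bound to its MAC."""

    def __init__(self, mac: str, detect_interval: float):
        self.mac = mac
        self.detect_interval = detect_interval
        self.start: Optional[float] = None   # first access packet from the device
        self.stop: Optional[float] = None    # set when access information disappears
        self.seen_since_poll = False

    def observe(self, pkt: Packet) -> None:
        if pkt.mac != self.mac or self.stop is not None:
            return                           # another device, or charging already ended
        if self.start is None:
            self.start = pkt.t               # charging starts on the first access packet
        if pkt.kind in LIVENESS_KINDS:
            self.seen_since_poll = True

    def poll(self, now: float) -> None:
        """Periodic detection: no access information since the last poll ends charging."""
        if self.start is None or self.stop is not None:
            return
        if not self.seen_since_poll:
            self.stop = now
        self.seen_since_poll = False

    def charged_seconds(self, now: float) -> float:
        if self.start is None:
            return 0.0
        return (self.stop if self.stop is not None else now) - self.start


def run(session: ChargingSession, packets: List[Packet], end: float) -> float:
    """Replay a packet timeline, polling every detect_interval seconds until `end`."""
    packets = sorted(packets, key=lambda p: p.t)
    i, next_poll = 0, session.detect_interval
    while next_poll <= end:
        while i < len(packets) and packets[i].t <= next_poll:
            session.observe(packets[i])
            i += 1
        session.poll(next_poll)
        next_poll += session.detect_interval
    return session.charged_seconds(end)


# Constructed timeline: the bound device goes quiet after t=65 while another MAC keeps talking.
SAMPLE = [
    Packet(0, "data", "00:11:22:33:44:55"),
    Packet(5, "arp", "00:11:22:33:44:55"),
    Packet(35, "nd", "00:11:22:33:44:55"),
    Packet(65, "arp", "00:11:22:33:44:55"),
    Packet(95, "arp", "66:77:88:99:aa:bb"),    # other device: must not keep the session alive
    Packet(125, "data", "00:11:22:33:44:55"),  # plain data is not access information
]


def demo() -> float:
    """Charged seconds for the constructed timeline (charging ends at the t=120 poll)."""
    return run(ChargingSession("00:11:22:33:44:55", detect_interval=30), SAMPLE, end=200)
```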
  • a broadband access server includes: a protocol termination module, configured to receive and terminate protocol packets sent by the access device; a proxy module, configured to construct request messages; and a scheduling module (A3S) connected between the protocol termination module and the proxy module, configured either to construct authentication information for the non-dial-up access mode, send it to the proxy module and forward the address allocation information and charging information, or to forward the authentication information of the dial-up access mode directly to the proxy module and forward the address allocation information and charging information.
  • the proxy module includes: an authentication proxy module, an address assignment proxy module, and a charging proxy module, which are respectively connected to the A3S;
  • the address allocation proxy module is configured to construct an address allocation request message according to the location information of the access device
  • the authentication proxy module is configured to construct an authentication request message according to the location information of the access device and the authentication information;
  • the charging proxy module is configured to construct a charging request message according to the location information of the access device and the authentication information.
  • the broadband access server further includes: an address allocation module connected to the address assignment proxy module, configured to allocate an address for the authenticated access device.
  • the protocol termination module includes:
  • the DHCP module is used to terminate DHCP protocol packets.
  • the PPP module is used to terminate PPP protocol packets.
  • the Auto config module is used to terminate stateless address configuration protocol packets.
  • the authentication access system of the present invention can construct the authentication information for the non-authentication access mode, so that the non-authentication access mode is unified into the authentication access mode. After the access is successful, the accounting information is constructed by using the authentication information to charge the access device.
  • the problem of the access device having to support multiple protocols is solved, and the difficulty of protocol configuration on the access device and the cost of the access device are reduced.
  • the system using the present invention only needs to add a scheduling module to the system, which reduces the system cost.
  • the invention does not need to allocate an account and a password in advance; instead, the scheduling module automatically constructs a globally unique account and password according to the location information of the access device, so the invention is compatible with all IP devices and achieves plug and play.
  • the invention unifies the address allocation of the various access modes in the address allocation module, which facilitates unified management and planning of addresses. Further, binding the device to its corresponding IP address according to its location information ensures that the device can obtain the same IP address each time, simplifying operation and reducing cost.
  • the invention provides an effective supporting means for the long-term coexistence of the IPv4 protocol and the IPv6 protocol by separating the access mode and the authentication mode.
  • a unified charging policy can be used for charging for various access modes, which facilitates implementing multiple charging policies in the system, so that operators can obtain greater benefits.
  • FIG. 1 is a schematic diagram of a prior art home network.
  • FIG. 2 is a network diagram of a system for dial-up access in the prior art.
  • FIG. 3 is a networking diagram of an embodiment of a system of the present invention.
  • FIG. 4 is a flow chart of an embodiment of a method of the present invention.
  • the system can implement the authentication function for the non-authenticated access mode, so that the system does not need to support multiple protocols and can bind the IP address to the access location; to this end a scheduling module A3S is added to the access authentication system, which is used to construct the authentication information for the non-authenticated access mode, so that the non-authenticated access mode can be normalized into the authenticated mode.
  • the network of the authentication access system of the present invention is shown in FIG. 3.
  • the system includes: a broadband access server (BRAS) 400 connected to the access device 300, and a function server 500 connected to the BRAS 400.
  • the BRAS 400 includes:
  • the protocol termination module 410, connected to the access device 300, includes a Dynamic Host Configuration Protocol (DHCP) module 411, a Point-to-Point Protocol (PPP) module 412, an Auto Config module 413 and modules for other protocols (not shown), wherein the automatic configuration module 413 may be a stateless automatic address configuration module based on the IPv6 protocol;
  • the scheduling module (A3S) 420, connected to the protocol termination module 410;
  • the proxy module 430 connected to the A3S 420 includes an address assignment proxy module 431, an authentication proxy module 432, and a billing proxy module 433.
  • the function server 500 includes an authentication module 520 connected to the authentication proxy module, an address assignment module 510 connected to the address assignment proxy module, and a billing module 530 connected to the billing proxy module.
  • the BRAS 400 is configured to receive an access request message sent by the access device 300, and perform access processing on the request message.
  • within the BRAS 400:
  • the protocol termination module 410 is configured to receive and terminate the protocol packet from the access device 300.
  • the DHCP module 411 is used to terminate the DHCP protocol packet;
  • the PPP module 412 is used to terminate the PPP protocol packet; and
  • the Auto config module 413 is used to terminate stateless address configuration protocol packets.
  • the A3S 420 is configured to construct an account and a password for the non-authenticated access mode (for example, a private line access mode) and forward them, or to directly forward the account and password sent by the user in the authenticated access mode; and to forward address allocation information and billing information after authentication has passed.
  • the authentication proxy module 432 inside the proxy module 430 is configured to construct an authentication request message according to the location information of the access device and/or the media access control address, and the account and password configured by the A3S 420;
  • the address allocation proxy module 431 is configured to construct an address allocation request message according to the location information and/or the MAC address of the access device;
  • the charging proxy module 433 is configured to construct an accounting request message according to the location information and/or MAC address of the access device.
  • the authentication module 520 is configured to authenticate the authentication request information sent by the authentication proxy module.
  • the address allocation module 510 is configured to allocate an IP address to the authenticated access device, and the billing module 530 is used to charge for the service.
  • the above address allocation module can also be set in the BRAS, and the connection relationship and function are unchanged.
  • the broadband access server provided by the embodiment of the present invention can provide a unified authentication, address, and charging mechanism for multiple access modes.
  • the broadband access server constructs authentication messages and, according to the authentication result, processes the authentication procedure, address allocation and billing.
  • the broadband access server relays the authentication message, the address message and the charging message to the function server, where relaying means extracting the account and password from the authentication message of the dial-up mode and forwarding the authentication, address and charging messages over the interface protocol of the function server.
  • the A3S may be configured to construct an authentication message on behalf of the user, based on the message received, when the user applies for an address or sends an address conflict check message in a non-dial-up manner; after authentication and address assignment succeed, the A3S is responsible for collecting and reporting the corresponding charging information to the charging proxy module, for example by constructing an accounting message for a charging event of the protocol termination module according to the charging policy delivered by the authentication module.
  • the method of the present invention normalizes the non-authenticated access method into the authenticated access method by constructing authentication information for the non-authenticated access method in the system.
  • the flow of the embodiment of the method of the present invention is shown in Figure 4, and includes the following steps:
  • the access device sends an access request message to the BRAS by using an authenticated access mode or a non-authenticated access mode.
  • the BRAS determines how the access request message was initiated: if in the authenticated access mode, the flow proceeds to step S5; if in the non-authenticated access mode, to step S3;
  • the BRAS constructs authentication information according to the location information of the access device.
  • the BRAS sends an authentication request message carrying the authentication information to the function server.
  • the function server authenticates the user; if there is access permission, then proceeds to step S7; otherwise, proceeds to step S6;
  • the function server allocates an IP address to the access device.
  • the access work is completed by the BRAS.
  • Example 1: authenticated access in the DHCP access mode.
  • the access device initiates an access request using the DHCP version 4 or 6 (v4/v6) protocol, and the access request message is bridged to the BRAS through the RTU and the multiplexer or DSLAM.
  • the protocol termination module in the BRAS determines the protocol format of the access request message and concludes that it was initiated with the DHCP v4/v6 protocol; the message is then passed to the DHCP module in the protocol termination module, which terminates the user's DHCP protocol packet. After this, the processed access request message is sent to the A3S module to apply for an IP address from the system.
  • the A3S sends an acknowledgment message to the system to confirm whether a corresponding address allocation server and authentication server are configured for the interface where the access device is located. After confirming that they are, the A3S obtains the location information from the access request message sent by the access device, or the BRAS sends a query request to the DSLAM where the access device is located to obtain the location information, and uses it to construct the authentication information: the account is constructed according to the DSLAM port number and the BRAS port number where the access device is located, and the password according to the BRAS port number.
  • the DSLAM port number includes a DSLAM device number and a user access port number (for example, an asymmetric digital subscriber line (ADSL) port number);
  • the BRAS port number includes a BRAS device number and a user access port number (for example, a physical port number or a virtual local area network identifier (VLAN)).
  • the account number and password may also be constructed according to the DSLAM port number of the access device and/or the media access control address of the access device, or according to the BRAS port number and/or the IP address of the interface.
  • after the authentication information, such as the account and password, has been constructed for the access device, the A3S sends it to the authentication proxy module, which constructs an authentication request message based on the location information and/or media access control address of the access device and the account and password constructed by the A3S, and sends the authentication request message to the authentication module.
  • after receiving the authentication request message, the authentication module parses the account and password of the access device and authenticates them.
  • the authentication module records the corresponding user information, issues the corresponding policy, and feeds the authentication result back to the A3S through the authentication proxy module. If the A3S learns that the user authentication failed, the information of the corresponding server is not returned to the access device; otherwise, the A3S informs the address allocation proxy module that authentication passed.
  • after receiving the authentication-passed message, the address allocation proxy module constructs an address allocation request message according to the location information and/or MAC address of the access device and sends it to the address allocation module.
  • the location information includes the port number of the digital subscriber line access multiplexer where the access device is located and the BRAS port number.
  • the address allocation module allocates a corresponding IP address and corresponding lease period to the device according to the port information and the MAC address of the user, and establishes a binding relationship between the MAC address, the port information, and the IP address. Thereafter, the assigned IP address and the corresponding lease are fed back to the A3S through the address assignment agent module.
  • the A3S Based on the obtained IP address, the A3S establishes a mapping relationship between the IP address and the policy of the user that is delivered. After that, the DHCP module notifies the user that the address allocation is successful, and the BRAS completes the subsequent access work. This is the end of the process.
  • Example 2: authentication and access in the automatic configuration access mode.
  • The automatic configuration mode is introduced by IP version 6. This access mode is stateless: the address of the access device is configured automatically.
  • The method is as follows. The access device creates an IP address in the link-local network segment of its interface and sends a Duplicate Address Detection (DAD) message to check whether the created address is already in use. On receiving the DAD message, the protocol termination module in the BRAS hands it to the automatic configuration module; after confirming that the address does not currently conflict, the protocol termination module initiates an authentication request to the A3S.
  • The A3S first confirms that an address allocation server and an authentication server are configured for the interface on which the access device is located. It then obtains the location information carried in the access request message sent by the access device, or the BRAS queries the DSLAM on which the access device is located for that information, and constructs the authentication information from it: the account from the DSLAM port number and the BRAS port number where the access device is located, and the password from the BRAS port number. Other location information may be used to construct the authentication information instead.
  • Once the A3S has constructed the authentication information (account and password) for the access device, it sends it to the authentication proxy module. The authentication proxy module builds an authentication request message from the location information and/or MAC address of the access device together with the account and password constructed by the A3S, and sends the request to the authentication module.
  • On receiving the authentication request message, the authentication module parses out the account and password of the access device and verifies them. It records the corresponding user information, issues the corresponding policy, and feeds the authentication result back to the A3S through the authentication proxy module. If the A3S determines that authentication failed, it directly returns to the access device an indication that the address cannot be used or overlaps; otherwise it notifies the address allocation proxy module that authentication passed and that the created address does not overlap.
  • The address allocation proxy module constructs an address allocation request message from the location information and/or the MAC address of the access device and sends it to the address allocation module.
  • The location information comprises the DSLAM port number on which the access device is located and the BRAS port number.
  • The address allocation module allocates to the access device the link-local IP address it created, with a corresponding lease, according to the port information and the user's MAC address, and establishes a binding between the MAC address, the port information and the IP address. It then feeds the address and lease back to the A3S through the address allocation proxy module, which completes link-local access.
  • The A3S then applies to the address allocation proxy module for the global address prefix (network segment) of the interface on which the access device is located.
  • Authentication and access for the global address proceed as above.
  • The BRAS completes the remaining access work. This ends the process.
  • Other access modes that require authentication can likewise be implemented with the authentication access system of the present invention.
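The address side of Example 2, as an added example that is not code from the patent: the BRAS terminates the access device's DAD probe, checks the tentative link-local address against what is already bound on the same BRAS port, and, only once the line is admitted, binds it, hands back the interface's global prefix and binds the resulting global address too. Whether the line authenticated is taken as an input here (the authentication flow is the same as in the DHCP mode); the per-port prefix table, the result dictionaries and the MAC addresses are assumptions constructed for the example.

```python
"""Added example, not code from the patent: the address side of the
stateless (IPv6 automatic configuration) access mode. The BRAS terminates
the access device's Duplicate Address Detection (DAD) probe, checks the
tentative link-local address against the addresses already bound on the
same BRAS port and, if the line has been admitted, binds the address,
returns the interface's global prefix and binds the resulting global
address as well. Whether the line authenticated is an input here; the
prefix table, MACs and result shapes are assumptions."""
import ipaddress


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address derived from a MAC with modified EUI-64 (RFC 4291):
    flip the universal/local bit and insert ff:fe in the middle."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


class AutoconfigModule:
    """Automatic configuration module plus a binding table keyed by BRAS port,
    so a duplicate on one port does not block the same address on another."""

    def __init__(self, prefixes: dict):
        # Global /64 pre-configured per BRAS port (constructed table).
        self.prefixes = {p: ipaddress.ip_network(n) for p, n in prefixes.items()}
        self.bound: dict = {}   # (bras_port, address) -> mac

    def dad_free(self, bras_port: str, mac: str,
                 tentative: ipaddress.IPv6Address) -> bool:
        """DAD as seen by the BRAS: the tentative address is free unless
        another MAC on the same port already holds it."""
        owner = self.bound.get((bras_port, tentative))
        return owner is None or owner == mac.lower()

    def admit(self, bras_port: str, mac: str,
              tentative: ipaddress.IPv6Address, authenticated: bool) -> dict:
        if not self.dad_free(bras_port, mac, tentative):
            return {"status": "duplicate"}
        if not authenticated:
            # Reported to the device as "address cannot be used"; nothing bound.
            return {"status": "rejected"}
        self.bound[(bras_port, tentative)] = mac.lower()
        prefix = self.prefixes.get(bras_port)
        if prefix is None:
            return {"status": "link_local_only", "link_local": str(tentative)}
        # Global address = interface prefix + the device's interface identifier.
        iid = int(tentative) & ((1 << 64) - 1)
        glob = ipaddress.IPv6Address(int(prefix.network_address) | iid)
        self.bound[(bras_port, glob)] = mac.lower()
        return {"status": "ok", "link_local": str(tentative),
                "prefix": str(prefix), "global": str(glob)}


def demo() -> dict:
    """One admitted device, a second device claiming the same link-local on
    the same port, an unauthenticated device, and the same address on a
    different port (DAD is per link, so that one is allowed)."""
    mod = AutoconfigModule({"vlan-100": "2001:db8:100::/64",
                            "vlan-200": "2001:db8:200::/64"})
    ll = eui64_link_local("00:11:22:33:44:55")
    return {
        "first": mod.admit("vlan-100", "00:11:22:33:44:55", ll, True),
        "clash": mod.admit("vlan-100", "00:11:22:33:44:66", ll, True),
        "unauth": mod.admit("vlan-100", "00:11:22:33:44:77",
                            eui64_link_local("00:11:22:33:44:77"), False),
        "other_port": mod.admit("vlan-200", "00:11:22:33:44:66", ll, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The binding is keyed by port as well as address because the patent's point is that an address is tied to the line it was admitted on: a device on another port reusing the same link-local is a separate link, while a second MAC on the same port claiming an address that is already bound is reported as a duplicate rather than silently taking it over.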
  • Example 3: point-to-point access.
  • The access device applies for network access using the PPPoE protocol.
  • The access request message is bridged to the BRAS through the RTU and the multiplexer.
  • The protocol termination module in the BRAS determines the protocol format of the access request and finds that it was initiated with PPPoE. The message is handed to the PPP protocol module inside the protocol termination module, which terminates PPPoE and creates a corresponding virtual link; the access device is then notified to initiate an authentication request over the virtual link. If the access device accesses the network with PPP over asynchronous transfer mode (PPPoA) instead, the process jumps directly to step b;
  • The PPP protocol module extracts the account and password entered by the user from the request message and sends them to the A3S.
  • In this mode the A3S does not construct authentication information for the access device; it forwards the user-entered authentication information directly to the authentication proxy module.
  • The authentication proxy module constructs an authentication request message from the authentication information and the location information and sends it to the authentication module.
  • If the authentication module reports failure, the A3S notifies the PPP protocol module to initiate a link teardown towards the access device and tears down the corresponding virtual connection; otherwise the A3S notifies the PPP protocol module to initiate address allocation for the access device and requests the corresponding IP address from the address allocation proxy module.
  • Subsequent IP address allocation and binding are the same as in the DHCP access mode.
  • Once the A3S has obtained the assigned IP address: if the access request came from a PPPv4 user, the A3S feeds the IP address back to the PPP protocol module; if it came from a PPPv6 user, the pre-configured IP address prefix of the interface on which the user is located is returned to the access device and saved for the virtual link. When the user then performs automatic address configuration, the corresponding IP address prefix is returned to the user, from which the access device obtains a real (global) IP address.
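The authentication and binding flow of Example 1 (DHCP access, credentials constructed from the line's location) and Example 3 (PPP access, credentials entered by the user and passed through), as one added example that is not code from the patent or from Huawei: a toy A3S drives the authentication module and the address allocation module, binds the allocated IP address to (MAC, DSLAM port, BRAS port) and then checks a later packet against that binding. The credential layout, the message shapes, the provisioning table, the address pool and the MAC addresses are all assumptions constructed for the example.

```python
"""Added example, not code from the patent: a toy A3S (the BRAS scheduling
module) covering both access modes above. In DHCP mode it constructs
line-identity credentials from the DSLAM and BRAS port numbers; in PPP mode
it passes the user's own credentials through unchanged. Either way it
authenticates, allocates an address and binds it to (MAC, DSLAM port, BRAS
port) so later traffic can be checked against the binding. Credential
layout, message shapes and the provisioning table are assumptions."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    """Location information the BRAS learns from the access network."""
    dslam_id: str     # DSLAM device number
    dslam_port: str   # user access port on the DSLAM (e.g. an ADSL port)
    bras_id: str      # BRAS device number
    bras_port: str    # user-facing BRAS port (physical port or VLAN id)


def construct_credentials(loc: Location) -> tuple:
    """DHCP mode: account from DSLAM port + BRAS port, password from BRAS port.
    A password derived from a port number is not a secret; this is a
    line-identity credential, only as strong as the access network's ability
    to keep one subscriber from presenting another line's location info."""
    account = f"{loc.dslam_id}/{loc.dslam_port}@{loc.bras_id}/{loc.bras_port}"
    password = f"{loc.bras_id}/{loc.bras_port}"
    return account, password


def _pw_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


# Constructed provisioning table of the authentication module: one
# pre-provisioned subscriber line and one dial-up (PPP) user.
AUTH_DB = {
    "DSLAM-7/adsl-0-12@BRAS-1/vlan-100": {"pw": _pw_hash("BRAS-1/vlan-100"),
                                           "policy": "home-20M"},
    "alice": {"pw": _pw_hash("correct horse"), "policy": "ppp-50M"},
}


def authenticate(account: str, password: str) -> Optional[str]:
    """Authentication module: returns the user's policy on success, else None."""
    rec = AUTH_DB.get(account)
    expected = rec["pw"] if rec else _pw_hash("")  # hash+compare even for unknown accounts
    if not hmac.compare_digest(_pw_hash(password), expected) or rec is None:
        return None
    return rec["policy"]


class AddressAllocator:
    """Address allocation module: one pool per BRAS port plus a binding table
    IP -> (MAC, location, lease) used to police later traffic."""
    def __init__(self, pools: dict):
        self.free = {port: list(ipaddress.ip_network(net).hosts())
                     for port, net in pools.items()}
        self.bindings: dict = {}

    def allocate(self, mac: str, loc: Location, lease_s: int = 3600):
        pool = self.free.get(loc.bras_port)
        if not pool:
            return None
        ip = pool.pop(0)
        self.bindings[ip] = (mac.lower(), loc, lease_s)
        return ip, lease_s

    def packet_allowed(self, src_ip: str, src_mac: str, loc: Location) -> bool:
        """Anti-spoofing check: the source IP must be bound to this exact MAC
        on this exact DSLAM/BRAS port."""
        b = self.bindings.get(ipaddress.ip_address(src_ip))
        return b is not None and b[0] == src_mac.lower() and b[1] == loc


class A3S:
    """Scheduling module: authentication first, address allocation only on success."""
    def __init__(self, allocator: AddressAllocator):
        self.allocator = allocator
        self.ip_policy: dict = {}   # IP -> policy delivered by the authentication module

    def access(self, mode: str, mac: str, loc: Location, user_creds=None):
        if mode == "dhcp":
            account, password = construct_credentials(loc)
        elif mode == "ppp" and user_creds is not None:
            account, password = user_creds    # user-entered, passed through
        else:
            return None
        policy = authenticate(account, password)
        if policy is None:
            return None                       # failure: no address is handed out
        alloc = self.allocator.allocate(mac, loc)
        if alloc is None:
            return None
        ip, lease = alloc
        self.ip_policy[ip] = policy
        return {"ip": str(ip), "lease": lease, "policy": policy}


def demo() -> dict:
    """A provisioned line, an unprovisioned line, a PPP user, a bad PPP
    password, and a packet reusing the first line's IP from another port."""
    a3s = A3S(AddressAllocator({"vlan-100": "10.1.100.0/24"}))
    line_a = Location("DSLAM-7", "adsl-0-12", "BRAS-1", "vlan-100")
    line_b = Location("DSLAM-7", "adsl-0-13", "BRAS-1", "vlan-100")
    ok = a3s.access("dhcp", "00:11:22:33:44:55", line_a)
    return {
        "ok": ok,
        "unprovisioned": a3s.access("dhcp", "00:11:22:33:44:66", line_b),
        "ppp": a3s.access("ppp", "00:11:22:33:44:77", line_b, ("alice", "correct horse")),
        "ppp_bad": a3s.access("ppp", "00:11:22:33:44:77", line_b, ("alice", "wrong")),
        "spoof_allowed": a3s.allocator.packet_allowed(ok["ip"], "00:11:22:33:44:66", line_b),
        "legit_allowed": a3s.allocator.packet_allowed(ok["ip"], "00:11:22:33:44:55", line_a),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The caveat a practitioner should keep in mind is stated in `construct_credentials`: in the DHCP mode the "password" is derived from location information the BRAS already knows, so what is really being authenticated is the line, not a secret held by the user. The scheme therefore depends on the DSLAM and BRAS being the only parties that can assert a port number, and on the binding check (`packet_allowed`) being enforced on every subsequent packet, not only at address allocation.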
  • Charging is then started. The corresponding charging methods are described below through three examples.
  • Example 1-1: the charging method corresponding to the DHCP access mode.
  • The DHCP protocol module in the protocol termination module waits for an ARP or ND packet sent by the user.
  • When the access device accesses the Internet with the assigned IP address and the DHCP module receives such a packet, it determines that the user is online and reports this to the A3S module. The A3S module then initiates a charging start request to the charging module through the charging proxy module, and charging for the user begins.
  • Thereafter the DHCP protocol module checks whether ARP (Address Resolution Protocol) or ND (Neighbor Discovery) packets from the user are present.
  • Example 2-1: the charging method corresponding to the automatic configuration access mode.
  • The automatic configuration module in the protocol termination module waits for global IP address information sent by the access device.
  • When the automatic configuration module detects the user's global IP address information, it determines that the user is online and reports this to the A3S module. The A3S module then initiates a charging start request to the charging module through the charging proxy module, and charging for the user begins.
  • The automatic configuration module checks at fixed intervals whether the global IP address is still present.
  • When it detects that the access device's global IP address is no longer present, it determines that the user has gone offline and reports this to the A3S module. The A3S then sends a charging stop request to the charging module through the charging proxy module, and charging for the user is stopped.
  • Example 3-1: the point-to-point (PPP) access mode.
  • The charging method is similar to the two preceding charging examples.
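The online/offline detection behind Examples 1-1 and 2-1, as an added example that is not code from the patent: the protocol termination module reports a user online on the first ARP or ND packet seen from a bound (port, MAC, IP) triple and offline when a periodic check finds no packet within a liveness window, and the A3S turns both events into charging start and stop requests. Packets that do not match a binding are ignored, so traffic from another line cannot start or prolong someone else's session. The event log, the check period, the liveness window and the addresses are constructed for the example.

```python
"""Added example, not code from the patent: online/offline detection that
drives charging. A user goes online on the first ARP/ND packet from a bound
(port, MAC, IP) triple and offline when a periodic check finds no packet
within idle_timeout; the A3S emits charging start/stop requests. Unbound
packets are ignored. Event log, period and window are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    key: tuple            # (bras_port, mac, ip) as bound at address allocation
    start: int            # time of the first ARP/ND packet (user online)
    last_seen: int
    stop: Optional[int] = None


class ChargingProxy:
    """Stand-in for the charging proxy module: records start/stop requests."""
    def __init__(self):
        self.requests = []

    def start(self, key, t):
        self.requests.append(("start", key, t))

    def stop(self, key, t):
        self.requests.append(("stop", key, t))


class OnlineTracker:
    def __init__(self, bindings: set, charging: ChargingProxy, idle_timeout: int = 180):
        self.bindings = bindings          # (port, mac, ip) triples bound at allocation
        self.charging = charging
        self.idle_timeout = idle_timeout
        self.active: dict = {}
        self.closed: list = []
        self.ignored = 0

    def observe(self, t: int, key: tuple, kind: str) -> None:
        """ARP/ND packet from the access network, attributed to its (port, MAC, IP)."""
        if kind not in ("arp", "nd") or key not in self.bindings:
            self.ignored += 1             # not a bound line: neither starts nor extends a session
            return
        s = self.active.get(key)
        if s is None:
            self.active[key] = Session(key, t, t)
            self.charging.start(key, t)   # user online -> charging starts
        else:
            s.last_seen = t

    def periodic_check(self, now: int) -> None:
        """Every check period: users silent for idle_timeout are taken offline."""
        for key, s in list(self.active.items()):
            if now - s.last_seen >= self.idle_timeout:
                s.stop = now
                self.charging.stop(key, now)   # user offline -> charging stops
                self.closed.append(self.active.pop(key))


def run(events, bindings, end: int, period: int = 60, idle_timeout: int = 180) -> dict:
    """Replays timestamped events against a check every `period` seconds."""
    charging = ChargingProxy()
    tracker = OnlineTracker(bindings, charging, idle_timeout)
    pending = sorted(events)
    for check_at in range(period, end + 1, period):
        while pending and pending[0][0] <= check_at:
            t, key, kind = pending.pop(0)
            tracker.observe(t, key, kind)
        tracker.periodic_check(check_at)
    durations = {s.key: s.stop - s.start for s in tracker.closed}
    return {"requests": charging.requests, "durations": durations,
            "ignored": tracker.ignored, "still_online": list(tracker.active)}


LINE_A = ("vlan-100", "00:11:22:33:44:55", "10.1.100.1")
LINE_B = ("vlan-100", "00:11:22:33:44:77", "10.1.100.2")
SPOOF = ("vlan-100", "00:11:22:33:44:66", "10.1.100.1")   # A's IP from another MAC

# Constructed event log: (time_s, (bras_port, mac, ip), packet kind).
EVENTS = [
    (10, LINE_A, "arp"), (70, LINE_A, "nd"), (130, LINE_A, "arp"),
    (200, SPOOF, "arp"),                      # not bound: ignored
    (400, LINE_B, "arp"),
]


def demo() -> dict:
    return run(EVENTS, {LINE_A, LINE_B}, end=600)


if __name__ == "__main__":
    print(demo())
```

With a 60 s check period and a 180 s window, line A (last packet at 130 s) is taken offline at the 360 s check and line B (first packet at 400 s) at the 600 s check, so the billed durations are 350 s and 200 s. The window is what decides how much idle time an operator bills, so it is a tariff decision as much as a detection parameter.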


Abstract

System, method and access server for authentication, intended to solve the problems currently faced when adding WEB devices to the system: the use of multiple protocols, the impossibility of binding the IP address to the access point, and the impossibility of plug-and-play operation of devices. The system comprises a broadband remote access server (BRAS) connected to the access device, and a function server connected to the BRAS. The BRAS comprises a protocol termination module for receiving and terminating protocol messages sent by the access device, and a proxy module for constructing messages. The BRAS further comprises a scheduling module which, for the non-dial-up access mode, constructs authentication information, sends it to the proxy module and conveys address allocation and charging information, or, for the dial-up access mode, passes the authentication information directly to the proxy module and conveys address allocation and charging information.
PCT/CN2006/001500 2005-06-29 2006-06-29 Systeme, procede et serveur d'acces pour authentification WO2007000120A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2005100801119A CN100421403C (zh) 2005-06-29 2005-06-29 一种认证接入系统及其认证接入方法
CN200510080111.9 2005-06-29

Publications (1)

Publication Number Publication Date
WO2007000120A1 true WO2007000120A1 (fr) 2007-01-04

Family

ID=37578744

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/001500 WO2007000120A1 (fr) 2005-06-29 2006-06-29 Systeme, procede et serveur d'acces pour authentification

Country Status (2)

Country Link
CN (1) CN100421403C (fr)
WO (1) WO2007000120A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114520737A (zh) * 2022-01-26 2022-05-20 北京华信傲天网络技术有限公司 一种无线用户的二层数据访问控制方法及系统
CN115001745A (zh) * 2022-04-24 2022-09-02 四川天邑康和通信股份有限公司 一种基于政企网关的内网用户本地认证的系统及方法
WO2024098948A1 (fr) * 2022-11-09 2024-05-16 华为技术有限公司 Procédés de communication, support d'enregistrement et produit programme

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025475A (zh) * 2009-09-23 2011-04-20 中兴通讯股份有限公司 热备份场景下的地址分配方法、装置和系统
CN102244867B (zh) * 2010-05-14 2013-05-01 新浪网技术(中国)有限公司 一种网络接入控制方法和系统
CN102413199B (zh) * 2011-10-20 2013-12-04 江苏省邮电规划设计院有限责任公司 一种宽带接入服务器创建和上报地址映射关系的系统和方法
CN103108324A (zh) * 2011-11-09 2013-05-15 中兴通讯股份有限公司 一种接入认证方法及系统
CN102420818A (zh) * 2011-11-28 2012-04-18 中国联合网络通信集团有限公司 网络访问控制方法、装置和系统
CN103516671B (zh) * 2012-06-21 2018-08-07 中兴通讯股份有限公司 一种用户业务的接入处理方法及接入设备及接入终端
CN103856469A (zh) * 2012-12-06 2014-06-11 中国电信股份有限公司 支持dhcp认证溯源的方法、系统与dhcp服务器
CN107124398B (zh) * 2017-03-29 2021-12-03 华为技术有限公司 一种认证终端设备的方法、装置及系统
CN111510394B (zh) 2019-01-31 2022-04-12 华为技术有限公司 一种报文调度方法、相关设备及计算机存储介质
CN111314503B (zh) * 2020-03-31 2022-03-29 新华三信息安全技术有限公司 IPoE用户表的恢复方法及装置

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010039244A1 (en) * 1998-03-10 2001-11-08 Fuji Photo Film Co., Ltd. Recording sheet package, correction information sheet for the same, and thermal printer for use therewith

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7088708B2 (en) * 2001-09-20 2006-08-08 The Directv Group, Inc. System and method for remotely communicating with a broadband modem
ES2279078T3 (es) * 2003-06-24 2007-08-16 Alcatel Lucent Red de acceso a linea de abonado digital con un control mejorado de la autenticacion, autorizacion, contabilidad y configuracion para servicios de emision multiple.
CN1286297C (zh) * 2003-09-25 2006-11-22 华为技术有限公司 一种实现用户位置标识传递的方法


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ZHOU X.: "BRIEF INTRODUCTION OF BROADBAND USER ACCESS AUTHENTICATION TECHNOLOGY (1)", CATV TECHNOLOGY, no. 20, 2004, pages 18 *
ZHOU X.: "BRIEF INTRODUCTION OF BROADBAND USER ACCESS AUTHENTICATION TECHNOLOGY (2)", CATV TECHNOLOGY, no. 21, 2004, pages 18 *


Also Published As

Publication number Publication date
CN1889484A (zh) 2007-01-03
CN100421403C (zh) 2008-09-24


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase; ref country code: DE
WWW Wipo information: withdrawn in national office; country of ref document: DE
122 Ep: pct application non-entry in european phase; ref document number: 06753065; country of ref document: EP; kind code of ref document: A1