WO2007131426A1 - Aaa system and authentication method of multi-hosts network - Google Patents
- Publication number
- WO2007131426A1 (PCT/CN2007/001398)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- bridge
- gateway
- host
- aaa
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
Definitions
- the present invention relates to mobile communication technologies, and in particular to broadband wireless access technologies, and more particularly to an AAA system and an authentication method for a multi-host network.
- AAA refers to authentication, authorization and accounting. After the user has been authenticated, authorization grants the permissions corresponding to the service type the user subscribed to when opening the account. When the user consumes network resources, the corresponding device in the AAA system accounts for the resources the user occupies and charges the corresponding fee.
- FIG. 1 is the network architecture of a WiMAX (Worldwide Interoperability for Microwave Access) system based on a mobile station (MS).
- the MS 11 connects to the access service network (ASN) 12 over the R1 reference point through a base station (BS, not shown); R1 uses 802.16e wireless transmission technology.
- the ASN 12 is connected to the connection service network (CSN) 14 of the visited network service provider (V-NSP) 13 through an R3 reference point, and the CSN 14 of the V-NSP and the CSN 16 of the home network service provider (H-NSP) 15 are connected by an R5 reference point.
- CSN Connection Service Network
- H-NSP Home-Network Service Provider
- the AAA Authorization Framework of RFC2094 provides three configurations of the AAA framework: the agent sequence/model, the pull sequence/model and the push sequence/model. The main differences between the three models are (1) how the requester communicates with the authentication server and (2) how control messages such as keys and policies are configured into the bearer device.
- the WiMAX Forum recommends using the pull sequence/model to define the AAA architecture of the WiMAX system of Figure 1, as shown in Figures 2 through 5:
- FIG. 2 shows a non-roaming AAA architecture that is not compatible with traditional CSN.
- the operator (NSP, Network Service Provider) is divided into an access service network (ASN) 21 and a connection service network (CSN) 22.
- the service device of the ASN serves as a network access server (NAS) 23.
- the CSN 22 includes one or more AAA servers 24.
- the AAA server supports the three-party authentication mechanism of "supplicant", "authenticator" and "authentication server".
- the three-party authentication mechanism supports multiple authentication methods based on the EAP (Extensible Authentication Protocol), such as EAP-TLS (EAP-Transport Layer Security), EAP-TTLS (EAP-Tunneled TLS), PEAP (Protected EAP), EAP-SIM (EAP-Subscriber Identity Module) and EAP-AKA (EAP-Authentication and Key Agreement), and can support strong key derivation methods.
- EAP-TLS EAP-Transport Layer Security
- EAP-TTLS EAP-Tunneled TLS
- PEAP Protected EAP, Protected Extensible Authentication Protocol
- EAP-SIM EAP-Subscriber Identity Module
- EAP-AKA EAP-Authentication and Key Agreement
- the MS is the supplicant; the service device of the NAS implements the authenticator; and the AAA server is the authentication server.
- the ASN includes one or more network access servers, that is, the ASN may include one or more authenticators/AAA clients.
- the AAA protocol is adopted between the NAS and the AAA server.
- AAA protocols include Diameter and RADIUS (Remote Authentication Dial In User Service).
- the authentication process for users under this architecture is as follows:
- the MS connects to the NAS and sends an access request; the NAS collects the access authentication request sent by the MS and transmits it to the AAA server of the CSN.
- after the AAA server completes authentication, it sends an accept or reject message to the NAS. If authentication succeeds, the accept message also carries the authorization information, and the related accounting function is started.
- after receiving the response from the AAA server, the NAS notifies the MS that access is allowed or denied.
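The pull-model exchange just described, as an added example that is not part of the patent text: the supplicant (MS) talks only to the NAS, the NAS relays every message to the AAA server and applies its verdict, and the credential never leaves the supplicant and the server. The challenge/response is a simplified HMAC scheme standing in for an EAP method, and the class names, identities, keys and service names are constructed for this illustration.

```python
"""Constructed simulation of the pull-model three-party AAA exchange:
supplicant (MS) -> authenticator (NAS) -> authentication server (AAA).
Simplified HMAC challenge/response, not a real EAP method."""
import hashlib
import hmac
import secrets


class AAAServer:
    """Authentication server in the CSN: holds subscriber keys and decides."""

    def __init__(self, subscribers):
        # identity -> (pre-shared key, authorized services); constructed data
        self.subscribers = subscribers
        self.pending = {}   # (nas_id, identity) -> outstanding challenge nonce

    def handle(self, nas_id, msg):
        identity = msg.get("identity")
        if msg["type"] != "Access-Request" or identity is None:
            return {"type": "Access-Reject", "reason": "malformed"}
        if identity not in self.subscribers:
            return {"type": "Access-Reject", "reason": "unknown identity"}
        if "response" not in msg:
            nonce = secrets.token_bytes(16)
            self.pending[(nas_id, identity)] = nonce
            return {"type": "Access-Challenge", "identity": identity, "nonce": nonce}
        nonce = self.pending.pop((nas_id, identity), None)
        if nonce is None:
            return {"type": "Access-Reject", "reason": "no challenge outstanding"}
        psk, services = self.subscribers[identity]
        # binding the NAS identity into the MAC stops a response computed for
        # one authenticator from being replayed through another
        expected = hmac.new(psk, nonce + nas_id.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, msg["response"]):
            return {"type": "Access-Accept", "identity": identity, "services": services}
        return {"type": "Access-Reject", "reason": "bad response"}


class Supplicant:
    """The MS: knows its identity and pre-shared key, nothing about the server."""

    def __init__(self, identity, psk):
        self.identity, self.psk = identity, psk

    def start(self):
        return {"type": "Access-Request", "identity": self.identity}

    def answer(self, challenge, nas_id):
        resp = hmac.new(self.psk, challenge["nonce"] + nas_id.encode(), hashlib.sha256).digest()
        return {"type": "Access-Request", "identity": self.identity, "response": resp}


class NAS:
    """Authenticator: forwards requests, relays challenges, applies the verdict
    and starts accounting on Access-Accept."""

    def __init__(self, nas_id, server, max_rounds=4):
        self.nas_id, self.server, self.max_rounds = nas_id, server, max_rounds
        self.accounting = []   # (identity, services) for accepted sessions

    def authenticate(self, ms):
        msg = ms.start()
        for _ in range(self.max_rounds):   # bounded relay loop
            reply = self.server.handle(self.nas_id, msg)
            if reply["type"] == "Access-Challenge":
                msg = ms.answer(reply, self.nas_id)
                continue
            if reply["type"] == "Access-Accept":
                self.accounting.append((reply["identity"], reply["services"]))
                return True, reply
            return False, reply
        return False, {"type": "Access-Reject", "reason": "too many rounds"}
```

The NAS never inspects the response value; it only sees Access-Challenge, Access-Accept or Access-Reject, which is the property the pull model relies on when the NAS is operated by a network other than the subscriber's home.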
- FIG 3 shows a non-roaming AAA architecture compatible with the traditional CSN.
- the connection service network 32 of the operator belongs to a traditional NSP whose authentication and authorization back end is not compatible with the AAA protocol. Therefore the authentication request transmitted by the NAS 23 to the CSN passes through an Internet Gateway (IWG) 34 added in the CSN, which maps the AAA protocol and its attributes to the specific protocols and attributes of the traditional carrier before the authentication and authorization process is performed.
- the carrier's accept and reject messages are then mapped back to the AAA protocol by the IWG and transmitted to the NAS.
- IWG Internet Gateway
- FIG. 4 and FIG. 5 respectively show a roaming AAA architecture that is incompatible with a traditional CSN and one that is compatible with it.
- in Figure 4, the AAA server 43 in the V-NSP 41 acts as an AAA proxy and passes the authentication request sent by the NAS 23 to the AAA server 44 of the H-NSP 42.
- in Figure 5, the authentication request transmitted by the NAS 23 to the CSN 52 also passes through the IWG 54 in the CSN 52, which maps the AAA protocol and attributes to the specific protocols and attributes of the traditional carrier before the authentication and authorization process is performed.
- when the AAA proxy of the V-NSP receives an accept or reject message from the CSN of the H-NSP, it forwards it to the NAS 23.
- there may be one or more AAA brokers and AAA agents between the NAS and the AAA server.
- an AAA session always exists between the NAS and the AAA server; an AAA broker that provides NAI (Network Access Identifier) based routing is optional.
- NAI Network Access Identifier
- MS authentication includes device authentication and user authentication.
- both device authentication and user authentication can be performed, or only device authentication, or only user authentication.
- if both device authentication and user authentication are performed, the device authentication of the MS is performed before the user authentication.
- if the MS device authentication uses a digital certificate, such as X.509, an EAP method that supports digital certificates, such as EAP-TLS, is used.
- a digital certificate such as X.509
- an EAP method that supports digital certificates such as EAP-TLS
- to shorten the round-trip delay of device authentication, the authentication server in the AAA architecture is merged with the authenticator, and the MS uses its MAC (Medium Access Control) address as the device identifier, so device authentication is performed at the NAS of the ASN and not at the CSN.
- MAC Medium Access Control
- if a PSK-based EAP method, such as EAP-PSK, is used to perform device authentication, the device authentication of the MS runs between the G-Host (Gateway-Host) and the V-CSN/H-CSN.
- G-Host Gateway-Host
- the MS device uses the NAI as the device identifier.
- when the MS accesses the local network, it requests authentication, according to the NAI, from the AAA server in the H-CSN through the AAA proxy in the V-CSN.
- if the device authentication and user authentication of the MS are both performed but terminate on different authentication servers, the dual EAP mode is used; if they terminate on the same authentication server, the MS uses the dual EAP mode or combines device authentication and user authentication in a single EAP mode. If only device authentication or only user authentication of the MS is performed, the single EAP mode is adopted.
- the MS is the supplicant
- the NAS of the ASN is the authenticator
- the AAA server of the CSN is the authentication server
- the BS is the authentication relay
- the other AAA agents/brokers are optional in the roaming state.
- the EAP packets of MS user authentication terminate on the AAA server.
- the EAP packets between the MS and the BS are carried in PKMv2 (Privacy Key Management version 2; EAP carried in PKM is referred to as EAPoP for short) and transmitted to the BS over the 802.16 air interface.
- PKMv2 also supports three-party authentication mechanisms and multiple EAP authentication methods.
- PKMv2 is specified by IEEE 802.16-2004 and 802.16e with EAP to support user authentication and device authorization.
- IEEE 802.16-2004 and 802.16e also specify PKMv1 with EAP, which only supports device authentication and authorization, and supports fixed users in mobile networks.
- the EAP packets between the BS and the authenticator are contained in the authentication relay protocol and transmitted to the ASN over the link between the BS and the ASN.
- the ASN NAS is the Authenticator.
- the EAP packets between the NAS and the AAA server are carried in the AAA protocol, and the AAA packets are carried in UDP/IP (User Datagram Protocol/IP). The user information is verified on the AAA server of the CSN, to which it is passed over the transport layer protocol.
- UDP/IP User Datagram Protocol/IP
- FIG. 7 and FIG. 8 show flow charts of device authentication using the EAP-TLS authentication method.
- in Figure 7, both the device authentication and the user authentication of the MS are performed, and the MS adopts the dual EAP mode.
- the MS performs device authentication first; since the authentication server is merged with the authenticator, the MS device authentication terminates in the ASN. After device authentication, the MS performs user authentication, which terminates in the CSN. In Figure 8, the MS performs only device authentication, which terminates in the ASN.
- the ASN carries the device identifier (MAC address) of the MS in the AAA protocol and passes it to the CSN to inform the AAA server that MS device authentication has passed. The AAA server can then further authorize the MS to access the corresponding services of the ASN.
- MAC address device identifier
- Figure 9 and Figure 10 show flow charts of device authentication using the EAP-PSK authentication method.
- in Figure 9, both the device authentication and the user authentication of the MS are performed.
- the MS uses the dual EAP mode.
- the device authentication and user authentication of the MS terminate on the same authentication server.
- in Figure 10, the device authentication and user authentication of the MS terminate on the same AAA server.
- the MS adopts the single EAP mode to perform MS device authentication and user authentication jointly, terminating in the CSN.
- a gateway device/bridge device can support multiple host devices.
- FIG. 11 shows a multi-host network in which a gateway relay station/gateway mobile station (G-RS/G-MS) 110 built on a gateway device provides support for multiple hosts; if a bridge device is used to provide multiple-host support, a bridge relay station/bridge mobile station is used instead of the G-RS/G-MS in Figure 11.
- the host device is a network.
- the hosts 101, 102 are connected to the G-RS/G-MS through the first interface, and the G-RS/G-MS is connected to a BS (not shown) through the second interface in order to reach the ASN 111;
- the first interface is a G interface, which uses 802.3, 802.16 or 802.11 transmission technology; the second interface is an R1 interface, which uses 802.16e wireless transmission technology.
- the ASN 111 and the CSN 112 are connected by an R3 reference point, and the CSN 113 of the NAP+V-NSP and the CSN 112 of the H-NSP are connected by an R5 reference point.
- once the gateway device/bridge device and the host devices are added to the WiMAX network of Figure 11, the existing AAA architecture and authentication method cover only MS authentication in the original network. Therefore a new AAA architecture and a corresponding authentication method are needed to support authentication of gateway devices/bridge devices and host devices in a multi-host WiMAX network.
- the embodiment of the invention provides an AAA system and an authentication method for supporting a multi-host network, and can flexibly select a location of the NAS in the AAA system, and authenticate the gateway device/bridge device and the host device.
- an embodiment of the present invention provides an AAA system of a multi-host network, including an access service network and a connection service network, where a network access server is set in the access service network and at least one AAA server is set in the connection service network, and where
- the AAA system further includes a gateway device/bridge device and a host device; the host device is connected to the gateway device/bridge device; the gateway device/bridge device is provided with a network access server; host device authentication is performed separately from gateway device/bridge device authentication; the gateway device/bridge device, the network access server in the access service network and the AAA server perform the three-party authentication for device authentication and/or user authentication of the gateway device/bridge device; and the host device, the network access server in the gateway device/bridge device and the AAA server perform the three-party authentication for device authentication and/or user authentication of the host device.
- the embodiment of the present invention further provides an authentication method for the AAA system of a multi-host network, wherein when the host device is connected to the gateway device/bridge device, the AAA system authenticates the gateway device/bridge device and the host device separately:
- the gateway device/bridge device first transmits its authentication information to the AAA server of the connection service network through the network access server in the access service network, and the gateway device/bridge device, the network access server in the access service network and the AAA server perform the three-party authentication for device authentication and/or user authentication of the gateway device/bridge device;
- after the device authentication and/or user authentication of the gateway device/bridge device is completed, the host device transmits its authentication information to the AAA server of the connection service network through the network access server in the gateway device/bridge device, and the host device, the network access server in the gateway device/bridge device and the AAA server perform the three-party authentication for device authentication and/or user authentication of the host device.
- the embodiment of the present invention further provides an AAA system of a multi-host network, including an access service network and a connection service network, where the access service network is provided with a network access server and the connection service network is provided with at least one AAA server, and where
- the AAA system further includes a gateway device/bridge device and a host device; the host device is connected to the gateway device/bridge device; the gateway device/bridge device is connected to the access service network; host device authentication and gateway device/bridge device authentication are performed separately and independently; the gateway device/bridge device, the network access server in the access service network and the AAA server perform the three-party authentication for device authentication and/or user authentication of the gateway device/bridge device;
- and the host device, the network access server in the access service network and the AAA server perform the three-party authentication for device authentication and/or user authentication of the host device.
- the embodiment of the present invention further provides an authentication method for the AAA system of a multi-host network, wherein when the host device is connected to the gateway device/bridge device, the AAA system authenticates the gateway device/bridge device and the host device separately:
- the gateway device/bridge device is authenticated first: the gateway device/bridge device, the network access server in the access service network and the AAA server perform the three-party authentication for device authentication and/or user authentication of the gateway device/bridge device; after the device authentication and/or user authentication of the gateway device/bridge device is completed, the host device transmits its authentication information to the AAA server of the connection service network through the network access server of the access service network;
- the host device, the network access server in the access service network and the AAA server perform the three-party authentication for device authentication and/or user authentication of the host device.
- the embodiment of the present invention provides an AAA system for a multi-host WiMAX network and solves, at the level of mechanism and protocol flow, the support for authentication and authorization of the gateway device/bridge device and the host device.
- the network access server can be flexibly set in the gateway device/bridge device or in the ASN.
- by flexibly locating the network access server and providing authentication of both the gateway device/bridge device and the host device, it becomes possible to authorize and bill the host device in the multi-host WiMAX network.
DRAWINGS
- FIG. 1 is a schematic diagram of an existing WiMAX network
- Figure 2 shows a non-roaming AAA architecture that is not compatible with traditional connection service networks
- Figure 3 shows an existing non-roaming AAA architecture compatible with a traditional connection service network
- Figure 4 shows the existing roaming AAA architecture that is not compatible with the traditional connection service network
- Figure 5 shows an existing roaming AAA architecture compatible with a traditional connection service network
- FIG. 7 is a flowchart of an embodiment of performing MS device authentication and user authentication in the prior art
- FIG. 8 is a flowchart of an embodiment in which the MS performs device authentication only in the prior art
- FIG. 9 is a flowchart of another embodiment of performing MS device authentication and user authentication in the prior art.
- FIG. 10 is a flowchart of joint authentication of MS device authentication and user authentication in the prior art;
- FIG. 11 is a schematic diagram of a prior art multi-host network structure based on a gateway device;
- FIG. 13 is a non-roaming AAA system compatible with a traditional connection service network based on a multi-host network according to an embodiment of the present invention
- FIG. 15 is a roaming AAA system compatible with a traditional connection service network based on a multi-host network according to an embodiment of the present invention
- FIG. 16 is a user authentication protocol stack of an embodiment of a gateway host when the network access server is set in the gateway relay station/gateway mobile station in the system according to the embodiment of the present invention
- FIG. 17 is a user authentication protocol stack of another embodiment of a gateway host when the network access server is set in the gateway relay station/gateway mobile station in the system according to the embodiment of the present invention
- Figure 18 is a flow diagram of an embodiment of both gateway host device authentication and user authentication based on Figures 16 and 17;
- Figure 19 is a flow diagram of an embodiment of performing only gateway host device authentication based on Figures 16 and 17;
- Figure 20 is a flow diagram of another embodiment of gateway host device authentication and user authentication based on Figures 16 and 17;
- FIG. 21 is a flow diagram of another embodiment of performing only gateway host device authentication based on FIGS. 16 and 17.
- FIG. 22 is a user authentication protocol stack of an embodiment of a gateway host when the network access server is in the access service network in the system according to an embodiment of the present invention
- FIG. 23 is a user authentication protocol stack of another embodiment of a network access server in an access service network in a system according to an embodiment of the present invention.
- Figure 24 is a flow chart of the conversion of EAPOL and ⁇ in Figure 23;
- Figure 25 is a flow diagram of an embodiment of both gateway host device authentication and user authentication based on Figures 23 and 24;
- Figure 26 is a flow diagram of an embodiment of performing gateway host device authentication based on Figures 23 and 24;
- Figure 27 is a flow diagram of another embodiment of device authentication and user authentication based on the gateway hosts of Figures 23 and 24;
- Figure 28 is a flow diagram of another embodiment of an embodiment of performing only gateway host device authentication based on Figures 23 and 24.
- FIG. 12 is a schematic diagram of an embodiment of an AAA system supporting a WiMAX multi-host network by a G-RS/G-MS (gateway relay station/gateway mobile station) in the non-roaming state.
- the operator is divided into G-MS/G-RS+ASN and CSN.
- the gateway host 121 is connected to the G-RS/G-MS through the gateway interface as the first interface.
- the G-MS/G-RS is connected to the base station of the ASN by using the R1 interface as a second interface (not shown).
- the service device of the G-MS/G-RS + ASN is the network access server 122; that is, in addition to setting the service device of the ASN as the network access server (NAS), the service device of the G-RS/G-MS can also be set as a network access server.
- the G-MS/G-RS or the ASN can be set to include one or more NASs, that is, multiple authenticators/AAA clients (not shown), such as multiple RADIUS clients or Diameter clients, and zero or more AAA proxies.
- the AAA server 124 is included in the connection service network 123.
- FIG. 13 shows another embodiment of an AAA system supporting a WiMAX multi-host network with a G-RS/G-MS in the non-roaming state.
- the CSN belongs to a traditional carrier whose authentication and authorization back end is not compatible with the AAA protocol, so the AAA protocol and attributes are mapped to the specific protocols and attributes of the traditional NSP through an IWG 134 function added in the CSN. The authentication message returned by the operator is then mapped back to the AAA protocol by the IWG and transmitted to the AAA client.
- FIG. 14 and FIG. 15 respectively show a roaming AAA system that is incompatible with a traditional CSN and one that is compatible with it, supporting a WiMAX multi-host network with a G-RS/G-MS.
- the AAA server 143 in the V-NSP 141 is shown.
- the message sent by the NAS in the G-MS/G-RS + ASN is delivered to the AAA server 144 of the H-NSP 142.
- the CSN 151 belongs to a traditional carrier whose authentication and authorization back end is not compatible with the AAA protocol. Therefore the AAA protocol and attributes are mapped to the specific protocols and attributes of the traditional NSP through the IWG 152 function added in the CSN 151.
- the authentication message returned by the operator is then mapped back to the AAA protocol by the IWG and transmitted to the AAA server 143.
- when the AAA proxy of the V-NSP receives the accept or reject message from the CSN of the H-NSP, it forwards it to the G-MS/G-RS + ASN.
- one or more AAA brokers and AAA agents may exist between the NAS and the AAA server. An AAA session always exists between the NAS and the AAA server, and AAA brokers that provide routing based on the NAI realm are optional.
- both the gateway host and the G-RS/G-MS need to be authenticated.
- the authentication and authorization method based on the embodiments of the WiMAX network AAA system supporting multiple hosts in Figures 12 to 15 is as follows:
- 1) The authentication of the G-RS/G-MS and the authentication of the gateway host are performed separately; the two are independent of each other.
- 2) The G-RS/G-MS, the NAS of the ASN and the AAA server perform the three-party authentication for G-RS/G-MS device authentication and/or user authentication.
- both G-RS/G-MS device authentication and user authentication can be performed, or only G-RS/G-MS device authentication, or only G-RS/G-MS user authentication. If both are performed but terminate on different authentication servers (including AAA servers in different CSNs, or different AAA servers in the same CSN), the G-RS/G-MS adopts the dual EAP mode.
- if both are performed and terminate on the same authentication server, the G-RS/G-MS adopts the dual EAP mode, or the single EAP mode that combines device authentication and user authentication of the G-RS/G-MS. If only G-RS/G-MS device authentication or only G-RS/G-MS user authentication is performed, the G-RS/G-MS adopts the single EAP mode.
- 3) The device authentication of the gateway host precedes the user authentication. The gateway host, the NAS of the G-RS/G-MS + ASN and the AAA server perform the three-party authentication for device authentication and/or user authentication of the gateway host.
- both gateway host device authentication and user authentication can be performed, or only gateway host device authentication, or only gateway host user authentication. If both are performed but terminate on different authentication servers (including AAA servers belonging to different CSNs, or different AAA servers of the same CSN), the gateway host adopts the dual EAP mode. If both are performed and terminate on the same authentication server (the same AAA server), the gateway host adopts the dual EAP mode, or the single EAP mode in which device authentication and user authentication are carried out jointly. If the gateway host performs only device authentication or only user authentication, it adopts the single EAP mode.
- 4) G-RS/G-MS authentication precedes gateway host authentication.
- when the service device of the G-RS/G-MS is also set as a network access server, then during G-RS/G-MS authentication the G-RS/G-MS is the "supplicant", the NAS in the ASN is the "authenticator" of the G-RS/G-MS, and the AAA server in the CSN is the "authentication server"; during gateway host authentication the gateway host is the "supplicant", the NAS in the G-RS/G-MS is the "authenticator" of the gateway host, and the AAA server in the CSN is still the "authentication server".
- the authentication of the G-RS/G-MS and of the gateway host is performed separately, and gateway host authentication is performed after G-RS/G-MS authentication is completed.
- the G-RS/G-MS, the NAS of the ASN and the AAA server perform the three-party authentication for G-RS/G-MS device authentication and/or user authentication.
- if the G-RS/G-MS uses a digital certificate to perform device authentication, then to avoid CSN involvement and shorten the round-trip delay of G-RS/G-MS device authentication,
- the authentication server in the AAA system is merged with the authenticator: the G-RS/G-MS uses its MAC address as the device identifier and performs device authentication on the NAS of the ASN.
- the ASN transmits the device identifier (MAC address) to the AAA server and informs it whether G-RS/G-MS device authentication passed. If so, the AAA server further authorizes the ASN to allow the G-RS/G-MS to access the corresponding services.
- if instead the G-RS/G-MS device authentication runs between the gateway host and the V-CSN/H-CSN, the G-RS/G-MS uses the Network Access Identifier (NAI) as the device identifier. According to the NAI, the G-RS/G-MS requests authentication from the AAA server in the H-CSN through the AAA proxy in the V-CSN.
- NAI Network Access Identifier
- after G-RS/G-MS device authentication is completed, G-RS/G-MS user authentication is performed; G-RS/G-MS user authentication uses only a pre-shared key.
- the device authentication and user authentication authentication process of the G-RS/G-MS is the same as the device authentication and user authentication of the existing MS.
- the AAA system authenticates the gateway host t.
- if the gateway host performs device authentication using a digital certificate, such as X.509, it uses an EAP method that supports digital certificates, such as EAP-TLS.
- to avoid CSN involvement and shorten the round-trip delay,
- the authenticator is merged with the authentication server,
- the gateway host uses its MAC address as the device identifier,
- and the gateway host performs its device authentication on the NAS of the G-RS/G-MS,
- so the device authentication of the gateway host terminates at the G-RS/G-MS.
- the G-RS/G-MS sends the MAC address of the gateway host to the CSN through the AAA protocol.
- based on the received MAC address of the gateway host device, the CSN checks whether the digital certificate of the gateway host device, such as an X.509 certificate, is valid.
- the NAI is not used as the device identifier, to prevent gateway host authentication from extending into other management domains.
- if instead the EAP method runs between the gateway host and the V-CSN/H-CSN,
- the gateway host device authentication terminates in the CSN, and the gateway host identifies itself to the H-CSN with the NAI as the device identifier.
- when the gateway host accesses the local network, it requests authentication, according to the NAI, from the AAA server in the H-CSN through the AAA proxy in the V-CSN.
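The ordering and termination rules in the method above (items 1 to 4, the role assignment when the G-RS/G-MS carries its own NAS, and the two device-authentication variants for the G-RS/G-MS and for the gateway host), as an added example that is not the patent's own code: a small model of the CSN AAA server plus the two NAS locations, which refuses to authenticate a gateway host before its G-RS/G-MS has passed, records where each authentication terminated, chooses MAC or NAI as the identifier, and selects the EAP mode. The class and field names are hypothetical, and the boolean fields stand in for the actual certificate and pre-shared-key checks, which are constructed for this illustration.

```python
"""Constructed model of multi-host authentication order, NAS locations and
termination points. Not the patent's code; names and checks are stand-ins."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    name: str
    mac: str                       # identifier for certificate-based device auth
    nai: Optional[str] = None      # identifier for PSK-based device auth (user@realm)
    cert_valid: bool = False       # stand-in for a successful EAP-TLS certificate check
    device_psk_ok: bool = False    # stand-in for a successful EAP-PSK device check
    user_psk_ok: bool = False      # stand-in for a successful pre-shared-key user check


def eap_mode(device_auth: bool, user_auth: bool, same_server: bool) -> str:
    """Dual/single EAP selection as stated for both the G-RS/G-MS and the gateway host."""
    if device_auth and user_auth:
        return "dual-or-single" if same_server else "dual"
    if device_auth or user_auth:
        return "single"
    raise ValueError("at least one of device or user authentication must run")


class MultiHostAAA:
    """CSN AAA server view plus the two NAS locations (ASN and G-RS/G-MS)."""

    def __init__(self, local_realm: str, csn_registry: dict):
        self.local_realm = local_realm            # realm served by this CSN
        self.csn_registry = csn_registry          # mac -> certificate valid, CSN's record
        self.authenticated_gateways = set()
        self.authorized_hosts = {}                # host mac -> gateway that relayed it
        self.log = []

    def _device_auth(self, dev: Device, method: str, merged_nas: str) -> dict:
        if method == "certificate":
            # authenticator merged with the authentication server at the NAS; MAC identifies
            if not dev.cert_valid:
                raise PermissionError(f"{dev.name}: certificate rejected at {merged_nas}")
            if not self.csn_registry.get(dev.mac, False):
                raise PermissionError(f"{dev.name}: CSN has no valid certificate for {dev.mac}")
            self.log.append(f"{merged_nas}: {dev.mac} authenticated, MAC forwarded to CSN")
            return {"identifier": dev.mac, "terminated_at": merged_nas}
        if method == "psk":
            # runs against the CSN; the NAI identifies the device and selects the path
            if not dev.nai or "@" not in dev.nai:
                raise ValueError(f"{dev.name}: PSK-based device authentication needs an NAI")
            if not dev.device_psk_ok:
                raise PermissionError(f"{dev.name}: PSK device authentication failed at CSN")
            realm = dev.nai.split("@", 1)[1]
            path = "H-CSN" if realm == self.local_realm else "V-CSN proxy -> H-CSN"
            self.log.append(f"CSN: {dev.nai} authenticated via {path}")
            return {"identifier": dev.nai, "terminated_at": "CSN"}
        raise ValueError(f"unknown device authentication method {method!r}")

    def _user_auth(self, dev: Device) -> dict:
        # user authentication always terminates on the CSN AAA server
        if not dev.user_psk_ok:
            raise PermissionError(f"{dev.name}: user authentication failed at CSN")
        return {"terminated_at": "CSN"}

    def _run(self, dev: Device, authenticator: str, method: str, user_auth: bool) -> dict:
        result = {"supplicant": dev.name, "authenticator": authenticator}
        result["device"] = self._device_auth(dev, method, merged_nas=authenticator)
        if user_auth:
            result["user"] = self._user_auth(dev)   # device auth precedes user auth
        same_server = result["device"]["terminated_at"] == "CSN"
        result["eap_mode"] = eap_mode(True, user_auth, same_server)
        return result

    def authenticate_gateway(self, gw: Device, method: str, user_auth: bool = True) -> dict:
        """G-RS/G-MS as supplicant, NAS in the ASN as authenticator."""
        result = self._run(gw, "ASN NAS", method, user_auth)
        self.authenticated_gateways.add(gw.name)
        return result

    def authenticate_host(self, host: Device, gw: Device, method: str, user_auth: bool = True) -> dict:
        """Gateway host as supplicant, NAS in the G-RS/G-MS as authenticator,
        admitted only after the G-RS/G-MS itself has been authenticated."""
        if gw.name not in self.authenticated_gateways:
            raise PermissionError(f"{gw.name} must be authenticated before host {host.name}")
        result = self._run(host, f"{gw.name} NAS", method, user_auth)
        self.authorized_hosts[host.mac] = gw.name   # CSN authorization keyed by forwarded MAC
        return result
```

The ordering check is the point to watch in a real deployment: a host whose relay has not itself been authenticated must not be able to obtain a CSN authorization record, and the record should be keyed by the identifier the relay actually forwarded (the MAC in the certificate case).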
- FIG 16 is a PKMv2-based gateway host user authentication protocol stack.
- the gateway host is the applicant, the G-RS/G-MS is the authenticator, the AAA server is the authentication server, and the BS is the authentication relay.
- the ASN and the CSN of the V-NSP can act as AAA proxies, and the AAA broker is an optional device.
- PKMv2 carries the EAP packets between the gateway host and the G-RS/G-MS, and over the 802.16 air interface between the NAS of the G-RS/G-MS and the BS in the ASN; an EAP packet carried in PKMv2 is EAP over PKMv2 (hereinafter EAPoP).
- the G-RS/G-MS acts as the authenticator and uses the AAA protocol with the AAA server.
- the embodiment of the present invention defines a message type for the PKM-REQ/RSP messages of the PKMv2 protocol that carries AAA messages, so that PKM-REQ/RSP messages support transporting AAA messages.
- the AAA messages carried in this way include the Access-Request, Access-Challenge, Access-Accept and Access-Reject messages.
- the PKM message type can be set to AAA-Transfer, Radius-Transfer or Diameter-Transfer.
- an AAA message carried on PKMv2 is referred to as AAAoP.
- the EAP packet is transmitted between the G-RS/G-MS and the BS through AAAoP.
- the AAA packets between the BS and the AAA server are carried in a transport layer protocol such as UDP (User Datagram Protocol), TCP (Transmission Control Protocol) or SCTP (Stream Control Transmission Protocol); AAA over a transport protocol is referred to as AAAoT.
- the BS converts between AAAoP packets and AAAoT packets.
- FIG. 17 shows the gateway host user authentication protocol stack based on 802.3/802.11 (EAP over LAN, EAPoL).
- AAA packets between the NAS of the G-RS/G-MS and the ASN are carried in PKMv2, that is, AAAoP.
- AAA packets between the BS and the AAA server are carried in a transport layer protocol (UDP, TCP or SCTP), referred to as AAAoT messages.
- The BS still needs to convert between AAAoP messages and AAAoT messages.
- When the authentication of the gateway host terminates in the G-RS/G-MS, the BS does not need to convert between AAAoP and AAAoT.
- FIG. 18 is a flowchart of the gateway host using a digital certificate for device authentication and a pre-shared key for user authentication; both device authentication and user authentication of the gateway host are performed.
- The gateway host uses the dual EAP mode and performs device authentication first. Because the authentication server is merged with the authenticator, gateway host device authentication terminates at the G-RS/G-MS. After device authentication is completed, user authentication is performed, and user authentication terminates in the CSN.
- FIG. 19 is a flowchart of the gateway host using a digital certificate and performing only device authentication. Device authentication of the gateway host is terminated by the G-RS/G-MS. After the gateway host device is authenticated, the G-RS/G-MS carries the device identifier (MAC address) of the gateway host on the AAA protocol and passes it to the CSN.
- FIG. 20 and FIG. 21 are flowcharts of the gateway host performing device authentication and user authentication using a pre-shared key.
- Where gateway host device authentication and user authentication are performed separately, the gateway host uses the dual EAP mode. After device authentication of the gateway host is completed, the gateway host performs user authentication; device authentication and user authentication are terminated by the same authentication server.
- Where the gateway host uses the single EAP mode, device authentication and user authentication are performed jointly and terminate in the CSN.
- In the AAA systems of FIG. 12 to FIG. 15, only the service equipment of the ASN is the NAS: the G-RS/G-MS and the gateway host are both "supplicants", the NAS in the ASN is the "authenticator" of both the G-RS/G-MS and the gateway host, and the AAA server in the CSN is still the "authentication server".
- The AAA system authenticates the G-RS/G-MS and the gateway host separately; authentication of the G-RS/G-MS is performed first.
- The G-RS/G-MS, the NAS of the ASN and the AAA server perform device authentication and/or user authentication of the G-RS/G-MS; the device authentication and user authentication process of the G-RS/G-MS is the same as the process used when the service equipment of the G-RS/G-MS acts as the authenticator of the gateway host.
- After authentication of the G-RS/G-MS is completed, the gateway host is authenticated. If the gateway host uses a digital certificate for device authentication, the authenticator is merged with the authentication server, the gateway host uses its device MAC address as the device identifier, and device authentication of the gateway host is performed at the NAS of the ASN and terminates at the ASN. After the gateway host device is authenticated, the ASN sends the MAC address of the gateway host to the CSN through the AAA protocol, and the CSN checks, according to the received MAC address, whether the digital certificate of the gateway host device (such as an X.509 certificate) is valid. When the gateway host uses a digital certificate for device authentication, this prevents G-Host authentication from extending to other management domains through the use of an NAI.
- When the EAP method runs between the gateway host and the V-CSN/H-CSN, device authentication of the gateway host ends in the CSN, and the gateway host identifies its H-CSN using the NAI as the device identifier.
- When the gateway host accesses the local network, it requests authentication from the AAA server in the H-CSN through the AAA proxy in the V-CSN according to the NAI.
- FIG. 22 shows the gateway host user authentication protocol stack based on PKMv2.
- The gateway host is the supplicant, the NAS of the ASN is the authenticator, the AAA server is the authentication server, and the BS is the authentication relay.
- The ASN and the V-NSP CSN can act as AAA proxies.
- EAP packets between the gateway host and the G-RS/G-MS (not shown), and between the G-RS/G-MS and the ASN, are carried on PKMv2, referred to as EAPoP; the gateway host and the G-RS/G-MS, and the G-RS/G-MS and the BS, exchange EAP messages over the 802.16 air interface. After receiving an EAP packet, the BS forwards it to the NAS.
- The AAA protocol is used between the NAS and the AAA server.
- EAP packets between the gateway host and the G-RS/G-MS are delivered to the G-RS/G-MS through EAPoL.
- EAP packets between the G-RS/G-MS and the BS in the ASN are carried in PKMv2, that is, EAPoP, and are transmitted between the G-RS/G-MS and the BS over the 802.16 air interface.
- The G-RS/G-MS therefore needs to convert between the EAPoL bearer used between the gateway host and the G-RS/G-MS and the EAPoP bearer used between the G-RS/G-MS and the BS; the G-RS/G-MS converts EAPoL packets to EAPoP packets and vice versa.
- The G-RS/G-MS converts between EAPoL packets and EAPoP packets as follows. After the 802.11/802.3 basic link between the gateway host and the G-RS/G-MS is established, the gateway host sends the EAPoL EAP-Start message to apply for EAP authentication to the G-RS/G-MS.
- After receiving the EAPoL EAP-Start message, the G-RS/G-MS generates a PKM-Request message and sets the message type of the PKM-Request to EAP-Start, meaning that the PKM-Request message is used to transmit the EAP-Start message.
- The G-RS/G-MS sends the PKM-Request message to the BS, and the BS delivers the EAP-Start message in the PKM-Request message to the NAS of the ASN, that is, the authenticator.
- After receiving the EAP-Start message, the authenticator sends an EAP-Request/Identity identity query request to the gateway host. Between the BS and the G-RS/G-MS, the EAP-Request/Identity is carried in a PKM-Response message whose message type is set to EAP-Transfer, that is, the PKM-Response message is used to transmit EAP packets.
- After receiving the EAP-Request/Identity identity query request from the EAPoP, the G-RS/G-MS encapsulates it in an EAPoL EAP-Packet and sends it to the gateway host.
- The gateway host sends the EAP-Response/Identity response in an EAPoL EAP-Packet.
- The G-RS/G-MS encapsulates the EAP-Response/Identity in a PKM-Request message with message type EAP-Transfer and forwards it to the BS.
- The BS sends the EAP-Response/Identity to the authenticator.
- The gateway host uses EAP-Packet packets to send EAP-REP/RSP Method-Negotiation packets to perform EAP authentication method negotiation.
- The gateway relay station/gateway mobile station encapsulates the EAP-REP/RSP Method-Negotiation message in a PKM-REP/RSP message with message type EAP-Transfer and forwards it to the BS.
- The BS sends the EAP-REP/RSP Method-Negotiation message to the NAS to perform EAP authentication method negotiation.
- The gateway host uses EAP-Packet packets to send EAP-REP/RSP Method messages for the EAP authentication method exchange.
- The gateway relay station/gateway mobile station encapsulates the EAP-REP/RSP Method message in a PKM-REP/RSP message with message type EAP-Transfer and forwards it to the base station, and the base station sends the EAP-REP/RSP Method message to the NAS authenticator for the EAP authentication method exchange.
- The NAS sends an EAP-Success message to the gateway host.
- The gateway relay station/gateway mobile station encapsulates the EAP-Success in an EAP-Packet and sends it to the gateway host.
- The BS and the G-RS/G-MS interact using PKM-Request/Response messages with message type EAP-Transfer, and EAPoL EAP-Packet packets are exchanged between the gateway host and the G-RS/G-MS, until the EAP authentication process ends.
- The AAA server sends the relevant keys to the G-RS/G-MS, such as the session key between the gateway host and the G-RS/G-MS.
- The embodiment of the present invention uses a PKM message packet to carry the 802.11 key to be transmitted.
- When the G-RS/G-MS detects that the gateway host is offline or abnormal (there may be several reasons and detection methods, such as gateway host deregistration, gateway host shutdown, or the air interface signal quality becoming unavailable), the G-RS/G-MS initiates an EAP-Logoff (EAP offline) message, encapsulates the EAP-Logoff in a PKM-Request message with message type EAP-Transfer, and instructs the NAS authenticator to modify the corresponding authorization status.
- FIG. 25 is a flowchart of the gateway host using a digital certificate for device authentication and a pre-shared key for user authentication; both device authentication and user authentication of the gateway host are performed.
- The gateway host uses the dual EAP mode and performs device authentication first. The authentication server is merged with the authenticator, and gateway host device authentication terminates in the ASN. After device authentication is completed, the gateway host performs user authentication, and user authentication ends in the CSN.
- Where the gateway host uses a digital certificate to perform only device authentication, device authentication of the gateway host terminates in the ASN, and the ASN carries the device identifier (MAC address) of the gateway host on the AAA protocol and passes it to the CSN.
- FIG. 27 and FIG. 28 are flowcharts of the gateway host performing device authentication and user authentication using a pre-shared key.
- Where gateway host device authentication and user authentication are performed separately, the gateway host uses the dual EAP mode; after device authentication, the gateway host performs user authentication, and device authentication and user authentication end on the same authentication server.
- Where the gateway host uses the single EAP mode, described below, device authentication and user authentication are combined and terminate at the CSN.
- Where a bridge device supports multiple host devices in the WiMAX network of FIG. 11, the operator is separated into bridge relay station/bridge mobile station + ASN, and CSN.
- The host devices are connected to the bridge relay station/bridge mobile station via an interface.
- The bridge relay station/bridge mobile station is connected to a plurality of host devices through a first interface (such as a gateway interface), and the bridge relay station/bridge mobile station passes through a second interface (such as an R1 interface) and
- The service equipment of the bridge relay station/bridge mobile station + ASN is a network access server; that is, in addition to setting the ASN service equipment as a network access server, the service equipment of the bridge relay station/bridge mobile station can also be set as a network access server.
- The difference between the AAA system using the bridge relay station/bridge mobile station and the AAA system using the gateway relay station/gateway mobile station is that a layer-2 bridge relay station/bridge mobile station is used instead of the layer-3 gateway relay station/gateway mobile station; when the NAS is set in the bridge relay station/bridge mobile station, the bridge relay station/bridge mobile station can become the authenticator for host device authentication.
- The setting of the other network elements in the AAA system does not change.
- The authentication and authorization process of the AAA system in which the bridge relay station/bridge mobile station supports a multi-host WiMAX network is identical to that of the AAA system in which the gateway relay station/gateway mobile station supports a multi-host WiMAX network. The steps may be completed by a program instructing related hardware, and the program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk.
- The embodiment of the present invention provides an AAA system for a multi-host WiMAX network and solves, at the level of mechanism and protocol flow, the support for authentication and authorization of the gateway device/bridge device and the host devices.
- The network access server can be flexibly set in the gateway device/bridge device or in the ASN.
- Through the setting of the network access server location, authentication of the gateway device/bridge device and the host devices is provided, and authorization and accounting for host devices in a multi-host WiMAX network become possible.
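The two bearer conversions described above, the AAAoP/AAAoT conversion at the BS (FIG. 16) and the EAPoL/EAPoP conversion at the G-RS/G-MS (FIG. 22 and the step list that follows it), are modelled in the following Python as an added example; this is not code from the patent or from any WiMAX implementation. It assumes a placeholder PKM message layout and placeholder numeric codes for the message types EAP-Start, EAP-Transfer and AAA-Transfer (the patent names them but assigns no values, and real PKM messages are TLV-encoded); the EAPoL, EAP and RADIUS field layouts follow IEEE 802.1X, RFC 3748 and RFC 2865, and the one-byte EAPoL-type prefix inside EAP-Transfer payloads is a constructed convention. Each conversion rejects messages in the wrong direction or with an unsupported type, which is the check a relay needs before it forwards anything towards the authenticator or the AAA server.

```python
"""Constructed model of the two bearer conversions the page describes:
(1) at the G-RS/G-MS, EAPoL (802.1X frames from the gateway host) <-> EAPoP
    (EAP carried in PKMv2 PKM-REQ/RSP messages towards the BS);
(2) at the BS, AAAoP (AAA packet carried in PKMv2) <-> AAAoT (AAA packet over UDP).
PKM layout and numeric PKM message-type codes are placeholders (assumption)."""
import struct

# IEEE 802.1X EAPoL packet types (real values)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes and the Identity type (RFC 3748, real values)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# 802.16 MAC management message types for PKM-REQ / PKM-RSP (IEEE 802.16 values)
PKM_REQ, PKM_RSP = 9, 10
# PKM message types named on the page; the numeric codes are placeholders (assumption)
PKM_TYPE = {"EAP-Start": 0xF0, "EAP-Transfer": 0xF1, "AAA-Transfer": 0xF2}
PKM_NAME = {v: k for k, v in PKM_TYPE.items()}
# RADIUS codes (RFC 2865) of the AAA messages the page says AAAoP carries
RADIUS_NAME = {1: "Access-Request", 2: "Access-Accept",
               3: "Access-Reject", 11: "Access-Challenge"}


def build_eapol(ptype, body=b""):
    """802.1X frame: version(1) type(1) body-length(2) body."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body

def parse_eapol(frame):
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPoL frame")
    return ptype, frame[4:4 + length]

def build_eap(code, ident, data=b""):
    """RFC 3748 packet: code(1) identifier(1) length(2) data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def build_pkm(mgmt, pkm_type, payload):
    """Placeholder PKM encoding: mgmt-type(1) pkm-type(1) payload-length(2) payload."""
    return struct.pack("!BBH", mgmt, pkm_type, len(payload)) + payload

def parse_pkm(msg):
    mgmt, pkm_type, length = struct.unpack("!BBH", msg[:4])
    if mgmt not in (PKM_REQ, PKM_RSP) or pkm_type not in PKM_NAME:
        raise ValueError("not a PKM-REQ/RSP message with a transfer type")
    if len(msg) < 4 + length:
        raise ValueError("truncated PKM message")
    return mgmt, PKM_NAME[pkm_type], msg[4:4 + length]

# (1) G-RS/G-MS: EAPoL <-> EAPoP
def eapol_to_eapop(frame):
    """Uplink. EAPOL-Start -> PKM-Request/EAP-Start; EAP-Packet and EAPOL-Logoff ->
    PKM-Request/EAP-Transfer whose payload is the EAPoL type byte then the body
    (that one-byte prefix is a constructed convention, not from the page)."""
    ptype, body = parse_eapol(frame)
    if ptype == EAPOL_START:
        return build_pkm(PKM_REQ, PKM_TYPE["EAP-Start"], b"")
    if ptype in (EAPOL_EAP_PACKET, EAPOL_LOGOFF):
        return build_pkm(PKM_REQ, PKM_TYPE["EAP-Transfer"], bytes([ptype]) + body)
    raise ValueError("EAPoL type %d is not relayed" % ptype)

def eapop_to_eapol(msg):
    """Downlink. PKM-Response/EAP-Transfer from the BS -> EAPoL frame for the host."""
    mgmt, name, payload = parse_pkm(msg)
    if mgmt != PKM_RSP or name != "EAP-Transfer" or not payload:
        raise ValueError("downlink EAPoP must be PKM-Response/EAP-Transfer")
    return build_eapol(payload[0], payload[1:])

# (2) BS: AAAoP <-> AAAoT
def aaaop_to_aaaot(msg):
    """PKM-Request/AAA-Transfer -> (RADIUS code name, bytes to hand to the UDP socket)."""
    mgmt, name, radius = parse_pkm(msg)
    if mgmt != PKM_REQ or name != "AAA-Transfer":
        raise ValueError("expected PKM-Request/AAA-Transfer")
    if len(radius) < 20 or radius[0] not in RADIUS_NAME:  # RADIUS header is 20 bytes
        raise ValueError("AAAoP payload is not a supported RADIUS access packet")
    return RADIUS_NAME[radius[0]], radius

def aaaot_to_aaaop(radius):
    """RADIUS reply received over UDP -> PKM-Response/AAA-Transfer for the air interface."""
    if len(radius) < 20 or radius[0] not in RADIUS_NAME:
        raise ValueError("not a supported RADIUS access packet")
    return build_pkm(PKM_RSP, PKM_TYPE["AAA-Transfer"], radius)

def demo():
    """Run the first steps of the flow on constructed frames; returns what each side sees."""
    start = eapol_to_eapop(build_eapol(EAPOL_START))            # host applies for EAP
    req_id = build_eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))
    down = build_pkm(PKM_RSP, PKM_TYPE["EAP-Transfer"], bytes([EAPOL_EAP_PACKET]) + req_id)
    to_host = eapop_to_eapol(down)                              # EAP-Request/Identity
    resp_id = build_eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + b"host@example.net")
    up = eapol_to_eapop(build_eapol(EAPOL_EAP_PACKET, resp_id))  # EAP-Response/Identity
    radius_req = struct.pack("!BBH", 1, 7, 20) + b"\x00" * 16   # constructed Access-Request
    code_name, _ = aaaop_to_aaaot(build_pkm(PKM_REQ, PKM_TYPE["AAA-Transfer"], radius_req))
    return (parse_pkm(start)[1], parse_eapol(to_host)[1] == req_id,
            parse_pkm(up)[2][1:] == resp_id, code_name)
```

`demo()` walks the EAP-Start, EAP-Request/Identity and EAP-Response/Identity steps of the listed flow and one AAAoP-to-AAAoT hand-off; the same `eapol_to_eapop` path carries the EAPOL-Logoff the G-RS/G-MS raises when it detects the gateway host going offline.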
Abstract
An AAA system and authentication method for a multi-host network are provided. The gateway device/bridge device, the network access server in the access service network and the AAA server perform three-party authentication consisting of device authentication and/or user authentication of the gateway device/bridge device; after device authentication and/or user authentication of the gateway device/bridge device is finished, the host device, the network access server in the gateway device/bridge device and the AAA server perform three-party authentication consisting of device authentication and/or user authentication of the host device. The invention makes it possible to authorize and charge the host device in a multi-host WiMAX network, and supports authentication and authorization of the host device at the level of mechanism and protocol flow. In the AAA system, the network access server can be flexibly set in the gateway device/bridge device or in the access service network.
Description
AAA system and authentication method for a multi-host network
This application claims priority to Chinese Patent Application No. 200610078076. K, entitled "AAA Architecture and Authentication Method for a Multi-Host Network", filed with the Chinese Patent Office on April 29, 2006, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to mobile communication technologies, in particular to broadband wireless access technologies, and specifically to an AAA system and authentication method for a multi-host network.
Background
AAA refers to Authentication, Authorization and Accounting. After the operator has authenticated the user's identity through the AAA architecture, it grants the corresponding permissions according to the service category the user applied for when opening the account. When the user uses network resources, the corresponding devices in the AAA system count the resources occupied by the user and charge the corresponding fees.
FIG. 1 shows a WiMAX (World Interoperability for Microwave Access) network architecture based on a mobile station (MS). MS 11 connects through the R1 reference point to a base station (BS, not shown) in the access service network (ASN) 12 in order to connect to the ASN; R1 uses 802.16e wireless transmission technology. ASN 12 and the connectivity service network (CSN) 14 of the visited network service provider (V-NSP) 13 are connected through the R3 reference point, and CSN 14 of the V-NSP and CSN 16 of the home network service provider (H-NSP) 15 are connected through the R5 reference point.
The RFC2094 AAA authorization framework provides three AAA framework configuration models: the agent sequence/model, the pull sequence/model and the push sequence/model. The main differences between the three models are: (1) how the requester communicates with the authentication server; (2) how control messages such as keys and policies are configured into the bearer-plane devices. The WiMAX Forum recommends the pull sequence/model and defines the AAA architecture of the WiMAX system shown in FIG. 1 as shown in FIG. 2 to FIG. 5:
FIG. 2 shows a non-roaming AAA architecture that is not compatible with a legacy CSN. The network service provider (NSP) is divided into an access service network (ASN) 21 and a connectivity service network (CSN) 22, and the service equipment of the ASN becomes a network access server (NAS) 23. CSN 22 includes one or more AAA servers 24. The AAA server supports a three-party authentication mechanism: "Supplicant", "Authenticator" and "Authentication Server". The three-party authentication mechanism can support multiple authentication methods based on the EAP (Extensible Authentication Protocol), such as EAP-TLS (EAP-Transport Layer Security), EAP-TTLS (EAP-Tunneled TLS), PEAP (Protected EAP), EAP-SIM (EAP-Service Identity Module) and EAP-AKA (EAP-Authentication and Key Agreement), and can support strong key derivation methods.
In the AAA architecture of FIG. 2, the MS is the supplicant, the service equipment of the NAS implements the authenticator, and the AAA server is the authentication server. The ASN includes one or more network access servers, that is, the ASN may include one or more authenticators/AAA clients. The AAA protocol is used between the NAS and the AAA server; AAA protocols include Diameter and RADIUS (Remote Authentication Dial In User Service).
Under this architecture, the user authentication process is as follows:
The MS connects to the NAS and sends a network access request; the NAS collects the access authentication request sent by the MS and forwards it to the AAA server of the CSN. After authentication, the AAA server sends an allow or reject message to the NAS; if authentication succeeds, the allow message also contains authorization information, and the related accounting functions are started. After receiving the response from the AAA server, the NAS notifies the MS that access is allowed or denied.
FIG. 3 shows a non-roaming AAA architecture compatible with a legacy CSN. Unlike the architecture of FIG. 2, the operator's connectivity service network 32 belongs to a legacy NSP whose authentication and authorization back end is not compatible with the AAA protocol. The authentication request sent by NAS 23 to the CSN therefore has to pass through an interworking gateway (IWG) 34 added in the CSN, which maps the AAA protocol and attributes to the legacy operator's specific protocol and attributes before the authentication and authorization process is executed. The operator's allow and reject messages are then mapped back to the AAA protocol by the IWG and sent to the NAS.
FIG. 4 and FIG. 5 show roaming AAA architectures for an incompatible CSN and a compatible CSN respectively. In FIG. 4 and FIG. 5, AAA server 43 in V-NSP 41 acts as an AAA proxy and passes the authentication request sent by NAS 23 to AAA server 44 of H-NSP 42. In FIG. 5, the authentication request sent by NAS 23 to CSN 52 also has to pass through IGW 54 in CSN 52, which maps the AAA protocol and attributes to the legacy operator's specific protocol and attributes before the authentication and authorization process is executed. When the AAA proxy of the V-NSP receives an allow or reject message from the CSN of the H-NSP, it forwards it to NAS 23. In the roaming case there may be one or more AAA brokers and AAA proxies between the NAS and the AAA server, but the AAA session always exists between the NAS and the AAA server, and an AAA broker providing NAI (Network Access Identity) domain-based routing is optional.
In the above four AAA architectures, MS authentication comprises two parts: device authentication and user authentication. When the MS performs authentication, both device authentication and user authentication may be performed, or only device authentication, or only user authentication of the MS. When both are performed, device authentication of the MS is executed before user authentication.
If MS device authentication uses a digital certificate such as X.509, an EAP method supporting digital certificates, such as EAP-TLS, is used. To avoid involving the CSN and shorten the round-trip delay of device authentication, when MS device authentication performs three-party authentication the authentication server in the AAA architecture is merged with the authenticator, and the MS uses its MAC (Medium Access Control) address as the device identifier; device authentication is performed at the NAS of the ASN and does not terminate in the CSN.
If MS device authentication uses a pre-shared key (PSK), a PSK-based EAP method such as EAP-PSK is used. MS device authentication runs between the G-Host (Gateway-Host) and the V-CSN/H-CSN. When MS device authentication performs three-party authentication, the MS uses the NAI as the device identifier; when the MS accesses the local network, it requests authentication from the AAA server in the H-CSN through the AAA proxy in the V-CSN according to the NAI.
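The two preceding paragraphs turn on the form of the device identifier: a MAC address carries no realm, so certificate-based device authentication can be finished by the authenticator merged with the authentication server and only reported to the CSN afterwards, while an NAI carries a realm that an AAA proxy can route on, which is what lets PSK-based authentication reach an H-CSN in another management domain. The following Python is an added example (not code from the patent) of how a V-CSN could classify the identifier and decide where the authentication terminates; the realm name `vnsp.example`, the result dictionary and the function names are assumptions, and the identifier-to-EAP-method pairing follows the text above.

```python
"""Constructed example: decide where gateway host / MS device authentication
terminates from the form of the device identifier. MAC -> local authenticator
(merged with the authentication server), CSN only receives the address afterwards.
NAI (RFC 4282 user@realm) -> routed by realm, possibly to another domain's H-CSN.
Realm names and the output layout are assumptions, not from the page."""
import re

# MAC in either aa:bb:.. or aa-bb-.. notation; the separator must be consistent
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
# NAI: non-empty username, '@', then a dotted realm of valid DNS labels
NAI_RE = re.compile(
    r"^[^@\s]+@([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+)$")
LOCAL_REALM = "vnsp.example"   # assumed realm served by the V-CSN's own AAA server


def classify_identifier(ident):
    """Return ('mac', canonical address) or ('nai', realm); reject anything else."""
    if MAC_RE.match(ident):
        return "mac", ident.lower().replace("-", ":")
    m = NAI_RE.match(ident)
    if m:
        return "nai", m.group(1).lower()
    raise ValueError("unsupported device identifier: %r" % ident)


def plan_device_authentication(ident, local_realm=LOCAL_REALM):
    """Describe the termination point and CSN interaction for one device."""
    kind, value = classify_identifier(ident)
    if kind == "mac":
        # certificate-based device authentication stays local; the CSN later
        # receives only the MAC address over the AAA protocol (page, FIG. 8)
        return {"identifier": "mac", "eap_method": "EAP-TLS",
                "terminates_at": "authenticator", "csn_receives": value,
                "crosses_domain": False}
    # PSK-based device authentication is proxied by realm and may leave this domain
    if value == local_realm:
        return {"identifier": "nai", "eap_method": "EAP-PSK",
                "terminates_at": "V-CSN AAA server", "realm": value,
                "crosses_domain": False}
    return {"identifier": "nai", "eap_method": "EAP-PSK",
            "terminates_at": "H-CSN AAA server", "realm": value,
            "crosses_domain": True}
```

Rejecting anything that is neither a well-formed MAC nor a well-formed NAI before routing is the practical point: a proxy that accepts a malformed identifier can neither terminate the request locally nor pick a realm to forward it to.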
MS与 ASN中的 NAS、 以及 AAA服务器执行 MS的三方认证时, 如果 服务器或终结于同一 CSN的不同 AAA服务器),则采用双 EAP模式进行认证; 如果 MS的设备认证和用户认证终结于同一认证服务器, 则 MS釆用双 EAP 模式, 或釆用单 EAP模式将设备认证和用户认证联合进行; 如果只进行 MS 的设备认证或用户认证时, 采用单 EAP模式。 If the MS and the AAA server perform the three-party authentication of the MS, if the server or the different AAA servers of the same CSN are used, the dual EAP mode is used for authentication; if the device authentication and user authentication of the MS are terminated by the same authentication. For the server, the MS uses the dual EAP mode, or combines the device authentication and the user authentication in a single EAP mode. If only the device authentication or user authentication of the MS is performed, the single EAP mode is adopted.
下面参照 MS的用户认证协议栈对认证过程进行说明。 如图 6所示, MS 为申请者, ASN的 NAS为认证者, CSN的 AAA服务器为认证服务器, BS 为认证中转, 其它的 AAA代理 /经理在漫游状态下可选。 MS用户认证的 EAP
报文认证终结于 AAA服务器。 MS与 BS间的 EAP报文承载在 PKMv2 (简称 EAPoP, EAP报文承载在 PKM ( Privacy Key Management, 保密密钥管理)), 通过 802.16的空中接口传递至 BS。 PKMv2同样支持三方认证机制及多种 EAP 认证方法。 PKMv2由 IEEE802.16-2004和 802.16e用 EAP规定, 用于支持用 户认证和设备授权。 IEEE802.16-2004和 802.16e还用 EAP规定了 PKMvl, 只 提供对设备认证授权的支持, 可支持移动网络中的固定用户。 BS与认证者间 的 EAP 文 7 载在认证中转协议, 通过 BS与 ASN间链路传递至 ASN。 而 ASN的 NAS为认证者, NAS与 AAA服务器间的 EAP报文承载在 AAA协议 上 , 再将 AAA报文承载在 UDP/IP ( User Datagram Protocol/IP, 用户数据报文 协议 /因特网协议 )协议等传输层协议上传递到 CSN的 AAA服务器上进行用 户信息验证。 The authentication process will be described below with reference to the user authentication protocol stack of the MS. As shown in Figure 6, the MS is the applicant, the NAS of the ASN is the authenticator, the AAA server of the CSN is the authentication server, the BS is the authentication relay, and the other AAA agents/managers are optional in the roaming state. MS user-certified EAP The packet authentication ends on the AAA server. The EAP packet between the MS and the BS is carried in the PKMv2 (referred to as EAPoP for short, and the EAP packet is carried in PKM (Privacy Key Management)), and is transmitted to the BS through the air interface of 802.16. PKMv2 also supports three-party authentication mechanisms and multiple EAP authentication methods. PKMv2 is specified by IEEE 802.16-2004 and 802.16e with EAP to support user authentication and device authorization. IEEE 802.16-2004 and 802.16e also specify PKMvl with EAP, which only provides support for device authentication and authorization, and supports fixed users in mobile networks. The EAP text 7 between the BS and the authenticator is contained in the authentication relay protocol and is transmitted to the ASN through the link between the BS and the ASN. The ASN NAS is the Authenticator. The EAP packet between the NAS and the AAA server is carried on the AAA protocol, and the AAA packet is carried in the UDP/IP (User Datagram Protocol/IP) protocol. 
User information is verified on the AAA server that is passed to the CSN on the transport layer protocol.
图 7与图 8为 MS在认证过程中, 采用 EAP-TLS认证方法进行设备认证 的流程图。 图 7中, MS的设备认证与用户认证都执行认证, MS采用双 EAP 模式。 MS先执行设备认证, 由于认证服务器与认证者合并, MS设备认证终 结于 ASN。 MS设备认证结束后, MS执行用户认证,并且用户认证终结于 CSN。 图 8中, MS只执行设备认证, MS的设备认证终结于 ASN。 MS设备认证结 束后, ASN将 MS的设备标识( MAC地址)承载到 AAA协议上,传递至 CSN, 告知 AAA服务器 MS设备认证已通过, 这时, AAA服务器可进一步对 ASN 授权允许 MS接入相应的业务。 Figure 7 and Figure 8 show the flow chart of the device authentication using the EAP-TLS authentication method during the authentication process. In Figure 7, both the device authentication and the user authentication of the MS perform authentication, and the MS adopts the dual EAP mode. The MS performs device authentication first. Since the authentication server is merged with the authenticator, the MS device authentication ends with the ASN. After the MS device authentication ends, the MS performs user authentication, and the user authentication ends in the CSN. In Figure 8, the MS only performs device authentication, and the device authentication of the MS ends with the ASN. After the MS device is authenticated, the ASN carries the device identifier (MAC address) of the MS to the AAA protocol and passes it to the CSN to inform the AAA server that the MS device authentication has passed. In this case, the AAA server can further authorize the MS to access the corresponding ASN. Business.
图 9与图 10为 MS在认证过程中,采用 EAP-PSK认证方法进行设备认证 的流程图。 图 9中 MS的设备认证与用户认证都执行认证, MS采用双 EAP 模示, MS的设备认证与用户认证终结于相同的认证服务器。 图 10中, MS的 设备认证与用户认证终结于同一 AAA服务器, MS采用单 EAP模式, 将 MS 设备认证和用户认证联合进行, 并终结于 CSN。 Figure 9 and Figure 10 show the flow chart of the device authentication using the EAP-PSK authentication method during the authentication process. In Figure 9, the device authentication and user authentication of the MS are performed. The MS uses the dual EAP mode. The device authentication and user authentication of the MS terminates on the same authentication server. In Figure 10, the device authentication and user authentication of the MS are terminated on the same AAA server. The MS adopts the single EAP mode to jointly perform MS device authentication and user authentication, and terminates in the CSN.
The WiMAX Forum now defines a multi-host network based on gateway devices or bridge devices, in which a gateway device/bridge device can support multiple host devices. As shown in Figure 11, in a multi-host WiMAX network a gateway relay station/gateway mobile station (G-RS/G-MS) 110 built on a gateway device provides multiple-host support; if a bridge device provides the multi-host support, a bridge relay station/bridge mobile station replaces the G-RS/G-MS of Figure 11. In Figure 11 the host devices are gateway hosts 101 and 102. The G-RS/G-MS connects to multiple gateway hosts through a first interface and connects to a BS (not shown) through a second interface, thereby reaching ASN 111. The first interface is the G interface, which uses 802.3, 802.16 or 802.11 transport; the second interface is the R1 interface, which uses 802.16e wireless transport. ASN 111 and CSN 112 are connected through the R3 reference point, and CSN 113 of the NAP+V-NSP is connected to CSN 112 of the H-NSP through the R5 reference point.
Because the WiMAX network of Figure 11 adds two new kinds of network element, the gateway device/bridge device and the host device, while the existing AAA architecture and authentication method address only MS authentication in the original network, a new AAA architecture and a corresponding authentication method are needed to support authentication of gateway devices/bridge devices and host devices in a multi-host WiMAX network.
Summary of the invention
Embodiments of the invention provide an AAA system and an authentication method supporting a multi-host network, in which the position of the NAS within the AAA system can be chosen flexibly and the gateway device/bridge device and the host device are authenticated.
An embodiment of the invention provides an AAA system for a multi-host network, comprising an access service network and a connectivity service network, where a network access server is provided in the access service network and at least one AAA server is provided in the connectivity service network. The AAA system of the multi-host network further comprises a gateway device/bridge device and a host device; the host device is connected to the gateway device/bridge device; the network access server is provided in the gateway device/bridge device; host device authentication and gateway device/bridge device authentication are performed separately and independently; the gateway device/bridge device, the network access server in the access service network and the AAA server perform three-party authentication for device authentication and/or user authentication of the gateway device/bridge device; and the host device, the network access server in the gateway device/bridge device and the AAA server perform three-party authentication for device authentication and/or user authentication of the host device.
An embodiment of the invention further provides an authentication method for the AAA system of a multi-host network, in which, when a host device is connected to a gateway device/bridge device, the AAA system authenticates the gateway device/bridge device and the host device separately. The gateway device/bridge device first sends its authentication information through the network access server in the access service network to the AAA server of the connectivity service network, and the gateway device/bridge device, the network access server in the access service network and the AAA server perform three-party authentication for device authentication and/or user authentication of the gateway device/bridge device. After device authentication and/or user authentication of the gateway device/bridge device completes, the host device sends its authentication information through the network access server in the gateway device/bridge device to the AAA server of the connectivity service network, and the host device, the network access server in the gateway device/bridge device and the AAA server perform three-party authentication for device authentication and/or user authentication of the host device.
An embodiment of the invention further provides an AAA system for a multi-host network, comprising an access service network and a connectivity service network, where a network access server is provided in the access service network and at least one AAA server is provided in the connectivity service network. The AAA system further comprises a gateway device/bridge device and a host device; the host device is connected to the gateway device/bridge device; the gateway device/bridge device is connected to the access service network; host device authentication and gateway device/bridge device authentication are performed separately and independently; the gateway device/bridge device, the network access server in the access service network and the AAA server perform three-party authentication for device authentication and/or user authentication of the gateway device/bridge device; and the host device, the network access server in the access service network and the AAA server perform three-party authentication for device authentication and/or user authentication of the host device.
An embodiment of the invention further provides an authentication method for the AAA system of a multi-host network, in which, when a host device is connected to a gateway device/bridge device, the AAA system authenticates the gateway device/bridge device and the host device separately. The gateway device/bridge device first sends its authentication information through the network access server in the access service network to the AAA server of the connectivity service network, and the gateway device/bridge device, the network access server in the access service network and the AAA server perform three-party authentication for device authentication and/or user authentication of the gateway device/bridge device. After device authentication and/or user authentication of the gateway device/bridge device completes, the host device sends its authentication information through the network access server of the access service network to the AAA server of the connectivity service network, and the host device, the network access server of the access service network and the AAA server perform three-party authentication for device authentication and/or user authentication of the host device.
Embodiments of the invention provide an AAA system for a multi-host WiMAX network that supports, at the level of mechanism and protocol flow, the authentication and authorization of gateway devices/bridge devices and host devices. In this AAA system the network access server may be placed flexibly either in the gateway device/bridge device or in the ASN; when a host device accesses network resources, authentication of the gateway device/bridge device and of the host device can be provided according to the position of the network access server, which makes authorization and accounting for host devices in a multi-host WiMAX network possible.
Brief description of the drawings
Figure 1 is a schematic diagram of an existing WiMAX network;
Figure 2 shows an existing non-roaming AAA architecture that is not compatible with a legacy connectivity service network;
Figure 3 shows an existing non-roaming AAA architecture that is compatible with a legacy connectivity service network;
Figure 4 shows an existing roaming AAA architecture that is not compatible with a legacy connectivity service network;
Figure 5 shows an existing roaming AAA architecture that is compatible with a legacy connectivity service network;
Figure 6 shows an existing PKMv2-based mobile station user authentication protocol stack;
Figure 7 is a flow chart of a prior-art embodiment in which both MS device authentication and user authentication are performed;
Figure 8 is a flow chart of a prior-art embodiment in which the MS performs only device authentication;
Figure 9 is a flow chart of another prior-art embodiment in which both MS device authentication and user authentication are performed;
Figure 10 is a flow chart of prior-art joint MS device authentication and user authentication;
Figure 11 is a schematic diagram of a prior-art multi-host network structure based on a gateway device;
Figure 12 shows a non-roaming AAA system of an embodiment of the invention, based on a multi-host network and not compatible with a legacy connectivity service network;
Figure 13 shows a non-roaming AAA system of an embodiment of the invention, based on a multi-host network and compatible with a legacy connectivity service network;
Figure 14 shows a roaming AAA system of an embodiment of the invention, based on a multi-host network and not compatible with a legacy connectivity service network;
Figure 15 shows a roaming AAA system of an embodiment of the invention, based on a multi-host network and compatible with a legacy connectivity service network;
Figure 16 shows the user authentication protocol stack of one embodiment of a gateway host in a system according to an embodiment of the invention, where the network access server is located in the gateway relay station/gateway mobile station;
Figure 17 shows the user authentication protocol stack of another embodiment of a gateway host in a system according to an embodiment of the invention, where the network access server is located in the gateway relay station/gateway mobile station;
Figure 18 is a flow chart of an embodiment based on Figures 16 and 17 in which both gateway host device authentication and user authentication are performed;
Figure 19 is a flow chart of an embodiment based on Figures 16 and 17 in which only gateway host device authentication is performed;
Figure 20 is a flow chart of another embodiment based on Figures 16 and 17 in which both gateway host device authentication and user authentication are performed;
Figure 21 is a flow chart of another embodiment based on Figures 16 and 17 in which only gateway host device authentication is performed;
Figure 22 shows the user authentication protocol stack of one embodiment of a gateway host in a system according to an embodiment of the invention, where the network access server is located in the access service network;
Figure 23 shows the user authentication protocol stack of another embodiment of a gateway host in a system according to an embodiment of the invention, where the network access server is located in the access service network;
Figure 24 is a flow chart of the conversion between EAPoL and EAPoP in Figure 23;
Figure 25 is a flow chart of an embodiment based on Figures 23 and 24 in which both gateway host device authentication and user authentication are performed;
Figure 26 is a flow chart of an embodiment based on Figures 23 and 24 in which only gateway host device authentication is performed;
Figure 27 is a flow chart of another embodiment based on Figures 23 and 24 in which both gateway host device authentication and user authentication are performed;
Figure 28 is a flow chart of another embodiment based on Figures 23 and 24 in which only gateway host device authentication is performed.
Detailed description
Figure 12 is a schematic diagram of an embodiment of the AAA system for a network in which a G-RS/G-MS (gateway relay station/gateway mobile station) supports a WiMAX multi-host network, in the non-roaming state. The operator is divided into G-MS/G-RS+ASN and CSN. Gateway host 121 is connected to the G-RS/G-MS through the gateway interface as the first interface. The G-MS/G-RS connects to a base station of the ASN (not shown) using the R1 interface as the second interface. The service device of the G-MS/G-RS+ASN is network access server 122; that is, besides configuring the service device of the ASN as the network access server (NAS), the service device of the G-RS/G-MS can also be configured as a NAS.
One or more NASs may be provided in the G-MS/G-RS or in the ASN, i.e. multiple authenticators/AAA clients (not shown), such as multiple RADIUS clients or Diameter clients, together with zero or more AAA proxies. Connectivity service network 123 includes AAA server 124.
Figure 13 is a schematic diagram of another embodiment of the AAA system in which a G-RS/G-MS supports a WiMAX multi-host network, in the non-roaming state. It differs from the embodiment of Figure 12 in that the CSN belongs to a legacy operator whose authentication and authorization back end is not compatible with the AAA protocol, so an IWG 134 function added in the CSN must map the AAA protocol and its attributes onto the specific protocols and attributes of the legacy NSP. The authentication messages returned by the operator are in turn mapped by the IWG back to the AAA protocol and delivered to the AAA client.
Figures 14 and 15 show, respectively, roaming AAA systems in which a G-RS/G-MS supports a WiMAX multi-host network with a CSN that is not compatible and with a CSN that is compatible. They differ from the embodiment of Figure 12 in that AAA server 143 in V-NSP 141 acts as an AAA proxy, relaying the messages sent by the NAS in the G-MS/G-RS+ASN to AAA server 144 of H-NSP 142. In Figure 15, because CSN 151 belongs to a legacy operator whose authentication and authorization back end is not compatible with the AAA protocol, an IWG 152 function added in CSN 151 maps the AAA protocol and its attributes onto the specific protocols and attributes of the legacy NSP; the authentication messages returned by the operator are mapped by the IWG back to the AAA protocol and delivered to AAA server 143.
When the AAA proxy of the V-NSP receives an accept or reject message from the CSN of the H-NSP, it forwards it to the G-MS/G-RS+ASN. In the roaming case of Figure 15, one or more AAA brokers and AAA proxies (not shown) may sit between the NAS and the AAA server. An AAA session always exists between the NAS and the AAA server; the AAA broker, which provides a routing path based on the NAI realm, is optional.
When a gateway host connected to a G-MS/G-RS accesses network resources, both the gateway host and the G-RS/G-MS must be authenticated. The authentication and authorization method based on the embodiments of the AAA system supporting multi-host WiMAX networks in Figures 12 to 15 is as follows:
1) Authentication of the G-RS/G-MS and authentication of the gateway host are performed separately; the two are independent of each other.
2) Device authentication of the G-RS/G-MS precedes its user authentication. The G-RS/G-MS, the NAS of the ASN and the AAA server perform three-party authentication for G-RS/G-MS device authentication and/or user authentication. Both device authentication and user authentication of the G-RS/G-MS may be performed, or only G-RS/G-MS device authentication, or only G-RS/G-MS user authentication. If both are performed but terminate at different authentication servers (AAA servers in different CSNs, or different AAA servers in the same CSN), the G-RS/G-MS authenticates in dual-EAP mode; if both are performed and terminate at the same authentication server (the same AAA server in the same CSN), the G-RS/G-MS uses either dual-EAP mode or single-EAP mode, in which G-RS/G-MS device authentication and user authentication are performed jointly. If only G-RS/G-MS device authentication or only G-RS/G-MS user authentication is performed, the G-RS/G-MS uses single-EAP mode.
3) Device authentication of the gateway host precedes its user authentication. The gateway host, the NAS of the G-RS/G-MS+ASN and the AAA server perform three-party authentication for device authentication and/or user authentication of the gateway host. Both gateway host device authentication and user authentication may be performed, or only gateway host device authentication, or only gateway host user authentication. If both are performed but terminate at different authentication servers (AAA servers in different CSNs, or different AAA servers in the same CSN), the gateway host uses dual-EAP mode. If both are performed and terminate at the same authentication server (the same AAA server), the gateway host uses either dual-EAP mode or single-EAP mode, in which device authentication and user authentication are performed jointly. If the gateway host performs only device authentication or only user authentication, it uses single-EAP mode.
4) Authentication of the G-RS/G-MS precedes authentication of the gateway host.
Based on the AAA system of Figures 12 to 15, when the service device of the G-RS/G-MS is also configured as a network access server, then during G-RS/G-MS authentication the G-RS/G-MS is the supplicant, the NAS in the ASN is the authenticator of the G-RS/G-MS, and the AAA server in the CSN is the authentication server; during gateway host authentication the gateway host is the supplicant, the NAS in the G-RS/G-MS is the authenticator of the gateway host, and the AAA server in the CSN remains the authentication server. Authentication of the G-RS/G-MS and authentication of the gateway host are carried out separately, and gateway host authentication is performed after G-RS/G-MS authentication completes.
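The following is an added example, not code from the patent, of how an authenticator (the NAS) can enforce rules 1) to 4) above in its session table: the G-RS/G-MS and each gateway host are authenticated independently, a gateway host cannot start EAP until the G-RS/G-MS it is reached through is authorized, and device authentication is never accepted after user authentication. select_eap_modes() returns the EAP modes that rules 2) and 3) allow. The class, state names, the revoke-on-detach policy and the MAC values are assumptions of this example, not terms or values from the patent.

```python
from enum import Enum


class Mode(Enum):
    SINGLE_EAP = "single-EAP"
    DUAL_EAP = "dual-EAP"


class State(Enum):
    IDLE = "idle"              # attached, nothing authenticated yet
    DEVICE_OK = "device-ok"    # device authentication passed, user authentication pending
    AUTHORIZED = "authorized"  # every required authentication passed
    REVOKED = "revoked"        # authorization withdrawn (assumed policy: gateway went away)


def select_eap_modes(device_auth, user_auth, device_server=None, user_server=None):
    """EAP modes allowed by rules 2) and 3): both authentications ending at
    different servers -> dual EAP only; both at the same server -> dual or
    single; a single authentication -> single EAP only."""
    if device_auth and user_auth:
        if device_server is None or user_server is None:
            raise ValueError("both terminating servers must be known")
        if device_server != user_server:
            return frozenset({Mode.DUAL_EAP})
        return frozenset({Mode.DUAL_EAP, Mode.SINGLE_EAP})
    if device_auth or user_auth:
        return frozenset({Mode.SINGLE_EAP})
    raise ValueError("at least one authentication must be performed")


class MultiHostAuthenticator:
    """Session table of the NAS.  Gateways (G-RS/G-MS) are keyed by MAC;
    each gateway host records the gateway it is reached through."""

    def __init__(self):
        self.gateways = {}   # gw_mac -> State
        self.hosts = {}      # host_mac -> {"gateway": gw_mac, "state": State}

    @staticmethod
    def _step(current, step, passed, final):
        """Shared transition.  Device authentication may only start from IDLE,
        so it always precedes user authentication (rules 2) and 3)); with
        final=False a user authentication is still to follow (dual EAP)."""
        if step == "device":
            if current is not State.IDLE:
                raise ValueError("device authentication must be the first run")
            if not passed:
                return State.IDLE
            return State.AUTHORIZED if final else State.DEVICE_OK
        if step == "user":
            if current not in (State.IDLE, State.DEVICE_OK):
                raise ValueError("user authentication not expected in state %s" % current)
            return State.AUTHORIZED if passed else State.IDLE
        raise ValueError("unknown step " + step)

    def gateway_attach(self, gw_mac):
        self.gateways[gw_mac] = State.IDLE

    def gateway_auth(self, gw_mac, step, passed, final=True):
        """Rule 1): the gateway's run is independent of any host."""
        self.gateways[gw_mac] = self._step(self.gateways[gw_mac], step, passed, final)
        return self.gateways[gw_mac]

    def host_attach(self, host_mac, gw_mac):
        """Rule 4): a host may only start authenticating behind an authorized gateway."""
        if self.gateways.get(gw_mac) is not State.AUTHORIZED:
            return False
        self.hosts[host_mac] = {"gateway": gw_mac, "state": State.IDLE}
        return True

    def host_auth(self, host_mac, step, passed, final=True):
        """Rule 1) again: the host's own run; rule 4) is re-checked on every message."""
        host = self.hosts[host_mac]
        if self.gateways.get(host["gateway"]) is not State.AUTHORIZED:
            raise PermissionError("gateway %s is not authorized" % host["gateway"])
        host["state"] = self._step(host["state"], step, passed, final)
        return host["state"]

    def gateway_detach(self, gw_mac):
        """Assumed policy (not stated in the patent): when a gateway leaves, the
        hosts behind it lose authorization, since their only path to the ASN
        went with it.  Returns the revoked host MACs."""
        self.gateways.pop(gw_mac, None)
        revoked = sorted(m for m, h in self.hosts.items() if h["gateway"] == gw_mac)
        for m in revoked:
            self.hosts[m]["state"] = State.REVOKED
        return revoked

    def is_authorized(self, mac):
        if mac in self.gateways:
            return self.gateways[mac] is State.AUTHORIZED
        host = self.hosts.get(mac)
        return host is not None and host["state"] is State.AUTHORIZED
```

The point a practitioner should take from this is that the host's authorization depends on two independent results: its own EAP outcome and the current state of the gateway it is reached through. Checking the gateway state only once, at attach time, would let a host keep its session after the gateway's authorization lapsed.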
The G-RS/G-MS, the NAS of the ASN and the AAA server perform three-party authentication for G-RS/G-MS device authentication and/or user authentication. The G-RS/G-MS performs device authentication with a digital certificate. To avoid involving the CSN and shorten the round-trip delay of G-RS/G-MS device authentication, the authentication server of the AAA system is merged with the authenticator: the G-RS/G-MS uses its MAC address as device identifier and performs device authentication at the NAS of the ASN. If the G-RS/G-MS performs only device authentication, then after its device authentication completes the ASN sends the device identifier (MAC address) to the AAA server, informing it that G-RS/G-MS device authentication has passed, and the AAA server further authorizes the ASN to allow the G-RS/G-MS to access the corresponding services.
If G-RS/G-MS device authentication uses a pre-shared key (PSK), G-RS/G-MS device authentication runs between the gateway host and the V-CSN/H-CSN; the G-RS/G-MS uses a network access identifier (NAI) as device identifier and, according to the NAI, requests authentication from the AAA server in the H-CSN through the AAA proxy in the V-CSN.
After G-RS/G-MS device authentication completes, G-RS/G-MS user authentication is performed; G-RS/G-MS user authentication uses only a pre-shared key. The device authentication and user authentication procedures of the G-RS/G-MS are the same as the existing device authentication and user authentication procedures of an MS.
After G-RS/G-MS authentication completes, the AAA system authenticates the gateway host. If the gateway host performs device authentication with a digital certificate, such as X.509, an EAP method that supports digital certificates, such as EAP-TLS, is used. To avoid involving the CSN and shorten the round-trip delay, the authenticator is merged with the authentication server: the gateway host uses the MAC address of the device as device identifier and performs device authentication at the NAS of the G-RS/G-MS, so gateway host device authentication terminates at the G-RS/G-MS. After gateway host device authentication completes, the G-RS/G-MS sends the MAC address of the gateway host to the CSN over the AAA protocol, and the CSN uses the received MAC address of the gateway host device to check whether the digital certificate of that device, e.g. its X.509 certificate, is valid. When the gateway host performs device authentication with a digital certificate, the NAI must not be used as device identifier, so that gateway host authentication is not prevented from extending to other administrative domains.
If the gateway host uses a pre-shared key (PSK) for device authentication, the EAP method runs between the gateway host and the V-CSN/H-CSN, gateway host device authentication terminates at the CSN, and the gateway host identifies its H-CSN through the NAI used as device identifier. When the gateway host attaches to the local network, it requests authentication, according to the NAI, from the AAA server in the H-CSN through the AAA proxy in the V-CSN.
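The following is an added example, not code from the patent, of the identifier policy described in the two paragraphs above (and repeated later for the case where the NAS sits in the ASN): a certificate-based gateway host is identified by MAC address, is verified locally by the authenticator, and the MAC is then reported to the CSN, which checks the certificate it holds for that device; a PSK-based gateway host is identified by an NAI, and the V-CSN proxy routes the request on the NAI realm to the H-CSN. The NAI syntax follows RFC 4282. The realm table, the certificate records, the dates and the MAC addresses are constructed for this example.

```python
import re
from datetime import date

# Six hex octets separated by ':' or '-' (the form an 802.3/802.11/802.16 NAS sees).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")


def canonical_mac(identifier):
    """Return the MAC in one canonical form, or None if the identifier is not a MAC."""
    if not MAC_RE.match(identifier):
        return None
    return identifier.upper().replace(":", "-")


def parse_nai(nai):
    """Split an RFC 4282 NAI into (username, realm).  A missing realm or an
    empty part is rejected: a realm-less identifier cannot be routed to a
    home CSN, and 'a@b@c' is ambiguous about which part is the realm."""
    if nai.count("@") != 1:
        return None
    user, realm = nai.split("@")
    if not user or not realm or any(c.isspace() for c in nai):
        return None
    return user, realm.lower()


def route_psk_request(nai, local_realm, home_realms):
    """V-CSN proxy decision for a PSK-based (NAI-identified) authentication:
    answer locally, forward to the mapped H-CSN AAA server, or reject."""
    parsed = parse_nai(nai)
    if parsed is None:
        return ("reject", "malformed NAI")
    _, realm = parsed
    if realm == local_realm:
        return ("local", local_realm)
    if realm in home_realms:
        return ("proxy", home_realms[realm])
    return ("reject", "unknown realm " + realm)


# Constructed CSN records: MAC of the gateway host -> certificate bookkeeping.
CERT_RECORDS = {
    "00-11-22-AA-BB-01": {"serial": 1001, "not_after": date(2030, 1, 1), "revoked": False},
    "00-11-22-AA-BB-02": {"serial": 1002, "not_after": date(2030, 1, 1), "revoked": True},
    "00-11-22-AA-BB-03": {"serial": 1003, "not_after": date(2020, 1, 1), "revoked": False},
}


def csn_accept_device_report(identifier, today, records=CERT_RECORDS):
    """CSN-side check when the authenticator (G-RS/G-MS or ASN) reports that
    certificate-based device authentication passed.  The report must carry a
    MAC, not an NAI, and the certificate on file for that MAC must be neither
    revoked nor expired; the CSN authorizes services only on success."""
    mac = canonical_mac(identifier)
    if mac is None:
        return (False, "identifier is not a MAC address")
    rec = records.get(mac)
    if rec is None:
        return (False, "no certificate on file for device")
    if rec["revoked"]:
        return (False, "certificate revoked")
    if rec["not_after"] < today:
        return (False, "certificate expired")
    return (True, "serial %d" % rec["serial"])
```

The two identifier kinds deliberately do not mix: a MAC never reaches the proxy routing path, and an NAI is refused by the certificate check, so a report that arrives with the wrong identifier type fails closed rather than being routed or authorized by accident.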
The authentication procedure of the gateway host is described below with reference to the drawings:
Figure 16 shows the PKMv2-based gateway host user authentication protocol stack: the gateway host is the supplicant, the G-RS/G-MS is the authenticator, the AAA server is the authentication server, and the BS is the authentication relay. In the roaming state the ASN and the CSN of the V-NSP may act as AAA proxies, and the AAA broker is an optional element.
PKMv2 carries EAP messages over the 802.16 air interface between the gateway host and the G-RS/G-MS, and between the NAS of the G-RS/G-MS and the BS in the ASN; EAP carried on PKMv2, i.e. EAP over PKMv2, is referred to below as EAPoP. The G-RS/G-MS, as authenticator, uses the AAA protocol towards the AAA server. Between the G-RS/G-MS and the BS, this embodiment defines a message type for the PKM-REQ/RSP messages of the PKMv2 protocol that carries AAA messages, so that PKM-REQ/RSP messages can transport AAA messages such as Access-Challenge, Access-Request, Access-Accept and Access-Reject. The PKM message type may be set to AAA-Transfer, Radius-Transfer or Diameter-Transfer; AAA messages carried on PKMv2 are referred to as AAAoP. EAP messages are passed between the G-RS/G-MS and the BS via AAAoP, whereas between the BS and the AAA server AAA messages are carried on a transport-layer protocol such as UDP (User Datagram Protocol), TCP (Transmission Control Protocol) or SCTP (Stream Control Transmission Protocol), referred to as AAAoT. The BS converts between AAAoP and AAAoT messages.
Figure 17 shows the gateway host user authentication protocol stack based on 802.3/802.11. For EAP authentication over Ethernet 802.3/802.11, the standard defined by IEEE 802.1X carries EAP over 802.3/802.11, i.e. EAP over LAN, referred to below as EAPoL. In Figure 17, AAA messages between the NAS of the G-RS/G-MS and the BS of the ASN are carried on PKMv2 as AAAoP, and AAA messages between the BS and the AAA server are carried on a transport-layer protocol (UDP, TCP or SCTP) as AAAoT. The BS still has to convert between AAAoP and AAAoT messages.
In the gateway host device authentication protocol stack based on PKMv2 or on 802.3/802.11, when gateway host authentication terminates at the G-RS/G-MS, the BS does not need to convert between AAAoP and AAAoT.
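The following is an added example, not code from the patent, of the AAAoP/AAAoT relay described above at the byte level. The G-RS/G-MS, acting as RADIUS client, builds an Access-Request, wraps it in a PKM message of the AAA-Transfer type, the BS strips that wrapper and forwards the bare RADIUS datagram (AAAoT), and on the way back the BS re-wraps the AAA server's reply. The RADIUS layout and the Response Authenticator computation follow RFC 2865; the PKM framing used here (a type byte of 0xF0 followed by a two-byte length), the shared secret and the sample identity and MAC are assumptions of this example, not values from the patent or from IEEE 802.16. The security point it makes is that the BS never needs the RADIUS shared secret: it only converts framing, and the G-RS/G-MS can still tell a genuine Access-Accept from one the relay path altered.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 3579.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE = 1, 31, 79

PKM_AAA_TRANSFER = 0xF0                 # assumed PKM message type, not a real 802.16 code
SHARED_SECRET = b"constructed-secret"   # known to the NAS and the AAA server only


def radius_attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    out = b""
    for t, v in pairs:
        if len(v) > 253:
            raise ValueError("attribute too long for one RADIUS TLV")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def radius_packet(code, ident, authenticator, attrs):
    """Code | Identifier | Length | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


# --- G-RS/G-MS (AAA client) -------------------------------------------------
def build_access_request(ident, nai, host_mac, eap_msg, request_auth=None):
    """Access-Request carrying the host's EAP message; returns (packet, request authenticator)."""
    request_auth = request_auth or os.urandom(16)
    attrs = radius_attrs([(USER_NAME, nai.encode()),
                          (CALLING_STATION_ID, host_mac.encode()),
                          (EAP_MESSAGE, eap_msg)])
    return radius_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def pkm_wrap(radius_bytes):
    """AAAoP: carry the RADIUS datagram inside a PKM message (assumed framing)."""
    return struct.pack("!BH", PKM_AAA_TRANSFER, len(radius_bytes)) + radius_bytes


def pkm_unwrap(frame):
    """Reverse of pkm_wrap; rejects wrong type or inconsistent PKM/RADIUS lengths."""
    mtype, length = struct.unpack("!BH", frame[:3])
    if mtype != PKM_AAA_TRANSFER:
        raise ValueError("not an AAA-Transfer message")
    payload = frame[3:3 + length]
    if len(payload) != length or length < 20 or struct.unpack("!H", payload[2:4])[0] != length:
        raise ValueError("PKM length and RADIUS length disagree")
    return payload


# --- BS: AAAoP <-> AAAoT conversion, no shared secret involved ---------------
bs_uplink = pkm_unwrap      # PKM frame from the G-RS/G-MS -> UDP/TCP/SCTP payload
bs_downlink = pkm_wrap      # transport payload from the AAA server -> PKM frame


# --- AAA server --------------------------------------------------------------
def aaa_server_reply(request_bytes, accept, secret=SHARED_SECRET):
    """Access-Accept or Access-Reject with a valid Response Authenticator.
    A real EAP reply would also carry EAP-Message and Message-Authenticator
    attributes (RFC 3579); they are omitted here to keep the framing visible."""
    code, ident, length = struct.unpack("!BBH", request_bytes[:4])
    if code != ACCESS_REQUEST or length != len(request_bytes):
        raise ValueError("malformed request")
    request_auth = request_bytes[4:20]
    reply_code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    attrs = b""
    auth = response_authenticator(reply_code, ident, request_auth, attrs, secret)
    return radius_packet(reply_code, ident, auth, attrs)


# --- G-RS/G-MS again: check what came back through the BS -------------------
def nas_check_reply(frame, ident, request_auth, secret=SHARED_SECRET):
    """Return the reply code only if the identifier matches the outstanding
    request and the Response Authenticator verifies; otherwise None."""
    reply = pkm_unwrap(frame)
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return None
    expected = response_authenticator(code, rid, request_auth, reply[20:], secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return None
    return code


def demo(accept=True):
    """One full round trip: NAS -> BS -> AAA server -> BS -> NAS."""
    req, ra = build_access_request(7, "host1@example.net", "00-11-22-33-44-55",
                                   b"\x02\x01\x00\x0a\x01host1")   # EAP Response/Identity
    wire = bs_uplink(pkm_wrap(req))
    return nas_check_reply(bs_downlink(aaa_server_reply(wire, accept)), 7, ra)
```

Because the Response Authenticator is computed over the Request Authenticator and the shared secret, a reply built with a different secret, or one whose identifier does not match the request the NAS is waiting on, is discarded by nas_check_reply() even though it passed through the BS unchanged.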
Figure 18 is a flow chart in which the gateway host uses a digital certificate for device authentication and a pre-shared key for user authentication. In Figure 18, both device authentication and user authentication of the gateway host are performed; the gateway host uses dual-EAP mode and performs device authentication first. Because the authentication server is merged with the authenticator, gateway host device authentication terminates at the G-RS/G-MS. After gateway host device authentication completes, user authentication is performed and terminates at the CSN. Figure 19 is a flow chart in which the gateway host uses a digital certificate and performs only device authentication; gateway host device authentication terminates at the G-RS/G-MS. After gateway host device authentication completes, the G-RS/G-MS carries the device identifier of the gateway host (its MAC address) over the AAA protocol to the CSN.
图 20与图 21为网关主机采用预共享密钥执行设备认证与用户认证的流程 图。 图 20中, 网关主机设备认证与用户认证分别执行, 网关主机采用双 EAP 模示, 当网关主机的设备认证结束后, 网关主机执行用户认证, 网关主机设备 认证与用户认证终结于相同的认证服务器。 图 21中, 网关主机釆用单 EAP模 示, 将设备认证和用户认证联合进行, 终结于 CSN。 Figure 20 and Figure 21 are flow diagrams of the gateway host performing device authentication and user authentication using a pre-shared key. In Figure 20, gateway host device authentication and user authentication are performed separately, and the gateway host adopts dual EAP mode. After the device authentication of the gateway host is completed, the gateway host performs user authentication, and the gateway host device authentication and user authentication are terminated by the same authentication server. . In Figure 21, the gateway host uses a single EAP mode to jointly perform device authentication and user authentication, and terminates in the CSN.
If, in the AAA systems of Figures 12 to 15, only the service equipment of the ASN serves as the NAS, then the G-RS/G-MS and the gateway host are both "supplicants", the NAS in the ASN is the "authenticator" for both the G-RS/G-MS and the gateway host, and the AAA server in the CSN is still the "authentication server". The AAA system authenticates the G-RS/G-MS and the gateway host separately; the G-RS/G-MS is authenticated first.
The G-RS/G-MS, the NAS of the ASN and the AAA server perform three-party authentication consisting of G-RS/G-MS device authentication and/or user authentication. The device authentication and user authentication procedures for the G-RS/G-MS are the same as those in the case where the G-RS/G-MS service equipment acts as the authenticator for the gateway host.
After G-RS/G-MS authentication completes, the gateway host is authenticated. If the gateway host uses a digital certificate for device authentication, the authenticator is combined with the authentication server: the gateway host uses its MAC address as device identifier, performs device authentication at the NAS of the ASN, and gateway host device authentication terminates at the ASN. After gateway host device authentication completes, the ASN sends the gateway host's MAC address to the CSN over the AAA protocol, and the CSN uses the received MAC address to check whether the gateway host's device digital certificate (e.g. an X.509 certificate) is valid. Using a digital certificate for gateway host device authentication avoids the situation in which use of an NAI prevents G-Host authentication from extending to other administrative domains.
If the gateway host uses a pre-shared key (PSK) for device authentication, the EAP method runs between the gateway host and the V-CSN/H-CSN, gateway host device authentication terminates at the CSN, and the gateway host identifies its H-CSN by using the NAI as device identifier. When the gateway host attaches to the local network, it requests authentication from the AAA server in the H-CSN, according to the NAI, through the AAA proxy in the V-CSN.
The authentication procedure for a gateway host in an AAA system where the ASN service equipment is the NAS is described below with reference to the drawings.
Figure 22 shows the PKMv2-based gateway host user authentication protocol stack: the gateway host is the supplicant, the NAS of the ASN is the authenticator, the AAA server is the authentication server, and the BS acts as authentication relay. When roaming, the ASN and the CSN of the V-NSP can act as AAA proxies.
EAP messages between the gateway host and the G-RS/G-MS (not shown in the figure), and between the G-RS/G-MS and the BS in the ASN, are carried over PKMv2 (EAPoP for short); the gateway host and the G-RS/G-MS, and the G-RS/G-MS and the BS, exchange EAP messages over the 802.16 air interface. After receiving an EAP message, the BS forwards it to the NAS. The AAA protocol is used between the NAS and the AAA server.
As shown in Figure 23, on Ethernet the EAP messages between the gateway host and the G-RS/G-MS are delivered to the G-RS/G-MS over EAPoL. EAP messages between the G-RS/G-MS and the BS in the ASN are carried over PKMv2, i.e. EAPoP, and are exchanged over the 802.16 air interface. The G-RS/G-MS must therefore convert between the EAPoL bearer used between the gateway host and the G-RS/G-MS and the EAPoP bearer used between the G-RS/G-MS and the BS; that is, the G-RS/G-MS converts EAPoL messages into EAPoP messages and vice versa.
As shown in Figure 24, the G-RS/G-MS converts between EAPoL and EAPoP messages as follows:
① When the basic 802.11/802.3 link between the gateway host and the G-RS/G-MS has been established, the gateway host sends an EAPoL EAP-Start message to request EAP authentication from the G-RS/G-MS.
② After receiving the EAPoL EAP-Start message, the G-RS/G-MS generates a PKM-Request message and sets its message type to EAP-Start, indicating that the PKM-Request message carries an EAP-Start message. The G-RS/G-MS sends the PKM-Request message to the BS, and the BS delivers the EAP-Start message contained in it to the NAS of the ASN, i.e. the authenticator.
③ After receiving the EAP-Start message, the authenticator sends an EAP-Request/Identity identity query to the gateway host. Between the BS and the G-RS/G-MS this EAP message is carried in a PKM-Response message whose message type is set to EAP-Transfer, meaning that the PKM-Response message carries an EAP message.
④ After receiving the EAP-Request/Identity over EAPoP, the G-RS/G-MS encapsulates it in an EAPoL EAP-Packet and sends it to the gateway host.
⑤ The gateway host sends its EAP-Response/Identity reply in an EAPoL EAP-Packet.
⑥ The G-RS/G-MS encapsulates the EAP-Response/Identity in a PKM-Request message with message type EAP-Transfer and forwards it to the BS, which delivers the EAP-Response/Identity to the authenticator.
⑦ The gateway host sends EAP-REP/RSP Method-Negotiation messages in EAP-Packets to negotiate the EAP authentication method. The gateway relay station/gateway mobile station encapsulates each EAP-REP/RSP Method-Negotiation message in a PKM-REP/RSP message with message type EAP-Transfer and forwards it to the BS, which delivers it to the NAS for EAP authentication method negotiation.
⑧ The gateway host sends EAP-REP/RSP Method messages in EAP-Packets to carry out the EAP authentication method exchange. The gateway relay station/gateway mobile station encapsulates each EAP-REP/RSP Method message in a PKM-REP/RSP message with message type EAP-Transfer and forwards it to the base station, which delivers it to the NAS authenticator for the EAP authentication method exchange.
⑨ After completing EAP authentication, the NAS sends an EAP-Success message to the gateway host. On receiving the EAP-Success message, the gateway relay station/gateway mobile station encapsulates it in an EAP-Packet and sends it to the gateway host.
Throughout authentication method negotiation and authentication method exchange, the BS and the G-RS/G-MS communicate with PKM-Request/Response messages, all with message type EAP-Transfer, and the gateway host and the G-RS/G-MS communicate with EAPoL EAP-Packets, until the EAP authentication procedure ends.
During EAP authentication, for 802.11 the AAA server delivers the relevant keys for a legitimate gateway host to the G-RS/G-MS, such as the session key between the gateway host and the G-RS/G-MS. In this embodiment, PKM messages carry the 802.11 keys that need to be transferred.
After the gateway host has been authenticated, if the G-RS/G-MS detects that the gateway host has gone offline or that an abnormal condition has occurred (there may be many causes and detection methods, e.g. the gateway host deregisters, the gateway host shuts down, or the air-interface signal quality becomes unusable; these are outside the scope of this description), the G-RS/G-MS initiates an EAP-Logoff message on its own, encapsulates the EAP-Logoff in a PKM-Request message with message type EAP-Transfer, and thereby instructs the NAS authenticator to update the corresponding authorization state.
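The EAPoL/EAPoP conversion of Figure 24 and the EAP-Logoff case above, as an added example: a Python simulation written for this page, not code from the patent or from any WiMAX implementation. It models the G-RS/G-MS as two conversion functions (uplink EAPoL frame to PKM-Request, downlink PKM-Response to EAPoL EAP-Packet), treats the BS as a transparent forwarder, and replaces the EAP method negotiation and exchange of steps ⑦ and ⑧ with a constructed identity allow-list inside a toy authenticator; the authenticator, the allow-list and the identity strings are assumptions. The 802.1X EAPoL packet-type codes and the RFC 3748 EAP codes are the real ones.

```python
"""Simulation of the EAPoL <-> EAPoP (PKMv2) conversion performed by the G-RS/G-MS.

Added illustration, not code from the patent. Message names follow Figure 24;
the EAP method negotiation and exchange (steps 7 and 8) are replaced by a
constructed identity allow-list check so the relay logic can be followed end to end.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# EAPoL packet types as numbered in IEEE 802.1X
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes (RFC 3748) and the Identity type
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int] = None
    data: bytes = b""


@dataclass
class EapolFrame:
    """Frame on the host <-> G-RS/G-MS link (802.3/802.11)."""
    frame_type: int
    eap: Optional[EapPacket] = None


@dataclass
class PkmMessage:
    """PKMv2 message on the G-RS/G-MS <-> BS link (802.16 air interface)."""
    name: str        # "PKM-Request" (uplink) or "PKM-Response" (downlink)
    msg_type: str    # "EAP-Start" or "EAP-Transfer"
    eap: Optional[EapPacket] = None
    logoff: bool = False


def eapol_to_pkm(frame: EapolFrame) -> PkmMessage:
    """Uplink conversion by the G-RS/G-MS (steps 2, 6, 8 and the logoff case)."""
    if frame.frame_type == EAPOL_START:
        return PkmMessage("PKM-Request", "EAP-Start")          # step 2
    if frame.frame_type == EAPOL_LOGOFF:
        return PkmMessage("PKM-Request", "EAP-Transfer", logoff=True)
    if frame.frame_type == EAPOL_EAP_PACKET and frame.eap is not None:
        return PkmMessage("PKM-Request", "EAP-Transfer", frame.eap)
    raise ValueError("EAPoL frame cannot be relayed over PKMv2")


def pkm_to_eapol(msg: PkmMessage) -> EapolFrame:
    """Downlink conversion (steps 4 and 9): EAP in PKM-Response -> EAPoL EAP-Packet."""
    if msg.name != "PKM-Response" or msg.msg_type != "EAP-Transfer" or msg.eap is None:
        raise ValueError("only PKM-Response/EAP-Transfer carries EAP toward the host")
    return EapolFrame(EAPOL_EAP_PACKET, msg.eap)


class Authenticator:
    """Toy NAS reached through the BS; constructed stand-in for the real EAP method run."""

    def __init__(self, allowed: Set[str]):
        self.allowed = allowed
        self.authorized = False

    def handle(self, msg: PkmMessage) -> Optional[PkmMessage]:
        if msg.msg_type == "EAP-Start":                           # step 3
            req = EapPacket(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
            return PkmMessage("PKM-Response", "EAP-Transfer", req)
        if msg.logoff:                                            # EAP-Logoff: clear authorization
            self.authorized = False
            return None
        eap = msg.eap
        if eap.code == EAP_RESPONSE and eap.eap_type == EAP_TYPE_IDENTITY:
            ok = eap.data.decode() in self.allowed                # constructed allow-list check
            self.authorized = ok
            code = EAP_SUCCESS if ok else EAP_FAILURE             # step 9
            return PkmMessage("PKM-Response", "EAP-Transfer", EapPacket(code, eap.identifier))
        return None


def run_exchange(identity: str, nas: Authenticator) -> List[str]:
    """Drive steps 1-9 of Figure 24 and return a transcript with one line per hop pair."""
    log: List[str] = []
    up = eapol_to_pkm(EapolFrame(EAPOL_START))                   # steps 1-2
    log.append(f"host->relay EAPoL EAP-Start | relay->BS {up.name}/{up.msg_type}")
    down = nas.handle(up)                                        # step 3
    host_frame = pkm_to_eapol(down)                              # step 4
    log.append(f"BS->relay {down.name}/{down.msg_type} | relay->host EAPoL EAP-Packet Request/Identity")
    reply = EapPacket(EAP_RESPONSE, host_frame.eap.identifier, EAP_TYPE_IDENTITY, identity.encode())
    up = eapol_to_pkm(EapolFrame(EAPOL_EAP_PACKET, reply))       # steps 5-6
    log.append(f"host->relay EAPoL EAP-Packet Response/Identity | relay->BS {up.name}/{up.msg_type}")
    down = nas.handle(up)                                        # steps 7-9 (method run collapsed)
    host_frame = pkm_to_eapol(down)
    result = "EAP-Success" if host_frame.eap.code == EAP_SUCCESS else "EAP-Failure"
    log.append(f"BS->relay {down.name}/{down.msg_type} | relay->host EAPoL EAP-Packet {result}")
    return log


def relay_logoff(nas: Authenticator) -> PkmMessage:
    """The G-RS/G-MS detects the host is gone and sends EAP-Logoff in PKM-Request/EAP-Transfer."""
    up = eapol_to_pkm(EapolFrame(EAPOL_LOGOFF))
    nas.handle(up)
    return up


if __name__ == "__main__":
    nas = Authenticator({"host1@example.net"})                   # constructed allow-list
    for line in run_exchange("host1@example.net", nas):
        print(line)
    print("authorized:", nas.authorized)
    relay_logoff(nas)
    print("authorized after logoff:", nas.authorized)
```

Running it prints one line per hop pair. The points to take from it are that every EAP message toward the host reaches it only inside a PKM-Response of type EAP-Transfer re-wrapped as an EAPoL EAP-Packet, that the uplink direction has exactly two PKM-Request types (EAP-Start for the initial request, EAP-Transfer for everything else), and that the relay rather than the host originates the EAP-Logoff that clears the authenticator's authorization state.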
Figure 25 is a flowchart in which the gateway host uses a digital certificate for device authentication and a pre-shared key for user authentication. Both device authentication and user authentication of the gateway host are performed: the gateway host uses dual-EAP mode and performs device authentication first. Because the authentication server is combined with the authenticator, gateway host device authentication terminates at the ASN. After gateway host device authentication completes, user authentication is performed, and user authentication terminates at the CSN.
Figure 26 is a flowchart in which the gateway host uses a digital certificate and performs device authentication only; device authentication of the gateway host terminates at the ASN. After gateway host device authentication completes, the ASN carries the gateway host's device identifier (its MAC address) in the AAA protocol and passes it to the CSN.
Figures 27 and 28 are flowcharts in which the gateway host uses a pre-shared key for device authentication and user authentication. In Figure 27, gateway host device authentication and user authentication are performed separately: the gateway host uses dual-EAP mode, performs user authentication once device authentication has completed, and both authentications terminate at the same authentication server. In Figure 28, the gateway host uses single-EAP mode, performing device authentication and user authentication jointly, terminating at the CSN.
If, in the WiMAX network of Figure 11, a bridge device is used to support multiple host devices, the operator network is divided into a bridge relay station/bridge mobile station plus ASN on one side and the CSN on the other. Host devices connect to the bridge relay station/bridge mobile station through an interface: the bridge relay station/bridge mobile station connects to multiple host devices through a first interface (e.g. a gateway interface) and to the base station of the ASN through a second interface (e.g. the R1 interface). The service equipment of the bridge relay station/bridge mobile station plus ASN acts as the network access server; that is, besides configuring the ASN service equipment as the network access server, the service equipment of the bridge relay station/bridge mobile station can also be configured as the network access server.
The difference between an AAA system using a bridge relay station/bridge mobile station and one using a gateway relay station/gateway mobile station is that a layer-2 bridge relay station/bridge mobile station replaces the layer-3 gateway relay station/gateway mobile station; when the NAS is located in the bridge relay station/bridge mobile station, the bridge relay station/bridge mobile station can act as the authenticator for host device authentication.
The configuration of the other network elements in the AAA system does not change, and the authentication and authorization procedures of the AAA system for a multi-host WiMAX network supported by a bridge relay station/bridge mobile station are identical to those for a multi-host WiMAX network supported by a gateway relay station/gateway mobile station. The steps above may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
It can be seen that the embodiments of the present invention provide an AAA system for a multi-host WiMAX network and, at the level of mechanism and protocol flow, solve the problem of supporting authentication and authorization of the gateway device/bridge device and the host devices. In this AAA system the network access server can be located flexibly in the gateway device/bridge device or in the ASN, and when a host device accesses network resources, authentication of the gateway device/bridge device and of the host device can be provided according to the location of the network access server. This makes authorization and accounting of host devices in a multi-host WiMAX network possible.
The above are merely preferred embodiments of the present invention, and the scope of protection of the present invention is not limited to them. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the claims.
Claims
1. An AAA system for a multi-host network, comprising an access service network and a connectivity service network, the access service network being provided with a network access server and the connectivity service network being provided with at least one AAA server, characterized in that the AAA system further comprises a gateway device/bridge device and host devices;
the host device is connected to the gateway device/bridge device; the network access server is located in the gateway device/bridge device; authentication of the host device is performed separately from and independently of authentication of the gateway device/bridge device; the gateway device/bridge device, the network access server in the access service network and the AAA server in the connectivity service network perform three-party authentication consisting of device authentication and/or user authentication of the gateway device/bridge device; and the host device, the network access server in the gateway device/bridge device and the AAA server in the connectivity service network perform three-party authentication consisting of device authentication and/or user authentication of the host device.
2. The AAA system for a multi-host network according to claim 1, characterized in that, when the gateway device/bridge device, the network access server in the access service network and the AAA server in the connectivity service network perform three-party authentication consisting of device authentication and/or user authentication of the gateway device/bridge device,
the gateway device/bridge device is the supplicant, the network access server in the access service network is the authenticator, and the AAA server in the connectivity service network is the authentication server;
if both device authentication and user authentication of the gateway device/bridge device are performed but terminate at different authentication servers, the gateway device/bridge device uses dual-EAP mode authentication; or
if both device authentication and user authentication of the gateway device/bridge device are performed and terminate at the same authentication server, the gateway device/bridge device uses dual-EAP mode authentication, or uses single-EAP mode to perform joint device authentication and user authentication; or
if the gateway device/bridge device performs only device authentication or only user authentication, the gateway device/bridge device uses single-EAP mode.
3. The AAA system for a multi-host network according to claim 1, characterized in that, when the host device, the network access server in the gateway device/bridge device and the AAA server in the connectivity service network perform three-party authentication consisting of device authentication and/or user authentication of the host device, the host device is the supplicant, the network access server in the gateway device/bridge device is the authenticator, and the AAA server in the connectivity service network is the authentication server;
if both device authentication and user authentication of the host device are performed but terminate at different authentication servers, the host device uses dual-EAP mode authentication; or
if both device authentication and user authentication of the host device are performed and terminate at the same authentication server, the host device uses dual-EAP mode authentication, or the host device uses single-EAP mode to perform joint device authentication and user authentication; or
if the host device performs only device authentication or only user authentication, the host device uses single-EAP mode.
4. The AAA system for a multi-host network according to claim 3, characterized in that the access service network is further provided with a base station, and the base station converts between the bearer of AAA messages between the gateway device/bridge device and the base station and the bearer of AAA messages between the base station and the authentication server.
5. The AAA system for a multi-host network according to claim 4, characterized in that the gateway device/bridge device is connected to each host device through a first interface and to the access service network through a second interface; the first interface uses 802.3, 802.11 or 802.16 transmission technology, and the second interface uses 802.16 wireless transmission technology;
Extensible Authentication Protocol (EAP) messages are transmitted between the host device and the gateway device/bridge device over PKMv2 of the air interface, the EAP message bearer between the host device and the gateway device/bridge device being EAPoP; or
EAP is transmitted between the host device and the gateway device/bridge device over 802.3 or 802.11
6. The AAA system for a multi-host network according to claim 5, characterized in that AAA messages between the gateway device/bridge device and the base station are carried over the PKMv2 protocol as AAAoP, and AAA messages between the base station and the authentication server are carried over the transport layer as AAAoT;
the base station converting between the bearer of AAA messages between the gateway device/bridge device and the base station and the bearer of AAA messages between the base station and the authentication server means that the base station converts AAAoP messages into AAAoT messages.
7. The AAA system for a multi-host network according to claim 6, characterized in that AAA messages between the gateway device/bridge device and the base station are carried by a configured PKM-REQ/RSP message type of PKMv2.
8. An authentication method for an AAA system of a multi-host network, characterized in that, when a host device is connected to a gateway device/bridge device, the AAA system authenticates the gateway device/bridge device and the host device separately;
the gateway device/bridge device first transmits its authentication information, through the network access server in the access service network, to the AAA server in the connectivity service network, and the gateway device/bridge device, the network access server in the access service network and the AAA server perform three-party authentication consisting of device authentication and/or user authentication of the gateway device/bridge device;
after device authentication and/or user authentication of the gateway device/bridge device completes, the host device transmits its authentication information, through the network access server in the gateway device/bridge device, to the AAA server in the connectivity service network, and the host device, the network access server in the gateway device/bridge device and the AAA server perform three-party authentication consisting of device authentication and/or user authentication of the host device.
9. The method according to claim 8, characterized in that […] user authentication;
10. The method according to claim 9, characterized in that, when the gateway device/bridge device, the network access server in the access service network and the AAA server perform three-party authentication consisting of device authentication and/or user authentication of the gateway device/bridge device,
the gateway device/bridge device is the supplicant, the network access server in the access service network is the authenticator, and the AAA server is the authentication server; if both device authentication and user authentication of the gateway device/bridge device are performed but terminate at different authentication servers, the gateway device/bridge device uses dual-EAP mode authentication; or
if both device authentication and user authentication of the gateway device/bridge device are performed and terminate at the same authentication server, the gateway device/bridge device uses dual-EAP mode authentication, or the gateway device/bridge device uses single-EAP mode to perform joint device authentication and user authentication; or if the gateway device/bridge device performs only device authentication or only user authentication, the gateway device/bridge device uses single-EAP mode.
11. The method according to claim 9, characterized in that, when the host device, the network access server in the gateway device/bridge device and the AAA server perform three-party authentication consisting of device authentication and/or user authentication of the host device, the host device is the supplicant, the network access server in the gateway device/bridge device is the authenticator, and the AAA server is the authentication server;
if both device authentication and user authentication of the host device are performed but terminate at different authentication servers, the host device uses dual-EAP mode authentication; or
if both device authentication and user authentication of the host device are performed and terminate at the same authentication server, the host device uses dual-EAP mode authentication, or the host device uses single-EAP mode to perform joint device authentication and user authentication; or
if the host device performs only device authentication or only user authentication, the host device uses single-EAP mode.
12. The method according to claim 11, characterized in that the access service network is further provided with a base station, and the base station converts between the bearer of AAA messages between the gateway device/bridge device and the base station and the bearer of AAA messages between the base station and the authentication server.
13. The method according to claim 12, characterized in that the gateway device/bridge device is connected to each host device through a first interface and to the access service network through a second interface; the first interface uses 802.3, 802.11 or 802.16 transmission technology, and the second interface uses 802.16 wireless transmission technology;
EAP messages are transmitted between the host device and the gateway device/bridge device over PKMv2 of the air interface, the EAP message bearer between the host device and the gateway device/bridge device being EAPoP; or
EAP is transmitted between the host device and the gateway device/bridge device over 802.3 or 802.11
14. The method according to claim 13, characterized in that AAA messages between the gateway device/bridge device and the base station are carried over the PKMv2 protocol as AAAoP, and AAA messages between the base station and the authentication server are carried over the transport layer as AAAoT;
the base station converting between the bearer of AAA messages between the gateway device/bridge device and the base station and the bearer of AAA messages between the base station and the authentication server means that the base station converts AAAoP messages into AAAoT messages.
15. The method according to claim 14, characterized in that a PKM-REQ/RSP message type of PKMv2 for carrying AAA messages between the gateway device/bridge device and the base station is configured, the PKM-REQ/RSP message being used to support the transfer of AAA messages between the gateway device/bridge device and the base station.
16. An AAA system of a multi-host network, comprising an access service network and a connection service network, wherein a network access server is provided in the access service network and at least one AAA server is provided in the connection service network, characterized in that the AAA system further comprises a gateway device/bridge device and a host device;
the host device is connected to the gateway device/bridge device; the gateway device/bridge device is connected to the access service network; the authentication of the host device and the authentication of the gateway device/bridge device are performed separately and independently;
the gateway device/bridge device, together with the network access server in the access service network and the AAA server in the connection service network, performs three-party authentication comprising device authentication and/or user authentication of the gateway device/bridge device;
the host device, together with the network access server in the access service network and the AAA server in the connection service network, performs three-party authentication comprising device authentication and/or user authentication of the host device.
17. The AAA system of a multi-host network according to claim 16, wherein the gateway device/bridge device and the host device are supplicants; the network access server in the access service network is the authenticator; and the AAA server in the connection service network is the authentication server.
18. The AAA system of a multi-host network according to claim 17, wherein a base station is further provided in the access service network; the base station converts between the bearer of the AAA messages between the gateway device/bridge device and the base station and the bearer of the AAA messages between the base station and the authentication server.
19. The AAA system of a multi-host network according to claim 18, wherein
the gateway device/bridge device is connected to each host device through a first interface, and the first interface uses 802.3, 802.11 or 802.16 transmission technology;
the gateway device/bridge device is connected to the access service network through a second interface, and the second interface uses 802.16 wireless transmission technology;
EAP messages are transmitted between the host device and the gateway device/bridge device through PKMv2 over the air interface, and the EAP message bearer between the host device and the gateway device/bridge device is EAPoP; or EAP messages are transmitted between the host device and the gateway device/bridge device through 802.3 or 802.11, and the EAP message bearer between the host device and the gateway device/bridge device is EAPoL;
EAP messages are transmitted between the gateway device/bridge device and the base station through PKMv2 over the air interface, and the EAP message bearer between the gateway device/bridge device and the base station is EAPoP.
20. The AAA system of a multi-host network according to claim 19, wherein when the EAP bearer between the host device and the gateway device/bridge device is EAPoL, the gateway device/bridge device converts between the EAPoL used between the host device and the gateway device/bridge device and the EAPoP used between the gateway device/bridge device and the base station.
21. An AAA system authentication method of a multi-host network, wherein when a host device is connected to a gateway device/bridge device, the AAA system authenticates the gateway device/bridge device and the host device separately;
the gateway device/bridge device transmits its authentication information through the network access server in the access service network to the AAA server in the connection service network, and the gateway device/bridge device, the network access server in the access service network and the AAA server perform three-party authentication comprising device authentication and/or user authentication of the gateway device/bridge device;
after the device authentication and/or user authentication of the gateway device/bridge device is completed, the host device transmits its authentication information through the network access server of the access service network to the AAA server of the connection service network, and the host device, the network access server of the access service network and the AAA server perform three-party authentication comprising device authentication and/or user authentication of the host device.
22. The method according to claim 21, wherein the device authentication of the gateway device/bridge device is performed before the user authentication of the gateway device/bridge device.
23. The method according to claim 22, wherein
if both device authentication and user authentication of the gateway device/bridge device are performed but terminate at different authentication servers, the gateway device/bridge device uses dual-EAP mode authentication; or
if both device authentication and user authentication of the gateway device/bridge device are performed and terminate at the same authentication server, the gateway device/bridge device uses dual-EAP mode authentication, or the gateway device/bridge device uses single-EAP mode, in which device authentication and user authentication are performed jointly; or
if the gateway device/bridge device performs only device authentication or only user authentication, the gateway device/bridge device uses single-EAP mode.
24. The method according to claim 22, wherein
if both device authentication and user authentication of the host device are performed but terminate at different authentication servers, the host device uses dual-EAP mode authentication; or
if both device authentication and user authentication of the host device are performed and terminate at the same authentication server, the host device uses dual-EAP mode authentication, or the host device uses single-EAP mode, in which device authentication and user authentication are performed jointly; or
if the host device performs only device authentication or only user authentication, the host device uses single-EAP mode.
25. The method according to claim 23 or 24, wherein
the gateway device/bridge device is connected to each host device through a first interface, and the first interface uses 802.3, 802.11 or 802.16 transmission technology;
the gateway device/bridge device is connected to the access service network through a second interface, a base station is further provided in the access service network, and the second interface uses 802.16 wireless transmission technology;
EAP messages are transmitted between the host device and the gateway device/bridge device through PKMv2 over the air interface, and the EAP message bearer between the host device and the gateway device/bridge device is EAPoP; or EAP messages are transmitted between the host device and the gateway device/bridge device through 802.3 or 802.11, and the EAP message bearer between the host device and the gateway device/bridge device is EAPoL;
EAP messages are transmitted between the gateway device/bridge device and the base station through PKMv2 over the air interface, and the EAP message bearer between the gateway device/bridge device and the base station is EAPoP.
26. The method according to claim 25, wherein when the EAP bearer between the host device and the gateway device/bridge device is EAPoL, the gateway device/bridge device converts between the EAPoL used between the host device and the gateway device/bridge device and the EAPoP used between the gateway device/bridge device and the base station, the gateway device/bridge device converting EAPoL messages into EAPoP messages.
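As an added illustration, not code from the patent, the gateway/bridge behaviour of claims 20, 21 and 26 modelled in Python: a host-side EAPoL frame is validated and re-encapsulated into an EAPoP (PKM-REQ) message for the base station, and is relayed only once the gateway's own device/user authentication has completed. The PKM code, the TLV type and the sample frame are constructed placeholders, since the page gives no 802.16e code points.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E      # IEEE 802.1X EtherType
EAPOL_TYPE_EAP_PACKET = 0     # EAPOL packet type that carries an EAP packet

# Constructed placeholders: the page names a PKM-REQ/RSP message type for
# carrying EAP/AAA but gives no values, so these are NOT real 802.16e codes.
PKM_REQ_EAP_TRANSFER = 0x1E   # hypothetical PKM-REQ code
PKM_TLV_EAP_PAYLOAD = 0x0F    # hypothetical TLV type (simplified 2-byte length)


@dataclass
class GatewayBridge:
    """Gateway/bridge between the host (EAPoL side) and the base station
    (EAPoP side); models the bearer conversion of claims 20 and 26."""
    device_auth_done: bool = False
    user_auth_done: bool = False
    needs_user_auth: bool = True
    pkm_identifier: int = 0

    def own_auth_complete(self) -> bool:
        # Claim 21: host authentication starts only after the gateway's own
        # device and/or user authentication has finished.
        return self.device_auth_done and (self.user_auth_done or not self.needs_user_auth)

    def eapol_to_eapop(self, frame: bytes) -> Optional[bytes]:
        """Convert a host EAPoL frame into an EAPoP (PKM-REQ) message.
        Returns None when the frame must be dropped instead of relayed."""
        if not self.own_auth_complete():
            return None                       # gateway not yet authenticated
        if len(frame) < 18:
            return None                       # shorter than Ethernet + EAPOL header
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETHERTYPE_EAPOL:
            return None
        _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
        if eapol_type != EAPOL_TYPE_EAP_PACKET:
            return None                       # Start/Logoff/Key are handled locally
        body = frame[18:18 + length]
        if len(body) != length or length < 4:
            return None                       # truncated or undersized EAP packet
        (eap_length,) = struct.unpack("!H", body[2:4])
        if eap_length != length:
            return None                       # EAP length must match EAPOL length
        self.pkm_identifier = (self.pkm_identifier + 1) & 0xFF
        tlv = struct.pack("!BH", PKM_TLV_EAP_PAYLOAD, eap_length) + body
        return struct.pack("!BB", PKM_REQ_EAP_TRANSFER, self.pkm_identifier) + tlv


def build_eapol_frame(eap: bytes, src: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Constructed sample EAPoL frame (802.1X version 1, type EAP-Packet)."""
    dst = b"\x01\x80\xc2\x00\x00\x03"         # 802.1X PAE group address
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, EAPOL_TYPE_EAP_PACKET, len(eap))
    return dst + src + header + eap


# Constructed EAP Response/Identity: code 2, id 1, length 10, type 1, "host1"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"host1"
```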
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200610078076.1 | 2006-04-29 | ||
CN2006100780761A CN101064605B (en) | 2006-04-29 | 2006-04-29 | AAA framework of multi-host network and authentication method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007131426A1 true WO2007131426A1 (en) | 2007-11-22 |
Family
ID=38693542
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2007/001398 WO2007131426A1 (en) | 2006-04-29 | 2007-04-26 | Aaa system and authentication method of multi-hosts network |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101064605B (en) |
WO (1) | WO2007131426A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009079867A1 (en) * | 2007-12-25 | 2009-07-02 | Zte Corporation | User authenticaion system and method based on wimax system |
CN101472257B (en) * | 2007-12-27 | 2012-10-17 | 华为技术有限公司 | Method ,system and device for triggering authentication |
CN101472280A (en) * | 2007-12-27 | 2009-07-01 | 华为技术有限公司 | Network-access method of gateway mobile station, communication system and relevant equipment |
CN101471778A (en) * | 2007-12-27 | 2009-07-01 | 华为技术有限公司 | Method for obtaining network information and communication system as well as relevant equipment |
CN101483634B (en) * | 2008-01-10 | 2013-06-26 | 华为技术有限公司 | Method and apparatus for triggering reidentification |
CN101499993B (en) | 2008-01-30 | 2012-07-04 | 华为技术有限公司 | Authentication method, equipment and system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1553741A (en) * | 2003-05-30 | 2004-12-08 | 华为技术有限公司 | Method and system for providing user network roam |
CN1574986A (en) * | 2003-05-29 | 2005-02-02 | 三星电子株式会社 | Complex wireless service arrangement using wired or wireless communication systems |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FI20000760A0 (en) * | 2000-03-31 | 2000-03-31 | Nokia Corp | Authentication in a packet data network |
US8077681B2 (en) * | 2002-10-08 | 2011-12-13 | Nokia Corporation | Method and system for establishing a connection via an access network |
CN100563158C (en) * | 2005-10-26 | 2009-11-25 | 杭州华三通信技术有限公司 | Access control method and system |
- 2006-04-29 CN CN2006100780761A patent/CN101064605B/en active Active
- 2007-04-26 WO PCT/CN2007/001398 patent/WO2007131426A1/en active Application Filing
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011514082A (en) * | 2008-03-06 | 2011-04-28 | 西安西▲電▼捷通▲無▼▲綫▼▲網▼絡通信股▲分▼有限公司 | Entities' bidirectional identification method based on a practical and reliable third party |
US8510565B2 (en) | 2008-03-06 | 2013-08-13 | China Iwncomm Co., Ltd. | Bidirectional entity authentication method based on the credible third party |
US8763100B2 (en) | 2009-08-28 | 2014-06-24 | China Iwncomm Co., Ltd. | Entity authentication method with introduction of online third party |
US8751792B2 (en) | 2009-09-30 | 2014-06-10 | China Iwncomm Co., Ltd. | Method and system for entity public key acquiring, certificate validation and authentication by introducing an online credible third party |
CN109067729A (en) * | 2018-07-26 | 2018-12-21 | 新华三技术有限公司 | A kind of authentication method and device |
Also Published As
Publication number | Publication date |
---|---|
CN101064605A (en) | 2007-10-31 |
CN101064605B (en) | 2011-02-16 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
EP2445143B1 (en) | Method and system for accessing a 3rd generation network | |
WO2007131426A1 (en) | Aaa system and authentication method of multi-hosts network | |
US8335490B2 (en) | Roaming Wi-Fi access in fixed network architectures | |
US8601569B2 (en) | Secure access to a private network through a public wireless network | |
US8667151B2 (en) | Bootstrapping method for setting up a security association | |
US8127136B2 (en) | Method for security association negotiation with extensible authentication protocol in wireless portable internet system | |
US8509440B2 (en) | PANA for roaming Wi-Fi access in fixed network architectures | |
WO2019017837A1 (en) | Network security management method and apparatus | |
US20060259759A1 (en) | Method and apparatus for securely extending a protected network through secure intermediation of AAA information | |
WO2005055518A1 (en) | A method for establishment of the service tunnel in wlan | |
WO2008019615A1 (en) | The method, device and system for access authenticating | |
KR20060067263A (en) | Fast re-authentication method when handoff in wlan-umts interworking network | |
WO2006000149A1 (en) | A method for implementing access authentication of wlan user | |
WO2011098048A1 (en) | Radio node accessing network method, system and relay node | |
WO2009074108A1 (en) | Interworking 802.1 af devices with 802.1x authenticator | |
WO2008080351A1 (en) | Wireless local network operation method based on wapi | |
WO2011127774A1 (en) | Method and apparatus for controlling mode for user terminal to access internet | |
WO2008110099A1 (en) | Method, system and associated device for authenticating apparatus access to a communication network | |
WO2010069202A1 (en) | Authentication negotiation method and the system thereof, security gateway, home node b | |
Yang et al. | 3G and WLAN interworking security: Current status and key issues | |
TWI428031B (en) | Authentication method and apparatus for user equipment and lipa network eneities | |
WO2010102496A1 (en) | Method for implementing zero-interference charging at wapi system terminal | |
CN101272297B (en) | EAP authentication method of WiMAX network user | |
WO2010118570A1 (en) | Wimax and wifi networks converging system and apparatus | |
WO2008080352A1 (en) | A wlan authentication charging method based on wapi |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07720971; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 07720971; Country of ref document: EP; Kind code of ref document: A1 |