WO2008110082A1 - Method, apparatus and system for controlling Internet access permission - Google Patents

Method, apparatus and system for controlling Internet access permission

Info

Publication number
WO2008110082A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
home gateway
user terminal
unit
username
Prior art date
Application number
PCT/CN2008/070106
Other languages
English (en)
Chinese (zh)
Inventor
Pingqiang Xu
Hongjie Yao
Junling Hu
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008110082A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2803: Home automation networks
    • H04L12/2816: Controlling appliance services of a home automation network by calling their functionalities
    • H04L12/2818: Controlling appliance services of a home automation network by calling their functionalities from a device located outside both the home and the home network

Definitions

  • The present invention relates to the field of computer network technologies, and in particular to a method, device and system for controlling access rights.
  • FIG. 1 is a schematic diagram of an existing Internet access control system.
  • The terminal of the home user is connected to the network through the home gateway 103. The terminal and the home gateway 103 constitute an internal network, and the part other than the home gateway 103 is referred to as the external network.
  • The account (including the user name and password) used by each member of the household and the corresponding access right are set in the home gateway 103.
  • The terminal used by adults in the family is a personal computer (PC) 101, and the terminal used by a minor is a PC 102.
  • The PC 101 and the PC 102 can also be the same terminal device.
  • When the user submits an Internet access request through the terminal, the home gateway 103 first pops up an authentication page, the user inputs the user name and password on the authentication page, and the home gateway 103 verifies the user name and password. After the authentication, the home gateway 103, according to the permissions corresponding to the user name, binds the user name directly to a specific permanent virtual connection (PVC), and the user can access the Internet.
  • The user name used by adults in the family has access to all websites, so that user name is bound to PVC2, which can connect to all websites. The user name used by minors can only access verified green websites, so that user name is bound to PVC1, which can only connect to green websites.
  • The home gateway needs to know the binding relationship between different user names and different connections. If the relationship is manually configured by the user, the demands on the user are too high; if it is distributed remotely, a complex gateway system needs to be built, and there is a problem of user name and password leaks.
  • Summary of the invention
  • The purpose of the embodiment of the present invention is to provide a method for controlling Internet access rights that simplifies the configuration of the gateway and is easy to implement.
  • The method comprises the following steps:
  • After receiving an Internet access request including a user name and password from the first user terminal, the home gateway initiates an online request to the network side;
  • the network side authenticates the user name and password and, after the verification is passed, binds the user name to a connection with specific access rights;
  • the home gateway assigns an internal network address to the user terminal.
  • The embodiment of the present invention further provides another method for controlling Internet access rights, including the following steps:
  • the home gateway allocates an internal network address to the user terminal;
  • the user terminal initiates an online request including a user name and a password to the home gateway, and the home gateway initiates an online request to the network side according to the obtained user name and password;
  • the network side verifies the user name and password and, after the verification is passed, establishes a connection with the corresponding rights according to the Internet access rights corresponding to the user name;
  • the home gateway binds the internal network address assigned to the user terminal to the connection established on the network side.
  • The embodiment of the invention further provides an Internet access control system, comprising:
  • an Internet access request transceiving unit configured to receive an online request including a user name and a password from the user terminal, and send an online request including the user name and password to the verification unit;
  • an address allocation unit configured to allocate an internal network address to the user terminal;
  • a verification unit configured to verify the user name and password in the online request from the online request transceiving unit, and send the user name to the binding unit and the connection establishing unit if the verification is passed; otherwise it returns a verification failure message to the user terminal through the home gateway;
  • a connection establishing unit configured to query the preset configuration relationship table according to the user name to obtain the access right, and establish a network connection with that access right;
  • a binding unit configured to bind the user name that passed authentication to the connection established by the connection establishing unit and having the corresponding access right.
  • Embodiments of the present invention also propose a home gateway and a broadband remote access server for constructing the above system.
  • The verification of the user account and the authorization of the Internet access rights are all performed on the broadband remote access server, so that the setting of the home gateway can be greatly simplified and distribution is convenient.
  • FIG. 1 is a schematic diagram of a system for implementing online access control in the prior art.
  • FIG. 2 is a schematic diagram of a system for implementing online access control according to a first embodiment of the present invention.
  • FIG. 3 is a flowchart of a first embodiment of the present invention.
  • FIG. 4 is a flowchart of a second embodiment of the present invention.
  • A Point-to-Point Protocol over Ethernet (PPPoE) dialing proxy is built into the home gateway. It terminates the PPPoE request of the user and returns an internal network address to the terminal; it also initiates a new PPPoE dial-up, connects to the network, and reports the user name to the BRAS. The BRAS assigns Internet access rights based on the user name.
  • A schematic diagram of the system according to the first embodiment of the present invention is shown in FIG. 2. The home gateway 203 has a dialing proxy module 204 for receiving and terminating a PPPoE request from the user terminal and returning an internal network address to the user terminal;
  • the dialing proxy module also initiates a new PPPoE dial-up to the BRAS 205 and sends the user name sent by the terminal to the BRAS 205.
  • The home gateway 203 includes:
  • an Internet access request transceiving unit configured to receive an online request including a user name and a password from the user terminal, and send an online request including the user name and password to the remote access server;
  • an address allocation unit configured to allocate an internal network address to the user terminal;
  • a dialing proxy configured to terminate PPPoE dialing from the user terminal, and initiate a second PPPoE dialing to the broadband remote access server according to that PPPoE dialing.
  • A configuration relationship table between user names and Internet access rights is preset in the BRAS 205. The BRAS 205 queries the table according to the received user name to obtain the access right, and binds the received user name to a connection to the Internet provided according to that access right.
  • The BRAS 205 needs to include:
  • a verification unit configured to verify the user name and password in the online request from the home gateway; if the verification succeeds, it notifies the binding unit and the connection establishing unit that the verification is successful and sends the user name to the two units; otherwise, it returns a verification failure message to the user terminal through the home gateway;
  • a connection establishing unit configured to query the preset configuration relationship table according to the user name to obtain the access right, and establish a network connection with that access right;
  • a binding unit configured to bind the user name that passed authentication to the connection established by the connection establishing unit and having the corresponding access right.
  • The process of the embodiment of the present invention is shown in FIG. 3 and includes the following steps:
  • Step 301: The user terminal initiates a first PPPoE dialing request to the home gateway, where the request includes a user name and a password input by the user.
  • Step 302: The gateway terminates the first PPPoE request of the terminal, and initiates a second PPPoE request including the user name and password to the BRAS.
  • Step 303: The BRAS verifies the user name and password. After the verification is passed, according to the locally configured relationship between user names and Internet access rights, the user name is assigned the corresponding access right, that is, the user name is bound to a PPPoE connection having the corresponding Internet access right, and the home gateway is notified that the Internet access right has been assigned. If the verification fails, the home gateway returns rejection information to the user terminal, and the process ends.
  • Step 304: The home gateway allocates an internal network address to the user terminal.
  • The home gateway processes the data of the user terminal in a routing manner.
  • The home gateway may further include a buffer unit and a judging unit. The buffer unit is configured to temporarily store the user name and password received in step 302. If a second user terminal sends the same user name to the home gateway after the foregoing process, the judging unit of the home gateway determines whether the user name and password match the user name and password temporarily stored in the buffer unit. If so, the gateway does not initiate a connection to the network side as in the above procedure, but automatically uses the existing connection, and directly assigns an internal network address and returns it to the second user terminal. The second user terminal then uses the connection to which the user name is already bound to access the Internet. When the user terminal disconnects, the buffer unit of the home gateway deletes the corresponding temporarily stored user name and password.
  • In the second embodiment of the present invention, the home gateway enables a Dynamic Host Configuration Protocol (DHCP) server on the internal network side, which assigns an internal network address to the user terminal through DHCP.
  • The specific implementation process of the second embodiment is shown in FIG. 4 and includes the following steps:
  • Step 401: The user terminal obtains an internal network address from the home gateway through DHCP; the user terminal may also obtain an internal network address from the home gateway by other means, or statically configure the network address.
  • Step 402: The user terminal initiates an online request to the home gateway, the home gateway pops up the authentication page, and the user inputs the user name and password at the user terminal.
  • Step 403: After obtaining the user name and password input by the user, the home gateway initiates PPPoE dialing to the BRAS, and the authentication page on the user terminal indicates that authentication is in progress.
  • Step 404: The BRAS verifies the user name and password and, after the verification is passed, establishes a network connection with the corresponding rights according to the access right corresponding to the user name; the home gateway displays to the user terminal that authentication has passed, and starts a heartbeat program at the user terminal to confirm that the user terminal is connected to the home gateway.
  • Step 405: The home gateway binds the internal network address allocated to the user terminal to the established network connection.
  • The home gateway of the second embodiment includes the following modules:
  • a DHCP unit configured to allocate an internal network address to the user terminal by DHCP;
  • an Internet access request transceiving unit configured to receive an Internet access request containing the user name and password from the user terminal, and send an online request containing the user name and password to the remote access server;
  • a binding unit configured to bind the connection established by the broadband remote access server to the user terminal.
  • The BRAS also needs to be pre-configured with the configuration relationship between user names and Internet access rights, and includes the following modules:
  • a verification unit configured to verify the user name and password in the online request from the home gateway; if the verification succeeds, it notifies the connection establishing unit and sends the user name to it; otherwise it returns a verification failure message to the user terminal through the home gateway;
  • a connection establishing unit configured to query the preset configuration relationship table according to the user name to obtain the Internet access right, establish a network connection with that Internet access right, and send the description information of the network connection to the home gateway.
  • The solution of the present invention does not need to change the existing surfing habits of the user. The user name and password need only be configured in advance on the network side, and the home gateway does not need any configuration, so distribution is simple;
  • the changes required are small, and the connection between the user terminal and the home gateway can be maintained automatically through the existing mechanism of PPPoE, which favors implementation.
  • With the connection maintenance mechanism between the user name and the home gateway in the solution of the present invention, the user terminal can be correctly charged, and the rights and interests of the user are guaranteed.
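
The first embodiment (steps 301 to 304, plus the gateway's buffer and judging units) can be modelled as below. This is an added illustration, not code from the patent: the class names, the account data, the `192.168.1.0/24` range, the "last terminal out" cache deletion rule and the keyed digest stored in place of the cached password are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets


class BRAS:
    """Network side: verification, connection establishing and binding units."""

    def __init__(self, accounts, rights_table):
        self.accounts = accounts          # user name -> password (constructed data)
        self.rights_table = rights_table  # configuration relationship table
        self.bindings = {}                # user name -> bound connection
        self.dials = 0

    def dial(self, username, password):
        """Second PPPoE dial (step 303): return the bound connection or None."""
        self.dials += 1
        expected = self.accounts.get(username, "")
        if username not in self.accounts or not hmac.compare_digest(
                expected.encode(), password.encode()):
            return None
        conn = {"id": f"pppoe-{self.dials}", "right": self.rights_table[username]}
        self.bindings[username] = conn
        return conn


class HomeGateway:
    """Dialing proxy plus address allocation, buffer and judging units."""

    def __init__(self, bras, lan="192.168.1.0/24"):
        self.bras = bras
        self.pool = ipaddress.ip_network(lan).hosts()
        next(self.pool)                     # assumption: first host is the gateway
        self.key = secrets.token_bytes(32)  # in-memory key for cache tags
        self.cache = {}                     # user name -> (tag, connection)
        self.sessions = {}                  # terminal -> user name

    def _tag(self, username, password):
        # Added hardening: cache a keyed digest rather than the password itself.
        msg = f"{username}\0{password}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def pppoe_request(self, terminal, username, password):
        """Steps 301-304: return (internal address, connection), or None if rejected."""
        tag = self._tag(username, password)
        entry = self.cache.get(username)
        if entry and hmac.compare_digest(entry[0], tag):
            conn = entry[1]                 # match: reuse the existing connection
        else:
            conn = self.bras.dial(username, password)  # step 302
            if conn is None:
                return None                 # step 303 failure: rejection
            self.cache[username] = (tag, conn)
        self.sessions[terminal] = username
        return str(next(self.pool)), conn   # step 304

    def disconnect(self, terminal):
        username = self.sessions.pop(terminal)
        if username not in self.sessions.values():  # assumption: last terminal out
            self.cache.pop(username, None)


def demo():
    bras = BRAS({"parent": "pw-adult", "child": "pw-minor"},
                {"parent": "all-sites", "child": "green-sites"})
    gw = HomeGateway(bras)
    first = gw.pppoe_request("pc-101", "parent", "pw-adult")
    second = gw.pppoe_request("pc-102", "parent", "pw-adult")
    rejected = gw.pppoe_request("pc-102", "child", "wrong")
    return first, second, rejected, bras.dials


if __name__ == "__main__":
    print(demo())
```

A request that names a cached user name but carries a different password does not ride the existing connection: it falls through to a fresh dial, and the BRAS decides.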

Landscapes

  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method for controlling Internet access permission, comprising the following steps: when a home gateway receives an Internet access request containing a user name and a password from the first user terminal, the home gateway initiates an Internet access request including said user name and said password toward the network; the network then verifies said user name and said password and, if they are correct, binds said user name to a specific Internet access permission; the home gateway assigns an internal network address to the user terminal. The invention also presents another method for controlling Internet access permission, a system thereof, and a home gateway and a broadband remote access server (BRAS) used for said system. The invention achieves Internet access permission control while simplifying the configuration of the home gateway.
PCT/CN2008/070106 2007-03-13 2008-01-15 Method, apparatus and system for controlling Internet access permission WO2008110082A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007100880779A CN101267304B (zh) 2007-03-13 2007-03-13 Method, device and system for controlling Internet access rights
CN200710088077.9 2007-03-13

Publications (1)

Publication Number Publication Date
WO2008110082A1 (fr) 2008-09-18

Family

ID=39759006

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070106 WO2008110082A1 (fr) 2007-03-13 2008-01-15 Method, apparatus and system for controlling Internet access permission

Country Status (2)

Country Link
CN (1) CN101267304B (fr)
WO (1) WO2008110082A1 (fr)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
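CN101488874B (zh) * 2009-02-26 2013-10-23 China United Network Communications Group Co., Ltd. Configuration information generation method and device, and video terminal
CN101515868A (zh) * 2009-03-31 2009-08-26 Huawei Technologies Co., Ltd. Network permission management method, device and system
CN102480437A (zh) * 2010-11-23 2012-05-30 ZTE Corporation Method and device for controlling Internet access data of a home gateway
CN102571729A (zh) * 2010-12-27 2012-07-11 Founder Broadband Network Service Co., Ltd. IPv6 network access authentication method, device and system
CN103138979B (zh) * 2011-11-30 2016-08-03 Huawei Device Co., Ltd. Network access management method and network access device
CN103262492A (zh) * 2011-12-14 2013-08-21 Huawei Technologies Co., Ltd. Method and device for sending a service flow
CN103179554B (zh) * 2011-12-22 2016-06-22 China Mobile Group Guangdong Co., Ltd. Wireless broadband network access control method, apparatus and network device
CN103795687B (zh) * 2012-10-30 2017-06-23 China Telecom Corporation Limited Method, system and home gateway for implementing multi-user account login
CN103227729B (zh) * 2013-04-19 2016-01-13 Shenzhen Jixiang Tenda Technology Co., Ltd. Method and device for prompting PPPoE dial-up user name and password error faults
CN104954128A (zh) * 2014-03-27 2015-09-30 Sichuan Sunfor Light Co., Ltd. User identity authentication method and device, and intelligent lighting system
CN105471828B (zh) * 2014-09-05 2019-07-26 Lenovo (Beijing) Co., Ltd. Network access device and control method thereof
CN104901856A (zh) * 2015-05-21 2015-09-09 FiberHome Telecommunication Technologies Co., Ltd. Internet access control method and system for a one-to-many PPPoE proxy
CN106302035B (zh) * 2015-05-26 2019-11-29 Midea Group Co., Ltd. Communication method for a home appliance system, and home appliance system
CN109150787A (zh) * 2017-06-13 2019-01-04 Xi'an Zhongxing New Software Co., Ltd. Permission acquisition method, apparatus, device and storage medium
CN109714417B (zh) * 2018-12-27 2021-08-10 Maipu Communication Technology Co., Ltd. Network control system and method based on user behavior
CN114286420B (zh) * 2021-12-21 2023-09-05 Shenzhen Skyworth Digital Technology Co., Ltd. Locking method, device, server and medium for a gateway based on PON technology
CN115988632B (zh) * 2023-01-10 2024-07-30 China United Network Communications Group Co., Ltd. Network access method, apparatus, device and storage medium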

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060005032A1 (en) * 2004-06-15 2006-01-05 Adam Cain Method and system for enabling trust-based authorization over a network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
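JP4487490B2 (ja) * 2003-03-10 2010-06-23 Sony Corporation Information processing apparatus, access control processing method, information processing method, and computer program
JP2006180095A (ja) * 2004-12-21 2006-07-06 Matsushita Electric Ind Co Ltd Gateway and access control method for Web server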

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060005032A1 (en) * 2004-06-15 2006-01-05 Adam Cain Method and system for enabling trust-based authorization over a network

Also Published As

Publication number Publication date
CN101267304A (zh) 2008-09-17
CN101267304B (zh) 2010-09-08

Similar Documents

Publication Publication Date Title
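WO2008110082A1 (fr) Method, apparatus and system for controlling Internet access permission
CN101127600B (zh) Method for user access authentication
JP2005339093A (ja) Authentication method, authentication system, authentication proxy server, network access authentication server, program, and recording medium
CN101888389B (zh) Method and system for implementing unified authentication of an ICP alliance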
TW201204098A (en) Dynamic service groups based on session attributes
JP2006148648A (ja) User terminal connection control method and apparatus
WO2008022589A1 (fr) System and method for authenticating an access request for a local network
WO2009052734A1 (fr) Method, equipment and system for starting a network television service
KR20060125372A (ko) Intermediate authentication management system for a multiple permanent virtual circuit connection environment, and method thereof
WO2008019624A1 (fr) Method and system for implementing configuration management of devices in a network
WO2016192608A2 (fr) Authentication method, authentication system and associated device
CN101141492A (zh) Method and system for implementing secure allocation of DHCP addresses
WO2015089996A1 (fr) Security authentication method and authorization authentication server
WO2014110984A1 (fr) Authentication method and apparatus for network access by a user terminal
WO2016192427A1 (fr) Method and device for restoring access point interface configuration, and home gateway
WO2015184410A1 (fr) Trusted domain video network
WO2009079895A1 (fr) Method for allocating a secondary IP address based on DHCP access authentication
WO2010020123A1 (fr) Method, network system and network edge device for resuming an IP session
WO2006038391A1 (fr) Network apparatus and network system
WO2009079896A1 (fr) User access authentication method based on Dynamic Host Configuration Protocol
JP2016177795A (ja) Access authorization device, access authorization method, program, and communication system
US20120106399A1 (en) Identity management system
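JP2003242109A (ja) Authentication access control server device, gateway device, authentication access control method, gateway control method, authentication access control program and recording medium recording the program, and gateway control program and recording medium recording the program
CN102075567B (zh) Authentication method, client, server, pass-through server and authentication system
WO2011063658A1 (fr) Unified security authentication method and system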

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700118

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08700118

Country of ref document: EP

Kind code of ref document: A1