WO2009009972A1 - Method and system for implementing authentication - Google Patents


Info

Publication number
WO2009009972A1
Authority
WO
WIPO (PCT)
Prior art keywords
dhcp
dhcp client
client
authentication
message
Prior art date
Application number
PCT/CN2008/070977
Other languages
French (fr)
Chinese (zh)
Inventor
Amy Zhao
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009009972A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • The present invention relates to Internet Protocol (IP) network technology, and in particular to a method and system for implementing authentication in the Dynamic Host Configuration Protocol (DHCP).
  • FIG. 1 shows the workflow of the existing DHCP. As shown in Figure 1, the following steps are included:
  • Step 101: The DHCP client sends a DHCP Discovery (DISCOVER) message to the DHCP server.
  • Step 102: The DHCP server sends a DHCP Offer (OFFER) message to the DHCP client. Each DHCP server in the network that has a free address responds to the DHCP DISCOVER message sent by the DHCP client with a DHCP OFFER message; the "your address" (yiaddr) field of the DHCP OFFER message carries the offered IP address, and DHCP options carry the configuration parameter information associated with that IP address.
  • Step 103: The DHCP client sends a DHCP Request (REQUEST) message to the DHCP server. The DHCP client selects one of the DHCP OFFER messages it received from multiple DHCP servers, for example the DHCP OFFER message from the first DHCP server to respond, and broadcasts a DHCP REQUEST message to tell every DHCP server in the network which server's offered IP address the DHCP client accepts.
  • Step 104: The DHCP server selected by the DHCP client sends a DHCP Acknowledge (ACK) or DHCP Not Acknowledge (NAK) message to the DHCP client.
  • If the IP address is configured successfully, the DHCP server sends a DHCP ACK message to the DHCP client to confirm that the IP lease is in effect. The DHCP ACK message also carries configuration parameters related to the IP address, and these must not conflict with the configuration parameters sent in step 102.
  • If the DHCP server cannot satisfy the DHCP client's request, for example because the requested IP address has already been assigned to another DHCP client, the DHCP server sends a DHCP NAK message to the DHCP client to notify it that IP address configuration failed.
  • After receiving the DHCP ACK message, the DHCP client can also send an Address Resolution Protocol (ARP) packet to the network to check whether another device is already using the IP address. If one is, the client sends a DHCP DECLINE message to the DHCP server, rejects the configured IP address, and resends the DHCP DISCOVER message.
  • The workflow in Figure 1 uses DHCP version 4 (v4) as an example. For DHCPv6 only the message types differ: DHCP DISCOVER, DHCP OFFER, DHCP REQUEST and DHCP ACK in Figure 1 are replaced by SOLICIT, ADVERTISE, REQUEST and REPLY messages respectively. The rest of the workflow, such as the message interaction and the function of each message, is the same as in DHCPv4.
  • EAP (Extensible Authentication Protocol) is an authentication framework that can support multiple authentication modes. EAP messages can be carried by different protocols; for example, the two protocols commonly used in the authentication, authorization and accounting (AAA) field, the Remote Authentication Dial In User Service (Radius) and the next-generation AAA protocol Diameter, both define an industry standard for carrying EAP for authentication.
  • EAP mainly includes four message formats: request, response, success and failure.
  • FIG. 2 is a schematic diagram of an existing EAP message interaction. As shown in Figure 2, EAP requests and EAP responses always appear in pairs; the number of request/response pairs and the information they carry are not fixed but depend on the authentication method used in the actual application.
  • In the prior art, a method of combining DHCP and EAP to implement user authentication has been proposed. The method adds a new DHCP message format, DHCPEAP, to carry the EAP payload, performs the authentication with an EAP method, and assigns the IP address and related parameters to the client only after the authentication succeeds.
  • FIG. 3 is a schematic diagram of a method for implementing user authentication in DHCP through EAP. As shown in Figure 3, the following steps are included:
  • Step 301: The DHCP client sends a DHCP DISCOVER message to the network access server (NAS). The DHCP DISCOVER message in this step carries the DHCP_AUTH_proto option, which indicates that the subsequent steps will use EAP for authentication.
  • Step 302: The NAS sends a DHCPEAP message to the DHCP client whose payload carries an EAP request message.
  • Step 303: The DHCP client sends a DHCPEAP message to the NAS whose payload carries an EAP response message.
  • Step 304: The NAS strips the EAP payload out of the DHCPEAP message and carries it to the AAA server in an AAA protocol such as Radius.
  • Step 305: The AAA server sends an authentication success message to the NAS, such as an Access-Accept message in the Radius protocol.
  • Step 306: The NAS sends a DHCP Offer (DHCP OFFER) message to the DHCP client. The DHCP OFFER message carries the IP address provided by the NAS to the DHCP client and the related configuration parameter information.
  • The subsequent processing is the same as steps 103 and 104 shown in FIG. 1 and is not described again.
  • Although the method shown in Figure 3 implements user authentication in DHCP through EAP, it has the following drawbacks: an authentication failure message also has to be carried by the OFFER message, so the "yiaddr" field in the OFFER message loses its meaning, and the DHCP client must first check whether the authentication succeeded or failed before it can check the OFFER message. The same problem applies here: major changes to the existing state machine and implementation are needed, which increases the complexity of the implementation.
  • Re-authentication refers to authenticating again, for various reasons, after the first authentication.
  • The embodiments of the invention provide three methods for implementing authentication, which implement an authentication mechanism in DHCP, and three corresponding systems for implementing authentication.
  • A first method of implementing authentication comprises: the network side receives a DHCP request message from a Dynamic Host Configuration Protocol (DHCP) client, authenticates the DHCP client, and sends back to the DHCP client a response message indicating whether the authentication succeeded.
  • A second method of implementing authentication comprises: the network side authenticates the DHCP client that sent the message; if the authentication succeeds, the network side sends a DHCP acknowledgement message to the DHCP client, and if the authentication fails, the network side sends a DHCP non-acknowledgement message to the DHCP client.
  • A third method of implementing authentication comprises: the network side receives from the DHCP client a DHCP discovery message that carries rapid commit option information, authenticates the DHCP client, and sends back to the DHCP client a response message indicating whether the authentication succeeded.
  • A first system for implementing authentication comprises a DHCP client and a network side: the DHCP client is configured to send a DHCP request message to the network side and to receive the response message, indicating whether the authentication succeeded, that the network side sends back; the network side is configured to authenticate the DHCP client after receiving the DHCP request message from it, and to send that response message back to the DHCP client.
  • A second system for implementing authentication comprises a DHCP client and a network side: the DHCP client is configured to send a message to the network side and to receive the response message, indicating whether the authentication succeeded, that the network side sends back; the network side is configured to authenticate the DHCP client and, if the authentication succeeds, send a DHCP acknowledgement message to the DHCP client, or, if the authentication fails, send a DHCP non-acknowledgement message back to the DHCP client.
  • A third system for implementing authentication comprises a DHCP client and a network side: the DHCP client is configured to send to the network side a DHCP discovery message carrying the rapid commit option information, and to receive the response message, indicating whether the authentication succeeded, that the network side sends back; the network side, after receiving the discovery message from the DHCP client, authenticates the DHCP client and sends back to it a response message indicating whether the authentication succeeded.
  • In the embodiments of the invention, the network side authenticates the DHCP client and sends back a response message indicating whether the authentication succeeded, and the authentication process is triggered only after the DHCP client has obtained the address information or, depending on the selected mode, in the case where the DHCP client does not need to obtain address information. There is therefore neither the resource waste caused by the address selection method of the prior art nor the need to modify the existing state machine for this step.
  • Moreover, if the authentication succeeds, the network side sends a DHCP acknowledgement message to the DHCP client, and if the authentication fails, a DHCP non-acknowledgement message; that is, the authentication result is returned in the confirmation messages of the current DHCP protocol, and the original message format does not need to be changed as in the prior art, which reduces the complexity of the implementation.
  • Figure 1 is a schematic diagram of the existing DHCP workflow;
  • FIG. 2 is a schematic diagram of an existing EAP message interaction;
  • FIG. 3 is a schematic diagram of a method for implementing user authentication in DHCP through EAP;
  • FIG. 4 is a flow chart of a first embodiment of the method of the present invention;
  • Figure 5 is a flow chart of a second embodiment of the method of the present invention;
  • Figure 6 is a flow chart of a third embodiment of the method of the present invention;
  • Figure 7 is a flow chart of a fourth embodiment of the method of the present invention;
  • Figure 8 is a schematic diagram showing the structure of a first embodiment of the system of the present invention.
  • Detailed description
  • In the embodiments of the invention, the network side receives a DHCP request message from the DHCP client, authenticates the DHCP client, and sends back to the DHCP client a response message indicating whether the authentication succeeded.
  • Before the network side receives the DHCP request message from the DHCP client, the method may further include the DHCP client obtaining address information from the network side, specifically: the DHCP client sends a DHCP discovery message to the network side, and the network side sends a DHCP offer message to the DHCP client, the DHCP offer message carrying the IP address and configuration parameter information provided to the DHCP client.
  • Re-authentication can be triggered by the DHCP client or by the DHCP server.
  • The situations in which the DHCP client needs to trigger re-authentication include the following two types:
  • 1) The DHCP client restarts. If the DHCP client recorded its IP address before the restart, it sends a DHCP REQUEST to the DHCP server carrying that IP address so as to continue using it, and at the same time requests the relevant configuration parameters. If the DHCP client did not record its IP address before the restart, the situation is the same as the first authentication: it needs to send a DHCP DISCOVER to the DHCP server.
  • 2) When the DHCP client renews its address, it needs to be re-authenticated for security reasons, or as a means of periodic authentication.
  • The situations in which the DHCP server needs to trigger re-authentication mainly include: the DHCP server changes the policy applied to the accessed user for some specific reason, or withdraws the authentication it previously granted; or the DHCP server needs to periodically request the DHCP client to re-authenticate for security reasons.
  • If the DHCP client triggers the re-authentication, the DHCP client sends a DHCP request message to the network side, and after receiving the DHCP request message the network side authenticates the DHCP client.
  • If the DHCP server triggers the re-authentication, the network side first sends a forced renew message to the DHCP client; after receiving the forced renew message, the DHCP client sends a DHCP request message to the network side, and after receiving the DHCP request message the network side authenticates the DHCP client.
  • The network side then sends the DHCP client a response message indicating whether the authentication succeeded: for example, if the authentication succeeds, the network side sends a DHCP acknowledgement message to the DHCP client, and if the authentication fails, a DHCP non-acknowledgement message.
  • FIG. 4 is a flow chart of a first embodiment of the method of the present invention. Assume that the EAP authentication mode adopted by the network side in this embodiment is the one-time password (OTP) authentication method. Then, as shown in Figure 4, the following steps are included:
  • Step 401: The DHCP client sends a DHCP discovery (DHCP DISCOVER) message to the NAS. Here the network side is divided into two parts according to its actual composition, a NAS and an AAA server: the NAS is a DHCP server or a DHCP proxy, and is an AAA client relative to the AAA server.
  • Step 402: The NAS sends a DHCP offer (DHCP OFFER) message to the DHCP client. The DHCP OFFER message carries the IP address and related configuration parameter information provided to the DHCP client. Since every DHCP server may respond to the DHCP DISCOVER from the DHCP client by sending back a DHCP OFFER message, the DHCP client may receive multiple DHCP OFFER messages in this step.
  • Step 403: The DHCP client sends a DHCP request (DHCP REQUEST) message to the NAS to request the IP address and related configuration parameters. If the DHCP client received multiple DHCP OFFER messages in step 402, it must first select one of them and take the IP address offered in it as its own IP address; how the DHCP client selects is the same as in the prior art and is not described here.
  • Step 404: The NAS sends a DHCPEAP message to the DHCP client carrying an EAP Request message that requests the identity (ID) of the DHCP client.
  • Step 405: The DHCP client sends a DHCPEAP message to the NAS carrying an EAP Response message that contains its own ID. The identity request of steps 404 and 405 is the process specified in the EAP authentication protocol.
  • Step 406: The NAS strips the EAP Response message out of the DHCPEAP message and sends it to the AAA server in the existing AAA protocol; for example, an Access-Request message in the existing AAA protocol Radius can carry an EAP Response message.
  • Step 407: The AAA server generates an EAP Request message carrying the OTP challenge information and carries it to the NAS in the existing AAA protocol; for example, an Access-Challenge message in the existing Radius protocol can carry an EAP Request message.
  • Step 408: The NAS strips out the EAP Request message and sends it to the DHCP client in a DHCPEAP message.
  • Step 409: The DHCP client generates a response from the received challenge information, carries it in an EAP Response message, and sends it to the NAS in a DHCPEAP message.
  • Step 410: The NAS strips the EAP Response message out of the DHCPEAP message and carries it to the AAA server in the existing AAA protocol.
  • Step 411: The AAA server authenticates the DHCP client according to the received challenge response and sends back to the NAS a response message indicating whether the authentication succeeded. How the AAA server authenticates the DHCP client from the challenge response is prior art and is not described again. According to the authentication result, the AAA server generates an EAP-Success message indicating that the authentication succeeded or an EAP-Failure message indicating that it failed, and carries it to the NAS in the existing AAA protocol, for example in an Access-Accept or Access-Reject message.
  • Step 412: According to the authentication result, the NAS sends the DHCP client a DHCP ACK message indicating that the authentication succeeded or a DHCP NAK message indicating that it failed. Before sending the DHCP ACK, the NAS must also confirm whether the DHCP client can use the IP address requested in step 403: if so, it sends a DHCP ACK; if not, it sends a DHCP NAK message.
  • The embodiments of the present invention are only specific ways of implementing the solution of the present invention and are not intended to limit its technical solutions. The EAP Request and EAP Response messages are not restricted to being carried in DHCPEAP messages; other methods are also available as long as the same purpose is achieved. For example, two separate message types, DHCPEAPREQUEST and DHCPEAPRESPONSE, can be newly defined to carry the EAP Request and EAP Response messages.
  • In this embodiment the EAP authentication mode adopted by the network side is OTP. If another authentication mode is used, the EAP message interaction shown in FIG. 4 may differ. Steps 404-405 are optional and may be omitted; if they are omitted, the NAS carries an EAP-Start message in the existing AAA protocol message and sends it to the AAA server. Steps 407-410 may also need to be repeated several times, for example with an authentication method such as EAP-Transport Layer Security (EAP-TLS).
  • The embodiment shown in FIG. 4 is the implementation flow when the DHCP client performs authentication for the first time. The following two embodiments describe the implementation flow when the DHCP client performs re-authentication.
  • FIG. 5 is a flow chart of a second embodiment of the method of the present invention, in which re-authentication is triggered by the DHCP client. When the DHCP client needs to renew its address, or requests allocation parameters together with the address, it sends a DHCP request (DHCP REQUEST) message directly to the NAS. Compared with FIG. 4, steps 401 and 402, that is the process of discovering and offering an IP address, are absent; steps 501 to 510 are the same as steps 403-412 shown in FIG. 4 and are not described again.
  • FIG. 6 is a flow chart of a third embodiment of the method of the present invention, in which re-authentication is triggered by the network side: in step 601 the network side sends a forced renew (FORCERENEW) message to the DHCP client; in step 602, after receiving the FORCERENEW message, the DHCP client sends a DHCP REQUEST message to the NAS. Steps 603-611 are the same as steps 404-412 shown in Figure 4 and are not described again.
  • The embodiments shown in FIG. 5 and FIG. 6 are used for re-authentication, but in some special cases, for example when the DHCP client does not need to be authenticated when it initially accesses the network and only needs to perform the existing workflow, and the DHCP client later needs to be authenticated for the reasons given under client-triggered re-authentication, or the DHCP server requires authentication for the reasons given under server-triggered re-authentication, then although the authentication in these two cases is a first authentication, it is performed according to the flow shown in Figure 5 or Figure 6. That is, the DHCP client sends a DHCP REQUEST to the network side to trigger the network side to perform authentication.
  • Another authentication mode is provided in the embodiments of the present invention: the network side receives from the DHCP client a DHCP discovery message that carries rapid commit option information, authenticates the DHCP client, and sends back to the DHCP client a response message indicating whether the authentication succeeded. Sending this response includes: sending a DHCP acknowledgement message to the DHCP client if the authentication succeeds, and a DHCP non-acknowledgement message if it fails. Moreover, the DHCP acknowledgement message also carries the address information provided by the network side to the DHCP client. The specific implementation is shown in Figure 7.
  • FIG. 7 is a flow chart of a fourth embodiment of the method of the present invention. Compared with the embodiment shown in FIG. 4, the differences are: in step 701 the DHCP DISCOVER message sent by the DHCP client to the NAS carries the rapid commit option information; after receiving the DHCP DISCOVER the NAS performs authentication immediately, so the exchange of steps 401 and 402 shown in FIG. 4 is no longer needed; and before the NAS sends the acknowledgement message to the DHCP client in step 710, it must confirm whether an IP address can be provided to the DHCP client. If so, the NAS sends a DHCP acknowledgement message to the DHCP client that carries the address information provided to the DHCP client. The remaining steps 702-709 are the same as steps 404-411 shown in Figure 4 and are not described again.
  • If DHCPv4 is replaced by DHCPv6, the foregoing embodiments are equally applicable; the difference is that the message types may differ. For example, in the embodiment in which the network side triggers re-authentication in FIG. 6, steps 601, 602 and 611 change accordingly to Reconfigure, Renew and Reply messages.
  • FIG. 8 is a schematic structural diagram of a first embodiment of the system of the present invention. As shown in Figure 8, the system includes a DHCP client 801 and a network side 802.
  • The DHCP client 801 is configured to send a DHCP request message to the network side 802 and to receive the response message, indicating whether the authentication succeeded, that the network side sends back.
  • The network side 802 is configured to authenticate the DHCP client 801 after receiving the DHCP request message from the DHCP client 801, and to send the DHCP client 801 a response message indicating whether the authentication succeeded.
  • The DHCP client 801 may further be used to send a discovery message to the network side 802 and to receive the address information sent back by the network side 802; correspondingly, the network side 802 is further configured to receive the discovery message from the DHCP client 801 and to send the address information back to the DHCP client 801.
  • The network side 802 may further be configured to send a forced renew message to the DHCP client 801; correspondingly, after receiving the forced renew message, the DHCP client 801 sends a DHCP request message to the network side 802.
  • After the network side 802 completes the authentication of the DHCP client 801, it sends a response message to the DHCP client 801: for example, if the authentication succeeds, the network side sends a DHCP acknowledgement message to the DHCP client, and if it fails, a DHCP non-acknowledgement message.
  • The DHCP client 801 can also be used to send a DHCP discovery message carrying the rapid commit option information to the network side 802, and to receive from the network side 802 the response message indicating whether the authentication succeeded.
  • Compared with the prior art, the technical solution of the embodiments of the present invention not only solves the problem of performing authentication and re-authentication of the DHCP client, but also implements the authentication with essentially no modification of the existing message formats, reducing the difficulty and complexity of implementation.
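The four flows above (first authentication in FIG. 4, client-triggered and network-triggered re-authentication in FIG. 5 and FIG. 6, and rapid commit in FIG. 7) can be exercised end to end with the following simulation. It is an added example and not code from the patent or from Huawei; it assumes that the OTP method is modelled as an HMAC over the AAA server's challenge (the real OTP algorithm is not specified on the page), that the DHCPEAP, Radius and DHCP messages are represented as in-memory log entries rather than wire packets, and that the address pool and credentials are constructed sample values. The security-relevant point it demonstrates is step 412: the NAS hands out an ACK only when both the AAA verdict is success and the requested address can actually be granted, and a failed authentication leaves the lease table untouched.

```python
import hashlib
import hmac
import secrets as rng

# DHCP message names as used on the page; EAP codes from RFC 3748.
DISCOVER, OFFER, REQUEST, ACK, NAK, FORCERENEW, DHCPEAP = (
    "DISCOVER", "OFFER", "REQUEST", "ACK", "NAK", "FORCERENEW", "DHCPEAP")
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


class AAAServer:
    """Hypothetical AAA server. OTP is modelled as HMAC-SHA256(secret, challenge);
    this stands in for the OTP method, which the page does not specify."""

    def __init__(self, secrets_by_identity):
        self.secrets = secrets_by_identity  # constructed credential store

    def challenge(self):
        return rng.token_bytes(8)  # fresh challenge for every authentication run

    def verify(self, identity, challenge, response):
        secret = self.secrets.get(identity)
        if secret is None:
            return False  # unknown identity: EAP-Failure
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    """DHCP client whose EAP peer answers Identity and OTP requests."""

    def __init__(self, identity, secret, leased_ip=None):
        self.identity, self.secret, self.leased_ip = identity, secret, leased_ip

    def eap_response(self, request):
        if request["type"] == "identity":
            return {"code": EAP_RESPONSE, "type": "identity", "identity": self.identity}
        digest = hmac.new(self.secret, request["challenge"], hashlib.sha256).digest()
        return {"code": EAP_RESPONSE, "type": "otp", "response": digest}


class NAS:
    """NAS: DHCP server toward the client, AAA client toward the AAA server."""

    def __init__(self, aaa, pool):
        self.aaa, self.free, self.leases = aaa, list(pool), {}

    def _eap_exchange(self, client, log):
        """Steps 404-411 of FIG. 4: identity request, OTP challenge, AAA verdict."""
        log.append((DHCPEAP, "NAS->client", "EAP-Request/Identity"))
        ident = client.eap_response({"code": EAP_REQUEST, "type": "identity"})
        log.append((DHCPEAP, "client->NAS", "EAP-Response/Identity"))
        log.append(("Access-Request", "NAS->AAA", "EAP-Response/Identity"))
        chal = self.aaa.challenge()
        log.append(("Access-Challenge", "AAA->NAS", "EAP-Request/OTP"))
        log.append((DHCPEAP, "NAS->client", "EAP-Request/OTP"))
        ans = client.eap_response({"code": EAP_REQUEST, "type": "otp", "challenge": chal})
        log.append((DHCPEAP, "client->NAS", "EAP-Response/OTP"))
        log.append(("Access-Request", "NAS->AAA", "EAP-Response/OTP"))
        ok = self.aaa.verify(ident["identity"], chal, ans["response"])
        log.append(("Access-Accept" if ok else "Access-Reject", "AAA->NAS",
                    "EAP-Success" if ok else "EAP-Failure"))
        return ok, ident["identity"]

    def _finish(self, client, ip, log):
        """Step 412: ACK only if authentication passed AND the address can be granted."""
        ok, identity = self._eap_exchange(client, log)
        grantable = ip is not None and (ip in self.free or self.leases.get(ip) == identity)
        if ok and grantable:
            if ip in self.free:
                self.free.remove(ip)
            self.leases[ip] = identity
            client.leased_ip = ip
            log.append((ACK, "NAS->client", ip))
            return ACK, ip
        log.append((NAK, "NAS->client", None))  # failure leaves leases untouched
        return NAK, None

    def initial_access(self, client, log):
        """FIG. 4: DISCOVER / OFFER / REQUEST, then EAP, then ACK or NAK."""
        log.append((DISCOVER, "client->NAS", None))
        offered = self.free[0] if self.free else None
        log.append((OFFER, "NAS->client", offered))
        log.append((REQUEST, "client->NAS", offered))
        return self._finish(client, offered, log)

    def client_reauth(self, client, log):
        """FIG. 5: client sends REQUEST for its current address; no DISCOVER/OFFER."""
        log.append((REQUEST, "client->NAS", client.leased_ip))
        return self._finish(client, client.leased_ip, log)

    def server_reauth(self, client, log):
        """FIG. 6: NAS sends FORCERENEW, client answers with REQUEST, then as FIG. 5."""
        log.append((FORCERENEW, "NAS->client", None))
        return self.client_reauth(client, log)

    def rapid_commit(self, client, log):
        """FIG. 7: DISCOVER with rapid commit; authenticate at once; ACK carries the address."""
        log.append((DISCOVER, "client->NAS", "rapid-commit"))
        ip = self.free[0] if self.free else None
        return self._finish(client, ip, log)
```

Each flow method returns the final DHCP verdict and the granted address, and appends every message of the exchange to the supplied log, so a reader can compare the transcript of the rapid commit flow (no OFFER, ACK carrying the address) with the FIG. 4 flow.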

Abstract

A method and system for implementing authentication: the network side receives, from a Dynamic Host Configuration Protocol (DHCP) client, a DHCP request message or a DHCP discovery message carrying rapid commit option information, authenticates the DHCP client, and sends back to the DHCP client a response message indicating whether the authentication succeeded. If the authentication succeeds, the network side sends back a DHCP acknowledgement message to the DHCP client; if the authentication fails, it sends a DHCP non-acknowledgement message to the DHCP client.

Description

一种实现认证的方法和系统 技术领域  Method and system for realizing authentication
本发明涉及网际协议( Internet Protocol, IP)网络技术, 特别涉及一 种在动态主机酉己置十办议( Dynamic Host Configuration Protocol, DHCP )中 实现认证的方法和系统。 背景技术  The present invention relates to Internet Protocol (IP) network technology, and in particular, to a method and system for implementing authentication in a Dynamic Host Configuration Protocol (DHCP). Background technique
在全 IP网络中,基于用户的接入认证是必不可少的,但是现有一些协议 却没有提供认证功能, 比如 DHCP。 现有的 DHCP主要用于在用户请求下为用 户分配 IP地址。 图 1为现有 DHCP工作流程示意图。 如图 1所示, 包括以下 步骤:  In an all-IP network, user-based access authentication is essential, but some existing protocols do not provide authentication functions, such as DHCP. The existing DHCP is mainly used to assign an IP address to the user at the request of the user. Figure 1 shows the workflow of the existing DHCP. As shown in Figure 1, the following steps are included:
步骤 101: DHCP客户端向 DHCP服务器发送 DHCP发现( DISCOVER )报文。 当 DHCP客户端首次登录网络时, 向网络中的 DHCP服务器广播一个 DHCP Step 101: The DHCP client sends a DHCP Discovery (DISCOVER) message to the DHCP server. When the DHCP client logs in to the network for the first time, it broadcasts a DHCP to the DHCP server on the network.
DISCOVER报文, 以寻找 DHCP服务器。 DISCOVER message to find the DHCP server.
步骤 102: DHCP服务器向 DHCP客户端回送 DHCP提供 (OFFER)报文。 网络中的每一个有空闲地址的 DHCP服务器均对 DHCP客户端发出的 DHCP DISCOVER报文作出响应, 向 DHCP客户端回送 DHCP OFFER报文, 并在 DHCP OFFER才艮文的 "你的地址(yiaddr ) " 域中携带所提供的网络 IP地址, 以及 与该 IP地址相关的一些 DHCP选项 ( options ) 配置参数信息。  Step 102: The DHCP server sends a DHCP Offer (OFFER) packet to the DHCP client. Each DHCP server with a free address in the network responds to the DHCP DISCOVER message sent by the DHCP client, and sends a DHCP OFFER message to the DHCP client, and the DHCP OFFER message "Your address (yiaddr) "The domain carries the provided network IP address and some DHCP options (options) configuration parameter information associated with the IP address.
Step 103: The DHCP client sends a DHCP REQUEST message to the DHCP server. From the DHCP OFFER messages returned by the several DHCP servers, the DHCP client selects one, for example the DHCP OFFER message from the DHCP server whose offer arrived first, and broadcasts a DHCP REQUEST message to tell every DHCP server in the network which DHCP server's IP address the DHCP client has chosen to accept.
Step 104: The DHCP server selected by the DHCP client sends a DHCP acknowledgement (ACK) message or a DHCP negative acknowledgement (NAK) message to the DHCP client.
If the IP address is configured successfully, the DHCP server returns a DHCP ACK message to the DHCP client to confirm that the IP lease has formally taken effect. The DHCP ACK message likewise carries configuration parameters related to the IP address, and the configuration parameters in this step must not conflict with the configuration parameters mentioned in step 102.
If the DHCP server cannot satisfy the DHCP client's request, for example because the IP address requested by the DHCP client has already been assigned to another DHCP client, the DHCP server returns a DHCP NAK message to the DHCP client to notify it that IP address configuration has failed.
In a subsequent step, after receiving the DHCP ACK message the DHCP client may also send an Address Resolution Protocol (ARP) packet to the network to check whether any other device on the network is using the IP address; if one is, the DHCP client sends a DHCP DECLINE message to the DHCP server, refusing the configured IP address, and sends a new DHCP DISCOVER message.
In addition, every DHCP server other than the one selected by the DHCP client withdraws the IP address it offered.
The DHCP workflow shown in Figure 1 is described using DHCP version 4 (v4) as the example. For DHCPv6 the only difference is the message types: the DHCP DISCOVER, DHCP OFFER, DHCP REQUEST and DHCP ACK messages of Figure 1 are replaced by SOLICIT, ADVERTISE, REQUEST and REPLY messages respectively; the rest of the workflow, such as the message exchange pattern and the function of each message, is the same as in DHCPv4.
As can be seen from the description above, existing DHCP has no authentication function, so, in order to improve security, it is desirable to introduce an existing authentication mechanism into DHCP.
Authentication Protocol (EAP). EAP is an authentication framework that supports many different authentication methods, and EAP messages can be carried by different protocols: for example, the two protocols commonly used in the field of Authentication, Authorization and Accounting (AAA), namely Remote Authentication Dial In User Service (Radius) and the next-generation AAA protocol Diameter, both define industry standards for carrying EAP for authentication. EAP has four main message formats: request, response, success and failure. Figure 2 is a schematic diagram of the existing EAP message exchange. As shown in Figure 2, an EAP request and an EAP response always appear in pairs; moreover, the number of EAP request/response pairs and the information each carries are not fixed but depend on the authentication method used in the actual application.
A method combining DHCP and EAP to implement user authentication has already been proposed in the prior art. It carries the EAP payload by adding a new DHCP message format, DHCPEAP, performs authentication by the EAP method and, after authentication succeeds, assigns an IP address and related parameters to the client.
Figure 3 is a schematic diagram of the existing method for implementing user authentication in DHCP through EAP. As shown in Figure 3, it comprises the following steps:
Step 301: The DHCP client sends a DHCP DISCOVER message to the Network Access Server (NAS).
The DHCP DISCOVER message in this step carries the DHCP_AUTH_proto option, which indicates that the subsequent steps will use EAP for authentication.
Step 302: The NAS sends a DHCPEAP message to the DHCP client whose payload carries an EAP request message.
Step 303: The DHCP client sends a DHCPEAP message to the NAS whose payload carries an EAP response message.
Step 304: The NAS strips the EAP payload out of the DHCPEAP message and sends it to the AAA server carried in an AAA protocol such as Radius.
Depending on the EAP authentication method used, this step may require several exchanges among the DHCP client, the NAS and the AAA server.
Step 305: The AAA server sends an authentication-success message to the NAS, such as an Access-Accept message of the Radius protocol.
Step 306: The NAS sends a DHCP OFFER message to the DHCP client.
The DHCP OFFER message carries the IP address that the NAS provides to the DHCP client and the related configuration parameter information.
The subsequent processing is the same as steps 103 and 104 shown in Figure 1 and is not repeated here. Although the method shown in Figure 3 implements user authentication in DHCP through EAP, it has the following drawbacks:
First, in theory, after the DHCP client sends a DHCP DISCOVER message, several DHCP servers will respond. In the existing DHCP protocol the DHCP client chooses among the several OFFERs it receives, but the method of Figure 3 does not address how this case should be handled. Suppose that every DHCP server sends its OFFER only after authentication completes and the DHCP client then makes its choice: this would clearly waste resources, because authentication is a very time-consuming operation. If instead the choice is made before authentication, that is, when the DHCP client receives the first DHCPEAP message, this is inconsistent with the DHCP client of Figure 1 choosing after it receives the OFFER messages, so the existing state machine and implementation would need substantial changes, increasing implementation complexity.
Moreover, if authentication fails, the failure message also has to be carried in an OFFER message, so the "yiaddr" field of the OFFER message loses its meaning: the DHCP client must first check whether authentication succeeded or failed before it can examine the OFFER message. Again, the resulting problem is that the existing state machine and implementation need substantial changes, increasing implementation complexity.
Furthermore, the method of Figure 3 does not consider re-authentication, that is, repeated authentication carried out after the first authentication for various reasons.
Summary of the Invention
Embodiments of the present invention provide three methods for implementing authentication, which can implement an authentication mechanism in DHCP simply.
Embodiments of the present invention also provide three systems for implementing authentication, which can implement an authentication mechanism in DHCP simply.
The technical solutions of the embodiments of the present invention are implemented as follows:
A method for implementing authentication, the method comprising:
a network side receives a DHCP request message from a Dynamic Host Configuration Protocol (DHCP) client, authenticates the DHCP client, and returns to the DHCP client a response message indicating whether authentication succeeded.
A method for implementing authentication, the method comprising:
a network side authenticates a DHCP client that sends a message to the network side; if authentication succeeds, the network side returns a DHCP acknowledgement message to the DHCP client; if authentication fails, the network side returns a DHCP negative acknowledgement message to the DHCP client.
A method for implementing authentication, the method comprising:
a network side receives a DHCP discovery message from a DHCP client, the DHCP discovery message carrying rapid commit option information; the network side authenticates the DHCP client and returns to the DHCP client a response message indicating whether authentication succeeded.
A system for implementing authentication, the system comprising a DHCP client and a network side;
the DHCP client is configured to send a DHCP request message to the network side and to receive the response message returned by the network side indicating whether authentication succeeded;
the network side is configured to authenticate the DHCP client after receiving the DHCP request message from the DHCP client, and to return to the DHCP client a response message indicating whether authentication succeeded.
A system for implementing authentication, the system comprising a DHCP client and a network side;
the DHCP client is configured to send a message to the network side and to receive the response message returned by the network side indicating whether authentication succeeded;
the network side is configured to authenticate the DHCP client and, if authentication succeeds, to return a DHCP acknowledgement message to the DHCP client, and, if authentication fails, to return a DHCP negative acknowledgement message to the DHCP client.
A system for implementing authentication, the system comprising a DHCP client and a network side;
the DHCP client is configured to send to the network side a DHCP discovery message carrying rapid commit option information and to receive the response message returned by the network side indicating whether authentication succeeded; the network side is configured to authenticate the DHCP client after receiving the discovery message from the DHCP client, and to return to the DHCP client a response message indicating whether authentication succeeded.
It can be seen that, with the technical solutions of the embodiments of the present invention, after receiving from the DHCP client a DHCP request message or a DHCP discovery message carrying rapid commit option information, the network side authenticates the DHCP client and returns to it a response message indicating whether authentication succeeded. Because the authentication procedure is triggered after a DHCP request message or a DHCP discovery message carrying rapid commit option information is received, that is, once the DHCP client has already obtained its address information or when the DHCP client does not need to obtain address information through the selection procedure, neither the waste of resources caused by the prior-art address selection procedure nor the need to modify the existing state machine for that step arises. Furthermore, in the solutions of the embodiments, if authentication succeeds the network side sends a DHCP acknowledgement message to the DHCP client, and if authentication fails the network side sends a DHCP negative acknowledgement message to the DHCP client; that is, the result confirmation messages of the existing DHCP protocol are used to return the authentication result, so the existing message formats do not need to be changed as in the prior art, which reduces implementation complexity.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the existing DHCP workflow;
Figure 2 is a schematic diagram of the existing EAP message exchange;
Figure 3 is a schematic diagram of the existing method for implementing user authentication in DHCP through EAP;
Figure 4 is a flowchart of the first embodiment of the method of the present invention;
Figure 5 is a flowchart of the second embodiment of the method of the present invention;
Figure 6 is a flowchart of the third embodiment of the method of the present invention;
Figure 7 is a flowchart of the fourth embodiment of the method of the present invention;
Figure 8 is a schematic structural diagram of the first embodiment of the system of the present invention.
Detailed Description of the Embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
In embodiments of the present invention, the network side receives a DHCP request message from the DHCP client, authenticates the DHCP client, and returns to the DHCP client a response message indicating whether authentication succeeded.
The above scheme can be applied in different situations in which a DHCP client is authenticated:
(1) Initial authentication of the DHCP client:
Before the network side receives the DHCP request message from the DHCP client, the method further comprises the DHCP client obtaining address information from the network side, specifically: the DHCP client sends a DHCP discovery message to the network side; the network side returns a DHCP offer message to the DHCP client, the DHCP offer message carrying the IP address and configuration parameter information provided to the DHCP client.
(2) Re-authentication of the DHCP client:
In practice, re-authentication may be triggered by the DHCP client or by the DHCP server. Typically the DHCP client needs to trigger re-authentication in the following two situations:
A. The DHCP client restarts, which further divides into two cases:
the DHCP client has recorded the IP address it used before the restart, so it sends a DHCP REQUEST to the DHCP server carrying that IP address, asking to continue using it and requesting the related configuration parameters;
or the DHCP client has not recorded the IP address it used before the restart, in which case, just as for first authentication, it must send a DHCP DISCOVER to the DHCP server.
B. Address renewal (renew):
When the DHCP client renews its address, it must be authenticated again, for security reasons or as a means of periodic authentication.
The situations in which the DHCP server needs to trigger re-authentication mainly include:
A. For some specific reason the DHCP server changes its policy for a user who has already been admitted, or revokes the original authentication.
B. For security reasons the DHCP server needs to periodically require the DHCP client to re-authenticate.
If re-authentication is triggered by the DHCP client, the DHCP client actively sends a DHCP request message to the network side, and after receiving the DHCP request message the network side authenticates the DHCP client.
If re-authentication is triggered by the network side, the network side first sends a forced renew message to the DHCP client; after receiving the forced renew message, the DHCP client sends a DHCP request message to the network side; after receiving the DHCP request message, the network side authenticates the DHCP client.
In the above process, the specific procedure by which the network side authenticates the DHCP client differs depending on the EAP authentication method used.
After authentication completes, the network side returns to the DHCP client a response message indicating whether authentication succeeded; for example, if authentication succeeds it sends a DHCP acknowledgement message to the DHCP client, and if authentication fails it sends a DHCP negative acknowledgement message to the DHCP client.
The present invention is described in further detail below through preferred embodiments:
Figure 4 is a flowchart of the first embodiment of the method of the present invention. Assuming that the EAP authentication method used by the network side in this embodiment is One-Time Password (OTP) authentication, the flow shown in Figure 4 comprises the following steps:
Step 401: The DHCP client sends a DHCP DISCOVER message to the NAS. In this embodiment, for ease of description, the network side is divided according to its actual composition into two parts, the NAS and the AAA server. To the DHCP client, the NAS is a DHCP server or DHCP proxy; to the AAA server, the NAS is an AAA client.
Step 402: The NAS sends a DHCP OFFER message to the DHCP client.
The DHCP OFFER message carries the IP address and related configuration parameter information provided to the DHCP client.
Because there may be several DHCP servers on the network side, and each of them may respond after receiving the DHCP DISCOVER from the DHCP client by returning a DHCP OFFER message, the DHCP client may receive several DHCP OFFER messages in this step.
Step 403: The DHCP client sends a DHCP REQUEST message to the NAS.
The DHCP client sends the DHCP REQUEST message to the NAS to request the IP address and related configuration parameters.
If the DHCP client received several DHCP OFFER messages in step 402, then in this step it must first choose among them, taking the IP address provided in one of the DHCP OFFERs as its own IP address. How the DHCP client makes this choice is the same as in the prior art and is not repeated here.
Step 404: The NAS sends a DHCPEAP message to the DHCP client.
Because the DHCP client must be authenticated, the NAS sends a DHCPEAP message to the DHCP client carrying an EAP Request message, to request the DHCP client's identity (ID).
Step 405: The DHCP client sends a DHCPEAP message to the NAS.
The DHCP client places its own ID in an EAP Response and sends the EAP Response to the NAS carried in a DHCPEAP message.
The ID request procedure of steps 404 and 405 is the procedure specified by the EAP authentication protocol.
Step 406: The NAS strips the EAP Response message out of the DHCPEAP message and sends it to the AAA server carried in an existing AAA protocol message.
For example, the Access-Request message of the existing AAA protocol Radius may carry the EAP Response message.
Step 407: The AAA server generates an EAP Request message carrying the OTP challenge information and sends it to the NAS carried in an existing AAA protocol message.
For example, the Access-Challenge message of the existing Radius protocol may carry the EAP Request message.
Step 408: The NAS strips out the EAP Request message and sends it to the DHCP client carried in a DHCPEAP message.
Step 409: The DHCP client generates a response from the received challenge information, places it in an EAP Response message, and sends it to the NAS in a DHCPEAP message.
Step 410: The NAS strips the EAP Response message out of the DHCPEAP message and sends it to the AAA server carried in the existing AAA protocol.
For example, the Access-Request message of the existing AAA protocol Radius may carry the EAP Response message.
Step 411: The AAA server authenticates the DHCP client according to the received challenge response information and returns to the NAS a response message indicating whether authentication succeeded.
The method by which the AAA server authenticates the DHCP client from the challenge response information is prior art and is not repeated here.
According to the authentication result, the AAA server generates an EAP-Success message indicating that authentication succeeded or an EAP-Failure message indicating that authentication failed, and sends it to the NAS carried in an existing AAA protocol message such as Access-Accept or Access-Reject.
Step 412: According to the authentication result, the NAS sends to the DHCP client a DHCPACK message indicating that authentication succeeded or a DHCPNAK message indicating that authentication failed.
Of course, as in the prior art, after learning that authentication succeeded the NAS must further confirm whether the DHCP client may use the IP address requested in step 403; if it may, the NAS sends DHCPACK, and if not, DHCPNAK.
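The exchange of steps 403 to 412 as an executable model, written as an added example for this page rather than taken from the patent or from any Huawei implementation. The DHCP client, NAS and AAA server are plain Python classes that pass EAP messages directly instead of over DHCPEAP and Radius, and the OTP method is an assumption (the patent fixes none): the AAA server issues a random challenge and the client answers with an HMAC-SHA256 of it under a shared secret. The identities, secrets and address pool are constructed sample values. What the model shows beyond the prose is the two separate reasons the NAS can answer DHCPNAK: an EAP-Failure verdict, or a successful authentication whose requested address is no longer usable (the check of step 412).

```python
"""Model of the Figure 4 flow: EAP/OTP authentication triggered by a DHCP REQUEST."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# EAP codes from RFC 3748 and the two DHCPv4 message types returned in step 412
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
DHCPACK, DHCPNAK = 5, 6


@dataclass
class Eap:
    code: int
    payload: bytes = b""  # identity, challenge, or challenge response


class AaaServer:
    """AAA server side of steps 406-411.

    Assumed OTP scheme (not fixed by the patent): the client answers a random
    16-byte challenge with HMAC-SHA256(shared secret, challenge)."""

    def __init__(self, secrets: dict[bytes, bytes]):
        self.secrets = secrets              # client ID -> shared secret (constructed)
        self.pending: dict[bytes, bytes] = {}  # outstanding challenge per client ID

    def access_request(self, ident: bytes, eap: Eap) -> Eap:
        """Handle one Access-Request carrying an EAP Response and return the EAP
        message the NAS must relay: a Request (Access-Challenge) or a
        Success/Failure verdict (Access-Accept / Access-Reject)."""
        if ident not in self.secrets:
            return Eap(EAP_FAILURE)
        if ident not in self.pending:
            # step 407: the first Response carried the identity; issue the challenge
            challenge = os.urandom(16)
            self.pending[ident] = challenge
            return Eap(EAP_REQUEST, challenge)
        # step 411: verify the challenge response (constant-time compare)
        challenge = self.pending.pop(ident)
        expected = hmac.new(self.secrets[ident], challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, eap.payload):
            return Eap(EAP_SUCCESS)
        return Eap(EAP_FAILURE)


class DhcpClient:
    """DHCP client side of steps 405 and 409."""

    def __init__(self, ident: bytes, secret: bytes):
        self.ident, self.secret = ident, secret

    def eap_response(self, request: Eap) -> Eap:
        if not request.payload:  # Request/Identity (step 404): answer with the ID
            return Eap(EAP_RESPONSE, self.ident)
        # OTP challenge (step 408): answer with the keyed hash of the challenge
        return Eap(EAP_RESPONSE, hmac.new(self.secret, request.payload, hashlib.sha256).digest())


class Nas:
    """NAS: DHCP server towards the client, AAA client towards the AAA server."""

    def __init__(self, aaa: AaaServer, pool: list[str]):
        self.aaa = aaa
        self.pool = set(pool)  # addresses still free to hand out (constructed)

    def on_dhcp_request(self, client: DhcpClient, requested_ip: str) -> tuple[int, str | None]:
        """Steps 404-412, entered when a DHCP REQUEST (step 403) arrives.
        Returns the DHCP message type sent back and the acknowledged address."""
        # steps 404/405: Request/Identity in DHCPEAP, identity comes back
        response = client.eap_response(Eap(EAP_REQUEST))
        ident = response.payload
        # steps 406-411: relay EAP between client and AAA until a verdict arrives;
        # the loop covers methods that need several Request/Response rounds
        verdict = self.aaa.access_request(ident, response)
        while verdict.code == EAP_REQUEST:
            response = client.eap_response(verdict)
            verdict = self.aaa.access_request(ident, response)
        if verdict.code != EAP_SUCCESS:
            return DHCPNAK, None
        # step 412: even after success, the requested address must still be usable
        if requested_ip not in self.pool:
            return DHCPNAK, None
        self.pool.remove(requested_ip)
        return DHCPACK, requested_ip


if __name__ == "__main__":
    aaa = AaaServer({b"client-01": b"constructed-secret"})
    nas = Nas(aaa, ["192.0.2.10"])
    print(nas.on_dhcp_request(DhcpClient(b"client-01", b"wrong"), "192.0.2.10"))
    print(nas.on_dhcp_request(DhcpClient(b"client-01", b"constructed-secret"), "192.0.2.10"))
```

Because the AAA server keys its outstanding challenge by client ID and discards it once a verdict is issued, the same objects also serve the re-authentication flows of Figures 5 and 6: a second call of on_dhcp_request for the same client runs a fresh challenge rather than reusing the old one.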
对于本领域技术人员, 本发明实施例仅为实现本发明所述方案的具体方 式, 但并不用于限制本发明的技术方案。 比如, 对于上述实施例来说, 并不 局限在只能通过 DHCPEAP报文来携带 EAP Request和 EAP Response消息, 只要 能达到同样的目的, 采用其它的方式也是可以的。 比如, 可以新定义两个独 立的报文类型 DHCPEAPREQUEST和 DHCPEAPRESPONSE , 通过这两个报文来携带 E AP Request和 EAP Response消息。  For the person skilled in the art, the embodiments of the present invention are only specific ways of implementing the solution of the present invention, but are not intended to limit the technical solutions of the present invention. For example, for the foregoing embodiment, the EAP Request and the EAP Response message are not only allowed to be carried through the DHCPEAP packet, and other methods are also available as long as the same purpose can be achieved. For example, two separate packet types, DHCPEAPREQUEST and DHCPEAPRESPONSE, can be newly defined to carry EAP Request and EAP Response messages.
需要说明的是, 图 4所示实施例中, 网络侧采用的 EAP认证方式为 OTP认证 方式, 如果采用其它认证方式, 图 4所示的 EAP消息交互方式将有可能不同, 比如, 步骤 404 ~ 405本身就是可选步骤, 可以省略, 如果省略步骤 404 ~ 405 , 步骤 406中 NAS将通过现有 AAA协议报文中携带 EAP-S t a r t消息, 并发送至 AAA 服务器; 再有, 步骤 407 ~ 41 0可能需要重复多次, 比如在扩展协议认证 EEAP -传输层安全 TLS ( Transpor t Layer Secur i ty )等认证方式中, 就可能需要 多次重复步骤 407 ~ 41 0所述过程。 It should be noted that, in the embodiment shown in FIG. 4, the EAP authentication mode adopted by the network side is the OTP authentication mode. If other authentication modes are used, the EAP message interaction mode shown in FIG. 4 may be different. For example, the steps 404-405 are optional steps, which may be omitted. If the steps 404-405 are omitted, the NAS will carry the EAP-S tart message in the existing AAA protocol packet and send it to the AAA server. Steps 407 ~ 41 0 may need to be repeated multiple times. For example, in the authentication method such as Extended Protocol Authentication EEAP - Transport Layer Security TLS (Transport Layer TLS), it may be necessary to repeat the processes described in steps 407 ~ 41 0 .
图 4所示实施例为 DHCP客户端首次进行认证时的实现流程,下面通过两个 实施例来说明 DHCP客户端进行重认证时的实现流程。  The embodiment shown in FIG. 4 is an implementation flow when the DHCP client performs authentication for the first time. The following two embodiments are used to describe the implementation process when the DHCP client performs re-authentication.
图 5为本发明方法第二实施例的流程图,该实施例中的重认证由 DHCP客户 端触发。 当 DHCP客户端需要更新地址或者带地址请求分配参数时, 直接向 NA S发送 DGCP请求(DHCP REQUEST )报文。  Figure 5 is a flow chart of a second embodiment of the method of the present invention, in which re-authentication is triggered by a DHCP client. When the DHCP client needs to update the address or with the address request allocation parameter, it sends a DGCP request (DHCP REQUEST) message directly to the NA S.
本实施例与图 4相比, 区别仅在于, 缺少了图 4中的步骤 401和 402 , 即发 现和提供 IP地址的过程, 步骤 501 ~ 51 0与图 4所示的步骤 403 - 412相同, 不再 赘述。  Compared with FIG. 4, the difference between this embodiment and FIG. 4 is that the steps 401 and 402 in FIG. 4 are missing, that is, the process of discovering and providing an IP address, and steps 501 to 510 are the same as steps 403-412 shown in FIG. No longer.
图 6为本发明方法第三实施例的流程图。该实施例中的重认证由网络侧触 发, 即在步骤 601中由网络侧向 DHCP客户端发送强制更新 ( F0RCERENEW )报文; 步骤 602中0 ?客户端接收到?0 £1^ ¥4艮文后, 向 NAS发送 DHCP REQUEST才艮 文。 后续步骤 603 - 61 1与图 4所示的步骤 404 - 412相同, 不再赘述。  Figure 6 is a flow chart of a third embodiment of the method of the present invention. The re-authentication in this embodiment is triggered by the network side, that is, in step 601, the network side sends a forced update (F0RCERENEW) message to the DHCP client; in step 602, 0? Received by the client? 0 £1^ After 4艮, send a DHCP REQUEST message to the NAS. Subsequent steps 603 - 61 1 are the same as steps 404 - 412 shown in Figure 4, and will not be described again.
通常情况下, 图 5和图 6所示实施例用于实现重认证, 但是在某些特殊情 况下, 比如, DHCP客户端在初始接入网络时没有或者并不需要进行认证, 只 需执行图 1所示的普通 DHCP流程。 当 DHCP客户端因为 DHCP客户端重认证情况中 所提到的原因需要进行认证, 或 DHCP服务器因为 DHCP服务器重认证情况中所 提到的原因需要进行认证时, 虽然这两种情况下的认证属于首次认证, 但是 却按照图 5或图 6所示流程执行认证过程。  Generally, the embodiments shown in FIG. 5 and FIG. 6 are used to implement re-authentication, but in some special cases, for example, the DHCP client does not need or does not need to perform authentication when initially accessing the network, and only needs to perform the diagram. The normal DHCP process shown in 1. When the DHCP client needs to be authenticated for the reasons mentioned in the DHCP client re-authentication situation, or the DHCP server needs to be authenticated for the reasons mentioned in the DHCP server re-authentication situation, although the authentication in these two cases belongs to The first certification, but the certification process is performed according to the process shown in Figure 5 or Figure 6.
上述三个实施例虽然在具体实现上有所不同, 但是有一个共同点, 即都 是通过 DHCP客户端向网络侧发送 DHCP REQUEST来触发网络侧进行认证。 本发 明实施例中同时提供了另外一种认证方式: 网络侧接收来自 DHCP客户端的 DH CP发现报文, DHCP发现报文中携带有快速确认选项信息; 网络侧对 DHCP客户 端进行认证, 并向 DHCP客户端回送认证成功与否的响应 4艮文。 其中, 网络侧 向 DHCP客户端回送认证成功与否的响应报文的方法包括: 若认证成功, 则向 D HCP客户端发送 DHCP确认报文; 若认证失败, 则向 DHCP客户端发送 DHCP未确认 报文。 而且, DHCP确认报文中进一步携带有网络侧提供给 DHCP客户端的地址 信息。 具体实现如图 7所示。 Although the above three embodiments are different in specific implementation, there is a common point that the DHCP client sends a DHCP REQUEST to the network side to trigger the network side to perform authentication. Another authentication mode is provided in the embodiment of the present invention: The network side receives the DH from the DHCP client. The CP finds the packet, and the DHCP discovery packet carries the fast acknowledgment option information. The network side authenticates the DHCP client and sends a response to the DHCP client to verify the success or failure of the authentication. The method for the network side to send a response message to the DHCP client for the success or failure of the authentication includes: sending a DHCP acknowledgement message to the D HCP client if the authentication succeeds; and sending the DHCP unacknowledgment to the DHCP client if the authentication fails. Message. Moreover, the DHCP acknowledgement message further carries the address information provided by the network side to the DHCP client. The specific implementation is shown in Figure 7.
图 7为本发明方法第四实施例的流程图。 与图 4所示实施例相比, 区别在 于: 步骤 701中 DHCP客户端向 NAS发送的 DHCP DI SCOVER报文中携带有快速确认 ( rap id commi t )选项信息; NAS在接收到 DHCP DI SCOVER后即进行认证, 不 再需要执行图 4所示的步骤 401和 402的信息交互过程; 而且, 步骤 71 0中 NAS 向 DHCP客户端回送确认报文之前, 需要确认是否可以为 DHCP客户端提供 I P地 址, 如果可以, 且认证成功, 则向 DHCP客户端发送 DHCP确认 文, 并在 DHCP 确认报文中携带提供给 DHCP客户端的地址信息。其余步骤 702 ~ 709与图 4所示 步骤 404 - 411相同, 不再赘述。  Figure 7 is a flow chart of a fourth embodiment of the method of the present invention. Compared with the embodiment shown in FIG. 4, the difference is: in the DHCP DI SCOVER message sent by the DHCP client to the NAS, the fast acknowledgment (rap id commi t) option information is carried in the step 701; after receiving the DHCP DI SCOVER, the NAS That is, authentication is performed, and the information exchange process of steps 401 and 402 shown in FIG. 4 is no longer needed. Moreover, before the NAS sends an acknowledgement packet to the DHCP client in step 71 0, it is necessary to confirm whether the IP address can be provided for the DHCP client. If the authentication succeeds, the DHCP client sends a DHCP confirmation message to the DHCP client, and carries the address information provided to the DHCP client in the DHCP confirmation message. The remaining steps 702 ~ 709 are the same as steps 404 - 411 shown in Figure 4, and will not be described again.
Each of the embodiments above is described with DHCPv4 as the default DHCP. If DHCPv4 is replaced with DHCPv6, the embodiments apply equally; the only difference is that the message types may differ. For example, in the embodiment of Figure 6 in which the network side triggers re-authentication, steps 601, 602 and 611 change accordingly to Reconfigure, Renew and Reply.
Based on the above method, Figure 8 is a schematic structural diagram of a first embodiment of the system of the present invention. As shown in Figure 8, the system comprises a DHCP client 801 and a network side 802:
the DHCP client 801 is configured to send a DHCP request message to the network side 802 and to receive the response message, returned by the network side 802, indicating whether the authentication succeeded;
the network side 802 is configured to authenticate the DHCP client 801 after receiving the DHCP request message from it, and to return to the DHCP client 801 a response message indicating whether the authentication succeeded.
When the system of Figure 8 is used for the initial authentication of the DHCP client 801, the DHCP client 801 is further configured to send a discovery message to the network side 802 and to receive the address information returned by the network side 802; the network side 802 is further configured to receive the discovery message of the DHCP client 801 and to return address information to the DHCP client 801.
When the system of Figure 8 is used to re-authenticate the DHCP client 801, the network side 802 may be further configured to send a forced update message to the DHCP client 801; correspondingly, after receiving the forced update message, the DHCP client 801 sends a DHCP request message to the network side 802.
After completing the authentication of the DHCP client 801, the network side 802 returns to it a response message indicating whether the authentication succeeded: for example, if the authentication succeeds, it returns a DHCP acknowledgement message to the DHCP client; if the authentication fails, it returns a DHCP non-acknowledgement message to the DHCP client.
On the basis of this embodiment, the DHCP client may also be configured to send to the network side 802 a DHCP discovery message carrying rapid commit option information, and to receive the response message, returned by the network side, indicating whether the authentication succeeded.
The specific structure and workflow of the system embodiment of Figure 8 are the same as those of the corresponding method embodiments and are not described again.
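As an added example (not part of the patent or of any Huawei implementation), the following Python models the network-side decision logic described for the method and system embodiments above: authentication on a DHCP REQUEST, authentication on a DHCP DISCOVER carrying the rapid commit option, the ACK/NAK response with the assigned address, and the forced update message that triggers re-authentication. It assumes the IANA-assigned DHCPv4 option codes and message types, that the forced update message is DHCPFORCERENEW (RFC 3203), that the `authenticate` callback is a hypothetical stand-in for the EAP exchange, and that the assigned address is carried in option 50 rather than in the yiaddr header field.

```python
import socket
import struct

# DHCP option codes (IANA): requested address, message type, client id, rapid commit (RFC 4039), end
OPT_REQ_IP, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RAPID_COMMIT, OPT_END = 50, 53, 61, 80, 255
# DHCP message types; FORCERENEW (RFC 3203) is assumed to be the page's "forced update" message
DISCOVER, REQUEST, ACK, NAK, FORCERENEW = 1, 3, 5, 6, 9
MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the DHCP options field

def encode_options(opts):
    """Serialise {code: bytes} as DHCP TLV options behind the magic cookie."""
    out = bytearray(MAGIC)
    for code, val in opts.items():
        out += struct.pack("BB", code, len(val)) + val
    return bytes(out) + bytes([OPT_END])

def decode_options(data):
    """Parse TLV options; reject a missing cookie or an option that overruns the buffer."""
    if data[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:  # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % data[i])
        code, ln = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts

class NAS:
    """Network side: authenticates on REQUEST, or on DISCOVER with rapid commit, and answers ACK or NAK."""
    def __init__(self, authenticate, pool):
        self.authenticate = authenticate  # hypothetical stand-in for the EAP exchange: client id -> bool
        self.pool = {socket.inet_aton(a) for a in pool}  # addresses this NAS may assign
        self.leases = {}  # client id -> packed address currently assigned

    def _reply(self, mtype, addr=None):
        opts = {OPT_MSG_TYPE: bytes([mtype])}
        if addr is not None:  # simplification: address carried as option 50; real DHCP uses the yiaddr header field
            opts[OPT_REQ_IP] = addr
        return encode_options(opts)

    def handle(self, msg):
        opts = decode_options(msg)
        mtype, cid = opts.get(OPT_MSG_TYPE, b"\x00")[0], opts.get(OPT_CLIENT_ID, b"")
        if mtype == DISCOVER and OPT_RAPID_COMMIT in opts:
            free = sorted(self.pool - set(self.leases.values()))  # fourth embodiment: can an address be offered?
            if not free or not self.authenticate(cid):
                return self._reply(NAK)
            self.leases[cid] = free[0]
            return self._reply(ACK, free[0])  # ACK carries the assigned address
        if mtype == REQUEST:
            addr = opts.get(OPT_REQ_IP)
            taken = any(a == addr and c != cid for c, a in self.leases.items())
            if addr not in self.pool or taken or not self.authenticate(cid):
                return self._reply(NAK)  # address not usable, or authentication failed
            self.leases[cid] = addr
            return self._reply(ACK, addr)
        return self._reply(NAK)  # any other message type is not part of the authentication flow

    def force_renew(self):  # network-triggered re-authentication: the client answers with a fresh REQUEST
        return self._reply(FORCERENEW)
```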
It can be seen that the technical solution of the embodiments of the present invention not only solves the problem of authenticating and re-authenticating a DHCP client, but also implements that authentication with essentially no change to the existing message formats, which reduces the difficulty and complexity of implementation compared with the prior art.
In summary, the above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims

1. A method for implementing authentication, characterized in that the method comprises:
receiving a DHCP request message, DHCP REQUEST, from a Dynamic Host Configuration Protocol (DHCP) client; authenticating the DHCP client;
returning to the DHCP client a response message indicating whether the authentication succeeded.
2. The method according to claim 1, characterized in that, before receiving the DHCP request message DHCP REQUEST from the DHCP client, the method further comprises: the DHCP client obtaining, from the network side, address information provided by the network side.
3. The method according to claim 2, characterized in that the step of the DHCP client obtaining from the network side the address information provided by the network side comprises:
the DHCP client sending a DHCP discovery message, DHCP DISCOVER, to the network side;
the network side returning a DHCP offer message, DHCP OFFER, to the DHCP client, the DHCP offer message carrying an IP address and configuration parameter information provided to the DHCP client.
4. The method according to claim 3, characterized in that, when the network side returns more than one DHCP OFFER to the DHCP client, the method further comprises:
the DHCP client selecting one IP address from the more than one IP addresses carried by the more than one DHCP offer messages as the address requested in the DHCP request message DHCP REQUEST.
5. The method according to claim 1, characterized in that, before receiving the DHCP request message from the DHCP client, the method further comprises:
sending a forced update message to the DHCP client.
6. The method according to claim 1, characterized in that the step of authenticating the DHCP client comprises:
authenticating the DHCP client using the Extensible Authentication Protocol (EAP) authentication mode.
7. The method according to claim 1, characterized in that the step of returning to the DHCP client a response message indicating whether the authentication succeeded comprises: if the authentication succeeds, sending a DHCP acknowledgement message, DHCP ACK, to the DHCP client;
if the authentication fails, sending a DHCP non-acknowledgement message, DHCP NAK, to the DHCP client.
8. The method according to claim 7, characterized in that the DHCP request message carries the address requested by the DHCP client;
sending the DHCP acknowledgement message to the DHCP client specifically comprises: confirming whether the DHCP client may use the requested address;
if it may, and the authentication succeeds, sending the DHCP acknowledgement message to the DHCP client.
9. A method for implementing authentication, characterized in that the method comprises:
authenticating a DHCP client that sends a message to the executing entity; if the authentication succeeds, returning a DHCP acknowledgement message, DHCP ACK, to the DHCP client; if the authentication fails, returning a DHCP non-acknowledgement message, DHCP NAK, to the DHCP client.
10. The method according to claim 9, characterized in that the message sent by the DHCP client carries the address requested by the DHCP client;
sending the DHCP acknowledgement message to the DHCP client specifically comprises: confirming whether the DHCP client may use the requested address;
if it may, and the authentication succeeds, returning the DHCP acknowledgement message DHCP ACK to the DHCP client.
11. A method for implementing authentication, characterized in that the method comprises:
receiving a DHCP discovery message, DHCP DISCOVER, from a DHCP client, the DHCP discovery message carrying rapid commit option information;
authenticating the DHCP client;
returning to the DHCP client a response message indicating whether the authentication succeeded.
12. The method according to claim 11, characterized in that the step of returning to the DHCP client a response message indicating whether the authentication succeeded comprises:
if the authentication succeeds, sending a DHCP acknowledgement message, DHCP ACK, to the DHCP client;
if the authentication fails, sending a DHCP non-acknowledgement message, DHCP NAK, to the DHCP client.
13. The method according to claim 11, characterized in that the method further comprises: confirming whether an address can be provided to the client;
if it can, and the authentication succeeds, sending a DHCP acknowledgement message to the DHCP client, the DHCP acknowledgement message carrying the address information provided to the DHCP client.
14. A system for implementing authentication, characterized in that the system comprises a DHCP client and a network side;
the DHCP client is configured to send a DHCP request message, DHCP REQUEST, to the network side and to receive the response message, returned by the network side, indicating whether the authentication succeeded;
the network side is configured to authenticate the DHCP client after receiving the DHCP request message from the DHCP client, and to return to the DHCP client a response message indicating whether the authentication succeeded.
15. The system according to claim 14, characterized in that the DHCP client is further configured to send a DHCP discovery message, DHCP DISCOVER, to the network side and to receive the address information provided by the network side;
the network side is further configured to receive the DHCP discovery message DHCP DISCOVER from the DHCP client and to provide address information to the DHCP client.
16. The system according to claim 14, characterized in that the network side is further configured to send a forced update message to the DHCP client;
after receiving the forced update message, the DHCP client sends a DHCP request message, DHCP REQUEST, to the network side.
17. A system for implementing authentication, characterized in that the system comprises a DHCP client and a network side;
the DHCP client is configured to send a message to the network side and to receive the response message, returned by the network side, indicating whether the authentication succeeded;
the network side is configured to authenticate the DHCP client; if the authentication succeeds, to return a DHCP acknowledgement message to the DHCP client; if the authentication fails, to return a DHCP non-acknowledgement message to the DHCP client.
18. A system for implementing authentication, characterized in that the system comprises a DHCP client and a network side;
the DHCP client is configured to send to the network side a DHCP discovery message carrying rapid commit option information, and to receive the response message, returned by the network side, indicating whether the authentication succeeded;
the network side is configured to authenticate the DHCP client after receiving the discovery message from the DHCP client, and to return to the DHCP client a response message indicating whether the authentication succeeded.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710130456.X 2007-07-19
CNA200710130456XA CN101350809A (en) 2007-07-19 2007-07-19 Method and system for implementing authentication

Publications (1)

Publication Number Publication Date
WO2009009972A1 true WO2009009972A1 (en) 2009-01-22

Family

ID=40259306

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070977 WO2009009972A1 (en) 2007-07-19 2008-05-15 Method and system for implementing authentication

Country Status (2)

Country Link
CN (1) CN101350809A (en)
WO (1) WO2009009972A1 (en)


Also Published As

Publication number Publication date
CN101350809A (en) 2009-01-21


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08748583

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08748583

Country of ref document: EP

Kind code of ref document: A1