WO2009012729A1 - A method, system and device for converting the network access authentication - Google Patents


Info

Publication number: WO2009012729A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2008/071774
Prior art keywords: authentication, layer, client, protocol, authentication protocol
Other languages: French (fr), Chinese (zh)
Inventor: Ruobin Zheng
Original Assignee: Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009012729A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 12/00 Data switching networks
    • H04L 12/54 Store-and-forward switching systems
    • H04L 12/56 Packet switching systems

Definitions

  • The present invention relates to the field of network communications, and in particular to a method, system and apparatus for network access authentication conversion.
  • Background Art
  • The Protocol for Carrying Authentication for Network Access (PANA) is a layer 3 authentication protocol.
  • A PANA system generally includes a PANA client (PaC), a PANA authentication agent (PAA), an authentication server (AS) and an enforcement point (EP).
  • The PaC is the client side of the PANA protocol; it seeks access to the network where the PAA is located and takes part in the PANA authentication process.
  • The PAA is located at the access network side and is responsible for communicating with the AS to verify the PaC's credentials; it also updates the access control state by establishing or removing access authorizations.
  • The AS is responsible for checking the PaC credentials forwarded by the PAA, and returns the result of the check and the authorization to the PAA.
  • the EP is located on a node on the access network and is responsible for monitoring the packets coming in and out of the PaC device and filtering the packets according to the monitoring policy obtained from the PAA.
  • FIG. 1 is a diagram of the access network architecture of an existing layer 2 authentication protocol. A customer premises network contains a number of customer premises equipment (TE) units, TE 1 to TE N, which are connected through a residential gateway (RG) to the access nodes (AN) of the IP aggregation access network.
  • The AN connects to the Broadband Network Gateway (BNG) in the IP aggregation access network, where the layer 2 authentication protocol is authenticated by the AS.
  • Existing user terminals mostly use layer 2 authentication protocols, such as 802.1X and the Point-to-Point Protocol (PPP); the TE in FIG. 1 accesses the network with a layer 2 authentication protocol.
  • A layer 2 authentication protocol cannot pass through a layer 3 RG, and even a layer 2 RG may not transparently forward layer 2 broadcast frames.
  • Even where layer 2 authentication can pass through a layer 3 RG, it cannot reach a layer 3 AN, a layer 3 IP aggregation node or the IP edge node where the PAA is located. As access networks develop, layer 3 ANs and IP aggregation nodes are the trend for next-generation access networks, which requires the client to support a layer 3 authentication protocol. PANA, however, is a new layer 3 authentication protocol: if PANA is used for authentication, all clients that support only layer 2 authentication protocols must be upgraded or replaced with clients supporting a layer 3 authentication protocol, and the cost of this upgrade or replacement can be high.
  • Summary of the Invention
  • Embodiments of the present invention provide a method, system and apparatus for network access authentication conversion, in which a received first authentication protocol message is converted into a second authentication protocol message and sent to the authentication device for authentication. This solves the authentication of a layer 2 authentication client over a layer 3 protocol, allowing users to transition smoothly to IP-based next-generation access networks.
  • An embodiment of the present invention provides a method for network access authentication and conversion, where the method includes: receiving a first authentication protocol packet sent by a first party that supports the first authentication protocol;
  • An embodiment of the present invention further provides a network node device, including a receiving unit, an authentication relay unit, and a sending unit, where:
  • the receiving unit is configured to receive a first authentication protocol message sent by a first party that supports the first authentication protocol;
  • the authentication relay unit is configured to convert the first authentication protocol packet received by the receiving unit into a second authentication protocol packet;
  • the sending unit is configured to send the second authentication protocol packet converted by the authentication relay unit to a second party that supports the second authentication protocol.
  • the embodiment of the present invention further provides a network access authentication conversion system, including a client, an authentication relay, and an authentication device, where:
  • the client is configured to exchange layer 2 authentication protocol packets with the authentication relay and to provide identity authentication material so as to be authenticated by the authentication device;
  • the authentication relay is configured to convert between layer 2 authentication protocol packets and layer 3 authentication protocol packets: it exchanges layer 2 authentication protocol packets with the client and layer 3 authentication protocol packets with the authentication device;
  • the authentication device is configured to perform Layer 3 authentication protocol packet interaction with the authentication relay to provide authentication and authorization for the user or device associated with the client.
  • An authentication relay is provided in the network system; after receiving the client's first authentication protocol message, it converts the message into a second authentication protocol message and sends it to the authentication device for authentication. This solves the problem that a layer 2 authentication protocol client cannot be authenticated on a next-generation access network.
  • The client's first authentication protocol message is converted into a second authentication protocol message by the authentication relay, and access authentication is completed at the authentication device through the exchange of second authentication protocol messages.
  • The original layer 2 authentication protocol messages are uniformly converted into layer 3 authentication protocol messages on the network side, which solves the problem that layer 2 authentication protocol messages cannot traverse a layer 3 network node. The user does not need to upgrade or replace the original layer 2 client, and can thus transition smoothly to the IP-based next-generation access network.
  • FIG. 1 is a schematic diagram of an access network architecture of an existing layer 2 authentication protocol;
  • FIG. 2A is a system diagram of network access authentication conversion in an embodiment of the present invention;
  • FIG. 2B is a schematic structural diagram of an authentication relay in the embodiment of the present invention;
  • FIG. 3 is a schematic diagram of an IP session in the client authentication relay process in the embodiment of the present invention;
  • FIG. 4 is a diagram of an application scenario of the authentication relay in an IP aggregation network in the embodiment of the present invention;
  • FIG. 5 is a schematic diagram of another application scenario of the authentication relay in the embodiment of the present invention;
  • FIG. 6 is a schematic diagram of still another application scenario of the authentication relay in the embodiment of the present invention;
  • FIG. 7 is a flowchart of successful 802.1X-to-PANA authentication conversion in the embodiment of the present invention;
  • FIG. 8 is a flowchart of 802.1X-to-PANA re-authentication conversion in the embodiment of the present invention;
  • FIG. 10 is a flowchart of PKM-to-PANA re-authentication conversion in the embodiment of the present invention;
  • FIG. 11 is a flowchart of successful 802.1X-to-DHCP authentication conversion in the embodiment of the present invention;
  • FIG. 12 is a flowchart of 802.1X-to-DHCP re-authentication conversion in the embodiment of the present invention;
  • FIG. 13 is a flowchart of successful PKM-to-DHCP authentication conversion according to an embodiment of the present invention;
  • FIG. 14 is a flowchart of PKM-to-DHCP re-authentication conversion in the embodiment of the present invention.
  • Embodiments of the present invention provide a method and device for network access authentication conversion.
  • The authentication relay uniformly converts the original layer 2 authentication protocol messages into layer 3 authentication protocol messages, thereby solving the problem that a layer 2 authentication protocol client cannot traverse a layer 3 RG, a layer 3 AN or an IP aggregation node. The client of the original layer 2 authentication protocol does not need to be upgraded, so it transitions smoothly to the IP-based next-generation access network, effectively protecting the interests of the user.
  • FIG. 2A is a system diagram of network access authentication conversion in the embodiment of the present invention. The system includes a client 201, an authentication relay 202, an authenticator 203, an authentication server 204, a layer 3 enforcement point 205 and a layer 2 access controller 206; the layer 2 access controller 206 and the layer 3 enforcement point 205 are located in the data plane, and the other functional units in the control plane.
  • The client 201 is the party requesting authentication: it seeks access to the network to which the authenticator 203 belongs, provides identity authentication material to the authentication server 204 to take part in the authentication process, and is associated with a set of authentication protocols.
  • The client 201 itself, or the device or credential it is associated with, may be a portable computer, personal digital assistant, mobile phone, PC, or a router connecting terminal devices to the network. It uses a layer 2 authentication protocol and is authenticated, through the authentication relay 202, by the authentication server 204 supporting the layer 3 authentication protocol where the authenticator 203 is located. The layer 2 authentication protocols used by the client 201 include 802.1X, PPP and Privacy Key Management (PKM).
  • The Authentication Relay (AR) 202 converts the layer 2 authentication protocol messages sent by the layer 2 authentication client 201 into layer 3 authentication protocol messages (such as PANA or DHCP) and sends them to the authenticator 203, and converts the layer 3 authentication protocol messages sent by the authenticator 203 into layer 2 authentication protocol messages and sends them to the client 201, thereby establishing the exchange of authentication information between the client 201 and the authenticator 203.
  • The AR 202 exchanges layer 3 protocol messages with the authenticator 203 on behalf of the client 201, and the client 201 is authenticated or authorized using its address identifier.
  • the AR 202 is provided with a receiving unit 2021, an authentication relay unit 2022, a sending unit 2023, and a re-authentication unit 2024.
  • The receiving unit 2021 is configured to receive a first authentication protocol message sent by a first party supporting the first authentication protocol; the authentication relay unit 2022 is configured to convert the first authentication protocol message received by the receiving unit 2021 into a second authentication protocol message; and the sending unit 2023 is configured to send the second authentication protocol message converted by the authentication relay unit 2022 to a second party supporting the second authentication protocol.
  • The first party may be a client, the first authentication protocol a layer 2 authentication protocol, the second party an authentication device and the second authentication protocol a layer 3 authentication protocol; or the first party may be the authentication device, the first authentication protocol a layer 3 authentication protocol, the second party a client and the second authentication protocol a layer 2 authentication protocol.
  • The re-authentication unit 2024 is used to initiate a re-authentication process for the client 201 during the session.
  • The authenticator 203 is an authentication agent, that is, the PAA in the PANA protocol. Through the exchange of layer 3 authentication protocol messages with the AR 202, it acts on behalf of the client 201 in the AAA protocol (such as RADIUS/Diameter) or API exchange with the authentication server 204, providing access authentication and authorization for the user or device associated with the client 201.
  • The authenticator 203 can also update the access control state of the client 201 by establishing or releasing access authorizations. If the authenticator 203 and the authentication server 204 are located at the same network node, they can exchange data through an application program interface (API); if not, they exchange data through RADIUS or Diameter messages carrying the authentication, authorization and accounting (AAA) protocol.
  • the authenticator 203 sends a layer 3 access control policy and/or an authorization key to the layer 3 monitoring point 205.
  • The authenticator 203 may be located at a network edge node, such as a network gateway or a network node such as a BNG.
  • the Authentication Server (AS) 204 is responsible for verifying the authentication material provided by the client 201, and returns the result of the verification and the authorized parameters to the client 201, including the access control policy and the authorization key.
  • the authentication server 204 may be located in the same network node as the authenticator 203, or may be located in a dedicated network node on the access network or a central server on the Internet.
  • A Layer 3 Enforcement Point (L3 EP) 205 is located at a node in the data plane of the access network. It monitors the data packets coming from the layer 2 access controller 206 and, according to the access control policy obtained from the authenticator 203, performs non-encrypted or encrypted access filtering on them. If the underlying network lacks security, encrypted access filtering must be used.
  • For encrypted access filtering, the layer 2 access controller 206 and the L3 EP 205 need to establish a layer 3 security association, for example with the Internet Key Exchange (IKE) protocol. Once the layer 3 security association is established, a network layer encryption protocol can protect the data stream, for example the IP Security (IPsec) protocol.
  • If the authenticator 203 and the L3 EP are located at the same node, only an API is needed for data exchange between them; otherwise the Layer 2 Control Protocol (L2CP) or the Simple Network Management Protocol (SNMP) is required.
  • The Layer 2 Access Controller (L2 AC) 206 is located at a node in the data plane of the access network. It monitors the data packets coming from the client 201 and, according to the access control policy forwarded by the L3 EP 205 from the authenticator 203, performs non-encrypted or encrypted access filtering on them.
  • The L2 AC is located on the path between the client 201 and the AR 202. If the underlying network lacks security, encrypted access filtering must be used; in that case a layer 2 security association needs to be established between the client 201 and the L2 AC 206, for example with the 802.11i four-way handshake (4WHS), after which a link layer encryption protocol such as 802.11i or 802.16 link layer encryption can protect the data stream.
  • If the L2 AC 206 and the L3 EP 205 are located at the same node of the data plane, they can be built into the same device.
  • The traffic of the client 201 can thus be secured at layer 2 or at layer 3.
  • The following describes the IP session shown in FIG. 3 for the client authentication relay process, taken together with the system diagram of FIG. 2A:
  • Step S301: Layer 2 authentication protocol messages are exchanged between the client and the AR;
  • Step S302: The AR converts the client's layer 2 authentication protocol message into a layer 3 authentication protocol message. Before the client has passed authentication, the AR may apply for a temporary IP address on behalf of each client, or use its own IP address, to support the layer 3 authentication;
  • Step S303: Layer 3 authentication protocol messages are exchanged between the authenticator and the AR;
  • Step S304: The authenticator converts the layer 3 authentication protocol messages into Authentication, Authorization and Accounting (AAA) protocol messages exchanged with the AS;
  • Step S305: After the client passes authentication, it applies for a formal IP address of its own. The IP address may be provided by the AR or by a DHCP server; if it is provided by the AR, it corresponds one-to-one with the temporary IP address the AR applied for on behalf of each client in step S302;
  • Step S306: After the client passes authentication, the authenticator sends the access control policy and the authorization key to the L3 EP;
  • Step S307: A layer 3 security association is established between the L2 AC and the L3 EP;
  • Step S308: The L3 EP converts the layer 3 access control policy into a layer 2 access control policy;
  • Step S309: A layer 2 authorization key is generated in the L3 EP;
  • Step S310: The converted layer 2 access control policy and the layer 2 authorization key are sent to the L2 AC;
  • Step S311: The L2 AC establishes a layer 2 security association with the client;
  • Step S312: The client establishes a data flow with the network where the authenticator is located; the data flow passes through the security filtering of the L2 AC and the L3 EP;
  • Step S313: The L2 AC detects that the user has gone offline, or receives the user's logoff message, and notifies the AR; when the layer 2 authentication protocol is 802.1X, the L2 AC senses that the client is offline through an EAPoL-Logoff message;
  • Step S314: The AR terminates the layer 3 authentication session, and the entire IP session ends. When the layer 3 authentication protocol is PANA, the AR and the authenticator use a PANA-Termination-Request or PANA-Termination-Answer message to terminate the PANA session; when the layer 3 authentication protocol is the Dynamic Host Configuration Protocol (DHCP) authentication protocol, the AR sends a DHCP Release message to the authenticator to terminate the IP session.
  • FIG. 4 to FIG. 6 show application scenarios of the authentication relay in the embodiment of the present invention.
  • FIG. 4 shows the authentication relay applied in an IP aggregation network. In the access IP aggregation network, the PAA and the L3 EP are set on the central office access node (CO AN) or on an IP edge device such as a BNG or Broadband Remote Access Server (BRAS); the AR and the L2 AC are set on the layer 2 AN, the edge device of the IP aggregation network; a PANA terminal exchanges layer 3 authentication protocol messages directly with the PAA provided in the IP aggregation network.
  • FIG. 5 is a schematic diagram of another application scenario of the authentication relay in the embodiment of the present invention. The PAA and the L3 EP are set on the IP edge device, such as the BNG or the BRAS, while the AR and the L2 AC are set on the RG, an access point (AP) or a base station (BS). The client is authenticated through the relay of the AR during the authentication process, and the AP connects to the PAA for authentication.
  • FIG. 6 is a schematic diagram of still another application scenario of the authentication relay in the embodiment of the present invention. The home network and the visited network communicate through the connection between their IP edge devices. The PAA and the L3 EP are set on the home network IP edge device, such as a BNG or BRAS; the AR is set on the IP edge device (BNG or BRAS) of the visited network, and the L2 AC on the AN of the visited network. When the client roams from the home network to the visited network, the AR on the visited network's BNG or BRAS relays its authentication back to the PAA on the IP edge device of the home network.
  • FIG. 7 is a flowchart of successful 802.1X-to-PANA authentication conversion in the embodiment of the present invention. The specific steps are as follows:
  • Step S701: The client sends an EAPoL-Start message, starting an Extensible Authentication Protocol (EAP) authentication process;
  • Step S702: After receiving the EAPoL-Start message, the AR acts as PANA client and sends a PANA-Client-Initiation message to select a PAA that provides the authentication and authorization service;
  • Step S703: The PAA sends a PANA-Auth-Request message to the AR, indicating that the PAA can provide the authentication and authorization service and configuring the local IP address used by the AR; the S bit is set;
  • Step S704: The AR sends a PANA-Auth-Answer message to the PAA, indicating that it has received the PANA-Auth-Request message;
  • Step S705: The PAA sends an EAP-Request/Identity message to the AR, carried in a PANA-Auth-Request message;
  • Step S706: The AR converts the PANA-Auth-Request packet into an EAPoL packet and sends the EAP-Request/Identity message to the client in that EAPoL packet;
  • Step S707: The client sends an EAPoL message carrying an EAP-Response/Identity message to the AR;
  • Step S708: The AR converts the EAPoL message into a PANA message, carrying the EAP-Response/Identity message to the PAA in a PANA-Auth-Answer message;
  • Steps S709 to S710: EAP method negotiation and the EAP method exchange are performed. The identity credential information associated with the client generally has to be carried to the authentication server over several round trips; through the authentication protocol message exchanges between the client and the AR and between the AR and the PAA, the identity authentication of the client is completed. Throughout this phase the AR converts EAPoL packets into PANA packets (and PANA packets into EAPoL packets), implementing client-to-PAA authentication, until the EAP authentication process ends;
  • Step S711: After the user is authenticated successfully, the PAA returns an EAP Success message to the AR: the EAP Success message and the corresponding EAP-derived key are encapsulated in a PANA-Auth-Request message and carried to the AR, with the C bit set;
  • Step S712: After receiving the PANA-Auth-Request packet, the AR responds to the PAA with a PANA-Auth-Answer message, with the C bit set;
  • Step S713: The AR sends the received EAP Success message to the client in an EAPoL message.
  • FIG. 8 is a flowchart of 802.1X-to-PANA re-authentication conversion in the embodiment of the present invention. The specific steps are as follows:
  • Step S801: The client sends an EAPoL-Start packet, restarting EAP authentication;
  • Step S802: When the configured handshake timer or re-authentication timer expires, re-authentication may instead be initiated by the AR;
  • Steps S801 and S802 are two ways of initiating re-authentication: the re-authentication process may be initiated by the client or by the AR;
  • Step S803: After re-authentication is triggered by step S801 or step S802, the AR requests re-authentication from the PAA with a PANA-Notification-Request message, with the A bit set;
  • Step S804: The PAA sends a PANA-Notification-Answer to the AR, indicating that it has received the re-authentication request, with the A bit set;
  • Steps S805 to S813 are the same as steps S705 to S713 described for FIG. 7, and are not described again here.
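As an added example (not the patent's or Huawei's code), the following Python models the AR's two-way conversion for the flows of FIG. 7, FIG. 8 and step S313: EAPoL frames from the client are re-encapsulated as PANA messages toward the PAA, and PANA-Auth-Requests from the PAA are unwrapped back into EAPoL frames for the client. Wire layouts follow IEEE 802.1X, RFC 3748 and RFC 5191; the AuthenticationRelay class, its sequence-number handling and the sample identity `user@example` are assumptions made for illustration.

```python
import struct

# 802.1X EAPoL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# PANA message types, header flag bits and AVP code (RFC 5191)
PANA_CLIENT_INITIATION, PANA_AUTH, PANA_TERMINATION, PANA_NOTIFICATION = 1, 2, 3, 4
FLAG_R, FLAG_S, FLAG_C, FLAG_A = 0x8000, 0x4000, 0x2000, 0x1000  # Request, Start, Complete, re-Auth
AVP_EAP_PAYLOAD = 2


def build_eapol(packet_type, body=b"", version=2):
    """EAPoL PDU: Version | Packet Type | Body Length | Body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def parse_eapol(frame):
    """Return (packet_type, body); reject truncated or mis-sized frames."""
    if len(frame) < 4:
        raise ValueError("EAPoL frame too short")
    _version, packet_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPoL body length mismatch")
    return packet_type, body


def build_eap(code, identifier, type_data=b""):
    """EAP packet: Code | Identifier | Length | Type and Type-Data (RFC 3748)."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def _avp(code, value):
    """PANA AVP: Code | Flags | Length (value only) | Reserved | Value, padded to 4 octets."""
    return struct.pack("!HHHH", code, 0, len(value), 0) + value + b"\x00" * ((-len(value)) % 4)


def build_pana(msg_type, flags, session_id, seq, avps=()):
    """16-octet PANA header (Reserved, Length, Flags, Type, Session ID, Sequence) + AVPs."""
    body = b"".join(_avp(code, value) for code, value in avps)
    return struct.pack("!HHHHII", 0, 16 + len(body), flags, msg_type, session_id, seq) + body


def parse_pana(msg):
    """Return (msg_type, flags, session_id, seq, {avp_code: value}); reject bad lengths."""
    if len(msg) < 16:
        raise ValueError("PANA message too short")
    _reserved, length, flags, msg_type, session_id, seq = struct.unpack("!HHHHII", msg[:16])
    if length != len(msg):
        raise ValueError("PANA length field does not match message size")
    avps, offset = {}, 16
    while offset < length:
        if offset + 8 > length:
            raise ValueError("truncated AVP header")
        code, _aflags, alen, _ = struct.unpack("!HHHH", msg[offset:offset + 8])
        value = msg[offset + 8:offset + 8 + alen]
        if len(value) != alen:
            raise ValueError("truncated AVP value")
        avps[code] = value
        offset += 8 + alen + ((-alen) % 4)
    return msg_type, flags, session_id, seq, avps


class AuthenticationRelay:
    """Hypothetical AR for one client: EAPoL on the client side, PANA on the PAA side."""

    def __init__(self):
        self.session_id = 0        # assigned by the PAA in the S-bit PANA-Auth-Request (S703)
        self.paa_seq = 0           # sequence number of the PAA request awaiting an answer
        self.own_seq = 0           # sequence number for requests the AR itself originates
        self.authenticated = False

    def _next_seq(self):
        self.own_seq += 1
        return self.own_seq

    def from_client(self, eapol_frame):
        """Layer 2 -> layer 3: return the PANA message to send to the PAA."""
        packet_type, body = parse_eapol(eapol_frame)
        if packet_type == EAPOL_START:
            if self.authenticated:    # FIG. 8, S801/S803: re-authentication, A bit set
                return build_pana(PANA_NOTIFICATION, FLAG_R | FLAG_A, self.session_id, self._next_seq())
            return build_pana(PANA_CLIENT_INITIATION, 0, 0, 0)          # S702
        if packet_type == EAPOL_LOGOFF:   # S313/S314: EAPoL-Logoff ends the PANA session
            return build_pana(PANA_TERMINATION, FLAG_R, self.session_id, self._next_seq())
        if packet_type == EAPOL_EAP_PACKET:   # S707/S708: EAP-Response answers the pending PAR
            return build_pana(PANA_AUTH, 0, self.session_id, self.paa_seq, [(AVP_EAP_PAYLOAD, body)])
        raise ValueError("unsupported EAPoL packet type %d" % packet_type)

    def from_paa(self, pana_msg):
        """Layer 3 -> layer 2: return (EAPoL frame for the client or None, immediate PANA answer or None)."""
        msg_type, flags, session_id, seq, avps = parse_pana(pana_msg)
        if msg_type != PANA_AUTH or not flags & FLAG_R:
            raise ValueError("relay only converts PANA-Auth-Request messages")
        if flags & FLAG_S:                # S703: PAA accepted the PCI; adopt its session identifier
            self.session_id = session_id
        elif session_id != self.session_id:
            raise ValueError("PANA session identifier mismatch")
        self.paa_seq = seq
        eap = avps.get(AVP_EAP_PAYLOAD)
        to_client = build_eapol(EAPOL_EAP_PACKET, eap) if eap else None
        if flags & FLAG_C:                # S711-S713: final PAR carries EAP Success/Failure
            self.authenticated = bool(eap) and eap[0] == EAP_SUCCESS
            return to_client, build_pana(PANA_AUTH, FLAG_C, session_id, seq)
        if eap:                           # S705/S706: the PAN is deferred until the client replies
            return to_client, None
        return None, build_pana(PANA_AUTH, flags & FLAG_S, session_id, seq)   # S704
```

The length checks in the two parsers are what keeps a malformed frame on one side from producing a malformed message on the other, which is the main thing to verify in any relay that re-encapsulates an authentication exchange.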
  • FIG. 7 and FIG. 8 above show the flowcharts of a client that uses the 802.1X authentication protocol being authenticated by a PANA authenticator. When the client is an 802.16 client and the PKM layer 2 protocol is used for authentication, the flowchart of the client authentication relay is shown in FIG. 9. The specific steps are as follows:
  • Step S901: The client sends a PKM request/EAP start (PKM-REQ/EAP-Start) message, starting an EAP authentication process;
  • Step S902: After receiving the PKM-REQ/EAP-Start message, the AR sends a PANA-Client-Initiation message to select a PAA that provides the authentication and authorization service;
  • Step S903: The PAA sends a PANA-Auth-Request message to the AR, indicating that it can provide the authentication and authorization service and configuring the local IP address used by the AR; the S bit is set;
  • Step S904: The AR sends a PANA-Auth-Answer message to the PAA;
  • Step S905: The PAA sends an EAP-Request/Identity message to the AR, carried in a PANA-Auth-Request message;
  • Step S906: The AR converts the PANA-Auth-Request message into a PKM-RSP/EAP-Transfer message and sends the EAP-Request/Identity message to the client in that PKM-RSP/EAP-Transfer message;
  • Step S907: The client sends a PKM-REQ/EAP-Transfer message carrying an EAP-Response/Identity message to the AR;
  • Step S908: The AR converts the PKM packet into a PANA packet, carrying the EAP-Response/Identity message to the PAA in a PANA-Auth-Answer message;
  • Steps S909 to S910: EAP method negotiation and the EAP method exchange are performed. The identity credential information associated with the client generally has to be carried to the authentication server over several round trips; through the authentication protocol message exchanges between the client and the AR and between the AR and the PAA, the identity authentication of the client is completed. Throughout this phase the AR converts PKM packets into PANA packets (and back), implementing client-to-PAA identity authentication;
  • Step S911: After the user is authenticated successfully, the PAA returns an EAP Success message to the AR: the EAP Success message and the corresponding EAP-derived key are encapsulated in a PANA-Auth-Request message and carried to the AR, with the C bit set;
  • Step S912: After receiving the PANA-Auth-Request, the AR sends a PANA-Auth-Answer message to the PAA, with the C bit set;
  • Step S913: The AR sends the received EAP Success message to the client in a PKM-RSP/EAP-Transfer message.
  • In this way the PKM authentication messages are converted into PANA messages for authentication.
  • the client needs to be re-authenticated to extend the session period or other during the entire IP session. The reason also requires re-authentication of the client.
  • FIG. 10 is a flowchart of an authentication conversion performed by an 802.16 client to a PANA authentication server in the embodiment of the present invention, and the specific steps are as follows:
  • Step S1001 The client initiates a PKM-REQ/EAP-Start message, and restarts the EAP authentication.
  • Step S1002 When the set handshake timer or the re-authentication timer exceeds the set time, the re-authentication may be initiated by the AR. ;
  • Step S1001 and step S1002 are two methods of re-authentication.
  • the process of re-authentication may be initiated by the client, or the process of re-authentication may be initiated by the AR.
  • Step S1003 After the re-authentication is triggered by the step S1001 or the step S1002, the process of re-authentication is requested between the AR and the PAA through the PANA-Notification-Request (PANA-Notification-Request) message, where the A bit is set;
  • Step S1004 The PAA sends a PANA Announcement Answer (PANA-Notification- Answer) to the AR, indicating that the PAA has received the request for re-authentication, where the A bit is located;
  • PANA-Notification- Answer PANA Announcement Answer
  • Steps S1005 to S1013 are the same as steps S905 to S913 described in FIG. 9, and details are not described herein again.
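The PANA side of the conversion in steps S911 to S913 and S1001 to S1004 above, as an added example that is not part of the patent: a toy authentication relay that turns 802.1X EAPoL frames into PANA messages and back, using the RFC 5191 header, its R/C/A flag bits and the EAP-Payload AVP. The client MAC, session identifier and sequence numbers are constructed and simplified, and the patent's PKM-RSP/EAP-Transfer framing is replaced with EAPoL on the layer 2 side.

```python
"""Toy authentication relay (AR) for the EAPoL <-> PANA conversion of FIG. 9
and FIG. 10. Added example, not code from the patent. Layouts follow IEEE
802.1X (EAPoL), RFC 3748 (EAP) and RFC 5191 (PANA); the client MAC, session
ids and sequence numbers are constructed and simplified (counters, not random)."""
import struct

EAPOL_EAP, EAPOL_START = 0, 1            # 802.1X packet types used here
EAPOL_HDR = struct.Struct("!BBH")        # version, packet type, body length

PANA_HDR = struct.Struct("!HHHHII")      # reserved, length, flags, type, session, seq
PANA_PCI, PANA_AUTH, PANA_NOTIFICATION = 1, 2, 4
R_FLAG, S_FLAG, C_FLAG, A_FLAG = 0x8000, 0x4000, 0x2000, 0x1000
AVP_HDR = struct.Struct("!HHHH")         # code, flags, value length, reserved
AVP_EAP_PAYLOAD = 2


def build_eapol(ptype, body=b""):
    return EAPOL_HDR.pack(2, ptype, len(body)) + body


def parse_eapol(frame):
    _version, ptype, length = EAPOL_HDR.unpack_from(frame)
    return ptype, frame[EAPOL_HDR.size:EAPOL_HDR.size + length]


def build_pana(msg_type, flags, session, seq, avps=()):
    body = b""
    for code, value in avps:
        body += AVP_HDR.pack(code, 0, len(value), 0) + value
        body += b"\0" * (-len(value) % 4)   # AVP values are padded to 4 octets
    return PANA_HDR.pack(0, PANA_HDR.size + len(body), flags, msg_type, session, seq) + body


def parse_pana(data):
    """Return (type, flags, session, seq, {avp code: value})."""
    _, length, flags, msg_type, session, seq = PANA_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("PANA length field does not match message size")
    avps, off = {}, PANA_HDR.size
    while off < length:
        code, _, alen, _ = AVP_HDR.unpack_from(data, off)
        off += AVP_HDR.size
        avps[code] = data[off:off + alen]
        off += alen + (-alen % 4)
    return msg_type, flags, session, seq, avps


class AuthRelay:
    """The AR: one PANA session per client MAC, since the relay speaks PANA
    towards the PAA on the client's behalf."""

    def __init__(self):
        self.sessions = {}               # client MAC -> {"sid": int, "seq": int}

    def _state(self, mac):
        return self.sessions.setdefault(mac, {"sid": 0, "seq": 0})

    def client_to_paa(self, mac, frame):
        """Layer 2 EAPoL frame in, layer 3 PANA message out."""
        ptype, body = parse_eapol(frame)
        st = self._state(mac)
        if ptype == EAPOL_START and st["sid"] == 0:
            # First contact: PANA-Client-Initiation (session id and seq are 0).
            return build_pana(PANA_PCI, 0, 0, 0)
        st["seq"] += 1
        if ptype == EAPOL_START:
            # Steps S1001/S1003: an EAPoL-Start on a live session is a
            # re-authentication request: PANA-Notification-Request, A bit set.
            return build_pana(PANA_NOTIFICATION, R_FLAG | A_FLAG, st["sid"], st["seq"])
        if ptype == EAPOL_EAP:
            # The client's EAP-Response travels in an EAP-Payload AVP.
            return build_pana(PANA_AUTH, R_FLAG, st["sid"], st["seq"],
                              [(AVP_EAP_PAYLOAD, body)])
        raise ValueError("unsupported EAPoL packet type %d" % ptype)

    def paa_to_client(self, mac, data):
        """PANA request from the PAA in; returns (EAPoL frame for the client
        or None, PANA answer for the PAA or None)."""
        msg_type, flags, session, seq, avps = parse_pana(data)
        st = self._state(mac)
        if st["sid"] == 0:
            st["sid"] = session          # the PAA allocates the session id
        elif st["sid"] != session:
            raise ValueError("PANA session id does not belong to this client")
        if msg_type != PANA_AUTH or not flags & R_FLAG:
            return None, None
        # Step S912: the answer echoes the request's sequence number and C bit.
        answer = build_pana(PANA_AUTH, flags & C_FLAG, session, seq)
        # Step S913: the EAP packet (EAP Success here) goes back in an EAPoL frame.
        eap = avps.get(AVP_EAP_PAYLOAD)
        frame = build_eapol(EAPOL_EAP, eap) if eap is not None else None
        return frame, answer
```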
  • FIG. 11 to FIG. 14 are flowcharts of a layer 2 client performing authentication after the authentication conversion to the DHCP protocol, a layer 3 authentication protocol.
  • FIG. 11 is a flowchart of a successful authentication conversion from 802.1x to DHCP in the embodiment of the present invention. The specific steps are as follows:
  • Step S1101: The client initiates an EAPoL-Start message, starting the EAP authentication process;
  • Step S1102: After receiving the EAPoL-Start message, the AR triggers a DHCP Discover to select the DHCP authenticator (PAA) and DHCP server that provide the authentication and authorization service, and indicates the authentication mode supported by the AR in the authentication option (auth-proto Option);
  • Step S1103: After receiving the DHCP Discover message, the PAA adds the authentication option to indicate the authentication mode supported by the PAA, records an unclaimed IP address that the DHCP server can provide to the client, replaces that IP address with a local IP address used by the AR, and then forwards the DHCP Offer message to the AR;
  • Step S1104: The AR sends a DHCP Request message in response to the PAA's DHCP Offer. The DHCP Request message includes the authentication mode supported by the PAA and the IP address provided by the PAA, indicating that the AR has selected a PAA that supports the corresponding authentication mode and has accepted the IP address provided by the PAA;
  • Step S1105: After receiving the DHCP Request message, the PAA sends an EAP-Request/Identity message to the AR, carried in a DHCP Ack message;
  • Step S1106: The AR converts the DHCP Ack packet into an EAPoL packet and sends the EAP-Request/Identity message to the client in the EAPoL packet;
  • Step S1107: The client sends an EAP-Response/Identity message to the AR in an EAPoL packet;
  • Step S1108: The AR converts the EAPoL packet into a DHCP packet and sends the EAP-Response/Identity message to the PAA in a DHCP Request message;
  • Steps S1109 to S1110: EAP method negotiation and the authentication method exchange are performed; the identity credential information associated with the client has to be transmitted to the authentication server several times, and the exchange of authentication protocol messages between the client and the AR and between the AR and the PAA completes the identity authentication of the client. The AR converts EAPoL packets into DHCP packets, performing the authentication conversion and implementing identity authentication of the client towards the PAA. This completes the EAP authentication process;
  • Step S1111: After client authentication succeeds, the PAA returns an EAP Success message to the AR, carried in a DHCP Ack message whose yiaddr is the assigned global IP address;
  • Step S1112: After receiving the DHCP Ack packet, the AR converts it into an EAPoL packet carrying the EAP Success message and sends that EAPoL packet to the client.
  • In this way the 802.1x authentication messages are converted into DHCP messages for authentication. After authentication succeeds, the client may need to be re-authenticated during the IP session, either to extend the session period or for other reasons.
  • The flowchart of the 802.1x to DHCP re-authentication conversion in the embodiment of the present invention is shown in FIG. 12; the specific steps are as follows:
  • Step S1201: The client initiates an EAPoL-Start message and restarts EAP authentication;
  • Step S1202: When the configured handshake timer or re-authentication timer expires, re-authentication is initiated by the AR;
  • Step S1201 and step S1202 are two ways of initiating re-authentication: the process may be initiated by the client or by the AR.
  • Step S1203: The AR sends a DHCP Request message to the PAA. The DHCP Request message includes the authentication mode supported by the PAA and the IP address provided by the PAA, indicating that the AR has selected a PAA that supports the corresponding authentication mode and has accepted the IP address provided by the PAA;
  • Steps S1204 to S1211 are the same as steps S1105 to S1112 described for FIG. 11 and are not described again here.
  • FIG. 11 and FIG. 12 are flowcharts for a client that authenticates through the 802.1x authentication protocol and, after the authentication conversion, is authenticated by the DHCP authenticator. When the client is an 802.16 client, the PKM layer 2 protocol is used for authentication.
  • The flowchart of the client authentication relay in that case is shown in FIG. 13. The specific steps are as follows:
  • Step S1301: The client initiates a PKM-REQ/EAP-Start message to start the EAP authentication process;
  • Step S1302: After receiving the PKM-REQ/EAP-Start message, the AR triggers a DHCP Discover to select the DHCP authenticator (PAA) and DHCP server that provide the authentication and authorization service, and indicates the authentication mode supported by the AR in the authentication option (auth-proto Option);
  • Step S1303: After receiving the DHCP Discover message, the PAA adds an authentication option to indicate the authentication mode supported by the PAA, records an unclaimed IP address that the DHCP server can provide to the client, replaces that IP address with a local IP address used by the AR, and then forwards the DHCP Offer message to the AR;
  • Step S1304: The AR sends a DHCP Request message in response to the PAA's DHCP Offer. The DHCP Request message includes the authentication mode supported by the PAA and the IP address provided by the PAA, indicating that the AR has selected a PAA that supports the corresponding authentication mode and has accepted the IP address provided by the PAA;
  • Step S1305: After receiving the DHCP Request message, the PAA sends an EAP-Request/Identity message to the AR, carried in a DHCP Ack packet;
  • Step S1306: The AR converts the DHCP Ack packet into a PKM-RSP/EAP-Transfer message and sends the EAP-Request/Identity message to the client in that message;
  • Step S1307: The client sends the EAP-Response/Identity message to the AR in a PKM-REQ/EAP-Transfer message;
  • Step S1308: The AR converts the PKM message into a DHCP message and carries the EAP-Response/Identity message to the PAA in a DHCP Request message;
  • Steps S1309 to S1310: EAP method negotiation and the authentication method exchange are performed; the identity credential information associated with the client has to be transmitted to the authentication server several times, and the exchange of authentication protocol messages between the client and the AR and between the AR and the PAA completes the identity authentication of the client. The AR converts PKM packets into DHCP packets, performing the authentication conversion and implementing identity authentication of the client towards the PAA. This completes the EAP authentication process;
  • Step S1311: After client authentication succeeds, the PAA replies with an EAP Success message, carried in a DHCP Ack message whose yiaddr is the assigned global IP address;
  • Step S1312: After receiving the DHCP Ack packet, the AR converts it into a PKM-RSP/EAP-Transfer packet carrying the EAP Success message and sends that packet to the client.
  • FIG. 14 is a flowchart of the authentication conversion for re-authentication of an 802.16 client at the DHCP authentication server in the embodiment of the present invention; the specific steps are as follows:
  • Step S1401: The client initiates a PKM-REQ/EAP-Start message and restarts EAP authentication;
  • Step S1402: When the configured handshake timer or re-authentication timer expires, re-authentication may be initiated by the AR;
  • Step S1401 and step S1402 are two ways of initiating re-authentication: the process may be initiated by the client or by the AR.
  • Step S1403: The AR sends a DHCP Request message to the PAA. The DHCP Request message includes the authentication mode supported by the PAA and the IP address provided by the PAA, indicating that the AR has selected a PAA that supports the corresponding authentication mode and has accepted the IP address provided by the PAA;
  • Steps S1404 to S1411 are the same as steps S1305 to S1312 described for FIG. 13 and are not described again here.
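The DHCP side of the conversion in FIG. 11 to FIG. 14, as an added example that is not the patent's code: the PAA reserves a pooled global address but answers the Discover with the AR's local address in yiaddr (step S1103/S1303), and the final Ack carries the EAP Success with yiaddr set to the reserved global address (step S1111/S1311), which the AR then extracts for re-encapsulation in EAPoL or PKM-RSP/EAP-Transfer (step S1112/S1312). The message layout follows RFC 2131; the auth-proto and EAP option codes (224 and 225, private-use range) and all addresses are assumptions, since the patent names no option numbers.

```python
"""Toy DHCP-side conversion for the FIG. 11 to FIG. 14 flows. Added example,
not code from the patent. Fixed fields follow RFC 2131; OPT_AUTH_PROTO and
OPT_EAP are assumed private-use option codes (RFC 3942 range 224-254) standing
in for the patent's auth-proto option and its EAP carrier; addresses are
constructed from the documentation ranges."""
import struct
import ipaddress

DHCP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # RFC 2131 fixed fields
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_END = 53, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_AUTH_PROTO, OPT_EAP = 224, 225     # assumed private-use codes
AUTH_PROTO_EAP = 1                     # assumed value for "EAP carried in DHCP"


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", options=()):
    hdr = DHCP_HDR.pack(op, 1, 6, 0, xid, 0, 0, b"\0" * 4,
                        ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC + body + bytes([OPT_END])


def parse_dhcp(data):
    """Return (op, xid, chaddr, yiaddr, {option code: value})."""
    fields = DHCP_HDR.unpack_from(data)
    op, xid, yiaddr, chaddr = fields[0], fields[4], fields[8], fields[11]
    off = DHCP_HDR.size
    if data[off:off + 4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    off += 4
    opts = {}
    while off < len(data) and data[off] != OPT_END:
        code, length = data[off], data[off + 1]
        opts[code] = data[off + 2:off + 2 + length]
        off += 2 + length
    return op, xid, chaddr[:6], str(ipaddress.IPv4Address(yiaddr)), opts


class PaaDhcpAuthenticator:
    """PAA with a co-located DHCP server: hands out addresses from a pool but
    withholds the real address until EAP has succeeded."""

    def __init__(self, pool, ar_local_ip):
        self.pool = list(pool)           # unclaimed global addresses
        self.ar_local_ip = ar_local_ip   # local address used by the AR
        self.pending = {}                # chaddr -> reserved global address

    def handle_discover(self, data):
        _, xid, chaddr, _, opts = parse_dhcp(data)
        if opts.get(OPT_MSG_TYPE) != bytes([DISCOVER]):
            raise ValueError("not a DHCP Discover")
        if opts.get(OPT_AUTH_PROTO) != bytes([AUTH_PROTO_EAP]):
            raise ValueError("AR announced no authentication mode this PAA supports")
        # Step S1103: record an unclaimed address for the client but place the
        # AR's local address in yiaddr until authentication completes.
        self.pending[chaddr] = self.pool.pop(0)
        return build_dhcp(BOOTREPLY, xid, chaddr, OFFER, self.ar_local_ip,
                          [(OPT_AUTH_PROTO, bytes([AUTH_PROTO_EAP]))])

    def handle_final_request(self, data, eap_success):
        """Step S1111: once the EAP method succeeded, the Ack carries the EAP
        Success and yiaddr becomes the reserved global address."""
        _, xid, chaddr, _, _ = parse_dhcp(data)
        global_ip = self.pending.pop(chaddr)
        return build_dhcp(BOOTREPLY, xid, chaddr, ACK, global_ip, [(OPT_EAP, eap_success)])


def ar_handle_ack(data):
    """AR side of step S1112/S1312: pull the EAP packet out of the Ack for
    re-encapsulation in EAPoL or PKM-RSP/EAP-Transfer, and note the address."""
    op, _, _, yiaddr, opts = parse_dhcp(data)
    if op != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([ACK]):
        raise ValueError("not a DHCP Ack")
    eap = opts.get(OPT_EAP)
    if eap is None or eap[0] != 3:      # EAP code 3 = Success
        raise ValueError("Ack does not carry an EAP Success")
    return eap, yiaddr
```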
  • FIG. 8 to FIG. 14 above describe the authentication conversion for the PKM and 802.1x layer 2 authentication protocols; in the same way, the layer 2 authentication protocol messages sent by the client are converted by the AR into layer 3 authentication protocol messages, and authentication is performed in the layer 3 authentication server.
  • On the data plane of the authentication relay system, the data flow has to be controlled through the L2 AC and the L3 EP: a layer 3 security association is established between the L2 AC and the L3 EP, and, at layer 2, between the L2 AC and the client.
  • The access control policy generated by the PAA is sent to the L3 EP, and the L3 EP sends the access control policy to the L2 AC. If the network layer where the data plane is located lacks security, encrypted access filtering has to be used to establish security for the data flow.
  • The embodiment of the present invention provides an authentication relay in the network node device; after receiving the client's layer 2 authentication protocol message, it uniformly converts the layer 2 authentication protocol message into a layer 3 authentication protocol message and sends it to the authenticator for authentication, solving the problem that a layer 2 authentication protocol client cannot be authenticated in the next generation access network.
  • The client can thus authenticate to the authenticator of the next generation access network through its layer 2 authentication method, so that authentication and authorization of the client are completed in the authentication server without the user having to upgrade or replace the client.
  • A technique separating the bearer from control is adopted: the layer 3 enforcement point and the layer 2 access controller monitor the control data flow information on the data plane, and after authentication passes, the layer 3 enforcement point sends an access control policy to the layer 2 access controller, ensuring the security of the incoming and outgoing data flow information.

Abstract

A method for converting the network access authentication, includes the following steps: receiving a first authentication protocol packet transmitted by a first side which supports the first authentication protocol; converting the first authentication protocol packet to a second authentication protocol packet, and transmitting the converted second authentication protocol packet to a second side which supports the second authentication protocol. A network node device and a system for converting the network access authentication are disclosed. Through implementing the embodiments of the invention, an authentication relay converts the layer-2 authentication protocol message to the layer-3 authentication protocol message, and authentication and authorization are performed in the network in which the authenticator lies, thus the problem of performing authentication in the next generation access network is resolved.

Description

Method, system and device for network access authentication conversion

Technical field

The present invention relates to the field of network communications, and in particular to a method, system and device for network access authentication conversion.

Background
The Protocol for carrying Authentication for Network Access (PANA) is a layer 3 authentication protocol. A layer 3 authentication protocol system of this kind generally comprises a PANA Client (PaC), a PANA Authentication Agent (PAA), an Authentication Server (AS) and an Enforcement Point (EP). The PaC is the client side of the PANA protocol; it seeks access to the network where the PAA is located and takes part in the authentication process of the PANA protocol. The PAA sits at the edge of the access network; it is responsible for communicating with the AS to verify the authenticity of the PaC's credentials, grants network access authorization to the devices associated with the PaC, and can also update the access control state by creating or deleting access authorizations. The AS checks the PaC credentials forwarded by the PAA and returns the result of the check and the authorization parameters to the PAA. The EP is a node on the access network that monitors the packets entering and leaving the PaC device and filters them according to the policy obtained from the PAA.
FIG. 1 shows the access network architecture of an existing layer 2 authentication protocol. The customer premises network contains a number of terminal equipment (TE) devices, such as terminal equipment 1 to terminal equipment N, with further terminal equipment between terminal equipment 1 and terminal equipment N. These devices connect through a Residential Gateway (RG) to an Access Node (AN) in the IP aggregation access network, and then through the Broadband Network Gateway (BNG) of the IP aggregation access network to the AS of the layer 2 authentication protocol, where the TE is authenticated.
Existing user terminals essentially use layer 2 authentication protocols, such as the layer 2 authentication method 802.1x and the Point-to-Point Protocol (PPP). When the TE in FIG. 1 attaches to a layer 2 RG or Access Point (AP) and authenticates through a layer 2 protocol, the layer 2 authentication protocol cannot pass through a layer 3 RG, and even a layer 2 RG does not support transparent forwarding of layer 2 broadcast traffic. Even if layer 2 protocol authentication could pass through a layer 3 RG, it still could not pass through a layer 3 AN or IP aggregation node to reach the IP edge node where the PAA is located. As access networks evolve, layer 3 ANs and IP aggregation nodes are the trend for next generation access networks, which requires every client to meet the requirements of a layer 3 authentication protocol. However, PANA, the layer 3 authentication protocol, is a new authentication protocol; if PANA were used for all authentication, every client supporting a layer 2 authentication protocol would have to be upgraded or replaced with a client supporting the layer 3 authentication protocol, and the cost of such an upgrade or replacement would be very high.

Summary of the invention
In view of the above problems in the prior art, embodiments of the present invention provide a method, system and device for network access authentication conversion. An authentication relay placed on the network side converts the received first authentication protocol message into a second authentication protocol message and passes it to the authentication device for authentication, which resolves the authentication process of a layer 2 authentication client within a layer 3 protocol and lets users migrate smoothly to the IP-based next generation access network.
An embodiment of the present invention provides a method for network access authentication conversion, the method comprising: receiving a first authentication protocol packet sent by a first party that supports a first authentication protocol;
converting the first authentication protocol packet into a second authentication protocol packet, and sending the converted second authentication protocol packet to a second party that supports a second authentication protocol.
An embodiment of the present invention further provides a network node device, comprising a receiving unit, an authentication relay unit and a sending unit, wherein:
the receiving unit is configured to receive a first authentication protocol packet sent by a first party that supports the first authentication protocol;
the authentication relay unit is configured to convert the first authentication protocol packet received by the receiving unit into a second authentication protocol packet;
the sending unit is configured to send the second authentication protocol packet converted by the authentication relay unit to a second party that supports the second authentication protocol.
An embodiment of the present invention further provides a network access authentication conversion system, comprising a client, an authentication relay and an authentication device, wherein:
the client is configured to exchange layer 2 authentication protocol packets with the authentication relay and to provide identity authentication material to the authentication device for access authentication;
the authentication relay is configured to perform the conversion between layer 2 authentication protocol packets and layer 3 authentication protocol packets; it exchanges layer 2 authentication protocol packets with the client and layer 3 authentication protocol packets with the authentication device;
the authentication device is configured to exchange layer 3 authentication protocol packets with the authentication relay and to provide authentication and authorization for the user or device associated with the client.
By implementing the embodiments of the present invention, an authentication relay is placed in the network system; after receiving the client's first authentication protocol message, it converts the first authentication protocol message into a second authentication protocol message and sends it to the authentication device for authentication, which solves the problem that a layer 2 authentication protocol client cannot be authenticated in the next generation access network. With this authentication method, the client's first authentication protocol message is converted by the authentication relay into a second authentication protocol message, and access authentication is completed in the authentication device through the exchange of second authentication protocol messages. By implementing the method, the original layer 2 authentication protocol messages are uniformly converted into layer 3 authentication protocol messages on the network side, which solves the problem that layer 2 authentication protocol messages cannot traverse layer 3 network nodes, while the user does not need to upgrade or replace the existing layer 2 client and can migrate smoothly to the IP-based next generation access network.

Brief description of the drawings
FIG. 1 is a schematic diagram of the access network architecture of an existing layer 2 authentication protocol;
FIG. 2A is a system diagram of network access authentication conversion in an embodiment of the present invention;
FIG. 2B is a schematic structural diagram of the authentication relay in an embodiment of the present invention;
FIG. 3 is a schematic diagram of the IP session period during client authentication relaying in an embodiment of the present invention;
FIG. 4 is a diagram of an application scenario of authentication relaying in an IP aggregation network in an embodiment of the present invention;
FIG. 5 is a schematic diagram of another application scenario of authentication relaying in an embodiment of the present invention;
FIG. 6 is a schematic diagram of still another application scenario of authentication relaying in an embodiment of the present invention;
FIG. 7 is a flowchart of the authentication conversion for successful 802.1x to PANA authentication in an embodiment of the present invention;
FIG. 8 is a flowchart of the authentication conversion for 802.1x to PANA re-authentication in an embodiment of the present invention;
FIG. 9 is a flowchart of the authentication conversion for successful PKM to PANA authentication in an embodiment of the present invention;
FIG. 10 is a flowchart of the authentication conversion for PKM to PANA re-authentication in an embodiment of the present invention;
FIG. 11 is a flowchart of the authentication conversion for successful 802.1x to DHCP authentication in an embodiment of the present invention;
FIG. 12 is a flowchart of the authentication conversion for 802.1x to DHCP re-authentication in an embodiment of the present invention;
FIG. 13 is a flowchart of the authentication conversion for successful PKM to DHCP authentication in an embodiment of the present invention;
FIG. 14 is a flowchart of the authentication conversion for PKM to DHCP re-authentication in an embodiment of the present invention.

Detailed description
Embodiments of the present invention provide a method and device for network access authentication conversion. An authentication relay placed in the network node device uniformly converts the original layer 2 authentication protocol messages into layer 3 authentication protocol messages, which solves the problem that a layer 2 authentication protocol client cannot traverse a layer 3 RG, a layer 3 AN or an IP aggregation node. The existing layer 2 authentication protocol client does not need to be upgraded, so the client migrates smoothly to the IP-based next generation access network and the user's investment is effectively protected.
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Referring first to FIG. 2A, which is a system diagram of network access authentication conversion in an embodiment of the present invention, the system comprises a client 201, an authentication relay 202, an authenticator 203, an authentication server 204, a layer 3 enforcement point 205 and a layer 2 access controller 206. The layer 2 access controller 206 and the layer 3 enforcement point 205 are located in the data plane; the other functional units are located in the control plane.
The client 201 is the applicant for authentication. The client 201 seeks access to the network to which the authenticator 203 belongs and provides identity authentication material to the authentication server 204 to take part in the authentication process of the authentication protocol. The client 201 is associated with a set of devices or credentials that prove the identity of the client 201 within the scope of the authentication protocol. It may be a terminal device connected to the network, such as a portable computer, a personal digital assistant, a mobile phone, a PC or a router, and it uses a layer 2 authentication protocol to authenticate, through the authentication relay 202, with the authentication server 204 supporting the layer 3 authentication protocol where the authenticator 203 is located. The layer 2 authentication protocols used by the client include 802.1X, PPP and the Privacy Key Management (PKM) protocol.
The Authentication Relay (AR) 202 provides the layer 2 authenticated client 201 with the conversion between layer 2 authentication protocol messages and layer 3 authentication protocol messages (such as the PANA protocol or the DHCP protocol): it converts the layer 2 authentication protocol messages sent by the client 201 into layer 3 authentication protocol messages and sends them to the authenticator 203, and converts the layer 3 authentication protocol messages sent by the authenticator 203 into layer 2 authentication protocol messages and sends them to the client 201, thereby establishing the exchange of authentication information between the client 201 and the authenticator 203. The AR 202 performs the layer 3 protocol exchange with the authenticator 203 on behalf of the authenticated client 201, and uses the address identifier of the client 201 to complete the authentication or address identification of the client 201. FIG. 2B is a schematic structural diagram of the AR in an embodiment of the present invention. The AR 202 comprises a receiving unit 2021, an authentication relay unit 2022, a sending unit 2023 and a re-authentication unit 2024, wherein: the receiving unit 2021 is configured to receive a first authentication protocol packet sent by a first party that supports a first authentication protocol; the authentication relay unit 2022 is configured to convert the first authentication protocol packet received by the receiving unit 2021 into a second authentication protocol packet; and the sending unit 2023 is configured to send the second authentication protocol packet converted by the authentication relay unit 2022 to a second party that supports the second authentication protocol. It should be noted that the first party may be the client, in which case the first authentication protocol is a layer 2 authentication protocol, and the second party may be the authentication device, in which case the second authentication protocol is a layer 3 authentication protocol; or the first party may be the authentication device, the first authentication protocol a layer 3 authentication protocol, the second party the client, and the second authentication protocol a layer 2 authentication protocol. The re-authentication unit 2024 is configured to initiate the re-authentication process for the client 201 during the session.
The authenticator 203 is the authentication agent, that is, the PAA in the PANA protocol. It exchanges layer 3 authentication protocol messages with the AR 202 and, on behalf of the client 201, interacts with the authentication server 204 through an AAA authentication protocol (such as RADIUS or Diameter) or an API, providing access authentication and authorization for the devices associated with the client 201. In addition, the authenticator 203 can update the access control state at the client 201 by creating or revoking access authorizations. If the authenticator 203 and the authentication server 204 are located in the same network node, they can pass data through an Application Program Interface (API); if they are not located in the same network node, they need to pass data through RADIUS or Diameter packets that can carry Authentication, Authorization and Accounting (AAA) information. After authentication completes, the authenticator 203 delivers the layer 3 access control policy and/or the authorization key to the layer 3 enforcement point 205. The authenticator 203 may be located in an IP edge node of the network, such as a network gateway or network node like a BNG.
认证服务器( Authentication Server, AS ) 204负责对客户端 201提供的认证 材料进行检验, 并向客户端 201 返回检验的结果和授权的参数, 其中包括接入 控制策略和授权密钥等。 认证服务器 204可以与认证者 203位于同一个网络节 点中, 也可以位于访问网络上一个专门的网络节点或是因特网上的中心服务器。  The Authentication Server (AS) 204 is responsible for verifying the authentication material provided by the client 201, and returns the result of the verification and the authorized parameters to the client 201, including the access control policy and the authorization key. The authentication server 204 may be located in the same network node as the authenticator 203, or may be located in a dedicated network node on the access network or a central server on the Internet.
层 3监控点 ( Layer 3 Enforcement Point, L3 EP ) 205位于访问网络数据面 上的一个节点, 负责对来自层 2接入控制器 206的数据包进行监控, 并依据从 认证者 203 处获得的接入控制策略来对数据包进行非加密接入过滤或加密接入 过滤。 若网络底层缺乏安全保障, 则必须釆用加密接入过滤方式, 层 2接入控 制器 206与 L3 EP205之间需要建立层 3安全联盟, 安全联盟的建立可釆用因特 网密钥交换协议( Internet Key Exchange, IKE )等。在完成层 3安全联盟建立后, 可釆用网络层加密协议进行数据流的安全保护, 加密数据流信息可釆用 IP网络 安全协议( IP Security Protocol, IPSec )协议。 若认证者 203和 L3 EP位于同一 节点,则它们之间仅需 API进行数据交互即可,否则,则需要层 2控制协议( Layer 2 Control Protocol, L2CP )或简单网络管理协议(Simple Network Management Protocol, SNMP )进行数据交互。 L3 EP205通常是位于 AR202与认证者 203之 间的路径上。 A Layer 3 Enforcement Point (L3 EP) 205 is located at a node accessing the data plane of the network, and is responsible for monitoring the data packet from the layer 2 access controller 206, and according to the connection obtained from the authenticator 203. Incoming control policies to perform non-encrypted access filtering or encrypted access filtering on data packets. If the underlying network lacks security, the encrypted access filtering method must be used. The layer 3 access controller 206 and the L3 EP205 need to establish a layer 3 security association. The establishment of the security association can use the Internet key exchange protocol (Internet). Key Exchange, IKE), etc. After the completion of the layer 3 security alliance, The network layer encryption protocol can be used for data stream security protection. The encrypted data stream information can use the IP Security Protocol (IPSec) protocol. If the authenticator 203 and the L3 EP are located at the same node, only the API needs to perform data interaction between them; otherwise, the Layer 2 Control Protocol (L2CP) or the Simple Network Management Protocol (Simple Network Management Protocol) is required. , SNMP) for data interaction. The L3 EP 205 is typically located on the path between the AR 202 and the authenticator 203.
层 2接入控制器( Layer 2 Access Controller, L2 AC ) 206位于访问网络数据 面上的一个节点, 负责对来自客户端 201 的数据包进行监控, 并依据从认证者 203处通过 L3 EP205转发的接入控制策略对数据包进行非加密接入过滤或加密 接入过滤。 通常 L2 AC位于客户端 201与 AR202之间的路径上。 若网络底层缺 乏安全保障, 则必须釆用加密接入过滤方式, 客户端 201与 L2 AC206之间需要 建立层 2安全联盟,层 2安全联盟建立可釆用 802.11i的四次握手协议( 4 WHS ), 或釆用 802.16的三次握手协议(3WHS ); 在完成安全联盟建立后, 可釆用链路 层加密协议进行数据流的安全保护, 加密可釆用 802.11i链路层加密协议, 或 802.16链路层加密协议。  The Layer 2 Access Controller (L2 AC) 206 is located at a node accessing the data plane of the network, and is responsible for monitoring the data packet from the client 201 and forwarding it according to the L3 EP205 from the authenticator 203. The access control policy performs non-encrypted access filtering or encrypted access filtering on the data packet. Usually the L2 AC is located on the path between the client 201 and the AR 202. If the underlying network lacks security, you must use the encrypted access filtering method. A Layer 2 security association needs to be established between the client 201 and the L2 AC206. The Layer 2 security association establishes a four-way handshake protocol that can use 802.11i (4 WHS). ), or use the 802.16 three-way handshake protocol (3WHS); after completing the establishment of the security association, the link layer encryption protocol can be used for data stream security protection, and the encryption can use the 802.11i link layer encryption protocol, or 802.16 Link layer encryption protocol.
L2 AC206与 L3 EP205同时位于数据面相同节点时, 其在构造设备时可以 设置在同一个设备中, 此时, 该合一设备与客户端 201之间, 既可以用层 2安 全保护, 也可以用层 3安全保护。  When the L2 AC206 and the L3 EP205 are located at the same node of the data plane, they can be set in the same device when the device is constructed. In this case, the layer 2 can be protected by the layer 2 or the client 201. Secure with layer 3.
The IP session lifecycle during the client authentication relay of FIG. 3 is described below with reference to FIG. 3 and the network access authentication relay system of FIG. 2. The steps are as follows:
Step S301: the client and the AR exchange layer 2 authentication protocol messages;
Step S302: the AR converts the client's layer 2 authentication protocol messages into layer 3 authentication protocol messages. Before the client has passed authentication, the AR may apply for a temporary IP address on behalf of each client, or use its own IP address, to support layer 3 authentication;
Step S303: the authenticator and the AR exchange layer 3 authentication protocol messages;
Step S304: the authenticator converts the layer 3 authentication protocol messages into Authentication, Authorization and Accounting (AAA) protocol messages and exchanges information with the AS;
Step S305: after the client has passed authentication, the client applies for a formal IP address for itself. This address may be provided by the AR or by a DHCP server; if it is provided by the AR, it corresponds one-to-one to the IP address that the AR applied for on behalf of that client in step S302;
Step S306: after the client has passed authentication, the authenticator delivers the access control policy and the authorization key to the L3 EP;
Step S307: a layer 3 security association is established between the L2 AC and the L3 EP;
Step S308: the L3 EP converts the layer 3 access control policy into a layer 2 access control policy;
Step S309: a layer 2 authorization key is generated in the L3 EP;
Step S310: the converted layer 2 access control policy and the layer 2 authorization key are delivered to the L2 AC;
Step S311: the L2 AC establishes a layer 2 security association with the client;
Step S312: the client establishes a data flow with the network where the authenticator is located; the data flow enters the access network through the security filtering of the L2 AC and the L3 EP;
Step S313: the L2 AC detects from the client's packets that the client is going offline and notifies the AR with a user-offline message. When the layer 2 authentication protocol is 802.1x, the L2 AC notifies the AR with an EAPoL-Logoff message when it detects the client going offline;
Step S314: the AR terminates the layer 3 authentication session and the whole IP session ends. When the layer 3 authentication protocol is PANA, the AR and the authenticator exchange PANA-Termination-Request and PANA-Termination-Answer messages to terminate the PANA session. When the layer 3 authentication protocol is the Dynamic Host Configuration Protocol (DHCP) authentication protocol, the AR sends a DHCP Release message to the authenticator to terminate the IP session.
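Steps S308 to S310 say that the L3 EP translates the layer 3 policy into a layer 2 policy and generates a layer 2 authorization key, but not how. The following Python is an added example, not code from the patent or from Huawei. It assumes that the L3 EP holds an IP-to-MAC binding table (the mapping the AR produces in steps S302 and S305), a policy record keyed by client IP, and an HMAC-SHA256 counter-mode KDF for the key derivation; the binding table, the field names and the EtherType rule are constructed for the example.

```python
import hashlib
import hmac

# Constructed IP/MAC binding table; in the system it is populated from the AR's
# address mapping (S302/S305). Not taken from the patent text.
IP_MAC_BINDINGS = {"10.0.0.7": "00:11:22:33:44:55", "10.0.0.8": "00:11:22:33:44:66"}
ETHERTYPE_EAPOL, ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x888E, 0x0800, 0x0806


def kdf_counter_hmac_sha256(key, label, context, length):
    """Counter-mode KDF in the style of NIST SP 800-108 with HMAC-SHA256 as the PRF."""
    out, counter = b"", 1
    while len(out) < length:
        fixed = label + b"\x00" + context + (length * 8).to_bytes(4, "big")
        out += hmac.new(key, counter.to_bytes(4, "big") + fixed, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_l2_key(l3_auth_key, client_mac, l2ac_id, length=32):
    """S309: layer 2 authorization key generated in the L3 EP (assumed construction).

    Binding the derivation to the client MAC and the L2 AC identity means that a key
    leaked from one L2 AC is useless for another client or another controller, and
    the layer 3 key itself never leaves the L3 EP."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("client_mac must be a 48-bit MAC address")
    return kdf_counter_hmac_sha256(l3_auth_key, b"L2 authorization key", mac + l2ac_id, length)


def l3_to_l2_policy(l3_policy, bindings=IP_MAC_BINDINGS):
    """S308: translate a layer 3 policy keyed by client IP into a layer 2 policy keyed by MAC."""
    mac = bindings.get(l3_policy["client_ip"])
    if mac is None:  # no binding: refuse rather than install a rule for an unknown station
        raise LookupError("no IP/MAC binding for %s" % l3_policy["client_ip"])
    permitted = l3_policy["action"] == "permit"
    return {
        "client_mac": mac,
        "action": "permit" if permitted else "deny",
        "vlan": l3_policy.get("vlan"),
        "session_timeout": l3_policy.get("session_timeout"),
        # an unauthorized station may only talk EAPoL to the L2 AC (assumed default)
        "allowed_ethertypes": [ETHERTYPE_EAPOL, ETHERTYPE_ARP, ETHERTYPE_IPV4] if permitted
        else [ETHERTYPE_EAPOL],
    }


def install_at_l2ac(l3_policy, l3_auth_key, l2ac_id):
    """S308 to S310 together: what the L3 EP delivers to one L2 AC for one client."""
    policy = l3_to_l2_policy(l3_policy)
    return policy, derive_l2_key(l3_auth_key, policy["client_mac"], l2ac_id)
```

The two properties worth keeping when implementing this step are visible in the code: the L2 AC receives a key that is specific to one client and one controller and cannot be turned back into the layer 3 authorization key, and a policy for an IP address without a known MAC binding is not installed at all, since a layer 2 rule for the wrong station would either cut off a legitimate client or admit an impostor.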
FIG. 4 to FIG. 6 show application scenarios of the authentication relay in embodiments of the invention. FIG. 4 shows the authentication relay applied in an IP aggregation network. In the access IP aggregation network, the Central Office Access Node (CO AN) or the IP edge device, such as a BNG or Broadband Remote Access Server (BRAS), is provided with the PAA and the L3 EP, and the layer 2 AN is provided with the AR and the AC. The edge devices of the IP aggregation network support only PANA authentication, but layer 2 clients can have their authentication relayed by the AR on the AN; after relaying by the AR, clients using different authentication methods, such as 802.1x/f terminals, 802.16 terminals and PPP terminals, can be supported, while PANA terminals exchange layer 3 authentication protocol messages directly with the PAA in the IP aggregation network.
FIG. 5 shows another application scenario of the authentication relay in an embodiment of the invention. The PAA and the L3 EP are set on the IP edge device, such as the BNG or BRAS, and the AR and the L2 AC are set on the RG, the AP or the base station (BS); during authentication the AR relays the client's authentication protocol through the AN to the PAA, where the client is authenticated.
FIG. 6 shows a further application scenario of the authentication relay in an embodiment of the invention. The home network and the visited network are interconnected through their IP edge devices. The PAA and the L3 EP are set on the IP edge device of the home network, such as its BNG or BRAS; the AR is set on the BNG or BRAS at the IP edge of the visited network; and the AC is set on the AN of the visited network. When the client roams from the home network to the visited network, its authentication is relayed by the AR on the visited network's BNG or BRAS back to the PAA on the IP edge device of the home network, where it is authenticated.
The whole authentication relay process is described in detail below on the basis of the session lifecycle of FIG. 3 and the application scenarios of FIG. 4 to FIG. 6. FIG. 7 is a flowchart of a successful 802.1X-to-PANA authentication conversion in an embodiment of the invention; the specific steps are as follows:
Step S701: the client sends an EAPoL-Start message to start the Extensible Authentication Protocol (EAP) authentication process;
Step S702: after receiving the EAPoL-Start message, the AR triggers a PANA-Client-Initiation message to select a PAA that provides the authentication and authorization service;
Step S703: the PAA sends a PANA-Auth-Request message to the AR, indicating that the PAA can provide the authentication and authorization service, and configures a local IP address for the AR's local use; the S bit is set;
Step S704: the AR sends a PANA-Auth-Answer message to the PAA, indicating that the AR has received the PANA-Auth-Request message;
Step S705: the PAA sends an EAP-Request/Identity message to the AR, carried in a PANA-Auth-Request message;
Step S706: the AR converts the PANA-Auth-Request message into an EAPoL message and sends the EAP-Request/Identity message to the client carried in that EAPoL message;
Step S707: the client sends an EAPoL message carrying an EAP-Response/Identity message to the AR;
Step S708: the AR converts the EAPoL message into a PANA message and sends the EAP-Response/Identity message to the PAA carried in a PANA-Auth-Answer message;
Steps S709 to S710: the EAP authentication method (EAP Method) is negotiated and the method exchange takes place. The credential information associated with the client has to be passed to the authentication server several times, and the client's identity authentication is completed only through the exchange of authentication protocol messages between the client and the AR and between the AR and the PAA. Throughout this process the AR converts EAPoL messages into PANA messages, performing the authentication conversion that authenticates the client to the PAA, until the EAP authentication process ends;
Step S711: after the user has been authenticated successfully, the PAA returns an EAP Success message to the AR; the EAP Success message and the corresponding EAP-derived key are encapsulated in a PANA-Auth-Request message carried to the AR, and the C bit is set;
Step S712: after receiving the PANA-Auth-Request message, the AR sends a PANA-Auth-Answer message to the PAA in response; the C bit is set;
Step S713: the AR sends the received EAP Success message to the client carried in an EAPoL message.
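The following Python is an added example, not code from the patent: a minimal AR that performs the S701 to S713 conversions on the wire, plus the EAPoL-Logoff to PANA-Termination-Request conversion of steps S313 and S314 of FIG. 3. It uses the EAPoL header of IEEE 802.1X, the EAP packet format of RFC 3748, and the PANA header, flags and EAP-Payload AVP of RFC 5191; vendor-specific AVPs are not handled. The client and PAA messages in the test are constructed. The relay only copies EAP payloads between carriers and never looks at credentials. For the 802.16 client of FIG. 9 only the layer 2 framing changes (PKM-REQ/PKM-RSP EAP-Transfer instead of EAPoL); the PANA side is identical.

```python
import struct

# IEEE 802.1X EAPoL packet types
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes and the Identity method type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# PANA message types, header flags and the EAP-Payload AVP code (RFC 5191)
PANA_PCI, PANA_AUTH, PANA_TERM, PANA_NOTIF = 1, 2, 3, 4
FLAG_R, FLAG_S, FLAG_C, FLAG_A = 0x8000, 0x4000, 0x2000, 0x1000
AVP_EAP_PAYLOAD = 2


def eapol(pkt_type, body=b""):
    """EAPoL frame: protocol version 2, packet type, body length, body."""
    return struct.pack("!BBH", 2, pkt_type, len(body)) + body


def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("short EAPoL frame")
    _ver, pkt_type, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPoL body")  # never relay a partial EAP packet
    return pkt_type, body


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, optional type and type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def pana(msg_type, flags, session_id, seq, avps=b""):
    """PANA header: reserved, message length, flags, type, session id, sequence number."""
    return struct.pack("!HHHHII", 0, 16 + len(avps), flags, msg_type, session_id, seq) + avps


def avp(code, value):
    """PANA AVP without vendor id: code, flags, value length, reserved, value padded to 4."""
    return struct.pack("!HHHH", code, 0, len(value), 0) + value + b"\0" * ((-len(value)) % 4)


def parse_pana(msg):
    """Return (flags, msg_type, session_id, seq, {avp_code: value}); reject bad lengths."""
    if len(msg) < 16:
        raise ValueError("short PANA message")
    _res, length, flags, msg_type, sid, seq = struct.unpack("!HHHHII", msg[:16])
    if length != len(msg):
        raise ValueError("PANA message length mismatch")
    avps, off = {}, 16
    while off < length:
        code, _aflags, vlen, _res = struct.unpack("!HHHH", msg[off:off + 8])
        value = msg[off + 8:off + 8 + vlen]
        if len(value) != vlen:
            raise ValueError("truncated AVP")
        avps[code] = value
        off += 8 + vlen + (-vlen) % 4
    return flags, msg_type, sid, seq, avps


class AuthenticationRelay:
    """AR: EAPoL authenticator toward the client, PANA client (PaC) toward the PAA."""

    def __init__(self):
        self.session_id = 0       # learned from the PAA's first PAR (S703)
        self.pending_seq = None   # seq of the PAA request the client has not yet answered
        self.seq = 0              # sequence number for requests the AR itself sends
        self.authenticated = False

    def to_pana(self, frame):
        """Client -> AR -> PAA: S701/S702, S707/S708 and the logoff of S313/S314."""
        pkt_type, body = parse_eapol(frame)
        if pkt_type == EAPOL_START:
            return pana(PANA_PCI, 0, 0, 0)                 # PANA-Client-Initiation, no session yet
        if pkt_type == EAPOL_LOGOFF:
            self.seq += 1                                  # PANA-Termination-Request ends the session
            return pana(PANA_TERM, FLAG_R, self.session_id, self.seq)
        if pkt_type == EAPOL_EAP_PACKET:
            if self.pending_seq is None:
                raise ValueError("EAP response without an outstanding PAA request")
            seq, self.pending_seq = self.pending_seq, None
            # the EAP-Response rides in a PANA-Auth-Answer that echoes the request's seq
            return pana(PANA_AUTH, 0, self.session_id, seq, avp(AVP_EAP_PAYLOAD, body))
        raise ValueError("unsupported EAPoL packet type %d" % pkt_type)

    def to_eapol(self, msg):
        """PAA -> AR -> client: S703 to S706 and S711 to S713. Returns (answer_to_paa, frame_to_client)."""
        flags, msg_type, sid, seq, avps = parse_pana(msg)
        if msg_type != PANA_AUTH or not flags & FLAG_R:
            raise ValueError("expected a PANA-Auth-Request")
        if flags & FLAG_S:
            self.session_id = sid                          # S703: PAA accepted, session starts
        elif sid != self.session_id:
            raise ValueError("PAR for a session this AR does not own")
        payload = avps.get(AVP_EAP_PAYLOAD)
        if payload is None:                                # S703/S704: no EAP, AR answers itself
            return pana(PANA_AUTH, flags & (FLAG_S | FLAG_C), sid, seq), None
        if flags & FLAG_C:                                 # S711 to S713: EAP Success/Failure
            self.authenticated = payload[0] == EAP_SUCCESS
            return pana(PANA_AUTH, FLAG_C, sid, seq), eapol(EAPOL_EAP_PACKET, payload)
        self.pending_seq = seq                             # S705/S706: wait for the client's answer
        return None, eapol(EAPOL_EAP_PACKET, payload)
```

Two checks matter in a relay like this and are easy to omit: the PANA length field and every AVP length are validated before anything is copied, so a truncated message is dropped instead of being forwarded to the client as a well-formed EAP packet, and a PANA-Auth-Request for a session identifier that this AR did not learn at S703 is rejected rather than relayed. One caveat on step S711: in RFC 5191 the PAA does not send the EAP-derived key (the MSK) to the PaC; it keeps it and uses it to derive the key that protects the AUTH AVP. The example therefore relays only the EAP Success message, which is all step S713 requires.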
In the authentication conversion flow of FIG. 7, 802.1x authentication messages are converted into PANA messages for authentication: the EAP messages are first carried to the AR in 802.1x EAPoL messages, and the AR and the PAA then carry the corresponding EAP messages in PANA-Auth-Request and PANA-Auth-Answer messages to complete the authentication of the 802.1x terminal. After successful authentication, the client needs to be re-authenticated during the IP session lifetime in order to extend the session, or for other reasons. FIG. 8 is a flowchart of the 802.1X-to-PANA re-authentication conversion in an embodiment of the invention; the specific steps are as follows:
Step S801: the client sends an EAPoL-Start message to restart EAP authentication;
Step S802: when the configured handshake timer or re-authentication timer expires, re-authentication can be initiated by the AR;
Steps S801 and S802 are the two ways of initiating re-authentication: the re-authentication process may be initiated by the client or by the AR.
Step S803: after re-authentication has been triggered by step S801 or step S802, the AR requests re-authentication from the PAA with a PANA-Notification-Request message; the A bit is set;
Step S804: the PAA sends a PANA-Notification-Answer message to the AR, indicating that the PAA has received the re-authentication request; the A bit is set;
Steps S805 to S813 are the same as steps S705 to S713 of FIG. 7 and are not repeated here.
FIG. 7 and FIG. 8 above are flowcharts of a client that authenticates with the 802.1x authentication protocol and whose authentication is relayed to a PANA authenticator. When the client is an 802.16 client that authenticates with the PKM layer 2 protocol, the client authentication relay flow is as shown in FIG. 9; the specific steps are as follows:
Step S901: the client sends a PKM request/EAP start (PKM-REQ/EAP-Start) message to start the EAP authentication process;
Step S902: after receiving the PKM-REQ/EAP-Start message, the AR triggers a PANA-Client-Initiation message to select a PAA that provides the authentication and authorization service;
Step S903: the PAA sends a PANA-Auth-Request message to the AR, indicating that it can provide the authentication and authorization service, and configures a local IP address for the AR's local use; the S bit is set;
Step S904: the AR sends a PANA-Auth-Answer message to the PAA;
Step S905: the PAA sends an EAP-Request/Identity message to the AR, carried in a PANA-Auth-Request message;
Step S906: the AR converts the PANA-Auth-Request message into a PKM response/EAP transfer (PKM-RSP/EAP-Transfer) message and sends the EAP-Request/Identity message to the client carried in that PKM-RSP/EAP-Transfer message;
Step S907: the client sends a PKM-REQ/EAP-Transfer message carrying an EAP-Response/Identity message to the AR;
Step S908: the AR converts the PKM message into a PANA message and sends the EAP-Response/Identity message to the PAA carried in a PANA-Auth-Answer message;
Steps S909 to S910: the EAP authentication method (EAP Method) is negotiated and the method exchange takes place. The credential information associated with the client has to be passed to the authentication server several times, and the client's identity authentication is completed only through the exchange of authentication protocol messages between the client and the AR and between the AR and the PAA. Throughout this process the AR converts PKM messages into PANA messages, performing the authentication conversion that authenticates the client to the PAA, until the EAP authentication process ends;
Step S911: after the user has been authenticated successfully, the PAA returns an EAP Success message to the AR; the EAP Success message and the corresponding EAP-derived key are encapsulated in a PANA-Auth-Request message carried to the AR, and the C bit is set;
Step S912: after receiving the PANA-Auth-Request message, the AR sends a PANA-Auth-Answer message to the PAA; the C bit is set;
Step S913: the AR sends the received EAP Success message to the client carried in a PKM-RSP/EAP-Transfer message.
In the authentication conversion flow of FIG. 9, PKM authentication messages are converted into PANA messages for authentication. After successful authentication, the client needs to be re-authenticated during the IP session lifetime in order to extend the session, or for other reasons. FIG. 10 is a flowchart of the re-authentication conversion of an 802.16 client to a PANA authentication server in an embodiment of the invention; the specific steps are as follows:
Step S1001: the client sends a PKM-REQ/EAP-Start message to restart EAP authentication;
Step S1002: when the configured handshake timer or re-authentication timer expires, re-authentication can be initiated by the AR;
Steps S1001 and S1002 are the two ways of initiating re-authentication: the re-authentication process may be initiated by the client or by the AR.
Step S1003: after re-authentication has been triggered by step S1001 or step S1002, the AR requests re-authentication from the PAA with a PANA-Notification-Request message; the A bit is set;
Step S1004: the PAA sends a PANA-Notification-Answer message to the AR, indicating that the PAA has received the re-authentication request; the A bit is set;
Steps S1005 to S1013 are the same as steps S905 to S913 of FIG. 9 and are not repeated here.
The flows above authenticate a layer 2 client after authentication protocol conversion with PANA as the layer 3 authentication protocol. FIG. 11 to FIG. 14 below describe the flows that authenticate a layer 2 client after authentication conversion with the DHCP protocol as the layer 3 authentication protocol.
Referring first to FIG. 11, FIG. 11 is a flowchart of a successful 802.1x-to-DHCP authentication conversion in an embodiment of the invention; the specific steps are as follows:
Step S1101: the client sends an EAPoL-Start message to start the EAP authentication process;
Step S1102: after receiving the EAPoL-Start message, the AR triggers a DHCP Discover message to select a DHCP authenticator (PAA) and DHCP server that provide the authentication and authorization service, and indicates the authentication modes supported by the AR in an authentication option (auth-proto Option);
Step S1103: after receiving the DHCP Discover message, the PAA adds an authentication option indicating the authentication modes supported by the PAA, records an unleased IP address that the DHCP server can provide to the client, replaces that address with a local IP address for the AR's local use, and then forwards a DHCP Offer message to the AR;
Step S1104: the AR sends a DHCP Request message in response to the PAA's DHCP Offer message. The DHCP Request message contains the authentication mode supported by the PAA and the IP address provided by the PAA, indicating that the AR has selected a PAA that supports the corresponding authentication mode and has accepted the IP address provided by the PAA;
Step S1105: after receiving the DHCP Request message, the PAA sends an EAP-Request/Identity message to the AR, carried in a DHCP Ack message;
Step S1106: the AR converts the DHCP Ack message into an EAPoL message and sends the EAP-Request/Identity message to the client carried in that EAPoL message;
Step S1107: the client sends an EAPoL message carrying an EAP-Response/Identity message to the AR;
Step S1108: the AR converts the EAPoL message into a DHCP message and sends the EAP-Response/Identity message to the PAA carried in a DHCP Request message;
Steps S1109 to S1110: the EAP authentication method (EAP Method) is negotiated and the method exchange takes place. The credential information associated with the client has to be passed to the authentication server several times, and the client's identity authentication is completed only through the exchange of authentication protocol messages between the client and the AR and between the AR and the PAA. Throughout this process the AR converts EAPoL messages into DHCP messages, performing the authentication conversion that authenticates the client to the PAA, until the EAP authentication process ends;
Step S1111: after the client has been authenticated successfully, the PAA returns an EAP Success message to the AR, carried in a DHCP Ack message whose yiaddr field holds the allocated global IP address;
Step S1112: after receiving the DHCP Ack message, the AR converts it into an EAPoL message carrying the EAP Success message and sends that EAPoL message to the client.
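The PAA side of steps S1102 to S1111, as an added Python example that is not the patent's code: RFC 2131 message building and parsing, the authentication and EAP options, the substitution of a local address for the reserved lease in the Offer (S1103), and the release of the real lease in yiaddr only together with EAP Success (S1111). The option codes 250 and 251, the address pool, the credential store and the choice of EAP-MD5 as the EAP method are assumptions made for the example: the page names the options but gives no codes, and EAP-MD5 (RFC 3748, section 5.4) is used only because it fits in a few lines, not because it is a recommended method.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# DHCP message types (option 53, RFC 2132) and the options used here
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_MSG_TYPE, OPT_END = 53, 255
# The page names an "auth-proto Option" and EAP carried inside DHCP messages but
# gives no option codes; these two codes are ASSUMED for this example only.
OPT_AUTH_PROTO, OPT_EAP = 250, 251
AUTH_EAP = b"\x01"
MAGIC = b"\x63\x82\x53\x63"
# EAP (RFC 3748) codes, Identity and MD5-Challenge method types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4
# Constructed credential store standing in for the AAA server of step S304
USERS = {b"alice@example.net": b"correct horse battery staple"}


def eap(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def md5_response(ident, secret, challenge):
    """EAP-MD5 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def dhcp(op, xid, chaddr, yiaddr, options):
    """RFC 2131 message: 236-octet fixed header, magic cookie, TLV options, END."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4,
                        b"\0" * 4, chaddr.ljust(16, b"\0"), b"", b"")
    tlvs = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return fixed + MAGIC + tlvs + bytes([OPT_END])


def parse_dhcp(msg):
    """Return (xid, chaddr, yiaddr, {option: value}); reject malformed messages."""
    if len(msg) < 241 or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", msg[4:8])[0]
    yiaddr = str(ipaddress.IPv4Address(msg[16:20]))
    opts, off = {}, 240
    while msg[off] != OPT_END:
        if msg[off] == 0:                       # pad option
            off += 1
        elif off + 2 <= len(msg):
            code, ln = msg[off], msg[off + 1]
            opts[code] = msg[off + 2:off + 2 + ln]
            off += 2 + ln
        else:
            raise ValueError("truncated option")
        if off >= len(msg):
            raise ValueError("options run past the end of the message")
    return xid, msg[28:34], yiaddr, opts


class DhcpPaa:
    """PAA of FIG. 11: DHCP authenticator that hands out the real lease only after EAP Success."""

    def __init__(self, pool, local_ip="192.0.2.1"):
        self.pool = list(pool)        # leases the DHCP server can give out (constructed)
        self.local_ip = local_ip      # address the AR uses locally while authenticating (S1103)
        self.sessions = {}            # xid -> per-client authentication state

    def _reply(self, mtype, xid, chaddr, yiaddr, eap_pkt):
        return dhcp(2, xid, chaddr, yiaddr, [(OPT_MSG_TYPE, bytes([mtype])), (OPT_EAP, eap_pkt)])

    def handle(self, msg):
        xid, chaddr, _, opts = parse_dhcp(msg)
        mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
        if mtype == DISCOVER:
            if opts.get(OPT_AUTH_PROTO) != AUTH_EAP or not self.pool:
                return None           # no common authentication mode (or no lease): no Offer
            # S1103: reserve a lease for the client but offer only the local address
            self.sessions[xid] = {"mac": chaddr, "lease": self.pool.pop(0),
                                  "identity": None, "challenge": None}
            return dhcp(2, xid, chaddr, self.local_ip,
                        [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_AUTH_PROTO, AUTH_EAP)])
        s = self.sessions.get(xid)
        if mtype != REQUEST or s is None or s["mac"] != chaddr:
            return None               # unknown transaction or another station's MAC: ignore
        resp = opts.get(OPT_EAP)
        if resp is None:              # S1104/S1105: the Ack carries EAP-Request/Identity
            return self._reply(ACK, xid, chaddr, self.local_ip, eap(EAP_REQUEST, 1, TYPE_IDENTITY))
        if len(resp) < 5 or resp[0] != EAP_RESPONSE or struct.unpack("!H", resp[2:4])[0] != len(resp):
            return None
        if resp[4] == TYPE_IDENTITY and s["challenge"] is None:
            # S1108 to S1110: identity learned, challenge with EAP-MD5 (illustrative, weak method)
            s["identity"], s["challenge"] = resp[5:], os.urandom(16)
            return self._reply(ACK, xid, chaddr, self.local_ip,
                               eap(EAP_REQUEST, 2, TYPE_MD5, bytes([16]) + s["challenge"]))
        if resp[4] == TYPE_MD5 and s["challenge"] is not None and resp[1] == 2 and len(resp) >= 22:
            secret = USERS.get(s["identity"], b"")
            ok = s["identity"] in USERS and hmac.compare_digest(
                resp[6:22], md5_response(2, secret, s["challenge"]))
            del self.sessions[xid]
            if ok:                    # S1111: EAP Success and the real lease in yiaddr
                return self._reply(ACK, xid, chaddr, s["lease"], eap(EAP_SUCCESS, 3))
            self.pool.append(s["lease"])  # failed: return the lease, never expose it
            return self._reply(NAK, xid, chaddr, "0.0.0.0", eap(EAP_FAILURE, 3))
        return None
```

The point of the address substitution in step S1103 is that an unauthenticated station never learns, and cannot use, the lease it will eventually receive; the example also refuses a Request whose chaddr differs from the Discover that opened the transaction, and returns the reserved lease to the pool on failure instead of leaking it in the NAK.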
在图 11 所示的认证转换流程图中, 通过将 802. lx认证消息转换为 DHCP 消息进行认证, 在认证成功之后, 在整个 IP会话周期中, 需要对客户端进行重 认证来延长会话周期, 或其他原因也需要对客户端进行重认证。 图 12中示出了 本发明实施例中的 802. lx到 DHCP重认证的认证转换的流程图,具体步骤如下: 步骤 S1201 : 客户端发起 EAPoL-Start报文, 重新启动 EAP认证; 步骤 S1202: 当设定的握手定时器或重认证定时器超过设定的时间时, 可以 通过 AR发起重认证; In the authentication conversion flowchart shown in Figure 11, the 802. lx authentication message is converted into a DHCP message for authentication. After the authentication succeeds, the client needs to be re-authenticated to extend the session period during the entire IP session. Or for other reasons, the client needs to be re-authenticated. The flowchart of the 802. lx to DHCP re-authentication authentication conversion in the embodiment of the present invention is shown in FIG. 12, and the specific steps are as follows: Step S1201: The client initiates an EAPoL-Start message and restarts EAP authentication; Step S1202: When the set handshake timer or re-authentication timer exceeds the set time, Re-authentication initiated by the AR;
步骤 S1201和步骤 S1202是重认证发起的两种方式, 可以由客户端发起重 认证的过程 , 也可以通过 AR发起重认证的过程。  Step S1201 and step S1202 are two methods of re-authentication initiation, and the process of re-authentication may be initiated by the client, or the process of re-authentication may be initiated by the AR.
步骤 S1203: AR发送 DHCP地址分配请求( DHCP Request ) 消息给 PAA, DHCP Request消息中包含了 PAA支持的认证模式和 PAA提供的 IP地址, 表明 AR已经选择能支持相应认证模式的 PAA, 并接受了 PAA提供的 IP地址;  Step S1203: The AR sends a DHCP Request message (DHCP Request) message to the PAA. The DHCP Request message includes the authentication mode supported by the PAA and the IP address provided by the PAA, indicating that the AR has selected the PAA that can support the corresponding authentication mode, and accepts the PAA. IP address provided by the PAA;
步骤 S1204至步骤 S1211与图 11所述的步骤 S1105至步骤 S1112相同, 这 里不再过多赘述。  Steps S1204 to S1211 are the same as steps S1105 to S1112 described in FIG. 11, and the details are not described here.
Figs. 11 and 12 above are flowcharts in which the client initiates authentication with the 802.1X authentication protocol and, after relaying, is authenticated by the DHCP authenticator. When the client is an 802.16 client that authenticates with the PKM layer 2 protocol, the client authentication relay flow is as shown in Fig. 13, with the following steps:
Step S1301: the client sends a PKM-REQ/EAP-Start message to start the EAP authentication process.
Step S1302: on receiving the PKM-REQ/EAP-Start message, the AR triggers a DHCP Discover message to select a DHCP authenticator (PAA) and a DHCP server that provide the authentication and authorization service, and indicates the authentication modes the AR supports through the authentication option (auth-proto Option).
Step S1303: on receiving the DHCP Discover message, the PAA adds an authentication option indicating the authentication modes the PAA supports, records the unleased IP address that the DHCP server can provide for the client, replaces that address with a local IP address for the AR's local use, and then forwards the DHCP Offer message to the AR.
Step S1304: the AR sends a DHCP Request message in response to the PAA's DHCP Offer. The DHCP Request carries the authentication mode supported by the PAA and the IP address provided by the PAA, indicating that the AR has selected a PAA that supports the corresponding authentication mode and has accepted the IP address the PAA provided.
Step S1305: on receiving the DHCP Request message, the PAA sends an EAP-Request/Identity message to the AR, carried in a DHCP Ack message.
Step S1306: the AR converts the DHCP Ack message into a PKM-RSP/EAP-Transfer message and sends the EAP-Request/Identity message to the client inside it.
Step S1307: the client sends a PKM-REQ/EAP-Transfer message carrying an EAP-Response/Identity message to the AR.
Step S1308: the AR converts the PKM message into a DHCP message and carries the EAP-Response/Identity message to the PAA in a DHCP Request.
Steps S1309 to S1310: negotiation of the EAP authentication method (EAP Method) and the exchange of that method take place. The identity credential information associated with the client must be passed to the authentication server over several round trips, and the client's identity authentication is completed only through the exchange of authentication protocol messages between the client and the AR and between the AR and the PAA. Throughout this process the AR converts PKM messages into DHCP messages, performing the authentication conversion that authenticates the client to the PAA, until the EAP authentication process ends.
Step S1311: after the client has been authenticated successfully, the PAA replies to the AR with an EAP authentication success (EAP Success) message. The EAP Success message is carried in a DHCP Ack message whose yiaddr is the allocated global IP address.
Step S1312: on receiving the DHCP Ack message, the AR converts it into a PKM-RSP/EAP-Transfer message carrying the EAP Success message and sends that message to the client.
In the authentication conversion flow of Fig. 13, PKM authentication messages are converted into DHCP messages for authentication. After authentication succeeds, the client has to be re-authenticated during the IP session to extend the session lifetime, and re-authentication may also be needed for other reasons. Fig. 14 shows the authentication conversion flow for re-authentication of an 802.16 client with the DHCP authentication server in an embodiment of the invention, with the following steps:
Step S1401: the client sends a PKM-REQ/EAP-Start message to restart EAP authentication.
Step S1402: when the configured handshake timer or re-authentication timer expires, re-authentication may be initiated by the AR.
Steps S1401 and S1402 are the two ways in which re-authentication can be initiated: the process may be started by the client, or it may be started by the AR.
Step S1403: the AR sends a DHCP address-allocation request (DHCP Request) message to the PAA. The DHCP Request carries the authentication mode supported by the PAA and the IP address provided by the PAA, indicating that the AR has selected a PAA that supports the corresponding authentication mode and has accepted the IP address the PAA provided.
Steps S1404 to S1411 are the same as steps S1305 to S1312 of Fig. 13 and are not repeated here.
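The relay behaviour described for Figs. 13 and 14 (EAP-Start triggering a DHCP Discover, the Offer answered with a Request that echoes the PAA's authentication mode and accepts the substituted address, EAP payloads re-encapsulated between the layer 2 carrier and DHCP Ack/Request, yiaddr of the final Ack taken as the global address, and an AR-side timer that triggers re-authentication) as an added worked example. This is not code from the patent or from Huawei. It uses EAPoL (802.1X) as the concrete layer 2 carrier because the page gives no byte layout for PKM messages, and the DHCP option codes 224/225 used for the EAP payload and the auth-proto option are assumptions, since the page names the option but not its code.

```python
import socket
import struct
import time

# Values below are the real ones from IEEE 802.1X, RFC 3748 and RFC 2131/2132.
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
OPT_REQ_IP, OPT_MSG_TYPE, OPT_END = 50, 53, 255
DHCP_MAGIC = b"\x63\x82\x53\x63"
# The page names an "auth-proto" option and carries EAP inside DHCP but gives
# no option codes: 224/225 (site-specific range) are assumptions of this example.
OPT_EAP, OPT_AUTH_PROTO = 224, 225


def build_eapol(pkt_type, body=b""):             # version 1, type, body length
    return struct.pack("!BBH", 1, pkt_type, len(body)) + body


def parse_eapol(frame):
    _ver, pkt_type, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPoL frame")
    return pkt_type, frame[4:4 + length]


def build_eap(code, ident, eap_type=None, data=b""):   # Success/Failure: no Type
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or len(pkt) < length:
        raise ValueError("bad EAP length field")
    return {"code": code, "id": ident,
            "type": pkt[4] if length > 4 else None, "data": pkt[5:length]}


def build_dhcp(msg_type, xid, options, yiaddr="0.0.0.0", chaddr=b"\0" * 6):
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0)        # op..flags
    hdr += b"\0" * 4 + socket.inet_aton(yiaddr) + b"\0" * 8     # ciaddr..giaddr
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 192                # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        if len(value) > 255:              # would need RFC 3396 option splitting
            raise ValueError(f"option {code} too long for a single DHCP option")
        opts += bytes([code, len(value)]) + value
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp(msg):
    if msg[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                   # pad option has no length byte
            i += 1
            continue
        code, ln = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"xid": struct.unpack("!I", msg[4:8])[0],
            "yiaddr": socket.inet_ntoa(msg[16:20]), "opts": opts}


class AuthRelay:
    """Authentication relay (AR): layer 2 EAP carrier <-> DHCP towards the PAA."""

    def __init__(self, client_mac, xid, reauth_interval=3600):
        self.client_mac, self.xid, self.reauth_interval = client_mac, xid, reauth_interval
        self.offered_ip = self.global_ip = self.last_auth = None

    def l2_to_l3(self, frame):            # frame from the client -> DHCP for the PAA
        pkt_type, body = parse_eapol(frame)
        if pkt_type == EAPOL_START:               # EAP-Start -> DHCP Discover
            return build_dhcp(DHCP_DISCOVER, self.xid,
                              [(OPT_AUTH_PROTO, b"eap")], chaddr=self.client_mac)
        if pkt_type == EAPOL_EAP_PACKET:          # EAP-Response -> DHCP Request
            parse_eap(body)                       # reject malformed EAP early
            return build_dhcp(DHCP_REQUEST, self.xid,
                              [(OPT_AUTH_PROTO, b"eap"), (OPT_EAP, body)],
                              chaddr=self.client_mac)
        raise ValueError(f"unsupported EAPoL packet type {pkt_type}")

    def l3_to_l2(self, dhcp):
        """An Offer is answered with a Request; an Ack carrying EAP goes to the client."""
        m = parse_dhcp(dhcp)
        if m["xid"] != self.xid:
            raise ValueError("DHCP transaction id does not belong to this client")
        mtype = m["opts"][OPT_MSG_TYPE][0]
        if mtype == DHCP_OFFER and OPT_AUTH_PROTO in m["opts"]:
            self.offered_ip = m["yiaddr"]         # local address substituted by the PAA
            return build_dhcp(DHCP_REQUEST, self.xid,
                              [(OPT_AUTH_PROTO, m["opts"][OPT_AUTH_PROTO]),
                               (OPT_REQ_IP, socket.inet_aton(self.offered_ip))],
                              chaddr=self.client_mac)
        if mtype == DHCP_ACK and OPT_EAP in m["opts"]:
            if parse_eap(m["opts"][OPT_EAP])["code"] == EAP_SUCCESS:
                self.global_ip, self.last_auth = m["yiaddr"], time.time()
            return build_eapol(EAPOL_EAP_PACKET, m["opts"][OPT_EAP])
        raise ValueError(f"unexpected DHCP message type {mtype}")

    def needs_reauth(self, now):          # AR-initiated re-authentication trigger
        return self.last_auth is not None and now - self.last_auth >= self.reauth_interval
```

Two checks in the relay are worth keeping in any real implementation: the DHCP transaction id is tied to the client so that a PAA message for one subscriber cannot be replayed into another subscriber's EAP conversation, and EAP payloads larger than 255 bytes (common for certificate-based methods) are rejected rather than silently truncated, because a single DHCP option cannot carry them without RFC 3396 concatenation.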
Figs. 8 to 14 above describe the conversion of the PKM and 802.1x layer 2 authentication protocols; by the same pattern, the layer 2 authentication protocol messages sent by the client are converted by the AR into layer 3 authentication protocol messages, and authentication takes place at the layer 3 authentication server. After authentication and authorization, the data plane of the authentication relay system controls the data flows through the layer 2 access controller (L2 AC) and the layer 3 enforcement point (L3 EP): a layer 3 security association is established between the L2 AC and the L3 EP, and a layer 2 security association between the L2 AC and the client. The access control policy generated by the PAA is delivered to the L3 EP, and the L3 EP then delivers that policy to the L2 AC. If the network layer on which the data plane runs lacks security protection, encrypted access filtering must be used to protect the data flows.
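The data-plane arrangement just described (a first, IP-keyed access control policy and first authorization key handed from the authenticator to the L3 EP; the L3 EP converting them into a second, MAC-keyed policy and second key for the L2 AC; and per-frame protection when the underlying network layer is not trusted) as an added worked example, not code from the patent. The page does not specify the policy format, the key derivation or the frame protection, so the rule dictionaries, the HMAC-SHA256 derivation of the second key and the truncated-HMAC frame tag are all assumptions of this example.

```python
import hashlib
import hmac
import ipaddress


def derive_l2_key(l3_key, client_mac, label=b"L2-AC-SA"):
    """Second authorization key from the first. HMAC-SHA256 keyed with the
    layer 3 key over a label and the client MAC is an assumed KDF; the page
    names none."""
    return hmac.new(l3_key, label + client_mac, hashlib.sha256).digest()


def translate_policy(l3_rules, ip_to_mac):
    """First (IP-keyed) access control policy -> second (MAC-keyed) policy,
    using the IP->MAC binding the relay learned from the DHCP exchange."""
    l2_rules = []
    for r in l3_rules:
        mac = ip_to_mac.get(r["src_ip"])
        if mac is None:                  # no authenticated station behind this IP
            continue
        l2_rules.append({"src_mac": mac, "bound_ip": r["src_ip"],
                         "dst_net": ipaddress.ip_network(r["dst_net"]),
                         "dport": r["dport"], "action": r["action"]})
    return l2_rules


def l3_ep_decision(packet, l3_rules):
    """Layer 3 enforcement point: first matching IP rule wins, default deny."""
    dst = ipaddress.ip_address(packet["dst_ip"])
    for r in l3_rules:
        if (packet["src_ip"] == r["src_ip"] and dst in ipaddress.ip_network(r["dst_net"])
                and r["dport"] in (None, packet["dport"])):
            return r["action"]
    return "deny"


def frame_tag(key, frame):
    """Per-frame integrity tag for the 'encrypted access filtering' case; an
    HMAC over the addressing fields with the layer 2 SA key is assumed here."""
    msg = b"|".join([frame["src_mac"], frame["src_ip"].encode(),
                     frame["dst_ip"].encode(), str(frame["dport"]).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def l2_ac_decision(frame, l2_rules, sa_keys, require_tag=True):
    """Layer 2 access controller: known MAC, source IP equal to the binding
    (anti-spoofing), valid tag, then the translated rules; default deny."""
    rules = [r for r in l2_rules if r["src_mac"] == frame["src_mac"]]
    if not rules:
        return "deny"                                  # unauthenticated station
    if frame["src_ip"] != rules[0]["bound_ip"]:
        return "deny"                                  # spoofed IP behind a good MAC
    if require_tag:
        key = sa_keys.get(frame["src_mac"])
        expected = frame_tag(key, frame) if key else b""
        if not key or not hmac.compare_digest(expected, frame.get("tag", b"")):
            return "deny"                              # no SA or tag mismatch
    dst = ipaddress.ip_address(frame["dst_ip"])
    for r in rules:
        if dst in r["dst_net"] and r["dport"] in (None, frame["dport"]):
            return r["action"]
    return "deny"
```

The point of translating rather than copying the policy is that the L2 AC can only see MAC addresses with certainty: the IP it sees in a frame is whatever the station wrote, so the translated rule carries the bound IP and the controller refuses frames whose source IP disagrees with the binding established during authentication.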
In summary, embodiments of the invention place an authentication relay in a network node device which, after receiving the client's layer 2 authentication protocol messages, uniformly converts them into layer 3 authentication protocol messages and sends them to the authenticator for authentication. This solves the problem that clients using a layer 2 authentication protocol cannot be authenticated in the next-generation access network. By placing authentication relays in the access aggregation network and in other network nodes, the problem that layer 2 authentication protocol messages cannot pass through a layer 3 RG or AN to be authenticated is solved: with this method the client is authenticated by the authenticator of the next-generation access network using a layer 2 authentication method, so that the client is authenticated and authorized at the authentication server without the user having to upgrade or replace the client. The authentication access system separates bearer from control: the layer 3 enforcement point and the layer 2 access controller monitor the data flows on the data plane, and once authentication succeeds the layer 3 enforcement point delivers the access control policy to the layer 2 access controller, securing the data flows entering and leaving the client.
What is disclosed above is only a preferred embodiment of the invention and of course does not limit the scope of its rights; equivalent changes made according to the claims of the invention therefore remain within its scope.

Claims

1. A method for network access authentication conversion, characterised in that the method comprises the following steps: receiving a first authentication protocol message sent by a first party that supports a first authentication protocol;
converting the first authentication protocol message into a second authentication protocol message, and sending the converted second authentication protocol message to a second party that supports the second authentication protocol.
2. The method for network access authentication conversion of claim 1, characterised in that the first party is a client, the first authentication protocol is a layer 2 authentication protocol, the second party is an authentication device and the second authentication protocol is a layer 3 authentication protocol; or
the first party is an authentication device, the first authentication protocol is a layer 3 authentication protocol, the second party is a client and the second authentication protocol is a layer 2 authentication protocol, wherein:
the layer 2 authentication protocol is the 802.1x authentication protocol or the PKM authentication protocol, and the layer 3 authentication protocol is the Protocol for carrying Authentication for Network Access (PANA) or the Dynamic Host Configuration Protocol (DHCP).
3. The method for network access authentication conversion of claim 2, characterised in that, while the network side authenticates the client, the authentication relay applies for an IP address on the client's behalf, and after the network side has authenticated the client successfully an IP address is allocated to the client, wherein the IP address the authentication relay allocates to the client corresponds one-to-one to the IP address the authentication relay applied for on the client's behalf.
4. The method for network access authentication conversion of claim 3, characterised in that it further comprises:
after the network side has authenticated the client successfully, the authenticator delivers a first access control policy and/or a first authorization key to the layer 3 enforcement point;
the layer 3 enforcement point converts the first access control policy into a second access control policy and/or generates a second authorization key from the first authorization key;
the second access control policy and/or the second authorization key is delivered to the layer 2 access controller.
5. The method for network access authentication conversion of claim 4, characterised in that it further comprises: after the authenticator has delivered the first access control policy and/or the first authorization key, the layer 3 enforcement point establishes a first security association with the layer 2 access controller;
after the layer 3 enforcement point has delivered the second access control policy and/or the second authorization key, the layer 2 access controller establishes a second security association with the client.
6. The method for network access authentication conversion of claim 2, characterised in that it further comprises:
after the network side has authenticated the client successfully, the authentication relay converts first authentication protocol messages into second authentication protocol messages during the session, for re-authentication at the authenticator.
7. A network node device, characterised in that it comprises a receiving unit, an authentication relay unit and a sending unit, wherein:
the receiving unit is configured to receive a first authentication protocol message sent by a first party that supports a first authentication protocol;
the authentication relay unit is configured to convert the first authentication protocol message received by the receiving unit into a second authentication protocol message;
the sending unit is configured to send the second authentication protocol message converted by the authentication relay unit to a second party that supports the second authentication protocol.
8. The network node device of claim 7, characterised in that
the first party is a client, the first authentication protocol is a layer 2 authentication protocol, the second party is an authentication device and the second authentication protocol is a layer 3 authentication protocol; or
the first party is an authentication device, the first authentication protocol is a layer 3 authentication protocol, the second party is a client and the second authentication protocol is a layer 2 authentication protocol.
9. The network node device of claim 8, characterised in that the network node device further comprises a re-authentication unit configured to initiate a re-authentication process towards the client during the session.
10. The network node device of claim 9, characterised in that the network node device is any one of a broadband network gateway, a broadband remote access server, an access node, a residential gateway, an access point and a base station.
11. A network access authentication conversion system, characterised in that it comprises a client, an authentication relay and an authentication device, wherein:
the client is configured to exchange layer 2 authentication protocol messages with the authentication relay and to provide identity authentication material to the authentication device for access authentication;
the authentication relay is configured to convert between layer 2 authentication protocol messages and layer 3 authentication protocol messages, exchanging layer 2 authentication protocol messages with the client and layer 3 authentication protocol messages with the authentication device;
the authentication device is configured to exchange layer 3 authentication protocol messages with the authentication relay and to provide authentication and authorization for the user or device associated with the client.
12. The network access authentication conversion system of claim 11, characterised in that the authentication device comprises an authenticator and an authentication server:
the authenticator is configured to exchange layer 3 authentication protocol messages with the authentication relay and to provide access authentication and authorization for the user or device associated with the client;
the authentication server is configured to perform access authentication, through the authenticator, on the basis of the identity authentication material provided by the client, and to return the authentication result and a first access control policy to the client through the authenticator.
13. The network access authentication conversion system of claim 12, characterised in that the network access authentication conversion system further comprises a layer 3 enforcement point and a layer 2 access controller, wherein:
the layer 3 enforcement point monitors the data packets coming from the layer 2 access controller according to the first access control policy delivered by the authenticator, converts the first access control policy into a second access control policy, and/or generates a second authorization key from a first authorization key;
the layer 2 access controller monitors the data packets coming from the client according to the second access control policy.
14. The network access authentication conversion system of claim 13, characterised in that the layer 3 enforcement point and the layer 2 access controller are located in the same node device.
PCT/CN2008/071774 2007-07-26 2008-07-28 A method, system and device for converting the network access authentication WO2009012729A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200710029380 CN101355485B (en) 2007-07-26 2007-07-26 Method for conversing network access authentication as well as system and apparatus thereof
CN200710029380.1 2007-07-26

Publications (1)

Publication Number Publication Date
WO2009012729A1 true WO2009012729A1 (en) 2009-01-29

Family

ID=40281025

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071774 WO2009012729A1 (en) 2007-07-26 2008-07-28 A method, system and device for converting the network access authentication

Country Status (2)

Country Link
CN (1) CN101355485B (en)
WO (1) WO2009012729A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932361A (en) * 2012-11-09 2013-02-13 苏州阔地网络科技有限公司 Method and system for achieving dynamic interface

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102388639B (en) * 2011-09-29 2015-04-08 华为技术有限公司 Method and device for accessing mobile network and user device
CN103108324A (en) * 2011-11-09 2013-05-15 中兴通讯股份有限公司 Access authentication method and system
KR102098239B1 (en) * 2012-12-04 2020-04-08 삼성전자주식회사 Method and apparatus for setting up internet protocol address in a wireless communication system
CN107547431B (en) * 2017-05-24 2020-07-07 新华三技术有限公司 Message processing method and device
CN107547550B (en) * 2017-09-06 2020-03-06 新华三技术有限公司 Authentication method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859098A (en) * 2006-03-08 2006-11-08 华为技术有限公司 Method for realizing EAP identification relay in radio cut-in system
CN1998260A (en) * 2004-07-01 2007-07-11 艾利森电话股份有限公司 Method and system for providing backward compatibility between protocol for carrying authentication for network access (PANA) and point-to-point protocol (PPP) in a packet data network

Also Published As

Publication number Publication date
CN101355485A (en) 2009-01-28
CN101355485B (en) 2013-01-09

Similar Documents

Publication Publication Date Title
US7680878B2 (en) Apparatus, method and computer software products for controlling a home terminal
JP4666169B2 (en) Method of communication via untrusted access station
KR100759489B1 (en) Method and appratus for security of ip security tunnel using public key infrastructure in a mobile communication network
EP2136508B1 (en) A method and system for network access
JP4394682B2 (en) Apparatus and method for single sign-on authentication via untrusted access network
JP2002314549A (en) User authentication system and user authentication method used for the same
KR20030040601A (en) Access method for inter-working with wireless internet networks
CN102271134B (en) Method and system for configuring network configuration information, client and authentication server
WO2008138274A1 (en) A method and corresponding device and system for accessing remote service
CN106169952B (en) A kind of authentication method that internet Key Management Protocol is negotiated again and device
WO2006135217A1 (en) System and method for otimizing tunnel authentication procedure over a 3g-wlan interworking system
JP2007503637A (en) Method, system, authentication server, and gateway for providing credentials
WO2014176964A1 (en) Communication managing method and communication system
WO2006063511A1 (en) A method for realizing the synchronous authentication among the different authentication control devices
WO2014101449A1 (en) Method for controlling access point in wireless local area network, and communication system
WO2014107974A1 (en) Method and system for wireless local area network user to access fixed broadband network
WO2009012729A1 (en) A method, system and device for converting the network access authentication
WO2011127774A1 (en) Method and apparatus for controlling mode for user terminal to access internet
WO2013056668A1 (en) Device, system and method using eap for external authentication
CN103067337A (en) Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system
WO2007131426A1 (en) Aaa system and authentication method of multi-hosts network
CA2690017C (en) A method for releasing a high rate packet data session
WO2009082950A1 (en) Key distribution method, device and system
WO2009082910A1 (en) Method and device for network configuration to user terminal
CN108964985A (en) A kind of management method of protocol massages and virtual client terminal device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08783767

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08783767

Country of ref document: EP

Kind code of ref document: A1