WO2012119386A1 - Authentication method, device and system in access network - Google Patents


Info

Publication number
WO2012119386A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication server
authentication
mac address
user terminal
packet
Application number
PCT/CN2011/078317
Other languages
French (fr)
Chinese (zh)
Inventor
李克嘉
赵胜涛
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • FIG. 1 is a network architecture diagram according to an embodiment of the present invention
  • FIG. 3 is an interaction diagram of a method according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an access device according to an embodiment of the present invention.
  • Specific embodiments
  • An embodiment of the present invention provides an authentication method in an access network, where the access network is as shown in FIG. 1.
  • the access device 10 is connected to multiple authentication servers 20, 22, and 24.
  • Step 200 Send a discovery packet to the multiple authentication servers.
  • the access device 10 may send a DHCP-based discovery message or a PPPOE-based discovery message to multiple authentication servers 20, 22, and 24.
  • Step 202 Receive a response packet of the authentication server, obtain a MAC address of the authentication server from the response packet, and store the obtained MAC address in the authentication server list.
  • Step 204 Receive a discovery message from the user terminal, select a MAC address from multiple MAC addresses in the authentication server list, and send the discovery message from the user terminal to the corresponding authentication server for authentication.
  • the access device may select one MAC address from the multiple MAC addresses according to one or a combination of: the attribute of the port connecting the user terminal, the weight attribute of the authentication server, the parity of the MAC address of the authentication server, and a Hash algorithm.
  • an embodiment of the present invention can effectively implement the controllable load sharing in multiple authentication servers.
  • unicasting the discovery message of the user terminal to the corresponding authentication server eliminates excessive response packets, reducing the waste of bandwidth and CPU resources.
  • an embodiment of the present invention provides an authentication method in an access network, where the access network is as shown in FIG. 1.
  • the authentication server is a DHCP server.
  • the method includes:
  • Step 300 The access device constructs a DHCP DISCOVER message to be broadcast in the network.
  • the source address of the DHCP DISCOVER packet constructed by the access device is 0.0.0.0, and the destination address is
  • Step 302 The access device receives the DHCP OFFER packet of the DHCP server, extracts the MAC address in the packet, and saves the MAC address in the authentication server list.
  • the structure of the authentication server list can be as follows:
  • the access device can also extract the IP address of the DHCP server from the DHCP OFFER packet.
  • the IP address obtained is saved in the list of authentication servers.
  • Step 304 The access device receives the DHCP DISCOVER message sent by the user terminal; the source address of the DHCP DISCOVER message from the user terminal is 0.0.0.0, and the destination address is
  • Step 306 Select a MAC address from the list of authentication servers, and send the DHCP DISCOVER packet from the user terminal to the corresponding DHCP server.
  • the access device replaces the destination address of the user terminal's DHCP DISCOVER packet with the selected MAC address and unicasts the DHCP DISCOVER packet to the corresponding DHCP server.
  • the access device may adopt an even allocation. For example, the DHCP DISCOVER message of the first user terminal is unicast to the first DHCP server, the DHCP DISCOVER message of the second user terminal is unicast to the second DHCP server, and so on.
  • the access device may also distribute according to the weight attribute of the DHCP servers. For example, a weight value is set for each DHCP server and the traffic is divided according to the weight values: if the weight of the DHCP server 30 is 2, two DHCP DISCOVER packets are unicast to the DHCP server 30 before switching to the next DHCP server.
  • the access device may also select the corresponding DHCP server according to the parity of the port that receives the DHCP DISCOVER message.
  • this policy requires the correspondence between port parity and DHCP server MAC address to be configured on the access device in advance.
  • the access device can also adopt the Hash algorithm to select a MAC address according to the result of the Hash algorithm. This policy needs to configure the correspondence between the Hash algorithm result and the MAC on the access device.
  • the access device can also adopt a time-sharing method. For example, a DHCP server is selected first and the DHCP DISCOVER packet of the user terminal is sent to it; if the OFFER packet of that DHCP server is not received within a certain period of time, the access device switches to the next DHCP server.
  • Step 308 Periodically broadcast a DHCP DISCOVER message or send Ping probe packets, and update the authentication server list according to the response messages received.
  • the interval at which the access device periodically broadcasts DHCP DISCOVER packets can be configured, for example once every hour, and the authentication server list is updated according to the OFFER packets received.
  • the access device can also ping the DHCP servers in the authentication server list. Specifically, a counter can be set for each DHCP server to which ping probe packets are sent, counting that server's response timeouts. If the access device receives a response message from a DHCP server, the counter is cleared and ping detection of that DHCP server stops. If no response message from the DHCP server is received within a certain period of time (such as 5 seconds), the counter is incremented by 1 and the Ping probe continues to be sent. If the response timeout count exceeds 3, the DHCP server is considered to be in an abnormal state.
  • when the access device determines that a DHCP server is in an abnormal state, the user terminals served by that DHCP server are notified to re-apply for an IP address.
  • for example, the access device may send a ForceRenew packet to the user terminal, notifying it to release the IP address it has obtained and re-apply for an IP address.
  • the authentication method provided in this embodiment obtains the MAC addresses of the DHCP servers by constructing a DHCP DISCOVER message and, after receiving the DHCP DISCOVER message of a user terminal, unicasts it to one DHCP server. This effectively implements controllable load sharing among the DHCP servers, eliminates excessive OFFER messages, and reduces the waste of bandwidth and CPU resources.
  • An embodiment of the present invention provides an authentication method. The method provided may be based on the architecture of FIG. 1.
  • the authentication server in this embodiment may be a Broadband Remote Access Server (BRAS).
  • the method includes:
  • Step 400 The access device constructs a PADI message and broadcasts in the network.
  • the destination address is the broadcast address of the Ethernet.
  • the CODE field value is 0x09, and the SESSION-ID field value is 0x0000.
  • Step 402 The access device receives the responding PADO packet, obtains the MAC address of the BRAS, and saves the obtained MAC address in the authentication server list.
  • Step 404 Receive a PADI message of the user terminal.
  • Step 406 Select a MAC address from the list of authentication servers, and forward the received PADI message to the corresponding BRAS.
  • after receiving the PADI message from the user terminal, the access device replaces the broadcast address in the PADI message with the selected MAC address and sends it to the corresponding BRAS.
  • the access device may adopt an even allocation method, such as unicasting the PADI message of the first user terminal to the first BRAS, the PADI message of the second user terminal to the second BRAS, and so on.
  • the access device may also distribute according to the weight attribute of the BRASs, such as setting a weight value for each BRAS on the access device and distributing traffic according to the weight values. For example, if the weight of the BRAS 30 is 2, PADI messages are unicast twice to the BRAS 30 before switching to the next BRAS.
  • the access device may also select the corresponding BRAS according to the parity of the port that receives the PADI message.
  • this policy requires the correspondence between the port and the MAC address of the BRAS to be configured on the access device.
  • the access device can also adopt the Hash algorithm to select a MAC address according to the result of the Hash algorithm. This policy needs to configure the correspondence between the Hash algorithm result and the MAC on the access device.
  • the access device can also adopt a time-sharing method. For example, a BRAS is selected first and the PADI message of the user terminal is sent to it; if the PADO packet of that BRAS is not received within a certain period of time, the access device switches to the next BRAS.
  • the access device can also select the corresponding MAC address according to the OPTION 60 information in the PADI message. This policy needs to configure the correspondence between the OPTION 60 and the MAC on the access device.
  • Step 408 Send Ping probe packets to the BRASs in the authentication server list, and update the authentication server list according to the response messages of the BRASs.
  • a counter is set for each BRAS to which Ping probe packets are sent; the interval for sending the Ping probe packets may be 1 second, and the response timeouts of each BRAS are counted. If the access device receives a response message from a BRAS, the counter is cleared and ping detection of that BRAS stops; if no response message from the BRAS is received within a certain time (such as 0.5 seconds), the counter is incremented by 1 and Ping probe packets continue to be sent. If the response timeout count exceeds 2, the BRAS is considered to be in an abnormal state.
  • when the access device determines that a BRAS is in an abnormal state, the MAC address of that BRAS is deleted from the authentication server list, and the user terminals belonging to that BRAS are notified to go offline and redial. Specifically, the access device sends a PADT message to the user terminal, and the user terminal redials after receiving the PADT message.
  • the authentication method provided in this embodiment obtains the MAC addresses of the BRASs by constructing a PADI message and, after receiving the PADI message of a user terminal, unicasts it to one BRAS. This effectively implements controllable load sharing among multiple BRASs, eliminates excessive PADO packets, and reduces the waste of bandwidth and CPU resources.
  • An embodiment of the present invention provides an access device, where the access device is connected to multiple authentication servers, as shown in FIG. 5, including:
  • the first network side port 500 is configured to send a discovery packet to the multiple authentication servers.
  • the first network side port 500 can send a DHCP based discovery message or a PPPOE based discovery message to multiple authentication servers.
  • the second network side port 502 is configured to receive a response packet of the authentication server, obtain from the response packet the MAC address of the authentication server that sent it, and store the obtained MAC address in the authentication server list.
  • the first network side port 500 in this embodiment may be further configured to send a probe packet to the multiple authentication servers to detect the status of the multiple authentication servers, and refresh the list of the authentication servers according to the detection result.
  • for example, ping probe packets are sent to the multiple authentication servers, and the authentication server list is updated according to the response packets.
  • the first network side port 500 can also periodically broadcast a discovery message to the network, and update the authentication server list according to the response message.
  • the message processing unit 504 receives the discovery message from the user terminal, selects one MAC address from the plurality of MAC addresses in the authentication server list, and sends the discovery message from the user terminal to the corresponding authentication server according to the selected MAC address, so that the authentication server authenticates the user terminal.
  • the message processing unit 504 may: after receiving the discovery message from the user terminal, replace the broadcast address in the discovery message with the selected MAC address, and send the message to the corresponding authentication server.
  • the access device in this embodiment may be a Digital Subscriber Line Access Multiplexer (DSLAM), an Optical Line Terminal (OLT), a Multi-Service Access Network (MSAN) device, or similar equipment.
  • the access device acquires the MAC addresses of the authentication servers by constructing a discovery packet and, after receiving the discovery packet of a user terminal, unicasts it to one authentication server. This effectively implements load balancing among multiple authentication servers, eliminates excessive response packets, and reduces the waste of bandwidth and CPU resources.
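The selection policies of steps 306/406 and the probe counters of steps 308/408 above, as an added Python example that is not part of the patent text or of any Huawei product code: one list object offers the weighted choice (which is the even allocation when every weight is 1), the port-parity and hash choices, the time-sharing fallback to the next server, and the ping-timeout counter that declares a server abnormal once the count exceeds the configured limit (3 for DHCP servers, 2 for BRASs in the text). The page names no particular hash, so the byte-sum of the user MAC is used as a stand-in; the MAC addresses and user identifiers are constructed.

```python
class AuthServerList:
    """Authentication server list kept by an access device (constructed example).

    Entries are MAC addresses learned from response packets (DHCP OFFER or PADO).
    Each carries a weight for weighted distribution, a count of consecutive ping
    response timeouts, and the set of user terminals currently steered to it.
    """

    def __init__(self, timeout_limit):
        # A server is abnormal once its timeout count exceeds timeout_limit
        # (3 for DHCP servers, 2 for BRASs in the description).
        self.timeout_limit = timeout_limit
        self.servers = []            # learned MACs in the order their responses arrived
        self.weight = {}             # MAC -> weight
        self.timeouts = {}           # MAC -> consecutive ping response timeouts
        self.users = {}              # MAC -> user terminals served by that server
        self._current = None         # server receiving discoveries under the weighted policy
        self._sent = 0               # discoveries sent to _current in the present turn

    def learn(self, mac, weight=1):
        """Step 302/402: store the MAC taken from a server's response packet."""
        if mac not in self.weight:
            self.servers.append(mac)
            self.users[mac] = set()
        self.weight[mac] = weight
        self.timeouts[mac] = 0

    def next_server(self, mac):
        """Time-sharing policy: the server to try when `mac` sent no OFFER/PADO in time."""
        return self.servers[(self.servers.index(mac) + 1) % len(self.servers)]

    def _assign(self, user, mac):
        self.users[mac].add(user)
        return mac

    def select_weighted(self, user):
        """Weighted distribution: a server of weight w gets w consecutive discoveries,
        then the next server takes over. All weights 1 gives the even allocation."""
        if not self.servers:
            raise LookupError("no authentication server available")
        if self._current not in self.weight:     # first use, or current server removed
            self._current, self._sent = self.servers[0], 0
        mac = self._current
        self._sent += 1
        if self._sent >= self.weight[mac]:
            self._current, self._sent = self.next_server(mac), 0
        return self._assign(user, mac)

    def select_by_port_parity(self, user, port, parity_map):
        """Port-parity policy: parity_map is the pre-configured {0: mac, 1: mac}."""
        return self._assign(user, parity_map[port % 2])

    def select_by_hash(self, user, hash_map):
        """Hash policy: hash_map maps each hash result to a MAC. The page names no
        hash, so the byte-sum of the user MAC modulo the map size stands in here."""
        return self._assign(user, hash_map[sum(user) % len(hash_map)])

    def ping_reply(self, mac):
        """A reply clears the counter; probing of that server stops for this round."""
        self.timeouts[mac] = 0

    def ping_timeout(self, mac):
        """No reply within the wait time (5 s for DHCP, 0.5 s for BRAS in the text):
        count it. Once the count exceeds the limit the server is abnormal: it is
        dropped from the list and its users are returned so the caller can send
        them ForceRenew (DHCP) or PADT (PPPOE). Returns an empty set otherwise."""
        self.timeouts[mac] += 1
        if self.timeouts[mac] <= self.timeout_limit:
            return set()
        self.servers.remove(mac)
        del self.weight[mac], self.timeouts[mac]
        return self.users.pop(mac)
```

The returned user set is the hand-off point to the notification step: for a DHCP server the caller sends those terminals a ForceRenew, for a BRAS a PADT, and the removed MAC is never selected again until a later discovery broadcast re-learns it.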

Abstract

Provided are an authentication method, device and system in an access network. The method includes: sending a discovery message to a plurality of authentication servers; receiving a response message from an authentication server, obtaining from the response message the MAC address of the authentication server that sent it, and storing the obtained MAC address of the authentication server in an authentication server list; receiving a discovery message from a user terminal, selecting one MAC address from the plurality of MAC addresses in the authentication server list, and sending the discovery message from the user terminal to the corresponding authentication server according to the selected MAC address so as to authenticate the user terminal.

Description

Authentication method, device and system in access network

Technical field

The present invention relates to the field of communications, and in particular to an authentication method, device and system in an access network.

Background

Two methods are currently in wide use for broadband access authentication: IP over Ethernet (IPOE) and Point to Point Protocol over Ethernet (PPPOE).
IPOE authentication is mainly implemented with the Dynamic Host Configuration Protocol (DHCP). DHCP was originally designed for local area network (LAN) applications: the DHCP client on the user terminal uses an automatic discovery mechanism to try to contact a DHCP server on the network.
When a DHCP client logs in to the network for the first time, it sends a DHCP DISCOVER packet. Because the client does not yet know which network it belongs to, the source address of the DHCP DISCOVER packet is 0.0.0.0 and the destination address is 255.255.255.255; the DHCP discover information is attached and the packet is broadcast to the network.
When a DHCP server hears the DHCP DISCOVER packet sent by a DHCP client, it selects the first vacant IP address from the ranges not yet leased out and, together with other TCP/IP settings, responds to the client with a DHCP OFFER packet. Depending on the server's configuration, the DHCP OFFER packet contains lease duration information.
If the DHCP client receives responses from several DHCP servers on the network, it picks only one DHCP OFFER (usually the first to arrive) and sends a DHCP REQUEST packet to the network, telling all DHCP servers which server's offered IP address it will accept.
DHCP itself has no authentication function, but it can be combined with other techniques to implement authentication, such as DHCP+WEB, DHCP+client and authentication using DHCP+OPTION extension fields; all of these are collectively referred to as DHCP+ authentication. The OPTION fields used as DHCP extensions are mainly OPTION60 and OPTION82. OPTION60 carries Vendor and Service Option information, supplied by the user terminal when it initiates the DHCP request; the network device only needs to pass it through transparently. It serves to identify the type of user terminal and thus the user's service type, so that the DHCP server can assign different service IP addresses accordingly. OPTION82 information, by contrast, is inserted by the network device into the DHCP packets sent by the user terminal and is mainly used to identify the access location of the user terminal.
The PPPOE workflow consists of two phases: discovery and session.
In the Discovery phase, the client host broadcasts a PADI packet whose destination address is the Ethernet broadcast address, whose CODE field is 0x09 and whose SESSION-ID field is 0x0000. The PADI is used to request the desired service from the access server.
The access server receives the PADI packet and sends a PADO packet in response, with the CODE field set to 0x07 and the SESSION-ID field still 0x0000. The PADO contains an access server name type tag and one or more service name type tags indicating the kinds of service that can be offered to the client host.
From the possibly several PADO packets received, the client host selects a suitable PADO and sends a PPPOE active discovery request (PADR) packet to the chosen access server, with the CODE field set to 0x19 and the SESSION-ID field still 0x0000. The PADR must contain a service name type tag specifying the kind of service requested from the access server.
After receiving the PADR packet, the access server prepares to start the PPP session and sends a PPPOE active discovery session confirmation (PADS) packet, with the CODE field set to 0x65 and the SESSION-ID field carrying a unique PPPOE session identifier generated by the access server. Once the client host receives the PADS confirmation, both sides enter the PPP session phase.
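The PPPOE discovery exchange described above, as an added Python example that is not part of the patent text or of any Huawei code: it builds PADI, PADO, PADR and PADS frames with the CODE and SESSION-ID values quoted above, decodes a received discovery frame, and reports which of the stated rules a frame breaks (SESSION-ID 0x0000 before the session exists, broadcast destination for PADI, the name tags PADO and PADR must carry, a non-zero session id in PADS). The tag type numbers 0x0101 (Service-Name) and 0x0102 (AC-Name) are RFC 2516 values, not from the page; the MAC addresses and names are constructed.

```python
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863                 # PPPoE discovery-stage EtherType
ETH_BROADCAST = b"\xff" * 6
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65    # CODE values quoted in the text
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102     # RFC 2516 tag types (assumption)


def build_discovery(code, dst_mac, src_mac, session_id, tags):
    """Build an Ethernet frame carrying one PPPoE discovery packet.

    tags is a list of (tag_type, value) pairs; VER=1 and TYPE=1 share one byte (0x11).
    """
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", 0x11, code, session_id, len(body))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + header + body


def parse_discovery(frame):
    """Decode a PPPoE discovery frame; return None if it is not one or is malformed."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_DISCOVERY:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    body = frame[20:20 + length]
    if ver_type != 0x11 or len(body) != length:      # wrong version/type, or truncated
        return None
    tags, pos = [], 0
    while pos + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[pos:pos + 4])
        if tag_type == 0x0000:                         # End-Of-List tag
            break
        value = body[pos + 4:pos + 4 + tag_len]
        if len(value) != tag_len:                      # tag runs past the payload
            return None
        tags.append((tag_type, value))
        pos += 4 + tag_len
    return {"dst": frame[:6], "src": frame[6:12], "code": code,
            "session_id": session_id, "tags": tags}


def discovery_violations(frame, expected_code):
    """Return the rules from the description that a received frame breaks (empty if none)."""
    pkt = parse_discovery(frame)
    if pkt is None:
        return ["not a well-formed PPPoE discovery frame"]
    problems = []
    if pkt["code"] != expected_code:
        problems.append("CODE is 0x%02x, expected 0x%02x" % (pkt["code"], expected_code))
    tag_types = [t for t, _ in pkt["tags"]]
    if expected_code in (PADI, PADO, PADR) and pkt["session_id"] != 0x0000:
        problems.append("SESSION-ID must be 0x0000 before the session is established")
    if expected_code == PADS and pkt["session_id"] == 0x0000:
        problems.append("PADS must carry the session id generated by the access server")
    if expected_code == PADI and pkt["dst"] != ETH_BROADCAST:
        problems.append("PADI must be sent to the Ethernet broadcast address")
    if expected_code == PADO and (TAG_AC_NAME not in tag_types or TAG_SERVICE_NAME not in tag_types):
        problems.append("PADO needs an AC-Name tag and at least one Service-Name tag")
    if expected_code == PADR and TAG_SERVICE_NAME not in tag_types:
        problems.append("PADR must contain a Service-Name tag")
    return problems


# Constructed sample exchange between one client host and one access server.
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("00aabbccddee")
SAMPLE_PADI = build_discovery(PADI, ETH_BROADCAST, CLIENT_MAC, 0x0000, [(TAG_SERVICE_NAME, b"")])
SAMPLE_PADO = build_discovery(PADO, CLIENT_MAC, SERVER_MAC, 0x0000,
                              [(TAG_AC_NAME, b"bras-1"), (TAG_SERVICE_NAME, b"internet")])
SAMPLE_PADR = build_discovery(PADR, SERVER_MAC, CLIENT_MAC, 0x0000, [(TAG_SERVICE_NAME, b"internet")])
SAMPLE_PADS = build_discovery(PADS, CLIENT_MAC, SERVER_MAC, 0x2a7f, [(TAG_SERVICE_NAME, b"internet")])
```

The parser refuses a frame whose tag length runs past the payload instead of slicing short, which is the kind of malformed discovery frame an access device sees when a client or a faulty server fills the length field incorrectly.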
Because multiple DHCP servers or BRASs are often deployed in a network, when IPOE or PPPOE is used for access authentication and a user dials in, every server that receives the request packet (DHCP DISCOVER or PADI) sends a response packet (DHCP OFFER or PADO). The user terminal usually selects the first DHCP OFFER or PADO it receives for the subsequent session, so which DHCP server or BRAS performs the subsequent authentication depends entirely on whose response arrives first and cannot be actively controlled. In actual use, objective factors such as network forwarding delay prevent an even sharing of load, and most users can easily end up concentrated on one server.

Summary of the invention
An embodiment of the present invention provides an authentication method in an access network, where the access network includes multiple authentication servers, and the method includes:
sending a discovery packet to the multiple authentication servers;
receiving a response packet from an authentication server, obtaining from the response packet the MAC address of the authentication server that sent it, and storing the obtained MAC address of the authentication server in an authentication server list;
receiving a discovery packet from a user terminal, selecting one MAC address from the multiple MAC addresses in the authentication server list, and sending the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so as to authenticate the user terminal.

An embodiment of the present invention provides an access device, where the access device is connected to multiple authentication servers, and the access device includes:
a first network side port, configured to send a discovery packet to the multiple authentication servers;
a second network side port, configured to receive a response packet from an authentication server, obtain from the response packet the MAC address of the authentication server that sent it, and store the obtained MAC address of the authentication server in an authentication server list;
a packet processing unit, which receives a discovery packet from a user terminal, selects one MAC address from the multiple MAC addresses in the authentication server list, and sends the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so as to authenticate the user terminal.

An embodiment of the present invention provides an authentication system in an access network, including an access device and multiple authentication servers, where the access device is connected to the multiple authentication servers.
The access device sends a discovery packet to the multiple authentication servers; receives a response packet from an authentication server, obtains from the response packet the MAC address of the authentication server that sent it, and stores the obtained MAC address of the authentication server in an authentication server list; receives a discovery packet from a user terminal, selects one MAC address from the multiple MAC addresses in the authentication server list, and sends the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so as to authenticate the user terminal.
本发明实施例提供的方法、 设备和装置在接入设备上做控制, 可以有效的 在多个认证服务器中实现可控的负荷分担; 由于将用户终端的发现报文单播给 对应的认证服务器, 可以消除了过多的 OFFER报文, 减少带宽和 CPU资源的 浪费。 附图说明 为了更清楚地说明本发明实施例或现有技术中的技术方案, 下面将对实施 例或现有技术描述中所需要使用的附图作简单地介绍, 显而易见地, 下面描述 中的附图仅仅是本发明的一些实施例, 对于本领域普通技术人员来讲, 在不付 出创造性劳动性的前提下, 还可以根据这些附图获得其他的附图。  The method, the device, and the device provided by the embodiment of the present invention are controlled by the access device, and can implement the controllable load sharing in multiple authentication servers. The unicast of the discovery packet of the user terminal to the corresponding authentication server is performed. , can eliminate too many OFFER messages, reducing the waste of bandwidth and CPU resources. BRIEF DESCRIPTION OF THE DRAWINGS In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings to be used in the embodiments or the description of the prior art will be briefly described below, and obviously, in the following description The drawings are only some of the embodiments of the present invention, and other drawings may be obtained from those skilled in the art without departing from the drawings.
FIG. 1 is a network architecture diagram according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method according to an embodiment of the present invention;
FIG. 3 is an interaction diagram of a method according to an embodiment of the present invention;
FIG. 4 is an interaction diagram of a method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an access device according to an embodiment of the present invention.

Detailed Description of Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

One embodiment of the present invention provides an authentication method in an access network. The access network is shown in FIG. 1, where an access device 10 is connected to multiple authentication servers 20, 22 and 24.
The flowchart of the method provided in this embodiment is shown in FIG. 2 and includes:

Step 200: send a discovery packet to the multiple authentication servers.
In this embodiment, the access device 10 may send a DHCP-based discovery packet or a PPPoE-based discovery packet to the multiple authentication servers 20, 22 and 24.
Step 202: receive a response packet from an authentication server, obtain the MAC address of the authentication server from the response packet, and store the obtained MAC address in the authentication server list.
Step 204: receive a discovery packet from a user terminal, select one MAC address from the multiple MAC addresses in the authentication server list, and send the discovery packet from the user terminal to the corresponding authentication server for authentication.
Specifically, the access device may select one MAC address from the multiple MAC addresses according to one of, or a combination of, the attributes of the port to which the user terminal is connected, the weight attribute of the authentication server, the parity of the authentication server's MAC address, and a hash algorithm.
The method provided by this embodiment of the present invention achieves controllable load sharing across multiple authentication servers; because the user terminal's discovery packet is unicast to the corresponding authentication server, excess response packets are eliminated, reducing wasted bandwidth and CPU resources.

Specifically, one embodiment of the present invention provides an authentication method in an access network. The access network is shown in FIG. 1, where the authentication servers are DHCP servers.
The method includes:
Step 300: the access device constructs a DHCP DISCOVER packet and broadcasts it in the network.
The source address of the DHCP DISCOVER packet constructed by the access device is 0.0.0.0, and the destination address is as shown in the figure [figure not reproduced].
Step 302: the access device receives the DHCP OFFER packet from a DHCP server, extracts the MAC address from the packet, and saves the MAC address in the authentication server list.
The structure of the authentication server list may be as shown in the following table [table not reproduced].

The access device may also extract the IP address of the DHCP server from the DHCP OFFER packet and save the extracted IP address in the authentication server list.
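How step 302 populates the list in practice, as an added example that is not part of the patent or any Huawei implementation: the access device parses an Ethernet/IPv4/UDP frame, accepts it only if it is a BOOTREPLY carrying DHCP message type OFFER in the server-to-client direction (UDP 67 to 68), and then records the source MAC together with the server identifier (option 54, falling back to siaddr). Anything that is not a well-formed OFFER is rejected before it can enter the list, which is the check a practitioner would want, since the list decides where user discovery packets are later unicast. The frame layout and option codes come from RFC 2131; the `build_offer_frame` helper only constructs sample input for the test.

```python
import struct

# Constants from RFC 2131 / Ethernet framing (not from the patent text)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
BOOTREPLY = 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_options(data):
    """Parse the DHCP option area (after the magic cookie) into {code: value}.
    Truncated options raise instead of being read past the buffer."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def extract_offer_server(frame):
    """Return (server MAC, server IP) for an Ethernet frame carrying a DHCP OFFER,
    or None for anything else. Only a genuine OFFER may populate the list."""
    if len(frame) < 14 + 20 + 8 + 240:          # Ethernet + IPv4 + UDP + fixed DHCP
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_UDP:
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if sport != 67 or dport != 68:              # server -> client direction only
        return None
    dhcp = udp[8:]
    if len(dhcp) < 240 or dhcp[0] != BOOTREPLY or dhcp[236:240] != DHCP_MAGIC:
        return None
    opts = parse_options(dhcp[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    server_ip = opts.get(OPT_SERVER_ID) or dhcp[20:24]   # option 54, else siaddr
    return mac_to_str(src_mac), ".".join(str(b) for b in server_ip)


class AuthServerList:
    """The access device's authentication server list: one entry per server MAC."""

    def __init__(self):
        self.entries = {}            # server MAC -> server IP

    def learn_from_offer(self, frame):
        found = extract_offer_server(frame)
        if found is None:
            return False
        mac, ip = found
        self.entries[mac] = ip       # re-learning the same MAC just refreshes its IP
        return True

    def macs(self):
        return list(self.entries)


def build_offer_frame(server_mac, server_ip, msg_type=DHCPOFFER, op=BOOTREPLY):
    """Constructed sample frame for testing only (IP/UDP checksums left at zero)."""
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + server_ip + bytes([OPT_END])
    dhcp = bytes([op, 1, 6, 0]) + b"\x00" * 232 + DHCP_MAGIC + opts   # magic at offset 236
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, server_ip, b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + server_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip
```

The same parser serves the periodic re-broadcast of step 308: every OFFER that arrives after a scheduled DISCOVER goes through `learn_from_offer`, so a server that has stopped answering simply never refreshes its entry.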
Step 304: the access device receives a DHCP DISCOVER packet sent by a user terminal. The source address of the DHCP DISCOVER packet from the user terminal is 0.0.0.0, and the destination address is as shown in the figure [figure not reproduced].
Step 306: select one MAC address from the authentication server list and send the DHCP DISCOVER packet from the user terminal to the corresponding DHCP server.
Specifically, the access device replaces the destination address of the user terminal's DHCP DISCOVER packet with the selected MAC address and unicasts the DHCP DISCOVER packet to the corresponding DHCP server.

When making the selection, the access device may distribute evenly: for example, it unicasts the first user terminal's DHCP DISCOVER packet to the first DHCP server, the second user terminal's DHCP DISCOVER packet to the second DHCP server, and so on.
The access device may also use the weight attribute of the DHCP servers: a weight value is set for each DHCP server and traffic is distributed according to the weight values. For example, if DHCP Server 30 has a weight of 2, two DHCP DISCOVER packets are unicast to DHCP Server 30 consecutively before switching to the next DHCP server.
The access device may also select a DHCP server according to the parity of the port on which the DHCP DISCOVER packet was received; this policy requires the correspondence between port parity and DHCP server MAC addresses to be configured on the access device in advance.
The access device may also apply a hash algorithm and select a MAC address according to the hash result; this policy requires the correspondence between hash results and MAC addresses to be configured on the access device.
The access device may also use time-based sharing: it first selects one DHCP server and sends the user terminal's DHCP DISCOVER packet to it; if no OFFER packet is received from that DHCP server within a certain time, it switches to the next DHCP server.
The method provided in this embodiment may further include:
Step 308: periodically broadcast DHCP DISCOVER packets or send Ping probe packets, and update the authentication server list according to the response packets received.
The interval at which the access device periodically broadcasts DHCP DISCOVER packets can be configured, for example once an hour, and the authentication server list is updated according to the OFFER packets received.
The access device may also Ping-probe the DHCP servers in the authentication server list. Specifically, a counter is maintained and a Ping probe packet is sent to each DHCP server, counting the response timeouts of each DHCP server. If the access device receives a response from a DHCP server, the counter is reset to zero and Ping probing of that DHCP server stops; if no response is received from the DHCP server within a certain time (for example 5 seconds), the counter is incremented by 1 and Ping probing continues; if the response timeout count exceeds 3, the DHCP server is considered to be in an abnormal state.
When the access device determines that a DHCP server is in an abnormal state, it notifies the user terminals belonging to that DHCP server to request IP addresses again; specifically, the access device may send a ForceRenew packet to the user terminal to notify it to release the IP address it obtained and request a new one.
The authentication method provided in this embodiment obtains the MAC addresses of the DHCP servers by constructing a DHCP DISCOVER packet, and after receiving a DHCP DISCOVER packet from a user terminal unicasts it to one DHCP server. This achieves controllable load sharing across multiple DHCP servers and also eliminates excess OFFER packets, reducing wasted bandwidth and CPU resources.

One embodiment of the present invention provides an authentication method that may be based on the architecture of FIG. 1, where the authentication server in this embodiment may be a Broadband Remote Access Server (BRAS).
The method provided includes:
Step 400: the access device constructs a PADI packet and broadcasts it in the network.
In the PADI packet constructed by the access device, the destination address is the Ethernet broadcast address, the CODE field is 0x09, and the SESSION-ID field is 0x0000.
Step 402: the access device receives the PADO packets sent in response, obtains the MAC address of each BRAS, and saves the obtained MAC addresses in the authentication server list.
The authentication server list in this embodiment may be as shown in the following table [table not reproduced].

Step 404: receive a PADI packet from a user terminal.
Step 406: select one MAC address from the authentication server list and forward the received PADI packet to the corresponding BRAS.
After receiving the PADI packet from the user terminal, the access device replaces the broadcast address in the PADI packet with the selected MAC address and sends it to the corresponding BRAS.
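Steps 400 and 406 in working code, as an added example that is not the patent's or any vendor's implementation: `build_padi` produces the frame of step 400 (broadcast destination, CODE 0x09, SESSION-ID 0x0000), and `unicast_padi` performs the rewrite of step 406, but only after `parse_discovery` has confirmed the frame is a well-formed broadcast PADI with a Service-Name tag. The validation order matters on an access device: a PADO, PADR or PADT that happened to arrive on a user port must never have its destination rewritten and be pushed at a BRAS. Field layout and the Service-Name tag requirement follow RFC 2516; the MAC addresses used in the test are constructed.

```python
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863   # RFC 2516 discovery stage
PPPOE_VER_TYPE = 0x11                # VER = 1, TYPE = 1
CODE_PADI, CODE_PADO = 0x09, 0x07
TAG_END_OF_LIST, TAG_SERVICE_NAME = 0x0000, 0x0101
BROADCAST_MAC = b"\xff" * 6


def build_padi(src_mac, tags=((TAG_SERVICE_NAME, b""),)):
    """Ethernet frame carrying a PADI: broadcast destination, CODE 0x09, SESSION-ID 0x0000."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, CODE_PADI, 0x0000, len(payload)) + payload
    return BROADCAST_MAC + bytes(src_mac) + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + pppoe


def parse_discovery(frame):
    """Parse a PPPoE discovery frame; raise ValueError on anything malformed."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("LENGTH field exceeds frame")
    tags, i = [], 0
    while i < length:
        if i + 4 > length:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", payload[i:i + 4])
        if tag_type == TAG_END_OF_LIST:
            break
        value = payload[i + 4:i + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("truncated tag value")
        tags.append((tag_type, value))
        i += 4 + tag_len
    return {"dst": dst, "src": src, "code": code, "session": session, "tags": tags}


def unicast_padi(frame, server_mac):
    """Rewrite a client's broadcast PADI so it reaches one selected BRAS only.
    Every check runs before the rewrite, so only a genuine PADI is redirected."""
    d = parse_discovery(frame)
    if d["code"] != CODE_PADI:
        raise ValueError("only PADI frames are redirected")
    if d["session"] != 0x0000:
        raise ValueError("PADI must carry SESSION-ID 0x0000")
    if d["dst"] != BROADCAST_MAC:
        raise ValueError("PADI destination must be the broadcast address")
    if not any(t == TAG_SERVICE_NAME for t, _ in d["tags"]):
        raise ValueError("PADI must carry a Service-Name tag")
    return bytes(server_mac) + frame[6:]     # only the destination MAC changes
```

Because only the first six bytes change, the client's source MAC and the PPPoE payload reach the BRAS untouched, so the BRAS can still answer the client directly with a PADO.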
When making the selection, the access device may distribute evenly: for example, it unicasts the first user terminal's PADI packet to the first BRAS, the second user terminal's PADI packet to the second BRAS, and so on.
The access device may also use the weight attribute of the BRASs: a weight value is set on the access device for each BRAS and traffic is distributed according to the weight values. For example, if BRAS 30 has a weight of 2, two PADI packets are unicast to BRAS 30 consecutively before switching to the next BRAS.
The access device may also select a BRAS according to the parity of the port on which the PADI packet was received; this policy requires the correspondence between ports and BRAS MAC addresses to be configured on the access device.
The access device may also apply a hash algorithm and select a MAC address according to the hash result; this policy requires the correspondence between hash results and MAC addresses to be configured on the access device.
The access device may also use time-based sharing: it first selects one BRAS and sends the user terminal's PADI packet to it; if no PADO packet is received from that BRAS within a certain time, it switches to the next BRAS.
The access device may also select the corresponding MAC address according to the OPTION 60 information in the PADI packet; this policy requires the correspondence between OPTION 60 values and MAC addresses to be configured on the access device.
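The selection policies listed for the DHCP embodiment (step 306) and again for the BRAS embodiment (step 406) are the same five rules applied to one MAC list, so one added example covers both; it is illustrative code, not the patent's or any product's implementation. Even distribution, weighted distribution, port parity, hash and time-based fallback are each a method on `ServerSelector`. The patent does not say which hash function is used, so SHA-256 over the client MAC is an assumption, and the bucket-to-MAC table stands in for the "correspondence between hash results and MAC addresses" configured on the access device.

```python
import hashlib
import itertools


class ServerSelector:
    """Selection policies over the authentication server list.
    `servers` holds server MAC addresses in list order; `weights` maps MAC -> weight."""

    def __init__(self, servers, weights=None):
        if not servers:
            raise ValueError("authentication server list is empty")
        self.servers = list(servers)
        self.weights = {m: (weights or {}).get(m, 1) for m in self.servers}
        if any(w < 1 for w in self.weights.values()):
            raise ValueError("weights must be positive")
        self._rr = itertools.cycle(self.servers)
        self._w_idx, self._w_left = 0, self.weights[self.servers[0]]

    def round_robin(self):
        """Even distribution: first terminal to first server, second to second, and so on."""
        return next(self._rr)

    def weighted(self):
        """A server with weight 2 receives two consecutive discovery packets before
        the selector moves on to the next server."""
        mac = self.servers[self._w_idx]
        self._w_left -= 1
        if self._w_left == 0:
            self._w_idx = (self._w_idx + 1) % len(self.servers)
            self._w_left = self.weights[self.servers[self._w_idx]]
        return mac

    def by_port_parity(self, port, parity_map):
        """parity_map is the pre-configured {0: MAC for even ports, 1: MAC for odd ports}."""
        try:
            return parity_map[port % 2]
        except KeyError:
            raise ValueError(f"no server configured for the parity of port {port}")

    def by_hash(self, client_mac, bucket_map):
        """Hash policy. SHA-256 of the client MAC is an assumption (the page names no
        hash); bucket_map is the configured hash-result -> MAC correspondence."""
        digest = hashlib.sha256(bytes(client_mac)).digest()
        bucket = int.from_bytes(digest[:4], "big") % len(bucket_map)
        return bucket_map[bucket]

    def next_after_timeout(self, current):
        """Time-based sharing: no OFFER/PADO from `current` in time, so try the next one."""
        return self.servers[(self.servers.index(current) + 1) % len(self.servers)]
```

The parity and hash policies are stateless and therefore deterministic per port or per client, which is what makes a terminal land on the same server when it re-dials; the round-robin and weighted policies carry state and spread load across successive terminals instead.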
The method provided in this embodiment may further include:
Step 408: send Ping probe packets to the BRASs in the authentication server list and update the authentication server list according to the BRAS responses.
Specifically, a counter is maintained and a Ping probe packet is sent to each BRAS; the interval between Ping probe packets may be 1 second, and the response timeouts of each BRAS are counted. If the access device receives a response from a BRAS, the counter is reset to zero and Ping probing of that BRAS stops; if no response is received from the BRAS within a certain time (for example 0.5 seconds), the counter is incremented by 1 and Ping probing continues; if the response timeout count exceeds 2, the BRAS is considered to be in an abnormal state.
When the access device determines that a BRAS is in an abnormal state, it deletes that BRAS's MAC address from the authentication server list and notifies the user terminals belonging to that BRAS to go offline; specifically, the access device may send a PADT packet to the user terminals. After receiving the PADT packet, a user terminal redials.
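The timeout counter of step 308 (DHCP: 5 s timeout, abnormal once the count exceeds 3, clients told to ForceRenew) and step 408 (BRAS: 1 s probe interval, 0.5 s timeout, abnormal once the count exceeds 2, clients sent PADT) are one state machine with two parameter sets, so a single added example serves both; it is illustrative code, not the patent's or any vendor's implementation. The DHCP probe interval is not stated on the page, so the 60 s in `DHCP_PROFILE` is an assumption, and the monitor removes an abnormal server from the list in both cases although the page states the removal explicitly only for the BRAS embodiment. The monitor is event-driven (callers report responses and timeouts) so it can be tested without sending any packets.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProbeProfile:
    interval: float      # seconds between Ping probes
    timeout: float       # seconds to wait for a reply before counting a timeout
    max_timeouts: int    # abnormal once the consecutive timeout count exceeds this
    notify: str          # message used to move affected clients off the server


# Timeout and count values as stated on the page; the DHCP interval is an assumption.
DHCP_PROFILE = ProbeProfile(interval=60.0, timeout=5.0, max_timeouts=3, notify="ForceRenew")
BRAS_PROFILE = ProbeProfile(interval=1.0, timeout=0.5, max_timeouts=2, notify="PADT")


@dataclass
class HealthMonitor:
    profile: ProbeProfile
    servers: list                                  # authentication server list (MAC strings)
    clients: dict = field(default_factory=dict)    # client MAC -> server MAC it was sent to
    timeouts: dict = field(default_factory=dict)   # server MAC -> consecutive timeout count
    probing: set = field(default_factory=set)      # servers currently being probed

    def start_probe(self, server):
        """Begin probing a listed server; the counter starts at zero."""
        if server not in self.servers:
            raise ValueError("cannot probe a server that is not in the list")
        self.probing.add(server)
        self.timeouts.setdefault(server, 0)

    def on_response(self, server):
        """A reply arrived within profile.timeout: clear the counter, stop probing."""
        self.timeouts[server] = 0
        self.probing.discard(server)

    def on_timeout(self, server):
        """No reply within profile.timeout. Returns the (message, client) notifications
        to send, which is an empty list while the server is still considered healthy."""
        if server not in self.probing:
            return []                                   # not being probed: ignore
        self.timeouts[server] = self.timeouts.get(server, 0) + 1
        if self.timeouts[server] <= self.profile.max_timeouts:
            return []                                   # keep probing
        return self._mark_abnormal(server)

    def _mark_abnormal(self, server):
        """Drop the server from the list and tell its clients to re-attach elsewhere."""
        self.probing.discard(server)
        if server in self.servers:
            self.servers.remove(server)                # no new discovery packets go to it
        affected = [c for c, s in self.clients.items() if s == server]
        for c in affected:
            del self.clients[c]
        return [(self.profile.notify, c) for c in affected]

    def is_abnormal(self, server):
        return server not in self.servers
```

Resetting the counter only on a real response, and counting only while the server is in the probing set, keeps a late reply from masking several earlier misses and stops stray timeout events for an already-removed server from producing duplicate PADT or ForceRenew messages.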
The authentication method provided in this embodiment obtains the MAC addresses of the BRASs by constructing a PADI packet, and after receiving a PADI packet from a user terminal unicasts it to one BRAS. This achieves controllable load sharing across multiple BRASs and also eliminates excess PADO packets, reducing wasted bandwidth and CPU resources.

One embodiment of the present invention provides an access device connected to multiple authentication servers. As shown in FIG. 5, the access device includes:
a first network-side port 500, configured to send a discovery packet to the multiple authentication servers.
The first network-side port 500 may send DHCP-based discovery packets or PPPoE-based discovery packets to the multiple authentication servers.
a second network-side port 502, configured to receive a response packet from an authentication server, obtain from the response packet the MAC address of the authentication server that sent it, and store the obtained MAC address in the authentication server list.
The first network-side port 500 in this embodiment may further be configured to send probe packets to the multiple authentication servers to probe their status and refresh the authentication server list according to the probe results.
Specifically, Ping probe packets may be sent to the multiple authentication servers and the authentication server list updated according to the response packets.
The first network-side port 500 may also periodically broadcast discovery packets to the network and update the authentication server list according to the response packets.
a packet processing unit 504, which receives a discovery packet from a user terminal, selects one MAC address from the multiple MAC addresses in the authentication server list, and sends the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so that the user terminal is authenticated.
Specifically, after receiving the discovery packet from the user terminal, the packet processing unit 504 may replace the broadcast address in the discovery packet with the selected MAC address and then send it to the corresponding authentication server.
The access device in this embodiment may be a Digital Subscriber Line Access Multiplexer (DSLAM), an Optical Line Terminal (OLT), a Multi-Service Access Network (MSAN) device, or the like.
The access device provided in this embodiment obtains the MAC addresses of the authentication servers by constructing a discovery packet, and after receiving a discovery packet from a user terminal unicasts it to one authentication server. This achieves controllable load sharing across multiple authentication servers and also eliminates excess response packets, reducing wasted bandwidth and CPU resources.
A person of ordinary skill in the art will understand that all or some of the steps of the methods in the above embodiments may be implemented by a program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited to them. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims
1. An authentication method in an access network, characterized in that the access network includes multiple authentication servers and the method includes:
sending a discovery packet to the multiple authentication servers;
receiving a response packet from an authentication server, obtaining from the response packet the media access control (MAC) address of the authentication server that sent it, and storing the obtained MAC address in an authentication server list;
receiving a discovery packet from a user terminal, selecting one MAC address from the multiple MAC addresses in the authentication server list, and sending the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so that the user terminal is authenticated.
2. The method according to claim 1, characterized in that the discovery packet is a discovery packet based on the Dynamic Host Configuration Protocol (DHCP) or a discovery packet based on the PPP over Ethernet (PPPoE) protocol.
3. The method according to claim 1 or 2, characterized in that sending the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so that the user terminal is authenticated specifically includes:
replacing the broadcast address in the discovery packet from the user terminal with the selected MAC address, and sending the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so that the user terminal is authenticated.
4. The method according to any one of claims 1 to 3, characterized in that the method further includes: broadcasting a probe packet and refreshing the authentication server list according to the response packets to the probe packet.
5. The method according to claim 4, characterized in that the method further includes:
when an authentication server is determined to be abnormal, notifying the user terminals belonging to the authentication server in the abnormal state to request IP addresses again.
6. The method according to any one of claims 1 to 3, characterized in that selecting one MAC address from the multiple MAC addresses in the authentication server list specifically includes:
selecting one MAC address from the multiple MAC addresses in the authentication server list according to one of, or a combination of, the attributes of the port to which the user terminal is connected, the weight attribute of the authentication server, the parity of the authentication server's MAC address, and the result of a hash algorithm.
7. The method according to claim 2, characterized in that, when the discovery packet is DHCP-based, selecting one MAC address from the multiple MAC addresses in the authentication server list specifically includes [text missing from the page] selecting one MAC address.
8. An access device connected to multiple authentication servers, characterized in that the access device includes:
a first network-side port, configured to send a discovery packet to the multiple authentication servers;
a second network-side port, configured to receive a response packet from an authentication server, obtain from the response packet the media access control (MAC) address of the authentication server that sent it, and store the obtained MAC address in an authentication server list;
a packet processing unit, which receives a discovery packet from a user terminal, selects one MAC address from the multiple MAC addresses in the authentication server list, and sends the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so that the user terminal is authenticated.
9. The access device according to claim 8, characterized in that the first network-side port is further configured to send probe packets to the multiple authentication servers to probe their status and refresh the authentication server list according to the probe results.
10. An authentication system in an access network, including an access device and multiple authentication servers, where the access device is connected to the multiple authentication servers, characterized in that
the access device sends a discovery packet to the multiple authentication servers; receives a response packet from an authentication server, obtains from the response packet the media access control (MAC) address of the authentication server that sent it, and stores the obtained MAC address in an authentication server list; and receives a discovery packet from a user terminal, selects one MAC address from the multiple MAC addresses in the authentication server list, and sends the discovery packet from the user terminal to the corresponding authentication server according to the selected MAC address so that the user terminal is authenticated.
PCT/CN2011/078317 2011-08-12 2011-08-12 Authentication method, device and system in access network WO2012119386A1 (en)

Publications (1)

Publication Number Publication Date
WO2012119386A1 true WO2012119386A1 (en) 2012-09-13

Family

ID=46797443

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/078317 WO2012119386A1 (en) 2011-08-12 2011-08-12 Authentication method, device and system in access network

Country Status (2)

Country Link
CN (1) CN103392333A (en)
WO (1) WO2012119386A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113556337A (en) * 2021-07-20 2021-10-26 迈普通信技术股份有限公司 Terminal address identification method, network system, electronic device and storage medium
CN114501445A (en) * 2022-01-06 2022-05-13 新华三技术有限公司合肥分公司 Access control method and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110121202B (en) * 2018-02-07 2021-06-15 成都鼎桥通信技术有限公司 Access method and terminal equipment
CN113132294B (en) * 2019-12-30 2022-05-13 中国移动通信集团四川有限公司 Data packet filtering method, system and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098347A (en) * 2006-06-28 2008-01-02 华为技术有限公司 Method of assigning IP address for subscriber terminal
CN101453415A (en) * 2007-11-29 2009-06-10 华为技术有限公司 Protection method, system and equipment for access network
US20110072120A1 (en) * 2009-09-22 2011-03-24 Ambit Microsystems (Shanghai) Ltd. Router and method for configuring ip addresses of the router

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101009627A (en) * 2006-12-27 2007-08-01 华为技术有限公司 A service binding method and device
CN101350842A (en) * 2008-08-13 2009-01-21 成都华程信息技术有限公司 Cluster management base on gateway mode

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113556337A (en) * 2021-07-20 2021-10-26 迈普通信技术股份有限公司 Terminal address identification method, network system, electronic device and storage medium
CN114501445A (en) * 2022-01-06 2022-05-13 新华三技术有限公司合肥分公司 Access control method and device
CN114501445B (en) * 2022-01-06 2024-02-09 新华三技术有限公司合肥分公司 Access control method and device

Also Published As

Publication number Publication date
CN103392333A (en) 2013-11-13

Similar Documents

Publication Publication Date Title
US8782256B2 (en) Deterministic session load-balancing and redundancy of access servers in a computer network
US20070274290A1 (en) Apparatus and method for packet forwarding in layer 2 network
EP2012485A1 (en) Management method, apparatus and system of session connection
WO2009094928A1 (en) A method and equipment for transmitting a message based on the layer-2 tunnel protocol
US20080285569A1 (en) Device for Session-Based Packet Switching
JP4080765B2 (en) Network system
EP2362587B1 (en) Method and apparatus for realizing ARP request broadcasting limitation
US20070195804A1 (en) Ppp gateway apparatus for connecting ppp clients to l2sw
EP1704686B1 (en) Directed pppoe session initiation over a switched ethernet
WO2008138196A1 (en) Method and device for reporting information
WO2012171169A1 (en) Communications method and load balancer
WO2012109917A1 (en) Message forwarding method, apparatus and system in network
WO2007000120A1 (en) An authentication access system, method and server
WO2012034413A1 (en) Method for dual stack user management and broadband access server
US11582113B2 (en) Packet transmission method, apparatus, and system utilizing keepalive packets between forwarding devices
WO2008151548A1 (en) A method and apparatus for preventing the counterfeiting of the network-side media access control (mac) address
JP5604389B2 (en) Communication system, router device, and router switching method
WO2015018069A1 (en) Method, device and system for acquiring service by network terminal
WO2011144152A1 (en) Method for providing information, home gateway and home network system
US20100039956A1 (en) Method and system for performing keep-alive monitoring on subscriber sessions
WO2012119386A1 (en) Authentication method, device and system in access network
WO2012126335A1 (en) Access control method, access device and system
CN106131177B (en) Message processing method and device
CN107995124B (en) Traffic scheduling method and device
CN107645556B (en) Broadband access and keepalive method and device implementing SDN control/forwarding separation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 11860346; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 11860346; Country of ref document: EP; Kind code of ref document: A1