WO2012163159A1 - Method and device for unifying an enterprise network AAA server and a public network AAA server - Google Patents


Info

Publication number: WO2012163159A1
Authority: WO (WIPO, PCT)
Prior art keywords: user, AAA server, enterprise network, public network, authentication
Application number: PCT/CN2012/073066
Other languages: English (en), Chinese (zh)
Inventor: 周俊超
Original assignee: 中兴通讯股份有限公司
Priority date: 2011-05-31
Filing date: 2012-03-26
Publication date: 2012-12-06
Application filed by 中兴通讯股份有限公司
Publication of WO2012163159A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks
    • H04L12/4604: LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L12/462: LAN interconnection over a bridge based backbone
    • H04L12/4625: Single bridge functionality, e.g. connection of two networks over a single bridge
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • the present invention relates to the field of communications, and in particular, to a method and apparatus for integrating an enterprise network authentication, authorization, and accounting (AAA) server with a public network AAA server.
  • AAA: authentication, authorization, and accounting
  • the AAA server acts as the center for user authentication, authorization, and accounting for the PS service, and needs to interact with various network element devices and terminals.
  • PS: packet switching
  • the AAA server authenticates the validity of the user.
  • after the authentication passes, it authorizes the user's service parameters according to the user's subscription or configuration information, records billing information during the user's service session, and bills the user in real time or offline.
  • the AAA server is the core network element for the user to perform PS related services.
  • AAA servers serving public network users, such as Code Division Multiple Access (CDMA) users, Worldwide Interoperability for Microwave Access (WiMAX) users, and General Packet Radio Service/Wideband Code Division Multiple Access (GPRS/WCDMA) users, are called public network AAA servers.
  • AAA servers serving internal users of an enterprise network are called enterprise network AAA servers.
  • the two types of AAA servers are deployed separately.
  • when a user logs in to a virtual private network (VPN), the public network AAA server first obtains the Layer 2 Tunneling Protocol Network Server (L2TP Network Server, LNS) and tunnel information, and the user then accesses the LNS according to that information.
  • L2TP: Layer 2 Tunneling Protocol
  • LNS: L2TP Network Server
  • the main object of the present invention is to provide a method and apparatus for realizing the integration of an enterprise network AAA server and a public network AAA server, which saves enterprise costs and simplifies the authentication process.
  • the invention provides a method for realizing the integration of an enterprise network AAA server and a public network AAA server, including:
  • receiving a user-initiated authentication request, the authentication request including an enterprise ISP domain name; authenticating the validity of the user as a public network user and an enterprise network user, the enterprise network being the enterprise network corresponding to the ISP domain name;
  • and, when the authentication passes, providing packet service processing for the user.
  • authenticating the validity of the user as a public network user and an enterprise network user comprises: authenticating the validity of the user as a public network user; and, when that authentication passes, authenticating the validity of the user as an enterprise network user.
  • the method further includes: sending the Layer 2 Tunneling Protocol Network Server (LNS) information of the enterprise network to the user, and the user establishes a connection with the LNS according to the LNS information.
  • LNS: L2TP Network Server
  • before sending the LNS information of the enterprise network to the user, the method further includes: configuring the LNS information.
  • the method further includes: receiving the charging request of the user forwarded by the Layer 2 Tunneling Protocol Access Concentrator (LAC), and starting charging.
  • LAC: L2TP Access Concentrator
  • the present invention provides a device for realizing the integration of an enterprise network AAA server and a public network AAA server, including:
  • a receiving module configured to receive a user-initiated authentication request; the authentication request includes an enterprise ISP domain name;
  • an authentication module configured to authenticate the validity of the user as a public network user and an enterprise network user;
  • the enterprise network is an enterprise network corresponding to the ISP domain name;
  • an authorization module configured to provide packet service processing for the user when the authentication passes.
  • the authentication module includes:
  • a first authentication unit configured to authenticate the validity of the user as a public network user
  • the second authentication unit is configured to authenticate the validity of the user as an enterprise network user when the first authentication unit passes the authentication.
  • the device further includes:
  • a sending module configured to send the LNS information of the enterprise network to the user, where the user establishes a connection with the LNS according to the LNS information.
  • the device further includes:
  • a configuration module configured to configure the LNS information.
  • the device further includes:
  • the charging module is configured to receive a charging request of the user forwarded by the LAC, and start charging.
  • the invention provides a method and a device for realizing the integration of an enterprise network AAA server and a public network AAA server, which uses the existing public network AAA server or enterprise network AAA server to authenticate the legitimacy of the user as both a public network user and an enterprise network user. There is no need to separately set up an enterprise network AAA server within the enterprise, which saves enterprise cost and simplifies the authentication process.
  • FIG. 1 is a schematic flowchart of an embodiment of the method for integrating an enterprise network AAA server and a public network AAA server according to the present invention;
  • FIG. 2 is a schematic signaling diagram of an embodiment of the method for integrating an enterprise network AAA server and a public network AAA server;
  • FIG. 3 is a schematic flowchart of the authentication in an embodiment of the method for integrating an enterprise network AAA server and a public network AAA server according to the present invention;
  • FIG. 4 is a schematic flowchart of still another embodiment of the method for integrating an enterprise network AAA server and a public network AAA server according to the present invention;
  • FIG. 5 is a schematic structural diagram of an embodiment of the apparatus for integrating an enterprise network AAA server and a public network AAA server;
  • FIG. 6 is a schematic structural diagram of the authentication module in an embodiment of the apparatus for integrating an enterprise network AAA server and a public network AAA server;
  • FIG. 7 is a schematic structural diagram of another embodiment of the apparatus for integrating an enterprise network AAA server and a public network AAA server according to the present invention.
  • detailed description
  • an embodiment of the method for integrating an enterprise network AAA server and a public network AAA server according to the present invention includes:
  • Step S10 Receive a user-initiated authentication request; the authentication request includes an enterprise Internet Service Provider (ISP) domain name;
  • ISP: Internet Service Provider
  • step 201 the user first initiates a VPN session to the base station controller/Point Coordination Function (BSC/PCF) to request access to the VPN resource;
  • Step 202 An A10 connection is established between the BSC/PCF and the Packet Data Serving Node, which acts as the L2TP Access Concentrator (PDSN/LAC).
  • BSC/PCF: base station controller/Point Coordination Function
  • PDSN/LAC: Packet Data Serving Node / L2TP Access Concentrator
  • Step 203 The user performs Point-to-Point Protocol (PPP) session negotiation with the PDSN/LAC.
  • PPP: Point-to-Point Protocol
  • Step 204 The user initiates an authentication request to the public network AAA server via the LAC, where the authentication request carries the ISP domain name of the enterprise.
  • Step S11 authenticating the validity of the user as a public network user and an enterprise network user; the enterprise network is an enterprise network corresponding to the ISP domain name;
  • step 205 since the enterprise network AAA server is integrated with the public network AAA server (the merged AAA server is still referred to as the public network AAA server), the public network AAA server authenticates the validity of the user both as a public network user and as an enterprise network user. If the authentication succeeds, it sends the user the authorized LNS information, including the L2TP tunnel type, the LNS server address, and the LNS tunnel password.
  • Step S12 When the authentication is passed, provide packet service processing for the user.
  • step 206 after obtaining the LNS information, the LAC establishes an L2TP session with the LNS.
  • Step 207 The user negotiates a PPP session based on the L2TP tunnel with the LNS.
  • Step 208 After the negotiation is completed, the user establishes a PPP session with the LNS.
  • Step 209 The LNS initiates an Accounting Request (start) message to the public network AAA server, and the charging starts.
  • the user starts the packet service by using the tunnel with the LNS.
  • step S10 may include:
  • Step S101 Verify the legitimacy of the user as a public network user.
  • Step S102 When the authentication is passed, authenticate the legitimacy of the user as an enterprise network user.
  • the merged public network AAA server first authenticates the legitimacy of the user as a public network user, and then authenticates the legitimacy of the user as an enterprise network user, so that the merged authentication process maintains the original authentication process.
  • in another embodiment of the method for implementing the integration between the enterprise network AAA server and the public network AAA server, before performing step S10, the method further includes:
  • Step S7 Configure the LNS information.
  • Steps S10 to S11 are then performed; the specific process is the same as above and is not described again.
  • Step S8 Send the LNS information of the enterprise network to the user, where the user establishes a connection with the LNS according to the LNS information.
  • the LNS information is sent to the user, so that the user establishes a connection with the LNS according to the LNS information.
  • the LNS information includes the L2TP tunnel type, the LNS server address, and the LNS tunnel password.
  • Step S9 Receive a charging request of the user forwarded by the LAC, and start charging.
  • the accounting request of the user forwarded by the LAC is received and the user is charged. Then step S12 is performed; the specific process is the same as above and is not described again.
  • an embodiment of an apparatus for implementing the integration of an enterprise network AAA server and a public network AAA server according to the present invention includes:
  • the receiving module 10 is configured to receive a user-initiated authentication request, where the authentication request includes an enterprise ISP domain name;
  • the authentication module 20 is configured to authenticate the validity of the user as a public network user and an enterprise network user.
  • the enterprise network is an enterprise network corresponding to the ISP domain name;
  • the device for realizing the integration of the enterprise network AAA server and the public network AAA server may be a public network AAA server (the enterprise network AAA server being incorporated into the public network AAA server), or may be an enterprise network AAA server (the public network AAA server being integrated into the enterprise network AAA server).
  • a device in which the public network AAA server is used to implement the integration of the enterprise network AAA server and the public network AAA server is taken as an example for description.
  • the user initiates a VPN session to the BSC/PCF to request access to the VPN resource.
  • An A10 connection is established between the BSC/PCF and the PDSN/LAC.
  • the user performs PPP session negotiation with the PDSN/LAC.
  • the receiving module 10 of the public network AAA server receives the authentication request initiated by the user via the LAC, and the authentication request carries the ISP domain name of the enterprise.
  • the enterprise network AAA server is integrated into the public network AAA server.
  • the merged AAA server is still called the public network AAA server.
  • the authentication module 20 of the public network AAA server authenticates the user as the public network user and the enterprise network user.
  • the LNS information includes the tunnel type of the L2TP, the LNS server address, the LNS tunnel password, and the like.
  • after obtaining the LNS information, the LAC establishes an L2TP session with the LNS.
  • the user negotiates a PPP session based on the L2TP tunnel with the LNS.
  • after the negotiation is complete, the user establishes a PPP session with the LNS.
  • the LNS initiates an Accounting Request (start) message to the public network AAA server, and the charging starts;
  • the user starts the packet service, provided by the authorization module 30 of the public network AAA server, through the tunnel with the LNS.
  • the public network AAA server and the enterprise network AAA server are combined into one.
  • by using the existing public network AAA server or enterprise network AAA server to authenticate the validity of the user as both a public network user and an enterprise network user, there is no need to separately set up an enterprise network AAA server in the enterprise, which saves enterprise cost and simplifies the authentication process.
  • the authentication module 20 includes:
  • the first authentication unit 21 is configured to authenticate the legitimacy of the user as a public network user.
  • the second authentication unit 22 is configured to authenticate the validity of the user as an enterprise network user when the first authentication unit 21 passes the authentication.
  • the merged public network AAA server first authenticates the legitimacy of the user as a public network user by the first authentication unit 21, and then the second authentication unit 22 authenticates the legitimacy of the user as an enterprise network user, so that the merged authentication process maintains the original authentication process.
  • the device further includes:
  • the configuration module 40 is configured to configure the LNS information.
  • the sending module 50 is configured to send the LNS information of the enterprise network to the user, where the user establishes a connection with the LNS according to the LNS information.
  • the charging module 60 is configured to receive an accounting request of the user forwarded by the LAC, and start charging.
  • the configuration module 40 configures the LNS information corresponding to the ISP domain name of the enterprise network to the public network AAA server, and prepares the subsequent public network AAA server for the user authentication.
  • the sending module 50 sends the LNS information to the user, so that the user establishes a connection with the LNS according to the L2TP tunnel type, the LNS server address, and the LNS tunnel password included in the LNS information.
  • the charging module 60 receives the charging request of the user forwarded by the LAC, and performs charging for the user.
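The two-stage authentication (first authentication unit 21, then second authentication unit 22), the per-domain LNS information (configuration module 40, sending module 50) and the accounting start forwarded by the LAC (charging module 60) can be modelled in a few dozen lines. The following Python is an added example written for this page, not code from the patent or from its assignee; the subscriber records, enterprise domain names, LNS addresses, tunnel secrets and the `vpn_login` driver are constructed placeholders. It shows the check a defender cares about in a merged server: the enterprise check is keyed by the ISP domain name carried in the request, so a valid public subscriber who is not a member of that enterprise is refused and never receives that enterprise's LNS information, and an accounting start is only accepted for a session the server itself issued.

```python
"""Toy model of the merged (public network + enterprise network) AAA server
described in the patent text above. Added example; all data is constructed."""

from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets


def _h(pw: str) -> str:
    # SHA-256 only to keep the sample data short; not a password-hashing choice.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed public network subscriber records (first authentication unit 21).
PUBLIC_SUBSCRIBERS = {
    "alice": _h("alice-pw"),
    "bob": _h("bob-pw"),
    "mallory": _h("mallory-pw"),
}

# Constructed enterprise membership keyed by the enterprise ISP domain name
# carried in the authentication request (second authentication unit 22).
ENTERPRISE_USERS = {
    "acme.example": {"alice", "bob"},
    "globex.example": {"bob"},
}


@dataclass(frozen=True)
class LnsInfo:
    tunnel_type: str
    lns_address: str
    tunnel_password: str


# Constructed LNS information per enterprise domain (configuration module 40).
LNS_BY_DOMAIN = {
    "acme.example": LnsInfo("L2TP", "203.0.113.10", "acme-tunnel-secret"),
    "globex.example": LnsInfo("L2TP", "203.0.113.20", "globex-tunnel-secret"),
}


@dataclass
class AuthRequest:
    username: str
    password: str
    isp_domain: str  # enterprise ISP domain name carried in the request (step 204)


@dataclass
class AuthResult:
    accepted: bool
    reason: str
    session_id: Optional[str] = None
    lns_info: Optional[LnsInfo] = None  # only populated on success (step 205)


class MergedAaaServer:
    def __init__(self) -> None:
        self.sessions = {}     # session_id -> (username, domain)
        self.accounting = []   # sessions for which charging has started

    def _auth_public(self, req: AuthRequest) -> bool:
        # first authentication unit 21: valid public network subscriber?
        expected = PUBLIC_SUBSCRIBERS.get(req.username)
        return expected is not None and hmac.compare_digest(expected, _h(req.password))

    def _auth_enterprise(self, req: AuthRequest) -> bool:
        # second authentication unit 22: member of the enterprise named in the request?
        return req.username in ENTERPRISE_USERS.get(req.isp_domain, set())

    def authenticate(self, req: AuthRequest) -> AuthResult:
        # Public network check first; the enterprise check runs only after it passes.
        if not self._auth_public(req):
            return AuthResult(False, "public network authentication failed")
        if not self._auth_enterprise(req):
            return AuthResult(False, "not an enterprise user of " + req.isp_domain)
        lns = LNS_BY_DOMAIN.get(req.isp_domain)
        if lns is None:
            return AuthResult(False, "no LNS configured for " + req.isp_domain)
        sid = secrets.token_hex(8)
        self.sessions[sid] = (req.username, req.isp_domain)
        return AuthResult(True, "ok", sid, lns)

    def accounting_start(self, session_id: str) -> bool:
        # charging module 60: Accounting Request (start) forwarded by the LAC (step 209).
        if session_id not in self.sessions:
            return False
        self.accounting.append(session_id)
        return True


def vpn_login(server: MergedAaaServer, username: str, password: str, domain: str) -> dict:
    """Drives steps 204 to 209 from the LAC's side and summarises the outcome."""
    result = server.authenticate(AuthRequest(username, password, domain))
    if not result.accepted:
        return {"tunnel": False, "accounting": False, "reason": result.reason}
    # Step 206: the LAC would open the L2TP session with result.lns_info here.
    started = server.accounting_start(result.session_id)
    return {"tunnel": True, "accounting": started,
            "lns": result.lns_info.lns_address, "reason": "ok"}
```

In the model, `alice` reaches the `acme.example` LNS but is refused for `globex.example` even though her public network credentials are valid, and an accounting start for an unknown session id is ignored.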

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and device for unifying an enterprise network AAA server and a public network AAA server. The method comprises: receiving an authentication request initiated by a user, the authentication request comprising an ISP domain name of a company; authenticating the validity of the user as a public network user and as an enterprise network user, the enterprise network being the enterprise network corresponding to the ISP domain name; and, when the authentication succeeds, providing packet service processing to the user. By providing the method and device for unifying the enterprise network AAA server and the public network AAA server, the present invention allows companies to reduce their costs while at the same time simplifying the authentication process.
PCT/CN2012/073066 2011-05-31 2012-03-26 Method and device for unifying an enterprise network AAA server and a public network AAA server WO2012163159A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110144089.5 2011-05-31
CN201110144089.5A CN102195988B (zh) 2011-05-31 2011-05-31 Method and device for integrating an enterprise network AAA server with a public network AAA server

Publications (1)

Publication Number Publication Date
WO2012163159A1 true WO2012163159A1 (fr) 2012-12-06

Family

ID=44603375

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/073066 WO2012163159A1 (fr) 2011-05-31 2012-03-26 Method and device for unifying an enterprise network AAA server and a public network AAA server

Country Status (2)

Country Link
CN (1) CN102195988B (fr)
WO (1) WO2012163159A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170127479A1 (en) * 2014-04-02 2017-05-04 BSH Hausgeräte GmbH Cooking appliance

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102195988B (zh) * 2011-05-31 2015-10-21 中兴通讯股份有限公司 Method and device for integrating an enterprise network AAA server with a public network AAA server
CN109088809A (zh) * 2014-12-05 2018-12-25 华为技术有限公司 Packet processing method, network server and virtual private network system
CN107040495B (zh) * 2016-02-03 2021-07-13 重庆小目科技有限责任公司 Multi-level joint identity authentication method for industrial communication and services
CN106059994B (zh) * 2016-04-29 2020-02-14 华为技术有限公司 Data transmission method and network device
CN111818014B (zh) * 2020-06-08 2023-05-09 中国电子科技集团公司第三十研究所 Network-side AAA design method and system implementing a secondary authentication function

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1855847A (zh) * 2005-04-14 2006-11-01 阿尔卡特公司 Public and private network service management system and method
CN1866822A (zh) * 2005-05-16 2006-11-22 联想(北京)有限公司 Method for implementing unified authentication
CN101990773A (zh) * 2007-01-22 2011-03-23 北方电讯网络有限公司 Interworking between first and second authentication domains
CN102195988A (zh) * 2011-05-31 2011-09-21 中兴通讯股份有限公司 Method and device for integrating an enterprise network AAA server with a public network AAA server



Also Published As

Publication number Publication date
CN102195988B (zh) 2015-10-21
CN102195988A (zh) 2011-09-21

Similar Documents

Publication Publication Date Title
EP3408988B1 (fr) Network access method and apparatus
US9450951B2 (en) Secure over-the-air provisioning solution for handheld and desktop devices and services
TWI293844B (en) A system and method for performing application layer service authentication and providing secure access to an application server
US9015815B2 (en) Method and system for authenticating a network node in a UAM-based WLAN network
WO2012163159A1 (fr) Method and device for unifying an enterprise network AAA server and a public network AAA server
WO2004107650A1 (fr) Network authentication, authorization and accounting system and method
WO2010108354A1 (fr) Method and system for securely accessing a web service
CN103597779A (zh) Method and apparatus for providing network access to a user entity
KR20060067263A (ko) WLAN-UMTS interworking network system and authentication method therefor
JP2005339093A (ja) Authentication method, authentication system, authentication proxy server, network access authentication server, program, and recording medium
CN102244866A (zh) Portal authentication method and access controller
JP5886438B2 (ja) Apparatus, system and method for performing external authentication using EAP
WO2008095444A1 (fr) User authentication method and system
CN101867476A (zh) Security authentication method and device for 3G virtual private dial-up network users
WO2008080351A1 (fr) Method for operating a wireless local area network based on the WLAN Authentication and Privacy Infrastructure (WAPI)
WO2015089996A1 (fr) Security authentication method and authorization authentication server
WO2013056619A1 (fr) Method, IdP, SP and system for identity federation
WO2014029367A1 (fr) Method, device and system for dynamic configuration
CN103781073B (zh) Method and system for mobile users to access a fixed network
US8213364B2 (en) Method for releasing a high rate packet data session
CN103685201A (zh) Method and system for WLAN users to access a fixed network
WO2009082910A1 (fr) Network configuration method and device for a user terminal
CN101471934A (zh) Method for bidirectional encryption and identity authentication in the Dynamic Host Configuration Protocol
WO2009012729A1 (fr) Method, system and device for network access authentication conversion
WO2014032518A1 (fr) Method and system for establishing an L2TP tunnel

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12792764; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12792764; Country of ref document: EP; Kind code of ref document: A1)