WO2013037264A1 - Admission control method and system - Google Patents


Publication number
WO2013037264A1
Authority
WO
WIPO (PCT)
Prior art keywords
bandwidth
authentication
bng
authentication request
licensable
Application number
PCT/CN2012/080649
Other languages
English (en)
Chinese (zh)
Inventor
尤建洁
范亮
袁立权
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H04L12/2898 Subscriber equipments
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H04L47/74 Admission control; Resource allocation measures in reaction to resource unavailability
    • H04L47/745 Reaction in network
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • the present invention relates to the field of communications and, in particular, to an admission control method and system.
  • multimode terminals can implement seamless connections between different types of wireless access networks, such as between cellular Universal Mobile Telecommunications System (UMTS), Enhanced Data Rate for GSM Evolution (EDGE) or General Packet Radio Service (GPRS) networks and IEEE 802.11 Wireless Local Area Networks (WLAN).
  • WLANs provide high data rates over a small range, such as homes and hotspots, while cellular networks offer greater flexibility and ubiquitous coverage, but at lower data rates; if the advantages of both are combined, users will benefit.
  • multimode terminals use WLAN for data access and Voice over Internet Protocol (VoIP) applications, while also using overlapping cellular networks for voice calls or media access.
  • BBF Broadband Forum
  • the RG interacts with the BBF AAA for authentication through the BNG (Broadband Network Gateway).
  • the BNG can query the link status (such as bandwidth) of the RG to the AN (Access Node) through the Layer 2 protocol, and then report it to the AAA.
  • the AAA determines whether the current link status can meet the RG subscription information. If not, the AAA can reject the RG's authentication.
  • a non-BBF mobile terminal accesses the network through the RG, and also needs to perform bandwidth check on the UE during the authentication process.
  • the link state of the UE queried by the BNG is the same as that of the RG (from the BNG's point of view, the two have the same link identifier and are the same link).
  • the BBF AAA cannot detect that the RG has already applied for part of the bandwidth of the physical link. For example, assume that the link actually supports 9M, the RG has applied for 8M, and the UE subscribes to 2M: when the authentication request of the UE is received, the existing bandwidth check may incorrectly accept it even though the actual physical link bandwidth cannot meet the subscription bandwidth of the UE.
  • the main purpose of the embodiments of the present invention is to provide an admission control method and system that avoid erroneously admitting a user when bandwidth resources are insufficient.
  • An embodiment of the present invention provides an admission control method, including:
  • after receiving an authentication request initiated by a home gateway (RG) acting as a client, or an authentication request initiated by a non-Broadband Forum (BBF) user equipment (UE) and forwarded by the RG, the access node (AN) inserts the digital subscriber line (DSL) parameter of the RG or the UE into the authentication request and sends the authentication request to the network side;
  • the network side determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
  • an initial value of the licensable bandwidth of the current link is a bandwidth in a DSL parameter of the RG or the UE;
  • the method further includes: after the RG or the UE is authenticated, the network side updates the licensable bandwidth of the current link, taking the licensable bandwidth of the current link minus the subscription bandwidth of the RG or the UE as the new licensable bandwidth.
  • the network side includes a broadband network gateway (BNG);
  • the step of the network side determining whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes: determining, by the BNG, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE.
  • the subscription bandwidth of the RG is sent by the BBF Authentication, Authorization and Accounting (AAA) server to the BNG after the RG passes the identity authentication.
  • the subscription bandwidth of the UE is sent by the home AAA server of the UE to the BBF AAA server after the UE passes the identity authentication, and then sent by the BBF AAA server to the BNG.
  • the network side includes a BNG and a BBF AAA server;
  • the step of the AN sending the authentication request to the network side includes:
  • the step of determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes:
  • the subscription bandwidth of the UE is not limited.
  • the subscription bandwidth of the UE is sent by the home AAA server of the UE to the BBF AAA server after the UE passes the identity authentication.
  • An embodiment of the present invention provides an AN, where the AN is configured to: after receiving an authentication request initiated by a home gateway (RG) acting as a client, or an authentication request of a non-Broadband Forum (BBF) user equipment (UE) forwarded by the RG, insert the digital subscriber line (DSL) parameter of the RG or the UE into the authentication request and send the authentication request to the network side.
  • the embodiment of the present invention further provides a network side admission control system, where the network side admission control system is configured to: after receiving, from the access node (AN), an authentication request initiated by a home gateway (RG) acting as a client, or an authentication request of a non-Broadband Forum (BBF) user equipment (UE) forwarded by the RG, determine whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication; the authentication request includes the DSL parameter of the RG or the UE.
  • the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
  • an initial value of the licensable bandwidth of the current link is a bandwidth in a DSL parameter of the RG or the UE;
  • the network side admission control system is further configured to: after the RG or the UE passes the authentication, update the licensable bandwidth of the current link, taking the licensable bandwidth of the current link minus the subscription bandwidth of the RG or the UE as the new licensable bandwidth.
  • the system includes a broadband network gateway (BNG), where:
  • the BNG is configured to: after receiving the authentication request, determine whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the system further includes a BBF Authentication, Authorization and Accounting (AAA) server, where: the BNG is further configured to: forward the authentication request to the BBF AAA server; and the BBF AAA server is configured to: after receiving the authentication request, perform identity authentication on the RG, and after the authentication is passed, send the RG's subscription bandwidth to the BNG.
  • the system further includes a BBF AAA server and a home AAA server of the UE, where:
  • the BNG is further configured to: forward the authentication request to the BBF AAA server;
  • the BBF AAA is further configured to: forward the authentication request to the home AAA server, and after receiving the subscription bandwidth of the UE, send it to the BNG;
  • the home AAA server is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA server.
  • the system includes a BNG and a BBF AAA server;
  • the BNG is configured to: after receiving the authentication request, send it to the BBF AAA server; the BBF AAA server is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if so, the RG or the UE passes the authentication.
  • the system further includes a home AAA server of the UE, where: the BBF AAA server is further configured to: forward the authentication request to the home AAA server; the home AAA server is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA server.
  • the method and system provided by the embodiment of the present invention compare the licensable bandwidth of the link with the subscription bandwidth and admit the user when the licensable bandwidth meets the subscription bandwidth, thereby avoiding erroneously admitting the user.
  • FIG. 1 is a related art 802.1x-based RG authentication diagram
  • Figure 3 is a flow chart according to an embodiment of the present invention.
  • Figure 4 is a flow chart according to an embodiment of the present invention.
  • Figure 5 is a flow chart according to an embodiment of the present invention.
  • Figure 6 is a flow chart in accordance with an implementation of the present invention.
  • An embodiment of the present invention provides an admission control method, including:
  • after receiving an authentication request initiated by the RG acting as a client, or an authentication request initiated by a non-BBF UE and forwarded by the RG, the access node inserts the DSL parameter of the RG or the UE into the authentication request and sends the authentication request to the network side;
  • the network side determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
  • the initial value of the licensable bandwidth of the current link is the bandwidth in the DSL parameter of the RG or the UE; after the RG or the UE passes the authentication, the network side further updates the current link.
  • the network side includes a BNG
  • the determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes: determining, by the BNG, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE; if yes, the RG or the UE passes the authentication.
  • the subscription bandwidth of the RG is sent by the BBF AAA to the BNG after the RG passes the identity authentication.
  • the subscription bandwidth of the UE is sent by the home AAA of the UE to the BBF AAA after the UE passes the identity authentication, and then sent by the BBF AAA to the BNG.
  • the network side includes BNG and BBF AAA;
  • the sending, by the AN, the authentication request to the network side includes:
  • the AN sends the authentication request to the BNG;
  • the BNG sends the authentication request to the BBF AAA;
  • the determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes:
  • the BBF AAA determines whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the subscription bandwidth of the UE is sent by the home AAA of the UE to the BBF AAA after the UE passes the identity authentication.
  • the RG initiates the authentication request.
  • the AN acts as the 802.1x authenticator and the RADIUS client.
  • the DSL parameters of the RG are inserted into the request, which is sent to the BNG.
  • the BBF AAA sends the RG's subscription bandwidth to the BNG;
  • the BNG determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG. If yes, the RG passes the authentication.
  • the BNG updates the licensable bandwidth, i.e. the new licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG.
  • the RG acts as an 802.1x authenticator and a RADIUS client, and further sends a request message to the AN; the AN inserts the DSL parameter of the UE and sends the message to the BNG.
  • the home AAA sends the UE's subscription bandwidth to the BNG via the BBF AAA.
  • the BNG determines whether the licensable bandwidth satisfies the UE's subscription bandwidth. If yes, the UE passes the authentication.
  • the BNG updates the licensable bandwidth, i.e. the new licensable bandwidth is the old licensable bandwidth minus the UE's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameters of the UE. Since the UE accesses the network through the RG, the DSL parameters of the UE and the RG are the same.
  • each link in the BNG corresponds to a licensable bandwidth
  • the link identifier or the line identifier is used to distinguish each link
  • the corresponding licensable bandwidth is obtained according to the link identifier or the line identifier in the DSL parameter.
  • the RG acts as an 802.1x client and initiates an authentication request;
  • the AN acts as an 802.1x authenticator and RADIUS client; after receiving the request, it inserts the DSL parameter and sends the request to the BBF AAA via the BNG.
  • the BBF AAA checks whether the licensable bandwidth meets the RG's subscription bandwidth. If it is satisfied, the RG passes the authentication.
  • the BNG updates the licensable bandwidth, i.e. the new licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG.
  • the RG acts as an 802.1x authenticator and a RADIUS client, and further sends a request message to the AN; the AN inserts the DSL parameter of the UE and sends the message to the BBF AAA via the BNG.
  • the home AAA sends the subscription bandwidth of the UE to the BBF AAA.
  • the BBF AAA determines whether the licensable bandwidth satisfies the UE's subscription bandwidth. If yes, the UE passes the authentication.
  • the BBF AAA updates the licensable bandwidth, i.e. the new licensable bandwidth is the old licensable bandwidth minus the UE's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG/UE. Since the UE accesses the network through the RG, the DSL parameters of the UE and the RG are the same.
  • each link in the BBF AAA corresponds to a licensable bandwidth.
  • the link identifier or the line identifier is used to distinguish the links, and the corresponding licensable bandwidth is obtained through the link identifier or the line identifier in the DSL parameter.
  • FIG. 3 is an authentication process of the RG as an 802.1x client according to Embodiment 1 of the present invention.
  • the process includes the AN transmitting the DSL parameter corresponding to the RG to the BNG, and the BNG performs related processing based on the DSL parameter and the RG's subscription bandwidth.
  • the process includes the following steps:
  • Step 301 The RG acts as an 802.1x client, attaches to the Ethernet, and initiates an EAPoL Start message to request authentication.
  • Step 302 The AN, as the 802.1x authenticator, after receiving the EAPoL Start message sent by the RG, sends an EAP Identity Request message to the RG to notify the RG to report the user name.
  • Step 303 After receiving the EAP Identity Request message sent by the AN, the RG returns an authentication protocol ID response (EAP Identity Response) message to the AN, where the message carries the user name.
  • Step 304 The AN encapsulates the received EAP Identity Response packet into an authentication access request (RADIUS Access Request) message and sends it to the BNG.
  • Step 305 The BNG serves as a RADIUS proxy and sends the received RADIUS Access Request packet to the BBF AAA.
  • Step 306 The BBF AAA replies to the BNG with a RADIUS Access Response packet that carries the EAP Challenge.
  • Step 307 The BNG sends the received RADIUS Access Response message to the AN.
  • Step 308 The AN decapsulates the EAP packet from the received RADIUS Access Response packet and sends the EAP packet to the RG. After receiving the EAP packet sent by the AN, the RG replies to the AN with a packet that carries the Challenged Password.
  • Step 309 The AN encapsulates the received EAP message into an authentication access request (RADIUS Access Request) message and at the same time inserts the DSL parameters corresponding to the RG, such as the line identifier (Line ID) (or link identifier (Link ID)) and the bandwidth; for example, the Line ID (or Link ID) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected.
  • the DSL parameter corresponding to the RG may also be sent to the BNG in step 304.
  • Step 310 The BNG reads the DSL parameter corresponding to the RG, and receives the received RADIUS Access.
  • Step 311 If the RG passes the authentication, the BBF AAA returns a RADIUS Access Accept message to the BNG, carrying the RG's subscription bandwidth. If the RG fails to pass the authentication, the BBF AAA returns a RADIUS Access Reject message to the BNG.
  • Step 312 If the BNG receives the authentication success packet, the BNG reads the RG's subscription bandwidth and checks whether the current licensable bandwidth meets the RG's subscription bandwidth. If yes, the BNG sends a RADIUS Access Accept message to the AN and calculates the new licensable bandwidth as the old licensable bandwidth minus the RG's subscription bandwidth. The initial licensable bandwidth is the bandwidth in the DSL parameters corresponding to the RG. If not, the BNG sends a RADIUS Access Reject message to the AN or reconfigures the link of the RG. In the case that the RG authentication is successful, the BNG saves the link identifier and the licensable bandwidth in the DSL parameter corresponding to the RG.
  • Step 313 The AN decapsulates the EAP packet. If the RG authentication succeeds, an EAP Success packet is sent to the RG. If the RG authentication fails, an authentication protocol failure (EAP-Failure) message is sent to the RG.
  • the process includes the AN transmitting a DSL parameter corresponding to the UE to the BNG, and the BNG performs related processing based on the DSL parameter and the UE's subscription bandwidth.
  • the process includes the following steps:
  • Step 401 The RG performs authentication on the BBF network. For specific steps, refer to Embodiment 1.
  • Step 402 The UE acts as an 802.1x client, attaches to the network through the RG, and initiates an authentication protocol start (EAPoL Start) message to request authentication.
  • Step 403 The RG, as the 802.1x authenticator, sends an EAP Identity Request message to the UE after receiving the EAPoL Start message sent by the UE, to notify the UE to report the user name.
  • Step 404 After receiving the EAP Identity Request message sent by the RG, the UE returns an authentication protocol ID response (EAP Identity Response) message to the RG, where the message carries the user name.
  • Step 405 The RG, acting as a RADIUS client, encapsulates the received EAP Identity Response packet into a RADIUS Access Request message and sends it to the AN.
  • Step 406 The AN acts as a RADIUS proxy and sends the RADIUS Access Request packet to the BNG.
  • Step 407 The BNG acts as a RADIUS proxy and sends the RADIUS Access Request packet to the BBF AAA.
  • Step 408 The UE is a non-BBF user, so the home AAA (Home AAA) of the UE is required to participate in the authentication, and the BBF AAA sends the RADIUS Access Request message to the Home AAA.
  • Step 409 The Home AAA replies to the BBF AAA with a RADIUS Access Response message that carries the EAP Challenge.
  • Step 410 The BBF AAA forwards the RADIUS Access Response message to the BNG;
  • Step 411 the BNG forwards the RADIUS Access Response message to the AN;
  • Step 412 the AN forwards the RADIUS Access Response message to the RG;
  • Step 413 The RG decapsulates the EAP packet from the received RADIUS Access Response packet and sends the EAP packet to the UE. After receiving the EAP packet sent by the RG, the UE replies to the RG with a packet that carries a Challenged Password.
  • Step 414 After receiving the reply message sent by the UE, the RG encapsulates the EAP message into a RADIUS Access Request message and sends the message to the AN.
  • Step 415 After receiving the RADIUS Access Request message, the AN inserts the DSL parameter corresponding to the UE, such as a line identifier (Link ID) and a bandwidth; for example, the line identifier (Link ID) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected. The AN then sends the RADIUS Access Request packet to the BNG.
  • the DSL parameter corresponding to the UE may also be sent to the BNG in step 406.
  • Step 416 After receiving the RADIUS Access Request message, the BNG reads the DSL parameter corresponding to the UE, and then sends the RADIUS Access Request message to the BBF AAA.
  • Step 417 The BBF AAA sends the RADIUS Access Request message to the Home AAA.
  • Step 418 If the UE passes the authentication, the Home AAA replies to the BBF AAA with a RADIUS Access Accept message that carries the subscription bandwidth corresponding to the UE. If the UE does not pass the authentication, a RADIUS Access Reject message is sent to the BBF AAA.
  • Step 419 The BBF AAA sends the RADIUS Access Accept message or the RADIUS Access Reject message to the BNG.
  • Step 420 If the UE passes the authentication, the BNG reads the subscription bandwidth of the UE and checks whether the current licensable bandwidth meets the subscription bandwidth of the UE. If yes, the BNG sends a RADIUS Access Accept message to the AN and calculates the new licensable bandwidth as the old licensable bandwidth minus the UE's subscription bandwidth. Since the UE accesses the network through the RG, the link identifiers of the RG and the UE are the same, and their DSL parameters are also the same. If not, the BNG reconfigures the UE's link or sends a RADIUS Access Reject to the AN.
  • Step 421 The AN sends a RADIUS Access Accept message or a RADIUS Access Reject message to the RG.
  • the RG decapsulates the EAP packet. If the UE is successfully authenticated, the RG sends an EAP Success message to the UE. If the UE fails to authenticate, the RG sends an authentication protocol failure (EAP-Failure) message to the UE.
  • the process includes the AN transmitting the DSL parameter corresponding to the RG to the BBF AAA via the BNG, and the BBF AAA performs related processing based on the DSL parameter and the RG's subscription bandwidth.
  • the process includes the following steps:
  • Step 501 The RG acts as an 802.1x client, attaches to the Ethernet, and initiates an EAPoL Start message to request authentication.
  • Step 502 The AN, as an 802.1x authenticator, after receiving the EAPoL Start message sent by the RG, sends an EAP Identity Request message to the RG to notify the RG to report the user name.
  • Step 503 After receiving the EAP Identity Request message sent by the AN, the RG returns an authentication protocol ID response (EAP Identity Response) message to the AN, where the message carries the user name.
  • Step 504 The AN encapsulates the received EAP Identity Response message into a RADIUS Access Request message and sends the message to the BNG.
  • Step 505 The BNG acts as a RADIUS proxy and sends the received RADIUS Access Request message to the BBF AAA.
  • Step 506 The BBF AAA replies to the BNG with a RADIUS Access Response packet that carries an EAP Challenge.
  • Step 507 The BNG sends the received RADIUS Access Response message to the AN.
  • Step 508 The AN decapsulates the EAP packet from the received RADIUS Access Response packet and sends the EAP packet to the RG. After receiving the EAP packet sent by the AN, the RG replies to the AN with a packet that carries the Challenged Password.
  • Step 509 The AN encapsulates the received EAP message into a RADIUS Access Request message and inserts the DSL parameter corresponding to the RG, such as a line identifier (Line ID) (or a link identifier (Link ID)) and bandwidth; for example, the Line ID (or Link ID) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected.
  • the DSL parameter corresponding to the RG may also be sent to the BNG in step 504.
  • Step 510 The BNG sends the received RADIUS Access Request message to the BBF AAA.
  • the BBF AAA maintains the licensable bandwidth corresponding to the link identifier of the DSL parameter of the RG, that is, the current licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth, and the initial licensable bandwidth is the bandwidth in the DSL parameter. If the RG fails to pass the authentication, a RADIUS Access Reject packet carrying the reason for the rejection is sent to the BNG.
  • Step 512 The BNG forwards the RADIUS Access Accept message or the RADIUS Access Reject message to the AN.
  • Step 513 The AN decapsulates the EAP packet. If the RG authentication succeeds, an EAP Success packet is sent to the RG. If the RG authentication fails, an EAP-Failure packet is sent to the RG.
  • FIG. 6 is an authentication process of a UE as an 802.1x client according to Embodiment 4 of the present invention.
  • the process includes the AN transmitting the DSL parameter corresponding to the UE to the BBF AAA via the BNG, and the BBF AAA performs related processing based on the DSL parameter and the UE's subscription bandwidth.
  • the process includes the following steps:
  • Step 601 The RG performs authentication on the BBF network. For specific steps, refer to Embodiment 1.
  • Step 602 The UE acts as an 802.1x client, attaches to the network through the RG, and initiates an authentication protocol start (EAPoL Start) message to request authentication.
  • Step 603 The RG, as an 802.1x authenticator, after receiving the EAPoL Start message sent by the UE, sends an EAP Identity Request message to the UE to notify the UE to report the user name.
  • Step 604 After receiving the EAP Identity Request message sent by the RG, the UE returns an authentication protocol ID response (EAP Identity Response) message to the RG, where the message carries the user name.
  • Step 605 The RG, also acting as a RADIUS client, encapsulates the received EAP Identity Response packet into an authentication access request (RADIUS Access Request) message and sends it to the AN.
  • Step 606 The AN acts as a RADIUS proxy and sends the RADIUS Access Request message to the BNG.
  • Step 607 The BNG acts as a RADIUS proxy and sends the RADIUS Access Request packet to the BBF AAA.
  • Step 608 The UE is a non-BBF user, so the home AAA (Home AAA) of the UE is required to participate in the authentication, and the BBF AAA sends the RADIUS Access Request message to the Home AAA.
  • Step 609 The Home AAA replies to the BBF AAA with a RADIUS Access Response packet that carries the EAP Challenge.
  • Step 610 The BBF AAA forwards the RADIUS Access Response message to the BNG.
  • Step 611 The BNG forwards the RADIUS Access Response message to the AN.
  • Step 612 The AN forwards the RADIUS Access Response message to the RG.
  • Step 613 The RG decapsulates the EAP packet from the received RADIUS Access Response packet, and sends the EAP packet to the UE. After receiving the EAP packet sent by the RG, the UE sends a reply packet to the RG, and the packet carries the Challenged Password.
  • Step 614 After receiving the reply message from the UE, the RG encapsulates the EAP message into a RADIUS Access Request message and sends the message to the AN.
  • Step 615 The AN, as a RADIUS proxy, after receiving the RADIUS Access Request message, inserts the DSL parameters corresponding to the UE, such as a line identifier (Link ID) and a bandwidth. For example, the line identifier (Link ID) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected.
  • The AN sends the RADIUS Access Request packet to the BNG.
  • The DSL parameters corresponding to the UE may also be sent to the BNG in step 606.
  • Step 616 The BNG sends the RADIUS Access Request message to the BBF AAA.
  • Step 617 The BBF AAA reads the DSL parameter corresponding to the UE, and sends the RADIUS Access Request message to the Home AAA.
  • Step 618 If the UE passes the authentication, the Home AAA replies with an authentication access accept (RADIUS Access Accept) message to the BBF AAA, and the message carries the subscription bandwidth corresponding to the UE. If the UE fails to pass the authentication, a RADIUS Access Reject message is sent to the BBF AAA.
  • Step 619 If the UE is authenticated, the BBF AAA determines whether the licensable bandwidth corresponding to the link identifier in the DSL parameter meets the subscription bandwidth of the UE. If yes, the BBF AAA sends a RADIUS Access Accept message to the BNG.
  • The BBF AAA maintains the licensable bandwidth corresponding to the link identifier in the DSL parameter of the UE, that is, the current licensable bandwidth is the old licensable bandwidth minus the subscription bandwidth of the UE, and the initial licensable bandwidth is the bandwidth in the DSL parameter. If the licensable bandwidth corresponding to the link identifier in the DSL parameter does not satisfy the subscription bandwidth of the UE, the BBF AAA sends a RADIUS Access Reject packet to the BNG, and carries the rejection reason. Note: The UE accesses the network through the RG, and the DSL parameters of the UE and the RG are the same.
  • Step 620 If the UE is authenticated, the BNG reads the subscription bandwidth of the UE and checks whether the current licensable bandwidth meets the subscription bandwidth of the UE. If yes, the BNG sends a RADIUS Access Accept message to the AN and calculates the new licensable bandwidth as the old licensable bandwidth minus the UE's subscription bandwidth. Since the UE accesses the network through the RG, the link identifiers of the RG and the UE are the same, and their DSL parameters are also the same. If not, the BNG reconfigures the UE's link or sends a RADIUS Access Reject to the AN.
  • Step 621 The AN sends a RADIUS Access Accept message or a RADIUS Access Reject message to the RG.
  • Step 622 The RG decapsulates the EAP packet, and if the UE is successfully authenticated, sends an EAP Success message to the UE. If the UE fails to authenticate, the EAP-Failure packet is sent to the UE.
  • The embodiment of the present invention further provides an admission control system, including an AN and a network side, where: the AN is configured to: after receiving an authentication request initiated by an RG acting as a client, or receiving an authentication request of a non-BBF UE forwarded by the RG, insert the DSL parameter of the RG or the UE in the authentication request, and send the authentication request to the network side;
  • the network side is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
  • the initial value of the licensable bandwidth of the current link is the bandwidth in the DSL parameter of the RG or the UE.
  • the network side is further configured to: after the RG or the UE passes the authentication, update the licensable bandwidth of the current link: the licensable bandwidth of the current link minus the subscription bandwidth of the RG or the UE is taken as the new licensable bandwidth.
  • the network side includes a BNG
  • the AN is further configured to send the authentication request to the BNG;
  • the BNG is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the network side further includes a BBF AAA:
  • the BNG is further configured to: forward the authentication request to the BBF AAA;
  • the BBF AAA is configured to perform identity authentication on the RG after receiving the authentication request, and send the subscription bandwidth of the RG to the BNG after the authentication is passed.
  • the network side further includes a BBF AAA and a home AAA of the UE:
  • the BNG is further configured to: forward the authentication request to the BBF AAA;
  • the BBF AAA is further configured to: forward the authentication request to the home AAA, and after receiving the subscription bandwidth of the UE, send it to the BNG;
  • the home AAA is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA.
  • the network side includes BNG and BBF AAA;
  • the AN is further configured to: send the authentication request to the BNG;
  • the BNG is configured to: send the authentication request to the BBF AAA;
  • the BBF AAA is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the network side further includes a home AAA of the UE, where:
  • the BBF AAA is further configured to: forward the authentication request to the home AAA;
  • the home AAA is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA.
  • a program to instruct the associated hardware such as a read only memory, a magnetic disk, or an optical disk.
  • All or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits. Accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, or may be implemented in the form of a software function module. The invention is not limited to any specific form of combination of hardware and software.
  • The method and system provided by the embodiments of the present invention compare the licensable bandwidth of the link with the subscription bandwidth, and admit the user when the licensable bandwidth meets the subscription bandwidth, thereby avoiding mistaken admission of the user.
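The bandwidth bookkeeping of steps 619 and 620 and of the system embodiment above, as an added example that is not code from the patent. The class and function names, the Link ID string, the kbit/s figures, and the handling of missing DSL parameters and non-positive subscription values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Decision:
    accept: bool          # True -> RADIUS Access Accept, False -> Access Reject
    reason: str           # rejection reason carried in the Access Reject
    licensable: int       # licensable bandwidth left on the link (kbit/s)

@dataclass
class LinkLedger:
    """Licensable bandwidth per Link ID, as kept by the BBF AAA or the BNG."""
    licensable: dict = field(default_factory=dict)

    def decide(self, link_id, dsl_bw, authenticated, subscription):
        # Assumption: a request without AN-inserted DSL parameters is refused.
        if not link_id or dsl_bw is None or dsl_bw < 0:
            return Decision(False, "missing DSL parameters", 0)
        current = self.licensable.get(link_id, dsl_bw)  # initial value = DSL bandwidth
        if not authenticated:
            # Identity check failed: the ledger must not change.
            return Decision(False, "authentication failed", current)
        # Assumption: a non-positive subscription is invalid; accepting a
        # negative value would increase the licensable bandwidth.
        if subscription <= 0:
            return Decision(False, "invalid subscription bandwidth", current)
        if subscription > current:
            return Decision(False, "insufficient licensable bandwidth", current)
        # New licensable bandwidth = old licensable bandwidth - subscription.
        self.licensable[link_id] = current - subscription
        return Decision(True, "admitted", self.licensable[link_id])

def run_demo():
    """Constructed sequence: an RG and three UEs sharing one line."""
    ledger = LinkLedger()
    link = "vlan100/port3"   # constructed Link ID (vlan-id and Layer 2 port)
    requests = [             # (who, authenticated, subscription kbit/s)
        ("RG", True, 8000),
        ("UE-1", True, 10000),
        ("UE-2", True, 4000),   # exceeds the 2000 left -> reject
        ("UE-3", False, 1000),  # fails identity authentication
    ]
    return [(who, ledger.decide(link, 20000, ok, sub)) for who, ok, sub in requests]

if __name__ == "__main__":
    for who, d in run_demo():
        print(who, "Accept" if d.accept else "Reject", d.reason, d.licensable)
```

Because the RG and every UE behind it share one Link ID, the ledger is keyed on the identifier the AN inserted rather than on the user name, which is why the third admitted request is the one that exhausts the line.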

Abstract

The invention relates to an admission control method and system. In the method, after an access node (AN) receives an authentication request initiated by a residential gateway (RG) acting as a client, or receives an authentication request initiated by a non-Broadband Forum (BBF) user equipment (UE) and forwarded by the RG, the AN inserts the digital subscriber line (DSL) parameter of the RG or the UE into the authentication request and sends the authentication request to a network side; the network side determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE; if so, the RG or the UE passes the authentication.
PCT/CN2012/080649 2011-09-16 2012-08-28 Admission control method and system WO2013037264A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110275323.8 2011-09-16
CN2011102753238A CN103002443A (zh) 2011-09-16 2011-09-16 Admission control method and system

Publications (1)

Publication Number Publication Date
WO2013037264A1 true WO2013037264A1 (fr) 2013-03-21

Family

ID=47882601

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/080649 WO2013037264A1 (fr) 2011-09-16 2012-08-28 Admission control method and system

Country Status (2)

Country Link
CN (1) CN103002443A (fr)
WO (1) WO2013037264A1 (fr)

Also Published As

Publication number Publication date
CN103002443A (zh) 2013-03-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12832390

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12832390

Country of ref document: EP

Kind code of ref document: A1