WO2013107055A1 - Method and apparatus for acquiring user information - Google Patents

Publication number
WO2013107055A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
intranet
port
client device
query
Application number
PCT/CN2012/070696
Inventor
傅瑜
刘冰
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2012/070696
Priority to CN201280000103.7A
Publication of WO2013107055A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • the present invention relates to communication technologies, and in particular, to a method and an apparatus for acquiring user information.
  • BACKGROUND: To enable a client device located on an intranet to access a network resource located in an external network, a carrier-grade network address translation (CGN) device translates the intranet Internet Protocol (IP) address of the client device into an external network IP address.
  • the above multiple client devices use the same external IP address, which makes it impossible to distinguish intranet users from the external network.
  • the embodiment of the invention provides a method and a device for acquiring user information, which can obtain user information of the intranet client device from the external network side, thereby realizing the distinction between the intranet users.
  • a method for obtaining user information including:
  • the carrier-grade network address translation (CGN) device queries the intranet IP address of the client device and the intranet port of the client device according to the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
  • the CGN device sends a first query request to the authentication, authorization and accounting (AAA) server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the CGN device receives the first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
  • the authentication, authorization and accounting (AAA) server receives the first query request sent by the CGN device, where the first query request includes the intranet IP address and the intranet port, and the first query request is obtained by:
  • the carrier-grade network address translation (CGN) device queries the intranet IP address of the client device and the intranet port of the client device according to the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
  • the AAA server sends a first query response to the CGN device, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
  • the authentication, authorization and accounting (AAA) server sends a second query request to the carrier-grade network address translation (CGN) device, where the second query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port;
  • the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the carrier-grade network address translation (CGN) device receives the second query request sent by the AAA server, where the second query request includes the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
  • the CGN device queries the CGN device for the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port;
  • the CGN device sends a second query response to the AAA server, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the network management server sends a third query request to the carrier-grade network address translation (CGN) device, where the third query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address and the intranet port of the client device according to the external network IP address and the external network port;
  • the network management server sends a fourth query request to the authentication, authorization and accounting (AAA) server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port;
  • the network management server receives the fourth query response sent by the AAA server, the fourth query response is a response corresponding to the fourth query request, and the fourth query response includes the user information.
  • an apparatus for obtaining user information including:
  • a querying unit configured to query an intranet IP address of the client device and an intranet port of the client device according to an external network Internet Protocol (IP) address of the client device and an external network port of the client device;
  • a sending unit configured to send a first query request to the authentication, authorization and accounting (AAA) server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port;
  • the receiving unit is configured to receive the first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
  • another apparatus for obtaining user information including:
  • a sending unit configured to send a second query request to the carrier-grade network address translation (CGN) device, where the second query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port;
  • a receiving unit configured to receive a second query response sent by the CGN device, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port;
  • a querying unit configured to query user information of the client device according to the intranet IP address and the intranet port.
  • another apparatus for obtaining user information including:
  • a first sending unit configured to send a third query request to the carrier-grade network address translation (CGN) device, where the third query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address and the intranet port of the client device according to the external network IP address and the external network port;
  • a first receiving unit configured to receive a third query response sent by the CGN device, where the third query response is a response corresponding to the third query request, and the third query response includes the intranet IP address and the intranet port;
  • a second sending unit configured to send a fourth query request to the authentication, authorization and accounting (AAA) server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port;
  • the second receiving unit is configured to receive a fourth query response sent by the AAA server, where the fourth query response is a response corresponding to the fourth query request, and the fourth query response includes the user information.
  • the foregoing technical solution queries the CGN device for the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the AAA server queries the user information of the client device.
  • FIG. 1 is a network structure diagram of an application scenario of a method and apparatus for acquiring user information according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for acquiring user information according to an embodiment of the present invention
  • FIG. 3 is a flowchart of another method for obtaining user information according to an embodiment of the present invention
  • FIG. 5 is a flowchart of another method for obtaining user information according to an embodiment of the present invention
  • FIG. 6 is a flowchart of another method for acquiring user information according to an embodiment of the present invention
  • FIG. 7 is a schematic structural diagram of an apparatus for acquiring user information according to an embodiment of the present invention
  • FIG. 8 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention
  • FIG. 10 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention
  • FIG. 11 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention.
  • Embodiments of the present invention relate to a client device located on an intranet, a CGN device located on an intranet and an extranet, and an Authentication Authorization Accounting server (AAA server) located at an external network.
  • the Internet may be an Internet Protocol version 4 (IPv4) network or an Internet Protocol version 6 (IPv6) network.
  • the internal network can be an IPv4 network or an IPv6 network.
  • the client device is a device located on the intranet.
  • the client device may be a Personal Computer (PC), a Set Top Box (STB), a Customer Premises Equipment (CPE), or a Home Gateway (HG).
  • the CGN device can record the intranet IP address assigned by the Dynamic Host Configuration Protocol (DHCP) server to the client device.
  • the CGN device can generate a first correspondence based on a session initiated by the client device and the intranet IP address of the client device.
  • the first correspondence includes an external network IP address, an intranet IP address, an external network port, and an intranet port of the client device. The "first" in the first correspondence is not used to limit the order.
  • the present invention does not limit the specific implementation manner in which the CGN device generates the first correspondence.
  • the following provides an implementation of the CGN device to generate the first correspondence. Please refer to:
  • the user of the client device requests the operator of the external network to open the permission of the client device to access the external network resource.
  • the operator of the external network stores the account and password corresponding to the rights of the client device to access the external network resources in the AAA server.
  • the operator of the external network records the user information of the user of the client device on the AAA server.
  • the user information may be the identity card number of the user of the client device, the passport number, or the military officer number.
  • the user of the client device sends an access request to the Broadband Remote Access Server (BRAS).
  • the BRAS sends an authentication request to the AAA server.
  • the BRAS device and the CGN device can be the same device.
  • the BRAS device and the CGN device may not be the same device.
  • the CGN device can log in and access the BRAS device.
  • the AAA server authenticates the client device based on pre-stored accounts and passwords. If the authentication is passed, the client device can access the external network resources.
  • the BRAS device acts as a DHCP server and dynamically allocates intranet IP addresses to client devices.
  • the client device sends a session establishment request to the application server of the external network.
  • the IP header of the session establishment request carries the intranet IP address of the client device and the intranet port.
  • the application server can be a web server, a video server, or an Internet Protocol television (IPTV) server.
  • after receiving the session establishment request, the CGN device determines the external network IP address and the external network port for the client device, and forwards the session establishment request through the external network port. The CGN device generates and saves a first correspondence according to the intranet IP address, the intranet port, the external network IP address, and the external network port.
  • Embodiments of the present invention relate to the Remote Authentication Dial In User Service (RADIUS) protocol. For details on the Radius protocol, see RFC 2865.
  • Section 5 of the Radius Protocol defines 29 attributes (Attributes). Among them, the Radius protocol, Chapter 5, Section 5.1 defines the User-Name attribute. According to Section 5.1 of Chapter 5, the user information of the client device can be carried on the username attribute of the Radius protocol packet. Specifically, it can be carried in the String field of the username attribute.
  • the embodiment of the present invention defines a new attribute, namely a User-Identity attribute.
  • User information is carried in the user identity attribute.
  • Table 1 shows a specific implementation of the user identity attribute:
  • Table 1 Schematic diagram of a user identity attribute
  • the user identity attribute consists of three fields, a Type field, a Length field, and a String field.
  • for the Type field, refer to the description of the format of the username attribute in Section 5.1 of Chapter 5 of the Radius Protocol.
  • the value of the Type field in the User Identity attribute is a value other than the value of the Type field defined in Sections 5.1 through 5.29 of Chapter 5 of the Radius Protocol.
  • the Length field in the user identity attribute is used to identify the length of the user identity attribute. Its value is greater than or equal to 3, that is, the user identity attribute is at least 3 bytes long.
  • a string field in the user identity attribute can be used to carry user information.
  • the user information can be an ID number, a passport number, a military officer number, or a mobile number.
  • the embodiment of the present invention defines another new attribute based on the Radius protocol, namely the address and port attributes.
  • Table 2 shows a specific implementation of the address and port attributes:
  • Table 2 Schematic diagram of the structure of the address and port attributes
  • Type field: a number used to identify the attribute. This field is 8 bits long.
  • Length field: used to identify the length of the address and port attributes. This field is 8 bits long.
  • I field: used to identify the type of the intranet IP address; 0 corresponds to IPv4, and 1 corresponds to IPv6. This field is 1 bit long.
  • E field: used to identify the type of the external network IP address; 0 corresponds to IPv4, and 1 corresponds to IPv6. This field is 1 bit long.
  • Reserved field: reserved. This field is 14 bits long.
  • Internal Port: the intranet port. This field is 16 bits long.
  • External Port: the external network port. This field is 16 bits long.
  • Internal IP Address: the intranet IP address. This field is 128 bits long.
  • FIG. 1 is a structural diagram of networking of an application scenario according to an embodiment of the present invention.
  • the networking diagram of Figure 1 includes two networks and four network elements.
  • the two networks are the external network and the internal network.
  • the four network elements are the client device 1, the CGN device, the AAA server, and the network management server.
  • the client device 1 is located on the intranet.
  • the CGN device is located at the edge of the internal network and at the edge of the external network.
  • the AAA server and the network management server are located on the external network.
  • Embodiment 1:
  • FIG. 2 is a flowchart of a method for obtaining user information according to this embodiment, where the method includes:
  • the CGN device queries the internal network IP address of the client device and the internal network port of the client device according to the external network IP address of the client device and the external network port of the client device.
  • the CGN device can query the intranet IP address and the intranet port of the client device in the first correspondence according to the external network IP address of the client device and the external network port.
  • the CGN device sends a first query request to the AAA server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the first query request is used to query the AAA server for user information of the client device.
  • the first query request may be a Radius protocol message.
  • the address and port attributes may be included in the corresponding Radius protocol packet of the first query request.
  • the intranet IP address of the client device is carried in the intranet IP address field of the address and port attributes.
  • the intranet port of the client device is carried in the intranet port field of the address and port attributes.
  • the CGN device receives a first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
  • the first query response is used to send user information of the client device to the CGN device.
  • the first query response may be a Radius protocol message.
  • the user name attribute may be included in the corresponding Radius protocol packet of the first query request.
  • User information is carried in the string field of the username attribute.
  • the Radius protocol message may include a user identity attribute.
  • User information is carried in the user identity attribute.
  • the user information is carried in the string field of the user identity attribute.
  • the user information can be an ID number, a passport number, a military officer number, or a mobile number.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the first query request message is a first Radius protocol message
  • the first query response message is a second Radius protocol message.
  • the first Radius protocol packet is a Radius protocol packet.
  • the second Radius protocol packet is a Radius protocol packet.
  • the "first" and "second" in the first Radius protocol packet and the second Radius protocol packet are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • the intranet IP address and the intranet port are carried in the address and port attributes of the first Radius protocol packet, and the user information is carried on the username attribute or the user identity attribute of the second Radius protocol packet.
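The Embodiment 1 exchange and the two attribute layouts described above, as an added example that is not part of the patent text: the CGN side resolves the first correspondence and encodes the address and port attributes, and the AAA side parses them strictly and answers with a user identity attribute. The Type values 192 and 193, the bit positions of the I and E fields, IPv4 right-aligned in the 128-bit field, a 128-bit External IP Address field after the Internal IP Address field, the AAA record keyed by intranet IP address, and all function names are assumptions; every address and identifier is constructed.

```python
import ipaddress
import struct

# Assumptions, not values from the patent: the two Type numbers (taken from the
# RFC 2865 experimental range), I/E in the two most significant flag bits, IPv4
# right-aligned in the 128-bit field, and a 128-bit External IP Address field
# following the Internal IP Address field.
ADDR_PORT_TYPE = 192
USER_IDENTITY_TYPE = 193
_FMT = "!BBHHH16s16s"  # Type, Length, I|E|Reserved, ports, two 128-bit addresses
ADDR_PORT_LEN = struct.calcsize(_FMT)  # 40 bytes


def _pack_ip(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 6, int(ip).to_bytes(16, "big")


def _unpack_ip(raw, is_v6):
    value = int.from_bytes(raw, "big")
    if is_v6:
        return str(ipaddress.IPv6Address(value))
    if value >> 32:
        raise ValueError("flag says IPv4 but the upper 96 bits are not zero")
    return str(ipaddress.IPv4Address(value))


def encode_addr_port(int_ip, int_port, ext_ip, ext_port):
    i_flag, int_raw = _pack_ip(int_ip)
    e_flag, ext_raw = _pack_ip(ext_ip)
    flags = (i_flag << 15) | (e_flag << 14)  # Reserved (14 bits) stays zero
    return struct.pack(_FMT, ADDR_PORT_TYPE, ADDR_PORT_LEN, flags,
                       int_port, ext_port, int_raw, ext_raw)


def decode_addr_port(buf):
    if len(buf) != ADDR_PORT_LEN:
        raise ValueError("address and port attribute must be %d bytes" % ADDR_PORT_LEN)
    typ, length, flags, int_port, ext_port, int_raw, ext_raw = struct.unpack(_FMT, buf)
    if typ != ADDR_PORT_TYPE or length != ADDR_PORT_LEN:
        raise ValueError("unexpected Type or Length field")
    if flags & 0x3FFF:
        raise ValueError("Reserved bits must be zero")
    return (_unpack_ip(int_raw, bool(flags & 0x8000)), int_port,
            _unpack_ip(ext_raw, bool(flags & 0x4000)), ext_port)


def encode_user_identity(user_info):
    data = user_info.encode("utf-8")
    if not 1 <= len(data) <= 253:  # Length is one byte and must be >= 3
        raise ValueError("String field must be 1..253 bytes")
    return bytes([USER_IDENTITY_TYPE, len(data) + 2]) + data


def decode_user_identity(buf):
    if len(buf) < 3 or buf[0] != USER_IDENTITY_TYPE or buf[1] != len(buf):
        raise ValueError("malformed user identity attribute")
    return buf[2:].decode("utf-8")


# Constructed sample data: two intranet clients share one external address.
FIRST_CORRESPONDENCE = {  # held by the CGN device
    ("203.0.113.7", 40001): ("100.64.0.10", 51515),
    ("203.0.113.7", 40002): ("100.64.0.11", 51515),
}
AAA_USERS = {  # held by the AAA server; keyed by intranet IP (assumption)
    "100.64.0.10": "CONSTRUCTED-ID-0001",
    "100.64.0.11": "CONSTRUCTED-ID-0002",
}


def aaa_handle_first_query(request):
    """AAA side: parse the first query request, return the first query response."""
    int_ip, _int_port, _ext_ip, _ext_port = decode_addr_port(request)
    if int_ip not in AAA_USERS:
        raise LookupError("no user recorded for " + int_ip)
    return encode_user_identity(AAA_USERS[int_ip])


def cgn_get_user_info(ext_ip, ext_port):
    """CGN side: first correspondence lookup, then the query to the AAA server."""
    mapping = FIRST_CORRESPONDENCE.get((ext_ip, ext_port))
    if mapping is None:
        raise LookupError("no first correspondence for %s:%d" % (ext_ip, ext_port))
    request = encode_addr_port(mapping[0], mapping[1], ext_ip, ext_port)
    return decode_user_identity(aaa_handle_first_query(request))


if __name__ == "__main__":
    for port in (40001, 40002):
        print("203.0.113.7:%d ->" % port, cgn_get_user_info("203.0.113.7", port))
```

The two sample lookups differ only in the external network port, which is why the query needs the port as well as the shared external network IP address.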
  • Embodiment 2:
  • FIG. 3 is a flowchart of a method for obtaining user information according to this embodiment, where the method includes:
  • the AAA server receives a first query request sent by the CGN device, where the first query request includes the intranet IP address and the intranet port, and the first query request is obtained by: the carrier-grade network address translation (CGN) device querying the intranet IP address of the client device and the intranet port of the client device according to the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
  • the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the AAA server sends a first query response to the CGN device, where the first query response is a response corresponding to the first query request, where the first query response includes the user information.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the first query request is a first remote user dialing authentication service Radius protocol packet
  • the first query response packet is a second Radius protocol packet.
  • the first Radius protocol packet is a Radius protocol packet.
  • the second Radius protocol packet is a Radius protocol packet. The "first" and "second" in the first Radius protocol packet and the second Radius protocol packet are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • the intranet IP address and the intranet port are carried on the address and port attributes of the first Radius protocol packet, and the user information is carried on the username attribute or the user identity attribute of the second Radius protocol packet.
  • Embodiment 3:
  • FIG. 4 is a flowchart of a method for acquiring user information according to this embodiment, where the method includes:
  • the AAA server sends a second query request to the CGN device, where the second query request includes an external network IP address of the client device and an external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port.
  • the CGN device can query the intranet IP address and the intranet port of the client device in the first correspondence according to the external network IP address of the client device and the external network port.
  • the second query request is used to query the CGN for the intranet IP address of the client device and the intranet port.
  • the "second" in the second query request is not used to limit the order.
  • the second query request may be a Radius protocol message.
  • the address and port attributes may be included in the corresponding Radius protocol packet of the second query request.
  • the external network IP address of the client device is carried in the external network IP address field of the address and port attributes.
  • the external network port of the client device is carried in the external network port field of the address and port attributes.
  • the AAA server receives a second query response sent by the CGN device, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port.
  • the second query response is used to send the intranet IP address of the client device and the intranet port to the AAA server.
  • the intranet IP address of the client device is carried in the intranet IP address field of the address and port attributes.
  • the intranet port of the client device is carried in the intranet port field of the address and port attributes.
  • the "second" in the second query response is not used to qualify the order.
  • the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the user information of the client device may be an identity card number, a passport number, a military officer number, or a mobile phone number.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the second query request is a first Radius protocol message
  • the second query response is a second Radius protocol message
  • the "first" and "second" in the first Radius protocol packet and the second Radius protocol packet are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • the external network IP address and the external network port are carried in the address and port attributes of the first Radius protocol packet, and the intranet IP address and the intranet port are carried in the address and port attributes of the second Radius protocol packet.
  • Embodiment 4:
  • FIG. 5 is a flowchart of a method for obtaining user information according to this embodiment, where the method includes:
  • the CGN device receives a second query request sent by the AAA server, where the second query request includes an external network IP address of the client device and an external network port of the client device.
  • the CGN device queries the CGN device for the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port.
  • the CGN device sends a second query response to the AAA server, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the second query request is a first Radius protocol message
  • the second query response is a second Radius protocol message
  • the "first" and "second" in the first Radius protocol message and the second Radius protocol message are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • the external network IP address and the external network port are carried in the address and port attributes of the first Radius protocol packet, and the intranet IP address and the intranet port are carried in the address and port attributes of the second Radius protocol packet.
  • Embodiment 5:
  • FIG. 6 is a flowchart of a method for acquiring user information according to this embodiment, where the method includes:
  • the network management server sends a third query request to the CGN device, where the third query request includes an external network IP address of the client device and an external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address and the intranet port of the client device according to the external network IP address and the external network port.
  • the CGN device can query the intranet IP address and the intranet port of the client device in the first correspondence according to the external network IP address of the client device and the external network port.
  • the third query request is used to query the CGN for the intranet IP address of the client device and the intranet port.
  • the "third" in the third query request is not used to limit the order.
  • the third query request may be an application layer protocol message.
  • the application layer protocol can be a simple object access protocol (SOAP).
  • the external network IP address of the client device and the external network port can be carried in the payload of the SOAP packet.
  • the network management server can identify that the third query request is sent by the CGN device for querying the intranet IP address of the client device and the intranet port according to the external network IP address of the client device and the external network port.
  • the CGN device can perform the query in the first correspondence.
  • 602. the network management server receives a third query response sent by the CGN device, where the third query response is a response corresponding to the third query request, where the third query response includes the intranet IP address and the intranet port.
  • the third query response is used to send the intranet IP address of the client device and the intranet port to the network management server.
  • the "third" in the third query response is not used to limit the order.
  • the third query response may be an application layer protocol message.
  • the application layer protocol can be SOAP.
  • the intranet IP address of the client device and the intranet port can be carried in the payload of the SOAP message.
  • the network management server sends a fourth query request to the AAA server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the fourth query request is used to query the AAA server for user information of the client device.
  • the "fourth" in the fourth query request is not used to limit the order.
  • the fourth query request may be a Radius protocol message.
  • the address and port attributes may be included in the corresponding Radius protocol packet of the fourth query request.
  • the intranet IP address of the client device is carried in the intranet IP address field of the address and port attributes.
  • the intranet port of the client device is carried in the intranet port field of the address and port attributes.
  • the network management server receives a fourth query response sent by the AAA server, where the fourth query response is a response corresponding to the fourth query request, where the fourth query response includes the user information.
  • the fourth query response is used to send the user information of the client device to the network management server.
  • the "fourth" in the fourth query response is not used to limit the order.
  • the fourth query response may be a Radius protocol message.
  • the Radius protocol packet corresponding to the fourth query request includes a username attribute.
  • User information can be carried in a string field of the username attribute.
  • the Radius protocol packet may include the user identity attribute.
  • User information can be carried in the user identity attribute.
  • the user information is carried in a string field of the user identity attribute.
  • the user information can be an ID number, a passport number, a military officer number, or a mobile number.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the fourth query request is a first Radius protocol message
  • the fourth query response is a second Radius protocol message.
  • the first Radius protocol packet is a Radius protocol packet.
  • the second Radius protocol packet is a Radius protocol packet.
  • the "first" and "second" in the first Radius protocol packet and the second Radius protocol packet are used only to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • the intranet IP address and the intranet port are carried on the address and port attributes of the first Radius protocol packet, and the user information is carried on the username attribute or the user identity attribute of the second Radius protocol packet.
  • the third query request is a first application layer protocol message
  • the fourth query response is a second application layer protocol message.
  • the first application layer protocol packet is an application layer protocol packet.
  • the second application layer protocol packet is an application layer protocol packet.
  • the "first" and "second" in the first application layer protocol packet and the second application layer protocol packet are used only to distinguish the first application layer protocol packet from the second application layer protocol packet, and are not used to limit the order.
  • FIG. 7 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the query unit 701 is configured to query an intranet IP address of the client device and an intranet port of the client device according to the external network Internet Protocol IP address of the client device and the external network port of the client device.
  • For specific implementation of the query unit 701, refer to 201 in the first embodiment.
  • the sending unit 702 is configured to send a first query request to the authentication, authorization and accounting (AAA) server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the receiving unit 703 is configured to receive a first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, where the first query response includes the user
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • Embodiment 7: this embodiment provides an apparatus for acquiring user information, which can obtain user information of an intranet user from an external network side.
  • the apparatus for acquiring user information provided in this embodiment may be applied to the networking structure shown in FIG. 1.
  • the device for obtaining user information provided in this embodiment may be the AAA server in FIG. 1 .
  • FIG. 8 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the receiving unit 801 is configured to receive a first query request sent by the CGN device, where the first query request includes the intranet IP address and the intranet port, and the first query request is obtained as follows: the carrier-grade network address translation (CGN) device queries the intranet IP address of the client device and the intranet port of the client device according to the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
  • the query unit 802 is configured to query user information of the client device according to the intranet IP address and the intranet port.
  • For the specific implementation of the query unit 802, refer to 302 in the second embodiment.
  • the sending unit 803 is configured to send a first query response to the CGN device, where the first query response is a response corresponding to the first query request, where the first query response includes the user information.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • FIG. 9 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the sending unit 901 is configured to send a second query request to the CGN device, where the second query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port.
  • the receiving unit 902 is configured to receive a second query response sent by the CGN device, where the second query response is a response corresponding to the second query request, where the second query response includes the intranet IP address and the intranet port.
  • the query unit 903 is configured to query the user information of the client device according to the intranet IP address and the intranet port.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • This embodiment provides an apparatus for acquiring user information, which can obtain user information of an intranet user from an external network side.
  • the apparatus for acquiring user information provided in this embodiment may be applied to the networking structure shown in FIG. 1.
  • the device for obtaining user information provided by this embodiment may be the CGN device in FIG. 1 .
  • FIG. 10 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the receiving unit 1001 is configured to receive a second query request sent by the authentication, authorization and accounting (AAA) server, where the second query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device.
  • the query unit 1002 is configured to query, on the CGN device, an intranet IP address of the client device and an intranet port of the client device according to the external network IP address and the external network port.
  • For specific implementation of the query unit 1002, refer to 502 in the fourth embodiment.
  • the sending unit 1003 is configured to send a second query response to the AAA server, where the second query response is a response corresponding to the second query request, where the second query response includes the intranet IP address and the intranet port.
  • the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • FIG. 11 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the first sending unit 1101 is configured to send a third query request to the CGN device, where the third query request includes the external network Internet Protocol (IP) address of the client device and the external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address and the intranet port of the client device according to the external network IP address and the external network port.
  • the first receiving unit 1102 is configured to receive a third query response sent by the CGN device, where the third query response is a response corresponding to the third query request, where the third query response includes the intranet IP address and the intranet port.
  • For specific implementation of the first receiving unit 1102, refer to 602 in the fifth embodiment.
  • the second sending unit 1103 is configured to send a fourth query request to the AAA server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the second receiving unit 1104 is configured to receive a fourth query response sent by the AAA server, where the fourth query response is a response corresponding to the fourth query request, where the fourth query response includes the user information.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the unit may be only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e., may be located in one place, or may be distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention, or the part of it that is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a disk or optical disc, and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a method for acquiring user information, which comprises: a CGN device querying, according to an external network IP address and an external network port of a client device, an internal network IP address and an internal network port of the client device; the CGN device sending, to an AAA server, a first query request comprising the internal network IP address and the internal network port, so that the AAA server queries, according to the internal network IP address and the internal network port, user information of the client device; and the CGN device receiving a first query response sent by the AAA server, the first query response being a response corresponding to the first query request and comprising the user information. The embodiments of the present invention also provide other methods and apparatuses. By means of the technical solutions of the embodiments of the present invention, user information of an internal network client device can be acquired from an external network side, thereby distinguishing internal network users.
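
The lookup chain described in the abstract, modelled in memory as an added example; it is not code from the patent or from any CGN or AAA product. The class names, the exact-match AAA table, and the sample addresses and user labels are assumptions constructed for illustration, and the block also shows why the external network IP address alone cannot identify a user.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[IPv4Address, int]  # (IP address, port)


def make_endpoint(ip: str, port: int) -> Endpoint:
    """Validate and normalise an (IP, port) pair; raises ValueError on bad input."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return (IPv4Address(ip), port)


@dataclass(frozen=True)
class FirstQueryRequest:
    """CGN -> AAA: carries the intranet IP address and the intranet port."""
    intranet_ip: IPv4Address
    intranet_port: int


@dataclass(frozen=True)
class FirstQueryResponse:
    """AAA -> CGN: carries the user information, or None when no record matches."""
    user_information: Optional[str]


class AaaServer:
    """Holds intranet (IP, port) -> user information (assumed exact-match table)."""

    def __init__(self) -> None:
        self._users: Dict[Endpoint, str] = {}

    def register(self, ip: str, port: int, user_information: str) -> None:
        self._users[make_endpoint(ip, port)] = user_information

    def handle(self, request: FirstQueryRequest) -> FirstQueryResponse:
        key = (request.intranet_ip, request.intranet_port)
        return FirstQueryResponse(self._users.get(key))


class CgnDevice:
    """Holds the translation table: external (IP, port) -> intranet (IP, port)."""

    def __init__(self, aaa: AaaServer) -> None:
        self._aaa = aaa
        self._mappings: Dict[Endpoint, Endpoint] = {}

    def add_mapping(self, external: Endpoint, internal: Endpoint) -> None:
        # One external endpoint must never point at two intranet endpoints.
        if self._mappings.get(external, internal) != internal:
            raise ValueError(f"external endpoint already mapped: {external}")
        self._mappings[external] = internal

    def intranet_candidates(self, external_ip: str) -> List[Endpoint]:
        """Every intranet endpoint behind one external IP (ambiguous without a port)."""
        ip = IPv4Address(external_ip)
        return sorted(inner for (ext_ip, _), inner in self._mappings.items()
                      if ext_ip == ip)

    def acquire_user_information(self, external_ip: str,
                                 external_port: int) -> Optional[str]:
        # Step 1: external (IP, port) -> intranet (IP, port) on the CGN device.
        internal = self._mappings.get(make_endpoint(external_ip, external_port))
        if internal is None:
            return None  # no translation entry, so there is nothing to ask AAA
        # Steps 2 and 3: first query request to AAA, first query response back.
        response = self._aaa.handle(FirstQueryRequest(*internal))
        return response.user_information


def build_demo() -> CgnDevice:
    """Constructed sample data: three clients share one external IP address."""
    aaa = AaaServer()
    aaa.register("10.0.0.5", 40001, "user-A")
    aaa.register("10.0.0.6", 40001, "user-B")
    cgn = CgnDevice(aaa)
    cgn.add_mapping(make_endpoint("203.0.113.10", 5001), make_endpoint("10.0.0.5", 40001))
    cgn.add_mapping(make_endpoint("203.0.113.10", 5002), make_endpoint("10.0.0.6", 40001))
    # Translation entry whose intranet endpoint has no AAA record.
    cgn.add_mapping(make_endpoint("203.0.113.10", 5003), make_endpoint("10.0.0.7", 40001))
    return cgn


if __name__ == "__main__":
    demo = build_demo()
    print("behind 203.0.113.10:", demo.intranet_candidates("203.0.113.10"))
    for port in (5001, 5002, 5003, 5999):
        print(port, "->", demo.acquire_user_information("203.0.113.10", port))
```

A lookup returns `None` in two distinct cases, a missing translation entry and a missing AAA record, which a caller that logs these queries would want to tell apart.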

Description

Method and apparatus for acquiring user information

Technical field

Embodiments of the present invention relate to communication technologies, and in particular, to a method and an apparatus for acquiring user information.

Background

To enable a client device located on an intranet to access network resources located on an external network, a carrier-grade network address translation (Carrier-grade NAT, CGN) device translates the intranet Internet Protocol (IP) address of the client device into an external network IP address.
The inventors found that the prior art has the following technical problem:
An intranet may contain multiple client devices, and these client devices use the same external network IP address, which makes it impossible to distinguish intranet users from the external network side.
Summary of the invention
Embodiments of the present invention provide a method and an apparatus for acquiring user information, which can acquire user information of an intranet client device from the external network side, so that intranet users can be distinguished.
In one aspect, a method for acquiring user information is provided, including:
a carrier-grade network address translation (CGN) device queries an intranet IP address of a client device and an intranet port of the client device according to an external network Internet Protocol (IP) address of the client device and an external network port of the client device;
the CGN device sends a first query request to an authentication, authorization and accounting (AAA) server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port;
the CGN device receives a first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
In another aspect, another method for acquiring user information is provided, including:
an authentication, authorization and accounting (AAA) server receives a first query request sent by a CGN device, where the first query request includes the intranet IP address and the intranet port, and the first query request is obtained as follows:
a carrier-grade network address translation (CGN) device queries an intranet IP address of a client device and an intranet port of the client device according to an external network Internet Protocol (IP) address of the client device and an external network port of the client device;
the AAA server queries user information of the client device according to the intranet IP address and the intranet port;
the AAA server sends a first query response to the CGN device, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
In another aspect, another method for acquiring user information is provided, including:
an authentication, authorization and accounting (AAA) server sends a second query request to a carrier-grade network address translation (CGN) device, where the second query request includes an external network Internet Protocol (IP) address of a client device and an external network port of the client device, so that the CGN device queries, on the CGN device, an intranet IP address of the client device and an intranet port of the client device according to the external network IP address and the external network port;
the AAA server receives a second query response sent by the CGN device, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port;
the AAA server queries user information of the client device according to the intranet IP address and the intranet port.
In another aspect, another method for acquiring user information is provided, including:
a carrier-grade network address translation (CGN) device receives a second query request sent by an authentication, authorization and accounting (AAA) server, where the second query request includes an external network Internet Protocol (IP) address of a client device and an external network port of the client device;
the CGN device queries, on the CGN device, an intranet IP address of the client device and an intranet port of the client device according to the external network IP address and the external network port;
the CGN device sends a second query response to the AAA server, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port.
In another aspect, another method for acquiring user information is provided, including:
a network management server sends a third query request to a carrier-grade network address translation (CGN) device, where the third query request includes an external network Internet Protocol (IP) address of a client device and an external network port of the client device, so that the CGN device queries, on the CGN device, an intranet IP address and an intranet port of the client device according to the external network IP address and the external network port;
the network management server receives a third query response sent by the CGN device, where the third query response is a response corresponding to the third query request, and the third query response includes the intranet IP address and the intranet port;
the network management server sends a fourth query request to an authentication, authorization and accounting (AAA) server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port;
the network management server receives a fourth query response sent by the AAA server, where the fourth query response is a response corresponding to the fourth query request, and the fourth query response includes the user information.
In another aspect, an apparatus for acquiring user information is provided, including:
a query unit, configured to query an intranet IP address of a client device and an intranet port of the client device according to an external network Internet Protocol (IP) address of the client device and an external network port of the client device;
a sending unit, configured to send a first query request to an authentication, authorization and accounting (AAA) server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port;
a receiving unit, configured to receive a first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
In another aspect, another apparatus for acquiring user information is provided, including:
a sending unit, configured to send a second query request to a carrier-grade network address translation (CGN) device, where the second query request includes an external network Internet Protocol (IP) address of a client device and an external network port of the client device, so that the CGN device queries, on the CGN device, an intranet IP address of the client device and an intranet port of the client device according to the external network IP address and the external network port;
a receiving unit, configured to receive a second query response sent by the CGN device, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port;
a query unit, configured to query user information of the client device according to the intranet IP address and the intranet port.
In another aspect, another apparatus for acquiring user information is provided, including:
a first sending unit, configured to send a third query request to a carrier-grade network address translation (CGN) device, where the third query request includes an external network Internet Protocol (IP) address of a client device and an external network port of the client device, so that the CGN device queries, on the CGN device, an intranet IP address and an intranet port of the client device according to the external network IP address and the external network port;
a first receiving unit, configured to receive a third query response sent by the CGN device, where the third query response is a response corresponding to the third query request, and the third query response includes the intranet IP address and the intranet port;
a second sending unit, configured to send a fourth query request to an authentication, authorization and accounting (AAA) server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port;
a second receiving unit, configured to receive a fourth query response sent by the AAA server, where the fourth query response is a response corresponding to the fourth query request, and the fourth query response includes the user information.
As can be seen, in the foregoing technical solutions, the intranet IP address and the intranet port of the client device are queried in the CGN device according to the external network IP address and the external network port of the client device. The user information of the client device is then queried in the AAA server according to the intranet IP address and the intranet port of the client device. With the foregoing technical solutions, user information of an intranet client device can be acquired from the external network side, so that intranet users can be distinguished.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a networking structure diagram of an application scenario of the method and apparatus for acquiring user information according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for acquiring user information according to an embodiment of the present invention;
FIG. 3 is a flowchart of another method for acquiring user information according to an embodiment of the present invention;
FIG. 4 is a flowchart of another method for acquiring user information according to an embodiment of the present invention;
FIG. 5 is a flowchart of another method for acquiring user information according to an embodiment of the present invention;
FIG. 6 is a flowchart of another method for acquiring user information according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an apparatus for acquiring user information according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Evidently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The embodiments of the present invention involve a client device located on the intranet, a CGN device located on both the intranet and the external network, and an Authentication Authorization Accounting server (AAA server) located on the external network. The external network may be an Internet Protocol version 4 (IPv4) network or an Internet Protocol version 6 (IPv6) network. The intranet may be an IPv4 network or an IPv6 network. These devices are described below:
The client device is a device located on the intranet. In a specific implementation, the client device may be a Personal Computer (PC), a Set Top Box (STB), Customer Premises Equipment (CPE) or a Home Gateway (HG).
The CGN device can record the intranet IP address that the Dynamic Host Configuration Protocol (DHCP) server assigns to the client device. In addition, the CGN device can generate a first correspondence based on a session (Session) initiated by the client device and the intranet IP address of the client device. The first correspondence includes the external network IP address, the intranet IP address, the external network port and the intranet port of the client device. The word "first" in "first correspondence" is not used to limit any order.
The present invention does not limit the specific way in which the CGN device generates the first correspondence. One way for the CGN device to generate the first correspondence is given below for reference:
The user of the client device applies to the operator of the external network to enable the client device's permission to access external network resources.
The operator of the external network stores, on the AAA server, the account and password corresponding to the client device's permission to access external network resources. In addition, the operator of the external network records the user information of the user of the client device on the AAA server. The user information may be the identity card number, passport number or military officer ID number of the user of the client device.
The user of the client device sends an access request to the Broadband Remote Access Server (BRAS). The BRAS sends an authentication request to the AAA server. The BRAS device and the CGN device may be the same device, or they may be different devices. When the BRAS device and the CGN device are not the same device, the CGN device can log in to and access the BRAS device. The AAA server authenticates the client device according to the pre-stored account and password. If authentication succeeds, the client device is able to access external network resources.
The BRAS device, acting as the DHCP server, dynamically assigns an intranet IP address to the client device.
The client device sends a session establishment request to an application server on the external network. The IP header of the session establishment request carries the intranet IP address and the intranet port of the client device. The application server may be a web server, a video server or an Internet Protocol television (IPTV) server.
After receiving the session establishment request, the CGN device determines an external network IP address and an external network port for the client device, and forwards the session establishment request through the external network port. The CGN device generates and stores the first correspondence according to the intranet IP address, the intranet port, the external network IP address and the external network port.
The embodiments of the present invention involve Remote Authentication Dial In User Service (Radius) protocol messages. For details of the Radius protocol, see RFC2865.
Chapter 5 of the Radius protocol defines 29 attributes (Attributes). Among them, Section 5.1 of Chapter 5 defines the User-Name attribute. According to Section 5.1 of Chapter 5, the user information of the client device can be carried in the User-Name attribute of a Radius protocol message, specifically in the String field of the User-Name attribute.
On the basis of the Radius protocol, the embodiments of the present invention define a new attribute, the User-Identity attribute. The User-Identity attribute carries the user information. Table 1 shows one specific implementation of the User-Identity attribute:
Table 1: Structure of the User-Identity attribute
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|     Type      |    Length     |  String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
In the table above, the User-Identity attribute consists of three fields: the Type field, the Length field and the String field. For the format of the three fields, refer to the description of the User-Name attribute format in Section 5.1 of Chapter 5 of the Radius protocol.
The value of the Type field in the User-Identity attribute is a value other than the Type field values defined in Sections 5.1 to 5.29 of Chapter 5 of the Radius protocol.
The value of the Length field in the User-Identity attribute is greater than or equal to 3, indicating that the length of the User-Identity attribute is greater than or equal to 3 bytes.
The String field in the User-Identity attribute can be used to carry the user information. The user information may be an identity card number, a passport number, a military officer ID number or a mobile phone number.
On the basis of the Radius protocol, the embodiments of the present invention define another new attribute, the Address and Port attribute. Table 2 shows one specific implementation of the Address and Port attribute:
Table 2: Structure of the Address and Port attribute
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |I|E|         Reserved          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Internal Port         |         External Port         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Internal IP Address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      External IP Address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The fields in Table 2 are described below:
Type field: identifies the number of the attribute. The length of this field is 8 bits.
Length field: identifies the length of the Address and Port attribute. The length of this field is 8 bits.
I field: identifies the type of the intranet IP address; 0 corresponds to IPv4 and 1 corresponds to IPv6. The length of this field is 1 bit.
E field: identifies the type of the external network IP address; 0 corresponds to IPv4 and 1 corresponds to IPv6. The length of this field is 1 bit.
Reserved field: reserved. The length of this field is 14 bits.
Internal Port field: the intranet port. The length of this field is 16 bits.
External Port field: the external network port. The length of this field is 16 bits.
Internal IP Address field: the intranet IP address. The length of this field is 128 bits.
External IP Address field: the external network IP address. The length of this field is
The embodiments of the present invention provide a method and an apparatus for acquiring user information, which solve the technical problem that intranet users cannot be distinguished from the external network side. FIG. 1 is a networking structure diagram of an application scenario of an embodiment of the present invention.
The networking structure in FIG. 1 includes two networks and four network elements. The two networks are the external network and the intranet. The four network elements are client device 1, the CGN device, the AAA server and the network management server. Client device 1 is located on the intranet. The CGN device is located at the edge of the intranet and the edge of the external network. The AAA server and the network management server are located on the external network.
Embodiment 1:
This embodiment provides a method for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The method provided in this embodiment can be applied to the networking structure shown in FIG. 1. Referring to FIG. 2, which is a flowchart of the method for acquiring user information provided in this embodiment, the method includes:
201. The CGN device queries the intranet IP address of the client device and the intranet port of the client device according to the external network IP address of the client device and the external network port of the client device.
In a specific implementation, the CGN device can look up the intranet IP address and the intranet port of the client device in the first correspondence according to the external network IP address and the external network port of the client device.
202. The CGN device sends a first query request to the AAA server, where the first query request contains the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
The first query request is used to query the AAA server for the user information of the client device.
The first query request may be a Radius protocol message. In a specific implementation, the Radius protocol message corresponding to the first query request may contain the Address and Port attribute. The intranet IP address of the client device is carried in the Internal IP Address field of the Address and Port attribute. The intranet port of the client device is carried in the Internal Port field of the Address and Port attribute.
203. The CGN device receives a first query response sent by the AAA server, where the first query response is the response corresponding to the first query request and contains the user information.
The first query response is used to send the user information of the client device to the CGN device.
The first query response may be a Radius protocol message. In a specific implementation, the Radius protocol message corresponding to the first query request may contain the User-Name attribute. The user information is carried in the String field of the User-Name attribute.
In addition, when the first query response is a Radius protocol message, the Radius protocol message may contain the User-Identity attribute. The User-Identity attribute carries the user information. In a specific implementation, the user information is carried in the String field of the User-Identity attribute. The user information may be an identity card number, a passport number, a military officer ID number or a mobile phone number.
It can be seen that, with the method for acquiring user information provided in this embodiment, the intranet IP address and the intranet port of the client device are queried in the CGN device according to the external network IP address and the external network port of the client device. The user information of the client device is then queried in the AAA server according to the intranet IP address and the intranet port of the client device. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
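An added example, not part of the patent text: the Address and Port attribute of Table 2 and the User-Identity attribute of Table 1 encoded and strictly validated in Python, then used to walk steps 201 to 203 with the CGN device and the AAA server modelled as in-process objects. The two type codes, the 128-bit external address field, the placement of an IPv4 address in the low-order 32 bits of its field, zero-filled unused fields and all sample values are assumptions made for this example.

```python
import ipaddress
import struct

# Assumptions (not from the page): both type codes are placeholders, the
# external address field is 128 bits like the internal one, an IPv4 address
# sits in the low-order 32 bits of its field, and unused fields are zero.
ADDR_PORT_TYPE = 0xF1
USER_IDENTITY_TYPE = 0xF2
ADDR_PORT_LEN = 40  # 1 + 1 + 2 (I, E, Reserved) + 2 + 2 + 16 + 16 bytes


def _pack_ip(text):
    """Return (I/E flag, 16-byte field) for an IPv4 or IPv6 address string."""
    addr = ipaddress.ip_address(text)
    return (1 if addr.version == 6 else 0), int(addr).to_bytes(16, "big")


def _unpack_ip(is_v6, raw):
    value = int.from_bytes(raw, "big")
    if is_v6:
        return str(ipaddress.IPv6Address(value))
    if value >> 32:
        raise ValueError("IPv4 flag set but upper 96 bits are not zero")
    return str(ipaddress.IPv4Address(value))


def encode_addr_port(int_ip, int_port, ext_ip="0.0.0.0", ext_port=0):
    i_flag, int_raw = _pack_ip(int_ip)
    e_flag, ext_raw = _pack_ip(ext_ip)
    flags = (i_flag << 15) | (e_flag << 14)  # the 14 Reserved bits stay zero
    head = struct.pack("!BBHHH", ADDR_PORT_TYPE, ADDR_PORT_LEN,
                       flags, int_port, ext_port)
    return head + int_raw + ext_raw


def decode_addr_port(data):
    if len(data) != ADDR_PORT_LEN:
        raise ValueError("attribute must be exactly %d bytes" % ADDR_PORT_LEN)
    typ, length, flags, int_port, ext_port = struct.unpack("!BBHHH", data[:8])
    if typ != ADDR_PORT_TYPE or length != ADDR_PORT_LEN:
        raise ValueError("unexpected Type or Length")
    if flags & 0x3FFF:
        raise ValueError("Reserved bits must be zero")
    return {
        "int_ip": _unpack_ip(flags >> 15, data[8:24]),
        "int_port": int_port,
        "ext_ip": _unpack_ip((flags >> 14) & 1, data[24:40]),
        "ext_port": ext_port,
    }


def encode_user_identity(user_info):
    value = user_info.encode("utf-8")
    if not 1 <= len(value) <= 253:  # Length is one byte and counts 2 header bytes
        raise ValueError("String field must be 1..253 bytes")
    return bytes([USER_IDENTITY_TYPE, 2 + len(value)]) + value


def decode_user_identity(data):
    # Table 1: Length >= 3, and it must match the bytes actually received.
    if len(data) < 3 or data[0] != USER_IDENTITY_TYPE or data[1] != len(data):
        raise ValueError("malformed User-Identity attribute")
    return data[2:].decode("utf-8")


class AaaServer:
    def __init__(self):
        self.users = {}  # (intranet IP, intranet port) -> user information

    def handle_query(self, request):
        fields = decode_addr_port(request)
        user = self.users.get((fields["int_ip"], fields["int_port"]))
        return encode_user_identity(user) if user is not None else None


class CgnDevice:
    def __init__(self, aaa):
        self.aaa = aaa
        # The "first correspondence": (external IP, port) -> (intranet IP, port)
        self.first_correspondence = {}

    def lookup_user(self, ext_ip, ext_port):
        key = (str(ipaddress.ip_address(ext_ip)), ext_port)
        mapping = self.first_correspondence.get(key)                   # step 201
        if mapping is None:
            return None
        response = self.aaa.handle_query(encode_addr_port(*mapping))   # step 202
        return decode_user_identity(response) if response else None    # step 203


def build_demo():
    """Constructed sample data: one subscriber behind one CGN mapping."""
    aaa = AaaServer()
    aaa.users[("10.0.0.5", 51000)] = "ID-CONSTRUCTED-0001"
    cgn = CgnDevice(aaa)
    cgn.first_correspondence[("203.0.113.7", 40001)] = ("10.0.0.5", 51000)
    return cgn


if __name__ == "__main__":
    print(build_demo().lookup_user("203.0.113.7", 40001))
```

Rejecting non-zero Reserved bits and inconsistent lengths at decode time keeps a malformed attribute from being matched against subscriber records.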
Optionally,
the first query request is a first Radius protocol message, and the first query response message is a second Radius protocol message.
In a specific implementation, the first Radius protocol message is a Radius protocol message. The second Radius protocol message is a Radius protocol message. The words "first" and "second" in "first Radius protocol message" and "second Radius protocol message" are used to distinguish the two messages and are not used to limit any order.
Optionally,
the intranet IP address and the intranet port are carried in the Address and Port attribute of the first Radius protocol message, and the user information is carried in the User-Name attribute or the User-Identity attribute of the second Radius protocol message.
Embodiment 2:
This embodiment provides a method for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The method provided in this embodiment can be applied to the networking structure shown in FIG. 1. Referring to FIG. 3, which is a flowchart of the method for acquiring user information provided in this embodiment, the method includes:
301. The AAA server receives a first query request sent by the CGN device. The first query request contains the intranet IP address and the intranet port, and is obtained as follows: the carrier-grade network address translation (CGN) device queries the intranet IP address of the client device and the intranet port of the client device according to the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
For the specific implementation of 301, see 201 and 202 in Embodiment 1.
302. The AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
For the specific implementation of 302, see 202 in Embodiment 1.
303. The AAA server sends a first query response to the CGN device, where the first query response is the response corresponding to the first query request and contains the user information.
For the specific implementation of 303, see 203 in Embodiment 1.
It can be seen that, with the method for acquiring user information provided in this embodiment, the intranet IP address and the intranet port of the client device are queried in the CGN device according to the external network IP address and the external network port of the client device. The user information of the client device is then queried in the AAA server according to the intranet IP address and the intranet port of the client device. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
Optionally,
the first query request is a first Remote Authentication Dial In User Service (Radius) protocol message, and the first query response message is a second Radius protocol message.
In a specific implementation, the first Radius protocol message is a Radius protocol message. The second Radius protocol message is a Radius protocol message. The words "first" and "second" in "first Radius protocol message" and "second Radius protocol message" are used to distinguish the two messages and are not used to limit any order.
Optionally,
the intranet IP address and the intranet port are carried in the Address and Port attribute of the first Radius protocol message, and the user information is carried in the User-Name attribute or the User-Identity attribute of the second Radius protocol message.
Embodiment 3:
This embodiment provides a method for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The method provided in this embodiment can be applied to the networking structure shown in FIG. 1. Referring to FIG. 4, which is a flowchart of the method for acquiring user information provided in this embodiment, the method includes:
401. The AAA server sends a second query request to the CGN device, where the second query request contains the external network IP address of the client device and the external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port.
In a specific implementation, the CGN device can look up the intranet IP address and the intranet port of the client device in the first correspondence according to the external network IP address and the external network port of the client device.
The second query request is used to query the CGN for the intranet IP address and the intranet port of the client device. The word "second" in "second query request" is not used to limit any order.
The second query request may be a Radius protocol message. In a specific implementation, the Radius protocol message corresponding to the second query request may contain the Address and Port attribute. The external network IP address of the client device is carried in the External IP Address field of the Address and Port attribute. The external network port of the client device is carried in the External Port field of the Address and Port attribute.
402. The AAA server receives a second query response sent by the CGN device, where the second query response is the response corresponding to the second query request and contains the intranet IP address and the intranet port.
The second query response is used to send the intranet IP address and the intranet port of the client device to the AAA server. In a specific implementation, the intranet IP address of the client device is carried in the Internal IP Address field of the Address and Port attribute. The intranet port of the client device is carried in the Internal Port field of the Address and Port attribute. The word "second" in "second query response" is not used to limit any order.
403. The AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
In a specific implementation, the user information of the client device may be an identity card number, a passport number, a military officer ID number or a mobile phone number.
It can be seen that, with the method for acquiring user information provided in this embodiment, the intranet IP address and the intranet port of the client device are queried in the CGN device according to the external network IP address and the external network port of the client device. The user information of the client device is then queried in the AAA server according to the intranet IP address and the intranet port of the client device. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
Optionally,
the second query request is a first Radius protocol message, and the second query response is a second Radius protocol message.
The words "first" and "second" in "first Radius protocol message" and "second Radius protocol message" are used to distinguish the two messages and are not used to limit any order.
Optionally,
the external network IP address and the external network port are carried in the Address and Port attribute of the first Radius protocol message, and the intranet IP address and the intranet port are carried in the Address and Port attribute of the second Radius protocol message.
Embodiment 4:
本实施例提供了一种获取用户信息的方法, 可以实现从外网侧获得内 网用户的用户信息。 本实施例提供的获取用户信息的方法可以应用于图 1 所示的组网结构中。 参见图 5, 图 5是本实施例提供的获取用户信息的方法 的流程图, 该方法包括:  This embodiment provides a method for obtaining user information, which can obtain user information of an intranet user from an external network side. The method for obtaining user information provided in this embodiment may be applied to the networking structure shown in FIG. 1. Referring to FIG. 5, FIG. 5 is a flowchart of a method for obtaining user information according to this embodiment, where the method includes:
501、 CGN设备接收 AAA服务器发送的第二查询请求, 该第二查询请 求中包含客户端设备的外网 IP地址以及该客户端设备的外网端口。  501. The CGN device receives a second query request sent by the AAA server, where the second query request includes an external network IP address of the client device and an external network port of the client device.
501具体实现时, 请参见实施例三中的 401。  For specific implementation of 501, refer to 401 in the third embodiment.
502、 该 CGN设备根据该外网 IP地址以及该外网端口, 在该 CGN设 备上查询该客户端设备的内网 IP地址以及该客户端设备的内网端口。  502. The CGN device queries the CGN device for the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port.
502具体实现时, 请参见实施例三中的 401。  For specific implementation of 502, please refer to 401 in the third embodiment.
503、该 CGN设备向该 AAA服务器发送的第二查询响应, 该第二查询 响应为该第二查询请求对应的响应, 该第二查询响应中包含该内网 IP地址 以及该内网端口, 以便于该 AAA服务器根据该内网 IP地址以及该内网端 口, 查询该客户端设备的用户信息。  503. The second query response sent by the CGN device to the AAA server, where the second query response is a response corresponding to the second query request, where the second query response includes the intranet IP address and the intranet port, so that The AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
503具体实现时, 请参见实施例三中的 402以及 403。  For specific implementation of 503, please refer to 402 and 403 in Embodiment 3.
可见, 通过本实施例提供的获取用户信息的方法, 根据客户端设备的 外网 IP地址以及外网端口, 在 CGN设备中查询该客户端设备的内网 IP地 址以及内网端口。根据该客户端设备的内网 IP地址以及内网端口,在 AAA 服务器中查询该客户端设备的用户信息。 通过本实施例提供的技术方案, 可以从外网侧获取内网客户端设备的用户信息, 从而实现对内网用户进行 区分。  It can be seen that, by using the method for obtaining user information provided by the embodiment, the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port. The user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port. With the technical solution provided in this embodiment, the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
Optionally, the second query request is a first Radius protocol message, and the second query response is a second Radius protocol message.
The "first" and "second" in the first Radius protocol message and the second Radius protocol message are used only to distinguish the first Radius protocol message from the second Radius protocol message and do not define an order.
Optionally, the external network IP address and the external network port are carried in the address-and-port attribute of the first Radius protocol message, and the intranet IP address and the intranet port are carried in the address-and-port attribute of the second Radius protocol message.
Embodiment 5:
This embodiment provides a method for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The method for acquiring user information provided in this embodiment can be applied in the networking structure shown in FIG. 1. Referring to FIG. 6, FIG. 6 is a flowchart of the method for acquiring user information provided in this embodiment. The method includes:
601. The network management server sends a third query request to the CGN device. The third query request includes the external network IP address of the client device and the external network port of the client device, so that the CGN device can look up, on the CGN device, the intranet IP address and the intranet port of the client device based on the external network IP address and the external network port.
In a specific implementation, the CGN device may look up the client device's intranet IP address and intranet port in the first correspondence based on the client device's external network IP address and external network port.
The third query request is used to query the CGN for the client device's intranet IP address and intranet port. The "third" in the third query request does not define an order.
The third query request may be an application-layer protocol message. The application-layer protocol may be the Simple Object Access Protocol (SOAP).
Optionally, the client device's external network IP address and external network port may be carried in the payload of the SOAP message.
The network management server can identify that the third query request is a message sent by the CGN device for querying the client device's intranet IP address and intranet port based on the client device's external network IP address and external network port. In a specific implementation, the CGN device may perform the lookup in the first correspondence.
602. The network management server receives a third query response sent by the CGN device. The third query response is the response corresponding to the third query request and includes the intranet IP address and the intranet port.
The third query response is used to send the client device's intranet IP address and intranet port to the network management server. The "third" in the third query response does not define an order.
The third query response may be an application-layer protocol message. The application-layer protocol may be SOAP.
Optionally, the client device's intranet IP address and intranet port may be carried in the payload of the SOAP message.
603. The network management server sends a fourth query request to the AAA server. The fourth query request includes the intranet IP address and the intranet port, so that the AAA server can query the user information of the client device based on the intranet IP address and the intranet port.
The fourth query request is used to query the AAA server for the user information of the client device. The "fourth" in the fourth query request does not define an order.
The fourth query request may be a Radius protocol message. In a specific implementation, the Radius protocol message corresponding to the fourth query request may include an address-and-port attribute. The client device's intranet IP address is carried in the intranet IP address field of the address-and-port attribute. The client device's intranet port is carried in the intranet port field of the address-and-port attribute.
604. The network management server receives a fourth query response sent by the AAA server. The fourth query response is the response corresponding to the fourth query request and includes the user information.
The fourth query response is used to send the user information of the client device to the network management server. The "fourth" in the fourth query response does not define an order.
The fourth query response may be a Radius protocol message. In a specific implementation, the Radius protocol message corresponding to the fourth query request includes a username attribute. The user information may be carried in the string field of the username attribute.
In addition, when the fourth query response is a Radius protocol message, the Radius protocol message may include a user identity attribute. The user information may be carried in the user identity attribute. In a specific implementation, the user information is carried in the string field of the user identity attribute. The user information may be an identity card number, a passport number, a military officer ID number, or a mobile phone number.
As can be seen, with the method for acquiring user information provided in this embodiment, the intranet IP address and intranet port of the client device are looked up in the CGN device based on the client device's external network IP address and external network port. The user information of the client device is then looked up in the AAA server based on the client device's intranet IP address and intranet port. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
Optionally, the fourth query request is a first Radius protocol message, and the fourth query response is a second Radius protocol message.
In a specific implementation, the first Radius protocol message is a Radius protocol message. The second Radius protocol message is a Radius protocol message. The "first" and "second" in the first Radius protocol message and the second Radius protocol message are used only to distinguish the first Radius protocol message from the second Radius protocol message and do not define an order.
Optionally, the intranet IP address and the intranet port are carried in the address-and-port attribute of the first Radius protocol message, and the user information is carried in the username attribute or the user identity attribute of the second Radius protocol message.
Optionally, the third query request is a first application-layer protocol message, and the fourth query response is a second application-layer protocol message.
In a specific implementation, the first application-layer protocol message is an application-layer protocol message. The second application-layer protocol message is an application-layer protocol message. The "first" and "second" in the first application-layer protocol message and the second application-layer protocol message are used only to distinguish the first application-layer protocol message from the second application-layer protocol message and do not define an order.
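The 601 to 604 exchange of Embodiment 5, as an added Python example that is not part of the patent text. The class and field names, the port-range layout of the AAA records and the sample addresses are assumptions made for illustration, and the SOAP and Radius encodings are replaced by plain objects.

```python
# Added illustration of steps 601-604 (Embodiment 5); not code from the patent.
# All class and field names, and the sample tables, are assumptions of this example.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[IPv4Address, int]          # (IP address, port)


def endpoint(ip: str, port: int) -> Endpoint:
    """Validate and normalise an (IP, port) pair before it is used as a key."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return (IPv4Address(ip), port)          # raises on a malformed address


@dataclass(frozen=True)
class ThirdQueryRequest:                    # 601: network management server -> CGN
    external: Endpoint


@dataclass(frozen=True)
class ThirdQueryResponse:                   # 602: CGN -> network management server
    internal: Optional[Endpoint]            # None when no mapping exists


@dataclass(frozen=True)
class FourthQueryRequest:                   # 603: network management server -> AAA
    internal: Endpoint                      # address-and-port attribute fields


@dataclass(frozen=True)
class FourthQueryResponse:                  # 604: AAA -> network management server
    user_info: Optional[str]                # username / user identity string field


class CGNDevice:
    """Holds the 'first correspondence': external endpoint -> intranet endpoint."""

    def __init__(self, first_correspondence: Dict[Endpoint, Endpoint]):
        self._table = dict(first_correspondence)

    def handle(self, req: ThirdQueryRequest) -> ThirdQueryResponse:
        return ThirdQueryResponse(self._table.get(req.external))


class AAAServer:
    """Maps an intranet IP and port to user information.

    Assumption of this example: each record covers a port range on one
    intranet IP, so two users behind the same intranet address stay distinct.
    """

    def __init__(self, records: List[Tuple[IPv4Address, range, str]]):
        self._records = list(records)

    def handle(self, req: FourthQueryRequest) -> FourthQueryResponse:
        ip, port = req.internal
        for rec_ip, ports, user_info in self._records:
            if rec_ip == ip and port in ports:
                return FourthQueryResponse(user_info)
        return FourthQueryResponse(None)


@dataclass(frozen=True)
class Attribution:
    """The full chain, kept together so the result can be audited."""
    external: Endpoint
    internal: Optional[Endpoint]
    user_info: Optional[str]


class NetworkManagementServer:
    def __init__(self, cgn: CGNDevice, aaa: AAAServer):
        self._cgn, self._aaa = cgn, aaa

    def resolve(self, ext_ip: str, ext_port: int) -> Attribution:
        ext = endpoint(ext_ip, ext_port)
        third = self._cgn.handle(ThirdQueryRequest(ext))               # 601 / 602
        if third.internal is None:           # no mapping: nothing to ask the AAA
            return Attribution(ext, None, None)
        fourth = self._aaa.handle(FourthQueryRequest(third.internal))  # 603 / 604
        return Attribution(ext, third.internal, fourth.user_info)


def build_demo() -> NetworkManagementServer:
    """Constructed sample tables (private and documentation address ranges)."""
    cgn = CGNDevice({
        endpoint("203.0.113.7", 40001): endpoint("10.0.0.5", 5001),
        endpoint("203.0.113.7", 40002): endpoint("10.0.0.5", 6100),
        endpoint("203.0.113.7", 40003): endpoint("10.0.0.9", 7000),
    })
    aaa = AAAServer([
        (IPv4Address("10.0.0.5"), range(5000, 6000), "subscriber-A"),
        (IPv4Address("10.0.0.5"), range(6000, 7000), "subscriber-B"),
    ])
    return NetworkManagementServer(cgn, aaa)


if __name__ == "__main__":
    nms = build_demo()
    for port in (40001, 40002, 40003, 40004):
        print(port, nms.resolve("203.0.113.7", port))
```

The two failure cases are kept apart in the result: a missing CGN mapping leaves `internal` empty, while a mapping with no matching AAA record leaves only `user_info` empty.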
Embodiment 6
This embodiment provides an apparatus for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The apparatus for acquiring user information provided in this embodiment can be applied in the networking structure shown in FIG. 1. In a specific implementation, the apparatus for acquiring user information provided in this embodiment may be the CGN device in FIG. 1. Referring to FIG. 7, FIG. 7 is a schematic structural diagram of the apparatus for acquiring user information provided in this embodiment. The apparatus includes:
A query unit 701, configured to look up the intranet IP address of the client device and the intranet port of the client device based on the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
For the specific implementation of the query unit 701, refer to 201 in Embodiment 1.
A sending unit 702, configured to send a first query request to an authentication, authorization and accounting (AAA) server. The first query request includes the intranet IP address and the intranet port, so that the AAA server can query the user information of the client device based on the intranet IP address and the intranet port.
For the specific implementation of the sending unit 702, refer to 202 in Embodiment 1.
A receiving unit 703, configured to receive a first query response sent by the AAA server. The first query response is the response corresponding to the first query request and includes the user information.
For the specific implementation of the receiving unit 703, refer to 203 in Embodiment 1.
As can be seen, with the apparatus for acquiring user information provided in this embodiment, the intranet IP address and intranet port of the client device are looked up in the CGN device based on the client device's external network IP address and external network port. The user information of the client device is then looked up in the AAA server based on the client device's intranet IP address and intranet port. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
Embodiment 7
This embodiment provides an apparatus for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The apparatus for acquiring user information provided in this embodiment can be applied in the networking structure shown in FIG. 1. In a specific implementation, the apparatus for acquiring user information provided in this embodiment may be the AAA server in FIG. 1. Referring to FIG. 8, FIG. 8 is a schematic structural diagram of the apparatus for acquiring user information provided in this embodiment. The apparatus includes:
A receiving unit 801, configured to receive a first query request sent by a CGN device. The first query request includes the intranet IP address and the intranet port, and the first query request is obtained as follows: the carrier-grade network address translation (CGN) device looks up the intranet IP address of the client device and the intranet port of the client device based on the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
For the specific implementation of the receiving unit 801, refer to 301 in Embodiment 2.
A query unit 802, configured to query the user information of the client device based on the intranet IP address and the intranet port.
For the specific implementation of the query unit 802, refer to 302 in Embodiment 2.
A sending unit 803, configured to send a first query response to the CGN device. The first query response is the response corresponding to the first query request and includes the user information.
For the specific implementation of the sending unit 803, refer to 303 in Embodiment 2.
As can be seen, with the apparatus for acquiring user information provided in this embodiment, the intranet IP address and intranet port of the client device are looked up in the CGN device based on the client device's external network IP address and external network port. The user information of the client device is then looked up in the AAA server based on the client device's intranet IP address and intranet port. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
Embodiment 8
This embodiment provides an apparatus for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The apparatus for acquiring user information provided in this embodiment can be applied in the networking structure shown in FIG. 1. In a specific implementation, the apparatus for acquiring user information provided in this embodiment may be the AAA server in FIG. 1. Referring to FIG. 9, FIG. 9 is a schematic structural diagram of the apparatus for acquiring user information provided in this embodiment. The apparatus includes:
A sending unit 901, configured to send a second query request to a CGN device. The second query request includes the external network Internet Protocol (IP) address of the client device and the external network port of the client device, so that the CGN device can look up, on the CGN device, the intranet IP address of the client device and the intranet port of the client device based on the external network IP address and the external network port.
For the specific implementation of the sending unit 901, refer to 401 in Embodiment 3.
A receiving unit 902, configured to receive a second query response sent by the CGN device. The second query response is the response corresponding to the second query request and includes the intranet IP address and the intranet port.
For the specific implementation of the receiving unit 902, refer to 402 in Embodiment 3.
A query unit 903, configured to query the user information of the client device based on the intranet IP address and the intranet port.
For the specific implementation of the query unit 903, refer to 403 in Embodiment 3.
As can be seen, with the apparatus for acquiring user information provided in this embodiment, the intranet IP address and intranet port of the client device are looked up in the CGN device based on the client device's external network IP address and external network port. The user information of the client device is then looked up in the AAA server based on the client device's intranet IP address and intranet port. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
Embodiment 9
This embodiment provides an apparatus for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The apparatus for acquiring user information provided in this embodiment can be applied in the networking structure shown in FIG. 1. In a specific implementation, the apparatus for acquiring user information provided in this embodiment may be the CGN device in FIG. 1. Referring to FIG. 10, FIG. 10 is a schematic structural diagram of the apparatus for acquiring user information provided in this embodiment. The apparatus includes:
A receiving unit 1001, configured to receive a second query request sent by an authentication, authorization and accounting (AAA) server. The second query request includes the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
For the specific implementation of the receiving unit 1001, refer to 501 in Embodiment 4.
A query unit 1002, configured to look up, on the CGN device, the intranet IP address of the client device and the intranet port of the client device based on the external network IP address and the external network port.
For the specific implementation of the query unit 1002, refer to 502 in Embodiment 4.
A sending unit 1003, configured to send a second query response to the AAA server. The second query response is the response corresponding to the second query request and includes the intranet IP address and the intranet port, so that the AAA server can query the user information of the client device based on the intranet IP address and the intranet port.
For the specific implementation of the sending unit 1003, refer to 503 in Embodiment 4.
As can be seen, with the apparatus for acquiring user information provided in this embodiment, the intranet IP address and intranet port of the client device are looked up in the CGN device based on the client device's external network IP address and external network port. The user information of the client device is then looked up in the AAA server based on the client device's intranet IP address and intranet port. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
Embodiment 10
This embodiment provides an apparatus for acquiring user information, with which the user information of an intranet user can be obtained from the external network side. The apparatus for acquiring user information provided in this embodiment can be applied in the networking structure shown in FIG. 1. In a specific implementation, the apparatus for acquiring user information provided in this embodiment may be the network management server in FIG. 1. Referring to FIG. 11, FIG. 11 is a schematic structural diagram of the apparatus for acquiring user information provided in this embodiment. The apparatus includes:
A first sending unit 1101, configured to send a third query request to a CGN device. The third query request includes the external network Internet Protocol (IP) address of the client device and the external network port of the client device, so that the CGN device can look up, on the CGN device, the intranet IP address and the intranet port of the client device based on the external network IP address and the external network port.
For the specific implementation of the first sending unit 1101, refer to 601 in Embodiment 5.
A first receiving unit 1102, configured to receive a third query response sent by the CGN device. The third query response is the response corresponding to the third query request and includes the intranet IP address and the intranet port.
For the specific implementation of the first receiving unit 1102, refer to 602 in Embodiment 5.
A second sending unit 1103, configured to send a fourth query request to the AAA server. The fourth query request includes the intranet IP address and the intranet port, so that the AAA server can query the user information of the client device based on the intranet IP address and the intranet port.
For the specific implementation of the second sending unit 1103, refer to 603 in Embodiment 5.
A second receiving unit 1104, configured to receive a fourth query response sent by the AAA server. The fourth query response is the response corresponding to the fourth query request and includes the user information.
For the specific implementation of the second receiving unit 1104, refer to 604 in Embodiment 5.
As can be seen, with the apparatus for acquiring user information provided in this embodiment, the intranet IP address and intranet port of the client device are looked up in the CGN device based on the client device's external network IP address and external network port. The user information of the client device is then looked up in the AAA server based on the client device's intranet IP address and intranet port. With the technical solution provided in this embodiment, the user information of an intranet client device can be obtained from the external network side, so that intranet users can be distinguished.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such an implementation should not be considered to go beyond the scope of the present invention.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can be found in the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. The division into units may be merely a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as a standalone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing is merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any variation or replacement readily conceivable by a person skilled in the art within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims

1. A method for acquiring user information, comprising:
a carrier-grade network address translation (CGN) device looking up the intranet IP address of a client device and the intranet port of the client device based on the external network Internet Protocol (IP) address of the client device and the external network port of the client device;
the CGN device sending a first query request to an authentication, authorization and accounting (AAA) server, wherein the first query request includes the intranet IP address and the intranet port, so that the AAA server can query the user information of the client device based on the intranet IP address and the intranet port;
the CGN device receiving a first query response sent by the AAA server, wherein the first query response is the response corresponding to the first query request, and the first query response includes the user information.
2. The method according to claim 1, wherein
the first query request is a first Remote Authentication Dial In User Service (Radius) protocol message, and the first query response message is a second Radius protocol message.
3. The method according to claim 2, wherein
the intranet IP address and the intranet port are carried in the address-and-port attribute of the first Radius protocol message, and the user information is carried in the username attribute or the user identity attribute of the second Radius protocol message.
4. A method for acquiring user information, characterized by comprising:
receiving, by an authentication, authorization and accounting (AAA) server, a first query request sent by a CGN device, wherein the first query request contains the intranet IP address and the intranet port, and the first query request is obtained as follows:
a carrier-grade network address translation (CGN) device queries the intranet IP address of a client device and the intranet port of the client device according to an external network Internet Protocol (IP) address of the client device and an external network port of the client device;
querying, by the AAA server, user information of the client device according to the intranet IP address and the intranet port;
sending, by the AAA server, a first query response to the CGN device, wherein the first query response is the response corresponding to the first query request, and the first query response contains the user information.
5. The method according to claim 4, characterized in that:
the first query request is a first Remote Authentication Dial In User Service (RADIUS) protocol message, and the first query response message is a second RADIUS protocol message.
6. The method according to claim 5, characterized in that:
the intranet IP address and the intranet port are carried in an address and port attribute of the first RADIUS protocol message, and the user information is carried in a user name attribute or a user identity attribute of the second RADIUS protocol message.
7. A method for acquiring user information, characterized by comprising:
sending, by an authentication, authorization and accounting (AAA) server, a second query request to a carrier-grade network address translation (CGN) device, wherein the second query request contains an external network Internet Protocol (IP) address of a client device and an external network port of the client device, so that the CGN device queries, on the CGN device, an intranet IP address of the client device and an intranet port of the client device according to the external network IP address and the external network port;
receiving, by the AAA server, a second query response sent by the CGN device, wherein the second query response is the response corresponding to the second query request, and the second query response contains the intranet IP address and the intranet port;
querying, by the AAA server, user information of the client device according to the intranet IP address and the intranet port.
8. The method according to claim 7, characterized in that:
the second query request is a first Remote Authentication Dial In User Service (RADIUS) protocol message, and the second query response is a second RADIUS protocol message.
9. The method according to claim 8, characterized in that:
the external network IP address and the external network port are carried in an address and port attribute of the first RADIUS protocol message, and the intranet IP address and the intranet port are carried in an address and port attribute of the second RADIUS protocol message.
10. A method for acquiring user information, characterized by comprising:
receiving, by a carrier-grade network address translation (CGN) device, a second query request sent by an authentication, authorization and accounting (AAA) server, wherein the second query request contains an external network Internet Protocol (IP) address of a client device and an external network port of the client device;
querying, by the CGN device, on the CGN device, an intranet IP address of the client device and an intranet port of the client device according to the external network IP address and the external network port;
sending, by the CGN device, a second query response to the AAA server, wherein the second query response is the response corresponding to the second query request, and the second query response contains the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port.
11. The method according to claim 10, characterized in that:
the second query request is a first Remote Authentication Dial In User Service (RADIUS) protocol message, and the second query response is a second RADIUS protocol message.
12. The method according to claim 11, characterized in that:
the external network IP address and the external network port are carried in an address and port attribute of the first RADIUS protocol message, and the intranet IP address and the intranet port are carried in an address and port attribute of the second RADIUS protocol message.
13. A method for acquiring user information, characterized by comprising:
sending, by a network management server, a third query request to a carrier-grade network address translation (CGN) device, wherein the third query request contains an external network Internet Protocol (IP) address of a client device and an external network port of the client device, so that the CGN device queries, on the CGN device, an intranet IP address and an intranet port of the client device according to the external network IP address and the external network port;
receiving, by the network management server, a third query response sent by the CGN device, wherein the third query response is the response corresponding to the third query request, and the third query response contains the intranet IP address and the intranet port;
sending, by the network management server, a fourth query request to an authentication, authorization and accounting (AAA) server, wherein the fourth query request contains the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port;
receiving, by the network management server, a fourth query response sent by the AAA server, wherein the fourth query response is the response corresponding to the fourth query request, and the fourth query response contains the user information.
14. The method according to claim 13, characterized in that:
the fourth query request is a first Remote Authentication Dial In User Service (RADIUS) protocol message, and the fourth query response is a second RADIUS protocol message.
15. The method according to claim 14, characterized in that:
the intranet IP address and the intranet port are carried in an address and port attribute of the first RADIUS protocol message, and the user information is carried in a user name attribute or a user identity attribute of the first RADIUS protocol message.
16. An apparatus for acquiring user information, characterized by comprising:
a query unit, configured to query an intranet IP address of a client device and an intranet port of the client device according to an external network Internet Protocol (IP) address of the client device and an external network port of the client device;
a sending unit, configured to send a first query request to an authentication, authorization and accounting (AAA) server, wherein the first query request contains the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port;
a receiving unit, configured to receive a first query response sent by the AAA server, wherein the first query response is the response corresponding to the first query request, and the first query response contains the user information.
17. An apparatus for acquiring user information, characterized by comprising:
a sending unit, configured to send a second query request to a carrier-grade network address translation (CGN) device, wherein the second query request contains an external network Internet Protocol (IP) address of a client device and an external network port of the client device, so that the CGN device queries, on the CGN device, an intranet IP address of the client device and an intranet port of the client device according to the external network IP address and the external network port;
a receiving unit, configured to receive a second query response sent by the CGN device, wherein the second query response is the response corresponding to the second query request, and the second query response contains the intranet IP address and the intranet port;
a query unit, configured to query user information of the client device according to the intranet IP address and the intranet port.
18. An apparatus for acquiring user information, characterized by comprising:
a first sending unit, configured to send a third query request to a carrier-grade network address translation (CGN) device, wherein the third query request contains an external network Internet Protocol (IP) address of a client device and an external network port of the client device, so that the CGN device queries, on the CGN device, an intranet IP address and an intranet port of the client device according to the external network IP address and the external network port;
a first receiving unit, configured to receive a third query response sent by the CGN device, wherein the third query response is the response corresponding to the third query request, and the third query response contains the intranet IP address and the intranet port;
a second sending unit, configured to send a fourth query request to an authentication, authorization and accounting (AAA) server, wherein the fourth query request contains the intranet IP address and the intranet port, so that the AAA server queries user information of the client device according to the intranet IP address and the intranet port;
a second receiving unit, configured to receive a fourth query response sent by the AAA server, wherein the fourth query response is the response corresponding to the fourth query request, and the fourth query response contains the user information.
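
The CGN-initiated exchange of claims 1 to 3, sketched as an added example that is not part of the patent text: the CGN resolves an external address and port to the intranet pair, carries that pair to the AAA server as RADIUS-style type-length-value attributes, and reads the user name from the reply. Only the attribute payload is modelled (no RADIUS header or authenticator); the `PORT_ATTR` type number, the port-range session layout, and all addresses and user names are assumptions made for illustration.

```python
import ipaddress
import struct

# User-Name (1) and Framed-IP-Address (8) are standard RADIUS attribute types
# (RFC 2865). PORT_ATTR is a hypothetical type chosen for this sketch: the
# claims only say "address and port attribute" and name no type number.
USER_NAME, FRAMED_IP, PORT_ATTR = 1, 8, 250

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for a_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", a_type, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse TLVs into {type: value}, rejecting truncated or bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[a_type] = data[i + 2:i + length]
        i += length
    return attrs

class AaaServer:
    """Maps an intranet IP address and port to a subscriber."""
    def __init__(self, sessions):
        # Assumed layout: (intranet_ip, port_low, port_high, user_name).
        self.sessions = sessions
    def handle_query(self, request):
        attrs = decode_attrs(request)
        ip_raw, port_raw = attrs.get(FRAMED_IP, b""), attrs.get(PORT_ATTR, b"")
        if len(ip_raw) != 4 or len(port_raw) != 2:
            return b""  # malformed query: answer without user information
        ip = str(ipaddress.IPv4Address(ip_raw))
        (port,) = struct.unpack("!H", port_raw)
        for s_ip, low, high, user in self.sessions:
            if s_ip == ip and low <= port <= high:
                return encode_attrs([(USER_NAME, user.encode())])
        return b""

class CgnDevice:
    """Holds the NAT mapping table and starts the lookup."""
    def __init__(self, nat_table, aaa):
        # nat_table: (ext_ip, ext_port) -> (int_ip, int_port)
        self.nat_table, self.aaa = nat_table, aaa
    def acquire_user_info(self, ext_ip, ext_port):
        mapping = self.nat_table.get((ext_ip, ext_port))
        if mapping is None:
            return None  # no translation entry for this external address/port
        int_ip, int_port = mapping
        request = encode_attrs([
            (FRAMED_IP, ipaddress.IPv4Address(int_ip).packed),
            (PORT_ATTR, struct.pack("!H", int_port)),
        ])
        name = decode_attrs(self.aaa.handle_query(request)).get(USER_NAME)
        return name.decode() if name else None

# Constructed sample data: two subscribers share one intranet address and are
# told apart only by port range, and both are translated to one external IP.
AAA = AaaServer([("100.64.0.5", 1024, 2047, "alice@example"),
                 ("100.64.0.5", 2048, 3071, "bob@example")])
CGN = CgnDevice({("203.0.113.7", 40001): ("100.64.0.5", 1500),
                 ("203.0.113.7", 40002): ("100.64.0.5", 2500)}, AAA)
```

With the sample tables, the same external address resolves to different subscribers depending on the external port, which is why the claims carry the port alongside the address at every hop.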

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2012/070696 WO2013107055A1 (en) 2012-01-21 2012-01-21 Method and apparatus for acquiring user information
CN201280000103.7A CN103503423A (en) 2012-01-21 2012-01-21 Method and apparatus for acquiring user information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/070696 WO2013107055A1 (en) 2012-01-21 2012-01-21 Method and apparatus for acquiring user information

Publications (1)

Publication Number Publication Date
WO2013107055A1 (en) 2013-07-25

Family

ID=48798540

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/070696 WO2013107055A1 (en) 2012-01-21 2012-01-21 Method and apparatus for acquiring user information

Country Status (2)

Country Link
CN (1) CN103503423A (en)
WO (1) WO2013107055A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1972225A (en) * 2005-11-24 2007-05-30 华为技术有限公司 Method for interacting user information between different sub-systems in next generation network
CN101056211A (en) * 2007-06-22 2007-10-17 中兴通讯股份有限公司 A method and system for auditing the network access behavior of the user
CN102036227A (en) * 2009-09-27 2011-04-27 中国移动通信集团公司 Method, system and device for acquiring user identifier of data service
CN102136938A (en) * 2010-12-29 2011-07-27 华为技术有限公司 Method and device for providing user information for carried grade network address translation (CGN) equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101052009B (en) * 2007-05-14 2010-08-18 中兴通讯股份有限公司 Method for realizing internal access by NAT device for private net element using public net address
CN101150519B (en) * 2007-10-30 2010-06-23 杭州华三通信技术有限公司 Control method and device for network address translation service
TWI441493B (en) * 2007-11-27 2014-06-11 Ind Tech Res Inst System and method for connection of hosts behind nats

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9973399B2 (en) 2012-12-27 2018-05-15 Huawei Technologies Co., Ltd. IPV6 address tracing method, apparatus, and system
CN107819889A (en) * 2016-09-14 2018-03-20 华为技术有限公司 A kind of network address translation NAT method, equipment and system
CN107819889B (en) * 2016-09-14 2021-09-07 华为技术有限公司 Method, equipment and system for Network Address Translation (NAT)

Also Published As

Publication number Publication date
CN103503423A (en) 2014-01-08

Similar Documents

Publication Publication Date Title
TWI274491B (en) Network interconnection apparatus, network interconnection method, name resolution apparatus and computer program
US7856023B2 (en) Secure virtual private network having a gateway for managing global ip address and identification of devices
EP1876754A1 (en) Method system and server for implementing dhcp address security allocation
EP2346217B1 (en) Method, device and system for identifying an IPv6 session
US10142159B2 (en) IP address allocation
US9973399B2 (en) IPV6 address tracing method, apparatus, and system
TW201204098A (en) Dynamic service groups based on session attributes
WO2012088911A1 (en) Method and device for ip terminal to access network
WO2016192608A2 (en) Authentication method, authentication system and associated device
US20150244630A1 (en) IPoE DUAL-STACK SUBSCRIBER FOR ROUTED RESIDENTIAL GATEWAY CONFIGURATION
WO2012034413A1 (en) Method for dual stack user management and broadband access server
WO2011144152A1 (en) Method for providing information, home gateway and home network system
WO2013056619A1 (en) Method, idp, sp and system for identity federation
US8769623B2 (en) Grouping multiple network addresses of a subscriber into a single communication session
CN103581350A (en) Method, terminals, equipment and system for publishing Internet services across NAT
US9521033B2 (en) IPoE dual-stack subscriber for bridged residential gateway configuration
WO2015184853A1 (en) Authentication method and apparatus for ipv6 stateless auto-configuration
WO2013120315A1 (en) Method for processing domain name information, wireless router, and client
WO2021121040A1 (en) Broadband access method and apparatus, device, and storage medium
WO2014110912A1 (en) Method and apparatus for accessing demilitarized zone host on local area network
WO2013107055A1 (en) Method and apparatus for acquiring user information
US9319416B2 (en) Priority based radius authentication
WO2013159591A1 (en) Method and apparatus for differentiating wireless terminals
WO2012034428A1 (en) Method and service node for ip address reassignment
WO2012119537A1 (en) Service processing method and system, and set-top box

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12866031

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12866031

Country of ref document: EP

Kind code of ref document: A1