WO2016127583A1 - Authentication processing method and apparatus - Google Patents

Authentication processing method and apparatus

Info

Publication number
WO2016127583A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
diameter
network access
access device
link
Prior art date
Application number
PCT/CN2015/084725
Other languages
English (en)
French (fr)
Inventor
景阳
靳康
张娜
Original Assignee
中兴通讯股份有限公司

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40Support for services or applications


Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses an authentication processing method and apparatus. The authentication processing method for a network access device includes: the network access device receives an authentication packet; the network access device obtains, according to the authentication packet, the authentication type that currently needs to be performed; when the authentication type is the Diameter authentication type, the network access device obtains the link corresponding to the Diameter authentication type; and the network access device sends the authentication packet to a Diameter server through that link. The present invention solves the problem in the related art that the Diameter protocol cannot yet be applied on network access devices, and thereby achieves the effect that a network access device uses the Diameter protocol for packet authentication.

Description

Authentication Processing Method and Apparatus
Technical Field
The present invention relates to the field of communications, and in particular to an authentication processing method and apparatus for a network access device and for a Diameter server.
Background
The Diameter protocol, as the upgraded version of the Radius protocol, has been designated as the next-generation AAA protocol standard by the Authentication, Authorization and Accounting (AAA) working group of the Internet Engineering Task Force (IETF). The Diameter protocol supports authentication, authorization and accounting for Mobile Internet Protocol (IP), Network Access Server (NAS) requests and mobile agents. Its implementation is similar to that of the Radius protocol, and its basic attributes inherit the Radius attribute numbers, but it overcomes many defects of the Radius protocol and is an AAA protocol better suited to future mobile communication systems. Domestically, the Diameter protocol is rarely applied on NAS devices.
No effective solution has yet been proposed for the problem in the related art that the Diameter protocol cannot yet be applied on network access devices.
Summary of the Invention
The present invention provides an authentication processing method and apparatus for a network access device and for a Diameter server, so as to at least solve the problem in the related art that the Diameter protocol cannot yet be applied on network access devices.
According to one embodiment of the present invention, an authentication processing method for a network access device is provided, including: the network access device receives an authentication packet; the network access device obtains, according to the authentication packet, the authentication type that currently needs to be performed; when the authentication type is the Diameter authentication type, the network access device obtains the link corresponding to the Diameter authentication type; and the network access device sends the authentication packet to a Diameter server through the link.
In an embodiment of the present invention, before the network access device receives the authentication packet, the method includes: pre-configuring, in the network access device, the Diameter authentication type and the configuration information of the link.
In an embodiment of the present invention, the configuration information of the link includes at least one of: the link type between the network access device and the Diameter server, the Internet Protocol (IP) address of the Diameter server, the port number of the network access device, and the port number of the Diameter server.
In an embodiment of the present invention, the configuration information of the link includes a Diameter-group number, where the Diameter-group number has a binding relationship with one or more of the links.
In an embodiment of the present invention, the plurality of links bound to the Diameter-group number include an active link and a standby link.
In an embodiment of the present invention, after the network access device sends the authentication packet to the Diameter server through the link, the method includes: receiving indication information sent by the Diameter server that indicates authentication success or authentication failure, and sending the indication information to the user equipment.
According to another embodiment of the present invention, an authentication processing method for a Diameter server is also provided, including: the Diameter server receives an authentication packet from a network access device; and the Diameter server authenticates the authentication packet.
In an embodiment of the present invention, after the Diameter server authenticates the authentication packet, the method includes: the Diameter server sends indication information indicating authentication success or authentication failure to the network access device.
According to one embodiment of the present invention, an authentication processing apparatus for a network access device is also provided, the apparatus being applied to the network access device and including: a first receiving module, configured to receive an authentication packet; a first obtaining module, configured to obtain, according to the authentication packet, the authentication type that currently needs to be performed; a second obtaining module, configured to obtain the link corresponding to the Diameter authentication type when the authentication type is the Diameter authentication type; and a sending module, configured to send the authentication packet to a Diameter server through the link.
In an embodiment of the present invention, the apparatus further includes: a configuration module, configured to pre-configure, in the network access device, the Diameter authentication type and the configuration information of the link.
In an embodiment of the present invention, the configuration information of the link includes at least one of: the link type between the network access device and the Diameter server, the Internet Protocol (IP) address of the Diameter server, the port number of the network access device, and the port number of the Diameter server.
In an embodiment of the present invention, the configuration information of the link includes a Diameter-group number, where the Diameter-group number has a binding relationship with one or more of the links.
In an embodiment of the present invention, the plurality of links bound to the Diameter-group number include an active link and a standby link.
In an embodiment of the present invention, the apparatus further includes: a second receiving module, configured to receive indication information sent by the Diameter server that indicates authentication success or authentication failure, and to send the indication information to the user equipment.
According to another embodiment of the present invention, an authentication processing apparatus for a Diameter server is also provided, the apparatus being applied to a Diameter server and including: a receiving module, configured to receive an authentication packet from a network access device; and an authentication module, configured to authenticate the authentication packet.
In an embodiment of the present invention, the apparatus further includes: a sending module, configured to send indication information indicating authentication success or authentication failure to the network access device.
Through the present invention, the network access device receives an authentication packet; the network access device obtains, according to the authentication packet, the authentication type that currently needs to be performed; when the authentication type is the Diameter authentication type, the network access device obtains the link corresponding to the Diameter authentication type; and the network access device sends the authentication packet to the Diameter server through that link. This solves the problem in the related art that the Diameter protocol cannot yet be applied on network access devices, and thereby achieves the effect that a network access device uses the Diameter protocol for packet authentication.
Brief Description of the Drawings
The drawings described here are provided to give a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a flowchart of an authentication processing method for a network access device according to an embodiment of the present invention;
FIG. 2 is a structural block diagram of an authentication processing apparatus for a network access device according to an embodiment of the present invention;
FIG. 3 is a structural block diagram (1) of an authentication processing apparatus for a network access device according to an embodiment of the present invention;
FIG. 4 is a structural block diagram (2) of an authentication processing apparatus for a network access device according to an embodiment of the present invention;
FIG. 5 is a flowchart of an authentication processing method for a Diameter server according to an embodiment of the present invention;
FIG. 6 is a structural block diagram of an authentication processing apparatus for a Diameter server according to an embodiment of the present invention;
FIG. 7 is a structural block diagram (1) of an authentication processing apparatus for a Diameter server according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the network topology involved in an embodiment of the present invention;
FIG. 9 is a flowchart of packet authentication according to an embodiment of the present invention.
Detailed Description of the Embodiments
The present invention is described in detail below with reference to the drawings and in combination with embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
This embodiment provides an authentication processing method for a network access device. FIG. 1 is a flowchart of the authentication processing method for a network access device according to an embodiment of the present invention; as shown in FIG. 1, the process includes the following steps:
Step S102: the network access device receives an authentication packet;
Step S104: the network access device obtains, according to the authentication packet, the authentication type that currently needs to be performed;
Step S106: when the authentication type is the Diameter authentication type, the network access device obtains the link corresponding to the Diameter authentication type;
Step S108: the network access device sends the authentication packet to the Diameter server through that link.
Through the above steps, once the authentication type is determined to be the Diameter authentication type, the network access device sends the authentication packet to the Diameter server through the link. Compared with the prior art, in which the Diameter protocol is rarely applied on NAS devices, the above steps solve the problem in the related art that the Diameter protocol cannot yet be applied on network access devices, and thereby achieve the effect that a network access device uses the Diameter protocol for packet authentication.
Before the network access device receives the authentication packet, it needs to complete the corresponding configuration in advance. In an optional embodiment, the network access device pre-configures the Diameter authentication type and the configuration information of the link between itself and the Diameter server, so that the network access device and the Diameter server can complete the exchange of authentication packet information.
In an optional embodiment, the configuration information of the link includes at least one of: the link type between the network access device and the Diameter server, the Internet Protocol (IP) address of the Diameter server, the port number of the network access device, and the port number of the Diameter server. In another optional embodiment, the configuration information of the link includes a Diameter-group number, where the Diameter-group number has a binding relationship with one or more of the links.
In an optional embodiment, the plurality of links bound to the Diameter-group number include an active link and a standby link. When the authentication packet is sent to the Diameter server according to the Diameter-group number, it is sent through the active link in the Diameter-group; if that active link fails, the authentication packet is sent to the Diameter server through a standby link.
After the Diameter server completes authentication of the packet, in an optional embodiment, the network access device receives indication information sent by the Diameter server that indicates authentication success or authentication failure, and sends that indication information to the user equipment.
This embodiment also provides an authentication processing apparatus for a network access device, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 2 is a structural block diagram of the authentication processing apparatus for a network access device according to an embodiment of the present invention. The apparatus is applied to the network access device. As shown in FIG. 2, the apparatus includes: a first receiving module 22, configured to receive an authentication packet; a first obtaining module 24, configured to obtain, according to the authentication packet, the authentication type that currently needs to be performed; a second obtaining module 26, configured to obtain the link corresponding to the Diameter authentication type when the authentication type is the Diameter authentication type; and a sending module 28, configured to send the authentication packet to the Diameter server through that link.
FIG. 3 is a structural block diagram (1) of the authentication processing apparatus for a network access device according to an embodiment of the present invention. As shown in FIG. 3, the apparatus further includes: a configuration module 32, configured to pre-configure, in the network access device, the Diameter authentication type and the configuration information of the link.
Optionally, the configuration information of the link includes at least one of: the link type between the network access device and the Diameter server, the Internet Protocol (IP) address of the Diameter server, the port number of the network access device, and the port number of the Diameter server.
Optionally, the configuration information of the link includes a Diameter-group number, where the Diameter-group number has a binding relationship with one or more of the links.
Optionally, the plurality of links bound to the Diameter-group number include an active link and a standby link.
FIG. 4 is a structural block diagram (2) of the authentication processing apparatus for a network access device according to an embodiment of the present invention. As shown in FIG. 4, the apparatus further includes: a second receiving module 42, configured to receive indication information sent by the Diameter server that indicates authentication success or authentication failure, and to send that indication information to the user equipment.
This embodiment also provides an authentication processing method for a Diameter server. FIG. 5 is a flowchart of the authentication processing method for a Diameter server according to an embodiment of the present invention; as shown in FIG. 5, the process includes the following steps:
Step S502: the Diameter server receives an authentication packet from the network access device;
Step S504: the Diameter server authenticates the authentication packet.
Through the above steps, the Diameter server authenticates the authentication packet received from the network access device. Compared with the prior art, in which the Diameter protocol is rarely applied on NAS devices, the above steps solve the problem in the related art that the Diameter protocol cannot yet be applied on network access devices, and thereby achieve the effect that a network access device uses the Diameter protocol for packet authentication.
In an optional embodiment, after the Diameter server authenticates the authentication packet, the Diameter server sends indication information indicating authentication success or authentication failure to the network access device.
This embodiment also provides an authentication processing apparatus for a Diameter server, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 6 is a structural block diagram of the authentication processing apparatus for a Diameter server according to an embodiment of the present invention. The apparatus is applied to a Diameter server. As shown in FIG. 6, the apparatus includes: a receiving module 62, configured to receive an authentication packet from the network access device; and an authentication module 64, configured to authenticate the authentication packet.
FIG. 7 is a structural block diagram (1) of the authentication processing apparatus for a Diameter server according to an embodiment of the present invention. As shown in FIG. 7, the apparatus further includes: a sending module 72, configured to send indication information indicating authentication success or authentication failure to the network access device.
It should be noted that each of the above modules may be implemented by software or by hardware; for the latter, this may be achieved in the following ways, without being limited to them: all of the above modules are located in the same processor; or the above modules are located respectively in a first processor, a second processor, a third processor, … .
In view of the above problems in the related art, a description is given below with reference to an optional embodiment, which combines the above optional embodiments and their optional implementations.
This optional embodiment proposes a method, on a Broadband Remote Access Server (BRAS) device, of sending user authentication packets to a Diameter server for authentication and authorization. This optional embodiment manages Diameter link information in groups: each link has its own link information and connects to a specific Diameter server; a group manages the individual links, and within a group the configuration designates active and standby links, or designates round-robin sending of packets over the links in the group. FIG. 8 is a schematic diagram of the network topology involved in an embodiment of the present invention.
The main steps involved in this optional embodiment are as follows:
BRAS device configuration:
Step 1: Configure the Diameter-link information, which includes link information such as the link type, the peer IP address, the local port number and the peer port number.
Step 2: Configure the Diameter-group information, bind the configured Diameter-link numbers into the Diameter-group, and optionally designate active and standby link numbers; only one link can be designated as the active link.
Step 3: Add the Diameter authentication type under the authentication template.
Step 4: Bind the Diameter-group number under the authentication template.
Step 5: Add the Diameter authorization type under the authorization template.
Step 6: Bind the authentication template and the authorization template from 1 and 2 under the domain template through which the user accesses.
Table 1 lists the basic configuration functions of the Diameter component.
Table 1:
[Table 1 is provided only as image PCTCN2015084725-appb-000001 and is not reproduced in the text.]
Procedure for sending the authentication packet to the Diameter server when a user comes online:
Step 1: When the user authentication packet arrives at the AAA Information Management (AIM) component, the AIM component obtains the domain through which the user accesses.
Step 2: Obtain the authentication template from the domain, and from the authentication template obtain the authentication type (assumed here to be Diameter authentication) and the Diameter-group number.
Step 3: Send the user authentication information and the Diameter-group number to the Diameter component.
Step 4: The Diameter component obtains the Diameter-link configuration under the Diameter-group template, which may include one active link and several candidate links.
Step 5: If the active link is up, send the user authentication packet over the active link; otherwise select the first configured candidate link that is up and send the authentication packet over it.
Table 2 lists the basic configuration functions of the AIM component.
Table 2:
[Table 2 is provided only as image PCTCN2015084725-appb-000002 and is not reproduced in the text.]
In an optional embodiment:
1. Create a Diameter-link configuration template, with the link number as the template parameter. Each Diameter-link template supports configuring the following link information: link state (enable, disable); link IP type; link peer IPv4 address; link peer IPv6 address; link peer port number; link local port number; link connection type (tcp or sctp); link reconnection interval; link local-host parameter; link local-realm parameter; link dest-host parameter; link dest-realm parameter; whether the link may send a Capabilities-Exchange-Request (CER) message; whether the link may send a Device-Watchdog-Request (DWR) message.
2. Create a Diameter-group configuration template, with the group number as the template parameter. Each Diameter-group template can bind one active link and several standby links, together with the number of packet retransmissions and the packet retransmission interval on a single link.
3. Under the authentication template, add the Diameter authentication type and the configuration that binds the Diameter-group.
4. Under the authorization template, add the Diameter authorization type configuration.
5. Bind the authentication template and the authorization template under the domain template.
6. Have the authenticating user access through the domain described in 5 during the authentication process.
7. Find the bound authentication template according to the domain and read the authentication type under it; if it is Diameter authentication, the Diameter-group number must be obtained, and if it cannot be obtained, authentication failure is returned.
8. The AIM component sends the Diameter-group number and the user authentication information to the Diameter component.
9. The Diameter component looks up the Diameter-links bound under the Diameter-group number; if the active link is up, it delivers the authentication packet to the Diameter server using the information configured under the active link; otherwise it selects the first configured standby link that is up and delivers the authentication packet to the corresponding Diameter server. The link information is obtained from the configuration under the Diameter-link template.
10. If authentication passes, the Diameter server returns the authentication success result and the authorization information to the Diameter component; the Diameter component passes this information on to the AIM component, and the AIM component returns the result and the authorization information to the user.
Figure 9 is a flow chart of message authentication according to an embodiment of the present invention; as shown in Figure 9, the flow comprises the following steps:
Step S902: the AIM component obtains the domain through which the user accesses;
Step S904: look up the authentication template by domain;
Step S906: obtain the Diameter authentication type and the Diameter group number from the authentication template;
Step S908: pass the user authentication information and the Diameter group number to the Diameter component;
Step S910: the Diameter component obtains the link numbers configured in the group according to the group number;
Step S912: obtain the information under this link by link number, and send the user authentication message to the Diameter server corresponding to this link;
Step S914: determine whether authentication succeeded; if the result is yes, execute step S916, and if the result is no, execute step S920;
Step S916: send the authentication result and authorization information to the AIM component;
Step S918: the AIM component returns the authorization information and authentication result to the user;
Step S920: notify the AIM component of the authentication failure result;
Step S922: the AIM component notifies the user that authentication failed.
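The following is an added illustration, not code from the patent: a constructed Python model of the link/group configuration from the optional embodiment (items 1 to 9 above) and the Figure 9 flow, showing the domain to template to group to link lookup, the "no Diameter-group means authentication failure" rule of item 7, and the primary-first, first-configured-backup-that-is-up selection of item 9. All class and field names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed (hypothetical) model of the BRAS-side configuration in the embodiment: Diameter-link
# templates, a Diameter-group binding one primary plus backup links, and per-domain auth templates.
@dataclass
class DiameterLink:
    link_id: int
    peer_ip: str
    peer_port: int = 3868
    local_port: int = 3868
    transport: str = "tcp"   # tcp or sctp
    enabled: bool = True     # configured link status (enable/disable)
    up: bool = False         # runtime state: peer reachable ("link is up")

@dataclass
class DiameterGroup:
    group_id: int
    primary: int                                       # exactly one primary link
    backups: List[int] = field(default_factory=list)   # kept in configured order
    retries: int = 3                                   # per-link resend count
    retransmit_interval_s: int = 5

@dataclass
class AuthTemplate:
    auth_type: str                 # "diameter" or another type
    group_id: Optional[int] = None # Diameter-group bound under the template

def select_link(group: DiameterGroup, links: Dict[int, DiameterLink]) -> Optional[DiameterLink]:
    """Item 9: the primary link if it is up, else the first configured backup that is up."""
    for link_id in [group.primary] + group.backups:
        link = links.get(link_id)
        if link is not None and link.enabled and link.up:
            return link
    return None

def route_auth(domain: str, domains: Dict[str, AuthTemplate], groups: Dict[int, DiameterGroup],
               links: Dict[int, DiameterLink]) -> dict:
    """Items 7 to 9 on the AIM/Diameter side: domain -> auth template -> group -> link."""
    tmpl = domains.get(domain)
    if tmpl is None or tmpl.auth_type != "diameter":
        return {"status": "not-diameter"}
    if tmpl.group_id is None or tmpl.group_id not in groups:   # item 7: no group -> fail
        return {"status": "auth-failed", "reason": "no Diameter-group bound"}
    link = select_link(groups[tmpl.group_id], links)
    if link is None:
        return {"status": "auth-failed", "reason": "no usable link in group"}
    return {"status": "send", "link": link.link_id, "transport": link.transport,
            "peer": f"{link.peer_ip}:{link.peer_port}", "retries": groups[tmpl.group_id].retries}
```

Note that backups are tried in configured order rather than by link number, which is what "first configured backup link that is up" requires; a disabled link is skipped even if its peer is reachable.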
In summary, the present invention solves the problem in the related art that the Diameter protocol cannot yet be applied on network access devices, so that a network access device can perform message authentication using the Diameter protocol.
In another embodiment, software is also provided for executing the technical solutions described in the above embodiments and preferred implementations.
In another embodiment, a storage medium is also provided in which the above software is stored; the storage medium includes, without limitation, an optical disc, a floppy disk, a hard disk, a rewritable memory and the like.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they may be implemented in program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device, and in some cases the steps shown or described may be executed in an order different from that given here; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.
The above are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Industrial applicability
Based on the technical solution provided by the embodiments of the present invention, a network access device receives an authentication message; the network access device obtains, according to the authentication message, the authentication type currently to be executed; when the authentication type is the Diameter authentication type, the network access device obtains the link corresponding to the Diameter authentication type; and the network access device sends the authentication message to the Diameter server over that link. This solves the problem in the related art that the Diameter protocol cannot yet be applied on network access devices, so that a network access device can perform message authentication using the Diameter protocol.

Claims (16)

  1. An authentication processing method for a network access device, comprising:
    the network access device receiving an authentication message;
    the network access device obtaining, according to the authentication message, the authentication type currently to be executed;
    when the authentication type is the Diameter authentication type, the network access device obtaining the link corresponding to the Diameter authentication type;
    the network access device sending the authentication message to a Diameter server over the link.
  2. The method according to claim 1, wherein, before the network access device receives the authentication message, the method comprises:
    pre-configuring, in the network access device, the Diameter authentication type and the configuration information of the link.
  3. The method according to claim 2, wherein
    the configuration information of the link comprises at least one of: the link type between the network access device and the Diameter server, the Internet Protocol (IP) address of the Diameter server, the port number of the network access device, and the port number of the Diameter server.
  4. The method according to claim 2, wherein the configuration information of the link comprises:
    a Diameter-group number, wherein the Diameter-group number is bound to one or more of the links.
  5. The method according to claim 4, wherein the plurality of links bound to the Diameter-group number comprise a primary link and a backup link.
  6. The method according to claim 1, wherein, after the network access device sends the authentication message to the Diameter server over the link, the method comprises:
    receiving indication information sent by the Diameter server indicating authentication success or authentication failure, and sending the indication information to the user equipment.
  7. An authentication processing method for a Diameter server, comprising:
    the Diameter server receiving an authentication message from a network access device;
    the Diameter server authenticating the authentication message.
  8. The method according to claim 7, wherein, after the Diameter server authenticates the authentication message, the method comprises:
    the Diameter server sending indication information indicating authentication success or authentication failure to the network access device.
  9. An authentication processing apparatus for a network access device, the apparatus being applied to the network access device and comprising:
    a first receiving module, configured to receive an authentication message;
    a first obtaining module, configured to obtain, according to the authentication message, the authentication type currently to be executed;
    a second obtaining module, configured to obtain, when the authentication type is the Diameter authentication type, the link corresponding to the Diameter authentication type;
    a sending module, configured to send the authentication message to a Diameter server over the link.
  10. The apparatus according to claim 9, further comprising:
    a configuration module, configured to pre-configure, in the network access device, the Diameter authentication type and the configuration information of the link.
  11. The apparatus according to claim 10, wherein the configuration information of the link comprises at least one of: the link type between the network access device and the Diameter server, the Internet Protocol (IP) address of the Diameter server, the port number of the network access device, and the port number of the Diameter server.
  12. The apparatus according to claim 10, wherein the configuration information of the link comprises: a Diameter-group number, wherein the Diameter-group number is bound to one or more of the links.
  13. The apparatus according to claim 12, wherein the plurality of links bound to the Diameter-group number comprise a primary link and a backup link.
  14. The apparatus according to claim 9, further comprising:
    a second receiving module, configured to receive indication information sent by the Diameter server indicating authentication success or authentication failure, and to send the indication information to the user equipment.
  15. An authentication processing apparatus for a Diameter server, the apparatus being applied to the Diameter server and comprising:
    a receiving module, configured to receive an authentication message from a network access device;
    an authentication module, configured to authenticate the authentication message.
  16. The apparatus according to claim 15, further comprising:
    a sending module, configured to send indication information indicating authentication success or authentication failure to the network access device.
PCT/CN2015/084725, priority date 2015-02-15, filing date 2015-07-21, "Authentication processing method and apparatus", WO2016127583A1 (zh)

Applications Claiming Priority (2)

Application Number / Priority Date / Filing Date / Title
CN201510083910.5, 2015-02-15
CN201510083910.5A CN105991597A (zh), 2015-02-15, 2015-02-15, Authentication processing method and apparatus

Publications (1)

Publication Number / Publication Date
WO2016127583A1 (zh), 2016-08-18
Also Published As

Publication Number / Publication Date
CN105991597A (zh), 2016-10-05