CN103546286A - Authentication processing method and device - Google Patents

Publication number: CN103546286A
Application number: CN201210243159.7A
Authority: CN (China)
Prior art keywords: line, authentication, bng, aaa server, server
Legal status: Granted; Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN103546286B (en)
Inventors: 尤建洁, 王怀滨, 张如通
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Events: application filed by ZTE Corp; priority to CN201210243159.7A; publication of CN103546286A; application granted; publication of CN103546286B; anticipated expiration
Abstract

The invention provides an authentication processing method and device. In the method, a broadband network gateway (BNG) receives first authentication request information for authenticating user equipment (UE); the request carries an identifier of the UE and parameters of the physical link over which the UE accesses the network. The BNG generates a first line identifier for the UE from these parameters and sends it to an authentication, authorization and accounting (AAA) server, which authenticates the UE according to the line identifier. This solves the problem in the prior art that a physical-link-based authentication method cannot implicitly authenticate a single terminal on a shared physical link, so that individual terminals on the same physical link can be authenticated implicitly and the flexibility requirement on terminal equipment is met.

Description

Authentication method and device
Technical field
The present invention relates to the communications field, and in particular to an authentication method and device.
Background technology
A residential gateway (RG) is the centralized intelligent interface that connects the home network to the external network and acts as the controller and coordinator of that connection. The Broadband Forum (BBF), an international standards body, carries out standardization work on broadband, covering among other things the authentication and policy control of fixed-network terminal equipment such as the RG. For the role of the RG, and for terminal equipment attached to the network through the RG, BBF provides several authentication schemes. However, as the demands on user experience and on the flexibility of terminal equipment keep rising, the current authentication schemes no longer meet the situation.
For example, when a user requests network access, the network authenticates the user. Authentication modes are conventionally divided into explicit authentication and implicit authentication. In explicit authentication the user must provide a user name and password and is aware of the authentication process; in implicit authentication the user provides no user name or password, the network authenticates the user by the physical link the user is on, and the user does not perceive the process. Explicit authentication requires the user name and password to be entered every time and generally gives a poorer user experience; implicit authentication is performed at the granularity of the physical link, is not perceived by the user, and gives a better experience than explicit authentication. However, when several terminal devices are connected under one physical link, the related art authenticates at physical-link granularity and cannot implicitly authenticate a single terminal under the same physical link, so it has a certain limitation.
Therefore, the related art has the problem that a physical-link-based authentication method cannot implicitly authenticate a single terminal under the same physical link.
Summary of the invention
The invention provides an authentication method and device that at least solve the problem that the prior-art physical-link-based authentication method cannot implicitly authenticate a single terminal under the same physical link.
According to one aspect of the invention, an authentication method is provided, comprising: a broadband network gateway (BNG) receives first authentication request information for authenticating user equipment (UE), where the first authentication request information carries parameter information identifying the UE and parameter information of the physical link over which the UE accesses the network; the BNG generates a first line identifier for the UE according to the parameter information; the BNG sends the first line identifier to an authentication, authorization and accounting (AAA) server, where the AAA server authenticates the UE according to the line identifier.
Preferably, after the BNG sends the first line identifier to the AAA server, and when the AAA server has authenticated the UE as legitimate, the method further comprises: the BNG sends a session establishment request to a policy server, where the session request carries the first line identifier corresponding to the UE and the policy server generates a policy for the UE according to the first line identifier.
Preferably, after the BNG sends the line identifier to the AAA server, and when the AAA server has authenticated the UE as legitimate, the method further comprises: the BNG receives second authentication request information for authenticating the UE again; the BNG generates a second line identifier according to the second authentication request information; the BNG sends the second line identifier generated from the second authentication request information to the AAA server, where the AAA server authenticates the UE according to the second line identifier and the first line identifier stored after the UE was authenticated as legitimate.
Preferably, after the BNG sends the second line identifier generated from the second authentication request information to the AAA server, and when the AAA server has authenticated the UE as legitimate according to the second line identifier and the first line identifier, the method further comprises: the BNG receives an authentication accept message sent by the AAA, where the authentication accept message carries the user name of the UE.
Preferably, after the BNG sends the first line identifier to the AAA server, and when the AAA server has authenticated the UE as illegitimate, the method further comprises: the BNG receives the first authentication request information sent by a Portal server, where the Portal server obtains user information identifying the UE after interacting with the UE.
Preferably, the parameter information identifying the UE comprises at least one of: the media access control (MAC) address of the UE, and the serial number (SN) of the UE.
According to another aspect of the invention, an authentication device is provided, located in a broadband network gateway (BNG), comprising: a first receiving module, configured to receive first authentication request information for authenticating user equipment (UE), where the first authentication request information carries parameter information identifying the UE and parameter information of the physical link over which the UE accesses the network; a first generation module, configured to generate a first line identifier for the UE according to the parameter information; and a first sending module, configured to send the first line identifier to an authentication, authorization and accounting (AAA) server, where the AAA server authenticates the UE according to the first line identifier.
Preferably, the device further comprises a second sending module, configured to send a session establishment request to a policy server after the BNG has sent the first line identifier to the AAA server and when the AAA server has authenticated the UE as legitimate, where the session request carries the first line identifier corresponding to the UE and the policy server generates a policy for the UE according to the first line identifier.
Preferably, the device further comprises: a second receiving module, configured to receive second authentication request information for authenticating the UE again, after the line identifier has been sent to the AAA server and when the AAA server has authenticated the UE as legitimate; a second generation module, configured to generate a second line identifier according to the second authentication request information; and a third sending module, configured to send the second line identifier generated from the second authentication request information to the AAA server, where the AAA server authenticates the UE according to the second line identifier and the first line identifier stored after the UE was authenticated as legitimate.
Preferably, the device further comprises a third receiving module, configured to receive an authentication accept message sent by the AAA after the BNG has sent the second line identifier generated from the second authentication request information to the AAA server and when the AAA server has authenticated the UE as legitimate according to the second line identifier and the first line identifier, where the authentication accept message carries the user name of the UE.
Preferably, the device further comprises a fourth receiving module, configured to receive the first authentication request information sent by a Portal server after the BNG has sent the first line identifier to the AAA server and when the AAA server has authenticated the UE as illegitimate, where the Portal server obtains the user information of the UE after interacting with the UE.
By the invention, a broadband network gateway (BNG) receives first authentication request information for authenticating user equipment (UE), where the first authentication request information carries parameter information identifying the UE and parameter information of the physical link over which the UE accesses the network; the BNG generates a first line identifier for the UE according to the parameter information; and the BNG sends the first line identifier to an authentication, authorization and accounting (AAA) server, where the AAA server authenticates the UE according to the line identifier. This solves the problem in the related art that a physical-link-based authentication method cannot implicitly authenticate a single terminal under the same physical link, and thereby achieves implicit authentication of a single terminal under the same physical link and meets the flexibility requirement on terminal equipment.
Accompanying drawing explanation
The drawings described here are provided for a further understanding of the invention and form part of this application; the schematic embodiments of the invention and their description explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a flow chart of the authentication method according to an embodiment of the invention;
Fig. 2 is a structural block diagram of the authentication device according to an embodiment of the invention;
Fig. 3 is preferred structural block diagram one of the authentication device according to an embodiment of the invention;
Fig. 4 is preferred structural block diagram two of the authentication device according to an embodiment of the invention;
Fig. 5 is preferred structural block diagram three of the authentication device according to an embodiment of the invention;
Fig. 6 is preferred structural block diagram four of the authentication device according to an embodiment of the invention;
Fig. 7 is a flow chart of physical-link-based RG authentication in the related art;
Fig. 8 is a flow chart of authentication and policy control when a UE first attaches through a routed RG according to an embodiment of the invention;
Fig. 9 is a flow chart of authentication and policy control when a UE re-attaches through a routed RG according to an embodiment of the invention;
Fig. 10 is a flow chart of authentication and policy control when a UE first attaches through a bridged RG according to an embodiment of the invention;
Fig. 11 is a flow chart of authentication and policy control when a UE re-attaches through a bridged RG according to an embodiment of the invention.
Embodiment
The invention is described in detail below with reference to the drawings and in conjunction with embodiments. Where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another.
This embodiment provides an authentication method. Fig. 1 is a flow chart of the authentication method according to an embodiment of the invention; as shown in Fig. 1, the flow comprises the following steps:
Step S102, a broadband network gateway (BNG) receives first authentication request information for authenticating user equipment (UE), where the first authentication request information carries parameter information identifying the UE and parameter information of the physical link over which the UE accesses the network, and where the parameter information identifying the UE may comprise at least one of: the media access control (MAC) address of the UE, and the serial number (SN) of the UE;
Step S104, the BNG generates a first line identifier for the UE according to the above parameter information;
Step S106, the BNG sends the first line identifier to an authentication, authorization and accounting (AAA) server, where the AAA server authenticates the UE according to the first line identifier.
Through the above steps, authentication is performed according to a first line identifier generated for the UE from the identifier of the UE, which distinguishes individual users. Compared with the prior art, which authenticates all UEs on the same physical link as a whole and cannot authenticate a single UE under that link, this not only overcomes the existing limitation but also achieves implicit authentication of a single terminal under the same physical link and meets the flexibility requirement on terminal equipment.
The AAA server authenticates the UE according to the line identifier. This may be the UE's first authentication or a later one, and in either case the result may be legitimate or illegitimate, so the above steps are handled differently depending on whether the AAA server authenticates the line identifier successfully. For example, after the BNG sends the first line identifier to the AAA server and the AAA server authenticates the UE according to it during the UE's first authentication, the AAA server may find the UE illegitimate. In that case the BNG receives authentication request information sent by a Portal server (this request corresponds to the first authentication request information in the above steps, and the subsequent steps are executed according to it). This first authentication request information carries user information of the UE, which the Portal server obtains by interacting with the UE in order to identify the UE (the user information may be the user's user name and password). The BNG then performs the subsequent authentication processing according to the received first authentication request information.
After the BNG sends the first line identifier to the AAA server, and when the AAA server authenticates the UE as legitimate, the BNG may also send a session establishment request to a policy server, where the session request carries the first line identifier corresponding to the UE and the policy server generates a policy for the UE according to that line identifier. Note that the AAA server authenticating the UE as legitimate may occur at a first authentication or at a later one. In either case, as long as the AAA server authenticates the UE as legitimate, it sends an authentication accept message to the BNG carrying the user name of the UE; the BNG then passes the received user name of the UE and the line identifier that passed authentication to the policy server, which generates a policy according to this information.
More preferably, after the BNG sends the line identifier to the AAA server, and when the AAA server authenticates the UE as legitimate, the method further comprises: the BNG receives second authentication request information for authenticating the UE again; the BNG generates a second line identifier according to the second authentication request information; the BNG sends the second line identifier generated from the second authentication request information to the AAA server, where the AAA server authenticates the UE according to the second line identifier and the first line identifier stored after the UE was authenticated as legitimate. That is, when the AAA server authenticates the UE as legitimate, it stores the first line identifier that passed authentication; when the UE corresponding to that first line identifier requests authentication again, the first line identifier is identical to the second line identifier generated from the second request, and the UE is thereby authenticated.
Preferably, after the BNG generates the line identifier for the UE from the parameter information, the BNG may also store and maintain the correspondence between the UE and its line identifier. Such processing is not normally required, but adopting it means the BNG need not regenerate the line identifier when the UE authenticates next time: it directly retrieves the stored line identifier corresponding to the UE and performs the subsequent authentication operations with it.
When the BNG receives authentication request information for authenticating the UE, it may receive it through a routed residential gateway (RG) and/or a bridged RG. The steps performed differ slightly between RG types, but these differences arise only from the RG type; the processing steps themselves do not differ substantially.
This embodiment also provides an authentication device, which implements the above embodiment and preferred implementations; what has already been explained is not repeated. As used below, the term "module" may be implemented as a combination of software and/or hardware with a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware or in a combination of software and hardware is also possible and contemplated.
Fig. 2 is a structural block diagram of the authentication device according to an embodiment of the invention. As shown in Fig. 2, the device is located in a broadband network gateway (BNG) and comprises a first receiving module 22, a first generation module 24 and a first sending module 26, which are described below.
The first receiving module 22 is configured to receive first authentication request information for authenticating user equipment (UE), where the first authentication request information carries parameter information identifying the UE and parameter information of the physical link over which the UE accesses the network; the first generation module 24, connected to the first receiving module 22, is configured to generate a first line identifier for the UE according to the parameter information; the first sending module 26, connected to the first generation module 24, is configured to send the first line identifier to an authentication, authorization and accounting (AAA) server, where the AAA server authenticates the UE according to the first line identifier.
Fig. 3 is preferred structural block diagram one of the authentication device according to an embodiment of the invention. As shown in Fig. 3, in addition to all the modules shown in Fig. 2, the device comprises a second sending module 32, described below.
The second sending module 32, connected to the first sending module 26, is configured to send a session establishment request to the policy server after the BNG has sent the line identifier to the AAA server and when the AAA server has authenticated the UE as legitimate, where the session request carries the first line identifier corresponding to the UE and the policy server generates a policy for the UE according to that first line identifier.
Fig. 4 is preferred structural block diagram two of the authentication device according to an embodiment of the invention. As shown in Fig. 4, in addition to all the modules shown in Fig. 2, the device comprises a second receiving module 42, a second generation module 44 and a third sending module 46, described below.
The second receiving module 42, connected to the first sending module 26, is configured to receive second authentication request information for authenticating the UE again, after the line identifier has been sent to the AAA server and when the AAA server has authenticated the UE as legitimate; the second generation module 44, connected to the second receiving module 42, is configured to generate a second line identifier according to the second authentication request information; the third sending module 46, connected to the second generation module 44, is configured to send the second line identifier generated from the second authentication request information to the AAA server, where the AAA server authenticates the UE according to the second line identifier and the first line identifier stored after the UE was authenticated as legitimate.
Fig. 5 is preferred structural block diagram three of the authentication device according to an embodiment of the invention. As shown in Fig. 5, in addition to all the modules shown in Fig. 4, the device comprises a third receiving module 52, described below.
The third receiving module 52, connected to the third sending module 46, is configured to receive an authentication accept message sent by the AAA after the BNG has sent the second line identifier generated from the second authentication request information to the AAA server and when the AAA server has authenticated the UE as legitimate according to the second line identifier and the first line identifier, where the authentication accept message carries the user name of the UE.
Fig. 6 is preferred structural block diagram four of the authentication device according to an embodiment of the invention. As shown in Fig. 6, in addition to all the modules shown in Fig. 2, the device comprises a fourth receiving module 62, described below.
The fourth receiving module 62, connected to the first sending module 26, is configured to receive the first authentication request information sent by the Portal server after the BNG has sent the first line identifier to the AAA server and when the AAA server has authenticated the UE as illegitimate, where the Portal server obtains the user information of the UE after interacting with the UE.
The user authentication method provided by the above embodiment and preferred implementations solves the problem in the related art that a physical-link-based authentication method cannot implicitly authenticate a single terminal under the same physical link. In addition, the authentication methods listed above can be combined with policy control to provide a new policy control method. The steps performed differ according to the type of residential gateway to which the UE is attached; the routed RG and the bridged RG are described below as examples.
Routed RG:
The UE attaches to the RG and initiates an address request. The RG initiates an authentication request to the broadband network gateway (BNG) on behalf of the attached UE, where the authentication request carries the media access control (MAC) address and/or the serial number (SN) of the UE. The BNG constructs a line identifier (Line ID) for the UE from the MAC address or SN of the UE carried in the authentication request and the physical link information over which the UE accesses.
The BNG initiates an authentication request to the fixed-network AAA, where the authentication request the BNG initiates to the fixed-network AAA carries the line identifier of the UE.
The fixed-network AAA checks this line identifier. If the AAA judges the line identifier legitimate, it replies to the BNG with an authentication accept message carrying the user name corresponding to the line identifier. More preferably, the BNG may also initiate a session establishment request to the policy server carrying parameters such as the user name and/or IP address and/or line identifier of the UE; the policy server then formulates a QoS policy for the UE according to the received parameters.
If the AAA judges the line identifier illegitimate, it replies to the BNG with an authentication reject message, and the BNG replies to the RG with an authentication reject message. When the UE initiates an HTTP request, the RG redirects the user's request to the Portal server, where the request the RG sends to the Portal server carries the MAC address or SN of the UE. The UE and the Portal server exchange the user name and password. The Portal server initiates an authentication request to the RG carrying the user name, password and the MAC address or SN of the UE. The RG forwards the authentication request message to the BNG, and the BNG constructs a line identifier (Line ID) for the UE from the MAC address or SN of the UE and the physical link over which the UE accesses. At the same time the BNG maintains the binding between the user name and the line identifier. The BNG then sends the line identifier, user name and password to the fixed-network AAA; if authentication succeeds, the AAA stores the line identifier of the UE.
Bridged RG:
The UE accesses from the fixed access network and initiates an address request to the BNG. The BNG constructs a line identifier (Line ID) for the UE from the MAC address or SN of the UE and the physical link information over which the UE accesses.
The BNG initiates an authentication request to the fixed-network AAA, where the authentication request the BNG initiates to the fixed-network AAA carries the line identifier of the UE.
The fixed-network AAA checks this line identifier. If it judges the line identifier legitimate, it replies to the BNG with an authentication accept message carrying the user name corresponding to the line identifier. More preferably, the BNG may also initiate a session establishment request to the policy server carrying parameters such as the user name and/or IP address and/or line identifier of the UE; the policy server formulates a QoS policy for the UE according to the received parameters.
If the AAA judges the line identifier illegitimate, it replies to the BNG with an authentication reject message. When the UE initiates an HTTP request, the BNG redirects the user's request to the Portal server, where the request the BNG sends to the Portal server carries the MAC address or SN of the UE. The UE and the Portal server exchange the user name and password. The Portal server initiates an authentication request to the BNG carrying the user name, password and the MAC address or SN of the UE. The BNG constructs a line identifier (Line ID) for the UE from the MAC address or SN of the UE and the physical link over which the UE accesses. At the same time the BNG maintains the binding between the user name and the line identifier. The BNG sends the line identifier, user name and password to the fixed-network AAA; if authentication succeeds, the AAA stores the line identifier of the UE.
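The flow of steps S102 to S106 and the routed/bridged RG procedures above (first attach rejected, explicit portal authentication, AAA storing the line identifier, later attaches accepted implicitly, policy session requested on acceptance) can be simulated end to end. The following Python is an added illustration, not code from the patent or from ZTE; the encoding of the line identifier, the constructed access-loop string and MAC addresses, the in-memory subscriber table and the message shapes are all assumptions, since the page fixes none of them.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data: one access loop (assumed Agent Circuit ID string in the
# page's "Access-Node-Identifier eth slot/port[:vlan-id]" form) with two UEs on it.
ACCESS_LOOP = "Access-Node-Identifier eth 1/3:100"
UE_A_MAC = "00:11:22:33:44:55"
UE_B_MAC = "00:11:22:33:44:66"

# Constructed subscriber table used by the portal/AAA credential check (username ->
# password). A real AAA would hold salted password hashes; plain text keeps the
# simulation short.
SUBSCRIBERS = {"alice": "alice-pass", "bob": "bob-pass"}


def make_line_id(link_params: str, ue_identifier: str) -> str:
    """Step S104: build a per-UE line identifier from the physical link parameters
    and the UE's MAC address or SN. The page fixes no encoding; this assumed one
    joins the two fields so that two UEs on the same loop get different identifiers
    while the same UE on the same loop always gets the same one."""
    return f"{link_params.strip()}|ue={ue_identifier.strip().lower()}"


@dataclass
class AAAServer:
    """Fixed-network AAA: remembers line identifiers bound to a user name after a
    successful explicit (portal) authentication."""
    subscribers: dict
    bound_lines: dict = field(default_factory=dict)  # line_id -> username

    def authenticate_line(self, line_id: str):
        """Step S106 and re-attach: implicit authentication by line identifier.
        Returns ('accept', username) or ('reject', None)."""
        username = self.bound_lines.get(line_id)
        return ("reject", None) if username is None else ("accept", username)

    def authenticate_credentials(self, line_id: str, username: str, password: str):
        """Explicit authentication after the portal exchange; on success the AAA
        stores the UE's line identifier so later attaches can be implicit."""
        expected = self.subscribers.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return ("reject", None)
        self.bound_lines[line_id] = username
        return ("accept", username)


@dataclass
class BNG:
    aaa: AAAServer
    line_cache: dict = field(default_factory=dict)        # optional UE -> line_id store
    policy_sessions: list = field(default_factory=list)   # requests sent to the policy server

    def line_id_for(self, link_params: str, ue_identifier: str) -> str:
        # Optional maintenance of the UE <-> line identifier correspondence, so the
        # BNG does not regenerate the identifier at the next authentication.
        key = (link_params, ue_identifier)
        if key not in self.line_cache:
            self.line_cache[key] = make_line_id(link_params, ue_identifier)
        return self.line_cache[key]

    def attach(self, link_params: str, ue_identifier: str):
        """Steps S102-S106: a (first or repeated) authentication request for a UE."""
        line_id = self.line_id_for(link_params, ue_identifier)
        result, username = self.aaa.authenticate_line(line_id)
        if result == "accept":
            # Legitimate: session establishment request to the policy server carrying
            # the line identifier and the user name returned in the accept message.
            self.policy_sessions.append({"line_id": line_id, "username": username})
        return result, username

    def portal_auth(self, link_params: str, ue_identifier: str, username: str, password: str):
        """Illegitimate path: the Portal server forwards the credentials collected
        from the UE together with its MAC/SN; the BNG rebuilds the line identifier and
        sends line identifier, user name and password to the AAA."""
        line_id = self.line_id_for(link_params, ue_identifier)
        result, user = self.aaa.authenticate_credentials(line_id, username, password)
        if result == "accept":
            self.policy_sessions.append({"line_id": line_id, "username": user})
        return result, user


def run_scenario() -> dict:
    """First attach rejected, portal auth accepted, re-attach accepted implicitly,
    while a second UE on the same loop is still rejected."""
    bng = BNG(AAAServer(SUBSCRIBERS))
    first = bng.attach(ACCESS_LOOP, UE_A_MAC)
    portal = bng.portal_auth(ACCESS_LOOP, UE_A_MAC, "alice", "alice-pass")
    again = bng.attach(ACCESS_LOOP, UE_A_MAC)
    other = bng.attach(ACCESS_LOOP, UE_B_MAC)
    return {"first": first, "portal": portal, "reattach": again,
            "other_ue": other, "sessions": len(bng.policy_sessions)}


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes visible is that the AAA only ever binds a line identifier after an explicit credential check, so a second device on the same loop starts from a rejected state rather than inheriting the first device's authentication; the strength of the later implicit acceptance is exactly the strength of the UE identifier (MAC or SN) that the RG reports into the line identifier.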
Fig. 7 is a flow chart of RG authentication based on the physical link in the related art. It should be noted that this RG authentication procedure is one link in implementing the embodiments and preferred implementations of the present invention. As shown in Fig. 7, the procedure comprises the following steps:
Step S702: the RG sends a Point-to-Point Protocol over Ethernet (PPPoE) authentication request message to the BNG, wherein the PPPoE authentication request message carries the user name and password of the RG;
Step S704: after receiving the authentication request message from the RG, the BNG obtains the physical link information of the RG (the Agent Circuit ID parameter, which the access node inserts as the PPPoE message initiated by the RG passes through it) and the MAC address of the RG, and at the same time sends an authentication access request message to the BBF AAA server, wherein the authentication access request message carries the user name and password of the RG;
Step S706: the BBF AAA server authenticates the RG according to the authentication access request message; if the RG passes authentication, the BBF AAA server replies to the BNG with an authentication accept message, and the BNG saves the physical link information and the MAC address of the RG;
Step S708: the BNG replies to the RG with an authentication success message.
Fig. 8 is a flow chart of authentication and policy control when a UE first attaches behind a routed RG according to an embodiment of the present invention. As shown in Fig. 8, the procedure comprises the following steps:
Step S802: the UE sends an IP address request (for example, a DHCP Discover message) to the RG, wherein the IP address request carries the MAC address or SN of the UE;
Step S804: the RG allocates a private-network IP address to the UE and records the MAC address or SN of the UE;
Step S806: the RG sends an authentication access request message to the BNG in order to authenticate whether the UE is legitimate; specifically, the RG inserts the MAC address or SN of the UE into this authentication request message;
Step S808: after receiving the authentication access request message, the BNG obtains the physical link information of the UE, for example the port number and virtual circuit parameters. For example, the physical link information may be "Access-Node-Identifier atm slot/port:vpi.vci" (ATM/DSL scenario) or "Access-Node-Identifier eth slot/port[:vlan-id]" (Ethernet scenario);
Specifically, when the RG is of the routed type, the physical link information of the UE is the same as that of the RG. The BNG obtains the physical link information of the RG by the MAC address of the RG (corresponding to the procedure of the embodiment shown in Fig. 7), and thereby obtains the physical link information of the UE. The BNG then generates a line identifier for the UE from the physical link information of the UE and the MAC address or SN of the UE, and sends it to the BBF Authentication, Authorization and Accounting (AAA) server.
Step S810: the BBF AAA server authenticates the line identifier; if the line identifier is illegitimate, it replies to the BNG with an authentication access-reject message;
Step S812: the BNG replies to the RG with an authentication access-reject message;
Step S814: the UE initiates an HTTP request to access an external service website;
Step S816: since the UE has not yet passed authentication, the RG replies to the UE with an HTTP response message that pushes the Portal authentication address; specifically, the RG also inserts the MAC address or SN of the UE into this HTTP response message;
Step S818: the UE sends an HTTP request message to the Portal server to request authentication; this request message also carries the MAC address or SN of the UE;
Step S820: the Portal server sends an HTTP response message to the UE, that is, it pushes the authentication page;
Step S822: the UE enters information such as the user name and password on the authentication page and sends it to the Portal server;
Step S824: the Portal server sends an authentication request message to the RG, wherein the authentication request message carries the user name, the password, and the MAC address or SN of the UE;
Step S826: the RG sends an authentication request message to the BNG, wherein the authentication request message carries the user name, the password, and the MAC address or SN of the UE;
Step S828: after receiving the authentication access request message, the BNG obtains the physical link information of the UE, for example the port number and virtual circuit parameters (for example "Access-Node-Identifier atm slot/port:vpi.vci" in the ATM/DSL scenario or "Access-Node-Identifier eth slot/port[:vlan-id]" in the Ethernet scenario); it obtains the line identifier of the UE according to the MAC address or SN of the UE (the line identifier generated in step S808), and then sends the user name, password and line identifier of the UE to the BBF AAA server;
Step S830: the BBF AAA server authenticates the user; if the user is legitimate, the BBF AAA server saves the user's line identifier and at the same time replies to the BNG with an authentication accept message;
Step S832: the BNG replies to the RG with an authentication accept message;
Step S834: the RG replies to the Portal server with an authentication response message indicating that the current UE has passed authentication;
Step S836: the Portal server replies to the UE with a response message notifying the UE that authentication has passed;
Step S838: the RG sends an accounting start message to the BNG, wherein the accounting start message carries the external IP address of the UE and the port set that the RG allocated to the UE;
Step S840: the BNG sends an accounting start message to the BBF AAA server, wherein the accounting start message carries the external IP address of the UE and the port set that the RG allocated to the UE;
Step S842: the BNG initiates a session establishment request message to the Policy Server, wherein the session establishment request message carries the external IP address of the UE and the port set that the RG allocated to the UE, and/or the user name, and/or the line identifier.
Fig. 9 is a flow chart of authentication and policy control when a UE re-attaches behind a routed RG according to an embodiment of the present invention. As shown in Fig. 9, the procedure comprises the following steps:
Step S902: the UE sends an IP address request (for example, a DHCP Discover message) to the RG, wherein the IP address request carries the MAC address or SN of the UE;
Step S904: the RG allocates a private-network IP address to the UE and records the MAC address or SN of the UE;
Step S906: the RG sends an authentication access request message to the BNG in order to authenticate whether the UE is legitimate; specifically, the RG inserts the MAC address or SN of the UE into this authentication request message;
Step S908: after receiving the authentication access request message, the BNG obtains the physical link information of the UE, for example the port number and virtual circuit parameters. For example, the physical link information may be "Access-Node-Identifier atm slot/port:vpi.vci" (ATM/DSL scenario) or "Access-Node-Identifier eth slot/port[:vlan-id]" (Ethernet scenario);
Specifically, when the RG is of the routed type, the physical link information of the UE is the same as that of the RG. The BNG obtains the physical link information of the RG by the MAC address of the RG (corresponding to the procedure of the embodiment shown in Fig. 6), and thereby obtains the physical link information of the UE. The BNG then generates a line identifier for the UE from the physical link information of the UE and the MAC address or SN of the UE, and sends it to the BBF AAA server. If the BNG can directly look up the saved line identifier of the UE by the MAC address or SN of the UE, it need not regenerate it.
Step S910: the BBF AAA server authenticates the line identifier; if the line identifier is legitimate, it replies to the BNG with an authentication accept message, wherein the authentication accept message carries the user name of the UE;
Step S912: the BNG replies to the RG with an authentication accept message;
Step S914: the RG sends an accounting start message to the BNG, wherein the accounting start message carries the external IP address of the UE and the port set that the RG allocated to the UE;
Step S916: the BNG sends an accounting start message to the BBF AAA server, wherein the accounting start message carries the external IP address of the UE and the port set that the RG allocated to the UE;
Step S918: the BNG initiates a session establishment request message to the policy server, wherein the session establishment request message carries the external IP address of the UE and the port set that the RG allocated to the UE, and/or the user name, and/or the line identifier.
Fig. 10 is a flow chart of authentication and policy control when a UE first attaches behind a bridged RG according to an embodiment of the present invention. As shown in Fig. 10, the procedure comprises the following steps:
Step S1002: the user equipment (UE) sends an IP address request (for example, a DHCP Discover message) to the BNG, wherein the IP address request carries the MAC address or SN of the UE;
Step S1004: the BNG allocates an IP address to the UE and records the MAC address or SN of the UE;
Step S1006: the BNG sends an authentication access request message to the BBF AAA server in order to authenticate whether the UE is legitimate; specifically, the BNG constructs a line identifier (Line ID) for the UE from the physical link information of the UE carried upstream in the DHCP message, that is, the Option 82 option in the DHCP Discover message, together with the MAC address or SN of the UE, and sends it to the BBF AAA server;
Step S1008: the BBF AAA server authenticates the line identifier; if the line identifier is illegitimate, it replies to the BNG with an authentication access-reject message;
Step S1010: the UE initiates an HTTP request to access an external service website;
Step S1012: since the UE has not yet passed authentication, the BNG replies to the UE with an HTTP response message that pushes the Portal authentication address; specifically, the BNG also inserts the MAC address or SN of the UE into this HTTP response message;
Step S1014: the UE sends an HTTP request message to the Portal server to request authentication; this request message also carries the MAC address or SN of the UE;
Step S1016: the Portal server sends an HTTP response message to the UE, that is, it pushes the authentication page;
Step S1018: the UE enters information such as the user name and password on the authentication page and sends it to the Portal server;
Step S1020: the Portal server sends an authentication request message to the BNG, wherein the authentication request message carries the user name, the password, and the MAC address or SN of the UE;
Step S1022: after receiving the authentication access request message, the BNG obtains the line identifier of the UE according to the MAC address or SN of the UE, and then sends the user name, password and line identifier of the UE to the BBF AAA server;
Step S1024: the BBF AAA server authenticates the user; if the user is legitimate, the BBF AAA server saves the user's line identifier and at the same time replies to the BNG with an authentication accept message;
Step S1026: the BNG replies to the Portal server with an authentication response message indicating that the current UE has passed authentication;
Step S1028: the Portal server replies to the UE with a response message notifying the UE that authentication has passed;
Step S1030: the BNG sends an accounting start message to the BBF AAA server, wherein the accounting start message carries the IP address of the UE;
Step S1032: the BNG initiates a session establishment request message to the policy server, wherein the session establishment request message carries the IP address of the UE, and/or the user name, and/or the line identifier.
Fig. 11 is a flow chart of authentication and policy control when a UE re-attaches behind a bridged RG according to an embodiment of the present invention. As shown in Fig. 11, the procedure comprises the following steps:
Step S1102: the UE sends an IP address request (for example, a DHCP Discover message) to the BNG, wherein the IP address request carries the MAC address or SN of the UE;
Step S1104: the BNG allocates an IP address to the UE and records the MAC address or SN of the UE;
Step S1106: the BNG sends an authentication access request message to the BBF AAA server in order to authenticate whether the UE is a legitimate user; specifically, the BNG constructs a line identifier (Line ID) for the UE from the physical link information of the UE carried upstream in the DHCP message, that is, the Option 82 option in the DHCP Discover message, together with the MAC address or SN of the UE, and sends it to the BBF AAA server. If the BNG can directly look up the saved line identifier of the UE by the MAC address or SN of the UE, it need not regenerate it.
Step S1108: the BBF AAA server authenticates the line identifier; if the line identifier is legitimate, it replies to the BNG with an authentication accept message, and the reply message carries the user name of the UE;
Step S1110: the BNG sends an accounting start message to the BBF AAA server, wherein the accounting start message carries the IP address of the UE;
Step S1112: the BNG initiates a session establishment request message to the policy server, wherein the session establishment request message carries the IP address of the UE, and/or the user name, and/or the line identifier.
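As an added example that is not part of the patent, the following Python models the line-identifier flows of Figs. 8 to 11 at the BNG and the BBF AAA server: first attach (line identifier unknown, Portal login binds it), re-attach (implicit accept by line identifier), and the routed-RG case where the UE inherits the physical link stored for the RG. The circuit identifiers, MAC addresses and credentials are constructed; the Line ID format (physical link string joined to the UE MAC/SN) is this example's own choice.

```python
"""Line-ID based UE authentication at a BNG (added illustration, not patent code)."""
import hmac

ACCEPT, REJECT = "Access-Accept", "Access-Reject"


class AaaServer:
    """BBF AAA: authenticates by a stored Line ID, or by user name and password."""

    def __init__(self, credentials):
        self._creds = credentials   # user name -> password (constructed sample)
        self._lines = {}            # Line ID -> user name, saved after a successful login

    def auth_by_line(self, line_id):
        # Steps S810/S1008 (first attach) and S910/S1108 (re-attach): the accept
        # message carries the user name bound to the line, or the line is rejected.
        user = self._lines.get(line_id)
        return (ACCEPT, user) if user else (REJECT, None)

    def auth_by_credentials(self, username, password, line_id):
        # Steps S830/S1024: on success the AAA server saves the user's Line ID.
        expected = self._creds.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return (REJECT, None)
        self._lines[line_id] = username
        return (ACCEPT, username)


class Bng:
    """BNG: derives the physical link, builds the Line ID and talks to the AAA server."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.rg_links = {}   # RG MAC -> physical link learned at PPPoE time (Fig. 7, S704)
        self.line_ids = {}   # UE MAC/SN -> last Line ID built for that UE

    def register_rg(self, rg_mac, circuit_id):
        self.rg_links[rg_mac.lower()] = circuit_id

    def build_line_id(self, circuit_id, ue_id):
        # Line ID = physical link identifier + terminal identifier, so two UEs behind
        # the same link get distinct IDs, and the same UE on another link gets a new one.
        line_id = f"{circuit_id}|{ue_id.lower()}"
        self.line_ids[ue_id.lower()] = line_id
        return line_id

    def attach(self, circuit_id, ue_id):
        """Bridged RG (Figs. 10/11): circuit_id is the DHCP Option 82 link information."""
        return self.aaa.auth_by_line(self.build_line_id(circuit_id, ue_id))

    def attach_via_rg(self, rg_mac, ue_id):
        """Routed RG (Figs. 8/9): the UE shares the physical link stored for the RG."""
        circuit_id = self.rg_links.get(rg_mac.lower())
        if circuit_id is None:       # unknown RG: no link information, so refuse
            return (REJECT, None)
        return self.aaa.auth_by_line(self.build_line_id(circuit_id, ue_id))

    def portal_login(self, ue_id, username, password):
        """Steps S826-S830 / S1020-S1024: the Portal forwards credentials plus the UE
        MAC/SN; the BNG looks up the Line ID built at attach time and sends all three."""
        line_id = self.line_ids.get(ue_id.lower())
        if line_id is None:          # no attach seen for this UE: nothing to bind to
            return (REJECT, None)
        return self.aaa.auth_by_credentials(username, password, line_id)


def run_scenario():
    """Walks first-attach and re-attach flows; returns the AAA results in order."""
    aaa = AaaServer({"alice": "pw-alice", "bob": "pw-bob"})    # constructed credentials
    bng = Bng(aaa)
    eth_link = "Access-Node-Identifier eth 1/2:100"            # constructed Ethernet link
    ue1, ue2 = "00:11:22:33:44:55", "66:77:88:99:AA:BB"        # constructed UE MACs
    results = [
        bng.attach(eth_link, ue1),                             # first attach: unknown Line ID
        bng.portal_login(ue1, "alice", "wrong"),               # bad password: rejected
        bng.portal_login(ue1, "alice", "pw-alice"),            # success: AAA saves Line ID
        bng.attach(eth_link, ue1),                             # re-attach: implicit accept
        bng.attach(eth_link, ue2),                             # other UE, same link: reject
        bng.attach("Access-Node-Identifier eth 1/3:100", ue1), # same UE, other link: reject
    ]
    # Routed RG: link learned from the RG's PPPoE session, then the UE is bound to it.
    bng.register_rg("AA:BB:CC:DD:EE:01", "Access-Node-Identifier atm 3/1:0.35")
    results.append(bng.attach_via_rg("AA:BB:CC:DD:EE:01", ue2))  # reject, Portal needed
    results.append(bng.portal_login(ue2, "bob", "pw-bob"))        # binds bob to that line
    results.append(bng.attach_via_rg("AA:BB:CC:DD:EE:01", ue2))  # re-attach: accept
    return results


if __name__ == "__main__":
    for code, user in run_scenario():
        print(code, user)
```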
Obviously, those skilled in the art should understand that each of the above modules or steps of the present invention can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices. Alternatively, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be performed in an order different from that given here; or they can be made into individual integrated circuit modules, or a plurality of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not restricted to any specific combination of hardware and software.
The foregoing are only the preferred embodiments of the present invention and do not limit the present invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (11)

1. An authentication method, characterized in that it comprises:
a broadband network gateway (BNG) receiving first authentication request information for authenticating a user equipment (UE), wherein the first authentication request information carries parameter information for identifying the UE and parameter information of the physical link through which the UE accesses the network;
the BNG generating a first line identifier for the UE according to the parameter information;
the BNG sending the first line identifier to an authentication, authorization and accounting (AAA) server, wherein the AAA server authenticates the UE according to the line identifier.
2. The method according to claim 1, characterized in that, after the BNG sends the first line identifier to the AAA server, and in the case that the AAA server authenticates the UE as legitimate, the method further comprises:
the BNG sending a session establishment request to a policy server, wherein the session request carries the first line identifier corresponding to the UE, and the policy server generates a policy for the UE according to the first line identifier.
3. The method according to claim 1, characterized in that, after the BNG sends the line identifier to the AAA server, and in the case that the AAA server authenticates the UE as legitimate, the method further comprises:
the BNG receiving second authentication request information for authenticating the UE again;
the BNG generating a second line identifier according to the second authentication request information;
the BNG sending the second line identifier generated according to the second authentication request information to the AAA server, wherein the AAA server authenticates the UE according to the second line identifier and the first line identifier stored after the UE was authenticated as legitimate.
4. The method according to claim 3, characterized in that, after the BNG sends the second line identifier generated according to the second authentication request information to the AAA server, and in the case that the AAA server authenticates the UE as legitimate according to the second line identifier and the first line identifier, the method further comprises:
the BNG receiving authentication accept information sent by the AAA server, wherein the authentication accept information carries the user name of the UE.
5. The method according to any one of claims 1 to 4, characterized in that, after the BNG sends the first line identifier to the AAA server, and in the case that the AAA server authenticates the UE as illegitimate, the method further comprises:
the BNG receiving the first authentication request information sent by a Portal server, wherein the Portal server obtains the user information for identifying the UE after interacting with the UE.
6. The method according to claim 5, characterized in that the parameter information for identifying the UE comprises at least one of the following:
the media access control layer (MAC) address of the UE, and the serial number (SN) of the UE.
7. An authentication apparatus, characterized in that it is located in a broadband network gateway (BNG) and comprises:
a first receiving module, configured to receive first authentication request information for authenticating a user equipment (UE), wherein the first authentication request information carries parameter information for identifying the UE and parameter information of the physical link through which the UE accesses the network;
a first generating module, configured to generate a first line identifier for the UE according to the parameter information;
a first sending module, configured to send the first line identifier to an authentication, authorization and accounting (AAA) server, wherein the AAA server authenticates the UE according to the first line identifier.
8. The apparatus according to claim 7, characterized in that it further comprises:
a second sending module, configured to send a session establishment request to a policy server after the BNG sends the first line identifier to the AAA server and in the case that the AAA server authenticates the UE as legitimate, wherein the session request carries the first line identifier corresponding to the UE, and the policy server generates a policy for the UE according to the first line identifier.
9. The apparatus according to claim 7, characterized in that it further comprises:
a second receiving module, configured to receive second authentication request information for authenticating the UE again, after the line identifier is sent to the AAA server and in the case that the AAA server authenticates the UE as legitimate;
a second generating module, configured to generate a second line identifier according to the second authentication request information;
a third sending module, configured to send the second line identifier generated according to the second authentication request information to the AAA server, wherein the AAA server authenticates the UE according to the second line identifier and the first line identifier stored after the UE was authenticated as legitimate.
10. The apparatus according to claim 9, characterized in that it further comprises:
a third receiving module, configured to receive authentication accept information sent by the AAA server after the BNG sends the second line identifier generated according to the second authentication request information to the AAA server and in the case that the AAA server authenticates the UE as legitimate according to the second line identifier and the first line identifier, wherein the authentication accept information carries the user name of the UE.
11. The apparatus according to any one of claims 7 to 10, characterized in that it further comprises:
a fourth receiving module, configured to receive the first authentication request information sent by a Portal server after the BNG sends the first line identifier to the AAA server and in the case that the AAA server authenticates the UE as illegitimate, wherein the Portal server obtains the user information of the UE after interacting with the UE.
CN201210243159.7A 2012-07-13 2012-07-13 Authentication method and device Expired - Fee Related CN103546286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210243159.7A CN103546286B (en) 2012-07-13 2012-07-13 Authentication method and device


Publications (2)

Publication Number Publication Date
CN103546286A true CN103546286A (en) 2014-01-29
CN103546286B CN103546286B (en) 2018-08-24

Family

ID=49969366


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180824

Termination date: 20200713