CN101137222B - Access authentication processing method and system and device - Google Patents
- Publication number: CN101137222B (application CN200710062836.4A)
- Authority: CN (China)
- Prior art keywords: access network, user terminal, information, user, authentication server
- Legal status: Active (the legal status is an assumption by Google and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
- Classification: Mobile Radio Communication Systems
Abstract
The invention discloses an access authentication processing method, system and device. The method comprises the following steps: the local home access network authentication server of a user terminal records user home information, including roaming IP address attribute information and roaming IP type attribute information; it maintains and manages the recorded user home information, and when the user terminal's state changes it actively sends a notification to the relevant access network authentication server so that the corresponding operation is carried out. This enables the local home access network authentication server of a roaming user terminal to locate effectively the remote home access network authentication server to which the terminal currently belongs, at low cost and with little resource consumption, and is suitable for practical deployment.
Description
Technical field
The invention relates to the field of data communication in mobile communication systems, and in particular to a processing method, system and device for performing access authentication by an access network authentication server (AN-AAA) for roaming users in a mobile communication system.
Background
Before a user can access the network, the network generally first performs access authentication on the user to verify that the user's identity is genuine. In the CDMA2000-EVDO (Code Division Multiple Access 2000 - Evolution Data Only) mobile communication system, the access network authentication server (Access Network Authentication, Authorization, Accounting, AN-AAA) acts as the authentication network element on the access network side and performs access authentication on EVDO (Evolution Data Only) terminals.
Radio access network authentication is the mechanism that confirms the legitimacy of an EVDO terminal about to attach to the EVDO radio access network (AN). Access authentication is carried out jointly by the access network (AN) side and the access network authentication server (AN-AAA), using Challenge Handshake Authentication Protocol (CHAP) authentication of the Point-to-Point Protocol (PPP). After successful authentication the AN-AAA returns a mobile node identifier (MNID) to the AN, which is used as the MNID in A8/A9 (bearer/signalling) and A10/A11 (bearer/signalling) interface messages. Once a user has been authenticated by the AN-AAA, the user's identity information is retained on the access network side. Normally, the next time the user originates a call, AN-AAA authentication is not repeated: the connection is established directly from the identity information retained on the access network side.
The access network and the AN-AAA communicate over the standard A12 interface (which carries authentication information), and authentication is completed through an exchange of A12 messages. The specific procedure comprises the following steps:
(1) The access network (AN) side receives a call request from an EVDO terminal. If it determines that this is a new user or a user who requires authentication, it must perform access authentication, that is, it immediately initiates an authentication request: it constructs an A12 Access-Request message and sends it to the AN-AAA through the Remote Authentication Dial In User Service (RADIUS) protocol stack for authentication.
(2) Management of the retransmission mechanism for the A12 Access-Request message: if no authentication response is received from the AN-AAA within a certain time, the Access-Request message is resent.
(3) The access network side receives the authentication result from the AN-AAA. If authentication succeeded, a valid mobile node identifier (MNID) is returned; otherwise the terminal is refused connection establishment.
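The A12 exchange of steps (1) to (3), as an added illustration that is not code from the patent: a minimal RADIUS/CHAP client (AN side) and server (AN-AAA side) in Python using only the standard library. The AN builds an Access-Request carrying User-Name, CHAP-Password, CHAP-Challenge and Calling-Station-Id; the AN-AAA checks the CHAP response against its subscriber table and answers Access-Accept or Access-Reject with a Response Authenticator, which lets the AN discard forged replies; the AN resends the identical request when no reply arrives. The shared secret, the subscriber table, the use of the Callback-Id attribute to carry the MNID and the retry count are assumptions of this example.

```python
"""A12-style RADIUS CHAP access authentication between an AN and an AN-AAA (added illustration)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute types; the MNID is assumed here to ride in Callback-Id (20)
USER_NAME, CHAP_PASSWORD, CALLBACK_ID, CALLING_STATION_ID, CHAP_CHALLENGE = 1, 3, 20, 31, 60
SHARED_SECRET = b"a12-shared-secret"  # assumed AN <-> AN-AAA shared secret

# Constructed AN-AAA subscriber table: NAI -> (CHAP password, MNID)
AN_AAA_USERS = {"user1@home.example": (b"pw-user1", "MNID-0001")}

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, request_auth, attrs):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + SHARED_SECRET).digest()

def chap_response(chap_id, password, challenge):
    # RFC 1994: MD5(ID || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def an_build_access_request(ident, nai, password, calling_station_id):
    """AN side, step (1): construct the A12 Access-Request for the terminal."""
    challenge, request_auth = os.urandom(16), os.urandom(16)
    attrs = [
        (USER_NAME, nai.encode()),
        (CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge)),
        (CHAP_CHALLENGE, challenge),
        (CALLING_STATION_ID, calling_station_id.encode()),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def an_aaa_handle(pkt):
    """AN-AAA side: verify the CHAP response; Accept carries the MNID, else Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    ok, resp_attrs = False, []
    if code == ACCESS_REQUEST and all(k in a for k in (USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE)):
        entry = AN_AAA_USERS.get(a[USER_NAME].decode(errors="replace"))
        if entry is not None and len(a[CHAP_PASSWORD]) == 17:  # 1-byte ID + 16-byte MD5
            chap_id, given = a[CHAP_PASSWORD][0], a[CHAP_PASSWORD][1:]
            ok = hmac.compare_digest(given, chap_response(chap_id, entry[0], a[CHAP_CHALLENGE]))
            if ok:
                resp_attrs = [(CALLBACK_ID, entry[1].encode())]
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(rcode, ident, request_auth, resp_attrs)
    return build_packet(rcode, ident, auth, resp_attrs)

def an_process_response(resp, ident, request_auth):
    """AN side, step (3): check the Response Authenticator; return the MNID or None."""
    code, rid, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, rid, request_auth, attrs)
    if rid != ident or not hmac.compare_digest(auth, expected):
        return None  # forged or mismatched reply: treated as no reply at all
    if code != ACCESS_ACCEPT:
        return None
    return dict(attrs).get(CALLBACK_ID, b"").decode() or None

def an_authenticate(nai, password, calling_station_id, transport, max_tries=3):
    """AN side, steps (1)-(3) including the step (2) retransmission. `transport`
    sends one Access-Request and returns the reply bytes, or None on timeout."""
    ident = os.urandom(1)[0]
    req, request_auth = an_build_access_request(ident, nai, password, calling_station_id)
    for _ in range(max_tries):
        resp = transport(req)  # the identical request is resent on timeout
        if resp is not None:
            return an_process_response(resp, ident, request_auth)
    return None
```

The point a practitioner should take from the AN side is that a reply is only trusted after the Response Authenticator has been recomputed over the reply and the original Request Authenticator with the shared secret: an Access-Accept injected by a third party with a made-up MNID fails that check and is treated exactly like a timeout. MD5 is what RADIUS and CHAP specify; the A12 link itself still needs transport protection, since the shared secret is the only thing standing between the AN and a spoofed AN-AAA.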
However, the existing authentication procedure does not fully take the mobility of user terminals into account. Considering terminal mobility, there are usually a first access network (AN1), a second access network (AN2), ..., up to an nth access network (ANn); AN1 is connected to a first access network authentication server (AN-AAA1), AN2 to a second access network authentication server (AN-AAA2), ..., and ANn to an nth access network authentication server (AN-AAAn). If AN1 is the user's local home access network, then AN-AAA1 is the user's local home authentication server. A roaming EVDO terminal faces the following situations:
Case 1: if the local home authentication server (AN-AAA1) and the second access network authentication server (AN-AAA2) are the same server, the local home access network (AN1) and the second access network (AN2) are normally configured as neighbours of each other. When a roaming user moves from AN1 to AN2, an A13 handover (the A13 interface carries handover information) takes place, and AN2 obtains the user's identity information from AN1 to establish the connection;
Case 2: if AN-AAA1 and AN-AAA2 are different servers, then when the roaming user moves from the local home access network (AN1) to the second access network (AN2), AN2 holds no identity information for the user and the session must be re-established. At the same time AN-AAA2 holds no registration information for the user, so it can only confirm the user's legitimacy through the local home authentication server (AN-AAA1) with which it is interconnected; only after that authentication has passed can the user access the network.
Case 1 is the roaming mode supported by existing standards. In Case 2, remote authentication of the roaming user can give rise to the following problems:
(1) If the user stays online in the remote location while being deregistered locally, then even though the user's registration information at the local home authentication server (AN-AAA1) and the user's identity information at the local home access network (AN1) have been deleted, the terminal's identity information is still retained in the visited second access network (AN2), where authentication has already succeeded. The terminal therefore stays online until it is authenticated again, which is the only point at which the stale identity is detected.
(2) The roaming user leaves identity information in the remote home access network (e.g. AN2). Once the user leaves, that information is retained indefinitely and occupies the remote access network's system resources. With many roaming users, the occupied resources affect the access of that network's own local home user terminals.
The reason these problems arise is the following. The remote access network authentication server (e.g. AN-AAA2) can determine the domain to which the user belongs from the UserName and Calling-Station-ID attributes in the roaming terminal's RADIUS (Remote Authentication Dial In User Service) message. Generally, if several access network authentication servers are configured for that domain, the message is forwarded to the highest-priority server first and, if that fails, to the next lower-priority server; unless none is configured, forwarding eventually succeeds. The remote home access authentication server can therefore reach the local home authentication server over the interconnection and confirm the legitimacy of the user's identity. In the opposite direction, however, if the roaming user's local home authentication server wants to reach the remote home access authentication server, it must first determine which server that is, and at present there is no good way to do so. Broadcasting the notification to every remote home access authentication server interconnected with the local home server would be costly and resource-intensive, and is not practical.
Summary of the invention
The problem the invention solves is to provide an access authentication processing method, system and device that enable the local home access network authentication server of a roaming user terminal to locate effectively the remote home access network authentication server to which the terminal currently belongs, so that the corresponding operations can then be carried out.
The access authentication processing method provided for this purpose comprises the following steps:
Step A: the local home access network authentication server of the user terminal records user home information; the user home information includes roaming IP address attribute information and roaming IP type attribute information.
Step B: when the user terminal's access network changes, the local home access network authentication server updates the stored user home information according to the access network the user is currently in, and when the user terminal's registration information or access network changes it actively sends a notification to the relevant access network authentication server so that an authentication operation is performed.
In step A, the recording of user home information by the local home access network authentication server covers the following cases:
if the user terminal is attached to the local home access network under the local home access authentication server, the roaming IP address attribute stores the IP address of the local home access network and the roaming IP type attribute records the local home access network type;
if the user terminal is roaming and attached to a remote access network, the roaming IP address attribute stores the IP address of the remote home access network authentication server and the roaming IP type attribute stores the remote home access network authentication server type.
Step B may comprise the following steps:
Step B1: the local home access network authentication server maintains and manages the user terminal's roaming IP address attribute information and roaming IP type attribute information;
Step B2: when the user terminal's registration information changes, it actively notifies the remote home access network authentication server where the roaming terminal currently is to re-authenticate the terminal; or, when the user terminal's access network changes, it notifies the previous remote home access network to delete the terminal identity information stored there and notifies the previous access network authentication server that the terminal must be re-authenticated the next time it enters that access network. Here the registration information is the registration information held by the user terminal's local home access network authentication server.
In step B, the maintenance and management of the recorded user home information by the local home access network authentication server may comprise the following steps:
when the user terminal returns from a remote location and attaches to the local home access network, the roaming IP address attribute is updated to the IP address of the local home first access network and the roaming IP type attribute is updated to the local home access network type;
when the user roams from the local area to a remote location and attaches to a remote home access network, the roaming IP address attribute is updated to the IP address of the remote home access network authentication server and the roaming IP type attribute to the remote home access network authentication server type;
when the user roams from one remote location to a new one and attaches to the new remote home access network, the roaming IP address attribute is updated to the IP address of the new remote home access network authentication server and the roaming IP type attribute to the new remote home access network authentication server type.
In step B, actively sending a notification to an access network authentication server when the user terminal's registration information or access network changes may comprise the following steps:
when the user returns from a remote location and attaches to the local home access network, the local home access network authentication server notifies the remote home access network authentication server and the remote home access network where the terminal previously roamed to clear the user's information;
when the user roams from one remote location to another and attaches to a new remote home access network, the local home access network authentication server notifies the remote home access network authentication server and the remote home access network where the terminal previously roamed to clear the user's information.
In step B, actively sending a notification to an access network authentication server when the user terminal's registration information or access network changes may further comprise the following step:
when the user terminal roams from the local area to a remote location and attaches to a remote home access network, the local home access network authentication server notifies the local home access network that the terminal must be re-authenticated the next time it attaches locally.
In step B, actively sending a notification when the user terminal changes, so that the change is acted upon, may further comprise the following step:
when the user terminal moves from one remote home access network into another, the new remote home access network authentication server notifies the terminal's previous remote home access network that the terminal must be authenticated the next time it attaches to that previous remote home access network.
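Steps A and B above, as an added illustration rather than the patent's own code: a Python model of the home AN-AAA subscriber record with the two attributes the method adds, RoamIPAddress and RoamIPType, and the notifications emitted on each transition (home to visited, visited to another visited, visited back to home, and deregistration at home, which is problem (1) of the background section). The assumptions of this example: the home server learns the visited AN-AAA address from the source of the proxied Access-Request, the type values and notification action names are invented, and delivery of the notifications is left to the caller.

```python
"""Home AN-AAA bookkeeping for roaming terminals (added illustration, not the patent's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_AN = "LOCAL_AN"            # assumed RoamIPType: terminal is on its home AN
REMOTE_AN_AAA = "REMOTE_AN_AAA"  # assumed RoamIPType: terminal is behind a visited AN-AAA


@dataclass
class SubscriberRecord:
    nai: str
    registered: bool = True
    roam_ip_address: Optional[str] = None  # RoamIPAddress attribute
    roam_ip_type: Optional[str] = None     # RoamIPType attribute


@dataclass
class Notification:
    target: str  # IP of the AN-AAA (or AN) that must act
    action: str  # assumed names: CLEAR_USER_INFO, REAUTH_NEXT_ACCESS, REAUTH_NOW
    nai: str


class HomeAnAaa:
    def __init__(self, home_an_ip: str):
        self.home_an_ip = home_an_ip
        self.records = {}

    def provision(self, nai: str) -> None:
        self.records[nai] = SubscriberRecord(nai)

    def _notify_previous(self, rec: SubscriberRecord) -> List[Notification]:
        """Notifications owed to whoever held the terminal before this transition."""
        if rec.roam_ip_type == REMOTE_AN_AAA:
            # The old visited AN-AAA and its AN must drop the cached identity (problem (2)).
            return [Notification(rec.roam_ip_address, "CLEAR_USER_INFO", rec.nai)]
        if rec.roam_ip_type == LOCAL_AN:
            # The home AN must re-authenticate the terminal when it comes back.
            return [Notification(rec.roam_ip_address, "REAUTH_NEXT_ACCESS", rec.nai)]
        return []  # first attach: nobody to notify

    def on_local_access(self, nai: str) -> List[Notification]:
        """Terminal attached (or re-attached) on its home AN."""
        rec = self.records[nai]
        out = [] if rec.roam_ip_address == self.home_an_ip else self._notify_previous(rec)
        rec.roam_ip_address, rec.roam_ip_type = self.home_an_ip, LOCAL_AN
        return out

    def on_proxied_auth(self, nai: str, visited_an_aaa_ip: str,
                        chap_ok: bool) -> Tuple[bool, List[Notification]]:
        """Access-Request forwarded by a visited AN-AAA. Its source address is what
        this example records as RoamIPAddress (an assumption, see lead-in)."""
        rec = self.records.get(nai)
        if rec is None or not rec.registered or not chap_ok:
            return False, []  # unknown, deregistered or failed CHAP: Reject, record untouched
        out = []
        if rec.roam_ip_address != visited_an_aaa_ip:
            out = self._notify_previous(rec)
            rec.roam_ip_address, rec.roam_ip_type = visited_an_aaa_ip, REMOTE_AN_AAA
        return True, out

    def deregister(self, nai: str) -> List[Notification]:
        """Registration change at home: whoever currently serves the terminal must
        re-authenticate it now, so the cached session is cut off (problem (1))."""
        rec = self.records[nai]
        rec.registered = False
        if rec.roam_ip_address is None:
            return []
        return [Notification(rec.roam_ip_address, "REAUTH_NOW", rec.nai)]
```

Because RoamIPAddress always names the one server that currently holds the terminal, each transition produces a single targeted notification instead of the broadcast the background section rejects; the deregistration path is the security-relevant one, since without it the visited AN keeps honouring an identity the home network has already revoked until the next authentication happens to occur.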
To achieve the purpose of the invention, an access authentication processing system is also provided, comprising a user terminal, the local home access network of the user terminal, the local home access network authentication server of the user terminal, a plurality of remote home access networks in which the user terminal may be located, and a plurality of remote home access network authentication servers; the local home access network authentication server comprises a user home information recorder and an authentication processor, wherein:
the user home information recorder is used to record user home information, which includes roaming IP address attribute information and roaming IP type attribute information;
the authentication processor is used to update the user home information recorded in the user home information recorder according to the access network the user is currently in when the user terminal's access network changes, and to actively send a notification to the relevant access network authentication server for an authentication operation when the user terminal's registration information or access network changes.
In this access authentication processing system, the local home access network authentication server further comprises a database unit, and the user home information recorder is located in the database unit of the local home first access network authentication server.
Maintaining and managing the user home information recorded in the user home information recorder means updating the user home information when the user terminal's home access network changes.
Actively sending a notification to an access network authentication server when the user terminal's registration information or access network changes includes the following case:
if the user terminal's access network changes, a notification is actively sent to the previous access network authentication server, instructing the previous access network to delete the terminal identity information stored in the terminal's previous home access network.
Actively sending a notification to an access network authentication server when the user terminal's registration information or access network changes also includes the following case:
if the user terminal's registration information changes, a notification is actively sent to the authentication server of the access network the terminal is currently in, instructing that access network to re-authenticate the terminal; here the registration information is the registration information held by the terminal's local home access network authentication server.
Actively sending a notification to an access network authentication server when the user terminal's registration information or access network changes further includes the following case:
when the user terminal's access network changes, the previous access network authentication server is notified that the terminal must be re-authenticated the next time it enters the previous access network.
To achieve the purpose of the invention, an access network authentication server is further provided, characterised in that it comprises a user home information recorder and an authentication processor, wherein:
the user home information recorder is used to record user home information, which includes roaming IP address attribute information and roaming IP type attribute information;
the authentication processor is used to update the user home information recorded in the user home information recorder according to the access network the user is currently in when the user terminal's access network changes, and to actively send a notification to the relevant access network authentication server for an authentication operation when the user terminal's registration information or access network changes.
The access network authentication server further comprises a database unit, and the user home information recorder is located in the database unit of the local home access network authentication server.
The beneficial effects of the invention are as follows. With the access authentication processing method, system and device of the invention, information on the legitimacy of a remotely roaming user terminal is delivered promptly to both the local home access network and the remote home access network. This protects the interests of legitimate users, removes the time gap in determining the user's home access network so that illegitimate users are given no window of opportunity, and helps optimise the use of system resources. The cost is small, resource consumption is low, and the scheme is suitable for practical deployment.
Brief description of the drawings
Fig. 1 is a flow chart of the access authentication processing method of the invention;
Fig. 2 is a flow chart of the specific procedure of step S200 in Fig. 1;
Fig. 3 is a flow chart of access network authentication server authentication when a roaming user terminal originates a call in a remote location in a CDMA2000-EVDO mobile communication system;
Fig. 4 is a flow chart of the case in a CDMA2000-EVDO mobile communication system where the registration information of a roaming user terminal 76 changes and the remote home access network authentication server is actively notified to re-authenticate it;
Fig. 5 is a flow chart of the access authentication processing when a roaming user terminal in a CDMA2000-EVDO mobile communication system returns from a remote location and attaches to the local home first access network;
Fig. 6 is a flow chart of access authentication when a roaming user in a CDMA2000-EVDO mobile communication system roams between remote home access networks;
Fig. 7 is a schematic structural diagram of the access authentication processing system of the invention.
具体实施方式Detailed ways
In order to make the purpose, technical solution and advantages of the present invention clearer, an access authentication processing method, system and device of the present invention are described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it.
The embodiments of the present invention are described in terms of an access authentication processing method, system and device, implemented in a CDMA2000-EVDO mobile communication system, in which access authentication for roaming users is initiated by an access network authentication server. It should be noted in particular that, although the embodiments are described with reference to terrestrial wireless communication systems such as the CDMA2000-EVDO mobile communication system, the present invention can also be used in other wired and wireless communication systems, for example satellite communication systems. It should also be understood that the embodiments can be applied to access authentication in many alternative wireless communication systems, such as broadcast communication systems, Global System for Mobile Communications (GSM) systems, Code Division Multiple Access (CDMA) systems, Wideband Code Division Multiple Access (WCDMA) systems, Time Division-Synchronous Code Division Multiple Access (TD-SCDMA) systems, or other known wireless communication systems.
In the following description of embodiments of the present invention, the following is assumed for ease of understanding (and not as a limitation of the present invention):
the local home authentication server of the user terminal is the first access network authentication server (AN-AAA1);
the local home access network of the user terminal is the first access network (AN1);
the remote home authentication servers of the user terminal are the second access network authentication server (AN-AAA2), ..., the nth access network authentication server (AN-AAAn);
the remote home access networks of the user terminal are the second access network (AN2), ..., the nth access network (ANn).
An access authentication processing method of the present invention is described in detail below:
As shown in Figure 1, the access authentication processing method of the present invention includes the following steps:
Step S100: the local home first access network authentication server 72 (AN-AAA1) of the user terminal 76 records user home information.
In the local home first access network authentication server 72 (AN-AAA1) of the user terminal 76, user home information is added to every user terminal record managed in the database, namely a roaming IP address (RoamIPAddress) attribute and a roaming IP type (RoamIPType) attribute, and this user home information is recorded;
The roaming IP address (RoamIPAddress) attribute records and stores IP address information; the roaming IP type (RoamIPType) attribute records and stores type information.
If the user terminal 76 accesses its local home first access network 71 (AN1) under the local home first access authentication server (AN-AAA1), the RoamIPAddress attribute stores the IP address of the local home first access network 71 (AN1), and the RoamIPType attribute records the type of the local home first access network 71 (AN1);
If the user terminal 76 is roaming and accesses a remote home nth access network 710 (ANn), the RoamIPAddress attribute records the IP address of the remote home nth access network authentication server 79 (AN-AAAn), and the RoamIPType attribute records the type of the remote home nth access network authentication server 79 (AN-AAAn).
Step S200: the local home first access network authentication server 72 (AN-AAA1) of the user terminal 76 maintains and manages the recorded user home information and, when the user terminal 76 changes, actively sends notifications to perform the change operation.
If the access network of the user terminal 76 changes, a notification is actively sent to the original access network authentication server, instructing the original access network to delete the user terminal identity information stored in the original home access network of the user terminal 76.
Preferably, when the access network of the user terminal 76 changes, the original access network authentication server is notified that the next time the user terminal 76 enters the original access network, authentication must be performed again.
If the registration information of the user terminal 76 changes, a notification is actively sent to the access network authentication server where the user terminal 76 is located, instructing that access network to perform authentication again.
As shown in Figure 2, step S200 specifically includes the following steps:
Step S210: the local home first access network authentication server 72 of the user terminal 76 maintains and manages the RoamIPAddress attribute and the RoamIPType attribute of the user terminal 76, ensuring that the attribute information is updated promptly;
Maintenance and management by the local home first access network authentication server 72 of the user home information of the user terminal, including the RoamIPAddress attribute and the RoamIPType attribute, means updating the user home information whenever the home access network of the user terminal 76 changes.
Step S210 covers the following situations:
When the user terminal 76 returns from a remote place to its local area and accesses the local home first access network 71 (AN1), the RoamIPAddress attribute is updated to store the IP address of the local home first access network 71 (AN1), and the RoamIPType attribute is updated to store the type of the local home first access network 71 (AN1);
When the user roams from the local area to a remote place and accesses the remote home second access network 78 (AN2), the RoamIPAddress attribute is updated to store the IP address of the remote home second access network authentication server 77 (AN-AAA2), and the RoamIPType attribute is updated to store the type of the remote home second access network authentication server 77 (AN-AAA2);
When the user roams from one remote place to a new remote place and accesses the remote home nth access network 710 (ANn), the RoamIPAddress attribute is updated to store the IP address of the new remote home nth access network authentication server 79 (AN-AAAn), and the RoamIPType attribute is updated to store the type of the remote home nth access network authentication server 79 (AN-AAAn).
Step S220: when the user terminal 76 changes, a notification is actively sent to perform the change operation. That is, when the registration information of the user terminal 76 changes, the current remote home nth access network authentication server 79 (AN-AAAn) where the roaming user terminal 76 is located is actively notified to perform authentication again; or, when the access network of the user terminal 76 changes, the original remote home nth access network 710 (ANn) is notified to delete the user terminal identity information it stored for the user terminal 76, and the original access network authentication server is notified that the next time the user terminal 76 enters the original access network, authentication must be performed again.
Step S220 covers the following situations:
When the registration information held in the local home first access network authentication server 72 (AN-AAA1) for the user terminal 76 changes, the local home first access network authentication server 72 (AN-AAA1) notifies the remote home nth access network authentication server 79 (AN-AAAn) where the user terminal 76 is roaming to initiate a re-authentication operation for that user;
When the user terminal 76 roams from the local area to a remote place and accesses the remote home second access network 78 (AN2), the local home first access network authentication server 72 (AN-AAA1) notifies the user's local home first access network 71 (AN1) that the next time the user terminal 76 accesses locally, re-authentication is required;
When the user returns from a remote place to the local area and accesses the local home first access network 71 (AN1), the local home first access network authentication server 72 (AN-AAA1) notifies the remote home nth access network authentication server 79 (AN-AAAn) and the remote home nth access network 710 (ANn) where the user terminal 76 was previously roaming to clear the user information;
When the user roams from one remote place to another and accesses the remote home nth access network 710 (ANn), the local home first access network authentication server 72 (AN-AAA1) notifies the remote home nth access network authentication server 79 (AN-AAAn) and the remote home nth access network 710 (ANn) where the user terminal 76 was previously roaming to clear the user information.
Taking the CDMA2000-EVDO mobile communication system as an example, the flow of remote access authentication processing for a roaming user terminal 76 in the authentication processing method of this embodiment is described in detail below. Figure 3 is a flow chart of a roaming user terminal 76 originating a call in a remote place and being authenticated by the access network authentication server in the CDMA2000-EVDO mobile communication system. It specifically includes the following steps:
Step a1: the user roams from the original local home first access network 71 (AN1) to the remote home second access network 78 (AN2) and prepares to originate a call;
Step b1: the roaming user terminal 76 originates a call in the remote place, and the remote home second access network 78 (AN2) of the user terminal 76 creates identity information for the user terminal 76. Because the roaming user terminal 76 is newly logging in, authentication is required;
Step c1: the remote home second access network authentication server 77 (AN-AAA2) where the user terminal 76 is roaming receives the authentication request, determines through message analysis that the user terminal 76 is a roaming user, and then, based on the analysis result, sends the request to the domain specified in the message;
Step d1: the access authentication request is forwarded to the local home first access network 71 (AN1) of the roaming user terminal 76;
Step e1: before saving the attribute information, the local home first access network 71 (AN1) examines the previously stored attribute data. Since the user terminal 76 has roamed from the local area to a remote place, the RoamIPAddress attribute and the RoamIPType attribute should at this point hold the IP address and the type of the local home first access network 71 (AN1). In this case the information is first stored temporarily and discarded once the local home first access network 71 (AN1) has been notified. The local home first access network authentication server 72 (AN-AAA1) of the user terminal 76 then updates the RoamIPAddress attribute of the user terminal 76 in its database to the IP address of the remote home second access network authentication server 77 (AN-AAA2), and updates the RoamIPType attribute to the type of the remote home second access network authentication server 77 (AN-AAA2). At the same time, the user is authenticated according to the access request;
Step f1: if the user's access authentication succeeds, the remote home second access network authentication server 77 (AN-AAA2) is notified and the flow proceeds to step g1; if authentication fails, a notification rejecting the user's access is sent, and if roaming user identity information already exists in the remote home second access network 78 (AN2), it is notified to delete that information. At the same time, the local home first access network 71 of the user terminal 76 is notified that authentication is required on the user's next access.
Step g1: the remote home second access network authentication server 77 (AN-AAA2) forwards the notification that authentication succeeded and access is allowed to the remote home second access network 78 (AN2) to which the roaming user terminal 76 currently belongs;
Step h1: the roaming user terminal 76 starts the normal EVDO service flow with the remote home second access network 78 (AN2).
Taking the CDMA2000-EVDO mobile communication system as an example, the following describes in detail the flow in the authentication processing method of this embodiment in which the registration information of a roaming user terminal 76 held in the local home first access network authentication server 72 (AN-AAA1) changes, and the remote home nth access network authentication server 79 (AN-AAAn) where the roaming user terminal 76 is located is actively notified so as to trigger the remote home nth access network 710 (ANn) to re-authenticate the roaming user terminal 76. Figure 4 is a flow chart of this case in the CDMA2000-EVDO mobile communication system: the registration information of the roaming user terminal 76 changes and the remote home access network authentication server is actively notified to perform re-authentication.
It specifically includes the following steps:
Step a2: the user terminal 76 is in the roaming state, and the user registration information in the local home first access network authentication server 72 (AN-AAA1) changes, for example withdrawal from the network, a change of Quality of Service (QoS) level, or a change of permissions;
Step b2: the local home first access network authentication server 72 (AN-AAA1) of the user terminal 76, based on the RoamIPAddress attribute and RoamIPType attribute recorded in its database for that user terminal 76, determines that the user terminal 76 is currently roaming, identifies the remote home nth access network 710 (ANn) and the nth access network authentication server 79 (AN-AAAn) of the roaming user terminal 76, and immediately sends a notification;
Step c2: the remote home nth access network authentication server 79 (AN-AAAn) of the roaming user terminal 76 immediately notifies the remote home nth access network 710 (ANn) to which the roaming user currently belongs.
Step d2: the remote home nth access network 710 (ANn) to which the roaming user currently belongs initiates a re-authentication operation for the user terminal 76.
Step e2: the roaming user terminal 76 re-enters the remote authentication flow; see the flow shown in Figure 3.
Taking the CDMA2000-EVDO mobile communication system as an example, the following describes in detail the access authentication processing flow in the authentication processing method of this embodiment when a roaming user terminal 76 returns from a remote place to its local area and accesses its local home access network. Figure 5 is a flow chart of the access authentication processing in the CDMA2000-EVDO mobile communication system when a roaming user terminal 76 returns from a remote place to its local area and accesses the local home first access network 71 (AN1).
It specifically includes the following steps:
Step a3: the roaming user terminal 76 returns from the remote home nth access network 710 (ANn) to the local home first access network 71 (AN1) and is no longer in the roaming state;
Step b3: the user terminal 76 originates a call to the local home first access network 71 (AN1). Because the local home first access network authentication server 72 (AN-AAA1), when it determined that the user was roaming, already notified the local home first access network 71 (AN1) that authentication is required on the user's next access, the local home first access network 71 (AN1) must send an authentication request to the first access network authentication server 72 (AN-AAA1);
Step c3: the local home first access network 71 (AN1) sends an authentication request to the local home first access network authentication server 72 (AN-AAA1);
Step d3: the local home first access network authentication server 72 (AN-AAA1) determines that the user terminal 76 is not a roaming user terminal, but that the RoamIPAddress attribute and the RoamIPType attribute still hold the roaming IP address and roaming IP type of the remote home nth access network authentication server 79 (AN-AAAn) where the user terminal 76 was previously roaming. It therefore stores this information temporarily and discards it after sending a notification to the remote home nth access network authentication server 79 (AN-AAAn) where the user terminal 76 was previously roaming. It then updates the RoamIPAddress attribute to the IP address of the local home first access network 71 (AN1) and the RoamIPType attribute to the type of the first access network 71 (AN1);
Step e3: the local home first access network authentication server 72 (AN-AAA1) notifies the remote home nth access network authentication server 79 (AN-AAAn) where the user terminal 76 was previously roaming, so that the remote home nth access network 710 (ANn) where the user terminal 76 was previously roaming clears the user's identity information. At the same time, it sends the authentication result to the first access network 71 (AN1): if allowed, the user may access; if rejected, access is denied.
Step f3: after receiving the notification, the remote home nth access network 710 (ANn) where the user terminal 76 was previously roaming deletes the identity information it created and retained for the user terminal.
Taking the CDMA2000-EVDO mobile communication system as an example, the following describes in detail the access authentication flow in the authentication processing method of this embodiment when a roaming user roams between remote home access networks. Figure 6 is a flow chart of access authentication in the CDMA2000-EVDO mobile communication system when a roaming user roams between remote home access networks.
It specifically includes the following steps:
Step a4: the roaming user terminal 76 roams from the remote home nth access network 710 (ANn) to the remote home second access network 78 (AN2);
Step b4: the roaming user terminal 76 originates a call in the new remote home second access network (AN2), and the remote home second access network (AN2) creates identity information for it. Because the roaming user terminal 76 is newly logging in, authentication is required.
Step c4: the remote home second access network authentication server (AN-AAA2) receives the authentication request, determines through message analysis that the user is a roaming user, and then, based on the analysis result, sends the request to the domain specified in the message;
Step d4: the access authentication request is forwarded to the local home first access network authentication server 72 (AN-AAA1) of the roaming user terminal 76;
Step e4: the local home first access network authentication server 72 (AN-AAA1) of the user terminal 76 determines that the user terminal 76 has roamed to a different remote home access network, but that the RoamIPAddress attribute and the RoamIPType attribute still hold the roaming IP address and roaming IP type of the remote home nth access network authentication server (AN-AAAn) where the user was previously roaming. It therefore stores this information temporarily and discards it after sending a notification to the remote home nth access network authentication server (AN-AAAn). It then updates the RoamIPAddress attribute to the IP address of the new remote home second access network authentication server (AN-AAA2) and the RoamIPType attribute to the type of the new remote home second access network authentication server (AN-AAA2), and at the same time authenticates the user according to the access request;
Step f4: the local home first access network authentication server 72 (AN-AAA1) notifies the remote home nth access network authentication server (AN-AAAn) where the user terminal 76 was previously roaming, so that the remote home nth access network (ANn) where the user terminal 76 was previously roaming clears the user's identity information;
Step g4: after receiving the notification, the remote home nth access network (ANn) deletes the identity information it created and retained for the previously roaming user terminal 76;
Step h4: if the user's access authentication succeeds, the new remote home second access network authentication server (AN-AAA2) is notified. If authentication fails, a notification rejecting the user's access is sent, and if roaming user identity information already exists in the new remote home second access network (AN2), it is deleted.
Preferably, the following step is also included: the local home first access network authentication server (AN-AAA1) notifies the original remote home nth access network (ANn) of the user terminal 76 that the next time the user terminal 76 accesses the original remote home nth access network (ANn), authentication must be performed;
Step i4: the new remote home second access network authentication server (AN-AAA2) forwards the notification that authentication succeeded and access is allowed to the second access network (AN2) to which the roaming user terminal 76 currently belongs;
Step j4: the roaming user terminal 76 starts EVDO service with the new remote home second access network authentication server (AN-AAA2).
It should be noted that steps f4 to g4 and steps h4 to i4 can be performed simultaneously without affecting execution of the flow; this embodiment describes them in the above order only to explain the process of the present invention more clearly, and this is not a limitation on how the present invention is implemented.
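The four flows above (Figures 3 to 6) are all driven by the same bookkeeping in AN-AAA1: compare the stored RoamIPAddress/RoamIPType with the node the request arrived through, notify the node the user has left (clear identity information, re-authenticate on next access), update the attributes, and on a registration change force re-authentication at the AN-AAAn currently serving a roaming user. The Python simulation below is an added example and not code from the patent or from ZTE: the node names, IP addresses, message kinds and the in-process delivery of notifications are constructed assumptions, and an AN-AAAn is collapsed together with the ANn it serves into one object.

```python
from dataclasses import dataclass, field


@dataclass
class UserRecord:
    # Per-user home information kept by AN-AAA1 (step S100): the IP and type of
    # AN1 while the user is at home, or of the AN-AAAn serving a roaming user.
    roam_ip_address: str
    roam_ip_type: str


@dataclass
class Node:
    """Stand-in for AN1, or for an AN-AAAn together with its ANn (constructed).
    It records only what the notifications from AN-AAA1 would make a real node do."""
    ip: str
    node_type: str                                  # "AN1" or "AN-AAA" (assumed type labels)
    identities: set = field(default_factory=set)    # identity info the AN created (steps b1/b4)
    reauth_required: set = field(default_factory=set)

    def handle(self, kind, user):
        if kind == "clear_identity":                # steps f3 / g4
            self.identities.discard(user)
        elif kind in ("reauth_next_access", "reauth_now"):
            self.reauth_required.add(user)          # steps f1 / b2 ("reject" is only relayed)


class HomeAAA:
    """AN-AAA1: records user home information (S100), keeps it current (S210)
    and pushes notifications when the user's situation changes (S220)."""

    def __init__(self, an1, nodes):
        self.an1, self.nodes = an1, nodes   # nodes: ip -> Node, replaces the real signalling path
        self.users, self.sent = {}, []      # sent: (destination ip, kind, user) per notification

    def notify(self, ip, kind, user):
        self.sent.append((ip, kind, user))
        self.nodes[ip].handle(kind, user)

    def provision(self, user):
        # a new user starts at home: attributes point at AN1
        self.users[user] = UserRecord(self.an1.ip, self.an1.node_type)

    def authenticate(self, user, via_ip, via_type, credentials_ok=True):
        """Access request for `user` arriving via (via_ip, via_type): AN1 for local
        access, an AN-AAAn for roaming access (steps e1/f1, d3/e3, e4 to h4)."""
        rec = self.users[user]
        old_ip, old_type = rec.roam_ip_address, rec.roam_ip_type   # kept only until notified
        if (old_ip, old_type) != (via_ip, via_type):
            if old_type == self.an1.node_type:
                self.notify(old_ip, "reauth_next_access", user)    # left home: f1 notice to AN1
            else:
                self.notify(old_ip, "clear_identity", user)         # left a visited network: e3/f4
                self.notify(old_ip, "reauth_next_access", user)     # preferred step of S200
            rec.roam_ip_address, rec.roam_ip_type = via_ip, via_type   # S210 update; old copy dropped
        if credentials_ok:
            return "accept"
        self.notify(via_ip, "reject", user)                         # failure branch of f1/h4
        if user in self.nodes[via_ip].identities:
            self.notify(via_ip, "clear_identity", user)
        return "reject"

    def registration_changed(self, user):
        """Step a2 (e.g. QoS level or permission change): if the attributes show the user
        roaming, the serving AN-AAAn is told to re-authenticate at once (steps b2 to d2)."""
        rec = self.users[user]
        if rec.roam_ip_type == self.an1.node_type:
            return False
        self.notify(rec.roam_ip_address, "reauth_now", user)
        return True


def run_scenarios():
    """Walk one terminal through Figures 3, 6, 4 and 5, then a failed roaming attempt.
    All names and addresses are constructed sample values."""
    an1 = Node("192.0.2.1", "AN1")
    aaa2 = Node("198.51.100.2", "AN-AAA")      # AN-AAA2 with AN2
    aaan = Node("203.0.113.9", "AN-AAA")       # AN-AAAn with ANn
    home = HomeAAA(an1, {n.ip: n for n in (an1, aaa2, aaan)})
    home.provision("ut76")
    an1.identities.add("ut76")
    out = {}
    aaa2.identities.add("ut76")                # Fig. 3: AN2 creates identity, AN-AAA2 forwards
    out["roam_out"] = home.authenticate("ut76", aaa2.ip, aaa2.node_type)
    out["an1_reauth"] = "ut76" in an1.reauth_required
    aaan.identities.add("ut76")                # Fig. 6: AN2 -> ANn, AN2 must forget the user
    out["roam_again"] = home.authenticate("ut76", aaan.ip, aaan.node_type)
    out["aaa2_cleared"] = "ut76" not in aaa2.identities
    out["reg_change_roaming"] = home.registration_changed("ut76")   # Fig. 4
    out["aaan_reauth"] = "ut76" in aaan.reauth_required
    out["reauth_after_change"] = home.authenticate("ut76", aaan.ip, aaan.node_type)  # e2
    out["return_home"] = home.authenticate("ut76", an1.ip, an1.node_type)             # Fig. 5
    out["aaan_cleared"] = "ut76" not in aaan.identities
    out["record"] = (home.users["ut76"].roam_ip_address, home.users["ut76"].roam_ip_type)
    out["reg_change_home"] = home.registration_changed("ut76")
    home.provision("ut77")                     # failure branch of f1 for a second terminal
    aaa2.identities.add("ut77")
    out["bad_roam"] = home.authenticate("ut77", aaa2.ip, aaa2.node_type, credentials_ok=False)
    out["ut77_dropped"] = "ut77" not in aaa2.identities
    out["notifications"] = len(home.sent)
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The comparison in `authenticate` is what closes the time gap the patent is concerned with: the node the user left is told to drop its identity information in the same step that moves the attributes, so there is no interval in which a stale identity in the old network and a fresh one in the new network are both valid.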
Corresponding to the access authentication processing method of the present invention, the present invention also provides an access authentication processing system.
As shown in Figure 7, the access authentication processing system of the present invention includes a user terminal 76, the local home first access network 71 (AN1) of the user terminal 76, the local home first access network authentication server 72 (AN-AAA1) of the user terminal 76, a plurality of remote home nth access networks 710 (ANn) of the user terminal 76, and a plurality of remote home nth access network authentication servers 79 (AN-AAAn) of the user terminal 76, wherein the first access network authentication server 72 (AN-AAA1) includes a user home information recorder 74 and an authentication processor 75.
The user home information recorder 74 records user home information, which includes the roaming IP address (RoamIPAddress) attribute and the roaming IP type (RoamIPType) attribute. The user home information recorder 74 is located in the database unit 73 of the local home first access network authentication server 72.
The authentication processor 75 maintains and manages the user home information recorded in the user information recorder and, when the information of the user terminal 76 changes, actively sends notifications to the access network authentication server to perform the corresponding operation.
Maintaining and managing the user home information recorded in the user information recorder means updating the user home information when the home access network of the user terminal 76 changes.
If the access network of the user terminal 76 changes, the authentication processor 75 actively sends a notification to the original access network authentication server, instructing the original access network to delete the user terminal identity information stored in the original home access network of the user terminal 76.
Preferably, when the access network of the user terminal 76 changes, the authentication processor 75 notifies the original access network authentication server that the next time the user terminal 76 enters the original access network, authentication must be performed again.
If the registration information of the user terminal 76 changes, the authentication processor 75 actively sends a notification to the access network authentication server where the user terminal 76 is located, instructing that access network to perform authentication again.
The access authentication processing method, system and device of the present invention make it possible to notify the local home access network and the remote home access network promptly of the legitimacy information of a remotely roaming user terminal 76. This protects the interests of legitimate users and avoids a time gap in determining the user's home access network, so that illegitimate users are given no opportunity to exploit it, while also helping to optimise the use of system resources. The cost is small and few resources are occupied, so the solution is suitable for practical application.
The working process of the access authentication processing system of the present invention is the same as that of the access authentication processing method described above and is therefore not described again in detail in this embodiment.
The foregoing description of preferred embodiments is provided so that any person skilled in the art can reproduce the present invention. Various modifications to these embodiments that remain within the scope of the claims, that are obvious to those skilled in the art, or that apply the technical solutions provided here to other embodiments without inventive effort, all fall within the protection scope of the present invention. Therefore, the present invention is not limited to the embodiments shown here, but should encompass the broadest scope consistent with the technical features of the claims disclosed herein.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710062836.4A CN101137222B (en) | 2007-01-18 | 2007-01-18 | Access authentication processing method and system and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101137222A (en) | 2008-03-05 |
CN101137222B (en) | 2013-06-05 |
Family
ID=39160990
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| C41 | Transfer of patent application or patent right or utility model | |
2015-12-31 | TR01 | Transfer of patent right | Address after: 518000 Guangdong city of Shenzhen province Qianhai Shenzhen Hong Kong cooperation zone before Bay Road No. 1 building 201 room A. Patentee after: Shenzhen Zhongxing new energy automobile service Co., Ltd. Address before: 518057 Nanshan District high tech Industrial Park, Guangdong, South Road, science and technology, ZTE building, legal department. Patentee before: ZTE Corporation |
2019-07-17 | TR01 | Transfer of patent right | Address after: 441000, No. six, international innovation industrial base, 49 Deng Cheng Avenue, hi tech Zone, Xiangfan, Hubei, Xiangyang. Patentee after: ZTE NEW ENERGY AUTOMOBILE CO., LTD. Address before: 518000 Room 201, Building A, No. 1 Qianwan Road, Qianhai-Shenzhen-Hong Kong Cooperation Zone, Shenzhen. Patentee before: Shenzhen Zhongxing new energy automobile service Co., Ltd. |