CN1553741A - Method and system for providing users with network roaming - Google Patents

Info

Publication number
CN1553741A
Authority
CN
China
Prior art keywords
roaming
user
authentication
aaa
aaa server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA031380441A
Other languages
Chinese (zh)
Other versions
CN100370869C (en)
Inventor
金涛
周剑光
王逵
管红光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB031380441A (patent CN100370869C)
Publication of CN1553741A
Application granted
Publication of CN100370869C
Anticipated expiration
Current legal status: Expired - Lifetime

Landscapes

  • Computer And Data Communications (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and system for providing users with network roaming service place a roaming forwarding device in each operator's network. The roaming forwarding device may be a higher-layer AAA server of the same operator in a hierarchical (layered) network, the central AAA server of a star network, the border AAA gateway between two different operators, the border AAA gateway among several operators, or the AAA gateway of a roaming alliance. The connection relationships then need to be configured on only a limited number of devices.

Description

Method and system for providing users with network roaming

Field of the invention

The invention relates to data communication networks, and in particular to a method and system for providing users with network roaming services.

Background

Modern society has entered the information age, and communication networks, as the carrier of information, are applied in every part of society. Commonly used communication technologies include Ethernet, Token Ring, FR (Frame Relay), IP (Internet Protocol) and ATM (Asynchronous Transfer Mode); commonly used communication networks include LANs built on Ethernet, WANs built on TCP/IP, and the Internet.

In a real network a PC (personal computer) can be connected to the network in many ways, for example through a LAN switch (Ethernet switch), an AP (wireless access point), VDSL (Very-high-speed Digital Subscriber Line) or ADSL (Asymmetric Digital Subscriber Line).

A managed network needs AAA (authentication, authorization and accounting) servers, such as a RADIUS (Remote Authentication Dial-In User Service) authentication server, to verify that a user's identity is legitimate. In practice, to keep the network secure and manageable, operators generally require that customers be authenticated, authorized and charged, so that customers use the operator's network services within their entitlements. There are many common user authentication methods, for example PPPoE (Point-to-Point Protocol over Ethernet) authentication, WEB authentication and 802.1X authentication.

In practice a user's information is normally stored in the AAA server where the user's account was opened, called the "home" AAA server; the network where the account was opened is the "home" network. Once the user has obtained account credentials (including but not limited to a user name and password, a smart card, and so on), they can be used anywhere in the network provided by the NSP/ISP (network service provider / Internet access service provider). Geographically, therefore, the user can get online from any point in the NSP/ISP network. When the user is not in the home network (that is, when roaming), the network the user connects to is called the "visited" (roaming-location) network. Authentication, authorization and accounting at the visited site are also performed through an AAA server, which is called the "visited" AAA server.

Take an ISP (Internet access service provider) providing access in Beijing and Nanjing as an example. User A is a Beijing user, that is, A's home AAA server is in Beijing. When user A is in Nanjing and wants to use network services from the same ISP's network there, for example to browse WWW sites, network roaming service has to be provided.

For user A, Nanjing is then the visited location and the AAA server serving access in Nanjing is the visited AAA server. Since user A's information is held in Beijing, the visited AAA server in Nanjing can obtain it only from the home AAA server in Beijing.

Enterprises and operators already offer roaming, but on a small scale. Today's authentication and accounting servers are always interconnected as a mesh: either there is no interconnection between different operators at all, or a limited number of AAA servers are meshed together. Physically, the AAA servers are connected through the telecommunication network or the Internet, as shown in Figure 1(a); logically they form a mesh in which every AAA server has a connection to every other AAA server, as shown in Figure 1(b).

Authentication and accounting both key on the user name. The account name has the form "user name@domain name", and today the visited and home locations are distinguished by the domain part, for example "chinatelecom.sh.com" in "user@chinatelecom.sh.com". A domain of chinatelecom.sh.com indicates that the AAA server where this user's account was opened is Shanghai Telecom's AAA server, while "163.com" in "user@163.com" indicates that the user's home AAA server is at Guangdong Telecom.

The prior art described above has the following problems:

1. Because all AAA servers are meshed, every AAA server must know every other AAA server it is connected to, and that has to be configured on each server. Adding, deleting or changing a domain name therefore tends to touch every AAA server in the network; the maintenance load is large and maintenance is difficult.

2. If different operators or enterprises are connected as a mesh, they must know each other's AAA configuration, so security is poor. Because of management issues between operators it is also hard to keep configurations synchronized, and maintenance is very difficult.

3. Because the AAA servers are meshed, all authentication and accounting information is handled in a distributed way, so there is no unified settlement between regions of the same operator or between different operators.

4. Every interconnection between two operators or enterprises is governed by a bilateral agreement. An operator or enterprise that wants to interconnect with several others therefore has to negotiate several bilateral agreements. The agreements differ from one another, which is inconvenient, and interconnecting is technically difficult as well.

5. Access servers and similar access devices must also be configured with the mapping to every AAA server, and one access device can usually hold only a limited number of domain mappings, so scalability is poor and the maintenance load is large.

Summary of the invention

The object of the present invention is therefore to overcome the above defects of the prior art in providing the user roaming service function.

According to a first aspect of the invention, a method is provided for providing users with roaming service in such a system, the method comprising:

(1) the visited access device obtains the user information from the access request sent by the roaming user's client terminal;

(2) the visited access device sends the user information to the visited AAA server for authentication;

(3) the visited AAA server examines the user information and, when it determines that the user is roaming, sends the user's authentication information to a roaming forwarding device, which forwards it to the AAA server of the user's home location for authentication;

(4) the home AAA server decides from the user information whether the user is legitimate and sends an authentication success or failure message back to the visited AAA server through the roaming forwarding device;

(5) if the home AAA server returns an authentication success message, the visited AAA server instructs the visited access device to authorize the user; if it returns an authentication failure message, access service is refused to that user;

(6) after the user has been authenticated successfully, the visited access device sends an accounting start request to the visited AAA server;

(7) the visited AAA server forwards the accounting message through the roaming forwarding device to the user's home AAA server, which performs the accounting.

The authentication and accounting methods described in this invention may use conventional mechanisms such as PPPoE, 802.1X or WEB authentication. Those skilled in the art will understand that although the exchange between the access device and the AAA server differs slightly from one authentication method to another, this makes no substantive difference to the method above.

According to a second aspect of the invention, a system is provided for providing users with roaming service, comprising client terminals, access devices and AAA servers, where the access device provides access service to the client terminal and the AAA server authenticates the client terminal's authentication messages forwarded by the access device and performs accounting for client terminals that have been admitted; the system is characterized in that it further comprises a roaming forwarding device that forwards the roaming user's authentication and accounting information between the visited AAA server and the home AAA server.

In the above system the roaming forwarding device may be a higher-layer AAA server of the same operator's hierarchically organized network, the central AAA server of a star network, or an AAA gateway at the operator's border.

In the above system, a roaming-domain module may be provided in the access device or the AAA server to configure path information, so that a roaming user's authentication and accounting information is directed to a roaming forwarding device from which the user's home AAA server can be found.

The invention has the following advantages:

1. For a single operator or enterprise, the roaming connection relationships need to be configured on only a limited number of AAA servers, so the maintenance load is small.

2. Different operators and enterprises forward user authentication and accounting information through AAA server gateways, interconnecting through a single inter-network interface; this gives high security, easy operation and little maintenance. Because all authentication and accounting information passes through the interconnected AAA gateways, it is handled uniformly, and settlement and statistics can be unified across regions of one operator and between operators.

3. When an operator or enterprise wants to interconnect with several operators or enterprises, a single agreement suffices for interconnecting with all of them: the agreement is identical for everyone, the technical difficulty is low and negotiation is short.

4. Access devices and similar equipment do not need to be configured with the mapping to every AAA server; only the core relationship and one roaming relationship are configured. Scalability is good and the access devices can be run with zero maintenance.

Brief description of the drawings

The above objects, features and advantages of the invention will become easier to understand from the detailed description taken together with the following drawings, in which:

Figures 1(a) and 1(b) are schematic diagrams of the existing mesh organization of AAA servers;

Figure 2 is a schematic diagram of the organization of one operator's AAA servers in a preferred embodiment of the invention, where Figure 2(a) is the hierarchical (layered) organization and Figure 2(b) is the star organization;

Figure 3 is a flowchart of configuring a higher-layer AAA server in the hierarchical organization;

Figure 4 is a schematic diagram of the organization between two different operators according to a preferred embodiment of the invention;

Figure 5 is a schematic diagram of the organization among several different operators according to a preferred embodiment of the invention;

Figure 6 is a flowchart of user roaming authentication and accounting according to a preferred embodiment of the invention;

Figure 7 is a sequence diagram of the protocol adaptation process according to a preferred embodiment of the invention, where Figure 7(a) shows adaptation between the same protocol and Figure 7(b) shows adaptation between different protocols.

Detailed description

Preferred embodiments of the invention are described below with reference to the drawings.

In the invention, user authentication and accounting may use the conventional methods mentioned above: PPPoE authentication and accounting, WEB authentication and accounting, 802.1X authentication and accounting, and so on. This description uses PPPoE authentication and accounting as the example.

Embodiment 1: roaming between different regions of the same operator/enterprise

Within a single operator or enterprise the main problem is the mesh connection problem, commonly called the N² problem (each of N servers must be connected to every other). Other topologies, including but not limited to hierarchical and star networks, can therefore be used to solve it.

In one embodiment of the invention the hierarchical organization is as shown in Figure 2(a): the lower-layer AAA servers are not interconnected with each other, and only the higher-layer AAA servers are configured with whole-network connections forming a mesh or partial mesh. This greatly reduces the maintenance workload, generally by an order of magnitude.

A typical configuration on a higher-layer AAA server is, for example:

[User data section]

user name = lisi@local.com

attribute = ordinary user

next authentication primary server =

next authentication backup server =

next accounting primary server =

next accounting backup server =

Note that an empty value after the equals sign in the configuration above means the user is a local AAA user (domain local.com) and there is no next server.

user name = zhangsan@beijing.com

attribute = proxy user

next authentication primary server = 10.1.1.1:1812

next authentication backup server = 10.1.1.2:1812

next accounting primary server = 10.1.1.3:1813

next accounting backup server = 10.1.1.4:1813

shared secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Domain section]

domain name = roaming

attribute = proxy

next authentication primary server = 10.1.1.1:1812

next authentication backup server = 10.1.1.2:1812

next accounting primary server = 10.1.1.3:1813

next accounting backup server = 10.1.1.4:1813

shared secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[default]

attribute = proxy                   ! or discard, etc.

next authentication primary server = 10.1.1.1:1812

next authentication backup server = 10.1.1.2:1812

next accounting primary server = 10.1.1.3:1813

next accounting backup server = 10.1.1.4:1813

shared secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The above is a simple example configuration file illustrating how a higher-layer AAA server in the hierarchical organization is configured. In practice the configuration is typically stored as a text file, a binary file or in a database, and entered by hand-editing or through a configuration interface such as a command line or a GUI (graphical user interface). The processing flow is shown in Figure 3.

The process by which a higher-layer AAA server determines, from the configuration above, how to handle a roaming user's authentication message is described with reference to Figure 3:

1) When the higher-layer AAA server receives the user's RADIUS packet, it parses the RADIUS attributes.

2) Based on the usual policies and on exception handling (for example special data policies fixed in code, system administrator data policies, and so on), it decides whether the configuration data needs to be searched. If so, go to step 3); if not, go to step 8).

3) Look up the user data section. If a matching entry is found, the policy configured in that entry decides whether the packet is authenticated and accounted locally, handled by RADIUS proxy (forwarded to another RADIUS server), or handled in some other way such as discard or forced failure. The auxiliary parameters are determined at the same time, such as the address and port of the RADIUS proxy's next authentication/accounting server and the shared secret. Note that the shared secret may be stored in clear text or protected with symmetric or asymmetric encryption, for example the commonly used DES or 3DES.

4) If no user entry is found, go to step 5); if one is found, go to step 8).

5) Look up the domain data section. If a matching entry is found, its configured policy decides whether the next step is local authentication and accounting, RADIUS proxy, or another action such as discard or forced failure, and the auxiliary parameters (next server address, port, shared secret and so on) are determined as in step 3).

6) If no domain entry is found, go to step 7); if one is found, go to step 8).

7) Use the default configuration data.

8) The processing policy for the packet has now been found; proceed according to it: RADIUS forwarding, authentication, accounting, discard and so on.

With the configuration and processing above, every lower-layer AAA server needs only a single domain entry or a default entry, which greatly reduces the maintenance workload, generally by an order of magnitude. The higher-layer AAA servers, however, must be fully configured for the roaming domains. For example, if there are 10 roaming domains from server A to server B and 5 from server A to server C, server A must be configured with 15 roaming domains, and likewise for servers B and C. They are configured as a mesh or partial mesh as required.
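The three-tier lookup of steps 3) to 7) is compact enough to show as code. The following Python is an added example written for this page, not code from the patent or from Huawei. It mirrors the sample configuration above (the 10.1.1.x addresses and ports 1812/1813 are the patent's placeholders; the secret and the extra user names are constructed) and resolves a user name to a processing policy in the order user entry, realm entry, default. The same lookup serves the central node of the star organization and the border AAA gateway of Embodiment 2, which differ only in which entries are present.

```python
"""Realm-based policy lookup for a higher-layer RADIUS proxy, following the
three-tier search described above: exact user entry, then domain (realm)
entry, then the default entry. Added example; the configuration is constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class NextHop:
    """Next servers for a proxied request, as "host:port" strings."""
    auth_primary: str
    auth_backup: str
    acct_primary: str
    acct_backup: str
    shared_secret: bytes  # hop-by-hop RADIUS secret shared with those servers


@dataclass(frozen=True)
class Policy:
    action: str                    # "local", "proxy", "discard" or "reject"
    next_hop: Optional[NextHop] = None
    matched_by: str = ""           # set by resolve_policy: user / domain / default


# Mirrors the sample configuration on this page; 10.1.1.x and the secret are
# placeholders, not real servers.
BEIJING = NextHop("10.1.1.1:1812", "10.1.1.2:1812",
                  "10.1.1.3:1813", "10.1.1.4:1813", b"example-shared-secret")

CONFIG = {
    "users": {
        "lisi@local.com": Policy("local"),            # local user, no next server
        "zhangsan@beijing.com": Policy("proxy", BEIJING),
    },
    "domains": {
        "roaming": Policy("proxy", BEIJING),
    },
    "default": Policy("proxy", BEIJING),               # could also be "discard"
}


def split_nai(user_name: str) -> tuple[str, str]:
    """Split 'user@realm' on the last '@'. The realm is lower-cased; a name
    without '@' gets an empty realm and can match only a user entry or the
    default."""
    name, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, ""
    return name, realm.lower()


def resolve_policy(cfg: dict, user_name: str) -> Policy:
    """Steps 3) to 7) of Figure 3: the first tier with a matching entry wins."""
    user_policy = cfg["users"].get(user_name)
    if user_policy is not None:
        return replace(user_policy, matched_by="user")
    _, realm = split_nai(user_name)
    if realm:
        domain_policy = cfg["domains"].get(realm)
        if domain_policy is not None:
            return replace(domain_policy, matched_by="domain")
    return replace(cfg["default"], matched_by="default")


def next_server(policy: Policy, kind: str, primary_alive: bool = True) -> Optional[str]:
    """Server to forward to for kind 'auth' or 'acct', or None when the policy
    does not proxy. The backup is used when the primary is marked dead."""
    if policy.action != "proxy" or policy.next_hop is None:
        return None
    hop = policy.next_hop
    if kind == "auth":
        return hop.auth_primary if primary_alive else hop.auth_backup
    if kind == "acct":
        return hop.acct_primary if primary_alive else hop.acct_backup
    raise ValueError(f"unknown request kind {kind!r}")


if __name__ == "__main__":
    for name in ("lisi@local.com", "zhangsan@beijing.com", "wangwu@Roaming",
                 "guest@other.example", "noatsign"):
        p = resolve_policy(CONFIG, name)
        print(f"{name:24} -> {p.action:8} via {p.matched_by:8} "
              f"auth={next_server(p, 'auth')} acct={next_server(p, 'acct', False)}")
```

The realm is taken after the last "@" and compared case-insensitively, so "a@b@roaming" routes on "roaming", and a name with no realm can only hit an exact user entry or the default. Whoever controls the proxy holds every next-hop secret, whether the store keeps them in clear text or decryptable with DES/3DES as step 3) allows, so the configuration store needs the same access control as the server itself.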

The hierarchy may have two layers or more.

In another embodiment of the invention the AAA servers may be organized as a star network, as shown in Figure 2(b).

The configuration format and processing flow are the same as for the hierarchical organization above.

At configuration time, therefore, every edge AAA server in the star network needs only one domain entry or a default entry, which greatly reduces the maintenance workload, generally by an order of magnitude. The AAA server at the central node, like the higher-layer AAA server of the hierarchical organization, must be fully configured for the roaming domains: every roaming domain in the whole network must have a corresponding entry on the central AAA server.

In a real deployment any one of the topologies (mesh/partial mesh, hierarchical, star, and so on) may be used, or several may be combined.

用户漫游接入流程以PPPoE的认证为例,如图5所示。具体过程如下:The user roaming access process takes PPPoE authentication as an example, as shown in Figure 5. The specific process is as follows:

1)PPPoE客户端向PPPoE服务器设备发送一个PADI(PPPoE激活发现初始报文)报文,开始PPPoE接入。1) The PPPoE client sends a PADI (PPPoE Activation Discovery Initial Message) message to the PPPoE server device to start PPPoE access.

2)PPPoE服务器向客户端发送PADO报文(PPPoE激活发现提供报文)。2) The PPPoE server sends a PADO message (PPPoE activation discovery offer message) to the client.

3)客户端根据回应,发起PADR(PPPoE激活发现请求报文)请求给PPPoE服务器。3) The client initiates a PADR (PPPoE Activation Discovery Request message) request to the PPPoE server according to the response.

4)PPPoE服务器产生一个session id(会话标识),通过PADS(PPPoE激活发现会话报文)发给客户端。4) The PPPoE server generates a session id (session identifier), and sends it to the client through PADS (PPPoE activation discovery session message).

5)客户端和PPPoE服务器之间进行PPP(点到点协议)的LCP(链路控制协议)协商,建立链路层通信。同时,协商使用CHAP(质询握手验证协议)认证方式。5) LCP (Link Control Protocol) negotiation of PPP (Point-to-Point Protocol) is performed between the client and the PPPoE server to establish link layer communication. At the same time, negotiate to use the CHAP (Challenge Handshake Authentication Protocol) authentication method.

6)PPPoE服务器通过Challenge(质询)报文发送给认证客户端,提供一个128比特的Challenge(即服务器产生的随机字)。6) The PPPoE server sends a Challenge (challenge) message to the authentication client, providing a 128-bit Challenge (that is, a random word generated by the server).

7)客户端收到Challenge报文后,将密码和Challenge用公知的MD5算法处理,然后在Response(回应)报文中把它发送给PPPoE服务器。7) After the client receives the Challenge message, it processes the password and Challenge with the known MD5 algorithm, and then sends it to the PPPoE server in the Response (response) message.

8)PPPoE服务器将Challenge、Challenge-Password和用户名一起送到漫游地RADIUS(远端用户拨入鉴权服务)用户认证服务器(即AAA服务器)进行认证。8) The PPPoE server sends Challenge, Challenge-Password and user name to the RADIUS (Remote User Dial-In Authentication Service) user authentication server (ie AAA server) in the roaming area for authentication.

9) The visited-network ("roaming-location") RADIUS user authentication server recognizes from the user name that this is a roaming user whose home network is, for example, in Beijing, so it first forwards the authentication message to an intermediate AAA server. The intermediate AAA server is generally the higher-layer AAA server in a layered network or the central-node AAA server in a star network. The intermediate AAA server mainly performs a Proxy function, for example as a RADIUS proxy server implementing the well-known RADIUS Proxy behaviour of RFC 2865, RFC 2866 and RFC 2869. It looks up the path towards the "home" AAA server for the authentication and accounting messages received from the "visited" AAA server according to the configured domain names, and then sends them on to the next intermediate AAA server, until they reach the "home" AAA server. Intermediate AAA servers may be in the same region or in different regions. An intermediate AAA server generally does not perform user authentication or accounting itself; it forwards authentication and accounting messages according to the path information configured for the various domain names.

10) The home RADIUS user authentication server judges from the user information whether the user is legitimate, and then sends the authentication success/failure response back through the intermediate AAA servers to the visited RADIUS user authentication server, as in step 9).

11) The visited RADIUS user authentication server forwards the authentication success/failure message to the PPPoE server. If authentication succeeded, the message carries the negotiated parameters and the user's service attributes to authorize the user. If authentication failed, the flow ends here.

12) The PPPoE server returns the authentication result to the client.

13) The user performs NCP (Network Control Protocol) negotiation, such as IPCP (IP Control Protocol), and obtains the assigned IP address and other parameters from the PPPoE server.

14) If authentication succeeded, the PPPoE server sends an accounting-start request to the visited RADIUS user accounting server.

15) The visited RADIUS user accounting server finds that the user is a roaming user whose home is in Beijing and, as in step 9), forwards the accounting message through the intermediate AAA servers to the home RADIUS user accounting server, which performs the actual accounting.

16) The home RADIUS user accounting server replies with an accounting-start response, which is forwarded through the intermediate servers to the visited RADIUS user accounting server.

17) The visited RADIUS user accounting server forwards the accounting-start response to the PPPoE server.

At this point the user has passed authentication, holds valid authorization, and can use network services normally.

When the user wants to end the network service, the connection can likewise be torn down through PPPoE; an accounting-stop message is then sent following the procedure of steps 14) to 17).

As described above, in this embodiment the user's authentication and accounting messages pass through several intermediate AAA servers when forwarded between the "visited" AAA server and the "home" AAA server (mainly in steps 9), 10), 15) and 16)).
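The hop-by-hop forwarding of steps 9) and 10), as an added illustration that is not part of the patent: a visited server, two intermediate proxies and a home server, each holding only a realm-to-next-hop table. The topology, server names, user database and the hop limit MAX_HOPS are all constructed for this example; only the home server ever checks the credential, intermediate servers merely look up the next hop by realm, and a request that finds no path or exceeds the hop limit is rejected rather than forwarded blindly.

```python
"""Hop-by-hop proxying of a roaming user's authentication request through
intermediate AAA servers to the home server (steps 9 and 10 above).
Added example with a constructed topology; not the patent's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 8  # assumed proxy-loop guard: a misconfigured route table must not loop forever


def realm_of(user_name: str) -> Optional[str]:
    """Return the routing realm of 'user@realm' (lower-cased), or None if there is none."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1].lower()


@dataclass
class AaaServer:
    name: str
    local_realms: set                                   # realms this server authenticates itself
    routes: dict = field(default_factory=dict)          # realm -> next-hop server name
    users: dict = field(default_factory=dict)           # constructed user db: user name -> password


class AaaNetwork:
    def __init__(self, servers: list):
        self.servers = {s.name: s for s in servers}

    def authenticate(self, entry: str, user_name: str, password: str) -> tuple:
        """Forward an Access-Request from `entry` until the home server answers.

        Returns (accepted, path); `path` lists every server the request visited,
        and the Access-Accept/Reject travels back along the same path in reverse.
        """
        realm = realm_of(user_name)
        path = [entry]
        current = self.servers[entry]
        for _ in range(MAX_HOPS):
            if realm is None or realm in current.local_realms:
                # Home server: the only place where the credential is actually checked.
                return current.users.get(user_name) == password, path
            # Intermediate server: pure proxy, chooses the next hop by realm only.
            next_hop = current.routes.get(realm)
            if next_hop is None:
                return False, path            # no configured path to the home realm: fail closed
            path.append(next_hop)
            current = self.servers[next_hop]
        return False, path                    # hop limit exceeded: treat as a proxy loop, reject


def build_demo_network() -> AaaNetwork:
    """Constructed layered topology: visited server -> two higher-layer proxies -> home server."""
    visited = AaaServer("shanghai-visited", {"shanghai.com"}, routes={"beijing.com": "shanghai-top"})
    top_sh = AaaServer("shanghai-top", set(), routes={"beijing.com": "beijing-top"})
    top_bj = AaaServer("beijing-top", set(), routes={"beijing.com": "beijing-home"})
    home = AaaServer("beijing-home", {"beijing.com"}, users={"zhangsan@beijing.com": "s3cret"})
    return AaaNetwork([visited, top_sh, top_bj, home])


if __name__ == "__main__":
    net = build_demo_network()
    print(net.authenticate("shanghai-visited", "zhangsan@beijing.com", "s3cret"))
```

The hop limit stands in for the loop protection a production proxy needs: RFC 2865 itself warns that proxies must not forward a request back and forth indefinitely, and a realm route table with a cycle is an easy misconfiguration to create once several intermediate servers are involved.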

Embodiment 2: Roaming between two different operators/enterprises

An AAA gateway is set up at the boundary of each operator/enterprise. When a user roams between two operators/enterprises, all authentication and accounting roaming traffic between them passes through this gateway. Every AAA server, besides its local user authentication and accounting configuration, has the domain names of all roaming users configured as a default path or roaming path pointing to the AAA gateway. The configuration procedure is the same as that for the layered or star network described above. The AAA servers inside the network need not configure a path for every roaming domain name. Thus, when maintaining the interconnection between the two networks, each addition, deletion or modification of a domain name requires only the corresponding path change on the AAA gateway, and the AAA servers inside the network are left untouched, which reduces the maintenance workload.

At the same time, since different operators may use different protocols, the AAA gateway approach allows protocol adaptation to be performed on the gateway, together with unified authentication statistics and accounting settlement. Current protocol adaptations include RADIUS-RADIUS, RADIUS-DIAMETER and so on; they can be one-way, but are generally two-way.

There are two methods of protocol adaptation:

1. When the same protocol is used on both sides, the two sides of the gateway still have different requirements for attributes such as the authentication and accounting attributes, so a conversion step is needed: the gateway converts the attributes to satisfy the requirements of each side. Taking RADIUS-RADIUS as an example, the AAA gateway processing sequence is shown in Figure 7(a). The protocol adaptation flow is described below with reference to Figure 7(a):

1) An AAA server sends a RADIUS authentication request to the AAA gateway; its content typically includes the user name "zhangsan@beijing.com", the name of the user's access device, the user's password, and so on.

2) The AAA gateway recognizes (usually simply by domain name, or strictly by the AAA processing flow described above) that the message format of this AAA server does not match the format required by the AAA server on the other side. For example, the other side's AAA server may require all user names in upper case, require the address of the visited AAA server to be supplied, and require the user's access device to be identified by a numeric code rather than by name. The AAA gateway then, according to the other side's requirements, converts the user name in the received RADIUS message to upper case, adds an attribute carrying the visited AAA server's address filled with that server's IP address, and finally replaces the device name with its numeric code according to a pre-configured device-name-to-code mapping table. The modified RADIUS message is re-assembled and sent to the AAA server on the other side.

3) After successful authentication, the AAA server on the other side returns an authentication success message to the AAA gateway. The authentication success message generally contains the user name, the user's access device name, and so on.

4) On receiving this message, the AAA gateway recognizes that its format does not match and processes it by the inverse of the adaptation above: the user name is kept as is or converted to lower case, and the access device name is converted from the numeric code back to the device name according to the pre-configured mapping table.

The handling of other RADIUS authentication and accounting messages follows essentially the same procedure.

In the above adaptation process the commonly used technique is table mapping, that is, an attribute mapping table between operator A and operator B; conversion and inverse conversion are carried out according to the attributes in the table and the specified conversion method.

The invention is, of course, not limited to the table mapping method; other widely used approaches, such as software modules or plug-ins, can also be used. For example, if operator A needs to roam with operator B, a software module or plug-in can be added to the AAA gateway to perform the protocol adaptation. Modifying the AAA gateway software or adding a patch is the simplest way to implement this.

2. If different protocols are used, for example RADIUS and DIAMETER (an enhanced AAA protocol compatible with RADIUS), the gateway must convert messages from one protocol into the other. Taking RADIUS-DIAMETER as an example, the AAA gateway processing sequence is shown in Figure 7(b):

1) An AAA server sends a RADIUS authentication request to the AAA gateway; its content typically includes the user name "zhangsan@beijing.com", the name of the user's access device, the user's password, and so on.

2) The AAA gateway recognizes (usually simply by domain name, or strictly by the AAA processing flow described above) that the message format of this AAA server does not match the format required by the AAA server on the other side. For example, the other side's AAA server may require the DIAMETER protocol, all user names in upper case, the address of the visited AAA server, and a numeric code rather than a name for the user's access device. The AAA gateway then converts the user name in the received RADIUS message to upper case, adds an attribute carrying the visited AAA server's address filled with that server's IP address, and replaces the device name with its numeric code according to the pre-configured mapping table. It then assembles a new DIAMETER request and sends it to the AAA server on the other side.

3) After successful authentication, the AAA server on the other side returns a DIAMETER response (carrying the authentication success information) to the AAA gateway. The authentication success message generally contains, for example, the user name and the user's access device name.

4) On receiving this message, the AAA gateway recognizes that its format does not match and processes it by the inverse of the adaptation above: it converts the DIAMETER message into a RADIUS message, keeps the user name or converts it to lower case, and converts the access device name from the numeric code back to the device name according to the pre-configured mapping table.

The handling of other RADIUS authentication and accounting messages and of DIAMETER messages follows essentially the same procedure.

As with adaptation within the same protocol, the commonly used technique for adaptation between different protocols is table mapping, that is, an attribute mapping table between operator A and operator B, with conversion and inverse conversion performed according to the attributes in the table and the specified conversion method. Methods commonly used in this field, such as software modules or plug-ins, can of course also be used; the simplest is to modify the AAA gateway software or add a patch.
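The table-driven attribute adaptation of Figure 7(a) and the two table-mapping paragraphs above, as an added example that is not part of the patent: a gateway converts a request from operator A's conventions to operator B's (upper-case user name, an added visited-server address attribute, device name replaced by a numeric code) and applies the inverse conversion to the reply. Messages are modelled as plain attribute-name-to-value dicts; the device-code table, the address, the attribute name Visited-AAA-Address and the sample request are all constructed for this example.

```python
"""Forward and inverse attribute adaptation at an AAA gateway (RADIUS-RADIUS case).
Added example with a constructed mapping table; not the patent's own code.
"""
from __future__ import annotations

# Constructed mapping between operator A's device names and operator B's numeric codes.
DEVICE_CODES = {"bras-sh-01": 1001, "bras-sh-02": 1002}
CODE_TO_DEVICE = {code: name for name, code in DEVICE_CODES.items()}

# Constructed address of the visited AAA server that side B wants carried in every request
# (192.0.2.0/24 is the RFC 5737 documentation range).
VISITED_AAA_ADDRESS = "192.0.2.10"


class AdaptationError(ValueError):
    """A message the table cannot convert; the gateway rejects it instead of forwarding a guess."""


def to_side_b(msg: dict) -> dict:
    """Forward conversion A -> B: upper-case user name, add the visited-server address,
    replace the device name by its numeric code. Unknown device names are rejected."""
    device = msg["NAS-Identifier"]
    if device not in DEVICE_CODES:
        raise AdaptationError(f"no code configured for device {device!r}")
    out = dict(msg)                                     # never mutate the caller's message
    out["User-Name"] = msg["User-Name"].upper()
    out["Visited-AAA-Address"] = VISITED_AAA_ADDRESS    # hypothetical attribute name
    out["NAS-Identifier"] = DEVICE_CODES[device]
    return out


def to_side_a(msg: dict) -> dict:
    """Inverse conversion B -> A for the reply: lower-case user name, numeric code
    mapped back to the device name, and the attribute side A never used removed."""
    code = msg["NAS-Identifier"]
    if code not in CODE_TO_DEVICE:
        raise AdaptationError(f"unknown device code {code!r}")
    out = dict(msg)
    out["User-Name"] = msg["User-Name"].lower()
    out["NAS-Identifier"] = CODE_TO_DEVICE[code]
    out.pop("Visited-AAA-Address", None)
    return out


def round_trip(msg: dict) -> dict:
    """Apply the forward conversion and then its inverse; for a well-formed
    request this must give back the original attributes."""
    return to_side_a(to_side_b(msg))


# Constructed Access-Request as it arrives from side A; the password value is a placeholder.
SAMPLE_REQUEST = {
    "User-Name": "zhangsan@beijing.com",
    "NAS-Identifier": "bras-sh-01",
    "User-Password": "<hidden-per-rfc2865>",
}

if __name__ == "__main__":
    print(to_side_b(SAMPLE_REQUEST))
```

Two points the table alone does not show: the conversion must be invertible so that accounting records reconciled later on both sides of the gateway refer to the same user and device, and a message whose device is missing from the table should be rejected rather than passed on with a guessed code. In real RADIUS the User-Password attribute is hidden with the shared secret of each hop (RFC 2865), so a proxy or gateway also has to re-hide it for the next hop; the dict model above leaves that step out.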

In the user roaming access flow of this embodiment, steps (1)-(8) are essentially the same as in the previous embodiment. The difference is in step (9): if the visited RADIUS user authentication server recognizes from the user name that this is a roaming user whose home server belongs to another operator, it first forwards the authentication message to the visited network's AAA gateway. The AAA gateway uses the standard Proxy function (typically the well-known RADIUS Proxy behaviour of RFC 2865, RFC 2866 and RFC 2869) to forward it to the home AAA gateway. The home AAA gateway likewise uses the standard Proxy function to forward the authentication message to the home RADIUS user authentication server, which performs the actual authentication.

In step (10), the home RADIUS user authentication server judges from the user information whether the user is legitimate, and then forwards the authentication success/failure message through the home AAA gateway and the visited AAA gateway to the visited RADIUS user authentication server. The subsequent process is the same as steps (11) to (13) of Embodiment 1.

The user accounting process is as follows:

14) If authentication succeeded, the PPPoE server sends an accounting-start request to the visited RADIUS user accounting server.

15) The visited RADIUS user accounting server finds that the user is a roaming user and, as in step 9) above, forwards the accounting message through the intermediate AAA gateways (the visited AAA gateway and the home AAA gateway) to the home RADIUS user accounting server, which performs the actual accounting.

16) The home RADIUS user accounting server replies with an accounting-start response, which is forwarded through the intermediate AAA gateways (the home AAA gateway and the visited AAA gateway) to the visited RADIUS user accounting server.

17) The visited RADIUS user accounting server forwards the accounting-start response to the visited PPPoE server.

Embodiment 3: Roaming among multiple operators

When a particular user roams, the roaming is always between two operator entities; but when the users connected to one access device roam, roaming among multiple operators occurs. Determining roaming among multiple operators is in fact the sum of determining the roaming situation of each individual user.

Interconnection between operators or enterprises is arranged by bilateral agreements. An operator or enterprise that wants to interconnect with many operators or enterprises must therefore negotiate many bilateral agreements, which differ from one another; this is inconvenient and technically difficult.

By forming a roaming alliance and performing all roaming data configuration within the alliance, all operators and enterprises connected to the roaming alliance can roam with one another. An operator or enterprise that wants to interconnect with many operators or enterprises only needs to reach agreement once with the roaming alliance to interconnect with all of them; the agreement is identical for all parties, the technical difficulty is low, and the negotiation time is short.

At the same time, the roaming alliance interconnects through its border AAA gateways with the AAA gateways of the individual operators and enterprise networks, and can provide protocol adaptation, authentication statistics, accounting settlement, and so on.

To support authentication statistics and accounting settlement, the operator or enterprise AAA gateways and the roaming alliance's AAA gateways must, besides forwarding messages and converting protocols, store, compute and aggregate the authentication and accounting information. Two connected entities (for example two operators) can then check the detailed authentication and accounting records against each other (the reconciliation function), and compile authentication statistics and settle accounting from the information aggregated by both parties. For example, operators usually have a settlement agreement between them; assuming the accounting revenue is split 3:7 between the visited operator and the home operator, revenue settlement is performed according to the aggregated accounting information. Thus in the present invention, with the authentication and accounting information stored on the AAA gateway, conventional authentication statistics, accounting settlement and reconciliation methods can be applied.

A "roaming alliance" may denote an organization; here it may also denote a group of AAA servers that are configured and managed uniformly. Seen from outside the "roaming alliance", these AAA servers resemble the AAA gateways described above, but they are no longer in a point-to-point relationship but in a many-to-many one. Further requirements are placed on top of the gateways above, including many-to-many configuration and many-to-many adaptation. The configuration format and lookup process are as described in Embodiment 2; what needs to be added in this example is that the AAA servers of the "roaming alliance" must be configured with all the relevant roaming relationships between the interconnected operators, and with the protocol adaptation requirements for roaming.

The internal structure of the roaming alliance may be a mesh interconnection of the AAA servers at the alliance's edge, or it may have its own internal network, using any one or a combination of mesh/partial-mesh, layered, star and other topologies. Note that the networks referred to here are logical networks formed directly between AAA servers, not physical connection networks.

Whenever a roaming customer's information is added, deleted or modified, for example the domain name and home AAA server information, the configuration inside the roaming alliance must be modified so that every edge AAA server in the alliance connected to that roaming customer knows the updated information. The configuration change inside the alliance depends on its internal topology: in a mesh/partial-mesh network every relevant edge AAA server must be modified; in a layered network the higher-layer AAA server must be modified; in a star network the central-node AAA server must be modified. The same applies to other topologies; the principle is that the correct AAA path must still be provided after the modification.

The specific method of configuring the roaming alliance's AAA gateways and of implementing protocol adaptation on them is the same as the protocol adaptation method between the AAA gateways of two operators/enterprises.

The user roaming access flow is essentially as described before; the only difference is that between the "home" AAA server and the "visited" AAA server, the user's messages must additionally pass through the AAA gateways of the intermediate entities and the AAA gateway of the roaming alliance.

Specifically, taking the AAA gateways as boundaries, the chain of intermediate entities is generally (visited AAA server →) own operator's AAA network → own operator's AAA gateway → roaming alliance → peer operator's AAA gateway → peer operator's AAA network (→ home AAA server). Each intermediate entity implements the conventional Proxy function, for example the RADIUS Proxy function. Protocol adaptation is performed on the roaming alliance's edge AAA servers. The adaptation process is the same as described in Embodiment 2 and is not repeated here.

The roaming alliance's AAA servers or AAA gateways are logically independent of the individual operators and will generally be a network provided by an independent organization. Operators can, however, also cooperate and set aside AAA servers or AAA gateways from their own current networks to serve as the roaming alliance's AAA servers. Moreover, the roaming alliance need not even be separate hardware; its function can be implemented by a software module alone. The roaming alliance gateway and the operator gateway are logically independent in function, but can be implemented on the same physical entity, for example the operator gateway.

In the user roaming access flow of Embodiment 3, steps (1)-(8) are essentially the same as in the previous embodiments. The difference is in step (9): if the visited RADIUS user authentication server recognizes from the user name that this is a roaming user whose home server belongs to another operator, it first forwards the authentication message to the visited network's AAA gateway, and the message then passes through the intermediate entities. Taking the AAA gateways as boundaries, the chain of intermediate entities is generally (visited AAA server →) own operator's AAA network → own operator's AAA gateway → roaming alliance → peer operator's AAA gateway → peer operator's AAA network (→ home AAA server). Every AAA gateway uses the standard Proxy function (typically the well-known RADIUS Proxy behaviour of RFC 2865, RFC 2866 and RFC 2869) to forward the message towards the home AAA gateway. The home AAA gateway likewise uses the standard Proxy function to forward the authentication message to the home RADIUS user authentication server, which performs the actual authentication.

In step (10), the home RADIUS user authentication server judges from the user information whether the user is legitimate, and then sends the authentication success/failure message from the home AAA gateway through the AAA gateways of the intermediate entities and the roaming alliance's AAA gateway to the visited RADIUS user authentication server. The subsequent process is the same as steps (11) to (13) of Embodiment 1.

The user accounting process is as follows:

14) If authentication succeeded, the visited PPPoE server sends an accounting-start request to the visited RADIUS user accounting server.

15) The visited RADIUS user accounting server finds that the user is a roaming user and, as in step 9) above, forwards the accounting message through the intermediate roaming forwarding devices (the home AAA gateway, reached via the AAA gateways of the intermediate entities and the roaming alliance's AAA gateway) to the home RADIUS user accounting server, which performs the actual accounting.

16) The home RADIUS user accounting server replies with an accounting-start response, which is forwarded through the intermediate roaming forwarding devices (the home AAA gateway, the AAA gateways of the intermediate entities, the roaming alliance's AAA gateway and the visited AAA gateway) to the visited RADIUS user accounting server.

17) The visited RADIUS user accounting server forwards the accounting-start response to the visited PPPoE server.

Embodiment 4: Roaming access at the access device and the AAA server

When users connected to an access device (for example an access server) need to roam, the access device learns from its configured domain names which home AAA server or connected AAA gateway each user corresponds to. However, an access device can usually hold only a limited number of domain name relationships, generally a few dozen, typically 32, so its scalability is poor, and it certainly cannot meet operational or management needs once roaming domain names must be configured. Moreover, each new home network added for roaming requires a new roaming domain name to be added on every access device in the whole network, so the maintenance effort is very large.

In this embodiment of the invention, a roaming domain module is set up on the access device so that, apart from the access device's core relationships (for example the AAA server of the local home network), all other roaming users are directed to the roaming domain. All roaming users are thereby connected to the corresponding higher-layer AAA server, or directly to the AAA gateway, which then forward the roaming information to the home network.

In the roaming domain module, all locally authenticated users are directly configured with their corresponding AAA server (authentication and accounting); all users with special requirements (for example, a connected enterprise may require its own AAA server to be configured, and if that AAA server is not the local authentication server a special configuration is needed) are likewise directly configured with their corresponding AAA server (authentication and accounting).

Because configuring every roaming domain module individually would be too much maintenance, a "roaming domain" configuration item is set up: under this item, all non-local users without special requirements are sent to the AAA server configured for the roaming domain for authentication and accounting. This AAA server may be the AAA gateway described above, or any AAA server that can find the path to the user's home AAA server.

When configuring the roaming domain, the whole domain name part of the "username@domain" form mentioned above may be used, or only part of it. For example, for zhangsan@telecom.beijing.com the roaming configuration can be keyed on the domain name "telecom.beijing.com" or on "beijing.com". The configuration method is the same as in the previous embodiments.

Generally, an AAA server may also be given a roaming domain module, which directs all roaming users through the roaming domain to other AAA servers or AAA gateways. It is implemented in the same way as the roaming domain on the access device.

In this way the access server (or similar access device) and the AAA server need not configure the relationships for all AAA servers, only the core relationships and one roaming relationship. That is, when a network roaming relationship is added, modified or deleted, it needs to be configured only once on a particular AAA gateway or roaming alliance; since all access devices and the visited or intermediate AAA servers already have the roaming relationship configured, the change takes effect immediately without modifying them. This scales well and achieves zero-maintenance roaming.
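The roaming domain module described in this embodiment, as an added example that is not part of the patent: an access device (or AAA server) is configured with only its local route, a few special-requirement routes and one "roaming domain" default, and a user's domain is matched against those entries by longest suffix, so an entry for "beijing.com" also covers "telecom.beijing.com" as the previous paragraphs describe. The route kinds, server addresses and domain names are constructed for this example, and a user name without any domain part is treated as local by assumption.

```python
"""Roaming domain module: core relationships plus one default roaming route,
looked up by longest domain-suffix match. Added example with constructed
configuration; not the patent's own code.
"""
from __future__ import annotations

from typing import NamedTuple, Optional


class Route(NamedTuple):
    kind: str        # "local", "special" or "roaming"
    auth: str        # constructed address of the AAA server/gateway used for authentication
    acct: str        # constructed address of the AAA server/gateway used for accounting


class RoamingDomainModule:
    def __init__(self, local: Route, core: dict, roaming: Route):
        self.local = local                                      # users with no domain part (assumed)
        self.core = {d.lower(): r for d, r in core.items()}     # explicitly configured domains
        self.roaming = roaming                                  # the single "roaming domain" entry

    @staticmethod
    def domain_of(user_name: str) -> Optional[str]:
        if "@" not in user_name:
            return None
        return user_name.rsplit("@", 1)[1].lower()

    def resolve(self, user_name: str) -> Route:
        """Pick the route for a user: explicit domain (longest suffix wins),
        otherwise the roaming domain. No per-home-network entries are needed."""
        domain = self.domain_of(user_name)
        if domain is None:
            return self.local
        labels = domain.split(".")
        # Try "telecom.beijing.com", then "beijing.com", then "com".
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.core:
                return self.core[candidate]
        return self.roaming


def build_access_device_module() -> RoamingDomainModule:
    """Constructed configuration of a Shanghai access device: local users, one
    enterprise with its own AAA server, everything else to the roaming gateway."""
    local = Route("local", "aaa.shanghai.example", "aaa.shanghai.example")
    core = {
        "shanghai.com": local,
        "corp.example": Route("special", "aaa.corp.example", "aaa.corp.example"),
    }
    roaming = Route("roaming", "aaa-gw.shanghai.example", "aaa-gw.shanghai.example")
    return RoamingDomainModule(local, core, roaming)


def build_gateway_module() -> RoamingDomainModule:
    """Constructed configuration of the roaming gateway: a single "beijing.com"
    entry covers every sub-domain of that home network."""
    local = Route("local", "aaa.shanghai.example", "aaa.shanghai.example")
    core = {"beijing.com": Route("special", "aaa.beijing.example", "aaa.beijing.example")}
    roaming = Route("roaming", "aaa-alliance.example", "aaa-alliance.example")
    return RoamingDomainModule(local, core, roaming)


if __name__ == "__main__":
    print(build_access_device_module().resolve("zhangsan@telecom.beijing.com"))
```

Because the access device never needs a per-home-network entry, a newly connected home operator is reachable as soon as the gateway or alliance knows about it, which is the zero-maintenance property claimed above; the suffix walk also makes the lookup insensitive to the case of the domain part, so "ZhangSan@Beijing.COM" and "zhangsan@beijing.com" take the same route.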

用户漫游接入流程基本同前例,只是在接入设备、AAA服务器漫游配置和控制上进行了优化。The user roaming access process is basically the same as the previous example, except that the roaming configuration and control of the access device and AAA server are optimized.

其具体过程是,在经过上述实施例中步骤(1)至(7)后,在步骤(8)中,如果漫游地接入服务器(PPPoE接入服务器)根据例如用户名识别出是漫游用户,则直接通过漫游域模块找到对应的AAA网关或者漫游联盟,或是找到归属地AAA服务器的路径,将此认证报文转发到漫游地的AAA网关。或者,当接入服务器中未设置漫游域模块而在AAA服务器(在本例中为RADIUS用户认证服务器)中设置了漫游域模块时,在步骤(9)中,RADIUS用户认证服务器根据用户名识别是一个漫游用户,则也可以通过其配置的漫游域模块找到对应的AAA网关或者漫游联盟,或是找到归属地AAA服务器的路径,将此认证报文转发到漫游地的AAA网关。在AAA网关中使用标准的Proxy功能(典型的如公知的RFC2865、RFC2866、RFC2869的RADIUS Proxy功能),转发到归属地AAA网关上。归属地AAA网关也使用标准的Proxy功能将认证报文转发到归属地的RADIUS用户认证服务器上进行真正的认证。Its concrete process is, after step (1) to (7) through above-mentioned embodiment, in step (8), if the roaming ground access server (PPPoE access server) is identified as roaming user according to such as username, Then directly find the corresponding AAA gateway or roaming alliance through the roaming domain module, or find the path of the home AAA server, and forward the authentication message to the AAA gateway in the roaming place. Or, when the roaming domain module is not set in the access server and the roaming domain module is set in the AAA server (RADIUS user authentication server in this example), in step (9), the RADIUS user authentication server identifies the If you are a roaming user, you can also find the corresponding AAA gateway or roaming alliance through the configured roaming domain module, or find the path of the home AAA server, and forward the authentication message to the roaming AAA gateway. Use the standard Proxy function (typically such as the well-known RADIUS Proxy function of RFC2865, RFC2866, RFC2869) in the AAA gateway to forward to the home AAA gateway. The home AAA gateway also uses the standard Proxy function to forward the authentication message to the home RADIUS user authentication server for real authentication.

在步骤(10)中,归属地RADIUS用户认证服务器根据用户信息判断用户是否合法,然后将认证成功/失败报文同样按照上述方法通过归属地RADIUS用户认证服务器中配置的漫游域模块找到对应的AAA网关或者漫游联盟,从而转发到漫游地RADIUS用户认证服务器。此后的过程同实施例1的步骤(11)至(13)。In step (10), the home RADIUS user authentication server judges whether the user is legal according to the user information, and then finds the corresponding AAA with the authentication success/failure message through the roaming domain module configured in the home RADIUS user authentication server in the same manner as above Gateway or roaming alliance, so as to forward to the roaming RADIUS user authentication server. The subsequent process is the same as the steps (11) to (13) of Embodiment 1.
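The forwarding path in steps (8) to (10) rests on standard RADIUS proxying, and the property a practitioner should check is that trust is strictly hop by hop: each proxy re-hides the User-Password under the next hop's shared secret, adds a Proxy-State attribute so the reply can be matched, and must verify the Response Authenticator of the reply before it relays an authentication success. The Python below is an added illustration written for this page; it is not code from the patent or from Huawei. The route table (a per-user entry, a realm entry and a roaming-alliance fallback, in the user > domain > default order that claim 5 describes for the roaming forwarding apparatus), the shared secrets, the home user database and the packets are all constructed, and hop names such as aaa-gw.home.example are hypothetical.

```python
"""Hop-by-hop RADIUS proxying of a roaming Access-Request (RFC 2865 mechanics).
Added example for this page, not code from the patent or from Huawei; realm table,
shared secrets, user database and packets are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, PROXY_STATE = 1, 2, 33

# Constructed roaming-domain data. A per-user entry wins over its realm entry and the
# roaming-alliance gateway is the fallback: the user > domain > default lookup order.
USER_ROUTES = {"vip@home.example": ("aaa-gw-priority.home.example", b"s-vip")}
REALM_ROUTES = {"home.example": ("aaa-gw.home.example", b"s-home")}
DEFAULT_ROUTE = ("aaa-gw.alliance.example", b"s-alliance")
HOME_USERS = {"alice@home.example": b"correct horse", "vip@home.example": b"hunter2"}

def lookup_route(user_name):
    """(next hop, per-hop secret) for a User-Name; the realm is the part after '@'."""
    realm = user_name.rpartition("@")[2].lower() if "@" in user_name else ""
    return USER_ROUTES.get(user_name) or REALM_ROUTES.get(realm) or DEFAULT_ROUTE

def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(data):
    """Header plus TLV attributes; malformed lengths are rejected, not guessed."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs

def password_xor(secret, authenticator, data, reveal=False):
    """RFC 2865 section 5.2 User-Password hiding: 16-byte blocks XORed with
    MD5(secret + previous ciphertext block). Hiding pads with NUL; revealing strips it."""
    data = data if reveal else data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if reveal else block)
    return out.rstrip(b"\x00") if reveal else out

def sign_reply(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = encode(code, ident, request_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def reply_is_authentic(reply, request_auth, secret):
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def proxy_forward(packet, in_secret):
    """Visited-network AAA: choose the next hop, re-hide the password under that hop's
    secret and tag the request with Proxy-State. Returns (hop, hop secret, auth, packet)."""
    code, ident, auth, attrs = decode(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied here")
    user = next(v for t, v in attrs if t == USER_NAME).decode()
    hop, out_secret = lookup_route(user)
    new_auth = os.urandom(16)
    out = [(t, password_xor(out_secret, new_auth, password_xor(in_secret, auth, v, True))
            if t == USER_PASSWORD else v) for t, v in attrs]
    out.append((PROXY_STATE, bytes([ident]) + auth))  # the home server must echo this
    return hop, out_secret, new_auth, encode(code, ident, new_auth, out)

def home_server(packet, secret):
    """Home AAA: check the password, echo Proxy-State, sign the reply with its secret."""
    code, ident, auth, attrs = decode(packet)
    user = next(v for t, v in attrs if t == USER_NAME).decode()
    hidden = next(v for t, v in attrs if t == USER_PASSWORD)
    ok = user in HOME_USERS and hmac.compare_digest(
        HOME_USERS[user], password_xor(secret, auth, hidden, True))
    echoed = [(t, v) for t, v in attrs if t == PROXY_STATE]
    return sign_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, echoed, secret)

def roam(user_name, password, nas_secret=b"s-nas", tamper=False):
    """End to end: NAS -> visited AAA -> home AAA -> back. Returns (hop, verdict)."""
    req_auth = os.urandom(16)
    request = encode(ACCESS_REQUEST, 7, req_auth, [
        (USER_NAME, user_name.encode()),
        (USER_PASSWORD, password_xor(nas_secret, req_auth, password.encode()))])
    hop, hop_secret, fwd_auth, forwarded = proxy_forward(request, nas_secret)
    reply = home_server(forwarded, hop_secret)
    if tamper:  # on-path party flips Reject to Accept without knowing the hop secret
        reply = bytes([ACCESS_ACCEPT]) + reply[1:]
    if not reply_is_authentic(reply, fwd_auth, hop_secret):
        return hop, "forged"
    return hop, "accept" if decode(reply)[0] == ACCESS_ACCEPT else "reject"
```

Calling roam("alice@home.example", "correct horse") routes the request through the realm entry and returns an accept; the tamper flag simulates an on-path party rewriting a Reject into an Accept, which the Response Authenticator check catches. Two caveats follow from the same mechanics: with PAP every hop, including the visited network and any alliance gateway, sees the cleartext password, and an Accept is only as trustworthy as the shared secret of the hop that signed it, so a compromised intermediate gateway can admit any user it likes. A production proxy additionally matches and strips the echoed Proxy-State before relaying the reply to the access device, which then verifies it under its own secret.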

The user accounting procedure is as follows:

14) If authentication succeeds, the PPPoE server sends an accounting-start request to the visited-network RADIUS user accounting server.

15) The visited-network RADIUS user accounting server finds that the user is a roaming user and, as in step 9) above, uses the roaming domain module configured on the visited-network RADIUS user authentication server to find the corresponding AAA gateway or roaming alliance, through which the accounting packet is forwarded to the home RADIUS user accounting server, where the actual accounting takes place.

16) The home RADIUS user accounting server replies with an accounting-start response packet and uses its configured roaming domain module to find the corresponding AAA gateway or roaming alliance, through which the response is forwarded to the visited-network RADIUS user accounting server.

17) The visited-network RADIUS user accounting server forwards the accounting-start response packet to the visited-network PPPoE server.

Although the invention has been described above with reference to several embodiments, these descriptions are intended only to make the invention clearer and easier to understand in full, not to limit it. For example, the embodiments use PPPoE authentication as their example, but the invention can evidently also be used with WEB authentication, 802.1X authentication and other conventional network user authentication methods besides PPPoE. Likewise, the invention is not limited to providing users with roaming service over the RADIUS, DIAMETER and other protocols mentioned in the specification. Various modifications and equivalent substitutions can therefore clearly be made to the details of the embodiments, and such modifications and equivalents remain within the scope of the invention.

Claims (12)

1. A method for providing roaming service to users in a network system, the network system comprising: a client terminal; access devices, including a visited-network access device and the roaming user's home access device; AAA servers, including a visited-network AAA server and the roaming user's home AAA server; and a roaming forwarding apparatus, connected between the visited-network AAA server and the home AAA server, for forwarding the roaming user's authentication and accounting information; the method comprising:
(1) the visited-network access device obtains user information from the access request sent by the roaming user's client terminal device;
(2) the visited-network access device sends the user information to the visited-network AAA server for authentication;
(3) the visited-network AAA server examines the user information and, on determining that the user is a roaming user, sends the user's authentication information to the roaming forwarding apparatus, which sends it to the AAA server of the user's home network for authentication;
(4) the home AAA server decides from the user information whether the user is legitimate, and then sends an authentication success/failure packet to the visited-network AAA server through the roaming forwarding apparatus;
(5) if the home AAA server has sent an authentication success packet, the visited-network AAA server instructs the visited-network access device to authorize the user; if it has sent an authentication failure packet, the user is refused access service;
(6) after the user has been authenticated successfully, the visited-network access device sends an accounting-start request to the visited-network AAA server;
(7) the visited-network AAA server forwards the accounting packet through the roaming forwarding apparatus to the user's home AAA server for accounting.

2. The method according to claim 1, wherein step (3) further comprises: the roaming forwarding apparatus performs protocol adaptation and packet-format conversion according to the protocol types of the visited-network AAA server and the home AAA server and their packet-format requirements.

3. The method according to claim 2, wherein the roaming forwarding apparatus performs the protocol adaptation and packet-format conversion according to a mapping table, configured on the roaming forwarding apparatus, between device names and numeric codes.

4. The method according to claim 1, 2 or 3, wherein the authentication method is PPPoE authentication, WEB authentication or 802.1X authentication.

5. The method according to claim 4, further comprising a process, in the roaming forwarding apparatus, of determining the processing policy for a user authentication packet, the process comprising:
on receiving the user's authentication packet, parsing out the attributes of the authentication packet;
judging whether a lookup of configuration data is required and, if so, determining the policy for processing the authentication packet from the content of the user data section;
if no user data is found, determining the policy for processing the authentication packet from the content of the domain data section;
if no domain data is found, using the default configuration data; and
carrying out the next processing step according to the determined policy.

6. The method according to claim 5, further comprising the step of storing the forwarded user authentication and accounting information in the roaming forwarding apparatus.

7. A network system for providing roaming service to roaming users, comprising:
a client terminal;
access devices, for providing access service to client terminals, including the visited-network access device where the roaming user is located and the roaming user's home access device;
AAA servers, for authenticating the user information of client terminals forwarded by the access devices and for accounting for client terminals that have gained access, including the visited-network AAA server where the roaming user is located and the roaming user's home AAA server;
characterized in that the system further comprises a roaming forwarding apparatus, connected between the roaming user's visited-network AAA server and home AAA server, for forwarding the roaming user's authentication and accounting information.

8. The system according to claim 7, wherein the AAA servers belonging to the same network operator or enterprise are connected in a hierarchical topology, a star topology, or a combination of hierarchical, star and mesh/partial-mesh topologies.

9. The system according to claim 8, wherein the roaming forwarding apparatus comprises a higher-layer AAA server in the hierarchical network of the same operator or enterprise, the AAA server at the central node of the star network of the same operator's local area network or enterprise, or a combination of the two, for performing protocol adaptation and forwarding authentication packets for the multiple operators or enterprises.

10. The system according to claim 7, wherein the roaming forwarding apparatus comprises an AAA gateway connected between two or more network operators or enterprises, for performing protocol adaptation and forwarding authentication packets for those operators or enterprises.

11. The system according to claim 7, wherein the roaming forwarding apparatus further comprises a roaming alliance interconnected with multiple operators or enterprises through AAA gateways, for performing protocol adaptation and forwarding authentication packets for those operators or enterprises.

12. The system according to any one of the preceding claims, wherein a roaming domain module is provided in the access device or the AAA server for configuring path information, so that the roaming user's authentication and accounting information is directed to a roaming forwarding apparatus from which the user's home AAA server can be found.
Priority Applications (1)

Application Number: CNB031380441A (CN100370869C); Priority Date: 2003-05-30; Filing Date: 2003-05-30; Title: Method and system for providing user network roam

Applications Claiming Priority (1)

Application Number: CNB031380441A (CN100370869C); Priority Date: 2003-05-30; Filing Date: 2003-05-30; Title: Method and system for providing user network roam

Publications (2)

CN1553741A, published 2004-12-08 (application publication)
CN100370869C, published 2008-02-20 (granted publication)

Family

ID: 34323637

Family Applications (1)

Application Number: CNB031380441A (CN100370869C); Title: Method and system for providing user network roam; Priority Date: 2003-05-30; Filing Date: 2003-05-30; Status: Expired - Lifetime

Country Status (1)

CN: CN100370869C

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006116908A1 (en) * 2005-04-30 2006-11-09 Huawei Technologies Co., Ltd. A method and interface apparatus for authentication and charging
WO2006131898A2 (en) * 2005-06-09 2006-12-14 Utstarcom Telecom Co., Ltd. Controllable multicast management method for downstream users of internet protocol television (iptv)
WO2007087744A1 (en) * 2006-01-26 2007-08-09 Huawei Technologies Co., Ltd. A system, device and method for realizing terminal roaming control
WO2007131426A1 (en) * 2006-04-29 2007-11-22 Huawei Technologies Co., Ltd. Aaa system and authentication method of multi-hosts network
CN100370734C (en) * 2006-03-13 2008-02-20 华为技术有限公司 WAP service charging method
CN100372327C (en) * 2005-01-11 2008-02-27 华为技术有限公司 Network access system and access method based on serving cell
CN100426930C (en) * 2006-04-30 2008-10-15 中国联合通信有限公司 Wireless data communication monitoring system and method
WO2008122233A1 (en) * 2007-04-04 2008-10-16 Huawei Technologies Co., Ltd. Charging network, charging method and gateway
CN100444688C (en) * 2005-08-08 2008-12-17 中兴通讯股份有限公司 Automatic roaming area entry method under mobile limit
CN100461958C (en) * 2006-04-30 2009-02-11 中国联合通信有限公司 A mobile communication access system and method
WO2009056010A1 (en) * 2007-11-01 2009-05-07 Zte Corporation Method of obtaining proxy call session control function address while roaming
CN101184336B (en) * 2007-12-05 2010-04-21 中兴通讯股份有限公司 Method of implementing content charging user roaming
CN101151856B (en) * 2005-03-28 2010-10-13 松下电器产业株式会社 Mobile router, home agent, and terminal position management method
CN101917722A (en) * 2010-08-31 2010-12-15 广州杰赛科技股份有限公司 Method for identifying non-attributive place access identity of terminal in wireless local area network
CN101925061A (en) * 2010-08-31 2010-12-22 广州杰赛科技股份有限公司 Method for non-home domain accessing identity authentication in wireless metropolitan area network terminal
US7869803B2 (en) 2002-10-15 2011-01-11 Qualcomm Incorporated Profile modification for roaming in a communications environment
CN101958846A (en) * 2010-11-03 2011-01-26 北京北信源软件股份有限公司 Method for client roaming across servers
US7882346B2 (en) 2002-10-15 2011-02-01 Qualcomm Incorporated Method and apparatus for providing authentication, authorization and accounting to roaming nodes
US7895145B2 (en) 2006-07-31 2011-02-22 Huawei Technologies Co., Ltd. Method, system and device for controlling policy information required by a requested service
CN102238547A (en) * 2011-07-19 2011-11-09 华为软件技术有限公司 User session control method, session server, authentication, authorization and accounting (AAA) server and system
CN102355650A (en) * 2011-07-15 2012-02-15 华为软件技术有限公司 Service processing method and system thereof
CN101136861B (en) * 2006-09-01 2012-07-04 阿尔卡特朗讯 Method of providing an IPTV service and network unit
CN1859167B (en) * 2005-11-04 2012-08-08 华为技术有限公司 Exciting method for network telephone terminal configuration
CN101203036B (en) * 2006-12-15 2012-09-05 华为技术有限公司 Tactics coordination system and tactics coordination method
CN101447973B (en) * 2007-11-27 2014-02-12 开曼晨星半导体公司 Access management method for home indoor base station of mobile communication
CN103813327A (en) * 2012-11-09 2014-05-21 华为技术有限公司 Authentication mode indicating method
US9313784B2 (en) 2005-09-19 2016-04-12 Qualcomm Incorporated State synchronization of access routers
WO2016107148A1 (en) * 2014-12-31 2016-07-07 中兴通讯股份有限公司 Authentication and authorization method combining radius and diameter
CN109981574A (en) * 2019-02-21 2019-07-05 深圳优仕康通信有限公司 A kind of networking encryption method, network relay equipment and computer readable storage medium
CN114629683A (en) * 2022-02-11 2022-06-14 亚信科技(成都)有限公司 Access method, device, equipment and storage medium of management server

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002042861A2 (en) * 2000-11-13 2002-05-30 Ecutel, Inc. System and method for secure network mobility
CN1134201C (en) * 2001-11-13 2004-01-07 西安西电捷通无线网络通信有限公司 Cross-IP internet roaming method for mobile terminal

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of the request for substantive examination)
C14 / GR01: Grant of patent or utility model (granted publication date: 2008-02-20)
CX01: Expiry of patent term