
CN1889484A - Identification insertion system and identification inserting method thereof - Google Patents


Info

Publication number: CN1889484A
Authority: CN (China)
Prior art keywords: authentication, access, module, access device, address
Legal status: Granted; Expired - Fee Related
Application number: CNA2005100801119A
Other languages: Chinese (zh)
Other versions: CN100421403C (en)
Inventor: 欧阳伟龙
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB2005100801119A (patent CN100421403C)
Priority to PCT/CN2006/001500 (patent WO2007000120A1)
Publication of CN1889484A
Application granted
Publication of CN100421403C

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

An authentication access system comprises a broadband access server (BRAS) connected to an access device and a function server connected to the BRAS. The BRAS includes a protocol termination module, which receives and terminates protocol messages from the access device; a proxy module, which constructs request messages; and a scheduling module, placed between the protocol termination module and the proxy module, which forwards information.

Description

An authentication access system and authentication access method thereof
Technical field
The present invention relates to an authentication access system and an authentication access method thereof.
Background technology
At present, an operator's revenue from broadband metropolitan area network services is not proportional to the number of network users. To raise revenue, operators keep adding new services to the network, so that network services reach every aspect of home network life and generate incremental revenue, for example voice over IP (VoIP), Internet Protocol television (IPTV) and online gaming. This also pushes the home network toward a multi-service environment. Figure 1 is a schematic diagram of such a home network. It comprises access devices that provide different services (for example a PC, a set-top box (STB) or an IP phone). Through a remote terminal unit (RTU) or routing gateway, the access devices connect over access technologies such as digital subscriber line (DSL) or Ethernet local area network (LAN) to a layer-2 aggregation device (Multiplexer) such as a digital subscriber line access multiplexer (DSLAM). The Multiplexer extracts the Ethernet protocol messages from the access medium and passes them through its own Asynchronous Transfer Mode (ATM) or Ethernet uplink port to the broadband access server (BRAS), which terminates the link and then provides the access device with access to the Internet and other value-added services.
For an operator, adding new services is not enough: the services users consume must also be charged for effectively to obtain greater revenue. At present, a single monthly flat-fee charging mode is mainly used. Combined study of different charging strategies (for example real-time, traffic-based or duration-based) has found that using several charging modes can significantly raise the rate of return while also giving users a choice of consumption plan.
However, in today's multi-service home network there are many devices providing different functions, and they do not all work the same way. For example, an IP phone must always be online, so it usually uses a dedicated-line access mode such as Dynamic Host Configuration Protocol (DHCP). IPTV need not be always online and only has to come online when being watched, so it can use dial-up access, or a mix of dial-up and dedicated-line access. If the IP phone and the IPTV belong to one user, then because their access modes differ they can currently only be charged separately (for example, the IP phone on a monthly flat fee and the IPTV by traffic), and the user cannot be managed under unified accounting with multiple charging policies. That is, in this network environment, because each device's access mode differs, the various charging modes cannot be used for unified accounting management of the various access devices in the network. Solving this technical problem requires unifying the access authentication of the various devices, that is, making non-authenticated access modes authenticate before access, so that management and charging can be unified.
Figure 2 shows the networking of a prior-art dial-up access mode. For example, the authenticated access process for Point-to-Point Protocol over Ethernet (PPPoE) dial-up access is as follows:
- The access device (for example a PC or STB) starts the dial-up client and initiates a PPPoE request, which is bridged to the BRAS through the home network router (RTU) or home gateway and the Multiplexer;
- The Point-to-Point Protocol (PPP) module of the BRAS terminates the PPPoE message, creates the corresponding virtual link, and notifies the dial-up client to initiate authentication;
- Using the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP), the access device submits its account and password to the BRAS;
- After receiving the account and password from the client, the PPP module of the BRAS passes them to the proxy server, and an authentication request is constructed from them. The authentication request is then sent to the function server for authentication;
- If authentication passes, the proxy server notifies the dial-up client through the PPP module that it may apply for an IP address;
- The access device applies to the BRAS for an IP address;
- After receiving the address allocation request, the PPP module of the BRAS applies to the proxy server for an IP address. The proxy server allocates an IP address to the dial-up client, generally by dynamic allocation from a shared address pool or by static allocation specified and issued by the function server;
- After the address has been allocated successfully, the proxy server informs the access device, through the PPP module, of the IP address it applied for;
- The access device uses this IP address to access the network over the virtual link.
The non-authenticated access modes used in the prior art mainly comprise DHCP access and automatic address configuration access.
The DHCP access process is as follows:
- After the user starts the PC, the device automatically enables its DHCP client (DHCP Client) function and begins applying for an IP address. The DHCP Client sends a discovery message (DHCP DISCOVER) on the interface link of its network card to look for an available DHCP server (DHCP Server). When the BRAS detects the DHCP DISCOVER message, it uses its internal relay function (DHCP Relay) to forward the message to the DHCP Server.
- After receiving the message and confirming that it can allocate an IP address to this PC, the DHCP Server replies with a confirmation message, which the BRAS forwards to the DHCP Client on the PC. The PC has now found an available DHCP Server.
- The DHCP Client sends an IP address request message to this DHCP Server through the BRAS. On receiving the request, the DHCP Server allocates an IP address and related network parameters to the PC and sends a reply to the user through the BRAS. The user's PC then uses the obtained IP address and network parameters to access the network.
The automatic address configuration access process is as follows:
After the user starts the PC, the access device automatically starts the automatic address configuration function of the IPv6 protocol. The access device checks whether the link at its network interface already carries an interface ID identical to its own; its own interface ID is constructed from the MAC address of the device's network card.
If none exists, the device solicits the IP address prefix and network parameters of this link from the router the link is connected to. The router constructs a globally unique IP address from the IP address prefix allocated to the device and the interface ID, and feeds it back to the user side. The user then uses the obtained IP address and network parameters to access the network.
To let the above non-authenticated access modes apply for an IP address and access the network with authentication, the prior art provides, for dedicated-line access modes such as DHCP, an authentication access method based on web page (WEB) authentication. Its flow is as follows:
- The steps before the IP address request message reaches the BRAS are the same as in the non-authenticated access mode above.
- Until the BRAS receives notification that the user has passed WEB authentication, it does not allow the user to use the network and discards all of the user's messages except Hypertext Transfer Protocol (HTTP) messages, which it redirects to the WEB Server.
- The WEB Server forcibly pushes an authentication page to the user. On receiving the page, the user manually enters a pre-allocated account and password in the web page and then sends an HTTP-based authentication request to the BRAS, which forwards it to the WEB Server.
- The WEB Server submits the user's account and password to the authentication server for authentication. After verification, the authentication server informs the WEB Server of the result. If authentication passes, the WEB Server notifies the BRAS that the user may use the network normally and pushes an authentication-passed page to the user, telling the user that normal Internet access is available. Otherwise, it informs the user that authentication failed.
WEB authentication can normalize non-authenticated access modes into authenticated access, and so allows unified charging and management of devices with different access modes. But this method clearly requires a WEB processing module in the BRAS and requires adding WEB equipment such as a WEB Server to the system; only in cooperation with the BRAS and the authentication server can these provide authentication for non-authenticated access modes.
It also requires non-PC terminals to support HTTP, Hypertext Transfer Protocol Secure (HTTPS) and the WEB authentication protocol. In addition, WEB authentication requires accounts and passwords to be allocated in advance, whereas IPv6-based information appliances need plug and play, so the method cannot be applied to terminals that do not integrate multiple protocols and/or that need plug and play.
WEB authentication also cannot bind a user's IP address to the access location, which leaves it open to attack in a real working environment.
Summary of the invention
The invention provides an authentication access system to solve the following problems in the prior art: WEB equipment must be added to the system and the client must support multiple protocols; the IP address cannot be bound to the access location; and authentication information must be allocated in advance and entered manually at access time, so plug and play cannot be achieved.
The invention also provides an authentication access method implemented on this system.
The system of the invention comprises a broadband access server (BRAS) connected to the access device and a function server connected to the BRAS. The BRAS comprises: a protocol termination module, which receives and terminates the protocol messages sent by the access device; and a proxy module, which constructs request messages. The BRAS further comprises a scheduling module (A3S), connected between the protocol termination module and the proxy module, which either constructs authentication information for a non-dial-up access mode and sends it to the proxy module, and forwards address allocation information and charging information; or forwards the authentication information of a dial-up access mode directly to the proxy module, and forwards address allocation information and charging information.
The proxy module comprises an authentication proxy module, an address allocation proxy module and a charging proxy module, each connected to the A3S. The address allocation proxy module constructs an address allocation request message from the location information of the access device. The authentication proxy module constructs an authentication request message from the location information of the access device and the authentication information. The charging proxy module constructs a charging request message from the location information of the access device and the authentication information.
The function server comprises: an authentication module, connected to the authentication proxy module, which authenticates the authentication request messages sent to it; an address allocation module, connected to the address allocation proxy module, which allocates IP addresses to access devices that pass authentication; and an accounting module, connected to the charging proxy module, which charges for services.
The protocol termination module comprises: a Dynamic Host Configuration Protocol (DHCP) module, which terminates DHCP protocol messages; a Point-to-Point Protocol (PPP) module, which terminates PPP protocol messages; and an automatic configuration (Auto config) module, which terminates stateless address configuration protocol messages.
In the method of the invention, the broadband access server (BRAS) receives access request messages that access devices initiate in authenticated and non-authenticated access modes, and forwards an access request message initiated in an authenticated access mode directly to the function server for authentication. The method is characterized in that, after the BRAS receives an access request message initiated in a non-authenticated access mode, it obtains the location information of the access device and constructs authentication information for it, then sends the function server an authentication request message carrying this authentication information. The function server authenticates the user, and the BRAS decides from the authentication result whether to allow the user to access.
The non-authenticated access mode is dynamic host configuration access or automatic configuration access; the authenticated access mode is point-to-point access.
The location information of the access device is obtained either from the access request message sent by the access device, or by the BRAS sending a query request to the digital subscriber line access multiplexer (DSLAM) where the access device is located.
The authentication information constructed by the BRAS comprises an account and/or a password. The account is constructed from the port number of the DSLAM where the access device is located and the BRAS port number, and the password from the BRAS port number; or the account and password are constructed from the DSLAM port number where the access device is located and/or the media access control (MAC) address of the access device; or the password is constructed from the BRAS port number and/or the IP address of the interface.
The DSLAM port number comprises the device number of the DSLAM and the port number of the access device; the BRAS port number comprises the device number of the BRAS and the port number of the access device.
After authentication, the IP address allocated to the user is bound to the access device. The IP address is bound to the access device according to the port information of the BRAS and the MAC address of the access device, or according to the DSLAM port number where the access device is located.
When the access device has initiated its access request in a non-authenticated access mode and an IP address has been allocated to it, the method further comprises the following step: when the BRAS receives an access message sent by the access device, it begins charging for it. After charging begins, the access information of the access device is checked periodically, and charging stops when the access information is no longer detected. The access information is the user's Address Resolution Protocol (ARP) message, Neighbor Discovery Protocol (ND) message, or the global link IP address the user applied for.
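The timed detection described above, as an added example that is not code from the patent: charging starts at the first access message, a check runs every interval, and the charging period is closed at the first check whose preceding interval saw no ARP or ND message. The function names, the event tuples, timestamps in seconds, the 30-second interval and the rule that one missed check stops charging are assumptions.

```python
from typing import List, Tuple

LIVENESS_KINDS = {"arp", "nd"}   # messages the page names as access information


class ChargingMeter:
    """Tracks charging periods for one access device from observed messages."""

    def __init__(self, interval: int):
        self.interval = interval
        self.periods: List[Tuple[int, int]] = []
        self._start = None       # start of the open charging period, if any
        self._check = None       # time of the next timed detection
        self._last_live = None   # time of the last ARP/ND message seen

    def _timed_detection(self, now: int, inclusive: bool) -> None:
        # Run every check that falls before `now` (or at `now` when closing).
        while self._start is not None and (
                self._check < now or (inclusive and self._check == now)):
            window_start = self._check - self.interval
            if self._last_live is None or self._last_live <= window_start:
                # Nothing seen in (window_start, check]: stop charging here.
                self.periods.append((self._start, self._check))
                self._start = None
            else:
                self._check += self.interval

    def observe(self, ts: int, kind: str) -> None:
        self._timed_detection(ts, inclusive=False)
        if self._start is None:
            # Any access message from the device (re)starts charging.
            self._start, self._check, self._last_live = ts, ts + self.interval, None
        elif kind in LIVENESS_KINDS:
            self._last_live = ts

    def close(self, now: int) -> List[Tuple[int, int]]:
        self._timed_detection(now, inclusive=True)
        if self._start is not None:          # still online at `now`
            self.periods.append((self._start, now))
            self._start = None
        return self.periods


def charging_periods(events, interval: int, now: int) -> List[Tuple[int, int]]:
    """events: iterable of (timestamp_seconds, kind) for one device."""
    meter = ChargingMeter(interval)
    for ts, kind in sorted(e for e in events if e[0] <= now):
        meter.observe(ts, kind)
    return meter.close(now)


def charged_seconds(events, interval: int, now: int) -> int:
    return sum(stop - start for start, stop in charging_periods(events, interval, now))


# Constructed sample: the device goes silent after t=70 and returns at t=200.
SAMPLE_EVENTS = [(0, "dhcp"), (10, "arp"), (35, "arp"), (70, "nd"),
                 (200, "data"), (215, "arp")]

if __name__ == "__main__":
    print(charging_periods(SAMPLE_EVENTS, 30, 240))
    print(charged_seconds(SAMPLE_EVENTS, 30, 240))
```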
The beneficial effects of the invention are as follows:
Because the invention adds a scheduling module (A3S) to the existing authentication access system and uses it to construct authentication information for non-authenticated access modes, non-authenticated access is normalized into authenticated access. After access succeeds, the authentication information is used to construct a charging request message to charge for the access device.
This in turn removes the need for the access device to support multiple protocols, reducing both the difficulty of protocol configuration on the access device and the cost of the access device.
The system of the invention only requires adding a scheduling module to the system, which lowers system cost.
The invention does not need accounts and passwords to be allocated in advance; instead, the scheduling module automatically constructs a globally unique account and password from the location information of the access device. The invention is therefore compatible with all IP devices and achieves plug and play.
The invention unifies address allocation for the various access modes in the address allocation module, which eases unified management and planning of addresses. It can further bind to a device the IP address corresponding to it according to the device's location information, ensuring the device obtains the same IP address every time, which simplifies operation and reduces cost.
By separating the access mode from the authentication mode, the invention provides effective support for the long-term coexistence of IPv4 and IPv6.
With the system and authentication method of the invention, a unified charging policy can be applied to the various access modes, which makes it easy to implement multiple charging policies in the system and lets the operator obtain greater revenue.
Description of drawings
Fig. 1 is a schematic diagram of a prior-art home network;
Fig. 2 is a system networking diagram of the prior-art dial-up access mode;
Fig. 3 is a system networking diagram for the method of the invention;
Fig. 4 is a flow chart of the steps of the method of the invention.
Embodiment
The aim is a simpler system that can still authenticate non-authenticated access modes: the user side need not support multiple protocols, the system can bind the IP address to the access location, and the system's compatibility with IP devices improves. To this end the invention adds a scheduling module (A3S) to the access authentication system to construct authentication information for non-authenticated access modes, so that they can be normalized into the authenticated mode.
Figure 3 is a networking schematic of the authentication access system of the invention. As the figure shows, the system comprises:
A broadband access server (BRAS) connected to the access device, and a function server connected to the BRAS. The BRAS comprises: a protocol termination module connected to the access device, containing a Dynamic Host Configuration Protocol (DHCP) module, a Point-to-Point Protocol (PPP) module, an automatic configuration (Auto config) module and protocol modules for other protocols, where the automatic configuration module refers specifically to a stateless automatic address configuration module based on IPv6; a scheduling module (A3S) connected to the protocol termination module; and a proxy module connected to the A3S, containing an address allocation proxy module, an authentication proxy module and a charging proxy module. The function server comprises: an authentication module connected to the authentication proxy module, an address allocation module connected to the address allocation proxy module, and an accounting module connected to the charging proxy module.
The BRAS receives the access request messages sent by the access device and performs access processing on them. Within the BRAS:
The protocol termination module receives and terminates the protocol messages sent by the access device. Inside it, the DHCP module terminates DHCP protocol messages; the PPP module terminates PPP protocol messages; and the Auto config module terminates stateless address configuration protocol messages.
The A3S constructs an account and password for non-authenticated access modes (for example, dedicated-line access) and forwards the constructed account and password, or directly forwards the account and password of an authenticated access mode sent by the user side; after authentication passes, it forwards address allocation information and charging information.
Within the proxy module, the authentication proxy module constructs an authentication request message from the location information and/or media access control (MAC) address of the access device and from the account and password constructed by the A3S; the address allocation proxy module constructs an address allocation request message from the location information and/or MAC address of the access device; and the charging proxy module constructs a charging request message from the location information and/or MAC address of the access device.
Within the function server, the authentication module authenticates the authentication request information sent by the authentication proxy module; the address allocation module allocates IP addresses to access devices that pass authentication; and the accounting module charges for services.
The address allocation module may also be placed in the BRAS, with its connections and function unchanged.
The method of the invention uses the above system: by constructing authentication information in the system for non-authenticated access modes, it normalizes non-authenticated access into authenticated access. The flow of the method is shown in Figure 4 and comprises the following steps:
S1, the access device sends an access request message to the broadband access server (BRAS) using an authenticated or non-authenticated access mode;
S2, the BRAS determines how the access request message was initiated; if it was initiated in an authenticated access mode, go to step S5;
S3, if the BRAS determines that the access request message was initiated in a non-authenticated access mode, the BRAS constructs authentication information for it from the location information of the access device;
S4, the BRAS sends an authentication request message carrying the authentication information to the function server;
S5, the function server authenticates the user;
S6, if the user has access permission, go to step S7; otherwise, inform the user of the reason for the access failure;
S7, the function server allocates an IP address to the access device;
S8, the BRAS completes the access operation.
The concrete implementation steps of the method are described below through examples of two non-authenticated access modes.
Example 1: authenticating the DHCP access mode and granting access.
The access device initiates an access request using DHCP version 4 or version 6 (v4/v6), and the access request message is bridged to the BRAS through the RTU and the Multiplexer or DSLAM.
The protocol termination module in the BRAS examines the protocol format of the access request message and determines that it was initiated with DHCP v4/v6. It then passes the message to the DHCP module inside the protocol termination module, which terminates the user's DHCP protocol message. Once this is done, the processed access request message is sent to the A3S module in order to apply to the system for an IP address.
The A3S sends a confirmation message to the system to confirm whether a corresponding address allocation server and authentication server have been configured under the interface where the access device is located. Once these are confirmed to be configured, the A3S takes the location information from the access request message sent by the access device, or has the BRAS send a query request to the DSLAM where the access device is located to obtain it, and uses it to construct the authentication information. That is, it constructs the account from the DSLAM port number and BRAS port number where the access device is located, and the password from the BRAS port number. The DSLAM port number comprises the device number of the DSLAM and the user access port number (for example, the asymmetric digital subscriber line (ADSL) port number); the BRAS port number comprises the device number of the BRAS and the user access port number (for example, the physical port number or the virtual LAN (VLAN) identifier). The account and password may also be constructed from the DSLAM port number where the access device is located and/or the MAC address of the access device, or from the BRAS port number and/or the IP address of the interface.
After constructing the authentication information (password, account and so on) for the access device, the A3S sends it to the authentication proxy module. The authentication proxy module constructs an authentication request message from the location information and/or MAC address of the access device and from the account and password constructed by the A3S, and sends the authentication request message to the authentication module.
On receiving the authentication request message, the authentication module parses out the account and password of the access device and authenticates them. The authentication module records the user's information, issues the corresponding policy, and returns the authentication result to the A3S through the authentication proxy module. If the A3S finds that the user failed authentication, it directly returns to the access device a message that no corresponding server can be found; otherwise, the A3S informs the address allocation proxy module that authentication passed.
After receiving the message that authentication passed, the address allocation proxy module constructs an address allocation request message from the location information and/or MAC address of the access device and sends it to the address allocation module. The location information comprises the port number of the digital subscriber line access multiplexer (DSLAM) where the access device is located and the BRAS port number.
The address allocation module allocates to the device, according to the user's port information and MAC address, the IP address corresponding to it and the corresponding lease period, and establishes the binding between the MAC address, the port information and the IP address. The allocated IP address and lease period are then returned to the A3S through the address allocation proxy module.
Using the IP address obtained, the A3S establishes the mapping between the IP address and the policy issued for this user. It then notifies the user through the DHCP module that the address was allocated successfully, and the BRAS completes the subsequent access operations. The flow ends here.
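Steps S1 to S8 and Example 1 carried through in code, as an added example that is not the patent's or any vendor's implementation: the A3S builds credentials from the line's DSLAM and BRAS port numbers for DHCP and auto-configuration requests, passes PPPoE credentials through unchanged, and the address module binds one IP address to each (MAC, port information) pair. The class names, the credential string layout, the function server's account table and the 192.0.2.0/29 pool are assumptions.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Location:
    """Line identity: DSLAM device/port number and BRAS device/port number."""
    dslam_id: str
    dslam_port: str
    bras_id: str
    bras_port: str


@dataclass(frozen=True)
class AccessRequest:
    method: str                      # "pppoe", "dhcp" or "autoconfig"
    mac: str
    location: Location               # from the request or a DSLAM query
    account: Optional[str] = None    # supplied only by dial-up (PPPoE) clients
    password: Optional[str] = None


@dataclass(frozen=True)
class AccessResult:
    allowed: bool
    ip: Optional[str] = None
    reason: str = ""


def build_credentials(loc: Location) -> Tuple[str, str]:
    """S3: account from DSLAM + BRAS port numbers, password from BRAS port number.
    The string layout is an assumption; the page names only the inputs."""
    account = f"{loc.dslam_id}:{loc.dslam_port}@{loc.bras_id}:{loc.bras_port}"
    password = f"{loc.bras_id}:{loc.bras_port}"
    return account, password


class FunctionServer:
    """Authentication module plus address allocation module (hypothetical API)."""

    def __init__(self, accounts: Dict[str, str], pool_cidr: str):
        self._accounts = dict(accounts)
        self._free = list(ipaddress.ip_network(pool_cidr).hosts())
        self._bindings = {}          # (mac, Location) -> allocated IP

    def authenticate(self, account: str, password: str) -> bool:
        expected = self._accounts.get(account)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

    def allocate(self, mac: str, loc: Location) -> str:
        """Bind (MAC, port information) to one IP so the device gets it every time."""
        key = (mac.lower(), loc)
        if key not in self._bindings:
            if not self._free:
                raise RuntimeError("address pool exhausted")
            self._bindings[key] = self._free.pop(0)
        return str(self._bindings[key])


class A3S:
    """Scheduling module between protocol termination and the proxy modules."""

    def __init__(self, server: FunctionServer):
        self.server = server

    def handle(self, req: AccessRequest) -> AccessResult:
        if req.method == "pppoe":                      # S2: authenticated mode
            account, password = req.account or "", req.password or ""
        elif req.method in ("dhcp", "autoconfig"):     # S3: construct credentials
            account, password = build_credentials(req.location)
        else:
            return AccessResult(False, reason="unsupported access method")
        if not self.server.authenticate(account, password):     # S4 to S6
            # Example 1: a failed DHCP client is told no server could be found.
            reason = "no corresponding server found" if req.method == "dhcp" else "authentication failed"
            return AccessResult(False, reason=reason)
        return AccessResult(True, self.server.allocate(req.mac, req.location))  # S7, S8


def demo() -> Dict[str, AccessResult]:
    # Constructed sample data: one provisioned line and one PPPoE subscriber.
    line = Location("dslam7", "adsl-0/3/12", "bras1", "ge-1/0/2.100")
    other = Location("dslam7", "adsl-0/3/13", "bras1", "ge-1/0/2.101")
    acct, pwd = build_credentials(line)
    a3s = A3S(FunctionServer({acct: pwd, "alice": "s3cret"}, "192.0.2.0/29"))
    return {
        "phone": a3s.handle(AccessRequest("dhcp", "00:11:22:33:44:55", line)),
        "phone_again": a3s.handle(AccessRequest("dhcp", "00:11:22:33:44:55", line)),
        "stb": a3s.handle(AccessRequest("autoconfig", "00:11:22:33:44:66", line)),
        "unprovisioned": a3s.handle(AccessRequest("dhcp", "00:11:22:33:44:77", other)),
        "pppoe_bad": a3s.handle(AccessRequest("pppoe", "00:11:22:33:44:88", line, "alice", "wrong")),
    }


if __name__ == "__main__":
    print(demo())
```

Because the constructed account and password are derived entirely from port numbers, anyone who knows the numbering can reproduce them; the check only means something when the BRAS takes the location from the line the request arrived on.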
Example 2: authentication and access for the automatic configuration access mode.
The automatic configuration mode was introduced in version 6 of the IP protocol (IPv6). This access mode is stateless, and with it an address is configured for the access device automatically. The flow is as follows:
The access device itself creates an IP address in the link-local network segment of its interface, then sends a link detection message to the system to detect whether the created address is a duplicate address. After receiving this duplicate address detection (DAD) message, the protocol termination module in the BRAS passes it to the automatic configuration module; once it is confirmed that the address currently has no conflict, the protocol termination module initiates an authentication request to the A3S.
The A3S sends a confirmation message to the system to confirm whether a corresponding address allocation server and authentication server have been configured under the interface where the access device is located. After confirming that these devices are configured, the A3S constructs authentication information from the location information in the access request message sent by the access device, or from location information that the BRAS obtains by sending a query request to the DSLAM where the access device is located. That is, the account is constructed from the DSLAM port number and the BRAS port number of the access device, and the password is constructed from the BRAS port number. Alternatively, other location information may be used to construct the authentication information.
After authentication information such as the password and account has been constructed for the access device, the A3S sends it to the authentication proxy module. The authentication proxy module constructs an authentication request message from the location information and/or media access control (MAC) address of the access device, together with the account and password constructed by the A3S, and sends the authentication request message to the authentication module.
After the authentication module receives this authentication request message, it parses out the account and password of the access device and authenticates this authentication information. The authentication module records the user's corresponding information, issues the corresponding policy at the same time, and feeds the authentication result back to the A3S through the authentication proxy module. If the A3S determines that user authentication has failed, it directly returns to the access device a message that the access device cannot use this address or that the address is a duplicate; otherwise, the A3S informs the address assignment proxy module that authentication has passed and that the created address is not a duplicate.
The address assignment proxy module constructs an address assignment request message according to the location information and/or MAC address of the access device and sends it to the address assignment module. The location information comprises: the port number of the digital subscriber line access multiplexer (DSLAM) to which the access device is attached, and the BRAS port number.
According to the user's port information and MAC address, the address assignment module assigns to the access device the link-local IP address that the device created itself, with a corresponding lease time, and establishes the binding among the MAC address, the port information and this IP address. The allocated IP address and lease time are then fed back to the A3S through the address assignment proxy module. Link-local access is thereby complete.
The A3S then applies to the address assignment proxy module for the global address network segment information corresponding to the interface where the access device is located. The authentication and access procedure is the same as the flow above. After the global address network segment information is obtained, the BRAS completes the subsequent access operations. The flow ends here.
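The location-derived credential, allocation and binding steps shared by Examples 1 and 2 can be traced in a small simulation. This is an added illustration, not code from the patent; the class names, the account/password string layout and the sample addresses are assumptions, since the text names only the inputs (DSLAM port number, BRAS port number, MAC address).

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Location:
    """Attachment point of an access device: DSLAM device/port and BRAS device/port."""
    dslam_id: str
    dslam_port: int
    bras_id: str
    bras_port: int

def construct_credentials(loc):
    """A3S step: account from DSLAM port number + BRAS port number, password
    from BRAS port number. The string layout is an assumption of this example."""
    bras = f"{loc.bras_id}/{loc.bras_port}"
    return f"{loc.dslam_id}/{loc.dslam_port}@{bras}", bras

class AuthModule:
    """Stand-in for the authentication module on the function server."""
    def __init__(self, provisioned):
        self.provisioned = dict(provisioned)  # account -> (password, policy)

    def authenticate(self, account, password):
        """Return the policy to issue, or None when authentication fails."""
        entry = self.provisioned.get(account)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        return entry[1]

class AddressModule:
    """Stand-in for the address assignment module: allocates and binds."""
    def __init__(self, cidr, lease_seconds=3600):
        self.free = iter(ipaddress.ip_network(cidr).hosts())
        self.lease_seconds = lease_seconds
        self.bindings = {}  # (mac, location) -> ip

    def allocate(self, mac, loc):
        key = (mac.lower(), loc)
        if key not in self.bindings:  # a repeated request keeps the binding
            self.bindings[key] = next(self.free)
        return self.bindings[key], self.lease_seconds

class A3S:
    """Scheduling module: constructs credentials, then relays the results."""
    def __init__(self, auth, addr):
        self.auth, self.addr = auth, addr
        self.policy_by_ip = {}  # IP-to-policy mapping kept after allocation

    def handle_access(self, mac, loc):
        account, password = construct_credentials(loc)
        policy = self.auth.authenticate(account, password)
        if policy is None:
            return None  # device is told no server was found; no address issued
        ip, lease = self.addr.allocate(mac, loc)
        self.policy_by_ip[str(ip)] = policy
        return {"account": account, "ip": str(ip), "lease": lease, "policy": policy}

def demo():
    """Constructed sample: one provisioned line, then the same MAC on another port."""
    line = Location("dslam-7", 12, "bras-1", 3)
    account, password = construct_credentials(line)
    a3s = A3S(AuthModule({account: (password, "residential")}),
              AddressModule("192.0.2.0/29"))
    mac = "00:11:22:33:44:55"
    first = a3s.handle_access(mac, line)
    renewed = a3s.handle_access(mac, line)
    moved = a3s.handle_access(mac, Location("dslam-7", 13, "bras-1", 3))
    return first, renewed, moved, a3s

if __name__ == "__main__":
    for result in demo()[:3]:
        print(result)
```

Because both account and password are derived from port numbers, the credential identifies the line rather than proving knowledge of a secret, so the check is only as trustworthy as the port information reported by the BRAS and DSLAM.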
To achieve the effect of unifying the non-authenticating access modes with the authenticating access modes, access modes that require authentication can likewise be implemented with the authentication access system of the present invention.
Example 3: point-to-point (PPP) access.
a. The access device applies for network access using the PPPoE protocol. The access request message is bridged to the BRAS device through the RTU and the multiplexer. The protocol termination module in the BRAS device determines the protocol format of the access request message and concludes that the message was initiated with the PPPoE protocol. It then passes the message to the PPP protocol module inside the protocol termination module, which terminates the PPPoE protocol and creates the corresponding virtual link. The access device is then notified to initiate an authentication request over the virtual link. If the access device accesses the network using the Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA), the flow jumps directly to step b;
b. The PPP protocol module extracts the account and password entered by the user from the request message and sends them to the A3S. In this case the A3S no longer constructs authentication information for the access device, but sends the authentication information entered by the user directly to the authentication proxy module. The authentication proxy module constructs an authentication request message from this authentication information and the location information, and sends it to the authentication module.
When the authentication module responds that authentication has failed, the A3S notifies the PPP protocol module to initiate a link termination request to the access device and to remove the corresponding virtual connection; otherwise, the A3S notifies the PPP protocol module to initiate an address assignment request to the access device, and applies to the address assignment proxy module for a corresponding IP address.
The subsequent handling for allocating and binding the IP address is the same as in the DHCP access mode. After the A3S has obtained the allocated IP address: if the access request was initiated by a PPPv4 user, the A3S feeds the corresponding IP address back to the PPP protocol module; if the access request was initiated by a PPPv6 user, the IP address prefix pre-configured on the interface where the user is located is returned to the access device, and the IP address prefix of this virtual link is saved. When the user starts automatic address configuration, the user side automatically returns the corresponding IP address prefix to the system, so that the access device obtains its actual IP address.
Based on the above system and authentication access method, the charging step begins after an IP address has been allocated to the access device. Three examples, corresponding to the authentication access methods above, are described below.
Example 1-1: the charging method for the DHCP access mode.
After IP address allocation is complete, the DHCP protocol module in the protocol termination module waits for an ARP or ND message sent by this user.
When the access device goes online using the allocated IP address and the DHCP module receives such a message, the DHCP module judges that the user has come online and reports this to the A3S module. The A3S module then initiates a charging start request to the accounting module through the charging proxy module, and charging for this user begins.
After charging begins, the DHCP protocol module checks at fixed intervals whether an ARP or ND message from this user exists. When the DHCP protocol module detects that the ARP or ND neighbour of the access device is in the "absent" state, it judges that the user has gone offline and reports this to the A3S module. The A3S then sends a charging stop request to the accounting module through the charging proxy module, and charging for this user ends.
Example 2-1: the charging method for the automatic configuration access mode.
After IP address allocation is complete, the automatic configuration module in the protocol termination module waits for the global link IP address information sent by this access device.
When the access device goes online using the allocated IP address and the automatic configuration module detects this user's global link IP address information, it judges that the user has come online and reports this to the A3S module. The A3S module then initiates a charging start request to the accounting module through the charging proxy module, and charging for this user begins.
After charging begins, the automatic configuration module checks at fixed intervals whether the global link IP address exists. When the automatic configuration module detects that the global link IP address of the access device is in the "absent" state, it judges that the user has gone offline and reports this to the A3S module. The A3S then sends a charging stop request to the accounting module through the charging proxy module, and charging for this user ends.
Example 3-1: the charging method for the point-to-point (PPP) access mode is the same as the flow of the two charging method examples above.
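The presence-driven charging in Examples 1-1 and 2-1 behaves like a small state machine, sketched below as an added illustration that is not part of the patent. The class names, the sample timeline and the rule that "absent" means no ARP/ND message within the last check interval are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Session:
    account: str
    started: float
    last_seen: float

class ChargingProxy:
    """Records the start/stop requests the A3S forwards to the accounting module."""
    def __init__(self):
        self.requests = []

    def send(self, kind, account, t):
        self.requests.append((kind, account, t))

class PresenceMonitor:
    """Protocol-module side: watches ARP/ND traffic for allocated addresses."""
    def __init__(self, proxy, interval):
        self.proxy, self.interval = proxy, interval
        self.allocated = {}  # ip -> account, set when allocation completes
        self.online = {}     # ip -> Session

    def address_allocated(self, ip, account):
        self.allocated[ip] = account

    def on_neighbor_message(self, ip, t):
        """ARP or ND message seen from `ip` at time t (seconds)."""
        account = self.allocated.get(ip)
        if account is None:
            return False  # no authenticated allocation: never starts charging
        session = self.online.get(ip)
        if session is None:  # first message: the user has come online
            self.online[ip] = Session(account, t, t)
            self.proxy.send("start", account, t)
        else:
            session.last_seen = t
        return True

    def periodic_check(self, t):
        """Assumed 'absent' rule: no ARP/ND message within the last interval."""
        gone = [ip for ip, s in self.online.items()
                if t - s.last_seen > self.interval]
        for ip in gone:
            self.proxy.send("stop", self.online.pop(ip).account, t)
        return gone

def charged_seconds(requests, account):
    """Sum stop-minus-start over the recorded requests for one account."""
    total, start = 0.0, None
    for kind, acct, t in requests:
        if acct != account:
            continue
        if kind == "start":
            start = t
        elif kind == "stop" and start is not None:
            total, start = total + (t - start), None
    return total

def demo():
    """Constructed timeline: messages at 10, 40, 70 s; checks every 60 s."""
    proxy = ChargingProxy()
    mon = PresenceMonitor(proxy, interval=60)
    mon.address_allocated("192.0.2.1", "dslam-7/12@bras-1/3")
    stray = mon.on_neighbor_message("192.0.2.9", 5)  # address never allocated
    events = [("msg", 10), ("msg", 40), ("check", 60), ("msg", 70),
              ("check", 120), ("check", 180)]
    for kind, t in events:
        if kind == "msg":
            mon.on_neighbor_message("192.0.2.1", t)
        else:
            mon.periodic_check(t)
    return stray, proxy.requests
```

In this timeline the device is last seen at 70 s but charging stops at the 180 s check, so the check interval bounds how long a departed user keeps being charged.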
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (17)

1. An authentication access system, comprising: a broadband access server (BRAS) connected to an access device, and a function server connected to the BRAS;
the BRAS comprising: a protocol termination module, used to receive and terminate the protocol messages sent by the access device; and a proxy module, used to construct request messages;
characterized in that the BRAS further comprises: a scheduling module (A3S), connected between the protocol termination module and the proxy module, used to construct authentication information for non-dial-up access modes and send it to the proxy module, and to forward address assignment information and charging information; or to forward the authentication information of dial-up access modes directly to the proxy module, and to forward address assignment information and charging information.
2. The system of claim 1, characterized in that the proxy module comprises: an authentication proxy module, an address assignment proxy module and a charging proxy module, each connected to the A3S;
the address assignment proxy module is used to construct an address assignment request message according to the location information of the access device;
the authentication proxy module is used to construct an authentication request message according to the location information of the access device and the authentication information;
the charging proxy module is used to construct a charging request message according to the location information of the access device and the authentication information.
3. The system of claim 2, characterized in that the function server comprises:
an authentication module, connected to the authentication proxy module, used to authenticate the authentication request message sent to it;
an address assignment module, connected to the address assignment proxy module, used to allocate IP addresses to access devices that have passed authentication;
an accounting module, connected to the charging proxy module, used to charge for services.
4. The system of claim 2, characterized in that the BRAS further comprises: an address assignment module connected to the address assignment proxy module, used to allocate IP addresses to access devices that have passed authentication.
5. The system of claim 4, characterized in that the function server comprises:
an authentication module, connected to the authentication proxy module, used to authenticate the authentication request message sent to it;
an accounting module, connected to the charging proxy module, used to charge for services.
6. The system of any one of claims 1 to 5, characterized in that the protocol termination module comprises:
a Dynamic Host Configuration Protocol (DHCP) module, used to terminate DHCP protocol messages;
a Point-to-Point Protocol (PPP) module, used to terminate PPP protocol messages;
an automatic configuration (Auto config) module, used to terminate stateless address configuration protocol messages.
7. An authentication access method, in which a broadband access server (BRAS) receives access request messages initiated by access devices in an authenticating access mode and in a non-authenticating access mode, and forwards access request messages initiated in the authenticating access mode directly to a function server for authentication; characterized in that, after the BRAS receives an access request message initiated in a non-authenticating access mode, it obtains the location information of the access device and constructs authentication information for it, and sends an authentication request message carrying this authentication information to the function server; the function server authenticates the user, and the BRAS determines according to the authentication result whether to allow the user access.
8. The method of claim 7, characterized in that the non-authenticating access mode is the dynamic host configuration access mode or the automatic configuration access mode; and the authenticating access mode is the point-to-point access mode.
9. The method of claim 8, characterized in that the location information of the access device is obtained from the access request message sent by the access device, or is obtained by the BRAS sending a query request to the digital subscriber line access multiplexer (DSLAM) where the access device is located.
10. The method of claim 9, characterized in that the authentication information constructed by the BRAS comprises: an account and/or a password.
11. The method of claim 10, characterized in that the account is constructed from the port number of the DSLAM where the access device is located and the BRAS port number, and the password is constructed from the BRAS port number; or the account and password are constructed from the DSLAM port number where the access device is located and/or the media access control (MAC) address of the access device; or the password is constructed from the BRAS port number and/or the IP address of the interface.
12. The method of claim 11, characterized in that the DSLAM port number comprises: the device number of the DSLAM and the port number of the access device;
the BRAS port number comprises: the device number of the BRAS and the port number of the access device.
13. The method of claim 12, characterized in that, after authentication, the IP address allocated to the user is bound to the access device.
14. The method of claim 13, characterized in that the IP address is bound to the access device according to the port information of the BRAS and the MAC address of the access device; or the IP address is bound to the access device according to the DSLAM port number where the access device is located.
15. The method of claim 14, characterized in that, when the access device initiates the access request in a non-authenticating access mode, after an IP address has been allocated to the device, the method further comprises the following step:
when the BRAS receives an access message sent by the access device, charging for it begins.
16. The method of claim 15, characterized in that, after charging begins, the access information of the access device is checked periodically, and charging stops when the access information is not detected.
17. The method of claim 15 or 16, characterized in that the access information is the user's Address Resolution Protocol (ARP) message, Neighbor Discovery Protocol (ND) message, or the global link IP address applied for by the user.
CNB2005100801119A 2005-06-29 2005-06-29 Identification insertion system and identification inserting method thereof Expired - Fee Related CN100421403C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2005100801119A CN100421403C (en) 2005-06-29 2005-06-29 Identification insertion system and identification inserting method thereof
PCT/CN2006/001500 WO2007000120A1 (en) 2005-06-29 2006-06-29 An authentication access system, method and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100801119A CN100421403C (en) 2005-06-29 2005-06-29 Identification insertion system and identification inserting method thereof

Publications (2)

Publication Number Publication Date
CN1889484A true CN1889484A (en) 2007-01-03
CN100421403C CN100421403C (en) 2008-09-24

Family

ID=37578744

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100801119A Expired - Fee Related CN100421403C (en) 2005-06-29 2005-06-29 Identification insertion system and identification inserting method thereof

Country Status (2)

Country Link
CN (1) CN100421403C (en)
WO (1) WO2007000120A1 (en)

Also Published As

Publication number Publication date
WO2007000120A1 (en) 2007-01-04
CN100421403C (en) 2008-09-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080924

Termination date: 20150629

EXPY Termination of patent right or utility model