WO2007000120A1 - An authentication access system, method and server - Google Patents
- Publication number: WO2007000120A1 (PCT/CN2006/001500)
- Authority: WO (WIPO, PCT)
- Prior art keywords: access, authentication, module, address, information
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L12/00—Data switching networks; H04L12/02—Details; H04L12/14—Charging, metering or billing arrangements for data wireline or wireless communications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L61/00—Network arrangements, protocols or services for addressing or naming; H04L61/50—Address allocation
Definitions
- the present invention relates to an authentication access system and an authentication access method and server.
- the revenue of operators from broadband metropolitan area network services is not proportional to the number of network users.
- operators therefore continue to add new services to the network, so that network services reach all aspects of home network life and generate value-added benefits.
- such services include Voice over IP (VoIP), IP television (IPTV) and Internet games; they also drive the transition of home networks into a multi-service network environment.
- a home network of the prior art is shown in FIG. 1.
- the home network includes access devices that provide different services, such as a PC (Personal Computer) 111, a set top box (STB) 112, an IP phone 113 and an IP TV 114. The access devices are connected through a Remote Test Unit (RTU) or Routing Gateway 120, over an access technology such as a digital subscriber line (DSL) or a local Ethernet (LAN), to a Layer 2 multiplexer 130 such as a Digital Subscriber Line Access Multiplexer (DSLAM), and the multiplexer 130 extracts the Ethernet packets from the access medium.
- the packets are transparently transmitted to the broadband remote access server (BRAS) 140 through the multiplexer's asynchronous transfer mode (ATM) or Ethernet uplink interface.
- the BRAS 140 performs link termination and provides Internet access and other value-added services for the access devices.
- IP phones must stay online, so they usually use a private line access method such as DHCP (Dynamic Host Configuration Protocol); IPTV does not need to stay online and only goes online when the user is watching, so it can use dial-up access, or a hybrid of dial-up and private line access.
- when the IP phone and the IPTV belong to the same user, they can only be charged separately according to their different access modes (for example, the IP phone uses monthly charging while the IPTV uses traffic accounting); it is impossible to apply a variety of billing policies within unified billing management for this user.
- because the access modes of the access devices differ, the charging devices in the network cannot perform unified charging management for the various access devices present in the network.
- the access authentication methods of the various access devices therefore need to be unified, that is, the non-authenticated access modes must be converted into authenticated access, after which unified management and charging can be performed.
- the authentication access process of the Point-to-Point Protocol over Ethernet (PPPoE) dial-up access method is as follows:
- an access device 110 starts a dial-up terminal and initiates a PPPoE request; the request is routed through the home network or home gateway, and the multiplexer bridges it to the BRAS;
- the point-to-point protocol (PPP) version 4/6 module 141 of the BRAS 140 terminates the PPPoE message and creates a corresponding virtual link, notifying the dial-up client (not shown) to initiate authentication;
- the access device 110 sends the account number and password to the BRAS 140 through the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP);
- after the PPP protocol version 4/6 module 141 of the BRAS 140 receives the account number and password sent by the client, it passes them to the proxy server 142, which constructs an authentication request accordingly and sends it to the function server 150 for authentication;
- the proxy server 142 notifies the dial-up client, through the PPP protocol version 4/6 module 141, to apply for an IP address;
- the access device 110 applies to the BRAS 140 for an IP address;
- after receiving the address allocation request, the PPP protocol version 4/6 module 141 of the BRAS 140 requests an IP address from the proxy server 142; the proxy server 142 generally assigns the address dynamically from a shared address pool, or statically as specified and delivered by the function server 150, and assigns the IP address to the dialing client;
- the PPP protocol version 4/6 module 141 informs the access device 110 of the IP address it has been assigned;
- the access device 110 uses the IP address to access the network through the virtual link.
- the non-authenticated access modes used in the prior art mainly include a DHCP access mode and an automatic address configuration access mode.
- the access process of the DHCP access mode is as follows:
- after the user starts the PC, the PC automatically enables its Dynamic Host Configuration Protocol client (DHCP Client) function and starts to apply for an IP address.
- the DHCP client sends a discovery message (DHCP DISCOVER) on the interface link where the network card (NIC) is located to find an available DHCP server (DHCP Server).
- after the BRAS detects the DHCP DISCOVER packet, it forwards the packet to the DHCP server using its internal forwarding function (DHCP Relay).
- after receiving the message, the DHCP server confirms that the PC can be assigned an IP address and responds with a confirmation message.
- the confirmation message is forwarded to the DHCP client of the PC through the BRAS. At this point the PC has found an available DHCP Server.
- the DHCP client sends a request to the DHCP server, through the BRAS, to allocate an IP address. After receiving the request, the DHCP server allocates an IP address and related network parameters to the PC, and sends a response packet to the user through the BRAS. Thereafter, the user PC accesses the network using the obtained IP address and associated network parameters.
- the access process of the automatic address configuration access mode is as follows:
- after the user starts the access device, the access device automatically starts the automatic address configuration function of the IPv6 protocol.
- the access device detects whether any other node on the link already has the same interface ID as its own network interface; the interface ID of the interface is derived from the MAC address of the network card of the access device.
- the prior art provides an authentication access method based on Internet web page (WEB) authentication technology for private line access modes such as DHCP. The process is as follows:
- the steps up to the request for IP address assignment sent to the BRAS are the same as in the non-authenticated access method described above.
- before the BRAS receives notification that the user has passed WEB authentication, it does not allow the user to use the network: it discards all of the user's packets other than Hypertext Transfer Protocol (HTTP) messages, and redirects the HTTP packets to the WEB server.
- the WEB Server forcibly sends an authentication page to the user. After receiving the authentication page, the user manually enters a pre-assigned account number and password in the web page and sends an HTTP-based authentication request to the BRAS, which forwards the authentication request to the WEB Server.
- the WEB Server sends the user's account and password to the authentication server for authentication. Once the authentication server has determined the result, it notifies the WEB Server. If authentication passes, the WEB Server notifies the BRAS that the user may use the network normally and forcibly sends an authentication-passed page to the user, prompting the user to access the Internet normally. Otherwise, it informs the user that authentication failed.
- the purpose of this is to unify the non-authenticated access mode into the authenticated access mode by using WEB authentication technology, thereby achieving unified charging and management for devices with different access modes.
- however, this method requires a processing module for WEB technology in the BRAS, and WEB devices such as the WEB Server must be added to cooperate with the BRAS and the authentication server in order to provide the authentication function for the non-authenticated access mode.
- moreover, non-PC terminals are required to support the HTTP protocol, the Hypertext Transfer Protocol Secure (HTTPS) protocol and the WEB authentication protocol.
- WEB authentication technology requires pre-allocation of accounts and passwords, but information appliances based on the IPv6 protocol need to be plug-and-play, so this method cannot be implemented for terminal devices that do not integrate multiple protocols and/or require plug-and-play.
- furthermore, WEB authentication technology cannot bind the user's IP address to the access location, which is vulnerable to attack in the actual working environment.
- the present invention provides an authentication access system, an authentication access method, and a server, which can conveniently implement authentication access of a client supporting a non-authenticated access mode.
- an authentication access system includes: a broadband access server BRAS connected to an access device, and a function server connected to the BRAS;
- the BRAS includes a protocol termination module, configured to receive and terminate protocol packets sent by the access device, and a proxy module, configured to construct request messages; the BRAS further includes a scheduling module A3S, connected between the protocol termination module and the proxy module, configured to construct authentication information for the non-dial access mode and send it to the proxy module, and to forward address allocation information and charging information; or to forward the authentication information of the dial access mode directly to the proxy module, and to forward the address allocation information and charging information.
- the proxy module includes an authentication proxy module, an address allocation proxy module and a charging proxy module, each connected to the A3S; the address allocation proxy module is configured to construct an address allocation request message according to the location information of the access device; the authentication proxy module is configured to construct an authentication request message according to the location information of the access device and the authentication information; the charging proxy module is configured to construct a charging request message according to the location information of the access device and the authentication information.
- the function server includes an authentication module, connected to the authentication proxy module and configured to authenticate the authentication request message sent to it; an address allocation module, connected to the address allocation proxy module, for allocating an IP address to the authenticated access device; and a charging module, connected to the charging proxy module, for charging the service.
- the protocol termination module includes a dynamic host configuration protocol (DHCP) module, used to terminate DHCP protocol packets; a point-to-point protocol (PPP) module, used to terminate PPP protocol packets; and an auto configuration (Auto config) module, used to terminate the protocol packets of stateless address configuration.
- an access request message initiated by an access device in either the authenticated access mode or the non-authenticated access mode is received by the broadband access server (BRAS); an access request message initiated in the authenticated access mode is forwarded directly to the function server for authentication.
- for the non-authenticated access mode, the BRAS obtains the location information of the access device to construct authentication information, and sends an authentication request message carrying the authentication information to the function server, which authenticates it; the BRAS then determines whether the user is allowed access according to the authentication result.
- the non-authenticated access mode is a dynamic host configuration (DHCP) access mode or an automatic configuration access mode; the authenticated access mode is a point-to-point (PPP) access mode.
- the location information of the access device is obtained from the access request message sent by the access device, or by the BRAS sending a query request to the digital subscriber line multiplexer (DSLAM) where the access device is located.
- the authentication information constructed by the BRAS includes an account number and/or a password.
- the account is constructed according to the DSLAM port number and the BRAS port number where the access device is located, and the password is constructed according to the BRAS port number; or the account and password are constructed according to the DSLAM port number where the access device is located and/or the media access control (MAC) address of the access device; or the password is constructed according to the BRAS port number and/or the IP address of the interface.
- the DSLAM port number includes a device number of the DSLAM and the port number of the access device;
- the BRAS port number includes a device number of the BRAS and the port number of the access device.
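The construction rules just listed (account from DSLAM port number plus BRAS port number, password from the BRAS port number, and the MAC-address and interface-IP variants), which Example 1 of the description applies again, as an added Python example that is not the patent's own code. The device-number formats, the separators, the sample devices and the way the optional MAC and interface-IP variants are combined are assumptions made for this example; a real BRAS would take these values from its line-card tables or from a DSLAM query.

```python
"""Constructing authentication information from access-location data.

Added example for the construction rules in the claims above; it is not code from
the patent.  Device-number formats, separators, the sample devices and the way the
optional MAC / interface-IP variants are combined are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class DslamPort:
    device_no: str              # DSLAM device number (assumed format, e.g. "DSLAM-0017")
    port_no: int                # subscriber access port on the DSLAM (e.g. an ADSL port)


@dataclass(frozen=True)
class BrasPort:
    device_no: str              # BRAS device number (assumed format, e.g. "BRAS-01")
    port_no: int                # physical port on the BRAS
    vlan_id: Optional[int] = None   # VLAN identifier when the access arrives tagged


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so one network card always yields one string."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


def dslam_port_number(dslam: DslamPort) -> str:
    """DSLAM port number = DSLAM device number + access port number."""
    return f"{dslam.device_no}/{dslam.port_no}"


def bras_port_number(bras: BrasPort) -> str:
    """BRAS port number = BRAS device number + access port (+ VLAN id, if any)."""
    vlan = f".{bras.vlan_id}" if bras.vlan_id is not None else ""
    return f"{bras.device_no}/{bras.port_no}{vlan}"


def build_auth_info(dslam: Optional[DslamPort], bras: BrasPort,
                    mac: Optional[str] = None,
                    interface_ip: Optional[str] = None) -> Tuple[str, str]:
    """Return (account, password) for one access device.

    Rule A (default):            account = DSLAM port + BRAS port, password = BRAS port.
    Rule B (mac given):          account and password from DSLAM port and/or MAC.
    Rule C (interface_ip given): password = BRAS port + interface IP (account as in A).
    """
    if mac is not None:
        mac = normalize_mac(mac)
        account = f"{dslam_port_number(dslam)}@{mac}" if dslam is not None else mac
        return account, mac
    if dslam is None:
        raise ValueError("rule A needs the DSLAM port number; give mac= for rule B")
    account = f"{dslam_port_number(dslam)}@{bras_port_number(bras)}"
    password = bras_port_number(bras)
    if interface_ip is not None:
        password = f"{password}@{interface_ip}"
    return account, password


def accounts_are_unique(devices: Iterable[Tuple[DslamPort, BrasPort]]) -> bool:
    """Global-uniqueness check: distinct access ports must yield distinct accounts."""
    accounts = [build_auth_info(dslam, bras)[0] for dslam, bras in devices]
    return len(accounts) == len(set(accounts))


# Constructed sample: three subscriber lines, two of them behind the same BRAS port/VLAN.
SAMPLE_DEVICES = [
    (DslamPort("DSLAM-0017", 3), BrasPort("BRAS-01", 2, 100)),
    (DslamPort("DSLAM-0017", 4), BrasPort("BRAS-01", 2, 100)),
    (DslamPort("DSLAM-0018", 3), BrasPort("BRAS-01", 2, 101)),
]

if __name__ == "__main__":
    for dslam, bras in SAMPLE_DEVICES:
        print(build_auth_info(dslam, bras))
    print("unique accounts:", accounts_are_unique(SAMPLE_DEVICES))
```

Under rule A the first two sample lines share a password (both sit on BRAS-01/2.100); it is the DSLAM port carried in the account that makes each credential globally unique. Note also that the credential contains nothing the device itself knows: its assurance comes from the BRAS trusting the port and DSLAM information it obtained from the request or from its own DSLAM query, which is exactly the binding of address to access location that the description contrasts with WEB authentication.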
- the IP address assigned to the user is bound to the access device: the IP address is bound to the access device according to the port information of the BRAS and the MAC address of the access device, or according to the DSLAM port number where the access device is located.
- after the access device has initiated the access request using the non-authenticated access mode and has been assigned an IP address, the following steps are also performed: after receiving an access packet sent by the access device, the BRAS starts charging for the access. After charging has started, the access information of the access device is detected periodically, and when no access information is detected, charging is terminated.
- the access information is an address resolution protocol (ARP) packet, a neighbor discovery protocol (ND) packet, or a global link IP address applied for by the user.
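The charging rule above (start on the first access packet, detect access information periodically, terminate when none is seen), as an added Python example that is not the patent's own code. The detection period, the number of empty periods tolerated before termination, and the packet trace are constructed assumptions; a BRAS would drive the ticks from its own timer and the packets from the line card.

```python
"""Charging driven by periodic detection of access information.

Added example for the charging rule in the description; it is not code from the
patent.  Charging starts when the BRAS sees the first access packet from the
device and is terminated once the periodic check finds no access information
(ARP packet, ND packet or global-address request).  The detection period, the
miss threshold and the packet trace are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

ACCESS_INFO_KINDS = {"ARP", "ND", "GLOBAL_ADDR_REQUEST"}


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds (constructed trace)
    kind: str       # "DATA" or one of ACCESS_INFO_KINDS
    src_mac: str    # MAC address the packet arrived from


@dataclass
class ChargingSession:
    mac: str                            # MAC bound to this session's IP address
    period: float = 60.0                # detection interval in seconds (assumed)
    max_misses: int = 3                 # empty periods tolerated before termination (assumed)
    start: Optional[float] = None
    stop: Optional[float] = None
    last_seen: Optional[float] = None   # time of the last access-information packet from `mac`
    last_tick: float = 0.0
    misses: int = 0
    events: List[str] = field(default_factory=list)

    @property
    def active(self) -> bool:
        return self.start is not None and self.stop is None

    def on_packet(self, pkt: Packet) -> None:
        """Any access packet starts charging; only access information keeps it alive."""
        if pkt.src_mac != self.mac or self.stop is not None:
            return                      # another station, or session already terminated
        if self.start is None:
            self.start = pkt.t
            self.events.append(f"START {pkt.t:g}")
        if pkt.kind in ACCESS_INFO_KINDS:
            self.last_seen = pkt.t

    def on_tick(self, now: float) -> None:
        """Periodic detection, run by the BRAS timer once per period."""
        if not self.active:
            self.last_tick = now
            return
        seen_this_period = self.last_seen is not None and self.last_seen > self.last_tick
        self.misses = 0 if seen_this_period else self.misses + 1
        self.last_tick = now
        if self.misses >= self.max_misses:
            self.stop = now
            self.events.append(f"STOP {now:g}")

    def charged_seconds(self, now: float) -> float:
        """Chargeable time so far (or total, once the session has been terminated)."""
        if self.start is None:
            return 0.0
        return (self.stop if self.stop is not None else now) - self.start


def simulate(session: ChargingSession, packets: Iterable[Packet],
             ticks: Iterable[float]) -> ChargingSession:
    """Replay packets and timer ticks in time order (packets first on a tie)."""
    timeline = [(p.t, 0, i, p) for i, p in enumerate(packets)]
    timeline += [(t, 1, i, None) for i, t in enumerate(ticks)]
    for t, kind, _, p in sorted(timeline):
        if kind == 0:
            session.on_packet(p)
        else:
            session.on_tick(t)
    return session


# Constructed trace: the device exchanges ARP/ND for a while, then goes silent.
DEVICE_MAC = "00:1a:2b:3c:4d:5e"
TRACE = [
    Packet(5, "DATA", DEVICE_MAC),
    Packet(30, "ARP", DEVICE_MAC),
    Packet(90, "ND", DEVICE_MAC),
    Packet(150, "ARP", DEVICE_MAC),
    Packet(200, "ARP", "00:1a:2b:ff:ff:ff"),   # another station; must not keep this session alive
]
TICKS = [60, 120, 180, 240, 300, 360, 420]


def run_demo() -> ChargingSession:
    return simulate(ChargingSession(DEVICE_MAC), TRACE, TICKS)


if __name__ == "__main__":
    s = run_demo()
    print(s.events, "charged seconds:", s.charged_seconds(now=420))
```

With the constructed trace, charging starts at t=5, the checks at 60, 120 and 180 each find access information, the checks at 240, 300 and 360 find none, and the session is terminated at 360 for 355 chargeable seconds. The ARP packet from a different MAC at t=200 is ignored, so liveness is tied to the bound device rather than to the shared link.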
- a broadband access server includes: a protocol termination module, configured to receive and terminate protocol packets sent by the access device; a proxy module, configured to construct request messages; and a scheduling module A3S, connected between the protocol termination module and the proxy module, configured to construct authentication information for the non-dial access mode and send it to the proxy module, and to forward address allocation information and charging information; or to forward the authentication information of the dial access mode directly to the proxy module, and to forward the address allocation information and charging information.
- the proxy module includes: an authentication proxy module, an address assignment proxy module, and a charging proxy module, which are respectively connected to the A3S;
- the address allocation proxy module is configured to construct an address allocation request message according to the location information of the access device
- the authentication proxy module is configured to construct an authentication request message according to the location information of the access device and the authentication information;
- the charging proxy module is configured to construct a charging request message according to the location information of the access device and the authentication information.
- the broadband access server further includes: an address allocation module connected to the address assignment proxy module, configured to allocate an address for the authenticated access device.
- the protocol termination module includes:
- a DHCP module, used to terminate the protocol packets of the DHCP protocol;
- a PPP module, used to terminate PPP protocol packets;
- an Auto config module, used to terminate the protocol packets of stateless address configuration.
- the authentication access system of the present invention can construct authentication information for the non-authenticated access mode, so that the non-authenticated access mode is unified into the authenticated access mode. After access succeeds, accounting information is constructed from the authentication information in order to charge the access device.
- the problem that the access device must support multiple protocols is solved, and the difficulty of protocol configuration of the access device and the cost of the access device are reduced.
- a system using the present invention only needs to add a scheduling module, which reduces system cost.
- the invention does not need to allocate an account number and password in advance; instead the scheduling module automatically constructs a globally unique account and password according to the location information of the access device, so the invention is compatible with all IP devices and realizes plug-and-play.
- the invention unifies the address allocation of the various access modes in the address allocation module, which facilitates unified management and planning of addresses. Further, binding the device to its corresponding IP address according to the location information of the access device ensures that the device can apply for the same IP address each time, simplifying operation and reducing cost.
- the invention provides an effective supporting means for the long-term coexistence of the IPv4 protocol and the IPv6 protocol by separating the access mode and the authentication mode.
- a unified charging policy can be used for charging for various access modes, which facilitates implementing multiple charging policies in the system, so that operators can obtain greater benefits.
- FIG. 1 is a schematic diagram of a prior art home network
- FIG. 2 is a network diagram of a system for dial-up access in the prior art
- FIG. 3 is a networking diagram of an embodiment of a system of the present invention.
- FIG. 4 is a flow chart of an embodiment of a method of the present invention.
- the system can implement the authentication function for the non-authenticated access mode, so that the system does not need to support multiple protocols and can bind the IP address to the access location; to this end a scheduling module A3S is added to the access authentication system, which is used to construct the authentication information for the non-authenticated access mode, so that the non-authenticated access mode can be normalized into the authentication mode.
- the network of the authentication access system of the present invention is shown in FIG. 3.
- the system includes: a broadband access server (BRAS) 400 connected to the access device 300, and a function server 500 connected to the BRAS 400.
- the BRAS 400 includes: a protocol termination module 410 connected to the access device 300, which comprises a Dynamic Host Configuration Protocol (DHCP) module 411, a Point-to-Point Protocol (PPP) module 412, an Auto Config module 413 and modules for other protocols (not shown), wherein the automatic configuration module 413 may be a stateless automatic address configuration module based on the IPv6 protocol; a scheduling module A3S 420 connected to the protocol termination module 410; and a proxy module 430 connected to the A3S 420, which comprises an address assignment proxy module 431, an authentication proxy module 432 and a billing proxy module 433.
- the function server 500 includes an authentication module 520 connected to the authentication proxy module, an address assignment module 510 connected to the address assignment proxy module, and a billing module 530 connected to the billing proxy module.
- the BRAS 400 is configured to receive an access request message sent by the access device 300, and perform access processing on the request message.
- in the BRAS 400:
- the protocol termination module 410 is configured to receive and terminate the protocol packet from the access device 300.
- the DHCP module 411 is used to terminate the DHCP protocol packet;
- the PPP module 412 is used to terminate the PPP protocol packet; and
- the Auto config module 413 is used to terminate the protocol for the stateless address configuration.
- the A3S 420 is configured to construct an account and password for a non-authenticated access mode (for example, a private line access mode) and forward them, or to directly forward the account and password of the authenticated access mode sent by the user; and to forward address allocation information and billing information after authentication has passed.
- the authentication proxy module 432 inside the proxy module 430 is configured to construct an authentication request message according to the location information and/or the media access control (MAC) address of the access device, and the account and password constructed by the A3S 420;
- the address allocation proxy module 431 is configured to construct an address allocation request message according to the location information and/or the MAC address of the access device;
- the charging proxy module 433 is configured to construct an accounting request message according to the location information and/or the MAC address of the access device.
- the authentication module 520 is configured to authenticate the authentication request information sent by the authentication proxy module.
- the address allocation module 510 is configured to allocate an IP address to the authenticated access device, and the billing module 530 is used to charge for the service.
- the address allocation module described above can also be placed in the BRAS, with the connection relationships and functions unchanged.
- the broadband access server provided by this embodiment of the present invention can provide a unified authentication, address and charging mechanism for multiple access modes.
- the broadband access server constructs authentication messages and processes them, and performs the authentication process, address allocation and billing according to the authentication result.
- the broadband access server relays the authentication message, the address message and the charging message to the function server, where relaying means extracting the account and password from the authentication message of the dial mode, and forwarding the address and charging messages over the interface protocol of the function server.
- the A3S may be configured to act on the user's behalf in the authentication, based on the foregoing messages, when the user applies for an address or sends an address-overlap check message in a non-dial manner; after authentication and address assignment have succeeded, the A3S is responsible for collecting and reporting the corresponding charging information to the charging proxy module, for example constructing an accounting message for the charging events of the protocol termination module according to the charging policy delivered by the authentication module.
- the method of the present invention normalizes the non-authenticated access method into the authenticated access method by constructing authentication information for the non-authenticated access method in the system.
- the flow of the embodiment of the method of the present invention is shown in FIG. 4 and includes the following steps:
- the access device sends an access request message to the BRAS using an authenticated access mode or a non-authenticated access mode.
- the BRAS determines the manner in which the access request message was initiated: if it was initiated in the authenticated access mode, the flow proceeds to step S5; if it was initiated in the non-authenticated access mode, the flow proceeds to step S3;
- the BRAS constructs authentication information according to the location information of the access device.
- the BRAS sends an authentication request message carrying the authentication information to the function server.
- the function server authenticates the user; if the user has access permission, the flow proceeds to step S7; otherwise, it proceeds to step S6;
- the function server allocates an IP address to the access device.
- the BRAS completes the access work.
- Example 1: the DHCP access mode is authenticated and accessed.
- the access device initiates an access request using the DHCP version 4 or 6 (v4/v6) protocol, and the access request message is bridged to the BRAS device through the RTU and the multiplexer or DSLAM.
- the protocol termination module in the BRAS determines the protocol format of the access request message and concludes that the message was initiated by the DHCP v4/v6 protocol. The message is then passed to the DHCP module in the protocol termination module, which terminates the user's DHCP protocol packet. After this, the processed access request message is sent to the A3S module to apply for an IP address from the system.
- the A3S sends a confirmation message to the system to confirm whether a corresponding address allocation server and authentication server are configured on the interface where the access device is located. After confirming that they are, the A3S obtains the location information from the access request message sent by the access device, or the BRAS sends a query request to the DSLAM where the access device is located to obtain the location information of the access device, in order to construct the authentication information. That is, the account is constructed according to the DSLAM port number and the BRAS port number where the access device is located, and the password is constructed according to the BRAS port number.
- the DSLAM port number includes a DSLAM device number and a user access port number (for example, an asymmetric digital subscriber line (ADSL) port number);
- the BRAS port number includes a BRAS device number and a user access port number (for example, a physical port number or a virtual local area network identifier (VLAN ID)).
- the account number and password may also be constructed according to the DSLAM port number of the access device and/or the media access control address of the access device, or according to the BRAS port number and/or the IP address of the interface.
- after the A3S has constructed the authentication information, such as the password and account, for the access device, it sends the authentication information to the authentication proxy module, which constructs an authentication request message based on the location information and/or media access control address of the access device and the account and password constructed by the A3S, and sends the authentication request message to the authentication module.
- after receiving the authentication request message, the authentication module parses the account and password of the access device and authenticates the authentication information.
- the authentication module records the corresponding information of the user, issues the corresponding policy, and feeds the authentication result back to the A3S through the authentication proxy module. If the A3S confirms that user authentication failed, the information of the corresponding server is not returned to the access device; otherwise, the A3S informs the address allocation proxy module that authentication has passed.
- after receiving the authentication-passed message, the address allocation proxy module constructs an address allocation request message according to the location information and/or the MAC address of the access device, and sends the message to the address allocation module.
- the location information includes the port number of the digital subscriber line multiplexer where the access device is located and the BRAS port number.
- the address allocation module allocates a corresponding IP address and lease period to the device according to the port information and the MAC address of the user, and establishes a binding relationship between the MAC address, the port information and the IP address. Thereafter, the assigned IP address and the corresponding lease are fed back to the A3S through the address allocation proxy module.
- based on the obtained IP address, the A3S establishes a mapping relationship between the IP address and the delivered policy of the user. After that, the DHCP module notifies the user that address allocation succeeded, and the BRAS completes the subsequent access work. This is the end of the process.
- Example 2: authenticated access for the automatic configuration access mode.
- The automatic configuration mode was introduced with IP version 6. It is stateless: the access device configures an address for itself.
- The method is as follows. The access device creates an IP address on the link-local network segment to which its interface belongs, then sends a link detection message, Duplicate Address Detection (DAD), to the system to check whether the created address is already in use. On receiving the DAD message, the protocol termination module in the BRAS passes it to the automatic configuration module. After confirming that the address does not currently conflict, the protocol termination module sends an authentication request to the A3S.
- The A3S sends a confirmation message to the system to check whether an address allocation server and an authentication server are configured for the interface on which the access device is located. Once this is confirmed, the A3S obtains the location information of the access device, either from the access request message sent by the access device or by having the BRAS send a query to the DSLAM to which the access device is attached, and uses it to construct the authentication information: the account is built from the DSLAM port number and the BRAS port number where the access device is located, and the password is built from the BRAS port number. Other location information may also be used to construct the authentication information.
- After the A3S has constructed the authentication information (account and password) for the access device, it sends that information to the authentication proxy module. The authentication proxy module constructs an authentication request message from the location information and/or MAC address of the access device together with the account and password built by the A3S, and sends the request to the authentication module.
- On receiving the authentication request message, the authentication module parses the account and password of the access device and authenticates them. The authentication module records the user's information, issues the corresponding policy, and returns the authentication result to the A3S through the authentication proxy module. If the A3S learns that authentication failed, the access device is told directly that the address cannot be used or that it is a duplicate; otherwise the A3S informs the address allocation proxy module that authentication passed and that the created address does not overlap with an existing one.
- The address allocation proxy module constructs an address allocation request message from the location information and/or MAC address of the access device and sends it to the address allocation module.
- The location information consists of the port number of the digital subscriber line access multiplexer where the access device is located and the BRAS port number.
- The address allocation module allocates the link-local IP address created by the access device, together with a lease period, according to the user's port information and MAC address, and establishes a binding between the MAC address, the port information and the IP address. The assigned IP address and lease are then returned to the A3S through the address allocation proxy module. Link-local access is now complete.
- The A3S applies to the address allocation proxy module for the global address prefix (network segment) information corresponding to the interface where the access device is located.
- Authentication and access then proceed as described above.
- The BRAS completes the remaining access work. This ends the process.
- Access modes that already require authentication can also be implemented with the authentication access system of the present invention.
- Example 3: point-to-point access.
- The access device applies for network access using the PPPoE protocol.
- The access request message is bridged to the BRAS through the RTU and the multiplexer.
- The protocol termination module in the BRAS determines the protocol format of the access request and finds that it was initiated with PPPoE. The message is passed to the PPP protocol module inside the protocol termination module, which terminates PPPoE and creates a corresponding virtual link. The access device is then told to initiate an authentication request over the virtual link. If the access device accesses the network using the Point-to-Point Protocol over asynchronous transfer mode (PPPoA), the process jumps directly to step b.
- (Step b.) The PPP protocol module extracts the account and password entered by the user from the request message and sends them to the A3S.
- The A3S does not construct authentication information for the access device; it forwards the authentication information entered by the user directly to the authentication proxy module.
- The authentication proxy module constructs an authentication request message from the authentication information and the location information and sends it to the authentication module.
- If the authentication module reports a failure, the A3S instructs the PPP protocol module to send a link teardown request to the access device and tear down the corresponding virtual connection; otherwise the A3S instructs the PPP protocol module to ask the access device to initiate an address allocation request, and requests the corresponding IP address from the address allocation proxy module.
- Subsequent allocation and binding of the IP address proceed as in the DHCP access mode.
- The A3S obtains the assigned IP address. If a PPPv4 user initiated the access request, the A3S returns the IP address to the PPP protocol module; if a PPPv6 user initiated the request, the IP address prefix pre-configured on the interface where the user is located is returned to the access device, and the prefix is recorded for the virtual link.
- When the user then initiates automatic address configuration, the corresponding IP address prefix is returned to the user, so that the access device obtains a real (global) IP address.
- Charging then begins. The charging method corresponding to each access method above is described in three examples.
- Example 1-1: the charging method for the DHCP access mode.
- The DHCP protocol module in the protocol termination module waits for an Address Resolution Protocol (ARP) or Neighbor Discovery (ND) packet from the user.
- When the access device accesses the Internet with its assigned IP address, the DHCP module receives such a packet, determines that the user is online, and reports the user online to the A3S module. The A3S module then sends a charging start request to the charging module through the charging proxy module, and charging for the user begins.
- The DHCP protocol module periodically checks whether ARP or ND packets from the user are still being received.
- Example 2-1: the charging method for the automatic configuration access mode.
- The automatic configuration module in the protocol termination module waits for the global IP address information sent by the access device.
- When the automatic configuration module detects the user's global IP address information, it determines that the user is online and reports the user online to the A3S module. The A3S module then sends a charging start request to the charging module through the charging proxy module, and charging for the user begins.
- The automatic configuration module checks at fixed intervals whether the global IP address is still present.
- When the automatic configuration module finds that the global IP address of the access device is no longer present, the user is determined to be offline and is reported offline to the A3S module. The A3S then sends a charging termination request to the charging module through the charging proxy module, and the user is billed.
- Example 3-1: the point-to-point (PPP) access mode.
- The charging method is similar to the two charging examples above.
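The following Python block is an added example, not code from the patent or from any implementation of it. It models the A3S and address allocation behaviour of Examples 1 and 2 (the same steps are summarised again in the description): an account is composed from the DSLAM port number and the BRAS port number, the password from the BRAS port number, the allocated address is bound to the MAC address and the port information, and the binding is enforced on later traffic. The patent only says that the location information arrives with the access request; the example assumes it is carried as DHCP Option 82 relay-agent information (RFC 3046, Circuit ID sub-option) inserted by the DSLAM, assumes a vendor text layout for that Circuit ID, and picks its own separator characters. `Location`, `BindingTable`, `admit_dhcp_request` and the sample values are the example's own.

```python
"""Location-based credentials and IP/MAC/port binding on the BRAS (added example).
Assumed, not in the patent: location info arrives as DHCP Option 82 (RFC 3046)
Circuit ID text "<dslam-id> <port>" inserted by the DSLAM; the BRAS knows its own
device number, ingress port and VLAN; the separator characters are ours."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[IPv4Address, IPv6Address]

@dataclass(frozen=True)
class Location:
    dslam_id: str    # DSLAM device number
    dslam_port: str  # subscriber access port on the DSLAM, e.g. an ADSL port
    bras_id: str     # BRAS device number
    bras_port: str   # BRAS physical port the request arrived on
    vlan: int        # VLAN identifier the request arrived on

def parse_option82(payload: bytes) -> Tuple[str, str]:
    """Return (dslam_id, dslam_port) from Option 82, a list of sub-options laid
    out as code(1) length(1) data; only the Circuit ID (code 1) is needed."""
    i = 0
    while i + 2 <= len(payload):
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated Option 82 sub-option")
        if code == 1:
            dslam_id, port = data.decode("ascii").split(" ", 1)
            return dslam_id, port
        i += 2 + length
    raise ValueError("no Circuit ID sub-option in Option 82")

def build_credentials(loc: Location) -> Tuple[str, str]:
    """account = DSLAM port number + BRAS port number; password = BRAS port
    number. Neither is secret: what is authenticated is the access location."""
    bras_port = f"{loc.bras_id}/{loc.bras_port}.{loc.vlan}"
    return f"{loc.dslam_id}/{loc.dslam_port}@{bras_port}", bras_port

def link_local_from_mac(mac: str) -> IPv6Address:
    """Stateless link-local address the device creates in Example 2: fe80::/64
    plus the modified EUI-64 interface ID (flip the U/L bit, insert ff:fe)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return IPv6Address(IPv6Address("fe80::").packed[:8] + iid)

class BindingTable:
    """MAC + location + IP bindings kept by the address allocation module and
    enforced by the BRAS on the subscriber's later traffic."""

    def __init__(self) -> None:
        self._by_ip: Dict[IPAddr, Tuple[str, Location]] = {}

    def bind(self, mac: str, loc: Location, ip: IPAddr) -> None:
        owner = self._by_ip.get(ip)
        if owner is not None and owner != (mac.lower(), loc):
            # Example 2: address already in use -> device is told it cannot use it
            raise ValueError(f"{ip} already bound to {owner[0]} on {owner[1].dslam_port}")
        self._by_ip[ip] = (mac.lower(), loc)

    def permits(self, mac: str, loc: Location, ip: IPAddr) -> bool:
        """Forwarding check: source address must belong to this MAC on this port
        (the IP/location binding that WEB authentication cannot provide)."""
        return self._by_ip.get(ip) == (mac.lower(), loc)

def admit_dhcp_request(table: BindingTable, provisioned: Dict[str, str],
                       pool: List[IPv4Address], mac: str, option82: bytes,
                       bras_id: str, bras_port: str, vlan: int) -> Optional[IPv4Address]:
    """Example 1 end to end; `provisioned` (account -> expected password) stands in
    for the authentication module. None means authentication failed: no offer."""
    dslam_id, dslam_port = parse_option82(option82)
    loc = Location(dslam_id, dslam_port, bras_id, bras_port, vlan)
    account, password = build_credentials(loc)
    if provisioned.get(account) != password:
        return None
    ip = pool.pop(0)
    table.bind(mac, loc, ip)
    return ip

# Constructed sample input for the example.
CIRCUIT_ID = b"DSLAM-01 atm 1/2/3"
SAMPLE_OPTION82 = bytes([1, len(CIRCUIT_ID)]) + CIRCUIT_ID
SAMPLE_MAC = "00:11:22:33:44:55"
PROVISIONED = {"DSLAM-01/atm 1/2/3@BRAS-7/ge0/1.100": "BRAS-7/ge0/1.100"}

def demo() -> Dict[str, object]:
    table, pool = BindingTable(), [IPv4Address("10.0.0.5"), IPv4Address("10.0.0.6")]
    ip = admit_dhcp_request(table, PROVISIONED, pool, SAMPLE_MAC, SAMPLE_OPTION82,
                            "BRAS-7", "ge0/1", 100)
    here = Location("DSLAM-01", "atm 1/2/3", "BRAS-7", "ge0/1", 100)
    moved = Location("DSLAM-01", "atm 9/9/9", "BRAS-7", "ge0/1", 100)
    # Same device and DSLAM port but arriving on an unprovisioned VLAN: no address.
    denied = admit_dhcp_request(table, PROVISIONED, pool, SAMPLE_MAC, SAMPLE_OPTION82,
                                "BRAS-7", "ge0/1", 200)
    return {"ip": ip, "allowed_here": table.permits(SAMPLE_MAC, here, ip),
            "allowed_elsewhere": table.permits(SAMPLE_MAC, moved, ip),
            "denied": denied, "link_local": link_local_from_mac(SAMPLE_MAC)}
```

Two points for anyone deploying a scheme like this. First, both the account and the password are built from port identifiers that are not secret, so this is authorisation by access location rather than proof of a shared secret: it holds only as long as the relay-agent information is inserted by the operator's DSLAM and any Option 82 arriving from the subscriber side is stripped or rejected before it reaches the BRAS. Second, the binding table is what turns the location into a control: a packet whose source address was issued to another port or MAC fails `permits()` and can be dropped, which is the property the description says WEB authentication lacks.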
Abstract
An authentication access system, method and server solve the problems of the prior art that WEB devices have to be added to the system, that the client must support multiple protocols, that the IP address cannot be bound to the access location, and that plug-and-play of devices cannot be achieved. The system includes a broadband access server (BRAS) connected to the access device and a function server connected to the BRAS. The BRAS includes a protocol termination module for receiving and terminating the protocol messages sent by the access device, and an agent module for constructing request messages. The BRAS also includes a scheduling module connected between the protocol termination module and the agent module, which constructs the authentication information for non-dial-up access modes and passes it to the agent module, and forwards the address allocation information and the charging information; or, for the dial-up access mode, forwards the authentication information directly to the agent module and forwards the address allocation information and charging information.
Description
An authentication access system, authentication access method and server. TECHNICAL FIELD: The present invention relates to an authentication access system, an authentication access method and a server.
BACKGROUND
At present, the revenue an operator earns from broadband metropolitan area network services is not proportional to the number of network users. To increase revenue, operators keep adding new services to the network so that network services reach every aspect of home networking life and generate value-added income, for example Voice over IP (VoIP), Internet Protocol Television (IPTV) and online games. This also pushes the home network towards a multi-service network environment. A prior-art home network is shown in FIG. 1. It includes access devices providing different services, such as a personal computer (PC) 111, a set top box (STB) 112, an IP phone 113 and an IP television 114. The access devices connect through a remote transmission unit (RTU) or routing gateway 120, using an access technology such as a digital subscriber line (DSL) or a local area network (LAN), to a Layer 2 aggregation device (Multiplexer) 130 such as a digital subscriber line access multiplexer (DSLAM). The Multiplexer 130 extracts the Ethernet protocol packets from the access medium and passes them transparently, over its asynchronous transfer mode (ATM) or Ethernet uplink interface, to the broadband remote access server (BRAS) 140, which terminates the link and provides Internet access and other value-added services for the access device.
For the operator, adding new services also requires effective charging for the services a user consumes in order to obtain greater revenue. At present a single charging method, the monthly subscription, is mainly used. A comprehensive study of different charging policies (for example real-time, traffic-based or duration-based) found that a variety of charging methods can greatly increase the yield while also giving users their own choice of consumption policy.
However, today's multi-service home network contains many devices with different functions, and they work in different ways. For example, an IP phone must stay online permanently, so it usually uses a dedicated-line access method such as the Dynamic Host Configuration Protocol (DHCP), whereas IPTV does not need to stay online and only goes online while it is being watched, so it can use dial-up access or a mix of dial-up and dedicated-line access. If the IP phone and the IPTV belong to the same user, their different access methods mean that at present they can only be charged separately (for example, the IP phone by monthly subscription and the IPTV by traffic), and the user cannot be given unified charging management with a variety of charging policies. That is, in the above network environment the access methods of the access devices differ, so the variety of charging methods cannot be applied uniformly to all the access devices in the network. Solving this technical problem requires unifying the access authentication methods of the various access devices, i.e. applying authenticated access to the non-authenticated access methods, so that management and charging can be unified.
At present, the networking of the prior-art dial-up access method is shown in FIG. 2.
Within this network, the authenticated access flow of the Point-to-Point Protocol over Ethernet (PPPoE) dial-up access method is as follows:
The access device (for example a PC or STB) 110 starts its dial-up client and sends a PPPoE request, which is routed through the home network router or home gateway and bridged by the Multiplexer to the BRAS 140;
The Point-to-Point Protocol (PPP) version 4/6 module 141 of the BRAS 140 terminates the PPPoE packet, creates a corresponding virtual link, and notifies the dial-up client (not shown) to initiate authentication;
Using the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP), the access device 110 sends its account and password to the BRAS 140;
After the PPP version 4/6 module 141 of the BRAS 140 receives the account and password from the client, it sends them to the proxy server 142, which constructs an authentication request from them and sends it to the function server 150 for authentication;
If authentication passes, the proxy server 142 notifies the dial-up client through the PPP version 4/6 module 141 that it may apply for an IP address;
The access device 110 applies to the BRAS 140 for an IP address;
After the PPP version 4/6 module 141 of the BRAS 140 receives the address allocation request, it applies to the proxy server 142 for an IP address. The proxy server 142 generally allocates an address for the dial-up client dynamically from a shared address pool, or statically as specified by the function server 150;
After the proxy server 142 has allocated the address, it informs the access device 110 of the IP address it has obtained through the PPP version 4/6 module 141;
The access device 110 uses that IP address to access the network over the virtual link.
The non-authenticated access methods used in the prior art are mainly the DHCP access method and the automatic address configuration access method.
The access flow of the DHCP access method is as follows:
After the user starts the PC, the PC automatically starts its DHCP client and begins to apply for an IP address. The DHCP client sends a DHCP DISCOVER message on the link of its network interface to look for an available DHCP server. When the BRAS detects the DHCP DISCOVER message, it forwards it to the DHCP server using its internal DHCP relay function.
On receiving the message, the DHCP server confirms that it can allocate an IP address to the PC and responds with a confirmation message, which the BRAS forwards to the PC's DHCP client. The PC has now found an available DHCP server.
The DHCP client sends a request for IP address allocation to that DHCP server through the BRAS. On receiving the request, the DHCP server allocates an IP address and network parameters to the PC and sends a response to the user through the BRAS. The user's PC then accesses the network with the obtained IP address and network parameters.
The access flow of the automatic address configuration access method is as follows:
After the user starts the access device, the access device automatically starts the IPv6 automatic address configuration function. The access device checks whether the link of its network interface already contains an interface ID identical to its own; its own interface ID is constructed from the MAC address of its network card.
If none exists, it applies to the router connected to the link for the link's IP address prefix and network parameters. The router constructs a globally unique IP address from the IP address prefix assigned to it and the interface ID, and returns it to the client. The user then accesses the network with the obtained IP address and network parameters.
To let the non-authenticated access methods above apply for IP addresses and network access in an authenticated way, the prior art provides, for dedicated-line access methods such as DHCP, an authentication access method based on Internet web page (WEB) authentication. Its flow is as follows:
The steps before the IP address allocation request reaches the BRAS are the same as in the non-authenticated access method above.
Until the BRAS receives notification that the user has passed WEB authentication, it does not allow the user to use the network and discards all of the user's packets except Hypertext Transfer Protocol (HTTP) packets, which it redirects to the WEB server.
The WEB server pushes an authentication page to the user. On receiving it, the user manually enters a pre-assigned account and password in the web page and sends an HTTP-based authentication request to the BRAS, which forwards it to the WEB server.
The WEB server passes the user's account and password to the authentication server for authentication. The authentication server checks them and reports the result to the WEB server. If authentication passes, the WEB server notifies the BRAS that the user may use the network normally and pushes an authentication-passed page to the user, indicating that the user can now access the Internet. Otherwise the user is told that authentication failed.
Although WEB authentication achieves the goal of folding the non-authenticated access methods into an authenticated access method, and thereby unified charging and management for devices with different access methods, the method clearly requires a processing module for WEB technology in the BRAS, and WEB devices such as a WEB server must be added to the system to work with the BRAS and the authentication server before non-authenticated access methods can be authenticated.
At the same time, non-PC terminals must support HTTP, the Secure Hypertext Transfer Protocol (HTTPS) and the WEB authentication protocol. WEB authentication also requires accounts and passwords to be assigned in advance, whereas IPv6-based information appliances need to be plug-and-play, so the method cannot be applied to terminals that do not integrate multiple protocols and/or need plug-and-play.
WEB authentication also cannot bind the user's IP address to the access location (an address is not tied to the port it was issued on), which leaves the network easy to attack in a real working environment.
SUMMARY OF THE INVENTION
The present invention provides an authentication access system, an authentication access method and a server, which conveniently implement authenticated access for clients that support non-authenticated access methods.
According to one aspect of the present invention, an authentication access system includes: a broadband access server (BRAS) connected to the access device, and a function server connected to the BRAS. The BRAS includes: a protocol termination module for receiving and terminating the protocol packets sent by the access device, and a proxy module for constructing request messages. The BRAS further includes a scheduling module, A3S, connected between the protocol termination module and the proxy module, which constructs authentication information for the non-dial-up access methods and sends it to the proxy module and forwards address allocation information and charging information; or, for the dial-up access method, forwards the authentication information directly to the proxy module and forwards the address allocation information and charging information.
The proxy module includes an authentication proxy module, an address allocation proxy module and a charging proxy module, each connected to the A3S. The address allocation proxy module constructs address allocation request messages from the location information of the access device; the authentication proxy module constructs authentication request messages from the location information of the access device and the authentication information; the charging proxy module constructs charging request messages from the location information of the access device and the authentication information.
The function server includes: an authentication module connected to the authentication proxy module, which authenticates the authentication request messages it receives; an address allocation module connected to the address allocation proxy module, which allocates IP addresses to access devices that have passed authentication; and a charging module connected to the charging proxy module, which charges for services.
The protocol termination module includes: a Dynamic Host Configuration Protocol (DHCP) module for terminating DHCP protocol packets; a Point-to-Point Protocol (PPP) module for terminating PPP protocol packets; and an automatic configuration (Auto config) module for terminating stateless address configuration protocol packets.
According to another aspect of the present invention, in the authentication access method a broadband access server (BRAS) receives access request messages initiated by access devices with either an authenticated access method or a non-authenticated access method. Access request messages initiated with an authenticated access method are forwarded directly to the function server for authentication. On receiving an access request message initiated with a non-authenticated access method, the BRAS obtains the location information of the access device, constructs authentication information for it, and sends the function server an authentication request message carrying that authentication information; the function server authenticates the user, and the BRAS decides from the result whether to allow the user to access.
The non-authenticated access method is the dynamic host configuration access method or the automatic configuration access method; the authenticated access method is the point-to-point access method.
The location information of the access device is obtained either from the access request message sent by the access device, or by having the BRAS send a query to the digital subscriber line access multiplexer (DSLAM) where the access device is located.
The authentication information constructed by the BRAS includes an account and/or a password. The account is constructed from the port number of the DSLAM where the access device is located and the BRAS port number, and the password from the BRAS port number; or the account and password are constructed from the DSLAM port number where the access device is located and/or the media access control (MAC) address of the access device; or the password is constructed from the BRAS port number and/or the IP address of the interface.
The DSLAM port number consists of the device number of the DSLAM and the port number of the access device; the BRAS port number consists of the device number of the BRAS and the port number of the access device.
After authentication passes, the IP address allocated to the user is bound to the access device: the IP address is bound to the access device according to the port information of the BRAS and the MAC address of the access device, or according to the DSLAM port number where the access device is located.
接入设备采用非认证接入方式发起接入请求, 并为该设备分配了 IP 地址后, 还包括下列步骤: BRAS收到该接入设备发来的接入报文, 则开 始对其计费。 计费开始后, 定时检测该接入设备的接入信息, 当检测不 到所述接入信息时, 终止计费。 所述接入信息为该用户的地址解析协议 ( ARP )报文、 邻居发现协议(ND )报文, 或者该用户申请的全局链路 IP地址。 After the access device initiates the access request by using the non-authentication access mode and assigns the IP address to the device, the following steps are also included: After receiving the access packet sent by the access device, the BRAS starts to charge the access packet. . After the charging starts, the access information of the access device is periodically detected, and when the access information is not detected, the charging is terminated. The access information is an address resolution protocol (ARP) packet, a neighbor discovery protocol (ND) packet, or a global link IP address applied by the user.
According to yet another aspect of the present invention, a broadband access server is provided, comprising: a protocol termination module for receiving and terminating the protocol packets sent by the access device; a proxy module for constructing request messages; and further a scheduling module (A3S) connected between the protocol termination module and the proxy module, which constructs authentication information for the non-dial-up access mode and sends it to the proxy module, and forwards address allocation information and accounting information; or which forwards the authentication information of the dial-up access mode directly to the proxy module, together with the address allocation information and accounting information.
The proxy module comprises an authentication proxy module, an address allocation proxy module and an accounting proxy module, each connected to the A3S;
the address allocation proxy module constructs an address allocation request message according to the location information of the access device;
the authentication proxy module constructs an authentication request message according to the location information of the access device and the authentication information;
the accounting proxy module constructs an accounting request message according to the location information of the access device and the authentication information.
The broadband access server further comprises an address allocation module connected to the address allocation proxy module, for allocating an address to an access device that has passed authentication.
The protocol termination module comprises:
a dynamic host configuration protocol (DHCP) module for terminating DHCP protocol packets; a point-to-point protocol (PPP) module for terminating PPP protocol packets;
an automatic configuration (Auto config) module for terminating the protocol packets of stateless address configuration. The beneficial effects of the present invention are as follows:
Because the authentication access system of the present invention can construct authentication information for the non-authenticated access mode, the non-authenticated access mode is unified into the authenticated access mode. After access succeeds, the authentication information is used to construct an accounting request message so that the access device can be charged.
This removes the need for the access device to support multiple protocols, lowering both the difficulty of protocol configuration on the access device and the cost of the access device.
In addition, a system according to the present invention only needs a scheduling module added to it, which reduces the system cost.
The present invention does not require an account and password to be allocated in advance; instead, the scheduling module automatically constructs a globally unique account and password from the location information of the access device, so the invention is compatible with all IP devices and provides plug-and-play operation.
The present invention unifies the address allocation of the various access modes in the address allocation module, which makes unified management and planning of addresses easier. Moreover, an IP address can be bound to the access device according to its location information, which guarantees that the device obtains the same IP address each time it applies, simplifying operation and reducing cost.
By separating the access mode from the authentication mode, the present invention provides an effective means of supporting the long-term coexistence of the IPv4 and IPv6 protocols.
With the system and authentication method of the present invention, a unified accounting policy can be applied to all access modes, which makes it easy to implement multiple accounting policies in the system so that operators obtain greater revenue.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of a prior-art home network;
FIG. 2 is a networking diagram of a prior-art dial-up access system;
FIG. 3 is a networking diagram of a system embodiment of the present invention;
FIG. 4 is a flow chart of a method embodiment of the present invention.
DETAILED DESCRIPTION
On the premise that the system is able to authenticate non-authenticated access modes, and in order to simplify the system further, relieve the user side of the need to support multiple protocols, allow the system to bind IP addresses to access locations, and improve the system's compatibility with IP devices, the present invention adds a scheduling module (A3S) to the access authentication system. The A3S constructs authentication information for the non-authenticated access modes so that they can be unified into the authenticated mode.
The networking of the authentication access system of the present invention is shown in FIG. 3. The system comprises a broadband access server (BRAS) 400 connected to an access device 300, and a function server 500 connected to the BRAS 400.
The BRAS 400 comprises:
a protocol termination module 410 connected to the access device 300, which contains a dynamic host configuration protocol (DHCP) module 411, a point-to-point protocol (PPP) module 412, an automatic configuration (Auto config) module 413, and protocol modules for other protocols (not shown); the automatic configuration module 413 may be a stateless automatic address configuration module based on the IPv6 protocol;
a scheduling module (A3S) 420 connected to the protocol termination module 410;
a proxy module 430 connected to the A3S 420, which contains an address allocation proxy module 431, an authentication proxy module 432 and an accounting proxy module 433.
The function server 500 comprises an authentication module 520 connected to the authentication proxy module, an address allocation module 510 connected to the address allocation proxy module, and an accounting module 530 connected to the accounting proxy module.
The BRAS 400 receives the access request message sent by the access device 300 and performs access processing on the request message. Within the BRAS 400:
the protocol termination module 410 receives and terminates the protocol packets sent by the access device 300. The DHCP module 411 inside it terminates DHCP protocol packets; the PPP module 412 terminates PPP protocol packets; the Auto config module 413 terminates the protocol packets of stateless address configuration.
The A3S 420 constructs an account and password for the non-authenticated access modes (for example, leased-line access) and forwards the constructed account and password, or directly forwards the account and password of the authenticated access mode sent by the user side; after authentication succeeds it forwards the address allocation information and accounting information.
Inside the proxy module 430, the authentication proxy module 432 constructs an authentication request message from the location information and/or media access control address of the access device together with the account and password constructed by the A3S 420; the address allocation proxy module 431 constructs an address allocation request message from the location information and/or MAC address of the access device; the accounting proxy module 433 constructs an accounting request message from the location information and/or MAC address of the access device.
Inside the function server, the authentication module 520 authenticates the authentication request information sent by the authentication proxy module; the address allocation module 510 allocates an IP address to an access device that has passed authentication; the accounting module 530 charges for the service.
The address allocation module described above may also be located in the BRAS, with its connections and function unchanged.
In other words, the broadband access server provided by this embodiment of the present invention can provide a unified authentication, address allocation and accounting mechanism for multiple access modes. For example:
For non-dial-up access, the broadband access server constructs the authentication message and handles the authentication process, then performs address allocation and accounting according to the authentication result.
For dial-up access, the broadband access server relays the authentication message, address message and accounting message to the function server, where relaying means extracting the account and password from the dial-up authentication message and forwarding them, together with the address and accounting messages, using the interface protocol of the function server.
The A3S may, when a user accessing in non-dial-up mode sends messages such as an address request or an address-overlap check, construct the authentication message on the user's behalf from those messages; after confirming that authentication and address allocation have succeeded, it is responsible for collecting the corresponding accounting information and reporting it to the accounting proxy module, for example by constructing accounting messages from the accounting events of the protocol termination module according to the accounting policy delivered by the authentication module.
The method of the present invention unifies the non-authenticated access method into the authenticated access method by constructing authentication information for the non-authenticated access mode within the system. The flow of the method embodiment of the present invention is shown in FIG. 4 and comprises the following steps:
S1. The access device sends an access request message to the BRAS using either an authenticated access mode or a non-authenticated access mode;
S2. The BRAS determines in which mode the access request message was initiated; if it was initiated in the authenticated access mode, proceed to step S5; if it was initiated in the non-authenticated access mode, proceed to step S3;
S3. The BRAS constructs authentication information for the access device from its location information;
S4. The BRAS sends the function server an authentication request message carrying the authentication information;
S5. The function server authenticates the user; if the user has access permission, proceed to step S7; otherwise, proceed to step S6;
S6. The user is informed of the reason for the access failure;
S7. The function server allocates an IP address to the access device;
S8. The BRAS completes the access work.
The specific implementation steps of the method of the present invention are described below using two examples of non-authenticated access modes.
Example 1: authenticating and admitting DHCP-mode access.
The access device initiates an access request using DHCP version 4 or 6 (v4/v6); the access request message is bridged to the BRAS device through the RTU and the Multiplexer or DSLAM.
The protocol termination module in the BRAS determines the protocol format of the access request message and finds that it was initiated with DHCP v4/v6. It then passes the message to the DHCP module inside the protocol termination module, which terminates the user's DHCP protocol packet. When this is done, the processed access request message is sent to the A3S module in order to apply to the system for an IP address.
The A3S sends a confirmation message to the system to confirm whether a corresponding address allocation server and authentication server are configured under the interface at which the access device is attached. After confirming that they are, the A3S obtains the location information of the access device, either from the location information carried in the access request message sent by the access device or by having the BRAS send a query request to the DSLAM at which the access device is attached, and uses it to construct the authentication information: the account is constructed from the DSLAM port number and the BRAS port number of the access device, and the password from the BRAS port number. The DSLAM port number comprises the DSLAM device number and the user access port number (for example, an asymmetric digital subscriber line (ADSL) port number); the BRAS port number comprises the BRAS device number and the user access port number (for example, a physical port number or a virtual LAN (VLAN) identifier). The account and password may also be constructed from the DSLAM port number of the access device and/or the media access control address of the access device, or from the BRAS port number and/or the IP address of the interface.
Having constructed the authentication information (password, account, etc.) for the access device, the A3S sends it to the authentication proxy module, which constructs an authentication request message from the location information and/or media access control address of the access device together with the account and password constructed by the A3S, and sends the authentication request message to the authentication module.
On receiving the authentication request message, the authentication module parses the account and password of the access device from it and authenticates them. The authentication module records the corresponding information about the user, delivers the corresponding policy, and returns the authentication result to the A3S through the authentication proxy module. If the A3S finds that the user failed authentication, it returns a "no corresponding server found" message directly to the access device; otherwise the A3S informs the address allocation proxy module that authentication passed.
On receiving the authentication-passed message, the address allocation proxy module constructs an address allocation request message from the location information and/or MAC address of the access device and sends it to the address allocation module. The location information includes the port number of the digital subscriber line multiplexer at which the access device is attached and the BRAS port number.
The address allocation module, according to the user's port information and MAC address, allocates the device its corresponding IP address and lease, and establishes a binding between the MAC address, the port information and the IP address. It then returns the allocated IP address and lease to the A3S through the address allocation proxy module.
Using the obtained IP address, the A3S establishes a mapping between the IP address and the policy delivered for that user. The DHCP module then notifies the user that address allocation succeeded, and the BRAS completes the subsequent access work. The flow ends here.
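The following is an added example, not code from the patent: a small model of steps S1 to S8 as handled by the BRAS, including the location-derived account and password of Example 1 (DSLAM port number plus BRAS port number for the account, BRAS port number for the password) and the (BRAS port, MAC) to IP binding of the address allocation module. The PPP branch relays user-entered credentials unchanged, as in Example 3. The field names, the "device:port" joining format, the stand-in function server and all sample values are assumptions; the patent does not specify a wire format.

```python
# Added example (not the patent's code): a model of the BRAS access flow
# S1-S8 with the location-derived account/password of Example 1.
# Field names, the "device:port" joining format and all sample values are
# assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    """Location information the BRAS holds for a subscriber line."""
    dslam_device: str   # DSLAM device number
    dslam_port: str     # user access port on the DSLAM (e.g. the ADSL port)
    bras_device: str    # BRAS device number
    bras_port: str      # user access port on the BRAS (physical port or VLAN id)


@dataclass
class AccessRequest:
    mode: str                      # "dhcp" / "autoconf" (non-authenticated) or "ppp"
    location: Location
    mac: str
    account: Optional[str] = None  # user-entered credentials, PPP only
    password: Optional[str] = None


def build_credentials(loc: Location) -> tuple:
    """A3S role (step S3): account = DSLAM port number + BRAS port number,
    password = BRAS port number, where each port number is device number
    plus access port. The separators are an assumption."""
    dslam_port_number = f"{loc.dslam_device}:{loc.dslam_port}"
    bras_port_number = f"{loc.bras_device}:{loc.bras_port}"
    return f"{dslam_port_number}/{bras_port_number}", bras_port_number


class FunctionServer:
    """Stand-in for the function server: an authentication module holding the
    accounts the operator has authorised, and an address allocation module
    that binds (BRAS port number, MAC) to an IP so that a line always gets
    the same address (the binding described in Example 1)."""

    def __init__(self, accounts, pool, lease=3600):
        self._accounts = dict(accounts)   # account -> expected password
        self._pool = list(pool)           # free addresses (constructed sample)
        self._lease = lease
        self.bindings = {}                # (bras_port_number, mac) -> ip

    def authenticate(self, account, password):
        return self._accounts.get(account) == password

    def allocate(self, bras_port_number, mac):
        key = (bras_port_number, mac)
        if key not in self.bindings:
            if not self._pool:
                raise RuntimeError("address pool exhausted")
            self.bindings[key] = self._pool.pop(0)
        return self.bindings[key], self._lease


def handle_access_request(req: AccessRequest, server: FunctionServer) -> dict:
    """Steps S1-S8 as seen by the BRAS; returns the outcome for the device."""
    # S2: authenticated (PPP) access already carries credentials, which are
    # relayed unchanged; non-authenticated access gets constructed ones (S3).
    if req.mode == "ppp":
        if req.account is None or req.password is None:
            return {"ok": False, "reason": "PPP request without credentials"}
        account, password = req.account, req.password
    elif req.mode in ("dhcp", "autoconf"):
        account, password = build_credentials(req.location)
    else:
        return {"ok": False, "reason": f"unsupported access mode {req.mode!r}"}
    # S4/S5: the function server authenticates; S6 reports the failure reason.
    if not server.authenticate(account, password):
        return {"ok": False, "reason": "authentication failed"}
    # S7: address allocation bound to BRAS port and MAC; S8: access completes.
    bras_port_number = f"{req.location.bras_device}:{req.location.bras_port}"
    ip, lease = server.allocate(bras_port_number, req.mac)
    return {"ok": True, "account": account, "ip": ip, "lease": lease}


# Constructed sample data: one authorised line (A) and one unknown line (B).
LINE_A = Location("dslam-01", "adsl-7", "bras-03", "vlan-1107")
LINE_B = Location("dslam-01", "adsl-9", "bras-03", "vlan-1109")


def make_server() -> FunctionServer:
    account_a, password_a = build_credentials(LINE_A)
    return FunctionServer({account_a: password_a, "alice": "s3cret"},
                          ["10.0.0.10", "10.0.0.11"])


if __name__ == "__main__":
    srv = make_server()
    print(handle_access_request(AccessRequest("dhcp", LINE_A, "00:11:22:33:44:55"), srv))
    print(handle_access_request(AccessRequest("dhcp", LINE_B, "00:11:22:33:44:66"), srv))
```

In this model the function server still has to know which lines are authorised: the subscriber is never given an account or password, but the operator's authentication module holds the location-derived accounts it accepts, which is what makes a request from an unprovisioned port (line B above) fail at step S5 rather than receive an address. The binding table also shows why a line keeps the same IP across requests: the key is the BRAS port and MAC, not the request.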
Example 2: authenticating and admitting automatic-configuration access.
The automatic configuration mode was introduced with IP version 6; it is stateless, and with this access mode an address is configured for the access device automatically. The flow is as follows: the access device itself creates the IP address of the link-local segment to which its interface belongs, then sends a link detection message to the system to check whether the created address is a duplicate. When the protocol termination module in the BRAS receives this duplicate address detection (DAD) packet, it passes it to the automatic configuration module; once it is confirmed that the address currently has no conflict, the protocol termination module initiates an authentication request to the A3S.
The A3S sends a confirmation message to the system to confirm whether a corresponding address allocation server and authentication server are configured under the interface at which the access device is attached. After confirming that they are, the A3S obtains the location information of the access device, either from the location information carried in the access request message sent by the access device or by having the BRAS send a query request to the DSLAM at which the access device is attached, and uses it to construct the authentication information: the account is constructed from the DSLAM port number and the BRAS port number of the access device, and the password from the BRAS port number. Alternatively, other location information is used to construct the authentication information.
Having constructed the authentication information (password, account, etc.) for the access device, the A3S sends it to the authentication proxy module, which constructs an authentication request message from the location information and/or media access control address of the access device together with the account and password constructed by the A3S, and sends the authentication request message to the authentication module.
On receiving the authentication request message, the authentication module parses the account and password of the access device from it and authenticates them. The authentication module records the corresponding information about the user, delivers the corresponding policy, and returns the authentication result to the A3S through the authentication proxy module. If the A3S finds that the user failed authentication, it returns directly to the access device a message that the device cannot use the address or that the address overlaps; otherwise the A3S informs the allocation proxy module that authentication passed and that the created address does not overlap.
The allocation proxy module constructs an address allocation request message from the location information and/or MAC address of the access device and sends it to the address allocation module. The location information includes the port number of the digital subscriber line multiplexer at which the access device is attached and the BRAS port number.
The address allocation module, according to the user's port information and MAC address, allocates the link-local IP address that the access device created itself together with the corresponding lease, and establishes a binding between the MAC address, the port information and that IP address. It then returns the allocated IP address and lease to the A3S through the address allocation proxy module. Access on the local link is now complete.
The A3S then applies to the address allocation proxy module for the global address prefix information corresponding to the interface at which the access device is attached. The authentication and access flow is the same as above. After the global address prefix information is obtained, the BRAS completes the subsequent access work. The flow ends here.
To achieve the unification of the non-authenticated access modes into the authenticated access mode, access modes that require authentication can likewise be implemented with the authentication access system of the present invention.
Example 3: point-to-point access.
a. The access device applies for network access using the PPPoE protocol. The access request message is bridged to the BRAS device through the RTU and the Multiplexer. The protocol termination module in the BRAS device determines the protocol format of the access request message and finds that it was initiated with PPPoE. It then passes the message to the PPP protocol module inside the protocol termination module, which terminates the PPPoE protocol and creates the corresponding virtual link, and then notifies the access device to initiate an authentication request over the virtual link. If the access device accesses the network with PPP over asynchronous transfer mode (PPPoA), the flow jumps directly to step b;
b. The PPP protocol module extracts the account and password entered by the user from the request message and sends them to the A3S. In this case the A3S does not construct authentication information for the access device but sends the authentication information entered by the user directly to the authentication proxy module. The authentication proxy module constructs an authentication request message from the authentication information and the location information and sends it to the authentication module.
If the authentication module responds that authentication failed, the A3S notifies the PPP protocol module to send a link-teardown request to the access device and to remove the corresponding virtual connection; otherwise, the A3S notifies the PPP protocol module to initiate an address allocation request towards the access device and applies to the address allocation proxy module for the corresponding IP address.
The subsequent allocation and binding of the IP address proceed as in the DHCP access mode. After the A3S has obtained the allocated IP address, if the access request was initiated by a PPPv4 user, the A3S returns the corresponding IP address to the PPP protocol module; if it was initiated by a PPPv6 user, the IP address prefix preconfigured on the interface at which the user is attached is returned to the access device and the IP address prefix of the virtual link is saved; when the user starts automatic address configuration, the user side automatically returns the corresponding IP address prefix to the system, so that the access device obtains its actual IP address.
基于上述系统和认证接入方法, 在为接入设备分配了 IP地址后, 开 始计费步骤, 以下对应上述认证接入方法, 以 3个实例具体说明。 Based on the foregoing system and the authentication access method, after the IP address is assigned to the access device, the charging step is started, and the following is the corresponding authentication access method, which is specifically described by three examples.
例 1-1 : DHCP接入方式对应的计费方法。 Example 1-1: The charging method corresponding to the DHCP access method.
在分配 IP地址操作完成后, 协议终结模块中的 DHCP协议模块等待 该用户发来的 ARP或 ND报文。 After the operation of assigning an IP address is complete, the DHCP protocol module in the protocol termination module waits for the ARP or ND packet sent by the user.
当接入设备使用分配到的 IP地址上网, 并且所述 DHCP模块收到所 述报文时, 则判定该用户上线, 并向 A3S模块上报该用户上线。 之后, A3S模块通过计费代理模块向计费模块发起计费开始请求, 并开始对该 用户的计费。 When the access device accesses the Internet using the assigned IP address, and the DHCP module receives the message, it determines that the user is online, and reports the user to the A3S module to go online. Thereafter, the A3S module initiates a charging start request to the charging module through the charging proxy module, and starts charging for the user.
开始计费后, DHCP协议模块每隔一定时长检测一次是否存在该用 户的 ARP ( Address Resolution Protocol, 地址解析协议)或 ND ( Neighbor Discovery, 邻居发现)报文。 当 DHCP协议模块检测到接入设备的 ARP 或 D的邻居 "不在位" 状态, 则判定该用户下线, 并向 A3S模块上报 该用户下线。之后 A3S通过计费代理模块向计费模块发送终止计费请求, 并结束对该用户计费。 After the start of the accounting, the DHCP protocol module checks whether there is an ARP (Address Resolution Protocol) or ND (Neighbor Discovery) packet of the user. When the DHCP protocol module detects that the ARP or D neighbor of the access device is in the "out of position" state, the user is determined to go offline, and the user is reported to the A3S module to go offline. After that, the A3S sends a termination charging request to the charging module through the charging proxy module, and ends charging the user.
例 2-1 : 自动配置接入方式对应的计费方法。 Example 2-1: Automatically configure the accounting method corresponding to the access method.
在分配 IP地址操作完成后, 协议终结模块中的自动配置模块等待该 接入设备发来的全局链路 IP地址信息。 After the operation of assigning an IP address is completed, the automatic configuration module in the protocol termination module waits for the global link IP address information sent by the access device.
When the access device goes online using the assigned IP address and the auto-configuration module detects the user's global link IP address information, it determines that the user is online and reports this to the A3S module. The A3S module then sends an accounting-start request to the charging module through the charging proxy module, and charging for the user begins.
After charging starts, the auto-configuration module checks at a fixed interval whether the global link IP address is still present. When the auto-configuration module detects that the access device's global link IP address is in the "not present" state, it determines that the user has gone offline and reports this to the A3S module. The A3S module then sends an accounting-stop request to the charging module through the charging proxy module, and charging for the user ends.
Example 3-1: The charging method corresponding to point-to-point PPP access follows a flow similar to the two charging examples above.
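The online/offline detection and charging start/stop flow of the examples above, as an added Python illustration that is not the patent's own code: the 60 s check interval, the message texts and the IP/MAC values are constructed assumptions, and one state machine serves both the DHCP case (ARP/ND packets) and the auto-configuration case (global link IP address).

```python
"""Accounting session state machine for the non-authenticated access modes of
Examples 1-1 and 2-1.  Added illustration, not the patent's own code: the check
interval, the constructed packet trace and the A3S message texts are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

CHECK_INTERVAL = 60.0  # seconds between liveness checks (assumed value)
ACCESS_INFO = {"ARP", "ND", "GLOBAL_LINK_IP"}  # access information per claim 19


class State(Enum):
    ADDRESS_ASSIGNED = "address_assigned"  # IP assigned, no access packet yet
    ONLINE = "online"                      # accounting is running
    OFFLINE = "offline"                    # accounting has been terminated


@dataclass
class Session:
    ip: str
    mac: str  # MAC the IP was bound to at allocation (claim 16)
    state: State = State.ADDRESS_ASSIGNED
    start_time: Optional[float] = None
    stop_time: Optional[float] = None
    next_check: Optional[float] = None
    a3s_log: List[str] = field(default_factory=list)  # A3S -> charging proxy


def on_access_packet(sess: Session, kind: str, src_ip: str, src_mac: str,
                     now: float) -> bool:
    """Protocol-module hook for each ARP/ND packet or global link IP address
    notification.  Returns True when it counted as this user's access info."""
    if kind not in ACCESS_INFO:
        return False
    if src_ip != sess.ip or src_mac != sess.mac:
        # Breaks the IP/MAC binding made at allocation: not this user's
        # traffic, so it can neither start nor keep alive the session.
        return False
    if sess.state is State.ADDRESS_ASSIGNED:
        # First access packet after allocation: user is online, start charging.
        sess.state = State.ONLINE
        sess.start_time = now
        sess.next_check = now + CHECK_INTERVAL
        sess.a3s_log.append(f"Accounting-Start ip={sess.ip} t={now:.0f}")
    return True


def periodic_check(sess: Session, now: float, neighbor_present: bool) -> State:
    """Liveness check run once per CHECK_INTERVAL while ONLINE; neighbor_present
    answers "is the user's ARP/ND entry (or global link IP) still present?"."""
    if sess.state is not State.ONLINE or now < sess.next_check:
        return sess.state  # nothing to do, or the check is not yet due
    sess.next_check = now + CHECK_INTERVAL
    if not neighbor_present:
        # Neighbor "not present": user went offline, terminate accounting.
        sess.state = State.OFFLINE
        sess.stop_time = now
        sess.a3s_log.append(f"Accounting-Stop ip={sess.ip} t={now:.0f}")
    return sess.state


def billed_seconds(sess: Session) -> Optional[float]:
    """Charged duration, or None while the session is still running."""
    if sess.start_time is None or sess.stop_time is None:
        return None
    return sess.stop_time - sess.start_time


def simulate_dhcp_session() -> Session:
    """Constructed trace: an ARP from a different MAC is ignored, the bound host
    comes online, is still present at the first check and gone at the next."""
    sess = Session(ip="10.0.0.5", mac="aa:bb:cc:dd:ee:01")
    on_access_packet(sess, "ARP", "10.0.0.5", "aa:bb:cc:dd:ee:02", 0.0)  # ignored
    on_access_packet(sess, "ARP", "10.0.0.5", "aa:bb:cc:dd:ee:01", 0.0)  # online
    periodic_check(sess, 60.0, neighbor_present=True)
    periodic_check(sess, 120.0, neighbor_present=False)  # offline
    return sess
```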
It is apparent that those skilled in the art can make various modifications and variations to the invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the invention and their equivalents, the invention is intended to cover them as well.
Claims
1. An authentication access system, comprising: a broadband access server (BRAS) connected to an access device, and a function server connected to the BRAS; wherein
the BRAS is configured to construct authentication information, and an authentication request message corresponding to that authentication information, for access in a non-authenticated mode, and, after authentication has passed, to construct address allocation request information and charging information for the non-authenticated access;
the function server is configured to authenticate the non-authenticated access after receiving the authentication request message, and, after authentication has passed, to perform charging for the non-authenticated access.
2. The authentication access system according to claim 1, wherein the BRAS comprises: a protocol termination module for receiving and terminating protocol packets sent by the access device; a proxy module for constructing request messages; and further comprises: a scheduling module (A3S) connected between the protocol termination module and the proxy module, for constructing authentication information for non-authenticated access and sending it to the proxy module, forwarding address allocation information, and forwarding or constructing charging information according to the charging policy; or for directly forwarding the authentication information of an authenticated access mode to the proxy module, and forwarding address allocation information and charging information.
3. The system according to claim 2, wherein the proxy module comprises: an authentication proxy module, an address allocation proxy module and a charging proxy module, each connected to the A3S;
the address allocation proxy module is configured to construct an address allocation request message according to the information of the access device;
the authentication proxy module is configured to construct an authentication request message according to the information of the access device and the authentication information;
the charging proxy module is configured to construct a charging request message according to the information of the access device and the authentication information.
4. The system according to claim 3, wherein the function server comprises: an authentication module, connected to the authentication proxy module, for authenticating the received authentication request message;
an address allocation module, connected to the address allocation proxy module, for allocating an address to an access device that has passed authentication;
a charging module, connected to the charging proxy module, for charging the service.
5. The system according to claim 3, wherein the BRAS further comprises: an address allocation module connected to the address allocation proxy module, for allocating an address to an access device that has passed authentication.
6. The system according to claim 5, wherein the function server comprises: an authentication module, connected to the authentication proxy module, for authenticating the received authentication request message;
a charging module, connected to the charging proxy module, for charging the service.
7. The system according to any one of claims 1 to 6, wherein the protocol termination module comprises:
a Dynamic Host Configuration Protocol (DHCP) module for terminating DHCP protocol packets; a Point-to-Point Protocol (PPP) module for terminating PPP protocol packets;
an auto-configuration (Auto config) module for terminating protocol packets of stateless address configuration.
8. An authentication access method, wherein a broadband access server (BRAS) receives an access request message initiated by an access device in a non-authenticated access mode; characterised in that, after receiving the access request message initiated in the non-authenticated access mode, the BRAS obtains the information of the access device and constructs authentication information for it, and sends an authentication request message carrying that authentication information to a function server; the function server authenticates the user, and the BRAS determines according to the authentication result whether to allow the user to access.
9. The method according to claim 8, further comprising: the BRAS directly forwarding an access request message initiated in an authenticated access mode to the function server for authentication.
10. The method according to claim 9, wherein the non-authenticated access mode is dynamic host configuration access or auto-configuration access, and the authenticated access mode is point-to-point access.
11. The method according to claim 10, wherein obtaining the information of the access device comprises: obtaining it from the access request message sent by the access device, or obtaining it by the BRAS sending a query request to the digital subscriber line multiplexer (DSLAM) where the access device is located.
12. The method according to claim 11, wherein constructing the authentication information comprises: constructing the account according to the port number of the DSLAM where the access device is located and the BRAS port number, and constructing the password according to the BRAS port number; or constructing the account and password according to the DSLAM port number where the access device is located and/or the media access control (MAC) address of the access device; or constructing the password according to the BRAS port number and/or the IP address of the interface.
13. The method according to claim 12, wherein the DSLAM port number comprises: the device number of the DSLAM and the port number of the access device;
the BRAS port number comprises: the device number of the BRAS and the port number of the access device.
14. The method according to claim 9, wherein, after authentication has passed, the method further comprises: the BRAS constructing an address allocation request and the function server allocating an IP address to the access device; or the BRAS allocating an IP address to the access device.
15. The method according to claim 14, wherein, after authentication has passed, the IP address allocated to the user is bound to the access device.
16. The method according to claim 15, wherein the IP address is bound to the access device according to the port information of the BRAS and the MAC address of the access device; or the IP address is bound to the access device according to the DSLAM port number where the access device is located.
17. The method according to claim 15, wherein, when the access device initiates an access request in a non-authenticated access mode, after the IP address is allocated to the access device the method further comprises:
the BRAS receiving an access packet sent by the access device and starting to charge it.
18. The method according to claim 17, wherein, after charging starts, the access information of the access device is detected periodically, and charging is terminated when the access information can no longer be detected.
19. The method according to claim 17 or 18, wherein the access information is the user's Address Resolution Protocol (ARP) packet, Neighbor Discovery (ND) protocol packet, or the global link IP address applied for by the user.
20. A broadband access server, comprising: a protocol termination module for receiving and terminating protocol packets sent by an access device; a proxy module for constructing request messages;
characterised in that it further comprises: a scheduling module (A3S) connected between the protocol termination module and the proxy module, for constructing authentication information for a non-dial-up access mode and sending it to the proxy module, forwarding address allocation information, and forwarding or constructing charging information according to the charging policy; or for directly forwarding the authentication information of a dial-up access mode to the proxy module, and forwarding address allocation information and charging information.
21. The broadband access server according to claim 20, wherein the proxy module comprises: an authentication proxy module, an address allocation proxy module and a charging proxy module, each connected to the A3S;
the address allocation proxy module is configured to construct an address allocation request message according to the information of the access device;
the authentication proxy module is configured to construct an authentication request message according to the information of the access device and the authentication information;
the charging proxy module is configured to construct a charging request message according to the information of the access device and the authentication information.
22. The broadband access server according to claim 20, further comprising: an address allocation module connected to the address allocation proxy module, for allocating an address to an access device that has passed authentication.
23. The broadband access server according to any one of claims 20 to 22, wherein the protocol termination module comprises:
a Dynamic Host Configuration Protocol (DHCP) module for terminating DHCP protocol packets; a Point-to-Point Protocol (PPP) module for terminating PPP protocol packets;
an auto-configuration (Auto config) module for terminating protocol packets of stateless address configuration.
Applications Claiming Priority (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200510080111.9 | 2005-06-29 | | |
| CNB2005100801119A CN100421403C (en) | 2005-06-29 | 2005-06-29 | Identification insertion system and identification inserting method thereof |
Publications (1)

| Publication Number | Publication Date |
|---|---|
| WO2007000120A1 true WO2007000120A1 (en) | 2007-01-04 |
Family ID: 37578744

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2006/001500 WO2007000120A1 (en) | An authentication access system, method and server | 2005-06-29 | 2006-06-29 |
Country Status (2)

| Country | Link |
|---|---|
| CN (1) | CN100421403C (en) |
| WO (1) | WO2007000120A1 (en) |
Timeline

- 2005-06-29: CN CNB2005100801119A (patent CN100421403C), not active, Expired - Fee Related
- 2006-06-29: WO PCT/CN2006/001500 (patent WO2007000120A1), active, Application Filing
Also Published As

| Publication Number | Publication Date |
|---|---|
| CN1889484A (en) | 2007-01-03 |
| CN100421403C (en) | 2008-09-24 |
Legal Events

| Code | Title | Description |
|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 06753065; Country of ref document: EP; Kind code of ref document: A1 |