WO2009049557A1 - An authentication-conversion-based communication method, system and device - Google Patents
- Publication number: WO2009049557A1 (PCT application PCT/CN2008/072700)
- Authority: WO (WIPO, PCT)
- Prior art keywords: authentication, user, user equipment, external, access
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- the present invention relates to the field of communications technologies, and in particular to a communication method, system and device based on authentication mechanism conversion.
Background technique
- PSTN: Public Switched Telephone Network
- the PSTN carries telephone service, DDN (Digital Data Network) private lines, and so on.
- IP: Internet Protocol
- VoIP: Voice over IP
- Video over IP
- TV over IP
- PPP: Point-to-Point Protocol
- PPP dialing is only applicable to dial-up Internet access and DSL (Digital Subscriber Line) access; other access methods are not well supported.
- the service provider therefore evolves from the PPP (dial-up) access mode to an access mode in which all of the subscriber's IP services are carried over one unified transport.
- this access mode is the Subscriber Session, which comprises two basic session types: the IP session and the PPP session.
- IP sessions can be established statically, or dynamically via DHCP (Dynamic Host Configuration Protocol); examples are IP session calls authenticated by PANA (Protocol for carrying Authentication for Network Access) and IP session calls authenticated by DHCP Auth.
- DHCP: Dynamic Host Configuration Protocol
- PANA: Protocol for carrying Authentication for Network Access
- with the popularity of broadband access (such as DSL) and digital devices (such as PCs), the devices behind a gateway (a home network or enterprise gateway) are interconnected over a LAN (Local Area Network) or WLAN (Wireless Local Area Network, wireless Ethernet) to form an independent network that connects to the broadband metropolitan area network through the gateway. Users can get the same experience as cable TV over the broadband network, or log in to the company network over the Internet to reach e-mail or servers and work from home.
- LAN: Local Area Network
- WLAN: Wireless Local Area Network
- a visiting user may use the Layer 2 bridging function of the home gateway to dial in, with a protocol such as PPP, to the network operator the user has subscribed to, and access the Internet through the home gateway; or the user may access the home gateway directly via DHCP and reach the Internet through it, which lets the user access the friend's gateway.
- the embodiment of the invention provides a communication method, device and system based on authentication mechanism conversion, so that the user can access both the gateway and the network operator the user has contracted with.
- An embodiment of the present invention provides a communication method based on authentication mechanism conversion, which includes: acquiring the authentication information of a user equipment; encapsulating it into an external network authentication protocol packet and sending it to the external network for authentication; after the external network authentication succeeds, applying for an external address for the user equipment, receiving the address allocation discovery message from the user equipment and allocating it an internal address; establishing a mapping table indicating the correspondence between the internal address and the external address; generating a forwarding table from the mapping table and the forwarding policy; and carrying out the communication between the user equipment and the external network according to the forwarding table.
- the embodiment of the present invention further provides a communication system based on authentication mechanism conversion, including a user equipment and an external network device, and further including:
- a gateway device at the edge of the network, configured to acquire the authentication information of the user equipment, encapsulate it into an external network authentication protocol packet and send it to the external network for authentication; after the external network authentication succeeds, to apply for an external address for the user equipment, receive the address allocation discovery message from the user equipment and allocate it an internal address; to establish a mapping table indicating the correspondence between the internal address and the external address; to generate a forwarding table from the mapping table and the forwarding policy; and to carry out the communication between the user equipment and the external network according to the forwarding table.
- the embodiment of the invention further provides a network edge gateway device, comprising:
- an authentication module, configured to acquire the authentication information of the user equipment, encapsulate it into an external network authentication protocol packet, and send the authentication request of the external network authentication protocol so that the external network performs the authentication;
- a forwarding table generating module, configured to: when the authentication success message of the external network is received, apply for an external address for the user equipment, receive the address allocation discovery message from the user equipment, allocate an internal address to the user equipment, establish a mapping table indicating the correspondence between the internal address and the external address, and generate a forwarding table from the mapping table and a forwarding policy;
- a communication module, configured to send the authentication request message, receive the authentication response message, and carry out the communication between the user equipment and the external network according to the forwarding table.
- the home gateway may construct the permission table for the user's access to the gateway from the user account and the external user access permission table, and establish a static mapping between the user's internal address and external address; at the same time, forwarding between the user and the gateway devices is set up dynamically through that permission table. In this way the user can access both the services of the network operator it has contracted with and the services provided by the gateway.
- FIG. 1 is a structural diagram of the functional model in an embodiment of the present invention.
- FIG. 3 is a structural diagram of the functional model in an embodiment of the present invention.
- FIG. 4 is a flowchart of the authentication implementation in an embodiment of the present invention.
- FIG. 5 is a structural diagram of the functional model in Embodiment 3 of the present invention.
- FIG. 6 is a flowchart of the authentication implementation in Embodiment 3 of the present invention.
- FIG. 7 is a structural diagram of the functional model in Embodiment 4 of the present invention.
- FIG. 9 is a structural diagram of a network edge gateway device according to an embodiment of the present invention.
- FIG. 10 is a schematic structural diagram of a system in an embodiment of the present invention.
Detailed description
- An embodiment of the present invention provides a method for converting an authentication mechanism, including:
- acquiring the authentication information of the user equipment; specifically, obtaining the user identifier and the MAC (Media Access Control) address from the authentication information of the user equipment and encapsulating them according to the external network protocol.
- the access mode in which the user equipment's authentication information arrives includes, but is not limited to, 802.1x and PPPoE; the external network authentication protocol packet includes, but is not limited to, PPPoE and DHCP Auth packets.
- the authentication information of the user equipment is converted into the external network authentication protocol; specifically, an authentication request is sent to the authentication server and the authentication response returned by the authentication server is received.
- the authentication success message of the external network is converted into an authentication success message for the user equipment, and the user equipment is notified that authentication succeeded.
- the method further includes allocating an external address and an internal address to the user equipment on the gateway where it is located; the internal address is allocated in response to the address allocation discovery packet received from the user equipment.
- an external user access permission table is preset on the gateway; it lists the range of user session identifiers (the MAC address or the internal IP address of the user equipment) that are allowed to access the gateway. The user identifier range and the external user access permission table together determine the access authority of the user equipment, and the permission of the user equipment to access the gateway is the forwarding policy for that user equipment. That permission is one of: allow the user equipment to access both the gateway and the external network; prohibit access to both; allow access to the gateway and prohibit access to the external network; or allow access to the external network and prohibit access to the gateway.
- a forwarding table is generated from the mapping table and the forwarding policy, and communication between the user equipment and the external devices is carried out according to the forwarding table.
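As an added example (not code from the patent), the permission table, the internal-to-external address mapping table and the resulting forwarding table described above, modelled in Python. The account names, MAC prefixes, address ranges, the `Session` and `Policy` types and the `PERMISSION_TABLE` contents are assumptions made for this illustration; the four `Policy` values are the four outcomes the description lists. A session that is unknown, that falls outside the permitted identifier range, or that never obtained an external address is denied rather than given a default rule.

```python
"""Permission table + address mapping -> forwarding table (added example, assumptions marked)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class Policy(Enum):
    """The four outcomes listed for 'permission of the user equipment to access the gateway'."""
    GATEWAY_AND_EXTERNAL = "allow gateway, allow external"
    GATEWAY_ONLY = "allow gateway, prohibit external"
    EXTERNAL_ONLY = "allow external, prohibit gateway"
    NONE = "prohibit gateway, prohibit external"


@dataclass(frozen=True)
class Session:
    account: str                        # user identifier taken from the authentication exchange
    mac: str                            # user session identifier: MAC address
    internal_ip: IPv4Address            # assigned by the gateway's internal DHCP server
    external_ip: Optional[IPv4Address]  # obtained from the operator after authentication success


GATEWAY_NET = ip_network("192.168.1.0/24")   # assumed internal network of the gateway

# Constructed external-user access permission table: per account, whether gateway and
# external access are allowed, and the session-identifier range the entry applies to.
PERMISSION_TABLE = {
    "friend@operator.example": {"gateway": True, "external": True,
                                "mac_prefix": "00:11:22", "ip_range": GATEWAY_NET},
    "guest@operator.example": {"gateway": False, "external": True,
                               "mac_prefix": None, "ip_range": GATEWAY_NET},
    "kiosk@operator.example": {"gateway": True, "external": False,
                               "mac_prefix": None, "ip_range": ip_network("192.168.1.128/25")},
}


def make_session(account: str, mac: str, internal: str, external: Optional[str]) -> Session:
    return Session(account, mac, ip_address(internal), ip_address(external) if external else None)


def decide_policy(s: Session) -> Policy:
    """Forwarding policy for one session; anything not explicitly permitted is denied."""
    entry = PERMISSION_TABLE.get(s.account)
    if entry is None:
        return Policy.NONE
    if entry["mac_prefix"] and not s.mac.lower().startswith(entry["mac_prefix"]):
        return Policy.NONE                          # MAC outside the permitted identifier range
    if s.internal_ip not in entry["ip_range"]:
        return Policy.NONE                          # internal address outside the permitted range
    gateway_ok = entry["gateway"]
    external_ok = entry["external"] and s.external_ip is not None   # needs a mapped address
    if gateway_ok and external_ok:
        return Policy.GATEWAY_AND_EXTERNAL
    if gateway_ok:
        return Policy.GATEWAY_ONLY
    if external_ok:
        return Policy.EXTERNAL_ONLY
    return Policy.NONE


ForwardingTable = Dict[IPv4Address, Tuple[Policy, Optional[IPv4Address]]]


def build_forwarding_table(sessions: List[Session]) -> ForwardingTable:
    """Mapping table (internal -> external) joined with the per-session policy."""
    table: ForwardingTable = {}
    for s in sessions:
        if s.internal_ip in table:
            raise ValueError(f"internal address {s.internal_ip} already mapped")
        table[s.internal_ip] = (decide_policy(s), s.external_ip)
    return table


def forward(table: ForwardingTable, src: str, dst: str) -> str:
    """Decision for one packet leaving a user device: deliver inside the gateway,
    translate the source to the mapped external address, or drop."""
    entry = table.get(ip_address(src))
    if entry is None:
        return "drop"                              # no session, no rule
    policy, external = entry
    if ip_address(dst) in GATEWAY_NET:
        return "deliver-internal" if policy in (Policy.GATEWAY_AND_EXTERNAL, Policy.GATEWAY_ONLY) else "drop"
    if policy in (Policy.GATEWAY_AND_EXTERNAL, Policy.EXTERNAL_ONLY):
        return f"nat:{external}"                   # static internal -> external mapping on egress
    return "drop"


def reverse_lookup(table: ForwardingTable, external: str) -> Optional[IPv4Address]:
    """Inbound direction: the internal address an external address is mapped to, if forwarding is allowed."""
    ext = ip_address(external)
    for internal, (policy, mapped) in table.items():
        if mapped == ext and policy in (Policy.GATEWAY_AND_EXTERNAL, Policy.EXTERNAL_ONLY):
            return internal
    return None
```

The permission check keys on the user session identifiers the description names (MAC address and internal IP) in addition to the account, so a device that authenticated as one account but speaks from another MAC gets no rule at all; `build_forwarding_table` also refuses to let two sessions claim the same internal address, which would otherwise let a later session inherit an earlier one's policy.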
- the EAP-SIM authentication method is mainly used for SIM card authentication in the WLANs of cellular mobile operators; it supports mutual authentication and dynamic keys between the user and the network.
- the first embodiment: the client uses a WLAN network card with a SIM card reader, that is, the 802.1x access method, to access the gateway; the friend's home gateway uses the DHCP Auth access method to access the Internet, and the friend's home gateway sets the external user access permission table to support WLAN access.
- the functional model of the implementation scheme is shown in FIG. 1.
- the user equipment (for example a portable device) connects to the gateway, the gateway connects to the IP edge device, and the IP edge device connects to the Internet; the IP edge device also connects to the external DHCP server and to the authentication server.
- the user equipment includes an 802.1X authentication client and a DHCP client.
- the home gateway includes: an internal DHCP server, configured to receive the access request of the DHCP client in the user equipment and allocate the user equipment an address internal to the gateway; and an 802.1x authentication entity (Authenticator), configured to receive the authentication request of the 802.1x authentication client and reach the IP edge device either through the DHCP authentication client or through the user MAC forwarding table in the home gateway.
- the authentication implementation process of the first embodiment is as shown in FIG. 2, and includes:
- S201: the user equipment, using its 802.1x authentication client, exchanges Association messages with the home gateway over the WLAN, requesting access to the home gateway.
- S202: the Authenticator of the home gateway sends an EAPoL/EAP-Request/Identity message to the user equipment to authenticate it.
- S203: the user equipment responds to the home gateway with EAPoL/EAP-Response/Identity; the message carries the account information of the user equipment.
- the home gateway holds no authentication data for the user equipment, so it starts the DHCP Auth/EAP and 802.1x/EAP-SIM authentication conversion mechanism: it extracts the EAP message and the user's MAC address from the 802.1x frame, reconstructs a DHCP Auth message, and sends a DHCP Discover/Auth-Prot/EAP message to the broadband access server to request authentication, recording the account of the user equipment.
- the broadband access server sends a DHCP EAP/EAP-Request/Identity message to the home gateway to obtain the account of the user equipment.
- the home gateway sends a DHCP EAP/EAP-Response/Identity message to the broadband access server; the message carries the account of the user equipment.
- the broadband access server sends a Radius Request/EAP Message/EAP-Response/Identity message to the authentication server, requesting authentication of the user equipment.
- according to the type of the user equipment, the authentication server responds to the broadband access server with a Radius Request/EAP Message/EAP-Request/SIM/Start message; the message carries the version list AT_VERSION_LIST, starts the authentication and performs parameter negotiation.
- on receiving the Radius Request/EAP Message/EAP-Request/SIM/Start message, the broadband access server sends a DHCP EAP/EAP-Request/SIM/Start message to the home gateway, starting authentication and parameter negotiation.
- the home gateway converts the DHCP-carried EAP message into the 802.1x EAP message EAPoL/EAP-Request/SIM/Start and sends it to the user equipment.
- the user equipment responds to the home gateway with the authentication response message EAPoL/EAP-Response/SIM/Start, which carries the start request.
- the home gateway encapsulates the 802.1x EAP response EAPoL/EAP-Response/SIM/Start into DHCP EAP/EAP-Response/SIM/Start according to the DHCP Auth protocol format and forwards it to the broadband access server.
- the broadband access server sends a Radius Request/EAP Message/EAP-Response/SIM/Start message to the authentication server, requesting access to the Internet.
- the authentication server sends a Radius Request/EAP Message/EAP-Request/SIM/Challenge message to the broadband access server; the message carries the confirmation parameters the user equipment must answer, for example the random challenge AT_RAND and the message authentication code AT_MAC.
- the broadband access server sends a DHCP EAP/EAP-Request/SIM/Challenge message to the home gateway, asking the user equipment to report the confirmation parameters.
- the home gateway converts the DHCP-carried EAP message into the 802.1x EAP message EAPoL/EAP-Request/SIM/Challenge and sends it to the user equipment.
- the user equipment responds to the home gateway with the authentication response message EAPoL/EAP-Response/SIM/Challenge, which carries the confirmation parameters.
- the home gateway encapsulates EAPoL/EAP-Response/SIM/Challenge into DHCP EAP/EAP-Response/SIM/Challenge according to the DHCP Auth protocol format and forwards it to the broadband access server.
- the broadband access server extracts the EAP message from the DHCP Auth message and sends it to the authentication server over Radius as Radius Request/EAP Message/EAP-Response/SIM/Challenge; the message carries the confirmation parameters of the user equipment.
- the authentication server authenticates the user according to the confirmation parameters of the user equipment and sends a Radius Request/EAP Message/EAP-Success/DHCP Request message to the broadband access server, notifying it that the user authentication succeeded.
- the broadband access server notifies the home gateway of the user equipment's authentication success with a DHCP Offer/EAP-Success/yiaddr message.
- after confirming that the user authenticated successfully, the home gateway sends the authentication success message EAPoL/EAP-Success to the user equipment and continues the DHCP Auth process to apply for an external address for the user equipment on the gateway.
- the user equipment initiates an address allocation discovery message (DHCP Request); the address allocation server of the home gateway responds directly with an address allocation confirmation (DHCP ACK) and runs the address allocation process, allocating the user an address internal to the gateway.
- the home gateway constructs the permission table for the user's access to the gateway from the user account and the external user access permission table, and establishes a static mapping between the user's internal address and external address; at the same time, forwarding between the user and the gateway devices is set up dynamically from that permission table. In this way the user can access both the services of the network operator it has contracted with and the services provided by the gateway.
- the second embodiment: the friend's home gateway uses PPPoE (Point-to-Point Protocol over Ethernet) to access the Internet, but does not set the external user access permission table.
- PPPoE: Point-to-Point Protocol over Ethernet
- the functional model of the implementation scheme is shown in FIG. 3; the rest is the same as the structure of FIG. 1, except that the home gateway uses a PPPoE authentication client instead of the DHCP authentication client.
- the authentication implementation process of the second embodiment is as shown in FIG. 4, and includes:
- S401: the user equipment uses its 802.1x authentication client to exchange Association messages with the home gateway over the WLAN, requesting access to the home gateway.
- S402: the 802.1X Authenticator of the home gateway sends an EAPoL/EAP-Request/Identity message to the user equipment to authenticate it.
- the user equipment sends an EAPoL/EAP-Response/Identity message to the home gateway; the message carries the account information of the user equipment.
- the home gateway holds no authentication data for the user equipment, so it starts the PPPoE/EAP and 802.1x/EAP-SIM authentication conversion mechanism: after the PPPoE discovery phase ends, it takes the EAP message and the user's MAC address from the 802.1x frame, constructs a PPPoE authentication message according to the PPPoE EAP authentication protocol, and sends a PPPoE/LCP/EAP message to the broadband access server to request authentication, recording the account of the user equipment.
- the broadband access server sends a PPPoE/EAP/EAP-Request/Identity message to the home gateway to obtain the account of the user equipment.
- the home gateway sends a PPPoE/EAP/EAP-Response/Identity message to the broadband access server; the message carries the account of the user equipment.
- the broadband access server sends a Radius Request/EAP Message/EAP-Response/Identity message to the authentication server, requesting authentication of the user equipment.
- according to the type of the user equipment, the authentication server responds to the broadband access server with a Radius Request/EAP Message/EAP-Request/SIM/Start message; the message carries the version list AT_VERSION_LIST, starts the authentication and performs parameter negotiation.
- after receiving the Radius Request/EAP Message/EAP-Request/SIM/Start message, the broadband access server sends a PPPoE/EAP/EAP-Request/SIM/Start message to the home gateway to start authentication and parameter negotiation.
- the home gateway converts the PPPoE-carried EAP message into the 802.1x EAP message EAPoL/EAP-Request/SIM/Start and sends it to the user equipment.
- the user equipment responds to the home gateway with the authentication response message EAPoL/EAP-Response/SIM/Start, which carries the start request.
- the home gateway encapsulates the 802.1x EAP response EAPoL/EAP-Response/SIM/Start into PPPoE/EAP/EAP-Response/SIM/Start according to the PPPoE protocol format and forwards it to the broadband access server.
- the broadband access server sends a Radius Request/EAP Message/EAP-Response/SIM/Start message to the authentication server, requesting access to the Internet.
- the authentication server sends a Radius Request/EAP Message/EAP-Request/SIM/Challenge message to the broadband access server; the message carries the confirmation parameters the user equipment must answer, for example the random challenge AT_RAND and the message authentication code AT_MAC.
- the broadband access server sends a PPPoE/EAP/EAP-Request/SIM/Challenge message to the home gateway, asking the user equipment to report the confirmation parameters.
- the home gateway converts the PPPoE-carried EAP message into the 802.1x EAP message EAPoL/EAP-Request/SIM/Challenge and sends it to the user equipment.
- the user equipment responds to the home gateway with the authentication response message EAPoL/EAP-Response/SIM/Challenge, which carries the confirmation parameters.
- the home gateway encapsulates EAPoL/EAP-Response/SIM/Challenge into PPPoE/EAP/EAP-Response/SIM/Challenge according to the PPPoE protocol format and forwards it to the broadband access server.
- the broadband access server takes the EAP message out of the PPPoE frame and passes it to the authentication server over Radius as Radius Request/EAP Message/EAP-Response/SIM/Challenge; the message carries the confirmation parameters of the user equipment.
- S420: the authentication server authenticates the user according to the confirmation parameters of the user equipment and sends a Radius Request/EAP Message/EAP-Success/DHCP Request message to the broadband access server, notifying it that the user authentication succeeded.
- S421: the broadband access server notifies the home gateway of the user equipment's authentication success with a PPPoE/EAP/EAP-Success/yiaddr message.
- after confirming that the user authenticated successfully, the home gateway sends the authentication success message EAPoL/EAP-Success to the user equipment and continues the PPPoE process to apply for an external address for the user equipment on the gateway.
- the user equipment initiates an address allocation discovery message (DHCP Request); the address allocation server of the home gateway responds directly with an address allocation confirmation (DHCP ACK) and runs the address allocation process, allocating the user an address internal to the gateway.
- the home gateway looks up the external user access permission table for the user account; since none has been set in this embodiment, the permission table for the user's access to the gateway grants no gateway access, and only the static mapping between the user's internal address and external address is established for forwarding. In this way the user can only access the services of the network operator it has contracted with and cannot access the services provided by the gateway.
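The relay step that embodiments 1 and 2 both depend on, where the home gateway lifts the EAP message out of one carrier protocol and places it unchanged into another, as an added example that is not part of the patent. It shows the 802.1X (EAPoL) to PPPoE direction of embodiment 2 using the public frame layouts (IEEE 802.1X for EAPoL, RFC 3748 for EAP, RFC 2516 for PPPoE with PPP protocol number 0xC227 for EAP). The DHCP Auth carrier of embodiment 1 is converted the same way, but its option layout was never standardized and is not assumed here. The MAC addresses, session id, sample EAP packets and the `ConversionState` class are constructed for this example.

```python
"""EAPoL <-> PPPoE re-encapsulation of EAP with length and identifier checks (added example)."""
import struct

ETHERTYPE_EAPOL = 0x888E
PPP_PROTO_EAP = 0xC227            # PPP protocol number for EAP (RFC 3748)
EAPOL_VERSION = 2
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2

GW_MAC = bytes.fromhex("001122334455")     # constructed: gateway WLAN interface
SUPP_MAC = bytes.fromhex("001122aabbcc")   # constructed: visiting user's WLAN card


class FrameError(ValueError):
    """Raised for any frame the gateway must refuse to relay."""


def validate_eap(pdu: bytes):
    """RFC 3748 header: Code(1) Identifier(1) Length(2) [Type(1) ...]; Length must equal the PDU size."""
    if len(pdu) < 4:
        raise FrameError("EAP header too short")
    code, ident, length = struct.unpack("!BBH", pdu[:4])
    if length != len(pdu):
        raise FrameError("EAP Length %d does not match %d bytes" % (length, len(pdu)))
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE) and length < 5:
        raise FrameError("Request/Response without a Type byte")
    return code, ident, length


def parse_eapol(frame: bytes):
    """Ethernet + EAPoL (IEEE 802.1X) -> (source MAC, EAP PDU)."""
    if len(frame) < 18:
        raise FrameError("frame too short for Ethernet + EAPoL header")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise FrameError("EtherType 0x%04x is not EAPoL" % ethertype)
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise FrameError("EAPoL type %d is not EAP-Packet" % ptype)
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise FrameError("EAPoL Length exceeds the frame")
    validate_eap(body)
    return src, body


def build_eapol(dst_mac: bytes, src_mac: bytes, eap_pdu: bytes) -> bytes:
    validate_eap(eap_pdu)
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_pdu))
    return dst_mac + src_mac + hdr + eap_pdu


def build_pppoe_eap(session_id: int, eap_pdu: bytes) -> bytes:
    """PPPoE session packet (RFC 2516: Ver/Type 0x11, Code 0, Session Id, Length) carrying PPP EAP."""
    validate_eap(eap_pdu)
    ppp = struct.pack("!H", PPP_PROTO_EAP) + eap_pdu
    return struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp


def parse_pppoe_eap(payload: bytes):
    """Inverse of build_pppoe_eap -> (session id, EAP PDU)."""
    if len(payload) < 8:
        raise FrameError("PPPoE packet too short")
    vt, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if vt != 0x11 or code != 0x00:
        raise FrameError("not a PPPoE session-stage packet")
    ppp = payload[6:6 + length]
    if len(ppp) != length or length < 2:
        raise FrameError("PPPoE Length does not fit the packet")
    (proto,) = struct.unpack("!H", ppp[:2])
    if proto != PPP_PROTO_EAP:
        raise FrameError("PPP protocol 0x%04x is not EAP" % proto)
    eap = ppp[2:]
    validate_eap(eap)
    return session_id, eap


class ConversionState:
    """Per-supplicant relay state. The gateway remembers the Identifier of the outstanding
    EAP Request so it only forwards the Response that answers it (RFC 3748 section 4.1);
    a blind re-wrapper would let the supplicant push arbitrary Responses towards the
    operator's RADIUS server."""

    def __init__(self):
        self.pending = {}   # supplicant MAC -> identifier of the outstanding Request

    def outbound_to_supplicant(self, pppoe_payload: bytes, gateway_mac: bytes, supplicant_mac: bytes) -> bytes:
        """Network -> user: PPPoE/EAP in, EAPoL/EAP out; the EAP PDU is copied unchanged."""
        _session_id, eap = parse_pppoe_eap(pppoe_payload)
        code, ident, _ = validate_eap(eap)
        if code == EAP_CODE_REQUEST:
            self.pending[supplicant_mac] = ident
        return build_eapol(supplicant_mac, gateway_mac, eap)

    def inbound_to_network(self, eapol_frame: bytes, session_id: int) -> bytes:
        """User -> network: EAPoL/EAP in, PPPoE/EAP out."""
        src, eap = parse_eapol(eapol_frame)
        code, ident, _ = validate_eap(eap)
        if code != EAP_CODE_RESPONSE:
            raise FrameError("supplicant may only send EAP Responses")
        if self.pending.get(src) != ident:
            raise FrameError("Response identifier %d does not answer the outstanding Request" % ident)
        del self.pending[src]
        return build_pppoe_eap(session_id, eap)
```

Every length field is checked against the enclosing buffer before anything is copied, and the EAP Identifier is tracked per supplicant MAC; the EAP-SIM payload itself (AT_RAND, AT_MAC and so on) is opaque to the gateway, which is what makes the conversion independent of the EAP method.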
- the third embodiment: the user uses the PPPoE dialing access mode, the friend's home gateway uses DHCP Auth to access the Internet, and the friend's home gateway sets the external user access permission table to allow the user to access part of the gateway.
- the functional model of the implementation scheme is shown in FIG. 5.
- the user equipment contains only a PPPoE client, and the 802.1x authentication entity in the home gateway is replaced by a PPPoE proxy; the other parts are the same as in FIG. 1.
- the authentication implementation process of the third embodiment is as shown in FIG. 6, and includes:
- steps s601 to s604: when the user equipment accesses the home gateway over Ethernet, it starts PPPoE dialing, and the PPPoE proxy of the home gateway negotiates with the user to establish the PPPoE session.
- step s605: the user equipment sends a PPPoE/PPP/LCP/Configure-Request configuration request message to the home gateway.
- step s606: the home gateway sends the user equipment a PPPoE/PPP/LCP/Configure-Ack configuration acknowledgement.
- step s607: the home gateway initiates authentication of the user equipment and starts the DHCP Auth/CHAP and PPPoE authentication conversion. Taking CHAP as the example, the home gateway constructs a DHCP message DHCP Discover/Auth-Prot/CHAP according to the user's MAC and sends it to the broadband access server to initiate address allocation.
- step s608: the broadband access server sends the address discovery packet DHCP Discover to the external DHCP server.
- step s609: the external DHCP server returns an address allocation offer (DHCP Offer) to the broadband access server; the message carries parameters such as the challenge.
- step s610: the broadband access server returns the DHCP Offer, carrying the challenge and the other parameters, to the home gateway.
- step s611: the home gateway extracts the challenge from the DHCP message, constructs the PPP CHAP authentication message PPPoE/PPP/CHAP/Challenge, and initiates authentication of the user equipment.
- step s612: the user equipment sends a PPPoE/PPP/CHAP/Response message to the home gateway; the message carries the user equipment's own account and its authentication parameter, the hash value computed from the challenge and the user password.
- step s613: the home gateway extracts the account and the authentication parameter of the user equipment from the PPP CHAP message, reconstructs a DHCP Request message together with the MAC address of the user equipment, sends it to the broadband access server to request authentication, and records the user account.
- step s614: the broadband access server sends Radius/Access-Request/CHAP/Response to the authentication server, requesting authentication of the user equipment.
- step s615: the authentication server authenticates the user and returns the result in Radius/Access-Accept/CHAP/Response.
- step s616: the broadband access server sends a DHCP Request message to the DHCP server, requesting an address.
- step s617: the DHCP server sends a DHCP Ack acknowledgement to the broadband access server; the message carries the assigned address.
- step s618: the broadband access server confirms that the user authentication passed and responds to the gateway with a DHCP Ack/CHAP/Success message, notifying it that the user authentication succeeded and completing the user's address allocation.
- step s619: the home gateway converts the DHCP Ack message into a PPPoE CHAP Success message and sends it to the user equipment.
- steps s619 to s624: after confirming that authentication succeeded, the user equipment starts the address allocation process, and the PPPoE proxy of the home gateway allocates the user an address internal to the gateway through the built-in DHCP server.
- the home gateway constructs the permission table for the user's access to the gateway from the user account and the external user access permission table, and establishes a static mapping between the user's internal address and external address; because the permission table allows the user to access only part of the gateway, the forwarding table between the user and that part of the gateway's resources, and between the user and the external network, is set up dynamically from the permission table and from the mapping between the user's internal and external addresses. In this way the user can access the services of the network operator it has contracted with and also the permitted part of the gateway's resources.
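The CHAP conversion of embodiment 3 as an added example that is not from the patent: the challenge the gateway receives from the network side is relayed to the user as a PPP CHAP Challenge, the user's account and response value (RFC 1994: MD5 over Identifier, secret and Challenge) are lifted out of the CHAP Response and passed back, and the authentication server verifies them. The `AuthServer`, `HomeGatewayProxy` and `Supplicant` classes, the account name, the secret and the MAC address are constructed for this example; the network-side DHCP Auth carrier is represented as plain (identifier, challenge) values rather than DHCP options, whose layout the page does not give.

```python
"""CHAP challenge/response relayed through a gateway that never holds the user's secret (added example)."""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4   # RFC 1994 codes


def chap_packet(code: int, ident: int, value: bytes, name: bytes = b"") -> bytes:
    """Challenge/Response layout: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = struct.pack("!B", len(value)) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_result(code: int, ident: int, message: bytes = b"") -> bytes:
    """Success/Failure layout: Code(1) Identifier(1) Length(2) Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


def parse_chap(pkt: bytes):
    if len(pkt) < 5:
        raise ValueError("CHAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP Length does not match packet")
    vsize = pkt[4]
    value, name = pkt[5:5 + vsize], pkt[5 + vsize:]
    if len(value) != vsize:
        raise ValueError("CHAP Value-Size exceeds packet")
    return code, ident, value, name


def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class AuthServer:
    """Operator-side authentication server. Each challenge is single-use, so a captured
    response cannot be replayed against a later session."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)     # constructed: account name -> secret
        self.outstanding = {}              # identifier -> challenge
        self.next_ident = 0

    def issue_challenge(self, challenge: bytes = None):
        self.next_ident = (self.next_ident + 1) & 0xFF
        if challenge is None:
            challenge = os.urandom(16)     # fresh, unpredictable challenge per attempt
        self.outstanding[self.next_ident] = challenge
        return self.next_ident, challenge

    def verify(self, ident: int, name: bytes, value: bytes) -> bool:
        challenge = self.outstanding.pop(ident, None)   # consumed whatever the outcome
        secret = self.accounts.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(value, chap_response_value(ident, secret, challenge))


class HomeGatewayProxy:
    """The friend's gateway: converts between the network-side carrier and PPP CHAP.
    It sees challenge, account and response value, but never the user's secret."""

    def __init__(self):
        self.accounts_by_mac = {}          # recorded user accounts (step s613)

    def challenge_to_user(self, ident: int, challenge: bytes) -> bytes:
        # step s611: the challenge from the DHCP Offer becomes a PPP CHAP Challenge
        return chap_packet(CHAP_CHALLENGE, ident, challenge, b"gateway")

    def response_to_network(self, user_mac: str, chap_response: bytes) -> dict:
        # step s613: account and response value are lifted out of the CHAP Response
        code, ident, value, name = parse_chap(chap_response)
        if code != CHAP_RESPONSE:
            raise ValueError("expected CHAP Response")
        self.accounts_by_mac[user_mac] = name
        # in the patent these fields ride in a DHCP Request; modelled here as a dict
        return {"mac": user_mac, "ident": ident, "name": name, "value": value}

    def result_to_user(self, ident: int, ok: bool) -> bytes:
        # step s619: DHCP Ack/CHAP/Success (or a failure) becomes a PPP CHAP Success/Failure
        return chap_result(CHAP_SUCCESS if ok else CHAP_FAILURE, ident)


class Supplicant:
    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def answer(self, chap_challenge: bytes) -> bytes:
        code, ident, challenge, _ = parse_chap(chap_challenge)
        if code != CHAP_CHALLENGE:
            raise ValueError("expected CHAP Challenge")
        return chap_packet(CHAP_RESPONSE, ident, chap_response_value(ident, self.secret, challenge), self.name)


def run_exchange(server, gateway, user, user_mac="00:11:22:aa:bb:cc", challenge=None) -> bool:
    """One full relay: server challenge -> gateway -> user -> gateway -> server verdict -> user."""
    ident, chal = server.issue_challenge(challenge)
    resp = user.answer(gateway.challenge_to_user(ident, chal))
    req = gateway.response_to_network(user_mac, resp)
    ok = server.verify(req["ident"], req["name"], req["value"])
    gateway.result_to_user(ident, ok)
    return ok
```

The relay keeps the password on the user device and the verifier on the operator's side, but CHAP's MD5 construction means anyone who sees both challenge and response, including the relaying gateway, can run an offline dictionary attack on the password; the EAP-SIM method of embodiments 1 and 2 gives the relay far less to work with.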
- the fourth embodiment: the user uses the PANA dial-up access method, the friend's home gateway uses DHCP Auth to access the Internet, and the friend's home gateway sets the external user access permission table to allow the user to access part of the gateway.
- the functional model of the implementation scheme is shown in FIG. 7.
- a PANA client replaces the PPPoE client in the user equipment, and a PANA proxy in the home gateway replaces the PPPoE proxy; the other parts are the same as in FIG. 5.
- the authentication implementation process of the fourth embodiment is as shown in FIG. 8, and includes:
- Steps s801 to s804: when the user equipment is connected to the home gateway directly over Ethernet, it first runs an ordinary DHCP address allocation exchange, and the home gateway's built-in DHCP server allocates it an internal address in the usual way.
- Step s805: having obtained the internal address, the user equipment sends a PANA Client Initiation message to start the PANA authentication negotiation.
- Step s806: the home gateway starts its PANA authentication proxy to negotiate with the user equipment and initiates the conversion between DHCP Auth/EAP and PANA. The home gateway constructs a DHCP Auth message keyed by the user's MAC address (DHCP Discover/Auth prot/EAP), requests authentication from the broadband access server and negotiates use of the EAP authentication method.
- Step s807: the broadband access server responds to the home gateway with a DHCP EAP/EAP-Request/Identity message, starting the EAP authentication process.
- Step s808: if the home gateway holds no account information for this user, it converts the DHCP EAP/EAP-Request/Identity into a PANA Auth request/EAP-Request message and so notifies the user equipment to start EAP authentication.
- Steps s809 to s812: the user equipment responds to the home gateway with a PANA Auth request/EAP-Response message carrying the user's account and other related authentication information.
- Step s813: the home gateway extracts the EAP message from the PANA message, constructs a DHCP EAP/EAP-Response/Identity from the user identifier (the user account) and the user session identifier (the user's MAC and IP addresses), sends it to the broadband access server, and records the user's account information.
- Step s814: the home gateway sends a PANA Auth response to the user equipment.
- Step s815: the broadband access server extracts the EAP message from the DHCP message and asks the authentication server, over the RADIUS protocol, to authenticate the user.
- Step s816: the authentication server authenticates the user on the basis of the authentication information in the EAP message and, once authenticated, responds to the broadband access server with a RADIUS Request/EAP-Message/EAP-Success message.
- Step s817: the broadband access server extracts the EAP message from the RADIUS response, confirms that the user has passed authentication, and notifies the home gateway with a DHCP Offer/EAP-Success/yiaddr message.
- Step s818: after confirming that authentication succeeded, the home gateway allocates a Session Id to the PANA session and converts the DHCP message into a PANA Bind request (EAP-Success, Session Id, IP Filter) message built from the EAP message, the Session Id and the user's internal address extracted from the DHCP Offer/EAP-Success/yiaddr message; this tells the user equipment that authentication passed and establishes the binding between the user's internal address and the Session Id. The home gateway also sends a DHCP Request to the broadband access server to continue the DHCP Auth process and apply for the user's external address on the gateway.
- Step s819: after confirming that authentication succeeded, the user equipment responds to the home gateway with a PANA Bind answer confirming that the binding has been established; the user's IP session is now established.
- Steps s820 to s822: after applying on the user's behalf for the user's external address, the home gateway constructs the user's gateway-access permission table from the user account and the external user access permission table, and establishes a static mapping between the user's internal address and external address. Forwarding between the user and the gateway device is then carried out dynamically according to that permission table and the mapping between the user's internal and external addresses. In this way the user can reach the services of the network operator the user has subscribed to, and can also reach resources on the gateway.
- The embodiment of the invention further provides a gateway device at the network edge, shown in FIG. 9, comprising:
- the authentication module 10, configured to obtain the authentication information of the user equipment, encapsulate it into an external network authentication protocol packet, and send an authentication request containing that packet to the communication module 30 so as to request authentication by the external network;
- the forwarding table generating module 20, configured, on receipt of the authentication success message, to apply for an external address on the gateway where the user equipment is located, to receive the address allocation discovery message from the user equipment and allocate an internal address on that gateway, to establish the mapping table of the user equipment from the internal address and the external address, to construct the forwarding policy of the user equipment from the account of the user equipment and the external user access authority table, and to generate a forwarding table from the mapping table and the forwarding policy;
- the communication module 30, configured to send the authentication request message produced by the authentication module 10, receive the authentication response message, and carry out communication between the user equipment and external devices according to the forwarding table generated by the forwarding table generating module 20.
- The forwarding table generating module 20 specifically comprises:
- the mapping table establishing sub-module 210, configured to establish the mapping table of the user equipment from the external address and the internal address on the gateway;
- the forwarding policy establishing sub-module 220, configured to construct the forwarding policy of the user equipment from the account of the user equipment and the external user access authority table.
- The mapping table establishing sub-module 210 comprises:
- the external address allocating unit 2110, configured to apply, on receipt of the authentication success message, for the external address on the gateway where the user equipment is located;
- the internal address allocating unit 2120, configured to receive the address allocation discovery message from the user equipment and allocate an internal address on the gateway where the user equipment is located;
- the mapping table establishing unit 2130, configured to establish the mapping table of the user equipment from the external address and the internal address determined by the external address allocating unit 2110 and the internal address allocating unit 2120.
- The forwarding policy establishing sub-module 220 comprises:
- the access permission table unit 2210, configured to set the external user access permission table of the gateway and the user identifiers it covers;
- the access authority determining unit 2220, configured to determine the gateway-access authority of the user equipment from the user identifier and the external user access permission table set by the access permission table unit 2210; that gateway-access authority is the forwarding policy of the user equipment.
- The authentication module 10 comprises:
- the authentication information extraction sub-module 110, configured to obtain the user identifier list from the authentication information of the user equipment;
- the external network protocol encapsulation sub-module 120, configured to encapsulate the user identifier list obtained by the authentication information extraction sub-module 110 according to the external network protocol;
- the authentication request sending sub-module 130, configured to send the authentication request containing the external network authentication protocol packet to the communication module 30.
- The embodiment of the present invention further provides a communication system based on authentication mechanism conversion, shown in FIG. 10, comprising the user equipment 1001, the external network device 1003, and the gateway device 1005 at the network edge.
- The gateway device 1005 is configured to obtain the authentication information of the user equipment and encapsulate it into an external network authentication protocol packet, which it sends to the external network for authentication;
- after the external network authentication succeeds, it applies for the external address on the gateway where the user equipment is located, receives the address allocation discovery packet from the user equipment, and allocates the user equipment an internal address on that gateway.
- The present invention can be implemented by means of software plus the necessary general-purpose hardware platform, or of course by hardware alone, but in many cases the former is the better implementation.
- The technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied as a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An authentication-conversion-based communication method, together with a gateway device and a system at the network edge. The method comprises: acquiring the authentication information of a client device; encapsulating the authentication information as an external network authentication protocol message and sending it to the external network so that the external network authenticates the client; after the external network authentication succeeds, applying for an external address and allocating an internal address for the client device; building a mapping table that records the correspondence between the internal address and the external address; creating a relaying (forwarding) table from the mapping table and a relaying strategy; and then having the client device communicate with the external network according to the relaying table. The present invention lets a client access the gateway and the network operator the client has subscribed to at the same time.
Description
Communication method, system and device based on authentication mechanism conversion
Technical Field
The present invention relates to the field of communications technology, and in particular to a communication method, system and device based on authentication mechanism conversion.
Background Art
Traditional telecom operators build separate networks to carry different services and provide different services to different users; for example, the PSTN (Public Switched Telephone Network) carries telephone service and the DDN (Digital Data Network) carries enterprise leased lines. As competition in telecommunications intensifies, operators merge their different networks into a single network that carries multiple services, so as to lower operating costs and improve profitability. More and more services appear over IP (Internet Protocol) with steadily improving performance, for example Voice over IP, Video over IP and TV over IP, so operators choose the IP bearer network as the bearer technology of the converged network, and here operators are particularly concerned with user authentication and accounting. However, PPP (Point-to-Point Protocol) dial-up is only suitable for dial-up Internet access and DSL (Digital Subscriber Loop) access and does not support other access methods well.
Service operators are therefore evolving from PPP (dial-up) access to an access mode in which all of a subscriber's IP services are carried over a unified transport. This access mode is the Subscriber Session, which comprises two basic kinds of session: the IP session and the PPP session.
In a broadband environment an IP session can be established statically or dynamically through DHCP (Dynamic Host Configuration Protocol), for example an IP session call authenticated through PANA (the IETF Protocol for carrying Authentication for Network Access) or through DHCP Auth. With the spread of broadband access (such as DSL) and digital devices (such as PCs), the devices behind a gateway (a home gateway, an enterprise gateway, and so on) are interconnected over a LAN (Local Area Network) or WLAN (Wireless Local Area Network) to form an independent network that connects directly to the broadband metropolitan area network through the gateway. Over this broadband network a user can obtain an experience comparable to cable television, or log in remotely over the Internet to a company network to reach e-mail or servers, and so work from home.
In the prior art, a user either uses the Layer 2 bridging function of the home gateway together with a protocol such as point-to-point dial-up to reach the network operator the user has subscribed to, reaching the Internet through the home gateway; or uses DHCP directly to attach to the home gateway, access the gateway and reach the Internet through it, which is how a user attaches to a friend's gateway.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem:
Point-to-point dial-up and DHCP cannot be used at the same time, so a user cannot simultaneously access the gateway and the user's own subscribed network operator, and switching between the two requires manual intervention.
Summary of the Invention
Embodiments of the present invention provide a communication method, device and system based on authentication mechanism conversion, so that a user can access the gateway and the user's own subscribed network operator at the same time.
An embodiment of the present invention provides a communication method based on authentication mechanism conversion, comprising: obtaining authentication information of a user equipment;
encapsulating the authentication information into an external network authentication protocol packet and sending it to the external network for authentication by the external network;
after the external network's authentication succeeds, applying for an external address for the user equipment and allocating it an internal address;
establishing a mapping table that represents the correspondence between the internal address and the external address; generating a forwarding table from the mapping table and a forwarding policy;
and carrying out the communication between the user equipment and the external network according to the forwarding table.
An embodiment of the present invention further provides a communication system based on authentication mechanism conversion, comprising a user equipment and an external network device, and further comprising:
a gateway device at the network edge, configured to obtain the authentication information of the user equipment, encapsulate it into an external network authentication protocol packet and send it to the external network for authentication by the external network; after the external network authentication succeeds, to apply for an external address for the user equipment, receive an address allocation discovery packet from the user equipment and allocate the user equipment an internal address; to establish a mapping table representing the correspondence between the internal address and the external address, generate a forwarding table from the mapping table and a forwarding policy, and carry out communication between the user equipment and the external network according to the forwarding table.
An embodiment of the present invention further provides a gateway device at the network edge, comprising: an authentication module, configured to obtain authentication information of the user equipment, encapsulate it into an external network authentication protocol packet, and send an authentication request containing that packet so as to request authentication by the external network;
a forwarding table generating module, configured, on receiving the external network's authentication success message, to apply for an external address for the user equipment, receive an address allocation discovery packet from the user equipment, allocate the user equipment an internal address, establish a mapping table representing the correspondence between the internal address and the external address, and generate a forwarding table from the mapping table and a forwarding policy;
a communication module, configured to send the authentication request message, receive the authentication response message, and carry out communication between the user equipment and the external network according to the forwarding table.
Compared with the prior art, in embodiments of the present invention the home gateway, after allocating an address to the user, can construct the user's gateway-access permission table from the user account and the external user access permission table and establish a static mapping between the user's internal and external addresses, while forwarding between the user and the gateway device is carried out dynamically through the permission table. The user can thus reach the services of the user's own subscribed network operator and, at the same time, the services provided by the gateway.
Brief Description of the Drawings
FIG. 1 is a structural diagram of the functional model implemented in embodiment one of the present invention;
FIG. 2 is a flowchart of the authentication procedure in embodiment one of the present invention;
FIG. 3 is a structural diagram of the functional model implemented in embodiment two of the present invention;
FIG. 4 is a flowchart of the authentication procedure in embodiment two of the present invention;
FIG. 5 is a structural diagram of the functional model implemented in embodiment three of the present invention; FIG. 6 is a flowchart of the authentication procedure in embodiment three of the present invention;
FIG. 7 is a structural diagram of the functional model implemented in embodiment four of the present invention;
FIG. 8 is a flowchart of the authentication procedure in embodiment four of the present invention;
FIG. 9 is a structural diagram of a gateway device at the network edge according to an embodiment of the present invention; FIG. 10 is a schematic structural diagram of the system in an embodiment of the present invention.
Detailed Description
An embodiment of the present invention provides an authentication mechanism conversion method, comprising:
1. Converting the authentication information from the user equipment into an external network authentication protocol packet. Specifically: obtain the user identifier and the MAC (Media Access Control) address from the authentication information of the user equipment, and encapsulate the user identifier and MAC address according to the external network protocol. The access methods by which the user equipment's authentication information arrives include, but are not limited to, 802.1X access and PPPoE access; the external network authentication protocol packets include, but are not limited to, PPPoE and DHCP Auth packets.
2. Authenticating the user equipment with the external network using the external network authentication protocol packet. With the packet into which the user equipment's authentication information has been converted, this specifically comprises: sending an authentication request to the authentication server and receiving the authentication response message returned by the authentication server.
3. Converting the external network's authentication success message into an authentication success message for the user equipment, and notifying the user equipment that authentication succeeded. After confirming that the user equipment is authenticated, the method further comprises: allocating the user equipment an external address and an internal address on the gateway where it is located, where the internal address is allocated on that gateway after an address allocation discovery packet has been received from the user equipment; and establishing, from the internal address and the external address, a mapping table on that gateway that represents their correspondence.
4. Presetting the gateway's external user access permission table, which contains the range of user session identifiers (such as the MAC addresses or internal IP addresses of user equipment) permitted to access the gateway. The user equipment's gateway-access permission is determined from the user session identifier range and the external user access permission table, and that permission is the forwarding policy of the user equipment. Determining the gateway-access permission specifically yields one of: allowing the user equipment to access both the gateway and the external network; forbidding the user equipment to access either the gateway or the external network; allowing the user equipment to access the gateway but not the external network; or allowing the user equipment to access the external network but not the gateway. A forwarding table is generated from the mapping table and the forwarding policy, and communication between the user equipment and external devices is carried out according to that forwarding table.
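Step 4 above, together with steps s820 to s822 of embodiment four and the forwarding table generating module of the gateway device, describes how the gateway turns the external user access permission table and the internal-to-external address mapping into a forwarding table. The following Python model is an added example and not code from the patent. The rule syntax (a MAC prefix or an internal subnet as the session identifier range), the assumed default that an authenticated device absent from the table keeps its operator access but gets nothing on the gateway, the internal network 192.168.1.0/24 and all sample sessions are constructed for illustration.

```python
"""Forwarding policy and forwarding table as described in step 4 of the method
(and in the forwarding table generating module of the gateway device).
Added example, not code from the patent: the table layout, the rule syntax,
the default for unlisted devices and the sample sessions are all assumptions."""
from dataclasses import dataclass
from enum import Flag
from ipaddress import ip_address, ip_network


class Access(Flag):
    """The four outcomes step 4 enumerates for a user equipment."""
    NONE = 0              # forbidden both the gateway and the external network
    GATEWAY = 1           # may reach resources on the gateway / home LAN
    EXTERNAL = 2          # may reach the operator network via its external address
    BOTH = 3


# Gateway-side internal network (assumed); destinations inside it are "gateway" traffic.
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class PermissionRule:
    """One row of the external user access permission table: a user session
    identifier range (MAC prefix such as 'aa:bb:cc:*' or an internal IP subnet)
    and the access it grants."""
    session_range: str
    access: Access

    def matches(self, mac: str, internal_ip: str) -> bool:
        if "/" in self.session_range:
            return ip_address(internal_ip) in ip_network(self.session_range)
        return mac.lower().startswith(self.session_range.rstrip("*").lower())


@dataclass
class Session:
    """An authenticated user equipment after steps 1-3: account, session
    identifiers and the external address applied for on its behalf."""
    account: str
    mac: str
    internal_ip: str
    external_ip: str


def determine_access(session: Session, rules: list, default: Access = Access.EXTERNAL) -> Access:
    """First matching rule wins. An authenticated device that appears in no rule
    keeps its own operator service but gets nothing on the gateway (assumed default)."""
    for rule in rules:
        if rule.matches(session.mac, session.internal_ip):
            return rule.access
    return default


def build_forwarding_table(sessions: list, rules: list) -> dict:
    """Mapping table (internal <-> external address) joined with the forwarding policy."""
    table = {}
    for s in sessions:
        table[s.internal_ip] = {"external": s.external_ip, "access": determine_access(s, rules)}
    return table


def forward(table: dict, src_ip: str, dst_ip: str) -> tuple:
    """Decision for one packet from a LAN-side source: ('lan', src), ('external',
    rewritten src) or ('drop', reason). Sources with no session are never forwarded."""
    entry = table.get(src_ip)
    if entry is None:
        return ("drop", "no authenticated session")
    if ip_address(dst_ip) in LAN:
        if Access.GATEWAY in entry["access"]:
            return ("lan", src_ip)
        return ("drop", "gateway access not permitted")
    if Access.EXTERNAL in entry["access"]:
        return ("external", entry["external"])   # static mapping to the external address
    return ("drop", "external access not permitted")


def inbound(table: dict, dst_external: str):
    """Reverse lookup for traffic arriving from the operator side."""
    for internal_ip, entry in table.items():
        if entry["external"] == dst_external and Access.EXTERNAL in entry["access"]:
            return internal_ip
    return None


# Constructed sample: the owner's PC, a visiting friend on WLAN, a guest-subnet
# device that may only use the gateway, and a blocked device.
RULES = [
    PermissionRule("aa:bb:cc:*", Access.BOTH),
    PermissionRule("de:ad:be:*", Access.NONE),
    PermissionRule("192.168.1.128/25", Access.GATEWAY),   # guest subnet: gateway only
]
SESSIONS = [
    Session("owner@home.example", "aa:bb:cc:00:00:01", "192.168.1.20", "10.0.0.102"),
    Session("alice@operator.example", "00:11:22:33:44:55", "192.168.1.10", "10.0.0.101"),
    Session("guest@operator.example", "00:11:22:33:44:66", "192.168.1.200", "10.0.0.103"),
    Session("bad@operator.example", "de:ad:be:ef:00:01", "192.168.1.30", "10.0.0.104"),
]
TABLE = build_forwarding_table(SESSIONS, RULES)
```

The point to check on a real gateway is the ordering and the default of the permission table: a device authenticated through the conversion is vouched for by the operator, not by the gateway owner, so the address mapping alone must not imply access to the gateway; only an explicit row grants it, and a source with no session entry is dropped rather than forwarded.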
In embodiment one of the present invention, the user attaches to the gateway with EAP-SIM access. (EAP-SIM authentication is mainly used for SIM card authentication on the WLANs of cellular mobile operators; it supports mutual authentication between user and network and dynamic key delivery. In this mode the client uses a WLAN card fitted with a SIM card reader, that is, 802.1X dial-up access.) The friend's home gateway attaches to the Internet with DHCP Auth access, and its external user access permission table has been set to support WLAN access. The functional model of this scheme is shown in FIG. 1: the user equipment (for example a portable device) connects to the home gateway over the WLAN, through the home gateway to the gateway and the IP edge device, and through the IP edge device to the Internet; the IP edge device is connected to both the external DHCP server and the authentication server.
The user equipment contains an 802.1X client (supplicant) and a DHCP client. The home gateway contains: an internal DHCP server, which receives access requests from the DHCP client in the user equipment and admits it to the gateway through the gateway's user MAC internal forwarding table; and an 802.1X authenticator, which receives authentication requests from the 802.1X client and reaches the IP edge device either through the DHCP authentication client or through the user MAC forwarding table in the home gateway.
The authentication procedure of embodiment one is shown in FIG. 2 and comprises:
s201: The user equipment, using its 802.1X client, exchanges Association messages with the home gateway over the WLAN, requesting access to the home gateway.
s202: The 802.1X authenticator of the home gateway sends an EAPoL/EAP-Request/Identity message to the user equipment to authenticate it.
s203: The user equipment replies to the home gateway with an EAPoL/EAP-Response/Identity message carrying the user equipment's account information.
s204: Because the home gateway has no authentication data for the user equipment, it starts the DHCP Auth/EAP and 802.1X/EAP-SIM conversion mechanism: it takes the EAP message and the user's MAC address out of 802.1X, reconstructs a DHCP Auth message, sends a DHCP Discover/Auth-port/EAP message to the broadband access server requesting authentication, and records the user equipment's account.
s205: The broadband access server sends a DHCP EAP/EAP-Request/Identity message to the home gateway, asking for the user equipment's account.
s206: The home gateway sends the broadband access server a DHCP EAP/EAP-Response/Identity message carrying the user equipment's account.
s207: The broadband access server sends a RADIUS Request/EAP-Message/EAP-Response/Identity message to the authentication server, requesting authentication of the user equipment.
s208: According to the type of user equipment, the authentication server replies to the broadband access server with a RADIUS Request/EAP-Message/EAP-Request/SIM/Start message carrying the version list AT_VERSION_LIST, starting authentication and parameter negotiation.
s209: On receiving the RADIUS Request/EAP-Message/EAP-Request/SIM/Start message, the broadband access server sends a DHCP EAP/EAP-Request/SIM/Start message to the home gateway, starting authentication and parameter negotiation.
s210: The home gateway converts the DHCP-carried EAP message into the 802.1X EAP message EAPoL/EAP-Request/SIM/Start and sends it to the user equipment.
s211: The user equipment replies to the home gateway with the authentication response message EAPoL/EAP-Response/SIM/Start, which carries the start request.
s212: The home gateway encapsulates the 802.1X EAP response EAPoL/EAP-Response/SIM/Start as DHCP EAP/EAP-Response/SIM/Start in the DHCP Auth protocol format and forwards it to the broadband access server.
s213: The broadband access server sends a RADIUS Request/EAP-Message/EAP-Response/SIM/Start message to the authentication server, requesting Internet access.
s214: The authentication server sends the broadband access server a RADIUS Request/EAP-Message/EAP-Success/DHCP Request message carrying the user confirmation parameters to be queried, for example the AT_RAND (random challenge) and AT_MAC (message authentication code) attributes.
s215: The broadband access server sends a DHCP EAP/EAP-Request/SIM/Challenge message to the home gateway, requiring the user equipment to report the confirmation parameters.
s216: The home gateway converts the DHCP-carried EAP message into the 802.1X EAP message EAPoL/EAP-Request/SIM/Challenge and sends it to the user equipment.
s217: The user equipment replies to the home gateway with the authentication response message EAPoL/EAP-Response/SIM/Challenge, which carries the confirmation parameters.
s218: The home gateway encapsulates the 802.1X EAP response EAPoL/EAP-Response/SIM/Challenge as DHCP EAP/EAP-Response/SIM/Challenge in the DHCP Auth protocol format and forwards it to the broadband access server.
s219: The broadband access server takes the EAP message out of the DHCP Auth format and replies to the authentication server over the RADIUS protocol with RADIUS Request/EAP-Message/EAP-Response/SIM/Challenge, carrying the user equipment's confirmation parameters.
s220: The authentication server verifies from the confirmation parameters that the user is legitimate and sends the broadband access server a RADIUS Request/EAP-Message/EAP-Success/DHCP Request message, notifying it that authentication succeeded.
s221: The broadband access server notifies the home gateway that the user equipment has been authenticated with a DHCP Offer/EAP-Success/yiaddr message.
s222: After confirming that the user authentication succeeded, the home gateway sends the authentication success message EAPoL/EAP-Success to the user equipment and continues the DHCP Auth process to apply for the user equipment's external address on the gateway.
s223 to s227: After confirming that authentication succeeded, the user initiates an address allocation discovery message (DHCP Request); the home gateway's address allocation server replies directly with an address allocation acknowledgement (DHCP ACK) and starts the address allocation process, allocating the user an internal address on the gateway. After allocating the address, the home gateway constructs the user's gateway-access permission table from the user account and the external user access permission table and establishes a static mapping between the user's internal and external addresses; forwarding between the user and the gateway device is then carried out dynamically according to the gateway-access permission table. The user can thus reach the services of the user's own subscribed network operator while also reaching the services provided by the gateway.
In the second embodiment of the present invention, the user uses EAP SIM access (802.1x dial-up access), while the friend's home gateway uses PPPoE (Point-to-Point Protocol over Ethernet) to access the Internet but has no external user access permission table configured to support WLAN access. The functional model of this implementation is shown in Figure 3; apart from the home gateway replacing the DHCP authentication client with a PPPoE authentication client, the structure is the same as in Figure 1.
The authentication process of the second embodiment is shown in Figure 4 and includes the following steps:
S401: The user equipment uses its 802.1x authentication client to exchange Association messages with the home gateway over the WLAN, requesting access to the home gateway.
S402: The 802.1X authenticator of the home gateway sends an EAPoL/EAP-Request/Identity message to the user equipment to authenticate it.
S403: The user equipment responds to the home gateway with an EAPoL/EAP-Response/Identity message carrying the account information of the user equipment.
S404: Because the home gateway has no authentication data for the user equipment, it starts the PPPoE/EAP and 802.1x/EAP SIM authentication conversion mechanism. After the PPPoE discovery stage completes, it extracts the EAP message and the user's MAC address from 802.1x, constructs a PPPoE authentication message according to the PPPoE EAP authentication protocol, and sends a PPPoE/LCP/EAP message to the broadband access server to request authentication, recording the account of the user equipment.
S405: The broadband access server sends a PPPoE/EAP/EAP-Request/Identity message to the home gateway, requesting the account of the user equipment.
S406: The home gateway sends a PPPoE/EAP/EAP-Response/Identity message carrying the account of the user equipment to the broadband access server.
S407: The broadband access server sends a Radius Request/EAP Message/EAP-Response/Identity message to the authentication server, requesting authentication of the user equipment.
S408: According to the type of the user equipment, the authentication server responds to the broadband access server with a Radius Request/EAP Message/EAP-Request/SIM/Start message carrying the version list AT_VERSION_LIST, starting authentication and parameter negotiation.
S409: On receiving the Radius Request/EAP Message/EAP-Request/SIM/Start message, the broadband access server sends a PPPoE/EAP/EAP-Request/SIM/Start message to the home gateway, starting authentication and parameter negotiation.
S410: The home gateway converts the PPPoE-authentication EAP message into the 802.1X EAP message EAPoL/EAP-Request/SIM/Start and sends it to the user equipment.
S411: The user equipment responds to the home gateway with the authentication response message EAPoL/EAP-Response/SIM/Start, which carries the start request.
S412: The home gateway encapsulates the 802.1X EAP response message EAPoL/EAP-Response/SIM/Start as PPPoE/EAP/EAP-Response/SIM/Start according to the PPPoE protocol format and forwards it to the broadband access server.
S413: The broadband access server sends a Radius Request/EAP Message/EAP-Response/SIM/Start message to the authentication server, requesting access to the Internet.
S414: The authentication server sends a Radius Request/EAP Message/EAP-Success/DHCP Request message to the broadband access server; the message carries the user confirmation parameters to be queried, for example AT_RAND and AT_MAC.
S415: The broadband access server sends a PPPoE/EAP/EAP-Request/SIM/Challenge message to the home gateway, instructing the user equipment to report the confirmation parameters.
S416: The home gateway converts the PPPoE-authentication EAP message into the 802.1X EAP message EAPoL/EAP-Request/SIM/Challenge and sends it to the user equipment.
S417: The user equipment responds to the home gateway with the authentication response message EAPoL/EAP-Response/SIM/Challenge, which carries the confirmation parameters.
S418: The home gateway encapsulates the 802.1X EAP response message EAPoL/EAP-Response/SIM/Challenge as PPPoE/EAP/EAP-Response/SIM/Challenge according to the PPPoE protocol format and forwards it to the broadband access server.
S419: The broadband access server extracts the EAP message from the PPPoE format and responds to the authentication server over the Radius protocol with Radius Request/EAP Message/EAP-Response/SIM/Challenge; the message carries the confirmation parameters of the user equipment.
S420: The authentication server verifies from the confirmation parameters of the user equipment that the user is legitimate, and sends a Radius Request/EAP Message/EAP-Success/DHCP Request message to the broadband access server, notifying it that user authentication succeeded.
S421: The broadband access server notifies the home gateway that the user equipment was authenticated successfully by means of a PPPoE/EAP/EAP-Success/yiaddr message.
S422: After confirming that user authentication succeeded, the home gateway sends the authentication success message EAPoL/EAP-Success to the user equipment and continues the PPPoE process to request an external address on the gateway for the user equipment.
S423 to S426: After confirming that authentication succeeded, the user initiates an address allocation discovery message (DHCP Request); the address allocation server of the home gateway directly responds with an address allocation acknowledgement (DHCPACK) and starts the address allocation process to assign the user an internal address on the gateway. After assigning the address to the user equipment, the home gateway constructs the user's gateway access permission table from the user account and the external user access permission table, and establishes a static mapping between the user's internal address and external address. Because the external user access permission table does not allow the user to access the gateway, only the mapping between the user's internal address and external address is established. In this way the user can only access the services provided by the network operator with which the user has a subscription, and cannot access the services provided by the gateway.
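The conversion the home gateway performs in steps S410 to S418 is a re-encapsulation: the EAP packet is taken out of its 802.1X (EAPoL) framing and placed inside a PPPoE session frame with the PPP protocol number for EAP, and back again in the other direction, with the EAP bytes themselves (code, identifier, type, attributes) left untouched. The following Python is an added illustration written for this page, not code from the patent; the header layouts follow IEEE 802.1X, RFC 2516 and RFC 3748, the EAPoL version byte and the PPPoE session id are assumed values, and the sample EAP-Response/SIM/Start packet is constructed. The point a practitioner cares about is in the checks: a relaying gateway should only forward an EAP packet whose EAPoL, PPPoE and EAP length fields are mutually consistent, so that a malformed frame on one side is dropped rather than passed on with a corrupted header.

```python
"""Added example: EAPoL <-> PPPoE re-encapsulation of an EAP packet (not the
patent's implementation).  Constants follow IEEE 802.1X, RFC 2516, RFC 3748
and RFC 4186; the EAPoL version value is assumed for this example."""
import struct

EAPOL_VERSION = 1           # assumed 802.1X protocol version byte
EAPOL_TYPE_EAP_PACKET = 0   # EAPoL packet type 0 = EAP-Packet
PPPOE_VER_TYPE = 0x11       # PPPoE version 1, type 1
PPPOE_CODE_SESSION = 0x00   # PPPoE session-stage code
PPP_PROTO_EAP = 0xC227      # PPP protocol number for EAP
EAP_TYPE_SIM = 18           # EAP-SIM method type

class FrameError(ValueError):
    """Raised for any frame the gateway must refuse to relay."""

def parse_eap(eap: bytes):
    """Validate the EAP header; return (code, identifier, type, body)."""
    if len(eap) < 4:
        raise FrameError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise FrameError("EAP length field inconsistent with payload")
    eap = eap[:length]                       # drop trailing padding, if any
    if code in (1, 2):                       # Request / Response carry a Type byte
        if length < 5:
            raise FrameError("EAP Request/Response without Type")
        return code, ident, eap[4], eap[5:]
    return code, ident, None, eap[4:]        # Success / Failure have no Type

def eapol_to_eap(frame: bytes) -> bytes:
    """Strip the 4-byte EAPoL header; only EAP-Packet frames carry EAP."""
    if len(frame) < 4:
        raise FrameError("EAPoL header truncated")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise FrameError(f"EAPoL type {ptype} carries no EAP packet")
    if length > len(frame) - 4:
        raise FrameError("EAPoL body length exceeds frame")
    eap = frame[4:4 + length]
    parse_eap(eap)                           # inner header must be consistent before relaying
    return eap

def eap_to_eapol(eap: bytes) -> bytes:
    """Wrap an EAP packet for the 802.1X side."""
    parse_eap(eap)
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap

def eap_to_pppoe(eap: bytes, session_id: int) -> bytes:
    """Wrap an EAP packet as a PPPoE session frame: PPPoE header, PPP protocol 0xC227, EAP."""
    parse_eap(eap)
    ppp = struct.pack("!H", PPP_PROTO_EAP) + eap
    return struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION, session_id, len(ppp)) + ppp

def pppoe_to_eap(frame: bytes) -> bytes:
    """Reverse direction: PPPoE session frame -> bare EAP packet."""
    if len(frame) < 8:
        raise FrameError("PPPoE header truncated")
    vt, code, _session, length = struct.unpack("!BBHH", frame[:6])
    if vt != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        raise FrameError("not a PPPoE session frame")
    if length < 2 or length > len(frame) - 6:
        raise FrameError("PPPoE length field inconsistent with frame")
    ppp = frame[6:6 + length]
    (proto,) = struct.unpack("!H", ppp[:2])
    if proto != PPP_PROTO_EAP:
        raise FrameError(f"PPP protocol 0x{proto:04x} is not EAP")
    eap = ppp[2:]
    parse_eap(eap)
    return eap

def relay_eapol_to_pppoe(frame: bytes, session_id: int) -> bytes:
    """What the gateway does in S412/S418: EAPoL in, PPPoE out, EAP bytes unchanged."""
    return eap_to_pppoe(eapol_to_eap(frame), session_id)

def relay_pppoe_to_eapol(frame: bytes) -> bytes:
    """What the gateway does in S410/S416: PPPoE in, EAPoL out."""
    return eap_to_eapol(pppoe_to_eap(frame))

def rejects(fn, *args) -> bool:
    """True if fn raises FrameError (helper for checking the validation paths)."""
    try:
        fn(*args)
    except FrameError:
        return True
    return False

# Constructed sample: EAP-Response (code 2), identifier 7, length 8,
# type 18 (SIM), subtype 10 (Start), two reserved bytes, no attributes.
SAMPLE_EAP = b"\x02\x07\x00\x08\x12\x0a\x00\x00"
SAMPLE_EAPOL = b"\x01\x00\x00\x08" + SAMPLE_EAP
```

Because the relay copies the EAP packet verbatim, the EAP identifier the authentication server chose survives the protocol change, which is what lets the server match an EAP-Response/SIM/Challenge to the Challenge it issued even though the two sides of the gateway speak different link-layer protocols.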
In the third embodiment of the present invention, the user uses PPPoE dial-up access, while the friend's home gateway uses DHCP Auth to access the Internet and has an external user access permission table configured that allows the user to access part of the gateway's resources and supports PPPoE access. The functional model of this implementation is shown in Figure 5: the user equipment contains only a PPPoE client, the 802.1X authenticator in the home gateway is replaced by a PPPoE proxy, and the other parts are the same as in Figure 1.
The authentication process of the third embodiment is shown in Figure 6 and includes the following steps:
Steps S601 to S604: When the user equipment accesses the home gateway over Ethernet, the user equipment starts PPPoE dial-up, and the PPPoE proxy of the home gateway carries out the PPPoE negotiation with the user.
Step S605: The user equipment sends a PPPoE/PPP/LCP/Configure-Request configuration request message to the home gateway.
Step S606: The home gateway sends a PPPoE/PPP/LCP/Configure-Ack configuration response message to the user equipment.
Step S607: The home gateway starts authentication of the user equipment and starts the DHCP Auth/CHAP and PPPoE authentication conversion. Taking CHAP as an example, the home gateway constructs the DHCP message DHCP Discover/Auth-Prot/CHAP from the user's MAC address and sends it to the broadband access server to initiate address allocation.
Step S608: The broadband access server sends the address discovery message DHCP Discover to the external DHCP server.
Step S609: The external DHCP server returns an address allocation confirmation message (DHCP Offer) to the broadband access server; the message carries parameters such as the challenge.
Step S610: The broadband access server relays the address allocation confirmation message (DHCP Offer), carrying parameters such as the challenge, to the home gateway.
Step S611: The home gateway extracts the challenge and related parameters from the DHCP message, constructs the PPP CHAP authentication message PPPoE/PPP/CHAP/Challenge, and initiates authentication of the user equipment.
Step S612: The user equipment responds to the home gateway with a PPPoE/PPP/CHAP/Response message carrying the user equipment's own account and authentication parameters, such as the ciphertext computed from the challenge and the user's password.
Step S613: The home gateway extracts the account and authentication parameters of the user equipment from the PPP CHAP message and, together with the MAC address of the user equipment, reconstructs a DHCP Request message to request authentication from the broadband access server, recording the user's account.
Step S614: The broadband access server sends Radius/Access-Request/CHAP/Response to the authentication server, requesting authentication of the user equipment's request.
Step S615: The authentication server performs the authentication and returns the result in Radius/Access-Accept/CHAP/Response.
Step S616: The broadband access server sends a DHCP Request message to the DHCP server, requesting address allocation.
Step S617: The DHCP server sends a DHCP Ack message carrying the allocated address to the broadband access server.
Step S618: After confirming that user authentication passed, the broadband access server responds to the gateway with a DHCP Ack/CHAP/Success message, notifying it that user authentication succeeded and completing the user's address allocation process.
Step S619: The home gateway converts the DHCP Ack message into a PPPoE CHAP authentication message and sends it to the user equipment.
Steps S619 to S624: After confirming that authentication succeeded, the user equipment starts the address allocation process, and the PPPoE proxy of the home gateway assigns the user an address inside the gateway through its built-in DHCP server. After assigning the address, the home gateway constructs the user's gateway access permission table from the user account and the external user access permission table, and establishes a static mapping between the user's internal address and external address. Because the permission table only allows the user to access part of the gateway's resources, the forwarding table between the user and that part of the external network's resources is set dynamically through the user's gateway access permission table, and the mapping between the user's internal address and external address is established. In this way the user can only access the services provided by the network operator with which the user has a subscription, and cannot access the services provided by the gateway.
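Steps S611 to S615 carry a CHAP exchange across the gateway: the challenge arrives from the operator side, the user equipment answers with its account and the value derived from the challenge and its password, and the authentication server decides. The Python below is an added example written for this page, not code from the patent; it builds and parses CHAP packets and shows the verifier-side check as RFC 1994 defines it for MD5 (Response Value = MD5 of Identifier, secret and Challenge). The account, secret and challenge are constructed test values, and the secret lookup is a plain dictionary standing in for the authentication server's user store. The checks worth noting on the verifying side are that the response must answer the challenge actually issued under the same Identifier (so an old response cannot be replayed against a new challenge), that a response whose Value-Size is not the digest length is rejected before any lookup, and that the digest comparison is constant-time.

```python
"""Added example, not the patent's code: CHAP packet handling and the
verifier check for steps S611 to S615, following RFC 1994 (MD5 CHAP).
All account names, secrets and challenge bytes below are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Callable, Optional, Tuple

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4
MD5_DIGEST_LEN = 16

def build_chap(code: int, identifier: int, value: bytes = b"", name: bytes = b"") -> bytes:
    """CHAP packet: Code, Identifier, Length, then for Challenge/Response
    a Value-Size byte, the Value and the Name; Success/Failure carry only a message."""
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        body = bytes([len(value)]) + value + name
    else:
        body = name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_chap(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Return (code, identifier, value, name); raise ValueError on inconsistent lengths."""
    if len(pkt) < 4:
        raise ValueError("CHAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("CHAP length field inconsistent with packet")
    body = pkt[4:length]
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        if not body or 1 + body[0] > len(body):
            raise ValueError("CHAP Value-Size exceeds packet")
        vsize = body[0]
        return code, identifier, body[1:1 + vsize], body[1 + vsize:]
    return code, identifier, b"", body

def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def new_challenge(identifier: int, name: bytes = b"gateway") -> Tuple[bytes, bytes]:
    """Issue a fresh, unpredictable challenge and the packet announcing it (S611)."""
    challenge = os.urandom(16)
    return challenge, build_chap(CHAP_CHALLENGE, identifier, challenge, name)

def verify_response(pkt: bytes, issued_identifier: int, issued_challenge: bytes,
                    lookup_secret: Callable[[bytes], Optional[bytes]]) -> Tuple[bool, bytes]:
    """Verifier side (S614/S615): check a CHAP Response against the challenge that was
    actually issued; return (ok, Success-or-Failure packet to send back)."""
    code, identifier, value, name = parse_chap(pkt)
    ok = (code == CHAP_RESPONSE
          and identifier == issued_identifier          # binds the answer to this challenge
          and len(value) == MD5_DIGEST_LEN)            # wrong size: reject before lookup
    secret = lookup_secret(name) if ok else None
    if secret is None:                                 # unknown account or earlier failure
        ok = False
    else:
        expected = chap_response_value(identifier, secret, issued_challenge)
        ok = hmac.compare_digest(value, expected)      # constant-time comparison
    return ok, build_chap(CHAP_SUCCESS if ok else CHAP_FAILURE, identifier)

# Constructed user store standing in for the authentication server's database.
SECRETS = {b"alice": b"constructed-secret"}
```

The gateway in step S613 only needs `parse_chap` to pull the account and the response value out of the PPP packet before re-encapsulating them; the verification itself stays with the authentication server, which is the only party holding the secret.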
In the fourth embodiment of the present invention, the user uses PANA access, while the friend's home gateway uses DHCP Auth to access the Internet and has an external user access permission table configured that allows the user to access part of the gateway's resources and supports PANA access. The functional model of this implementation is shown in Figure 7: a PANA client replaces the PPPoE client in the user equipment, a PANA proxy replaces the PPPoE proxy in the home gateway, and the other parts are the same as in Figure 5.
The authentication process of the fourth embodiment is shown in Figure 8 and includes the following steps:
Steps S801 to S804: When the user connects directly to the home gateway over Ethernet, the user first starts the normal DHCP address allocation process, and the built-in DHCP server of the home gateway assigns the user an internal address following the normal procedure.
Step S805: After obtaining the internal address, the user sends a PANA Client Initiation message to start the PANA authentication negotiation.
Step S806: The home gateway starts its PANA authentication proxy to carry out the PANA authentication negotiation with the user, and starts the DHCP Auth/EAP and PANA authentication conversion. Taking EAP CHAP as an example, the home gateway constructs a DHCP Auth message (DHCP Discover/Auth prot/EAP) from the user's MAC address to request authentication from the broadband access server and negotiate use of the EAP authentication method.
Step S807: The broadband access server responds to the home gateway with a DHCP EAP/EAP-Request/Identity message, starting the EAP authentication process.
Step S808: Since the home gateway has no account information for this user, it converts the DHCP EAP/EAP-Request/Identity into a PANA Auth request/EAP Request message, instructing the user to start EAP authentication.
Steps S809 and S812: The user responds to the home gateway with a PANA Auth request/EAP Response message carrying the user's account and related authentication information.
Step S813: The home gateway extracts the EAP message from the PANA message, constructs DHCP EAP/EAP-Response/Identity from the user identifier (the user account) and the user session identifier (the user's MAC and IP addresses), sends it to the broadband access server, and records the user's account information.
Step S814: The home gateway sends a PANA Auth answer to the user.
Step S815: The broadband access server extracts the EAP message from the DHCP message and requests the authentication server over the Radius protocol to authenticate the user's request.
Step S816: The authentication server authenticates the user from the authentication information in the EAP message and, once authentication passes, responds to the broadband access server with a Radius Request/EAP Message/EAP-Success message.
Step S817: The broadband access server extracts the EAP message from the Radius response message and, after confirming that user authentication passed, notifies the home gateway through DHCP offer/EAP-Success/yiaddr that the user is authenticated.
Step S818: After confirming that user authentication succeeded, the home gateway allocates a Session Id to the PANA session and, from the EAP message extracted from the DHCP offer/EAP-Success/yiaddr message, the Session Id and the user's internal address, converts the DHCP message into a PANA Bind request (EAP Success, Session Id, IP Filter) message, notifying the user that authentication passed and establishing the binding between the user's internal address and the Session Id. The home gateway sends a DHCP Request message to the broadband access server to continue the DHCP Auth process and request an external address on the gateway for the user.
Step S819: After confirming that authentication succeeded, the user responds to the home gateway with a PANA Bind answer confirming that the binding was established, and the user's IP session is established.
Steps S820 to S822: After obtaining the user's external address on the user's behalf, the home gateway constructs the user's gateway access permission table from the user account and the external user access permission table and establishes a static mapping between the user's internal address and external address; at the same time, forwarding between the user and the gateway device is set up dynamically through the user's gateway access permission table, and the mapping between the user's internal address and external address is established. In this way the user can access not only the services provided by the network operator with which the user has a subscription, but also part of the gateway's resources.
An embodiment of the present invention further provides a gateway device at the network edge, as shown in Figure 9, including:
an authentication module 10, configured to obtain the authentication information of the user equipment, encapsulate it as an external network authentication protocol message, and send an authentication request containing that external network authentication protocol message to the communication module 30 in order to request authentication by the external network;
a forwarding table generation module 20, configured, when an authentication success message is received, to request an external address on the gateway for the user equipment, receive the address allocation discovery message from the user equipment, assign the user equipment an internal address on the gateway, establish the mapping table of the user equipment from the internal address and the external address, construct the forwarding policy of the user equipment from the account of the user equipment and the external user access permission table, and generate the forwarding table from the mapping table and the forwarding policy;
a communication module 30, configured to send out the request message from the authentication module 10 and receive the authentication response message, and to carry out communication between the user equipment and external devices according to the forwarding table generated by the forwarding table generation module 20.
Further, the forwarding table generation module 20 specifically includes:
a mapping table establishment sub-module 210, configured to establish the mapping table of the user equipment from the external address on the gateway and the internal address on the gateway;
a forwarding policy establishment sub-module 220, configured to construct the forwarding policy of the user equipment from the account of the user equipment and the external user access permission table.
Further, the mapping table establishment sub-module 210 includes:
an external address allocation unit 2110, configured to request an external address on the gateway for the user equipment when an authentication success message is received;
an internal address allocation unit 2120, configured to receive the address allocation discovery message from the user equipment and assign the user equipment an internal address on the gateway;
a mapping table establishment unit 2130, configured to establish the mapping table of the user equipment from the external address and the internal address determined by the external address allocation unit 2110 and the internal address allocation unit 2120.
Further, the forwarding policy establishment sub-module 220 includes:
an access permission table unit 2210, configured to set the external user access permission table of the gateway;
an access permission determination unit 2220, configured to determine the gateway access permissions of the user equipment from the user identifier and the external user access permission table set by the access permission table unit 2210; the gateway access permissions of the user equipment constitute the forwarding policy.
Further, the authentication module 10 includes:
an authentication information extraction sub-module 110, configured to obtain the user identifier list from the authentication information of the user equipment;
an external network protocol encapsulation sub-module 120, configured to encapsulate the user identifier list obtained by the authentication information extraction sub-module 110 according to the external network protocol;
an authentication request sending sub-module 130, configured to send the authentication request containing the external network authentication protocol message to the communication module 30.
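The forwarding table generation module 20 combines two things: a static binding between the user's internal and external addresses (sub-module 210) and a per-account forwarding policy derived from the gateway's external user access permission table (sub-module 220). The Python below is an added model written for this page, not the patent's implementation; it reproduces the behaviour the embodiments describe for both outcomes, an account that is granted part of the gateway's resources (third and fourth embodiments) and an account absent from the table, which gets operator-side forwarding only (second embodiment). Addresses, account names and resource networks are constructed. The design point is that absence from the permission table and absence of an authenticated session both resolve to drop, so the table never has to list what is forbidden.

```python
"""Added example, not the patent's code: a model of forwarding table
generation module 20 with its mapping sub-module 210 and policy sub-module
220.  Accounts, addresses and resource networks are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Dict, Optional, Set, Tuple

# ("snat", external) | ("dnat", internal) | ("forward", None) | ("drop", None)
Decision = Tuple[str, Optional[str]]

@dataclass
class Session:
    account: str
    internal: IPv4Address                      # assigned by unit 2120
    external: IPv4Address                      # requested from the operator by unit 2110
    allowed: Set[IPv4Network] = field(default_factory=set)  # policy from unit 2220

class EdgeGateway:
    def __init__(self, lan: IPv4Network, access_table: Dict[str, Set[IPv4Network]]):
        self.lan = lan
        # External user access permission table (unit 2210): account -> gateway
        # resources it may reach.  An account with no entry gets none.
        self.access_table = access_table
        self.by_internal: Dict[IPv4Address, Session] = {}   # forwarding table, keyed by source
        self.by_external: Dict[IPv4Address, Session] = {}   # reverse lookup for return traffic

    def admit(self, account: str, internal, external) -> Session:
        """Build the mapping and forwarding entries once the external network
        has authenticated the account (steps S820 to S822)."""
        internal, external = IPv4Address(internal), IPv4Address(external)
        if internal not in self.lan:
            raise ValueError("internal address must lie inside the gateway LAN")
        if internal in self.by_internal or external in self.by_external:
            raise ValueError("address already bound to a session")  # one static mapping each
        sess = Session(account, internal, external, set(self.access_table.get(account, ())))
        self.by_internal[internal] = sess
        self.by_external[external] = sess
        return sess

    def release(self, internal) -> bool:
        """Tear down both directions of the mapping when the session ends."""
        sess = self.by_internal.pop(IPv4Address(internal), None)
        if sess is None:
            return False
        self.by_external.pop(sess.external, None)
        return True

    def decide(self, src, dst) -> Decision:
        """Outbound lookup: what the communication module does with src -> dst."""
        src, dst = ip_address(src), ip_address(dst)
        sess = self.by_internal.get(src)
        if sess is None:
            return ("drop", None)          # no authenticated session, no forwarding entry
        if dst in self.lan:
            # gateway-side resource: only what the permission table grants this account
            if any(dst in net for net in sess.allowed):
                return ("forward", None)
            return ("drop", None)
        # operator side: source rewritten to the user's own external address
        return ("snat", str(sess.external))

    def decide_inbound(self, dst_external) -> Decision:
        """Return traffic from the operator side, addressed to the external address."""
        sess = self.by_external.get(IPv4Address(dst_external))
        return ("dnat", str(sess.internal)) if sess else ("drop", None)

# Constructed table: alice may reach one host on the LAN; bob has no entry.
LAN = IPv4Network("192.168.1.0/24")
ACCESS_TABLE = {"alice@operator.example": {IPv4Network("192.168.1.10/32")}}
```

Usage: construct `EdgeGateway(LAN, ACCESS_TABLE)`, call `admit` when the authentication success message arrives with the addresses the two allocation units produced, and have the packet path call `decide` and `decide_inbound`; `release` on session end removes both directions so a reused address cannot inherit an old account's policy.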
Wireless access brings users a mobile service experience. With the large-scale deployment of hotspots such as WLAN, a user can access the Internet away from home and can still access the Internet after returning home and switching to the home gateway. When a user visits a friend's home, the user can also connect through his or her own account to the gateway in the friend's home, use the services the friend has subscribed to, and access the Internet through the network operator to use his or her own subscribed services.
An embodiment of the present invention further proposes a communication system based on authentication mechanism conversion, as shown in Figure 10, including user equipment 1001, an external network device 1003 and a gateway device 1005 at the network edge. The gateway device at the network edge is configured to obtain the authentication information of the user equipment and encapsulate it as an external network authentication protocol message; when the user equipment has been authenticated by the external network using the external network device authentication protocol message, to request an external address on the gateway for the user equipment; to receive the address allocation discovery message from the user equipment, assign the user equipment an internal address on the gateway, and establish the mapping table of the user equipment from the internal address and the external address; to construct the forwarding policy of the user equipment from the account of the user equipment and the external user access permission table; and to generate a forwarding table from the mapping table and the forwarding policy and carry out communication between the user equipment and the external network device according to the forwarding table.
通过以上的实施方式的描述,本领域的技术人员可以清楚地了解 到本发明可借助软件加必需的通用硬件平台的方式来实现, 当然也可 以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解, 本发明的技术方案本质上或者说对现有技术做出贡献的部分可以以 软件产品的形式体现出来, 该计算机软件产品存储在一个存储介质 中, 包括若干指令用以使得一台计算机设备(可以是个人计算机, 服 务器, 或者网络设备等)执行本发明各个实施例所述的方法。 Through the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus a necessary general hardware platform, and of course, can also be through hardware, but in many cases, the former is a better implementation. the way. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, may be embodied in the form of a software product stored in a storage medium, including a plurality of instructions for making a A computer device (which may be a personal computer, server, or network device, etc.) performs the methods described in various embodiments of the present invention.
In conclusion, the above description is only of preferred embodiments of the present invention and is not intended to limit its scope of protection. Any modification, equivalent substitution, improvement, or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims
1. A communication method based on authentication mechanism conversion, characterized in that it comprises:
obtaining authentication information of a user equipment;
encapsulating the authentication information into an external network authentication protocol packet and sending it to an external network for authentication by the external network;
after the authentication by the external network succeeds, applying for an external address for the user equipment and allocating an internal address to it;
establishing a mapping table representing the correspondence between the internal address and the external address, and generating a forwarding table according to the mapping table and a forwarding policy; and
performing communication between the user equipment and the external network according to the forwarding table.
2. The communication method based on authentication mechanism conversion according to claim 1, characterized in that the forwarding policy is constructed by:
constructing the forwarding policy of the user equipment according to the account of the user equipment and an external user access permission table.
3. The communication method based on authentication mechanism conversion according to claim 2, characterized in that constructing the forwarding policy of the user equipment according to the account of the user equipment and the external user access permission table specifically comprises:
setting an external user access permission table of the gateway, the external user access permission table comprising a list of user identifiers permitted to access the gateway; and
determining the permission of the user equipment to access the gateway according to the user identifier list and the external user access permission table, the permission of the user equipment to access the gateway being the forwarding policy.
4. The communication method based on authentication mechanism conversion according to claim 3, characterized in that the forwarding policy specifically comprises:
allowing the user equipment to access the gateway and the external network; or
prohibiting the user equipment from accessing the gateway and the external network; or
allowing the user equipment to access the gateway and prohibiting it from accessing the external network; or
allowing the user equipment to access the external network and prohibiting it from accessing the gateway.
5. The communication method based on authentication mechanism conversion according to claim 1, characterized in that obtaining the authentication information of the user equipment and encapsulating the authentication information into the external network authentication protocol packet specifically comprises:
obtaining a user identifier list from the authentication information of the user equipment; and
encapsulating the user identifier list according to the external network authentication protocol.
6. The communication method based on authentication mechanism conversion according to claim 5, characterized in that the user identifier list comprises a user identifier and a user session identifier, the user identifier comprising a user account, and the user session identifier comprising the media access control (MAC) address or the internal IP address of the user equipment.
7. The communication method based on authentication mechanism conversion according to any one of claims 1 to 6, characterized in that the access mode of the authentication information of the user equipment comprises 802.1x access, PPPoE access, or PANA access; and the external network authentication protocol packet comprises a PPPoE or DHCP Auth packet.
8. A communication system based on authentication mechanism conversion, comprising a user equipment and an external network, characterized in that it further comprises:
a gateway device at the network edge, configured to obtain authentication information of the user equipment, encapsulate the authentication information into an external network authentication protocol packet and send it to the external network for authentication by the external network; after the authentication by the external network succeeds, apply for an external address for the user equipment, receive an address allocation discovery packet from the user equipment and allocate an internal address to the user equipment; establish a mapping table representing the correspondence between the internal address and the external address; generate a forwarding table according to the mapping table and a forwarding policy; and perform communication between the user equipment and the external network according to the forwarding table.
9. A gateway device at a network edge, characterized in that it comprises:
an authentication module, configured to obtain authentication information of a user equipment, encapsulate the authentication information into an external network authentication protocol packet, and send an authentication request containing the external network authentication protocol packet to request authentication by an external network;
a forwarding table generating module, configured to, when an authentication success message from the external network is received, apply for an external address for the user equipment, receive an address allocation discovery packet from the user equipment, allocate an internal address to the user equipment, establish a mapping table representing the correspondence between the internal address and the external address, and generate a forwarding table according to the mapping table and a forwarding policy; and
a communication module, configured to send the authentication request message, receive an authentication response message, and perform communication between the user equipment and the external network according to the forwarding table.
10. The gateway device at a network edge according to claim 9, characterized in that the forwarding table generating module comprises:
a mapping table establishing submodule, configured to establish the mapping table representing the correspondence between the internal address and the external address; and
a forwarding policy establishing submodule, configured to construct the forwarding policy of the user equipment according to the account of the user equipment and an external user access permission table.
11. The gateway device at a network edge according to claim 10, characterized in that the forwarding policy establishing submodule comprises:
an access permission table unit, configured to set the external user access permission table of the gateway, the external user access permission table comprising the user identifiers permitted to access the gateway; and
an access permission determining unit, configured to determine the permission of the user equipment to access the gateway according to the user identifier and the external user access permission table, the permission of the user equipment to access the gateway being the forwarding policy.
12. The gateway device at a network edge according to claim 10, characterized in that the mapping table establishing submodule comprises:
an external address allocation unit, configured to apply for an external address for the user equipment when a success message of the external network authentication is received;
an internal address allocation unit, configured to receive an address allocation discovery packet from the user equipment and allocate the internal address to the user equipment; and
a mapping table establishing unit, configured to establish the mapping table representing the correspondence between the external address and the internal address.
13. The gateway device at a network edge according to any one of claims 9 to 12, characterized in that the authentication module specifically comprises:
an authentication information extraction submodule, configured to obtain a user identifier list from the authentication information of the user equipment;
an external network protocol encapsulation submodule, configured to encapsulate the user identifier list according to the external network authentication protocol; and
an authentication request sending submodule, configured to send an authentication request containing the external network authentication protocol packet.
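The gateway-side flow of claims 1 to 7, as an added example that is not part of the patent or of any product implementing it. It models the steps in Python with assumed, simplified data structures: the authentication information is a dict produced by an assumed 802.1x/PPPoE/PANA front end, the external network authentication protocol packet is a dict standing in for the PPPoE or DHCP Auth packet the patent names (no real wire encoding), the external network's decision is a constructed credential table, and the external user access permission table holds constructed accounts encoding the four forwarding policies of claim 4. An account that is absent from the table is treated here as denied everywhere, which the claims do not specify.

```python
"""Model of the gateway-side flow in claims 1-7 (added illustration)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

# External user access permission table (claim 3). Constructed sample rows;
# the two flags encode the four forwarding policies of claim 4.
ACCESS_TABLE: Dict[str, Tuple[bool, bool]] = {  # account -> (gateway, external)
    "alice@isp": (True, True),    # access gateway and external network
    "bob@isp":   (False, True),   # external network only
    "carol@isp": (True, False),   # gateway only
    "dave@isp":  (False, False),  # neither
}

# Constructed stand-in for the external network's credential store.
EXTERNAL_AAA_DB = {"alice@isp": b"s3cret", "bob@isp": b"hunter2",
                   "carol@isp": b"pw3", "dave@isp": b"pw4"}


@dataclass
class ForwardingEntry:
    account: str
    mac: str
    internal_ip: IPv4Address
    external_ip: IPv4Address
    allow_gateway: bool
    allow_external: bool


def extract_identity(auth_info: dict) -> dict:
    """Claims 5-6: take the user identifier list out of the access-side
    authentication information. auth_info is an assumed normalised record
    from the 802.1x / PPPoE / PANA front end (claim 7)."""
    if auth_info["access_mode"] not in ("802.1x", "PPPoE", "PANA"):
        raise ValueError("unsupported access mode: %r" % auth_info["access_mode"])
    # No internal IP exists yet, so the session identifier is the MAC address.
    return {"user_id": auth_info["account"], "session_id": auth_info["mac"]}


def encapsulate(identity: dict, credential: bytes) -> dict:
    """Claims 1 and 5: wrap the identifier list in an external network
    authentication protocol packet. The patent names PPPoE or DHCP Auth;
    this dict is an assumed stand-in, not a real wire encoding."""
    return {"proto": "DHCP-Auth", "user": identity["user_id"],
            "session": identity["session_id"], "credential": credential}


def external_network_authenticate(packet: dict) -> bool:
    """Constructed stand-in for the external network's authentication decision."""
    return EXTERNAL_AAA_DB.get(packet["user"]) == packet["credential"]


class EdgeGateway:
    def __init__(self, gateway_ip: str, internal_net: str, external_pool):
        self.gateway_ip = IPv4Address(gateway_ip)
        self._internal = iter(IPv4Network(internal_net).hosts())
        next(self._internal)  # assumption: the first host address is the gateway's
        self._external = (IPv4Address(a) for a in external_pool)
        self.accounts: Dict[str, str] = {}                 # mac -> account
        self.external_for: Dict[str, IPv4Address] = {}     # mac -> external address
        self.mapping: Dict[IPv4Address, IPv4Address] = {}  # internal -> external
        self.forwarding: Dict[Tuple[str, IPv4Address], ForwardingEntry] = {}

    def authenticate(self, auth_info: dict) -> bool:
        """Claim 1, first steps: convert the access-side authentication into
        the external protocol; on success apply for an external address."""
        identity = extract_identity(auth_info)
        packet = encapsulate(identity, auth_info["credential"])
        if not external_network_authenticate(packet):
            return False
        mac = identity["session_id"]
        self.accounts[mac] = identity["user_id"]
        self.external_for[mac] = next(self._external)
        return True

    def on_address_discovery(self, mac: str) -> Optional[IPv4Address]:
        """Claim 1, address steps: answer the address allocation discovery
        packet only for an externally authenticated session, then build the
        mapping table entry and the forwarding table entry."""
        if mac not in self.external_for:
            return None
        internal_ip = next(self._internal)
        external_ip = self.external_for[mac]
        self.mapping[internal_ip] = external_ip
        allow_gateway, allow_external = self.forwarding_policy(self.accounts[mac])
        self.forwarding[(mac, internal_ip)] = ForwardingEntry(
            self.accounts[mac], mac, internal_ip, external_ip,
            allow_gateway, allow_external)
        return internal_ip

    @staticmethod
    def forwarding_policy(account: str) -> Tuple[bool, bool]:
        """Claims 2-4: the policy is the account's row in the access table.
        Assumption: an account missing from the table is denied everything."""
        return ACCESS_TABLE.get(account, (False, False))

    def forward(self, src_mac: str, src_ip: str, dst_ip: str) -> str:
        """Claim 1, last step: forwarding decision from the forwarding table.
        The entry is keyed by (MAC, internal IP), so a packet whose MAC does
        not match the session that received the address is dropped."""
        entry = self.forwarding.get((src_mac, IPv4Address(src_ip)))
        if entry is None:
            return "drop"
        if IPv4Address(dst_ip) == self.gateway_ip:
            return "deliver-to-gateway" if entry.allow_gateway else "drop"
        if entry.allow_external:
            return "forward-external src=%s" % entry.external_ip
        return "drop"
```

The forwarding table is keyed on both the MAC address (the session identifier of claim 6) and the internal address, so a host that later sends from another session's internal address is dropped rather than translated; because the session identifier is a MAC or IP address, that binding is only as strong as the access network's own protection against address spoofing, which is why the account, not the address, should drive the permission row.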
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007101640024A CN101414998B (en) | 2007-10-15 | 2007-10-15 | Communication method, system and equipment based on authentication mechanism conversion |
CN200710164002.4 | 2007-10-15 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009049557A1 (en) | 2009-04-23 |
Family
ID=40567029
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2008/072700 WO2009049557A1 (en) | 2007-10-15 | 2008-10-15 | An authentication-conversion-based communication method, system and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101414998B (en) |
WO (1) | WO2009049557A1 (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102130814A (en) * | 2010-01-20 | 2011-07-20 | 中兴通讯股份有限公司 | Method for configuring user access information, network element (NE) device and server |
CN102111766B (en) * | 2011-01-10 | 2015-06-03 | 中兴通讯股份有限公司 | Network accessing method, device and system |
CN102625305B (en) * | 2011-01-30 | 2017-05-31 | 中兴通讯股份有限公司 | Access the method and system of evolved packet system |
CN102447709A (en) * | 2012-01-17 | 2012-05-09 | 神州数码网络(北京)有限公司 | Access authority control method and system based on DHCP and 802.1x |
CN103888945B (en) * | 2012-12-20 | 2018-05-08 | 中国移动通信集团公司 | A kind of WLAN cut-in methods, system and multimode gateway |
CN103024099A (en) * | 2012-12-28 | 2013-04-03 | 太仓市同维电子有限公司 | DHCP (dynamic host configuration protocol)-option-message-based automatic configuration method for network access device |
CN108023971B (en) * | 2016-11-04 | 2021-04-20 | 新华三技术有限公司 | DHCP message forwarding method and device |
CN107133516B (en) * | 2017-04-24 | 2020-10-30 | 深信服科技股份有限公司 | Authority control method and system |
CN107547621B (en) * | 2017-06-27 | 2020-11-06 | 新华三技术有限公司 | Message forwarding method and device |
CN109040334B (en) * | 2018-07-12 | 2021-05-11 | 山东师范大学 | Static intranet mapping method, extranet server, intranet communication device and system |
CN113094719B (en) * | 2020-01-08 | 2023-08-08 | 钉钉控股(开曼)有限公司 | Access control method, device and equipment |
CN116132982A (en) * | 2021-11-15 | 2023-05-16 | 中国移动通信有限公司研究院 | Authentication method and device |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1458763A (en) * | 2002-05-15 | 2003-11-26 | 华为技术有限公司 | Broadband network access method |
JP2004062417A (en) * | 2002-07-26 | 2004-02-26 | Nippon Telegr & Teleph Corp <Ntt> | Certification server device, server device and gateway device |
CN1486029A (en) * | 2002-09-23 | 2004-03-31 | 华为技术有限公司 | Method for implementing EAP authentication in remote authentication based network |
CN1567868A (en) * | 2003-07-02 | 2005-01-19 | 华为技术有限公司 | Authentication method based on Ethernet authentication system |
CN1663168A (en) * | 2002-04-26 | 2005-08-31 | 汤姆森许可公司 | Transitive authentication authorization accounting in interworking between access networks |
CN1701567A (en) * | 2003-05-12 | 2005-11-23 | 索尼株式会社 | Inter-device authentication system, inter-device authentication method, communication device, and computer program |
CN1720691A (en) * | 2002-11-29 | 2006-01-11 | 摩托罗拉公司 | A communication system and method of authentication therefor |
US20060098614A1 (en) * | 2004-10-07 | 2006-05-11 | Samsung Electronics Co., Ltd. | Apparatus and method for providing indoor and outdoor wireless access in broadband wireless access communication system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007062417A (en) * | 2005-08-29 | 2007-03-15 | Toshiba Corp | Riding route guide device, riding route guide system, riding route guide method and ticket gate machine |
- 2007-10-15: CN application CN2007101640024A filed (granted as CN101414998B; status: not active, Expired - Fee Related)
- 2008-10-15: PCT application PCT/CN2008/072700 filed (published as WO2009049557A1; status: active, Application Filing)
Non-Patent Citations (1)
Title |
---|
"The Paper Collection of the New Development on Communication Theory and Technology 2007--12th Countrywide Communication Academic Conference for Youth (the second volume)", 2007, article "Broad Access Authentication Technique-PPPoE, 802.1 x,DHCP+ Web Portal and DHCP+", pages: 1809 - 1812 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102833817A (en) * | 2012-09-05 | 2012-12-19 | 中国联合网络通信集团有限公司 | Network access method and system based on home gateway and home gateway |
CN102833817B (en) * | 2012-09-05 | 2015-03-11 | 中国联合网络通信集团有限公司 | Network access method and system based on home gateway and home gateway |
CN115801868A (en) * | 2022-11-29 | 2023-03-14 | 企查查科技有限公司 | Data access method and device |
Also Published As
Publication number | Publication date |
---|---|
CN101414998A (en) | 2009-04-22 |
CN101414998B (en) | 2012-08-08 |
Legal Events
Code | Title | Description |
---|---|---|
121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 08840189; country of ref document: EP; kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | EP: PCT application non-entry in European phase | Ref document number: 08840189; country of ref document: EP; kind code of ref document: A1 |