CN116248341A - RADIUS server authorization method, device and medium
- Publication number: CN116248341A (application CN202211685594.5A)
- Authority: CN (China)
- Prior art keywords: period, duration, time, preset, user
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
Abstract
The present application relates to the field of communications, and in particular to a RADIUS server authorization method, device and medium. The method includes: calculating a user's pre-offline time from the user's authentication time and a first authorization duration; determining whether the pre-offline time falls in the busy period of at least one preset period, where the first authorization duration is the authorization duration that the system has preconfigured for the user and each preset period includes a busy period and an idle period; if the pre-offline time does not fall in the busy period of any preset period, granting the first authorization duration to the user; and if the pre-offline time falls in the busy period of a first preset period, calculating a second authorization duration based on the idle period of the first preset period and granting the user the second authorization duration combined with the first authorization duration, where the first preset period is one of the at least one preset period. The method can balance the load on the RADIUS server.
Description
Technical Field
The present application relates to the field of communications, and in particular to a RADIUS server authorization method, device and medium.
Background
At present, the authentication methods that telecom operators and network service providers apply to users are mainly local authentication, RADIUS authentication and no authentication. In practice, RADIUS authentication is the most widely used: user information is obtained through network attached storage (Network Attached Storage, NAS), and the RADIUS server authenticates the user and issues an authorization duration to each successfully authenticated user. In the prior art, the authorization duration that the RADIUS server issues is in most cases a fixed value, and once it has been used up the user must be authenticated and authorized by the RADIUS server again. As the number of users grows, this way of authorizing leaves the load on the RADIUS server unbalanced.
Summary of the Invention
The present application provides a RADIUS server authorization method, device and medium that address the unbalanced load on RADIUS servers in the prior art and can balance that load.
To achieve the above object, the present application adopts the following technical solutions:
In a first aspect, the present application provides a RADIUS server authorization method, the method including: calculating the user's pre-offline time based on the user's authentication time and a first authorization duration;
determining whether the pre-offline time falls in the busy period of at least one preset period, where the first authorization duration is the authorization duration that the system has preconfigured for the user and each preset period includes a busy period and an idle period;
if the pre-offline time does not fall in the busy period of any preset period, granting the first authorization duration to the user;
if the pre-offline time falls in the busy period of a first preset period, calculating a second authorization duration based on the idle period of the first preset period, and granting the user the second authorization duration combined with the first authorization duration, where the first preset period is one of the at least one preset period.
As a possible implementation of the first aspect of the present application, calculating the second authorization duration based on the idle period of the first preset period includes:
randomly selecting a time point from the idle period, and determining the second authorization duration based on that time point and the pre-offline time.
As a possible implementation of the first aspect of the present application, determining the second authorization duration based on the time point and the pre-offline time includes:
calculating the duration from the time point to a first preset time point, to obtain a first calculated duration;
calculating the duration from the pre-offline time to the first preset time point, to obtain a second calculated duration;
calculating the duration from the pre-offline time to a second preset time point as a third calculated duration, and determining whether the time point is later than the end time of the busy period in which the pre-offline time falls;
if the time point is later than the end time of that busy period, the second authorization duration equals the first calculated duration minus the second calculated duration;
if the time point is not later than the end time of that busy period, the second authorization duration equals the third calculated duration plus the first calculated duration.
As a possible implementation of the first aspect of the present application, the method further includes:
obtaining the at least one preset period from at least one of the historical service conditions and the historical load conditions of the RADIUS server, where the busy period in a preset period is shorter than the idle period in that preset period.
In a second aspect, the present application provides a RADIUS server authorization device, the device including:
a processing unit, configured to calculate the user's pre-offline time based on the user's authentication time and a first authorization duration;
the processing unit being further configured to determine whether the pre-offline time falls in the busy period of at least one preset period, where the first authorization duration is the authorization duration that the system has preconfigured for the user and each preset period includes a busy period and an idle period;
a communication unit, configured to grant the first authorization duration to the user if the pre-offline time does not fall in the busy period of any preset period;
the communication unit being further configured to, if the pre-offline time falls in the busy period of a first preset period, calculate a second authorization duration based on the idle period of the first preset period and grant the user the second authorization duration combined with the first authorization duration, where the first preset period is one of the at least one preset period.
As a possible implementation of the second aspect of the present application, calculating the second authorization duration based on the idle period of the first preset period includes:
randomly selecting a time point from the idle period, and determining the second authorization duration based on that time point and the pre-offline time.
As a possible implementation of the second aspect of the present application, determining the second authorization duration based on the time point and the pre-offline time includes:
calculating the duration from the time point to a first preset time point, to obtain a first calculated duration;
calculating the duration from the pre-offline time to the first preset time point, to obtain a second calculated duration;
calculating the duration from the pre-offline time to a second preset time point as a third calculated duration, and determining whether the time point is later than the end time of the busy period in which the pre-offline time falls;
if the time point is later than the end time of that busy period, the second authorization duration equals the first calculated duration minus the second calculated duration;
if the time point is not later than the end time of that busy period, the second authorization duration equals the third calculated duration plus the first calculated duration.
As a possible implementation of the second aspect of the present application, the processing unit is further configured to obtain the at least one preset period from at least one of the historical service conditions and the historical load conditions of the RADIUS server, where the busy period in a preset period is shorter than the idle period in that preset period.
In a third aspect, the present application provides a RADIUS server authorization device, the device including a processor and a communication interface. The communication interface is coupled to the processor, and the processor is configured to run a computer program or instructions to implement the RADIUS server authorization method described in the first aspect and any possible implementation of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium storing instructions that, when run on a terminal, cause the terminal to perform the RADIUS server authorization method described in the first aspect and any possible implementation of the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer program product containing instructions that, when the computer program product runs on a RADIUS server authorization device, cause the RADIUS server authorization device to perform the RADIUS server authorization method described in the first aspect and any possible implementation of the first aspect.
In a sixth aspect, an embodiment of the present application provides a chip including a processor and a communication interface. The communication interface is coupled to the processor, and the processor is configured to run a computer program or instructions to implement the RADIUS server authorization method described in the first aspect and any possible implementation of the first aspect.
Specifically, the chip provided in the embodiment of the present application further includes a memory for storing the computer program or instructions.
The technical solution provided by the present application brings at least the following beneficial effects: the authorization duration issued by the RADIUS server is adjusted according to preset periods, so that the offline time of some users can be moved to idle periods in which the processing pressure on the RADIUS server is relatively low. This balances the working pressure on the RADIUS server and distributes its load sensibly.
Description of the Drawings
FIG. 1 is a schematic diagram of an AAA system architecture provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a RADIUS server authorization method provided by an embodiment of the present application;
FIG. 3 is a distribution diagram of historical RADIUS server traffic provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a RADIUS server authorization method provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a RADIUS server authorization device provided by an embodiment of the present application;
FIG. 6 is a schematic structural diagram of another RADIUS server authorization device provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a chip provided by an embodiment of the present application.
Detailed Description
The RADIUS server authorization method and device provided in the embodiments of the present application are described in detail below with reference to the accompanying drawings.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone.
The terms "first", "second" and the like in the specification and drawings of the present application are used to distinguish different objects, or to distinguish different treatments of the same object, and not to describe a particular order of objects.
In addition, the terms "including" and "having", and any variations of them, as used in the description of the present application are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units; it optionally also includes other steps or units that are not listed, or other steps or units inherent to the process, method, product or device.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application should not be interpreted as preferred over, or more advantageous than, other embodiments or designs. Rather, such words are intended to present the related concepts in a concrete way.
Some terms and technologies involved in the embodiments of the present application are explained below.
1) AAA and the AAA system
AAA is short for authentication (Authentication, A), authorization (Authorization, A) and accounting (Accounting, A). It is a security management mechanism for access control in network security and provides three security services: authentication, authorization and accounting.
Specifically, the three security services provided by AAA are:
Authentication: verifying the identity of the user to determine whether the user is legitimate.
Authorization: granting an authenticated user the services that the user may use.
Accounting: recording the resources that the user consumes while using network services; this information serves as the basis for billing.
First, the authentication part authenticates the user. Authentication usually checks authority by having the user enter a user name and password. The principle is that each user has a unique criterion for obtaining access. The AAA server checks the user's criterion against the criterion stored for each user in the database. If they match, the user is authenticated; if they do not, the network connection is refused.
Second, the user must be authorized in order to obtain permission to perform the corresponding tasks. For example, after logging in to the system the user may execute commands, and the authorization process then checks whether the user has permission to execute them. Put simply, the authorization process is a combination of enforcement policies that determine the type or quality of activities, the resources and the services that the user is allowed. Authorization takes place in the context of authentication: once users have been authenticated, they are granted the corresponding permissions.
Finally, the accounting process measures the resources that the user consumes during the connection, such as connection time or the traffic that the user sends and receives while connected. Accounting can be carried out on the basis of statistical logs of the connection, user information, authorization control, billing, trend analysis, resource utilization and capacity planning activities.
An AAA system is a system that implements the AAA functions. The protocols that implement authentication, authorization and accounting on an AAA system are mainly RADIUS and TACACS+, and the Diameter protocol is gradually being adopted as a newer standard. The RADIUS protocol is specified in RFC 2865 and RFC 2866. TACACS+ extends the TACACS protocol (RFC 1492). For the Diameter protocol, see RFC 3588 and RFC 4006.
2) RADIUS and the RADIUS server
RADIUS (Remote Authentication Dial-In User Service) is a distributed information exchange protocol with a client/server architecture, defined by RFC 2865 and RFC 2866. It can protect a network from unauthorized access and is often used in network environments that require high security while still allowing access by remote users.
A RADIUS server is a protocol server that carries authentication, authorization and configuration information between network attached storage (Network Attached Storage, NAS) and a shared authentication server. RADIUS uses UDP as its transport protocol. RADIUS is also responsible for carrying accounting information between the network access server and the shared accounting server. The RADIUS server stores a large amount of information; the NAS does not need to keep this information and instead accesses it through the RADIUS protocol. Storing the information centrally makes management more convenient and more secure. A RADIUS server can also act as a proxy, communicating as a client with other RADIUS servers or with other kinds of authentication server. User roaming is usually implemented through RADIUS proxies.
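FIG. 1 shows a schematic diagram of an exemplary AAA system architecture. The system uses a typical client/server structure and includes multiple users 100 (only one is shown in the figure), multiple NAS 101 (only one is shown) and multiple RADIUS servers 102 (only one is shown). The AAA program running on NAS 101 is the server side from the user's point of view and the client from the point of view of RADIUS server 102. NAS 101 is responsible for transmitting user information to the designated RADIUS server 102 and then acting on the information that RADIUS server 102 returns. RADIUS server 102 stores a large amount of information, including user information, NAS information and authorization attribute information. It should be noted that FIG. 1 is only a schematic of one scenario in which the present application can be used and does not limit the scenarios to which the technical solution provided by the present application applies.
An exemplary AAA system works as follows. When user 100 wants to log in to the network, NAS 101 presents a login interface that asks user 100 for user information (user name and password), and user 100 waits for the authentication result.
After receiving the user information, NAS 101 sends an access request packet (access-request) to RADIUS server 102. The packet contains RADIUS attributes including the user name, the user password, the ID of the access server and the ID of the access port.
After RADIUS server 102 receives the access request packet (access-request) from the NAS, it first verifies that the shared key of NAS 101 matches the one configured on the RADIUS server, to confirm that NAS 101 is one of its RADIUS clients. Once RADIUS server 102 has checked that the access request packet from NAS 101 is correct, it looks the user up in the user database. If the user information is not correct, RADIUS server 102 sends an access reject packet (access-reject) to NAS 101; on receiving it, NAS 101 rejects and stops the service request of user 100 and forces user 100 offline.
If the user information is correct, RADIUS server 102 sends an access challenge packet (access-challenge) to NAS 101 to verify the login request of user 100 further. This verification covers the user name, the user password, the IP address of the server that user 100 is logging in to, the physical port number through which user 100 logs in, and so on. After NAS 101 receives the access challenge packet (access-challenge), it notifies user 100, asks user 100 to provide more user information and asks user 100 to confirm the login request. After user 100 confirms, RADIUS server 102 compares the information from the two requests and then decides how to respond to the user's request (by sending access-accept or access-reject, or by sending access-challenge again). When all verification conditions and handshakes have passed, RADIUS server 102 places the user's configuration information from the database in an access accept packet (access-accept) and returns it to NAS 101, and NAS 101 limits the network access of user 100 according to the configuration information in the packet.
When authentication and authorization are complete, user 100 can enter the network through the switch. When user 100 enters the network, NAS 101 sends an accounting start request packet (accounting-request start) to RADIUS server 102 to tell it to start accounting. When the user leaves the network, NAS 101 sends an accounting stop packet (accounting-request stop) to RADIUS server 102, and RADIUS server 102 calculates the charges for the network use of user 100 from the information in the accounting packets.
RADIUS server 102 compares the user authentication credentials reported by NAS 101 with the user credentials stored in the database. If the credentials match, the user is authenticated and is granted access to the network. If they do not match, authentication fails and network access is denied. If authentication succeeds, RADIUS server 102 issues the corresponding authorization to the user through the RADIUS protocol, such as domain name, bandwidth rate and duration, and the NAS enforces the corresponding authorization attributes. The authorization duration issued by the RADIUS server is an important parameter when authorizing a user: it affects the user's online experience, the allocation of NAS resources, the processing pressure on the RADIUS server, and so on. When the authorization duration ends, the user must be authenticated, authorized and brought online again.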
At present, the authorization duration issued by a RADIUS server in the prior art is usually either a fixed value or a value from a specified range. With a fixed value, the RADIUS server assigns the user a fixed duration according to its preconfiguration. With a specified range, the RADIUS server uses the user information to generate a random duration between the maximum and minimum online durations specified for the user and grants that duration to the user. Authorization durations based on a fixed value are currently in wide use on RADIUS servers.
It can be seen that, whether the authorization duration is a fixed value or comes from a specified range, the RADIUS server cannot regulate it; that is, in neither case can the RADIUS server decide when the user goes offline. With the rapid growth of network services, both ways of issuing durations have the following drawbacks:
1. Poor user experience. With either way of authorizing, users are timed out and taken offline during busy periods because their authorization duration has expired, and must then be authenticated, authorized and brought online again. For users with strong real-time requirements (such as users who live-stream or who work in online education), re-authentication, re-authorization and reconnecting seriously degrade the experience.
2. Unbalanced RADIUS server load. The pressure on a RADIUS server depends mainly on the online habits of its users. According to statistics, the processing pressure on a RADIUS server during peak periods is about 40% higher than during off-peak periods, and excessive processing pressure at peak times affects the efficiency, performance and service life of the RADIUS server.
To solve the above problems, the present application first provides a RADIUS server authorization method that can improve user experience and balance the load on the RADIUS server.
参考图2,本申请提供一种RADIUS服务器授权方法,该方法包括:With reference to Fig. 2, the application provides a kind of RADIUS server authorizing method, and this method comprises:
S100.基于用户的认证时间与第一授权时长计算用户的预下线时间;S100. Calculate the user's pre-logout time based on the user's authentication time and the first authorization duration;
可以理解的是,在上述认证时间可以为认证开始的时间也可以为认证结束(成功)的时间。例如,在图1所述的AAA架构中,上述认证时间可以为:认证开始的时间,即用户100向NAS101发送用户信息的时间点;也可以为认证结束的时间,即RADIUS服务器102将接入接收包返还给NAS101的时间点。It can be understood that the above authentication time may be the time when the authentication starts or the time when the authentication ends (successfully). For example, in the AAA architecture described in FIG. 1, the above-mentioned authentication time can be: the time when the authentication starts, that is, the time point when the
其中,第一授权时长为系统预配置给用户的授权时长,第一授权时长可以由电信运营商和网络服务提供商根据实际的需要自由设定;可以为固定值的授权时长也可以为指定范围的授权时长。示例性的,作为一种指定范围的授权时长,上述第一授权时长可以为:40-60小时之间的随机数;作为一种固定值的授权时长,上述第一授权时长可以为40小时、50小时或60小时等等,可以由电信运营商和网络服务提供商根据实际的使用需求进行调整。Among them, the first authorization duration is the authorization duration pre-configured by the system to users, and the first authorization duration can be freely set by telecom operators and network service providers according to actual needs; the authorization duration can be a fixed value or a specified range authorization period. Exemplarily, as an authorized duration of a specified range, the above-mentioned first authorized duration may be: a random number between 40-60 hours; as a fixed-value authorized duration, the above-mentioned first authorized duration may be 40 hours, 50 hours or 60 hours, etc., can be adjusted by telecom operators and network service providers according to actual usage needs.
S200.判断预下线时间是否处于至少一个预设时段中的忙时段;S200. Determine whether the pre-offline time is in a busy period in at least one preset period;
上述预设时段中包括:忙时段和闲时段,预设时段可以具有多个也可以具有一个;The above-mentioned preset time period includes: a busy time period and an idle time period, and the preset time period can have multiple or one;
In one possible implementation, the present application may obtain the at least one preset period from at least one of the RADIUS server's historical traffic and historical load, where the busy period in a preset period is shorter than the idle period in that preset period. Specifically, see Fig. 3, an exemplary distribution of a RADIUS server's historical traffic provided by the present application. The horizontal axis is the time period; there are 24 periods in total, covering 0:00:00 to 23:59:59. Period 00 in the figure is 0:00:00 to 0:59:59, and the vertical axis is the traffic volume. As the figure shows, the historical traffic may include user-requested offline traffic, timeout offline traffic and other traffic, where the other traffic includes Lost-Carrier (a sudden line fault takes the user offline), Idle-Timeout (some devices apply an idle threshold to users and take a user offline once the idle time exceeds it), and so on. User-requested offline traffic is a user actively requesting to go offline; timeout offline traffic is the RADIUS server taking a user offline once the authorized time has been used up, after which the user has to go through authentication, authorization and going online again.
It will be appreciated that, in practice, the traffic pattern of a RADIUS server is determined by how its users habitually use the network. Because a RADIUS server has a relatively large and relatively stable user base, the habits of its users are, at the macro level, also fairly stable; the replacement of a small number of users does not change the server's usage pattern at the macro level.
Fig. 3 shows that the traffic peaks are concentrated in periods 08 and 09, while historical traffic in periods 01 and 02 is relatively low. Fig. 3 also shows that user-requested offline traffic is heavy during the peak periods. From the historical traffic shown in Fig. 3, the present application can therefore derive a first preset period that consists of period 08 and period 01: the busy period of the first preset period is period 08, and the idle period is period 01.
The figure also shows that timeout offline traffic is distributed fairly evenly, almost uniformly, across the RADIUS server's historical traffic. It follows that a certain number of the users managed by the RADIUS server habitually use up the authorization duration granted by the RADIUS server and are then taken offline by the server, rather than actively requesting to go offline.
S300. If the pre-offline time does not fall in the busy period of any preset period, grant the first authorization duration to the user.
S400. If the pre-offline time falls in the busy period of a first preset period, calculate a second authorization duration based on the idle period of the first preset period, merge the second authorization duration with the first authorization duration, and grant the merged duration to the user; the first preset period is one of the at least one preset period.
The present application adjusts the authorization duration issued by the RADIUS server according to the preset periods, so that the offline time of users who go offline by timeout is moved to an idle period in which the RADIUS server is under less processing pressure, which balances the load on the RADIUS server. For users with high real-time requirements, the technical solution reduces the timeout disconnections that occur in busy periods because the authorization duration has been used up, which improves their experience and the quality of service they perceive.
In one possible implementation, calculating the second authorization duration based on the idle period of the first preset period includes:
randomly selecting a time point from the idle period, and determining the second authorization duration based on the time point and the pre-offline time.
In one possible implementation, determining the second authorization duration based on the time point and the pre-offline time includes:
calculating the duration from the time point to a first preset time point to obtain a first calculated duration;
calculating the duration from the pre-offline time to the first preset time point to obtain a second calculated duration;
calculating the duration from the pre-offline time to a second preset time point as a third calculated duration, and judging whether the time point is later than the end time of the busy period in which the pre-offline time falls;
where the first preset time point may be 0:00:00 and the second preset time point may be 23:59:59;
if the time point is later than the end time of the busy period in which the pre-offline time falls, the second authorization duration equals the first calculated duration minus the second calculated duration;
if the time point is not later than the end time of the busy period in which the pre-offline time falls, the second authorization duration equals the third calculated duration plus the first calculated duration.
In one possible implementation, the method further includes:
obtaining the at least one preset period from at least one of the RADIUS server's historical traffic and historical load, where the busy period in a preset period is shorter than the idle period in that preset period.
The preset periods obtained from the historical load of the RADIUS server in a certain region are shown in Table 1:
Table 1. Preset periods
See Fig. 4, a schematic diagram of the RADIUS server authorization method provided by the present application. As shown in the figure, when user A authenticates successfully, the authentication time is obtained, and the RADIUS server obtains user A's first authorization duration from its configuration. If, for example, the authentication time plus the first authorization duration is 08:05:00, this time is judged to fall in the busy period of preset period 1 in the table, shown as busy period 1 in the figure. The idle period corresponding to busy period 1 is idle period 1, for example 10:00:00 to 12:00:00. The second authorization duration therefore has to be calculated from idle period 1.
In one possible implementation, the present application obtains the idle start time of idle period 1, which is 10:00:00, and determines that the idle start time is later than the busy end time, 09:00:00. A time point is randomly drawn from the idle period 10:00:00 to 12:00:00, for example 11:30:00, and converted to a duration in seconds: 11*3600+30*60+0 = 41400 seconds. The user's pre-offline time is 08:05:00, and its duration to 0:00 in seconds is 8*3600+5*60+0 = 29100 seconds. The second authorization duration is 41400-29100 = 12300 seconds.
In another possible implementation, the present application randomly selects a time point in idle period 1, for example 11:30:00, and calculates the duration from this time point to 00:00:00 as 11*60*60+30*60 = 41400 seconds, which gives the first calculated duration;
the duration from 08:05:00 to 00:00:00 is calculated as 8*3600+5*60+0 = 29100 seconds, which gives the second calculated duration; the duration from 08:05:00 to 23:59:59 is calculated as 15*60*60+55*60 = 57300 seconds, which gives the third calculated duration; on a 24-hour clock that ignores the date, the random time point is earlier than the end time of busy period 2, so the second authorization duration equals 41400-29100 = 12300 seconds.
If user B authenticates successfully, the authentication time is obtained and the RADIUS server obtains user B's first authorization duration from its configuration. If, for example, the authentication time plus the first authorization duration is 21:00:00, the pre-offline time is judged to fall in the busy period of preset period 2 in Table 1, shown as busy period 2 in the figure. In preset period 2, the idle period corresponding to busy period 2 is idle period 2, so the present application can calculate the second authorization duration from idle period 2.
In one possible implementation, the present application obtains the start time of idle period 2, 00:30:00, which, ignoring the date, is earlier than the busy end time, 20:00:00. The duration from the pre-offline time 21:00:00 to 23:59:59 of the same day is calculated as 23:59:59 minus 21:00:00, that is, 3*3600 = 10800 seconds. A time point is randomly drawn from 00:30:00 to 04:30:00, for example 00:41:55, and converted to a duration in seconds: 41*60+55 = 2515 seconds. The second authorization duration is then 10800+2515 = 13315 seconds.
In another possible implementation, the present application randomly selects a time point in idle period 2, for example 00:41:55, and calculates the duration from this time point to 00:00:00 as 41*60+55 = 2515 seconds, which gives the first calculated duration; the duration from 21:00:00 to 00:00:00 is calculated as 21*60*60 = 75600 seconds, which gives the second calculated duration; the duration from 21:00:00 to 23:59:59 is calculated as 3*3600 = 10800 seconds, which gives the third calculated duration; on a 24-hour clock that ignores the date, this random time point is earlier than the end time of busy period 2, so the second authorization duration equals 10800+2515 = 13315 seconds.
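The duration rule listed in the steps above and the two worked calculations for user A and user B, as an added Python example that is not code from the patent. Table 1 is not reproduced on this page, so the busy-period boundaries other than the 09:00:00 end of busy period 1 are constructed, as are the authentication times and the 3600-second first authorization duration; the third calculated duration is taken to the end of the day (86400 seconds), which matches the rounding used in the worked figures.

```python
import random
from dataclasses import dataclass

DAY = 24 * 3600  # seconds in one day


def hms(text):
    """Convert 'HH:MM:SS' to seconds since 00:00:00."""
    h, m, s = (int(part) for part in text.split(":"))
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= s < 60):
        raise ValueError(f"not a time of day: {text!r}")
    return h * 3600 + m * 60 + s


@dataclass(frozen=True)
class PresetPeriod:
    """One preset period: a busy window and the idle window paired with it."""
    busy_start: int
    busy_end: int
    idle_start: int
    idle_end: int

    def __post_init__(self):
        # Simplification of this sketch: no window spans midnight.
        if not (self.busy_start < self.busy_end and self.idle_start < self.idle_end):
            raise ValueError("windows must not span midnight")
        # The page requires the busy period to be shorter than the idle period.
        if self.busy_end - self.busy_start >= self.idle_end - self.idle_start:
            raise ValueError("busy period must be shorter than idle period")
        # A session moved out of the busy window must not land back inside it.
        if not (self.idle_end <= self.busy_start or self.idle_start >= self.busy_end):
            raise ValueError("idle window overlaps busy window")

    def in_busy(self, time_of_day):
        return self.busy_start <= time_of_day < self.busy_end


# Constructed stand-in for Table 1. From the page: busy period 1 ends 09:00:00,
# idle period 1 is 10:00:00-12:00:00, idle period 2 is 00:30:00-04:30:00.
# Assumed: busy period 1 starts 08:00:00; busy period 2 is 20:00:00-22:00:00,
# chosen so that the page's 21:00:00 pre-offline time falls inside it.
PERIODS = [
    PresetPeriod(hms("08:00:00"), hms("09:00:00"), hms("10:00:00"), hms("12:00:00")),
    PresetPeriod(hms("20:00:00"), hms("22:00:00"), hms("00:30:00"), hms("04:30:00")),
]


def second_auth_duration(pre_offline, point, busy_end):
    """Second authorization duration in seconds; arguments are times of day."""
    first = point              # time point -> 00:00:00
    second = pre_offline       # pre-offline time -> 00:00:00
    third = DAY - pre_offline  # pre-offline time -> end of day (assumed rounding)
    if point > busy_end:
        return first - second  # idle point is later on the same day
    return third + first       # idle point is on the following day


def authorize(auth_time, first_duration, periods=PERIODS, pick=None):
    """Return (granted_seconds, idle_point or None).

    auth_time is in seconds counted from a local midnight (assumption).
    pick is a hypothetical hook that chooses the idle time point; the
    default draws it uniformly from the idle window.
    """
    time_of_day = (auth_time + first_duration) % DAY  # pre-offline time
    for period in periods:
        if period.in_busy(time_of_day):
            point = pick(period) if pick else random.randint(
                period.idle_start, period.idle_end)
            if not period.idle_start <= point <= period.idle_end:
                raise ValueError("time point outside the idle window")
            extra = second_auth_duration(time_of_day, point, period.busy_end)
            return first_duration + extra, point
    return first_duration, None  # S300: grant the first duration unchanged


def lands_at(auth_time, granted):
    """Time of day at which a session with this grant times out."""
    return (auth_time + granted) % DAY


if __name__ == "__main__":
    a = authorize(hms("07:05:00"), 3600, pick=lambda p: hms("11:30:00"))
    b = authorize(hms("20:00:00"), 3600, pick=lambda p: hms("00:41:55"))
    print("user A:", a, "user B:", b)
```

Checking `lands_at(auth_time, granted)` against the chosen time point is a quick way to confirm that a configured set of periods really moves the timeout into the idle window before it is deployed.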
The present application analyzes the user's pre-offline time and modifies the user's authorization duration based on it, so that users who would otherwise go offline by timeout in a busy period instead go offline by timeout in an idle period. The analysis above shows that the timeout offline traffic handled by the RADIUS server is distributed fairly evenly, with similar volumes in busy and idle periods, whereas the user-requested offline traffic and other traffic handled in busy periods are heavy. By adjusting the authorization time issued by the RADIUS server, the present application moves the users who would have gone offline by timeout in a busy period to an idle period, so that the capacity the RADIUS server would have spent on timeout offline traffic in the busy period is freed for user-requested offline traffic and other traffic. On this basis, the present application reduces the volume of timeout offline traffic that the RADIUS server handles in busy periods and shifts that volume to idle periods, when the server is under less pressure, leaving the RADIUS server to handle mainly user-requested offline traffic in busy periods. This balances the pressure and the load on the RADIUS server.
At the same time, by adjusting the authorization time, the present application reduces the cases in which users with strong real-time requirements are taken offline by the RADIUS server during a busy period because their authorization time has been used up, which disconnects them. During busy periods most of these users are actively using the network, and a disconnection harms their experience and the quality of service they perceive. On this basis, the present application moves the timeout offline time of these users to an idle period, which improves their experience and the quality of service they perceive.
In the embodiments of the present application, the RADIUS server authorization apparatus may be divided into functional modules or functional units according to the method examples above. For example, each function may be assigned its own functional module or functional unit, or two or more functions may be integrated in one processing unit. The integrated modules may be implemented in hardware or as software functional modules or functional units. The division into modules or units in the embodiments of the present application is schematic and is only a division by logical function; other divisions are possible in an actual implementation.
As shown in Fig. 5, the present application provides a RADIUS server authorization apparatus, which includes:
a processing unit 201, configured to calculate the user's pre-offline time based on the user's authentication time and the first authorization duration;
the processing unit 201 is further configured to judge whether the pre-offline time falls in the busy period of at least one preset period; the first authorization duration is the authorization duration that the system has preconfigured for the user, and a preset period includes a busy period and an idle period;
a communication unit 202, configured to grant the first authorization duration to the user if the pre-offline time does not fall in the busy period of any preset period;
the communication unit 202 is further configured, if the pre-offline time falls in the busy period of a first preset period, to calculate a second authorization duration based on the idle period of the first preset period, merge the second authorization duration with the first authorization duration, and grant the merged duration to the user; the first preset period is one of the at least one preset period.
As one possible implementation, calculating the second authorization duration based on the idle period of the first preset period includes:
randomly selecting a time point from the idle period, and determining the second authorization duration based on the time point and the pre-offline time.
As one possible implementation, determining the second authorization duration based on the time point and the pre-offline time includes:
calculating the duration from the time point to a first preset time point to obtain a first calculated duration;
calculating the duration from the pre-offline time to the first preset time point to obtain a second calculated duration;
calculating the duration from the pre-offline time to a second preset time point as a third calculated duration, and judging whether the time point is later than the end time of the busy period in which the pre-offline time falls;
if the time point is later than the end time of the busy period in which the pre-offline time falls, the second authorization duration equals the first calculated duration minus the second calculated duration;
if the time point is not later than the end time of the busy period in which the pre-offline time falls, the second authorization duration equals the third calculated duration plus the first calculated duration.
As one possible implementation, the processing unit 201 is further configured to obtain the at least one preset period from at least one of the RADIUS server's historical traffic and historical load, where the busy period in a preset period is shorter than the idle period in that preset period.
When implemented in hardware, the communication unit 202 in the embodiments of the present application may be integrated in a communication interface, and the processing unit 201 may be integrated in a processor. A specific implementation is shown in Fig. 6.
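Fig. 6 shows another possible structure of the RADIUS server authorization apparatus of the above embodiments. The RADIUS server authorization apparatus includes a processor 302 and a communication interface 303. The processor 302 controls and manages the actions of the RADIUS server authorization apparatus, for example by executing the steps executed by the processing unit 201 above and/or other processes of the techniques described herein. The communication interface 303 supports communication between the RADIUS server authorization apparatus and other network entities, for example by executing the steps executed by the communication unit 202 above. The RADIUS server authorization apparatus may further include a memory 301 and a bus 304; the memory 301 stores the program code and data of the RADIUS server authorization apparatus.
The memory 301 may be a memory in the RADIUS server authorization apparatus or the like. It may include volatile memory, such as random access memory; it may also include non-volatile memory, such as read-only memory, flash memory, a hard disk or a solid-state drive; it may also include a combination of these kinds of memory.
The processor 302 may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of the present application. The processor may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination of these. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The bus 304 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 304 may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration it is drawn as a single thick line in Fig. 6, which does not mean that there is only one bus or one type of bus.
Fig. 7 is a schematic structural diagram of a chip 170 provided by an embodiment of the present application. The chip 170 includes one or more (including two) processors 1710 and a communication interface 1730.
Optionally, the chip 170 further includes a memory 1740, which may include read-only memory and random access memory and provides operating instructions and data to the processor 1710. Part of the memory 1740 may also include non-volatile random access memory (NVRAM).
In some implementations, the memory 1740 stores the following elements: execution modules or data structures, or a subset of them, or an extended set of them.
In the embodiments of the present application, the corresponding operation is executed by calling the operating instructions stored in the memory 1740 (the operating instructions may be stored in the operating system).
The processor 1710 may implement or execute the various exemplary logical blocks, units and circuits described in connection with the disclosure of the present application. The processor may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination of these. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The memory 1740 may include volatile memory, such as random access memory; it may also include non-volatile memory, such as read-only memory, flash memory, a hard disk or a solid-state drive; it may also include a combination of these kinds of memory.
The bus 1720 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 1720 may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration it is drawn as a single line in Fig. 7, which does not mean that there is only one bus or one type of bus.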
From the description of the above implementations, those skilled in the art will clearly understand that, for convenience and brevity of description, only the division into the functional modules above is used as an example. In practice, the functions may be assigned to different functional modules as needed; that is, the internal structure of the apparatus may be divided into different functional modules to perform all or part of the functions described above. For the specific working process of the system, apparatus and units described above, refer to the corresponding process in the foregoing method embodiments; it is not repeated here.
An embodiment of the present application provides a computer program product containing instructions which, when the computer program product runs on a computer, cause the computer to execute the RADIUS server authorization method of the above method embodiments.
An embodiment of the present application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the RADIUS server authorization method in the method flow shown in the above method embodiments.
The computer-readable storage medium may be, for example but without limitation, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection with one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), a register, a hard disk, optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or any other form of computer-readable storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may also be a component of the processor. The processor and the storage medium may be located in an application-specific integrated circuit (ASIC). In the embodiments of the present application, a computer-readable storage medium may be any tangible medium that contains or stores a program, and the program may be used by or in combination with an instruction execution system, apparatus or device.
An embodiment of the present invention provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the RADIUS server authorization method described in Fig. 2 and Fig. 4.
Because the RADIUS server authorization apparatus, computer-readable storage medium and computer program product in the embodiments of the present invention can be applied to the above method, the technical effects they achieve can also be found in the above method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit.
The above are only specific implementations of the present application, but the scope of protection of the present application is not limited to them. Any change or replacement within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. The scope of protection of the present application is therefore determined by the scope of protection of the claims.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211685594.5A CN116248341A (en) | 2022-12-27 | 2022-12-27 | RADIUS server authorization method, device and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211685594.5A CN116248341A (en) | 2022-12-27 | 2022-12-27 | RADIUS server authorization method, device and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116248341A true CN116248341A (en) | 2023-06-09 |
Family
ID=86625164
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211685594.5A Pending CN116248341A (en) | 2022-12-27 | 2022-12-27 | RADIUS server authorization method, device and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116248341A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |