
CN1681243B - Method for realizing user authentication of wide-band network special bus - Google Patents


Info

Publication number: CN1681243B
Authority: CN (China)
Application number: CN 200410033120
Other languages: Chinese (zh)
Other versions: CN1681243A (en)
Inventor: 龚敏聪
Assignee (current and original): Huawei Technologies Co Ltd
Legal status: Expired - Fee Related
Prior art keywords: authentication, port, individual line, line subscriber, broadband access
Classification: Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a method for authenticating leased line users of a broadband network. It applies to a broadband access system that includes at least a broadband access server and an authentication server, where the broadband access server has a leased line port for connecting leased line users. The method comprises the steps of: configuring the leased line port in fast authentication mode and constructing an account generation policy; the broadband access server generating an authentication account according to that policy and sending an authentication request to the authentication server; and the authentication server parsing the authentication request, authenticating the account to determine whether the leased line user is allowed to go online, and returning the authentication result. The invention is highly general, easy to extend and incurs no additional cost.

Description

A Method for Realizing Broadband Network Leased Line User Authentication

Technical field

The invention relates to broadband network technology, and in particular to a method for authenticating users in a broadband network.

Background

With the development of information technology, broadband networks, which feature high bandwidth, wide coverage and diverse access methods, have received increasing attention and attracted more and more users.

At present, broadband network users can be divided into two categories: dial-up users and leased line users. Leased line users are users who access the broadband network through a Layer 2 leased line port. Generally, a Layer 2 leased line port is a physical or logical port through which Layer 2 leased line users are connected, such as an Ethernet port, a permanent virtual circuit (PVC, Permanent Virtual Circuit) or a virtual local area network (VLAN, Virtual Local Area Network). Ethernet ports include GE (Gigabit Ethernet) optical ports and FE (Fast Ethernet) electrical/optical ports. A permanent virtual circuit supports IPOEOA (IP over Ethernet over ATM) users, while Ethernet ports and VLANs support IPOE (IP over Ethernet) users.

Authentication and accounting policies differ by user type. Since leased line users are generally long-term online users such as enterprise group customers, one prior art method assigns them static IP addresses: the leased line user goes online directly after powering up and is charged a flat monthly fee. The drawback of this method is that leased line users are neither authenticated nor managed, and usage cannot be measured or billed according to actual traffic.

Another prior art method for managing leased line users is binding: the user's VLAN ID, MAC address (network card address), IP address (Internet Protocol address) and other attributes are bound together and reported by the broadband access server to the authentication server, which authenticates the user and decides from these attributes whether the user is legitimate. VLAN port binding handles the management of leased line users' Internet access well: by binding the user's VLAN ID, MAC address and IP address, the broadband access server can safeguard the network (for example against address theft and users interfering with one another), collect statistics, and accurately determine when and where a user goes online so as to bill by traffic or duration.

However, this prior art has shortcomings: a separate proprietary protocol must be developed between the broadband access server and the authentication server to carry the user attributes and to authenticate the user from them. This limits its generality, so it cannot be used with a third-party authentication server and is difficult to extend; it also adds cost.

Summary of the invention

In view of this, the technical problem solved by the present invention is to provide a general method for authenticating broadband network leased line users that is easy to extend and does not add cost.

To this end, the technical solution of the present invention is a method for authenticating broadband network leased line users, applied to a broadband access system that includes at least a broadband access server and an authentication server, the broadband access server having a leased line port for connecting leased line users; the method comprises the steps of:

1) configuring the leased line port in fast authentication mode and constructing an account generation policy, where the leased line port is a physical or logical port through which the broadband access server provides Layer 2 access;

2) the broadband access server, acting as a client of the authentication server, generating an authentication account according to the account generation policy and sending an authentication request to the authentication server;

3) the authentication server parsing the authentication request, authenticating the authentication account to determine whether the leased line user is allowed to go online, and returning the authentication result;

Step 1) comprises configuring the leased line port in static or dynamic fast authentication mode and at the same time specifying the account generation policy of that port. The port is configured in port mode with a command that sets the authentication method of the leased line users, where:

when the leased line port is configured in static fast authentication mode, the command includes a keyword indicating that the port is configured as a Layer 2 leased line port requiring authentication, a keyword specifying the authentication account of the leased line port, and a keyword indicating the password; when the leased line port is configured in dynamic fast authentication mode, the command includes a keyword indicating that the port is configured as a Layer 2 leased line port requiring authentication of leased line users, a keyword indicating that authentication is performed from the leased line user's information when the user goes online, and a keyword indicating the authentication password of the leased line user.

After step 3), when authentication has passed, the broadband access server sends an accounting start request to the authentication server.

The account generation policy either designates an authentication account for the leased line port or constructs an internal account from the leased line user's information.

The leased line user's information includes the IP address, MAC address, VLAN and/or PVC.

When the leased line port is configured in static fast authentication mode, in step 2) the broadband access server generates an authentication account and password according to the account generation policy and sends an authentication request to the authentication server.

When authentication has passed, the broadband access server allows the leased line users on that port to go online, and all traffic of all leased line users on the port is accumulated against the port.

When the leased line port is configured in dynamic fast authentication mode, in step 2) the broadband access server, on detecting a leased line user's request to go online, constructs a corresponding internal account for that user according to the configured account generation policy and initiates an authentication request to the authentication server.

After step 3), when authentication has passed, the broadband access server allows the leased line user to access the network, sends an accounting start request to the authentication server and starts accounting for that user, and only initiates an accounting stop request when it detects that the user has gone offline.

Before step 2), account information is established on the authentication server.

When establishing the account information, the authentication server records the corresponding IP address or IP segment under the leased line user's account.

Compared with the prior art, the beneficial effects of the present invention are as follows. First, because the leased line port is configured in fast authentication mode with a specified account generation policy, the broadband access server automatically generates an authentication account, either for the port or when it detects a leased line user's request to go online, and sends an authentication request to the authentication server; no separate proprietary protocol between the broadband access server and the authentication server is needed, third-party authentication servers can be used, and generality and extensibility are greatly improved. Second, leased line users are authenticated while the authentication process is hidden from them, which makes going online simpler. Third, the duration and traffic of leased line ports and leased line users can be measured precisely, allowing flexible accounting policies. Finally, by choosing static or dynamic fast authentication, leased line users can be managed individually or as a group; the account generation policy can be fixed or constructed from the leased line user's information. In addition, since no separate proprietary protocol needs to be developed, no extra cost is incurred.

Description of drawings

Fig. 1 is a schematic diagram of a broadband access system;

Fig. 2 is a flow chart of the method of the present invention for authenticating broadband network leased line users;

Fig. 3 is a flow chart of an embodiment of the present invention using static fast authentication;

Fig. 4 is a flow chart of an embodiment of the present invention using dynamic fast authentication.

Detailed description

Referring to Fig. 1, the method of the present invention for authenticating broadband network leased line users is applied to a broadband access system comprising an authentication server 110, a broadband access server 120, a switch 130 and user terminals 140.

The authentication server 110 provides authentication, authorization and accounting for leased line users and is also known as a RADIUS (Remote Authentication Dial-In User Service) server. It comprises a user authentication management module, which restricts leased line users to legitimate use of the network and, together with the broadband access server, establishes a one-to-one correspondence between leased line user, IP address and time period; a user account management module for managing user accounts; an accounting module for billing leased line users; and a database for storing authentication accounts and password information.

The broadband access server 120 is indispensable for authenticating and billing leased line users; it acts as a client of the authentication server 110 and passes the leased line users' authentication and accounting information to the authentication server 110.

The broadband access server 120 has leased line ports (not shown), that is, the physical or logical ports through which leased line users are connected, including Ethernet ports ETH_PORT (FE/GE), PVCs, VLANs and other physical or logical ports providing Layer 2 access, on which the fast authentication mode is configured. The broadband access server 120 stores the account generation policy configured for each leased line port.

The switch 130 includes a DSLAM (Digital Subscriber Line Access Multiplexer), a LAN switch and the like, and provides the leased line users' access.

The present invention achieves fast authentication of leased line users by mapping a leased line port to an authentication account, or by mapping each leased line user on a leased line port to an internal account. Fast authentication means that the leased line user must be authenticated but does not have to enter an authentication account and password explicitly; instead the broadband access server 120 automatically generates the authentication account and password and initiates an authentication request to the authentication server 110, and the leased line user is allowed to access the network once authentication passes. Leased line users are therefore authenticated while the authentication process is hidden from them, which makes going online simpler.

On this basis, the broadband access server 120 may also send an accounting start request to the authentication server 110 to start accounting for the leased line user and record the user's duration and traffic precisely. Of course, leased line users may also be billed in other ways, such as a flat monthly fee.

Referring to Fig. 2, the flow of the method of the present invention for authenticating broadband network leased line users comprises:

1) configuring the leased line port in fast authentication mode and constructing an account generation policy;

2) the broadband access server generating an authentication account according to the account generation policy and sending an authentication request to the authentication server;

3) the authentication server parsing the authentication request, authenticating the authentication account to determine whether the leased line user is allowed access, and returning the authentication result.

The fast authentication mode of step 1) can be divided into static fast authentication mode and dynamic fast authentication mode.

In static fast authentication mode, when a leased line port is configured in static fast authentication mode in step 1), its account generation policy designates a fixed authentication account and password for that port. As soon as the broadband access server has stored the account generation policy it performs step 2): it automatically generates the authentication account from the leased line port and initiates a single authentication request to the authentication server on behalf of all leased line users on that port.

Static fast authentication allows the traffic of a leased line port to be measured accurately: once a leased line port has passed authentication, leased line users on that port go online directly without further authentication, but all traffic of all leased line users on the port is accumulated against the port and handled as a single leased line user. Leased line port types supported by static fast authentication include, but are not limited to, FE, GE, PVC and VLAN; the user connection types that can be accessed on these ports include IPOEOA and IPOE.

In dynamic fast authentication mode the object of fast authentication is an individual leased line user on a leased line port. When a leased line port is configured in dynamic fast authentication mode in step 1), the broadband access server does not initiate authentication immediately; only when it detects a leased line user coming online on that port does it, in step 2), automatically generate a corresponding internal account for that user according to the specific account generation policy and initiate an authentication request to the authentication server.

When authentication has passed, the leased line user is allowed access and an accounting start request is sent to the authentication server to start accounting for that user; the accounting stop request is initiated only when the user is detected going offline.

Dynamic fast authentication allows precise duration and/or traffic accounting for each leased line user or user group on a leased line port. It supports user types such as IPOEOA and IPOE.

To aid understanding of the method of the present invention for authenticating broadband network leased line users, the invention is further described below with reference to embodiments.

Referring to Fig. 3, which is a flow chart of an embodiment of the present invention using static fast authentication.

First, in step S1, a leased line port is configured in static fast authentication mode and the specific account generation policy of that port is specified.

In this embodiment the configuration is done in port mode with the command

    L2-acc-policy
    by-port username <username>
    [password <password>]

which sets the authentication method of the leased line users. L2-acc-policy is the keyword indicating that the port is configured as a Layer 2 leased line port requiring authentication; by-port username is the keyword specifying the port-based authentication account; password is optional and gives the password.

As soon as a leased line port has been configured in static fast authentication mode, step S2 is performed: the broadband access server automatically generates an authentication account and password from the leased line port according to the account generation policy, initiates an authentication request to the authentication server and uploads the authentication account and password.

In step S3 the authentication server checks the authentication account and password, queries its database for a matching authentication account and decides whether authentication passes. If it passes, step S4 is performed: an authentication success response is sent to the broadband access server and the flow proceeds to step S5. If it fails, the flow proceeds to step S7.

In step S5 the broadband access server allows the leased line users of the port to access the network, initiates an accounting start request to the authentication server to start accounting for the port, and periodically collects the port's traffic statistics and reports them to the authentication server. Note that once a leased line port has passed authentication, leased line users on that port go online directly without further authentication, but all traffic of all leased line users on the port is accumulated against the port and handled as a single leased line user; the broadband access server ensures that the traffic counted for the port is the sum of the traffic of all online users on that port, uplink and downlink included.

In step S6, as soon as the leased line port no longer operates in static fast authentication mode, that is, the port's authentication method is cancelled in port mode with the command no L2-acc-policy, accounting for the port ends immediately and the broadband access server sends an accounting stop request to the authentication server.

In step S7 the authentication server sends an authentication failure response to the broadband access server and the flow proceeds to step S8.

In step S8 the broadband access server refuses to let the leased line users of that port go online.

Referring to Fig. 4, which is a flow chart of an embodiment of the present invention using dynamic fast authentication.

First, in step D1, a leased line port is configured in dynamic fast authentication mode and the specific account generation policy of that port is specified; the account generation policy defines which of the leased line user's information the authentication account is constructed from and how.

In this embodiment the configuration is done in port mode with the command

    L2-acc-policy
    {by-userip [mask <mask>] [prefix <prefix>] [surfix <surfix>]
    [password <password>]

which sets the authentication method of the leased line users. L2-acc-policy is the keyword indicating that the port is configured as a Layer 2 leased line port requiring authentication of leased line users; by-userip is the keyword indicating that authentication is performed from the leased line user's IP address when the user goes online. The authentication account of the leased line user can be generated in several ways: mask specifies that the user's IP address is ANDed with <mask>, prefix adds the prefix <prefix> in front of the user's IP address, and surfix adds the suffix <surfix> after it; the three can be combined for flexible account construction. The password keyword and the item following it give the authentication password of the leased line user.

For example, suppose a leased line port has IP address 10.11.128.1 and subnet mask 255.255.255.0, and the following fast authentication mode is configured on the port:

    L2-acc-policy
    by-userip mask 255.255.255.248 prefix gd- surfix @163
    password 0 szdx

With this configuration, the user authentication accounts that may be generated on the port include "gd-10.11.128.8@163", "gd-10.11.128.16@163", "gd-10.11.128.24@163", "gd-10.11.128.32@163" and so on; if a leased line user on the port has IP address 10.11.128.10, that user's fast authentication account is "gd-10.11.128.8@163".

Other account generation policies are essentially similar and can generate accounts dynamically from other user information, such as the MAC address, VLAN or PVC, for example:

    L2-acc-policy
    {|by-mac [prefix <prefix>] [surfix <surfix>]
    |by-vlan [prefix <prefix>] [surfix <surfix>]
    |by-vpivci [prefix <prefix>] [surfix <surfix>]}
    [password <password>]

Once a leased line port has been configured in Layer 2 dynamic fast authentication mode, all user connections on that port go online automatically through fast authentication.
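The account construction described above, carried through on both sides of the exchange, as an added Python example that is not code from the patent or from Huawei: the broadband access server builds the account from the port policy (by-userip with the page's sample values, plus by-mac, by-vlan and by-vpivci), and the authentication server checks the account, the password, and that the user's address lies in the IP segment recorded under the account. The policy dictionary, the MAC normalisation, the vpi/vci notation and the server database are assumptions of this example.

```python
import hmac
import ipaddress
import re

# Constructed policy mirroring the page's sample command (an assumption of this
# example, not the product's configuration format):
#   L2-acc-policy by-userip mask 255.255.255.248 prefix gd- surfix @163 password 0 szdx
SAMPLE_POLICY = {"mode": "by-userip", "mask": "255.255.255.248",
                 "prefix": "gd-", "surfix": "@163", "password": "szdx"}


def account_by_userip(user_ip, mask=None, prefix="", surfix=""):
    """by-userip: AND the user's IP with <mask> (if given), then add prefix/suffix."""
    addr = int(ipaddress.IPv4Address(user_ip))
    if mask is not None:
        addr &= int(ipaddress.IPv4Address(mask))
    return f"{prefix}{ipaddress.IPv4Address(addr)}{surfix}"


def account_by_mac(mac, prefix="", surfix=""):
    """by-mac: the lowercase colon-separated canonical form is an assumption."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return prefix + ":".join(digits[i:i + 2] for i in range(0, 12, 2)) + surfix


def account_by_vlan(vlan_id, prefix="", surfix=""):
    """by-vlan: the decimal VLAN ID between prefix and suffix."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return f"{prefix}{vlan_id}{surfix}"


def account_by_vpivci(vpi, vci, prefix="", surfix=""):
    """by-vpivci: the 'vpi/vci' notation is an assumption of this example."""
    return f"{prefix}{vpi}/{vci}{surfix}"


def build_account(policy, user):
    """Broadband access server side (step D3): construct the internal account
    for a user (a dict of the user's information) from the port's policy."""
    p, s = policy.get("prefix", ""), policy.get("surfix", "")
    mode = policy["mode"]
    if mode == "by-userip":
        return account_by_userip(user["ip"], policy.get("mask"), p, s)
    if mode == "by-mac":
        return account_by_mac(user["mac"], p, s)
    if mode == "by-vlan":
        return account_by_vlan(user["vlan"], p, s)
    if mode == "by-vpivci":
        return account_by_vpivci(user["vpi"], user["vci"], p, s)
    raise ValueError(f"unknown account generation mode: {mode}")


# Constructed authentication-server database, provisioned in advance according
# to the policy: account -> (password, IP segment recorded under the account).
AUTH_DB = {
    "gd-10.11.128.8@163": ("szdx", "10.11.128.8/29"),
    "gd-10.11.128.16@163": ("szdx", "10.11.128.16/29"),
}


def authenticate(account, password, user_ip, db=AUTH_DB):
    """Authentication server side (step D4): the account must exist, the
    password must match, and the user's IP must fall in the segment recorded
    under the account, so a request whose account does not belong to the
    user's address (misconfiguration or a forged request) is rejected."""
    entry = db.get(account)
    if entry is None:
        return False
    stored_pw, segment = entry
    if not hmac.compare_digest(stored_pw, password):
        return False
    return ipaddress.IPv4Address(user_ip) in ipaddress.IPv4Network(segment)


def fast_auth(policy, user, db=AUTH_DB):
    """The whole D3/D4 exchange: the BAS builds the account, the server decides."""
    account = build_account(policy, user)
    return account, authenticate(account, policy["password"], user["ip"], db)


if __name__ == "__main__":
    acct, ok = fast_auth(SAMPLE_POLICY, {"ip": "10.11.128.10"})
    print(acct, "allowed" if ok else "rejected")
```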

Step D2: the broadband access server watches for online requests from leased-line users; when it detects one, it proceeds to step D3.

Step D3: the broadband access server automatically constructs the corresponding internal account for the leased-line user according to the configured account generation policy and sends an authentication request to the authentication server.

Step D4: the authentication server checks the internal account by querying its database for a matching entry and decides whether authentication passes. If it passes, step D5 is performed: the server sends an authentication success response to the broadband access server, and the flow continues with step D6. If it fails, the flow continues with step D8.

Step D6: the broadband access server allows the leased-line user to come online normally and then sends an accounting start request to the authentication server, starting accounting for that user.

Step D7: when the broadband access server detects that the leased-line user has gone offline, it ends accounting for that user immediately and sends an accounting stop request to the authentication server.

Step D8: the authentication server sends an authentication failure response to the broadband access server, and the flow continues with step D9.

Step D9: the broadband access server refuses to let the leased-line user come online.

In addition, when a leased-line port stops operating in dynamic fast authentication mode, or the port is deleted, the broadband access server logs off all online users on that port and ends their accounting.

Note that the method requires the authentication server to have correct account and password entries created in its database in advance, following the configured account generation policy, for every leased-line port or leased-line user that is to use fast authentication.

Furthermore, where the authentication server is to bind a leased-line user's IP address to that user's internal account, the server must record the corresponding IP address or IP network segment under the account and verify that the user's IP address is valid when the user comes online.
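As an added example that is not code from the patent, the following Python model runs the configuration example above and steps D2 to D9 end to end, including the IP-address binding check just described: the broadband access server side derives the internal account from the user's masked IP, MAC, VLAN or PVC, the authentication server side checks it against pre-provisioned accounts and an optional IP segment binding, and accounting starts and stops with the session. The class and function names (AccPolicy, Session, AuthServer, LeasedLinePort, build_account, demo), the MAC-keyed account and its 10.11.129.0/29 binding, and the key formats for MAC and VPI/VCI are assumptions made for the illustration; the page does not specify them.

```python
# Added example (not the patent's code); every name below is an illustrative assumption.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccPolicy:                   # the port's L2-acc-policy
    mode: str                      # by-userip | by-mac | by-vlan | by-vpivci
    prefix: str = ""
    suffix: str = ""
    mask: str = "255.255.255.255"  # only used by by-userip
    password: str = ""             # one password shared by every account the port generates


@dataclass
class Session:                     # what the BAS knows when an online request arrives
    ip: str
    mac: str = ""
    vlan: int = 0
    pvc: str = ""                  # ATM "vpi/vci"


def build_account(policy, sess):
    """Step D3: by-userip masks the address so a whole subnet shares one account;
    the other modes key on the MAC, the VLAN ID or the ATM VPI/VCI."""
    if policy.mode == "by-userip":
        key = str(ipaddress.IPv4Network((sess.ip, policy.mask), strict=False).network_address)
    else:
        key = {"by-mac": sess.mac.lower().replace(":", "").replace("-", ""),
               "by-vlan": str(sess.vlan),
               "by-vpivci": sess.pvc.replace("/", "-")}[policy.mode]
    return f"{policy.prefix}{key}{policy.suffix}"


@dataclass
class AuthServer:
    """accounts: account -> (password, bound IPv4Network or None), provisioned in advance."""
    accounts: dict
    online: set = field(default_factory=set)   # (account, ip) pairs being accounted
    def authenticate(self, account, password, user_ip):
        """Step D4: account provisioned, password matches, IP inside any binding."""
        rec = self.accounts.get(account)
        if rec is None or rec[0] != password:
            return False
        return rec[1] is None or ipaddress.IPv4Address(user_ip) in rec[1]

    def acct_start(self, account, ip):
        self.online.add((account, ip))

    def acct_stop(self, account, ip):
        self.online.discard((account, ip))


class LeasedLinePort:              # BAS side, dynamic fast authentication mode
    def __init__(self, policy, server):
        self.policy, self.server, self.users = policy, server, {}   # users: ip -> account

    def user_online(self, sess):
        """Steps D3..D9: build the account, authenticate, then admit or refuse."""
        account = build_account(self.policy, sess)
        if not self.server.authenticate(account, self.policy.password, sess.ip):
            return False                   # D8/D9: failure response, user refused
        self.users[sess.ip] = account      # D5/D6: admitted, accounting starts
        self.server.acct_start(account, sess.ip)
        return True

    def user_offline(self, sess):
        """Step D7: accounting stops as soon as the user goes offline."""
        account = self.users.pop(sess.ip, None)
        if account is not None:
            self.server.acct_stop(account, sess.ip)

    def teardown(self):
        """Port leaves fast authentication mode or is deleted: log everyone off."""
        for ip, account in self.users.items():
            self.server.acct_stop(account, ip)
        count, self.users = len(self.users), {}
        return count


def demo():
    """The page's port (10.11.128.1/24, /29 accounts, password szdx) plus a MAC-keyed port."""
    server = AuthServer({
        "gd-10.11.128.8@163": ("szdx", ipaddress.IPv4Network("10.11.128.8/29")),
        "gd-00e0fc123456@163": ("szdx", ipaddress.IPv4Network("10.11.129.0/29")),
    })
    ip_port = LeasedLinePort(AccPolicy("by-userip", "gd-", "@163", "255.255.255.248", "szdx"), server)
    mac_port = LeasedLinePort(AccPolicy("by-mac", "gd-", "@163", password="szdx"), server)
    mac = "00:E0:FC:12:34:56"
    out = {
        "ok_user": ip_port.user_online(Session("10.11.128.10")),       # -> gd-10.11.128.8@163
        "no_account": ip_port.user_online(Session("10.11.128.200")),   # gd-10.11.128.200@163 not provisioned
        "mac_ok": mac_port.user_online(Session("10.11.129.2", mac=mac)),
        "mac_wrong_ip": mac_port.user_online(Session("10.11.129.50", mac=mac)),  # outside 10.11.129.0/29
    }
    ip_port.user_offline(Session("10.11.128.10"))
    out["online_after_offline"] = len(server.online)   # only the MAC user remains
    out["torn_down"] = mac_port.teardown()
    return out
```

demo() exercises both ways a request is refused: an account the server never provisioned (10.11.128.200 masks to gd-10.11.128.200@163, which is not in the database) and a provisioned account whose user arrives from an address outside its bound segment. It also shows the port-level teardown ending accounting for everyone still online on the port.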

The above describes only a preferred embodiment of the invention. It should be pointed out that persons of ordinary skill in the art can make a number of improvements and refinements without departing from the principle of the invention, and such improvements and refinements are also to be regarded as falling within the protection scope of the invention.

Claims (10)

1. A method for realizing broadband network leased-line user authentication, applied to a broadband access system comprising at least a broadband access server and an authentication server, the broadband access server having a leased-line port for connecting leased-line users, characterized in that it comprises the steps of:
1) configuring the leased-line port in fast authentication mode and constructing an account generation policy, wherein the leased-line port is a physical port or logical port through which the broadband access server provides Layer 2 access;
2) the broadband access server, acting as a client of the authentication server, generating an authentication account according to the account generation policy and sending an authentication request to the authentication server;
3) the authentication server parsing the authentication request, authenticating the authentication account to determine whether the leased-line user is allowed to come online, and returning the authentication result;
wherein step 1) comprises configuring the leased-line port in static or dynamic fast authentication mode and at the same time specifying the particular account generation policy of that port; the configuration procedure of the leased-line port comprises configuring the authentication mode of leased-line users with a command in port mode, wherein
when the leased-line port is configured in static fast authentication mode, the command comprises a keyword indicating that the port is configured as a Layer 2 leased-line port that requires authentication, a keyword specifying the authentication account of the leased-line port, and a keyword indicating the password; and when the leased-line port is configured in dynamic fast authentication mode, the command comprises a keyword indicating that the port is configured as a Layer 2 leased-line port on which leased-line users are to be authenticated, a keyword indicating that authentication is performed according to the leased-line user's information when the user comes online, and a keyword indicating the authentication password of the leased-line user.
2. The method of claim 1, characterized in that after step 3), once authentication passes, the broadband access server sends an accounting start request to the authentication server.
3. The method of claim 1, characterized in that the account generation policy is either an authentication account specified for the leased-line port itself, or an internal account constructed from the leased-line user's information.
4. The method of claim 3, characterized in that the leased-line user's information comprises IP address, MAC address, VLAN and/or PVC.
5. The method of claim 1 or 2, characterized in that when the leased-line port is configured in static fast authentication mode, in step 2) the broadband access server generates the authentication account and password according to the account generation policy and sends the authentication request to the authentication server.
6. The method of claim 5, characterized in that after authentication passes, the broadband access server allows the leased-line users on that port to come online, and all traffic of all leased-line users on the port is accumulated to the port.
7. The method of claim 1, characterized in that when the leased-line port is configured in dynamic fast authentication mode, in step 2), upon detecting an online request from a leased-line user, the broadband access server constructs the corresponding internal account for that user according to the configured account generation policy and initiates an authentication request to the authentication server.
8. The method of claim 7, characterized in that after step 3), once authentication passes, the broadband access server allows the leased-line user to access the network, sends an accounting start request to the authentication server and starts accounting for the user, and only initiates an accounting stop request when it detects that the user has gone offline.
9. The method of claim 1, characterized in that before step 2) it further comprises creating the account on the authentication server.
10. The method of claim 9, characterized in that when creating the account, the authentication server records the corresponding IP address or IP network segment under the leased-line user's account.
Application CN 200410033120 (priority date 2004-04-05, filing date 2004-04-05): Method for realizing user authentication of wide-band network special bus; granted as CN1681243B; legal status: Expired - Fee Related.


Publications (2)

Publication Number  Publication Date
CN1681243A  2005-10-12
CN1681243B  2011-06-08


Families Citing this family (2)

* Cited by examiner, † Cited by third party
CN107528928A* (priority 2016-06-20, published 2017-12-29, ZTE Corporation): Method and device for online management of leased-line users
CN109150925B* (priority 2018-11-08, published 2021-06-15, Wangsu Science & Technology Co., Ltd.): IPoE static authentication method and system

Citations (2)

* Cited by examiner, † Cited by third party
CN1423452A* (priority 2001-12-05, published 2003-06-11, 上海卓扬科技有限公司 (Shanghai Zhuoyang Technology Co., Ltd.)): Broadband access network user authentication method
CN1464682A* (priority 2002-06-24, published 2003-12-31, Huawei Technologies Co., Ltd.): Method for implementing broadband prepayment based on the authentication, authorization and accounting protocol




Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination
C14 / GR01: Patent grant (granted publication date: 2011-06-08)
CF01 / EXPY: Termination of patent right due to non-payment of annual fee (termination date: 2015-04-05)