
WO2006057489A1 - Method of processing message using regular expresion - action list and apparatus there-of - Google Patents

Info

Publication number
WO2006057489A1
Authority
WO
WIPO (PCT)
Prior art keywords
regular expression
action
attribute
message
received message
Prior art date
Legal status
Ceased
Application number
PCT/KR2005/002911
Other languages
French (fr)
Inventor
Yong Jae Lee
Sung Suk Cho
Current Assignee
TELCOWARE CO Ltd
Original Assignee
TELCOWARE CO Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • FIG. 7 is a table showing a regular expression-action list according to an embodiment of the present invention. Regular expression-action sets structured in a form "<attribute name> / <regular expression> / <action> / [<condition> (optional)]" are listed.
  • Regular expression-action sets having a higher priority order may be listed first. The function of a regular expression-action set will be described by explaining several specific regular expression-action sets.
  • The first regular expression-action set 401 functions to process a RADIUS message including a user name in a form of "*@hrpd.nate.com" in its attribute using a MyRealm processor.
  • In a second regular expression-action set 402, i.e., "User-Name / ^.*\.ezweb\.ne\.jp$ / realm:KDDIRealm /", the attribute name is "User-Name", the regular expression is "^.*\.ezweb\.ne\.jp$", the action is "realm:KDDIRealm", and there is no condition. The second regular expression-action set 402 functions to process a RADIUS message including a user name in a form of "*.ezweb.ne.jp" in its attribute using a KDDIRealm processor.
  • Processing the message using the MyRealm or KDDIRealm processor indicates that the message is processed according to the setting in the MyRealm or KDDIRealm processor. The MyRealm or KDDIRealm processor may be set such that the message is processed within a RADIUS server or that the message is sent to and processed by a particular external server.
  • In an eighth regular expression-action set 408 there are two regular expression-action sets. With respect to one regular expression-action set "Password / ^$ / setcond:NP /", the attribute name is "Password", the regular expression is "^$" and the action is "setcond:NP". This regular expression-action set functions to set a condition of NP when the attribute name "Password" is included in the attributes of a received RADIUS message and the attribute value of the "Password" is null ("").
  • With respect to the other regular expression-action set "User-Name / ^sktelecom$ / accept / NP", the attribute name is "User-Name", the regular expression is "^sktelecom$", the action is "accept" and the condition is "NP". This regular expression-action set functions to accept a user when the condition of NP has been set and the user name "sktelecom" is included in the attributes of a received RADIUS message.
  • Accordingly, the eighth regular expression-action set 408 functions to return an access-accept message when the password is null ("") and the user name is "sktelecom" in an attribute list included in the received RADIUS message.
  • The setting of the regular expression-action list may be performed before the operation of an AAA server and stored in an internal storage unit (i.e., memory) of the AAA server. It is also apparent that a regular expression-action set may be added or changed when necessary after the regular expression-action list is initially set.
  • A RADIUS message is received in operation S312. The RADIUS message may be received by a message receiver included in the AAA server.
  • The received message is decoded by a RADIUS message decoder and is converted into an attribute list form in operation S314. In other words, attributes are extracted from the received message and listed.
  • FIG. 8 illustrates the attribute list that has been extracted from the received message and changed according to an embodiment of the present invention. The attribute list includes an identifier (e.g., an attribute name), a value, etc. For a standard attribute, the name is determined by a type (251 in FIG. 3); for a vendor-specific attribute, the name is determined by a vendor-ID (256 in FIG. 4) and a vendor-type (261 in FIG. 5).
  • Each of the attributes included in the attribute list is compared with regular expression-action sets in a predetermined regular expression-action list in operations S316 through S320. In other words, it is determined whether an attribute name and value in the received message match with those in each regular expression-action set in the regular expression-action list in operations S316 through S320. If they match with each other, a function (i.e., action) set in the regular expression-action set is executed in operation S322.
  • An internal module that processes the attribute matching and the execution of the action according to the matching (operations S316 through S322) in the AAA server may be referred to as an action execution unit.
  • In operation S316, it is determined whether an attribute name in the attribute list matches with that in the regular expression-action set. In other words, it is determined whether the attribute name in the regular expression-action set is included in the attribute list in the received RADIUS message. As described above, this operation may be performed in the order of regular expression-action sets set in the regular expression-action list. In an embodiment of the present invention, it is assumed that the regular expression-action list shown in FIG. 7 is used and the attribute list extracted from the received message is the same as an attribute list 500 shown in FIG. 8. Here, it is determined whether the attribute name in the first regular expression-action set 401, i.e., "User-Name", is included in the attribute list 500. Referring to FIG. 8, the attribute list 500 includes the "User-Name".
  • When an attribute corresponding to the attribute name in the regular expression-action set is included in the attribute list 500 extracted from the received message, matching an attribute value with a regular expression is performed in operation S318. For example, it is determined whether an attribute value "hongildong@hrpd.nate.com" in the received message matches with a pattern of a regular expression in the first regular expression-action set 401. The regular expression in the first regular expression-action set 401 is "^.+@hrpd.nate.com$".
  • When the attribute value matches the regular expression, the action in the matched regular expression-action set is executed in operation S322.
  • The action has a form of a character string and may largely designate the following functions.
  • One is a routing function. The actions included in the first and second regular expression-action sets 401 and 402 in the regular expression-action list shown in FIG. 7 correspond to this routing function.
  • Another one is a message change function that designates addition, removal, and value change of an attribute. Here, a value portion may be designated using a sub-expression of the matched regular expression. The actions included in the sixth and seventh regular expression-action sets 406 and 407 in the regular expression-action list shown in FIG. 7 correspond to this message change function.
  • Still another one is a forced allow/reject function that forcedly designates the form of a response message and returns a success/fail response. The actions included in the fourth and fifth regular expression-action sets 404 and 405 in the regular expression-action list shown in FIG. 7 correspond to this forced allow/reject function.
  • Yet another one is a condition setting/canceling function that turns on or off a particular condition value in a routing processor to allow the result of a previous action to be reflected in subsequent pattern matching, thereby enabling an arbitrary logical combination of conditions. The action included in the eighth regular expression-action set 408 in the regular expression-action list shown in FIG. 7 corresponds to the condition setting/canceling function.
  • After an action is executed, the matching may not be performed any more and the message processing procedure may end. When the action is the one that sets a particular condition, however, the matching is performed with respect to a subsequent regular expression-action set in operations S316 and S318, and matching or unmatching is determined in operation S320.
  • As described above, a regular expression-action list is set and an attribute in a received message is compared with each regular expression-action set in the regular expression-action list, so that a function (i.e., an action) executed according to the entire attribute value or an arbitrary part of the attribute value can be set differently. Accordingly, a message processing function can be added or changed without a change of a program.
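The matching procedure of operations S316 through S322, as an added example that is not part of the patent and not a TELCOWARE implementation: a small Python action execution unit walks a regular expression-action list in priority order, implements the four kinds of action the text names (routing, message change with a sub-expression of the matched pattern, forced accept/reject, condition setting/canceling), and keeps matching only after a condition action. The page shows the `realm:`, `accept` and `setcond:` forms; the `clearcond:`, `set:<name>=<template>` and `del:<name>` forms, the attribute name `Matched-Realm`, the stop-after-routing behaviour and the escaped-dot reconstruction of set 402 are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RegexActionSet:
    """One entry of the list: <attribute name> / <regular expression> / <action> / [<condition>]."""
    attribute: str
    regex: str
    action: str
    condition: Optional[str] = None   # condition flag that must already be set


@dataclass
class Outcome:
    realm: Optional[str] = None       # filled by a routing action ("realm:<processor>")
    verdict: Optional[str] = None     # "accept" / "reject" from a forced allow/reject action
    conditions: Set[str] = field(default_factory=set)
    trace: List[str] = field(default_factory=list)   # actions executed, in order


def process(attrs: Dict[str, str], rules: List[RegexActionSet]) -> Outcome:
    """Action execution unit: attrs is the FIG. 8-style attribute list (name -> value)
    and is modified in place by message-change actions. Action syntax beyond
    realm:/accept/setcond: is assumed for this example."""
    out = Outcome()
    for rule in rules:                                    # list order is the priority order
        if rule.condition and rule.condition not in out.conditions:
            continue                                      # required condition not set
        if rule.attribute not in attrs:                   # S316: attribute present in message?
            continue
        m = re.search(rule.regex, attrs[rule.attribute])  # S318: value against the pattern
        if m is None:
            continue                                      # S320: unmatched, try the next set
        out.trace.append(rule.action)                     # S322: execute the action
        kind, _, arg = rule.action.partition(":")
        if kind == "setcond":                             # condition setting: keep matching
            out.conditions.add(arg)
        elif kind == "clearcond":                         # condition canceling: keep matching
            out.conditions.discard(arg)
        elif kind == "set":                               # message change: add/replace an attribute;
            name, _, template = arg.partition("=")        # the value may use sub-expressions (\1, \2)
            attrs[name] = m.expand(template)
        elif kind == "del":                               # message change: remove an attribute
            attrs.pop(arg, None)
        elif kind == "realm":                             # routing: hand over to a realm processor, stop
            out.realm = arg
            return out
        elif kind in ("accept", "reject"):                # forced allow/reject: answer and stop
            out.verdict = kind
            return out
        else:
            raise ValueError(f"unknown action {rule.action!r}")
    return out


def build_rules(strict_dots: bool = False) -> List[RegexActionSet]:
    """Sets 401, 402 and 408 from FIG. 7 plus one constructed message-change set.
    strict_dots=True escapes the dots in set 401 (defensive variant, not on the page)."""
    realm_401 = r"^.+@hrpd\.nate\.com$" if strict_dots else r"^.+@hrpd.nate.com$"
    return [
        # constructed set: copy the realm part of the user name into a new attribute
        RegexActionSet("User-Name", r"^.+@(.+)$", r"set:Matched-Realm=\1"),
        RegexActionSet("User-Name", realm_401, "realm:MyRealm"),               # set 401
        RegexActionSet("User-Name", r"^.*\.ezweb\.ne\.jp$", "realm:KDDIRealm"),  # set 402
        RegexActionSet("Password", r"^$", "setcond:NP"),                        # set 408 (a)
        RegexActionSet("User-Name", r"^sktelecom$", "accept", condition="NP"),  # set 408 (b)
    ]


if __name__ == "__main__":
    # constructed attribute lists in the form of FIG. 8
    for attrs in ({"User-Name": "hongildong@hrpd.nate.com", "Password": "pw"},
                  {"User-Name": "sktelecom", "Password": ""},
                  {"User-Name": "alice@hrpdXnateXcom"}):
        print(attrs, "->", process(dict(attrs), build_rules()))
```

Set 401 is kept exactly as the page prints it, with unescaped dots, so each `.` matches any character; the `strict_dots` variant shows why a routing rule keyed on a realm should escape them: without escaping, a user name such as `alice@hrpdXnateXcom` is routed to the MyRealm processor as well. Anchoring with `^` and `$`, as every pattern in FIG. 7 does, is what keeps a pattern from matching a realm embedded in the middle of a longer value.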
  • FIG. 9 is a table showing examples of regular expression grammar used in a regular expression-action list according to an embodiment of the present invention. Regular expressions shown in FIG. 9 are the commonly used extended regular expressions.
  • A first regular expression "^The" indicates that it matches any string that starts with "The".
  • A second regular expression "of despair$" indicates that it matches any string that ends with "of despair".
  • A third regular expression "^abc$" indicates a string that starts and ends with "abc", that is, the third regular expression may be "abc" itself.
  • Regular expressions or extended regular expressions may be used. Alternatively, specially defined regular expressions may be used.
  • As described above, messages for authentication, authorization, and accounting are processed using a list of patterns of a regular expression and corresponding actions (i.e., commands), thereby facilitating addition and change of a function.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method and apparatus for processing a message for user authentication, authorization, or accounting using a regular expression-action list are provided. The method includes setting a regular expression-action list including at least one regular expression-action set which comprises an attribute identifier, a regular expression, and action; receiving a message for user authentication, authorization, or accounting; extracting an attribute from the received message; determining whether the attribute in the received message matches with a regular expression included in the regular expression-action list; and executing an action corresponding to the matched regular expression when it is determined that the attribute in the received message matches with the regular expression in the regular expression-action list. Accordingly, a message processing function can be set, added, and changed without a change of a source code when the message for the user authentication, authorization, and accounting is processed.

Description

METHOD OF PROCESSING MESSAGE USING REGULAR EXPRESSION-ACTION LIST AND APPARATUS THEREOF
Technical Field
[1] The present invention relates to a message processing method, and more particularly, to a method of processing a message, e.g., a Remote Authentication Dial In User Service (RADIUS) message or a Diameter message, used for communication between a server and a client for authentication, authorization, accounting, etc., using a list of patterns of a regular expression and corresponding actions (execution commands).
Background Art
[2] Generally, to provide communication services to subscribers in communication networks and systems, an authentication/authorization/accounting (AAA) server that authenticates and authorizes a subscriber and processes accounting is needed. A device that requests the AAA server to perform authentication, authorization, and accounting is usually referred to as a client device. For authentication, authorization, and accounting, the client device and the AAA server usually use a RADIUS message or a Diameter message to exchange information. The AAA server and the client device based on a RADIUS protocol are referred to as a RADIUS server and a RADIUS client.
[3] Information for authentication, authorization, or accounting is contained in an attribute in a RADIUS message to be transmitted. Generally, a RADIUS server performs routing using a user name among attributes. However, when routing is performed using a user name, a conventional RADIUS server performs routing only with respect to a particular realm of an attribute value of the user name.
[4] Accordingly, to perform an additional function such as message manipulation, or routing that refers to portions of a user name other than the particular realm, which is not defined in the standard, it is necessary to modify a source code to add the function in conventional technology.
Disclosure of Invention
Technical Problem
[5] The present invention provides a method of processing a message for authentication, authorization, or accounting using a list of patterns of a regular expression and corresponding actions (i.e., execution commands), thereby allowing a function to be set, added, and changed without modification of a source code.
Technical Solution
[6] According to an aspect of the present invention, there is provided a method of processing a message for user authentication, authorization, or accounting and a recording medium for recording a program for executing the method. The method includes setting a regular expression-action list including at least one regular expression-action set which includes an attribute identifier, a regular expression, and action; receiving a message for user authentication, authorization, or accounting; extracting an attribute from the received message; determining whether the attribute in the received message matches with a regular expression included in the regular expression-action list; and executing an action corresponding to the matched regular expression when it is determined that the attribute in the received message matches with the regular expression in the regular expression-action list.
[7] The determining may include the operations of (a) determining whether an attribute corresponding to an attribute identifier included in the regular expression-action set in the regular expression-action list is included in the received message, and (b) determining whether an attribute value corresponding to the attribute identifier in the received message matches with a pattern of the regular expression in the regular expression-action set when it is determined that the attribute corresponding to the attribute identifier in the regular expression-action set matches with the received message, and operations (a) and (b) may be repeated with respect to another regular expression-action set included in the regular expression-action list according to a predetermined priority order when the attribute value in the received message does not match with the pattern of the regular expression in the regular expression-action set.
[8] The message may be based on one protocol among a Remote Authentication Dial In User Service (RADIUS) protocol and a Diameter protocol. The regular expression-action set may further include a condition that can be set or canceled.
[9] According to another aspect of the present invention, there is provided an apparatus for processing a message for user authentication, authorization, or accounting. The apparatus includes a storage unit storing a regular expression-action list including at least one regular expression-action set which comprises an attribute identifier, a regular expression, and action; a message receiver receiving a message for user authentication, authorization, or accounting; a message decoder extracting an attribute from the received message; and an action execution unit determining whether the attribute in the received message matches with a regular expression included in the regular expression- action list and executing an action corresponding to the matched regular expression when it is determined that the attribute in the received message matches with the regular expression in the regular expression-action list.
[10] Accordingly, a command is made based on a list of patterns of a regular expression and corresponding actions (commands) when processing a message for user authentication, authorization, or accounting. As a result, a message processing function can be set, added, and changed without a change of a source code.
Advantageous Effects
[11] According to the present invention, messages for authentication, authorization, and accounting are processed using a list of patterns of a regular expression and corresponding actions (i.e., commands), thereby facilitating addition and change of a function.
Brief Description of the Drawings
[12] The above and other features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:
[13] FIG. 1 is a schematic diagram illustrating a Remote Authentication Dial In User Service (RADIUS) server and a RADIUS client that use an embodiment of the present invention;
[14] FIG. 2 illustrates the structure of a RADIUS message according to an embodiment of the present invention;
[15] FIG. 3 illustrates the structure of a standard attribute;
[16] FIG. 4 illustrates the structure of a vendor-specific attribute;
[17] FIG. 5 illustrates the structure of a string;
[18] FIG. 6 is a flowchart of a method of processing a RADIUS message according to an embodiment of the present invention;
[19] FIG. 7 is a table showing a regular expression-action list according to an embodiment of the present invention;
[20] FIG. 8 illustrates an attribute list that has been extracted from a received RADIUS message and changed according to an embodiment of the present invention; and
[21] FIG. 9 is a table showing examples of regular expression grammar used in a regular expression-action list according to an embodiment of the present invention.
Best Mode for Carrying Out the Invention
[22] FIG. 1 is a schematic diagram illustrating a Remote Authentication Dial In User Service (RADIUS) server 100 and a RADIUS client 50 that use an embodiment of the present invention. The RADIUS client 50 and the RADIUS server 100 send and receive RADIUS messages. When the RADIUS client 50 sends an access-request message to the RADIUS server 100, the RADIUS server 100 processes the access-request message and sends an access-accept or access-reject message to the RADIUS client 50. Here, information for authorization may be transmitted together. When the RADIUS client 50 sends an accounting-request message to the RADIUS server 100, the RADIUS server 100 sends an accounting-response message to the RADIUS client 50.
[23] The RADIUS client 50 may be implemented as a Network Attached Storage (NAS), an Inter-Working Function (IWF), a Packet Data Service Node (PDSN), or an Access Network Controller (ANC).
[24] The RADIUS server 100 includes modules 110, 120, and 130 that largely perform three functions. The module 110 performs user authentication. The module 120 performs accounting. The module 130 performs a proxy function, i.e., sends a request to and acquires a response from another server for user authentication.
[25] FIGS. 2 through 5 illustrate the structure of a RADIUS message according to an embodiment of the present invention.
[26] Referring to FIG. 2, the RADIUS message includes a code field 210, an identifier field 220, a length field 230, an authenticator field 240, and an attribute field 250. The code field 210 is used to identify the RADIUS message. When a code is " 1", the RADIUS message is an access-request message. When the code is "2", the RADIUS message is an access-accept message. When the code is "3", the RADIUS message is an access-reject message. When the code is "4", the RADIUS message is an accounting-request message. When the code is "5", the RADIUS message is an accounting-response message.
[27] A single RADIUS message may include a plurality of attribute fields. FIG. 3 illustrates the structure of a standard attribute. Referring to FIG. 3, the standard attribute includes a type 251, a length 252, and a value 253.
[28] FIG. 4 illustrates the structure of a vendor-specific attribute. The vendor-specific attribute is an attribute that is optionally defined and used by a vendor, i.e., a RADIUS device developer, or a user. Referring to FIG. 4, the vendor-specific attribute includes a type 254, a length 255, a vendor-ID 256, and a string 260. The type 254 is fixed to "26". In other words, when the type 254 is "26", the attribute is the vendor-specific attribute. The vendor-ID 256 and the string 260 are fields that the vendor can independently define and use. As shown in FIG. 5, the string 260 may include a vendor-type 261, a length 262, and a value 263 in the same structure as that of the standard attribute.
[29] As is seen from FIGS. 2 through 5, the structure of a RADIUS message according to an embodiment of the present invention is the same as that of a typical RADIUS message.
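As an added illustration of the FIG. 2 through FIG. 5 layout (example code written for this page, not code from the patent or from TELCOWARE), the following Python builds a constructed Access-Request and decodes it back into the attribute-list form that the later operations work on. The standard attribute names for types 1, 2 and 4, the vendor-ID 12345 and the fixed sample authenticator are assumptions of the example; the page only says that a standard attribute's name is determined by its type and a vendor-specific attribute's name by vendor-ID and vendor-type. Every length field is checked against the enclosing structure before it is used, which is the check a decoder that feeds a pattern-matching engine needs, because the attribute lengths arrive in the datagram itself.

```python
import struct
from typing import Dict, List, Tuple

# RADIUS message codes named on the page (FIG. 2 discussion).
CODES: Dict[int, str] = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
}
# Standard attribute type -> name. Assumed RADIUS dictionary entries; the page
# only states that the name of a standard attribute is determined by its type.
STD_ATTR_NAMES: Dict[int, str] = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address"}
VENDOR_SPECIFIC = 26   # fixed type of the vendor-specific attribute (FIG. 4)
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(atype: int, value: bytes) -> bytes:
    """Standard attribute: type, length of the whole attribute, value (FIG. 3)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-specific attribute: type 26, length, vendor-ID, then a
    vendor-type/length/value string shaped like a standard attribute (FIG. 4, FIG. 5)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_message(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def decode_vsa(value: bytes) -> List[Tuple[str, bytes]]:
    """Split the vendor-specific string into attributes named by vendor-ID and vendor-type.
    The page shows one vendor-type/length/value triple; this loop also accepts several in a row."""
    if len(value) < 6:
        raise ValueError("vendor-specific attribute too short for vendor-ID and a sub-attribute")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out: List[Tuple[str, bytes]] = []
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        out.append((f"Vendor-{vendor_id}-Type-{vtype}", value[pos + 2:pos + vlen]))
        pos += vlen
    return out


def decode_message(data: bytes) -> Tuple[str, int, List[Tuple[str, bytes]]]:
    """Decode a RADIUS datagram into (message name, identifier, attribute list).
    Each length is validated against the structure that encloses it, so a malformed
    datagram raises ValueError instead of being read past its end."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if code not in CODES:
        raise ValueError(f"unknown RADIUS code {code}")
    if length < HEADER_LEN or length > len(data):
        raise ValueError("length field disagrees with the datagram size")
    attrs: List[Tuple[str, bytes]] = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:   # alen 0 or 1 would otherwise loop forever
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            attrs.extend(decode_vsa(value))
        else:
            attrs.append((STD_ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return CODES[code], identifier, attrs


# Constructed Access-Request used below. The authenticator is a fixed 16-byte
# stand-in and vendor-ID 12345 is a placeholder, not a registered enterprise number.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = build_message(
    1, 7, SAMPLE_AUTHENTICATOR,
    encode_attr(1, b"hongildong@hrpd.nate.com") + encode_vsa(12345, 1, b"hrpd"),
)

if __name__ == "__main__":
    print(decode_message(SAMPLE_REQUEST))
```

The decoded list pairs each attribute name with its raw value, which is the shape FIG. 8 describes; the value stays as bytes here because a User-Password attribute, for instance, is not printable text.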
[30] Generally, a RADIUS server performs routing using a user name among attributes included in a RADIUS message. The attribute value of the user name is largely divided into a realm and the remaining portion. For example, when a user name has the pattern of an attribute value in a form "hongildong@hrpd.nate.com", a portion behind @, i.e., "hrpd.nate.com" is the realm. The conventional RADIUS server performs routing using only the realm of the attribute value of the user name. Accordingly, to perform routing referring to other portions than the realm or perform a special function in the conventional technology, a program code needs to be modified.
[31] FIG. 6 is a flowchart of a method of processing a RADIUS message according to an embodiment of the present invention. A regular expression-action list including a plurality of regular expression-action sets is set in operation S310. Each regular expression-action set includes an attribute name, a regular expression, and an action. Each regular expression-action set may further include a condition. The attribute name is an attribute identifier for discriminating attributes from each other. An identifier other than the attribute name may be used as the attribute identifier.
[32] FIG. 7 is a table showing a regular expression-action list according to an embodiment of the present invention. Referring to FIG. 7, regular expression-action sets structured in a form "<attribute name> / <regular expression> / <action> / [< condition> (optional)]" are listed. Regular expression-action sets having a higher priority order may be listed first. The function of a regular expression-action set will be described by explaining several specific regular expression-action sets.
[33] Referring to a first regular expression-action set 401, i.e., "User-Name /^.+@hrpd.nate.com$/realm:MyRealm/", the attribute name is the "User-Name", the regular expression is "^.+@hrpd.nate.com$", the action is "realm:MyRealm", and there is no condition. The first regular expression-action set 401 functions to process a RADIUS message including a user name in a form of "*@hrpd.nate.com" in its attribute using a MyRealm processor. Referring to a second regular expression-action set 402, i.e., "User-Name /^.\.ezweb\.ne\.jp$/realm:KDDIRealm/", the attribute name is the "User-Name", the regular expression is "^.\.ezweb\.ne\.jp$", the action is "realm:KDDIRealm", and there is no condition. The second regular expression-action set 402 functions to process a RADIUS message including a user name in a form of "*.ezweb.ne.jp" in its attribute using a KDDIRealm processor. Here, processing the message using the MyRealm or KDDIRealm processor indicates that the message is processed according to the setting in the MyRealm or KDDIRealm processor. The MyRealm or KDDIRealm processor may be set such that the message is processed within a RADIUS server or that the message is sent to and processed by a particular external server.
[34] Referring to an eighth regular expression-action set 408, there are two regular expression-action sets. With respect to one regular expression-action set "Password / ^$/setcond:NP/", the attribute name is "Password", the regular expression is "^$", and the action is "setcond:NP". The regular expression-action set "Password / ^$/setcond:NP/" functions to set a condition of NP when the attribute name "Password" is included in the attributes of a received RADIUS message and the attribute value of the "Password" is null (""). With respect to the other regular expression-action set "User-Name /^sktelecom$/accept/NP", the attribute name is "User-Name", the regular expression is "^sktelecom$", the action is "accept", and the condition is "NP". The regular expression-action set "User-Name / ^sktelecom$/accept/NP" functions to accept a user when the condition of NP has been set and the user name "sktelecom" is included in the attributes of a received RADIUS message. As a result, the eighth regular expression-action set 408 functions to return an access-accept message when the password is null ("") and the user name is "sktelecom" in an attribute list included in the received RADIUS message.
[35] Accordingly, as shown in the eighth regular expression-action set 408, there is a case where a single action can be executed only when a received message matches with two or more regular expression patterns. This may be accomplished through condition setting.
[36] As shown in FIG. 7, the setting of the regular expression-action list may be performed before the operation of an AAA server and stored in an internal storage unit (i.e., memory) of the AAA server. It is also apparent that a regular expression-action set may be added or changed when necessary after the regular expression-action list is initially set.
[37] Referring back to FIG. 6, after the regular expression-action list is set, a RADIUS message is received in operation S312. The RADIUS message may be received by a message receiver included in the AAA server. The received message is decoded by a RADIUS message decoder and is converted into an attribute list form in operation S314. In other words, attributes are extracted from the received message and listed.
[38] FIG. 8 illustrates the attribute list that has been extracted from the received message and changed according to an embodiment of the present invention. Referring to FIG. 8, the attribute list includes an identifier (e.g., an attribute name), a value, etc.
[39] In case of a standard attribute, the name is determined by a type (251 in FIG. 3). In case of a vendor-specific attribute, the name is determined by a vendor-Id (256 in FIG. 4) and a vendor-type (261 in FIG. 5).
[40] Referring back to FIG. 6, after the attribute list is extracted from the received message, each of the attributes included in the attribute list is compared with regular expression-action sets in a predetermined regular expression-action list in operations S316 through S320. In other words, according to an order set in the regular expression-action list, it is determined whether an attribute name and value in the received message match with those in each regular expression-action set in operations S316 through S320. If they match with each other, a function (i.e., action) set in the regular expression-action set is executed in operation S322. An internal module that processes the attribute matching and the execution of the action according to the matching (operations S316 through S322) in the AAA server may be referred to as an action execution unit.
[41] The following describes in detail operations S316 through S320 performed by the action execution unit.
[42] In operation S316, it is determined whether an attribute name in the attribute list matches with that in the regular expression-action set. In other words, it is determined whether the attribute name in the regular expression-action set is included in the attribute list in the received RADIUS message. As described above, this operation may be performed in the order of regular expression-action sets set in the regular expression-action list. In an embodiment of the present invention, it is assumed that the regular expression-action list shown in FIG. 7 is used and the attribute list extracted from the received message is the same as an attribute list 500 shown in FIG. 8. Here, it is determined whether the attribute name in the first regular expression-action set 401, i.e., "User-Name", is included in an attribute list 500. Referring to FIG. 8, the attribute list 500 includes the "User-Name". When an attribute corresponding to the attribute name in the regular expression-action set is included in the attribute list 500 extracted from the received message, matching an attribute value with a regular expression is performed in operation S318. For example, it is determined whether an attribute value "hongildong@hrpd.nate.com" in the received message matches with a pattern of a regular expression in the first regular expression-action set 401. Here, the regular expression in the first regular expression-action set 401 is "^.+@hrpd.nate.com$". Accordingly, when a user name has a form of "*@hrpd.nate.com", the attribute value matches with the regular expression in the first regular expression-action set 401. Here, since the attribute value "hongildong@hrpd.nate.com" in the received message has a form of "*@hrpd.nate.com", it is determined they match with each other. As described above, when it is determined that they match with each other in operation S320, the action in the first regular expression-action set 401 is executed in operation S322.
[43] In other words, when it is determined that the pattern of the attribute value included in the received message matches with the pattern of the regular expression in the regular expression-action set through the matching operation, the action in the matched regular expression-action set is executed in operation S322. The action has a form of a character string and may largely designate the following functions.
[44] One is a routing function that transmits a message to a particular realm processor to allow a RADIUS server to process the message or performs as a proxy with respect to a particular external server. The actions included in the first and second regular expression- action sets 401 and 402 in the regular expression-action list shown in FIG. 7 correspond to this routing function.
[45] Another one is a message change function that designates addition, removal, and value change of an attribute. Here, a value portion may be designated using a subexpression of the matched regular expression. The actions included in the sixth and seventh regular expression-action sets 406 and 407 in the regular expression-action list shown in FIG. 7 correspond to this message change function.
[46] Still another one is a forced allow/reject function that forcibly designates the form of a response message and returns a success/fail response. The actions included in the fourth and fifth regular expression-action sets 404 and 405 in the regular expression-action list shown in FIG. 7 correspond to this forced allow/reject function.
[47] Yet another one is a condition setting/canceling function that turns on or off a particular condition value in a routing processor to allow the result of a previous action to be reflected in subsequent pattern matching, thereby enabling an arbitrary logical combination of conditions. The action included in the eighth regular expression-action set 408 in the regular expression-action list shown in FIG. 7 corresponds to the condition setting/canceling function.
[48] It is apparent that other functions may be designated through the definition of an action. With only the setting of the regular expression-action list, all functions of a server processing a RADIUS message can be redefined. Accordingly, the functions of the server can be reconstructed and a necessary special function can be added, without reconstruction of software.
[49] After the action is executed in operation S322, as shown in FIG. 6, the matching may not be performed any more and the message processing procedure may end. However, when the action is the one that sets a particular condition, the matching is performed with respect to a subsequent regular expression-action set in operations S316 and S318 and matching or unmatching is determined in operation S320.
[50] In addition, when it is determined that the attribute in the received message does not match with the pattern of the regular expression in the regular expression-action set in operation S320 and when it is determined that the regular expression-action set is not the end of the regular expression-action list in operation S324, the matching is performed with respect to a subsequent regular expression-action set in operations S316 and S318 and matching or unmatching is determined in operation S320.
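The matching loop of operations S316 through S324, together with the condition setting described for set 408, as an added Python example (written for this page, not code from the patent or from TELCOWARE). Sets 401, 402 and 408 are taken verbatim from FIG. 7 as quoted above. The "reject" and "set:<attribute>=<template>" action spellings, and the two rules that use them, are this example's own assumptions standing in for the forced allow/reject and message-change functions, whose exact FIG. 7 text is not reproduced on this page; the "clearcond" verb is likewise an assumed spelling of the condition-canceling action.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Attr = Tuple[str, str]   # (attribute name, attribute value), the FIG. 8 list form


@dataclass
class RegexActionSet:
    """One '<attribute name> / <regular expression> / <action> / [<condition>]' entry."""
    attribute: str
    pattern: str
    action: str
    condition: Optional[str]   # condition that must already be set, or None

    def __post_init__(self) -> None:
        self.regex = re.compile(self.pattern)


def parse_rule(text: str) -> RegexActionSet:
    # At most four fields; the page's regular expressions contain no '/'.
    fields = [f.strip() for f in text.split("/", 3)] + ["", ""]
    attribute, pattern, action, condition = fields[:4]
    if not (attribute and pattern and action):
        raise ValueError(f"malformed regular expression-action set: {text!r}")
    return RegexActionSet(attribute, pattern, action, condition or None)


@dataclass
class Decision:
    kind: str                  # "route", "accept", "reject", "modify" or "no-match"
    realm: Optional[str]       # realm processor for "route"
    attrs: List[Attr]          # attribute list after any message-change action


def process_message(attrs: List[Attr], rules: List[RegexActionSet]) -> Decision:
    attrs = list(attrs)
    conditions: set = set()
    for rule in rules:                               # list order is priority order
        if rule.condition and rule.condition not in conditions:
            continue                                 # required condition is not set
        match = None
        for name, value in attrs:                    # S316: is the attribute name present?
            if name == rule.attribute:
                match = rule.regex.search(value)     # S318: value against the regex
                if match:
                    break
        if match is None:
            continue                                 # S320 no match -> S324 next set
        verb, _, arg = rule.action.partition(":")    # S322: execute the action
        if verb == "setcond":
            conditions.add(arg)                      # matching continues, see [49]
        elif verb == "clearcond":
            conditions.discard(arg)
        elif verb == "realm":
            return Decision("route", arg, attrs)
        elif verb in ("accept", "reject"):
            return Decision(verb, None, attrs)
        elif verb == "set":                          # assumed syntax: set:<attr>=<template>
            target, _, template = arg.partition("=")
            new_value = match.expand(template)       # \1 etc. refer to the matched regex
            attrs = [(n, new_value if n == target else v) for n, v in attrs]
            if target not in [n for n, _ in attrs]:
                attrs.append((target, new_value))
            return Decision("modify", None, attrs)
        else:
            raise ValueError(f"unknown action {rule.action!r}")
    return Decision("no-match", None, attrs)


# Constructed regular expression-action list. The first two and the last two
# entries are FIG. 7 sets 401, 402 and 408 as quoted on the page; the middle two
# are this example's stand-ins for the reject and message-change functions.
RULES = [parse_rule(r) for r in [
    r"User-Name /^.+@hrpd.nate.com$/realm:MyRealm/",
    r"User-Name /^.\.ezweb\.ne\.jp$/realm:KDDIRealm/",
    r"User-Name /^.+@blocked\.example$/reject/",
    r"User-Name /^([^@]+)@legacy\.example$/set:User-Name=\1@hrpd.nate.com/",
    r"Password /^$/setcond:NP/",
    r"User-Name /^sktelecom$/accept/NP",
]]

if __name__ == "__main__":
    print(process_message([("User-Name", "hongildong@hrpd.nate.com"), ("Password", "pw")], RULES))
    print(process_message([("User-Name", "sktelecom"), ("Password", "")], RULES))
```

Two points a reviewer of such a list should keep in mind: the engine matches with `re.search`, so a pattern only constrains the whole value when it carries both the `^` and `$` anchors that the FIG. 9 grammar describes (an unanchored "sktelecom" would also match any longer user name containing that word), and a condition such as NP only ever becomes true through an earlier set in the same pass, so the order of the two set-408 rules matters.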
[51] As described above, a regular expression-action list is set and an attribute in a received message is compared with each regular expression-action set in the regular expression-action list so that a function (i.e., an action) executed according to the entire attribute value or an arbitrary part of the attribute value can be set differently. Accordingly, a message processing function can be added or changed without a change of a program.
[52] FIG. 9 is a table showing examples of regular expression grammar used in a regular expression-action list according to an embodiment of the present invention. The regular expressions shown in FIG. 9 are commonly used extended regular expressions. In the regular expression grammar, a first regular expression "^The" indicates that it matches any string that starts with "The". A second regular expression "of despair$" indicates that it matches any string that ends with "of despair". A third regular expression "^abc$" indicates a string that starts and ends with "abc", that is, the third regular expression matches only "abc" itself.
[53] Commonly used regular expressions or extended regular expressions may be used. Alternatively, specially defined regular expressions may be used.
[54] In the above-described embodiments, a method of processing a RADIUS message has been described. However, the present invention can also be used to process a message such as a Diameter message for authentication, authorization, or accounting based on a different protocol.

Industrial Applicability
[55] According to the present invention, messages for authentication, authorization, and accounting are processed using a list of patterns of a regular expression and corresponding actions (i.e., commands), thereby facilitating addition and change of a function.

Claims

[1] A method of processing a message for user authentication, authorization, or accounting, the method comprising: setting a regular expression-action list including at least one regular expression-action set which comprises an attribute identifier, a regular expression, and an action; receiving a message for user authentication, authorization, or accounting; extracting an attribute from the received message; determining whether the attribute in the received message matches with a regular expression included in the regular expression-action list; and executing an action corresponding to the matched regular expression when it is determined that the attribute in the received message matches with the regular expression in the regular expression-action list.
[2] The method of claim 1, wherein the determining comprises the operations of:
(a) determining whether an attribute corresponding to an attribute identifier included in the regular expression-action set in the regular expression-action list is included in the received message; and
(b) determining whether an attribute value corresponding to the attribute identifier in the received message matches with a pattern of the regular expression in the regular expression-action set when it is determined that the attribute corresponding to the attribute identifier in the regular expression-action set matches with the received message, and operations (a) and (b) are repeated with respect to another regular expression-action set included in the regular expression-action list according to a predetermined priority order when the attribute value in the received message does not match with the pattern of the regular expression in the regular expression-action set.
[3] The method of claim 2, wherein the at least one regular expression-action set is listed in the regular expression-action list according to the predetermined priority order.
[4] The method of claim 1, wherein the message is based on one protocol among a Remote Authentication Dial In User Service (RADIUS) protocol and a Diameter protocol.
[5] The method of claim 1, wherein the regular expression-action set further comprises a condition that can be set or canceled.
[6] The method of claim 1, further comprising: converting the attribute in the received message into a list form, wherein the attribute list comprises an attribute identifier and an attribute value of the received message.
[7] A recording medium for recording a program for executing the method of any one of claims 1 through 6, wherein the program can be read and executed by a digital signal processor.
[8] An apparatus for processing a message for user authentication, authorization, or accounting, the apparatus comprising: a storage unit storing a regular expression-action list including at least one regular expression-action set which comprises an attribute identifier, a regular expression, and an action; a message receiver receiving a message for user authentication, authorization, or accounting; a message decoder extracting an attribute from the received message; and an action execution unit determining whether the attribute in the received message matches with a regular expression included in the regular expression-action list and executing an action corresponding to the matched regular expression when it is determined that the attribute in the received message matches with the regular expression in the regular expression-action list.
[9] The apparatus of claim 8, wherein the apparatus is one among a Remote Authentication Dial In User Service (RADIUS) server based on a RADIUS protocol and a Diameter server based on a Diameter protocol.
PCT/KR2005/002911 2004-11-25 2005-09-02 Method of processing message using regular expresion - action list and apparatus there-of Ceased WO2006057489A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2004-0097634 2004-11-25
KR1020040097634A KR100622274B1 (en) 2004-11-25 2004-11-25 Method and apparatus for processing message using regular expression-command list

Publications (1)

Publication Number Publication Date
WO2006057489A1 true WO2006057489A1 (en) 2006-06-01

Family

ID=36498203

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2005/002911 Ceased WO2006057489A1 (en) 2004-11-25 2005-09-02 Method of processing message using regular expresion - action list and apparatus there-of

Country Status (2)

Country Link
KR (1) KR100622274B1 (en)
WO (1) WO2006057489A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030056096A1 (en) * 2001-04-18 2003-03-20 Albert Roy David Method and system for securely authenticating network access credentials for users
WO2004077783A1 (en) * 2003-02-28 2004-09-10 Siemens Aktiengesellschaft Method for transmitting data in a wlan network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6205479B1 (en) 1998-04-14 2001-03-20 Juno Online Services, Inc. Two-tier authentication system where clients first authenticate with independent service providers and then automatically exchange messages with a client controller to gain network access
US7047563B1 (en) 2000-12-07 2006-05-16 Cisco Technology, Inc. Command authorization via RADIUS

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9319416B2 (en) 2014-07-03 2016-04-19 Alcatel Lucent Priority based radius authentication
US20220060460A1 (en) * 2019-07-26 2022-02-24 International Business Machines Corporation Enterprise workspaces
US11750588B2 (en) * 2019-07-26 2023-09-05 International Business Machines Corporation Enterprise workspaces

Also Published As

Publication number Publication date
KR100622274B1 (en) 2006-09-19
KR20060058555A (en) 2006-05-30

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 69(1) EPC OF 140907

122 Ep: pct application non-entry in european phase

Ref document number: 05781127

Country of ref document: EP

Kind code of ref document: A1