WO2009079896A1 - Method for user access authentication based on Dynamic Host Configuration Protocol - Google Patents
Method for user access authentication based on Dynamic Host Configuration Protocol
- Publication number: WO2009079896A1 (PCT/CN2008/000464)
- Authority: WO (WIPO (PCT))
- Prior art keywords: host configuration, configuration protocol, dynamic host, access authentication, dhcp
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Definitions
- The present invention relates to the field of communications, and in particular to a user access authentication method and an IP address allocation method based on the Dynamic Host Configuration Protocol (DHCP).
- BACKGROUND: With the development of Ethernet technology, Ethernet has gradually expanded from local area networks to metropolitan area and inter-city networks, and the application scope of DHCP has been extended accordingly. At the same time, DHCP has gradually become the IP address management technology chosen by operators for their services. For example, the IPTV services operated by China Netcom are basically based on DHCP to provide dynamic access for users.
- The present invention provides a user access authentication method and an IP address allocation method based on DHCP.
- The DHCP-based user access authentication method includes the following steps. S102: after receiving a DHCP discovery message from the DHCP user equipment, the DHCP server or relay station sends access authentication notification information to the DHCP user equipment by means of a DHCP extended option. S104: the DHCP user equipment determines, according to the access authentication notification information, whether to perform access authentication and, if so, sends access authentication attribute information to the DHCP server or relay station by means of the DHCP extended option. S106: the DHCP server or relay station initiates access authentication of the DHCP user equipment using the access authentication attribute information.
- Step S104 includes the following steps: the DHCP user equipment determines whether the access authentication notification lists multiple access authentication methods; if so, the DHCP user equipment selects one of the access authentication methods it can support, performs the access authentication processing, and sends the corresponding access authentication attribute message to the DHCP server or relay station through the DHCP extended option; otherwise, the subsequent access authentication process is ignored.
- The DHCP server or relay station identifies each of the multiple access authentication methods by a uniquely determined option value of the DHCP extended option.
- The DHCP server or relay station also returns the access authentication result and the corresponding authorization information to the DHCP user equipment.
- The DHCP extended option is provided by DHCP; in step S104, the DHCP request message carries the DHCP extended option.
- The DHCP server or relay station returns the access authentication result and the corresponding authorization information to the DHCP user equipment by means of the DHCP extended option.
- The DHCP acknowledgement message or the DHCP denial message carries the DHCP extended option.
- The IP address allocation method using the above user access authentication method includes the following steps: the DHCP user equipment requests the DHCP server or relay station to allocate an IP address resource; the DHCP server or relay station performs access authentication of the DHCP user equipment; if the DHCP user equipment passes access authentication, the DHCP server or relay station responds to the request and assigns an IP address to the DHCP user equipment, otherwise the DHCP server or relay station refuses to assign an IP address to the DHCP user equipment.
- the invention carries the user access authentication information through the extended option of the DHCP protocol, thereby combining the access authentication of the DHCP user equipment with the dynamic IP address allocation process of the user equipment, simplifying the complexity of the user service based on the DHCP protocol, and reducing the user.
- FIG. 1 is a flowchart of a user access authentication method based on a dynamic host configuration protocol according to an embodiment of the present invention
- FIG. 2 is a flowchart of a user access authentication method based on a dynamic host configuration protocol according to another embodiment of the present invention.
- FIG. 3 is a schematic diagram of a network architecture of a network to which the methods shown in FIGS. 1 and 2 are applied.
- The main idea of the present invention is to extend the options of the DHCP protocol so that they carry user access authentication information, without affecting the DHCP processing flow or its dynamic IP address allocation function. This simplifies the access authentication process that the broadband access device performs for DHCP user equipment, and implements authentication and authorization of the DHCP user equipment while completing dynamic IP address allocation.
- The DHCP option is used to record and transmit information such as user access authentication and authorization, so that the DHCP user equipment is authenticated and authorized without changing the DHCP processing flow or its basic functions; the authentication and authorization processing is fully integrated with the DHCP dynamic IP address allocation process.
- The sub-options of the DHCP extended option record the user authentication and authorization information related to DHCP access, such as the access authentication method identifier, access authentication user name, access user password, access authentication challenge value, access authentication MAC value, and the like; the specific content may be determined according to the selected access authentication method.
- The DHCP CLIENT (that is, the DHCP user equipment) sends a DHCPDISCOVER (DHCP Discovery) message to search for a DHCP SERVER (DHCP server) that can assign an IP address.
- After receiving the DHCPDISCOVER message, the DHCP SERVER, according to the authentication requirement, inserts into the DHCPOFFER (DHCP Offer) message returned to the DHCP CLIENT an option identifying that the DHCP CLIENT must perform access authentication.
- The list of supported access authentication methods and the corresponding authentication and authorization attributes can be carried in the DHCPOFFER (for example, when the Challenge Handshake Authentication Protocol, CHAP, is used, the challenge value must be carried at the same time).
- After receiving the DHCPOFFER message returned by the DHCP SERVER, if the DHCP CLIENT cannot recognize the access authentication option, it ignores the subsequent access authentication process; if it can recognize and process the option but supports none of the offered access authentication methods, it likewise ignores the subsequent access authentication process and only applies for a dynamic IP address. If the DHCP CLIENT finds an offered access authentication method that it can support, it submits the access authentication attributes required by that method (for example, user name, key, etc.) to the DHCP SERVER for access authentication.
- After receiving the DHCPREQUEST message from the DHCP CLIENT, the DHCP SERVER checks whether it carries the access authentication option. If no access authentication option is found, authentication with the AAA (authentication, authorization, and accounting) server is not initiated, and the DHCP CLIENT will only have restricted network access rights after successfully obtaining an IP address. If an access authentication option is found, the related user access authentication information is extracted and AAA authentication is initiated. If the authentication succeeds, the DHCP CLIENT obtains the network access rights of the corresponding account after successfully obtaining the dynamic IP address; otherwise, even if the DHCP CLIENT successfully obtains a dynamic IP address, it will only have limited network access permissions.
- The DHCP SERVER can choose whether to send the access authentication result and authorization information to the DHCP CLIENT through the DHCPACK (DHCP Acknowledgement) or DHCPNAK (DHCP Denial) message.
- After the DHCP SERVER receives a DHCPDECLINE (DHCP Decline) or DHCPRELEASE (DHCP Release) message sent by the DHCP CLIENT, the external network access rights previously obtained by the DHCP CLIENT need to be reclaimed.
- Where the effective utilization of dynamic IP address resources needs to be improved and IP address resources must not be allocated to a DHCP CLIENT that does not support access authentication or that fails authentication, the DHCP SERVER directly responds with a DHCPNAK message according to the authentication result, refusing to allocate a dynamic IP address to such a DHCP CLIENT.
- The DHCP user access authentication option information may be carried in the following messages according to the needs of the application: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK.
- The access authentication and authorization processing of the DHCP user equipment may also be initiated by the DHCP RELAY on behalf of the DHCP CLIENT: the DHCP RELAY initiates user authentication to the AAA server and sets the access rights of the DHCP user according to the result returned by the AAA server.
- FIG. 2 illustrates a user access authentication method based on DHCP according to another embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
- The DHCP CLIENT in subnet 1 initiates a DHCPDISCOVER message and searches for a DHCP SERVER capable of providing dynamic IP address allocation;
- The DHCP SERVER on the broadband access router performs normal DHCP message processing and, according to the authentication requirement, inserts into the DHCPOFFER message an option identifying that the DHCP CLIENT must perform access authentication. The option identifies the access authentication methods supported or provided, including the selected CHAP access authentication method and the challenge value required for CHAP authentication. The DHCP SERVER then sends the DHCPOFFER to the DHCP CLIENT;
- The DHCP CLIENT recognizes that the DHCP SERVER requires CHAP-based access authentication, extracts the CHAP challenge value and other related attributes, performs the CHAP calculation, places the CHAP calculation result in the DHCPREQUEST message, and submits it to the DHCP SERVER for access authentication;
- After receiving the access authentication result returned by the AAA server, the DHCP SERVER checks it. If access authentication succeeds, the user access authentication and authorization result is recorded and the DHCP CLIENT is allowed to obtain a dynamic IP address and access the external network; otherwise the DHCP CLIENT is not allowed to access the external network. S212: the DHCP SERVER returns a DHCPACK/DHCPNAK message to the DHCP CLIENT. In this example the access authentication result controls the allocation of the dynamic IP address; therefore only after authentication has passed is the DHCP CLIENT assigned a dynamic IP address for access.
- FIG. 3 is a schematic diagram of a network architecture of a network to which the methods shown in FIGS. 1 and 2 are applied. As shown in FIG. 3, the network includes an access router, an egress router, a switch, a subnet 1, and a subnet 2.
- a DHCP SERVER is configured in the access router in the network to implement dynamic access of the DHCP user equipment. In order to facilitate the charging of services, only the DHCP CLIENT that passes the authentication can access the external network. Otherwise, access to the external network is not allowed.
- A protocol such as WEB portal or 802.1X is usually enabled between the DHCP CLIENT and the DHCP SERVER for access authentication.
- In this network, an embodiment according to the present invention is used between the DHCP CLIENT and the DHCP SERVER instead. Two ZXR10 router devices are used: a broadband access router and an egress router. The broadband access router functions as a broadband access server (BRAS) while also performing the functions of a router.
- The embedded DHCP SERVER is used to complete dynamic IP address allocation and access for all internal subnet users.
- the access router accesses the Internet through the uplink interface GEI_2/1, and connects to the switch 1 through the downlink interface FEI_1/1.
- 1) DHCP CLIENT 1 in subnet 1 initiates a DHCPDISCOVER message to search for a DHCP SERVER that can provide dynamic IP address allocation; 2) after the DHCP SERVER on the broadband access router receives the DHCPDISCOVER message, it performs normal DHCP dynamic IP address allocation processing and, according to the authentication requirement, inserts into the DHCPOFFER message the option identifying that the DHCP CLIENT must perform access authentication. The option identifies the access authentication methods supported, including the selected CHAP access authentication method and the challenge value required for CHAP authentication;
- After receiving the DHCPOFFER message returned by the DHCP SERVER, the DHCP CLIENT recognizes that the DHCP SERVER requires CHAP-based access authentication processing, extracts the attributes related to CHAP authentication such as the challenge value, performs the CHAP calculation, places the CHAP calculation result in the DHCPREQUEST message, and submits it to the DHCP SERVER for access authentication;
- After receiving the DHCPREQUEST message from the DHCP CLIENT, the DHCP SERVER finds the access authentication option, extracts the relevant user access authentication information, and initiates AAA access authentication. If the access authentication succeeds, the user authentication and authorization result is recorded and the DHCP CLIENT is allowed to access the external network normally after successfully obtaining the dynamic IP address; otherwise, the DHCP CLIENT is not allowed to access the external network;
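The CHAP-over-DHCP-option exchange described for FIG. 2 and the FIG. 3 deployment, as an added example that is not the patent's own code: option number 224, the sub-option codes, the CHAP method id and the RFC 1994 MD5 digest are assumptions, and the `accounts` table stands in for the AAA server. It also shows the two policies the text distinguishes, DHCPNAK for an unauthenticated client versus a lease with restricted access.

```python
"""Added example (not the patent's own code): a model of the CHAP-over-DHCP
extended-option exchange.  Option number 224, the sub-option codes, method id
and the RFC 1994 MD5 digest are assumptions; `accounts` stands in for AAA."""
import hashlib
import hmac
import os

OPT_AUTH = 224            # assumed option number (RFC 3942 private-use range)
SUB_METHODS = 1           # server -> client: ids of the offered auth methods
SUB_METHOD = 2            # client -> server: the method it selected
SUB_USERNAME = 3
SUB_CHAP_ID = 4
SUB_CHAP_CHALLENGE = 5
SUB_CHAP_RESPONSE = 6
METHOD_CHAP = 1           # assumed uniquely-determined option value for CHAP


def encode_subopts(subopts):
    """Pack (code, value) pairs as code/length/value TLVs inside one DHCP option."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in subopts)
    return bytes([OPT_AUTH, len(body)]) + body


def decode_subopts(option):
    """Parse the auth option; return {} for a foreign, truncated or malformed option."""
    if len(option) < 2 or option[0] != OPT_AUTH or option[1] != len(option) - 2:
        return {}
    subs, i = {}, 2
    while i + 2 <= len(option):
        code, ln = option[i], option[i + 1]
        if i + 2 + ln > len(option):          # sub-option runs past the option
            return {}
        subs[code] = option[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs


def chap_digest(chap_id, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def server_offer(challenge=None, chap_id=1):
    """Auth option for DHCPOFFER: offered methods plus the CHAP challenge."""
    challenge = challenge if challenge is not None else os.urandom(16)
    return encode_subopts([(SUB_METHODS, bytes([METHOD_CHAP])),
                           (SUB_CHAP_ID, bytes([chap_id])),
                           (SUB_CHAP_CHALLENGE, challenge)])


def client_request(offer_option, username, secret, supported=(METHOD_CHAP,)):
    """Auth option for DHCPREQUEST, or None when the client cannot parse the
    option or supports none of the offered methods (it then only asks for a lease)."""
    subs = decode_subopts(offer_option)
    chosen = next((m for m in subs.get(SUB_METHODS, b"") if m in supported), None)
    if chosen != METHOD_CHAP or SUB_CHAP_ID not in subs or SUB_CHAP_CHALLENGE not in subs:
        return None
    chap_id = subs[SUB_CHAP_ID][0]
    response = chap_digest(chap_id, secret, subs[SUB_CHAP_CHALLENGE])
    return encode_subopts([(SUB_METHOD, bytes([chosen])), (SUB_USERNAME, username),
                           (SUB_CHAP_ID, bytes([chap_id])), (SUB_CHAP_RESPONSE, response)])


def server_verify(request_option, challenge, chap_id, accounts, require_auth=True):
    """Server decision after the AAA lookup: (DHCPACK|DHCPNAK, access level).
    The check uses the challenge/id the server issued, never values echoed by the
    client.  With require_auth an unauthenticated client gets DHCPNAK (no lease);
    otherwise it gets a lease with restricted access, as the patent describes."""
    subs = decode_subopts(request_option) if request_option else {}
    authenticated = False
    if subs.get(SUB_METHOD) == bytes([METHOD_CHAP]):
        secret = accounts.get(subs.get(SUB_USERNAME, b""))
        if secret is not None:
            expected = chap_digest(chap_id, secret, challenge)
            authenticated = hmac.compare_digest(expected, subs.get(SUB_CHAP_RESPONSE, b""))
    if authenticated:
        return ("DHCPACK", "full")
    return ("DHCPNAK", "none") if require_auth else ("DHCPACK", "restricted")
```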
- The present invention integrates the AAA access authentication and authorization processing of the DHCP user equipment with the dynamic IP address allocation process of the DHCP protocol through a simple DHCP option extension. Without changing the DHCP protocol, the dynamic IP address allocation and the access authentication and authorization of the DHCP user equipment are implemented simultaneously, which greatly simplifies the complexity of the access authentication process that a DHCP-based broadband access device would otherwise have to implement with other protocols, and greatly reduces the cost of R&D and maintenance.
- For a broadband access network device such as a radio access controller (AC), a broadband access server (BAS) or a broadband access router, the DHCP protocol itself can complete the functions that otherwise need to be supported by other authentication and authorization protocols. This greatly simplifies the complexity brought by the authentication and authorization of DHCP-based broadband service access, reduces the research and development cost of the terminal equipment, and at the same time reduces the equipment maintenance cost of the operator.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a user access authentication method based on the Dynamic Host Configuration Protocol (DHCP), and to an IP address allocation method, according to which, after a DHCP server or a relay station has received DHCP discovery information from a DHCP user device, it sends an access authentication notification to the DHCP user device via a DHCP extension option (S102); the DHCP user device determines, according to the access authentication notification, whether access authentication is to be performed and, if so, sends access authentication attribute information to the DHCP server or the relay station via the DHCP extension option (S104); and the DHCP server or the relay station starts the access authentication of the DHCP user device on the basis of the access authentication attribute information (S106).
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2007103021264A CN101184100A (zh) | 2007-12-14 | 2007-12-14 | User access authentication method based on Dynamic Host Configuration Protocol |
| CN200710302126.4 | 2007-12-14 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2009079896A1 true WO2009079896A1 (fr) | 2009-07-02 |
Family
ID=39449182
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2008/000464 Ceased WO2009079896A1 (fr) | 2007-12-14 | 2008-03-07 | Method for user access authentication based on Dynamic Host Configuration Protocol |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101184100A (fr) |
| WO (1) | WO2009079896A1 (fr) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101640592A (zh) * | 2008-07-28 | 2010-02-03 | 深圳华为通信技术有限公司 | Authentication method and system, terminal, and server |
| CN101997931A (zh) * | 2009-08-28 | 2011-03-30 | 中国移动通信集团公司 | Location information acquisition method and device |
| CN103841219B (zh) * | 2012-11-21 | 2017-11-24 | 华为技术有限公司 | Method and apparatus for releasing an IP address, and access device |
| CN103442094A (zh) * | 2013-08-15 | 2013-12-11 | 深圳市龙视传媒有限公司 | Service address allocation method, related device and system |
| CN107438113A (zh) * | 2017-07-04 | 2017-12-05 | 上海斐讯数据通信技术有限公司 | Method and system for redirection via Dynamic Host Configuration Protocol |
| CN111314269B (zh) * | 2018-12-11 | 2023-09-12 | 中兴通讯股份有限公司 | Security authentication method and device for an automatic address allocation protocol |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2005104500A1 (fr) * | 2004-04-23 | 2005-11-03 | Telefonaktiebolaget Lm Ericsson (Publ) | AAA support for DHCP |
| CN1855926A (zh) * | 2005-04-29 | 2006-11-01 | 华为技术有限公司 | Method and system for implementing secure DHCP address allocation |
| CN1859437A (zh) * | 2005-04-30 | 2006-11-08 | 华为技术有限公司 | Method for a user terminal to obtain access location information, user terminal and corresponding device |
| CN1889577A (zh) * | 2006-07-18 | 2007-01-03 | Ut斯达康通讯有限公司 | IP address allocation method based on DHCP extension attributes |
Timeline
- 2007-12-14 CN CNA2007103021264A patent/CN101184100A/zh active Pending
- 2008-03-07 WO PCT/CN2008/000464 patent/WO2009079896A1/fr not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN101184100A (zh) | 2008-05-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP1876754B1 (fr) | | Method, system and server for implementing secure DHCP address allocation |
| US8291489B2 (en) | | Method and apparatus for registering auto-configured network addresses based on connection authentication |
| CN101127600B (zh) | | User access authentication method |
| CN101286948B (zh) | | Access permission control method and wireless access device |
| CN101895587B (zh) | | Method, apparatus and system for preventing users from modifying IP addresses without authorization |
| WO2009079895A1 (fr) | | Method for allocating a secondary IP address based on DHCP access authentication |
| EP2615788A1 (fr) | | Dual-stack user management method and broadband access server |
| CN105323325A (zh) | | Address allocation method and access service node in an identity/location separation network |
| WO2009079896A1 (fr) | | Method for user access authentication based on Dynamic Host Configuration Protocol |
| CN110445889A (zh) | | Switch IP address management method and system in an Ethernet environment |
| JP2001326696A (ja) | | Access control method |
| WO2012126335A1 (fr) | | Access control method, access device and system |
| WO2006068108A1 (fr) | | Portal, network configuration and method for controlling access to an internet server |
| WO2010000157A1 (fr) | | Configuration method, equipment and system for an access device |
| WO2015184853A1 (fr) | | Authentication method and apparatus for IPv6 stateless auto-configuration |
| CN113556337A (zh) | | Terminal address identification method, network system, electronic device and storage medium |
| WO2007000120A1 (fr) | | System, method and access server for authentication |
| WO2024000975A1 (fr) | | Session establishment system and method, electronic device and storage medium |
| WO2020078428A1 (fr) | | Method and device for enabling a user to access the internet, broadband remote access server and storage medium |
| KR100739299B1 (ko) | | Centrally managed automatic IP allocation method using an intermediate DHCP server |
| CN115604230B (zh) | | Device address management method, apparatus and server |
| CN102577299B (zh) | | Simplified access network authentication information bearer protocol |
| CN104052826B (zh) | | DHCP-based method and apparatus for discovering a network media server |
| KR100513296B1 (ko) | | Network management apparatus and management system for network access control, and network access control method using the same |
| WO2011150867A2 (fr) | | Terminal authentication method and apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08714917; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 08714917; Country of ref document: EP; Kind code of ref document: A1 |