CN100473049C - Method for realizing access device long-distance identification-dialing user service proxy authentication


Info

Publication number: CN100473049C
Authority: CN (China)
Prior art keywords: slave unit; user service; main equipment; dialing user; remote verification
Legal status: Active
Application number: CNB2005100374250A
Other languages: Chinese (zh)
Other versions: CN1937572A
Inventors: 孙刚, 谭斌
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority date: 2005-09-23
Filing date: 2005-09-23
Publication dates: CN1937572A 2007-03-28; CN100473049C 2009-03-25 (granted)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention is a method for RADIUS (Remote Authentication Dial-In User Service) proxy authentication on access devices. Access devices are set up as master and slave devices, and the master device is provided with a RADIUS proxy module and a slave device information table. The method comprises: the slave device sends a RADIUS request packet to the master device; the master device modifies the Identifier value of the RADIUS request packet, records the Identifier value in the slave device information table and transmits the modified request packet to the RADIUS server; the master device receives the response packet from the RADIUS server, processes it according to the slave device information table and transmits it to the slave device. The method saves the public network IP address resources of operators and improves device security.

Description

Method for implementing RADIUS (Remote Authentication Dial-In User Service) proxy authentication on access devices
Technical field
The present invention relates to a method, used on broadband access equipment in a mixed network in which multiple access devices are cascaded, by which a slave device performs RADIUS user authentication through a proxy on a master device; more specifically, to a method in the broadband access network field for implementing RADIUS authentication and accounting by assigning private network IP addresses to the slave devices and a public network IP address to the master device.
Background technology
A key function of broadband access equipment is the AAA service (Authentication, Authorization, Accounting): authentication is used to check user validity; authorization is used for user configuration information and resource management; accounting is used to collect resource usage. AAA is the essential means of making broadband access services manageable and operable. The RADIUS protocol (Remote Authentication Dial-In User Service) is currently the most widely used centralized remote AAA protocol.
Prior-art RADIUS authentication on access devices is mainly implemented as follows:
Each access device independently authenticates the users it manages; every device is configured to connect to the same upstream RADIUS server and communicates with that server directly. This implementation requires a public network IP address to be assigned to each broadband access device (DSLAM, BAS).
The prior-art networking is shown in Figure 1. It requires a public network IP address on the uplink interface of every access device, and each device interacts independently with the same RADIUS server. For a small network operator whose public IP address resources are scarce, this networking mode wastes public IP addresses, aggravates their shortage and increases operating cost. In addition, assigning a public IP address to every access device exposes each device on the public network, which increases the risk that the device is attacked and lowers device security.
The prior art therefore has defects and awaits improvement.
Summary of the invention
The object of the present invention is to provide a method for implementing RADIUS proxy authentication on access devices which, in a network of multiple access devices, divides the devices into master and slave, plans a public network IP address for the uplink to the RADIUS server and private network IP addresses for cascade communication, and thereby overcomes the waste of public IP address resources and the poor security of the existing networking scheme.
To achieve the above object, the technical scheme of the present invention comprises:
A method for implementing RADIUS proxy authentication on access devices, in which one access device directly connected to the RADIUS server through its uplink port is set as the master device, the other access devices, cascaded through their own uplink ports to cascade ports of the master device, are set as slave devices, and the master device is provided with a RADIUS proxy module and a slave device information table; a public network IP address is assigned to the uplink port of the master device and private network IP addresses are assigned to the uplink interfaces of the slave devices; the method further comprises:
A. the slave device sends a RADIUS request packet to the master device; the master device modifies the Identifier value of the RADIUS request packet, records it in the slave device information table and forwards the modified request packet to the RADIUS server;
B. the master device receives the response packet returned by the RADIUS server, processes it according to the slave device information table and forwards it to the slave device.
In the method, step A further comprises:
A1: for a RADIUS request packet the master device initiates locally, the master device allocates an Identifier value and sends the request packet to the RADIUS server.
In the method, step A further comprises:
A2: the RADIUS proxy module of the master device listens for a request packet sent by a slave device, applies locally for a new Identifier value and replaces the original (old) Identifier value with it;
A3: the slave device IP address from the packet header, the slave device's RADIUS client port number, the Identifier value allocated by the slave device and the new Identifier value allocated by the master device are recorded in the slave device information table;
A4: the new RADIUS request packet is sent to the RADIUS server.
In the method, step B further comprises:
B1: after the master device receives the response packet returned by the RADIUS server, it extracts the Identifier value from the packet and looks it up in the slave device information table;
B2: if the Identifier value of the response packet has a corresponding record in the slave device information table, the response is to be forwarded to the corresponding slave device: the Identifier value of the response packet is replaced with the old Identifier value allocated by the slave device according to the record, the slave device IP address and slave device RADIUS client port number recorded for that Identifier value are read, and the modified response packet is sent to the slave device.
In the method, step B further comprises:
B3: if the Identifier value of the response packet returned by the RADIUS server has no record in the slave device information table, the response packet is handed directly to the master device for local processing.
In the method, the master device is further provided with an aging mechanism for the slave device information table: if the RADIUS server returns no response packet corresponding to a record within a scheduled time, the record is deleted and the locally allocated Identifier value recorded in it is reclaimed.
Compared with the prior art, the method for implementing RADIUS proxy authentication on access devices provided by the present invention realizes user authentication with the RADIUS server through cascading in a mixed network of multiple access devices: the devices are divided into master and slave devices, the master device connects upstream to the RADIUS server, the slave devices connect upstream to the master device, and the slave devices authenticate RADIUS users through the proxy on the master device. This saves the operator's public network IP address resources, simplifies unified management of the devices, improves device security, and is simple to implement.
Description of drawings
Fig. 1 is the authentication networking diagram of multiple access devices in the prior art;
Fig. 2 is the mixed authentication networking diagram of multiple access devices provided by the present invention;
Fig. 3 is the flow chart of the RADIUS proxy on the master device processing a request packet;
Fig. 4 is the flow chart of the RADIUS proxy on the master device processing a response packet.
Embodiment
The implementation of the technical scheme is described in further detail below with reference to the accompanying drawings:
In the access device RADIUS proxy authentication method provided by the present invention, one selected access device acts as the master device and implements the RADIUS proxy function; the other devices act as slave devices and are cascaded upward to the master device. A public network IP address is assigned to the uplink port of the master device, while the uplink ports of the slave devices, which connect to the cascade ports of the master device, are all assigned private network IP addresses. The master device connects to the RADIUS server through its uplink port, and the slave devices communicate with the RADIUS server through the proxy on the master device.
In this way the waste and shortage of public IP address resources that exist in the prior art when multiple access devices perform RADIUS authentication are resolved.
The networking of the present invention is shown in Figure 2, and its processing comprises the following steps, shown in Figure 3 and Figure 4:
Step 1: the device directly connected to the RADIUS server is defined as the master device, and the devices connected to the master device are defined as slave devices; the processing flow on the slave devices is unchanged.
Step 2: processing of request packets on the master device:
This step comprises the following sub-steps:
1: for a RADIUS request packet the master device initiates locally, it allocates an Identifier value and sends the packet to the RADIUS server.
2: the proxy module of the master device listens for a request packet sent by a slave device, applies locally for a new Identifier value and replaces the original (old) Identifier value with it.
3: it records in the slave device information table the slave device IP address from the packet header, the slave device's RADIUS client port number, the Identifier value allocated by the slave device and the new Identifier value allocated by the master device.
4: it sends the new packet to the RADIUS server.
Step 3: processing of response packets received by the master device from the server:
This step comprises the following sub-steps:
1: after the master device receives a RADIUS response packet from the RADIUS server, it extracts the Identifier value from the packet and looks it up in the slave device information table.
2: if a corresponding record exists, the response packet is to be forwarded to the corresponding slave device: the Identifier value is replaced with the old Identifier value allocated by the slave device, the slave device IP address and RADIUS client port number are read from the record for that Identifier, and the new packet is sent to the slave device.
3: if the Identifier value of the response packet returned by the RADIUS server has no record in the slave device information table, the response was issued to the master device itself, and the packet is handed directly to the local RADIUS client for processing.
As shown in Figure 2, the present invention only requires the RADIUS proxy function to be implemented on the device in the master role; existing devices in the slave role need no modification. It is therefore simple and convenient to implement and saves the public IP addresses that would otherwise have to be assigned.
The access device hardware implementing the RADIUS proxy function of the present invention mainly consists of the following parts: an uplink interface module, used to connect with the RADIUS server; a control board integrating the RADIUS proxy function; and a master-slave cascade port board, used to connect with the slave devices. The main functions and interactions of each part are as follows:
The uplink interface module is responsible for communicating with the RADIUS server: it sends the RADIUS request packets handed to it by the control board, whether initiated locally or proxied on behalf of a slave device, to the RADIUS server, and passes the RADIUS response packets returned by the RADIUS server to the control board for processing.
The master-slave interface module is responsible for receiving the RADIUS request packets sent by devices in the slave role and handing them to the control module for processing; it also sends the response packets the control module addresses to slave devices out through the master-slave cascade ports.
The control board module integrating the RADIUS proxy function listens for request packets sent by slave devices, modifies them, records the modification information in the slave device information table and sends the modified request packets to the RADIUS server through the uplink board; it also receives the response packets returned by the RADIUS server, looks up the previously recorded modification information to decide whether a response must be forwarded to a slave device, and if so sends it to the corresponding slave device through the cascade port; otherwise it processes the response locally.
The core algorithm of the method is to add a proxy module to the master device. On the one hand, the module implements the RADIUS client function: the master device itself acts as a RADIUS client and handles the RADIUS request and response packets of the users it manages. On the other hand, it opens a listening port and listens for RADIUS request packets sent by slave devices; correspondingly, on the slave devices the master device is configured as the RADIUS server and the listening port on the master device is configured as the RADIUS server port.
The Identifier field of the RADIUS header is used here. A RADIUS client uses it to match requests with responses; it is allocated by the RADIUS client, is only locally significant, and is not modified by the RADIUS server. In the RADIUS proxy, the Identifier values for the RADIUS requests initiated locally and for the RADIUS requests received from slave devices on the listening port must be allocated uniformly, that is, from the same Identifier range. At the same time, the master device maintains a slave device information table. This is a dynamic table that records in real time, during device operation and for each RADIUS request initiated by a slave device, the correspondence between the slave device IP address, the UDP port number used by the slave device's RADIUS client, the local Identifier value allocated by the slave device's RADIUS client, and the new local Identifier value reallocated by the master device.
The concrete steps of the method are described below:
The RADIUS client proxy listening port on the master device receives a request packet sent by a slave device; the proxy applies locally for a new Identifier value and replaces the original Identifier value in the packet with it, then records in the slave device information table the slave device IP address from the packet header, the slave device's RADIUS client port number, the Identifier value allocated by the slave device and the Identifier value newly allocated by the master device. The packet is then sent to the RADIUS server the master device is connected to.
After the master device receives the RADIUS response packet returned by the RADIUS server, it extracts the Identifier value from the packet and looks it up in the slave device information table. If a corresponding record exists, the request corresponding to this response was modified by the master device, so the response must be forwarded to the corresponding slave device: the proxy module replaces the Identifier value in the response packet with the old Identifier value from the corresponding record, reads the slave device IP address and RADIUS client port number from that record, and sends the packet to the slave device. If the Identifier value of the response packet returned by the RADIUS server has no record in the slave device information table, the response was issued to the master device itself, and the packet is simply handed to the local RADIUS client for processing.
In addition, the master device must provide an aging mechanism for the slave device information table, for example a timer: if the RADIUS server returns no response packet corresponding to a record within the given time, the record is deleted and the locally allocated Identifier value recorded in it is reclaimed so that later RADIUS request packets can use it. The aging mechanism means that the slave device record kept on the master device is normally deleted after the master device receives the authentication response from the RADIUS server; if, however, the master device receives no authentication response from the RADIUS server within the configured aging time, the record is deleted directly.
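The following Python is an added illustration, not code from the patent or from ZTE, of the proxy behaviour described in steps 2 and 3 above together with the aging mechanism: one Identifier pool shared by local and proxied requests, the slave device information table (slave IP address, slave RADIUS client UDP port, old Identifier, new Identifier), the rewriting of request and response packets, and the timer that reclaims Identifiers the server never answered. Class and function names (`RadiusProxy`, `request_from_slave`, `age_out`) are hypothetical. Two points go beyond the page and are assumptions: the packet layout follows the RFC 2865 header (Code, Identifier, Length, Authenticator), and because the Response Authenticator is an MD5 over the Identifier and the shared secret, the proxy verifies the server's Response Authenticator on the upstream leg and recomputes it with the slave-side secret before forwarding, which the patent does not describe. The sample packets and secrets are constructed.

```python
# Added illustration (not ZTE's code) of the master-device RADIUS proxy:
# shared Identifier pool, slave device information table, request/response
# rewriting and the aging timer. Class and function names are hypothetical.
import hashlib
import os
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH16s")  # RFC 2865 header: Code, Identifier, Length, Authenticator


def build_packet(code, ident, authenticator, attrs=b""):
    """Assemble a RADIUS packet; Length covers the header plus attributes."""
    return HEADER.pack(code, ident, HEADER.size + len(attrs), authenticator) + attrs


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attributes) from a RADIUS packet."""
    code, ident, length, auth = HEADER.unpack_from(pkt)
    return code, ident, auth, pkt[HEADER.size:length]


def response_authenticator(code, ident, attrs, request_auth, secret):
    """Assumption from RFC 2865 s.3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


class RadiusProxy:
    """RADIUS client proxy running on the master device."""

    def __init__(self, server_secret, slave_secrets, age_seconds=30.0, now=time.monotonic):
        self.server_secret = server_secret  # secret shared with the upstream RADIUS server
        self.slave_secrets = slave_secrets  # slave IP -> secret the slave shares with the proxy
        self.age_seconds = age_seconds
        self.now = now
        self.free_idents = list(range(256))  # one pool for local and proxied requests
        self.table = {}  # new Identifier -> slave device information record

    def _allocate_identifier(self):
        if not self.free_idents:
            raise RuntimeError("all 256 Identifier values are in flight")
        return self.free_idents.pop(0)

    def local_request(self, attrs):
        """Step 2.1: a request the master originates itself takes an Identifier from the
        same pool but is not recorded; a missing record later means 'local'."""
        return build_packet(ACCESS_REQUEST, self._allocate_identifier(), os.urandom(16), attrs)

    def release_identifier(self, ident):
        """Called by the local RADIUS client once its own response has been handled."""
        self.free_idents.append(ident)

    def request_from_slave(self, pkt, slave_ip, slave_port):
        """Steps 2.2 to 2.4: remap the Identifier, record the slave, return the upstream packet."""
        code, old_ident, request_auth, attrs = parse_packet(pkt)
        new_ident = self._allocate_identifier()
        self.table[new_ident] = {
            "slave_ip": slave_ip, "slave_port": slave_port, "old_ident": old_ident,
            "request_auth": request_auth, "ts": self.now(),
        }
        return build_packet(code, new_ident, request_auth, attrs)

    def response_from_server(self, pkt):
        """Step 3: ('local', pkt) when no record exists, ((ip, port), rewritten) for a
        proxied request, or None when the server's Response Authenticator is wrong."""
        code, ident, auth, attrs = parse_packet(pkt)
        record = self.table.get(ident)
        if record is None:
            return "local", pkt  # step 3.3: hand to the local RADIUS client
        # Assumed check: the proxy is the RADIUS client toward the server, so it verifies
        # the Response Authenticator computed over the remapped Identifier before trusting it.
        if auth != response_authenticator(code, ident, attrs, record["request_auth"], self.server_secret):
            return None
        del self.table[ident]
        self.free_idents.append(ident)  # recycle the Identifier (normal deletion)
        old_ident = record["old_ident"]
        slave_auth = response_authenticator(code, old_ident, attrs, record["request_auth"],
                                            self.slave_secrets[record["slave_ip"]])
        return (record["slave_ip"], record["slave_port"]), build_packet(code, old_ident, slave_auth, attrs)

    def age_out(self):
        """Aging timer: delete records the server never answered and reclaim their Identifiers."""
        now = self.now()
        expired = [i for i, r in self.table.items() if now - r["ts"] > self.age_seconds]
        for ident in expired:
            del self.table[ident]
            self.free_idents.append(ident)
        return expired


if __name__ == "__main__":
    # Constructed sample: one slave at 192.168.1.2 authenticating user "alice".
    proxy = RadiusProxy(b"server-secret", {"192.168.1.2": b"slave-secret"})
    attrs = bytes([1, 7]) + b"alice"  # User-Name attribute (type 1, length 7)
    req_auth = os.urandom(16)
    upstream = proxy.request_from_slave(build_packet(ACCESS_REQUEST, 7, req_auth, attrs), "192.168.1.2", 1812)
    new_ident = parse_packet(upstream)[1]
    accept = build_packet(ACCESS_ACCEPT, new_ident,
                          response_authenticator(ACCESS_ACCEPT, new_ident, b"", req_auth, b"server-secret"))
    print(proxy.response_from_server(accept))  # destination (ip, port) and the packet with Identifier 7 restored
```

The shared pool matters because the Identifier is a single octet: the master and all its slaves together can have at most 256 requests outstanding toward one server, and a slave's own Identifier is only meaningful on the slave side. The aging timer is what keeps a lost response from leaking an Identifier permanently; without it the pool would drain over time and new requests from the slaves would fail.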
The configuration of the devices in the method is as follows:
(1) Configuration on the slave device:
(a) configure the IP address of the master-slave cascade port of the master device as the RADIUS server address; this address can be a private network IP address and is shared by all cascade ports on the master device;
(b) configure the RADIUS proxy listening port started on the master device as the RADIUS server service port;
(c) everything else is unchanged.
(2) Configuration on the master device:
(a) implement the RADIUS client proxy function on the master device and open the proxy listening port on the master-slave cascade ports;
(b) configure the RADIUS server;
(c) everything else is unchanged.
Compared with the prior art, the access device RADIUS proxy authentication method described above realizes user authentication with the RADIUS server through cascading in a mixed network of multiple access devices: the devices are divided into master and slave devices, the master device connects upstream to the RADIUS server, the slave devices connect upstream to the master device, and the slave devices authenticate RADIUS users through the proxy on the master device. This saves the operator's public network IP address resources, simplifies unified management of the devices, improves device security, and is simple to implement.
It should be understood that the above description of specific embodiments of the present invention is rather concrete and must not be interpreted as limiting the scope of patent protection of the invention; that scope shall be determined by the appended claims.

Claims (6)

1. A method for implementing RADIUS (Remote Authentication Dial-In User Service) proxy authentication on access devices, wherein one access device directly connected to the RADIUS server through its uplink port is set as the master device, the other access devices cascaded through their own uplink ports to cascade ports of the master device are set as slave devices, and the master device is provided with a RADIUS proxy module and a slave device information table; a public network IP address is assigned to the uplink port of the master device and private network IP addresses are assigned to the uplink interfaces of the slave devices; the method further comprises:
A. the slave device sends a RADIUS request packet to the master device; the master device modifies the Identifier value of the RADIUS request packet, records it in the slave device information table and forwards the modified request packet to the RADIUS server;
B. the master device receives the response packet returned by the RADIUS server, processes it according to the slave device information table and forwards it to the slave device.
2. The method according to claim 1, characterized in that step A further comprises:
A1: for a RADIUS request packet initiated locally by the master device, the master device allocates an Identifier value and sends the request packet to the RADIUS server.
3. The method according to claim 1, characterized in that step A further comprises:
A2: the RADIUS proxy module of the master device listens for a request packet sent by a slave device, applies locally for a new Identifier value and replaces the original (old) Identifier value with it;
A3: the slave device IP address from the packet header, the slave device's RADIUS client port number, the Identifier value allocated by the slave device and the new Identifier value allocated by the master device are recorded in the slave device information table;
A4: the new RADIUS request packet is sent to the RADIUS server.
4. The method according to claim 3, characterized in that step B further comprises:
B1: after the master device receives the response packet returned by the RADIUS server, it extracts the Identifier value from the packet and looks it up in the slave device information table;
B2: if the Identifier value of the response packet has a corresponding record in the slave device information table, the response is forwarded to the corresponding slave device: the Identifier value of the response packet is replaced with the old Identifier value allocated by the slave device according to the record, the slave device IP address and slave device RADIUS client port number recorded for that Identifier value are read, and the modified response packet is sent to the slave device.
5. The method according to claim 4, characterized in that step B further comprises:
B3: if the Identifier value of the response packet returned by the RADIUS server has no record in the slave device information table, the response packet is handed directly to the master device for local processing.
6. The method according to claim 5, characterized in that the master device is further provided with an aging mechanism for the slave device information table: if the RADIUS server returns no response packet corresponding to a record within a scheduled time, the record is deleted and the locally allocated Identifier value recorded in it is reclaimed.
Priority Applications (1)

Application CNB2005100374250A, priority date 2005-09-23, filing date 2005-09-23, status Active; family ID 37954846; country CN.

Publications (2)

Publication Number Publication Date
CN1937572A (en) 2007-03-28
CN100473049C (en) 2009-03-25 (grant)
Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101188501B (en) * 2007-12-14 2010-06-02 中兴通讯股份有限公司 Switching method for transfer mode under multiple policies
CN102427610A (en) * 2011-12-29 2012-04-25 陈佳阳 Wireless router with built-in user management function, system and networking method thereof
CN104052753B (en) * 2014-06-26 2017-10-17 新华三技术有限公司 A kind of authentication method and equipment
CN107018123B (en) * 2016-11-14 2020-05-15 郭铮铮 Method, device and system for managing equipment access authority
CN107547674B (en) * 2017-05-15 2020-12-29 新华三信息技术有限公司 Address allocation method and device



Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant