CN107547501B - Identity authentication method and device - Google Patents


Publication number
CN107547501B
Authority
CN
China
Prior art keywords
client
address
dhcp server
bras
mac address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710382146.0A
Other languages
Chinese (zh)
Other versions
CN107547501A (en
Inventor
肖湘光
程臻
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201710382146.0A
Publication of CN107547501A
Application granted
Publication of CN107547501B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure relates to an identity authentication method and device. The method is applied to a BRAS and comprises the following steps: when the BRAS and the client are connected at Layer 3 and the client meets the identity authentication condition, obtaining the client IP address carried in a message sent by the client; obtaining a mapping pair of the client IP address and MAC address from a DHCP server; and obtaining the MAC address of the client based on the IP address and the mapping pair. Embodiments of the disclosure can obtain the client IP address carried in the message sent by the client and obtain the MAC address of the client based on the mapping between the IP address and the MAC address, so that MAC identity authentication is performed automatically, the user does not have to enter authentication information manually, and authentication is imperceptible to the user when accessing the Internet.

Description

Identity authentication method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an identity authentication method and apparatus.
Background
With the continuous development of the Internet market, demand for communication has gradually extended from traditional low-speed services such as telephone, fax and telegraph to broadband services such as high-speed Internet access, videophone and video on demand. Users demand ever higher Internet access rates, which the low-speed access of the traditional dial-up modem cannot meet. Meanwhile, more and more users are connected to the metropolitan area network and their service requirements keep expanding, so the broadband metropolitan area network is developing towards a multi-service bearer network.
In this case, the related art adopts a BRAS (Broadband Access Server) to verify the validity of user access, manage access users effectively, and manage and control the services they use. The BRAS offers flexible access authentication modes, effective address management, strong user management, and rich and flexible service and control functions; combined with other communication products, it can provide a manageable, operable and profitable solution for the broadband metropolitan area network. Portal is one of the technologies that implement the BRAS function. Portal authentication accepts authentication information (such as a user name and a password) entered by a user through a Web page and authenticates the identity of the user, so that access control can be implemented at the access layer and at key data entrances that need protection.
Disclosure of Invention
In view of the above, the present disclosure provides an identity authentication method.
According to an aspect of the present disclosure, an identity authentication method is provided, where the method is applied in a broadband access server BRAS, and includes:
when a BRAS and a client are connected at Layer 3 and the client meets an identity authentication condition, acquiring the client IP address carried in a message sent by the client;
acquiring a mapping pair of the client IP address and the MAC address from a DHCP server;
and acquiring the MAC address of the client based on the IP address and the mapping pair.
According to another aspect of the present disclosure, there is provided an identity authentication method, which is applied in a DHCP server, and includes:
responding to a client IP address allocation request from a broadband access server (BRAS), and allocating an IP address for the client;
and in the case of successfully allocating an IP address to a client, sending a mapping pair of the IP address and the MAC address of the client to the BRAS so that the BRAS acquires the MAC address of the client based on the mapping pair.
According to another aspect of the present disclosure, there is provided an identity authentication apparatus, which is applied in a broadband access server BRAS, including:
an IP address acquisition module, configured to acquire the client IP address carried in a message sent by a client when the BRAS and the client are connected at Layer 3 and the client meets an identity authentication condition;
a mapping pair obtaining module, configured to obtain a mapping pair between the client IP address and the MAC address from a DHCP server;
and the MAC address acquisition module is used for acquiring the MAC address of the client based on the IP address and the mapping pair.
According to another aspect of the present disclosure, there is provided an identity authentication apparatus, which is applied in a DHCP server, including:
the address allocation module is used for responding to a client IP address allocation request from a broadband access server (BRAS) and allocating an IP address for the client;
and the mapping pair sending module is used for sending the mapping pair of the IP address and the MAC address of the client to the BRAS under the condition that the IP address is successfully allocated to the client, so that the BRAS acquires the MAC address of the client based on the mapping pair.
According to the identity authentication method and device provided by the embodiments of the disclosure, when the BRAS and the client are connected at Layer 3 and the client meets the identity authentication condition, the client IP address carried in the message sent by the client is acquired, and the MAC address of the client is acquired based on the mapping between the client IP address and the MAC address, so that the MAC identity authentication request is initiated automatically, the user does not have to enter authentication information manually, and authentication is imperceptible to the user when accessing the Internet.
Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features, and aspects of the disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a flow chart illustrating a method of identity authentication in accordance with an example embodiment.
Fig. 2 is a schematic diagram illustrating an application scenario of an identity authentication method according to an exemplary embodiment.
Fig. 3 is a flow chart illustrating a method of identity authentication in accordance with an example embodiment.
Fig. 4 is a flowchart illustrating step S12 of a method of identity authentication according to an example embodiment.
Fig. 5 is a flow chart illustrating a method of identity authentication in accordance with an example embodiment.
Fig. 6 is a flow chart illustrating a method of identity authentication in accordance with an example embodiment.
Fig. 7 is a block diagram illustrating an identity authentication device in accordance with an example embodiment.
Fig. 8 is a block diagram illustrating an identity authentication device in accordance with an example embodiment.
Fig. 9 is a block diagram illustrating an identity authentication device in accordance with an example embodiment.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present disclosure.
Fig. 1 is a flow chart illustrating a method of identity authentication in accordance with an example embodiment. The identity authentication method of the embodiment can be applied to a broadband access server BRAS. As shown in fig. 1, the method includes:
step S11, when the BRAS and the client are connected at Layer 3 and the client meets the identity authentication condition, acquiring the client IP address carried in the message sent by the client;
step S12, obtaining the mapping pair of the client IP address and the MAC address from the DHCP server;
step S13, acquiring the MAC address of the client based on the IP address and the mapping pair.
According to the embodiment of the disclosure, when the BRAS and the client are connected at Layer 3 and the client meets the identity authentication condition, the client IP address carried in the message sent by the client is acquired, and the MAC address of the client is acquired based on the mapping between the client IP address and the MAC address, so that the MAC identity authentication request is initiated automatically, the user does not have to enter authentication information manually, and authentication is imperceptible to the user when accessing the Internet. The embodiment relaxes the networking requirement between the authenticating client and the BRAS when the imperceptible authentication scheme is deployed and is compatible with both Layer 2 and Layer 3 networking, so that the scheme is easier to deploy and the user experience is improved.
Fig. 2 is a schematic diagram illustrating an application scenario of an identity authentication method according to an exemplary embodiment. As shown in fig. 2, the broadband access server BRAS22 may establish a communication connection with a DHCP (Dynamic Host Configuration Protocol) server 25. The DHCP server 25 is configured to dynamically allocate network configuration parameters such as an IP address to network devices. The DHCP server 25 uses a client/server communication mode: the client requests network configuration parameters from the server, and the server returns configuration information such as the IP address allocated to the client, so that information such as the IP address is configured dynamically. The DHCP server 25 may also be a DHCP server built into the BRAS22 or the DHCP relay closest to the client, which is not limited in this disclosure.
Fig. 3 is a flow chart illustrating a method of identity authentication in accordance with an example embodiment. The identity authentication method of the embodiment can be applied to a broadband access server BRAS. As shown in fig. 3, the method further comprises:
step S14, in response to a network communication request of the client, applying for an IP address from the DHCP server;
step S15, when the application for an IP address to the DHCP server succeeds, saving the mapping pair of the client IP address and MAC address received from the DHCP server locally on the BRAS,
wherein step S12 may comprise: reading the mapping pair from local storage on the BRAS.
For example, when a user accesses a network through the client 21, the client 21 may initiate a network communication request. In response to a network communication request of the client 21, the BRAS22 may apply for the IP address of the client 21 from the DHCP server 25. For example, based on the access information (e.g., interface) of the client 21, the BRAS22 may find the domain (domain) corresponding to the client 21; according to the domain corresponding to the client 21, the BRAS22 can find the corresponding DHCP server 25, so that the IP address of the client 21 can be applied from the DHCP server 25.
In one implementation, after the DHCP server 25 successfully allocates an IP address to the client 21, the DHCP server 25 may record a mapping pair of the IP address of the client 21 and the MAC address of the client 21, and the DHCP server 25 may send the mapping pair to the BRAS 22. BRAS22 may check whether DHCP server 25 is a DHCP server of the domain corresponding to client 21 according to its own configuration. If DHCP server 25 is the DHCP server of the domain corresponding to client 21, BRAS22 may locally save the mapping pair from DHCP server 25; if DHCP server 25 is not the DHCP server of the domain corresponding to client 21, the message in which the mapping pair is located may be discarded. In this way, only the mapping pairs sent from the DHCP server of the domain corresponding to the client 21 can be saved, thereby reducing the storage pressure.
In one implementation, when the network access traffic of the client 21 reaches a certain threshold within a certain time, the client 21 may be considered to satisfy the identity authentication condition, and identity authentication may be performed on the client 21. BRAS22 may obtain the MAC address of client 21 in order to initiate a MAC identity authentication request to the AAA (Authentication, Authorization, Accounting) authentication server 24 based on that MAC address. The AAA authentication server 24 provides three network security management functions, namely authentication, authorization and accounting. Authentication: confirming the identity of a remote user accessing the network and judging whether the accessor is a legitimate network user. Authorization: giving different users different permissions and limiting the services they can use; for example, an administrator authorizes an office user to access and print a file on the server, while temporary visitors do not have this permission. Accounting: recording all operations of the user while using the network service, including the type of service used, the start time, the data traffic and the like, so that the user's use of network resources is collected and recorded; this supports charging by time and by traffic and also serves to monitor the network.
In one implementation, if the BRAS22 and the client 21 are connected at Layer 3, the SMAC (source MAC) address in a message sent by the client 21 is the MAC address of the upper-layer router, so the MAC address of the client 21 cannot be read from the message directly; the SIP (source IP) address in the message is the IP address of the client 21. Therefore, BRAS22 can obtain the IP address (SIP address) of client 21 carried in the message sent by client 21. BRAS22 can then read the mapping pair from local storage and look it up by the IP address of client 21 to find the MAC address of client 21.
In one implementation, when the AAA authentication server 24 receives the MAC identity authentication request from the BRAS22, it may determine whether the MAC address of the client 21 is a MAC address that has been bound to the user authentication information. If the MAC address of the client 21 is the MAC address bound with the user authentication information, the BRAS22 may be notified that the MAC identity authentication request passes, the BRAS22 may pass the network communication request of the client 21, and the user may normally surf the internet through the client 21.
In this embodiment of the disclosure, the mapping pair of the client IP address and MAC address received from the DHCP server can be stored locally on the BRAS, and the MAC address of the client is obtained based on the IP address and the mapping pair, so that MAC identity authentication is performed, the user does not have to enter authentication information, and authentication is imperceptible to the user when accessing the Internet, thereby improving user experience.
By contrast, when identity authentication is performed according to the related art, the mapping pair of the client IP address and MAC address is not stored on the BRAS. When the BRAS and the client are connected at Layer 3, the BRAS therefore cannot obtain the MAC address of the client, the MAC identity authentication request fails, and the user has to enter authentication information; imperceptible authentication cannot be achieved, resulting in poor user experience.
Fig. 4 is a flowchart illustrating step S12 of a method of identity authentication according to an example embodiment. The identity authentication method of the embodiment can be applied to a broadband access server BRAS. As shown in fig. 4, step S12 may include:
step S121, sending an inquiry request of the mapping pair of the client IP address and the MAC address to a DHCP server;
step S122, receiving the mapping pair from the DHCP server.
For example, when a user accesses a network through the client 21, the client 21 may initiate a network communication request. In response to a network communication request of the client 21, the BRAS22 may apply for the IP address of the client 21 from the DHCP server 25. For example, based on the access information (e.g., interface) of the client 21, the BRAS22 may find the domain (domain) corresponding to the client 21; according to the domain corresponding to the client 21, the BRAS22 can find the corresponding DHCP server 25, so that the IP address of the client 21 can be applied from the DHCP server 25.
In one implementation, after the DHCP server 25 successfully allocates an IP address to the client 21, the DHCP server 25 may record a mapping pair of the IP address of the client 21 and the MAC address of the client 21, but not send the mapping pair to the BRAS 22.
In one implementation manner, when the network access traffic of the client 21 reaches a certain threshold within a certain time, the client 21 may be considered to satisfy the identity authentication condition, and the identity authentication may be performed on the client 21. BRAS22 may obtain the MAC address of client 21 to initiate a MAC authentication request to AAA authentication server 24 based on the MAC address of client 21.
In one implementation, if the BRAS22 and the client 21 are connected at Layer 3, the SMAC (source MAC) address in a message sent by the client 21 is the MAC address of the upper-layer router, so the MAC address of the client 21 cannot be read from the message directly; the SIP (source IP) address in the message is the IP address of the client 21. Therefore, BRAS22 may obtain the IP address (SIP address) of client 21 carried in the message sent by client 21, and send a query request for the mapping pair of the client IP address and MAC address to DHCP server 25.
In one implementation, DHCP server 25 may send the mapping pair of client IP address and MAC address to BRAS22 in response to the query request from BRAS22. Upon receiving the mapping pair, BRAS22 may look up the mapping pair from DHCP server 25 by the IP address of client 21 and thereby match the MAC address of client 21.
In one implementation, when the AAA authentication server 24 receives the MAC identity authentication request from the BRAS22, it may determine whether the MAC address of the client 21 is a MAC address that has been bound to the user authentication information. If the MAC address of the client 21 is the MAC address bound with the user authentication information, the BRAS22 may be notified that the MAC identity authentication request passes, the BRAS22 may pass the network communication request of the client 21, and the user may normally surf the internet through the client 21.
With this method and device, a mapping pair query request can be sent to the DHCP server to obtain the mapping pair when the identity authentication condition is met, and the MAC address of the client is obtained based on the IP address and the mapping pair. This makes MAC identity authentication straightforward, spares the user from entering authentication information, makes authentication imperceptible to the user when accessing the Internet, and improves user experience.
By contrast, when identity authentication is performed according to the related art, the BRAS cannot send a mapping pair query request to the DHCP server to obtain a mapping pair. When the BRAS and the client are connected at Layer 3, the BRAS therefore cannot obtain the MAC address of the client, the MAC identity authentication request fails, and the user has to enter authentication information; imperceptible authentication cannot be achieved, resulting in poor user experience.
In one implementation, when the AAA authentication server 24 receives the MAC identity authentication request from the BRAS22, it may determine whether the MAC address of the client 21 is a MAC address that has been bound to user authentication information. If the MAC address of the client 21 is not bound to user authentication information, the AAA authentication server 24 may determine that there is no MAC binding and that the client 21 is accessing the Internet for the first time, and may notify the BRAS22 that the MAC identity authentication request fails; the BRAS22 then does not pass the network communication request of the client 21.
In this case, if the user accesses an arbitrary Web address through a browser, the BRAS22 may redirect the request to the Portal Web server 23 and transmit the MAC address of the client 21 to the Portal Web server 23. The Portal Web server 23 may pop up an authentication page in the browser for the user to enter user authentication information (e.g., user name and password). Here, redirection refers to redirecting the network request of the client 21 (access to any web site) to another network location (the authentication page of the Portal Web server 23). After the user enters and confirms the user authentication information on the authentication page, the Portal Web server 23 may send the user authentication information of the client 21 and the MAC address from the BRAS22 to the AAA authentication server 24, and initiate a MAC identity authentication request to the AAA authentication server 24.
In one implementation manner, the AAA authentication server 24 may verify the user authentication information, and if the user authentication information passes the verification, determine the MAC address of the client 21 as the MAC address bound to the user authentication information, and notify the BRAS22 that the MAC authentication request passes, and the BRAS22 may pass the network communication request of the client 21, so that the user may normally surf the internet through the client 21. If the user authentication information is not verified (for example, the password is wrong), the BRAS22 is informed that the MAC identity authentication request fails, and the BRAS22 does not release the network communication request of the client 21.
It should be understood by those skilled in the art that the above-mentioned processing procedure after the MAC identity authentication request fails can be implemented by various methods known in the related art, and the disclosure is not limited thereto.
Fig. 5 is a flow chart illustrating a method of identity authentication in accordance with an example embodiment. The identity authentication method of the embodiment can be applied to a broadband access server BRAS. As shown in fig. 5, the method further comprises:
step S16, when receiving the notice message that the DHCP server releases the IP address, the mapping pair is deleted from BRAS locally.
For example, in the case where the BRAS22 locally stores the mapping pair of the client IP address and the MAC address from the DHCP server 25, if the DHCP server 25 releases the IP address assigned to the client 21, the DHCP server 25 may assign a new IP address when the client 21 accesses again. In this case, the correspondence (mapping pair) between the IP address and the MAC address of the client 21 changes, and the MAC address of the client 21 can no longer be found from the mapping pair stored on the BRAS22. The DHCP server 25 may therefore send a notification message to the BRAS22 when the IP address is released, notifying it that the IP address has been released. BRAS22 can then delete the mapping pair from local storage.
In this way, invalid mapping pairs can be deleted, reducing storage pressure.
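The push-mode flow of Fig. 3 and the release handling of Fig. 5, modelled as an added Python example (not code from the patent or from any BRAS product). The class and method names, the interface label, the addresses, and the rule that a release is honoured only from the server that reported the pair are assumptions made for illustration.

```python
"""Constructed model of the BRAS-side IP-to-MAC binding cache (push mode)."""
from dataclasses import dataclass, field
from ipaddress import ip_address


def norm_mac(mac: str) -> str:
    """Normalise a MAC to lower-case colon form so lookups are consistent."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Bras:
    # domain name -> address of the DHCP server configured for that domain
    domain_dhcp: dict
    # access interface -> domain (how the BRAS finds the client's domain)
    iface_domain: dict
    # stand-in for the AAA server: MACs already bound to user credentials
    aaa_bound_macs: set = field(default_factory=set)
    # local cache: client IP -> (client MAC, DHCP server that reported it)
    bindings: dict = field(default_factory=dict)

    def on_mapping_pair(self, sender, iface, client_ip, client_mac):
        """Step S15: save the pair only if it came from the domain's DHCP server."""
        domain = self.iface_domain.get(iface)
        if domain is None or self.domain_dhcp.get(domain) != sender:
            return False  # message carrying the pair is discarded
        self.bindings[ip_address(client_ip)] = (norm_mac(client_mac), sender)
        return True

    def on_release(self, sender, client_ip):
        """Step S16: delete the pair when its DHCP server releases the address."""
        ip = ip_address(client_ip)
        entry = self.bindings.get(ip)
        if entry is None or entry[1] != sender:  # assumption: same-server check
            return False
        del self.bindings[ip]
        return True

    def resolve_mac(self, src_ip):
        """Steps S11-S13: at Layer 3 the SMAC is the router's, so key on the SIP."""
        entry = self.bindings.get(ip_address(src_ip))
        return entry[0] if entry else None

    def authenticate(self, src_ip):
        """MAC authentication decision: pass if bound, else fall back to Portal."""
        mac = self.resolve_mac(src_ip)
        if mac is not None and mac in self.aaa_bound_macs:
            return ("pass", mac)
        return ("portal", mac)


def demo():
    """Run a constructed sequence of events and return each outcome in order."""
    bras = Bras(
        domain_dhcp={"campus": "198.51.100.1"},   # constructed addresses
        iface_domain={"GE1/0/1": "campus"},       # constructed interface label
        aaa_bound_macs={"02:00:00:00:00:01"},
    )
    dhcp, other, ip = "198.51.100.1", "198.51.100.66", "192.0.2.10"
    out = []
    # A pair from a server that is not the domain's DHCP server is discarded.
    out.append(bras.on_mapping_pair(other, "GE1/0/1", ip, "02:00:00:00:00:99"))
    # The same address reported by the configured server is saved.
    out.append(bras.on_mapping_pair(dhcp, "GE1/0/1", ip, "02-00-00-00-00-01"))
    out.append(bras.authenticate(ip))
    # The address is released, then handed to a device with no MAC binding.
    out.append(bras.on_release(dhcp, ip))
    out.append(bras.authenticate(ip))
    out.append(bras.on_mapping_pair(dhcp, "GE1/0/1", ip, "02:00:00:00:00:02"))
    out.append(bras.authenticate(ip))
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Without the release step the cache would still answer for 192.0.2.10 with the first device's MAC after the address had been reassigned, which is why the deletion matters for more than storage.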
Fig. 6 is a flow chart illustrating a method of identity authentication in accordance with an example embodiment. The identity authentication method of the embodiment can be applied to a DHCP server. As shown in fig. 6, the method includes:
step S61, responding to the client IP address distribution request from the broadband access server BRAS, and distributing the IP address for the client;
and step S62, under the condition that the IP address is successfully allocated to the client, sending the mapping pair of the IP address and the MAC address of the client to the BRAS, so that the BRAS acquires the MAC address of the client based on the mapping pair.
For example, as shown in fig. 2, when a user accesses a network through a client 21, the client 21 may initiate a network communication request. In response to a network communication request of the client 21, the BRAS22 may apply for the IP address of the client 21 from the DHCP server 25. DHCP server 25 may assign an IP address to client 21 in response to a client IP address assignment request from BRAS 22.
In one implementation, when an IP address has been successfully allocated to the client 21, the DHCP server 25 may send a mapping pair of the IP address and the MAC address of the client 21 to the BRAS. Thus, when the BRAS22 and the client 21 are connected at Layer 3 and the client 21 meets the authentication condition, the BRAS22 can obtain the MAC address of the client based on the mapping pair, and then initiate a MAC authentication request to the AAA authentication server 24.
In one implementation, step S62 may include: in response to a query request from a BRAS for a mapping pair of a client IP address and a MAC address, sending the mapping pair to the BRAS so that the BRAS acquires the MAC address of the client based on the mapping pair. For example, after the DHCP server 25 successfully allocates the IP address to the client 21, the DHCP server 25 may record a mapping pair of the IP address of the client 21 and the MAC address of the client 21. When the client 21 satisfies the authentication condition, the BRAS22 may send a query request for the mapping pair of the client IP address and the MAC address to the DHCP server 25. DHCP server 25 may send the mapping pair to the BRAS in response to the query request, so that the BRAS obtains the MAC address of the client based on the mapping pair.
In one implementation, the method may further include: sending a notification message to the BRAS when the IP address is released. For example, in the case where the BRAS22 locally stores the mapping pair of the client IP address and the MAC address from the DHCP server 25, if the DHCP server 25 releases the IP address assigned to the client 21, a notification message may be sent to the BRAS22 to notify it that the IP address has been released. BRAS22 can then delete the mapping pair from local storage.
According to the embodiment of the disclosure, the IP address can be allocated to the client and the mapping pair of the IP address and the MAC address of the client is sent to the BRAS, so that the BRAS acquires the MAC address of the client based on the mapping pair and performs MAC identity authentication; the user does not have to enter authentication information manually, and authentication is imperceptible to the user when accessing the Internet.
Corresponding to the embodiment of the identity authentication method, the disclosure also provides an embodiment of an identity authentication device. Fig. 7 is a block diagram illustrating an identity authentication device in accordance with an example embodiment. The identity authentication device of the embodiment can be applied to a broadband access server BRAS. As shown in fig. 7, the identity authentication apparatus includes:
an IP address obtaining module 71, configured to obtain a client IP address carried in a message sent by a client when a BRAS and the client are connected at Layer 3 and the client meets an identity authentication condition;
a mapping pair obtaining module 72, configured to obtain a mapping pair between the IP address and the MAC address of the client from the DHCP server;
a MAC address obtaining module 73, configured to obtain a MAC address of the client based on the IP address and the mapping pair.
In one implementation, the apparatus further includes:
an address application module, configured to apply for an IP address from the DHCP server in response to a network communication request of the client;
a mapping pair storage module, configured to save the mapping pair of the client IP address and the MAC address received from the DHCP server locally on the BRAS when the application for an IP address to the DHCP server succeeds,
wherein the mapping pair obtaining module 72 is specifically configured to read the mapping pair from local storage on the BRAS.
In one implementation, the map pair obtaining module 72 is specifically configured to:
sending a query request of the mapping pair of the IP address and the MAC address of the client to a DHCP server;
receiving the mapping pair from the DHCP server.
In one implementation, the apparatus further includes:
a mapping pair deleting module, configured to delete the mapping pair locally from the BRAS upon receiving a notification message that the DHCP server has released the IP address.
According to the embodiment of the disclosure, when the BRAS and the client are connected at Layer 3 and the client meets the identity authentication condition, the client IP address carried in the message sent by the client is acquired, and the MAC address of the client is acquired based on the mapping between the client IP address and the MAC address, so that the MAC identity authentication request is initiated automatically, the user does not have to enter authentication information manually, and non-perception authentication of the user during internet access is realized.
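The BRAS-side modules described above (mapping pair storage or query, MAC lookup by source IP, deletion on a release notification) can be modelled as follows. This is an added illustration, not code from the patent: the class and function names, the addresses and the byte threshold are constructed, and the "specified time" window of the authentication condition is not modelled.

```python
# Added illustration, not the patent's code; names and addresses are constructed.
class DhcpServer:
    """Allocates addresses and owns the authoritative (IP, MAC) mapping pairs."""

    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}             # ip -> mac
        self.release_listeners = []  # BRAS callbacks for release notifications

    def allocate(self, mac):
        ip = self.free.pop(0)
        self.leases[ip] = mac
        return ip, mac               # mapping pair handed back to the BRAS

    def query(self, ip):
        return self.leases.get(ip)   # answers a BRAS query request

    def release(self, ip):
        if self.leases.pop(ip, None) is not None:
            self.free.append(ip)
            for notify in self.release_listeners:
                notify(ip)           # notification message to the BRAS


class AaaServer:
    """Knows which MAC addresses are bound to user authentication information."""
    def __init__(self, bound_macs):
        self.bound = set(bound_macs)

    def mac_auth(self, mac):
        return mac in self.bound


class Bras:
    def __init__(self, dhcp, aaa, threshold_bytes, cache_locally=True):
        self.dhcp, self.aaa, self.threshold = dhcp, aaa, threshold_bytes
        self.cache_locally = cache_locally
        self.mappings = {}           # local copy of mapping pairs
        self.traffic = {}            # ip -> bytes seen (time window not modelled)
        dhcp.release_listeners.append(self.on_release)

    def on_client_request(self, mac):
        ip, mac = self.dhcp.allocate(mac)
        if self.cache_locally:
            self.mappings[ip] = mac
        return ip

    def on_release(self, ip):
        self.mappings.pop(ip, None)  # delete the local mapping pair
        self.traffic.pop(ip, None)   # and the counter tied to the old holder

    def resolve_mac(self, ip):
        # Local read when cached, otherwise a query request to the DHCP server.
        return self.mappings.get(ip) if self.cache_locally else self.dhcp.query(ip)

    def on_packet(self, src_ip, size):
        """None: condition not met yet. True/False: MAC authentication result."""
        self.traffic[src_ip] = self.traffic.get(src_ip, 0) + size
        if self.traffic[src_ip] < self.threshold:
            return None
        mac = self.resolve_mac(src_ip)
        return False if mac is None else self.aaa.mac_auth(mac)


def run_scenario(cache_locally):
    dhcp = DhcpServer(["10.0.0.10", "10.0.0.11"])
    bras = Bras(dhcp, AaaServer(["aa:bb:cc:00:00:01"]), 1000, cache_locally)
    ip = bras.on_client_request("aa:bb:cc:00:00:01")
    below = bras.on_packet(ip, 400)           # under threshold: not authenticated yet
    bound = bras.on_packet(ip, 700)           # threshold reached, MAC is bound
    other = bras.on_client_request("aa:bb:cc:00:00:02")
    unbound = bras.on_packet(other, 1500)     # MAC not bound at the AAA server
    dhcp.release(ip)
    after_release = bras.on_packet(ip, 1500)  # mapping pair is gone
    return ip, below, bound, unbound, after_release
```

Both variants (local storage and on-demand query) give the same results here; once the release notification has been processed, traffic from the released address no longer resolves to the previous holder's MAC address.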
Corresponding to the embodiment of the identity authentication method, the disclosure also provides an embodiment of an identity authentication device. Fig. 8 is a block diagram illustrating an identity authentication device in accordance with an example embodiment. The identity authentication device of the embodiment can be applied to a DHCP server. As shown in fig. 8, the identity authentication apparatus includes:
an address allocation module 81, configured to allocate an IP address to a client in response to a client IP address allocation request from a broadband access server (BRAS);
a mapping pair sending module 82, configured to send, when an IP address is successfully allocated to the client, the mapping pair of the IP address and the MAC address of the client to the BRAS, so that the BRAS obtains the MAC address of the client based on the mapping pair.
In one implementation, the mapping pair sending module 82 is specifically configured to:
in response to a query request of a BRAS for a mapping pair of a client IP address and a MAC address, sending the mapping pair to the BRAS so that the BRAS acquires the MAC address of the client based on the mapping pair.
In one implementation, the apparatus further includes:
a message sending module, configured to send a notification message to the BRAS when the IP address is released.
According to the embodiment of the disclosure, the IP address can be allocated to the client, and the mapping pair of the IP address and the MAC address of the client is sent to the BRAS, so that the BRAS acquires the MAC address of the client based on the mapping pair, thereby carrying out MAC identity authentication, avoiding the user from manually inputting authentication information, and realizing the non-perception authentication when the user accesses the Internet.
The identity authentication device of the embodiment of the disclosure can be applied to a broadband access server (BRAS) or a DHCP server. The apparatus embodiment may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus, as a logical device, is formed when the processor of the device in which it is located reads the corresponding computer program instructions from the non-volatile memory into memory and runs them. In terms of hardware, fig. 9 is a schematic diagram of the hardware structure of a device in which the identity authentication apparatus of the present disclosure is located. In addition to the processing component, the power supply component, the network interface, the input/output interface and the memory shown in fig. 9, the device in the embodiment may generally also include other hardware, such as a forwarding chip responsible for processing packets; in terms of hardware structure the device may also be a distributed device, and may include multiple interface cards so that message processing can be expanded at the hardware level.
Fig. 9 is a block diagram illustrating an apparatus 1900 for an identity authentication device according to an example embodiment. For example, the apparatus 1900 may be provided as a broadband access server (BRAS) or a DHCP server. Referring to fig. 9, the device 1900 includes a processing component 1922, which further includes one or more processors, and memory resources, represented by memory 1932, for storing instructions, e.g., applications, executable by the processing component 1922. The application programs stored in memory 1932 may include one or more modules that each correspond to a set of instructions. Further, the processing component 1922 is configured to execute instructions to perform the above-described method.
The device 1900 may also include a power component 1926 configured to perform power management of the device 1900, a wired or wireless network interface 1950 configured to connect the device 1900 to a network, and an input/output (I/O) interface 1958. The device 1900 may operate based on an operating system stored in memory 1932, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided that includes instructions, such as the memory 1932 that includes instructions, which are executable by the processing component 1922 of the apparatus 1900 to perform the above-described method.
The present disclosure may be systems, methods, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for causing a processor to implement various aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present disclosure may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, the electronic circuitry that can execute the computer-readable program instructions implements aspects of the present disclosure by utilizing the state information of the computer-readable program instructions to personalize the electronic circuitry, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA).
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terms used herein were chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to the techniques in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (8)

1. An identity authentication method is applied to a broadband access server (BRAS), and comprises the following steps:
when the BRAS and a client are connected at Layer 3 and the client meets an identity authentication condition, acquiring a client IP address carried in a message sent by the client, wherein the identity authentication condition comprises that the network access traffic of the client reaches a specified threshold within a specified time;
acquiring a mapping pair of the client IP address and the MAC address from a DHCP server;
acquiring the MAC address of the client based on the IP address and the mapping pair;
and initiating an MAC identity authentication request to an AAA authentication server, wherein the MAC identity authentication request is used for indicating the AAA authentication server to judge whether the MAC address of the client is the MAC address bound with the user authentication information.
2. The method of claim 1, further comprising:
responding to a network communication request of a client, and applying for an IP address from a DHCP server;
when the application to the DHCP server for the IP address succeeds, storing the mapping pair of the client IP address and the MAC address from the DHCP server locally in the BRAS,
wherein obtaining the mapping pair of the client IP address and the MAC address from the DHCP server comprises:
reading the mapping pair locally from the BRAS.
3. The method of claim 1, wherein obtaining the mapping pair of the client IP address and the MAC address from the DHCP server comprises:
sending a query request of the mapping pair of the IP address and the MAC address of the client to a DHCP server;
receiving the mapping pair from the DHCP server.
4. The method of claim 2, further comprising:
upon receiving a notification message that the DHCP server has released the IP address, deleting the mapping pair locally from the BRAS.
5. An identity authentication device, applied to a broadband access server (BRAS), comprising:
an IP address acquisition module, configured to acquire a client IP address carried in a message sent by a client when the BRAS and the client are connected at Layer 3 and the client meets an identity authentication condition, wherein the identity authentication condition comprises that the network access traffic of the client reaches a specified threshold within a specified time;
a mapping pair obtaining module, configured to obtain a mapping pair between the client IP address and the MAC address from a DHCP server;
the MAC address acquisition module is used for acquiring the MAC address of the client based on the IP address and the mapping pair; and initiating an MAC identity authentication request to an AAA authentication server, wherein the MAC identity authentication request is used for indicating the AAA authentication server to judge whether the MAC address of the client is the MAC address bound with the user authentication information.
6. The apparatus of claim 5, further comprising:
an address application module, configured to apply to the DHCP server for an IP address in response to a network communication request of the client;
a mapping pair storage module, configured to store the mapping pair of the client IP address and the MAC address from the DHCP server locally in the BRAS when the application to the DHCP server for the IP address succeeds,
wherein the mapping pair obtaining module is specifically configured to:
read the mapping pair locally from the BRAS.
7. The apparatus of claim 5, wherein the mapping pair obtaining module is specifically configured to:
sending a query request of the mapping pair of the IP address and the MAC address of the client to a DHCP server;
receiving the mapping pair from the DHCP server.
8. The apparatus of claim 6, further comprising:
a mapping pair deleting module, configured to delete the mapping pair locally from the BRAS upon receiving a notification message that the DHCP server has released the IP address.
CN201710382146.0A 2017-05-26 2017-05-26 Identity authentication method and device Active CN107547501B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710382146.0A CN107547501B (en) 2017-05-26 2017-05-26 Identity authentication method and device

Publications (2)

Publication Number Publication Date
CN107547501A CN107547501A (en) 2018-01-05
CN107547501B true CN107547501B (en) 2020-05-12

Family

ID=60966914

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710382146.0A Active CN107547501B (en) 2017-05-26 2017-05-26 Identity authentication method and device

Country Status (1)

Country Link
CN (1) CN107547501B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108171589A (en) * 2018-01-29 2018-06-15 北京小度信息科技有限公司 Verification method and device
CN109962917A (en) * 2019-03-26 2019-07-02 中国民生银行股份有限公司 Authentication information processing method and equipment, system, storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102204307A (en) * 2011-06-15 2011-09-28 华为技术有限公司 Wlan authentication method based on MAC address and device thereof
CN103795584A (en) * 2012-10-30 2014-05-14 华为技术有限公司 Client side identity detection method and gateway
CN103856469A (en) * 2012-12-06 2014-06-11 中国电信股份有限公司 Method and system supporting DHCP authentication and provenance, and DHCP server
CN105592037A (en) * 2015-07-10 2016-05-18 杭州华三通信技术有限公司 MAC address authentication method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4685520B2 (en) * 2005-06-24 2011-05-18 オリンパス株式会社 IP address acquisition method

Also Published As

Publication number Publication date
CN107547501A (en) 2018-01-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant