CN108600225A - Authentication method and device - Google Patents

Info

Publication number
CN108600225A
Authority
CN
China
Prior art keywords
lac
lns
user
list item
supported
Legal status
Granted
Application number
CN201810380682.1A
Other languages
Chinese (zh)
Other versions
CN108600225B (en)
Inventor
章靠
林英姿
徐步正
晁岳磊
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Events
    • Application filed by New H3C Technologies Co Ltd
    • Priority to CN201810380682.1A
    • Publication of CN108600225A
    • Application granted
    • Publication of CN108600225B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
          • H04L12/00 Data switching networks
            • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
              • H04L12/46 Interconnection of networks
                • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
                • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides an authentication method and device. The method may include: receiving a first authentication message from an LNS-UP, the first authentication message carrying user information; detecting whether the LNS-UP and a peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP; and, if so, generating an LNS user entry corresponding to the user information based on an already recorded LAC user entry corresponding to the user information. With the method provided by the disclosure, the number of authentications can be reduced, the number of authentication messages on the control server is reduced, and the performance of the control server is improved.

Description

Authentication method and device
Technical field
The present disclosure relates to the field of computer communication, and in particular to an authentication method and device.
Background
Layer 2 Tunneling Protocol (L2TP) is one of the tunneling protocols for Virtual Private Dial-up Networks (VPDN). L2TP establishes an L2TP tunnel over a public network (such as the Internet) so that a remote user (for example, a branch office of an enterprise or an employee on a business trip) who has accessed the public network using the Point-to-Point Protocol (PPP) can communicate with the intranet through the L2TP tunnel and access enterprise intranet resources, thereby allowing remote users to access the private enterprise network securely, economically and effectively.
An L2TP access network generally includes a remote system, an LAC (L2TP Access Concentrator) and an LNS (L2TP Network Server). The remote system is the remote user terminal or similar that is to access the VPDN network. The LAC is a device with PPP and L2TP protocol processing capability, mainly used to provide access service for PPP-type users. The LNS is both a PPP end system and the server end of the L2TP protocol, and usually serves as the edge device of an intranet. The LAC and the LNS are connected by an L2TP tunnel.
To improve the utilization of the forwarding plane, an L2TP access network with a forwarding/control separation architecture is generally used. In such an architecture, the forwarding layer and the control layer of the LAC and the LNS can be separated. For example, a control server is usually configured in the L2TP access network; the control server may be a physical server or a virtual server, and mainly performs control processing as the LAC control-layer device LAC-CP (L2TP Access Concentrator Control Plane) and/or the LNS control-layer device LNS-CP (L2TP Network Server Control Plane). Devices with user access functions are also configured in the network, such as BRAS (Broadband Remote Access Server) devices and NAS (Network Access Server) devices, which serve as the LAC forwarding device LAC-UP (L2TP Access Concentrator User Plane) and as the LNS forwarding device LNS-UP (L2TP Network Server User Plane).
Summary
In view of this, the present disclosure provides an authentication method and device, so as to reduce the number of authentications, reduce the number of authentication messages on the control server, and improve the performance of the control server.
Specifically, the disclosure is achieved through the following technical solutions:
According to a first aspect of the disclosure, an authentication method is provided. The method is applied to a control server and includes:
receiving a first authentication message from an LNS-UP, the first authentication message carrying user information;
detecting whether the LNS-UP and a peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP;
if so, generating an LNS user entry corresponding to the user information based on an already recorded LAC user entry corresponding to the user information.
According to a second aspect of the disclosure, an authentication device is provided. The device is applied to a control server and includes:
a receiving unit, configured to receive a first authentication message from an LNS-UP, the first authentication message carrying user information;
a detection unit, configured to detect whether the LNS-UP and a peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP;
a generation unit, configured to, if so, generate an LNS user entry corresponding to the user information based on an already recorded LAC user entry corresponding to the user information.
According to a third aspect of the disclosure, a control server is provided, including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions executable by the processor, and the machine-executable instructions cause the processor to perform the method according to any one of claims 1 to 5.
According to a fourth aspect of the disclosure, a machine-readable storage medium is provided, storing machine-executable instructions which, when called and executed by a processor, cause the processor to perform the method according to any one of claims 1 to 5.
The disclosure proposes an authentication method in which, after receiving an authentication message sent by an LNS-UP, if the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server may refrain from sending the authentication message from the LNS-UP to the authentication server for authentication, and instead generates the LNS user entry corresponding to the user information according to the LAC user entry corresponding to the user information carried in the authentication message.
In the scenario where the same control server is shared, the control server does not need to send the authentication message from the LNS-UP to the authentication server for authentication, but generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by the LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
Description of the drawings
Figure 1A is a schematic diagram of an L2TP access network with forwarding/control separation according to an exemplary embodiment of the disclosure;
Figure 1B is a schematic diagram of another L2TP access network with forwarding/control separation according to an exemplary embodiment of the disclosure;
Fig. 2 is a flowchart of an authentication method according to an exemplary embodiment of the disclosure;
Fig. 3 is a schematic diagram of an authentication method according to an exemplary embodiment of the disclosure;
Fig. 4 is a hardware architecture diagram of a control server on which the authentication method provided by the disclosure runs;
Fig. 5 is a block diagram of an authentication device according to an exemplary embodiment of the disclosure.
Detailed description of embodiments
Exemplary embodiments will be described in detail here, with examples illustrated in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this disclosure; rather, they are merely examples of devices and methods consistent with some aspects of the disclosure as detailed in the appended claims.
The terminology used in the disclosure is for the purpose of describing particular embodiments only and is not intended to limit the disclosure. The singular forms "a", "said" and "the" used in the disclosure and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the disclosure to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the disclosure, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Figure 1A shows an L2TP access network with a forwarding/control separation architecture. In Figure 1A, the control server serves both as the LAC control-layer device LAC-CP and as the LNS control-layer device LNS-CP; that is, LAC-CP and LNS-CP are the same control server.
After LAC-UP10 receives an authentication message sent by a user terminal, LAC-UP10 may send the authentication message to control server 10, and control server 10 sends the authentication message to authentication server 10 for authentication. Control server 10 receives the authorization information issued by authentication server 10 and generates an LAC user entry based only on the LAC-supported authorization information within it.
After the L2TP tunnel between LAC-UP10 and LNS-UP10 has been established, LAC-UP10 may send the user information of the user terminal to LNS-UP10 through the L2TP tunnel, and LNS-UP10 sends an authentication message carrying the user information to control server 10. After receiving the authentication message carrying the user information from LNS-UP10, control server 10 sends the authentication message to authentication server 10. Control server 10 may receive the authorization information sent by authentication server 10 after successful authentication and generate an LNS user entry based only on the LNS-supported authorization information within it.
It can be seen from the above description that, in the scenario where LAC-UP and LNS-UP share the same control server, when a user terminal accesses the network the control server not only sends the authentication message from the LAC-UP to the authentication server for authentication, but also sends the authentication message from the LNS-UP to the authentication server for authentication. When a large number of L2TP user terminals access the network, a large number of authentication messages are produced; this double-authentication mechanism doubles the authentication messages received by the control server, which on the one hand causes message congestion and on the other hand greatly reduces the performance of the control server.
In view of this, the disclosure proposes an authentication method in which, after receiving an authentication message sent by an LNS-UP, if the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server may refrain from sending the authentication message from the LNS-UP to the authentication server for authentication, and instead generates the LNS user entry corresponding to the user information according to the LAC user entry corresponding to the user information carried in the authentication message.
In the scenario where the same control server is shared, the control server does not need to send the authentication message from the LNS-UP to the authentication server for authentication, but generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by the LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
Before introducing the authentication method of the disclosure, some concepts involved in the disclosure are introduced first.
The control server described above may be a physical server or a virtual machine. It mainly acts as a control-plane device and performs control functions, for example processing protocol messages sent by the LAC forwarding device LAC-UP and/or the LNS forwarding device LNS-UP.
The control server may simultaneously serve as the control-layer device LAC-CP of a certain LAC and the control-layer device LNS-CP of a certain LNS; it may also serve only as the control-layer device LAC-CP of a certain LAC, or only as the control-layer device LNS-CP of a certain LNS.
Of course, one part of the control server's resources may simultaneously serve as the control-layer device LAC-CP of a certain LAC and the control-layer device LNS-CP of a certain LNS, while another part of its resources serves only as the control-layer device LAC-CP of another LAC or only as the control-layer device LNS-CP of another LNS.
For example, suppose the resources of control server 1 are divided into three parts: the first part serves as both LAC-CP1 and LNS-CP1, the second part serves only as LAC-CP2, and the third part serves only as LNS-CP3.
The LAC-UP described above refers to the forwarding device of the LAC, which may be a device with user access functions, for example a NAS device or a BRAS device. This is only illustrative and is not specifically limited here.
The LNS-UP described above refers to the forwarding device of the LNS, which may be a BRAS device, a NAS device or the like. This is only illustrative and is not specifically limited here.
Note that the LAC-UP may be a separate device, and the LNS-UP may also be a separate device. For example, as shown in Figure 1A, LAC-UP10 is a separate device and LNS-UP10 is also a separate device.
Of course, the LAC-UP and the LNS-UP may also be the same device. For example, as shown in Figure 1B, the LTS (L2TP Tunnel Switch) device in Figure 1B is both an LAC-UP device and an LNS-UP device: for LAC-UP11 the LTS device is an LNS-UP device, and for LNS-UP11 the LTS device is an LAC-UP device.
Referring to Fig. 2, Fig. 2 is a flowchart of an authentication method according to an exemplary embodiment of the disclosure. The method may be applied to a control server and may include the following steps.
Before introducing the steps of the authentication flow of the disclosure, the LAC user entry is introduced first.
1) The LAC user entry of the disclosure.
The LAC user entry of the disclosure may be as shown in Table 1.
Table 1
Of course, Table 1 shows only the main contents of the LAC user entry; the LAC user entry may also include other contents, such as the user access port, the entry sequence number and other extensions. This is only illustrative and is not specifically limited here.
The disclosure adds a shared-flag field, for example a free-auth field, to the LAC user entry. When the value of the shared-flag field is a first preset value, it indicates that the LAC-UP and the peer LNS-UP share the same control server; when the value of the shared-flag field is not the first preset value, for example is a second preset value, it indicates that the LAC-UP and the peer LNS-UP do not share the same control server.
In addition, the authorization information in a traditional LAC user entry is only the authorization information supported by the LAC, whereas the authorization information in the LAC user entry provided by the disclosure includes authorization information supported by the LAC but not by the LNS, authorization information supported by both the LAC and the LNS, authorization information supported by neither the LAC nor the LNS, and authorization information not supported by the LAC but supported by the LNS.
The main purpose of this is to fit the flow of the disclosure. More specifically, in the disclosure, after the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server no longer needs to send the authentication message from the LNS-UP to the authentication server for authentication, but generates the LNS user entry based on the LNS-supported authorization information recorded in the LAC user entry corresponding to the user information in the authentication message.
Therefore, when the LAC user entry is generated, the authorization information supported by the LAC but not by the LNS, supported by both the LAC and the LNS, supported by neither the LAC nor the LNS, and not supported by the LAC but supported by the LNS is all recorded, so that the authentication message sent by the LNS-UP need not be authenticated and the LNS user entry can be generated from the LAC user entry.
2) How the LAC user entry described above is generated.
After the LAC-UP receives an authentication message sent by a user terminal (for convenience of description, the authentication message received by the LAC-UP from the user terminal is referred to here as the second authentication message), the LAC-UP may send the second authentication message to the control server, and the control server may send the second authentication message to the authentication server for authentication.
After authentication passes, the authentication server may issue authorization information to the control server. The authorization information issued by the authentication server includes: authorization information supported by the LAC but not by the LNS, authorization information supported by both the LAC and the LNS, authorization information supported by neither the LAC nor the LNS, and authorization information not supported by the LAC but supported by the LNS.
In addition, when the overall L2TP service deployment is planned, the developer configures on this control server the correspondence between the LAC-UPs and LNS-UPs that share this control server. The control server looks up, in the correspondence, the LNS-UP corresponding to this LAC-UP. If one can be found, it indicates that the LAC-UP and the found LNS-UP share this control server, and the control server may set the value of the shared-flag field to the first preset value. If none can be found, it indicates that no LNS-UP shares this control server with this LAC-UP, and the control server may set the value of the shared-flag field to the second preset value.
Here, the first preset value indicates that the LAC-UP and the found LNS-UP share this control server, and the second preset value indicates that no LNS-UP shares this control server with the LAC-UP.
Then, the control server generates the LAC user entry corresponding to the user information based on the authorization information issued by the authentication server, the shared-flag field and its value, and the user information carried in the second authentication message.
Then, the LAC-UP may send the user information carried in the second authentication message to the LNS-UP. The LNS-UP may construct an authentication message based on the user information (for convenience of description, the authentication message constructed by the LNS-UP is referred to here as the first authentication message). The LNS-UP then sends the first authentication message to the control server.
The control server performs steps 201 to 202.
Step 201: The control server receives the first authentication message from the LNS-UP; the first authentication message carries user information.
Here, the user information refers to information that uniquely identifies a user, and may include the user name, the MAC address of the user terminal, a combination of the two, and so on. The user information is only described illustratively here and is not specifically limited.
Step 202: The control server detects whether the LNS-UP and the peer LAC-UP share this control server; here, the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP.
In implementation, the control server may look up, in the locally recorded LAC user table, the LAC user entry containing the user information carried in the first authentication message.
The value of the shared-flag field of that LAC user entry is then checked.
If the value of the shared-flag field of the LAC user entry is the first preset value, it is determined that the LNS-UP and the peer LAC-UP share this control server.
If the value of the shared-flag field of the LAC user entry is the second preset value, it is determined that the LNS-UP and the peer LAC-UP do not share this control server.
Here, the first preset value indicates that the LNS-UP and the peer LAC-UP share this control server;
the second preset value indicates that the LNS-UP and the peer LAC-UP do not share this control server.
Step 203: If so, the control server generates the LNS user entry corresponding to the user information based on the already recorded LAC user entry corresponding to the user information.
In the embodiments of the disclosure, after the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server is prohibited from sending the first authentication message to the authentication server for authentication, and discards the first authentication message.
In addition, the control server may generate the LNS user entry corresponding to the user information based on the LNS-supported authorization information recorded in the found LAC user entry (the authorization attributes not supported by the LAC but supported by the LNS, and the authorization attributes supported by both the LAC and the LNS) and the user information carried in the first authentication message.
In addition, after generating the LNS user entry corresponding to the user information carried in the first authentication message, the control server may also delete the authorization information not supported by the LAC that is recorded in the found LAC user entry (for example, the authorization information supported by neither the LAC nor the LNS, and the authorization information not supported by the LAC but supported by the LNS).
In the embodiments of the disclosure, after the control server determines that the LNS-UP and the peer LAC-UP do not share this control server, the control server may send the first authentication message to the authentication server for authentication. After authentication passes, the control server receives the authorization information issued by the authentication server, and then generates the LNS user entry corresponding to the user information based on the authorization information and the user information carried in the first authentication message.
It can be seen from the above description that, after receiving the authentication message sent by the LNS-UP, if the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server may refrain from sending the authentication message from the LNS-UP to the authentication server for authentication, and instead generates the LNS user entry corresponding to the user information according to the LAC user entry corresponding to the user information carried in the authentication message.
In the scenario where the same control server is shared, the control server does not need to send the authentication message from the LNS-UP to the authentication server for authentication, but generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by the LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
The authentication method provided by the disclosure is described in detail below with reference to Fig. 3.
In Fig. 3, LAC-UP31 and LNS-UP31 share CP31 (CP31 is the control server described herein). CP31 is connected to LAC-UP31 through VXLAN tunnel 31, and to LNS-UP31 through VXLAN tunnel 32. CP31 is connected to the authentication server.
Assume that the user name of user terminal 31 is test1 and that the MAC address of the user terminal is 1-1-1.
After LAC-UP31 receives the authentication message sent by user terminal 31, LAC-UP31 may send the authentication message to the authentication server for authentication. The authentication message carries the user information of user terminal 31, for example the user name test1 of user terminal 31 and the MAC address 1-1-1 of the user terminal.
After the authentication server authenticates the user information successfully, the authentication server may issue authorization information. The issued authorization information includes authorization information supported by the LAC but not by the LNS, authorization information not supported by the LAC but supported by the LNS (such as the IP address and the IPv6 address), authorization information supported by both the LAC and the LNS (such as the bandwidth Car attribute), and authorization information supported by neither the LAC nor the LNS.
In addition, when the overall L2TP service deployment is planned, the developer configures on CP31 the correspondence between the LAC-UPs and LNS-UPs that share CP31. After CP31 receives the above authentication message sent by LAC-UP31, CP31 may look up, in the correspondence of LACs and LNSs sharing this CP31, whether there is an LNS-UP corresponding to LAC-UP31. If one can be found, the value of the shared field, the free-auth field, is set to Y. If none can be found, the value of the free-auth field is set to N.
In this example, since LAC-UP31 and LNS-UP31 share this CP31, the value of the free-auth field is set to Y.
Then, CP31 may generate LAC user entry 31 corresponding to user terminal 31 according to the authorization information issued by the authentication server, the user information of user terminal 31, and the free-auth field and its value. LAC user entry 31 may be as shown in Table 2.
Table 2
Wherein, SeqNum indicates the serial number of this user's list item;
Interface indicates to receive the interface of the message identifying;
Username is user's name, and MAC-Address is the MAC Address of user terminal;
IP-address, ipv6-address and Car (bandwidth) are the authorization message that certificate server issues;
Free-auth is shared field;
Role indicates the attribute of the list item, for example, the list item is LAC user's list item or LNS user's list item.
Certainly, which further includes other authorization messages that certificate server issues, here only illustratively Illustrate, without specifically defined.
Then, LAC-UP31 can negotiate to establish L2TP Tunnel with LNS-UP31.After the completion of L2TP Tunnel is established, LAC- The user information of the user terminal 31 can be sent to LNS-UP31 by UP31 by the L2TP Tunnel.
LNS-UP31 can construct message identifying, be taken in the message identifying after the user information for receiving the user terminal 31 With the user information of user terminal 31.Then, LNS-UP can be sent the message identifying constructed by the tunnels VXLAN 32 To CP31.
CP31, can be in LAC user's table after the message identifying for receiving LNS-UP31 transmissions, and it includes the user to search LAC user's list item 31 of the user information of terminal 31.
Then check whether the value of the shared field free-auth fields of LAC user's list item 31 is Y.
If the value of the shared field free-auth fields of LAC user's list item 31 is Y, show LAC-UP31 and LNS-UP31 shares CP31.
If the shared field free-auth fields value of LAC user's list item 31 is not Y (for example being N etc.), show LAC-UP31 and LNS-UP31 does not share CP31.
1) When the value of the free-auth field of LAC user entry 31 is Y, CP31 can generate LNS user entry 31 from LAC user entry 31 (such as Table 1).
In one optional implementation, CP31 generates LNS user entry 31 from the LNS-supported authorization information in LAC user entry 31 together with the user information of user terminal 31, and deletes from LAC user entry 31 the authorization information that the LAC does not support.
For example, for authorization information in LAC user entry 31 that the LAC supports but the LNS does not (denoted here as authorization information 1), CP31 does not take the value of authorization information 1 in LAC user entry 31 as the corresponding value in the LNS entry.
For authorization information in LAC user entry 31 that the LAC does not support but the LNS does (denoted here as authorization information 2), CP31 takes the value of authorization information 2 in LAC entry 31 as the value of authorization information 2 in LNS user entry 31. At the same time, CP31 can delete the value of authorization information 2 from LAC user entry 31.
For example, the values of IP-address and ipv6-address in LAC user entry 31 are deleted, and those values are used as the values of IP-address and ipv6-address in LNS user entry 31.
For authorization information in LAC user entry 31 that neither the LAC nor the LNS supports (denoted here as authorization information 3), CP31 does not take the value of authorization information 3 in LAC user entry 31 as the corresponding value in the LNS entry. At the same time, CP31 can delete the value of authorization information 3 from LAC user entry 31.
For authorization information in LAC user entry 31 that both the LAC and the LNS support (denoted here as authorization information 4), CP31 takes the value of authorization information 4 in LAC user entry 31 as the corresponding value in the LNS entry.
For example, the value of Car in LAC user entry 31 is used as the value of Car in LNS user entry 31.
The LNS user entry 31 generated for user terminal 31 is shown in Table 3.
Table 3
Here SeqNum is the sequence number of the user entry;
Interface is the interface on which the authentication message was received;
Username is the user name, and MAC-Address is the MAC address of the user terminal;
IP-address, ipv6-address and Car (bandwidth) are authorization information issued by the authentication server and supported by the LNS;
Free-auth is the sharing flag field;
Role indicates the type of the entry, for example whether it is an LAC user entry or an LNS user entry.
The entry may of course also include other authorization information issued by the authentication server; the fields above are illustrative only and not limiting.
LAC user entry 31 after the authorization information not supported by the LAC has been deleted is shown in Table 4.
Table 4
2) When the value of the free-auth field of LAC user entry 31 is N, CP31 sends the authentication message from LNS-UP31 to the authentication server for authentication. After authentication succeeds, the authentication server issues authorization information to CP31, and CP31 generates the LNS user entry from that authorization information and the user information of user terminal 31.
It can be seen from the above that, after receiving the authentication message sent by LNS-UP31, if CP31 determines that LNS-UP31 and LAC-UP31 share this CP31, CP31 does not send the authentication message from LNS-UP31 to the authentication server; instead it generates LNS user entry 31 for the user information from LAC user entry 31, the entry corresponding to the user information carried in the authentication message.
In the shared-CP31 scenario, the control server therefore does not need to send the authentication message from LNS-UP31 to the authentication server; it generates the LNS user entry from the LAC user entry that was created after the authentication message sent by LAC-UP was authenticated. Because the conventional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
Referring to Fig. 4, the disclosure also provides a hardware architecture diagram of the control server on which the authentication method runs. The control server includes a communication interface 401, a processor 402, a memory 403 and a bus 404; the communication interface 401, processor 402 and memory 403 communicate with one another through the bus 404.
The processor 402 may be a CPU, and the memory 403 may be non-volatile memory. Logic instructions for authentication are stored in memory 403, and processor 402 can execute the authentication logic instructions stored in memory 403 to implement the function of reducing the number of authentications.
The machine-readable storage medium 403 referred to here may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any kind of storage disc (such as a CD or DVD), a similar storage medium, or a combination of these.
This completes the description of the hardware structure shown in Fig. 4.
Referring to Fig. 5, Fig. 5 is a block diagram of an authentication device shown in an exemplary embodiment of the disclosure. The device can be applied to a control server and may include the following units.
Receiving unit 501, configured to receive a first authentication message from an LNS-UP; the first authentication message carries user information;
Detection unit 502, configured to detect whether the LNS-UP and a peer LAC-UP share this control server; the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP;
Generation unit 503, configured to, if so, generate an LNS user entry corresponding to the user information based on the recorded LAC user entry corresponding to the user information.
Optionally, detection unit 502 is specifically configured to search the LAC user table for a first LAC user entry that contains the user information; check the value of the sharing flag field in the first LAC user entry; and, if the value of the sharing flag field is a first preset value, determine that the LNS-UP and the peer LAC-UP share this control server.
Optionally, generation unit 503 is specifically configured to generate the LNS user entry based on the LNS-supported authorization information recorded in the LAC user entry and the user information.
Optionally, the device further includes:
Deleting unit 504, configured to delete the authorization information recorded in the LAC user entry that the LAC does not support.
Optionally, the LAC user entry is generated in the following way:
after receiving a second authentication message carrying the user information sent by the LAC-UP, sending the second authentication message to the authentication server for authentication and receiving the target authorization information issued by the authentication server;
searching the pre-configured correspondence between LAC-UPs and LNS-UPs that share this control server for the LNS-UP corresponding to the LAC-UP; if one is found, the LAC-CP sets the value of the sharing flag field to the first preset value; if none is found, the LAC-CP sets the value of the sharing flag field to a second preset value;
generating the LAC user entry based on the target authorization information, the sharing flag field and its value, and the user information;
the target authorization information includes authorization information supported by the LAC but not by the LNS, authorization information supported by both the LAC and the LNS, authorization information supported by neither the LAC nor the LNS, and authorization information not supported by the LAC but supported by the LNS.
For the implementation of the functions and effects of each unit in the above device, refer to the implementation of the corresponding steps in the method above; details are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, refer to the description of the method embodiments for relevant details. The device embodiments described above are merely exemplary: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the disclosed solution. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely the preferred embodiments of the disclosure and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the disclosure shall be included within the scope of protection of the disclosure.
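As an added worked example, not code from the patent or from New H3C, the following Python models the two control-server table operations described on this page: building the LAC user entry with its Free-auth flag after the LAC-UP's authentication message (the optional LAC user entry generation procedure above), and, on the LNS-UP's authentication message, either deriving the LNS user entry from the LAC user entry according to the four LAC/LNS support cases or forwarding the message to the authentication server. The field names follow Tables 2 to 4; the support sets, the sharing pairs, the stub authentication server, the user values, and the extra attribute names Vlan-Id and Idle-Timeout are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Authorization attributes each side can apply. The page gives IP-address and
# ipv6-address as LNS-only and Car as supported by both; Vlan-Id (LAC-only)
# and Idle-Timeout (neither) are constructed placeholders for cases 1 and 3.
LAC_SUPPORTED: Set[str] = {"Car", "Vlan-Id"}
LNS_SUPPORTED: Set[str] = {"Car", "IP-address", "ipv6-address"}

# Pre-configured LAC-UP -> LNS-UP pairs that share this control server
# (constructed; the page only states that such a correspondence is configured).
SHARED_PAIRS: Dict[str, str] = {"LAC-UP31": "LNS-UP31"}

UserInfo = Tuple[str, str]                    # (Username, MAC-Address)
AuthServer = Callable[[str, str], Optional[Dict[str, str]]]


@dataclass
class UserEntry:
    """One row of the LAC or LNS user table (fields of Tables 2 to 4)."""
    seq_num: int
    interface: str
    username: str
    mac_address: str
    role: str                                  # "LAC" or "LNS"
    free_auth: str                             # sharing flag, "Y" or "N"
    attrs: Dict[str, str] = field(default_factory=dict)  # authorization info


class ControlPlane:
    """Shared CP: one authentication per user instead of one per UP."""

    def __init__(self, auth_server: AuthServer) -> None:
        self.auth_server = auth_server
        self.lac_table: Dict[UserInfo, UserEntry] = {}
        self.lns_table: Dict[UserInfo, UserEntry] = {}
        self.auth_requests = 0                 # messages sent to the AAA server
        self._seq = 0

    def _next_seq(self) -> int:
        self._seq += 1
        return self._seq

    def on_lac_auth(self, lac_up: str, interface: str,
                    username: str, mac: str) -> Optional[UserEntry]:
        """Authentication message from a LAC-UP: always authenticated by the
        server; Free-auth is Y only if the LAC-UP has a shared-CP peer."""
        self.auth_requests += 1
        issued = self.auth_server(username, mac)
        if issued is None:
            return None                        # authentication failed
        free_auth = "Y" if lac_up in SHARED_PAIRS else "N"
        entry = UserEntry(self._next_seq(), interface, username, mac,
                          "LAC", free_auth, dict(issued))
        self.lac_table[(username, mac)] = entry
        return entry

    def on_lns_auth(self, interface: str, username: str,
                    mac: str) -> Optional[UserEntry]:
        """Authentication message from an LNS-UP carrying the same user info."""
        lac = self.lac_table.get((username, mac))
        if lac is not None and lac.free_auth == "Y":
            # Shared CP: derive the LNS entry from the LAC entry. Cases 2 and 4
            # (LNS-supported) are copied; cases 1 and 3 are not.
            lns_attrs = {k: v for k, v in lac.attrs.items() if k in LNS_SUPPORTED}
            # Cases 2 and 3 (not LAC-supported) are deleted from the LAC entry.
            for k in list(lac.attrs):
                if k not in LAC_SUPPORTED:
                    del lac.attrs[k]
            free_auth = "Y"
        else:
            # Not shared (or no LAC entry): second authentication, as in the
            # conventional flow.
            self.auth_requests += 1
            issued = self.auth_server(username, mac)
            if issued is None:
                return None
            lns_attrs = {k: v for k, v in issued.items() if k in LNS_SUPPORTED}
            free_auth = "N"
        entry = UserEntry(self._next_seq(), interface, username, mac,
                          "LNS", free_auth, lns_attrs)
        self.lns_table[(username, mac)] = entry
        return entry


def demo_auth_server(username: str, mac: str) -> Optional[Dict[str, str]]:
    """Constructed stand-in for the authentication server: one known user."""
    if (username, mac) == ("user31", "00-11-22-33-44-55"):
        return {"IP-address": "10.0.0.31", "ipv6-address": "2001:db8::31",
                "Car": "100M", "Vlan-Id": "100", "Idle-Timeout": "600"}
    return None


def run_shared_flow() -> Tuple[ControlPlane, Optional[UserEntry], Optional[UserEntry]]:
    """LAC-UP31 and LNS-UP31 share CP31: the LNS message costs no AAA round trip."""
    cp = ControlPlane(demo_auth_server)
    lac = cp.on_lac_auth("LAC-UP31", "GE1/0/1", "user31", "00-11-22-33-44-55")
    lns = cp.on_lns_auth("Tunnel32", "user31", "00-11-22-33-44-55")
    return cp, lac, lns


if __name__ == "__main__":
    cp, lac, lns = run_shared_flow()
    print("AAA requests:", cp.auth_requests)
    print("LAC entry:", lac)
    print("LNS entry:", lns)
```

The shortcut is taken only when the sharing flag was set from the pre-configured pairing at the time the LAC-UP's message was authenticated; user information with no LAC entry, or with Free-auth N, falls through to the authentication server exactly as in the conventional two-authentication flow.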

Claims (12)

1. An authentication method, characterized in that the method is applied to a control server and includes:
receiving a first authentication message from an LNS-UP, the first authentication message carrying user information;
detecting whether the LNS-UP and a peer LAC-UP share this control server, the peer LAC-UP being the LAC-UP that sent the user information to the LNS-UP;
if so, generating an LNS user entry corresponding to the user information based on a recorded LAC user entry corresponding to the user information.
2. The method according to claim 1, characterized in that detecting whether the LNS-UP and the peer LAC-UP share this control server includes:
searching an LAC user table for a first LAC user entry that contains the user information;
checking the value of a sharing flag field in the first LAC user entry;
if the value of the sharing flag field is a first preset value, determining that the LNS-UP and the peer LAC-UP share this control server.
3. The method according to claim 1, characterized in that generating the LNS user entry corresponding to the user information based on the recorded LAC user entry corresponding to the user information includes:
generating the LNS user entry based on the LNS-supported authorization information recorded in the LAC user entry and the user information.
4. The method according to claim 3, characterized in that, after generating the LNS user entry, the method further includes:
deleting the authorization information recorded in the LAC user entry that the LAC does not support.
5. The method according to any one of claims 1 to 4, characterized in that the LAC user entry is generated in the following way:
after receiving a second authentication message carrying the user information sent by the LAC-UP, sending the second authentication message to an authentication server for authentication and receiving target authorization information issued by the authentication server;
searching a pre-configured correspondence between LAC-UPs and LNS-UPs that share this control server for the LNS-UP corresponding to the LAC-UP; if one is found, the LAC-CP sets the value of the sharing flag field to the first preset value; if none is found, the LAC-CP sets the value of the sharing flag field to a second preset value;
generating the LAC user entry based on the target authorization information, the sharing flag field and its value, and the user information;
the target authorization information including authorization information supported by the LAC but not by the LNS, authorization information supported by both the LAC and the LNS, authorization information supported by neither the LAC nor the LNS, and authorization information not supported by the LAC but supported by the LNS.
6. An authentication device, characterized in that the device is applied to a control server and includes:
a receiving unit, configured to receive a first authentication message from an LNS-UP, the first authentication message carrying user information;
a detection unit, configured to detect whether the LNS-UP and a peer LAC-UP share this control server, the peer LAC-UP being the LAC-UP that sent the user information to the LNS-UP;
a generation unit, configured to, if so, generate an LNS user entry corresponding to the user information based on a recorded LAC user entry corresponding to the user information.
7. The device according to claim 6, characterized in that the detection unit is specifically configured to search an LAC user table for a first LAC user entry that contains the user information; check the value of a sharing flag field in the first LAC user entry; and, if the value of the sharing flag field is a first preset value, determine that the LNS-UP and the peer LAC-UP share this control server.
8. The device according to claim 6, characterized in that the generation unit is specifically configured to generate the LNS user entry based on the LNS-supported authorization information recorded in the LAC user entry and the user information.
9. The device according to claim 6, characterized in that the device further includes:
a deleting unit, configured to delete the authorization information recorded in the LAC user entry that the LAC does not support.
10. The device according to any one of claims 5-9, characterized in that the LAC user entry is generated in the following way:
after receiving a second authentication message carrying the user information sent by the LAC-UP, sending the second authentication message to an authentication server for authentication and receiving target authorization information issued by the authentication server;
searching a pre-configured correspondence between LAC-UPs and LNS-UPs that share this control server for the LNS-UP corresponding to the LAC-UP; if one is found, the LAC-CP sets the value of the sharing flag field to the first preset value; if none is found, the LAC-CP sets the value of the sharing flag field to a second preset value;
generating the LAC user entry based on the target authorization information, the sharing flag field and its value, and the user information;
the target authorization information including authorization information supported by the LAC but not by the LNS, authorization information supported by both the LAC and the LNS, authorization information supported by neither the LAC nor the LNS, and authorization information not supported by the LAC but supported by the LNS.
11. A control server, characterized in that it includes a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions that can be executed by the processor, and the machine-executable instructions causing the processor to perform the method according to any one of claims 1 to 5.
12. A machine-readable storage medium, characterized in that the machine-readable storage medium stores machine-executable instructions which, when called and executed by a processor, cause the processor to perform the method according to any one of claims 1 to 5.
CN201810380682.1A 2018-04-25 2018-04-25 Authentication method and device Active CN108600225B (en)


Publications (2)

Publication Number Publication Date
CN108600225A true CN108600225A (en) 2018-09-28
CN108600225B CN108600225B (en) 2021-03-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant