CN108600225A - a kind of authentication method and device - Google Patents
A kind of authentication method and device
- Publication number: CN108600225A (application number CN201810380682.1A)
- Authority: CN (China)
- Prior art keywords: lac, lns, user, list item, supported
- Legal status: Granted
Classifications
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
Abstract
The disclosure provides an authentication method and device. The method may include: receiving a first authentication message from an LNS-UP, the first authentication message carrying user information; detecting whether the LNS-UP and the peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP; and, if so, generating an LNS user entry corresponding to the user information based on a recorded LAC user entry corresponding to the user information. With the method provided by the disclosure, the number of authentications is reduced, the number of authentication messages on the control server is reduced, and the device performance of the control server is improved.
Description
Technical field
The disclosure relates to the field of computer communication, and in particular to an authentication method and device.
Background technology
Layer 2 Tunneling Protocol (L2TP) is one of the tunneling protocols of Virtual Private Dial-up Network (VPDN). L2TP establishes an L2TP tunnel over a public network (such as the Internet) so that remote users (such as an enterprise's branch offices and employees on business trips) access the public network via the Point-to-Point Protocol (PPP) and then communicate with the intranet through the L2TP tunnel to reach enterprise intranet resources, allowing remote users to access the private enterprise network securely, economically and effectively.
An L2TP access network generally includes a remote system, an LAC (L2TP Access Concentrator) and an LNS (L2TP Network Server). The remote system is the remote user terminal or similar that is to access the VPDN network. The LAC is a device with PPP and L2TP protocol processing capability and is mainly used to provide access service for PPP-type users. The LNS is both a PPP end system and the server end of the L2TP protocol, and is usually an edge device of the intranet. The LAC and the LNS are connected by an L2TP tunnel.
To improve the utilization of the forwarding plane, an L2TP access network with a control/forwarding separation architecture is generally used. In such an architecture, the forwarding and control layers of the LAC and the LNS in the L2TP access network can be separated. For example, a control server is usually configured in the L2TP access network; it can be a physical server or a virtual server and mainly performs control processing as the LAC control-plane device LAC-CP (L2TP Access Concentrator-Control Plane) and/or the LNS control-plane device LNS-CP (L2TP Network Server-Control Plane). Devices with user access functions, such as BRAS (Broadband Remote Access Server) devices and NAS (Network Access Server) devices, are also configured in the network as the LAC forwarding device LAC-UP (L2TP Access Concentrator-User Plane) and as the LNS forwarding device LNS-UP (L2TP Network Server-User Plane).
Summary of the invention
In view of this, the disclosure provides an authentication method and device to reduce the number of authentications, reduce the number of authentication messages on the control server, and improve the device performance of the control server.
Specifically, the disclosure is achieved by the following technical solutions:
According to a first aspect of the disclosure, an authentication method is provided. The method is applied to a control server and includes:
receiving a first authentication message from an LNS-UP, the first authentication message carrying user information;
detecting whether the LNS-UP and a peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP;
if so, generating an LNS user entry corresponding to the user information based on a recorded LAC user entry corresponding to the user information.
According to a second aspect of the disclosure, an authentication device is provided. The device is applied to a control server and includes:
a receiving unit, configured to receive a first authentication message from an LNS-UP, the first authentication message carrying user information;
a detection unit, configured to detect whether the LNS-UP and a peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP;
a generation unit, configured to, if so, generate an LNS user entry corresponding to the user information based on a recorded LAC user entry corresponding to the user information.
According to a third aspect of the disclosure, a control server is provided, including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to perform the method of any one of claims 1 to 5.
According to a fourth aspect of the disclosure, a machine-readable storage medium is provided. The machine-readable storage medium stores machine-executable instructions which, when called and executed by a processor, cause the processor to perform the method of any one of claims 1 to 5.
The disclosure proposes an authentication method in which, after receiving the authentication message sent by the LNS-UP, if the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server may refrain from sending the authentication message from the LNS-UP to the authentication server for authentication, and instead generate the LNS user entry corresponding to the user information according to the LAC user entry corresponding to the user information carried in the authentication message.
In the scenario where the same control server is shared, the control server need not send the authentication message from the LNS-UP to the authentication server for authentication; instead it generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by the LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
Description of the drawings
Figure 1A is a schematic diagram of an L2TP access network with control/forwarding separation according to an exemplary embodiment of the disclosure;
Figure 1B is a schematic diagram of another L2TP access network with control/forwarding separation according to an exemplary embodiment of the disclosure;
Fig. 2 is a flowchart of an authentication method according to an exemplary embodiment of the disclosure;
Fig. 3 is a schematic diagram of an authentication method according to an exemplary embodiment of the disclosure;
Fig. 4 is a hardware architecture diagram of the control server on which the authentication method provided by the disclosure runs;
Fig. 5 is a block diagram of an authentication device according to an exemplary embodiment of the disclosure.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the disclosure; rather, they are merely examples of devices and methods consistent with some aspects of the disclosure as detailed in the appended claims.
The terms used in the disclosure are for the purpose of describing specific embodiments only and are not intended to limit the disclosure. The singular forms "a", "said" and "the" used in the disclosure and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the disclosure to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the disclosure, first information may also be called second information and, similarly, second information may also be called first information. Depending on context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Figure 1A shows an L2TP access network with a control/forwarding separation architecture. In Figure 1A, the control server serves both as the LAC control-plane device LAC-CP and as the LNS control-plane device LNS-CP; that is, LAC-CP and LNS-CP are the same control server. After LAC-UP10 receives the authentication message sent by a user terminal, LAC-UP10 can send the authentication message to control server 10, and control server 10 sends the authentication message to authentication server 10 for authentication. Control server 10 receives the authorization information issued by authentication server 10 and generates an LAC user entry based only on the LAC-supported authorization information within it.
After the L2TP tunnel between LAC-UP10 and LNS-UP10 has been established, LAC-UP10 can send the user terminal's user information to LNS-UP10 through the L2TP tunnel, and LNS-UP10 sends an authentication message carrying that user information to control server 10. After receiving the authentication message carrying the user information sent by LNS-UP10, control server 10 sends the authentication message to authentication server 10. Control server 10 receives the authorization information that authentication server 10 sends after successful authentication and generates an LNS user entry based only on the LNS-supported authorization information within it.
It can be seen from the above that, in the scenario where the LAC-UP and the LNS-UP share the same control server, when a user terminal accesses, the control server not only sends the authentication message from the LAC-UP to the authentication server for authentication, but also sends the authentication message from the LNS-UP to the authentication server for authentication. When a large number of L2TP user terminals access, a large number of authentication messages is produced, and this double-authentication mechanism doubles the authentication messages received by the control server, which on the one hand causes message congestion and on the other hand substantially reduces the device performance of the control server.
In view of this, the disclosure proposes an authentication method in which, after receiving the authentication message sent by the LNS-UP, if the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server may refrain from sending the authentication message from the LNS-UP to the authentication server for authentication, and instead generate the LNS user entry corresponding to the user information according to the LAC user entry corresponding to the user information carried in the authentication message.
In the scenario where the same control server is shared, the control server need not send the authentication message from the LNS-UP to the authentication server for authentication; instead it generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by the LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
Before introducing the authentication method of the disclosure, some concepts involved in the disclosure are introduced first.
The control server described above can be a physical server or a virtual machine. It mainly serves as a control-plane device and performs control functions, such as processing the protocol messages sent by the LAC forwarding device LAC-UP and/or the LNS forwarding device LNS-UP.
The control server can simultaneously serve as the control-plane device LAC-CP of a certain LAC and the control-plane device LNS-CP of a certain LNS; it can also serve only as the control-plane device LAC-CP of a certain LAC, or only as the control-plane device LNS-CP of a certain LNS.
Of course, one part of the control server's resources can simultaneously serve as the control-plane device LAC-CP of a certain LAC and the control-plane device LNS-CP of a certain LNS, while another part serves only as the control-plane device LAC-CP of another LAC, and yet another part serves only as the control-plane device LNS-CP of another LNS.
For example, suppose the resources of control server 1 are divided into three parts: the first part serves simultaneously as LAC-CP1 and LNS-CP1, the second part serves only as LAC-CP2, and the third part serves only as LNS-CP3.
The LAC-UP described above is the forwarding device of the LAC. It can be a device with user access functions, such as a NAS device or a BRAS device; this is only an illustrative description and is not specifically limited here.
The LNS-UP described above is the forwarding device of the LNS. It can be a BRAS device, a NAS device, etc.; this is only an illustrative description and is not specifically limited here.
It should be noted that the LAC-UP can be a separate device and the LNS-UP can also be a separate device. For example, as shown in Figure 1A, LAC-UP10 is a separate device and LNS-UP10 is also a separate device.
Of course, the LAC-UP and the LNS-UP can also be the same device. For example, as shown in Figure 1B, the LTS (L2TP Tunnel Switch) device in Figure 1B is both an LAC-UP device and an LNS-UP device: for LAC-UP11 the LTS device is the LNS-UP device, and for LNS-UP11 the LTS device is the LAC-UP device.
Referring to Fig. 2, Fig. 2 is a flowchart of an authentication method according to an exemplary embodiment of the disclosure. The method can be applied in a control server and may include the following steps.
Before introducing the steps of the authentication flow of the disclosure, the LAC user entry is introduced first.
1) The LAC user entry of the disclosure.
The LAC user entry of the disclosure can be as shown in Table 1.
Table 1
Of course, Table 1 shows only the main content of the LAC user entry; the LAC user entry can also include other content, such as the user access port, the entry serial number and other extensions. This is only an illustrative description and is not specifically limited here.
The disclosure adds a shared flag field, such as a free-auth field, to the LAC user entry. When the value of the shared flag field is a first preset value, it indicates that the LAC-UP and the peer LNS-UP share the same control server; when the value of the shared flag field is not the first preset value, for example a second preset value, it indicates that the LAC-UP and the peer LNS-UP do not share the same control server.
In addition, the authorization information in a traditional LAC user entry is only the authorization information supported by the LAC, whereas the authorization information in the LAC user entry provided by the disclosure includes the authorization information supported by the LAC but not by the LNS, the authorization information supported by both the LAC and the LNS, the authorization information supported by neither the LAC nor the LNS, and the authorization information not supported by the LAC but supported by the LNS.
The main purpose of this is to fit the flow of the disclosure. More specifically, in the disclosure, once the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server no longer needs to send the authentication message from the LNS-UP to the authentication server for authentication; instead it generates the LNS user entry based on the LNS-supported authorization information recorded in the LAC user entry corresponding to the user information in the authentication message.
Therefore, when the LAC user entry is generated, all of the authorization information supported by the LAC but not by the LNS, supported by both the LAC and the LNS, supported by neither, and not supported by the LAC but supported by the LNS is recorded, so that the LNS user entry can be generated from the LAC user entry without authenticating the authentication message sent by the LNS-UP.
2) How the LAC user entry described above is generated.
After the LAC-UP receives the authentication message sent by the user terminal (for convenience of description, the authentication message that the LAC-UP receives from the user terminal is referred to here as the second authentication message), the LAC-UP can send the second authentication message to the control server, and the control server can send the second authentication message to the authentication server for authentication.
After authentication passes, the authentication server can issue authorization information to the control server. The authorization information issued by the authentication server includes: the authorization information supported by the LAC but not by the LNS, the authorization information supported by both the LAC and the LNS, the authorization information supported by neither the LAC nor the LNS, and the authorization information not supported by the LAC but supported by the LNS.
In addition, when the overall L2TP service deployment is planned, the developer configures on this control server the correspondence between the LAC-UPs and the LNS-UPs that share this control server. The control server looks up, in this correspondence, the LNS-UP corresponding to this LAC-UP. If one is found, it indicates that the LAC-UP and the found LNS-UP share this control server, and the control server can set the value of the shared flag field to the first preset value. If none is found, it indicates that no LNS-UP shares this control server with this LAC-UP, and the control server can set the value of the shared flag field to the second preset value.
Here, the first preset value indicates that the LAC-UP and the found LNS-UP share this control server, and the second preset value indicates that no LNS-UP shares this control server with the LAC-UP.
Then, the control server generates the LAC user entry corresponding to the user information based on the authorization information issued by the authentication server, the shared flag field and its value, and the user information carried in the second authentication message.
Then, the LAC-UP can send the user information carried in the second authentication message to the LNS-UP. Based on the user information, the LNS-UP can construct an authentication message (for convenience of description, the authentication message constructed by the LNS-UP is referred to here as the first authentication message). The LNS-UP then sends the first authentication message to the control server.
The control server performs steps 201 to 202.
Step 201: The control server receives the first authentication message from the LNS-UP; the first authentication message carries user information.
Here, the user information refers to information that uniquely identifies a user and may include the username, the MAC address of the user terminal, a combination of the two, etc. The user information is only described illustratively here and is not specifically limited.
Step 202: The control server detects whether the LNS-UP and the peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP.
In implementation, the control server can look up, in the locally recorded LAC user table, the LAC user entry containing the user information carried in the first authentication message.
It then checks the value of the shared flag field of that LAC user entry.
If the value of the shared flag field of the LAC user entry is the first preset value, it determines that the LNS-UP and the peer LAC-UP share this control server.
If the value of the shared flag field of the LAC user entry is the second preset value, it determines that the LNS-UP and the peer LAC-UP do not share this control server.
Here, the first preset value indicates that the LNS-UP and the peer LAC-UP share this control server, and the second preset value indicates that the LNS-UP and the peer LAC-UP do not share this control server.
Step 203: If so, the control server generates the LNS user entry corresponding to the user information based on the recorded LAC user entry corresponding to the user information.
In the embodiments of the disclosure, once the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server refrains from sending the first authentication message to the authentication server for authentication and discards the first authentication message.
In addition, the control server can generate the LNS user entry corresponding to the user information based on the LNS-supported authorization information recorded in the found LAC user entry (the authorization attributes not supported by the LAC but supported by the LNS, and the authorization attributes supported by both the LAC and the LNS) together with the user information carried in the first authentication message.
In addition, after generating the LNS user entry corresponding to the user information carried in the first authentication message, the control server can also delete the authorization information not supported by the LAC from the found LAC user entry (such as the authorization information supported by neither the LAC nor the LNS, and the authorization information not supported by the LAC but supported by the LNS).
In the embodiments of the disclosure, when the control server determines that the LNS-UP and the peer LAC-UP do not share this control server, the control server can send the first authentication message to the authentication server for authentication. After authentication passes, the control server receives the authorization information issued by the authentication server and then generates the LNS user entry corresponding to the user information based on that authorization information and the user information carried in the first authentication message.
It can be seen from the above that, after receiving the authentication message sent by the LNS-UP, if the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server may refrain from sending the authentication message from the LNS-UP to the authentication server for authentication, and instead generate the LNS user entry corresponding to the user information according to the LAC user entry corresponding to the user information carried in the authentication message.
In the scenario where the same control server is shared, the control server need not send the authentication message from the LNS-UP to the authentication server for authentication; instead it generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by the LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
The authentication method provided by the disclosure is described in detail below with reference to Fig. 3.
In Fig. 3, LAC-UP31 and LNS-UP31 share CP31 (CP31 being the control server described herein). CP31 is connected to LAC-UP31 through VXLAN tunnel 31 and to LNS-UP31 through VXLAN tunnel 32. CP31 is connected to the authentication server.
Suppose the username of user terminal 31 is test1 and the MAC address of the user terminal is 1-1-1.
After LAC-UP31 receives the authentication message sent by user terminal 31, LAC-UP31 can send the authentication message on to be authenticated by the authentication server. The authentication message carries the user information of user terminal 31, for example the username test1 of user terminal 31 and the user terminal's MAC address 1-1-1.
After the authentication server authenticates the user information successfully, it can issue authorization information. The issued authorization information includes the authorization information supported by the LAC but not by the LNS, the authorization information not supported by the LAC but supported by the LNS (such as the IP address and the IPv6 address), the authorization information supported by both the LAC and the LNS (such as the bandwidth Car attribute), and the authorization information supported by neither the LAC nor the LNS.
In addition, when the overall L2TP service deployment is planned, the developer configures on CP31 the correspondence between the LAC-UPs and the LNS-UPs that share CP31. After CP31 receives the above authentication message sent by LAC-UP31, CP31 can search the correspondence of LACs and LNSs sharing this CP31 for an LNS-UP corresponding to LAC-UP31. If one is found, the value of the shared field, the free-auth field, is set to Y; if none is found, the value of the free-auth field is set to N.
In this example, since LAC-UP31 and LNS-UP31 share this CP31, the value of the free-auth field is set to Y.
Then, CP31 can generate LAC user entry 31 corresponding to user terminal 31 based on the authorization information issued by the authentication server, the user information of user terminal 31, and the free-auth field and its value. LAC user entry 31 can be as shown in Table 2.
Table 2
Here, SeqNum indicates the serial number of this user entry;
Interface indicates the interface that received the authentication message;
Username is the user's name, and MAC-Address is the MAC address of the user terminal;
IP-address, ipv6-address and Car (bandwidth) are authorization information issued by the authentication server;
Free-auth is the shared field;
Role indicates the attribute of the entry, for example whether the entry is an LAC user entry or an LNS user entry.
Of course, the LAC user entry also includes other authorization information issued by the authentication server; this is only an illustrative description and is not specifically limited.
Then, LAC-UP31 can negotiate with LNS-UP31 to establish an L2TP tunnel. After the L2TP tunnel has been established, LAC-UP31 can send the user information of user terminal 31 to LNS-UP31 through the L2TP tunnel.
After receiving the user information of user terminal 31, LNS-UP31 can construct an authentication message that carries the user information of user terminal 31. Then, LNS-UP31 can send the constructed authentication message to CP31 through VXLAN tunnel 32.
After receiving the authentication message sent by LNS-UP31, CP31 can look up, in the LAC user table, LAC user entry 31 containing the user information of user terminal 31.
It then checks whether the value of the shared field, the free-auth field, of LAC user entry 31 is Y.
If the value of the free-auth field of LAC user entry 31 is Y, it indicates that LAC-UP31 and LNS-UP31 share CP31.
If the value of the free-auth field of LAC user entry 31 is not Y (for example, N), it indicates that LAC-UP31 and LNS-UP31 do not share CP31.
1) When the value of the free-auth field of LAC user entry 31 is Y, CP31 can generate LNS user entry 31 based on LAC user entry 31 (such as Table 1).
In an optional implementation, CP31 can generate LNS user entry 31 based on the LNS-supported authorization information in LAC user entry 31 and the user information of user terminal 31, and delete from LAC user entry 31 the authorization information not supported by the LAC.
For example, for the authorization information in LAC user entry 31 that is supported by the LAC but not by the LNS (referred to here as authorization information 1), CP31 does not use the value of authorization information 1 in LAC user entry 31 as the corresponding value of authorization information 1 in the LNS entry.
For the authorization information in LAC user entry 31 that is not supported by the LAC but supported by the LNS (referred to here as authorization information 2), CP31 can use the value of authorization information 2 in LAC entry 31 as the value of authorization information 2 in LNS user entry 31. At the same time, CP31 can delete the value of authorization information 2 from LAC user entry 31.
For example, the value of IP-address, ipv6-address in LAC user's list item 31 are deleted, by LAC user's list item
The value of IP-address, ipv6-address in 31 are as IP-address, ipv6-address in LNS user's list item 31
Value.
(authorization message is denoted as here for the authorization message that the LAC in LAC user's list item 31 is not supported, LNS is not also supported
3), CP31 is not using the value of the authorization message 3 in LAC user's list item 31 as value corresponding with the authorization message 3 in LNS list items.
Meanwhile CP31 can delete the value of the authorization message 3 in LAC user's list item 31.
LAC in LAC user's list item 31 is supported, the authorization message (being denoted as authorization message 4 here) that LNS is also supported,
CP31 can be using the value of the authorization message 4 in LAC user's list item 31 as value corresponding with the authorization message 4 in LNS list items.
For example, using the value of the Car in LAC user's list item 31 as the value of the Car in LNS user's list item 31.
The generated LNS user entry 31 for user terminal 31 is shown in Table 3.
Table 3
Here, SeqNum is the serial number of this user entry;
Interface is the interface on which the authentication message was received;
Username is the user name, and MAC-Address is the MAC address of the user terminal;
IP-address, ipv6-address and Car (bandwidth) are authorization information issued by the authentication server and supported by the LNS;
Free-auth is the shared field;
Role indicates the attribute of the entry, for example whether the entry is a LAC user entry or an LNS user entry.
Of course, the entry may also include other authorization information issued by the authentication server; the above is only an illustration and is not specifically limited.
LAC user entry 31 after the authorization information that the LAC does not support has been deleted is shown in Table 4.
Table 4
2) When the value of the free-auth field of LAC user entry 31 is N, CP31 sends the authentication message from LNS-UP31 to the authentication server for authentication. After authentication passes, the authentication server issues authorization information to CP31, and CP31 generates the LNS user entry from that authorization information and the user information of user terminal 31.
It can be seen from the foregoing description that, after receiving the authentication message sent by LNS-UP31, if CP31 determines that LNS-UP31 and LAC-UP31 share this CP31, CP31 does not send the authentication message from LNS-UP31 to the authentication server for authentication; instead, it generates LNS user entry 31 corresponding to the user information from LAC user entry 31 corresponding to the user information carried in the authentication message.
In the shared-CP31 scenario, the control server does not need to send the authentication message from LNS-UP31 to the authentication server for authentication; it generates the LNS user entry from the LAC user entry that was created after the authentication message sent by the LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced, and the performance of the control server is improved.
Referring to Fig. 4, the disclosure also provides a hardware architecture diagram of the control server on which the authentication method runs. The control server includes communication interface 401, processor 402, memory 403 and bus 404, where communication interface 401, processor 402 and memory 403 communicate with each other through bus 404.
Processor 402 may be a CPU, and memory 403 may be non-volatile memory. The logic instructions for authentication are stored in memory 403, and processor 402 can execute the authentication logic instructions stored in memory 403 to realize the function of reducing the number of authentications.
The machine-readable storage medium 403 referred to herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any kind of storage disc (such as a CD or DVD), a similar storage medium, or a combination thereof.
This completes the description of the hardware structure shown in Fig. 4.
Referring to Fig. 5, Fig. 5 is a block diagram of an authentication device according to an exemplary embodiment of the disclosure. The device may be applied to a control server and may include the following units.
Receiving unit 501, configured to receive a first authentication message from an LNS-UP, the first authentication message carrying user information;
Detection unit 502, configured to detect whether the LNS-UP and a peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sends the user information to the LNS-UP;
Generation unit 503, configured to, if so, generate the LNS user entry corresponding to the user information based on the recorded LAC user entry corresponding to the user information.
Optionally, detection unit 502 is specifically configured to search the LAC user table for a first LAC user entry that includes the user information; check the value of the shared tag field in the first LAC user entry; and, if the value of the shared tag field is a first preset value, determine that the LNS-UP and the peer LAC-UP share this control server.
Optionally, generation unit 503 is specifically configured to generate the LNS user entry based on the authorization information recorded in the LAC user entry that the LNS supports, together with the user information.
Optionally, the device further includes:
Deleting unit 504, configured to delete the authorization information recorded in the LAC user entry that the LAC does not support.
Optionally, the LAC user entry is generated in the following way:
After receiving the second authentication message carrying the user information sent by the LAC-UP, the second authentication message is sent to the authentication server for authentication, and the target authorization information issued by the authentication server is received;
The pre-configured correspondence between LAC-UPs and LNS-UPs that share this control server is searched for the LNS-UP corresponding to the LAC-UP; if it is found, the LAC-CP sets the value of the shared tag field to the first preset value; if it is not found, the LAC-CP sets the value of the shared tag field to the second preset value;
The LAC user entry is generated based on the target authorization information, the shared tag field and its value, and the user information;
The target authorization information includes: authorization information that the LAC supports but the LNS does not, authorization information that both the LAC and the LNS support, authorization information that neither the LAC nor the LNS supports, and authorization information that the LAC does not support but the LNS does.
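The whole flow described above (LAC entry generation with the shared tag, then the LNS-side decision and the four-way split of authorization information into Tables 3 and 4), as an added illustration in Python; this is not the patent's or any vendor's code. Field names (free-auth, Role, SeqNum, IP-address, ipv6-address, Car) come from the text; the support sets, the LAC-UP/LNS-UP pairing, the stand-in authentication server and the behaviour when no LAC entry exists are assumptions made for the example.

```python
# Constructed support sets; as in the text, IP-address/ipv6-address are LNS-only and
# Car (bandwidth) is common; "Vlan" and "Vendor-Attr" are made-up LAC-only/neither names.
LAC_SUPPORTED = {"Car", "Vlan"}
LNS_SUPPORTED = {"Car", "IP-address", "ipv6-address"}
SHARED_CP_PAIRS = {"LAC-UP31": "LNS-UP31"}   # constructed LAC-UP/LNS-UP pairs sharing this CP
BASE_FIELDS = {"SeqNum", "Interface", "Username", "MAC-Address", "free-auth", "Role"}

def sample_auth_server(user_info):   # constructed stand-in: attributes, or None on failure
    if not user_info["Username"].startswith("user"):
        return None
    return {"IP-address": "10.0.0.5", "ipv6-address": "2001:db8::5",
            "Car": 100, "Vlan": 10, "Vendor-Attr": "x"}

class ControlServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.lac_table, self.lns_table = {}, {}   # keyed by (Username, MAC-Address)
        self.auth_messages_sent = 0               # the quantity the scheme reduces
        self._seq = 0

    def _new_entry(self, user_info, role):
        self._seq += 1
        return {"SeqNum": self._seq, "Interface": user_info.get("Interface"),
                "Username": user_info["Username"],
                "MAC-Address": user_info["MAC-Address"], "Role": role}

    def handle_lac_auth(self, lac_up, user_info):
        # Message from the LAC-UP: always authenticated; free-auth records whether
        # the LAC-UP's peer LNS-UP shares this control server.
        self.auth_messages_sent += 1
        attrs = self.auth_server(user_info)
        if attrs is None:
            return None
        entry = self._new_entry(user_info, "LAC")
        entry["free-auth"] = "Y" if lac_up in SHARED_CP_PAIRS else "N"
        entry.update(attrs)          # target authorization information, all four kinds
        self.lac_table[user_info["Username"], user_info["MAC-Address"]] = entry
        return entry

    def handle_lns_auth(self, user_info):
        # Message from the LNS-UP: shared CP -> derive from the LAC entry; otherwise (or
        # no LAC entry found, an assumption the text does not cover) authenticate again.
        key = (user_info["Username"], user_info["MAC-Address"])
        lac_entry = self.lac_table.get(key)
        if lac_entry is not None and lac_entry["free-auth"] == "Y":
            lns_entry = self._derive_lns_entry(user_info, lac_entry)
        else:
            self.auth_messages_sent += 1
            attrs = self.auth_server(user_info)
            if attrs is None:
                return None
            lns_entry = self._new_entry(user_info, "LNS")
            lns_entry.update({k: v for k, v in attrs.items() if k in LNS_SUPPORTED})
        self.lns_table[key] = lns_entry
        return lns_entry

    def _derive_lns_entry(self, user_info, lac_entry):
        # The four cases reduce to two rules: the LNS entry takes every attribute the
        # LNS supports (cases 2, 4); the LAC entry drops every attribute the LAC does
        # not support (cases 2, 3).  The results are Table 3 and Table 4.
        lns_entry = self._new_entry(user_info, "LNS")
        lns_entry["free-auth"] = lac_entry["free-auth"]
        for name in list(lac_entry):
            if name in BASE_FIELDS:
                continue
            if name in LNS_SUPPORTED:
                lns_entry[name] = lac_entry[name]
            if name not in LAC_SUPPORTED:
                del lac_entry[name]
        return lns_entry
```

Note that the shortcut is only as trustworthy as the free-auth flag and the LAC user table it reads: the LNS-side entry inherits authorization that was verified once, on the LAC side, so the pre-configured LAC-UP/LNS-UP pairing is the thing to keep correct.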
For the function of each unit in the above device and how it is realized, refer to the realization of the corresponding step in the above method; details are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant parts may be understood with reference to the description of the method embodiments. The device embodiments described above are merely exemplary: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the disclosure. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely the preferred embodiment of the disclosure and does not limit the disclosure. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the disclosure shall be included within the scope of protection of the disclosure.
Claims (12)
1. An authentication method, characterized in that the method is applied to a control server and includes:
receiving a first authentication message from an LNS-UP, the first authentication message carrying user information;
detecting whether the LNS-UP and a peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sends the user information to the LNS-UP;
if so, generating the LNS user entry corresponding to the user information based on the recorded LAC user entry corresponding to the user information.
2. The method according to claim 1, characterized in that detecting whether the LNS-UP and the peer LAC-UP share this control server includes:
searching the LAC user table for a first LAC user entry that includes the user information;
checking the value of the shared tag field in the first LAC user entry;
if the value of the shared tag field is a first preset value, determining that the LNS-UP and the peer LAC-UP share this control server.
3. The method according to claim 1, characterized in that generating the LNS user entry corresponding to the user information based on the recorded LAC user entry corresponding to the user information includes:
generating the LNS user entry based on the authorization information recorded in the LAC user entry that the LNS supports, together with the user information.
4. The method according to claim 3, characterized in that, after generating the LNS user entry, the method further includes:
deleting the authorization information recorded in the LAC user entry that the LAC does not support.
5. The method according to any one of claims 1 to 4, characterized in that the LAC user entry is generated in the following way:
after receiving the second authentication message carrying the user information sent by the LAC-UP, sending the second authentication message to the authentication server for authentication, and receiving the target authorization information issued by the authentication server;
searching the pre-configured correspondence between LAC-UPs and LNS-UPs that share this control server for the LNS-UP corresponding to the LAC-UP; if it is found, the LAC-CP sets the value of the shared tag field to the first preset value; if it is not found, the LAC-CP sets the value of the shared tag field to the second preset value;
generating the LAC user entry based on the target authorization information, the shared tag field and its value, and the user information;
the target authorization information including: authorization information that the LAC supports but the LNS does not, authorization information that both the LAC and the LNS support, authorization information that neither the LAC nor the LNS supports, and authorization information that the LAC does not support but the LNS does.
6. An authentication device, characterized in that the device is applied to a control server and includes:
a receiving unit, configured to receive a first authentication message from an LNS-UP, the first authentication message carrying user information;
a detection unit, configured to detect whether the LNS-UP and a peer LAC-UP share this control server, where the peer LAC-UP is the LAC-UP that sends the user information to the LNS-UP;
a generation unit, configured to, if so, generate the LNS user entry corresponding to the user information based on the recorded LAC user entry corresponding to the user information.
7. The device according to claim 6, characterized in that the detection unit is specifically configured to search the LAC user table for a first LAC user entry that includes the user information; check the value of the shared tag field in the first LAC user entry; and, if the value of the shared tag field is a first preset value, determine that the LNS-UP and the peer LAC-UP share this control server.
8. The device according to claim 6, characterized in that the generation unit is specifically configured to generate the LNS user entry based on the authorization information recorded in the LAC user entry that the LNS supports, together with the user information.
9. The device according to claim 6, characterized in that the device further includes:
a deleting unit, configured to delete the authorization information recorded in the LAC user entry that the LAC does not support.
10. The device according to claims 5-9, characterized in that the LAC user entry is generated in the following way:
after receiving the second authentication message carrying the user information sent by the LAC-UP, sending the second authentication message to the authentication server for authentication, and receiving the target authorization information issued by the authentication server;
searching the pre-configured correspondence between LAC-UPs and LNS-UPs that share this control server for the LNS-UP corresponding to the LAC-UP; if it is found, the LAC-CP sets the value of the shared tag field to the first preset value; if it is not found, the LAC-CP sets the value of the shared tag field to the second preset value;
generating the LAC user entry based on the target authorization information, the shared tag field and its value, and the user information;
the target authorization information including: authorization information that the LAC supports but the LNS does not, authorization information that both the LAC and the LNS support, authorization information that neither the LAC nor the LNS supports, and authorization information that the LAC does not support but the LNS does.
11. A control server, characterized in that it includes a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions that can be executed by the processor, and the processor being caused by the machine-executable instructions to perform the method according to any one of claims 1 to 5.
12. A machine-readable storage medium, characterized in that the machine-readable storage medium stores machine-executable instructions which, when called and executed by a processor, cause the processor to perform the method according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810380682.1A CN108600225B (en) | 2018-04-25 | 2018-04-25 | Authentication method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810380682.1A CN108600225B (en) | 2018-04-25 | 2018-04-25 | Authentication method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108600225A true CN108600225A (en) | 2018-09-28 |
CN108600225B CN108600225B (en) | 2021-03-23 |
Family
ID=63609761
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810380682.1A Active CN108600225B (en) | 2018-04-25 | 2018-04-25 | Authentication method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108600225B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||