CN109150787A - Permission acquisition method, apparatus, device and storage medium - Google Patents

Permission acquisition method, apparatus, device and storage medium

Info

Publication number: CN109150787A
Authority: CN (China)
Prior art keywords: access, authority, information, user information, request
Legal status: Withdrawn
Application number: CN201710444357.2A
Other languages: Chinese (zh)
Inventor: 李晓龙
Current assignee: Xian Zhongxing New Software Co Ltd
Original assignee: Xian Zhongxing New Software Co Ltd
Application filed by Xian Zhongxing New Software Co Ltd
Priority to CN201710444357.2A (CN109150787A)
Priority to PCT/CN2017/102299 (WO2018227802A1)
Publication of CN109150787A

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
            • H04L63/0892 Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
            • H04L63/083 Authentication of entities using passwords
            • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/102 Entity profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the invention disclose a permission acquisition method, apparatus, device and storage medium. The method comprises: sending a permission acquisition request carrying user information to a Remote Authentication Dial In User Service (RADIUS) server, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and receiving the permission acquisition response, carrying the access permission information, sent by the RADIUS server.

Description

Permission acquisition method, apparatus, device and storage medium
Technical field
The present invention relates to the field of communication technology, and in particular to a permission acquisition method, apparatus, device and storage medium.
Background
A device that stores accessible or usable resources may be called a resource device; a resource device can provide the resources stored on it to a resource requester.
When a resource requester requests access to a resource device, or requests to use a resource on it, the resource device authenticates the resource requester against the permission data of legitimate users stored in advance; if authentication succeeds, it provides the resource on the resource device to the resource requester holding a legitimate user identity.
However, when the permission data of legitimate users is stored on the resource device itself, an illegitimate user may still obtain the resources on the resource device once the device is stolen or suffers a network attack, which poses a great security risk.
Summary of the invention
In view of this, the embodiments of the present invention aim to provide a permission acquisition method, apparatus, device and storage medium that can prevent an illegitimate user from obtaining the resources stored on a resource device.
The technical solution of the embodiments of the present invention is realized as follows.
In a first aspect, an embodiment of the present invention provides a permission acquisition method, comprising: sending, to a Remote Authentication Dial In User Service (RADIUS) server, a permission acquisition request carrying user information, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and receiving the permission acquisition response, carrying the access permission information, sent by the RADIUS server.
In the above scheme, before sending the permission acquisition request carrying user information to the RADIUS server, the method comprises: receiving a resource access request carrying the user information, the resource access request being used to obtain the accessible resource on the resource device corresponding to the user information. Correspondingly, after receiving the permission acquisition response carrying the access permission information sent by the RADIUS server, the method comprises: determining, according to the access permission information, the accessible resource on the resource device corresponding to the user information.
In the above scheme, the resource device is a home gateway, and receiving the resource access request carrying the user information comprises: receiving a login request carrying the user information sent by an Internet of Things (IoT) terminal, the login request being used to request the accessible resource on the home gateway corresponding to the user information. Determining, according to the access permission information, the accessible resource on the resource device corresponding to the user information then comprises: determining, according to the access permission information, the accessible resource on the home gateway corresponding to the IoT terminal.
In the above scheme, the user information includes the MAC address and password of the IoT terminal, and combinations of the same MAC address with different passwords correspond to the same or different access permission information.
In the above scheme, the resource device is a terminal device and the accessible resource is the set of applications that are allowed to be enabled. Before sending the permission acquisition request carrying user information to the RADIUS server, the method comprises: entering a user-information acquisition state after receiving an enabling operation by which the user instructs the terminal device to start an application; and receiving user information while in the user-information acquisition state. After receiving the permission acquisition response carrying the access permission information sent by the RADIUS server, the method comprises: determining, according to the set of applications allowed to be enabled that corresponds to the access permission information, whether to enable the application.
In the above scheme, the user information includes a user name and a password, and combinations of the same user name with different passwords correspond to different access permission information.
In the above scheme, sending the permission acquisition request carrying user information to the RADIUS server comprises: sending, to the RADIUS server, an access request message (Access-Request) carrying the user information and an access permission identifier; and receiving the permission acquisition response carrying the access permission information sent by the RADIUS server comprises: receiving an access accept message (Access-Accept) carrying the access permission information sent by the RADIUS server.
In the above scheme, after receiving the Access-Accept message carrying the access permission information sent by the RADIUS server, the method comprises: sending, to the RADIUS server, an accounting request message (Accounting-Request) carrying the access permission information, the accounting request message being used to request the RADIUS server to determine, according to the access permission information, the charging mode and/or charging rate corresponding to the user information.
In the above scheme, the access request message contains an attribute-value pair (AVP) field whose type field characterizes the access permission identifier.
In a second aspect, an embodiment of the present invention provides a permission acquisition method, comprising: a RADIUS server receiving a permission acquisition request carrying user information sent by a RADIUS client, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and sending, to the RADIUS client, a permission acquisition response carrying the access permission information corresponding to the user information.
In the above scheme, the RADIUS server receiving the permission acquisition request carrying the user information sent by the RADIUS client comprises: the RADIUS server receiving an access request message (Access-Request) carrying the user information and an access permission identifier sent by the RADIUS client; and sending, to the RADIUS client, the permission acquisition response carrying the access permission information corresponding to the user information comprises: sending, to the RADIUS client, an access accept message (Access-Accept) carrying the access permission information corresponding to the user information.
In the above scheme, the access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
In the above scheme, after sending, to the RADIUS client, the Access-Accept message carrying the access permission information corresponding to the user information, the method comprises: receiving an accounting request message (Accounting-Request) carrying the access permission information sent by the RADIUS client; and determining, according to the access permission information, the charging mode and/or charging rate corresponding to the user information.
In a third aspect, an embodiment of the present invention provides a permission acquisition apparatus comprising: a first sending module configured to send, to a RADIUS server, a permission acquisition request carrying user information, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and a first receiving module configured to receive the permission acquisition response carrying the access permission information sent by the RADIUS server.
In a fourth aspect, an embodiment of the present invention provides a permission acquisition apparatus comprising: a second receiving module configured to receive a permission acquisition request carrying the user information sent by a RADIUS client, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and a second sending module configured to send, to the RADIUS client, a permission acquisition response carrying the access permission information corresponding to the user information.
In the above scheme, the access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
In a fifth aspect, an embodiment of the present invention provides a resource device comprising: a memory, a processor, and a permission acquisition program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the permission acquisition method of any implementation of the first aspect.
In a sixth aspect, an embodiment of the present invention provides a RADIUS authentication server comprising: a memory, a processor, and a permission acquisition program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the permission acquisition method of any implementation of the second aspect.
In a seventh aspect, an embodiment of the present invention provides a computer-readable storage medium storing a permission acquisition program which, when executed by a processor, implements the steps of the permission acquisition method of any implementation of the first aspect or of the second aspect.
In the permission acquisition method provided by the embodiments of the present invention, a permission acquisition request carrying user information is sent to the RADIUS server to obtain the access permission information corresponding to the user information, and the permission acquisition response carrying the access permission information sent by the RADIUS server is received. Because the accessible resource corresponding to the user information is obtained by the RADIUS server on the network side authenticating the user information against the permission data stored on the RADIUS server, and an illegitimate user cannot obtain the permission data stored on the RADIUS server, an illegitimate user cannot obtain the resources on the resource device.
Brief description of the drawings
Fig. 1A is a first schematic diagram of the network architecture of the permission acquisition method in an embodiment of the present invention;
Fig. 1B is a flow diagram of the permission acquisition method implemented on the basis of a RADIUS server in an embodiment of the present invention;
Fig. 2A is a first schematic diagram of the interaction flow of the permission acquisition method in an embodiment of the present invention;
Fig. 2B is a schematic diagram of the format of the attribute-value pair field in the permission acquisition method in an embodiment of the present invention;
Fig. 3 is a first schematic diagram of the processing flow of the permission acquisition method in an embodiment of the present invention;
Fig. 4A is a second schematic diagram of the network architecture of the permission acquisition method in an embodiment of the present invention;
Fig. 4B is a second schematic diagram of the interaction flow of the permission acquisition method in an embodiment of the present invention;
Fig. 5 is a second schematic diagram of the processing flow of the permission acquisition method in an embodiment of the present invention;
Fig. 6A is a third schematic diagram of the network architecture of the permission acquisition method in an embodiment of the present invention;
Fig. 6B is a third schematic diagram of the processing flow of the permission acquisition method in an embodiment of the present invention;
Fig. 7 is a first structural diagram of the permission acquisition apparatus in an embodiment of the present invention;
Fig. 8 is a second structural diagram of the permission acquisition apparatus in an embodiment of the present invention;
Fig. 9 is a structural diagram of the resource device in an embodiment of the present invention;
Fig. 10 is a structural diagram of the RADIUS server in an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments.
Embodiment one
Fig. 1A is a first schematic diagram of the network architecture of the permission acquisition method in an embodiment of the present invention. As shown in Fig. 1A, the network architecture of an embodiment of the present invention may include a resource requester 10, a resource device 11 and an authentication server 12. The resource device 11 may be a device such as a home gateway or a terminal device such as a mobile phone, and the resource requester 10 may be another device or a user, for example an IoT terminal. The resource device 11 can provide the resource requester 10 with the accessible resources corresponding to the access permission of resource requester 12.
In embodiments of the present invention, the resource requester 10 may send a resource access request carrying user information to the resource device 11. The resource access request may be a login request for requesting the accessible resource on the resource device corresponding to the user information. The resource device 11 may then send a permission acquisition request carrying the user information to the authentication server 12 in order to obtain the access permission that the authentication server 12 determines for the user information, determine from that access permission which resources on the resource device 11 the user information is allowed to access, and allow the resource requester 10 to use the resources it is allowed to access. In other embodiments of the present invention, the resource access request sent by the resource requester 10 to the resource device 11 may also be an enabling request for enabling a certain resource on the resource device 11. After receiving the resource access request, the resource device 11 may trigger the resource requester 10 to report its user information, then obtain the access permission corresponding to the user information from the authentication server and determine from it whether the resource requester 10 is allowed to enable the requested resource: if the requested resource belongs to the resources that the access permission allows to be used on the resource device 11, the resource requester 10 is allowed to enable it.
Because the storage and authentication of user data are performed by the authentication server 12, the resource device 11 does not need to store the data of all legitimate users, which avoids the loss of user data when the resource device 11 is lost or suffers a network attack.
In embodiments of the present invention, the access permission corresponding to the user information may be access permission information, which may include at least one of an access permission level, an access permission range, an access permission size and access permission content. Different user information may correspond to the same or different access permission information, and different access permission information may correspond to different accessible resources on the resource device 11. The resource device 11 or the server 12 may store the range of accessible resources, or the size or quantity of accessible resources, corresponding to each access permission level, so that the resource device 11 can provide the resource requester 10 with the accessible resources corresponding to the access permission information of the user information. For example, the user information may include a user name and a password. In one example, different user information may refer to different user names, and different user names may correspond to the same or different access permission information. In another example, different user information may refer to different combinations of user name and password, so that the same user name combined with different passwords may also correspond to the same or different access permission information. With these matching rules between user information and access permission information, the resource device 11 gains a more flexible way of controlling accessible resources.
In embodiments of the present invention, the authentication server 12 may be a Remote Authentication Dial In User Service (RADIUS) server, in which case the resource device 11 carries out the permission acquisition interaction with the RADIUS server through a RADIUS client. It should be noted that the RADIUS client may be deployed on the resource device 11 or located outside the resource device 11.
Fig. 1B is a flow diagram of the permission acquisition method implemented on the basis of a RADIUS server in an embodiment of the present invention. The executing entity of this embodiment may be a resource device on which a RADIUS client is deployed, or the RADIUS client deployed on the resource device, or a RADIUS client deployed outside the resource device that has established a communication connection with it. As shown in Fig. 1B, the steps of the embodiment may include:
S101: send a permission acquisition request carrying user information to the RADIUS server, the permission acquisition request being used to obtain the access permission information corresponding to the user information.
In embodiments of the present invention, after the resource device 11 receives the resource access request carrying the user information, it may send the permission acquisition request to the RADIUS server through a RADIUS client, or through the RADIUS client deployed on the resource device 11. For example, after receiving the resource access request, the resource device 11 may send an authentication request carrying the user information to the RADIUS client, triggering the RADIUS client to initiate the authentication flow towards the RADIUS server.
S102: receive the permission acquisition response, carrying the access permission information corresponding to the user information, sent by the RADIUS server.
In embodiments of the present invention, the access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
In embodiments of the present invention, the RADIUS server authenticates and authorizes the user information according to the authentication data and permission data of legitimate users that it stores. If authentication succeeds, it carries the access permission information corresponding to the user information in the permission acquisition response and sends it to the resource device 11 or the RADIUS client. The access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information may correspond to different accessible resources. The RADIUS client may then pass the access permission information corresponding to the user information to the resource device 11 in an authentication response, after which the resource device 11 can determine, according to the access permission information, the accessible resource on the resource device 11 corresponding to the user information; different access permission information may correspond to different accessible resources on the resource device.
With the permission acquisition method provided by the embodiments of the present invention, when a user wants to obtain an accessible resource on a resource device, the user information used by the resource requester is first authenticated by the RADIUS server, which determines the access permission information corresponding to the resource requester. Because different access permission information corresponds to different accessible resources, the data and resources stored on the resource device can be opened only to legitimate users holding the access permission, preventing an illegitimate user from obtaining the data stored on the resource device.
Embodiment two
In embodiments of the present invention, the access request message (Access-Request) and access accept message (Access-Accept) defined in the RFC 2865 protocol of the Request For Comments (RFC) series of protocols may be used as the respective implementations of the permission acquisition request and permission acquisition response described above. Fig. 2A is a first schematic diagram of the interaction flow of the permission acquisition method in an embodiment of the present invention. As shown in Fig. 2A, the interaction between the RADIUS client and the RADIUS server may include:
S201: the RADIUS client sends an access request message to the RADIUS server.
The access request message may carry an access permission identifier and the user information, to indicate that the access request message is used to request the access permission information corresponding to the user information. For example, embodiments of the present invention may extend the use of the type number (type) field of the attribute-value pair (AVP) field, i.e. the attribute list field, defined in the RFC 2865 protocol. For example, the access request message contains an AVP field whose type field characterizes the access permission identifier.
Fig. 2B is a schematic diagram of the format of the attribute-value pair field in the permission acquisition method in an embodiment of the present invention. As shown in Fig. 2B, an AVP field may include a type number (type) field, a length (length) field and a value (value) field, where the type number field is also called the RADIUS type field. For example, the type field, the length field and the value field may each occupy 1 byte. The "Assigned Numbers" description in section 6 of the RFC 2865 protocol defines the use of the enumerated values of the type field in the AVP field as follows: values in the range 192-223 are reserved for experimental use, values in the range 224-240 are reserved for implementation-specific use, and values in the range 241-255 are reserved.
In embodiments of the present invention, the value of the type field may be put to use. For example, an AVP field whose type field carries the value 224 may be carried in the access request message to indicate that the access request message is used to request access permission information; that is, an AVP field with type value 224 serves as the identifier of the message flow relating to the request for access permission information, and this identifier may be called the access permission identifier (access permission). In other embodiments of the present invention, other values in the range 224-240 may also be used as the identifier indicating a request for access permission information. In one example, the value field in the access request message may be 0.
S202: the RADIUS server sends an access accept message to the RADIUS client.
After authenticating the user information, if authentication succeeds, the RADIUS server carries the access permission information corresponding to the user information in the access accept message and sends it to the RADIUS client. For example, in the AVP field of the access accept message the type field may be 224 and the value field may be the access permission information corresponding to the user information, e.g. any value in 1-254. In other embodiments of the present invention, if the RADIUS server authenticates the user information successfully but finds no matching access permission information for it in the permission database, it may carry in the access accept message an AVP field with type 224 and value 255, to indicate that no access permission information is configured for the user information.
In other embodiments of the present invention, if the RADIUS server determines after authentication that the user is illegitimate, i.e. the authentication result is failure, the RADIUS server may send an access reject message (Access-Reject) to the RADIUS client, carrying information identifying that the user information has no access permission. For example, in the AVP field of the access reject message the type field may be 224 and the value field 255, identifying that the user information has no access permission information. In other embodiments of the present invention, the access reject message may also omit the AVP field with type 224.
In other embodiments of the present invention, after the RADIUS server sends the access accept message to the RADIUS client, the following steps starting the accounting flow may also be included:
S203: the RADIUS client sends an accounting request message to the RADIUS server.
The accounting request message (Accounting-Request) may carry the user information, and may also carry the access permission information corresponding to the user information. For example, in the AVP field of the accounting request message the type field may be 224 and the value field the access permission information corresponding to the user information.
S204: the RADIUS server sends an accounting response message to the RADIUS client.
After the RADIUS server sends the accounting response (Accounting-Response) to the RADIUS client, it may charge the resource access operations related to the user information according to the access permission information corresponding to the user information. In embodiments of the present invention, different access permission information may correspond to different charging modes and/or charging rates. A charging mode may be, for example, charging at a rate that differs by time period, or pay-per-use; a charging rate may be, for example, a resource usage rate per unit time.
The embodiment of the present invention is extended RFC agreement, provides one kind in radius client and radius server The exchange method of access authority information is obtained under Verification System framework.Since radius server is typically deployed at mobile network's Core-network side obtains the mode of access authority information, can provide to enterprise using radius server as certificate server Accessible resource solution in safety, flexible management vast resources equipment.On the one hand, it does not need to store on resource apparatus User authentication data not will cause whole user authentication datas when single resource apparatus is lost and lose.On the other hand, enterprise is not It needs to be separately provided the server of storage user authentication data and permissions data, especially needs to manage across ground in some enterprises Area, transnational magnanimity resource apparatus when, do not need enterprise it is each area or country certificate server is separately provided, in turn The possibility that user information is leaked in trans-regional transmission process can be reduced.It can be seen that using permission provided in an embodiment of the present invention Acquisition methods, in rights management process of the enterprise to vast resources equipment, the safety of user information has obtained strong guarantee.
Fig. 3 is the first schematic processing flow of the authority acquiring method in an embodiment of the invention. As shown in Fig. 3, the steps may include:
S301: the RADIUS client starts and sends the RADIUS server an Access-Request message carrying an access permission identifier.
The RADIUS client writes the acquired user name and password into the Access-Request message and adds an access permission identifier (Access-Permission) to an AVP field of the Access-Request. For example, a network packet analyser parses the AVP carrying the access permission identifier in the Access-Request message as follows:
AVP: l=3 t=Access-Permission(224): 0
In this AVP, l denotes the length field, whose value is 3; t denotes the type field, whose value is 224; and the value field is 0. In other embodiments the length field may also be greater than or equal to 3. Note that RFC 2865 reserves attribute types 224-240 for implementation-specific use, so both the RADIUS client and the RADIUS server must be configured to interpret type 224 as Access-Permission; a server that does not know the attribute may ignore it, in which case the client receives an Access-Accept without any permission value.
S302: the RADIUS server receives the Access-Request message and queries the rights database.
When the RADIUS server recognises the access permission identifier (Access-Permission field) in the Access-Request message, it queries the rights database.
S303: the RADIUS server judges whether access authority information corresponding to the user information is found in the rights database; if so, S305 is executed, otherwise S304.
S304: the RADIUS server sends an Access-Reject message to the RADIUS client.
When the RADIUS server finds no authority information corresponding to this user name in the rights database, it sends the RADIUS client an Access-Reject message.
S305: the RADIUS server sends the RADIUS client an Access-Accept message carrying the access permission identifier.
The RADIUS server writes the access authority information found in the rights database for the user name into the value field of the Access-Accept message. In this embodiment the value field defaults to 1 byte, so its value is in 0-255: 0 is used in the Access-Request message as the access authority acquisition flag; 255 is used in the Access-Accept message as the error response flag when no access authority information corresponding to the user information is found, and may also be the value in the Access-Reject message when authentication fails. Hence 254 permission types can be supported. In other embodiments the value field may be extended, for example to 2 bytes; as the number of bytes in the value field grows, more access authority information can be carried. Because the permission value is protected only by the Response Authenticator of the Access-Accept (RFC 2865 section 3), the RADIUS client should verify that authenticator before acting on the value. For example, a network packet analyser parses the AVP carrying the access permission identifier in the Access-Accept message as follows:
AVP: l=3 t=Access-Permission(224): 1
At this point the rights database of the RADIUS server can configure different permissions not only per user name but also per password. For example, if terminal device A logs in with the user name "admin" and the password entered is "testA", the rights database may configure access authority information 1; if the password entered is "testB", it may configure access authority information 2. Different users who log in with the same user name but different passwords can thus be planned to hold different permissions, which can also affect the subsequent charging stage.
In addition, the RADIUS server can provide different charging modes and/or charging rates for users with different access authority information, for example an online rate per unit time when an IoT terminal conducts Internet services through a home gateway.
After the RADIUS client receives the Access-Accept message, it parses the access permission identifier (Access-Permission) field in the AVP, and the login module of the terminal device opens the permissions for this user's login according to the value field of that AVP. For example, the RADIUS client may be configured so that users with different access authority information obtain different resources, for instance different permitted online times.
S306: the RADIUS client receives the Access-Accept message and sends an Accounting-Request message to the RADIUS server.
The AVP field in the Accounting-Request message likewise carries the corresponding access permission identifier. For example, a network packet analyser parses the AVP carrying the access permission identifier in the Accounting-Request message as follows:
AVP: l=3 t=Access-Permission(224): 1
S307: the RADIUS server receives the Accounting-Request message, sends an Accounting-Response message, and starts charging with the charging mode and/or charging rate corresponding to the access authority information indicated by the access permission identifier.
The RADIUS server reads the value field of the access permission identifier (Access-Permission) AVP in the Accounting-Request message and can apply differentiated charging to the resource access operations of user information that authenticated with the same user name but different passwords. For example, a network packet analyser parses the AVP carrying the access permission identifier in the Accounting-Request and Accounting-Response messages as either of:
AVP: l=3 t=Access-Permission(224): 1 or
AVP: l=3 t=Access-Permission(224): 2
Note that S301 to S308 are the RADIUS interaction flow involving the access permission identifier (Access-Permission) field; the subsequent accounting response messages may be identical to those defined in the standard RADIUS protocol (RFC 2865; accounting messages are specified in RFC 2866), i.e. processing after S308 need not consider the Access-Permission field.
S308: when charging ends, the RADIUS client sends an accounting stop request message to the RADIUS server.
S309: the RADIUS server stops charging on receiving the accounting stop request message and sends an accounting stop response message to the RADIUS client.
For other technical details and effects of this embodiment, refer to Figs. 1A to 2B.
Embodiment three
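The S301-S307 exchange above, as an added worked example in Python that is not code from the patent: the client builds an Access-Request with User-Name, a User-Password hidden as in RFC 2865 section 5.2 and the type-224 AVP set to 0; the server authenticates, looks the (user name, password) pair up in a rights database and answers with an Access-Accept carrying the permission, an Access-Accept carrying 255, or an Access-Reject carrying 255; the client verifies the Response Authenticator before reading the value and then opens accounting with the same AVP, from which the server picks a charging rate. The shared secret, credential set, rights database and rate table are constructed for the example, and the whole exchange runs in one process without sockets or retransmission.

```python
"""Added example, not the patent's code: an in-process model of the RADIUS
exchange of S301-S307 carrying the Access-Permission attribute (type 224).
Packet layout follows RFC 2865/2866; shared secret, credential set, rights
database and charging rates are constructed for the demo."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE = 1, 2, 40
ACCESS_PERMISSION = 224  # RFC 2865: types 224-240 are implementation-specific
PERM_QUERY, PERM_NONE = 0, 255  # 0 = "send me the rights"; 255 = "no rights configured"

SECRET = b"constructed-shared-secret"
CREDENTIALS = {("admin", "testA"), ("admin", "testB"), ("guest", "guest")}  # constructed
RIGHTS_DB = {("admin", "testA"): 1, ("admin", "testB"): 2}  # same user name, different rights
CHARGING_RATES = {1: 10, 2: 25}  # constructed per-permission rate, units per time unit

def encode_avps(avps):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in avps)

def decode_avps(data):
    avps, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP")
        avps[t] = data[i + 2:i + length]
        i += length
    return avps

def build(code, ident, authenticator, avps):
    body = encode_avps(avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def build_signed(code, ident, req_auth, avps):
    """Authenticator = MD5(header | req_auth | attributes | secret): used for replies
    (RFC 2865 s.3) and for Accounting-Request with req_auth = 16 zero bytes (RFC 2866)."""
    body = encode_avps(avps)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + SECRET).digest() + body

def verify_signed(pkt, req_auth):
    return hashlib.md5(pkt[:4] + req_auth + pkt[20:] + SECRET).digest() == pkt[4:20]

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_avps(pkt[20:length])

def xor_password(block, authenticator):
    """RFC 2865 s.5.2 for one 16-byte block; applying it twice recovers the input."""
    return bytes(a ^ b for a, b in zip(block, hashlib.md5(SECRET + authenticator).digest()))

def client_access_request(user, password, ident=1):
    auth = os.urandom(16)
    avps = [(USER_NAME, user.encode()),
            (USER_PASSWORD, xor_password(password.encode().ljust(16, b"\0"), auth)),
            (ACCESS_PERMISSION, bytes([PERM_QUERY]))]  # "AVP: l=3 t=Access-Permission(224): 0"
    return build(ACCESS_REQUEST, ident, auth, avps), auth

def server_handle_access(pkt):
    code, ident, req_auth, avps = parse(pkt)
    user = avps[USER_NAME].decode()
    password = xor_password(avps[USER_PASSWORD], req_auth).rstrip(b"\0").decode()
    if (user, password) not in CREDENTIALS:  # authentication failed: Access-Reject with 255
        return build_signed(ACCESS_REJECT, ident, req_auth, [(ACCESS_PERMISSION, bytes([PERM_NONE]))])
    if ACCESS_PERMISSION not in avps:  # client did not ask: plain RFC 2865 Access-Accept
        return build_signed(ACCESS_ACCEPT, ident, req_auth, [])
    perm = RIGHTS_DB.get((user, password), PERM_NONE)  # authenticated but no rights -> 255
    return build_signed(ACCESS_ACCEPT, ident, req_auth, [(ACCESS_PERMISSION, bytes([perm]))])

def client_read_permission(resp, req_auth, ident):
    """Permission 1..254 from a verified Access-Accept, else None."""
    if not verify_signed(resp, req_auth):
        raise ValueError("bad Response Authenticator: reply forged or tampered")
    code, rid, _, avps = parse(resp)
    if rid != ident or code != ACCESS_ACCEPT:
        return None
    perm = avps.get(ACCESS_PERMISSION, bytes([PERM_NONE]))[0]
    return None if perm in (PERM_QUERY, PERM_NONE) else perm

def client_accounting_start(user, perm, ident=2):
    avps = [(USER_NAME, user.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
            (ACCESS_PERMISSION, bytes([perm]))]
    return build_signed(ACCT_REQUEST, ident, b"\0" * 16, avps)

def server_handle_accounting(pkt):
    """Returns (Accounting-Response, charging rate selected by the Access-Permission value)."""
    if not verify_signed(pkt, b"\0" * 16):
        raise ValueError("bad Accounting-Request authenticator")
    _, ident, req_auth, avps = parse(pkt)
    rate = CHARGING_RATES[avps[ACCESS_PERMISSION][0]]
    return build_signed(ACCT_RESPONSE, ident, req_auth, []), rate

def login(user, password):
    """Whole S301-S307 flow in one process; returns (permission, rate) or (None, None)."""
    req, auth = client_access_request(user, password)
    perm = client_read_permission(server_handle_access(req), auth, 1)
    if perm is None:
        return None, None
    _, rate = server_handle_accounting(client_accounting_start(user, perm))
    return perm, rate
```

The client treats an Access-Accept carrying 255 exactly like an Access-Reject, which is the behaviour the patent wants for an authenticated user who has no rights configured; the tamper check matters because the permission byte would otherwise be the only thing standing between a forged reply and elevated access.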
Fig. 4A is the second schematic network architecture of the authority acquiring method in an embodiment of the invention. As shown in Fig. 4A, a home gateway (Customer Premises Equipment, CPE) 130 and an IoT terminal may respectively serve as alternative implementations of the resource device 11 and the resource requester 10 of Fig. 1A; correspondingly, the accessible pages on the home gateway are an example of the accessible resources on the resource device 11. In this embodiment the authentication server 12 may be a RADIUS server or another authentication server.
Based on the network architecture of Fig. 4A, an embodiment of the invention provides an authority acquiring method; Fig. 4B is the second schematic interaction flow of the method. As shown in Fig. 4B, the steps include:
S401: the IoT terminal sends the CPE a login request carrying user information.
The login request may be used to request the accessible pages on the CPE. After establishing a communication connection with the CPE, the IoT terminal may obtain from the CPE a login page developed with Website User Interface (WEB UI) technology, through which the user enters the user information, for example a user name and password. The IoT terminal then carries the user information in the login request sent to the CPE. For example, the accessible page may be the parameter configuration page of the CPE. The IoT terminal may establish the communication connection with the CPE in various ways, for example over a long range, low power (LoRa) network, a cable, or a WiFi network. The IoT terminal may be, for example, a camera, scanner, printer or projector.
S402: the CPE sends the authentication server an authority acquiring request carrying the user information, used to obtain the access authority corresponding to the user information.
The authentication server may be a RADIUS server, in which case the CPE sends the authority acquiring request to the RADIUS server through a RADIUS client. For example, a RADIUS client may be deployed on the CPE, and after receiving the login request of the IoT terminal the CPE sends the authority acquiring request to the RADIUS server through that client. For example, the authority acquiring request may be an Access-Request message.
S403: the authentication server sends the CPE an authority acquiring response carrying the access authority corresponding to the user information.
The authority acquiring response is an Access-Accept message.
S404: the CPE determines, according to the access authority of the user information, the pages on the CPE accessible to the IoT terminal.
S405: the CPE sends the accessible pages to the IoT terminal.
As an alternative implementation of S402, the authority acquiring request may also be used to obtain the access authority information corresponding to the user information; S403-S404 may then be replaced by: the authentication server sends the CPE an authority acquiring response carrying the access authority information of the user information, and the CPE determines the pages on the CPE accessible to the IoT terminal according to that access authority information.
For example, the authority acquiring request may be an Access-Request message whose AVP has type field 224 and value field 0, and the authority acquiring response an Access-Accept message whose AVP has type field 224 and whose value field is the access authority information of the user information.
In this embodiment, different access authority information may correspond to different accessible pages on the home gateway. For example, the page accessible with ordinary user permission may be the configuration page of common parameters; with administrator permission, the configuration page of advanced parameters; with super user permission, the configuration page of the device manufacturer's internal parameters. Since the user information data for each permission need not be stored on the home gateway, i.e. the manufacturer of the home gateway need not store a super user account and its password on the gateway, the manufacturer's super user account and password cannot be recovered from the information stored in the gateway.
In one example the user information may include a user name and password; different user names may correspond to different access authority information, and the same user name combined with different passwords may also correspond to different access authority information. This eases management: different access authority information is configured with the same user name and different passwords, reducing the number of user names that must be planned.
In another example the user information may be the Media Access Control (MAC) address of the IoT terminal together with a password; the MAC address is also called the physical or hardware address, and the same MAC address combined with different passwords may correspond to the same or different access authority information. In this way no user name needs planning, and the access authority of each IoT terminal can be configured on the authentication server; because no user name is transmitted in the network, leaking a user name during authentication is avoided. Note that a MAC address is visible on the link and can be set freely by an attacker, so the password remains the only secret in this variant and is still carried in the Access-Request.
Fig. 5 is the second schematic processing flow of the authority acquiring method in an embodiment of the invention. As shown in Fig. 5, the steps may include:
S501: the CPE provides a login interface and obtains a user name and password.
A user or administrator may use the IoT terminal to enter the user name and password on a login interface that the CPE provides based on web UI, the Secure Shell protocol (SSH) or similar technologies.
S502: the CPE checks whether the user name and password are well-formed; if so, S503 is executed, otherwise S508.
The legitimacy check of the user name and password may be performed by the login module of the CPE, for example by checking the length of the user name or password.
S503: the CPE starts the RADIUS client and sends the RADIUS server an authentication request message carrying the access permission identifier.
The login module of the CPE may notify the RADIUS client of the user name, password and similar information by an internal message. The authentication request sent by the RADIUS client may be an Access-Request message whose AVP field includes the access permission identifier (Access-Permission field). For example, a network packet analyser parses the AVP carrying the access permission identifier in the Access-Request message as follows:
AVP: l=3 t=Access-Permission(224): 0
When the value field of the AVP is 0, the Access-Request message is taken to request the access authority information corresponding to the user information.
S504: the RADIUS server receives the authentication request message and queries the rights database.
The RADIUS server receives the Access-Request message; the message interaction of the authentication flow is consistent with RFC 2865, and when the Access-Request message includes the access permission identifier field the RADIUS server additionally performs a rights database query for that field, looking up the authority configuration data of the user name.
S505: the RADIUS server judges whether the access authority of this user is found in the rights database; if so, S506 is executed, otherwise S507.
S506: the RADIUS server sends the RADIUS client an Access-Accept message carrying the access permission identifier.
The RADIUS server writes the user permission it found into the Access-Accept message to be returned and sends it. After receiving the Access-Accept message, the RADIUS client notifies the login module of the CPE, which opens a different login interface to this user according to the corresponding user permission, and the login flow ends.
S507: the RADIUS server sends the RADIUS client an Access-Reject message.
Because the RADIUS server found no access authority information corresponding to this user name, it may consider that, even though the user name and password passed verification, the user information cannot obtain any access authority on the CPE since no matching login rights exist, and so it returns an Access-Reject message. After receiving the Access-Reject message, the RADIUS client notifies the login module of the CPE that no user permission was obtained for this user name and password and no login interface can be opened to this user. The login module refuses this user's login and the login flow ends.
S508: the CPE re-acquires the user name and password, and stops re-acquiring once the number of errors reaches a preset number.
The CPE may pop up the web UI window again and prompt the user of the IoT terminal to re-enter the user name and password.
In other embodiments, when the user name and password pass authentication but no corresponding access authority information is found in the rights database, the RADIUS server may instead send the RADIUS client an Access-Accept message carrying an AVP whose value field is 255.
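The CPE-side login module of S501-S508, as an added example in Python that is not the patent's code: it performs the local well-formedness check of S502, hands the credentials to a RADIUS client (a constructed stand-in here), treats an Access-Reject, an Access-Accept carrying 255 and a missing answer alike as a denial that opens no page, maps a permission value to the set of pages the session may open, and stops re-prompting once the preset number of failed attempts is reached. The page sets, input limits and the stand-in are assumptions.

```python
"""Added example, not the patent's code: the CPE login module of S501-S508.
Page sets, input limits and the stand-in RADIUS client are constructed."""
from dataclasses import dataclass, field

PERM_NONE = 255
MAX_ATTEMPTS = 3  # S508: stop re-prompting after this many failures (constructed)
# Access-Permission value -> pages this session may open (constructed, after the
# ordinary / administrator / super user split described for the home gateway)
PAGE_SETS = {
    1: {"/status", "/wifi"},                            # common parameters
    2: {"/status", "/wifi", "/advanced"},               # advanced parameters
    3: {"/status", "/wifi", "/advanced", "/vendor"},    # manufacturer internals
}

def credentials_well_formed(user, password):
    """S502: local legitimacy check only (length, charset). The CPE stores no
    password, so it never compares one; that happens on the RADIUS server."""
    return (1 <= len(user) <= 32 and 1 <= len(password) <= 64
            and user.isprintable() and " " not in user)

@dataclass
class Session:
    state: str = "prompt"   # prompt | open | rejected | locked
    user: str = ""
    pages: set = field(default_factory=set)
    failures: int = 0

def _deny(session):
    session.failures += 1
    session.pages = set()
    session.state = "locked" if session.failures >= MAX_ATTEMPTS else "rejected"
    return session

def handle_login(session, user, password, radius_query):
    """One pass of S501-S508. radius_query(user, password) models the RADIUS client
    and returns ("accept", perm), ("accept", 255), ("reject", 255) or ("timeout", None)."""
    if session.state == "locked":
        return session                               # S508 limit reached: no more prompts
    if not credentials_well_formed(user, password):
        return _deny(session)                        # S502 fails -> S508
    outcome, perm = radius_query(user, password)     # S503-S505
    if outcome == "accept" and perm not in (None, PERM_NONE) and perm in PAGE_SETS:
        session.user, session.pages, session.state = user, set(PAGE_SETS[perm]), "open"
        return session                               # S506: open the interface for this permission
    # S507, Access-Accept with 255, or no answer: authenticated or not, no page opens
    return _deny(session)

def may_open(session, page):
    return session.state == "open" and page in session.pages

def fake_radius(user, password):
    """Constructed stand-in for the RADIUS client/server pair of Fig. 5."""
    table = {("admin", "testA"): ("accept", 1), ("admin", "testB"): ("accept", 2),
             ("guest", "guest"): ("accept", PERM_NONE)}
    return table.get((user, password), ("reject", PERM_NONE))
```

An unknown permission value (say 9, with no page set configured) falls through to the denial branch rather than to some default set, so a misconfigured rights database fails closed on the CPE.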
The authority acquiring method of this embodiment can be applied in a network architecture like that of the French MF259 project shown in Fig. 5, providing a safer and more convenient centralised rights management mode. This embodiment mainly uses the authentication and authorization functions of RADIUS, i.e. the Accounting-Request messages related to the RADIUS accounting function need not be triggered after the Access-Accept message.
Other technical details of this embodiment are similar to Figs. 1A to 4B; refer to the related description of the technical solutions shown in Figs. 1A to 4B.
The authority acquiring method of this embodiment has good technical effects in three respects: security, storage and complexity.
In terms of security, by extending the RADIUS protocol with a specifically implemented field in the AVP and using the extensibility of the standard RADIUS protocol, permission features are no longer controlled separately by each resource device or terminal device but are managed centrally. With a setup that stores user permission data separately in each terminal device, the loss of one terminal device may leak all the user information stored on it. For example, in an IoT network such as a LoRa network in France, IoT terminals and home gateways have established communication connections; since the CPEs (terminal devices) serving as resource devices are numerous, storing the permission data of the users allowed to access a CPE in each CPE would expose the whole LoRa network to a leakage risk, which is unacceptable for IoT. To improve security, this embodiment moves the authentication of the accessible resources requested on a CPE to the RADIUS server. However, the RADIUS server cannot set up a user name and password per CPE for authentication and authority acquisition, because the management data would be too much for the enterprise managing the CPEs; instead a group of user names can be set, each with different permissions, so that logging in to a terminal device in the LoRa network obtains the permission corresponding to the user name: the same user name logging in to different terminal devices has the same access authority information, and different user names logging in to the same terminal device have different access authority information. The enterprise then only needs to manage the authentication data of a small number of user names and the permission data of a small number of user name and password combinations, so its management of the user data used to log in to a large number of CPEs becomes simpler and more flexible. Moreover, because the authentication data and permission data of the user information are stored on the RADIUS server, the enterprise only needs to ensure the security of the RADIUS server and no longer has to consider the security of each terminal device; the loss of a single terminal device does not cause a security problem for the whole network. In practice each CPE still holds the shared secret of its RADIUS client, and a client that accepted a forged Access-Accept would grant the permission it carries, so per-device shared secrets and verification of the Response Authenticator remain necessary.
In terms of storage, for CPE devices and IoT equipment in general, storage space is a very important issue. Storing user authentication data and permission data in every home gateway would occupy part of each device's storage space, raising device cost and lowering competitiveness. In this embodiment the user authentication and permission data are stored on the RADIUS server, so only one server needs to be set up and the user permission data of a large number of terminal devices are all stored on it, reducing the storage cost each individual device must spend on this data.
In terms of complexity, the complexity concerned here is mainly that of changing user permissions. For core-network routing devices, which are few in number, the complexity of changing user permissions is not serious, but for IoT terminal devices the workload of changing user permissions is very large because of the large number of home gateways; moreover, network management in IoT requires changing the resources on a home gateway that an IoT terminal may access, and if the user information and its accessible resources were still stored on the home gateways, the data of each home gateway would have to be modified one by one. With the centralised management of permission data on the RADIUS server provided by this embodiment, changing the accessible resources of user information only requires modifying the rights database of the server; a terminal device only needs to obtain, through the AVP field extended by this embodiment, the modified access authority information of the user information, and to open the accessible resources of that access authority information to the user who logged in with that user information.
Example IV
Fig. 6 A is the network architecture schematic diagram three of authority acquiring method in the embodiment of the present invention.As shown in Figure 6A, of the invention Terminal device in embodiment can be used as a kind of substitution implementation of resource apparatus shown in Figure 1A.On terminal device Available resources can be preassembled application (Application, APP) on terminal device, then resource requestor can be to ask Ask the user of the APP in using terminal equipment.In embodiments of the present invention, certificate server can be that Radius server can also Think other certificate servers.
Based on the network architecture shown in Fig. 6 A, the embodiment of the present invention also provides a kind of authority acquiring method, and Fig. 6 B is this hair The processing flow schematic diagram three of authority acquiring method in bright embodiment.As shown in Figure 6B, the step of embodiment of the present invention includes:
S601: terminal device operates laggard access customer in the enabling for receiving the APP being used to indicate on starting terminal device Acquisition of information state.
Wherein, itself can be arranged into user information when detecting that request enables the enabling instruction of APP in terminal device Acquisition state.For example, terminal device can detect the click on the icon of a certain APP for needing permission to control on the screen Touch operation.In embodiments of the present invention, illustratively, which, which obtains state, can be pop-up user information acquisition window Mouthful etc., alternatively, the input equipment on terminal device such as enters at the state of input information to be accessed, input equipment for example can be touching Screen, microphone etc. are touched, the present invention is without limitation.In embodiments of the present invention, APP can be is existed by Android tool installation kit The application installed in Android operation system, for example, the clients such as wechat, microblogging, Taobao, are also possible to some operating systems and provide Tool software, for example, picture library software, software of taking pictures, positioning function be arranged software.
It should be noted that in other embodiments of the present invention, terminal device, which can be pre-configured with, to need to carry out permission control The APP of system gathers, and terminal device only can enter user information when user requests the APP of starting to be the APP in APP set and obtain Take state.
S602: terminal device receives user information under user information acquisition state.
Wherein, user information may include username and password, alternatively, user information may include fingerprint, alternatively, user Information may include sound, iris etc., and the embodiment of the present invention is without limitation.
S603: terminal device sends the authority acquiring request for carrying user information to certificate server, which asks It asks for obtaining the corresponding access authority of user information.
Wherein, authority acquiring request can be also used for obtaining the corresponding access authority information of the user information;It is then described It is corresponding to the terminal device transmission carrying user information according to the authority acquiring request to receive the certificate server Access authority authority acquiring response, comprising: receive that the certificate server sends to carry the user information corresponding Access authority information authority acquiring response;Correspondingly, described according to the corresponding application for allowing to enable of the access authority Set determines whether to enable the application, comprising: true according to the corresponding set of applications for allowing to enable of the access authority information Fixed whether to enable the application, different access authority information corresponds to the different set of applications for allowing to enable.
S604: certificate server sends the authority acquiring sound for carrying the corresponding access authority of user information to terminal device It answers.
Wherein, the corresponding access authority of user information can be authenticate successfully it is corresponding have access authority or certification lose Lose it is corresponding do not have access authority, alternatively, the corresponding access authority of user information is also possible to different access authority information. Different access authority or access authority information can be with the upper different accessible resources of counterpart terminal equipment.
For example, in one example, terminal device, which can configure, above-mentioned has access authority right on the terminal device The accessible resource answered is all APP in APP set.In another example, terminal device, which can also configure, above-mentioned does not has Corresponding accessible resource is all APP for not allowing to access in APP set to access authority on the terminal device.Again In one example, terminal device can also be configured with lower access authority information corresponding accessible resource on the terminal device It is the part APP in APP set.In another example, terminal device can also configure the letter of the access authority with highest information Ceasing corresponding accessible resource on the terminal device is all APP in APP set.Terminal device can use any of the above-described kind Or the combination of a variety of configuration modes configures different accessible resources to different access authority.
S605: terminal device allows the set of applications enabled to determine whether to enable the APP according to access authority is corresponding.
Wherein, terminal device, which may determine that, requests whether the APP enabled belongs to the corresponding access authority of the user information The set of applications for allowing to enable configured, if so, terminal device enables APP, if it is not, then terminal device can be with output phase The refusal information answered.Illustratively, terminal device, which can pop up user in display screen, does not have permission to believe using the prompt of the APP Breath, and forbid enabling APP.After terminal device enables APP, what APP entered APP itself logs in process flow, for example, micro- Letter APP can authenticate the account information of wechat user according to the Booting sequence of default, and to be certified by rear display, this is micro- The conversations list page of credit household.
In other embodiments of the present invention, the authentication server may be a RADIUS server, in which case a RADIUS client may be deployed on the terminal device. After detecting the launch request, the terminal device starts the RADIUS client and sends the acquired user information to the RADIUS authentication server through the RADIUS client. The specific authentication process is similar to that shown in Fig. 1A to Fig. 2B.
The permission acquisition method provided in the embodiment of the present invention applies not only to the scenario in which a user requests to launch an APP on the terminal device, but also to the scenario in which an external device requests to launch an APP on the terminal device. Note that the external device may establish a communication connection with the terminal device through a software or hardware interface.
Taking a mobile phone as an example, a "safe mobile phone" application may be installed on the phone, with a RADIUS client built into that application. The owner of the phone may preset, in the "safe mobile phone" application, one or more APPs that require permission control, and these may include the "safe mobile phone" application itself. Those APPs no longer perform permission control individually on the phone; instead, before each login with an APP account, the phone's own centralized permission authentication is carried out first. For example, the "safe mobile phone" application may monitor the instructions that launch those APPs, and when it detects a launch instruction it performs centralized permission authentication of the person using the phone before the APP to be launched runs its own account login authentication. Note that the APP's own account login is usually implemented by interaction between the APP and the APP's authentication server; that is, the permission authentication initiated by the "safe mobile phone" application and the account login of the permission-controlled APP itself are two mutually independent authentication processes.
In one example, the "safe mobile phone" application detects that APP1 has received a launch command and has entered the running state. Before the user enters the username and password of APP1's own login, the user must first enter the username and password with which the "safe mobile phone" application performs permission authentication. The "safe mobile phone" application, acting as the RADIUS client, then sends an access request message (Access-Request) to the RADIUS authentication server and receives the access accept message (Access-Accept) sent by the RADIUS server; both the Access-Request and the Access-Accept may carry an AVP field containing the access permission mark. If the permission authentication does not pass, the "safe mobile phone" application closes APP1; if it passes, APP1 is opened.
In this scenario, for phone owners with high security requirements, even if the username and password of an APP are stolen, an illegal user who does not hold the phone's rights-management password (such as the username and password of the "safe mobile phone" application) cannot operate any APP that requires authentication before use. Further, the owner only needs to configure the RADIUS server to reject every permission authentication request coming from this phone from then on, after which the phone can no longer open the APPs that require permission. Thus the permission acquisition method provided in the embodiment of the present invention protects well the safety of the personal information stored on the phone.
In addition, to speed up APP startup, phone owners usually configure default login information for APP logins; when the phone is stolen, an illegal user who taps to launch an APP is then also logged in with that default login information, and the personal information stored in the APP may be stolen. With the permission acquisition method provided in the embodiment of the present invention, when an illegal user or a user with lower access permission wants to open an APP on the phone, the phone, on receiving the launch request for that APP, authenticates the user at the configured third-party authentication server; that is, only a user whom the authentication server authenticates successfully, or who is authenticated as holding the corresponding access permission, is allowed to use the APP, so the loss of the private data stored in the APP is avoided. Thus the permission acquisition method provided in the embodiment of the present invention improves the safety of the data stored on terminal devices such as mobile phones.
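The Access-Request/Access-Accept exchange of the "safe mobile phone" example and the S605 launch decision, as an added example in Python that is not code from the patent or from any ZTE product: a toy RADIUS client and server in which the request carries the user information plus a Vendor-Specific Attribute holding the access-permission mark, the accept carries the user's permission level in the same attribute, and the terminal verifies the Response Authenticator before mapping that level to the set of apps it may launch. The Vendor-Id and sub-type, the shared secret, the user table and the app sets are constructed assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26      # RFC 2865 attribute types
# Hypothetical Vendor-Id, sub-type and mark value for the access-permission AVP (the patent fixes none)
PERM_VENDOR_ID, PERM_SUBTYPE, PERM_MARK = 99999, 1, b"access-permission"
USER_DB = {b"alice": (b"hunter2", b"high"), b"iot-aa:bb:cc:dd": (b"p4ss", b"low")}  # constructed
ALLOWED_APPS = {b"high": {"wechat", "bank", "mail"}, b"low": {"mail"}}  # constructed, for step S605


def encode_avps(avps):
    # Serialise [(type, value), ...] as RADIUS type-length-value attributes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)


def decode_avps(data):
    """Parse attributes, refusing a length that is too short or runs past the buffer."""
    avps = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        avps.append((t, data[2:length]))
        data = data[length:]
    return avps


def vsa(vendor_id, subtype, value):
    # Vendor-Specific Attribute body (RFC 2865 section 5.26): Vendor-Id followed by one sub-TLV
    return struct.pack("!IBB", vendor_id, subtype, len(value) + 2) + value


def parse_vsa(body):
    vendor_id, subtype, length = struct.unpack("!IBB", body[:6])
    return vendor_id, subtype, body[6:4 + length]


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_reply(code, ident, req_auth, avps, secret):
    body = encode_avps(avps)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(code, ident, req_auth, body, secret) + body


def build_access_request(username, password, secret, ident):
    """RADIUS client on the terminal: Access-Request with user information and the permission mark."""
    req_auth = os.urandom(16)
    attrs = encode_avps([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, req_auth)),
                         (VENDOR_SPECIFIC, vsa(PERM_VENDOR_ID, PERM_SUBTYPE, PERM_MARK))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet, secret):
    """RADIUS server: authenticate the user, then answer with the permission level in the AVP."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_avps(packet[20:length]))
    entry, body = USER_DB.get(attrs.get(USER_NAME)), attrs.get(VENDOR_SPECIFIC, b"")
    perm_req = parse_vsa(body) if len(body) >= 6 else None
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if (code != ACCESS_REQUEST or entry is None or perm_req != (PERM_VENDOR_ID, PERM_SUBTYPE, PERM_MARK)
            or not hmac.compare_digest(entry[0], password)):
        return build_reply(ACCESS_REJECT, ident, req_auth, [], secret)
    perm_avp = (VENDOR_SPECIFIC, vsa(PERM_VENDOR_ID, PERM_SUBTYPE, entry[1]))
    return build_reply(ACCESS_ACCEPT, ident, req_auth, [perm_avp], secret)


def terminal_decide(response, ident, req_auth, secret, app):
    """Step S605 on the terminal: verify the reply is genuine, then check the app against the permitted set."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident:
        return False, "identifier mismatch"
    expected = response_authenticator(code, rid, req_auth, response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return False, "bad response authenticator"   # forged or tampered reply: never launch
    if code != ACCESS_ACCEPT:
        return False, "rejected"
    perm = parse_vsa(dict(decode_avps(response[20:length]))[VENDOR_SPECIFIC])[2]
    return app in ALLOWED_APPS.get(perm, set()), perm.decode()


def launch_app(username, password, app, secret=b"constructed-shared-secret", ident=7):
    # End-to-end exchange of the "safe mobile phone" example; returns (allowed, reason)
    request = build_access_request(username, password, secret, ident)
    response = server_handle(request, secret)
    return terminal_decide(response, ident, request[4:20], secret, app)
```

RFC 2865 gives the Access-Request no integrity check of its own (only User-Password is obfuscated), so a deployment of this scheme should add the Message-Authenticator attribute of RFC 2869 and protect the client-server path. The terminal-side Response Authenticator check is what stops a spoofed Access-Accept from opening a permission-controlled APP.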
Other technical solution details and technical effects of the embodiment of the present invention are similar to those of Fig. 1A to Fig. 3; refer to the related description of the technical solutions shown in Fig. 1A to Fig. 3.
Embodiment five
The embodiment of the present invention also provides a permission acquisition device. Fig. 7 is the first structural schematic diagram of the permission acquisition device in the embodiment of the present invention; as shown in Fig. 7, the permission acquisition device 70 includes:
a first sending module 701, configured to send to a remote user dial-in authentication system (RADIUS) server a permission acquisition request carrying user information, the permission acquisition request being used to obtain the access permission information corresponding to the user information;
a first receiving module 702, configured to receive the permission acquisition response, carrying the access permission information, sent by the RADIUS server.
The access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
In the above scheme, the permission acquisition device may be located on the home gateway side, in which case:
the first receiving module 702 may be configured to receive a login request, carrying user information, sent by an Internet of Things terminal, the login request being used to obtain the accessible resource on the home gateway;
the first sending module 701 may be configured to send to the authentication server a permission acquisition request carrying the user information, the permission acquisition request being used to obtain the access permission corresponding to the user information;
the first receiving module 702 may further be configured to receive the permission acquisition response, carrying the access permission corresponding to the user information, sent by the authentication server, and to determine according to the access permission the accessible resource of the Internet of Things terminal on the home gateway.
In the above scheme, the permission acquisition device may instead be located on the terminal device side, in which case:
the first receiving module 702 may be configured to enter a user information acquisition state after receiving a launch operation indicating that an application on the terminal device is to be started, and to receive user information while in the user information acquisition state;
the first sending module 701 may be configured to send to the authentication server a permission acquisition request carrying the user information, the permission acquisition request being used to obtain the access permission corresponding to the user information;
the first receiving module 702 may further be configured to receive the permission acquisition response, carrying the access permission corresponding to the user information, sent by the authentication server, and to determine according to the set of applications that the access permission allows to launch whether to launch the application.
The permission acquisition device of this embodiment may be used to execute the technical solutions executed, in the method embodiments shown in Fig. 1A to Fig. 6, by the resource device on which the RADIUS client is deployed, by the RADIUS client, by the home gateway, or by the terminal device; its implementation principle and technical effect may be found in the methods shown in Fig. 1A to Fig. 6.
The embodiment of the present invention also provides a permission acquisition device. Fig. 8 is the second structural schematic diagram of the permission acquisition device in the embodiment of the present invention; as shown in Fig. 8, the permission acquisition device 80 includes:
a second receiving module 801, configured to receive a permission acquisition request, carrying the user information, sent by a RADIUS client, the permission acquisition request being used to obtain the access permission information corresponding to the user information;
a second sending module 802, configured to send to the RADIUS client a permission acquisition response carrying the access permission information corresponding to the user information.
In the above scheme, the permission acquisition request may be an access request message (Access-Request) carrying an access permission mark, and the permission acquisition response may be an access accept message (Access-Accept). The access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
The permission acquisition device of this embodiment may be used to execute the technical solution executed by the RADIUS server in the method embodiments shown in Fig. 1A to Fig. 6; its implementation principle and technical effect may be found in the methods shown in Fig. 1A to Fig. 6.
Embodiment six
Fig. 9 is the structural schematic diagram of the resource device in the embodiment of the present invention. As shown in Fig. 9, the resource device 11 includes a memory 903, a processor 904, and a permission acquisition program (not shown) that is stored on the memory 903 and can run on the processor 904, and the processor performs the following steps when executing the program:
sending to a RADIUS server a permission acquisition request carrying user information, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and receiving the permission acquisition response, carrying the access permission information, sent by the RADIUS server. The access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
The resource device 11 may also include an interface 901 and a bus 902; the interface 901, the memory 903 and the processor 904 are connected through the bus 902. The interface 901 may be used to establish a communication connection with the authentication server. The interface may be a wired transmission interface or a wireless transmission interface. The interface 901 may also be used to obtain the resource access request of a resource requester, and the interface may also be an input device capable of receiving instructions. For example, the interface may be a transmitting or receiving antenna, or it may be realized by a program module integrated in a digital circuit processor.
In other embodiments of the present invention, the program, when executed by the processor 904, further implements the following steps: before sending the permission acquisition request carrying the user information to the RADIUS server, receiving a resource access request carrying the user information, the resource access request being used to obtain the accessible resource corresponding to the user information on the resource device; and, after receiving the permission acquisition response carrying the access permission information sent by the RADIUS server, determining according to the access permission information the accessible resource corresponding to the user information on the resource device.
In the above scheme, the resource device 11 may be a home gateway, a terminal device, or the like.
If the resource device 11 is a home gateway, the program, when executed by the processor 904, further implements the following steps: the home gateway receives a login request, carrying user information, sent by an Internet of Things terminal, the login request being used to obtain the accessible resource on the home gateway; sends to the authentication server a permission acquisition request carrying the user information, the permission acquisition request being used to obtain the access permission corresponding to the user information; receives the permission acquisition response, carrying the access permission corresponding to the user information, sent by the authentication server; and determines according to the access permission the accessible resource of the Internet of Things terminal on the home gateway.
If the resource device 11 is a terminal device, the program, when executed by the processor 904, further implements the following steps: the terminal device enters a user information acquisition state after receiving a launch operation indicating that an application on the terminal device is to be started; receives user information while in the user information acquisition state; sends to the authentication server a permission acquisition request carrying the user information, the permission acquisition request being used to obtain the access permission corresponding to the user information; receives the permission acquisition response, carrying the access permission corresponding to the user information, sent by the authentication server; and determines according to the set of applications that the access permission allows to launch whether to launch the application.
The permission acquisition device of this embodiment may be used to execute the technical solution executed by the resource device in the method embodiments shown in Fig. 1A to Fig. 6; its implementation principle and technical effect may be found in the methods shown in Fig. 1A to Fig. 6.
Fig. 10 is the structural schematic diagram of the RADIUS server in the embodiment of the present invention. As shown in Fig. 10, the RADIUS server 100 includes a memory 1003, a processor 1004, and a permission acquisition program (not shown) that is stored on the memory 1003 and can run on the processor 1004, and the processor performs the following steps when executing the program:
the RADIUS server receives a permission acquisition request, carrying the user information, sent by a RADIUS client, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and sends to the RADIUS client a permission acquisition response carrying the access permission information corresponding to the user information.
The processor may further implement the following steps when executing the program:
the RADIUS server receives an access request message (Access-Request), carrying the user information and an access permission mark, sent by the RADIUS client; and sends to the RADIUS client an access accept message (Access-Accept) carrying the access permission information corresponding to the user information.
In the embodiment of the present invention, the access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
The RADIUS server 100 may also include an interface 1001 and a bus 1002; the interface 1001, the memory 1003 and the processor 1004 are connected through the bus 1002. The interface 1001 may be used to establish a communication connection with the RADIUS client or with the resource device 11. The interface may be a wired transmission interface or a wireless transmission interface. For example, the interface may be a transmitting or receiving antenna, or it may be realized by a program module integrated in a digital circuit processor.
The permission acquisition device of this embodiment may be used to execute the technical solution executed by the RADIUS server in the method embodiments shown in Fig. 1A to Fig. 6; its implementation principle and technical effect may be found in the methods shown in Fig. 1A to Fig. 6.
In practical applications, the processor may be realized by a central processing unit (CPU), a microprocessor (Micro Processor Unit, MPU), a digital signal processor (DSP), a field programmable gate array (FPGA) or the like in the terminal.
Embodiment seven
The embodiment of the present invention also provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute:
sending to a RADIUS server a permission acquisition request carrying user information, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and receiving the permission acquisition response, carrying the access permission information, sent by the RADIUS server.
In the embodiment of the present invention, the access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
Other technical solution details and technical effects of the embodiment of the present invention are similar to those of the related embodiments, described above, of the resource device on which the RADIUS client is deployed or of the RADIUS client.
The embodiment of the present invention also provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute:
the RADIUS server receiving a permission acquisition request, carrying the user information, sent by a RADIUS client, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and sending to the RADIUS client a permission acquisition response carrying the access permission information corresponding to the user information.
The permission acquisition program may further be configured to execute:
the RADIUS server receiving an access request message (Access-Request), carrying the user information and an access permission mark, sent by the RADIUS client; and sending to the RADIUS client an access accept message (Access-Accept) carrying the access permission information corresponding to the user information.
In the embodiment of the present invention, the access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
Other technical solution details and technical effects of the embodiment of the present invention are similar to those of the related embodiments of the RADIUS server described above.
The embodiment of the present invention also provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute:
the home gateway receiving a login request, carrying user information, sent by an Internet of Things terminal, the login request being used to obtain the accessible resource on the home gateway; sending to the authentication server a permission acquisition request carrying the user information, the permission acquisition request being used to obtain the access permission corresponding to the user information; receiving the permission acquisition response, carrying the access permission corresponding to the user information, sent by the authentication server; and determining according to the access permission the accessible resource of the Internet of Things terminal on the home gateway.
Other technical solution details and technical effects of the embodiment of the present invention are similar to those of the related embodiment of the home gateway described above.
The embodiment of the present invention also provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute:
the terminal device entering a user information acquisition state after receiving a launch operation indicating that an application on the terminal device is to be started; receiving user information while in the user information acquisition state; sending to the authentication server a permission acquisition request carrying the user information, the permission acquisition request being used to obtain the access permission corresponding to the user information; receiving the permission acquisition response, carrying the access permission corresponding to the user information, sent by the authentication server; and determining according to the set of applications that the access permission allows to launch whether to launch the application.
Other technical solution details and technical effects of the embodiment of the present invention are similar to those of the related embodiment of the home gateway described above.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements that are inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The serial numbers of the above embodiments of the invention are only for description and do not represent the advantages or disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be realized by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the preferable implementation. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the method described in each embodiment of the present invention.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the content of the specification and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is included within the scope of the present invention.

Claims (17)

1. a kind of authority acquiring method, which is characterized in that the described method includes:
Remote customer dialing authentication system radius client sends the authority acquiring for carrying user information to radius server Request, the authority acquiring request is for obtaining the corresponding access authority information of the user information;
Receive the authority acquiring response for the carrying access authority information that the radius server is sent.
2. the method according to claim 1, wherein carrying user information in described send to radius server Authority acquiring request before, comprising: receive and carry the resource access request of the user information, the resource access request For obtaining the user information corresponding accessible resource on resource apparatus;
Correspondingly, in the authority acquiring response for receiving the carrying access authority information that the radius server is sent Later, comprising: the user information corresponding addressable money on the resource apparatus is determined according to the access authority information Source.
3. according to the method described in claim 2, the reception carries it is characterized in that, the resource apparatus is home gateway There is the resource access request of the user information, comprising: receive internet-of-things terminal transmission carries stepping on for the user information Land request;The log on request is for requesting the accessible resource corresponding with the user information on the home gateway;
It is described that the user information corresponding accessible resource on the resource apparatus is determined according to the access authority information, It include: that the internet-of-things terminal corresponding accessible resource on the home gateway is determined according to the access authority information.
4. according to the method described in claim 3, it is characterized in that, the user information includes the media interviews of internet-of-things terminal MAC Address and password are controlled, same MAC Address corresponds to identical or different access authority information from the combination of different passwords.
5. according to the method described in claim 2, it is characterized in that, the resource apparatus is terminal device, the addressable money Source is the set for allowing the application enabled, then in the authority acquiring request for sending carrying user information to radius server Before, comprising: operate laggard access customer information in the enabling for receiving the application being used to indicate on the starting terminal device and obtain Take state;Under the user information acquisition state, user information is received;
Then after the authority acquiring response for receiving the carrying access authority information that the radius server is sent, It include: to determine whether to enable the application according to the corresponding set for allowing the application enabled of the access authority information.
6. the method according to claim 1, wherein the user information includes username and password, same use Name in an account book corresponds to different access authority information from the combination of different passwords.
7. the method according to claim 1, wherein described service to remote customer dialing authentication system radius Device send carry user information authority acquiring request, comprising: to radius server transmission carry all user informations and The access request message Access-Requst of access permission mark access-permission;
The authority acquiring response for receiving the carrying access authority information that the radius server is sent, comprising: connect That receives the carrying access authority information that the radius server is sent is successfully accessed back message Access-Accept.
8. the method according to the description of claim 7 is characterized in that in the carrying for receiving the radius server and sending The access authority information is successfully accessed after back message Access-Accept, comprising:
The accounting request message Accounting-Request for carrying the access authority information, institute are sent to radius server Accounting request message is stated for requesting the radius server to determine the user information pair according to the access authority information The charging mode and/or charging rate answered.
9. the method according to the description of claim 7 is characterized in that the access request message containing type type characterizes institute The attribute of access permission mark is stated to AVP field.
10. a kind of authority acquiring method, which is characterized in that the described method includes:
What the reception of remote customer dialing authentication system radius server was sent carries user information authority acquiring request, described Authority acquiring request is for obtaining the corresponding access authority information of the user information;
The authority acquiring response of the corresponding access authority information of the user information is carried to transmission.
11. according to the method described in claim 10, it is characterized in that, the radius server receives radius client hair It includes: that the radius server receives the transmission of radius client that send, which carries the authority acquiring request of the user information, Carry the access request message Access-Requst of user information and access permission mark;
It is described that the authority acquiring response for carrying the corresponding access authority information of the user information is sent to radius client, Include: sent to radius client carry the corresponding access authority information of the user information be successfully accessed back message Access-Accept。
12. according to the method for claim 11, which is characterized in that it is described carry to the transmission of radius client it is described The corresponding access authority information of user information is successfully accessed after back message Access-Accept, comprising: receives raduis The accounting request message Accounting-Request for the carrying access authority information that client is sent;According to the access Authority information determines the corresponding charging mode of the user information and/or charging rate.
13. a kind of authority acquiring device, which is characterized in that the authority acquiring device includes:
First sending module is configured to send the power for carrying user information to remote customer dialing authentication system radius server Acquisition request is limited, the authority acquiring request is for obtaining the corresponding access authority information of the user information;
First receiving module, the permission for being configured to receive the carrying access authority information that the radius server is sent obtain Take response.
14. a kind of authority acquiring device, which is characterized in that the authority acquiring device includes:
Second receiving module, be configured to reception remote customer dialing authentication system radius client transmission carries the use Family information authority acquiring request, the authority acquiring request is for obtaining the corresponding access authority information of the user information;
Second sending module is configured to carry the corresponding access authority information of the user information to the transmission of radius client Authority acquiring response.
15. a kind of resource apparatus, which is characterized in that the resource apparatus includes:
Memory, processor and storage on a memory and the authority acquiring program that can run on a processor,
The processor realizes claim 1 to claim 9 any authority acquiring method when executing described program.
16. A RADIUS authentication server, characterized in that the RADIUS authentication server comprises:
a memory, a processor, and an authority acquiring program stored on the memory and runnable on the processor,
wherein the processor, when executing the program, implements the authority acquiring method according to any one of claims 10 to 12.
17. A computer-readable storage medium storing an authority acquiring program, wherein the authority acquiring program, when executed by a processor, implements the steps of the authority acquiring method according to any one of claims 1 to 12.
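The exchange behind claims 12 to 14, as an added example that is not code from the patent: the RADIUS client builds an Accounting-Request that carries the access authority information in a Vendor-Specific Attribute, and the server verifies the Request Authenticator against the shared secret before it trusts that attribute and maps it to a charging mode and rate. The enterprise number, VSA sub-type and charging table are constructed placeholders, since the patent does not specify how the authority information is encoded.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                          # RADIUS code (RFC 2866)
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26     # standard attribute types
VENDOR_ID, VSA_ACCESS_AUTHORITY = 99999, 1       # placeholder enterprise number / sub-type (constructed)
# Constructed authority -> (charging mode, rate) table; the patent does not define the real one.
CHARGING_TABLE = {"gold": ("flat", 0), "silver": ("time", 2), "bronze": ("volume", 5)}

def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value   # Type, Length, Value

def build_accounting_request(identifier, username, authority, secret):
    """RADIUS client side: Accounting-Request carrying the access authority info in a VSA."""
    auth_bytes = authority.encode()
    vsa = struct.pack("!IBB", VENDOR_ID, VSA_ACCESS_AUTHORITY, 2 + len(auth_bytes)) + auth_bytes
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_accounting_request(packet, secret):
    """RADIUS server side: check the authenticator, then extract User-Name and the authority VSA."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Accounting-Request")
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(authenticator, expected):   # wrong shared secret or tampered packet
        raise ValueError("bad Request Authenticator")
    fields, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        atype, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        if atype == ATTR_USER_NAME:
            fields["user"] = value.decode()
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vid, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vid == VENDOR_ID and vtype == VSA_ACCESS_AUTHORITY and vlen == len(value) - 4:
                fields["authority"] = value[6:].decode()
        pos += attrs[pos + 1]
    return fields

def charging_for(packet, secret):
    # Claim 12: derive the charging mode and rate from the carried access authority info
    fields = parse_accounting_request(packet, secret)
    mode, rate = CHARGING_TABLE.get(fields.get("authority"), ("deny", None))
    return fields.get("user"), mode, rate
```

An authority value the server does not know maps to "deny" rather than to a default rate, so a malformed or unexpected attribute cannot silently select a cheaper charging mode.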
CN201710444357.2A 2017-06-13 2017-06-13 A kind of authority acquiring method, apparatus, equipment and storage medium Withdrawn CN109150787A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710444357.2A CN109150787A (en) 2017-06-13 2017-06-13 A kind of authority acquiring method, apparatus, equipment and storage medium
PCT/CN2017/102299 WO2018227802A1 (en) 2017-06-13 2017-09-19 Permission obtaining method, apparatus and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710444357.2A CN109150787A (en) 2017-06-13 2017-06-13 A kind of authority acquiring method, apparatus, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN109150787A true CN109150787A (en) 2019-01-04

Family

ID=64660049

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710444357.2A Withdrawn CN109150787A (en) 2017-06-13 2017-06-13 A kind of authority acquiring method, apparatus, equipment and storage medium

Country Status (2)

Country Link
CN (1) CN109150787A (en)
WO (1) WO2018227802A1 (en)


Also Published As

Publication number Publication date
WO2018227802A1 (en) 2018-12-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20190104