WO2009059533A1 - Strategy management control method, device and system - Google Patents


Info

Publication number: WO2009059533A1
Authority: WO, WIPO (PCT)
Prior art keywords: user, server, control information, service, policy control
Application number: PCT/CN2008/072860
Other languages: French (fr), Chinese (zh)
Inventor: Haifeng Duan
Original Assignee: Huawei Technologies Co., Ltd.
Application filed by: Huawei Technologies Co., Ltd.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00: Connection management
    • H04W 76/20: Manipulation of established connections

Definitions

  • The present invention relates to the field of communications, and in particular to a policy management control method, apparatus, and system.
  • Background art: various IP-based network access technologies allow people to conveniently connect all kinds of terminals to the Internet or to an intranet.
  • Each network access technology needs a corresponding network access server (NAS) device and an authentication, authorization and accounting (AAA) server device; for example, IP access over the General Packet Radio Service (GPRS) needs a GPRS gateway support node (GGSN) and an AAA device.
  • The NAS device accesses the user session from bearer networks of different standards into the IP service network, so that the user can enjoy the services provided by the various service servers in that network; the AAA device authenticates and authorizes the user during this access and, once authentication and authorization have passed, charges the user session.
  • The inventor has found that, at present, the NAS device actively requests the AAA device to authenticate, authorize and charge the user access session, and requests services from the various service servers of the IP service network; once the user has passed authentication and authorization and has accessed the IP service network, the AAA server does not actively re-authenticate, re-authorize or update the accounting of the user session.
  • When the service server finds, while providing services, that the user status is incorrect, that a prepaid user's balance is insufficient, that a postpaid user's credit limit is insufficient, or that the user is not allowed to access a certain service, it controls the user's session accordingly, for example by cutting off the session or blocking the user's packets based on access IP address, port and IP protocol number, so the session status on the service server side changes.
  • Because the NAS device cannot learn of the control action taken on the service server side, the user session on the NAS device side keeps its original state: even when the service server has already cut off the session or blocked the user's packets based on access IP address, port and IP-layer protocol number, the NAS device neither cuts off the session nor blocks those packets.
  • Since only active service requests from the NAS device to the AAA device and to the service servers exist, and neither the AAA device nor the service server can actively control the NAS device, the reliability of the user session on the NAS device side during service use is very low.
  • Summary of the invention: the embodiments of the present invention provide a policy management control method, apparatus, and system which can improve the reliability of the user session on the NAS device side during service use.
  • An embodiment of the invention provides a policy management control server, which includes:
  • a policy generating unit configured to generate policy control information according to user service usage status information obtained by the service server and/or the authentication, authorization and accounting server, where the policy control information is used to instruct the network access server to manage and control the session of the user; and
  • a policy sending unit configured to send the policy control information generated by the policy generating unit to the network access server.
  • An embodiment of the present invention provides a network system that includes a network access server, an authentication, authorization and accounting server, and a service server, and further includes:
  • a policy management control server configured to generate policy control information according to the user service usage status information obtained by the service server and/or the authentication, authorization and accounting server, where the policy control information is used to instruct the network access server to manage and control the session of the user, and to send the generated policy control information to the network access server;
  • the network access server manages and controls the session of the user according to the policy control information.
  • An embodiment of the present invention provides a service server, including:
  • a service providing unit configured to provide services for a user;
  • an obtaining unit configured to obtain the service usage status information of the user;
  • a session control unit configured to control the session of the user according to the service usage status information obtained by the obtaining unit, so that the user uses the services provided by the service providing unit within the scope of authority;
  • and the service server further includes:
  • a policy management control unit configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit, where the policy control information is used to instruct the network access server to manage and control the session of the user, and to send the generated policy control information to the network access server.
  • An embodiment of the present invention provides a network system including a network access server, an authentication, authorization and accounting server, and a service server, where the service server includes the service providing unit, obtaining unit, session control unit and policy management control unit just described;
  • the network access server manages and controls the session of the user according to the policy control information.
  • An embodiment of the present invention provides an authentication, authorization and accounting server, which includes an authentication unit, an authorization unit and a charging unit, and further includes:
  • an obtaining unit configured to obtain the service usage status information of the user according to the user authentication, authorization and charging information recorded by the authentication unit, the authorization unit and the charging unit;
  • a policy management control unit configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit, where the policy control information is used to instruct the network access server to manage and control the session of the user, and to send the generated policy control information to the network access server.
  • An embodiment of the present invention provides a network system including a network access server and an authentication, authorization and accounting server, where the authentication, authorization and accounting server includes an authentication unit, an authorization unit and a charging unit, together with the obtaining unit and policy management control unit just described;
  • the network access server manages and controls the session of the user according to the policy control information.
  • An embodiment of the present invention provides a policy management control method, including the steps described with reference to FIG. 2 below.
  • By generating policy control information from the service usage status information obtained by the service server and/or the authentication, authorization and accounting server, and using it to make the network access server manage and control the session of the user, the embodiments of the present invention can improve the reliability of the user session on the NAS device side during service use.
  • FIG. 1 is a schematic structural diagram of an embodiment of a network system of the present invention;
  • FIG. 2 is a schematic flowchart of a policy management control method in an embodiment of a network system of the present invention;
  • FIG. 3 is a schematic structural diagram of an embodiment of a network system of the present invention;
  • FIG. 4 is a schematic structural diagram of an embodiment of a network system of the present invention.
  • Detailed description of the embodiments:
  • The network system of the first embodiment includes a network access server 10, an authentication, authorization and accounting server 20, a service server 30, and a policy management control server 40.
  • The network access server 10 is configured to access user sessions from different types of bearer network into the IP service network, so that users can enjoy the services provided by the various service servers 30 in the IP service network.
  • The network access server 10 may be, for example, a LAN/WLAN NAS, a GPRS gateway support node (GGSN), a dial-up access server (Dial-up NAS), or an xDSL NAS.
  • User sessions can thus be accessed into the IP service network from bearer networks of various standards, such as a LAN/WLAN network, a GPRS/CDMA/WCDMA network, or a dial-up or xDSL network.
  • The authentication, authorization and accounting server 20 is configured to authenticate and authorize the user when the network access server 10 accesses the user session from a bearer network into the IP service network and, after authentication and authorization have passed, to charge the user session while the user enjoys the services provided by the various service servers 30.
  • The authentication, authorization and accounting server 20 may charge by traffic, by time, or by another charging method.
  • The service server 30 is configured to provide a variety of services, such as web browsing and music download, for users accessing the IP service network, to obtain the service usage status information of the user, and to control the user's session according to that information so that the user uses the services provided by the service server 30 within the scope of authority.
  • The service server 30 may be, for example, a Wireless Application Protocol gateway, a Multimedia Messaging Service Centre (MGW), a Content Charging Gateway (CCG), or a Streaming Server.
  • The network system of this embodiment further includes a policy management control server 40, configured to generate policy control information according to the user service usage status information obtained by the service server 30 and/or the authentication, authorization and accounting server 20, where the policy control information is used to instruct the network access server 10 to manage and control the session of the user, and to send the generated policy control information to the network access server 10.
  • The network access server 10 manages and controls the session of the user according to the policy control information.
  • In this way, when the service server 30 controls the user's session, the control policy for the controlled service is also sent to the network access server 10, so that the user's access-side session is controlled as well: the network access server 10 controls the user-side session according to the policy control information sent by the policy management control server 40.
  • Because the service server or the AAA server thereby controls how the network access server handles the user-side session, the reliability of the user session on the NAS device side is improved.
  • The policy management control server 40 includes a policy generating unit 41 and a policy sending unit 42, where the policy generating unit 41 is configured to generate policy control information according to the user service usage status information obtained by the service server 30, and the policy sending unit 42 is configured to send the policy control information generated by the policy generating unit 41 to the network access server 10.
  • The service server 30 may find, from the user authentication, authorization and charging information recorded by the authentication, authorization and accounting server 20, service usage status information such as the user status being incorrect, a prepaid user's balance being insufficient, a postpaid user's credit limit being insufficient, or the user not being allowed to access a certain service; according to this information the service server 30 performs a control operation such as cutting off the user's access session or blocking the user's packets based on access IP address, port and IP protocol number.
  • The policy management control server 40 generates policy control information according to the service usage status information obtained by the service server 30 (user status incorrect, prepaid balance insufficient, postpaid credit limit insufficient, access to the service not allowed); for example, it generates the policy control information "cut off the user access session" from the information "user status is incorrect", and the policy control information "block the user's packets based on the access IP address" from the information "prepaid user with insufficient balance".
  • The policy control information may be carried over the Radius protocol, the Diameter protocol, the COPS protocol, or a TCP/IP-based application protocol, and includes information that uniquely identifies the user: either policy control information based on a user identifier (which may be a telephone number, a mobile phone number, and so on) or policy control information based on the user's IP-layer 5-tuple (source IP address, destination IP address, source port number, destination port number and IP protocol number).
  • Table 1 shows the control interface and key parameters between the policy management control server 40 and the network access server 10, defined as an extension of the Radius protocol, the Diameter protocol, the COPS protocol, or a TCP/IP-based application protocol.
  • In this embodiment the policy control information is sent from the policy management control server 40 to the network access server 10 through the interface and parameters of Table 1. For example, when the policy management control server 40 generates the policy "block the user's packets based on the access IP address" from the "prepaid user with insufficient balance" information obtained by the service server 30, it carries the access IP address in the Visit-Ip parameter of the extended interface SubSessionCtrlRequest of the protocol data (Radius, Diameter, COPS, or TCP/IP-based application protocol) and the value "Block" in the Action parameter, and sends the data to the network access server 10; after receiving the protocol data, the network access server 10 parses the Visit-Ip and Action parameters of the extended interface item SubSessionCtrlRequest and thereby obtains the policy control information to block the user's packets based on the access IP address.
  • Only fragments of Table 1 survive on the page: a Session ID parameter for the session that needs re-authentication, and a ReAccessResponse interface item relating to re-authentication and authorization.
  • The policy management control server 40 may also generate policy control information according to the service usage status information of the user obtained by the authentication, authorization and accounting server 20.
  • FIG. 2 is a schematic flowchart of the policy management control method in this embodiment of the network system; as shown in FIG. 2, the method specifically includes:
  • Step S100: the service server or the authentication, authorization and accounting server obtains the service usage status information of the user. For example, the service server may obtain status information such as the user status being incorrect, a prepaid user's balance being insufficient, a postpaid user's credit limit being insufficient, or the user not being allowed to access a certain service.
  • Step S101: the policy management control server generates policy control information according to the service usage status information of the user obtained by the service server or the authentication, authorization and accounting server, where the policy control information is used to instruct the network access server to manage and control the session of the user; session management control includes activating the session, discarding all IP packets of the IP access session, re-initiating authentication and authorization, packet dropping, forwarding, mirroring, redirection, and deletion.
  • For example, the policy management control server generates the policy control information "cut off the user access session" from the information "user status is incorrect", generates the policy control information "block the user's packets based on the access IP address" from the information "prepaid user with insufficient balance", or generates, based on the user's service usage status information, policy control information requiring the network access server to initiate authentication and authorization to the AAA server again.
  • The policy control information may be carried over the Radius protocol, the Diameter protocol, the COPS protocol, or a TCP/IP-based application protocol, and includes information that uniquely identifies the user: either policy control information based on a user identifier (which may be a telephone number, a mobile phone number, and so on) or policy control information based on the user's IP-layer 5-tuple (source IP address, destination IP address, source port number, destination port number and IP protocol number).
  • For some of the control interfaces and protocol parameters between the policy management control server and the network access server, defined as extensions of the Radius, Diameter, COPS or TCP/IP-based application protocol, refer to Table 1 above.
  • Step S102: the policy management control server sends the policy control information to the network access server.
  • The network access server then manages and controls the user session according to the policy control information. For example, on receiving the policy control information "cut off the user access session" it cuts off the user access session; on receiving policy control information requesting it to initiate authentication and authorization to the AAA server again, it initiates re-authentication and authorization to the AAA server and performs session control according to the AAA server's response.
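As an added example (not code from the patent or from Huawei), the following Python sketch walks through steps S100 to S102 together with the SubSessionCtrlRequest exchange described for the first embodiment: a policy generating unit maps the page's service usage statuses to policy control information, a policy sending unit serialises it, and a NAS-side handler parses the Visit-Ip and Action parameters and applies them to its session table before deciding whether a user's packet may be forwarded. The JSON encoding, the HMAC authenticator on the message, the mapping of the postpaid-credit case to re-authentication, and all user identifiers and IP addresses are assumptions of this example; the patent only says the interface is an extension of Radius, Diameter, COPS or a TCP/IP-based application protocol.

```python
"""Added example (not the patent's or Huawei's code): a toy policy management
control server and NAS-side handler for the SubSessionCtrlRequest interface.
The JSON layout, the HMAC authenticator, the ReAuth mapping and all sample
values are assumptions of this example."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed shared secret between policy server and NAS (RADIUS-style secret);
# a real deployment would provision this per NAS rather than hard-code it.
SHARED_SECRET = b"example-secret-not-for-production"

# Service usage status -> Action parameter. The first two pairs are the
# page's own examples; mapping the postpaid-credit case to re-authentication
# is an assumption of this example.
STATUS_TO_ACTION = {
    "user_status_incorrect": "Cut",            # cut off the user access session
    "prepaid_balance_insufficient": "Block",   # block packets by access IP
    "postpaid_credit_insufficient": "ReAuth",  # NAS re-initiates auth/authz to AAA
}


def generate_policy(user_id, status, visit_ip=None):
    """Policy generating unit (S101): build a SubSessionCtrlRequest message."""
    action = STATUS_TO_ACTION.get(status)
    if action is None:
        raise ValueError(f"no policy defined for status {status!r}")
    msg = {"Interface": "SubSessionCtrlRequest", "User-Id": user_id, "Action": action}
    if action == "Block":
        if visit_ip is None:
            raise ValueError("a Block policy needs the access IP address")
        msg["Visit-Ip"] = visit_ip   # the page's Visit-Ip parameter
    return msg


def send_policy(msg):
    """Policy sending unit (S102): serialise and append an HMAC so the NAS can
    verify the message really comes from the policy server."""
    body = json.dumps(msg, sort_keys=True).encode()
    tag = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


@dataclass
class Session:
    user_id: str
    state: str = "active"                       # active | cut | reauth_pending
    blocked_ips: set = field(default_factory=set)


class NAS:
    """Network access server: holds user sessions and applies policy control."""

    def __init__(self):
        self.sessions = {}

    def add_session(self, user_id):
        self.sessions[user_id] = Session(user_id)

    def receive(self, wire):
        """Parse a SubSessionCtrlRequest and apply it to the session table."""
        body, _, tag = wire.rpartition(b"\n")
        expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad authenticator"
        msg = json.loads(body)
        if msg.get("Interface") != "SubSessionCtrlRequest":
            return "rejected: unknown interface"
        sess = self.sessions.get(msg.get("User-Id"))
        if sess is None:
            return "ignored: no such session"
        action = msg.get("Action")
        if action == "Cut":
            sess.state = "cut"
        elif action == "Block":
            ip = msg.get("Visit-Ip")
            if ip is None:
                return "rejected: Block without Visit-Ip"
            sess.blocked_ips.add(ip)
        elif action == "ReAuth":
            # The NAS would now re-run authentication and authorization with
            # the AAA server; forwarding is suspended until that answer arrives.
            sess.state = "reauth_pending"
        else:
            return f"rejected: unknown action {action!r}"
        return f"applied: {action}"

    def forward(self, user_id, dst_ip):
        """Data-plane decision: may this user's packet to dst_ip be forwarded?"""
        sess = self.sessions.get(user_id)
        if sess is None or sess.state != "active":
            return False
        return dst_ip not in sess.blocked_ips


if __name__ == "__main__":
    nas = NAS()
    nas.add_session("user-1")
    policy = generate_policy("user-1", "prepaid_balance_insufficient", "203.0.113.10")
    print(nas.receive(send_policy(policy)), nas.forward("user-1", "203.0.113.10"))
```

The authenticator is the check a practitioner would want before an out-of-band server is allowed to cut or block sessions: without it, any host that can reach the NAS control interface could inject a SubSessionCtrlRequest. Re-authentication is modelled only as a state change; in the page's flow the NAS would then query the AAA server and control the session according to its answer.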
  • FIG. 3 is a schematic structural diagram of another embodiment of the network system of the present invention; as shown in FIG. 3, this embodiment differs from the foregoing one in that the policy management control function is integrated in the service server. Specifically, the network system of this embodiment includes a network access server 10, an authentication, authorization and accounting server 20, and a service server 50.
  • The service server 50 includes a service providing unit 51, an obtaining unit 52, a session control unit 53, and a policy management control unit 54.
  • The service providing unit 51 is configured to provide services for the user;
  • the obtaining unit 52 is configured to obtain the service usage status information of the user;
  • the session control unit 53 is configured to control the session of the user according to the service usage status information obtained by the obtaining unit 52, so that the user uses the services within the scope of authority;
  • the policy management control unit 54 is configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit 52, and to send the generated policy control information to the network access server 10.
  • The network access server 10 manages and controls the session of the user according to the policy control information.
  • The policy management control method in this embodiment specifically includes: the service server obtains the service usage status information of the user; the service server generates policy control information according to that information, where the policy control information is used to instruct the network access server to manage and control the user's session; the service server sends the policy control information to the network access server; and after receiving the policy control information, the network access server manages and controls the user's session according to it.
  • The network system of this further embodiment includes a network access server 10, an authentication, authorization and accounting server 60, and a service server 30.
  • The authentication, authorization and accounting server 60 includes an authentication unit 61, an authorization unit 62, a charging unit 63, an obtaining unit 64, and a policy management control unit 65, where the authentication unit 61 is configured to authenticate the access user session;
  • the authorization unit 62 is configured to authorize the access user session;
  • the charging unit 63 is configured to charge the access user session;
  • the obtaining unit 64 is configured to obtain the service usage status information of the user from the user authentication, authorization and charging information recorded by the authentication unit 61, the authorization unit 62 and the charging unit 63;
  • the policy management control unit 65 is configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit 64, and to send the generated policy control information to the network access server 10.
  • The network access server 10 manages and controls the session of the user according to the policy control information.
  • The policy management control method in this embodiment includes: the authentication, authorization and accounting server obtains the service usage status information of the user; it generates policy control information according to that information and sends it to the network access server; and the network access server manages and controls the user's session according to the policy control information.
  • By generating policy control information from the service usage status information obtained by the service server and/or the authentication, authorization and accounting server, and using it to make the network access server manage and control the session of the user, the embodiments of the present invention improve the reliability of the user session on the NAS device side during service use.
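As an added example (not the patent's or Huawei's code), the following Python sketch shows what the obtaining unit 64 of the AAA-server embodiment has to do: combine the records held by the authentication, authorization and charging units into the service usage status information the page lists (user status incorrect, prepaid balance insufficient, postpaid credit limit insufficient, service not allowed), which the policy management control unit 65 then turns into policy control information. The record layout, the per-megabyte tariff, the cumulative-octet convention and every user and value are constructed for this example.

```python
"""Added example (not the patent's or Huawei's code): the obtaining unit of the
AAA-server embodiment, deriving a user's service usage status from recorded
authentication, authorization and accounting data. Record layout, tariff and
all sample data are constructed for this example."""
from dataclasses import dataclass

# Constructed tariff for traffic-based charging, one of the charging methods
# the page names (traffic, time, or other).
PRICE_PER_MB = 0.5


@dataclass(frozen=True)
class UserProfile:
    """What the authentication and authorization units recorded for a user."""
    user_id: str
    kind: str                        # "prepaid" | "postpaid"
    allowed_services: frozenset
    balance: float = 0.0             # prepaid balance (currency units)
    credit_limit: float = 0.0        # postpaid credit limit (currency units)
    authenticated: bool = True       # authentication unit's recorded outcome


# Constructed accounting records in the style of RADIUS Accounting-Request
# messages; "octets" is cumulative for the session, as Acct-Input-Octets is.
ACCOUNTING = [
    {"user": "alice", "type": "Start", "octets": 0, "service": "web"},
    {"user": "alice", "type": "Interim-Update", "octets": 40 * 2**20, "service": "web"},
    {"user": "bob", "type": "Start", "octets": 0, "service": "music"},
    {"user": "bob", "type": "Interim-Update", "octets": 500 * 2**20, "service": "music"},
    {"user": "carol", "type": "Start", "octets": 0, "service": "streaming"},
    {"user": "dave", "type": "Start", "octets": 0, "service": "web"},
    {"user": "erin", "type": "Interim-Update", "octets": 10 * 2**20, "service": "web"},
]

PROFILES = {
    "alice": UserProfile("alice", "prepaid", frozenset({"web"}), balance=10.0),
    "bob": UserProfile("bob", "postpaid", frozenset({"music"}), credit_limit=100.0),
    "carol": UserProfile("carol", "prepaid", frozenset({"web"}), balance=50.0),
    # dave has no profile: the authentication unit never admitted him
    "erin": UserProfile("erin", "prepaid", frozenset({"web"}), balance=50.0),
}


def charged_amount(user_id, records):
    """Charging unit view: cost of the traffic accounted so far for the user.
    Octet counts are cumulative, so the latest (largest) value is the total."""
    octets = max((r["octets"] for r in records if r["user"] == user_id), default=0)
    return octets / 2**20 * PRICE_PER_MB


def service_usage_status(user_id, profiles, records):
    """Obtaining unit: turn auth/authz/accounting data into one of the service
    usage statuses the page lists, or "ok" when no control is needed."""
    profile = profiles.get(user_id)
    if profile is None or not profile.authenticated:
        return "user_status_incorrect"
    used = {r["service"] for r in records if r["user"] == user_id}
    if not used <= profile.allowed_services:
        return "service_not_allowed"
    cost = charged_amount(user_id, records)
    if profile.kind == "prepaid" and cost >= profile.balance:
        return "prepaid_balance_insufficient"
    if profile.kind == "postpaid" and cost >= profile.credit_limit:
        return "postpaid_credit_insufficient"
    return "ok"


def evaluate_all(profiles, records):
    """Status for every user seen in accounting; the non-"ok" entries are the
    input the policy management control unit turns into policy control
    information for the network access server."""
    return {u: service_usage_status(u, profiles, records)
            for u in sorted({r["user"] for r in records})}


if __name__ == "__main__":
    for user, status in evaluate_all(PROFILES, ACCOUNTING).items():
        print(f"{user}: {status}")
```

The order of the checks matters: an unauthenticated or unknown user is reported before any service or balance check, and a service the user was never authorized for is reported before its cost is considered, so that each user yields exactly one status for the policy management control unit to act on.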


Abstract

A network system includes a network access server (10), an authentication authority accounting server (20,60) and a service server (30,50). The network system also includes a strategy management control server (40) used for creating strategy control information according to information of a user service usage state obtained by the service server (30,50) and/or the authentication authority accounting server (20,60) (S101), wherein the strategy control information is used for indicating the network access server (10) to manage and control a session of user, and sending the strategy control information created to the network access server (10) (S102). The network access server (10) manages and controls the session of user according to the strategy control information. And a strategy management control server (40), a service server (30,50) and an authentication authority accounting server (20,60). By means of the present invention, the reliability of the session of user on the NAS device side can be improved during the usage of service.

Description

一种策略管理控制方法、 装置和*** 本申请要求于 2007 年 10 月 29 日 提交中国专利局、 申请号 为 200710031119.5、 发明名称为 "一种网络***、 策略管理控制服务器及策略 管理控制方法" 的中国专利申请的优先权, 其全部内容通过引用结合在本申请 中。 技术领域  The present invention claims to be submitted to the Chinese Patent Office on October 29, 2007, the application number is 200710031119.5, and the invention name is "a network system, a policy management control server, and a policy management control method". Priority of Chinese Patent Application, the entire contents of which is incorporated herein by reference. Technical field
本发明涉及通信领域, 尤其涉及一种策略管理控制方法、 装置和***。 背景技术  The present invention relates to the field of communications, and in particular, to a policy management control method, apparatus, and system. Background technique
目前,各种各样的基于 IP的网絡接入技术让人们可以很便捷的使用各种终端 接入到 Internet或者 Intranet网络。 各种网络接入技术都需要相应的网络接入服务 器 ( NAS , Network Access Server ) 设备和认证授权计费服务器 (AAA , Autentication Authorization Accounting )设备。 比如, 固网的电话拨号接入需要 拨号接入服务器和 AAA设备, 通用分组无线业务(GPRS, General Packet Radio Service )的 IP接入需要 GPRS网关支持节点( GGSN, Gate GPRS Supporting Node ) 和 AAA设备。 其中 NAS设备负责将用户会话从不同制式的承载网接入到 IP业务 网络中以使用户享受 IP业务网络中各种业务服务器提供的服务, AAA设备则负 责在 NAS设备将用户会话从不同制式的承载网接入到 IP业务网络的过程中,对用 户进行认证和授权, 认证和授权通过以后, 对用户会话进行计费。  At present, various IP-based network access technologies allow people to easily access various terminals to the Internet or intranet networks. Various network access technologies require a corresponding network access server (NAS, Network Access Server) device and an authentication and authorization accounting server (AAA, Autentication Authorization Accounting) device. For example, a fixed-line telephone dial-up access requires a dial-up access server and an AAA device, and a general packet radio service (GPRS, General Packet Radio Service) IP access requires a GPRS gateway support node (GGSN, Gate GPRS Supporting Node) and an AAA device. . The NAS device is responsible for accessing the user session from the bearer network of different standards to the IP service network, so that the user enjoys the services provided by various service servers in the IP service network, and the AAA device is responsible for the user session from the NAS device. During the process of the bearer network accessing the IP service network, the user is authenticated and authorized. After the authentication and authorization are passed, the user session is charged.
在实现本发明的过程中, 发明人发现, 目前, NAS设备和 AAA设备之间, 通过 NAS设备主动向 AAA设备请求对用户接入会话进行认证、授权以及计费。 NAS设备与 IP业务网络中各种业务服务器之间, 通过 NAS设备向各业务服务 器请求业务服务, 在用户通过认证和授权并成功接入到 IP业务网络以后, AAA 服务器将不会主动对用户会话进行重新认证、 授权和更新计费, 业务服务器在 为用户提供业务服务的过程中, 比如发现用户会话状态为用户状态不正确、 预 付费用户余额不足、 后付费用户的信用额度不够或用户对某个业务是不允许访 问时, 业务服务器将会对所述用户的会话进行相应控制, 比如切断所述用户会 话或者阻塞所述用户基于访问 IP地址、 端口和 IP协议号的报文, 这样, 业务服 务器侧用户会话状态将发生改变, 但由于 NAS设备无法了解业务服务器侧对用 户会话的控制动作, NAS设备侧的用户会话将保持原有状态, 譬如当业务服务 器已切断用户会话, 或已阻塞用户访问的基于访问 IP地址、 端口和 IP层协议号 的报文时, NAS设备不会切断所述用户会话或者阻塞所述用户访问的基于访问 IP地址、 端口和 IP层协议号的报文。 现有技术的 NAS设备和 AAA设备间以及 NAS设备与业务服务器之间只存在从 NAS设备到 AAA设备以及 NAS设备到 业务服务器的主动服务请求, AAA设备以及业务服务器不能对 NAS设备进行主 动控制, 致使业务使用过程中 NAS设备侧的用户会话的可靠性很低。 发明内容 In the process of implementing the present invention, the inventor has found that, at present, between the NAS device and the AAA device, the NAS device actively requests the AAA device to authenticate, authorize, and charge the user access session. The NAS device and the various service servers in the IP service network request service services from the service servers through the NAS device. After the user passes the authentication and authorization and successfully accesses the IP service network, the AAA server will not actively talk to the user. Perform re-authentication, authorization, and update accounting. In the process of providing business services to users, for example, the user session status is found to be incorrect, the prepaid user balance is insufficient, the post-paid user's credit limit is insufficient, or the user is When the service is not allowed to be accessed, the service server will perform corresponding control on the user's session, such as cutting off the user session or blocking the user's message based on the access IP address, port, and IP protocol number. Service The user session status of the server will change. 
However, because the NAS device cannot understand the control action of the user server on the service server side, the user session on the NAS device side will remain in the original state, for example, when the service server has cut off the user session or is blocked. When the user accesses a packet based on the access IP address, the port, and the IP layer protocol number, the NAS device does not cut the user session or block the packet based on the access IP address, port, and IP layer protocol number accessed by the user. There is only an active service request between the NAS device and the AAA device and between the NAS device and the service server from the NAS device to the AAA device and the NAS device to the service server, and the AAA device and the service server cannot actively control the NAS device. The reliability of the user session on the NAS device side during service use is very low. Summary of the invention
In view of this, embodiments of the present invention provide a policy management control method, apparatus, and system that can improve the reliability of the user session on the NAS device side during service use.
An embodiment of the present invention provides a policy management control server, which includes:
a policy generating unit, configured to generate policy control information according to user service usage status information obtained by a service server and/or an authentication, authorization and accounting server, the policy control information being used to instruct a network access server to manage and control the session of the user; and
a policy sending unit, configured to send the policy control information generated by the policy generating unit to the network access server.
Correspondingly, an embodiment of the present invention provides a network system that includes a network access server, an authentication, authorization and accounting server, and a service server, and further includes: a policy management control server, configured to generate policy control information according to user service usage status information obtained by the service server and/or the authentication, authorization and accounting server, the policy control information being used to instruct the network access server to manage and control the session of the user, and to send the generated policy control information to the network access server;
The network access server manages and controls the session of the user according to the policy control information.
Correspondingly, an embodiment of the present invention provides a service server, including:
a service providing unit, configured to provide service to a user;
an obtaining unit, configured to obtain service usage status information of the user;
a session control unit, configured to control the session of the user according to the service usage status information of the user obtained by the obtaining unit, so that the user uses the service provided by the service providing unit within the scope of the user's rights;
In addition, the service server further includes:
a policy management control unit, configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit, the policy control information being used to instruct a network access server to manage and control the session of the user, and to send the generated policy control information to the network access server.
Correspondingly, an embodiment of the present invention provides a network system including a network access server, an authentication, authorization and accounting server, and a service server, where the service server includes:
a service providing unit, configured to provide service to a user;
an obtaining unit, configured to obtain service usage status information of the user;
a session control unit, configured to control the session of the user according to the service usage status information of the user obtained by the obtaining unit, so that the user uses the service provided by the service providing unit within the scope of the user's rights;
The service server is characterized in that it further includes:
a policy management control unit, configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit, the policy control information being used to instruct the network access server to manage and control the session of the user, and to send the generated policy control information to the network access server.
The network access server manages and controls the session of the user according to the policy control information.
Correspondingly, an embodiment of the present invention provides an authentication, authorization and accounting server that includes an authentication unit, an authorization unit, and an accounting unit, and further includes:
an obtaining unit, configured to obtain service usage status information of the user according to the user authentication, authorization and accounting information recorded by the authentication unit, the authorization unit, and the accounting unit;
a policy management control unit, configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit, the policy control information being used to instruct a network access server to manage and control the session of the user, and to send the generated policy control information to the network access server.
Correspondingly, an embodiment of the present invention provides a network system including a network access server, an authentication, authorization and accounting server, and a service server, where the authentication, authorization and accounting server includes an authentication unit, an authorization unit, and an accounting unit, and further includes:
an obtaining unit, configured to obtain service usage status information of the user according to the user authentication, authorization and accounting information recorded by the authentication unit, the authorization unit, and the accounting unit;
a policy management control unit, configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit, the policy control information being used to instruct the network access server to manage and control the session of the user, and to send the generated policy control information to the network access server.
The network access server manages and controls the session of the user according to the policy control information.
Correspondingly, an embodiment of the present invention provides a policy management control method, including:
receiving service usage status information of a user sent by a service server and/or an authentication, authorization and accounting server;
generating policy control information according to the received service usage status information of the user, the policy control information being used to instruct a network access server to manage and control the session of the user; and
sending the policy control information to the network access server.
In the embodiments of the present invention, policy control information is generated from the user's service usage status information obtained by the service server and/or the authentication, authorization and accounting server and is used to make the network access server manage and control the user's session, which improves the reliability of the user session on the NAS device side during service use.

Brief Description of the Drawings
In order to describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of an embodiment of a network system according to the present invention;
FIG. 2 is a schematic flowchart of a policy management control method in an embodiment of a network system according to the present invention;
FIG. 3 is a schematic structural diagram of an embodiment of a network system according to the present invention;
FIG. 4 is a schematic structural diagram of an embodiment of a network system according to the present invention.

Detailed Description
The present invention is further described in detail below with reference to the drawings and embodiments.
FIG. 1 is a schematic structural diagram of an embodiment of a network system according to the present invention. As shown in FIG. 1, the network system of this first embodiment includes a network access server 10, an authentication, authorization and accounting server 20, a service server 30, and a policy management control server 40, where:
The network access server 10 is configured to connect user sessions from bearer networks of different standards to the IP service network, so that users can enjoy the services provided by the various service servers 30 in the IP service network. A network access server 10, for example a LAN/WLAN NAS, a GGSN (Gateway General Packet Radio Service Support Node), a dial-up access server, a Dial-up NAS, or an xDSL NAS, can connect user sessions from bearer networks of various standards, such as a LAN/WLAN network, a GPRS/CDMA/WCDMA network, or a Dial-up/xDSL network, to the IP service network.
The authentication, authorization and accounting server 20 is configured to authenticate and authorize the user while the network access server 10 connects the user session from a bearer network of a given standard to the IP service network and, once authentication and authorization have succeeded, to account for the user session while the user uses the services provided by the various service servers 30. The authentication, authorization and accounting server 20 may use volume-based, time-based, or other accounting methods.
The service server 30 is configured to provide a wide variety of services, such as web browsing and music download, to users who access the IP service network; to obtain service usage status information of a user; and to control the session of the user according to the obtained service usage status information, so that the user uses the services provided by the service server 30 within the scope of the user's rights. The service server 30 may be a Wireless Application Protocol gateway (WAPGW, Wireless Application Protocol GateWay), a multimedia messaging service centre (MMSC, Multimedia Messaging Service Centre), a content charging gateway (CCG, Content Charge Gateway), a streaming media server (Stream Server), or the like.
The network system of this embodiment further includes a policy management control server 40, configured to generate policy control information according to user service usage status information obtained by the service server 30 and/or the authentication, authorization and accounting server 20, the policy control information being used to instruct the network access server 10 to manage and control the session of the user, and to send the generated policy control information to the network access server 10.
The network access server 10 manages and controls the session of the user according to the policy control information.
It should be noted that the session of the user controlled by the service server 30 may be the service session on the service side, or the session established between the user terminal on the user side and the network access server 10. For example, the service server 30 may generate a control policy according to the state of the service session and pass it to the policy management control server 40, which then delivers the control policy to the network access server 10, thereby controlling the user's access-side session; what the network access server 10 controls according to the policy control information sent by the policy management control server 40 is the user-side session, that is, the session established between the user terminal and the network access server 10.
In this way, in this embodiment the service server or the AAA server can make the network access server control the user-side session, which improves the reliability of the user session on the NAS device side.
Referring further to FIG. 1, the policy management control server 40 includes a policy generating unit 41 and a policy sending unit 42. The policy generating unit 41 is configured to generate policy control information according to the user service usage status information obtained by the service server 30, and the policy sending unit 42 is configured to send the policy control information generated by the policy generating unit 41 to the network access server 10. For example, from the user authentication, authorization and accounting information recorded by the authentication, authorization and accounting server 20, the service server 30 may obtain service usage status information such as: the user state is incorrect, a prepaid user's balance is insufficient, a postpaid user's credit limit is insufficient, or the user is not allowed to access a particular service. According to that service usage status information, the service server 30 performs control operations such as cutting off the user's access session or blocking the user's packets identified by the visited IP address, port, and IP protocol number. At this point, the policy management control server 40 generates policy control information from the service usage status information obtained by the service server 30 (user state incorrect, prepaid user balance insufficient, postpaid user credit limit insufficient, access to a particular service not allowed, and so on); for example, it generates the policy control information "cut off the user's access session" from the information "user state incorrect", and generates the policy control information "block the user's packets to the visited IP address" from the information "prepaid user balance insufficient".
The policy control information may be implemented on the basis of the Radius protocol, the Diameter protocol, the COPS protocol, or an application protocol over TCP/IP. It includes policy control information keyed on a user identifier (information that uniquely identifies a user, such as a telephone number or mobile number) and policy control information keyed on the user's IP layer 5-tuple (source IP address, destination IP address, source port number, destination port number, and IP protocol number).
Table 1 shows the control interfaces, extended on the basis of the Radius protocol, the Diameter protocol, the COPS protocol, or an application protocol over TCP/IP, between the policy control server 40 and the network access server 10, together with their key parameters. The policy control information in this embodiment is sent from the policy control server 40 to the network access server 10 through the interfaces and parameters in Table 1. For example, after the policy control server 40 has generated the policy control information "block the user's packets to the visited IP address" from the information "prepaid user balance insufficient" obtained by the service server 30, it carries the "visited IP address" in the Visit-Ip parameter of the extended interface SubSessionCtrlRequest of the protocol data (based on the Radius protocol, the Diameter protocol, the COPS protocol, or an application protocol over TCP/IP) and "block" in the Action parameter, and sends the protocol data to the network access server 10. When the network access server 10 receives the protocol data, it parses the contents of the Visit-Ip and Action parameters of the extended interface item SubSessionCtrlRequest and thereby obtains the policy control information "block the user's packets to the visited IP address".
Table 1

Columns: extended interface; parameters carried; parameter notes; required/optional; interface description.

Extended interface: UserSessionCtrlRequest (user IP access session control request)
  User-Id      unique user identifier                                                    required
  Action       action taken on the user's IP access session:                            required
               1: deactivate; 2: block all IP packets of the user
  Session-Id   user IP access session identifier                                        optional

Extended interface: UserSessionCtrlResponse (user IP access session control response)
  User-Id      unique user identifier                                                    required
  Session-Id   user IP access session identifier                                        optional
  Result-Code  error code                                                                required

Extended interface: SubSessionCtrlRequest (IP 5-tuple service session control request)
  User-Id      unique user identifier                                                    required
  Session-Id   user IP access session identifier                                        optional
  User-Ip      user IP address                                                           required
  User-Port    user port                                                                 required
  Visit-Ip     visited IP address                                                        required
  Visit-Port   visited port                                                              required
  Protocol     IP layer protocol number (TCP, UDP, ICMP, etc.)                           required
  Action       action taken on the user's IP layer 5-tuple sub-session:                 required
               1: delete session; 2: block; 3: forward; 4: redirect; 5: mirror

Extended interface: SubSessionCtrlResponse (IP 5-tuple service session control response)
  User-Id      unique user identifier                                                    required
  Session-Id   user IP access session identifier                                        optional
  Result-Code  error code                                                                required

Extended interface: ReAccessRequest (re-authentication and authorization request)
  User-Id      unique identifier of the user to be re-authenticated and re-authorized    required
  Session-Id   IP access session identifier of the user to be re-authenticated and re-authorized   optional

Extended interface: ReAccessResponse (re-authentication and authorization response)
  User-Id      unique identifier of the user to be re-authenticated and re-authorized    required
  Session-Id   IP access session identifier of the user to be re-authenticated and re-authorized   optional
  Result-Code  error code                                                                required
The policy management control server 40 may also generate policy control information according to the service usage status information of the user obtained by the authentication, authorization and accounting server 20.
FIG. 2 is a schematic flowchart of a policy management control method in an embodiment of a network system according to the present invention. As shown in FIG. 2, the policy management control method in this network system embodiment specifically includes:
Step S100: the service server or the authentication, authorization and accounting server obtains service usage status information of a user; for example, the service server may obtain service usage status information such as the user state being incorrect, a prepaid user's balance being insufficient, a postpaid user's credit limit being insufficient, or the user not being allowed to access a particular service.
Step S101: the policy management control server generates policy control information according to the service usage status information of the user obtained by the service server or the authentication, authorization and accounting server, the policy control information being used to instruct the network access server to manage and control the session of the user. Session management and control includes activating the session, discarding all IP packets of the IP access session, re-initiating authentication and authorization, and dropping, forwarding, mirroring, redirecting, and deleting.
For example, the policy management control server generates the policy control information "cut off the user's access session" from the information "user state incorrect"; generates the policy control information "block the user's packets to the visited IP address" from the information "prepaid user balance insufficient"; or generates, from the user's service usage status information, the policy control information "require the network access server to re-initiate authentication and authorization with the AAA server".
The policy control information may be implemented on the basis of the Radius protocol, the Diameter protocol, the COPS protocol, or an application protocol over TCP/IP. It includes policy control information keyed on a user identifier (information that uniquely identifies a user, such as a telephone number or mobile number) and policy control information keyed on the user's IP layer 5-tuple (source IP address, destination IP address, source port number, destination port number, and IP protocol number). The control interfaces, extended on the basis of the Radius protocol, the Diameter protocol, the COPS protocol, or an application protocol over TCP/IP, between a policy control server and a network access server, and their key parameters, are as shown in Table 1 above.
Step S102: the policy management control server sends the policy control information to the network access server. After receiving the policy control information, the network access server manages and controls the user session according to it. For example, on receiving the policy control information "cut off the user's access session", it cuts off the user's access session; on receiving the policy control information "require the network access server to re-initiate authentication and authorization with the AAA server", the network access server re-initiates authentication and authorization with the AAA server and controls the session according to the AAA server's response.
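Steps S100 to S102 and Table 1 worked through in code, as an added example that is not part of the patent: the policy generating unit maps a user's service usage status to one of the Table 1 request interfaces, the policy sending unit encodes it, and the NAS validates the required parameters and Action code before touching its session table, answering with the matching response and Result-Code. The Python implementation, the JSON-over-TCP/IP encoding, the status strings, the Result-Code values and the sample user and addresses are assumptions made for this example.

```python
"""Added example, not code from the patent: a policy management control server
turns a user's service usage status into policy control information and a NAS
applies it. Interface names, parameters and Action codes follow Table 1; the
JSON encoding, status strings and Result-Code values are assumptions."""
import json

# Table 1: (required parameters, optional parameters) of each request interface.
INTERFACE_SPEC = {
    "UserSessionCtrlRequest": ({"User-Id", "Action"}, {"Session-Id"}),
    "SubSessionCtrlRequest": ({"User-Id", "User-Ip", "User-Port", "Visit-Ip",
                               "Visit-Port", "Protocol", "Action"}, {"Session-Id"}),
    "ReAccessRequest": ({"User-Id"}, {"Session-Id"}),
}
# Action codes from Table 1.
USER_SESSION_ACTIONS = {1: "deactivate", 2: "block-all"}
SUB_SESSION_ACTIONS = {1: "delete", 2: "block", 3: "forward", 4: "redirect", 5: "mirror"}
# Result-Code values (assumed; the patent only calls it an "error code").
OK, ERR_INTERFACE, ERR_PARAM, ERR_USER, ERR_ACTION = 0, 1, 2, 3, 4


def generate_policy(status, user_id, session_id=None, flow=None):
    """Policy generating unit: map service usage status to policy control information.
    flow is the user IP layer 5-tuple (user IP, user port, visited IP, visited port,
    IP protocol number); the status strings are constructed for this example."""
    if status == "user-state-incorrect":            # -> cut off the access session
        msg = {"interface": "UserSessionCtrlRequest", "User-Id": user_id, "Action": 1}
    elif status == "prepaid-balance-insufficient":  # -> block packets to the visited IP
        user_ip, user_port, visit_ip, visit_port, proto = flow
        msg = {"interface": "SubSessionCtrlRequest", "User-Id": user_id,
               "User-Ip": user_ip, "User-Port": user_port, "Visit-Ip": visit_ip,
               "Visit-Port": visit_port, "Protocol": proto, "Action": 2}
    elif status == "reauth-required":               # -> NAS re-authenticates with AAA
        msg = {"interface": "ReAccessRequest", "User-Id": user_id}
    else:
        raise ValueError("no policy defined for status %r" % status)
    if session_id is not None:
        msg["Session-Id"] = session_id
    return msg


def encode(msg):
    """Policy sending unit: serialise the message (JSON over TCP/IP, assumed)."""
    return json.dumps(msg).encode()


class NAS:
    def __init__(self):
        self.sessions = {}         # User-Id -> {"active", "block_all", "flows"}
        self.reauth_requests = []  # users for whom re-authentication must be started

    def add_session(self, user_id):
        self.sessions[user_id] = {"active": True, "block_all": False, "flows": {}}

    def forwards(self, user_id, flow):  # would the NAS forward this user's packet on this 5-tuple?
        sess = self.sessions.get(user_id)
        if sess is None or not sess["active"] or sess["block_all"]:
            return False
        return sess["flows"].get(flow) != "block"   # redirect/mirror still forward

    def handle(self, data):
        """Parse the received protocol data, apply it, and return the *Response."""
        msg = json.loads(data)
        iface = msg.get("interface", "")
        spec = INTERFACE_SPEC.get(iface)
        if spec is None:
            return self._response(iface, msg, ERR_INTERFACE)
        required, optional = spec
        keys = set(msg) - {"interface"}
        if not required <= keys or not keys <= required | optional:
            return self._response(iface, msg, ERR_PARAM)   # missing/unexpected parameter
        sess = self.sessions.get(msg["User-Id"])
        if sess is None:
            return self._response(iface, msg, ERR_USER)
        if iface == "ReAccessRequest":
            self.reauth_requests.append(msg["User-Id"])
            return self._response(iface, msg, OK)
        table = USER_SESSION_ACTIONS if iface == "UserSessionCtrlRequest" else SUB_SESSION_ACTIONS
        action = table.get(msg["Action"])
        if action is None:
            return self._response(iface, msg, ERR_ACTION)
        if action == "deactivate":
            sess["active"] = False
        elif action == "block-all":
            sess["block_all"] = True
        else:  # sub-session actions apply to one 5-tuple
            key = (msg["User-Ip"], msg["User-Port"], msg["Visit-Ip"],
                   msg["Visit-Port"], msg["Protocol"])
            if action == "delete":
                sess["flows"].pop(key, None)
            else:
                sess["flows"][key] = action
        return self._response(iface, msg, OK)

    @staticmethod
    def _response(iface, msg, code):
        resp = {"interface": iface.replace("Request", "Response"),
                "User-Id": msg.get("User-Id"), "Result-Code": code}
        if "Session-Id" in msg:
            resp["Session-Id"] = msg["Session-Id"]
        return resp
```

A message that omits a required Table 1 parameter, names an unknown user, or carries an Action code outside Table 1 is answered with a non-zero Result-Code and leaves the session table untouched.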
图 3是本发明网络***实施例的结构组成示意图; 如图 3所示, 本实施例 与前述实施例的不同之处在于本实施例中策略管理控制功能集成在业务服务器 中实现, 具体的, 本实施例的网络***包括网 入服务器 10、 认证授权计费 服务器 20以及业务服务器 50。 3 is a schematic structural diagram of an embodiment of a network system according to the present invention; as shown in FIG. 3, the difference between the embodiment and the foregoing embodiment is that the policy management control function is integrated in the service server in this embodiment, specifically, The network system of this embodiment includes a network entry server 10, and an authentication and authorization fee. Server 20 and service server 50.
其中业务服务器 50进一步包括服务提供单元 51、 获得单元 52、 会话控制 单元 53以及策略管理控制单元 54。服务提供单元 51用于为用户提供业务服务; 所述获得单元 52用于获得所述用户的业务使用状态信息;所述会话控制单元 53 用于根据所述获得单元 52获得的所述用户的业务使用状态信息控制所述会话用 户的会话, 以使所述用户在权限范围内使用所述服务提供单元 51提供的业务服 务; 所述策略管理控制单元 54, 用于根据所述获得单元 52获得的所述用户的业 务使用状态信息生成策略控制信息, 并将所述生成的所述策略控制信息发送给 所述网络接入服务器 10。所述网络接入服务器 10根据所述策略控制信息对所述 用户的会话进行管理和控制。  The service server 50 further includes a service providing unit 51, an obtaining unit 52, a session control unit 53, and a policy management control unit 54. The service providing unit 51 is configured to provide a service service for the user; the obtaining unit 52 is configured to obtain service usage status information of the user; and the session control unit 53 is configured to obtain the service of the user according to the obtaining unit 52. Using the state information to control the session of the session user, so that the user uses the service service provided by the service providing unit 51 within the scope of authority; the policy management control unit 54 is configured to obtain according to the obtaining unit 52. The service usage status information of the user generates policy control information, and the generated policy control information is sent to the network access server 10. The network access server 10 manages and controls the session of the user according to the policy control information.
本实施例中策略管理控制方法具体包括: 业务服务器获得用户的业务使用 状态信息; 业务服务器根据业务服务器获得的所述用户的业务使用状态信息生 成策略控制信息, 所述策略控制信息用于指示网络接入服务器对用户的会话进 行管理和控制; 业务服务器将所述策略控制信息发送给所述网络接入服务器。 网絡接入服务器接收到所述策略控制信息后, 将根据所述策略控制信息建立用 户接入会话。 实现业务使用过程中, 网络接入服务器接收到所述策略控制信息 后, 将根据所述策略控制信息对用户会话进行管理和控制。  The policy management control method in this embodiment specifically includes: the service server obtains service usage status information of the user; the service server generates policy control information according to the service usage status information of the user obtained by the service server, where the policy control information is used to indicate the network. The access server manages and controls the user's session; the service server sends the policy control information to the network access server. After receiving the policy control information, the network access server establishes a user access session according to the policy control information. During the implementation of the service, after receiving the policy control information, the network access server manages and controls the user session according to the policy control information.
FIG. 4 is a schematic structural diagram of an embodiment of the network system of the present invention. As shown in FIG. 4, this embodiment differs from the first embodiment in that the policy management control function is integrated into the authentication, authorization and accounting server. Specifically, the network system of this embodiment comprises a network access server 10, an authentication, authorization and accounting server 60, and a service server 30.
The authentication, authorization and accounting server 60 further comprises an authentication unit 61, an authorization unit 62, an accounting unit 63, an obtaining unit 64, and a policy management control unit 65. The authentication unit 61 authenticates an access user session; the authorization unit 62 authorizes the access user session; the accounting unit 63 performs accounting for the access user session; the obtaining unit 64 obtains the service usage status information of the user from the user authentication, authorization and accounting information recorded by the authentication unit 61, the authorization unit 62 and the accounting unit 63; and the policy management control unit 65 generates policy control information according to the service usage status information of the user obtained by the obtaining unit 64 and sends the generated policy control information to the network access server 10. The network access server 10 manages and controls the session of the user according to the policy control information.
The policy management control method of this embodiment specifically comprises: the authentication, authorization and accounting server obtains the service usage status information of a user; the authentication, authorization and accounting server generates policy control information according to the service usage status information of the user that it obtained; and the authentication, authorization and accounting server sends the policy control information to the network access server. After receiving the policy control information, the network access server manages and controls the user session according to the policy control information.
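The flow described in this embodiment and in the first embodiment (usage status in, policy control information out, enforcement at the NAS), written out as an added example that is not part of the patent and not Huawei code. The usage-status fields, the thresholds, the two actions ("terminate", "rate_limit"), and the session and user names are all constructed assumptions; the example keys policy either by user identifier or by IP 5-tuple, the two forms named in claims 2 and 9.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IP-layer 5-tuple: (src_ip, dst_ip, protocol, src_port, dst_port); None is a wildcard.
FiveTuple = Tuple[Optional[str], Optional[str], Optional[int], Optional[int], Optional[int]]


@dataclass
class UsageStatus:
    """Service usage status for one user, as the service server or the AAA
    accounting records would report it (field names are assumptions)."""
    user_id: str
    quota_bytes: int       # volume allowance of the subscribed service
    used_bytes: int        # volume consumed so far
    service_active: bool   # False once the subscription has lapsed


@dataclass
class PolicyControlInfo:
    """Policy control information handed to the NAS, keyed by user identifier
    or by IP 5-tuple (never both)."""
    action: str                        # "terminate" or "rate_limit"
    user_id: Optional[str] = None      # identity-based policy
    flow: Optional[FiveTuple] = None   # 5-tuple-based policy
    rate_kbps: Optional[int] = None    # only meaningful for rate_limit


@dataclass
class Session:
    user_id: str
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int
    state: str = "active"
    rate_kbps: Optional[int] = None


def generate_policy(status: UsageStatus) -> Optional[PolicyControlInfo]:
    """Policy management control unit: derive identity-based policy control
    information from the user's usage status. Thresholds are assumptions."""
    if not status.service_active:
        return PolicyControlInfo(action="terminate", user_id=status.user_id)
    if status.used_bytes >= status.quota_bytes:
        return PolicyControlInfo(action="rate_limit", user_id=status.user_id, rate_kbps=64)
    return None  # within entitlements: nothing for the NAS to do


def flow_matches(flow: FiveTuple, s: Session) -> bool:
    have = (s.src_ip, s.dst_ip, s.proto, s.sport, s.dport)
    return all(w is None or w == h for w, h in zip(flow, have))


class NAS:
    """Network access server: owns the session table and enforces received policy."""

    def __init__(self, sessions: List[Session]):
        self.sessions = sessions

    def apply(self, pci: PolicyControlInfo) -> int:
        """Apply one policy to every matching session; returns the number touched."""
        if (pci.user_id is None) == (pci.flow is None):
            raise ValueError("policy must be keyed by user id or by 5-tuple, not both")
        if pci.action not in ("terminate", "rate_limit"):
            raise ValueError("unknown action")  # reject rather than guess
        hits = 0
        for s in self.sessions:
            if pci.user_id is not None and s.user_id != pci.user_id:
                continue
            if pci.flow is not None and not flow_matches(pci.flow, s):
                continue
            if pci.action == "terminate":
                s.state = "terminated"
            else:
                s.rate_kbps = pci.rate_kbps
            hits += 1
        return hits


def run_example() -> Dict[Tuple[str, int], Tuple[str, Optional[int]]]:
    """Constructed scenario; returns {(user, dst_port): (state, rate_kbps)}."""
    nas = NAS([
        Session("alice", "10.0.0.5", "203.0.113.9", 6, 40000, 443),
        Session("bob", "10.0.0.6", "203.0.113.9", 6, 40001, 443),
        Session("bob", "10.0.0.6", "198.51.100.7", 17, 5060, 5060),
        Session("carol", "10.0.0.7", "203.0.113.9", 6, 40002, 443),
        Session("carol", "10.0.0.7", "198.51.100.7", 17, 5060, 5060),
    ])
    # Usage status as the AAA accounting unit or the service server would report it.
    statuses = [
        UsageStatus("alice", quota_bytes=1_000_000, used_bytes=1_200_000, service_active=True),
        UsageStatus("bob", quota_bytes=5_000_000, used_bytes=100_000, service_active=False),
        UsageStatus("carol", quota_bytes=5_000_000, used_bytes=100_000, service_active=True),
    ]
    for st in statuses:
        pci = generate_policy(st)
        if pci is not None:
            nas.apply(pci)
    # A 5-tuple-based policy: only carol's SIP flow is throttled, her HTTPS flow is untouched.
    nas.apply(PolicyControlInfo(action="rate_limit",
                                flow=("10.0.0.7", None, 17, None, 5060), rate_kbps=32))
    return {(s.user_id, s.dport): (s.state, s.rate_kbps) for s in nas.sessions}


if __name__ == "__main__":
    for key, val in run_example().items():
        print(key, val)
```

The NAS rejects a policy that is keyed both ways or that names an action it does not know, instead of applying a best guess; a policy enforcement point that silently widens or narrows a rule is harder to audit than one that refuses it.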
The embodiments of the present invention generate policy control information from the service usage status information of the user obtained by the service server and/or the authentication, authorization and accounting server, and use that information to control how the network access server manages and controls the session of the user; this improves the reliability of the user session on the NAS device side while the service is in use.
What is disclosed above is merely a preferred embodiment of the present invention and certainly does not limit the scope of the rights of the present invention; equivalent changes made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims

1. A policy management control server, characterized by comprising:
a policy generating unit, configured to generate policy control information according to user service usage status information obtained by a service server and/or an authentication, authorization and accounting server, the policy control information being used to instruct a network access server to manage and control the session of the user; and
a policy sending unit, configured to send the policy control information generated by the policy generating unit to the network access server.
2. The policy management control server according to claim 1, characterized in that the policy control information comprises policy control information based on a user identifier or policy control information based on a user IP-layer 5-tuple.
3. A network system, comprising a network access server, an authentication, authorization and accounting server, and a service server, characterized in that the network system further comprises:
a policy management control server, configured to generate policy control information according to user service usage status information obtained by the service server and/or the authentication, authorization and accounting server, the policy control information being used to instruct the network access server to manage and control the session of the user, and to send the generated policy control information to the network access server;
wherein the network access server manages and controls the session of the user according to the policy control information.
4. A service server, characterized by comprising:
a service providing unit, configured to provide a service to a user;
an obtaining unit, configured to obtain service usage status information of the user;
a session control unit, configured to control the session of the user according to the service usage status information of the user obtained by the obtaining unit, so that the user uses the service provided by the service providing unit within the scope of the user's entitlements; and
a policy management control unit, configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit, the policy control information being used to instruct a network access server to manage and control the session of the user, and to send the generated policy control information to the network access server.
5. A network system, comprising an authentication, authorization and accounting server, characterized in that the system further comprises a network access server and a service server, wherein
the service server is configured to obtain service usage status information of a user, to generate policy control information according to the service usage status information of the user, and to send the generated policy control information to the network access server, the policy control information being used to instruct the network access server to manage and control the session of the user; and
the network access server is configured to manage and control the session of the user according to the policy control information.
6. An authentication, authorization and accounting server, comprising an authentication unit, an authorization unit and an accounting unit, characterized in that the authentication, authorization and accounting server further comprises:
an obtaining unit, configured to obtain service usage status information of a user according to the user authentication, authorization and accounting information recorded by the authentication unit, the authorization unit and the accounting unit; and
a policy management control unit, configured to generate policy control information according to the service usage status information of the user obtained by the obtaining unit, the policy control information being used to instruct a network access server to manage and control the session of the user, and to send the generated policy control information to the network access server.
7. A network system, comprising a service server, characterized in that the system further comprises a network access server and an authentication, authorization and accounting server, wherein
the authentication, authorization and accounting server is configured to obtain service usage status information of a user, to generate policy control information according to the service usage status information of the user, and to send the generated policy control information to the network access server, the policy control information being used to instruct the network access server to manage and control the session of the user; and
the network access server is configured to manage and control the session of the user according to the policy control information.
8. A policy management control method, characterized by comprising:
generating policy control information according to service usage status information of a user obtained by a service server and/or an authentication, authorization and accounting server, the policy control information being used to instruct a network access server to manage and control the session of the user; and
sending the policy control information to the network access server.
9. The method according to claim 8, characterized in that the policy control information comprises policy control information based on a user identifier or policy control information based on a user IP-layer 5-tuple.
10. The method according to claim 8 or 9, characterized in that the policy control information is sent to the network access server via the RADIUS protocol, the Diameter protocol, the COPS protocol, or a TCP/IP-based application protocol.
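Claim 10 names RADIUS as one transport for the policy control information. The standard RADIUS mechanism for a server to push policy to an already-established NAS session is the CoA-Request (code 43) of RFC 5176 (Dynamic Authorization Extensions), whose Request Authenticator is MD5 over the header, sixteen zero octets, the attributes, and the shared secret. The following is an added example, not code from the patent or from Huawei: a policy-server-side encoder and the NAS-side validation a receiver should perform before acting on any attribute. The shared secret, user name, IP address, session id and Filter-Id value are constructed; how the NAS maps the Filter-Id name to an actual rate limit is local configuration and is not modelled.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

COA_REQUEST = 43            # RFC 5176 CoA-Request code (Disconnect-Request is 40)
ATTR_USER_NAME = 1          # RFC 2865 attribute types
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_FILTER_ID = 11
ATTR_ACCT_SESSION_ID = 44


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def request_authenticator(code: int, ident: int, body: bytes, secret: bytes) -> bytes:
    """RFC 5176 Section 2.3: MD5(Code + Identifier + Length + 16 zero octets
    + request attributes + shared secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + bytes(16) + body + secret).digest()


def build_coa_request(ident: int, attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Policy server side: assemble a CoA-Request carrying the policy control information."""
    body = encode_attrs(attrs)
    auth = request_authenticator(COA_REQUEST, ident, body, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body)) + auth + body


def parse_coa_request(packet: bytes, secret: bytes) -> Dict[int, List[bytes]]:
    """NAS side: validate framing and the Request Authenticator before acting on
    any attribute. Raises ValueError for anything the NAS must not act on."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        raise ValueError("not a CoA-Request")
    if length != len(packet) or length > 4096:
        raise ValueError("length field does not match datagram")
    auth, body = packet[4:20], packet[20:]
    expected = request_authenticator(code, ident, body, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Request Authenticator mismatch: wrong secret or altered packet")
    attrs: Dict[int, List[bytes]] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(body[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


SECRET = b"constructed-shared-secret"   # constructed value for the example only


def example_request() -> bytes:
    """Constructed policy: throttle alice's session; the NAS maps the Filter-Id name locally."""
    return build_coa_request(7, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5])),   # 10.0.0.5 in network order
        (ATTR_ACCT_SESSION_ID, b"0000A1B2"),
        (ATTR_FILTER_ID, b"rate-limit-64k"),
    ], SECRET)


def nas_accepts(packet: bytes, secret: bytes = SECRET) -> bool:
    """True only if the NAS would act on the packet."""
    try:
        parse_coa_request(packet, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = example_request()
    print(len(pkt), "bytes;", parse_coa_request(pkt, SECRET))
```

The authenticator is compared with `hmac.compare_digest` and checked before any attribute is parsed, so a datagram with the wrong secret or a modified body is dropped without side effects; the Message-Authenticator attribute (type 80) that deployments commonly add on top is omitted here for brevity.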
PCT/CN2008/072860 2007-10-29 2008-10-28 Strategy management control method, device and system WO2009059533A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2007100311195A CN101150853A (en) 2007-10-29 2007-10-29 A network system, policy management control server and policy management control method
CN200710031119.5 2007-10-29

Publications (1)

Publication Number Publication Date
WO2009059533A1 true WO2009059533A1 (en) 2009-05-14

Family

ID=39251119

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072860 WO2009059533A1 (en) 2007-10-29 2008-10-28 Strategy management control method, device and system

Country Status (2)

Country Link
CN (1) CN101150853A (en)
WO (1) WO2009059533A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103200552A (en) * 2013-03-20 2013-07-10 Guangzhou Congxing Electronic Development Co., Ltd. Communication control method

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150853A (en) * 2007-10-29 2008-03-26 Huawei Technologies Co., Ltd. A network system, policy management control server and policy management control method
CN102065426B (en) * 2009-11-17 2013-09-18 *** Communications Group Corporation Support network system and data transmission control method
CN101741924B (en) * 2009-12-09 2012-07-25 CERNET Corporation Service control method supporting extendible IPv6 access in IPv4 environment
CN102098275A (en) * 2009-12-14 2011-06-15 ZTE Corporation Method and device for controlling subscriber strategy
CN101945370B (en) * 2010-09-25 2015-03-25 ZTE Corporation Method and system for implementing dynamic strategy control
CN102196533B (en) * 2011-04-15 2014-01-22 Huawei Digital Technologies (Chengdu) Co., Ltd. Network access control method and related device
CN102238547B (en) * 2011-07-19 2013-12-04 Huawei Software Technologies Co., Ltd. User session control method, session server, authentication, authorization and accounting (AAA) server and system
CN107666505B (en) * 2016-07-29 2020-09-15 BOE Technology Group Co., Ltd. Method and device for controlling resource access


Also Published As

Publication number Publication date
CN101150853A (en) 2008-03-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08848489; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08848489; Country of ref document: EP; Kind code of ref document: A1)