CN113453226A - Dual-stack user permission authentication method and device - Google Patents
- Publication number: CN113453226A (also listed as CN202110724192.0A)
- Authority: CN (China)
- Prior art keywords: address, user equipment, target user, authentication, session
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04W24/04—Arrangements for maintaining operational condition
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
- H04W12/06—Authentication
- H04W56/00—Synchronisation arrangements
Abstract
The present application relates to the field of network communication technologies, and in particular to a dual-stack user egress authentication method and apparatus. When the admission authentication server determines that a user equipment is online in the intranet, it sends an entry comprising the user name, the first-class IP address and the second-class IP address corresponding to that user equipment to the egress authentication server. After the egress authentication server determines that the first-class IP address of the target user equipment has passed egress authentication, it can locally generate an entry comprising the user name, the first-class IP address, the second-class IP address and the egress authentication state corresponding to the target user equipment. When the egress authentication server subsequently performs egress authentication on the second-class IP address of the target user equipment, it can directly determine, based on that entry, that the egress authentication state of the second-class IP address is egress authentication success. A dual-stack user therefore needs only one egress authentication, and no DHCP server has to be deployed on the egress NAS.
Description
Technical Field
The present application relates to the field of network communication technologies, and in particular to a dual-stack user egress authentication method and apparatus.
Background
In an SDN campus access scenario, access to intranet resources is free once user admission authentication succeeds, whereas access to the external network must be charged by traffic. Campus access generally uses switches, which mainly handle admission control and do not meter traffic for charging. A router therefore needs to be installed at the egress as an egress NAS to charge the traffic of users accessing the external network. The AAA servers of the admission NAS and the egress NAS are separate, i.e. two sets of authentication systems (admission authentication + egress authentication) are required in total.
At present, in an IPv4+IPv6 dual-stack scenario, single-stack authentication with dual-stack release is implemented by attaching a DHCP Server to the egress NAS device, so that the DHCPv4 Relay and DHCPv6 Relay messages of a dual-stack user both pass through an intranet service port of the egress NAS device to reach the DHCP Server. By parsing the DHCP Relay messages, the egress NAS device can obtain the MAC-IPv4 and MAC-IPv6 correspondences of the terminal. If the MAC addresses are the same, the IPv4 address and the IPv6 address belong to the same user, so after the IPv4 and IPv6 addresses of the dual-stack user have each been obtained, a MAC-IPv4-IPv6 association table entry is generated on the egress NAS.
After that, the user's IPv4 or IPv6 traffic triggers Portal authentication. After the authentication succeeds, the egress NAS obtains the account-IPv4 or account-IPv6 correspondence, superimposes it on the previous MAC-IPv4-IPv6 table entry, and finally generates a complete table entry, namely account-MAC-IPv4-IPv6.
However, because the DHCP Server allocates IP addresses to intranet users, even intranet users with no need to access the external network must obtain an address through the egress NAS. The traffic path is unreasonable, and once the egress NAS fails, intranet users cannot obtain an IP address through DHCP, which affects intranet access.
Disclosure of Invention
The application provides a dual-stack user egress authentication method and apparatus, to solve the prior-art problems that mounting a DHCP server on the egress NAS makes the intranet traffic path unreasonable and that a failure of the egress NAS affects intranet access.
In a first aspect, an embodiment of the present application provides a dual-stack user egress authentication method applied to an egress authentication server, wherein an admission authentication server, on determining that a user equipment is online in the intranet, sends a table entry including the user name, the first-class IP address and the second-class IP address corresponding to the user equipment to the egress authentication server; the method comprises the following steps:
receiving an egress authentication request that is sent by an egress access server (NAS) and includes a first-class IP address of a target user equipment, wherein after the egress NAS receives an IP packet sent by a user equipment, if it determines that no session matching the IP address of the user equipment exists locally, it sends an egress authentication request including the IP address of the user equipment to the egress authentication server;
if it is determined that a first table entry matching the first-class IP address of the target user equipment exists locally, sending a first notification to the egress NAS to notify the egress NAS to generate a first session corresponding to the first-class IP address of the target user equipment and to add the first session to a first session group, wherein the egress NAS, on receiving an IP packet matching a session in the first session group, sends the IP packet to the egress authentication server;
if a first-class IP packet of a specified type sent by the target user equipment is received, performing user identity authentication on the first-class IP address of the target user equipment; if the user identity authentication is determined to be successful, generating a second table entry including the user name corresponding to the target user equipment, the first-class IP address, and an egress authentication state of egress authentication success; generating, based on the first table entry and the second table entry, a third table entry including the user name, the first-class IP address and the second-class IP address corresponding to the target user equipment, and an egress authentication state of egress authentication success; and sending a second notification to the egress NAS to notify the egress NAS to add the first session to a second session group, wherein the egress NAS, on receiving an IP packet matching a session in the second session group, forwards the IP packet to the external network.
Optionally, the method further comprises:
receiving an egress authentication request that is sent by the egress NAS and includes the second-class IP address of the target user equipment;
and determining, based on the second-class IP address of the target user equipment and the third table entry, that the egress authentication state of the second-class IP address of the target user equipment is egress authentication success, and sending a third notification to the egress NAS to notify the egress NAS to generate a second session corresponding to the second-class IP address of the target user equipment and to add the second session to the second session group.
Optionally, the first-class IP packet of the specified type is an http/https packet; the step of performing user identity authentication on the first-class IP address of the target user equipment comprises:
pushing an egress authentication page to the target user equipment based on the http/https packet of the first-class IP address sent by the target user equipment;
and performing user identity authentication on the first-class IP address of the target user equipment based on the received user name and password input by the user.
In a second aspect, the present application provides a dual-stack user egress authentication method applied to an egress access server (NAS), wherein an admission authentication server, on determining that a user equipment is online in the intranet, sends a table entry including the user name, the first-class IP address and the second-class IP address corresponding to the user equipment to an egress authentication server; the method comprises the following steps:
receiving a first-class IP packet sent by a target user equipment, and if it is determined that no first session matching the first-class IP address of the target user equipment exists locally, sending an egress authentication request including the first-class IP address of the target user equipment to the egress authentication server;
receiving a first notification sent by the egress authentication server, generating a first session corresponding to the first-class IP address of the target user equipment, adding the first session to a first session group, and, on receiving an IP packet matching a session in the first session group, forwarding the IP packet to the egress authentication server, wherein the egress authentication server sends the first notification to the egress NAS if it determines that a first table entry matching the first-class IP address of the target user equipment exists locally;
receiving a second notification sent by the egress authentication server, adding the first session to a second session group, and, on receiving an IP packet matching a session in the second session group, forwarding the IP packet to the external network, wherein, if the egress authentication server receives a first-class IP packet of a specified type sent by the target user equipment, it performs user identity authentication on the first-class IP address of the target user equipment; if the user identity authentication is determined to be successful, it generates a second table entry including the user name corresponding to the target user equipment, the first-class IP address, and an egress authentication state of egress authentication success, generates, based on the first table entry and the second table entry, a third table entry including the user name, the first-class IP address and the second-class IP address corresponding to the target user equipment, and an egress authentication state of egress authentication success, and sends the second notification to the egress NAS.
Optionally, the method further comprises:
receiving a second-class IP packet sent by the target user equipment, and if it is determined that no second session matching the second-class IP address of the target user equipment exists locally, sending an egress authentication request including the second-class IP address of the target user equipment to the egress authentication server;
and receiving a third notification sent by the egress authentication server, generating a second session corresponding to the second-class IP address of the target user equipment, and adding the second session to the second session group, wherein the egress authentication server sends the third notification to the egress NAS if it determines, based on the second-class IP address of the target user equipment and the third table entry, that the egress authentication state of the second-class IP address of the target user equipment is egress authentication success.
In a third aspect, the present application provides a dual-stack user egress authentication apparatus applied to an egress authentication server, wherein an admission authentication server, on determining that a user equipment is online in the intranet, sends a table entry including the user name, the first-class IP address and the second-class IP address corresponding to the user equipment to the egress authentication server; the apparatus comprises:
a receiving unit, configured to receive an egress authentication request that is sent by an egress access server (NAS) and includes a first-class IP address of a target user equipment, wherein after the egress NAS receives an IP packet sent by a user equipment, if it determines that no session matching the IP address of the user equipment exists locally, it sends an egress authentication request including the IP address of the user equipment to the egress authentication server;
a sending unit, configured to send a first notification to the egress NAS, if it is determined that a first table entry matching the first-class IP address of the target user equipment exists locally, to notify the egress NAS to generate a first session corresponding to the first-class IP address of the target user equipment and to add the first session to a first session group, wherein the egress NAS, on receiving an IP packet matching a session in the first session group, sends the IP packet to the egress authentication server;
an authentication unit, configured to: if the receiving unit receives a first-class IP packet of a specified type sent by the target user equipment, perform user identity authentication on the first-class IP address of the target user equipment; generate a second table entry including the user name corresponding to the target user equipment, the first-class IP address, and an egress authentication state of egress authentication success; and generate, based on the first table entry and the second table entry, a third table entry including the user name, the first-class IP address and the second-class IP address corresponding to the target user equipment, and an egress authentication state of egress authentication success; wherein the sending unit is configured to send a second notification to the egress NAS to notify the egress NAS to add the first session to a second session group, and the egress NAS, on receiving an IP packet matching a session in the second session group, forwards the IP packet to the external network.
Optionally,
the receiving unit is further configured to receive an egress authentication request that is sent by the egress NAS and includes the second-class IP address of the target user equipment;
based on the second-class IP address of the target user equipment and the third table entry, it is determined that the egress authentication state of the second-class IP address of the target user equipment is egress authentication success, and the sending unit is configured to send a third notification to the egress NAS to notify the egress NAS to generate a second session corresponding to the second-class IP address of the target user equipment and to add the second session to the second session group.
Optionally, the first-class IP packet of the specified type is an http/https packet; when performing user identity authentication on the first-class IP address of the target user equipment, the authentication unit is specifically configured to:
push an egress authentication page to the target user equipment based on the http/https packet of the first-class IP address sent by the target user equipment;
and performing user identity authentication on the first-class IP address of the target user equipment based on the received user name and password input by the user.
In a fourth aspect, the present application provides a dual-stack user egress authentication apparatus applied to an egress access server (NAS), wherein an admission authentication server, on determining that a user equipment is online in the intranet, sends a table entry including the user name, the first-class IP address and the second-class IP address corresponding to the user equipment to an egress authentication server; the apparatus comprises:
a first receiving unit, configured to receive a first-class IP packet sent by a target user equipment;
a sending unit, configured to send an egress authentication request including the first-class IP address of the target user equipment to the egress authentication server if it is determined that no first session matching the first-class IP address of the target user equipment exists locally;
a second receiving unit, configured to receive a first notification sent by the egress authentication server, generate a first session corresponding to the first-class IP address of the target user equipment, and add the first session to a first session group, wherein, when the first receiving unit receives an IP packet matching a session in the first session group, the sending unit is configured to forward the IP packet to the egress authentication server, and wherein the egress authentication server sends the first notification to the egress NAS if it determines that a first table entry matching the first-class IP address of the target user equipment exists locally;
the second receiving unit is further configured to receive a second notification sent by the egress authentication server and add the first session to a second session group; when the first receiving unit receives an IP packet matching a session in the second session group, the sending unit is configured to forward the IP packet to the external network, wherein, if the egress authentication server receives a first-class IP packet of a specified type sent by the target user equipment, it performs user identity authentication on the first-class IP address of the target user equipment; if the user identity authentication is determined to be successful, it generates a second table entry including the user name corresponding to the target user equipment, the first-class IP address, and an egress authentication state of egress authentication success, generates, based on the first table entry and the second table entry, a third table entry including the user name, the first-class IP address and the second-class IP address corresponding to the target user equipment, and an egress authentication state of egress authentication success, and sends the second notification to the egress NAS.
Optionally, the first receiving unit is further configured to:
receive a second-class IP packet sent by the target user equipment, wherein, if it is determined that no second session matching the second-class IP address of the target user equipment exists locally, the sending unit is configured to send an egress authentication request including the second-class IP address of the target user equipment to the egress authentication server;
the second receiving unit is further configured to receive a third notification sent by the egress authentication server, generate a second session corresponding to the second-class IP address of the target user equipment, and add the second session to the second session group, wherein the egress authentication server sends the third notification to the egress NAS if it determines, based on the second-class IP address of the target user equipment and the third table entry, that the egress authentication state of the second-class IP address of the target user equipment is egress authentication success.
In a fifth aspect, an embodiment of the present application provides an egress authentication server, where the egress authentication server includes:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory and for executing the steps of the method according to any one of the above first aspects in accordance with the obtained program instructions.
In a sixth aspect, the present application further provides a computer-readable storage medium, which stores computer-executable instructions for causing the computer to perform the steps of the method according to any one of the above first aspects.
In a seventh aspect, an embodiment of the present application provides an egress access server NAS, where the egress NAS includes:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing the steps of the method according to any one of the above second aspects in accordance with the obtained program instructions.
In an eighth aspect, the present embodiments also provide a computer-readable storage medium, which stores computer-executable instructions for causing the computer to perform the steps of the method according to any one of the above second aspects.
To sum up, in the dual-stack user egress authentication method applied to the egress authentication server provided in the embodiment of the present application, the admission authentication server, on determining that a user equipment is online in the intranet, sends a table entry including the user name, the first-class IP address and the second-class IP address corresponding to the user equipment to the egress authentication server. The egress authentication server receives an egress authentication request that is sent by an egress access server (NAS) and includes the first-class IP address of a target user equipment, where the egress NAS, after receiving an IP packet sent by a user equipment, sends an egress authentication request including the IP address of the user equipment to the egress authentication server if it determines that no session matching the IP address of the user equipment exists locally. If it is determined that a first table entry matching the first-class IP address of the target user equipment exists locally, the egress authentication server sends a first notification to the egress NAS to notify the egress NAS to generate a first session corresponding to the first-class IP address of the target user equipment and to add the first session to a first session group, where the egress NAS, on receiving an IP packet matching a session in the first session group, sends the IP packet to the egress authentication server. If a first-class IP packet of a specified type sent by the target user equipment is received, the egress authentication server performs user identity authentication on the first-class IP address of the target user equipment; if the user identity authentication is determined to be successful, it generates a second table entry including the user name corresponding to the target user equipment, the first-class IP address, and an egress authentication state of egress authentication success, generates, based on the first table entry and the second table entry, a third table entry including the user name, the first-class IP address and the second-class IP address corresponding to the target user equipment, and an egress authentication state of egress authentication success, and sends a second notification to the egress NAS to notify the egress NAS to add the first session to a second session group, where the egress NAS, on receiving an IP packet matching a session in the second session group, forwards the IP packet to the external network.
By adopting the dual-stack user egress authentication method provided by the embodiment of the application, after the admission authentication server determines that a user is online, the user information (the user name, the IPv4 address and the IPv6 address) is synchronized to the egress authentication server in advance, so that when the egress authentication server performs egress authentication on the user, executing the egress authentication process for one type of IP address is enough to achieve egress authentication of the other type of IP address as well. Meanwhile, the DHCP server does not need to be mounted on the egress NAS, so the intranet path is reasonable and a fault of the egress NAS does not affect intranet users' access to the intranet.
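The flow summarized above, modelled as an added Python example (not code from the patent): the egress authentication server keeps one entry per user keyed by both addresses, and the egress NAS keeps sessions in the two session groups. The class and function names, the `drop` result for an address with no synced entry, the check that the portal login name equals the synced user name, and the password value are assumptions of this sketch; the address pair is the sample row from the page's Table 1.

```python
import hmac
import ipaddress
from dataclasses import dataclass

GROUP1, GROUP2 = "first session group", "second session group"

def norm(ip):
    """Canonical text form, so every spelling of one IPv6 address hits the same entry."""
    return str(ipaddress.ip_address(ip))

@dataclass
class Entry:
    user: str
    v4: str
    v6: str
    egress_ok: bool = False   # False: first table entry; True: third table entry

class EgressAuthServer:
    def __init__(self, passwords):
        self.passwords = passwords   # constructed credential store for the demo
        self.by_ip = {}              # canonical IP -> Entry shared by both addresses
        self.nas = None              # set by EgressNAS so notifications can be delivered

    def sync_from_admission(self, user, v4, v6):
        """Entry pushed by the admission authentication server when the user comes online."""
        entry = Entry(user, norm(v4), norm(v6))
        self.by_ip[entry.v4] = self.by_ip[entry.v6] = entry

    def egress_auth_request(self, ip):
        """Answer the egress NAS with the session group for a new session."""
        entry = self.by_ip.get(norm(ip))
        if entry is None:
            return None              # assumption: no synced entry, so no session is created
        # Not yet authenticated: first notification. Already authenticated through
        # the other address family: third notification, no second login.
        return GROUP2 if entry.egress_ok else GROUP1

    def portal_login(self, ip, user, password):
        """User identity authentication triggered by redirected http/https traffic."""
        entry = self.by_ip.get(norm(ip))
        # Assumption: the login must be for the user the admission side bound to this address.
        if entry is None or entry.user != user:
            return False
        expected = self.passwords.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        entry.egress_ok = True       # second entry merged with the first gives the third entry
        # Second notification. Assumption: a session that already exists for the
        # other address is moved as well, so it is not left in the first group.
        for addr in (entry.v4, entry.v6):
            self.nas.promote(addr)
        return True

class EgressNAS:
    def __init__(self, server):
        self.server = server
        self.sessions = {}           # canonical IP -> session group
        server.nas = self

    def handle_packet(self, src_ip):
        ip = norm(src_ip)
        group = self.sessions.get(ip)
        if group is None:            # no local session: send an egress authentication request
            group = self.server.egress_auth_request(ip)
            if group is None:
                return "drop"
            self.sessions[ip] = group
        return "to-external-network" if group == GROUP2 else "to-auth-server"

    def promote(self, ip):
        if ip in self.sessions:
            self.sessions[ip] = GROUP2

def build_demo():
    server = EgressAuthServer({"abc": "constructed-password"})
    nas = EgressNAS(server)
    server.sync_from_admission("abc", "201.0.0.1", "2001:201::1234")
    return server, nas

if __name__ == "__main__":
    server, nas = build_demo()
    print(nas.handle_packet("201.0.0.1"))
    print(server.portal_login("201.0.0.1", "abc", "constructed-password"))
    print(nas.handle_packet("2001:0201:0000:0000:0000:0000:0000:1234"))
```

Because the second address is released purely on the strength of the synced entry, the lookup key has to be canonical: without `norm`, the expanded spelling of the same IPv6 address would miss the entry.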
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present application or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings of the embodiments of the present application.
Fig. 1 is a schematic networking diagram of a campus access network according to an embodiment of the present disclosure;
Fig. 2 is a detailed flowchart of a dual-stack user egress authentication method according to an embodiment of the present application;
Fig. 3 is a detailed flowchart of another dual-stack user egress authentication method according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of a dual-stack user egress authentication apparatus according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of another dual-stack user egress authentication apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an egress authentication server according to an embodiment of the present disclosure;
Fig. 7 is a schematic structural diagram of an egress NAS provided in an embodiment of the present application.
Detailed Description
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the present application to describe various information, the information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
The embodiment of the application provides a dual-stack user egress authentication method which can be applied to networks that include an admission NAS (network access server), an egress NAS, an admission authentication server and an egress authentication server, such as a campus access network. The admission authentication server may be an admission AAA (Authentication, Authorization, and Accounting) server or an admission RADIUS (Remote Authentication Dial In User Service) server, which is not limited herein. The egress authentication server may be an egress AAA server or an egress RADIUS server, which is not limited herein.
Fig. 1 is a schematic diagram illustrating an example of the networking of a campus access network according to an embodiment of the present disclosure. When a user accesses intranet resources, admission control needs to be performed on the user, that is, the user is authenticated by the admission NAS and the admission authentication server. After the authentication succeeds, the user is allowed to access the intranet resources, and the admission NAS and the admission authentication server can charge the traffic of the user accessing the intranet resources (if intranet resources are accessed free of charge, no traffic charging is performed). When a user accesses external network resources, egress control needs to be performed on the user, that is, the user is authenticated by the egress NAS and the egress authentication server. After the authentication succeeds, the user is allowed to access the external network resources, and the egress NAS and the egress authentication server can charge the traffic of the user accessing the external network resources.
Exemplarily, referring to fig. 2, a detailed flowchart of a dual-stack user egress authentication method provided in an embodiment of the present application is shown. The method is applied to an egress authentication server, where an admission authentication server, on determining that a user equipment is online in the intranet, sends a table entry including the user name, the first-class IP address and the second-class IP address corresponding to the user equipment to the egress authentication server. The method includes the following steps:
Step 200: receiving an egress authentication request that is sent by an egress access server (NAS) and includes the first-class IP address of the target user equipment.
After receiving an IP packet sent by a user equipment, if it determines that no session matching the IP address of the user equipment exists locally, the egress NAS sends an egress authentication request including the IP address of the user equipment to the egress authentication server.
In the embodiment of the present application, if the first-class IP address is an IPv4 address, the second-class IP address is an IPv6 address, and if the first-class IP address is an IPv6 address, the second-class IP address is an IPv4 address, which is not specifically limited herein.
In the embodiment of the application, after the user passes admission and comes online in the intranet, the admission authentication server sends the account, the IPv4 address and the IPv6 address of the online user to the egress authentication server. Specifically, the admission authentication server may send a UDP message to the egress authentication server, and the egress authentication server may generate a table entry including the account, the IPv4 address and the IPv6 address corresponding to the online user, as shown in table 1.
TABLE 1

| Account number | IPv4 address | IPv6 address |
| --- | --- | --- |
| abc | 201.0.0.1 | 2001:201::1234 |
| … | … | … |

Then, after the egress NAS receives an IP packet sent by the user (a first-type or a second-type IP packet; the first-type IP packet is used as the example below), if it determines that no session (e.g., an IPoE session) corresponding to the first-type IP address of the user has been created locally, the egress NAS sends an egress authentication request including the user information (e.g., the first-type IP address of the user) to the egress authentication server.
Step 210: if it is determined that a first entry matching the first-type IP address of the target user equipment exists locally, send a first notification to the egress NAS to notify the egress NAS to generate a first session corresponding to the first-type IP address of the target user equipment and add the first session to a first session group.
When the egress NAS receives an IP packet matching a session in the first session group, it sends the IP packet to the egress authentication server.
Specifically, after receiving the egress authentication request that is sent by the egress NAS and includes the first-type IP address of the user, the egress authentication server determines whether a first entry corresponding to that first-type IP address is maintained locally. As described above, if the user has come online in the intranet, the egress authentication server maintains the first entry for the user (the user's account, IPv4 address and IPv6 address). If the egress authentication server determines that such a first entry is maintained locally, it sends a first notification to the egress NAS; after receiving the first notification, the egress NAS generates a first session corresponding to the first-type IP address of the user and adds the first session to a first session group (the limit session group).
In practical applications, the limit session group is authorized to the egress NAS through the user-group attribute in the Access-Accept message of the standard RADIUS protocol. The session group must be created on the egress NAS in advance, together with a QoS policy that matches the http/https traffic of the session group; the QoS action is to redirect the next hop of the user's http/https packets to the egress authentication server. (The egress NAS needs to be directly connected to the egress authentication server.)
Step 220: if a first-type IP packet of a specified type sent by the target user equipment is received, perform user identity authentication for the first-type IP address of the target user equipment; if the user identity authentication succeeds, generate a second entry including the user name corresponding to the target user equipment, the first-type IP address and an egress authentication state of "egress authentication succeeded"; based on the first entry and the second entry, generate a third entry including the user name, the first-type IP address, the second-type IP address and the egress authentication state of "egress authentication succeeded"; and send a second notification to the egress NAS to notify the egress NAS to add the first session to a second session group.
When the egress NAS receives an IP packet matching a session in the second session group, it forwards the IP packet to the external network.
In the embodiment of the application, the first-type IP packet of the specified type is an http/https packet. Accordingly, a preferred way to perform user identity authentication for the first-type IP address of the target user equipment is to push an egress authentication page to the target user equipment based on the http/https packet sent from its first-type IP address, and then to perform user identity authentication for the first-type IP address of the target user equipment based on the user name and password entered by the user.
That is, when a user accesses a web page on the external network, after the traffic reaches the egress NAS, the egress NAS redirects the http/https traffic of the limit user group to the authentication page of the egress authentication server according to the pre-configured QoS policy, forcing the user to enter an account and password on the authentication page. If the account and password entered by the user are correct, authentication is determined to have passed.
At this point, the egress authentication server locally generates a second entry including the user name corresponding to the user, the first-type IP address and an egress authentication state of "egress authentication succeeded", as shown in Table 2.
TABLE 2

| Account number | IPv4 address | Egress authentication status |
| --- | --- | --- |
| abc | 201.0.0.1 | Egress authentication succeeded |
| … | … | … |

Further, the first entry and the second entry are combined to generate a third entry including the user name, the first-type IP address, the second-type IP address and the egress authentication state corresponding to the target user equipment, as shown in Table 3.
TABLE 3

| Account number | IPv4 address | IPv6 address | Egress authentication status |
| --- | --- | --- | --- |
| abc | 201.0.0.1 | 2001:201::1234 | Egress authentication succeeded |
| … | … | … | … |

Meanwhile, the egress authentication server sends a second notification to the egress NAS to notify the egress NAS to add the first session corresponding to the first-type IP address of the user to a second session group.
In practical applications, the second session group is a normal session group that does not match any QoS policy, i.e., its traffic is passed through by default. If the IPoE session uses the IPv4 address as the user name, the user's traffic hits the IPoE session directly by its IPv4 source address, and the user can subsequently access external network resources freely.
Further, the egress authentication server receives an egress authentication request that is sent by the egress NAS and includes the second-type IP address of the target user equipment. Based on the second-type IP address of the target user equipment and the third entry, it determines that the egress authentication state of the second-type IP address of the target user equipment is "egress authentication succeeded", and sends a third notification to the egress NAS to notify the egress NAS to generate a second session corresponding to the second-type IP address of the target user equipment and add the second session to the second session group.
Therefore, for a dual-stack user, completing the egress authentication process for one type of IP address is enough to obtain egress authentication for the other type of IP address as well. In addition, the DHCP server does not need to be attached to the network access server (NAS), so the intranet path remains reasonable and a NAS fault does not affect intranet users' access to the intranet.
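The flow of steps 200 to 220 and Tables 1 to 3, as an added Python sketch that is not part of the patent text: both roles are modelled in memory so the entry merge and the session-group moves can be traced. The class and method names, the "drop" result for an address with no entry, and the check that the portal login names the account bound to the source address are assumptions of the sketch; the account and addresses come from Table 1 and the password is constructed.

```python
"""Added sketch of the egress authentication flow (Tables 1-3, steps 200-220)."""
import hmac
import ipaddress
from dataclasses import dataclass

LIMIT = "limit"    # first session group: http/https redirected to the portal
NORMAL = "normal"  # second session group: traffic passed to the external network


def canon(ip: str) -> str:
    """Canonical text form, so differently written IPv6 literals hit one key."""
    return str(ipaddress.ip_address(ip))


@dataclass
class Entry:
    account: str
    ipv4: str
    ipv6: str
    egress_ok: bool = False  # False: first entry (Table 1); True: third entry (Table 3)


class EgressAuthServer:
    def __init__(self, credentials):
        self.credentials = credentials  # account -> password (constructed demo data)
        self.by_ip = {}                 # canonical IPv4 or IPv6 -> shared Entry
        self.nas = None                 # set by EgressNAS.__init__

    def on_admission_sync(self, account, ipv4, ipv6):
        """Entry pushed by the admission authentication server (Table 1)."""
        entry = Entry(account, canon(ipv4), canon(ipv6))
        self.by_ip[entry.ipv4] = entry
        self.by_ip[entry.ipv6] = entry

    def on_egress_request(self, ip):
        """Steps 200/210: return the session group the egress NAS should use."""
        entry = self.by_ip.get(canon(ip))
        if entry is None:
            return None  # assumption: the page does not describe this case
        return NORMAL if entry.egress_ok else LIMIT

    def on_portal_login(self, src_ip, username, password):
        """Step 220: authenticate the portal form submitted from src_ip."""
        entry = self.by_ip.get(canon(src_ip))
        # Assumption: the login must be for the account bound to this address.
        if entry is None or username != entry.account:
            return False
        expected = self.credentials.get(username)
        if expected is None or not hmac.compare_digest(
                password.encode(), expected.encode()):
            return False
        entry.egress_ok = True  # one flag now covers both addresses (Table 3)
        self.nas.on_second_notification(canon(src_ip))
        return True


class EgressNAS:
    def __init__(self, server):
        self.server = server
        self.sessions = {}  # canonical source IP -> session group
        server.nas = self

    def on_second_notification(self, ip):
        """Move the existing first session into the normal group."""
        if ip in self.sessions:
            self.sessions[ip] = NORMAL

    def on_packet(self, src_ip):
        """Decide what happens to one http/https packet from src_ip."""
        ip = canon(src_ip)
        if ip not in self.sessions:
            group = self.server.on_egress_request(ip)
            if group is None:
                return "drop"  # assumption, see on_egress_request
            self.sessions[ip] = group
        if self.sessions[ip] == LIMIT:
            return "redirect-to-portal"
        return "forward-to-external"


def demo():
    """Trace one dual-stack user through the flow; returns each decision."""
    server = EgressAuthServer({"abc": "constructed-password"})
    nas = EgressNAS(server)
    server.on_admission_sync("abc", "201.0.0.1", "2001:201::1234")
    return [
        nas.on_packet("201.0.0.1"),                                  # limit group
        server.on_portal_login("201.0.0.1", "abc", "wrong"),         # rejected
        server.on_portal_login("201.0.0.1", "abc", "constructed-password"),
        nas.on_packet("201.0.0.1"),                                  # normal group
        nas.on_packet("2001:0201:0:0:0:0:0:1234"),                   # no second login
        nas.on_packet("198.51.100.7"),                               # no entry
    ]


if __name__ == "__main__":
    print(demo())
```

In this sketch a second-type session that was created before the login stays in the limit group, because the page only describes the second notification as moving the first session.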
Exemplarily, Fig. 3 shows a detailed flowchart of another dual-stack user egress authentication method provided in an embodiment of the present application. The method is applied to an egress NAS, where, when the admission authentication server determines that a user equipment has come online in the intranet, it sends an entry including the user name, the first-type IP address and the second-type IP address corresponding to that user equipment to the egress authentication server. The method includes:
Step 300: receive a first-type IP packet sent by the target user equipment, and send an egress authentication request including the first-type IP address of the target user equipment to the egress authentication server if it is determined that no first session matching the first-type IP address of the target user equipment exists locally.
Step 310: receive a first notification sent by the egress authentication server, generate a first session corresponding to the first-type IP address of the target user equipment, add the first session to a first session group, and, on receiving an IP packet matching a session in the first session group, forward that IP packet to the egress authentication server.
The egress authentication server sends the first notification to the egress NAS if it determines that a first entry matching the first-type IP address of the target user equipment exists locally.
Step 320: receive a second notification sent by the egress authentication server, add the first session to a second session group, and, on receiving an IP packet matching a session in the second session group, forward that IP packet to the external network.
If the egress authentication server receives a first-type IP packet of the specified type sent by the target user equipment, it performs user identity authentication for the first-type IP address of the target user equipment. If the user identity authentication succeeds, it generates a second entry including the user name corresponding to the target user equipment, the first-type IP address and an egress authentication state of "egress authentication succeeded"; generates, based on the first entry and the second entry, a third entry including the user name corresponding to the target user equipment, the first-type IP address, the second-type IP address and the egress authentication state of "egress authentication succeeded"; and sends the second notification to the egress NAS.
Further, the egress NAS receives a second-type IP packet sent by the target user equipment, and sends an egress authentication request including the second-type IP address of the target user equipment to the egress authentication server if it determines that no second session matching the second-type IP address of the target user equipment exists locally.
The egress NAS receives a third notification sent by the egress authentication server, generates a second session corresponding to the second-type IP address of the target user equipment, and adds the second session to the second session group. The egress authentication server sends the third notification to the egress NAS if, based on the second-type IP address of the target user equipment and the third entry, it determines that the egress authentication state of the second-type IP address of the target user equipment is "egress authentication succeeded".
Based on the same inventive concept as the above method embodiment applied to the egress authentication server, Fig. 4 shows, as an example, a schematic structural diagram of a dual-stack user egress authentication apparatus provided by the present application. The apparatus is applied to an egress authentication server, where, when the admission authentication server determines that a user equipment has come online in the intranet, it sends an entry including the user name, the first-type IP address and the second-type IP address corresponding to that user equipment to the egress authentication server. The apparatus comprises:
a receiving unit 40, configured to receive an egress authentication request that is sent by an egress network access server (NAS) and includes a first-type IP address of a target user equipment, where the egress NAS, after receiving an IP packet sent by a user equipment, sends an egress authentication request including the IP address of the user equipment to the egress authentication server if it determines that no session matching the IP address of the user exists locally;
a sending unit 41, configured to, if it is determined that a first entry matching the first-type IP address of the target user equipment exists locally, send a first notification to the egress NAS to notify the egress NAS to generate a first session corresponding to the first-type IP address of the target user equipment and add the first session to a first session group, where the egress NAS sends an IP packet to the egress authentication server when it receives an IP packet matching a session in the first session group;
an authenticating unit 42, configured to, if the receiving unit 40 receives a first-type IP packet of a specified type sent by the target user equipment, perform user identity authentication for the first-type IP address of the target user equipment and, if the user identity authentication succeeds, generate a second entry including the user name corresponding to the target user equipment, the first-type IP address and an egress authentication state of "egress authentication succeeded", and generate, based on the first entry and the second entry, a third entry including the user name, the first-type IP address, the second-type IP address and the egress authentication state of "egress authentication succeeded"; the sending unit 41 is configured to send a second notification to the egress NAS to notify the egress NAS to add the first session to a second session group, where the egress NAS forwards an IP packet to the external network when it receives an IP packet matching a session in the second session group.
Optionally,
the receiving unit 40 is further configured to receive an egress authentication request that is sent by the egress NAS and includes the second-type IP address of the target user equipment;
the authenticating unit is further configured to determine, based on the second-type IP address of the target user equipment and the third entry, that the egress authentication state of the second-type IP address of the target user equipment is "egress authentication succeeded", and the sending unit 41 is configured to send a third notification to the egress NAS to notify the egress NAS to generate a second session corresponding to the second-type IP address of the target user equipment and add the second session to the second session group.
Optionally, the first-type IP packet of the specified type is an http/https packet; when performing user identity authentication for the first-type IP address of the target user equipment, the authenticating unit 42 is specifically configured to:
push an egress authentication page to the target user equipment based on the http/https packet sent from the first-type IP address of the target user equipment;
and perform user identity authentication for the first-type IP address of the target user equipment based on the received user name and password entered by the user.
Based on the same inventive concept as the above method embodiment applied to the egress NAS, Fig. 5 shows, as an example, a dual-stack user egress authentication apparatus provided in an embodiment of the present application. The apparatus is applied to an egress network access server (NAS), where, when the admission authentication server determines that a user equipment has come online in the intranet, it sends an entry including the user name, the first-type IP address and the second-type IP address corresponding to that user equipment to the egress authentication server. The apparatus comprises:
a first receiving unit 50, configured to receive a first-type IP packet sent by a target user equipment;
a sending unit 51, configured to send an egress authentication request including the first-type IP address of the target user equipment to the egress authentication server if it is determined that no first session matching the first-type IP address of the target user equipment exists locally;
a second receiving unit 52, configured to receive a first notification sent by the egress authentication server, generate a first session corresponding to the first-type IP address of the target user equipment, and add the first session to a first session group, where, when the first receiving unit 50 receives an IP packet matching a session in the first session group, the sending unit is configured to forward the IP packet to the egress authentication server, and where the egress authentication server sends the first notification to the egress NAS if it determines that a first entry matching the first-type IP address of the target user equipment exists locally;
the second receiving unit 52 is further configured to receive a second notification sent by the egress authentication server and add the first session to a second session group, where, when the first receiving unit receives an IP packet matching a session in the second session group, the sending unit 51 is configured to forward the IP packet to the external network, and where, if the egress authentication server receives a first-type IP packet of a specified type sent by the target user equipment, it performs user identity authentication for the first-type IP address of the target user equipment and, if the user identity authentication succeeds, generates a second entry including the user name corresponding to the target user equipment, the first-type IP address and an egress authentication state of "egress authentication succeeded", generates, based on the first entry and the second entry, a third entry including the user name corresponding to the target user equipment, the first-type IP address, the second-type IP address and the egress authentication state of "egress authentication succeeded", and sends the second notification to the egress NAS.
Optionally, the first receiving unit 50 is further configured to:
receive a second-type IP packet sent by the target user equipment, where, if it is determined that no second session matching the second-type IP address of the target user equipment exists locally, the sending unit 51 is configured to send an egress authentication request including the second-type IP address of the target user equipment to the egress authentication server;
the second receiving unit 52 is further configured to receive a third notification sent by the egress authentication server, generate a second session corresponding to the second-type IP address of the target user equipment, and add the second session to the second session group, where the egress authentication server sends the third notification to the egress NAS if, based on the second-type IP address of the target user equipment and the third entry, it determines that the egress authentication state of the second-type IP address of the target user equipment is "egress authentication succeeded".
The above units may be one or more integrated circuits configured to implement the above methods, for example: one or more Application Specific Integrated Circuits (ASICs), one or more microprocessors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs), among others. As another example, when one of the above units is implemented in the form of program code scheduled by a processing element, the processing element may be a general-purpose processor, such as a Central Processing Unit (CPU) or another processor capable of calling program code. As another example, these units may be integrated together and implemented in the form of a system-on-a-chip (SOC).
Further, in terms of hardware, a schematic diagram of the hardware architecture of the egress authentication server provided in the embodiment of the present application may be as shown in Fig. 6. The egress authentication server may include a memory 60 and a processor 61, wherein
the memory 60 is used to store program instructions; the processor 61 calls the program instructions stored in the memory 60 and executes, in accordance with the obtained program instructions, the above method embodiment applied to the egress authentication server. The specific implementation and technical effects are similar and are not described again here.
Optionally, the present application further provides an egress authentication server, including at least one processing element (or chip) for performing the above method embodiments.
Optionally, the present application also provides a program product, such as a computer-readable storage medium, storing computer-executable instructions for causing a computer to perform the above method embodiments applied to the egress authentication server.
Further, in terms of hardware, a schematic diagram of the hardware architecture of the egress NAS provided in the embodiment of the present application may be as shown in Fig. 7. The egress NAS may include a memory 70 and a processor 71, wherein
the memory 70 is used to store program instructions; the processor 71 calls the program instructions stored in the memory 70 and executes, in accordance with the obtained program instructions, the above method embodiment applied to the egress NAS. The specific implementation and technical effects are similar and are not described again here.
Optionally, the present application further provides an egress NAS, comprising at least one processing element (or chip) for performing the above method embodiments.
Optionally, the present application also provides a program product, such as a computer-readable storage medium, storing computer-executable instructions for causing a computer to perform the above method embodiments applied to the egress NAS.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and so forth. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and the units are described separately. Of course, when implementing the present application, the functionality of the units may be implemented in one or more pieces of software and/or hardware.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (10)
1. A dual-stack user egress authentication method, characterized in that it is applied to an egress authentication server, wherein when an admission authentication server determines that a user equipment has come online in an intranet, the admission authentication server sends an entry comprising a user name, a first-type IP address and a second-type IP address corresponding to the user equipment to the egress authentication server; the method comprises the following steps:
receiving an egress authentication request which is sent by an egress network access server (NAS) and comprises a first-type IP address of a target user equipment, wherein after the egress NAS receives an IP packet sent by a user equipment, if it determines that no session matching the IP address of the user exists locally, it sends the egress authentication request comprising the IP address of the user equipment to the egress authentication server;
if it is determined that a first entry matching the first-type IP address of the target user equipment exists locally, sending a first notification to the egress NAS to notify the egress NAS to generate a first session corresponding to the first-type IP address of the target user equipment and add the first session to a first session group, wherein the egress NAS sends an IP packet to the egress authentication server when receiving an IP packet matching a session in the first session group;
if a first-type IP packet of a specified type sent by the target user equipment is received, performing user identity authentication for the first-type IP address of the target user equipment; if the user identity authentication is determined to be successful, generating a second entry comprising the user name corresponding to the target user equipment, the first-type IP address and an egress authentication state of "egress authentication succeeded"; based on the first entry and the second entry, generating a third entry comprising the user name corresponding to the target user equipment, the first-type IP address, the second-type IP address and the egress authentication state of "egress authentication succeeded"; and sending a second notification to the egress NAS to notify the egress NAS to add the first session to a second session group, wherein the egress NAS forwards an IP packet to an external network when receiving an IP packet matching a session in the second session group.
2. The method of claim 1, wherein the method further comprises:
receiving an egress authentication request which is sent by the egress NAS and comprises the second-type IP address of the target user equipment;
and, based on the second-type IP address of the target user equipment and the third entry, determining that the egress authentication state of the second-type IP address of the target user equipment is "egress authentication succeeded", and sending a third notification to the egress NAS to notify the egress NAS to generate a second session corresponding to the second-type IP address of the target user equipment and add the second session to the second session group.
3. The method according to claim 1 or 2, wherein the first-type IP packet of the specified type is an http/https packet; the step of performing user identity authentication for the first-type IP address of the target user equipment comprises the following steps:
pushing an egress authentication page to the target user equipment based on the http/https packet sent from the first-type IP address of the target user equipment;
and performing user identity authentication for the first-type IP address of the target user equipment based on the received user name and password entered by the user.
4. A dual-stack user egress authentication method, characterized in that it is applied to an egress network access server (NAS), wherein when an admission authentication server determines that a user equipment has come online in an intranet, the admission authentication server sends an entry comprising a user name, a first-type IP address and a second-type IP address corresponding to the user equipment to an egress authentication server; the method comprises the following steps:
receiving a first-type IP packet sent by a target user equipment, and if it is determined that no first session matching the first-type IP address of the target user equipment exists locally, sending an egress authentication request comprising the first-type IP address of the target user equipment to the egress authentication server;
receiving a first notification sent by the egress authentication server, generating a first session corresponding to the first-type IP address of the target user equipment, adding the first session to a first session group, and forwarding an IP packet matching a session in the first session group to the egress authentication server when receiving that IP packet, wherein the egress authentication server sends the first notification to the egress NAS if it determines that a first entry matching the first-type IP address of the target user equipment exists locally;
receiving a second notification sent by the egress authentication server, adding the first session to a second session group, and forwarding an IP packet matching a session in the second session group to an external network when receiving that IP packet, wherein if the egress authentication server receives a first-type IP packet of a specified type sent by the target user equipment, it performs user identity authentication for the first-type IP address of the target user equipment; if the user identity authentication is determined to be successful, it generates a second entry comprising the user name corresponding to the target user equipment, the first-type IP address and an egress authentication state of "egress authentication succeeded", generates, based on the first entry and the second entry, a third entry comprising the user name corresponding to the target user equipment, the first-type IP address, the second-type IP address and the egress authentication state of "egress authentication succeeded", and sends the second notification to the egress NAS.
5. The method of claim 4, wherein the method further comprises:
receiving a second-class IP packet sent by the target user equipment and, if it is determined that no second session matching the second-class IP address of the target user equipment exists locally, sending an egress authentication request comprising the second-class IP address of the target user equipment to the egress authentication server;
and receiving a third notification sent by the egress authentication server, generating a second session corresponding to the second-class IP address of the target user equipment, and adding the second session to a second session group, wherein the egress authentication server sends the third notification to the egress NAS if it determines, based on the second-class IP address of the target user equipment and the third entry, that the egress authentication state of the second-class IP address of the target user equipment is egress authentication success.
6. A dual-stack user egress authentication apparatus, characterized in that it is applied to an egress authentication server, wherein, when an admission authentication server determines that a user equipment is online in the intranet, it sends an entry comprising the user name, first-class IP address and second-class IP address corresponding to the user equipment to the egress authentication server; the apparatus comprises:
a receiving unit, configured to receive an egress authentication request that is sent by an egress access server (NAS) and comprises a first-class IP address of a target user equipment, wherein, after receiving an IP packet sent by a user equipment, the egress NAS sends an egress authentication request comprising the IP address of the user equipment to the egress authentication server if it determines that no session matching the IP address of the user equipment exists locally;
a sending unit, configured to, if it is determined that a first entry matching the first-class IP address of the target user equipment exists locally, send a first notification to the egress NAS to notify the egress NAS to generate a first session corresponding to the first-class IP address of the target user equipment and add the first session to a first session group, wherein the egress NAS, on receiving an IP packet matching a session in the first session group, sends the IP packet to the egress authentication server;
an authentication unit, configured to, if the receiving unit receives a first-class IP packet of a specified type sent by the target user equipment, perform user identity authentication on the first-class IP address of the target user equipment, generate a second entry comprising the user name corresponding to the target user equipment, the first-class IP address, and an egress authentication state of egress authentication success, and generate, based on the first entry and the second entry, a third entry comprising the user name corresponding to the target user equipment, the first-class IP address, the second-class IP address, and an egress authentication state of egress authentication success, and the sending unit is configured to send a second notification to the egress NAS to notify the egress NAS to add the first session to a second session group, wherein the egress NAS, on receiving an IP packet matching a session in the second session group, forwards the IP packet to an external network.
7. The apparatus of claim 6,
the receiving unit is further configured to receive an egress authentication request that is sent by the egress NAS and comprises the second-class IP address of the target user equipment;
the authentication unit is further configured to determine, based on the second-class IP address of the target user equipment and the third entry, that the egress authentication state of the second-class IP address of the target user equipment is egress authentication success, whereupon the sending unit is configured to send a third notification to the egress NAS to notify the egress NAS to generate a second session corresponding to the second-class IP address of the target user equipment and add the second session to a second session group.
8. The apparatus according to claim 6 or 7, wherein the first-class IP packet of the specified type is an http/https packet; when performing user identity authentication on the first-class IP address of the target user equipment, the authentication unit is specifically configured to:
push an egress authentication page to the target user equipment based on the http/https packet of the first-class IP address sent by the target user equipment;
and perform user identity authentication on the first-class IP address of the target user equipment based on the received user name and password entered by the user.
9. A dual-stack user egress authentication apparatus, characterized in that it is applied to an egress access server (NAS), wherein, when an admission authentication server determines that a user equipment is online in the intranet, it sends an entry comprising the user name, first-class IP address and second-class IP address corresponding to the user equipment to the egress authentication server; the apparatus comprises:
a first receiving unit, configured to receive a first-class IP packet sent by a target user equipment;
a sending unit, configured to send an egress authentication request comprising the first-class IP address of the target user equipment to the egress authentication server if it is determined that no first session matching the first-class IP address of the target user equipment exists locally;
a second receiving unit, configured to receive a first notification sent by the egress authentication server, generate a first session corresponding to the first-class IP address of the target user equipment, and add the first session to a first session group, wherein, when the first receiving unit receives an IP packet matching a session in the first session group, the sending unit is configured to forward the IP packet to the egress authentication server, and wherein the egress authentication server sends the first notification to the egress NAS if it determines that a first entry matching the first-class IP address of the target user equipment exists locally;
the second receiving unit is further configured to receive a second notification sent by the egress authentication server and add the first session to a second session group, wherein, when the first receiving unit receives an IP packet matching a session in the second session group, the sending unit is configured to forward the IP packet to an external network, and wherein, if the egress authentication server receives a first-class IP packet of a specified type sent by the target user equipment, it performs user identity authentication on the first-class IP address of the target user equipment; if it determines that the user identity authentication succeeds, it generates a second entry comprising the user name corresponding to the target user equipment, the first-class IP address, and an egress authentication state of egress authentication success, generates, based on the first entry and the second entry, a third entry comprising the user name corresponding to the target user equipment, the first-class IP address, the second-class IP address, and an egress authentication state of egress authentication success, and sends the second notification to the egress NAS.
10. The apparatus of claim 9, wherein the first receiving unit is further configured to:
receive a second-class IP packet sent by the target user equipment, wherein, if it is determined that no second session matching the second-class IP address of the target user equipment exists locally, the sending unit is configured to send an egress authentication request comprising the second-class IP address of the target user equipment to the egress authentication server;
the second receiving unit is further configured to receive a third notification sent by the egress authentication server, generate a second session corresponding to the second-class IP address of the target user equipment, and add the second session to a second session group, wherein the egress authentication server sends the third notification to the egress NAS if it determines, based on the second-class IP address of the target user equipment and the third entry, that the egress authentication state of the second-class IP address of the target user equipment is egress authentication success.
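The message flow recited in claims 1 to 5 can be traced with a small model of the two sides. This is an added sketch, not code from the patent: the class and method names, the sample addresses and credentials, and the choice to drop packets that receive no notification are assumptions.

```python
import hmac
from dataclasses import dataclass, field

TO_AUTH_SERVER, TO_EXTERNAL = 1, 2   # first and second session groups

@dataclass
class EgressAuthServer:
    credentials: dict                              # user name -> password (constructed)
    entries: dict = field(default_factory=dict)    # user name -> entry

    def sync_entry(self, user, ip_first, ip_second):
        # First entry, received once the user equipment is online in the intranet.
        self.entries[user] = {"first": ip_first, "second": ip_second, "egress_ok": False}

    def handle_request(self, ip):
        """Egress authentication request from the NAS; returns a notification or None."""
        for entry in self.entries.values():
            if ip == entry["first"]:
                return "first"                     # NAS creates a session in group 1
            if ip == entry["second"] and entry["egress_ok"]:
                return "third"                     # third entry already records success
        return None                                # assumption: no session otherwise

    def portal_login(self, ip, user, password):
        """Identity authentication after an http/https packet from the first-class IP."""
        entry, stored = self.entries.get(user), self.credentials.get(user)
        known = entry is not None and stored is not None and ip == entry["first"]
        if not (known and hmac.compare_digest(stored.encode(), password.encode())):
            return None
        entry["egress_ok"] = True                  # second entry merged: third entry
        return "second"

@dataclass
class EgressNAS:
    server: EgressAuthServer
    sessions: dict = field(default_factory=dict)   # source IP -> session group

    def notify(self, ip, kind):
        if kind == "first":
            self.sessions[ip] = TO_AUTH_SERVER
        elif kind in ("second", "third"):
            self.sessions[ip] = TO_EXTERNAL

    def on_packet(self, ip):
        """Return the forwarding decision for a packet whose source address is ip."""
        if ip not in self.sessions:                # no local session: ask the server
            self.notify(ip, self.server.handle_request(ip))
        group = self.sessions.get(ip)
        return {TO_AUTH_SERVER: "auth-server", TO_EXTERNAL: "external"}.get(group, "drop")

def demo():
    server = EgressAuthServer({"alice": "constructed-password"})
    nas = EgressNAS(server)
    v4, v6 = "192.0.2.10", "2001:db8::10"          # constructed documentation addresses
    server.sync_entry("alice", v4, v6)
    trace = [nas.on_packet(v6), nas.on_packet(v4)] # v6 before login, then v4
    nas.notify(v4, server.portal_login(v4, "alice", "wrong"))
    trace.append(nas.on_packet(v4))                # failed login: still group 1
    nas.notify(v4, server.portal_login(v4, "alice", "constructed-password"))
    trace += [nas.on_packet(v4), nas.on_packet(v6), nas.on_packet("198.51.100.7")]
    return trace
```

`demo()` returns the forwarding decision for each packet in order; the second-class address reaches the external network without a second login only once the first-class address has passed identity authentication and the third entry exists.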
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110724192.0A CN113453226B (en) | 2021-06-29 | 2021-06-29 | Dual-stack user admission authentication method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110724192.0A CN113453226B (en) | 2021-06-29 | 2021-06-29 | Dual-stack user admission authentication method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113453226A (en) | 2021-09-28 |
| CN113453226B (en) | 2023-12-26 |
Family
ID=77813676
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110724192.0A Active CN113453226B (en) | 2021-06-29 | 2021-06-29 | Dual-stack user admission authentication method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113453226B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110106947A1 (en) * | 2009-10-30 | 2011-05-05 | Hangzhou H3C Technologies Co., Ltd. | Method and Apparatus for Dual Stack Access |
| WO2012034413A1 (en) * | 2010-09-15 | 2012-03-22 | 中兴通讯股份有限公司 | Method for dual stack user management and broadband access server |
| CN104601743A (en) * | 2015-02-11 | 2015-05-06 | 杭州华三通信技术有限公司 | IP (internet protocol) forwarding IPoE (IP over Ethernet) dual-stack user access control method and equipment based on Ethernet |
| WO2016192608A2 (en) * | 2015-06-04 | 2016-12-08 | 华为技术有限公司 | Authentication method, authentication system and associated device |
| CN110012032A (en) * | 2019-04-28 | 2019-07-12 | 新华三技术有限公司 | A kind of user authen method and device |
| CN110995886A (en) * | 2019-12-12 | 2020-04-10 | 新华三大数据技术有限公司 | Network address management method, device, electronic equipment and medium |
| CN111327599A (en) * | 2020-01-21 | 2020-06-23 | 新华三信息安全技术有限公司 | Authentication process processing method and device |
| CN111628968A (en) * | 2020-04-23 | 2020-09-04 | 新华三技术有限公司合肥分公司 | Authentication method, device, authentication system and network equipment |
| CN112822218A (en) * | 2021-02-28 | 2021-05-18 | 新华三信息安全技术有限公司 | Access control method and device |
Non-Patent Citations (2)
| Title |
|---|
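| 罗辉琼;聂瑞华;: "Research on campus network authentication access based on the IPv4/IPv6 dual protocol stack", 中国教育信息化, no. 09 * |
| 马迎;张丹东;赵志辉;: "One-time authentication for campus wireless network roaming under the BRAS architecture", 中国教育信息化, no. 05 * |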
Also Published As
| Publication number | Publication date |
|---|---|
| CN113453226B (en) | 2023-12-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3267704B1 (en) | Method for unified application authentication in trunking system, server and terminal | |
| CN102124455B (en) | Stream of packets in network provides service | |
| JP5393871B2 (en) | Protection of messages related to multicast communication sessions within a wireless communication system | |
| US11063990B2 (en) | Originating caller verification via insertion of an attestation parameter | |
| US8726019B2 (en) | Context limited shared secret | |
| US20160308904A1 (en) | Integrative network management method and apparatus for supplying connection between networks based on policy | |
| JP2004241976A (en) | Mobile communication network system and method for authenticating mobile terminal | |
| US20250141683A1 (en) | Cybersecurity guard for core network elements | |
| WO2011098660A1 (en) | Method and apparatus for redirecting data traffic | |
| CN108632325A (en) | A kind of call method and device of application | |
| US8381301B1 (en) | Split-flow attack detection | |
| CN111478879B (en) | DHCP (dynamic host configuration protocol) continuation method and device, electronic equipment and machine-readable storage medium | |
| CN106133735A (en) | The safety of IP Multimedia System (IMS) is accessed by web real-time Communication for Power (WebRTC) | |
| CN110913011A (en) | Session keeping method, session keeping device, readable storage medium and electronic equipment | |
| CN108259454B (en) | Portal authentication method and device | |
| CN106878099B (en) | A traffic management method, terminal device, server and system | |
| CN113453226B (en) | Dual-stack user admission authentication method and device | |
| US20110302245A1 (en) | Realization method and system for participating in a predefined group session | |
| US10382431B2 (en) | Network hop count network location identifier | |
| CN114513347B (en) | Terminal authentication method and device | |
| EP4513926A1 (en) | Systems and methods for end user authentication | |
| Akman et al. | Privacy-preserving access for multi-access edge computing (MEC) applications | |
| US8266686B1 (en) | System and method for VoIP firewall security | |
| US7817607B1 (en) | Private mobile IP connection in a shared-pool environment | |
| Barnawi et al. | Security Analysis and Delay Evaluation for SIP-Based mobile MASS examination system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||