Nothing Special   »   [go: up one dir, main page]

CN104052753A - Authentication method and device - Google Patents

Authentication method and device Download PDF

Info

Publication number
CN104052753A
CN104052753A CN201410298084.1A CN201410298084A CN104052753A CN 104052753 A CN104052753 A CN 104052753A CN 201410298084 A CN201410298084 A CN 201410298084A CN 104052753 A CN104052753 A CN 104052753A
Authority
CN
China
Prior art keywords
authenticating device
authentication
slave
message identifying
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410298084.1A
Other languages
Chinese (zh)
Other versions
CN104052753B (en
Inventor
聂明顺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CN201410298084.1A priority Critical patent/CN104052753B/en
Publication of CN104052753A publication Critical patent/CN104052753A/en
Application granted granted Critical
Publication of CN104052753B publication Critical patent/CN104052753B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an authentication method and device. The authentication method includes the steps that a first authentication device is used for maintaining an authentication capability list; if the first authentication device is a Slave authentication device, whether the number of authentication client sides which are processed by the authentication device at present reaches the processing capability of the authentication device or not is inquired from the authentication capability list when an authentication message is received; if not, the authentication message is authenticated; if yes, a first mark is added into the authentication message, and then the authentication message is sent to a Master authentication device; if the first authentication device is the Master authentication device, when the authentication message which carries the first mark is received, the authentication message is authenticated if the number of authentication client sides which are processed at present by the authentication device does not reach the processing capability of the authentication device through the inquiry from the authentication capability list. In the embodiment of the authentication method and device, the processing loads of a convergence layer device can be reduced, and the bottleneck of network authentication is avoided.

Description

A kind of authentication method and equipment
Technical field
The present invention relates to communication technical field, especially related to a kind of authentication method and equipment.
Background technology
As shown in Figure 1, in 802.1x verification process, identifying procedure can comprise: 1, Authentication Client sends EAPoL (Extensible Authentication Protocol over LAN to authenticating device, Extensible Authentication Protocol based on local area network (LAN))-Start (beginning) message, starts 802.1x authentication access.2, authenticating device sends EAP-Request/Identity (request/sign) message to Authentication Client, requires Authentication Client report of user name.3, Authentication Client is responded EAP-Response (response)/Identity to authenticating device, comprising user name.4, authenticating device is encapsulated into RADIUS (Remote Authentication Dial In User Service by EAP-Response/Identity message, remote customer dialing authentication system) in Access (obtaining)-Request message, send to certificate server.5, certificate server produces Challenge (challenge), and sends RADIUS Access-Challenge message to authenticating device, in this message, includes EAP-Request/MD5-Challenge.6, authenticating device sends EAP-Request/MD5-Challenge message to Authentication Client.7, Authentication Client, after receiving EAP-Request/MD5-Challenge message, calculates Challenged Password (password), and passes through EAP-Response/MD5-Challenge message response to authenticating device.8, authenticating device is by Challenge, and Challenged Password sends to certificate server together with user name, is authenticated, and respond authentication success message or authentification failure message to authenticating device by certificate server.If 9 authentications are passed through, authenticating device sends charging starting request message to certificate server, by certificate server, relative users is carried out to charging.So far, user reaches the standard grade complete.
In above-mentioned identifying procedure, authenticating device is a convergence-level equipment, and above-mentioned authentication processing all realizes on a convergence-level equipment.Increase along with number of users, authentication mode increasingly sophisticated, when realizing authentication processing by a convergence-level equipment, can increase the weight of the processing load of convergence-level equipment, and easily cause the bottleneck of network authentication, and this convergence-level equipment also possibly cannot complete authentication processing.
Summary of the invention
The embodiment of the present invention provides a kind of authentication method, is applied to the first authenticating device in network, and in described the first authenticating device and network, other authenticating device forms authentication aggregation group, and the method comprises:
Described the first authenticating device is safeguarded authentication capability table, records the role of each authenticating device in authentication aggregation group in described authentication capability table, disposal ability and the Authentication Client number of working as pre-treatment; If the role of described the first authenticating device is Slave authenticating device, described the first authenticating device, when receiving message identifying, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from described authentication capability table; If do not reached, described message identifying is carried out to authentication processing; If reached, in described message identifying, add for representing current the first mark that does not carry out authentication processing of described message identifying, described message identifying is sent to Master authenticating device in authentication aggregation group; If the role of described the first authenticating device is Master authenticating device, described the first authenticating device is when receiving the message identifying that has carried the first mark, described the first authenticating device inquires this authenticating device when the Authentication Client number of pre-treatment does not reach the disposal ability of this authenticating device from described authentication capability table, and described message identifying is carried out to authentication processing.
Described the first authenticating device is safeguarded the process of authentication capability table, specifically comprises:
The jumping figure that described the first authenticating device arrives this authenticating device in certificate server is notified to other authenticating device, and reception arrives the jumping figure of certificate server from described other authenticating device of other authenticating device, and utilizing this authenticating device to arrive the jumping figure of certificate server and the jumping figure that other authenticating device arrives certificate server, the role who determines this authenticating device is Slave authenticating device or Master authenticating device;
If the role of described the first authenticating device is Master authenticating device, described the first authenticating device sends authentication statistics request message to authenticating each Slave authenticating device in aggregation group, and the authentication that described in receiving, each Slave authenticating device returns statistics response message, in described each authentication statistics response message, carried respectively the disposal ability of corresponding Slave authenticating device and the Authentication Client number of working as pre-treatment; Utilize the authentication statistics response message that described each Slave authenticating device returns to safeguard authentication capability table, described authentication capability table is sent to described each Slave authenticating device, by described each Slave authenticating device, safeguard described authentication capability table;
If the role of described the first authenticating device is Slave authenticating device, described the first authenticating device receives the authentication statistics request message of Master authenticating device in Self-certified aggregation group, and to described Master authenticating device return authentication statistics response message, in described authentication statistics response message, the disposal ability of this authenticating device and the Authentication Client number of working as pre-treatment have been carried; Described the first authenticating device receives and safeguards the authentication capability table from described Master authenticating device.
Described method further comprises: if the role of described the first authenticating device is Slave authenticating device, after described the first authenticating device carries out authentication processing to described message identifying, if the message identifying after authentication processing need to be sent to certificate server, in the message identifying of described the first authenticating device after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and send to Master authenticating device; If the role of described the first authenticating device is Master authenticating device, described the first authenticating device, after receiving the message identifying that has carried the second mark, directly sends to described certificate server by described message identifying.
Described method further comprises: described the first authenticating device inquires this authenticating device when the Authentication Client number of pre-treatment reaches the disposal ability of this authenticating device from described authentication capability table, and the Authentication Client number that whether has Slave authenticating device to work as pre-treatment from described authentication capability table in authentication query aggregation group does not reach the disposal ability of this Slave authenticating device;
If had, described the first authenticating device sends to this Slave authenticating device inquiring by described message identifying, by this Slave authenticating device, described message identifying is carried out to authentication processing.
Described method further comprises: whether described the first authenticating device has Slave authenticating device after the Authentication Client number of pre-treatment does not reach the disposal ability of this Slave authenticating device from described authentication capability table in authentication query aggregation group, if Query Result is no, described the first authenticating device sends SNMP warning message to Network Management Equipment; Wherein, in described SNMP warning message, carry described the first authenticating device and each Slave authenticating device and all cannot carry out to Authentication Client the information of authentication processing.
The embodiment of the present invention provides a kind of authenticating device, and in described authenticating device and network, other authenticating device forms authentication aggregation group, and described authenticating device specifically comprises: maintenance module, enquiry module, authentication module and sending module; Wherein:
When the role of this authenticating device is Slave authenticating device, described maintenance module, for safeguarding authentication capability table, records the role of each authenticating device in authentication aggregation group, disposal ability and the Authentication Client number of working as pre-treatment in described authentication capability table; Described enquiry module for when receiving message identifying, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from described authentication capability table; Described authentication module, for when not reaching the disposal ability of this authenticating device, carries out authentication processing to described message identifying; Described sending module, for when reaching the disposal ability of this authenticating device, in described message identifying, add for representing current the first mark that does not carry out authentication processing of described message identifying, described message identifying is sent to Master authenticating device in authentication aggregation group;
When the role of this authenticating device is Master authenticating device, described maintenance module, for safeguarding authentication capability table, records the role of each authenticating device in authentication aggregation group, disposal ability and the Authentication Client number of working as pre-treatment in described authentication capability table; Described enquiry module for when receiving the message identifying that has carried the first mark, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from described authentication capability table; Described authentication module, for when not reaching the disposal ability of this authenticating device, carries out authentication processing to described message identifying.
Also comprise: determination module, for this authenticating device being arrived to the jumping figure of certificate server, notify to other authenticating device, reception arrives the jumping figure of certificate server from described other authenticating device of other authenticating device, and utilizing this authenticating device to arrive the jumping figure of certificate server and the jumping figure that other authenticating device arrives certificate server, the role who determines this authenticating device is Master authenticating device or Slave authenticating device;
When the role of this authenticating device is Master authenticating device, described maintenance module, specifically for each Slave authenticating device in authentication aggregation group, send authentication statistics request message, and the authentication that described in receiving, each Slave authenticating device returns statistics response message, in described each authentication statistics response message, carried respectively the disposal ability of corresponding Slave authenticating device and the Authentication Client number of working as pre-treatment; Utilize the authentication statistics response message that described each Slave authenticating device returns to safeguard authentication capability table, described authentication capability table is sent to described each Slave authenticating device, by described each Slave authenticating device, safeguard described authentication capability table;
When the role of this authenticating device is Slave authenticating device, described maintenance module, specifically for receiving the authentication statistics request message of Master authenticating device in Self-certified aggregation group, and to described Master authenticating device return authentication statistics response message, in described authentication statistics response message, the disposal ability of this authenticating device and the Authentication Client number of working as pre-treatment have been carried; Receive and safeguard the authentication capability table from described Master authenticating device.
When the role of this authenticating device is Slave authenticating device, described sending module, also for after described message identifying is carried out to authentication processing, if the message identifying after authentication processing need to be sent to certificate server, in the message identifying after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and send to Master authenticating device;
When the role of this authenticating device is Master authenticating device, described sending module, also, for after receiving the message identifying that has carried the second mark, sends to described certificate server by described message identifying.
When the role of this authenticating device is Master authenticating device, described enquiry module, also, for inquiring this authenticating device when the Authentication Client number of pre-treatment reaches the disposal ability of this authenticating device from described authentication capability table, the Authentication Client number that whether has Slave authenticating device to work as pre-treatment from described authentication capability table in authentication query aggregation group does not reach the disposal ability of this Slave authenticating device;
Described sending module, also, for when Query Result is when being, sends to this Slave authenticating device inquiring by described message identifying, by this Slave authenticating device, described message identifying is carried out to authentication processing.
When the role of this authenticating device is Master authenticating device, described sending module, also for whether having Slave authenticating device after the Authentication Client number of pre-treatment does not reach the disposal ability of this Slave authenticating device from described authentication capability table authentication query aggregation group, if Query Result is no, to Network Management Equipment, send Simple Network Management Protocol SNMP warning message; Wherein, in described SNMP warning message, carry this authenticating device and each Slave authenticating device and all cannot carry out to Authentication Client the information of authentication processing.
Based on technique scheme, in the embodiment of the present invention, by a plurality of authenticating devices (as a convergence-level equipment and a plurality of access layer equipment) being formed to authentication aggregation group, and use a convergence-level equipment and a plurality of access layer equipment in authentication aggregation group to carry out authentication processing to Authentication Client, thereby avoid only using a convergence-level equipment to carry out authentication processing, alleviate the processing load of convergence-level equipment, avoid causing the bottleneck of network authentication, and can promote the inclusive authentication ability of network, improve the reliability of authentication.
Accompanying drawing explanation
Fig. 1 is the networking schematic diagram of 802.1x verification process;
Fig. 2 is a kind of authentication method schematic flow sheet that the embodiment of the present invention provides;
Fig. 3 is the structural representation of a kind of authenticating device of providing of the embodiment of the present invention.
Embodiment
For problems of the prior art, the embodiment of the present invention provides a kind of authentication method, and the method is applied to comprise in the network (as 802.1x authenticating network) of Authentication Client, certificate server and a plurality of authenticating devices.In 802.1x authenticating network, Authentication Client is the entity that is positioned at local area network (LAN) link one end, by the authenticating device that is connected to this link other end, it is authenticated, Authentication Client is normally supported the subscriber terminal equipment of 802.1x authentication function, and user authenticates by starting Authentication Client software initiation 802.lx.Authenticating device carries out authentication processing as Verification System to being connected to the Authentication Client of link opposite end, and authenticating device is generally the network equipment of supporting 802.1x agreement, and it provides serve port for requestor, and this port is physical port or logic port.Certificate server is that the entity of authentication service is provided for authenticating device.
The application scenarios schematic diagram that the Fig. 1 of take is the embodiment of the present invention, a plurality of authenticating devices form authentication aggregation group, a plurality of authenticating devices comprise convergence-level equipment, access layer equipment 1, access layer equipment 2 and access layer equipment 3, therefore convergence-level equipment, access layer equipment 1, access layer equipment 2 and access layer equipment 3 are formed to authentication aggregation group.Wherein, authentication aggregation group identifies to represent to authenticate by polymerization the authenticating device comprising in aggregation group.For example, set up authentication aggregation group on each authenticating device, and be authentication aggregation group configuration polymerization sign 1, this polymerization sign 1 represents to comprise convergence-level equipment, access layer equipment 1, access layer equipment 2 and access layer equipment 3 in authentication aggregation group.In authentication aggregation group on authenticating device, can also configure the IP address of certificate server, and the IP address of the certificate server in the authentication aggregation group on each authenticating device is identical.
Under above-mentioned application scenarios, as shown in Figure 2, this authentication method specifically can comprise the following steps:
Step 201, authenticating device is safeguarded authentication capability table, records the role of each authenticating device in authentication aggregation group in this authentication capability table, disposal ability and the Authentication Client number of working as pre-treatment.
In the embodiment of the present invention, authenticating device is safeguarded the process of authentication capability table, specifically comprise: the jumping figure that authenticating device arrives this authenticating device in certificate server is notified to other authenticating device, and receive the jumping figure that arrives certificate server from other authenticating device of other authenticating device.Afterwards, authenticating device utilizes this authenticating device to arrive the jumping figure of certificate server and the jumping figure that other authenticating device arrives certificate server, the role who determines this authenticating device for Slave (from) authenticating device or Master (master) authenticating device; Wherein, when the jumping figure of this authenticating device arrival certificate server is less than the jumping figure of other authenticating device arrival certificate server, the role who determines this authenticating device is Master authenticating device; When the jumping figure of this authenticating device arrival certificate server is greater than the jumping figure of other authenticating device arrival certificate server, the role who determines this authenticating device is Slave authenticating device.Further, if the role of this authenticating device is Master authenticating device, this authenticating device sends authentication statistics request message to authenticating each Slave authenticating device in aggregation group, and receive the authentication statistics response message that each Slave authenticating device returns, in each authentication statistics response message, carried respectively the disposal ability of corresponding Slave authenticating device and the Authentication Client number of working as pre-treatment; Afterwards, this authenticating device utilizes the authentication statistics response message that each Slave authenticating device returns to safeguard authentication capability table, and this authentication capability table is sent to each Slave authenticating device, by each Slave authenticating device, safeguards this authentication capability table.Further, if the role of this authenticating device is Slave authenticating device, this authenticating device receives the authentication statistics request message of Master authenticating device in Self-certified aggregation group, and to Master authenticating device return authentication statistics response message, and in this authentication statistics response message, carried the disposal ability of this authenticating device and the Authentication Client number of working as pre-treatment, the authentication of being received by the utilization of Master authenticating device statistics response message is safeguarded authentication capability table; Afterwards, this authenticating device receives the authentication capability table from Master authenticating device, and safeguards the authentication capability table that this authenticating device is received.
In the embodiment of the present invention, can on each authenticating device, configure the jumping figure that authenticating device arrives certificate server.As shown in Figure 1, due to convergence-level equipment and certificate server direct-connected, therefore on convergence-level equipment, configuring the jumping figure that convergence-level equipment arrives certificate server is 0; Due between access layer equipment 1 (or access layer equipment 2, access layer equipment 3) and certificate server every an equipment (being convergence-level equipment), therefore on access layer equipment 1, configuring the jumping figure that access layer equipment 1 arrives certificate server is 1.Further, can also on each authenticating device, configure the disposal ability of authenticating device, the disposal ability of authenticating device represents that authenticating device can carry out the Authentication Client number of authentication processing; If the disposal ability of authenticating device changes, on authenticating device, reconfigure the disposal ability of authenticating device.For example, the disposal ability that configures convergence-level equipment on convergence-level equipment is 10000, the disposal ability that configures access layer equipment 1 on access layer equipment 1 is 1000, the disposal ability that configures access layer equipment 2 on access layer equipment 2 is 1000, and the disposal ability that configures access layer equipment 3 on access layer equipment 3 is 1000.
Further, authenticating device based on configuring on each authenticating device arrives the jumping figure of certificate server, and the disposal ability of the authenticating device configuring on each authenticating device, each authenticating device can be safeguarded authentication capability table in the manner described above, and in this authentication capability table, record the role of each authenticating device in authentication aggregation group, disposal ability and the Authentication Client number of working as pre-treatment.
Under the application scenarios shown in Fig. 1, the jumping figure that arrives certificate server due to convergence-level equipment is 0, the jumping figure that each access layer equipment (access layer equipment 1, access layer equipment 2, access layer equipment 3) arrives certificate server is 1, therefore the role of convergence-level equipment is Master authenticating device, and the role of each access layer equipment is Slave authenticating device.Based on this, convergence-level equipment sends authentication statistics request message to each access layer equipment, each access layer equipment is after receiving authentication statistics request message, to convergence-level equipment return authentication statistics response message, and the disposal ability of having carried access layer equipment in authentication statistics response message, access layer equipment is when the Authentication Client number of pre-treatment.Convergence-level equipment receives the authentication statistics response message that each access layer equipment returns, and utilizes the information of carrying in authentication statistics response message on this convergence-level equipment, to safeguard authentication capability table, and authentication capability table is sent to each access layer equipment.Each access layer equipment receives the authentication capability table from convergence-level equipment, and on this access layer equipment, safeguards this authentication capability table.
As shown in table 1, be the example of the authentication capability table safeguarded on convergence-level equipment and each access layer equipment.
Table 1
? Jumping figure Role Disposal ability Authentication Client number
Convergence-level equipment 0 Master authenticating device 10000 2000
Access layer equipment 1 1 Slave authenticating device 1000 500
Access layer equipment 2 1 Slave authenticating device 1000 500
Access layer equipment 3 1 Slave authenticating device 1000 500
In the embodiment of the present invention, convergence-level equipment periodic to each access layer equipment, send authentication statistics request message, be that the authentication capability table shown in convergence-level equipment meeting his-and-hers watches 1 regularly upgrades, and the authentication capability table after upgrading is sent to each access layer equipment, by each access layer equipment, upgrade authentication capability table.
In the embodiment of the present invention, can control VLAN (Virtual Local Area Network for the configuration of authentication aggregation group, VLAN), and above-mentioned authentication statistics request message, authentication statistics response message and the message that has carried the information of authentication capability table all need to be propagated in this controls VLAN.
In the embodiment of the present invention, by above-mentioned control VLAN interface, the interface towards network authentication server side is called to east orientation interface, the interface towards user's side is called to west to interface.For example, on convergence-level equipment, interface 1 is east orientation interface, and interface 2, interface 3 and interface 4 are that west is to interface.On access layer equipment 1, interface 5 is east orientation interface, and interface 8 is that west is to interface.On access layer equipment 2, interface 6 is east orientation interface, and interface 9 is that west is to interface.On access layer equipment 3, interface 7 is east orientation interface, and interface 10 is that west is to interface.
In the embodiment of the present invention, in authentication statistics response message, also carry the IP address and the IP address of west to interface of the east orientation interface of access layer equipment, make convergence-level equipment can utilize the information of carrying in authentication statistics response message in authentication capability table, to record IP address and the western IP address to interface of east orientation interface.
Step 202, Slave authenticating device, when receiving message identifying, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from authentication capability table; If do not reached, perform step 203; If reached, perform step 206.
As shown in Figure 1, in the verification process of Authentication Client, Authentication Client can send message identifying, access layer equipment 1 is when receiving this message identifying by west to interface, authentication capability table shown in question blank 1, to determine whether access layer equipment 1 reaches the disposal ability of access layer equipment 1 when the Authentication Client number of pre-treatment.In table 1, the Authentication Client number that access layer equipment 1 is worked as pre-treatment is 500, and the disposal ability of access layer equipment 1 is 1000, therefore judgment result is that and does not reach, execution step 203.
Step 203, Slave authenticating device carries out authentication processing to message identifying.
Step 204, if the message identifying after authentication processing need to be sent to certificate server, in the message identifying of Slave authenticating device after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and the message identifying after authentication processing is sent to Master authenticating device.
Step 205, Master authenticating device, after having received from carrying of Slave authenticating device the message identifying of the second mark, directly sends to certificate server by this message identifying.
As shown in Figure 1, after 1 pair of message identifying of access layer equipment carries out authentication processing, if the message identifying after authentication processing need to be sent to certificate server, in the message identifying after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and by east orientation interface, the message identifying after authentication processing is sent to convergence-level equipment.Convergence-level equipment is after receiving by west the message identifying that has carried the second mark to interface, because the second mark is used for representing that message identifying is current has carried out authentication processing, so convergence-level equipment can directly send to certificate server by message identifying.
Step 206, Slave authenticating device adds for representing current the first mark that does not carry out authentication processing of this message identifying in message identifying, and this message identifying is sent to Master authenticating device.
Step 207, Master authenticating device, when receiving the message identifying that has carried the first mark, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from authentication capability table; If not, perform step 208; If so, perform step 209.
Step 208, Master authenticating device carries out authentication processing to message identifying.
Wherein, if the message identifying after authentication processing need to be sent to certificate server, Master authenticating device also needs the message identifying after authentication processing to send to certificate server.
Step 209, Master authenticating device is inquired about the disposal ability that the Authentication Client number that whether has Slave authenticating device to work as pre-treatment does not reach this Slave authenticating device from authentication capability table; If so, perform step 210; If not, can abandon this message identifying, and perform step 211.
Step 210, Master authenticating device sends to message identifying the Slave authenticating device (not reaching the Slave authenticating device of disposal ability when the Authentication Client number of pre-treatment) inquiring, and by this Slave authenticating device, message identifying is carried out to authentication processing.Further, if the message identifying after authentication processing need to be sent to certificate server, in the message identifying of this Slave authenticating device after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and the message identifying after authentication processing is sent to Master authenticating device.Master authenticating device, after having received from carrying of Slave authenticating device the message identifying of the second mark, directly sends to certificate server by this message identifying.
Step 211, Master authenticating device sends warning message to Network Management Equipment, and in this warning message, has carried this authenticating device and each Slave authenticating device all cannot carry out to Authentication Client the information of authentication processing.Wherein, described warning message specifically includes but not limited to SNMP (Simple Network Management Protocol, Simple Network Management Protocol) warning message.
For step 206-step 211, as shown in Figure 1, access layer equipment 1 is when receiving message identifying, message identifying is not carried out to authentication processing, directly in message identifying, add for representing current the first mark that does not carry out authentication processing of message identifying, and by east orientation interface, message identifying is sent to convergence-level equipment.Convergence-level equipment is when receiving to interface the message identifying that has carried the first mark by west, because the first mark is used for representing the current authentication processing of not carrying out of message identifying, therefore the authentication capability table shown in convergence-level equipment query table 1, to determine whether convergence-level equipment reaches the disposal ability of convergence-level equipment when the Authentication Client number of pre-treatment; If do not reach the disposal ability of convergence-level equipment, convergence-level equipment carries out authentication processing to message identifying, and the message identifying after authentication processing is sent to certificate server.
If reach the disposal ability of convergence-level equipment, the authentication capability table shown in convergence-level equipment query table 1, to determine that the Authentication Client number that whether has access layer equipment to work as pre-treatment in authentication capability table does not reach the disposal ability of this access layer equipment.If not, convergence-level equipment abandons message identifying, and sends warning message to Network Management Equipment.If, suppose that access layer equipment 2 does not reach the disposal ability of access layer equipment 2 when the Authentication Client number of pre-treatment, convergence-level equipment sends to access layer equipment 2 by message identifying, 2 pairs of message identifyings of access layer equipment carry out authentication processing, if the message identifying after authentication processing need to be sent to certificate server, message identifying is carried out after authentication processing, in message identifying after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and by east orientation interface, the message identifying after authentication processing is sent to convergence-level equipment.Convergence-level equipment, after receiving by west the message identifying that has carried the second mark to interface, because the second mark is used for representing the current authentication processing of having carried out of message identifying, therefore can directly send to certificate server by message identifying.
In the embodiment of the present invention, the message identifying that Slave authenticating device sends to Master authenticating device, can adopt the packaged type of two layers of unicast message or the packaged type of employing multicast message.
In the embodiment of the present invention, Master authenticating device, after Network Management Equipment sends warning message, can be analyzed by Network Management Equipment the fail safe of current network, and when network is dangerous, authenticating device be protected.For example, Network Management Equipment can be analyzed the attack whether network is subject to message identifying, and whether analytical attack person has forged a large amount of message identifyings, thereby has taken the resource of a large amount of authenticating devices.
Further, Master authenticating device is after Network Management Equipment sends warning message, Master authenticating device can also send warning message to each Slave authenticating device, has carried Master authenticating device and each Slave authenticating device and all cannot carry out to Authentication Client the information of authentication processing in this warning message.By each Slave authenticating device, after receiving warning message, directly abandon the message identifying of receiving, no longer this message identifying is carried out to authentication processing, also no longer this message identifying is sent to Master authenticating device.
In the embodiment of the present invention, convergence-level equipment and each access layer equipment are after safeguarding authentication capability table, if the disposal ability of convergence-level equipment has actual value (as 10000), and the disposal ability of each access layer equipment do not have actual value (as 0 or Null) or each access layer equipment do not support Authentication Client to carry out authentication processing, the authentication processing of all clients is undertaken by convergence-level equipment, in this situation embodiment of the present invention, repeats no more.If the disposal ability of convergence-level equipment do not have actual value (as 0 or Null) or convergence-level equipment do not support Authentication Client to carry out authentication processing, and the disposal ability of each access layer equipment has actual value (as 1000), the authentication processing of all clients is undertaken by each access layer equipment, in this situation embodiment of the present invention, repeats no more.
Based on technique scheme, in the embodiment of the present invention, by a plurality of authenticating devices (as a convergence-level equipment and a plurality of access layer equipment) being formed to authentication aggregation group, and use a convergence-level equipment and a plurality of access layer equipment in authentication aggregation group to carry out authentication processing to Authentication Client, thereby avoid only using a convergence-level equipment to carry out authentication processing, alleviate the processing load of convergence-level equipment, avoid causing the bottleneck of network authentication, and can promote the inclusive authentication ability of network, improve the reliability of authentication.
Inventive concept based on same with said method, a kind of authenticating device is also provided in the embodiment of the present invention, in described authenticating device and network, other authenticating device forms authentication aggregation group, as shown in Figure 3, described authenticating device comprises: maintenance module 11, enquiry module 12, authentication module 13 and sending module 14; Wherein:
When the role of this authenticating device is Slave authenticating device, described maintenance module 11, for safeguarding authentication capability table, records the role of each authenticating device in authentication aggregation group, disposal ability and the Authentication Client number of working as pre-treatment in described authentication capability table; Described enquiry module 12 for when receiving message identifying, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from authentication capability table; Described authentication module 13, for when not reaching the disposal ability of this authenticating device, carries out authentication processing to message identifying; Described sending module 14, for when reaching the disposal ability of this authenticating device, in message identifying, add for representing current the first mark that does not carry out authentication processing of described message identifying, described message identifying is sent to Master authenticating device in authentication aggregation group;
When the role of this authenticating device is Master authenticating device, described maintenance module 11, be used for safeguarding authentication capability table, in described authentication capability table, record the role of each authenticating device in authentication aggregation group, disposal ability and the Authentication Client number of working as pre-treatment; Described enquiry module 12 for when receiving the message identifying that has carried the first mark, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from described authentication capability table; Described authentication module 13, for when not reaching the disposal ability of this authenticating device, carries out authentication processing to described message identifying.
In the embodiment of the present invention, described authenticating device also comprises: determination module 15, for this authenticating device being arrived to the jumping figure of certificate server, notify to other authenticating device, and reception arrives the jumping figure of certificate server from described other authenticating device of other authenticating device, and utilizing this authenticating device to arrive the jumping figure of certificate server and the jumping figure that other authenticating device arrives certificate server, the role who determines this authenticating device is Master authenticating device or Slave authenticating device;
When the role of this authenticating device is Master authenticating device, described maintenance module 11, specifically for each Slave authenticating device in authentication aggregation group, send authentication statistics request message, and the authentication that described in receiving, each Slave authenticating device returns statistics response message, in described each authentication statistics response message, carried respectively the disposal ability of corresponding Slave authenticating device and the Authentication Client number of working as pre-treatment; Utilize the authentication statistics response message that described each Slave authenticating device returns to safeguard authentication capability table, described authentication capability table is sent to described each Slave authenticating device, by described each Slave authenticating device, safeguard described authentication capability table;
When the role of this authenticating device is Slave authenticating device, described maintenance module 11, specifically for receiving the authentication statistics request message of Master authenticating device in Self-certified aggregation group, and to described Master authenticating device return authentication statistics response message, in described authentication statistics response message, the disposal ability of this authenticating device and the Authentication Client number of working as pre-treatment have been carried; Receive and safeguard the authentication capability table from described Master authenticating device.
When the role of this authenticating device is Slave authenticating device, described sending module 14, also for after described message identifying is carried out to authentication processing, if the message identifying after authentication processing need to be sent to certificate server, in the message identifying after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and send to Master authenticating device;
When the role of this authenticating device is Master authenticating device, described sending module 14, also, for after receiving the message identifying that has carried the second mark, sends to described certificate server by described message identifying.
When the role of this authenticating device is Master authenticating device, described enquiry module 12, also, for inquiring this authenticating device when the Authentication Client number of pre-treatment reaches the disposal ability of this authenticating device from described authentication capability table, the Authentication Client number that whether has Slave authenticating device to work as pre-treatment from described authentication capability table in authentication query aggregation group does not reach the disposal ability of this Slave authenticating device; Described sending module 14, also, for when Query Result is when being, sends to this Slave authenticating device inquiring by described message identifying, by this Slave authenticating device, described message identifying is carried out to authentication processing.
When the role of this authenticating device is Master authenticating device, described sending module 14, also for whether having Slave authenticating device after the Authentication Client number of pre-treatment does not reach the disposal ability of this Slave authenticating device from described authentication capability table authentication query aggregation group, if Query Result is no, to Network Management Equipment, send Simple Network Management Protocol SNMP warning message; Wherein, in described SNMP warning message, carry this authenticating device and each Slave authenticating device and all cannot carry out to Authentication Client the information of authentication processing.
Wherein, the modules of apparatus of the present invention can be integrated in one, and also can separatedly dispose.Above-mentioned module can be merged into a module, also can further split into a plurality of submodules.
Through the above description of the embodiments, those skilled in the art can be well understood to the mode that the present invention can add essential general hardware platform by software and realize, and can certainly pass through hardware, but in a lot of situation, the former is better execution mode.Understanding based on such, the part that technical scheme of the present invention contributes to prior art in essence in other words can embody with the form of software product, this computer software product is stored in a storage medium, comprise that some instructions are with so that a computer equipment (can be personal computer, server, or the network equipment etc.) carry out the method described in each embodiment of the present invention.It will be appreciated by those skilled in the art that accompanying drawing is the schematic diagram of a preferred embodiment, the module in accompanying drawing or flow process might not be that enforcement the present invention is necessary.It will be appreciated by those skilled in the art that the module in the device in embodiment can be distributed in the device of embodiment according to embodiment description, also can carry out respective change and be arranged in the one or more devices that are different from the present embodiment.The module of above-described embodiment can be merged into a module, also can further split into a plurality of submodules.The invention described above embodiment sequence number, just to describing, does not represent the quality of embodiment.Disclosed is above only several specific embodiment of the present invention, and still, the present invention is not limited thereto, and the changes that any person skilled in the art can think of all should fall into protection scope of the present invention.

Claims (10)

1. an authentication method, is applied to the first authenticating device in network, it is characterized in that, in described the first authenticating device and network, other authenticating device forms authentication aggregation group, and the method comprises:
Described the first authenticating device is safeguarded authentication capability table, records the role of each authenticating device in authentication aggregation group in described authentication capability table, disposal ability and the Authentication Client number of working as pre-treatment;
If the role of described the first authenticating device is Slave authenticating device, described the first authenticating device, when receiving message identifying, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from described authentication capability table; If do not reached, described message identifying is carried out to authentication processing; If reached, in described message identifying, add for representing current the first mark that does not carry out authentication processing of described message identifying, described message identifying is sent to Master authenticating device in authentication aggregation group;
If the role of described the first authenticating device is Master authenticating device, described the first authenticating device is when receiving the message identifying that has carried the first mark, described the first authenticating device inquires this authenticating device when the Authentication Client number of pre-treatment does not reach the disposal ability of this authenticating device from described authentication capability table, and described message identifying is carried out to authentication processing.
2. the method for claim 1, is characterized in that, described the first authenticating device is safeguarded the process of authentication capability table, specifically comprises:
The jumping figure that described the first authenticating device arrives this authenticating device in certificate server is notified to other authenticating device, and reception arrives the jumping figure of certificate server from described other authenticating device of other authenticating device, and utilizing this authenticating device to arrive the jumping figure of certificate server and the jumping figure that other authenticating device arrives certificate server, the role who determines this authenticating device is Slave authenticating device or Master authenticating device;
If the role of described the first authenticating device is Master authenticating device, described the first authenticating device sends authentication statistics request message to authenticating each Slave authenticating device in aggregation group, and the authentication that described in receiving, each Slave authenticating device returns statistics response message, in described each authentication statistics response message, carried respectively the disposal ability of corresponding Slave authenticating device and the Authentication Client number of working as pre-treatment; Utilize the authentication statistics response message that described each Slave authenticating device returns to safeguard authentication capability table, described authentication capability table is sent to described each Slave authenticating device, by described each Slave authenticating device, safeguard described authentication capability table;
If the role of described the first authenticating device is Slave authenticating device, described the first authenticating device receives the authentication statistics request message of Master authenticating device in Self-certified aggregation group, and to described Master authenticating device return authentication statistics response message, in described authentication statistics response message, the disposal ability of this authenticating device and the Authentication Client number of working as pre-treatment have been carried; Described the first authenticating device receives and safeguards the authentication capability table from described Master authenticating device.
3. the method for claim 1, is characterized in that, described method further comprises:
If the role of described the first authenticating device is Slave authenticating device, after described the first authenticating device carries out authentication processing to described message identifying, if the message identifying after authentication processing need to be sent to certificate server, in the message identifying of described the first authenticating device after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and send to Master authenticating device;
If the role of described the first authenticating device is Master authenticating device, described the first authenticating device, after receiving the message identifying that has carried the second mark, directly sends to described certificate server by described message identifying.
4. the method for claim 1, is characterized in that, described method further comprises:
Described the first authenticating device inquires this authenticating device when the Authentication Client number of pre-treatment reaches the disposal ability of this authenticating device from described authentication capability table, and the Authentication Client number that whether has Slave authenticating device to work as pre-treatment from described authentication capability table in authentication query aggregation group does not reach the disposal ability of this Slave authenticating device;
If had, described the first authenticating device sends to this Slave authenticating device inquiring by described message identifying, by this Slave authenticating device, described message identifying is carried out to authentication processing.
5. method as claimed in claim 4, is characterized in that, described method further comprises:
Whether described the first authenticating device has Slave authenticating device after the Authentication Client number of pre-treatment does not reach the disposal ability of this Slave authenticating device from described authentication capability table in authentication query aggregation group, if Query Result is no, described the first authenticating device sends Simple Network Management Protocol SNMP warning message to Network Management Equipment; Wherein, in described SNMP warning message, carry described the first authenticating device and each Slave authenticating device and all cannot carry out to Authentication Client the information of authentication processing.
6. an authenticating device, is characterized in that, in described authenticating device and network, other authenticating device forms authentication aggregation group, and described authenticating device specifically comprises: maintenance module, enquiry module, authentication module and sending module; Wherein:
When the role of this authenticating device is Slave authenticating device, described maintenance module, for safeguarding authentication capability table, records the role of each authenticating device in authentication aggregation group, disposal ability and the Authentication Client number of working as pre-treatment in described authentication capability table; Described enquiry module for when receiving message identifying, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from described authentication capability table; Described authentication module, for when not reaching the disposal ability of this authenticating device, carries out authentication processing to described message identifying; Described sending module, for when reaching the disposal ability of this authenticating device, in described message identifying, add for representing current the first mark that does not carry out authentication processing of described message identifying, described message identifying is sent to Master authenticating device in authentication aggregation group;
When the role of this authenticating device is Master authenticating device, described maintenance module, for safeguarding authentication capability table, records the role of each authenticating device in authentication aggregation group, disposal ability and the Authentication Client number of working as pre-treatment in described authentication capability table; Described enquiry module for when receiving the message identifying that has carried the first mark, is inquired about this authenticating device and is worked as the disposal ability whether the Authentication Client number of pre-treatment reaches this authenticating device from described authentication capability table; Described authentication module, for when not reaching the disposal ability of this authenticating device, carries out authentication processing to described message identifying.
7. authenticating device as claimed in claim 6, is characterized in that, also comprises:
Determination module, for this authenticating device being arrived to the jumping figure of certificate server, notify to other authenticating device, and reception arrives the jumping figure of certificate server from described other authenticating device of other authenticating device, and utilizing this authenticating device to arrive the jumping figure of certificate server and the jumping figure that other authenticating device arrives certificate server, the role who determines this authenticating device is Master authenticating device or Slave authenticating device;
When the role of this authenticating device is Master authenticating device, described maintenance module, specifically for each Slave authenticating device in authentication aggregation group, send authentication statistics request message, and the authentication that described in receiving, each Slave authenticating device returns statistics response message, in described each authentication statistics response message, carried respectively the disposal ability of corresponding Slave authenticating device and the Authentication Client number of working as pre-treatment; Utilize the authentication statistics response message that described each Slave authenticating device returns to safeguard authentication capability table, described authentication capability table is sent to described each Slave authenticating device, by described each Slave authenticating device, safeguard described authentication capability table;
When the role of this authenticating device is Slave authenticating device, described maintenance module, specifically for receiving the authentication statistics request message of Master authenticating device in Self-certified aggregation group, and to described Master authenticating device return authentication statistics response message, in described authentication statistics response message, the disposal ability of this authenticating device and the Authentication Client number of working as pre-treatment have been carried; Receive and safeguard the authentication capability table from described Master authenticating device.
8. authenticating device as claimed in claim 6, is characterized in that,
When the role of this authenticating device is Slave authenticating device, described sending module, also for after described message identifying is carried out to authentication processing, if the message identifying after authentication processing need to be sent to certificate server, in the message identifying after authentication processing, add for representing current the second mark that has carried out authentication processing of message identifying, and send to Master authenticating device;
When the role of this authenticating device is Master authenticating device, described sending module, also, for after receiving the message identifying that has carried the second mark, sends to described certificate server by described message identifying.
9. authenticating device as claimed in claim 6, is characterized in that,
When the role of this authenticating device is Master authenticating device, described enquiry module, also, for inquiring this authenticating device when the Authentication Client number of pre-treatment reaches the disposal ability of this authenticating device from described authentication capability table, the Authentication Client number that whether has Slave authenticating device to work as pre-treatment from described authentication capability table in authentication query aggregation group does not reach the disposal ability of this Slave authenticating device;
Described sending module, also, for when Query Result is when being, sends to this Slave authenticating device inquiring by described message identifying, by this Slave authenticating device, described message identifying is carried out to authentication processing.
10. authenticating device as claimed in claim 9, is characterized in that,
When the role of this authenticating device is Master authenticating device, described sending module, also for whether having Slave authenticating device after the Authentication Client number of pre-treatment does not reach the disposal ability of this Slave authenticating device from described authentication capability table authentication query aggregation group, if Query Result is no, to Network Management Equipment, send Simple Network Management Protocol SNMP warning message; Wherein, in described SNMP warning message, carry this authenticating device and each Slave authenticating device and all cannot carry out to Authentication Client the information of authentication processing.
CN201410298084.1A 2014-06-26 2014-06-26 A kind of authentication method and equipment Active CN104052753B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410298084.1A CN104052753B (en) 2014-06-26 2014-06-26 A kind of authentication method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410298084.1A CN104052753B (en) 2014-06-26 2014-06-26 A kind of authentication method and equipment

Publications (2)

Publication Number Publication Date
CN104052753A true CN104052753A (en) 2014-09-17
CN104052753B CN104052753B (en) 2017-10-17

Family

ID=51505117

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410298084.1A Active CN104052753B (en) 2014-06-26 2014-06-26 A kind of authentication method and equipment

Country Status (1)

Country Link
CN (1) CN104052753B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106878199A (en) * 2016-12-20 2017-06-20 新华三技术有限公司 The collocation method and device of a kind of access information
CN112019653A (en) * 2020-09-09 2020-12-01 迈普通信技术股份有限公司 Access switch, IP address deployment method, device and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030084282A1 (en) * 2001-10-31 2003-05-01 Yamaha Corporation Method and apparatus for certification and authentication of users and computers over networks
CN1937572A (en) * 2005-09-23 2007-03-28 中兴通讯股份有限公司 Method for realizing access device long-distance identification-dialing user service proxy authentication
CN101453341A (en) * 2008-12-19 2009-06-10 中兴通讯股份有限公司 Automatic switching system for remote authentication dialing user server and implementation method thereof
CN101959304A (en) * 2009-07-15 2011-01-26 中国移动通信集团设计院有限公司 Method for scheduling wireless access protocol (WAP) gateway resources and associated equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030084282A1 (en) * 2001-10-31 2003-05-01 Yamaha Corporation Method and apparatus for certification and authentication of users and computers over networks
CN1937572A (en) * 2005-09-23 2007-03-28 中兴通讯股份有限公司 Method for realizing access device long-distance identification-dialing user service proxy authentication
CN101453341A (en) * 2008-12-19 2009-06-10 中兴通讯股份有限公司 Automatic switching system for remote authentication dialing user server and implementation method thereof
CN101959304A (en) * 2009-07-15 2011-01-26 中国移动通信集团设计院有限公司 Method for scheduling wireless access protocol (WAP) gateway resources and associated equipment

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106878199A (en) * 2016-12-20 2017-06-20 新华三技术有限公司 The collocation method and device of a kind of access information
CN106878199B (en) * 2016-12-20 2020-02-11 新华三技术有限公司 Configuration method and device of access information
CN112019653A (en) * 2020-09-09 2020-12-01 迈普通信技术股份有限公司 Access switch, IP address deployment method, device and readable storage medium
CN112019653B (en) * 2020-09-09 2022-08-12 迈普通信技术股份有限公司 Access switch, IP address deployment method, device and readable storage medium

Also Published As

Publication number Publication date
CN104052753B (en) 2017-10-17

Similar Documents

Publication Publication Date Title
US9197639B2 (en) Method for sharing data of device in M2M communication and system therefor
CN104753887B (en) Security management and control implementation method, system and cloud desktop system
CN103329091B (en) Cross access login controller
CN109271776A (en) Micro services system single-point logging method, server and computer readable storage medium
CN103888265A (en) Login system and method based on mobile terminal
CN106656547B (en) Method and device for updating network configuration of household electrical appliance
CN107404485A (en) A kind of self-validation cloud connection method and its system
CN103634119B (en) Authentication method, application client, application server and authentication server
CN103973658A (en) Static user terminal authentication processing method and device
CN104580116B (en) A kind of management method and equipment of security strategy
CN102984169A (en) Single sign-on method, equipment and system
CN108900484B (en) Access right information generation method and device
CN105981345B (en) The Lawful intercept of WI-FI/ packet-based core networks access
CN107040495B (en) Multi-level combined identity authentication method applied to industrial communication and service
CN101414907A (en) Method and system for accessing network based on user identification authorization
CN105027529A (en) Method and device for secure network access
CN107534664A (en) For the multifactor mandate for the network for enabling IEEE 802.1X
CN107493293A (en) A kind of method of sip terminal access authentication
CN103414732A (en) Application integration device and application integration processing method
CN103546286A (en) Authentication processing method and device
CN104052753A (en) Authentication method and device
KR100819942B1 (en) Method for access control in wire and wireless network
CN109361659B (en) Authentication method and device
US7631344B2 (en) Distributed authentication framework stack
CN103516683A (en) Remote server system with offline terminals

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant
GR01 Patent grant