CN100464550C - Network architecture of backward compatible authentication, authorization and accounting system and implementation method
Abstract
This invention relates to a backward-compatible authentication, authorization and accounting (AAA) system network structure, which comprises a network access server translation agent, a home server translation agent, a relay agent and a proxy agent, together with a network access server and a home AAA server. The network structure is divided into service domains A, B and C according to the region served by each home AAA server, and into management domains I and II according to administrative responsibility; the management domains are interconnected over the Internet through their proxy agents.
Description
Technical field
The present invention relates to communication network authentication, authorization and accounting (AAA) systems, and in particular to the network topology and implementation method of an AAA system based on the Diameter protocol that is backward compatible with the RADIUS protocol.
Background technology
Authentication refers to the confirmation of a user's identity by the network system when the user uses network resources. In the authentication process, identity information (such as a user name and password, or a public key certificate) is obtained by interacting with the user; the authentication server then checks the obtained identity information against the user information stored in its database and finally decides from the result whether the identity is genuine. Authorization refers to the network system granting the user the right to use its resources in a particular manner; the authorization process specifies which services an authenticated user may use after accessing the network and which privileges the user holds. Accounting refers to the network system collecting and recording the user's use of network resources, so that the user can be billed for them or the records can be used for purposes such as auditing. Together, authentication, authorization and accounting give the network system an accurate record of each user's use of network resources, which both protects the interests of legitimate users and ensures that the network system operates securely and reliably. AAA functionality therefore bears directly on the vital interests of every ISP and user.
RADIUS is currently the most widely used AAA protocol; other AAA protocols in use include TACACS+ and Kerberos. Because RADIUS is not encumbered by the intellectual property of any particular company, it has become the de facto international standard AAA protocol of the Internet. RADIUS was first proposed by Livingston, originally to authenticate and bill dial-up users; it was later standardized as an RFC by the IETF (Internet Engineering Task Force) in 1997 and became a general-purpose AAA protocol. The latest RADIUS standard is RFC 2865, published in June 2000. To keep pace with the development of Internet technology, the RADIUS protocol family also includes RADIUS Accounting (RFC 2866), RADIUS Extensions (RFC 2869) and RADIUS and IPv6 (RFC 3162), among others. In a RADIUS network, a large number of network access devices (gateways, access controllers, VPN gateways and so on) all communicate with the RADIUS server using RADIUS; besides the RADIUS server, the AAA system also comprises the user database and billing system that support it, which likewise communicate using RADIUS. RADIUS is widely adopted as the common AAA standard across many service areas. In recent years in particular, with the development of mobile communications, wireless access and mobile interconnection services have been rolled out step by step, and network and information security in wireless environments has attracted much attention; this has carried RADIUS from traditional wired access networks into wireless access environments, most importantly in third-generation mobile networks (3G) and wireless LANs (WLAN).
RADIUS, however, was designed in the early 1990s to fit the network environment and AAA requirements of that time. With the introduction of new access technologies and the rapid expansion of access networks, ever more complex routers and network access servers are being deployed in large numbers, and the traditional AAA network clearly cannot meet the needs of current and future AAA applications; its deep-seated defects in areas such as network structure make a new generation of AAA technology an urgent requirement. Diameter was proposed precisely to resolve this contradiction.
In December 1998 the IETF set up an AAA working group under its Operations and Management area to research, develop and standardize the next-generation Internet AAA protocol, with the aim of replacing the existing AAA protocols, RADIUS included, by a unified, open, distributed and mobile AAA service. Diameter, first proposed by Sun Microsystems in 1999, received broad industry support as the new AAA protocol; other candidate AAA protocols put forward in the same period included SNMP, RADIUS+ and COPS. To settle on a final AAA protocol, the IETF AAA working group set up a dedicated AAA protocol evaluation group on May 20, 2000; after a year of collecting proposals, discussion and evaluation, it announced the result in June 2001 in the form of an RFC (RFC 3127), in which Diameter stood out and was confirmed by the IETF AAA working group as the next-generation AAA protocol. In September 2003 the Diameter Base Protocol formally became an IETF RFC standard (RFC 3588); its related applications (NASREQ, Mobile IPv4, EAP, Credit-Control, SIP and others) have been submitted in turn and are under further discussion.
Comparing Diameter with RADIUS, Diameter retains the design advantages of RADIUS, such as extensibility, while not only remedying the known shortcomings of RADIUS but also providing entirely new functions that meet future service demands. Table 1 compares the main functions and features of Diameter and RADIUS and highlights the advantages of Diameter. The comparison shows that Diameter is clearly superior to RADIUS in security, reliability, extensibility, network structure and support for mobile roaming, and better matches the goals of a unified, open, distributed and mobile service.
Table 1
RADIUS is currently the most widely used AAA protocol and nearly all network access servers support it, so whether a new AAA protocol can be promoted and adopted smoothly depends to a large extent on whether it has good backward compatibility, that is, compatibility with RADIUS. Diameter reserves command codes and attribute codes 0 to 256 for RADIUS compatibility, in the expectation that protocol translation agent equipment can translate RADIUS messages into Diameter messages that a Diameter server understands. However, because RADIUS and Diameter are entirely inconsistent in session state model, security mechanism, message routing mechanism and network structure, backward compatibility is difficult to achieve.
Summary of the invention
Technical problem: the object of the invention is to propose a backward-compatible authentication, authorization and accounting system network structure and implementation method. The FAIv1-NASREQ application protocol described here, based on the Diameter base protocol, defines an implementation method for translation agents in the AAA system and provides a feasible solution to the compatibility problem between Diameter and RADIUS.
Technical scheme: the backward-compatible AAA system network structure of the invention follows the network structure specified in the Diameter protocol formulated by the Internet Engineering Task Force, and contains a network access server translation agent, a home server translation agent, a relay agent and a proxy agent, together with a network access server and a home AAA server. The network is divided into service domains A, B and C according to the region served by each home AAA server, and into management domains I and II according to administrative responsibility. In service domain A, the network access server is directly connected to the NAS translation agent, and the home AAA server is directly connected to the home server translation agent; the NAS translation agent, the home server translation agent and the relay agent are connected by the local network and can reach one another. A management domain contains several service domains; the home server translation agents of service domains A and B and the relay agent are connected by the network of management domain I and can reach one another. The proxy agent sits on the border between management domain I and the external network and reaches every home server translation agent and relay agent in management domain I over that network; the proxy agents of management domains I and II are interconnected over the Internet.
The implementation method of the network structure, which follows the structure specified in the Diameter protocol formulated by the Internet Engineering Task Force, is:
1) into the implementation of the original Diameter protocol, NAS translation agent equipment and home server translation agent equipment are introduced; they sit on the border between the Diameter network and the RADIUS network and perform protocol conversion between Diameter messages and RADIUS messages, consistent with the implementation method for translation agents in the Diameter protocol;
2) communication between the NAS translation agent and the home server translation agent follows the Diameter protocol;
3) communication between the NAS translation agent and the network access server follows the RADIUS protocol, and communication between the home server translation agent and the home AAA server follows the RADIUS protocol;
4) the NAS translation agent and the home server translation agent are each divided by function into an interface module, a message processing module and a protocol module;
5) two Diameter messages, AA-Request and AA-Answer, are defined, with command code 265;
6) a Diameter attribute value pair (AVP) for carrying RADIUS messages is defined, called the RADIUS AVP, with AVP code 255;
7) processing flow of the NAS translation agent implementation method: on receiving a RADIUS request message from the network access server, the NAS translation agent looks up, from the user's home service domain given in the RADIUS request, the end-to-end session established with the home server translation agent of that service domain; if no such session is found, the NAS translation agent initiates its establishment. After request preprocessing, the RADIUS request message is encapsulated in the RADIUS AVP of an AA-Request message, which is sent to the home server translation agent over the end-to-end session; the home server translation agent extracts the RADIUS request from the RADIUS AVP and, after preprocessing, sends it to the home AAA server;
8) processing flow of the home server translation agent implementation method: on receiving a RADIUS response message from the home AAA server, the home server translation agent preprocesses the response, encapsulates it in the RADIUS AVP of an AA-Answer message and sends the AA-Answer to the NAS translation agent over the end-to-end session; the NAS translation agent extracts the RADIUS response from the RADIUS AVP and, after preprocessing, sends it to the network access server.
The implementation method of the NAS translation agent is:
1.) the interface module communicates with the network access server using the RADIUS protocol:
1a. listen on ports 1812 and 1813 of the transport protocol and wait to receive RADIUS request messages; a RADIUS response message coming from the message processing module is reply-preprocessed by the interface module and sent to the corresponding network access server, and a sent RADIUS response is kept in the response message queue for 5 seconds and then deleted automatically;
1b. on receiving a RADIUS request message, search the pending message queue by message identifier; if a message with the same identifier is found, this RADIUS request is a retransmission of a pending request: discard it and return to step 1a;
1c. search the response message queue by message identifier; if a response with the same identifier is found, this RADIUS request is a retransmission of an already answered request: resend the corresponding RADIUS response message and return to step 1a;
1d. if the received RADIUS request is not a retransmission, perform request preprocessing on it, place the message in the pending message queue of the message processing module and return to step 1a;
2.) the message processing module is responsible for encapsulation and parsing between RADIUS messages and Diameter messages, and for the mapping between Diameter messages and end-to-end sessions:
2a. wait for a new message to enter the pending message queue. On receiving an AA-Answer message from the protocol module, extract the RADIUS response message from the RADIUS AVP; if the value of the Result-Code AVP in the AA-Answer equals 2002, generate a RADIUS Access-Reject message as the RADIUS response. Dequeue the corresponding RADIUS request from the pending message queue and send the resulting RADIUS response message to the interface module;
2b. encapsulate a RADIUS request message newly entered into the pending message queue as an AA-Request message and, according to the destination service domain given in the RADIUS request, dispatch the AA-Request to the end-to-end session interface already established in the protocol module for that service domain; return to step 2a;
2c. for a new destination service domain, the message processing module asks the protocol module to establish a new end-to-end session; if the session is established successfully, the AA-Request is sent to that end-to-end session interface, otherwise the corresponding RADIUS request is dequeued from the pending message queue and an Access-Reject message is generated and sent to the interface module; return to step 2a;
3.) the protocol module implements the client functionality defined in the Diameter protocol. At the request of the message processing module it establishes, by routing and relaying through the Diameter network, an end-to-end session with the home server translation agent of the destination service domain, sends and receives the AA-Request and AA-Answer messages of that service domain over this session, and manages end-to-end sessions according to the session management mechanism defined in the Diameter protocol.
The implementation method of the home server translation agent equipment is:
1.) the interface module communicates with the home AAA server using the RADIUS protocol:
3a. connect to the home AAA server through ports 1812 and 1813 of the transport protocol and wait to receive RADIUS response messages; a RADIUS request message coming from the message processing module is request-preprocessed by the interface module and sent to the home AAA server; the sent RADIUS request is kept in the request message queue and retransmitted once every 5 seconds, and after three retransmissions it is dequeued and the message processing module is notified;
3b. on receiving a RADIUS response message, search the request message queue by message identifier; if no message with the same identifier is found, discard the response and return to step 3a;
3c. if a message with the same identifier is found in the request message queue, dequeue the corresponding RADIUS request, perform reply preprocessing on the RADIUS response and send it to the message processing module; return to step 3a;
2.) the message processing module is responsible for encapsulation and parsing between RADIUS messages and Diameter messages:
4a. wait for a new AA-Request message to enter the pending message queue. A RADIUS response message from the interface module is encapsulated in a RADIUS AVP; if a request timeout or reply error notification is received from the interface module, the corresponding RADIUS request message is encapsulated in the RADIUS AVP instead and the Result-Code AVP is set to the value 2002. Search the pending message queue for the AA-Request by the RADIUS message identifier, dequeue the matching AA-Request and generate the AA-Answer message from the AVP information of that AA-Request; send the generated AA-Answer to the protocol module;
4b. extract the RADIUS request message from the RADIUS AVP of an AA-Request newly entered into the pending message queue and send it to the interface module; return to step 4a;
3.) the protocol module implements the server functionality defined in the Diameter protocol. By routing and relaying through the Diameter network it establishes an end-to-end session with the NAS translation agent and manages end-to-end sessions according to the session management mechanism defined in the Diameter protocol; it sends and receives the AA-Answer and AA-Request messages of the local service domain over this session, and a received AA-Request enters the pending message queue of the message processing module.
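The interface-module queue logic of steps 1a to 1d (NAS side) and 3a to 3c (home server side), as an added Python example that is not part of the patent: a NAS-side module that drops retransmissions of still-pending requests and re-sends cached replies for 5 seconds, and a home-server-side request queue that retransmits every 5 seconds and gives up after three retransmissions. Timestamps are passed in explicitly so the behaviour can be checked without waiting; keying on the RADIUS identifier alone follows the text, and the class and method names are my own.

```python
from collections import OrderedDict

RESPONSE_TTL = 5.0          # seconds a sent reply stays in the response queue (step 1a)
RETRANSMIT_INTERVAL = 5.0   # seconds between retransmissions to the home server (step 3a)
MAX_RETRANSMITS = 3         # retransmissions before giving up (step 3a)


class NastaInterfaceModule:
    """Steps 1a-1d: duplicate suppression on the NAS side of the NAS translation agent.
    Keyed on the RADIUS identifier alone as the text describes; a deployment serving several
    NASes would also key on the source address, since identifiers repeat across NASes."""

    def __init__(self):
        self.pending = {}               # identifier -> request awaiting the home server
        self.responses = OrderedDict()  # identifier -> (reply, time sent), oldest first

    def _expire(self, now):
        while self.responses:
            ident, (_, sent) = next(iter(self.responses.items()))
            if now - sent < RESPONSE_TTL:
                break
            del self.responses[ident]

    def on_request(self, ident, packet, now):
        """Return ('drop', None), ('resend', cached reply) or ('enqueue', packet)."""
        self._expire(now)
        if ident in self.pending:       # 1b: retransmission of a request still in flight
            return "drop", None
        if ident in self.responses:     # 1c: retransmission of an already answered request
            return "resend", self.responses[ident][0]
        self.pending[ident] = packet    # 1d: new request goes to the message processing module
        return "enqueue", packet

    def on_reply(self, ident, reply, now):
        """1a: a reply from the message processing module is sent and cached for 5 s."""
        self._expire(now)
        self.pending.pop(ident, None)
        self.responses.pop(ident, None)
        self.responses[ident] = (reply, now)
        return reply


class HstaRequestQueue:
    """Steps 3a-3c: requests forwarded to the home AAA server wait in the request queue,
    are retransmitted every 5 s and are dropped (with a notification) after three retransmissions."""

    def __init__(self):
        self.queue = {}   # identifier -> [packet, time last sent, retransmissions so far]

    def send(self, ident, packet, now):
        self.queue[ident] = [packet, now, 0]
        return packet

    def tick(self, now):
        """Return (packets to resend now, identifiers that timed out and must be reported)."""
        resend, timed_out = [], []
        for ident, entry in list(self.queue.items()):
            packet, last_sent, count = entry
            if now - last_sent < RETRANSMIT_INTERVAL:
                continue
            if count >= MAX_RETRANSMITS:
                del self.queue[ident]
                timed_out.append(ident)
            else:
                entry[1], entry[2] = now, count + 1
                resend.append(packet)
        return resend, timed_out

    def on_response(self, ident):
        """3b/3c: return the matching queued request, or None if the response is discarded."""
        entry = self.queue.pop(ident, None)
        return None if entry is None else entry[0]
```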
The formats of the AA-Request and AA-Answer messages defined here, beyond conforming to the message format defined in the Diameter network access server request (NASREQ) application protocol, are:
1.) a RADIUS AVP must be included in both the AA-Request and the AA-Answer message;
2.) when a protocol error occurs, the content of the RADIUS AVP in the AA-Answer is identical to the content of the RADIUS AVP in the corresponding AA-Request.
The format of the RADIUS AVP defined here, beyond conforming to the AVP format defined in the Diameter protocol, is:
1.) the M and P flags in the RADIUS AVP header are set to 1, meaning the RADIUS AVP must be protected by encryption and digital signature;
2.) the data portion of the RADIUS AVP is a string of 8-bit bytes.
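The encapsulation of steps 5) to 8) of the implementation method and the AA-Request/AA-Answer and RADIUS AVP formats just given, as an added Python example that is not part of the patent: it frames a RADIUS packet in a RADIUS AVP (code 255, M and P flags set) inside an AA-Request with command code 265, builds the AA-Answer including the error case in which the AVP is echoed unchanged with Result-Code 2002, and unwraps the answer on the NAS side. The Diameter header and AVP layouts follow RFC 3588; the application id, the hop-by-hop and end-to-end values and the sample RADIUS packet are constructed assumptions.

```python
import struct

AA_COMMAND = 265       # command code of AA-Request / AA-Answer (from the patent)
RADIUS_AVP = 255       # AVP code the patent defines for carrying a whole RADIUS packet
RESULT_CODE = 268      # standard Diameter Result-Code AVP (RFC 3588)
ERROR_RESULT = 2002    # Result-Code value the patent uses to signal a translation failure
SUCCESS_RESULT = 2001  # DIAMETER_SUCCESS (RFC 3588)
APP_ID = 1             # assumption: NASREQ application id; the page does not give FAIv1-NASREQ's id
FLAG_R, AVP_M, AVP_P, AVP_V = 0x80, 0x40, 0x20, 0x80

# Constructed sample: Access-Request, identifier 7, zero authenticator, User-Name "a".
# 23 bytes, deliberately not a multiple of 4 so that AVP padding is exercised.
SAMPLE_RADIUS_REQUEST = b"\x01\x07\x00\x17" + b"\x00" * 16 + b"\x01\x03a"


def encode_avp(code, data, flags):
    """Diameter AVP: code(4) flags(1) length(3) data, padded to a 4-byte boundary."""
    header = struct.pack("!I", code) + bytes([flags]) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def decode_avps(body):
    avps, pos = [], 0
    while pos < len(body):
        code = struct.unpack("!I", body[pos:pos + 4])[0]
        flags = body[pos + 4]
        length = int.from_bytes(body[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(body):
            raise ValueError("malformed AVP")
        data_start = pos + 8 + (4 if flags & AVP_V else 0)
        avps.append((code, flags, body[data_start:pos + length]))
        pos += length + (-length % 4)
    return avps


def encode_message(command, flags, hop_by_hop, end_to_end, avps):
    """Diameter header: version(1) length(3) flags(1) command(3) app-id(4) hbh(4) e2e(4)."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", APP_ID, hop_by_hop, end_to_end)
            + body)


def decode_message(msg):
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(msg[1:4], "big")
    command = int.from_bytes(msg[5:8], "big")
    _, hop_by_hop, end_to_end = struct.unpack("!III", msg[8:20])
    return command, msg[4], hop_by_hop, end_to_end, decode_avps(msg[20:length])


def wrap_radius_request(radius_packet, hop_by_hop, end_to_end):
    """NASTA: the preprocessed RADIUS request goes into the RADIUS AVP (M and P set) of an AA-Request."""
    avp = encode_avp(RADIUS_AVP, radius_packet, AVP_M | AVP_P)
    return encode_message(AA_COMMAND, FLAG_R, hop_by_hop, end_to_end, [avp])


def build_answer(request_msg, radius_reply=None):
    """HSTA: build the AA-Answer for an AA-Request. With no RADIUS reply (timeout or
    authentication error) the request's RADIUS AVP is echoed unchanged and Result-Code is 2002."""
    command, flags, hop_by_hop, end_to_end, avps = decode_message(request_msg)
    if command != AA_COMMAND or not flags & FLAG_R:
        raise ValueError("not an AA-Request")
    if radius_reply is None:
        radius_reply = next(d for c, _, d in avps if c == RADIUS_AVP)
        result = ERROR_RESULT
    else:
        result = SUCCESS_RESULT
    return encode_message(AA_COMMAND, 0, hop_by_hop, end_to_end, [
        encode_avp(RESULT_CODE, struct.pack("!I", result), AVP_M),
        encode_avp(RADIUS_AVP, radius_reply, AVP_M | AVP_P)])


def unwrap_answer(answer_msg):
    """NASTA step 2a: returns (is_error, radius_bytes); an error answer becomes an Access-Reject."""
    command, flags, _, _, avps = decode_message(answer_msg)
    if command != AA_COMMAND or flags & FLAG_R:
        raise ValueError("not an AA-Answer")
    fields = {c: d for c, _, d in avps}
    if RADIUS_AVP not in fields:   # the patent requires the RADIUS AVP in every AA-Answer
        raise ValueError("AA-Answer without RADIUS AVP")
    result = struct.unpack("!I", fields[RESULT_CODE])[0]
    return result == ERROR_RESULT, fields[RADIUS_AVP]
```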
The interface module preprocessing in the NAS translation agent implementation method, beyond conforming to the methods defined in the RADIUS protocol for attribute encryption and decryption, generating the Request Authenticator, computing the Response Authenticator and computing the Message-Authenticator attribute, is:
1.) request preprocessing: on receiving an Access-Request message, decrypt the User-Password attribute with the secret shared between the NAS translation agent and the network access server, and replace the original attribute with the plaintext;
2.) reply preprocessing:
5a. on receiving an Access-Accept message, encrypt the Tunnel-Password attribute with the secret shared between the NAS translation agent and the network access server, and replace the original attribute with the ciphertext;
5b. compute the Response Authenticator and use it to replace the Request Authenticator in the RADIUS response message;
5c. compute the Message-Authenticator attribute and replace the original attribute.
The interface module preprocessing in the home server translation agent implementation method, beyond conforming to the methods defined in the RADIUS protocol for attribute encryption and decryption, generating and computing the Request Authenticator, computing and checking the Response Authenticator, and computing and checking the Message-Authenticator attribute, is:
1.) request preprocessing:
6a. on receiving an Access-Request message, encrypt the User-Password attribute with the secret shared between the home server translation agent and the home AAA server, and replace the original attribute with the ciphertext;
6b. on receiving an Accounting-Request message, compute the Request Authenticator and replace the original one; for other RADIUS request messages, save the Request Authenticator, generate a new Request Authenticator and replace the original one;
6c. save the message identifier of the RADIUS request message and replace it with a new message identifier;
6d. compute the Message-Authenticator attribute and replace the original attribute;
2.) reply preprocessing:
7a. check whether the Response Authenticator of the RADIUS response message is correct; if not, send a reply error notification (authentication error) to the message processing module;
7b. check whether the Message-Authenticator attribute is correct; if not, send a reply error notification (authentication error) to the message processing module;
7c. on receiving an Access-Accept message, decrypt the Tunnel-Password attribute with the secret shared between the home server translation agent and the home AAA server, and replace the original attribute with the plaintext;
7d. restore the original message identifier;
7e. restore the original Request Authenticator.
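The two preprocessing procedures above (NAS side, steps 1 and 5a to 5c; home server side, steps 6a to 7e), as an added Python example that is not part of the patent: it recovers the User-Password with the NAS secret, re-hides it under the home server's secret with a fresh identifier and Request Authenticator, signs with Message-Authenticator, then verifies the home server's reply and restores the NAS's values so the NAS-side agent can recompute the Response Authenticator. The RFC 2865/2866/2869 algorithms are the standard ones; the function names, secrets and packets are constructed, and Tunnel-Password handling (steps 5a and 7c) is omitted.

```python
import hashlib
import hmac
import os
import struct

USER_PASSWORD, MESSAGE_AUTHENTICATOR = 2, 80      # RADIUS attribute types
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4         # RADIUS codes used below

def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def build(code, ident, auth, attrs):
    body = b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def xor_chain(data, secret, req_auth, decrypt):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block XOR MD5(secret + previous block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        x = bytes(p ^ q for p, q in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + x, (block if decrypt else x)
    return out

def encrypt_password(plain, secret, req_auth):
    """Pad to a multiple of 16 with NULs, then hide under (secret, Request Authenticator)."""
    return xor_chain(plain.ljust(max(16, (len(plain) + 15) // 16 * 16), b"\x00"), secret, req_auth, False)

def decrypt_password(cipher, secret, req_auth):
    return xor_chain(cipher, secret, req_auth, True).rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    return hashlib.md5(build(code, ident, req_auth, attrs) + secret).digest()

def message_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute's own value zeroed; for a
    reply the Authenticator field used in the HMAC is the request's authenticator."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    if MESSAGE_AUTHENTICATOR not in dict(zeroed):
        zeroed.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    return hmac.new(secret, build(code, ident, req_auth, zeroed), hashlib.md5).digest()

def add_message_authenticator(code, ident, req_auth, attrs, secret):
    attrs = [(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR]
    return attrs + [(MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, req_auth, attrs, secret))]

def nasta_request_preprocess(packet, nas_secret):
    """NAS-side request preprocessing: the User-Password travels in clear inside the AA-Request."""
    code, ident, auth, attrs = parse(packet)
    if code == ACCESS_REQUEST:
        attrs = [(t, decrypt_password(v, nas_secret, auth) if t == USER_PASSWORD else v) for t, v in attrs]
    return build(code, ident, auth, attrs)

def hsta_request_preprocess(packet, home_secret, new_ident):
    """Steps 6a-6d; returns (packet for the home server, state saved for the reply). The new
    Request Authenticator is drawn first because RFC 2865 derives the password keystream from it."""
    code, ident, auth, attrs = parse(packet)
    attrs = [(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR]
    if code == ACCOUNTING_REQUEST:   # RFC 2866: the authenticator is an MD5 over the packet itself
        new_auth = hashlib.md5(build(code, new_ident, b"\x00" * 16, attrs) + home_secret).digest()
    else:
        new_auth = os.urandom(16)
        attrs = [(t, encrypt_password(v, home_secret, new_auth) if t == USER_PASSWORD else v) for t, v in attrs]
        attrs = add_message_authenticator(code, new_ident, new_auth, attrs, home_secret)
    saved = {"ident": ident, "auth": auth, "new_ident": new_ident, "new_auth": new_auth}
    return build(code, new_ident, new_auth, attrs), saved

def hsta_reply_preprocess(reply, home_secret, saved):
    """Steps 7a, 7b, 7d, 7e: verify both authenticators, then restore the NAS's identifier and
    Request Authenticator. Returns (code, ident, req_auth, attrs), or None on an authentication error."""
    code, _, resp_auth, attrs = parse(reply)
    ident, req_auth = saved["new_ident"], saved["new_auth"]
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, req_auth, attrs, home_secret)):
        return None
    ma = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if ma is not None and not hmac.compare_digest(ma, message_authenticator(code, ident, req_auth, attrs, home_secret)):
        return None
    return code, saved["ident"], saved["auth"], [(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR]

def nasta_reply_preprocess(code, ident, req_auth, attrs, nas_secret):
    """Steps 5b-5c: re-sign the reply for the NAS with its secret and the NAS's original Request Authenticator."""
    attrs = add_message_authenticator(code, ident, req_auth, attrs, nas_secret)
    return build(code, ident, response_authenticator(code, ident, req_auth, attrs, nas_secret), attrs)
```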
Beneficial effects: the AAA system network built according to the invention not only introduces the new-generation Diameter AAA network structure but is also fully compatible with existing AAA systems; its distributed networking structure is easy to expand, and it provides a solution for the sustainable upgrading of the network.
The FAIv1-NASREQ application protocol described in the invention fully conforms to the Diameter application protocol standard and is fully compatible with the RADIUS protocol (including RADIUS Accounting and RADIUS Extensions), supporting all RADIUS authentication and accounting messages. The operating flows that FAIv1-NASREQ defines for the NASTA and HMSTA equipment take full account of the respective characteristics of RADIUS and Diameter, emphasizing compatibility while also taking efficiency into account, and in particular provide secure, reliable and efficient AAA service to roaming users without affecting the AAA service quality of local users.
Description of drawings
Fig. 1 is a schematic diagram of the topology of the authentication, authorization and accounting (AAA) network. Reference numerals: NAS translation agent 1; home server translation agents 2, 6, 11; relay agents 3, 7, 10; proxy agents 8, 9; network access server 5; home AAA server 4.
Fig. 2 is the message flow chart of the embodiment described in the invention.
Embodiment
The specific embodiment of the invention is described further below in conjunction with the accompanying drawings; its network structure and implementation method are those set out in the Summary of the invention above.
The authenticated authorization accounting system network configuration of back compatible of the present invention is, this network configuration is followed the network configuration of stipulating in " diameter " agreement of the Internet engineering duty group formulation, and network access server translation agency, home server translation agency, relay agent and agency by agreement, network access server and local authentication mandate accounting server are arranged in this structure; The zone that network configuration is served according to each local authentication mandate accounting server is divided into service-domain A, service-domain B, service-domain C, is divided into management domain I, management domain II according to the compass of competency; In service-domain A, network access server directly is connected with network access server translation agency, and local authentication mandate accounting server directly is connected with home server translation agency; Network access server translation agency, home server translation agency are connected by local network with relay agent, and visit mutually; In management domain, comprised a plurality of service-domains, connect by management domain I network between the home server translation agency of service-domain A and service-domain B and the relay agent, and visit mutually; Agency by agreement is on the border of management domain I and outer net, by each home server translation agency and relay agent in the access to netwoks management domain I; Interconnect by the Internet between the agency by agreement of management domain I and management domain II.
Following the network configuration implementation method of stipulating in " diameter " agreement of the Internet engineering duty group formulation is:
1.) in the implementation of former " diameter " agreement, introduce network access server translation agent equipment and home server translation agent equipment, they are positioned at the border of " diameter " protocol network and " radius " protocol network, be used for the protocol conversion process between " diameter " protocol message and " radius " protocol message, meet the implementation method of acting on behalf of about translation in " diameter " agreement;
2.) " diameter " agreement is followed in the communication between network access server translation agency and the home server translation agency;
3.) communicating by letter between network access server translation agency and the network access server followed " radius " agreement, and " radius " agreement is followed in communicating by letter between home server translation agency and the local authentication mandate accounting server;
4.) network access server translation agency and home server translation agency are divided into interface module, message processing module and protocol module respectively according to function;
5.) two kinds of " diameter " protocol message AA-Request message of definition and AA-Answer message, the information order sign indicating number is 265;
6.) definition a kind of " diameter " protocol attribute value is to being used for carrying " radius " protocol message, and it is right to be called the radius attribute value, and property value is 255 to sign indicating number;
7.) handling process of implementation method is acted on behalf of in the network access server translation: when " radius " agreement request message of receiving from network access server, the end-to-end session that network access server translation agency sets up according to information retrieval of user ascription area service-domain and corresponding with service territory home server translation agency in " radius " agreement request message, if do not retrieve corresponding end-to-end session, then initiate to set up by network access server translation agency; " radius " agreement request message is through being encapsulated in the radius attribute value centering of AA-Request message after the preliminary treatment, AA-Request message is sent to home server translation agency by end-to-end session, " radius " agreement request message of home server translation proxy resolution radius attribute value centering sends to local authentication mandate accounting server through after the preliminary treatment;
8.) handling process of implementation method is acted on behalf of in the translation of local authentication mandate accounting server: when " radius " agreement response message of receiving local authentication mandate accounting server, " radius " agreement response message is through being encapsulated in the radius attribute value centering of AA-Answer message after the preliminary treatment, AA-Answer message is sent to network access server translation agency by end-to-end session, " radius " agreement response message of network access server translation proxy resolution radius attribute value centering sends to network access server through after the preliminary treatment.
The implementation method of the network access server translation agent is:
1.) The interface module communicates with the network access server following the "radius" protocol:
1a. Listen on ports 1812 and 1813 of the transport protocol and wait to receive "radius" protocol request messages; a "radius" protocol response message coming from the message processing module is reply-pre-processed by the interface module and sent to the corresponding network access server, and the sent "radius" protocol response message is kept in the response message queue for 5 seconds and then deleted automatically;
1b. On receiving a "radius" protocol request message, search the pending message queue by message identifier; if a message with the same identifier is found, this "radius" protocol request message is a retransmission of a pending request: discard it and return to step 1a;
1c. Search the response message queue by message identifier; if a response message with the same identifier is found, this "radius" protocol request message is a retransmission of an already answered request: retransmit the corresponding "radius" protocol response message and return to step 1a;
1d. If the received "radius" protocol request message is not a retransmission, complete the request pre-processing of the "radius" protocol request message, place the message in the pending message queue of the message processing module and return to step 1a;
2.) The message processing module is responsible for the encapsulation and parsing between "radius" protocol messages and "diameter" protocol messages, and for the mapping between "diameter" protocol messages and end-to-end sessions:
2a. Wait for a new message to enter the pending message queue; when an AA-Answer message is received from the protocol module, parse the "radius" protocol response message out of its RADIUS AVP; if the value of the Result-Code AVP in the AA-Answer message equals 2002, generate a "radius" protocol Access-Reject message as the "radius" protocol response message; dequeue the corresponding "radius" protocol request message from the pending message queue and send the resulting "radius" protocol response message (the Access-Reject, where one was generated) to the interface module;
2b. A "radius" protocol request message newly entering the pending message queue is encapsulated in an AA-Request message, and the AA-Request message is dispatched, according to the destination service domain information in the "radius" protocol request message, to the interface of the end-to-end session already established in the protocol module for the corresponding service domain; return to step 2a;
2c. For a new destination service domain, the message processing module requests the protocol module to establish a new end-to-end session; if the end-to-end session is established successfully, the AA-Request message is sent to this end-to-end session interface, otherwise the corresponding "radius" protocol request message is dequeued from the pending message queue and an Access-Reject message is generated and sent to the interface module; return to step 2a;
3.) The protocol module implements the client functionality defined in the "diameter" protocol: at the request of the message processing module it establishes, by routing and relaying through the "diameter" protocol network, an end-to-end session with the home server translation agent of the destination service domain, sends and receives the AA-Request and AA-Answer messages of the corresponding service domain over this end-to-end session, and manages the end-to-end sessions according to the session management mechanism defined in the "diameter" protocol.
The implementation method of the home server translation agent device is:
1.) The interface module communicates with the home authentication, authorization and accounting server following the "radius" protocol:
3a. Connect to ports 1812 and 1813 of the home authentication, authorization and accounting server over the transport protocol and wait to receive "radius" protocol response messages; a "radius" protocol request message coming from the message processing module is request-pre-processed by the interface module and sent to the home authentication, authorization and accounting server; the sent "radius" protocol request message is kept in the request message queue and retransmitted once every 5 seconds; after three retransmissions it is dequeued and the message processing module is notified;
3b. On receiving a "radius" protocol response message, search the request message queue by message identifier; if no message with the same identifier is found, discard the response message and return to step 3a;
3c. If a message with the same identifier is found in the request message queue, dequeue the corresponding "radius" protocol request message, complete the reply pre-processing of the "radius" protocol response message, send the message to the message processing module and return to step 3a;
2.) The message processing module is responsible for the encapsulation and parsing between "radius" protocol messages and "diameter" protocol messages:
4a. Wait for a new AA-Request message to enter the pending message queue; a "radius" protocol response message coming from the interface module is encapsulated in a RADIUS AVP; if a request timeout or reply error notification is received from the interface module, the corresponding "radius" protocol request message is encapsulated in the RADIUS AVP instead and the Result-Code AVP is set to the value 2002; the AA-Request message is looked up in the pending message queue by the RADIUS message identifier, the corresponding AA-Request message is dequeued, and an AA-Answer message is generated from the AVP information of the AA-Request message; the generated AA-Answer message is sent to the protocol module;
4b. Parse the "radius" protocol request message out of the RADIUS AVP of the AA-Request message newly entering the pending message queue, send it to the interface module and return to step 4a;
3.) The protocol module implements the server functionality defined in the "diameter" protocol: by routing and relaying through the "diameter" protocol network it establishes end-to-end sessions with network access server translation agents and manages them according to the session management mechanism defined in the "diameter" protocol; over these end-to-end sessions it sends the AA-Answer messages and receives the AA-Request messages of the home service domain, and each received AA-Request message enters the pending message queue of the message processing module.
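The two interface modules above handle loss and duplication differently: the NASTA side (steps 1a-1d) detects retransmissions from the NAS by identifier and keeps each sent response for 5 seconds so it can be replayed, while the HMSTA side (steps 3a-3c) retransmits towards the HMS every 5 seconds and gives up after three retries. The following Python model is an added example written for this page, not code from the patent; the message contents, identifiers and the manual clock are constructed, and the queues are keyed on the RADIUS identifier alone, exactly as the text describes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

RESPONSE_RETENTION_S = 5.0   # step 1a: a sent response stays queued 5 s, then is deleted
RETRANSMIT_INTERVAL_S = 5.0  # step 3a: retransmit once every 5 s
MAX_RETRANSMITS = 3          # step 3a: after three retransmissions dequeue and notify


@dataclass
class NasFacingInterface:
    """NASTA interface module, steps 1a-1d: duplicate detection towards the NAS.
    Queues are keyed on the RADIUS identifier alone, as the text describes."""
    clock: Callable[[], float]
    pending: Dict[int, bytes] = field(default_factory=dict)
    responses: Dict[int, Tuple[bytes, float]] = field(default_factory=dict)

    def _expire_responses(self) -> None:
        now = self.clock()
        for ident, (_, sent_at) in list(self.responses.items()):
            if now - sent_at >= RESPONSE_RETENTION_S:
                del self.responses[ident]

    def on_request(self, ident: int, request: bytes) -> Tuple[str, Optional[bytes]]:
        """'drop' (1b), 'retransmit' with the cached response (1c) or 'forward' (1d)."""
        self._expire_responses()
        if ident in self.pending:              # 1b: retransmission of a pending request
            return "drop", None
        if ident in self.responses:            # 1c: retransmission of an answered request
            return "retransmit", self.responses[ident][0]
        self.pending[ident] = request          # 1d: new request for the message processing module
        return "forward", request

    def on_response(self, ident: int, response: bytes) -> bytes:
        """1a: a response from the message processing module goes to the NAS and is cached."""
        self.pending.pop(ident, None)
        self.responses[ident] = (response, self.clock())
        return response


@dataclass
class HomeServerFacingInterface:
    """HMSTA interface module, steps 3a-3c: retransmission towards the HMS."""
    clock: Callable[[], float]
    outstanding: Dict[int, Tuple[bytes, float, int]] = field(default_factory=dict)
    timeouts: List[int] = field(default_factory=list)   # identifiers reported as timed out

    def send(self, ident: int, request: bytes) -> None:
        self.outstanding[ident] = (request, self.clock(), 0)

    def tick(self) -> List[int]:
        """Run periodically; returns the identifiers retransmitted on this tick."""
        now, resent = self.clock(), []
        for ident, (request, last_sent, tries) in list(self.outstanding.items()):
            if now - last_sent < RETRANSMIT_INTERVAL_S:
                continue
            if tries >= MAX_RETRANSMITS:       # 3a: give up, dequeue, notify message processing
                del self.outstanding[ident]
                self.timeouts.append(ident)
                continue
            self.outstanding[ident] = (request, now, tries + 1)
            resent.append(ident)
        return resent

    def on_response(self, ident: int, response: bytes) -> Optional[bytes]:
        """3b: an unknown identifier is discarded (None); 3c: dequeue and pass the reply on."""
        return response if self.outstanding.pop(ident, None) is not None else None


def demo() -> Dict[str, object]:
    """Constructed scenario with a manual clock: the NAS repeats identifier 7 four
    times, and the HMS never answers identifier 9."""
    now = [0.0]

    def clock() -> float:
        return now[0]

    nas_side = NasFacingInterface(clock)
    actions = [nas_side.on_request(7, b"access-request#7")[0]]      # forward
    actions.append(nas_side.on_request(7, b"access-request#7")[0])  # drop: still pending
    nas_side.on_response(7, b"access-accept#7")
    actions.append(nas_side.on_request(7, b"access-request#7")[0])  # retransmit cached reply
    now[0] += RESPONSE_RETENTION_S
    actions.append(nas_side.on_request(7, b"access-request#7")[0])  # cache expired: new request

    hms_side = HomeServerFacingInterface(clock)
    hms_side.send(9, b"access-request#9")
    resent = []
    for _ in range(4):
        now[0] += RETRANSMIT_INTERVAL_S
        resent.append(hms_side.tick())
    return {"nas_actions": actions, "resent_per_tick": resent, "timeouts": hms_side.timeouts}
```

Keying on the identifier alone, as the text does, limits a NAS to 256 outstanding requests and lets two NASes behind one translation agent collide; RFC 2865 matches duplicates on source address, source port and identifier together, and a deployment should key its queues the same way.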
The AA-Request message and AA-Answer message formats defined here have a header that conforms to the message format defined in the "diameter" protocol network access server application, and:
1.) both the AA-Request message and the AA-Answer message must contain the RADIUS AVP;
2.) when a protocol error occurs, the content of the RADIUS AVP in the AA-Answer message is identical to the content of the RADIUS AVP in the corresponding AA-Request message.
The RADIUS AVP defined here has a header that conforms to the attribute-value pair format defined in the "diameter" protocol, and:
1.) the M and P flags in the RADIUS AVP header are set to 1, indicating that the RADIUS AVP must be protected by encryption and digital signature;
2.) the data portion of the RADIUS AVP is an octet string.
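The wire layout implied by the two definitions above, as an added example written for this page rather than code from the patent: a Diameter message header carrying command code 265, a RADIUS AVP with code 255 and the M and P flags set whose data is the complete RADIUS packet, and the error rule that the AA-Answer echoes the request's RADIUS AVP. The header and AVP layouts follow RFC 3588; the NASREQ application id 1 and the Result-Code AVP code 268 are the standard values and are assumptions here, since the text does not state them. The sample RADIUS packets are constructed. Note that in the Diameter base protocol the M flag means "mandatory to understand" and the P flag requests end-to-end protection, and AVP codes 1-255 are the range reserved for RADIUS compatibility; the page's own reading of the flags is given above.

```python
import struct
from typing import Dict, List, Optional, Tuple

CMD_AA = 265               # AA-Request / AA-Answer command code (from the text)
APP_NASREQ = 1             # Diameter NASREQ application id (standard value, assumed)
AVP_RADIUS = 255           # RADIUS AVP code (from the text)
AVP_RESULT_CODE = 268      # Result-Code AVP code (standard value, assumed)
RESULT_CODE_REJECT = 2002  # value the text maps to a RADIUS Access-Reject
AVP_FLAG_V, AVP_FLAG_M, AVP_FLAG_P = 0x80, 0x40, 0x20
CMD_FLAG_R, CMD_FLAG_P = 0x80, 0x40
RADIUS_ACCESS_REJECT = 3


def encode_avp(code: int, data: bytes, flags: int) -> bytes:
    """AVP header: code(4) | flags(1) | length(3); length excludes the 4-byte padding."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\x00" * (-len(data) % 4)


def decode_avps(body: bytes) -> List[Tuple[int, int, bytes]]:
    avps, off = [], 0
    while off < len(body):
        if off + 8 > len(body):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", body, off)
        length = int.from_bytes(body[off + 5:off + 8], "big")
        if flags & AVP_FLAG_V or length < 8 or off + length > len(body):
            raise ValueError("vendor AVP or malformed length")  # vendor AVPs are not used here
        avps.append((code, flags, body[off + 8:off + length]))
        off += length + (-length % 4)        # step over data plus padding
    return avps


def encode_message(request: bool, avps: bytes, h2h: int, e2e: int) -> bytes:
    """Diameter header: version(1) | length(3) | flags(1) | code(3) | app(4) | h2h(4) | e2e(4)."""
    flags = CMD_FLAG_P | (CMD_FLAG_R if request else 0)
    return (bytes([1]) + (20 + len(avps)).to_bytes(3, "big") + bytes([flags])
            + CMD_AA.to_bytes(3, "big") + struct.pack("!III", APP_NASREQ, h2h, e2e) + avps)


def decode_message(msg: bytes) -> Dict[str, object]:
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("bad Diameter header")
    length, code = int.from_bytes(msg[1:4], "big"), int.from_bytes(msg[5:8], "big")
    app, h2h, e2e = struct.unpack("!III", msg[8:20])
    if length != len(msg) or code != CMD_AA:
        raise ValueError("length mismatch or not an AA-Request/AA-Answer")
    return {"request": bool(msg[4] & CMD_FLAG_R), "app": app, "h2h": h2h, "e2e": e2e,
            "avps": decode_avps(msg[20:])}


def build_aa_request(radius_request: bytes, h2h: int, e2e: int) -> bytes:
    """NASTA step 2b: the whole RADIUS request packet rides in one RADIUS AVP with M and P set."""
    return encode_message(True, encode_avp(AVP_RADIUS, radius_request, AVP_FLAG_M | AVP_FLAG_P), h2h, e2e)


def build_aa_answer(aa_request: bytes, radius_response: Optional[bytes]) -> bytes:
    """HMSTA step 4a: carry the RADIUS response or, on timeout/reply error, echo the
    request's RADIUS AVP content and add Result-Code 2002 (format rule 2.) above)."""
    req = decode_message(aa_request)
    radius_req = next(d for c, _, d in req["avps"] if c == AVP_RADIUS)
    body = b""
    if radius_response is None:
        body += encode_avp(AVP_RESULT_CODE, struct.pack("!I", RESULT_CODE_REJECT), AVP_FLAG_M)
    body += encode_avp(AVP_RADIUS, radius_req if radius_response is None else radius_response,
                       AVP_FLAG_M | AVP_FLAG_P)
    return encode_message(False, body, req["h2h"], req["e2e"])


def radius_response_from_answer(aa_answer: bytes) -> bytes:
    """NASTA step 2a: Result-Code 2002 becomes an Access-Reject for the echoed request
    (same identifier; the authenticator field is finalised by reply pre-processing, step 5b)."""
    avps = {c: d for c, _, d in decode_message(aa_answer)["avps"]}
    radius = avps[AVP_RADIUS]
    if AVP_RESULT_CODE in avps and struct.unpack("!I", avps[AVP_RESULT_CODE])[0] == RESULT_CODE_REJECT:
        return bytes([RADIUS_ACCESS_REJECT, radius[1]]) + struct.pack("!H", 20) + radius[4:20]
    return radius


# Constructed samples: an Access-Request (code 1, identifier 42) carrying User-Name "alice",
# and the matching Access-Accept.
SAMPLE_ACCESS_REQUEST = bytes([1, 42]) + struct.pack("!H", 27) + bytes(range(16)) + bytes([1, 7]) + b"alice"
SAMPLE_ACCESS_ACCEPT = bytes([2, 42]) + struct.pack("!H", 20) + bytes(range(16, 32))
```

The decoder rejects AVP lengths that overrun the message and vendor-flagged AVPs instead of silently skipping them; a translation agent sits on a trust boundary, so a malformed AVP from the Diameter side should fail closed rather than be forwarded to the RADIUS side.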
The interface module pre-processing in the implementation method of the network access server translation agent follows the methods defined in the "radius" protocol for attribute encryption and decryption, generation of the Request Authenticator, calculation of the Response Authenticator and calculation of the Message-Authenticator attribute:
1.) Request pre-processing: on receiving an Access-Request message, decrypt the User-Password attribute with the key shared between the network access server translation agent and the network access server, and replace the original attribute with the plaintext;
2.) Reply pre-processing:
5a. On receiving an Access-Accept message, encrypt the Tunnel-Password attribute with the key shared between the network access server translation agent and the network access server, and replace the original attribute with the ciphertext;
5b. Calculate the Response Authenticator and replace the Request Authenticator in the "radius" protocol response message with it;
5c. Calculate the Message-Authenticator attribute and replace the original attribute.
The interface module pre-processing in the implementation method of the home server translation agent follows the methods defined in the "radius" protocol for attribute encryption and decryption, generation and calculation of the Request Authenticator, calculation and checking of the Response Authenticator, and calculation and checking of the Message-Authenticator attribute:
1.) Request pre-processing:
6a. On receiving an Access-Request message, encrypt the User-Password attribute with the key shared between the home server translation agent and the home authentication, authorization and accounting server, and replace the original attribute with the ciphertext;
6b. On receiving an Accounting-Request message, calculate the Request Authenticator and replace the original one; for other "radius" protocol request messages, save the Request Authenticator, generate a new Request Authenticator and replace the original one with it;
6c. Save the message identifier of the "radius" protocol request message and replace it with a new message identifier;
6d. Calculate the Message-Authenticator attribute and replace the original attribute;
2.) Reply pre-processing:
7a. Check whether the Response Authenticator of the "radius" protocol response message is correct; if not, send an authentication-error reply error notification to the message processing module;
7b. Check whether the Message-Authenticator attribute is correct; if not, send an authentication-error reply error notification to the message processing module;
7c. On receiving an Access-Accept message, decrypt the Tunnel-Password attribute with the key shared between the home server translation agent and the home authentication, authorization and accounting server, and replace the original attribute with the plaintext;
7d. Restore the original message identifier;
7e. Restore the original Request Authenticator.
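The pre-processing steps of both interface modules (NASTA steps 1.) and 5a-5c, HMSTA steps 6a-6d and 7a-7e) are the RADIUS shared-secret operations of RFC 2865 and RFC 2869: re-hiding the User-Password under a second secret, swapping and restoring the identifier and Request Authenticator, and computing or checking the Response Authenticator and Message-Authenticator. The Python below is an added example written for this page, not code from the patent, covering the Access-Request path end to end; the secrets, identifiers, user name and password are constructed. It computes the Message-Authenticator before the Response Authenticator, which is the order RFC 2869 requires, and it hides the password under the Request Authenticator the HMS will actually receive, since that is the value the HMS uses to unhide it. Tunnel-Password handling (5a, 7c) and the Accounting-Request authenticator (6b) are left out.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 2, 80
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
Attrs = List[Tuple[int, bytes]]


def parse(packet: bytes) -> Tuple[int, int, bytes, Attrs]:
    """Code, identifier, authenticator and (type, value) list; lengths are validated."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[off + 2:off + l]))
        off += l
    return code, ident, packet[4:20], attrs


def build(code: int, ident: int, auth: bytes, attrs: Attrs) -> bytes:
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret | previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(response: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()


def message_authenticator(packet: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute zeroed and the Request
    Authenticator in the authenticator field (for responses too)."""
    code, ident, _, attrs = parse(packet)
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build(code, ident, req_auth, zeroed), hashlib.md5).digest()


def sign_reply(response: bytes, secret: bytes) -> bytes:
    """NASTA steps 5c then 5b: Message-Authenticator first, then the Response Authenticator
    replaces the Request Authenticator still sitting in the packet."""
    code, ident, req_auth, attrs = parse(response)
    attrs = [(t, v) for t, v in attrs if t != ATTR_MESSAGE_AUTHENTICATOR] + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(build(code, ident, req_auth, attrs), secret, req_auth))
    signed = build(code, ident, req_auth, attrs)
    return build(code, ident, response_authenticator(signed, req_auth, secret), attrs)


def nasta_request_preprocess(packet: bytes, nas_secret: bytes) -> bytes:
    """NASTA step 1.): User-Password back to plaintext under the NAS-facing secret."""
    code, ident, auth, attrs = parse(packet)
    return build(code, ident, auth, [(t, reveal_password(v, nas_secret, auth) if t == ATTR_USER_PASSWORD else v) for t, v in attrs])


def hmsta_request_preprocess(packet: bytes, hms_secret: bytes, new_ident: int) -> Tuple[bytes, Dict[str, object]]:
    """HMSTA steps 6a-6d for an Access-Request; the saved identifier and Request
    Authenticator are returned for restoration in steps 7d/7e."""
    code, ident, auth, attrs = parse(packet)
    new_auth = os.urandom(16)  # 6b: the HMS unhides the password with the authenticator it receives
    attrs = [(t, hide_password(v, hms_secret, new_auth) if t == ATTR_USER_PASSWORD else v)
             for t, v in attrs if t != ATTR_MESSAGE_AUTHENTICATOR] + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(build(code, new_ident, new_auth, attrs), hms_secret, new_auth))
    return build(code, new_ident, new_auth, attrs), {"ident": ident, "auth": auth}


def hmsta_reply_preprocess(response: bytes, hms_secret: bytes, sent_auth: bytes, saved: Dict[str, object]) -> bytes:
    """HMSTA steps 7a, 7b, 7d, 7e; a failed check raises, standing in for the reply error notification."""
    code, _, auth, attrs = parse(response)
    if not hmac.compare_digest(auth, response_authenticator(response, sent_auth, hms_secret)):
        raise ValueError("Response Authenticator mismatch (7a)")
    mac = dict(attrs).get(ATTR_MESSAGE_AUTHENTICATOR)
    if mac is not None and not hmac.compare_digest(mac, message_authenticator(response, hms_secret, sent_auth)):
        raise ValueError("Message-Authenticator mismatch (7b)")
    rest = [(t, v) for t, v in attrs if t != ATTR_MESSAGE_AUTHENTICATOR]  # NASTA re-signs under the NAS secret
    return build(code, saved["ident"], saved["auth"], rest)


def demo() -> Dict[str, object]:
    """Constructed round trip NAS -> NASTA -> HMSTA -> HMS and back, with two distinct secrets."""
    nas_secret, hms_secret, nas_auth = b"nas-side-secret", b"hms-side-secret", bytes(range(16))
    from_nas = build(ACCESS_REQUEST, 7, nas_auth, [(1, b"alice@domain-a"),
                     (ATTR_USER_PASSWORD, hide_password(b"pa55", nas_secret, nas_auth))])
    at_nasta = nasta_request_preprocess(from_nas, nas_secret)
    to_hms, saved = hmsta_request_preprocess(at_nasta, hms_secret, new_ident=200)
    _, hms_ident, hms_auth, hms_attrs = parse(to_hms)
    hms_view = dict(hms_attrs)
    hms_reply = sign_reply(build(ACCESS_ACCEPT, hms_ident, hms_auth, []), hms_secret)  # the HMS answers
    to_nas = sign_reply(hmsta_reply_preprocess(hms_reply, hms_secret, hms_auth, saved), nas_secret)
    return {"plain_at_nasta": dict(parse(at_nasta)[3])[ATTR_USER_PASSWORD],
            "password_seen_by_hms": reveal_password(hms_view[ATTR_USER_PASSWORD], hms_secret, hms_auth),
            "hms_mac_ok": hmac.compare_digest(hms_view[ATTR_MESSAGE_AUTHENTICATOR], message_authenticator(to_hms, hms_secret, hms_auth)),
            "ident_to_hms": hms_ident, "ident_to_nas": parse(to_nas)[1],
            "nas_resp_auth_ok": hmac.compare_digest(parse(to_nas)[2], response_authenticator(to_nas, nas_auth, nas_secret))}
```

The translation agent necessarily holds the user password in the clear between step 1.) and step 6a, which is what makes the two shared secrets and the integrity checks in 7a/7b worth getting right: a wrong Response Authenticator or Message-Authenticator must stop the reply rather than be forwarded and re-signed under the NAS secret.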
According to the behaviour of the NASTA and HMSTA devices described by the FAIv1-NASREQ application protocol of the present invention, the message flow from the NAS sending an Access-Request message to its receiving an Access-Accept message is shown in Figure 2, and the concrete operation steps of each module of the NASTA and HMSTA devices are as follows:
a. The interface module of the NASTA listens on UDP ports 1812 and 1813 and receives an Access-Request message; it searches the pending message queue by message identifier and finds no message with the same identifier, so the Access-Request message is not a retransmission of a pending request; it searches the response message queue by message identifier and finds no response message with the same identifier, so the Access-Request message is not a retransmission of an answered request; it decrypts the User-Password attribute with the key shared between the NASTA and the NAS and replaces the original attribute with the plaintext; the message enters the pending message queue of the message processing module;
b. The message processing module of the NASTA encapsulates the Access-Request message newly entering the pending message queue in an AA-Request message and dispatches it, according to the destination service domain information (taken from the User-Name attribute of the RADIUS request message), to the interface of the end-to-end session already established in the protocol module for the corresponding service domain;
c. If the destination service domain is new, the message processing module requests the protocol module to establish a new end-to-end session; if the end-to-end session is established successfully, the AA-Request message is sent to this end-to-end session interface;
d. The protocol module of the NASTA, following the Diameter client functionality, sends the AA-Request message of the corresponding service domain over this end-to-end session;
e. The protocol module of the HMSTA, following the Diameter server functionality, receives the AA-Request message of the home service domain over the end-to-end session; the received AA-Request message enters the pending message queue of the message processing module;
f. The message processing module of the HMSTA waits for a new AA-Request message to enter the pending message queue, parses the Access-Request message out of the RADIUS AVP of the newly arrived AA-Request message and sends it to the interface module;
g. The interface module of the HMSTA encrypts the User-Password attribute of the Access-Request message with the key shared between the HMSTA and the HMS and replaces the original attribute with the ciphertext, saves the message identifier of the Access-Request message and replaces it with a new message identifier, calculates the Message-Authenticator attribute and replaces the original attribute, and then sends the message to the HMS; the sent Access-Request message is kept in the request message queue and retransmitted once every 5 seconds;
h. The interface module of the HMSTA receives an Access-Accept message from the HMS, searches the request message queue by message identifier, finds the message with the same identifier and dequeues the corresponding Access-Request message; it checks whether the Response Authenticator of the RADIUS response message is correct and, if not, sends an authentication-error reply error notification to the message processing module; it checks whether the Message-Authenticator attribute is correct and, if not, sends an authentication-error reply error notification to the message processing module; it decrypts the Tunnel-Password attribute with the key shared between the HMSTA and the HMS and replaces the original attribute with the plaintext; it restores the original message identifier and the original Request Authenticator; the processed Access-Accept message is sent to the message processing module;
i. The message processing module of the HMSTA encapsulates the Access-Accept message from the interface module in a RADIUS AVP, looks up the AA-Request message in the pending message queue by the RADIUS message identifier, dequeues the corresponding AA-Request message and generates an AA-Answer message from the AVP information of the AA-Request message; the generated AA-Answer message is sent to the protocol module;
j. The protocol module of the HMSTA sends the AA-Answer message to the NASTA over this end-to-end session;
k. The protocol module of the NASTA receives the AA-Answer message from the end-to-end session;
l. When the message processing module of the NASTA receives the AA-Answer message from the protocol module, it parses the Access-Accept message out of the RADIUS AVP; the corresponding Access-Request message is dequeued from the pending message queue and the Access-Accept message is sent to the interface module;
m. The interface module of the NASTA encrypts the Tunnel-Password attribute of the Access-Accept message from the message processing module with the key shared between the NASTA and the NAS and replaces the original attribute with the ciphertext; it calculates the Response Authenticator and replaces the Request Authenticator in the RADIUS response message with it; the processed Access-Accept message is sent to the corresponding NAS, and the sent Access-Accept message is kept in the response message queue for 5 seconds and then deleted automatically.
Claims (8)
1. A backward compatible authentication, authorization and accounting system network architecture, characterized in that the network architecture follows the network architecture specified in the "diameter" protocol formulated by the Internet Engineering Task Force and comprises a network access server translation agent (1), home server translation agents (2, 6, 11), relay agents (3, 7, 10), proxy agents (8, 9), a network access server (5) and a home authentication, authorization and accounting server (4); the network architecture is divided into service domain A, service domain B and service domain C according to the area served by each home authentication, authorization and accounting server, and into management domain I and management domain II according to the administrative jurisdiction; in service domain A the network access server (5) is directly connected to the network access server translation agent (1), and the home authentication, authorization and accounting server (4) is directly connected to the home server translation agent (2); the network access server translation agent (1), the home server translation agent (2) and the relay agent (3) are connected by a local network and can reach one another; a management domain comprises a plurality of service domains, and the home server translation agents (2, 6) and relay agents (3, 7) of service domain A and service domain B are connected by the management domain I network and can reach one another; the proxy agent (8) sits on the border between management domain I and the external network, and each home server translation agent (2, 6) and relay agent (3, 7) in management domain I is reached through it; the proxy agents (8, 9) of management domain I and management domain II are interconnected through the Internet.
2. The implementation method of the backward compatible authentication, authorization and accounting system network architecture according to claim 1, characterized in that the implementation method following the network architecture specified in the "diameter" protocol formulated by the Internet Engineering Task Force is:
1) in the implementation of the original "diameter" protocol, a network access server translation agent device and a home server translation agent device are introduced; they sit on the border between the "diameter" protocol network and the "radius" protocol network, perform the protocol conversion between "diameter" protocol messages and "radius" protocol messages, and conform to the implementation method for translation agents in the "diameter" protocol;
2) communication between the network access server translation agent and the home server translation agent follows the "diameter" protocol;
3) communication between the network access server translation agent and the network access server follows the "radius" protocol, and communication between the home server translation agent and the home authentication, authorization and accounting server follows the "radius" protocol;
4) the network access server translation agent and the home server translation agent are each divided by function into an interface module, a message processing module and a protocol module;
5) two "diameter" protocol messages, the AA-Request message and the AA-Answer message, are defined, with command code 265;
6) a "diameter" protocol attribute-value pair, called the RADIUS AVP, is defined for carrying "radius" protocol messages, with AVP code 255;
7) processing flow of the implementation method in the network access server translation agent: on receiving a "radius" protocol request message from the network access server, the network access server translation agent uses the user's home service domain information carried in the "radius" protocol request message to look up the end-to-end session established with the home server translation agent of the corresponding service domain; if no corresponding end-to-end session is found, the network access server translation agent initiates its establishment; after pre-processing, the "radius" protocol request message is encapsulated in the RADIUS AVP of an AA-Request message, the AA-Request message is sent to the home server translation agent over the end-to-end session, and the home server translation agent extracts the "radius" protocol request message from the RADIUS AVP and, after pre-processing, sends it to the home authentication, authorization and accounting server;
8) processing flow of the implementation method in the home server translation agent: on receiving a "radius" protocol response message from the home authentication, authorization and accounting server, the "radius" protocol response message is pre-processed and encapsulated in the RADIUS AVP of an AA-Answer message, the AA-Answer message is sent to the network access server translation agent over the end-to-end session, and the network access server translation agent extracts the "radius" protocol response message from the RADIUS AVP and, after pre-processing, sends it to the network access server.
3. The implementation method of the backward compatible authentication, authorization and accounting system network architecture according to claim 2, characterized in that the implementation method of the network access server translation agent is:
1) the interface module communicates with the network access server following the "radius" protocol:
1a. listen on ports 1812 and 1813 of the transport protocol and wait to receive "radius" protocol request messages; a "radius" protocol response message coming from the message processing module is reply-pre-processed by the interface module and sent to the corresponding network access server, and the sent "radius" protocol response message is kept in the response message queue for 5 seconds and then deleted automatically;
1b. on receiving a "radius" protocol request message, search the pending message queue by message identifier; if a message with the same identifier is found, this "radius" protocol request message is a retransmission of a pending request: discard it and return to step 1a;
1c. search the response message queue by message identifier; if a response message with the same identifier is found, this "radius" protocol request message is a retransmission of an already answered request: retransmit the corresponding "radius" protocol response message and return to step 1a;
1d. if the received "radius" protocol request message is not a retransmission, complete the request pre-processing of the "radius" protocol request message, place the request-pre-processed message in the pending message queue of the message processing module and return to step 1a;
2) the message processing module is responsible for the encapsulation and parsing between "radius" protocol messages and "diameter" protocol messages, and for the mapping between "diameter" protocol messages and end-to-end sessions:
2a. wait for a new message to enter the pending message queue; when an AA-Answer message is received from the protocol module, parse the "radius" protocol response message out of its RADIUS AVP; if the value of the Result-Code AVP in the AA-Answer message equals 2002, generate a "radius" protocol Access-Reject message as the "radius" protocol response message; dequeue the corresponding "radius" protocol request message from the pending message queue and send the resulting "radius" protocol response message (the Access-Reject, where one was generated) to the interface module;
2b. a "radius" protocol request message newly entering the pending message queue is encapsulated in an AA-Request message, and the AA-Request message is dispatched, according to the destination service domain information in the "radius" protocol request message, to the interface of the end-to-end session already established in the protocol module for the corresponding service domain; return to step 2a;
2c. for a new destination service domain, the message processing module requests the protocol module to establish a new end-to-end session; if the end-to-end session is established successfully, the AA-Request message is sent to this end-to-end session interface, otherwise the corresponding "radius" protocol request message is dequeued from the pending message queue and an Access-Reject message is generated and sent to the interface module; return to step 2a;
3) the protocol module implements the client functionality defined in the "diameter" protocol: at the request of the message processing module it establishes, by routing and relaying through the "diameter" protocol network, an end-to-end session with the home server translation agent of the destination service domain, sends and receives the AA-Request and AA-Answer messages of the corresponding service domain over this end-to-end session, and manages the end-to-end sessions according to the session management mechanism defined in the "diameter" protocol.
4. The implementation method of the backward compatible authentication, authorization and accounting system network architecture according to claim 2, characterized in that the implementation method of the home server translation agent is:
1) the interface module communicates with the home authentication, authorization and accounting server following the "radius" protocol:
3a. connect to ports 1812 and 1813 of the home authentication, authorization and accounting server over the transport protocol and wait to receive "radius" protocol response messages; a "radius" protocol request message coming from the message processing module is request-pre-processed by the interface module and sent to the home authentication, authorization and accounting server; the sent "radius" protocol request message is kept in the request message queue and retransmitted once every 5 seconds; after three retransmissions it is dequeued and the message processing module is notified;
3b. on receiving a "radius" protocol response message, search the request message queue by message identifier; if no message with the same identifier is found, discard the response message and return to step 3a;
3c. if a message with the same identifier is found in the request message queue, dequeue the corresponding "radius" protocol request message, complete the reply pre-processing of the "radius" protocol response message, send the reply-pre-processed message to the message processing module and return to step 3a;
2) the message processing module is responsible for the encapsulation and parsing between "radius" protocol messages and "diameter" protocol messages:
4a. wait for a new AA-Request message to enter the pending message queue; a "radius" protocol response message coming from the interface module is encapsulated in a RADIUS AVP; if a request timeout or reply error notification is received from the interface module, the corresponding "radius" protocol request message is encapsulated in the RADIUS AVP instead and the Result-Code AVP is set to the value 2002; the AA-Request message is looked up in the pending message queue by the RADIUS message identifier, the corresponding AA-Request message is dequeued, and an AA-Answer message is generated from the AVP information of the AA-Request message; the generated AA-Answer message is sent to the protocol module;
4b. parse the "radius" protocol request message out of the RADIUS AVP of the AA-Request message newly entering the pending message queue, send it to the interface module and return to step 4a;
3) the protocol module implements the server functionality defined in the "diameter" protocol: by routing and relaying through the "diameter" protocol network it establishes end-to-end sessions with network access server translation agents and manages them according to the session management mechanism defined in the "diameter" protocol; over these end-to-end sessions it sends the AA-Answer messages and receives the AA-Request messages of the home service domain, and each received AA-Request message enters the pending message queue of the message processing module.
5. The implementation method of the backward compatible authentication, authorization and accounting system network architecture according to claim 2, characterized in that the AA-Request message and AA-Answer message formats defined have a header that conforms to the message format defined in the "diameter" protocol network access server application, and:
1) both the AA-Request message and the AA-Answer message contain the RADIUS AVP;
2) when a protocol error occurs, the content of the RADIUS AVP in the AA-Answer message is identical to the content of the RADIUS AVP in the corresponding AA-Request message.
6. The implementation method of the backward compatible authentication, authorization and accounting system network architecture according to claim 2, characterized in that the RADIUS AVP defined has a header that conforms to the attribute-value pair format defined in the "diameter" protocol, and:
1) the M and P flags in the RADIUS AVP header are set to 1, indicating that the RADIUS AVP must be protected by encryption and digital signature;
2) the data portion of the RADIUS AVP is an octet string.
7. The implementation method of the backward compatible authentication, authorization and accounting system network architecture according to claim 3, characterized in that the interface module pre-processing in the implementation method of the network access server translation agent follows the methods defined in the "radius" protocol for attribute encryption and decryption, generation of the Request Authenticator, calculation of the Response Authenticator and calculation of the Message-Authenticator attribute:
1) request pre-processing: on receiving an Access-Request message, decrypt the User-Password attribute with the key shared between the network access server translation agent and the network access server, and replace the original attribute with the plaintext;
2) reply pre-processing:
5a. on receiving an Access-Accept message, encrypt the Tunnel-Password attribute with the key shared between the network access server translation agent and the network access server, and replace the original attribute with the ciphertext;
5b. calculate the Response Authenticator and replace the Request Authenticator in the "radius" protocol response message with it;
5c. calculate the Message-Authenticator attribute and replace the original attribute.
8. the implementation method of the authenticated authorization accounting system network configuration of back compatible according to claim 4, the preamble that it is characterized in that interface module preprocessing process in home server translation agency's the implementation method meets the encryption attribute that defines in " radius " agreement and the method for deciphering, generation and computation requests authentication code, calculating and inspection response authentication sign indicating number, calculating and inspection message authentication attribute
1) request preprocessing process:
6a. receive when inserting request message, use home server translation agency and local authentication mandate accounting server cipher key shared encrypting user password attribute, and replace former attribute with ciphertext;
6b. when receiving charging request message, the computation requests authentication code is replaced former request authentication sign indicating number; Other " radius " agreement request message is then preserved the request authentication sign indicating number, generates new request authentication sign indicating number and replaces former request authentication sign indicating number;
6c. preserve the message identifier of " radius " agreement request message, use new message identifier to replace former message identifier;
Replace former attribute 6d. calculate the message authentication attribute;
2) reply preprocessing process
7a. check whether the response authentication sign indicating number of " radius " agreement response message is correct, then send as authentication error and reply error notification to message processing module;
7b. check whether the message authentication attribute is correct, then send as authentication error and reply error notification to message processing module;
7c. receive when accepting message, use home server translation agency and local authentication mandate accounting server cipher key shared deciphering tunnel password attribute, and expressly to replace former attribute;
7d. recover former message identifier;
7e. recover former request authentication sign indicating number.
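The RADIUS computations that claim 8 relies on, namely user password hiding with the shared key (step 6a), the Request and Response Authenticator and the Message-Authenticator attribute (steps 6b, 6d, 7a and 7b), as an added Python example following RFC 2865 and RFC 2869; it is not code from the patent. The attribute layout, the `check_reply` return strings and the demo server function are assumptions of this example.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # RADIUS attribute type of Message-Authenticator (RFC 2869)

def build_packet(code, ident, auth, attrs):
    """Serialise Code, Identifier, Length, 16-octet Authenticator, then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def _password_xor(data, secret, req_auth, decrypting):
    """XOR 16-octet blocks with MD5(secret + previous block), chained from the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (data[i:i + 16] if decrypting else block), out + block
    return out

def encrypt_user_password(password, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding: zero-pad to a 16-octet multiple, then chain-XOR."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return _password_xor(padded, secret, req_auth, False)

def decrypt_user_password(cipher, secret, req_auth):
    """Inverse of encrypt_user_password; the zero padding is stripped."""
    return _password_xor(cipher, secret, req_auth, True).rstrip(b"\x00")

def message_authenticator(code, ident, auth, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute value zeroed (replies use the Request Authenticator)."""
    zeroed = [(t, b"\x00" * 16 if t == MSG_AUTH else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, auth, zeroed), hashlib.md5).digest()

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_packet(code, ident, req_auth, attrs) + secret).digest()

def check_reply(code, ident, resp_auth, attrs, req_auth, secret):
    """Steps 7a/7b: verify Response Authenticator, then Message-Authenticator if present (return strings are assumed)."""
    if not hmac.compare_digest(response_authenticator(code, ident, req_auth, attrs, secret), resp_auth):
        return "response authenticator error"
    for t, v in attrs:
        if t == MSG_AUTH and not hmac.compare_digest(v, message_authenticator(code, ident, req_auth, attrs, secret)):
            return "message authenticator error"
    return "ok"

def make_access_accept(ident, req_auth, attrs, secret):
    """Home AAA server side, constructed for the demo: append Message-Authenticator, then sign the reply."""
    attrs = list(attrs) + [(MSG_AUTH, b"\x00" * 16)]
    attrs[-1] = (MSG_AUTH, message_authenticator(2, ident, req_auth, attrs, secret))
    return response_authenticator(2, ident, req_auth, attrs, secret), attrs
```

The checks in `check_reply` run in the order the claim gives (response authenticator first), and a forwarding agent that changes identifier or secret per hop must recompute every value here, which is why steps 6b to 6d save the originals and steps 7d and 7e restore them.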
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB200610038500XA CN100464550C (en) | 2006-02-27 | 2006-02-27 | Network architecture of backward compatible authentication, authorization and accounting system and implementation method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1809072A CN1809072A (en) | 2006-07-26 |
CN100464550C true CN100464550C (en) | 2009-02-25 |
Family ID: 36840754
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB200610038500XA Expired - Fee Related CN100464550C (en) | 2006-02-27 | 2006-02-27 | Network architecture of backward compatible authentication, authorization and accounting system and implementation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100464550C (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101197838B (en) * | 2007-12-26 | 2012-12-05 | China United Network Communications Group Co., Ltd. (中国联合网络通信集团有限公司) | Authentication and authorization accounting system and method |
CN101222494B (en) * | 2007-12-29 | 2010-10-20 | Beijing University of Posts and Telecommunications (北京邮电大学) | Mobility managing system and method for layered AAA in mobile internet |
CN102656845B (en) | 2009-10-16 | 2015-04-01 | 泰克莱克股份有限公司 | Methods, systems, and computer readable media for providing diameter signaling router with integrated monitoring and/or firewall functionality |
WO2011100594A2 (en) | 2010-02-12 | 2011-08-18 | Tekelec | Methods, systems, and computer readable media for source peer capacity-based diameter load sharing |
US9537775B2 (en) | 2013-09-23 | 2017-01-03 | Oracle International Corporation | Methods, systems, and computer readable media for diameter load and overload information and virtualization |
US9888001B2 (en) | 2014-01-28 | 2018-02-06 | Oracle International Corporation | Methods, systems, and computer readable media for negotiating diameter capabilities |
US10951519B2 (en) | 2015-06-17 | 2021-03-16 | Oracle International Corporation | Methods, systems, and computer readable media for multi-protocol stateful routing |
US10554661B2 (en) | 2015-08-14 | 2020-02-04 | Oracle International Corporation | Methods, systems, and computer readable media for providing access network session correlation for policy control |
US9668134B2 (en) | 2015-08-14 | 2017-05-30 | Oracle International Corporation | Methods, systems, and computer readable media for providing access network protocol interworking and authentication proxying |
US10084755B2 (en) | 2015-08-14 | 2018-09-25 | Oracle International Corporation | Methods, systems, and computer readable media for remote authentication dial in user service (RADIUS) proxy and diameter agent address resolution |
US9668135B2 (en) | 2015-08-14 | 2017-05-30 | Oracle International Corporation | Methods, systems, and computer readable media for providing access network signaling protocol interworking for user authentication |
US9923984B2 (en) | 2015-10-30 | 2018-03-20 | Oracle International Corporation | Methods, systems, and computer readable media for remote authentication dial in user service (RADIUS) message loop detection and mitigation |
US11283883B1 (en) | 2020-11-09 | 2022-03-22 | Oracle International Corporation | Methods, systems, and computer readable media for providing optimized binding support function (BSF) packet data unit (PDU) session binding discovery responses |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1356812A (en) * | 2002-01-08 | 2002-07-03 | Guangdong Telecommunications Science and Technology Research Institute (广东省电信科学技术研究院) | Distributed authentication/charge server system and its implementation method |
EP1317159A1 (en) * | 2001-11-30 | 2003-06-04 | Motorola, Inc. | Authentication, authorisation and accounting for a roaming user terminal |
CN1429005A (en) * | 2001-12-25 | 2003-07-09 | ZTE Corporation, Shanghai Second Research Institute (深圳市中兴通讯股份有限公司上海第二研究所) | Wide-band network authentication, authorization and accounting method |
CN1464682A (en) * | 2002-06-24 | 2003-12-31 | Huawei Technologies Co., Ltd. (华为技术有限公司) | Method for implementing broad band pre-payment based on authentication, authorization and charging protocol |
Non-Patent Citations (4)
Title |
---|
Implementation scheme of AAA functions for open wireless access networks (开放无线接入网AAA功能实现方案). Shen Ping, Cao Xiuying. Journal on Communications (通信学报), Vol. 24, No. 3. 2003 * |
Principle and implementation of the RADIUS protocol in wireless LANs (无线局域网中RADIUS协议原理与实现). Zhu Kai, Cao Xiuying. Microcomputer Information (Measurement, Control and Automation) (微计算机信息(测控自动化)), Vol. 20, No. 9. 2004 * |
Also Published As
Publication number | Publication date |
---|---|
CN1809072A (en) | 2006-07-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| C17 | Cessation of patent right | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090225; Termination date: 20120227 |