Summary of the invention
In view of this, the present invention provides a RADIUS authentication device and method.
Specifically, the present invention is achieved through the following technical solutions:
A device for RADIUS authentication, applied on the load-balancing device of a RADIUS server cluster, the device comprising:
an uplink forwarding unit, for receiving the uplink message that a network access server (NAS) sends to the RADIUS server, adding the identification information of the NAS to the Proxy-State attribute of the uplink message, and, when the uplink message is the first Access-Request message, forwarding the first Access-Request message to the RADIUS server chosen according to a preset load-balancing policy;
a downlink forwarding unit, for receiving the downlink message returned by the RADIUS server, removing the Proxy-State attribute from the downlink message, and forwarding it to the corresponding NAS according to the NAS identification information carried in that Proxy-State attribute.
Further, the downlink message carries a RADIUS server identifier;
the uplink forwarding unit is also for:
when the uplink message is not the first Access-Request message, forwarding the uplink message to the corresponding RADIUS server according to the RADIUS server identifier carried in the uplink message.
Further, the downlink forwarding unit is also for:
receiving the Disconnect-Request/CoA-Request message that the RADIUS server initiates, and forwarding it to the corresponding NAS according to the NAS identification information carried in the State attribute of the Disconnect-Request/CoA-Request message;
the uplink forwarding unit is also for:
receiving the ACK/NAK message that the NAS sends in response to the Disconnect-Request/CoA-Request message, and forwarding it to the corresponding RADIUS server according to the RADIUS server identifier carried in the State attribute of the ACK/NAK message.
Further, the process by which the uplink forwarding unit forwards the first Access-Request message to the RADIUS server chosen according to the preset load-balancing policy comprises:
checking the load count of each RADIUS server, and forwarding the first Access-Request message to the RADIUS server with the lowest load count;
the uplink forwarding unit is also for:
after forwarding the first Access-Request message to the RADIUS server with the lowest load count, adding 1 to the load count of that RADIUS server;
the downlink forwarding unit is also for: when the downlink message is an accounting-stop response message, subtracting 1 from the load count of the corresponding RADIUS server.
A device for RADIUS authentication, applied on a RADIUS server, the device comprising:
an uplink receiving unit, for receiving the uplink message sent by a NAS and forwarded by the load-balancing device, the Proxy-State attribute of the uplink message carrying the identification information of the corresponding NAS;
a downlink sending unit, for sending to the load-balancing device the downlink message that responds to the uplink message, the Proxy-State attribute of the downlink message carrying the NAS identification information unchanged.
Further, the downlink sending unit is also for adding the server's own identifier to the State attribute of Access-Challenge messages and to the State attribute and Class attribute of Access-Accept messages before sending them to the load-balancing device.
Further, the downlink sending unit is also for adding the server's own identifier and the corresponding NAS identification information to the State attribute of Disconnect-Request/CoA-Request messages before sending them to the load-balancing device.
A method for RADIUS authentication, applied on the load-balancing device of a RADIUS server cluster, the method comprising:
receiving the uplink message that a network access server (NAS) sends to the RADIUS server, adding the identification information of the NAS to the Proxy-State attribute of the uplink message, and, when the uplink message is the first Access-Request message, forwarding the first Access-Request message to the RADIUS server chosen according to a preset load-balancing policy;
receiving the downlink message returned by the RADIUS server, removing the Proxy-State attribute from the downlink message, and forwarding it to the corresponding NAS according to the NAS identification information carried in that Proxy-State attribute.
Further, the downlink message carries a RADIUS server identifier;
the method also comprises:
when the uplink message is not the first Access-Request message, forwarding the uplink message to the corresponding RADIUS server according to the RADIUS server identifier carried in the uplink message.
Further, the method also comprises:
receiving the Disconnect-Request/CoA-Request message that the RADIUS server initiates, and forwarding it to the corresponding NAS according to the NAS identification information carried in the State attribute of the Disconnect-Request/CoA-Request message;
receiving the ACK/NAK message that the NAS sends in response to the Disconnect-Request/CoA-Request message, and forwarding it to the corresponding RADIUS server according to the RADIUS server identifier carried in the State attribute of the ACK/NAK message.
Further, the process of forwarding the first Access-Request message to the RADIUS server chosen according to the preset load-balancing policy comprises:
checking the load count of each RADIUS server, and forwarding the first Access-Request message to the RADIUS server with the lowest load count;
the method also comprises:
after forwarding the first Access-Request message to the RADIUS server with the lowest load count, adding 1 to the load count of that RADIUS server;
when the downlink message is an accounting-stop response message, subtracting 1 from the load count of the corresponding RADIUS server.
A method for RADIUS authentication, applied on a RADIUS server, the method comprising:
receiving the uplink message sent by a NAS and forwarded by the load-balancing device, the Proxy-State attribute of the uplink message carrying the identification information of the corresponding NAS;
sending to the load-balancing device the downlink message that responds to the uplink message, the Proxy-State attribute of the downlink message carrying the NAS identification information unchanged.
Further, the method also comprises:
adding the server's own identifier to the State attribute of Access-Challenge messages and to the State attribute and Class attribute of Access-Accept messages, and sending them to the load-balancing device.
Further, the method also comprises:
adding the server's own identifier and the corresponding NAS identification information to the State attribute of Disconnect-Request/CoA-Request messages, and sending them to the load-balancing device.
As can be seen from the above description, the present invention uses the provisions on RADIUS protocol messages in the RFC standards to achieve load balancing among the RADIUS server nodes of a RADIUS server cluster.
Embodiment
Please refer to Fig. 2, which is a schematic diagram of current RADIUS server cluster networking. To balance the load of RADIUS servers, the common practice today is to place a load-balancing device in front of the RADIUS server cluster; it collects the messages sent by all NASes, distributes them to the RADIUS server nodes in the cluster, and forwards the response messages returned by each node to the corresponding NAS. Keeping the data of the nodes in a RADIUS server cluster synchronized requires fairly complex technology and consumes considerable server resources, and that resource cost grows geometrically with the number of server nodes. In practice, therefore, the data of the nodes in a RADIUS server cluster is not synchronized in real time. To keep a user's whole session, from coming online to going offline, coherent, the load-balancing device must not only distribute load as evenly as possible across the RADIUS server nodes but also guarantee that every message of a user's authentication, authorization and accounting session is handled by the same RADIUS server.
Specifically, the load-balancing device assigns request messages from different NASes to different RADIUS servers according to the source IP address, and forwards the requests of different NASes through different ports. When a RADIUS server returns a response message to such a port, the load-balancing device forwards it to the corresponding NAS. In this way all messages sent by one NAS are forwarded to the same RADIUS server.
However, such a scheme has problems that are hard to avoid in practice. First, it is only suitable for networks with a large number of NAS devices and a fairly even number of access users per NAS. When there are few NAS devices, or the number of access users differs greatly between NAS devices, the load of the RADIUS servers cannot be balanced. Second, although some schemes add the source port number of the message to the source IP address as a load-distribution criterion, a NAS either sends all kinds of request messages from a fixed port number or uses completely random port numbers; it rarely assigns one fixed port number to the complete session of each access user, so the applicability of this improvement is also very limited. In addition, such a scheme cannot support a RADIUS server actively forcing a user offline or changing the user's authorization.
Some schemes also use a dedicated RADIUS protocol load-balancing device. RADIUS (Remote Authentication Dial In User Service) is the most common communication protocol between a NAS and an AAA server, used to complete the authentication, authorization and accounting of access users. A dedicated RADIUS protocol load-balancing device adds, on top of the source IP address judgement, a judgement on attributes that can identify the user, such as User-Name (1) and Calling-Station-Id (31) of the RADIUS protocol. Authentication requests for the same user or terminal sent by the same NAS are distributed to the same RADIUS server node, which to some extent relieves the uneven load distribution of the scheme above.
However, attributes that identify the user are not necessarily reliable. For example, in regions where public accounts are used there may be a large number of sessions with an identical User-Name, and in networks accessed over layer-3 technology the Calling-Station-Id attribute is either absent or a fixed value. Second, such a scheme combines content from three different layers, the network layer (source IP address of the NAS), the transport layer (source port chosen when forwarding) and the application layer (RADIUS message attributes), to achieve load balancing, which increases software complexity and also affects the processing efficiency of the load-balancing device. At the same time, to implement such a scheme the load-balancing device must maintain an online-user table keyed by the user identity attributes, with an entry created and deleted for each online user as they come online and go offline, and must look up this table on every forwarded message to determine the destination RADIUS server node. The resource overhead is very large and seriously affects the processing efficiency of the load-balancing device. In addition, such a scheme also cannot support a RADIUS server actively forcing a user offline or changing the user's authorization.
In view of this, the present invention provides a RADIUS authentication scheme that uses the provisions on RADIUS protocol messages in the RFC standards to achieve load balancing among the server nodes of a RADIUS server cluster.
Taking a software implementation as an example, the specific implementation of the present invention is described in detail below. The RADIUS authentication device provided by the present invention is applied on the load-balancing device and on each RADIUS server of the RADIUS server cluster respectively. As the carriers on which the device of the present invention runs, the hardware of the load-balancing device and of the RADIUS server normally includes at least a CPU, memory and non-volatile storage, and may of course also include hardware such as forwarding chips and I/O interfaces. Please refer to Fig. 3, Fig. 4 and Fig. 5: the device running on the load-balancing device includes an uplink forwarding unit and a downlink forwarding unit, and the device running on the RADIUS server includes an uplink receiving unit and a downlink sending unit. In an exemplary embodiment, these devices perform the following steps while running:
Step 101: the uplink forwarding unit of the load-balancing device receives the uplink message that the NAS sends to the RADIUS server, adds the identification information of the NAS to the Proxy-State attribute of the uplink message, and, when the uplink message is the first Access-Request message, forwards the first Access-Request message to the RADIUS server chosen according to the preset load-balancing policy.
Step 102: the uplink receiving unit of the RADIUS server receives the uplink message sent by the NAS and forwarded by the load-balancing device; the Proxy-State attribute of the uplink message carries the identification information of the corresponding NAS.
Step 103: the downlink sending unit of the RADIUS server sends the downlink message responding to the uplink message to the load-balancing device; the Proxy-State attribute of the downlink message carries the NAS identification information unchanged.
Step 104: the downlink forwarding unit of the load-balancing device receives the downlink message returned by the RADIUS server, removes the Proxy-State attribute from the downlink message, and forwards it to the corresponding NAS according to the NAS identification information carried in that Proxy-State attribute.
RFC 2865 specifies attribute No. 33, Proxy-State, of the Attributes field of a RADIUS message as follows: a server acting as a proxy may add this attribute when forwarding a request, the destination server must return this attribute unchanged in its response, and the proxy server removes this attribute when responding to the NAS. The present invention has the load-balancing device emulate a RADIUS proxy server, with each RADIUS server in the RADIUS server cluster being a destination server that this load-balancing device accesses.
Specifically, when the load-balancing device receives the first request message, an Access-Request, sent by a NAS, it chooses a destination RADIUS server according to the preset load-balancing policy and forwards the first Access-Request message to that destination RADIUS server, thereby balancing the load. At the same time, when the load-balancing device sends the first Access-Request message and other kinds of request messages to the RADIUS server, it adds the No. 33 Proxy-State attribute and carries in it the NAS information corresponding to the request message, for example the IP address and port of the NAS. When the load-balancing device receives the response message returned by the RADIUS server, it reads the NAS information from the No. 33 Proxy-State attribute returned unchanged in the message, removes this Proxy-State attribute from the response message and forwards it to the corresponding NAS. In this way the request messages sent by the same NAS are always kept on one RADIUS server.
The preset load-balancing policy checks the load count of each RADIUS server; in one exemplary embodiment of the present invention, the first Access-Request message is forwarded to the RADIUS server with the lowest load count. Specifically, the load-balancing device may maintain locally the load count of each RADIUS server in the RADIUS server cluster. The load count represents the number of user sessions, sent by NASes, that the RADIUS server is currently handling. After the uplink forwarding unit forwards the first Access-Request message to the RADIUS server with the lowest load count, it adds 1 to the load count of that RADIUS server; when the downlink message is an accounting-stop response message, the downlink forwarding unit subtracts 1 from the load count of the corresponding RADIUS server. Recording the load of a RADIUS server by a load count is simple and does not consume many resources of the load-balancing device. Of course, those skilled in the art may also adopt other known load-balancing policies, and the present invention places no particular restriction on this.
Further, when the RADIUS server sends a downlink response message it carries its own identifier in the downlink message. In this way, when the load-balancing device receives the various request messages subsequently sent by the NAS, it can forward them to the corresponding RADIUS server according to the RADIUS server identifier carried in the message, and the load-balancing device does not need to maintain locally a mapping between NASes and RADIUS servers.
Specifically, the present invention uses the provision of RFC 2865 on attribute No. 24, State, of the Attributes field of a RADIUS message: if a State attribute appears in the Access-Challenge message (Code=11) that the RADIUS server returns for a user being authenticated at the NAS, the NAS must carry this attribute unchanged in that user's subsequent Access-Request message. It also uses the provision of RFC 2865 on attribute No. 25, Class: if a Class attribute appears in the Access-Accept message (Code=2) that the server returns for a user being authenticated at the NAS, the NAS must carry this attribute unchanged in all of that user's subsequent Accounting-Request messages (Code=4). Accordingly, the downlink sending unit of the RADIUS server adds the server's own identifier to the No. 24 State attribute of the Access-Challenge message and to the No. 24 State attribute and No. 25 Class attribute of the Access-Accept message, so that when the NAS subsequently sends Access-Request and Accounting-Request messages, their State or Class attribute carries the RADIUS server identifier. The load-balancing device can then forward the Access-Request and Accounting-Request messages to the corresponding RADIUS server according to this RADIUS server identifier. The RADIUS server identifier includes, but is not limited to, the RADIUS server IP address or any other attribute that identifies the RADIUS server.
Further, the technical scheme provided by the present invention also supports a RADIUS server actively forcing a user offline or changing the user's authorization. Specifically, according to the provision of RFC 3576 on attribute No. 24, State, of the Attributes field of a RADIUS message: if a State attribute appears in the Disconnect-Request/CoA-Request message (Code=40/43) that the server sends for a user authenticated at the NAS, the NAS must carry it unchanged in the ACK or NAK message (Code=41/42/44/45) it returns for that user. The RADIUS server can therefore, when issuing a Disconnect-Request/CoA-Request message, add its own identifier and the corresponding NAS identification information to the No. 24 State attribute before sending the message to the load-balancing device. The load-balancing device forwards the message to the corresponding NAS according to that NAS identification information. When the load-balancing device receives the ACK or NAK response message sent by the NAS, it forwards it to the corresponding RADIUS server according to the RADIUS server identifier carried unchanged in the No. 24 State attribute of the ACK or NAK response message, thereby completing the forced-offline or change-of-authorization procedure.
The present invention is described below with an actual RADIUS authentication flow. Please refer to Fig. 6; in an exemplary embodiment, the RADIUS authentication flow provided by the present invention comprises the following steps:
Step 601: the user comes online, and the NAS sends the first Access-Request authentication request message to the load-balancing device.
Step 602: the load-balancing device adds the identification information of the NAS to the No. 33 Proxy-State attribute of the first Access-Request authentication request message, forwards the first Access-Request authentication request message to the RADIUS server whose current load count is lowest, and then adds 1 to the load count it maintains locally for that RADIUS server.
Step 603: the RADIUS server responds with an Access-Challenge message to the load-balancing device, requiring the NAS to continue uploading information; it carries its own identifier in the No. 24 State attribute of the Access-Challenge message, while the NAS identification information carried in the No. 33 Proxy-State attribute stays unchanged.
Step 604: after receiving the Access-Challenge message, the load-balancing device removes the No. 33 Proxy-State attribute from the Access-Challenge message and forwards it to the corresponding NAS according to the NAS identification information carried in that No. 33 Proxy-State attribute; in this process the RADIUS server identifier carried in the No. 24 State attribute of the Access-Challenge message stays unchanged.
Step 605: the NAS sends another Access-Request message to the load-balancing device; the RADIUS server identifier carried in the No. 24 State attribute of this Access-Request message stays unchanged.
Step 606: the load-balancing device adds the NAS identification information to the No. 33 Proxy-State attribute of this Access-Request message and forwards it to the corresponding RADIUS server according to the RADIUS server identifier carried in the Access-Request message.
Step 607: if the RADIUS server verifies the user information successfully, it sends an Access-Accept message to the load-balancing device, adding its own identifier to the No. 24 State attribute and No. 25 Class attribute of the Access-Accept message, while the NAS identification information carried in the No. 33 Proxy-State attribute stays unchanged. If verification fails, it sends an Access-Reject message to the load-balancing device, and the NAS identification information carried in the No. 33 Proxy-State attribute of the Access-Reject message stays unchanged.
Step 608: the load-balancing device removes the No. 33 Proxy-State attribute from the Access-Accept or Access-Reject message and forwards it to the corresponding NAS according to the NAS identification information carried in that No. 33 Proxy-State attribute; in this process the RADIUS server identifier carried in the No. 24 State attribute and No. 25 Class attribute of the Access-Accept message stays unchanged.
Step 609: after receiving the Access-Accept message, the NAS sends an accounting-start Accounting-Request(start) message to the load-balancing device; the No. 25 Class attribute of the Accounting-Request(start) message carries the RADIUS server identifier unchanged.
Step 610: the load-balancing device adds the NAS identification information to the No. 33 Proxy-State attribute of the Accounting-Request(start) message and forwards it to the corresponding RADIUS server according to the RADIUS server identifier carried in the No. 25 Class attribute of the Accounting-Request(start) message.
Step 611: the RADIUS server sends an Accounting-Response(start) message to the load-balancing device; the NAS identification information carried in the No. 33 Proxy-State attribute of the Accounting-Response(start) message stays unchanged.
Step 612: the load-balancing device removes the No. 33 Proxy-State attribute from the Accounting-Response(start) message and forwards it to the corresponding NAS according to the NAS identification information carried in that No. 33 Proxy-State attribute.
Step 613: the user goes offline, and the NAS device sends an accounting-stop Accounting-Request(stop) message to the load-balancing device; the No. 25 Class attribute of the Accounting-Request(stop) message carries the RADIUS server identifier unchanged.
Step 614: the load-balancing device adds the NAS identification information to the No. 33 Proxy-State attribute of the Accounting-Request(stop) message and forwards it to the corresponding RADIUS server according to the RADIUS server identifier carried in the No. 25 Class attribute of the Accounting-Request(stop) message.
Step 615: the RADIUS server sends an Accounting-Response(stop) message to the load-balancing device; the NAS identification information carried in the No. 33 Proxy-State attribute of the Accounting-Response(stop) message stays unchanged.
Step 616: the load-balancing device removes the No. 33 Proxy-State attribute from the Accounting-Response(stop) message and forwards it to the corresponding NAS according to the NAS identification information carried in that No. 33 Proxy-State attribute, and subtracts 1 from the load count of that RADIUS server.
Please refer to Fig. 7; in one embodiment of the present invention, the process by which the RADIUS server forces a user offline or changes the user's authorization comprises:
Step 701: the RADIUS server sends a Disconnect-Request/CoA-Request message to the load-balancing device, after carrying its own identifier and the corresponding NAS identification information in the No. 24 State attribute of the Disconnect-Request/CoA-Request message.
Step 702: the load-balancing device forwards the Disconnect-Request/CoA-Request message to the corresponding NAS according to the NAS identification information carried in the No. 24 State attribute.
Step 703: the NAS sends an ACK or NAK message in response to the Disconnect-Request/CoA-Request message; the No. 24 State attribute of the ACK or NAK message carries the RADIUS server identifier and NAS identification information unchanged.
Step 704: the load-balancing device forwards the ACK or NAK message to the corresponding RADIUS server according to the RADIUS server identifier carried in the No. 24 State attribute.
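The following simulation is an added example, not code from the patent or from any product, showing the load-balancing device and RADIUS server behaviour described in the embodiment above: the balancer tags uplink messages with the NAS identity in Proxy-State (33), picks the least-loaded server for a first Access-Request, routes follow-up messages by the server identifier the server placed in State (24) and Class (25), strips Proxy-State on the way back, and routes Disconnect/CoA messages in both directions by the State attribute. The packet layout is the real RADIUS header and TLV attribute format with a zeroed authenticator; the server identifiers, the "server|nas" encoding of State in Disconnect-Request, and the use of the packet Identifier to recognise the accounting-stop response are constructed assumptions for the example.

```python
import struct

# RADIUS codes and attribute types used by the scheme (values from RFC 2865 / RFC 3576)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
STATE, CLASS, PROXY_STATE, ACCT_STATUS_TYPE = 24, 25, 33, 40
ACCT_START, ACCT_STOP = b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"

def encode(code, ident, attrs):
    """Minimal RADIUS packet: 4-byte header, zeroed authenticator, TLV attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def decode(pkt):
    """Return (code, identifier, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, attrs

def get(attrs, t):
    return next((v for a, v in attrs if a == t), None)

class LoadBalancer:
    """Plays the RFC 2865 proxy: Proxy-State names the NAS, State/Class name the server."""
    def __init__(self, servers):
        self.load = {s: 0 for s in servers}   # per-server load count kept on the balancer
        self.stopping = set()                 # (server, identifier) of in-flight Accounting-Stop

    def uplink(self, nas, pkt):
        """NAS -> server: pick the server, add Proxy-State(33), return (server, packet)."""
        code, ident, attrs = decode(pkt)
        sid = get(attrs, STATE) or get(attrs, CLASS)
        if code == ACCESS_REQUEST and sid is None:      # first Access-Request of a session
            server = min(self.load, key=self.load.get)  # least-loaded server
            self.load[server] += 1
        else:                                            # follow-up: server id echoed by the NAS
            server = sid.decode()
        if code == ACCOUNTING_REQUEST and get(attrs, ACCT_STATUS_TYPE) == ACCT_STOP:
            self.stopping.add((server, ident))           # assumption: match the stop by Identifier
        return server, encode(code, ident, attrs + [(PROXY_STATE, nas.encode())])

    def downlink(self, server, pkt):
        """server -> NAS: read Proxy-State, strip it, return (nas, packet)."""
        code, ident, attrs = decode(pkt)
        nas = get(attrs, PROXY_STATE).decode()
        if code == ACCOUNTING_RESPONSE and (server, ident) in self.stopping:
            self.stopping.discard((server, ident))
            self.load[server] -= 1                       # the session has ended
        return nas, encode(code, ident, [a for a in attrs if a[0] != PROXY_STATE])

    def coa_to_nas(self, pkt):
        """Server-initiated Disconnect/CoA: route by the NAS id the server put in State(24)."""
        return get(decode(pkt)[2], STATE).decode().split("|")[1], pkt

    def coa_to_server(self, pkt):
        """NAS ACK/NAK: route by the server id echoed back in State(24)."""
        return get(decode(pkt)[2], STATE).decode().split("|")[0], pkt

class RadiusServer:
    def __init__(self, sid):
        self.sid = sid                                   # constructed server identifier

    def handle(self, pkt):
        code, ident, attrs = decode(pkt)
        echo = [(PROXY_STATE, get(attrs, PROXY_STATE))]   # Proxy-State returned unchanged
        me = self.sid.encode()
        if code == ACCESS_REQUEST and get(attrs, STATE) is None:
            return encode(ACCESS_CHALLENGE, ident, echo + [(STATE, me)])
        if code == ACCESS_REQUEST:
            return encode(ACCESS_ACCEPT, ident, echo + [(STATE, me), (CLASS, me)])
        return encode(ACCOUNTING_RESPONSE, ident, echo)

    def disconnect(self, nas):
        """Step 701: State carries 'server|nas' so the balancer can route both ways."""
        return encode(DISCONNECT_REQUEST, 9, [(STATE, f"{self.sid}|{nas}".encode())])

def run_session(lb, servers, nas, ident):
    """Steps 601-616 for one user on `nas`; returns the server used in each of the 4 exchanges."""
    def exchange(req):
        server, fwd = lb.uplink(nas, req)
        _, resp = lb.downlink(server, servers[server].handle(fwd))
        return server, decode(resp)[2]
    s1, attrs = exchange(encode(ACCESS_REQUEST, ident, []))                              # 601-604
    s2, attrs = exchange(encode(ACCESS_REQUEST, ident, [(STATE, get(attrs, STATE))]))    # 605-608
    cls = [(CLASS, get(attrs, CLASS))]
    s3, _ = exchange(encode(ACCOUNTING_REQUEST, ident, cls + [(ACCT_STATUS_TYPE, ACCT_START)]))  # 609-612
    s4, _ = exchange(encode(ACCOUNTING_REQUEST, ident, cls + [(ACCT_STATUS_TYPE, ACCT_STOP)]))   # 613-616
    return [s1, s2, s3, s4]
```

Note that the balancer keeps no per-user table: the only state it holds is one integer per server plus the identifiers of accounting-stop requests awaiting a response.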
As can be seen from the above description, the present invention uses the provisions on RADIUS protocol messages in the RFC standards to achieve load balancing among the RADIUS server nodes of a RADIUS server cluster.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.