Detailed description of embodiments
Exemplary embodiments are described in detail here, and examples thereof are illustrated in the accompanying drawings. In the following description, when the accompanying drawings are referred to, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this disclosure. On the contrary, they are merely examples of devices and methods consistent with some aspects of the disclosure as described in detail in the appended claims.
The terms used in the disclosure are merely for the purpose of describing specific embodiments and are not intended to limit the disclosure. The singular forms "a", "said" and "the" used in the disclosure and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more associated listed items.
It should be understood that, although the terms first, second, third, etc. may be used in the disclosure to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the disclosure, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
Figure 1A shows L2TP access networking under a control/forwarding separation architecture. In Figure 1A, the control server serves both as the control-plane device LAC-CP of the LAC and as the control-plane device LNS-CP of the LNS; that is, LAC-CP and LNS-CP are the same control server.
After LAC-UP10 receives an authentication message sent by a user terminal, LAC-UP10 may send the authentication message to control server 10, and control server 10 sends the authentication message to authentication server 10 for authentication. Control server 10 receives the authorization information issued by authentication server 10, and generates a LAC user entry based only on the LAC-supported authorization information in that authorization information.
After the L2TP tunnel between LAC-UP10 and LNS-UP10 is established, LAC-UP10 may send the user information of the user terminal to LNS-UP10 over the L2TP tunnel, and LNS-UP10 sends an authentication message carrying the user information to control server 10. After receiving the authentication message carrying the user information from LNS-UP10, control server 10 sends the authentication message to authentication server 10. Control server 10 may receive the authorization information sent by authentication server 10 after authentication succeeds, and generate an LNS user entry based only on the LNS-supported authorization information in that authorization information.
As can be seen from the above description, in the scenario where LAC-UP and LNS-UP share the same control server, when a user terminal accesses the network, the control server not only sends the authentication message from LAC-UP to the authentication server for authentication, but also sends the authentication message from LNS-UP to the authentication server for authentication. When a large number of L2TP user terminals access the network, a large number of authentication messages are generated, and this double-authentication mechanism doubles the number of authentication messages received by the control server, which on the one hand causes packet congestion and on the other hand substantially reduces the device performance of the control server.
In view of this, the disclosure proposes an authentication method: after receiving an authentication message sent by LNS-UP, if the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server may, instead of sending the authentication message from the LNS-UP to the authentication server for authentication, generate the LNS user entry corresponding to the user information carried in the authentication message from the LAC user entry corresponding to that user information.
In the shared control server scenario, the control server need not send the authentication message from LNS-UP to the authentication server for authentication, but generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
Before introducing the authentication method of the disclosure, some concepts involved in the disclosure are introduced first.
The above control server may be a physical server or a virtual machine. It mainly serves as a control-plane device performing control functions, for example processing protocol messages sent by the forwarding device LAC-UP of the LAC and/or the forwarding device LNS-UP of the LNS.
The control server may simultaneously serve as the control-plane device LAC-CP of a certain LAC and the control-plane device LNS-CP of a certain LNS, or may serve only as the control-plane device LAC-CP of a certain LAC, or may serve only as the control-plane device LNS-CP of a certain LNS.
Of course, one part of the resources of the control server may simultaneously serve as the control-plane device LAC-CP of a certain LAC and the control-plane device LNS-CP of a certain LNS, while another part of the resources serves only as the control-plane device LAC-CP of another LAC, or only as the control-plane device LNS-CP of another LNS.
For example, assume that the resources of control server 1 can be divided into three parts: the first part of the resources serves simultaneously as LAC-CP1 and LNS-CP1, the second part of the resources serves only as LAC-CP2, and the third part of the resources serves only as LNS-CP3.
The above LAC-UP refers to the forwarding device of the LAC, which may be a device having a user access function, for example a NAS device or a BRAS device. This is only an exemplary illustration and is not specifically limited here.
The above LNS-UP refers to the forwarding device of the LNS, which may be a BRAS device, a NAS device, etc. This is only an exemplary illustration and is not specifically limited here.
It should be noted that LAC-UP may be a separate device, and LNS-UP may also be a separate device. For example, as shown in Figure 1A, LAC-UP10 is a separate device and LNS-UP10 is also a separate device.
Of course, LAC-UP and LNS-UP may also be the same device. For example, as shown in Figure 1B, the LTS (L2TP Tunnel Switch) device in Figure 1B is both a LAC-UP device and an LNS-UP device. For LAC-UP11, the LTS device is an LNS-UP device, and for LNS-UP11, the LTS device is a LAC-UP device.
Referring to Fig. 2, Fig. 2 is a flow chart of an authentication method shown in an exemplary embodiment of the disclosure. The method may be applied to a control server and may include the following steps.
Before introducing the steps of the authentication procedure of the disclosure, the LAC user entry is introduced first.
1) The LAC user entry of the disclosure.
The LAC user entry of the disclosure may be as shown in Table 1.
Table 1
Of course, Table 1 only shows the main content of the LAC user entry; the LAC user entry may also include other content, such as the user access port, the entry sequence number and other extensions. This is only an exemplary illustration and is not specifically limited here.
The disclosure adds a shared tag field, for example a free-auth field, to the LAC user entry. When the value of the shared tag field is a first preset value, it indicates that LAC-UP and the peer LNS-UP share the same control server; when the value of the shared tag field is not the first preset value, for example when it is a second preset value, it indicates that LAC-UP and the peer LNS-UP do not share the same control server.
In addition, the authorization information in a traditional LAC user entry is only the authorization information supported by the LAC, whereas the authorization information in the LAC user entry provided by the disclosure includes the authorization information supported by LAC but not by LNS, the authorization information supported by both LAC and LNS, the authorization information supported by neither LAC nor LNS, and the authorization information not supported by LAC but supported by LNS.
The purpose of doing so is essentially to adapt to the procedure of the disclosure. Further, in the disclosure, after the control server determines that the above LNS-UP and the peer LAC-UP share this control server, the control server does not need to send the authentication message from LNS-UP to the authentication server for authentication, but generates the LNS user entry based on the LNS-supported authorization information recorded in the LAC user entry corresponding to the user information in the authentication message.
Therefore, when the LAC user entry is generated, the authorization information supported by LAC but not by LNS, the authorization information supported by both LAC and LNS, the authorization information supported by neither LAC nor LNS, and the authorization information not supported by LAC but supported by LNS are all recorded, so that the LNS user entry can be generated from the LAC user entry without authenticating the authentication message sent by LNS-UP.
2) How the above LAC user entry is generated.
After LAC-UP receives an authentication message sent by a user terminal (for convenience of description, the authentication message that LAC-UP receives from the user terminal is referred to here as the second authentication message), LAC-UP may send the second authentication message to the control server, and the control server may send the second authentication message to the authentication server for authentication.
After authentication succeeds, the authentication server may issue authorization information to the control server. The authorization information issued by the authentication server includes: the authorization information supported by LAC but not by LNS, the authorization information supported by both LAC and LNS, the authorization information supported by neither LAC nor LNS, and the authorization information not supported by LAC but supported by LNS.
In addition, when the overall L2TP service deployment is planned, the developer configures on this control server the correspondence between the LAC-UPs and LNS-UPs that share this control server. The control server looks up, in this correspondence, the LNS-UP corresponding to the LAC-UP. If one is found, it indicates that the LAC-UP and the found LNS-UP share this control server, and the control server may set the value of the shared tag field to the first preset value. If none is found, it indicates that no LNS-UP shares this control server with this LAC-UP, and the control server may set the value of the shared tag field to the second preset value.
Here, the first preset value indicates that the LAC-UP and the found LNS-UP share this control server, and the second preset value indicates that no LNS-UP shares this control server with the LAC-UP.
Then, the control server generates the LAC user entry corresponding to the user information based on the authorization information issued by the authentication server, the shared tag field and its value, and the user information carried in the second authentication message.
Then, LAC-UP may send the user information carried in the second authentication message to LNS-UP. LNS-UP may construct an authentication message based on the user information (for convenience of description, the authentication message constructed by LNS-UP is denoted here as the first authentication message). LNS-UP then sends the first authentication message to the control server.
The control server performs step 201 to step 202.
Step 201: The control server receives a first authentication message from LNS-UP; the first authentication message carries user information.
Here, the user information refers to information that uniquely identifies a user, and may include a user name, the MAC address of the user terminal, a combination of the two, etc. The user information is only exemplified here and is not specifically limited.
Step 202: The control server detects whether the LNS-UP and the peer LAC-UP share this control server; here, the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP.
In implementation, the control server may look up, in the locally recorded LAC user table, the LAC user entry that contains the user information carried in the first authentication message.
Then the value of the shared tag field of that LAC user entry is checked.
If the value of the shared tag field of the LAC user entry is the first preset value, it is determined that the LNS-UP and the peer LAC-UP share this control server.
If the value of the shared tag field of the LAC user entry is the second preset value, it is determined that the LNS-UP and the peer LAC-UP do not share this control server.
Here, the first preset value indicates that the LNS-UP and the peer LAC-UP share this control server;
the second preset value indicates that the LNS-UP and the peer LAC-UP do not share this control server.
Step 203: If so, the control server generates the LNS user entry corresponding to the user information based on the already recorded LAC user entry corresponding to the user information.
In the embodiments of the disclosure, after the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server refrains from sending the first authentication message to the authentication server for authentication, and discards the first authentication message.
In addition, the control server may generate the LNS user entry corresponding to the user information based on the LNS-supported authorization information recorded in the found LAC user entry (the authorization attributes not supported by LAC but supported by LNS, and the authorization attributes supported by both LAC and LNS) and the user information carried in the first authentication message.
In addition, after generating the LNS user entry corresponding to the user information carried in the first authentication message, the control server may also delete the authorization information not supported by LAC that is recorded in the found LAC user entry (for example, the authorization information supported by neither LAC nor LNS, and the authorization information not supported by LAC but supported by LNS).
In the embodiments of the disclosure, after the control server determines that the LNS-UP and the peer LAC-UP do not share this control server, the control server may send the first authentication message to the authentication server for authentication. After authentication succeeds, the control server receives the authorization information issued by the authentication server, and then generates the LNS user entry corresponding to the user information based on that authorization information and the user information carried in the first authentication message.
As can be seen from the above description, after receiving the authentication message sent by LNS-UP, if the control server determines that the LNS-UP and the peer LAC-UP share this control server, the control server may, instead of sending the authentication message from the LNS-UP to the authentication server for authentication, generate the LNS user entry corresponding to the user information from the LAC user entry corresponding to the user information carried in the authentication message.
In the shared control server scenario, the control server need not send the authentication message from LNS-UP to the authentication server for authentication, but generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
The authentication method provided by the disclosure is described in detail below with reference to Fig. 3.
In Fig. 3, LAC-UP31 and LNS-UP31 share CP31 (CP31 is the control server described herein). CP31 is connected to LAC-UP31 through VXLAN tunnel 31, and CP31 is connected to LNS-UP31 through VXLAN tunnel 32. CP31 is connected to the authentication server.
Assume that the user name of user terminal 31 is test1 and the MAC address of the user terminal is 1-1-1.
After LAC-UP31 receives the authentication message sent by user terminal 31, the authentication message may be sent to the authentication server for authentication. The authentication message carries the user information of user terminal 31, for example the user name test1 of user terminal 31 and the MAC address 1-1-1 of the user terminal.
After the authentication server successfully authenticates the user information, the authentication server may issue authorization information. The issued authorization information includes the authorization information supported by LAC but not by LNS, the authorization information not supported by LAC but supported by LNS (such as the IP address and the IPv6 address), the authorization information supported by both LAC and LNS (such as the bandwidth Car attribute), and the authorization information supported by neither LAC nor LNS.
In addition, when the overall L2TP service deployment is planned, the developer configures on CP31 the correspondence between the LAC-UPs and LNS-UPs that share CP31. After CP31 receives the above authentication message sent by LAC-UP31, CP31 may look up, in the correspondence between the LACs and LNSs sharing this CP31, whether an LNS-UP corresponding to LAC-UP31 exists. If one is found, the value of the shared field, the free-auth field, is set to Y. If none is found, the value of the free-auth field is set to N.
In this example, since LAC-UP31 and LNS-UP31 share this CP31, the value of the free-auth field is set to Y.
Then, CP31 may generate LAC user entry 31 corresponding to user terminal 31 based on the authorization information issued by the above authentication server, the user information of user terminal 31, and the free-auth field and its value. LAC user entry 31 may be as shown in Table 2.
Table 2
Here, SeqNum indicates the sequence number of this user entry;
Interface indicates the interface on which the authentication message was received;
Username is the user name, and MAC-Address is the MAC address of the user terminal;
IP-address, ipv6-address and Car (bandwidth) are the authorization information issued by the authentication server;
Free-auth is the shared field;
Role indicates the attribute of the entry, for example whether the entry is a LAC user entry or an LNS user entry.
Of course, the entry also includes other authorization information issued by the authentication server; this is only an exemplary illustration and is not specifically limited here.
Then, LAC-UP31 may negotiate with LNS-UP31 to establish an L2TP tunnel. After the L2TP tunnel is established, LAC-UP31 may send the user information of user terminal 31 to LNS-UP31 over the L2TP tunnel.
After receiving the user information of user terminal 31, LNS-UP31 may construct an authentication message carrying the user information of user terminal 31. Then, LNS-UP31 may send the constructed authentication message to CP31 through VXLAN tunnel 32.
After receiving the authentication message sent by LNS-UP31, CP31 may look up, in the LAC user table, LAC user entry 31 containing the user information of user terminal 31.
Then CP31 checks whether the value of the shared field, the free-auth field, of LAC user entry 31 is Y.
If the value of the free-auth field of LAC user entry 31 is Y, it indicates that LAC-UP31 and LNS-UP31 share CP31.
If the value of the free-auth field of LAC user entry 31 is not Y (for example, N), it indicates that LAC-UP31 and LNS-UP31 do not share CP31.
1) When the value of the free-auth field of LAC user entry 31 is Y, CP31 may generate LNS user entry 31 based on LAC user entry 31 (for example, Table 1).
In an optional implementation, CP31 may generate LNS user entry 31 based on the LNS-supported authorization information in LAC user entry 31 and the user information of user terminal 31, and delete the authorization information not supported by LAC from LAC user entry 31.
For example, for the authorization information in LAC user entry 31 that is supported by LAC but not by LNS (denoted here as authorization information 1), CP31 does not use the value of authorization information 1 in LAC user entry 31 as the value corresponding to authorization information 1 in the LNS entry.
For the authorization information in LAC user entry 31 that is not supported by LAC but supported by LNS (denoted here as authorization information 2), CP31 may use the value of authorization information 2 in LAC user entry 31 as the value of authorization information 2 in LNS user entry 31. Meanwhile, CP31 may delete the value of authorization information 2 from LAC user entry 31.
For example, the values of IP-address and ipv6-address in LAC user entry 31 are used as the values of IP-address and ipv6-address in LNS user entry 31, and the values of IP-address and ipv6-address in LAC user entry 31 are then deleted.
For the authorization information in LAC user entry 31 that is supported by neither LAC nor LNS (denoted here as authorization information 3), CP31 does not use the value of authorization information 3 in LAC user entry 31 as the value corresponding to authorization information 3 in the LNS entry. Meanwhile, CP31 may delete the value of authorization information 3 from LAC user entry 31.
For the authorization information in LAC user entry 31 that is supported by both LAC and LNS (denoted here as authorization information 4), CP31 may use the value of authorization information 4 in LAC user entry 31 as the value corresponding to authorization information 4 in the LNS entry.
For example, the value of Car in LAC user entry 31 is used as the value of Car in LNS user entry 31.
The generated LNS user entry 31 for user terminal 31 is as shown in Table 3.
Table 3
Here, SeqNum indicates the sequence number of this user entry;
Interface indicates the interface on which the authentication message was received;
Username is the user name, and MAC-Address is the MAC address of the user terminal;
IP-address, ipv6-address and Car (bandwidth) are the LNS-supported authorization information issued by the authentication server;
Free-auth is the shared field;
Role indicates the attribute of the entry, for example whether the entry is a LAC user entry or an LNS user entry.
Of course, the entry also includes other authorization information issued by the authentication server; this is only an exemplary illustration and is not specifically limited here.
LAC user entry 31 after the authorization information not supported by LAC has been deleted is as shown in Table 4.
Table 4
2) When the value of the free-auth field of LAC user entry 31 is N, CP31 may send the authentication message from LNS-UP31 to the authentication server for authentication. After authentication succeeds, the authentication server may issue authorization information to CP31. CP31 may generate the LNS user entry based on that authorization information and the user information of user terminal 31.
As can be seen from the above description, after receiving the authentication message sent by LNS-UP31, if CP31 determines that LNS-UP31 and LAC-UP31 share this CP31, CP31 may, instead of sending the authentication message from LNS-UP31 to the authentication server for authentication, generate LNS user entry 31 corresponding to the user information from LAC user entry 31 corresponding to the user information carried in the authentication message.
In the shared-CP31 scenario, the control server need not send the authentication message from LNS-UP31 to the authentication server for authentication, but generates the LNS user entry from the LAC user entry that was generated after the authentication message sent by LAC-UP was authenticated. Because the traditional double authentication is reduced to a single authentication, the number of authentication messages is greatly reduced and the performance of the control server is improved.
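As an added illustration (not code from the disclosure), the following Python models the control server logic of steps 201 to 203 together with the LAC user entry generation of the Fig. 3 example, and counts how many messages reach the authentication server in the shared and non-shared cases. The attribute names lac-access-port and unused-attr, the authentication server stub, and the interface labels are constructed placeholders.

```python
"""Control server (CP) model: the LAC user entry records every authorization
attribute plus a free-auth field, and when free-auth is Y the LNS user entry
is derived from it instead of sending a second message to the AAA server."""
from collections import Counter

# Attribute classification for this example. Car, IP-address and ipv6-address
# follow the page; lac-access-port and unused-attr are constructed names.
LAC_ONLY = {"lac-access-port"}            # supported by LAC, not by LNS
BOTH = {"Car"}                            # supported by LAC and LNS (bandwidth)
LNS_ONLY = {"IP-address", "ipv6-address"}  # not supported by LAC, supported by LNS
NEITHER = {"unused-attr"}                 # supported by neither
LNS_SUPPORTED = BOTH | LNS_ONLY           # what goes into the LNS user entry
LAC_UNSUPPORTED = NEITHER | LNS_ONLY      # what is pruned from the LAC entry (Table 4)


def authentication_server(user_info):
    """Constructed stand-in for the AAA server: authorization for the one
    known user (test1 / 1-1-1 from the page), None for anyone else."""
    if user_info == ("test1", "1-1-1"):
        return {"lac-access-port": 7, "Car": "10M",
                "IP-address": "10.0.0.2", "ipv6-address": "2001:db8::2",
                "unused-attr": "x"}
    return None


class ControlServer:
    def __init__(self, shared_pairs):
        # Pre-configured correspondence LAC-UP -> LNS-UP sharing this CP.
        self.shared_pairs = dict(shared_pairs)
        self.lac_table = {}   # user_info -> LAC user entry
        self.lns_table = {}   # user_info -> LNS user entry
        self.seq = 0
        self.auth_requests = Counter()  # messages actually sent to the AAA server

    def _next_seq(self):
        self.seq += 1
        return self.seq

    def handle_lac_auth(self, lac_up, interface, user_info):
        """Second authentication message (from LAC-UP): always authenticated."""
        self.auth_requests["LAC"] += 1
        authz = authentication_server(user_info)
        if authz is None:
            return None
        # free-auth is Y only if a peer LNS-UP for this LAC-UP is configured.
        free_auth = "Y" if lac_up in self.shared_pairs else "N"
        entry = {"SeqNum": self._next_seq(), "Interface": interface,
                 "Username": user_info[0], "MAC-Address": user_info[1],
                 "Free-auth": free_auth, "Role": "LAC", **authz}
        self.lac_table[user_info] = entry
        return entry

    def handle_lns_auth(self, lns_up, interface, user_info):
        """First authentication message (from LNS-UP): steps 201 to 203."""
        lac_entry = self.lac_table.get(user_info)
        if lac_entry is not None and lac_entry["Free-auth"] == "Y":
            # Shared CP: message is not forwarded; copy LNS-supported
            # attributes from the LAC entry and prune what LAC cannot use.
            authz = {k: v for k, v in lac_entry.items() if k in LNS_SUPPORTED}
            for k in LAC_UNSUPPORTED:
                lac_entry.pop(k, None)
        else:
            # Not shared, or no LAC entry yet (assumed fallback): forward
            # to the AAA server as in the traditional flow.
            self.auth_requests["LNS"] += 1
            full = authentication_server(user_info)
            if full is None:
                return None
            authz = {k: v for k, v in full.items() if k in LNS_SUPPORTED}
        entry = {"SeqNum": self._next_seq(), "Interface": interface,
                 "Username": user_info[0], "MAC-Address": user_info[1],
                 "Free-auth": lac_entry["Free-auth"] if lac_entry else "N",
                 "Role": "LNS", **authz}
        self.lns_table[user_info] = entry
        return entry


def run_scenario(shared):
    """Replay the Fig. 3 exchange; shared=True configures LAC-UP31 <-> LNS-UP31."""
    cp = ControlServer({"LAC-UP31": "LNS-UP31"} if shared else {})
    user = ("test1", "1-1-1")
    cp.handle_lac_auth("LAC-UP31", "VXLAN-31", user)   # interface labels constructed
    cp.handle_lns_auth("LNS-UP31", "VXLAN-32", user)
    return cp
```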
Referring to Fig. 4, the disclosure also provides a hardware architecture diagram of the control server in which the authentication method is located. The control server includes: a communication interface 401, a processor 402, a memory 403 and a bus 404; the communication interface 401, the processor 402 and the memory 403 communicate with one another through the bus 404.
The processor 402 may be a CPU, and the memory 403 may be a non-volatile memory. Logic instructions for authentication are stored in the memory 403, and the processor 402 can execute the logic instructions for authentication stored in the memory 403 to realize the function of reducing the number of authentications.
The machine-readable storage medium 403 referred to herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions, data, etc. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any type of storage disk (such as a CD or DVD), a similar storage medium, or a combination thereof.
At this point, the description of the hardware architecture shown in Fig. 4 is completed.
Referring to Fig. 5, Fig. 5 is a block diagram of an authentication apparatus shown in an exemplary embodiment of the disclosure. The apparatus may be applied to a control server and may include the following units.
A receiving unit 501, configured to receive a first authentication message from LNS-UP; the first authentication message carries user information;
A detection unit 502, configured to detect whether the LNS-UP and the peer LAC-UP share this control server; here, the peer LAC-UP is the LAC-UP that sent the user information to the LNS-UP;
A generation unit 503, configured to, if so, generate the LNS user entry corresponding to the user information based on the already recorded LAC user entry corresponding to the user information.
Optionally, the detection unit 502 is specifically configured to look up, in the LAC user table, a first LAC user entry containing the user information; check the value of the shared tag field in the first LAC user entry; and, if the value of the shared tag field is the first preset value, determine that the LNS-UP and the peer LAC-UP share this control server.
Optionally, the generation unit 503 is specifically configured to generate the LNS user entry based on the LNS-supported authorization information recorded in the LAC user entry and the user information.
Optionally, the apparatus further includes:
A deleting unit 504, configured to delete the authorization information not supported by LAC that is recorded in the LAC user entry.
Optionally, the LAC user entry is generated in the following way:
After a second authentication message carrying the user information sent by the LAC-UP is received, the second authentication message is sent to the authentication server for authentication, and target authorization information issued by the authentication server is received;
In the pre-configured correspondence between the LAC-UPs and LNS-UPs that share this control server, the LNS-UP corresponding to the LAC-UP is looked up; if one is found, the LAC-CP sets the value of the shared tag field to the first preset value; if none is found, the LAC-CP sets the value of the shared tag field to the second preset value;
The LAC user entry is generated based on the target authorization information, the shared tag field and its value, and the user information;
The target authorization information includes: the authorization information supported by LAC but not by LNS, the authorization information supported by both LAC and LNS, the authorization information supported by neither LAC nor LNS, and the authorization information not supported by LAC but supported by LNS.
For the functions of the units in the above apparatus and the implementation process of their effects, reference is made to the implementation process of the corresponding steps in the above method, which is not repeated here.
Since the apparatus embodiments substantially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The apparatus embodiments described above are merely exemplary; the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the disclosure. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely the preferred embodiments of the disclosure and is not intended to limit the disclosure. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the disclosure shall be included within the scope of protection of the disclosure.