Disclosure of Invention
The embodiment of the invention provides a network authentication method and device for solving the problems that the existing 3A system uses a mobile operator as a network bearer, the capability and information of the existing network cannot be opened to the existing client, and the customization of the existing 3A system cannot be realized.
According to a first aspect of the present invention, a network authentication method is provided, which is applied to a network authentication device, and the method includes: receiving an online request of an object to be networked, wherein the online request carries basic information of the object to be networked; responding to the online request, and sending an authentication and authorization request of the object to be accessed to a network server, wherein the authentication and authorization request carries basic information of the object to be accessed; receiving a judgment result of authentication and authorization of the object to be accessed, which is judged by the network server according to the basic information; and performing network access authentication on the object to be accessed according to the judgment result.
According to an embodiment of the present invention, the performing network access authentication on the object to be accessed according to the determination result includes: and when the judgment result shows that the object to be accessed is a single access point APN object and the object to be accessed opens a redundancy mode, receiving an IP address set which is sent by the network server and corresponds to the APN of the object to be accessed so as to carry out authentication for the object to be accessed for multiple times.
According to an embodiment of the present invention, the performing network access authentication on the object to be networked according to the determination result includes: and when the judgment result shows that the object to be accessed to the network is a multi-APN object, receiving an authentication result of the authentication of the object to be accessed to the network by the network server according to the APN information.
According to an embodiment of the present invention, the receiving an authentication result of the authentication and authorization performed by the network server on the object to be accessed according to the APN information includes: and when the authentication result shows that the network server successfully authenticates the object to be accessed, receiving an IP address distributed by the network server for the object to be accessed.
According to the second aspect of the present invention, there is also provided a network authentication method applied to a network authentication server, the method including: receiving an authentication and authorization request sent by the network authentication equipment end in response to an online request of an object to be accessed, wherein the online request carries basic information of the object to be accessed, and the authentication and authorization request carries the basic information; according to the basic information, carrying out authentication and verification on the object to be accessed to the network; and sending the judgment result of the authentication to a network authentication equipment terminal.
According to an embodiment of the present invention, the authenticating and authenticating the object to be accessed according to the basic information includes: determining an access point APN mode of the object to be accessed according to the basic information; when the APN mode shows that the object to be accessed to the network is a single APN object, judging whether the object to be accessed to the network starts a redundancy mode; and if the object to be accessed to the network starts a redundancy mode, sending an IP address set corresponding to the APN of the object to be accessed to the network service equipment terminal so that the network service equipment terminal performs multiple authentication and authentication on the object to be accessed to the network.
According to an embodiment of the present invention, the basic information includes APN information of the object to be networked, and the performing network access authentication on the object to be networked according to the determination result further includes: when the APN mode shows that the object to be accessed is a multi-APN object, authenticating the object to be accessed according to the APN information.
According to an embodiment of the present invention, the authenticating the object to be accessed according to the APN information includes: judging whether the APN information is consistent with APN information pre-configured in the network server; if they are consistent, the authentication of the object to be accessed is judged to be successful, and the IP address allocated to the object to be accessed is sent to the network service device.
According to the third aspect of the present invention, there is also provided a network authentication apparatus, applied to a network authentication device, the apparatus including: the device comprises a first request receiving module, a second request receiving module and a third request sending module, wherein the first request receiving module is used for receiving an online request of an object to be networked, and the online request carries basic information of the object to be networked; the response module is used for responding to the online request and sending an authentication and authorization request of the object to be accessed to a network server, wherein the authentication and authorization request carries the basic information; a result receiving module, configured to receive a determination result of authentication of the object to be networked, which is determined by the network server according to the basic information; and the authentication module is used for carrying out network access authentication on the object to be accessed according to the judgment result.
According to an embodiment of the present invention, the authentication module includes: and the first authentication submodule is used for receiving an IP address set which is sent by the network server and corresponds to the APN of the object to be accessed when the judgment result shows that the object to be accessed is a single access point APN object and the object to be accessed starts a redundancy mode, so as to carry out authentication for the object to be accessed for multiple times.
According to an embodiment of the present invention, the basic information includes APN information of the object to be networked, and the authentication module includes: and the second authentication submodule is used for receiving an authentication result of the authentication and authentication of the object to be accessed by the network server according to the APN information when the judgment result shows that the object to be accessed is a multi-APN object.
According to an embodiment of the present invention, the second authentication sub-module is further configured to receive an IP address allocated by the network server to the object to be accessed when the authentication result shows that the network server successfully authenticates the object to be accessed.
According to the fourth aspect of the present invention, there is also provided a network authentication apparatus applied to a network authentication server, the apparatus including: a second request receiving module, configured to receive an authentication and authorization request sent by the network authentication device end in response to an online request of an object to be networked, where the online request carries basic information of the object to be networked, and the authentication and authorization request carries the basic information; the authentication module is used for authenticating and authenticating the object to be accessed to the network according to the basic information; and the result sending module is used for sending the judgment result of the authentication to the network authentication equipment terminal.
According to an embodiment of the present invention, the authentication module includes: the mode judgment submodule is used for determining the APN mode of the access point of the object to be accessed according to the basic information; the redundancy judgment submodule is used for judging whether the object to be accessed to the network starts a redundancy mode or not when the APN mode shows that the object to be accessed to the network is a single APN object; and the first authentication sub-module is used for sending an IP address set corresponding to the APN of the object to be accessed to the network service equipment terminal when judging that the object to be accessed starts the redundancy mode, so that the network service equipment terminal performs multiple authentication and authentication on the object to be accessed.
According to an embodiment of the present invention, the authentication module further includes: and the second authentication submodule is used for authenticating and authenticating the object to be accessed according to the APN information when the APN mode shows that the object to be accessed is a multi-APN object.
According to an embodiment of the present invention, the second authentication sub-module is configured to, when the APN information is consistent with APN information preconfigured in the network server, determine that the authentication of the object to be networked is successful, and send an IP address allocated to the object to be networked to the network service device.
According to a fifth aspect of the present invention, there is also provided a computer-readable storage medium comprising a set of computer-executable instructions which, when executed, are operable to perform any of the network authentication methods described above.
According to the network authentication method, the network authentication device and the computer readable storage medium, the authentication of the object to be accessed is carried out by responding to the online request of the object to be accessed according to the basic information carried in the online request of the object to be accessed and the information of the object to be accessed, which is pre-configured in the network server; furthermore, for the network access object in the single APN mode, an IP address set is configured so that the network authentication equipment terminal can directly authenticate the equipment to be accessed to the network, and the network access efficiency and the network connection reliability of the equipment are effectively improved. Meanwhile, the problem that the 3A system can not open the capability and information of the existing network to the existing customers and can not realize the customization of the 3A system because the mobile operator is used as the network for carrying is effectively solved.
It is to be understood that the teachings of the present invention need not achieve all of the above-described benefits, but rather that specific embodiments may achieve specific technical results, and that other embodiments of the present invention may achieve benefits not mentioned above.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given only to enable those skilled in the art to better understand and to implement the present invention, and do not limit the scope of the present invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The technical solution of the present invention is further elaborated below with reference to the drawings and the specific embodiments.
Fig. 1 is a schematic diagram illustrating a first implementation flow of a network authentication method according to an embodiment of the present invention.
Referring to fig. 1, a network authentication method according to an embodiment of the present invention is applied to a network authentication device, and at least includes the following operation flows: operation 101, receiving an online request of an object to be networked, where the online request carries basic information of the object to be networked; operation 102, responding to the online request, sending an authentication and authorization request of the object to be accessed to a network server, wherein the authentication and authorization request carries the basic information; operation 103, receiving a determination result of authentication of the object to be accessed, which is determined by the network server according to the basic information; and operation 104, performing network access authentication on the object to be accessed according to the determination result.
In an embodiment of the present invention, an LNS (Look n Stop, firewall) or a PGW (PDN GateWay, which is an important network element in a mobile communication network) device of an operator may be used as a network authentication device, where PDN (public Data network) refers to a public Data network.
In operation 101, the object to be networked may include: POS (Point Of Sale), CPE (Customer Premise Equipment), etc. When a user goes online through equipment such as POS/CPE, an operator receives the online request of the user and forwards the online request to the LNS/PGW device.
In an embodiment of the present invention, the basic information of the object to be networked includes user name information, for example: SIM (Subscriber Identity Module) card information.
In operation 102, in response to the online request, an authentication and authorization request of the object to be accessed is sent to the network server, where the authentication and authorization request carries basic information of the object to be accessed.
In an embodiment of the present invention, an authentication and authorization request sent by a PGW device of an LNS/operator is sent to any server in a 3A-client cluster. The 3A-client cluster serving as the network server interacts with the CRM in advance, and receives and stores basic information of an object to be accessed to the network, information such as network service authority and the like.
Specifically, first, CRM (Customer Relationship Management, Customer Management system) can send the following information of the objects to be networked (for example, users of devices such as POS/CPE) managed and controlled by CRM to the 3A system according to the API interface provided by the 3A system: the information of the SIM card (for example, a user Name), the APN (Access Point Name, Access Point) information (for example, a user account password), whether to allow internet Access, the IP address corresponding to the APN, whether to start a redundancy mode, and the like. Alternatively, the information of the object to be networked managed and controlled by CRM can be directly operated through a 3A web portal interface, such as: adding, changing and deleting information of the object to be accessed. In the present invention, the information of the object to be networked managed and controlled by the CRM is referred to as user information unless otherwise specified.
Secondly, after receiving the user information sent by the CRM, the 3A system passes the user information to a 3A core server for processing. The core server first sends the user information to a 3A client and, after the sending is determined to be successful, stores the user information in the 3A system database (MySQL); otherwise, it returns to the CRM.
In operation 103, a determination result of the authentication of the object to be accessed, which is determined by the network server according to the basic information, is received.
In an embodiment of the present invention, any client RADIUS (Remote Authentication Dial In User Service, Remote User Dial Authentication system, defined by RFC2865 and RFC2866, which are the most widely used 3A protocols) In a 3A client cluster performs Authentication judgment, determines whether User information, information of an APN used by User on-line dialing, and the like are available In a RADIUS library, and sends a judgment result to LNS equipment or PGW equipment of an operator.
In operation 104, network access authentication is performed on the object to be networked according to the determination result.
Specifically, the first authentication result of the 3A system server for the user information includes: and whether the user information corresponding to the received basic information exists in the 3A system or not. If the user information corresponding to the basic information exists, further judgment and confirmation are needed according to the user information corresponding to the basic information, whether the object to be accessed to the network corresponding to the basic information is allowed to access the network, whether the APN mode of the object to be accessed to the network is confirmed, whether the object to be accessed to the network is started to be a redundant mode or not is judged, and the like.
In an embodiment of the present invention, when the determination result shows that the object to be accessed is a single access point APN object and the object to be accessed starts a redundancy mode, an IP address set corresponding to an APN of the object to be accessed, which is sent by a network server, is received, so as to perform multiple authentication and authentication on the object to be accessed.
Specifically, if the object to be networked is a single APN object and the redundancy mode is turned on, the authentication authority of the object to be networked may be transferred to the LNS device/operator PGW device. Therefore, the authentication of the object to be accessed to the network can be realized at the equipment end of network authentication, the pressure of the 3A system server is reduced to a great extent, and the efficiency and the reliability of the authentication of the 3A system are improved.
In another embodiment of the present invention, the basic information carried in the authentication request includes APN information of the object to be accessed, and when the determination result shows that the object to be accessed is a multi-APN object, the authentication result of the authentication and authorization performed on the object to be accessed by the network server according to the APN information is received.
Specifically, if the object to be accessed is a multi-APN object, the 3A system needs to further confirm APN information of the object to be accessed, perform authentication, and feed back the obtained authentication result to the LNS device/operator PGW device.
In an embodiment of the present invention, when the authentication result of the to-be-accessed object in the 3A system shows that the authentication of the to-be-accessed object by the network server is successful, the IP address allocated to the to-be-accessed object by the network server is received.
Specifically, for a multi-APN object, the 3A system further authenticates the object to be accessed according to the APN information, and when the APN information is consistent with information preconfigured in the 3A system, the authentication is determined to be successful, and at this time, an IP address allocated by the 3A system to the object to be accessed according to the APN information is received.
Fig. 2 shows a schematic flow chart of implementing the network authentication method according to the embodiment of the present invention.
Referring to fig. 2, a network authentication method provided in an embodiment of the present invention is applied to a network authentication server, and at least includes: operation 201, receiving an authentication and authorization request sent by a network authentication device end in response to an online request of an object to be networked, where the online request carries basic information of the object to be networked, and the authentication and authorization request carries the basic information; operation 202, according to the basic information, performing authentication and authorization on the object to be accessed to the network; operation 203, sending the judgment result of the authentication to the network authentication device.
In operation 201, an authentication request sent by a network authentication device end in response to an online request of an object to be networked is received, where the online request carries basic information of the object to be networked, and the authentication request carries the basic information of the object to be networked.
In an embodiment of the present invention, the network authentication device includes an LNS device/operator PGW device, and after receiving the network access request of the object to be networked, the LNS device/operator PGW device sends an authentication and authorization request of the device to be networked to the network server, and forwards the received basic information of the object to be networked to the network server when sending the authentication and authorization request, for example: 3A system.
In operation 202, the object to be accessed is authenticated according to the basic information. Specifically, the 3A system determines whether APN information carried in the received basic information of the object to be networked is consistent with user information pre-configured by CRM in the 3A system. If they are consistent, the authentication of the object to be accessed is judged to be successful, and an IP address is allocated for the object to be accessed corresponding to the received basic information; if not, the authentication is judged to have failed, and the authentication failure result is fed back to the LNS device/operator PGW device.
In operation 203, the determination result of the authentication is sent to the network authentication device.
Fig. 3 is a schematic diagram illustrating a third implementation flow of the network authentication method according to the embodiment of the present invention.
Referring to fig. 3, in an embodiment of the present invention, based on operations 201 and 203, the above operation 202 includes: operation 301, determining an access point APN mode of the object to be accessed according to the basic information; operation 302, when the APN mode shows that the object to be networked is a single APN object, determining whether the object to be networked starts a redundancy mode; operation 303, if the object to be networked starts the redundancy mode, sending an IP address set corresponding to the APN of the object to be networked to the network service device, so that the network service device authenticates the object to be networked multiple times.
Specifically, if the object to be accessed is in a single APN mode, an IP address set is allocated to the object to be accessed, and the allocated IP address set is sent to a network authentication device (e.g., LNS device/operator PGW device) so that the network authentication device performs multiple authentication operations on the object to be accessed. Therefore, the pressure of a network server (such as a 3A system server) can be relieved to a great extent, so that the problems that the equipment to be accessed to the network cannot be accessed to the network and the connection is interrupted due to high communication pressure of the network server are avoided, and the network access efficiency and reliability of the equipment to be accessed to the network are effectively improved. Especially for equipment that requires frequent inline and offline operations, such as: POS equipment, CPE client equipment, etc. The redundancy mode of the equipment is subjected to targeted detection, and an IP address set can be allocated to the object to be accessed as long as the redundancy mode is started, so that the normal use of the equipment is fundamentally ensured.
In an embodiment of the present invention, the basic information includes APN information of the object to be networked, and when the APN mode shows that the object to be networked is a multi-APN object, the object to be accessed is authenticated according to the APN information.
Specifically, when the object to be accessed to the network is a multi-APN object, APN information of the object to be accessed to the network is further acquired, and authentication is further performed on the object to be accessed to the network according to the APN information, so that the problem that the IP address in a single-card multi-APN scene cannot be controlled in the existing 3A system is effectively solved.
In an embodiment of the present invention, the aforementioned operation of authenticating the object to be accessed according to APN information includes: judging whether the APN information is consistent with APN information pre-configured in the network server; if they are consistent, the authentication of the object to be accessed is judged to be successful, and the IP address allocated to the object to be accessed is sent to the network service device.
Specifically, when the object to be accessed is determined to be a multi-APN object, the user name and APN information included in the basic information received by the network server are authenticated. If the information such as the user name and the APN is consistent with information pre-configured in the network server (for example, a 3A system server), the authentication is judged to be successful, and the IP address allocated to the object to be accessed is sent to the network service device so that the device to be networked can connect to the network. If they are inconsistent, the authentication result is fed back to the network authentication device.
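The server-side decision flow described above (the user lookup, operations 301 to 303, and the multi-APN consistency check) can be followed in this added Python example, which is not code from the patent. The names `Subscriber`, `Decision`, `decide` and `STORE`, the field names, and the handling of a single-APN object without redundancy mode (treated like the APN-check path) are assumptions; the sample records are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    REJECT = "reject"      # authentication failed; result fed back to LNS/PGW
    DELEGATE = "delegate"  # single APN + redundancy: IP address set sent to LNS/PGW
    ACCEPT = "accept"      # APN matched: one IP address allocated


@dataclass(frozen=True)
class Subscriber:
    """User information as pushed by the CRM (field names are hypothetical)."""
    username: str                        # SIM card information
    apn_ips: dict[str, tuple[str, ...]]  # APN -> IP addresses configured for it
    allow_access: bool = True            # whether network access is allowed
    redundancy: bool = False             # whether redundancy mode is started


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    reason: str
    ips: tuple[str, ...] = ()


def decide(store: dict[str, Subscriber], username: str, apn: str) -> Decision:
    """Return the judgment the 3A server sends back for one auth request."""
    sub = store.get(username)
    if sub is None:
        return Decision(Verdict.REJECT, "unknown user")
    if not sub.allow_access:
        return Decision(Verdict.REJECT, "access not allowed")

    # Operation 301: determine the APN mode from the stored user information.
    single_apn = len(sub.apn_ips) == 1

    # Operations 302/303: single APN with redundancy mode started, so the
    # whole IP address set for that APN goes to the authentication device.
    if single_apn and sub.redundancy:
        configured_apn, ips = next(iter(sub.apn_ips.items()))
        return Decision(Verdict.DELEGATE, f"IP set for {configured_apn}", ips)

    # Multi-APN path: the requested APN must match a pre-configured one.
    # Assumption: single APN without redundancy is checked the same way.
    ips = sub.apn_ips.get(apn)
    if not ips:
        return Decision(Verdict.REJECT, "APN mismatch")
    return Decision(Verdict.ACCEPT, "APN matched", ips[:1])


# Constructed sample records (documentation-style names and private addresses).
STORE = {
    "sim-pos-001": Subscriber(
        "sim-pos-001", {"pos.example": ("10.0.0.10", "10.0.0.11")},
        redundancy=True),
    "sim-cpe-002": Subscriber(
        "sim-cpe-002",
        {"corp.example": ("10.1.0.5",), "iot.example": ("10.2.0.5",)}),
    "sim-off-003": Subscriber(
        "sim-off-003", {"pos.example": ("10.0.0.20",)}, allow_access=False),
}

if __name__ == "__main__":
    for user, apn in [("sim-pos-001", "pos.example"),
                      ("sim-cpe-002", "iot.example"),
                      ("sim-cpe-002", "other.example"),
                      ("sim-off-003", "pos.example"),
                      ("sim-unknown", "pos.example")]:
        d = decide(STORE, user, apn)
        print(f"{user:12} {apn:14} -> {d.verdict.value:8} {d.reason} {d.ips}")
```

Every request that matches no stored record, is flagged as not allowed, or names an APN absent from the record ends in a reject, so the stored CRM data is the only source of allocated addresses.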
Thus, the invention responds to the online request of the object to be accessed, and carries out authentication and authentication on the object to be accessed according to the basic information carried in the online request of the object to be accessed and the information of the object to be accessed, which is pre-configured in the network server; furthermore, for the network access object in the single APN mode, an IP address set is configured so that the network authentication equipment terminal can directly authenticate the equipment to be accessed to the network, and the network access efficiency and the network connection reliability of the equipment are effectively improved. Meanwhile, the problem that the 3A system can not open the capability and information of the existing network to the existing customers and can not realize the customization of the customized 3A system because the mobile operator is used as the network for carrying is effectively solved.
Similarly, based on the above network authentication method, an embodiment of the present invention further provides a computer-readable storage medium, where a program is stored, and when the program is executed by a processor, the processor is caused to perform at least the following operation steps: operation 101, receiving an online request of an object to be networked, wherein the online request carries basic information of the object to be networked; operation 102, responding to the online request, sending an authentication and authorization request of the object to be accessed to a network server, wherein the authentication and authorization request carries the basic information; operation 103, receiving a judgment result of the authentication of the object to be accessed, which is judged by the network server according to the basic information; and operation 104, performing network access authentication on the object to be accessed according to the judgment result.
Further, based on the above network authentication method, an embodiment of the present invention further provides a network authentication apparatus, which is applied to a network authentication device, as shown in fig. 4, where the apparatus 40 includes: a first request receiving module 401, configured to receive an online request of an object to be networked, where the online request carries basic information of the object to be networked; a response module 402, configured to send, in response to the online request, an authentication and authorization request of the object to be networked to the network server, where the authentication and authorization request carries the basic information; a result receiving module 403, configured to receive a determination result of authentication of the object to be accessed, which is determined by the network server according to the basic information; and an authentication module 404, configured to perform network access authentication on the object to be accessed according to the determination result.
According to an embodiment of the invention, the authentication module 404 includes: a first authentication submodule, configured to receive an IP address set which is sent by the network server and corresponds to the APN of the object to be accessed when the judgment result shows that the object to be accessed is a single access point APN object and the object to be accessed starts a redundancy mode, so as to authenticate the object to be accessed multiple times.
According to an embodiment of the present invention, the basic information includes APN information of the object to be networked, and the authentication module 404 includes: a second authentication submodule, configured to receive an authentication result of the network server authenticating the object to be accessed according to the APN information when the judgment result shows that the object to be accessed is a multi-APN object.
According to an embodiment of the present invention, the second authentication sub-module is further configured to receive an IP address allocated by the network server to the object to be accessed when the authentication result shows that the network server successfully authenticates the object to be accessed.
Further, the present invention provides a network authentication device based on the above network authentication method, which is applied to a network authentication server. As shown in fig. 5, the device 50 includes: a second request receiving module 501, configured to receive an authentication and authorization request sent by a network authentication device end in response to an online request of an object to be networked, where the online request carries basic information of the object to be networked, and the authentication and authorization request carries the basic information; an authentication module 502, configured to authenticate the object to be accessed to the network according to the basic information; and a result sending module 503, configured to send the determination result of authentication to the network authentication device.
According to an embodiment of the present invention, the authentication module 502 includes: a mode judgment submodule, configured to determine an access point APN mode of the object to be accessed according to the basic information; a redundancy judgment submodule, configured to judge whether the object to be accessed starts a redundancy mode when the APN mode shows that the object to be accessed is a single APN object; and a first authentication sub-module, configured to send the IP address set corresponding to the APN of the object to be accessed to the network service device when judging that the object to be accessed starts the redundancy mode, so that the network service device can authenticate the object to be accessed multiple times.
According to an embodiment of the present invention, the authentication module 502 further includes: a second authentication submodule, configured to authenticate the object to be accessed according to the APN information when the APN mode shows that the object to be accessed is a multi-APN object.
According to an embodiment of the present invention, the second authentication sub-module is configured to, when the APN information is consistent with APN information preconfigured in the network server, determine that the authentication of the object to be accessed is successful, and send the IP address allocated to the object to be accessed to the network service device.
Here, it should be noted that: the above description of the embodiment of the network authentication apparatus is similar to the description of the method embodiments shown in fig. 1 to 3, and has similar beneficial effects to the method embodiments shown in fig. 1 to 3, and therefore, the description thereof is omitted. For technical details not disclosed in the embodiment of the network authentication apparatus of the present invention, please refer to the description of the method embodiments shown in fig. 1 to 3 of the present invention; for brevity, they are not described again.
Fig. 6 is a schematic view of a service architecture of a 3A system on which the network authentication method according to the embodiment of the present invention is based. Referring to fig. 6, in this application example, the 3A system adopts clustered management, and the authentication and authorization service of the 3A system, shown in an oval frame, is executed by a 3A client cluster. The RADIUS authentication and authorization service is deployed at the 3A client side, and the 3A client performs the actual authentication and authorization processing. A RADIUS memory bank is pre-configured in the 3A client cluster to store the user information pre-configured by the CRM for the 3A system and to handle high-speed RADIUS authentication. Using the memory bank guarantees the processing efficiency of authentication in the 3A system, improves the authentication efficiency, and effectively improves the network connection speed and reliability of the equipment to be networked.
The other service modules in the 3A system are still executed by the 3A system core server. These other functional modules or service contents of the 3A system are shown in block form in fig. 6, such as: 3A service gateway, firewall/basic connection management, service monitoring, 3A API server gateway (load balancer), 3A core service, and 3A database MySQL.
The 3A service portal (server WEB portal) provides a WEB management interface for the 3A system. It provides page operations for user queries, allows the user to add, change and delete users and to add and change the network authentication device side, and also allows the current 3A client state to be queried. The 3A API server gateway (server gateway) provides a way to manage the 3A system using APIs, and its specific functions are consistent with the 3A service portal functions. The firewall/BASE connection management (LNS/BASE connection management) provides a connection management mode for LNS/BASE, is responsible for collecting the online devices of LNS/BASE, and provides management of online devices (for example, cancelling a network connection, the use status of a network connection, etc.). The 3A database MySQL is used for storing data of the 3A system and querying the recent operation log of the 3A system. Service monitoring refers to monitoring and management of the operational status of the 3A client. The 3A core service mainly refers to the authentication and authorization services provided by the core server of the 3A system, for example: abnormal authentication, authentication in a multi-APN scenario, security authentication and similar functions.
Fig. 7 is a flowchart illustrating a specific application example of the network authentication method according to the embodiment of the present invention.
Referring to fig. 7, in a specific application example of the network authentication method according to the embodiment of the present invention, the network authentication method may include the following steps:
S100, the CRM sends user information (including SIM card information, APN information, whether to allow to surf the internet, IP corresponding to APN, whether to start a redundancy mode and the like) to a 3A system, wherein the 3A system comprises a 3A core server and a 3A client cluster (a cluster formed by a plurality of 3A clients is configured for LNS/PGW in advance).
S200, an object to be networked (for example, a user of a POS/CPE and other types of equipment) sends an online request, wherein the online request carries basic information of the object to be networked, such as: user name and APN information.
S300, the operator receives the online request sent by the object to be accessed to the network, and forwards the online request to the LNS device/operator PGW device.
S400, the LNS device/operator PGW device responds to the received online request and sends an authentication request to the 3A system.
S500, the 3A system RADIUS performs the authentication judgment. Specifically, S500 may include steps S510, S511, S512, S521, S522 and S523.
S510, the 3A system judges the APN mode of the user equipment (namely the equipment corresponding to the object to be accessed).
S511, when the 3A system judges that the APN mode of the user equipment is a single APN mode, the 3A system judges whether the user equipment (namely the equipment corresponding to the object to be accessed) has started a redundancy mode.
S512, when the 3A system judges that the user has started the redundancy mode, the 3A system sends the IP address pool allocated to the equipment of the single APN, so that the LNS device/operator PGW device can carry out authentication and authorization of the single APN equipment multiple times.
S521, when the 3A system determines that the user mode is the multi-APN mode (taking the dual-APN mode as an example), the system further authenticates the user equipment.
S522, the 3A system further authenticates the user equipment, namely, performs strong authentication. If the authentication is successful (the user name and the APN information are consistent with those in the 3A system), the 3A system feeds back the information of the successful authentication to the LNS/PGW device and allocates an IP address for the network connection of the object to be accessed.
S523, if the 3A system fails to authenticate the user equipment, that is, if the authentication fails (the user name and the APN information are inconsistent with those in the 3A system), the 3A system feeds back information of the authentication failure to the LNS/PGW device.
S600, the authentication judgment result is fed back (including whether user information exists in the RADIUS library, which APN the user uses for dialing online, IP address allocation and the like).
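The decision made in S500 (steps S510 to S523) can be written out as a short Python sketch. This is an added example, not code from the patent: the class and function names, the sample records, the enforcement of the "allow to surf the internet" flag, and the handling of a single-APN object without redundancy (a branch the steps above do not describe) are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Subscriber:                 # record the CRM provisions in S100
    apn_ips: dict                 # APN name -> IPs configured for that APN
    allow_online: bool = True
    redundancy: bool = False

@dataclass
class Decision:                   # judgment result fed back in S600
    accept: bool
    reason: str
    apn: Optional[str] = None
    ips: list = field(default_factory=list)

def match_apn(sub, apn):
    """Username already matched; accept only if the APN is configured too."""
    pool = sub.apn_ips.get(apn)
    if not pool:
        return Decision(False, "APN mismatch")
    return Decision(True, "username and APN match", apn, pool[:1])

def authorize(store, username, apn):
    sub = store.get(username)
    if sub is None:               # fail closed on unknown users
        return Decision(False, "user not in RADIUS store")
    if not sub.allow_online:      # assumption: the S100 flag is enforced here
        return Decision(False, "online access not allowed")
    if len(sub.apn_ips) == 1:     # S510: single-APN object
        only_apn, pool = next(iter(sub.apn_ips.items()))
        if sub.redundancy:        # S511/S512: hand back the whole IP set
            return Decision(True, "single APN, redundancy on", only_apn, list(pool))
        return match_apn(sub, apn)  # assumption: branch not described above
    return match_apn(sub, apn)    # S521-S523: multi-APN strong authentication

# Constructed sample data (usernames, APN names and addresses are made up).
STORE = {
    "pos-001": Subscriber({"apn.pay": ["192.0.2.10", "192.0.2.11"]}, redundancy=True),
    "cpe-002": Subscriber({"apn.a": ["198.51.100.5"], "apn.b": ["203.0.113.5"]}),
    "cpe-003": Subscriber({"apn.a": ["198.51.100.9"]}, allow_online=False),
}

if __name__ == "__main__":
    for user, apn in [("pos-001", "apn.pay"), ("cpe-002", "apn.b"),
                      ("cpe-002", "apn.x"), ("ghost", "apn.a")]:
        print(user, apn, authorize(STORE, user, apn))
```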
The application example of the invention adopts a control mode combining cluster and control, and has higher availability. The service interface is separated from the authentication service, so that high-speed operation of the services served by the 3A system can be guaranteed with high quality, for example: the PGW client can effectively carry out large-batch account opening and execute business operations smoothly. Meanwhile, the performance of the 3A system is improved: practice proves that the performance and the efficiency of the network authentication method provided by the embodiment of the invention are greatly improved.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as a removable Memory device, a Read Only Memory (ROM), a magnetic disk, or an optical disk.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a magnetic or optical disk, or other various media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.