WO2009089773A1 - Multi-host access authentication method and system for wimax network - Google Patents
- Publication number: WO2009089773A1 (PCT/CN2009/070035, CN2009070035W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- host
- network element
- message
- access
- Prior art date
Classifications
- H04L63/00—Network architectures or network communication protocols for network security; H04L63/08—for authentication of entities (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/06—Authentication; H04W12/069—Authentication using certificates or pre-shared keys (H04W—WIRELESS COMMUNICATION NETWORKS)
Definitions
- the present invention relates to the field of communications technologies, and in particular, to a Worldwide Interoperability for Microwave Access (WiMAX) network.
- the WiMAX system is an Internet wireless access system. With the rapid development of Internet services and the widespread use of wireless networks, existing WiMAX systems can be divided, by networking form, into multi-host scenarios and non-multi-host scenarios.
- FIG. 1 is a flow chart of access authentication signaling for a non-multi-host scenario.
- the supplicant mobile station (Mobile Station, MS) carries Extensible Authentication Protocol (EAP) messages on the air interface in Privacy Key Management version 2 (PKMv2) protocol messages.
- PKM: Privacy Key Management
- ASN: Access Service Network
- BS: Base Station
- GW: gateway
- Auth. Relay: the authentication relay protocol, which carries EAP messages between the BS and the GW inside the ASN.
- the EAP message is carried in RADIUS messages between the ASN and the Connectivity Service Network (CSN).
- CSN: Connectivity Service Network
- PKMv2 is the privacy key management protocol version 2 defined in the 802.16e protocol; it is used for key security association management on the air interface and carries EAP data. The Auth. Relay protocol is a protocol defined by the WiMAX access network for carrying EAP data.
- Extensible Authentication Protocol over LAN (EAPoL) is an authentication bearer protocol on the LAN, mainly used to encapsulate EAP data in Ethernet packets.
- NSP: Network Service Provider
- multi-host scenarios are another networking form of WiMAX systems, which can be deployed at various locations such as airports, coffee bars or trains.
- FIG. 2 is a schematic diagram of the WiMAX system networking structure in a multi-host scenario.
- the ASN is composed of one or more wireless base stations and an Access Service Network Gateway (ASN-GW).
- ASN-GW: Access Service Network Gateway
- the ASN acts as a logical entity to manage the IEEE 802.16 air interface and provides wireless access for WiMAX users.
- the CSN is composed of an accounting server such as an Authentication, Authorization and Accounting (AAA) server, a Home Agent (HA), and an IP Multimedia Subsystem (IMS); it is the core component that provides IP connectivity, services and management.
- AAA: Authentication, Authorization and Accounting
- HA: Home Agent
- IMS: IP Multimedia Subsystem
- HOST: a host terminal in the multi-host scenario. Because of the price advantage and high market share of Wireless Fidelity (WiFi) and Ethernet access, WiFi and Ethernet can be used for the terminal-side connection.
- GMS: gateway mobile station
- the connection between the GMS and the ASN can be via a WiMAX wireless connection.
- the GMS can access the ASN/CSN network before the HOST access; it can also access the ASN/CSN network after the HOST access.
- a disadvantage of the prior art is that when an existing WiMAX system performs access authentication for a host in a multi-host scenario, the EAP message is transmitted as data on the air interface and is transparent to the BS/GMS. Therefore, neither the BS nor the GMS knows the result of the host authentication. In some scenarios, the GMS needs to know the result of the host authentication; for example, the GMS needs to decide whether to open or close the port according to the authentication result of the host, to avoid illegal access by illegal users.
Summary of the invention
- the problem to be solved by the present invention is to provide a multi-host access authentication method and system for a WiMAX network capable of enabling the GMS to obtain an authentication result when performing host access authentication.
- an embodiment of the present invention provides a multi-host access authentication method for a WiMAX network, including:
- the identifier information of the host is carried in the authentication start message and sent to the authentication network element;
- the authentication response message is forwarded, according to the identifier information carried in the authentication response message received from the authentication network element, to the host corresponding to the identifier information, so that the host, after receiving the authentication response message, performs access authentication with the authentication server and the authentication server sends the authentication result to the authentication network element; and the authentication result sent by the authentication network element is received.
- a network element node including:
- a first network element module configured to: after receiving an access request message from a host, carry the identifier information of the host in an authentication start message for sending;
- the second network element module is configured to forward the authentication response message to the host corresponding to the identifier information according to the identifier information carried in the received first authentication response message.
- another embodiment of the present invention provides a multi-host access authentication system for a WiMAX network, including a network element node, a base station, a NAS, and an authentication server, where:
- the network element node includes:
- a first network element module configured to: after receiving an access request message from a host, carry the identifier information of the host in an authentication start message for sending;
- the second network element module is configured to forward the authentication response message to the host corresponding to the identifier information according to the identifier information carried in the received first authentication response message;
- the base station includes:
- a first base station module configured to send a first authentication request message after receiving an authentication start message from the network element node
- a second base station module configured to send the received first authentication response message to the network element node
- the NAS includes:
- a first network module configured to: after receiving the first authentication request message from the base station, reply to the first authentication response message;
- a second network module configured to send, by the base station, a first authentication confirmation message from the authentication server to the network element node
- the authentication server includes:
- a first authentication module configured to perform access authentication with the host after the host receives the first authentication response message;
- the second authentication module is configured to send the authentication result of the first authentication module to the NAS in the first authentication confirmation message.
- the network element node obtains the authentication result of the host, and according to the authentication result, the network element node can decide whether to open or close the authorized port, avoid illegal access by the illegal user, and improve the security of the system.
- another embodiment of the present invention further provides a multi-host access authentication system for a WiMAX network, including a host, a network element node, an authentication network element, and an authentication server, where:
- the host is configured to send an access request message to the network element node
- the network element node is configured to: after receiving the access request message from a host, carry the identifier information of the host in the authentication start message and send it to the authentication network element; forward the authentication response message, according to the identifier information carried in the authentication response message received from the authentication network element, to the host corresponding to the identifier information, so that the host performs access authentication with the authentication server after receiving the authentication response message; and receive the authentication result sent by the authentication network element;
- the authentication network element is configured to: after receiving an authentication start message from the network element node, reply an authentication response message to the network element node;
- the authentication server is configured to perform access authentication with the host, and send the authentication result to the authentication network element.
- FIG. 1 is a flow chart of access authentication signaling of a WiMAX system in an existing non-multi-host scenario;
- FIG. 2 is a schematic structural diagram of a WiMAX system networking in an existing multi-host scenario;
- FIG. 3 is a flowchart of a multi-host access authentication method for a WiMAX network according to Embodiment 1 of the present invention;
- FIG. 4A is a flowchart of a multi-host access authentication method for a WiMAX network according to Embodiment 2 of the present invention;
- FIG. 4B is a signaling diagram of a multi-host access authentication method for a WiMAX network according to Embodiment 2 of the present invention;
- FIG. 5A is a flowchart of a multi-host access authentication method for a WiMAX network according to Embodiment 3 of the present invention;
- FIG. 5B is a signaling diagram of a multi-host access authentication method for a WiMAX network according to Embodiment 3 of the present invention;
- FIG. 5C is another signaling diagram of a multi-host access authentication method for a WiMAX network according to Embodiment 3 of the present invention;
- FIG. 5D is a signaling diagram of a tunnel establishment process according to Embodiment 3 of the method of the present invention;
- FIG. 5E is a diagram illustrating a data plane protocol stack of a tunnel establishment process according to Embodiment 3 of the present invention;
- FIG. 6 is a schematic structural diagram of a multi-host access authentication system of a WiMAX network according to Embodiment 1 of the system of the present invention;
- FIG. 7 is a schematic structural diagram of a multi-host access authentication system of a WiMAX network according to Embodiment 2 of the present invention;
- FIG. 8 is a schematic structural diagram of another multi-host access authentication system of a WiMAX network according to Embodiment 2 of the present invention.
Detailed description
- This embodiment provides a multi-host access authentication method for a WiMAX network, as shown in FIG. 3, including:
- Step 101 After receiving the access request message from a host, the network element node carries the identifier information of the host in the authentication start message and sends it to the base station (Base Station, BS) on the network side.
- the network element node may be a node having a gateway access function or the like, such as a GMS.
- the GMS is used as an example below.
- for other such nodes the corresponding method or structure is similar to that of the GMS, and details are not described herein again.
- the above host refers to a host in the WiMAX system in a multi-host scenario. Specifically, when requesting access authentication, the host may send EAPoL/EAP-START signaling as the access request message; after the GMS detects that the EAPoL/EAP-START signaling is an EAPoL-format data packet, it may convert the EAPoL/EAP-START signaling into PKMv2/EAP-START signaling, carry the identifier information of the host in the PKMv2/EAP-START signaling and send it to the base station, where the identifier information may be information associated with the Media Access Control (MAC) address of the host.
- Step 102 After receiving the authentication start message, the base station sends an authentication request message to the authentication network element.
- the authentication network element (NE) is the network element used to authenticate the host.
- the specific network architecture of WiMAX varies. For example, the function of authenticating the host may be given to a network authentication server (NAS), or to a Broadband Remote Access Server (BRAS) connected to a back-end network.
- NAS: network authentication server
- BRAS: Broadband Remote Access Server
- Step 103 The authentication network element returns an authentication response message to the GMS.
- the authentication response message may be first replied to the base station, and then the base station encapsulates the authentication response message into a corresponding signaling format and forwards the message to the GMS.
- Step 104 The GMS forwards the authentication response message to the host corresponding to the identifier information according to the identifier information carried in the authentication response message.
- the authentication response message may be first converted into a corresponding signaling format and then forwarded to the host.
- Step 105 After receiving the authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in the authentication confirmation message and sends the authentication result to the authentication network element.
- Step 106 The authentication network element sends the authentication confirmation message to the GMS by using the base station.
- the authentication request is sent to the authentication server by the authentication network element after the signaling format is converted in the uplink direction.
- the authentication confirmation message is converted to the signaling format by the authentication network element, and then sent to the GMS.
- Step 107 The GMS may forward the authentication confirmation message to the host corresponding to the identifier information according to the identifier information carried in the authentication confirmation message when needed.
- the network element node obtains the authentication result of the host. According to the authentication result, the network element node can determine whether to open or close the authorized port, thereby avoiding illegal access by illegal users and improving the security of the system.
- the embodiment provides a multi-host access authentication method when the authentication network element in the WiMAX network is a NAS. As shown in FIG. 4A, the method includes:
- Step 201 After receiving the access request message from a host, the GMS carries the identifier information of the host in the authentication start message and sends it to the base station.
- the above host refers to a host in the WiMAX system in a multi-host scenario. Specifically, when requesting access authentication, the host may send EAPoL/EAP-START signaling as the access request message; after the GMS detects that the EAPoL/EAP-START signaling is an EAPoL-format data packet, it may convert the EAPoL/EAP-START signaling into PKMv2/EAP-START signaling, carry the identifier information of the host in the PKMv2/EAP-START signaling and send it to the base station.
- Step 202 The base station sends a first authentication request message to the NAS after receiving the authentication start message.
- the GMS is the first authentication control point; therefore, at this time the NAS actually plays the role of the AAA proxy of the access network, and may also have some control functions.
- the NAS may be a default NAS configured for the BS in advance, and the access terminal under the BS uses the NAS.
- the first authentication request message may be AR-EAP-START signaling.
- Step 203 The NAS returns a first authentication response message to the GMS.
- the AR-EAP-Transfer/Identity-Req signaling may be replied to the base station; the base station encapsulates the AR-EAP-Transfer/Identity-Req signaling into PKM-RSP/EAP Transfer signaling and forwards it to the GMS.
- Step 204 The GMS forwards the first authentication response message to the host corresponding to the identifier information according to the identifier information carried in the first authentication response message.
- the received PKM-RSP/EAP Transfer signaling may be converted into EAPoL-Request signaling and sent to the host.
- Step 205 After receiving the first authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in the first authentication confirmation message and sends the authentication result to the NAS.
- the authentication data packet includes the foregoing first authentication confirmation message, and the authentication data packet is sent to the authentication server after being converted by the NAS.
- the signaling format conversion includes conversion from R4/R6 signaling AR-EAP-Transfer to an IP-based RADIUS or DIAMETER authentication protocol on the R3 interface.
- Step 206 The NAS sends the first authentication confirmation message to the GMS by using the base station.
- the NAS converts the authentication data packet of the IP-based RADIUS or DIAMETER authentication protocol on the R3 interface into R4/R6 signaling, and then sends it to the GMS through the base station, encapsulated in a PKM message on the air interface.
- Step 207 the GMS may further forward the first authentication confirmation message to the host corresponding to the identification information according to the identifier information carried in the first authentication confirmation message.
- FIG. 4B is a signaling diagram of the method in this embodiment.
- the host is authenticated, and the GMS is informed of the authentication result of the host. According to the authentication result, the GMS can determine whether to open or close the authorized port, thereby avoiding illegal access by illegal users and improving the security of the system.
- the embodiment provides a multi-host access authentication method when the authentication network element in the WiMAX network is a BRAS. As shown in FIG. 5A, the method includes:
- Step 301 After receiving the access request message from a host, the GMS carries the identifier information of the host in the authentication start message and sends the message to the base station.
- Step 302 After receiving the authentication start message, the base station sends a second authentication request message to the BRAS.
- the sending the second authentication request message may be in various forms.
- the base station first converts the authentication start message into a second authentication request message in an EAPoL format, and then sends the message to the BRAS.
- the second authentication request message may be EAPoL-START signaling. It should be noted that, when the message format is converted, the authentication start message may be sent to the NAS first, and then the NAS converts the authentication start message into a second authentication request message in the EAPoL format, and then sends the message to the BRAS.
- the second authentication request message is forwarded to the BRAS.
- the second authentication request message may be EAPoPPP (EAP over Point-to-Point Protocol) -START signaling.
- EAPoPPP: EAP over Point-to-Point Protocol
- Step 303 The BRAS replies to the GMS with a second authentication response message.
- the second authentication response message may be EAPoL-Request/Identity signaling; in the signaling process shown in FIG. 5C, the second authentication response message may be EAPoPPP-Request/Identity Signaling.
- Step 304 The GMS forwards the second authentication response message to the host corresponding to the identifier information according to the identifier information carried in the second authentication response message.
- the received PKM-RSP/EAP Transfer signaling may be converted into EAPoL-Request signaling and sent to the host.
- Step 305 After receiving the second authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in the second authentication confirmation message and sends the authentication result to the BRAS.
- the authentication data packet includes the foregoing second authentication confirmation message, and the authentication data packet is converted to a signaling format by the BRAS, and then sent to the authentication server.
- the signaling format conversion includes: conversion from EAPoL or EAPoPPP signaling to the IP-based RADIUS or DIAMETER authentication protocol on the R3 interface (the interface between the BRAS and the AAA); or, in the opposite direction, conversion of the authentication data packet of the IP-based RADIUS or DIAMETER authentication protocol on the R3 interface into EAPoL or EAPoPPP signaling, which is sent to the base station, encapsulated by the base station into a PKM message on the air interface, and sent to the GMS.
- the tunnel establishment process can be started. Specifically, the tunnel between the BRAS and the HA and the tunnel between the HA and the ASN are established.
- the tunnel between the BRAS and the HA may be a Mobile IP (MIP) tunnel; the tunnel between the HA and the ASN may be a Proxy Mobile IP (PMIP) tunnel.
- MIP: Mobile IP
- PMIP: Proxy Mobile IP
- the host is notified of the authentication result.
- the Ethernet tunnel can then be used directly to transmit Ethernet packets. Specifically, the host may first send the Ethernet packet to the GMS; the GMS sends it through the air interface using the Ethernet Convergence Sublayer (Eth-CS) to the Foreign Agent (FA).
- FA: Foreign Agent
- the FA encapsulates it as MIP data and forwards it to the HA, and the HA finally encapsulates it and forwards it to the BRAS.
- the specific tunnel establishment process mainly includes the following steps: after the authentication server obtains the successful authentication result, it notifies the HA to establish a tunnel to the BRAS and provides the key information required for the HA to establish the MIP tunnel; the successful authentication result is also returned to the ASN. After the NAS in the ASN receives the successful authentication result returned by the authentication server, it sends a MIP request (MIP-RRQ) to establish a PMIP tunnel. The data plane protocol stack is shown in FIG. 5E.
- Step 306 The BRAS sends the second authentication confirmation message to the GMS by using the base station.
- Step 307 the GMS may further forward the second authentication confirmation message to the host corresponding to the identification information according to the identifier information carried in the second authentication confirmation message.
- the ASN can continue to perform the Network Core Protocol (NCP) process of the Point-to-Point Protocol (PPP).
- PPP: Point-to-Point Protocol
- NCP: Network Core Protocol
- the result is informed to the host through this process; or the host uses the established PPP channel to obtain the high-level configuration information through the Dynamic Host Configuration Protocol (DHCP).
- the host is authenticated by the BRAS, and the GMS is informed of the authentication result of the host. According to the authentication result, the GMS can determine whether to open or close the authorized port, thereby avoiding illegal access by illegal users and improving the security of the system.
- the embodiment provides a multi-host access authentication system for a WiMAX network.
- the system includes a network element node 10, a base station 20, a NAS 30, and an authentication server 40.
- the network element node 10 includes a first network element module 11 and a second network element module 12; the base station 20 includes a first base station module 21 and a second base station module 22; the NAS 30 includes a first network module 31 and a second network module 32; the authentication server 40 includes a first authentication module 41 and a second authentication module 42.
- the network element node 10 may specifically be a node having a gateway access function or the like, such as a GMS. Its working principle is as follows:
- after receiving the access request message from a host, the first network element module 11 of the network element node 10 carries the identifier information of the host in the authentication start message for transmission; after receiving the authentication start message from the network element node 10, the first base station module 21 in the base station 20 sends the first authentication request message; after receiving the first authentication request message sent by the base station 20, the first network module 31 of the NAS 30 replies with the first authentication response message;
- the second base station module 22 in the base station 20 sends the received first authentication response message from the NAS 30 to the network element node 10; according to the identifier information carried in the first authentication response message received from the base station 20, the second network element module 12 of the network element node 10 forwards it to the host corresponding to the identifier information;
- after receiving the first authentication response message, the host performs access authentication with the first authentication module 41 of the authentication server 40; the second authentication module 42 of the authentication server 40 carries the authentication result of the first authentication module 41 in the first authentication confirmation message and sends it to the NAS 30; the second network module 32 of the NAS 30 sends the first authentication confirmation message from the authentication server 40 to the network element node 10 through the base station 20.
- the host is authenticated by the NAS, and the GMS is informed of the authentication result of the host. According to the authentication result, the GMS can determine whether to open or close the authorized port, thereby avoiding illegal access by illegal users and improving the security of the system.
- the BRAS 50 includes a first remote module 51 and a second remote module 52.
- the base station 20 further includes: a third base station module 23. Its working principle is as follows:
- after receiving the authentication start message from the network element node 10, the third base station module 23 of the base station 20 converts the authentication start message into a second authentication request message in the EAPoL format and sends it to the BRAS 50; after receiving the second authentication request message from the base station 20, the first remote module 51 in the BRAS 50 replies to the base station 20 with a second authentication response message.
- the second base station module 22 in the base station 20 sends the received second authentication response message from the BRAS 50 to the network element node 10; according to the identifier information carried in the second authentication response message received from the base station 20, the second network element module 12 of the network element node 10 forwards it to the host corresponding to the identifier information;
- after receiving the second authentication response message, the host performs access authentication with the first authentication module 41 of the authentication server 40; the second authentication module 42 of the authentication server 40 carries the authentication result of the first authentication module 41 in the second authentication confirmation message and sends it to the BRAS 50; the second remote module 52 of the BRAS 50 sends the second authentication confirmation message from the authentication server to the network element node 10 through the base station 20.
- NAS and BRAS can exist at the same time on the physical level.
- one of them can be selected to implement the function of the authentication network element.
- the multi-host access authentication system of the WiMAX network in this embodiment may further include an HA 60. After the authentication server carries the authentication result in the second authentication confirmation message, the HA 60 establishes a tunnel with the BRAS, which may specifically be a MIP tunnel, and a tunnel with the ASN where the NAS is located, which may specifically be a PMIP tunnel, to further improve data transmission efficiency.
- the host is authenticated by the BRAS, and the GMS is informed of the authentication result of the host. According to the authentication result, the GMS can determine whether to open or close the authorized port, thereby avoiding illegal access by illegal users and improving the security of the system.
- the method of the embodiments of the present invention may be implemented in the form of a software product stored in a storage medium, comprising instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform the method of the embodiments of the present invention.
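Steps 101 to 107 of Embodiment 1 above, and their NAS and BRAS variants in Embodiments 2 and 3, describe the GMS as a relay: it tags each host's EAP start with the host's identifier, forwards each authentication response back to the host named by that identifier, and uses the final authentication result to open or close that host's authorized port. The following Python simulation is an added example written for this page; it is not code from the patent or from any WiMAX implementation. It uses the real EAPoL (IEEE 802.1X) and EAP (RFC 3748) header layouts, but the PKMv2 message format (`type | host MAC | EAP payload`) is a deliberately simplified, constructed stand-in for the 802.16e encoding; the `GMS` class, its method names and the MAC addresses are assumptions. It also makes explicit two behaviours the description implies but does not spell out: a host's port stays closed until an EAP-Success for that host arrives, and a message whose identifier matches no pending host is dropped rather than delivered to some other host.

```python
"""Simulated GMS relay for multi-host EAP access authentication (constructed example)."""
import struct
from dataclasses import dataclass, field

# EAPoL header (IEEE 802.1X): version(1) | type(1) | body length(2)
EAPOL_VERSION = 1
EAPOL_EAP_PACKET = 0   # body carries an EAP packet
EAPOL_START = 1        # EAPoL-Start, empty body
# EAP codes and the Identity type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# Hypothetical PKMv2 message types used only by this simulation; the real
# 802.16e PKM encoding is TLV based and is not reproduced here.
PKM_EAP_START = 0x10
PKM_EAP_TRANSFER = 0x11


def eapol_frame(eapol_type: int, body: bytes = b"") -> bytes:
    """Build an EAPoL frame: header followed by body."""
    return struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def parse_eapol(frame: bytes):
    """Return (type, body); reject frames whose length field overruns the data."""
    if len(frame) < 4:
        raise ValueError("short EAPoL frame")
    _, eapol_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPoL frame")
    return eapol_type, body


def eap_packet(code: int, ident: int, data: bytes = b"") -> bytes:
    """Build an EAP packet: code(1) | identifier(1) | length(2) | data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def pkm_message(msg_type: int, host_mac: bytes, eap: bytes = b"") -> bytes:
    """Simplified PKMv2 message (constructed format): type(1) | host MAC(6) | EAP payload."""
    return bytes([msg_type]) + host_mac + eap


def parse_pkm(msg: bytes):
    """Split a simplified PKMv2 message into (type, host MAC, EAP payload)."""
    if len(msg) < 7:
        raise ValueError("short PKM message")
    return msg[0], msg[1:7], msg[7:]


@dataclass
class GMS:
    """Gateway mobile station relaying EAP for several hosts behind one WiMAX link."""
    ports: dict = field(default_factory=dict)     # host MAC -> authorized port open?
    pending: set = field(default_factory=set)     # hosts with authentication in progress
    to_bs: list = field(default_factory=list)     # PKMv2 messages queued for the BS
    to_host: dict = field(default_factory=dict)   # host MAC -> EAPoL frames queued for it

    def from_host(self, mac: bytes, frame: bytes) -> None:
        """Step 101: EAPoL from a host becomes PKMv2 carrying the host MAC as identifier."""
        self.ports.setdefault(mac, False)          # a new host starts with its port closed
        eapol_type, body = parse_eapol(frame)
        if eapol_type == EAPOL_START:
            self.pending.add(mac)
            self.to_bs.append(pkm_message(PKM_EAP_START, mac))
        elif eapol_type == EAPOL_EAP_PACKET and mac in self.pending:
            self.to_bs.append(pkm_message(PKM_EAP_TRANSFER, mac, body))
        # any other frame from a host that has not started authentication is dropped

    def from_bs(self, msg: bytes) -> str:
        """Steps 104 and 107: demultiplex a PKMv2 message to the host named by its identifier."""
        _, mac, eap = parse_pkm(msg)
        if mac not in self.pending:
            return "dropped"        # unknown identifier: never deliver to a different host
        if eap:
            code = eap[0]
            if code in (EAP_SUCCESS, EAP_FAILURE):   # authentication confirmation
                self.ports[mac] = code == EAP_SUCCESS
                self.pending.discard(mac)
            self.to_host.setdefault(mac, []).append(eapol_frame(EAPOL_EAP_PACKET, eap))
        return "open" if self.ports[mac] else "closed"


def simulate() -> dict:
    """Two hosts authenticate through one GMS; returns {mac_hex: port_open}."""
    gms = GMS()
    host_a = bytes.fromhex("020000000001")   # constructed MAC addresses
    host_b = bytes.fromhex("020000000002")
    host_c = bytes.fromhex("020000000003")   # never started authentication
    for mac in (host_a, host_b):
        gms.from_host(mac, eapol_frame(EAPOL_START))
    # The NAS answers each start with an Identity-Request; the GMS demultiplexes them.
    for mac in (host_a, host_b):
        gms.from_bs(pkm_message(PKM_EAP_TRANSFER, mac,
                                eap_packet(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))))
        identity = bytes([EAP_TYPE_IDENTITY]) + b"user@" + mac.hex().encode()
        gms.from_host(mac, eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 1, identity)))
    # Confirmations: A succeeds, B fails, C is unknown to the GMS and must be dropped.
    gms.from_bs(pkm_message(PKM_EAP_TRANSFER, host_a, eap_packet(EAP_SUCCESS, 2)))
    gms.from_bs(pkm_message(PKM_EAP_TRANSFER, host_b, eap_packet(EAP_FAILURE, 2)))
    gms.from_bs(pkm_message(PKM_EAP_TRANSFER, host_c, eap_packet(EAP_SUCCESS, 2)))
    return {mac.hex(): is_open for mac, is_open in gms.ports.items()}
```

`simulate()` runs two hosts through the exchange and returns the resulting port states. The same demultiplexing keyed on the host identifier applies whether the authentication network element is a NAS or a BRAS, since only the signaling on the far side of the base station differs; the GMS never needs to interpret the EAP method itself, only the EAP code of the final confirmation.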
Abstract
A multi-host access authentication method and system for a WiMAX network. The method includes: after an access request message from a host is received, identifier information of the host is carried in an authentication start message and sent to an authentication network element; according to the identifier information carried in an authentication response message received from the authentication network element, the authentication response message is forwarded to the host corresponding to the identifier information, so that the host performs access authentication with an authentication server after receiving the authentication response message and the authentication server sends an authentication result to the authentication network element; and the authentication result sent by the authentication network element is received. The system includes a network element node, a base station, a NAS, and an authentication server. Applying the present invention enables the network element node to acquire the authentication result of the host and to decide, according to the authentication result, whether an authorized port is opened or closed; it can also avoid illegal access by illegal users and improve the security of the system.
Description
Multi-host access authentication method and system for WiMAX network. This application claims priority to Chinese patent application No. 200810055741.4, filed with the Chinese Patent Office on January 8, 2008 and entitled "Multi-host Access Authentication Method and System for WiMAX Network", the entire contents of which are incorporated herein by reference. Technical field
The present invention relates to the field of communications technologies, and in particular to a multi-host access authentication method and system for a Worldwide Interoperability for Microwave Access (WiMAX) network. Background art
The WiMAX system is a wireless Internet access system. With the rapid growth of Internet services and the widespread deployment of wireless networks, existing WiMAX systems can be divided by networking form into multi-host (Multi-Host) scenarios and non-multi-host scenarios.
FIG. 1 is a flow chart of the access authentication signaling in a non-multi-host scenario. On the air interface, the supplicant mobile station (Mobile Station, MS) carries Extensible Authentication Protocol (EAP) messages in Privacy Key Management (PKM) v2 protocol messages; between the base station (Base Station, BS) and the gateway (GateWay, GW) inside the Access Service Network (ASN), EAP messages are carried in authentication relay (Auth. Relay) protocol messages; and between the ASN and the Connective Service Network (CSN), EAP messages are carried in RADIUS messages. PKMv2 is version 2 of the privacy key management protocol defined in 802.16e; it is used for key security association management on the air interface and for carrying EAP data. The authentication relay protocol is a protocol defined by the WiMAX access network for carrying EAP data. Extensible Authentication Protocol over LAN (EAPoL) is an authentication bearer protocol for local area networks, used mainly to encapsulate EAP data in Ethernet packets.
In a non-multi-host scenario, during network selection for WiMAX access, each ASN broadcasts information about the Network Service Providers (NSPs) it is connected to, including directly connected NSPs and NSPs reachable through roaming agreements. The mobile station then selects an ASN/NAP to access according to its own subscription information, and indicates the result of the network selection in the Network Access Identifier (NAI) carried in the access authentication message.
The multi-host scenario is another networking form of the WiMAX system; it allows multi-host deployments at different locations, such as airports, coffee bars or trains. FIG. 2 is a schematic diagram of the network structure of the WiMAX system in a multi-host scenario. The ASN consists of one or more wireless base stations and an Access Service Network Gateway (ASN-GW); as a logical entity, the ASN manages the IEEE 802.16 air interface and provides wireless access for WiMAX users. The CSN consists of accounting servers, such as an Authentication, Authorization and Accounting (AAA) server, a Home Agent (HA) and an IP Multimedia Subsystem (IMS) core, and provides IP connectivity, services and management.
Because of the price advantage and high market share of Wireless Fidelity (WiFi) and Ethernet access, WiFi and Ethernet can be used for access at the far end of the deployment, and the host (HOST) and the gateway mobile station (Gateway MS, GMS) can be connected using WiMAX access. The connection between the GMS and the ASN can be a WiMAX wireless connection. The GMS may attach to the ASN/CSN network before the HOST accesses, or only after the HOST has accessed.
A drawback of the prior art is that when an existing WiMAX system performs access authentication for a host in a multi-host scenario, the EAP messages are sent as data over the air interface, which is transparent to the BS/GMS. Consequently, neither the BS nor the GMS knows the result of the HOST authentication. In some scenarios, however, the GMS needs to know the HOST authentication result; for example, the GMS needs to decide, according to the HOST authentication result, whether to open or close the port so as to prevent unauthorized access by illegitimate users. Summary of the invention
The problem to be solved by the present invention is to provide a multi-host access authentication method and system for a WiMAX network that enable the GMS to learn the authentication result when access authentication is performed for a host.
To solve the above problem, an embodiment of the present invention provides a multi-host access authentication method for a WiMAX network, including:
after an access request message from a host is received, sending the identifier information of the host, carried in an authentication start message, to an authentication network element;
forwarding, according to the identifier information carried in an authentication response message received from the authentication network element, the authentication response message to the host corresponding to the identifier information, so that the host, after receiving the authentication response message, performs access authentication with an authentication server and the authentication server sends the authentication result to the authentication network element; and receiving the authentication result sent by the authentication network element.
To solve the above problem, another embodiment of the present invention provides a network element node, including:
a first network element module, configured to, after receiving an access request message from a host, carry the identifier information of the host in an authentication start message and send it;
a second network element module, configured to forward the authentication response message to the host corresponding to the identifier information, according to the identifier information carried in a received first authentication response message.
To solve the above problem, another embodiment of the present invention provides a multi-host access authentication system for a WiMAX network, including a network element node, a base station, a NAS and an authentication server, where:
the network element node includes:
a first network element module, configured to, after receiving an access request message from a host, carry the identifier information of the host in an authentication start message and send it;
a second network element module, configured to forward the authentication response message to the host corresponding to the identifier information, according to the identifier information carried in a received first authentication response message; the base station includes:
a first base station module, configured to send a first authentication request message after receiving an authentication start message from the network element node;
a second base station module, configured to send a received first authentication response message to the network element node;
the NAS includes:
a first network module, configured to reply with a first authentication response message after receiving the first authentication request message from the base station;
a second network module, configured to send a first authentication confirmation message from the authentication server to the network element node through the base station;
the authentication server includes:
a first authentication module, configured to perform access authentication with the host after the host has received the first authentication response message;
a second authentication module, configured to carry the authentication result of the first authentication module in the first authentication confirmation message and send it to the NAS.
Through the present invention, the network element node learns the authentication result of the host and, according to that result, can decide whether to open or close the authorized port, which prevents unauthorized access by illegitimate users and improves the security of the system.
To solve the above problem, another embodiment of the present invention further provides a multi-host access authentication system for a WiMAX network, including a host, a network element node, an authentication network element and an authentication server, where:
the host is configured to send an access request message to the network element node;
the network element node is configured to: after receiving an access request message from a host, carry the identifier information of the host in an authentication start message and send it to the authentication network element; forward, according to the identifier information carried in an authentication response message received from the authentication network element, the authentication response message to the host corresponding to the identifier information, so that the host, after receiving the authentication response message, performs access authentication with the authentication server and the authentication server sends the authentication result to the authentication network element; and receive the authentication result sent by the authentication network element;
the authentication network element is configured to reply with an authentication response message to the network element node after receiving an authentication start message from the network element node;
the authentication server is configured to perform access authentication with the host and to send the authentication result to the authentication network element.
The technical solution of the present invention is described in further detail below with reference to the accompanying drawings and embodiments. Brief description of the drawings
FIG. 1 is a flow chart of the access authentication signaling of a WiMAX system in an existing non-multi-host scenario;
FIG. 2 is a schematic diagram of the network structure of a WiMAX system in an existing multi-host scenario;
FIG. 3 is a flow chart of the multi-host access authentication method for a WiMAX network according to method embodiment 1 of the present invention;
FIG. 4A is a flow chart of the multi-host access authentication method for a WiMAX network according to method embodiment 2 of the present invention;
FIG. 4B is a signaling diagram of the multi-host access authentication method for a WiMAX network according to method embodiment 2 of the present invention;
FIG. 5A is a flow chart of the multi-host access authentication method for a WiMAX network according to method embodiment 3 of the present invention;
FIG. 5B is a signaling diagram of the multi-host access authentication method for a WiMAX network according to method embodiment 3 of the present invention;
FIG. 5C is another signaling diagram of the multi-host access authentication method for a WiMAX network according to method embodiment 3 of the present invention;
FIG. 5D is a signaling diagram of the tunnel establishment process according to method embodiment 3 of the present invention;
FIG. 5E is a diagram of the data plane protocol stack for the tunnel establishment process according to method embodiment 3 of the present invention;
FIG. 6 is a schematic structural diagram of the multi-host access authentication system for a WiMAX network according to system embodiment 1 of the present invention;
FIG. 7 is a schematic structural diagram of the multi-host access authentication system for a WiMAX network according to system embodiment 2 of the present invention;
FIG. 8 is a schematic structural diagram of another multi-host access authentication system for a WiMAX network according to system embodiment 2 of the present invention. Detailed description of embodiments
Method embodiment 1
This embodiment provides a multi-host access authentication method for a WiMAX network which, as shown in FIG. 3, includes:
Step 101: after receiving an access request message from a host, the network element node carries the identifier information of the host in an authentication start message and sends it to the base station (Base Station, BS) on the network side.
It should first be noted that the above network element node may specifically be a node with a gateway access function or a similar function, such as a GMS. For convenience of description, this embodiment and the following embodiments take only the GMS as an example; for other types of network element nodes, the corresponding method or structure is similar to that of the GMS and is not repeated here.
The above host refers to a host in the WiMAX system in a multi-host scenario. Specifically, when requesting access authentication, the host may send EAPoL/EAP-START signaling as the access request message; after detecting that the EAPoL/EAP-START signaling is a packet in EAPoL format, the GMS may convert it into PKMv2/EAP-START signaling, carry the identifier information of the host in that PKMv2/EAP-START signaling and send it to the base station. The identifier information may be information associated with the Media Access Control (MAC) address of the host.
Step 102: after receiving the authentication start message, the base station sends an authentication request message to the authentication network element.
The authentication network element is the network element used to authenticate the host, and it may differ depending on the specific network architecture of the WiMAX deployment. For example, it may be a Network Authentication Server (NAS) dedicated to authenticating hosts in the network, or a Broadband Remote Access Server (BRAS) connected to a back-end network.
Step 103: the authentication network element replies with an authentication response message to the GMS.
Specifically, the authentication response message may first be returned to the base station, and the base station then encapsulates it in the corresponding signaling format and forwards it to the GMS.
Step 104: according to the identifier information carried in the authentication response message, the GMS forwards the authentication response message to the host corresponding to that identifier information.
Specifically, the authentication response message may first be converted into the corresponding signaling format and then forwarded to the host.
Step 105: after receiving the authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in an authentication confirmation message and sends it to the authentication network element.
Step 106: the authentication network element sends the authentication confirmation message to the GMS through the base station.
During host authentication, in the uplink direction the authentication request undergoes signaling format conversion at the authentication network element and is then sent to the authentication server; in the downlink direction the authentication confirmation message undergoes signaling format conversion at the authentication network element and is then sent to the GMS.
Step 107: in addition, when needed, the GMS may forward the authentication confirmation message to the host corresponding to the identifier information carried in that authentication confirmation message.
Through the method of this embodiment, the network element node learns the authentication result of the host and, according to that result, can decide whether to open or close the authorized port, which prevents unauthorized access by illegitimate users and improves the security of the system.
Method embodiment 2
This embodiment provides a multi-host access authentication method for the case where the authentication network element in the WiMAX network is a NAS, which, as shown in FIG. 4A, includes:
Step 201: after receiving an access request message from a host, the GMS carries the identifier information of the host in an authentication start message and sends it to the base station.
The above host refers to a host in the WiMAX system in a multi-host scenario. Specifically, when requesting access authentication, the host may send EAPoL/EAP-START signaling as the access request message; after detecting that the EAPoL/EAP-START signaling is a packet in EAPoL format, the GMS may convert it into PKMv2/EAP-START signaling, carry the identifier information of the host in that PKMv2/EAP-START signaling and send it to the base station.
Step 202: after receiving the authentication start message, the base station sends a first authentication request message to the NAS.
In the multi-host scenario, the GMS serves as the first authentication control point; the NAS therefore effectively acts as an AAA proxy in the access network, and may also have some control functions. Specifically, the NAS may be a default NAS configured in advance for the BS, used by all access terminals under that BS.
Specifically, the first authentication request message may be AR-EAP-START signaling. Step 203: the NAS replies with a first authentication response message to the GMS.
Specifically, AR-EAP-Transfer/Identity-Req signaling may first be returned to the base station, and the base station then encapsulates the AR-EAP-Transfer/Identity-Req signaling as PKM-RSP/EAP Transfer signaling and forwards it to the GMS.
Step 204: according to the identifier information carried in the first authentication response message, the GMS forwards the first authentication response message to the host corresponding to that identifier information.
Specifically, the received PKM-RSP/EAP Transfer signaling may be converted into EAPoL-Request signaling and sent to the host.
Step 205: after receiving the first authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in a first authentication confirmation message and sends it to the NAS.
Specifically, during host authentication the authentication packets, which include the above first authentication confirmation message, undergo signaling format conversion at the NAS before being sent to the authentication server. The signaling format conversion includes converting from the R4/R6 signaling AR-EAP-Transfer into an IP-based authentication protocol such as RADIUS or DIAMETER on the R3 interface.
Step 206: the NAS sends the first authentication confirmation message to the GMS through the base station.
Specifically, the NAS converts the authentication packets of the IP-based RADIUS or DIAMETER authentication protocol on the R3 interface into R4/R6 signaling and sends them to the base station; the base station then encapsulates those authentication packets as PKM messages on the air interface and sends them to the GMS.
Step 207: in addition, when needed, the GMS may forward the first authentication confirmation message to the host corresponding to the identifier information carried in that first authentication confirmation message. FIG. 4B is the signaling diagram of the method of this embodiment.
Through the method of this embodiment, the host is authenticated for access and the GMS learns the authentication result of the host. According to that result, the GMS can decide whether to open or close the authorized port, which prevents unauthorized access by illegitimate users and improves the security of the system.
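The relay logic of steps 101 to 107 and its NAS-specific form in steps 201 to 207, written up as an added Python example that is not the patent's own code: a GMS that labels the host's EAPoL-Start with its MAC address, demultiplexes the returned PKM-RSP/EAP Transfer by that label, drops anything whose label matches no pending host, and opens or closes the per-host authorized port only on the final EAP-Success or EAP-Failure. The PKMv2 message types, the TLV layout and the port table are assumptions made for the demonstration; only the EAP header follows the EAP standard.

```python
"""Simulation of the label-based EAP relay at the GMS (method embodiments 1 and 2).

Added example, not the patent's code. PKMv2 message types, TLV layout, EAPoL frame
representation and the port table are assumptions; the EAP header follows RFC 3748.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# EAP codes and the Identity type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# EAPoL packet types (IEEE 802.1X): 0 = EAP-Packet, 1 = EAPOL-Start
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
# Assumed PKMv2 message types and TLV tags for this simulation
PKM_EAP_START, PKM_EAP_TRANSFER = 0x10, 0x11
TLV_HOST_ID, TLV_EAP_PAYLOAD = 0x01, 0x02


@dataclass
class EapolFrame:
    host_mac: bytes        # source MAC on the host-facing (Ethernet/WiFi) side
    pkt_type: int          # EAPOL_START or EAPOL_EAP_PACKET
    eap: bytes = b""       # raw EAP packet; empty for EAPOL-Start


def build_eap(code: int, ident: int, eap_type: Optional[int] = None,
              data: bytes = b"") -> bytes:
    """Encode an EAP packet; Success/Failure carry no type octet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def encode_pkm(msg_type: int, host_id: bytes, eap: bytes = b"") -> bytes:
    """PKMv2 message whose first TLV is the host label (assumed layout)."""
    out = bytes([msg_type]) + struct.pack("!BH", TLV_HOST_ID, len(host_id)) + host_id
    if eap:
        out += struct.pack("!BH", TLV_EAP_PAYLOAD, len(eap)) + eap
    return out


def decode_pkm(raw: bytes) -> Tuple[int, Dict[int, bytes]]:
    """Inverse of encode_pkm; a truncated TLV ends parsing instead of being trusted."""
    msg_type, pos, tlvs = raw[0], 1, {}
    while pos + 3 <= len(raw):
        tag, length = struct.unpack("!BH", raw[pos:pos + 3])
        if pos + 3 + length > len(raw):
            break
        tlvs[tag] = raw[pos + 3:pos + 3 + length]
        pos += 3 + length
    return msg_type, tlvs


@dataclass
class Gms:
    """Gateway MS: converts EAPoL <-> PKMv2 and keeps one authorized port per host."""
    pending: Dict[bytes, int] = field(default_factory=dict)  # mac -> last EAP id seen
    ports: Dict[bytes, str] = field(default_factory=dict)    # mac -> "closed" / "open"

    def from_host(self, frame: EapolFrame) -> Optional[bytes]:
        """Uplink (steps 101/201): EAPoL-Start becomes PKMv2/EAP-Start labelled with
        the host MAC; later EAP-Responses are relayed under the same label."""
        if frame.pkt_type == EAPOL_START:
            self.pending[frame.host_mac] = 0
            self.ports.setdefault(frame.host_mac, "closed")  # closed until authenticated
            return encode_pkm(PKM_EAP_START, frame.host_mac)
        if frame.pkt_type == EAPOL_EAP_PACKET and frame.host_mac in self.pending:
            return encode_pkm(PKM_EAP_TRANSFER, frame.host_mac, frame.eap)
        return None  # EAP traffic from a host that never started: dropped

    def from_bs(self, raw: bytes) -> Optional[EapolFrame]:
        """Downlink (steps 104/204 and 107/207): select the host by label, convert to
        EAPoL, and open or close that host's port on EAP-Success / EAP-Failure."""
        msg_type, tlvs = decode_pkm(raw)
        mac, eap = tlvs.get(TLV_HOST_ID), tlvs.get(TLV_EAP_PAYLOAD)
        if msg_type != PKM_EAP_TRANSFER or mac not in self.pending or not eap:
            return None  # unknown or missing label: cannot be attributed, drop
        if len(eap) < 4 or struct.unpack("!BBH", eap[:4])[2] != len(eap):
            return None  # malformed EAP length field: drop rather than forward
        code, ident = eap[0], eap[1]
        if code in (EAP_SUCCESS, EAP_FAILURE):
            # final result (steps 106/206): open the authorized port only on Success
            self.ports[mac] = "open" if code == EAP_SUCCESS else "closed"
            self.pending.pop(mac)
        elif code == EAP_REQUEST:
            self.pending[mac] = ident
        return EapolFrame(mac, EAPOL_EAP_PACKET, eap)


def demo() -> Dict[bytes, str]:
    """Constructed two-host run: host A is authenticated, host B is rejected."""
    gms = Gms()
    host_a, host_b = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    for mac in (host_a, host_b):
        gms.from_host(EapolFrame(mac, EAPOL_START))
        # NAS answers AR-EAP-Transfer/Identity-Req, seen by the GMS as PKM-RSP/EAP Transfer
        gms.from_bs(encode_pkm(PKM_EAP_TRANSFER, mac, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
        gms.from_host(EapolFrame(mac, EAPOL_EAP_PACKET,
                                 build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"user@nsp.example")))
    gms.from_bs(encode_pkm(PKM_EAP_TRANSFER, host_a, build_eap(EAP_SUCCESS, 2)))
    gms.from_bs(encode_pkm(PKM_EAP_TRANSFER, host_b, build_eap(EAP_FAILURE, 2)))
    return dict(gms.ports)
```

The same demultiplexing applies unchanged when the authentication network element is a BRAS, as in method embodiment 3.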
Method embodiment 3
This embodiment provides a multi-host access authentication method for the case where the authentication network element in the WiMAX network is a BRAS, which, as shown in FIG. 5A, includes:
Step 301: after receiving an access request message from a host, the GMS carries the identifier information of the host in an authentication start message and sends it to the base station.
Step 302: after receiving the authentication start message, the base station sends a second authentication request message to the BRAS.
Specifically, the second authentication request message may be sent in several forms. For example, as shown in FIG. 5B, the base station may first convert the authentication start message into a second authentication request message in EAPoL format and then send it to the BRAS; the second authentication request message may be EAPoL-START signaling. It should be noted that, for this message format conversion, the authentication start message may instead be sent to the NAS first, and the NAS converts it into a second authentication request message in EAPoL format and then sends it to the BRAS.
Alternatively, as shown in FIG. 5C, after a PPP over Ethernet (PPPoE) session is established with the BRAS, the second authentication request message is forwarded to the BRAS. In this case the second authentication request message may be EAPoPPP (EAP over Point-to-Point Protocol)-START signaling.
Step 303: the BRAS replies with a second authentication response message to the GMS. Specifically, in the signaling flow of FIG. 5B the second authentication response message may be EAPoL-Request/Identity signaling; in the signaling flow of FIG. 5C it may be EAPoPPP-Request/Identity signaling.
Step 304: according to the identifier information carried in the second authentication response message, the GMS forwards the second authentication response message to the host corresponding to that identifier information.
Specifically, the received PKM-RSP/EAP Transfer signaling may be converted into EAPoL-Request signaling and sent to the host.
Step 305: after receiving the second authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in a second authentication confirmation message and sends it to the BRAS.
Specifically, during host authentication the authentication packets, which include the above second authentication confirmation message, undergo signaling format conversion at the BRAS before being sent to the authentication server. The signaling format conversion includes: converting from EAPoL or EAPoPPP signaling into an IP-based authentication protocol such as RADIUS or DIAMETER on the R3 interface (the interface between the BRAS and the AAA); or, in the opposite direction, converting the authentication packets of the IP-based RADIUS or DIAMETER authentication protocol on the R3 interface into EAPoL or EAPoPPP signaling and sending them to the base station, which then encapsulates them as PKM messages on the air interface and sends them to the GMS.
It should be particularly pointed out that, to further improve the efficiency of data transmission, the tunnel establishment process can begin as soon as authentication succeeds. Specifically, this includes establishing a tunnel between the BRAS and the HA and a tunnel between the HA and the ASN. The tunnel between the BRAS and the HA may be a Mobile IP (MIP) tunnel, and the tunnel between the HA and the ASN may be a Proxy Mobile IP (PMIP) tunnel. After the tunnels are established, the host is notified of the authentication result; once the host has received a successful authentication result, it can transmit Ethernet packets directly over the established tunnels. Specifically, the host may first send the Ethernet packet to the GMS; the GMS sends it over the Ethernet Convergence Sublayer (Eth-CS) of the air interface to the Foreign Agent (FA); the FA encapsulates it as MIP data and forwards it to the HA; and finally the HA encapsulates it and forwards it to the BRAS.
The specific tunnel establishment process, as shown in the signaling diagram of FIG. 5D, mainly includes the following steps: after the authentication server obtains an authentication success result, it notifies the HA to establish a tunnel to the BRAS and provides the key information the HA needs to establish the MIP tunnel, and it also returns the authentication success result to the ASN; after the NAS in the ASN receives the authentication success result returned by the authentication server, it sends a MIP request (MIP-RRQ) to establish the PMIP tunnel. The corresponding data plane protocol stack is shown in FIG. 5E.
Step 306: The BRAS sends the second authentication confirmation message to the GMS through the base station.
Step 307: In addition, when needed, the GMS may forward the second authentication confirmation message to the host corresponding to the identification information carried in that message.
In addition, if during the above steps the host has also informed the ASN of its network layer configuration information, the ASN can continue, on behalf of the host, to complete the Network Core Protocol (NCP) phase of the Point-to-Point Protocol (PPP) and then inform the host of the result; alternatively, the host can use the established PPP channel to obtain higher-layer configuration information by means such as the Dynamic Host Configuration Protocol (DHCP).
With the method of this embodiment, the host is access-authenticated through the BRAS, and the GMS learns the host's authentication result. Based on that result, the GMS can decide whether to open or close the authorized port, which prevents illegal access by unauthorized users and improves the security of the system.
System embodiment 1
This embodiment provides a multi-host access authentication system for a WiMAX network. As shown in FIG. 6, it includes a network element node 10, a base station 20, a NAS 30 and an authentication server 40, where: the network element node 10 includes a first network element module 11 and a second network element module 12; the base station 20 includes a first base station module 21 and a second base station module 22; the NAS 30 includes a first network module 31 and a second network module 32; the authentication server 40 includes a first authentication module 41 and a second authentication module 42. The network element node 10 may specifically be a GMS or another node with a gateway access function or a similar function. Its working principle is as follows:
After receiving an access request message from a host, the first network element module 11 of the network element node 10 carries the host's identification information in an authentication start message and sends it; after receiving the authentication start message from the network element node 10, the first base station module 21 of the base station 20 sends a first authentication request message; after receiving the first authentication request message sent by the base station 20, the first network module 31 of the NAS 30 replies with a first authentication response message; the second base station module 22 of the base station 20 sends the first authentication response message received from the NAS 30 to the network element node 10; the second network element module 12 of the network element node 10 forwards the first authentication response message to the host corresponding to the identification information carried in the message received from the base station 20;
After the host receives the first authentication response message, it performs access authentication with the first authentication module 41 of the authentication server 40; the second authentication module 42 of the authentication server 40 carries the authentication result of the first authentication module 41 in a first authentication confirmation message and sends it to the NAS 30; the second network module 32 of the NAS 30 sends the first authentication confirmation message from the authentication server 40 to the network element node 10 through the base station 20.
With the system of this embodiment, the host is access-authenticated through the NAS, and the GMS learns the host's authentication result. Based on that result, the GMS can decide whether to open or close the authorized port, which prevents illegal access by unauthorized users and improves the security of the system.
System embodiment 2
This embodiment improves on system embodiment 1 and provides another multi-host access authentication system for a WiMAX network. As shown in FIG. 7, in addition to the modules described in system embodiment 1, it includes a BRAS 50, which includes a first remote module 51 and a second remote module 52; in addition, the base station 20 further includes a third base station module 23. Its working principle is as follows:
After receiving the authentication start message from the network element node 10, the third base station module 23 of the base station 20 converts the authentication start message into a second authentication request message in EAPoL format and sends it to the BRAS 50; after receiving the second authentication request message from the base station 20, the first remote module 51 of the BRAS 50 replies to the base station 20 with a second authentication response message.
The second base station module 22 of the base station 20 sends the second authentication response message received from the BRAS 50 to the network element node 10; the second network element module 12 of the network element node 10 forwards the second authentication response message to the host corresponding to the identification information carried in the message received from the base station 20;
After the host receives the second authentication response message, it performs access authentication with the first authentication module 41 of the authentication server 40; the second authentication module 42 of the authentication server 40 carries the authentication result of the first authentication module 41 in a second authentication confirmation message and sends it to the BRAS 50; the second remote module 52 of the BRAS 50 sends the second authentication confirmation message from the authentication server to the network element node 10 through the base station 20.
The above NAS and BRAS may both exist at the physical level; when the method provided by the embodiments of the present invention is actually implemented, either one of them may be selected to implement the function of the authentication network element.
In addition, as shown in FIG. 8, the multi-host access authentication system for a WiMAX network described in this embodiment may further include an HA 60, which, after the authentication server has sent the authentication result to the BRAS in the second authentication confirmation message, establishes a tunnel with the BRAS (specifically, a MIP tunnel may be established) and establishes a tunnel with the ASN where the NAS is located (specifically, a PMIP tunnel may be established), so as to further improve the efficiency of data transmission.
With the system of this embodiment, the host is access-authenticated through the BRAS, and the GMS learns the host's authentication result. Based on that result, the GMS can decide whether to open or close the authorized port, which prevents illegal access by unauthorized users and improves the security of the system.
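The following simulation of the BRAS path (method steps above and system embodiments 1 and 2) is an added example and is not code from the patent. It models the message flow GMS -> base station -> BRAS -> AAA and back, with the host identifier carried in every message so the GMS can demultiplex responses to the right host and open or close that host's authorized port. Host identifiers, secrets and the credential table are constructed; the "PKM", "EAPoL" and "RADIUS" tags only label the signaling format at each hop and do not implement those protocols.

```python
from dataclasses import dataclass, field


@dataclass
class Msg:
    kind: str              # AuthStart / AuthReq / AuthResp / EAP / AuthConfirm
    host_id: str           # identification information carried in every message
    fmt: str               # PKM on the air interface, EAPoL towards the BRAS, RADIUS on R3
    payload: dict = field(default_factory=dict)


class AuthServer:
    """AAA server: the first module authenticates, the second carries the result."""

    def __init__(self, credentials):
        self.credentials = credentials          # constructed host_id -> secret table

    def authenticate(self, m):
        assert m.fmt == "RADIUS", "the R3 interface carries RADIUS/DIAMETER, not EAPoL"
        ok = self.credentials.get(m.host_id) == m.payload.get("secret")
        return Msg("AuthConfirm", m.host_id, "RADIUS",
                   {"result": "success" if ok else "failure"})


class BRAS:
    """Authentication network element of system embodiment 2."""

    def __init__(self, aaa):
        self.aaa = aaa

    def on_auth_request(self, m):               # first remote module
        assert m.fmt == "EAPoL"
        return Msg("AuthResp", m.host_id, "EAPoL")

    def on_eap(self, m):                        # signaling format conversion, both directions
        radius_req = Msg("EAP", m.host_id, "RADIUS", m.payload)   # EAPoL -> RADIUS
        confirm = self.aaa.authenticate(radius_req)
        return Msg("AuthConfirm", m.host_id, "EAPoL", confirm.payload)  # RADIUS -> EAPoL


class BaseStation:
    def __init__(self, bras):
        self.bras = bras

    def _to_air(self, m):                       # encapsulate as a PKM message on the air interface
        return Msg(m.kind, m.host_id, "PKM", m.payload)

    def on_auth_start(self, m):                 # third base station module
        req = Msg("AuthReq", m.host_id, "EAPoL")
        return self._to_air(self.bras.on_auth_request(req))   # second base station module

    def relay_eap(self, m):
        return self._to_air(self.bras.on_eap(Msg("EAP", m.host_id, "EAPoL", m.payload)))


class GMS:
    """Network element node: one authorized port per host, keyed by host identifier."""

    def __init__(self, bs):
        self.bs = bs
        self.ports = {}                         # host_id -> "closed" | "open"

    def on_access_request(self, host_id):       # first network element module
        self.ports[host_id] = "closed"          # nothing passes until the AAA result arrives
        resp = self.bs.on_auth_start(Msg("AuthStart", host_id, "PKM"))
        return self.demux(resp)

    def demux(self, m):                         # second network element module
        if m.host_id not in self.ports:
            return None                         # unknown identifier: nothing to forward to
        return m

    def on_host_eap(self, host_id, secret):
        air = self.bs.relay_eap(Msg("EAP", host_id, "PKM", {"secret": secret}))
        confirm = self.demux(air)
        if confirm is None:
            return None
        self.ports[host_id] = "open" if confirm.payload["result"] == "success" else "closed"
        return self.ports[host_id]

    def deliver(self, host_id, frame):          # data plane: only an open port passes frames
        return frame if self.ports.get(host_id) == "open" else None


def run_multi_host(credentials, attempts):
    """Drive the flow for several hosts behind one GMS; returns the GMS with final port states."""
    gms = GMS(BaseStation(BRAS(AuthServer(credentials))))
    for host_id, secret in attempts:
        resp = gms.on_access_request(host_id)
        assert resp.kind == "AuthResp" and resp.host_id == host_id
        gms.on_host_eap(host_id, secret)
    return gms
```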
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on such an understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
The above disclosure is only a few specific embodiments of the present invention; however, the present invention is not limited thereto, and any variation that those skilled in the art can conceive of should fall within the protection scope of the present invention.
Claims
1. A multi-host access authentication method for a Worldwide Interoperability for Microwave Access (WiMAX) network, characterized by comprising:
after receiving an access request message from a host, carrying the identification information of the host in an authentication start message and sending it to an authentication network element;
forwarding, according to the identification information carried in an authentication response message received from the authentication network element, the authentication response message to the host corresponding to the identification information, so that after receiving the authentication response message the host performs access ... receiving the authentication result sent by the authentication network element.
2. The multi-host access authentication method for a WiMAX network according to claim 1, characterized in that carrying the identification information of the host in the authentication start message and sending it to the authentication network element comprises:
after receiving the authentication start message, a base station on the network side sending an authentication request message to the authentication network element;
the authentication request message carrying the identification information of the host.
3. The multi-host access authentication method for a WiMAX network according to claim 2, characterized in that the authentication network element is a network authentication server (NAS), and the base station sending the authentication request message to the authentication network element comprises: sending a first authentication request message to the NAS.
4. The multi-host access authentication method for a WiMAX network according to claim 2, characterized in that the authentication network element is a remote broadband access server (BRAS), and the base station sending the authentication request message to the authentication network element comprises: sending a second authentication request message to the BRAS.
5. The multi-host access authentication method for a WiMAX network according to claim 4, characterized in that the base station sending the second authentication request message to the BRAS comprises: converting the authentication start message into a second authentication request message in Extensible Authentication Protocol over LAN (EAPoL) format and then sending it to the BRAS.
6. The multi-host access authentication method for a WiMAX network according to claim 4, characterized in that the base station sending the second authentication request message to the BRAS comprises:
sending the authentication start message to a NAS;
the NAS converting the authentication start message into a second authentication request message in EAPoL format and then sending it to the BRAS.
7. The multi-host access authentication method for a WiMAX network according to claim 4, characterized in that the base station sending the second authentication request message to the BRAS comprises: after establishing a Point-to-Point Protocol over Ethernet (PPPoE) session connection with the BRAS, forwarding the second authentication request message to the BRAS.
8. The multi-host access authentication method for a WiMAX network according to claim 6, characterized in that, when the authentication network element is a BRAS, the authentication server sending the authentication result to the authentication network element comprises:
the authentication server sending an authentication confirmation message carrying the authentication result to the BRAS; and the method further comprises:
establishing a tunnel between the BRAS and a home agent (HA);
establishing a tunnel between the HA and the ASN where the NAS is located.
9. The multi-host access authentication method for a WiMAX network according to claim 1, characterized in that, during the authentication process between the host and the authentication server, the authentication network element performs signaling format conversion on the authentication data packet carrying the authentication result.
10. The multi-host access authentication method for a WiMAX network according to claim 1, characterized in that, after receiving the authentication result sent by the authentication network element, the method further comprises: forwarding the authentication confirmation message carrying the authentication result to the host corresponding to the identification information carried in that authentication confirmation message.
11. A network element node, characterized by comprising:
a first network element module, configured to, after receiving an access request message from a host, carry the identification information of the host in an authentication start message and send it;
a second network element module, configured to forward the authentication response message to the host corresponding to the identification information according to the identification information carried in a received first authentication response message.
12. A multi-host access authentication system for a WiMAX network, comprising a network element node, a base station, a NAS and an authentication server, characterized in that:
the network element node comprises:
a first network element module, configured to, after receiving an access request message from a host, carry the identification information of the host in an authentication start message and send it;
a second network element module, configured to forward the authentication response message to the host corresponding to the identification information according to the identification information carried in a received first authentication response message; the base station comprises:
a first base station module, configured to send a first authentication request message after receiving an authentication start message from the network element node;
a second base station module, configured to send a received first authentication response message to the network element node;
the NAS comprises:
a first network module, configured to reply with a first authentication response message after receiving the first authentication request message from the base station;
a second network module, configured to send a first authentication confirmation message from the authentication server to the network element node through the base station;
the authentication server comprises:
a first authentication module, configured to perform access authentication with the host after the host receives the first authentication response message;
a second authentication module, configured to carry the authentication result of the first authentication module in the first authentication confirmation message and send it to the NAS.
13. The multi-host access authentication system for a WiMAX network according to claim 12, characterized by further comprising a BRAS, wherein
the base station further comprises:
a third base station module, configured to convert the authentication start message from the network element node into a second authentication request message in EAPoL format and send it to the BRAS;
the BRAS comprises:
a first remote module, configured to reply with a second authentication response message after receiving the second authentication request message from the base station;
a second remote module, configured to send a second authentication confirmation message from the authentication server to the network element node through the base station.
14. The multi-host access authentication system for a WiMAX network according to claim 13, characterized in that the base station further comprises: a fourth base station module, configured to establish a PPPoE session connection with the BRAS.
15. The multi-host access authentication system for a WiMAX network according to claim 14, characterized by further comprising: an HA, configured to establish a tunnel with the BRAS and to establish a tunnel with the ASN where the NAS is located.
16. A multi-host access authentication system for a WiMAX network, comprising a host, a network element node, an authentication network element and an authentication server, characterized in that:
the host is configured to send an access request message to the network element node;
the network element node is configured to, after receiving an access request message from a host, carry the identification information of the host in an authentication start message and send it to the authentication network element; and to forward, according to the identification information carried in an authentication response message received from the authentication network element, the authentication response message to the host corresponding to the identification information, so that after receiving the authentication response message the host performs access authentication with the authentication server, and ... the authentication result sent;
the authentication network element is configured to, after receiving the authentication start message from the network element node, reply to the network element node with an authentication response message;
the authentication server is configured to perform access authentication with the host and send the authentication result to the authentication network element.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810055741.4 | 2008-01-08 | ||
CN2008100557414A CN101483521B (en) | 2008-01-08 | 2008-01-08 | Multi-host access authentication method and system for WiMAX network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009089773A1 true WO2009089773A1 (en) | 2009-07-23 |
Family
ID=40880466
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2009/070035 WO2009089773A1 (en) | 2008-01-08 | 2009-01-05 | Multi-host access authentication method and system for wimax network |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101483521B (en) |
WO (1) | WO2009089773A1 (en) |