WO2009089773A1 - Procédé et système d'authentification d'accès multi-hôte pour réseau wimax - Google Patents

Procédé et système d'authentification d'accès multi-hôte pour réseau wimax Download PDF

Info

Publication number
WO2009089773A1
WO2009089773A1 PCT/CN2009/070035 CN2009070035W WO2009089773A1 WO 2009089773 A1 WO2009089773 A1 WO 2009089773A1 CN 2009070035 W CN2009070035 W CN 2009070035W WO 2009089773 A1 WO2009089773 A1 WO 2009089773A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
host
network element
message
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2009/070035
Other languages
English (en)
Chinese (zh)
Inventor
Wenliang Liang
Wei Zhang
Liang Gu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of WO2009089773A1 publication Critical patent/WO2009089773A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a global interoperability for microwave access.
  • the WiMAX system is an Internet wireless access system. With the rapid development of Internet services and the widespread use of wireless networks, existing WiMAX systems can be divided into multi-host scenarios and non-multi-host scenarios in the form of networking.
  • FIG. 1 it is a flow chart of access authentication signaling for a non-multi-host scenario.
  • the Supplicant mobile station (Mobile Station, the so-called: MS) carries the Extensible Authentication Protocol (EAP) message on the air interface in the private key management (Privacy Key Management).
  • PKM Extensible Authentication Protocol
  • ASN Access Service Network
  • BSN Base Station, cartridge: BS
  • gateway gateway
  • Auth. Relay The authentication delay
  • the ESN message is carried in the RADIUS message between the ASN and the Connective Service Network (CSN).
  • CSN Connective Service Network
  • PKMv2 is a set of private key management protocol version 2 defined in the 802.16e protocol, used for key security association management on the air interface, and carries EAP data; the authentication delay protocol is a set defined by the WiMAX access network. Protocol for EAP data.
  • LAN Extensible Authentication Protocol (Extensible Authentication Protocol over LAN, EAPoL is an authentication bearer protocol on the LAN. It is mainly used to encapsulate EAP data through Ethernet packets.
  • NSP Network Service Provider
  • Multi-host scenarios are another form of networking for WiMAX systems that can be deployed in multiple locations at different locations, such as at airports, coffee bars or trains.
  • FIG 2 it is a schematic diagram of the WiMAX system networking structure in a multi-host scenario.
  • the ASN is composed of one or more wireless base stations and an Access Service Network GateWay (ASN-GW).
  • ASN-GW Access Service Network GateWay
  • the ASN acts as a logical entity to manage the IEEE 802.16 air interface and provides wireless access for WiMAX users.
  • the CSN is composed of an accounting server, such as an Authentication Authorization and Accounting (AAA) server, a Home Agent (HA), and an IP Multimedia Subsystem (Internet Protocol Multimedia Subsystem).
  • AAA Authentication Authorization and Accounting
  • HA Home Agent
  • IMS IP Multimedia Subsystem
  • the core component for providing IP connectivity, services and management.
  • HOST wireless Fidelity
  • Ethernet Due to the price advantage of wireless Fidelity (Wireless Fidelity) and Ethernet access, and the high market share, WiFi and Ethernet can be used at the end of the layout.
  • HOST wireless Fidelity
  • GMS gateway mobile station
  • the connection between the GMS and the ASN can be via a WiMAX wireless connection.
  • the GMS can access the ASN/CSN network before the HOST access; it can also access the ASN/CSN network after the HOST access.
  • a disadvantage of the prior art is that when an existing WiMAX system performs access authentication for a host in a multi-host scenario, the EAP message is transmitted as data on the air interface, which is transparent to the BS/GMS. Therefore, neither BS nor GMS knows the results of HOST certification. In some scenarios, GMS needs to know the result of HOST authentication. For example, GMS needs to decide whether to open or close the port according to the authentication result of HOST to avoid illegal access by illegal users. Summary of the invention
  • the problem to be solved by the present invention is to provide a multi-host access authentication method and system for a WiMAX network capable of enabling the GMS to obtain an authentication result when performing host access authentication.
  • an embodiment of the present invention provides a multi-host access authentication method for a WiMAX network, including:
  • the identifier information of the host is carried in the authentication start message and sent to the authentication network element;
  • the authentication server forwarding, according to the identifier information that is received in the authentication response message from the authentication network element, the authentication response message to a host corresponding to the identifier information, where the host receives the authentication After receiving the response message, the authentication server receives the authentication result sent by the authentication network element.
  • a network element node including:
  • a first network element module configured to: after receiving an access request message from a host, carry the identifier information of the host in an authentication start message for sending;
  • the second network element module is configured to forward the authentication response message to the host corresponding to the identifier information according to the identifier information carried in the received first authentication response message.
  • another embodiment of the present invention provides a multi-host access authentication system for a WiMAX network, including a network element node, a base station, a NAS, and an authentication server, where:
  • the network element node includes:
  • a first network element module configured to: after receiving an access request message from a host, carry the identifier information of the host in an authentication start message for sending;
  • the second network element module is configured to forward the authentication response message to the host corresponding to the identifier information according to the identifier information carried in the received first authentication response message;
  • the base station includes:
  • a first base station module configured to send a first authentication request message after receiving an authentication start message from the network element node
  • a second base station module configured to send the received first authentication response message to the network element node
  • the NAS includes:
  • a first network module configured to: after receiving the first authentication request message from the base station, reply to the first authentication response message;
  • a second network module configured to send, by the base station, a first authentication confirmation message from the authentication server to the network element node
  • the authentication server includes:
  • a first authentication module configured to perform access authentication with the host after receiving the first authentication response message by the host;
  • the second authentication module is configured to send the authentication result of the first authentication module to the NAS in the first authentication confirmation message.
  • the network element node obtains the authentication result of the host, and according to the authentication result, the network element node can decide whether to open or close the authorized port, avoid illegal access by the illegal user, and improve the security of the system.
  • another embodiment of the present invention further provides a multi-host access authentication system for a WiMAX network, including a host, a network element node, an authentication network element, and an authentication server, where:
  • the host is configured to send an access request message to the network element node
  • the network element node is configured to: after receiving the access request message from a host, the identifier information of the host is carried in the authentication start message and sent to the authentication network element; according to the received authentication network The identifier information carried in the authentication response message is forwarded to the host corresponding to the identifier information, so that the host receives the authentication response message and accesses the authentication server. Certification, and by The result of the certification sent;
  • the authentication network element is configured to: after receiving an authentication start message from the network element node, reply an authentication response message to the network element node;
  • the authentication server is configured to perform access authentication with the host, and send the authentication result to the authentication network element.
  • FIG. 1 is a flow chart of access authentication signaling of a WiMAX system in an existing non-multi-host scenario
  • FIG. 2 is a schematic structural diagram of a WiMAX system networking in an existing multi-host scenario
  • FIG. 3 is a flowchart of a multi-host access authentication method for a WiMAX network according to Embodiment 1 of the present invention
  • FIG. 4A is a flowchart of a multi-host access authentication method for a WiMAX network according to Embodiment 2 of the present invention.
  • 4B is a signaling diagram of a multi-host access authentication method for a WiMAX network according to Embodiment 2 of the present invention.
  • 5A is a flowchart of a multi-host access authentication method for a WiMAX network according to Embodiment 3 of the present invention.
  • 5B is a signaling diagram of a multi-host access authentication method for a WiMAX network according to Embodiment 3 of the present invention.
  • 5C is another signaling diagram of a multi-host access authentication method for a WiMAX network according to Embodiment 3 of the present invention.
  • FIG. 5D is a signaling diagram of a tunnel establishment process according to Embodiment 3 of the method of the present invention
  • FIG. 5E is a diagram illustrating a data plane protocol stack of a tunnel establishment process according to Embodiment 3 of the present invention
  • FIG. 6 is a multi-host access authentication of the WiMAX network according to Embodiment 1 of the system of the present invention. Schematic diagram of the structure of the certificate system;
  • FIG. 7 is a schematic structural diagram of a multi-host access authentication system of a WiMAX network according to Embodiment 2 of the present invention.
  • FIG. 8 is a schematic structural diagram of a multi-host access authentication system of another WiMAX network according to Embodiment 2 of the present invention. detailed description
  • This embodiment provides a multi-host access authentication method for a WiMAX network, as shown in FIG. 3, including:
  • Step 101 After receiving the access request message from a host, the network element node carries the identifier information of the host in the authentication start message and sends it to the base station (Base Station, BS: BS) of the network side.
  • Base Station Base Station
  • the network element node may be a node having a gateway access function or the like, such as a GMS.
  • a GMS gateway access function
  • the GMS is used as an example.
  • the corresponding method or structure is similar to that of the GMS, and details are not described herein again.
  • the above host refers to a host in the WiMAX system in a multi-host scenario. Specifically, when the access authentication is requested, the host may send the EAPoL/EAP-START signaling as an access request message, and after the GMS detects that the EAPoL/EAP-START signaling is an EAPoL format data packet, the EAPoL may be used. /EAP-START signaling is converted into PKMv2/EAP-START signaling, and the identifier information of the host is carried in the PKMv2/EAP-START signaling and sent to the base station, where the identifier information may be media access control with the host (Media Access Control, cartridge: MAC) Address associated information.
  • the host may send the EAPoL/EAP-START signaling as an access request message, and after the GMS detects that the EAPoL/EAP-START signaling is an EAPoL format data packet, the EAPoL may be used.
  • Step 102 After receiving the authentication start message, the base station sends an authentication request message to the authentication network element.
  • the authentication NE is the network element used to authenticate the host.
  • the specific network architecture of WiMAX varies. For example, a network dedicated to authenticating a host can be given to a network authentication server (NAS), or a remote broadband access server ( Broadband) connected to a back-end network.
  • NAS network authentication server
  • Broadband remote broadband access server
  • Remote Access Server, cartridge: BRAS Remote Access Server
  • Step 103 The authentication network element returns an authentication response message to the GMS.
  • the authentication response message may be first replied to the base station, and then the base station encapsulates the authentication response message into a corresponding signaling format and forwards the message to the GMS.
  • Step 104 The GMS forwards the authentication response message to the host corresponding to the identifier information according to the identifier information carried in the authentication response message.
  • the authentication response message may be first converted into a corresponding signaling format and then forwarded to the host.
  • Step 105 After receiving the authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in the authentication confirmation message and sends the authentication result to the authentication network element.
  • Step 106 The authentication network element sends the authentication confirmation message to the GMS by using the base station.
  • the authentication request is sent to the authentication server by the authentication network element after the signaling format is converted in the uplink direction.
  • the authentication confirmation message is converted to the signaling format by the authentication network element, and then sent to the GMS. .
  • Step 107 the GMS may forward the authentication confirmation message to the host corresponding to the identifier information according to the identifier information carried in the authentication confirmation message when needed.
  • the network element node obtains the authentication result of the host. According to the authentication result, the network element node can determine whether to open or close the authorized port, thereby avoiding illegal access by the illegal user, and improving the security of the system. .
  • the embodiment provides a multi-host access authentication method when the authentication network element in the WiMAX network is a NAS. As shown in FIG. 4A, the method includes:
  • Step 201 After receiving the access request message from a host, the GMS: The identification information of the machine is carried in the authentication start message and sent to the base station.
  • the above host refers to a host in the WiMAX system in a multi-host scenario. Specifically, when the access authentication is requested, the host may send the EAPoL/EAP-START signaling as an access request message, and after the GMS detects that the EAPoL/EAP-START signaling is an EAPoL format data packet, the EAPoL may be used. /EAP-START signaling is converted into PKMv2/EAP-START signaling, and the identity information of the host is carried in the PKMv2/EAP-START signaling and sent to the base station.
  • Step 202 The base station sends a first authentication request message to the NAS after receiving the authentication start message.
  • GMS is the first authentication control point; therefore, the NAS at this time actually plays the role of accessing the AAA proxy on the network, and may also have some control functions.
  • the NAS may be a default NAS configured for the BS in advance, and the access terminal under the BS uses the NAS.
  • the first authentication request message may be AR-EAP-START signaling.
  • Step 203 The NAS returns a first authentication response message to the GMS.
  • the AR-EAP-Transfer/Identity-Req signaling may be replied to the base station; and the AR-EAP-Transfer/Identity-Req signaling is encapsulated by the base station into a PKM-RSP/EAP Letter. The order is forwarded to the GMS.
  • Step 204 The GMS forwards the first authentication response message to the host corresponding to the identifier information according to the identifier information carried in the first authentication response message.
  • the received PKM-RSP/EAP Transfer signaling may be converted into EAPoL-Request signaling and sent to the host.
  • Step 205 After receiving the first authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in the first authentication confirmation message and sends the authentication result to the NAS.
  • the authentication data packet includes the foregoing first authentication confirmation message, and the authentication data packet is sent to the authentication server after being converted by the NAS.
  • the signaling format conversion includes conversion from R4/R6 signaling AR-EAP-Transfer to an IP-based RADIUS or DIAMETER authentication protocol on the R3 interface.
  • Step 206 The NAS sends the first authentication confirmation message to the GMS by using the base station.
  • the NAS converts the authentication data packet of the IP-based RADIUS or DIAMETER authentication protocol on the R3 interface into R4/R6 signaling, and then sends the authentication data packet to the PKM message through the base station on the air interface. Send to GMS.
  • Step 207 the GMS may further forward the first authentication confirmation message to the host corresponding to the identification information according to the identifier information carried in the first authentication confirmation message.
  • FIG. 4B it is a signaling diagram of the method in this embodiment.
  • the host is authenticated, and the GMS is informed of the authentication result of the host. According to the authentication result, the GMS can determine whether to open or close the authorized port, thereby avoiding illegal access by the illegal user. , improve the security of the system.
  • the embodiment provides a multi-host access authentication method when the authentication network element in the WiM AX network is a BRAS. As shown in FIG. 5A, the method includes:
  • Step 301 After receiving the access request message from a host, the GMS carries the identifier information of the host in the authentication start message and sends the message to the base station.
  • Step 302 After receiving the authentication start message, the base station sends a second authentication request message to the BRAS.
  • the sending the second authentication request message may be in various forms.
  • the base station first converts the authentication start message into a second authentication request message in an EAPoL format, and then sends the message to the BRAS.
  • the second authentication request message may be EAPoL-START signaling. It should be noted that, when the message format is converted, the authentication start message may be sent to the NAS first, and then the NAS converts the authentication start message into a second authentication request message in the EAPoL format, and then sends the message to the BRAS.
  • the second authentication request message is forwarded to the BRAS.
  • the second authentication request message may be EAPoPPP (EAP over Point to Point Protocol, EAP based on peer-to-peer ten) -START Signaling.
  • EAPoPPP EAP over Point to Point Protocol, EAP based on peer-to-peer ten
  • Step 303 The BRAS replies to the GMS with a second authentication response message.
  • the second authentication response message may be EAPoL-Request/Identity signaling; in the signaling process shown in FIG. 5C, the second authentication response message may be EAPoPPP-Request/Identity Signaling.
  • Step 304 The GMS forwards the second authentication response message to the host corresponding to the identifier information according to the identifier information carried in the second authentication response message.
  • the received PKM-RSP/EAP Transfer signaling may be converted into EAPoL-Request signaling and sent to the host.
  • Step 305 After receiving the second authentication response message, the host performs access authentication with the authentication server, and the authentication server carries the authentication result in the second authentication confirmation message and sends the authentication result to the BRAS.
  • the authentication data packet includes the foregoing second authentication confirmation message, and the authentication data packet is converted to a signaling format by the BRAS, and then sent to the authentication server.
  • the signaling format conversion includes: an IP-based RADIUS or DIAMETER authentication protocol converted from EAPoL or EAPoPPP signaling to an R3 interface (an interface between the BRAS and the AAA); or in the opposite direction, based on the R3 interface
  • the authentication data packet of the RADIUS or DIAMETER authentication protocol of the IP is converted into EAPoL or EAPoPPP signaling and sent to the base station, and then encapsulated into a PKM message on the air interface by the base station and sent to the GMS.
  • the tunnel establishment process can be started. Specifically, the tunnel between the BRAS and the HA and the tunnel between the HA and the ASN are established.
  • the tunnel between the BRAS and the HA may be a Mobile IP (Mobile IP: MIP) tunnel; the tunnel between the HA and the ASN may be a Proxy Mobile IP (PMIP) tunnel.
  • MIP Mobile IP
  • PMIP Proxy Mobile IP
  • the host is notified of the authentication result.
  • the Ethernet tunnel can be directly used to transmit the Ethernet packet. Specifically, the host may first send the Ethernet packet to the GMS; the GMS sends the Ethernet Convergence Sublayer (Eth-CS) through the air interface.
  • Ether Agent called FA
  • FA encapsulates the MIP data, and then forwards it to the HA, and finally forwards it to the BRAS by the HA package.
  • the specific tunnel establishment process mainly includes the following steps: After the authentication server obtains the successful authentication result, the HA is notified to establish a tunnel to the BRAS and the key information required for the HA to establish the MIP tunnel, and the authentication is also performed. The successful result is returned to the ASN. After the NAS in the ASN receives the successful authentication result returned by the authentication server, it sends a MIP request (memory: MIP-RRQ) to establish a PMIP tunnel. Its specific data plane protocol stack is shown in Figure 5E.
  • Step 306 The BRAS sends the second authentication confirmation message to the GMS by using the base station.
  • Step 307 the GMS may further forward the second authentication confirmation message to the host corresponding to the identification information according to the identifier information carried in the second authentication confirmation message.
  • the ASN can continue to perform the Point-to-Point Protocol (PPP) network core protocol (the Point-to-Point Protocol).
  • PPP Point-to-Point Protocol
  • NCP Network Core Protocol
  • the process is called: NCP
  • the result is informed to the host; or the host uses the established PPP channel to obtain the high-level configuration information through the dynamic host configuration protocol (Dynamic Host Configuration Protocol).
  • the host is authenticated by the BRAS, and the GMS is informed of the authentication result of the host. According to the authentication result, the GMS can determine whether to open or close the authorized port, thereby avoiding the illegality of the illegal user. Access improves the security of the system.
  • the embodiment provides a multi-host access authentication system for a WiM AX network.
  • the network element includes a network element node 10, a base station 20, a NAS 30, and an authentication server 40.
  • the network element node 10 includes a first network element. Module 11 and second network element module 12; the base station 20 includes a first base station module 21 and a second base station module 22; the NAS 30 includes a first network The network module 31 and the second network module 32; the authentication server 40 includes a first authentication module 41 and a first authentication module 42.
  • the network element node 10 may specifically be a node having a gateway access function or the like, such as a GMS. Its working principle is as follows:
  • the first network element module 11 of the network element node 10 after receiving the access request message from a host, carries the identifier information of the host in the authentication start message for transmission; the first base station module 21 in the base station 20 Receiving the first authentication request message after receiving the authentication start message from the network element node 10; the first network module 31 of the NAS 30, after receiving the first authentication request message sent by the base station 20, replying to the first authentication response
  • the second base station module 22 in the base station 20 sends the received first authentication response message from the NAS 30 to the network element node 10; the second network element module 12 of the network element node 10 receives the received from the base station 20 And the identifier information carried in the first authentication response message is forwarded to the host corresponding to the identifier information;
  • the host After receiving the first authentication response message, the host performs access authentication with the first authentication module 41 of the authentication server 40; the second authentication module 42 of the authentication server 40 carries the authentication result of the first authentication module 41
  • the first authentication confirmation message is sent to the NAS 30; the second network module 32 of the NAS 30 sends the first authentication confirmation message from the authentication server 40 to the network element node 10 through the 20 base stations.
  • the host is authenticated by the NAS, and the GMS is informed of the authentication result of the host. According to the authentication result, the GMS can determine whether to open or close the authorized port, thereby avoiding the illegality of the illegal user. Access improves the security of the system.
  • the BRAS 50 includes a first remote module 51 and a second remote module 52.
  • the base station 20 further includes: a third base station module 23. Its working principle is as follows:
  • the third base station module 23 of the base station 20 After receiving the authentication start message from the network element node 10, the third base station module 23 of the base station 20 converts the authentication start message into the second authentication request cancellation in the EAPoL format. And transmitting to the BRAS 50; the first remote module 51 in the BRAS 50, after receiving the second authentication request message from the base station 20, replies to the base station 20 with a second authentication response message.
  • the second base station module 22 in the base station 20 sends the received second authentication response message from the BRAS 50 to the network element node 10; the second network element module 12 of the network element node 10 receives the second from the base station 20 according to the received And the identifier information carried in the authentication response message is forwarded to the host corresponding to the identifier information;
  • the first authentication module 41 of the authentication server 40 After the host receives the second authentication response message, the first authentication module 41 of the authentication server 40 performs access authentication; the second authentication module 42 of the authentication server 40 carries the authentication result of the first authentication module 41.
  • the second authentication confirmation message is sent to the BRAS 50; the second remote module 52 of the BRAS 50 sends the second authentication confirmation message from the authentication server to the network element node 10 through the base station 20.
  • NAS and BRAS can exist at the same time on the physical level.
  • one of them can be selected to implement the function of the authentication network element.
  • the multi-host access authentication system of the WiMAX network in this implementation may further include an HA 60, where the authentication server carries the authentication result in the second authentication confirmation message.
  • a tunnel is established with the BRAS. Specifically, a MIP tunnel can be established. The tunnel is established with the ASN where the NAS is located. Specifically, a PMIP tunnel can be established to further improve data transmission efficiency.
  • the host is authenticated by the BRAS, and the GMS is informed of the authentication result of the host. According to the authentication result, the GMS can determine whether to open or close the authorized port, thereby avoiding the illegality of the illegal user. Access improves the security of the system.
  • the form of a software product is stored in a storage medium, comprising instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the embodiments of the present invention. method.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention concerne un procédé et un système d'authentification d'accès multi-hôte pour réseau WiMAX. Selon ce procédé, après réception d'un message de demande d'accès d'un hôte, des informations d'étiquette propres à l'hôte, acheminées dans un message de démarrage d'authentification sont envoyées à un élément du réseau d'authentification, en fonction des informations d'étiquette reçues acheminées dans un message de réponse d'authentification provenant de l'élément du réseau d'authentification, le message de réponse d'authentification est transmis à l'hôte correspondant aux informations d'étiquette pour que l'hôte effectue l'authentification d'accès auprès d'un serveur d'authentification après qu'il a reçu le message de réponse d'authentification, le serveur d'authentification envoie un résultat d'authentification à l'élément du réseau d'authentification, et le résultat d'authentification envoyé par l'élément du réseau d'authentification est reçu. Le système comprend un noeud de l'élément du réseau, une station de base, un serveur d'authentification de réseau (NAS), et un serveur d'authentification. L'application de la présente invention permet au noeud de l'élément du réseau d'acquérir le résultat d'authentification de l'hôte, et de décider si un port d'autorisation sera ouvert ou fermé en fonction du résultat d'authentification. L'application de la présente invention permet également d'éviter un accès illégal d'un utilisateur illégal et d'améliorer la sécurité du système.
PCT/CN2009/070035 2008-01-08 2009-01-05 Procédé et système d'authentification d'accès multi-hôte pour réseau wimax Ceased WO2009089773A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810055741.4 2008-01-08
CN2008100557414A CN101483521B (zh) 2008-01-08 2008-01-08 WiMAX网络的多主机接入认证方法及系统

Publications (1)

Publication Number Publication Date
WO2009089773A1 true WO2009089773A1 (fr) 2009-07-23

Family

ID=40880466

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/070035 Ceased WO2009089773A1 (fr) 2008-01-08 2009-01-05 Procédé et système d'authentification d'accès multi-hôte pour réseau wimax

Country Status (2)

Country Link
CN (1) CN101483521B (fr)
WO (1) WO2009089773A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223347B (zh) * 2010-04-13 2015-01-28 中兴通讯股份有限公司 下一代网络中多接入认证方法及系统
CN103124422B (zh) * 2012-12-04 2016-05-25 华为终端有限公司 关联设备的方法、装置及系统
CN103095721B (zh) * 2013-01-31 2015-11-25 北京惠银通联科技有限公司 一种建立安全连接的方法、终端和系统

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1455551A (zh) * 2003-05-28 2003-11-12 东华大学 宽带网络接入智能控制系统及控制方法
CN1486029A (zh) * 2002-09-23 2004-03-31 华为技术有限公司 基于远程认证的网络中实现eap认证的方法
CN1972505A (zh) * 2005-11-24 2007-05-30 华为技术有限公司 一种获取IPv6家乡地址相关信息配置模式的方法和系统

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100474834C (zh) * 2005-12-08 2009-04-01 华为技术有限公司 宽带无线网络和有线网络互连的方法

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1486029A (zh) * 2002-09-23 2004-03-31 华为技术有限公司 基于远程认证的网络中实现eap认证的方法
CN1455551A (zh) * 2003-05-28 2003-11-12 东华大学 宽带网络接入智能控制系统及控制方法
CN1972505A (zh) * 2005-11-24 2007-05-30 华为技术有限公司 一种获取IPv6家乡地址相关信息配置模式的方法和系统

Also Published As

Publication number Publication date
CN101483521A (zh) 2009-07-15
CN101483521B (zh) 2012-05-23

Similar Documents

Publication Publication Date Title
CN101651682B (zh) 一种安全认证的方法、系统和装置
WO2007019771A1 (fr) Méthode de contrôle d’accès d’un utilisateur changeant de réseau à visiter, son unité et son système
EP2572491B1 (fr) Systèmes et procédés d'authentification d'hôte
CN102150447B (zh) 用于在wimax网络环境中供应流的系统和方法
JP2008236754A (ja) 移動通信ネットワークと移動通信ネットワークにおける移動ノードの認証を遂行する方法及び装置
WO2007131426A1 (fr) Système aaa et procédé d'authentification de réseau d'hôtes multiples
WO2010130191A1 (fr) Procédé d'authentification en commutation de réseaux d'accès, système et dispositif correspondants
WO2008110099A1 (fr) Procédé, système et dispositif associé pour accès d'un appareil d'authentification à un réseau de communication
US8453211B2 (en) Method of obtaining proxy call session control function address while roaming
WO2010069202A1 (fr) Procédé de négociation d'authentification et système associé, passerelle de sécurité, noeud local b
CN101765232B (zh) Dsl网络接入方法和系统、以及宽带远程接入服务器
WO2010130118A1 (fr) Système et procédé permettant de réaliser une authentification des utilisateurs d'un noeud b domestique
JP6861285B2 (ja) 緊急アクセス中のパラメータ交換のための方法およびデバイス
WO2012142867A1 (fr) Procédé et système d'authentification de notification
CN101079786B (zh) 互连系统、互连系统中的认证方法和终端
WO2009089773A1 (fr) Procédé et système d'authentification d'accès multi-hôte pour réseau wimax
US7715562B2 (en) System and method for access authentication in a mobile wireless network
CN101577915B (zh) Dsl网络接入的认证方法以及系统
CN102143601A (zh) 宽带接入处理方法、无线接入网和通信系统
WO2012152102A1 (fr) Procédé et système de notification d'informations d'utilisateur
CN104640111A (zh) 网络接入处理方法、装置及系统
CN103687049B (zh) 多连接建立的方法及系统
CN103108324A (zh) 一种接入认证方法及系统
CN101098221A (zh) 一种无线蜂窝网络中网络层安全认证方法
CN101483580B (zh) 初始业务流建立方法、装置及通信系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09702250

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2592/KOLNP/2010

Country of ref document: IN

122 Ep: pct application non-entry in european phase

Ref document number: 09702250

Country of ref document: EP

Kind code of ref document: A1