The invention relates to the communication field, and in particular, to a method, apparatus, and system for network service authentication.
After years of rapid development, communication networks have reached maturity, and operators offer users more and more ways to use network services. Authentication, authorization, and accounting (AAA) for network users are currently provided jointly by a user access device and a network authentication apparatus, where the network authentication apparatus may be an AAA server. The user access device mainly provides the physical path and the services through which a user accesses the network, and the AAA server is responsible for establishing service policies and managing services and users. Most of the information exchange between the user access device and the AAA server is carried out through the Remote Authentication Dial In User Service (RADIUS) protocol, which defines the interface between the user access device and the AAA server. RADIUS operates in a client/server mode: the user access device acts as the client and supplies user information to the AAA server, and the AAA server makes a decision based on the user information reported by the user access device and returns that decision to the user access device for enforcement. In the conventional technology, the AAA server sets a user's right to use a network service according to the user information, and authenticates that right according to the user information reported by the user access device. So far, there has been no way to authenticate a user's right to use a network service according to the user access device through which the user connects.
An embodiment of the invention provides a method for network service authentication, which can authenticate a user's right to use a network service according to a user access device.
Another embodiment of the invention provides an apparatus for network service authentication, which can authenticate a user's right to use a network service according to a user access device.
Another embodiment of the invention provides a system for network service authentication, which can authenticate a user's right to use a network service according to a user access device.
The technical solutions in accordance with the embodiments of the invention are implemented as follows:
A method for network service authentication includes: by an AAA server, receiving a network service authentication request, which contains a user access device identifier; and determining whether the requested network service can be used, according to the user access device identifier and a preset correspondence between user access device identifier(s) and network service(s).
An apparatus for network service authentication includes an information transceiver unit, an information storing unit, and an information processing unit, where: the information transceiver unit is adapted to receive a network service authentication request containing a user access device identifier sent by a user access device, transmit the request to the information processing unit, and transmit to the user access device the result of whether the requested network service can be used sent by the information processing unit; the information storing unit is adapted to store a correspondence between user access device identifier(s) and network service(s); and the information processing unit is adapted to receive the network service authentication request transmitted by the information transceiver unit, determine whether the requested network service can be used according to the user access device identifier contained in the request and the correspondence between user access device identifier(s) and network service(s) stored by the information storing unit, and send the determination result of whether the requested network service can be used to the information transceiver unit.
A system for network service authentication includes a user access device and a network service authentication unit, where: the user access device is adapted to receive a user's request for a network service, send to the network service authentication unit a network service authentication request which contains a user access device identifier, and receive a message of whether the requested network service can be used sent by the network service authentication unit; and the network service authentication unit is adapted to store a correspondence between user access device identifier(s) and network service(s), receive a network service authentication request sent by the user access device, determine whether the requested network service can be used according to the user access device identifier contained in the request and the correspondence between user access device identifier(s) and network service(s), and send the determination result of whether the requested network service can be used to the user access device.
According to the method for network service authentication provided by an embodiment of the invention, after receiving a network service authentication request, the AAA server determines whether the requested network service can be used according to the user access device identifier contained in the request and the correspondence between user access device identifier(s) and network service(s), so as to authenticate the user's right to use the network service according to the user access device.
The apparatus for network service authentication provided by an embodiment of the invention stores the correspondence between user access device identifier(s) and network service(s), and determines whether the requested network service can be used according to the user access device identifier contained in the received network service authentication request and the stored correspondence between user access device identifier(s) and network service(s), so as to authenticate the user's right to use the network service according to the user access device.
The system for network service authentication provided by an embodiment of the invention includes a network service authentication unit. The network service authentication unit stores the correspondence between user access device identifier(s) and network service(s), and determines whether the requested network service can be used according to the user access device identifier in the received network service authentication request and the stored correspondence between user access device identifier(s) and network service(s), so as to authenticate the user's right to use the network service according to the user access device.
For better understanding of the technical solutions of the embodiments of the invention, the embodiments are described in detail with reference to the accompanying drawings hereunder.
Firstly, the method for network service authentication provided by an embodiment of the invention is described.
Network services may include broadband Internet service, video service, and so on. A user may only use a network service that the operator has provisioned for the user access device through which the user connects. For example, a user in a suburb may be offered a relatively low-priced broadband Internet service that a user in the city cannot use.
A user initiates a request for the network service to the user access device, and the user access device initiates a network service authentication request to a network service authentication entity to determine whether the user is allowed to use the requested network service.
A correspondence between user access device identifier(s) and network service(s) is preset. The correspondence may be a correspondence between one user access device and one network service, a correspondence between one user access device and more than one network service, or a mixed correspondence between a user access device group and one or more than one network service, where the user access device group may include more than one user access device, each user access device having its own user access device identifier.
As shown in Table 1, user access device identifier 1 corresponds to network service A, user access device identifier 2 corresponds to network service B and network service C, and the like.
As shown in Table 2, user access device identifier group (1) includes user access device identifier 1, user access device identifier 2, user access device identifier 3, and so on, and user access device identifier group (2) includes user access device identifier 4, user access device identifier 5, user access device identifier 6, etc. User access device identifier group (1) corresponds to network service A, and user access device identifier group (2) corresponds to network service A and network service B.
The user access devices in a user access device identifier group may be located in one or several particular areas, such as a county, an urban area, or a suburb of a city, so that a network service may be distributed to those particular area(s).
Based on practical needs, the above correspondence may be set as needed to a mixed correspondence between user access device(s) and network service(s) and between user access device group(s) and network service(s), for example, the correspondence shown in Table 3.
In practice, some network services can be used by all users. For example, a video service may be offered to all users under the same conditions. For a network service that can be used by all users, there is no need to preset a correspondence between the network service and user access device identifier(s).
The procedure illustrated in
Step 101: The AAA server receives a network service authentication request containing a user access device identifier.
In this step, the user access device includes, but is not limited to, a network access server, a local area network (LAN) switch, and an IP telephone gateway; for example, the user access device may be a broadband access device, or a narrowband access device. A user's request for a network service may be a general request for Internet access, or a particular request, such as a request for accessing a particular network service.
Step 102: The AAA server determines whether the requested network service can be used according to the user access device identifier and a preset correspondence between user access device identifier(s) and network service(s).
In this step, the AAA server determines whether the requested network service can be used according to the user access device identifier contained in the network service authentication request and the preset correspondence between user access device identifier(s) and network service(s).
In the case that the network service authentication request contains user identity data, before determining whether the requested network service can be used, the AAA server may perform identity authentication according to the user identity data, and if the identity authentication fails, directly deny the network service, or if the identity authentication succeeds, determine whether the requested network service can be used, according to the correspondence between user access device identifier(s) and network service(s).
Because some network services are not preset to correspond to any particular user access device identifier but may be used by any user, the AAA server may, before determining whether the requested network service can be used, first query the correspondence between user access device identifier(s) and network service(s) to determine whether the requested network service is preset to correspond to a particular user access device identifier. If it is not, the AAA server directly allows the user to use the requested network service; if it is, the AAA server determines whether the requested network service can be used according to the correspondence between user access device identifier(s) and network service(s).
The AAA server may authenticate the user identity before or after determining whether the requested network service is preset to correspond to a particular user access device identifier. There is no strict requirement for the time sequence.
The specific method for determining whether the requested network service can be used may be that the AAA server authenticates the network service authentication request according to the correspondence between user access device identifier(s) and network service(s); if the authentication succeeds, it determines that the requested network service can be used, and otherwise it denies the user the requested network service. This method is generally applicable where the user requests a particular network service, but it is not limited to that situation.
According to the method for network service authentication provided by an embodiment of the invention, the AAA server determines whether the requested network service can be used according to the user access device identifier contained in the network service authentication request and the preset correspondence between user access device identifier(s) and network service(s), so as to authenticate the user's right to use the network service according to the user access device.
Step 201: The AAA server receives a network service authentication request containing a user access device identifier.
In this step, the network service authentication request may further contain user identity data.
Step 202: The AAA server authenticates the user identity.
In this step, the AAA server authenticates the user identity according to the user identity data contained in the network service authentication request. If the authentication fails, the user is not a legitimate user, the user is denied the requested network service, and the procedure ends; if the authentication succeeds, the user is a legitimate user and Step 203 is executed.
Step 203: The AAA server queries about whether the requested network service is preset to correspond to a user access device identifier, and if so, Step 204 is executed; or else, the user is allowed to use the requested network service, and the procedure ends.
In this step, for a network service that is preset to correspond to a user access device identifier, only users connecting through a user access device whose identifier corresponds to the network service are allowed to use it; users connecting through other user access devices are not. For a network service that is not preset to correspond to any user access device identifier, any user whose identity authentication succeeds may use it.
Steps 204-205: The AAA server authenticates the network service authentication request according to the correspondence between user access device identifier group(s) and network service(s); if the authentication succeeds, it allows the user to use the requested network service, and if the authentication fails, it denies the user the requested network service.
The specific authentication procedure in Steps 204-205 may be implemented in different modes. Procedures shown in
Step 301: The AAA server queries for the user access device identifier group of the user access device identifier.
Step 302: The AAA server queries for all network services corresponding to the user access device identifier group of the user access device identifier.
Steps 303-304: The AAA server checks whether the requested network service is among the network services corresponding to the user access device identifier group; if so, it allows the user to use the requested network service, and otherwise it denies the user the requested network service.
In the procedure shown in
Step 401: The AAA server queries for the user access device identifier group of the user access device identifier.
Step 402: The AAA server queries for all user access device identifier groups corresponding to the requested network service.
Steps 403-404: The AAA server checks whether the user access device identifier group of the user access device identifier is among the user access device identifier groups corresponding to the requested network service; if so, it allows the user to use the requested network service, and otherwise it denies the user the requested network service.
In the procedure shown in
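The decision procedure of Steps 201-205, together with the two lookup orders of Steps 301-304 and 401-404 and a correspondence laid out in the style of Tables 1-3, is shown below as an added worked example in Python. This is illustrative code written for this page, not the patent's own implementation. It rests on the following assumptions, none of which are stated in the original text: the user access device identifier arrives in the RADIUS NAS-Identifier attribute (type 32, RFC 2865); the user identity data are the User-Name and User-Password attributes; the name of the requested network service is passed to the handler beside the packet; and every client, group, service, and user table is constructed sample data. The example also adds one check the page does not discuss: the claimed NAS-Identifier is compared with the identifier on record for the RADIUS client that owns the shared secret for the packet's source address, so that a correspondence keyed on device identifier cannot be satisfied by a client merely asserting another device's identifier.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1          # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1          # RFC 2865 attribute types
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32

# Constructed RADIUS client table: source address -> (shared secret, NAS-Identifier on record).
# Binding the claimed identifier to the client record stops one NAS from naming another.
RADIUS_CLIENTS = {
    "192.0.2.10": (b"secret-nas-1", "nas-1"),
    "192.0.2.40": (b"secret-nas-4", "nas-4"),
}
# Constructed correspondence in the style of Tables 1-3: identifiers grouped by area,
# groups mapped to services, and one device (nas-7) mapped directly to a service.
# A service that appears in no correspondence (for example "video") is open to every user.
DEVICE_GROUPS = {"nas-1": "group-1", "nas-2": "group-1", "nas-3": "group-1",
                 "nas-4": "group-2", "nas-5": "group-2", "nas-6": "group-2"}
GROUP_SERVICES = {"group-1": frozenset({"A"}), "group-2": frozenset({"A", "B"}),
                  "nas-7": frozenset({"C"})}
USER_PASSWORDS = {"alice": b"s3cret-pw", "bob": b"hunter2"}   # constructed; a real store hashes these

def group_of(device_id):
    # An ungrouped identifier is treated as its own one-member group (Table 1 style).
    return DEVICE_GROUPS.get(device_id, device_id)

def is_restricted(service):
    # Step 203: is the service preset to correspond to any device identifier?
    return any(service in services for services in GROUP_SERVICES.values())

def allowed_via_group(device_id, service):
    # Steps 301-304: device -> its group -> that group's services.
    return service in GROUP_SERVICES.get(group_of(device_id), frozenset())

def allowed_via_service(device_id, service):
    # Steps 401-404: service -> entitled groups -> is the device's group among them?
    return group_of(device_id) in {g for g, s in GROUP_SERVICES.items() if service in s}

def _password_xor(data, secret, authenticator, decrypt):
    # RFC 2865 s5.2 User-Password hiding: block i XOR MD5(secret + previous ciphertext block),
    # block 1 XOR MD5(secret + Request Authenticator). The same loop hides and reveals.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out

def hide_password(password, secret, authenticator):
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    return _password_xor(padded, secret, authenticator, decrypt=False)

def reveal_password(hidden, secret, authenticator):
    return _password_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(user, password, nas_id, secret, authenticator=b"\x5a" * 16):
    # Constructed Access-Request; a real client draws a fresh random 16-byte authenticator.
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user.encode()),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
                             (ATTR_NAS_IDENTIFIER, nas_id.encode())):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    # Walk the attribute TLVs after the 20-byte header, rejecting bad lengths.
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def handle_access_request(packet, src_ip, service):
    # Steps 201-205, with the device identifier bound to the authenticated RADIUS client.
    if src_ip not in RADIUS_CLIENTS:
        return "discard: unknown RADIUS client"            # RFC 2865: silently discard
    secret, expected_nas_id = RADIUS_CLIENTS[src_ip]
    attrs = parse_attributes(packet)
    nas_id = attrs.get(ATTR_NAS_IDENTIFIER, b"").decode()
    if nas_id != expected_nas_id:
        return "reject: NAS-Identifier does not match client record"
    user = attrs.get(ATTR_USER_NAME, b"").decode()
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, packet[4:20])
    if not hmac.compare_digest(USER_PASSWORDS.get(user, b""), password):
        return "reject: identity authentication failed"     # Step 202
    if not is_restricted(service):
        return "accept: service open to all users"          # Step 203, no correspondence
    if allowed_via_group(nas_id, service):                  # Steps 204-205 in the Fig. 3 order
        return "accept"
    return "reject: device not entitled to service"
```

Both lookup orders are implemented so that they can be checked against each other on every constructed device and service pair; an AAA server would choose whichever order is cheaper for its table layout, since the result is the same. Verification of the request itself (a random Request Authenticator per packet, and the Message-Authenticator attribute where the client sends one) and hashed credential storage belong in a real deployment and are left out of this example.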
Secondly, an apparatus for network service authentication disclosed by an embodiment of the invention is described hereunder.
an information transceiver unit 51, adapted to receive a network service authentication request containing a user access device identifier sent by a user access device, transmit the request to an information processing unit 53, and transmit to the user access device the result of whether the requested network service can be used sent by the information processing unit 53;
the information storing unit 52, adapted to store a correspondence between user access device identifier(s) and network service(s); and
the information processing unit 53, adapted to receive the network service authentication request transmitted by the information transceiver unit 51, determine whether the requested network service can be used according to the user access device identifier contained in the request and the correspondence between user access device identifier(s) and network service(s) stored in the information storing unit 52, and send the determination result of whether the requested network service can be used to the information transceiver unit 51.
The apparatus for network service authentication provided by an embodiment of the invention stores the correspondence between user access device identifier(s) and network service(s), determines whether the user is allowed to use the requested network service according to the user access device identifier contained in the network service authentication request and the stored correspondence between user access device identifier(s) and network service(s), so as to authenticate the user's right to use the network service according to the user access device.
The information processing unit 53 of the apparatus for network service authentication provided by an embodiment of the invention may include a transmission unit 531 and an authentication processing unit 532.
The transmission unit 531 is adapted to receive the network service authentication request transmitted by the information transceiver unit 51, transmit the request to the authentication processing unit 532; receive the authentication result from the authentication processing unit 532 and transmit the authentication result to the information transceiver unit 51.
The authentication processing unit 532 is adapted to receive the network service authentication request transmitted by the transmission unit 531, authenticate the network service authentication request according to the correspondence between user access device identifier(s) and network service(s) stored by the information storing unit 52, and if the authentication succeeds, determine that the user is allowed to use the requested network service and send to the transmission unit 531 an authentication result indicating that the user is allowed to use the requested network service; or if the authentication fails, send to the transmission unit 531 an authentication result indicating that the user is denied the requested network service.
In the apparatus for network service authentication provided by an embodiment of the invention, the information processing unit 53 may further include a query processing unit 533, adapted to receive the network service authentication request transmitted by the transmission unit 531, query the information storing unit 52 about whether the requested network service is preset to correspond to a user access device identifier, and provide the query result for the authentication processing unit 532 in the information processing unit 53.
On this basis, the apparatus for network service authentication provided by an embodiment of the invention may further include an information setting unit 54 and a user identity authentication unit 55.
The information setting unit 54 is adapted to preset a correspondence between user access device identifier(s) and network service(s), and store the correspondence in the information storing unit 52.
The user identity authentication unit 55 is adapted to receive the network service authentication request transmitted by the information transceiver unit 51, authenticate the user identity according to the user identity data contained in the request, and provide the authentication result for the authentication processing unit 532 in the information processing unit 53.
The apparatus for network service authentication provided by an embodiment of the invention may operate according to the foregoing authentication method provided by an embodiment of the invention. There may be many implementation modes, for example, the apparatus may be an AAA server, or may be another apparatus that can implement the equivalent function.
Lastly, the system for network service authentication provided by an embodiment of the invention is described.
The user access device 4 is adapted to receive a user's request for a network service, send a network service authentication request to the network service authentication unit 5, where the request contains a user access device identifier, and receive a result of whether the requested network service can be used sent by the network service authentication unit.
The network service authentication unit 5 is adapted to store a correspondence between user access device identifier(s) and network service(s), receive the network service authentication request sent by the user access device 4, determine whether the user is allowed to use the requested network service according to the user access device identifier contained in the request and the correspondence between user access device identifier(s) and network service(s), and send the determination result of whether the requested network service can be used to the user access device 4.
The system for network service authentication provided by an embodiment of the invention determines whether the requested network service can be used according to the user access device identifier contained in the network service authentication request and the correspondence between user access device identifier(s) and network service(s) stored in the system, so as to authenticate the user's right to use the network service according to the user access device 4.
The foregoing system for network service authentication provided by an embodiment of the invention includes at least one user access device 4 and at least one network service authentication unit 5. The apparatus for network service authentication provided by an embodiment of the invention may be taken as a preferred implementation of the network service authentication unit of the foregoing system; that is, the network service authentication unit 5 may include an information transceiver unit 51, an information storing unit 52, and an information processing unit 53. The internal structure of the network service authentication unit of the system is not repeated here.
The foregoing are only preferred embodiments of the invention, and not intended to limit the invention. It is apparent to those skilled in the art that various modifications and variations may be made in form or in detail without departing from the spirit and scope of protection of the invention.
Number | Date | Country | Kind |
---|---|---|---|
200610062700.9 | Sep 2006 | CN | national |
This application is a continuation of International Patent Application No. PCT/CN2007/070208, filed Jun. 29, 2007, which claims priority to Chinese Patent Application No. 200610062700.9, filed Sep. 20, 2006, both of which are hereby incorporated by reference in their entirety.
 | Number | Date | Country |
---|---|---|---|
Parent | PCT/CN2007/070208 | Jun 2007 | US |
Child | 12273922 | | US |