1. Field of the Invention
The present invention relates to a method for verifying authorization with extensibility in an authentication, authorization, and accounting (AAA) server, and more particularly, to a method for verifying authorization in an AAA server that applies a uniform authorization verification framework regardless of the variety of authorization verification methods required by a user service provided through a network.
The fields to which the present invention is applied include wired applications. They also include the case where a service providing authentication, authorization, and accounting is implemented when a predetermined service is received by accessing the network of a service provider of a mobile communication system such as cellular, personal communication system (PCS), International Mobile Telecommunication 2000 (IMT-2000), mobile Internet, or wireless local area network (WLAN) systems, and the case where a user moves into another domain and wants to receive a mobile roaming service.
2. Description of the Related Art
Authentication, authorization and accounting (AAA) means the subscriber authentication, authorization verification and accounting functions required when a user wants to receive a predetermined service through a network.
The strongest point of mobile communication is that it enables a user to communicate with anyone, anywhere and at any time, through a roaming function and a hand-off function. When this roaming or hand-off function uses an IP-based wireless Internet, IP allocation is required and a mobile IP protocol is used. For this, the Mobile IP and SeaMoby working groups of the Internet Engineering Task Force (IETF) are currently addressing many issues such as mobile network security, fast hand-off support, and context transfer.
In a mobile communication environment supporting mobile IP, a roaming mobile communication user uses a dual-mode mobile phone or PDA to automatically select and/or access a wireless LAN public network or a mobile communication network. In order to receive a wireless Internet service, the user should be authenticated in the visited network and allocated an IP address. Also, to account for the user's use of the service, a predetermined accounting method is applied between the home network and the visited network, and in order to authorize the roaming user, a predetermined authorization setting method is applied. At this time, a network access identifier (NAI) expressed in the form user@realm is applied as the identifier (ID) that distinguishes the user or mobile terminal. Heterogeneous networks parse the NAI, determine the home network of the user, and perform the user authentication, authorization verification, and accounting functions.
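The NAI parsing step described above, as an added illustration that is not part of the patent text: the visited network's AAA server splits user@realm, rejects malformed identifiers before any authentication or authorization state is created for them, and uses the realm to decide whether it is the home server or must proxy to the subscriber's home AAA. The realm name and the strictness of the validation are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed for this example: the realm this AAA server is authoritative for.
HOME_REALM = "example-home.net"


@dataclass(frozen=True)
class Nai:
    user: str
    realm: str


def parse_nai(nai: str) -> Nai:
    """Split a user@realm NAI into its parts, rejecting malformed forms.

    A request carrying an NAI with no realm, several '@' signs, or a
    realm that is not a DNS-style name is refused up front, so it never
    reaches the authentication or proxy path.
    """
    if nai.count("@") != 1:
        raise ValueError(f"NAI must contain exactly one '@': {nai!r}")
    user, realm = nai.split("@")
    if not user or not realm:
        raise ValueError(f"NAI needs both a user and a realm: {nai!r}")
    # Realm: dotted labels of ASCII letters, digits and hyphens only.
    labels = realm.lower().split(".")
    for label in labels:
        if not label or not label.isascii() or not label.replace("-", "").isalnum():
            raise ValueError(f"invalid realm in NAI: {realm!r}")
    return Nai(user=user, realm=realm.lower())


def is_valid_nai(nai: str) -> bool:
    """Boolean form of parse_nai for callers that only need accept/reject."""
    try:
        parse_nai(nai)
        return True
    except ValueError:
        return False


def route_decision(nai: str, local_realm: str = HOME_REALM) -> str:
    """Decide, from the realm alone, whether this AAA server handles the
    request itself ("local") or proxies it to the home realm ("proxy:<realm>")."""
    parsed = parse_nai(nai)
    if parsed.realm == local_realm.lower():
        return "local"
    return f"proxy:{parsed.realm}"
```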
In order to implement the AAA protocol, the remote access dial in user service (RADIUS) protocol is used in the conventional technology. However, since that protocol was designed for a small network with a small number of subscribers requiring server-based authentication, it has the drawback of being unsuitable for the AAA service of communication companies that must support hundreds to thousands of users at the same time. Also, AAA should be supported securely among Internet service providers (ISPs) in a manner that allows capacity to be expanded, but RADIUS cannot satisfy this. Accordingly, in order to solve these problems, a new protocol, the Diameter protocol, has been developed.
The Diameter protocol is an extensible peer-based AAA protocol that provides the AAA service for new policies, for conventional technologies such as the point-to-point protocol (PPP), and for new technologies such as roaming and mobile IP. The Diameter protocol supports a longer attribute/value length, and a Diameter server supports window-based transport that can transmit as many messages as a network access server (NAS) can process and is reliable enough to cope with failures.
While the RADIUS server does not transmit a message unless an AAA client, that is, an intermediate server, requests it, the Diameter server can transmit a message to the AAA client on its own initiative when it needs to indicate accounting information or connection termination to an NAS. Also, the Diameter server improves the re-transmission and failure recovery functions and has far better network recovery capability than the weaker and slower RADIUS server. In addition, the Diameter protocol is designed to provide end-to-end security between peers, which the RADIUS protocol does not support, and to support next-generation extensible AAA such as that for roaming and mobile IP networks.
In the structure of the AAA protocol (Diameter protocol), a base protocol is provided, and application protocols are layered above it. The base protocol itself processes accounting, and real-time accounting is a basic requirement. In this structure, once authentication of a user is completed, authorization is verified, the result information is transferred to the terminal, accounting is processed, and accounting information is periodically transferred to the AAA server.
Meanwhile, in the user authentication method, in order to support a variety of authentication methods, an access point (AP) uses the extensible authentication protocol (EAP), which performs user authentication regardless of the authentication method provided by the service provider. Recently, EAP has gradually been adopted by all authentication methods, such that EAP is becoming the standard framework for authentication between a user and an authentication server. Also, even when a new authentication algorithm emerges, a variety of authentication methods such as EAP-MD5, EAP-TLS, EAP-TTLS, EAP-SRP, and EAP-PEAP can be accommodated. In addition, since a unified EAP is supported over the wireless interval between a terminal and the network, applying EAP when designing a new wireless protocol is enough to perform authentication appropriately.
On the other hand, though user authorization verification should be performed through direct interworking between the user terminal and the AAA server, this is not the case in practice, and in many cases authorization verification is omitted. This is because the necessity of authorization verification is not recognized, and so far not even a format for verifying authorization has been defined.
Accordingly, authorization verification after authentication in the conventional AAA protocol is performed without a separate procedure, and in this structure a desired service authority cannot be requested through real-time interworking with the subscriber.
That is, authorization verification is performed immediately after authentication, but the definition of the authorization verification processing itself has been so unclear that it is not too much to say that authorization verification has in practice been omitted. Also, because of some predetermined field values in the application services, identical authorization verification has been performed for all users.
However, authorization settings for users are becoming more diversified, and the necessity of setting authorization for a variety of services, from payment methods to the service quality type a user desires, the IP service type, the privacy of the service to be used, and the security setting type, is increasing. Therefore, the need to provide verification services for more diversified authorization is also increasing.
In order to meet this service environment, an authorization verification protocol should have a structure capable of satisfying the needs of users, that is, an extensible structure as in authentication. In that structure, authorization verification should be usable with extensibility for the various services that are newly expanding. Also, when a user requests a service change even in the middle of receiving a service, authorization verification appropriate to the changed service should be able to be performed.
Accordingly, the processing of authorization verification should be able to be appropriately connected to the AAA protocol together with an extensible authentication protocol in order to provide a variety of services in the future, and with respect to accounting, a network structure and protocol capable of processing detailed accounting information according to an agreed profile of a service authorization level are needed.
However, though the Diameter protocol currently being standardized has much flexibility in order to accommodate a variety of services, the basic functions of authentication, authorization verification and accounting are performed by the base protocol.
Considered from the viewpoint of a practical system, EAP-based authentication is performed in order to receive user services, but unlike authentication, in authorization verification the overload of the AAA server becomes an obstacle to enabling verification of various authorizations. Accordingly, authorization verification is performed by separate specialized servers, and the AAA server that must be connected to these servers takes on a further burden corresponding to the diversity of the connection protocols.
Accordingly, a structure is needed which unifies the authorization verification protocols, enables much more effective connection services between a terminal and the AAA server, and, even when a service with a new authorization level is added, can interwork with a separate authorization verification server without the burden of upgrading the AAA server.