Current communication networks contain many different service providers, such as operators, ISPs (Internet Service Providers) and ICPs (Internet Content Providers). Each service provider can provide various services to access users, and perform authentication and accounting processing, either independently or in cooperation with others.
When they cooperate, there are various cooperating modes; the most typical one is to operate and cooperate by exchanging the users' authentication and accounting information among the AAA (Authentication, Authorization, and Accounting) systems.
The network architecture of the AAA system is shown in FIG. 1. When a user accesses the network via an access device, an authentication control device is responsible for carrying the identity information of the access user and initiating access and authentication processing for that user toward an AAA server. Many measures are generally adopted for user authentication, such as PPPoE (Point-to-Point Protocol over Ethernet) authentication, WEB authentication and 802.1x authentication.
The network architecture of a cooperating mode currently adopted among different service providers is shown in FIG. 2. Taking PPPoE access authentication as an example, the detailed authentication processing flow for an access user in the network of FIG. 2 is shown in FIG. 3 and includes the following steps:
Step 31: a user terminal sends a PADI message (PPPoE Active Discovery Initiation message) to an authentication control device (i.e. the PPPoE server) to start PPPoE access;
Step 32: the authentication control device (PPPoE server) sends a PADO message (PPPoE Active Discovery Offer message) to the user terminal;
Step 33: the user terminal sends a PADR request (PPPoE Active Discovery Request message) to the authentication control device (PPPoE server) according to the PADO message returned by the authentication control device;
Step 34: the authentication control device (PPPoE server) generates a session id (session identifier) and sends it to the user terminal in a PADS message (PPPoE Active Discovery Session message);
Step 35: the user terminal and the authentication control device (PPPoE server) perform a PPP LCP (Link Control Protocol) negotiation to establish link layer communication, and at the same time negotiate the use of the CHAP (Challenge Handshake Authentication Protocol) authentication mode;
Step 36: the authentication control device (PPPoE server) sends a 128-bit Challenge (challenge code) to the user terminal being authenticated in a Challenge message;
Step 37: after receiving the Challenge message, the user terminal computes an MD5 hash over its password and the Challenge, and sends the resulting hashed Challenge-Password together with the Challenge in a Response message to the authentication control device (PPPoE server);
Step 38: the authentication control device (PPPoE server) sends the Challenge, the hashed Challenge-Password and the username to a RADIUS (Remote Authentication Dial In User Service) user authentication server of service provider A for authentication;
Step 39: if the RADIUS user authentication server of service provider A recognizes from the username that this is a user of service provider B, it forwards the authentication message to the RADIUS user authentication server of service provider B for the actual authentication;
That is, the authentication server of service provider A sends an Access-Request message to the authentication server of service provider B;
Step 310: the RADIUS user authentication server of service provider B determines whether the user is legitimate according to the user information, and then responds with an authentication Success/Failure message to the RADIUS user authentication server of service provider A;
That is, the authentication server of service provider B sends an Access-Accept/Access-Reject message to the authentication server of service provider A;
Step 311: the RADIUS user authentication server of service provider A forwards the authentication Success/Failure message to the authentication control device (PPPoE server). On success, the message carries the negotiation parameters and the user's relevant service attributes to authorize the user; once the user is authorized, the authentication control device (PPPoE server) can perform various kinds of control and management on the user's network access. On failure, the flow ends here.
Step 312: the authentication control device (PPPoE server) returns the authentication result (i.e. Success/Failure) to the user terminal; if the authentication is successful, step 313 is executed, otherwise the flow ends here;
Step 313: the user terminal conducts an NCP (Network Control Protocol) negotiation, such as IPCP (IP Control Protocol), and obtains, via the authentication control device (PPPoE server), parameters such as the planned IP address;
Step 314: if the authentication is successful, the authentication control device (PPPoE server) sends an Accounting-Start request to the RADIUS user accounting server of service provider A;
That is, the authentication control device sends the accounting start/stop messages (Accounting-Start/Accounting-Stop) to service provider A and receives the corresponding Accounting-Response message;
Step 315: if the RADIUS user accounting server of service provider A finds that the user is a roaming user whose home service provider is service provider B, it forwards the accounting message to the RADIUS user accounting server of service provider B for the actual accounting;
Step 316: the RADIUS user accounting server of service provider B responds with an Accounting-Accept message to the RADIUS user accounting server of service provider A; and
Step 317: the RADIUS user accounting server of service provider A forwards the Accounting-Accept message to the authentication control device (PPPoE server).
At this point the access user has passed authentication, obtained legitimate authority, and can use its network service normally.
When the user wants to terminate the network service, it can cut off the network connection via PPPoE; specifically, an Accounting-Stop message is sent in the message format used in steps 314 to 317, so as to implement the Accounting-Stop processing.
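As an added illustration (not part of the patent text), the following Python models the server side of steps 36 to 311 of FIG. 3: the CHAP response computed by the terminal per RFC 1994, and the decision by service provider A's RADIUS server to verify the user locally or forward the Access-Request to service provider B. The user database, the provider names and the convention that the realm after "@" identifies the home provider are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed user database: each provider holds only its own users' secrets.
USER_DB = {
    "A": {"alice@provA": b"alice-secret"},
    "B": {"bob@provB": b"bob-secret"},
}
# Assumed convention: the realm after '@' names the user's home provider.
REALMS = {"provA": "A", "provB": "B"}

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 37: MD5 over identifier, password and challenge (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def home_provider(username: str) -> Optional[str]:
    """Steps 39/315: which provider's AAA server really owns this user."""
    _, sep, realm = username.rpartition("@")
    return REALMS.get(realm) if sep else None

def authenticate(receiving, username, ident, challenge, response) -> Tuple[str, List[str]]:
    """Steps 38-311 on the server side.  Server `receiving` checks the user
    itself or proxies the Access-Request to the home provider.  Returns the
    RADIUS result and the list of servers that handled the request."""
    path = [receiving]
    owner = home_provider(username)
    if owner is None:
        return "Access-Reject", path          # unknown realm, nobody to ask
    if owner != receiving:
        path.append(owner)                    # Access-Request forwarded (step 39)
    secret = USER_DB[owner].get(username)
    if secret is None:
        return "Access-Reject", path
    expected = chap_response(ident, secret, challenge)
    # Constant-time comparison so the verifier leaks nothing about the digest.
    ok = hmac.compare_digest(expected, response)
    return ("Access-Accept" if ok else "Access-Reject"), path

def run_flow(username: str, password: bytes, ident: int = 1) -> Tuple[str, List[str]]:
    """Terminal and PPPoE server of provider A run steps 36-311 end to end."""
    challenge = os.urandom(16)                               # step 36: 128-bit challenge
    response = chap_response(ident, password, challenge)     # step 37, terminal side
    return authenticate("A", username, ident, challenge, response)
```

Note that only the provider holding the secret can verify the response, which is why the path for a roaming user always passes through its home server.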
Through the above processing, authentication and accounting information is exchanged between service provider A and service provider B. However, because the core device for authentication and accounting (i.e. the authentication control device) is located in the network of service provider A, and the AAA information is forwarded from the AAA server of service provider A to the AAA server of service provider B, control of the users is in practice held entirely by service provider A. Therefore, if service provider A modifies the parameters of the authentication control device and the AAA server, service provider B is very likely to suffer losses.
To prevent the controlled service provider from suffering such losses due to the unequal status of the different service providers, each service provider currently needs to deploy and operate its own authentication control device. The corresponding network architecture is shown in FIG. 4. Still taking the PPPoE access authentication mode as an example, the authentication processing flow for the access user in FIG. 4 is described below with reference to FIG. 5, and includes:
The processing from step 51 to step 58 is the same as that from step 31 to step 38 shown in FIG. 3, so its detailed description is omitted;
Step 59: the RADIUS user authentication server of service provider A determines whether the user is legitimate according to the user information, and then executes step 510 by responding with the authentication Success/Failure message to the authentication control device;
On success, the message carries the negotiation parameters and the user's relevant service attributes to authorize the user, and step 511 is executed; once the user is authorized, the authentication control device (PPPoE server) can perform various kinds of control and management on the user's network access. On failure, the flow ends here.
Step 511: the user terminal conducts an NCP (such as IPCP) negotiation, and obtains, via the authentication control device (PPPoE server), parameters such as the planned IP address;
Step 512: if the authentication is successful, the authentication control device (PPPoE server) sends an Accounting-Start request to the RADIUS user accounting server of service provider A;
Step 513: the RADIUS user accounting server of service provider A responds with an Accounting-Accept message to the authentication control device (PPPoE server).
At this point the access user has passed authentication, obtained legitimate authority, and can use its network service normally. However, because the user has not been authorized by service provider B, it can only access the network of service provider A. Thus, when the user wants to access service provider B and external networks, it must be re-authenticated by service provider B. That is, the user terminal sends a secondary authentication request to the authentication control device of service provider B, for which the WEB authentication mode is generally adopted at present. The detailed authentication processing procedure is also shown in FIG. 5 and includes:
Step 514: the authentication control device of service provider B sends the user information to the RADIUS user authentication server of service provider B for authentication;
Step 515: the RADIUS user authentication server of service provider B determines whether the user is legitimate according to the user information, and then executes step 516, that is, responds with the authentication Success/Failure message to the authentication control device of service provider B;
On success, the message carries the negotiation parameters and the user's relevant service attributes to authorize the user; once the user is authorized, the authentication control device (PPPoE server) can perform various kinds of control and management on the user's network access. On failure, the flow ends here.
Step 517: the authentication control device of service provider B returns the authentication result to the user terminal, and if the authentication is successful, step 518 is executed;
Step 518: the authentication control device of service provider B sends an Accounting-Start request to the RADIUS user accounting server of service provider B;
Step 519: the RADIUS user accounting server of service provider B responds with an Accounting-Accept message to the authentication control device of service provider B;
At this point the access user has passed authentication, obtained legitimate authority in the network of service provider B and the external network, and can use its network service normally. That is, only after passing authentication twice can the user access service provider A, service provider B and the external network.
In this solution, if there are multiple service providers, the user must be authenticated many times to obtain authority layer by layer. That is, the user is required to log in to each service provider separately, which makes the user's operation procedure complicated. Furthermore, each service provider maintains its operation information individually, which greatly increases the service providers' operation costs.