CN-122001631-A - Network access management method, system, server and readable storage medium
Abstract
The embodiments of the application provide a network access management method, a system, a server and a readable storage medium, relate to the technical field of communication, and can solve the problem of large time delay when an AAA system performs authentication, authorization and charging. The method is applied to a network access management system and comprises: receiving, through a gateway device, a network access request initiated by a user, wherein the network access request carries a user identifier, a user address and an access mode identifier; determining a target sub-area of the user based on the user address, routing the network access request to a target edge node corresponding to the target sub-area, and performing access authentication on the network access request through the target edge node to obtain an authentication result; and, if the authentication result indicates that the authentication passes, quantifying the network access resources through the target central node corresponding to the target edge node to obtain a network access resource quantification result.
Inventors
- LI SHENGGUANG
- PEI PEI
- XU PENG
- ZHANG GUIYU
- GENG ZIYUAN
- ZHANG XIAOPING
Assignees
- 中国联合网络通信集团有限公司
- 中讯邮电咨询设计院有限公司
Dates
- Publication Date: 20260508
- Application Date: 20260121
Claims (20)
- 1. The network access management method is characterized by being applied to a network access management system, wherein the network access management system comprises a central node, a plurality of edge nodes and at least one gateway device in a preset area of a network access scene, wherein the central node is a node matched with the center of the area in the preset area, the preset area is divided into a plurality of subareas, each subarea corresponds to one edge node, and the central node in the preset area corresponds to the plurality of edge nodes; The method comprises the following steps: Receiving a network access request initiated by a user through the gateway equipment, wherein the network access request carries the user identifier, the user address and the access mode identifier; Determining a target sub-region of the user based on the user address and routing the network access request to a target edge node corresponding to the target sub-region; Performing access authentication on the network access request through the target edge node to obtain an authentication result; and if the authentication result represents that the authentication passes, carrying out network access resource quantization through the target center node corresponding to the target edge node, and obtaining a network access resource quantization result.
- 2. The method according to claim 1, wherein the performing access authentication on the network access request by the target edge node, and obtaining an authentication result, includes: The network access request is subjected to structural analysis through the target edge node, and authentication information of the user is obtained, wherein the authentication information comprises an analyzed user identifier, a user address and an access mode identifier; And verifying the authentication information based on the preset authentication information of the user through the target edge node, and obtaining the authentication result.
- 3. The method of claim 2, wherein the preset authentication information comprises first preset authentication information and second preset authentication information, wherein the first preset authentication information is preset authentication information in a first period of time in the local cache of the edge node; the step of verifying the authentication information based on the preset authentication information of the user by the target edge node to obtain the authentication result includes: verifying the authentication information based on the first preset authentication information, and acquiring the authentication result; The method further comprises the steps of: if the target preset authentication information is matched with the authentication information, determining that the network access request of the user passes authentication; If the first preset authentication information is not matched with the authentication information, verifying the authentication information based on the second preset authentication information; If the target second preset authentication information is matched with the authentication information, determining that the network access request authentication of the user passes; And if the second preset authentication information is not matched with the authentication information, determining that the network access request authentication of the user is not passed.
- 4. A method according to claim 3, characterized in that the method further comprises: And if the authentication of the network access request of the user is not passed, returning authentication failure information to the user through the gateway equipment.
- 5. The method of any of claims 1-4, wherein the method further comprises, if the authentication result characterizes an authentication pass: collecting session data of the user through the gateway equipment, generating a quantization request, and sending the quantization request to the target edge node, wherein the session data comprises session establishment time, an uplink resource quantization value, a downlink resource quantization value and access duration; Carrying out structural analysis on the quantization request through the target edge node, extracting a resource quantization core field corresponding to the quantization request, and sending the resource quantization core field to the target center node; The network access resource quantization is performed through the target central node corresponding to the target edge node, and a network access resource quantization result is obtained, including: And carrying out resource quantization on session data of the user based on a resource quantization rule and the resource quantization core field through the target center node to obtain the network access resource quantization result, wherein the resource quantization rule is used for representing the duration of a session corresponding to the network service of the user and/or the quantization rule of the resource used by the session.
- 6. The method of claim 5, wherein the method further comprises: And storing a network access resource quantification result corresponding to the session data of the user into a database through the target center node.
- 7. The method according to claim 5 or 6, characterized in that the method further comprises: If abnormal session data of the user is detected through the target center node, marking the session data of the user as abnormal data; And carrying out resource quantization on session data of the user according to a minimum resource quantization rule through the target center node to obtain the network access resource quantization result, wherein the minimum resource quantization rule is used for representing resource quantization by a preset abnormal quantization value.
- 8. The method according to claim 5 or 6, characterized in that after determining the target sub-area of the user based on the user address, the method further comprises: if the target edge node corresponding to the target sub-region is abnormal, routing the network access request to a target center node corresponding to the target edge node through the gateway equipment; and carrying out access authentication on the network access request through the target center node to obtain an authentication result.
- 9. The network access management system is characterized by comprising a center node, a plurality of edge nodes and gateway equipment in a preset area of a network access scene, wherein the center node is a node matched with the center of the area in the preset area, the preset area is divided into a plurality of subareas, each subarea corresponds to one edge node, and the center node in the preset area corresponds to the plurality of edge nodes; the gateway equipment is used for receiving a network access request initiated by a user, wherein the network access request carries a user identifier, a user address and an access mode identifier; The gateway device is further configured to determine a target sub-area of the user based on the user address, and route the network access request to a target edge node corresponding to the target sub-area; The target edge node is used for carrying out access authentication on the network access request and obtaining an authentication result; The target edge node is further configured to receive session data of the user sent by the gateway device and send the session data to a corresponding target center node when the authentication result characterizes that authentication is passed; And the target center node is used for quantifying the network access resources based on the session data and obtaining a network access resource quantification result.
- 10. The system of claim 9, wherein the target edge node comprises a protocol processing module and an authentication authorization module; The protocol processing module is used for carrying out structural analysis on the network access request to obtain the authentication information of the user, wherein the authentication information comprises an analyzed user identifier, a user address and an access mode identifier; the authentication authorization module is used for verifying the authentication information based on the preset authentication information of the user and obtaining an authentication result.
- 11. The system of claim 10, wherein the preset authentication information comprises first preset authentication information and second preset authentication information, wherein the first preset authentication information is preset authentication information in a first period of time in the local cache of the edge node; If the target first preset authentication information is matched with the authentication information, the authentication authorization module is used for determining that the network access request authentication of the user passes; If the first preset authentication information is not matched with the authentication information, the authentication authorization module is used for verifying the authentication information based on the second preset authentication information; If the target second preset authentication information is matched with the authentication information, the authentication authorization module is used for determining that the network access request authentication of the user passes; And if the second preset authentication information is not matched with the authentication information, the authentication authorization module is used for determining that the network access request authentication of the user is not passed.
- 12. The system of claim 10 or 11, wherein if the authentication result characterizes an authentication pass, The gateway equipment is also used for collecting session data of the user, generating a quantization request and sending the quantization request to the protocol processing module, wherein the session data comprises session establishment time, an uplink resource quantization value, a downlink resource quantization value and access duration; the protocol processing module is further configured to perform structural analysis on the quantization request, extract a resource quantization core field corresponding to the quantization request, and send the resource quantization core field to the target central node.
- 13. The system of claim 12, wherein the target central node comprises a resource quantization module; The resource quantization module is used for carrying out resource quantization on session data of the user based on a resource quantization rule and the resource quantization core field to obtain the network access resource quantization result, wherein the resource quantization rule is used for representing the duration of a session corresponding to the network service of the user and/or the quantization rule of the resource used by the session.
- 14. The system according to claim 12 or 13, wherein, The resource quantization module is further configured to, if detecting that the session data of the user is abnormal, mark the session data of the user as abnormal data; The resource quantization module is further configured to perform resource quantization on session data of the user according to a minimum resource quantization rule, and obtain the network access resource quantization result, where the minimum resource quantization rule is used to characterize resource quantization with a preset abnormal quantization value.
- 15. The system of claim 13 or 14, wherein the target central node comprises a database module; the database module is used for storing second preset authentication information of a plurality of users; The database module is further configured to store a network access resource quantization result corresponding to session data of the user.
- 16. The system according to any of claims 13-15, wherein the target central node comprises the protocol processing module, the authentication authorization module; if the edge node is abnormal, the protocol processing module of the target center node is used for carrying out structural analysis on the network access request to obtain authentication information of the user, wherein the authentication information comprises an analyzed user identifier, a user address and an access mode identifier; the authentication authorization module of the target center node is used for verifying the authentication information based on the preset authentication information of the user and obtaining an authentication result.
- 17. The system of any of claims 9-16, wherein the module to be processed comprises one or more of a protocol processing module, an authentication authorization module, a resource quantization module, a database module; The target center node comprises an interface registration module, wherein the interface registration module is used for carrying out service registration on the modules to be processed and obtaining route configuration among the modules to be processed.
- 18. The system of claim 17, wherein the interface registration module is further used for receiving a service registration request sent by the to-be-processed module and checking service information corresponding to the service registration request to obtain a service routing table, wherein the service information in the service registration request comprises module information, interface information and deployment information corresponding to the to-be-processed module; the interface registration module is further configured to send the service routing table to the to-be-processed module, so that the to-be-processed module forwards the service request based on the service routing table.
- 19. The system of any one of claims 9-18, wherein the target central node includes a configuration query module therein; the configuration query module is used for carrying out first initialization configuration on the protocol processing module, wherein the first initialization configuration comprises the steps of sending protocol processing parameters to the protocol processing module based on a first preset interface, and the protocol processing parameters comprise structural analysis rules corresponding to the service request; the configuration query module is further configured to perform a second initialization configuration on the authentication and authorization module, where the second initialization configuration includes sending an initial authentication policy to the authentication and authorization module based on a second preset interface, and the initial authentication policy includes an account password authentication policy; the configuration query module is further configured to perform a third initialization configuration on the database module, where the third initialization configuration includes sending initial service data to the database module based on a third preset interface, and the initial service data includes the preset authentication data; The configuration query module is further configured to perform a fourth initialization configuration on the resource quantization module, where the fourth initialization configuration includes sending an initial charging rule to the resource quantization module based on a fourth preset interface.
- 20. The system of any one of claims 9-19, wherein, The protocol processing module, the authentication and authorization module, the resource quantization module, the database module, the interface registration module and the configuration query module are respectively packaged into independent containers, wherein each independent container comprises at least one container instance; And for each independent container, carrying out trend prediction of the load index based on the load index corresponding to the independent container through a layout platform, and obtaining a prediction result so that the layout platform can adjust the container instance of the independent container.
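The flow of claims 1 to 3, 7 and 8 can be sketched as follows. This is an added example, not code from the patent: the class and field names, the mapping of user addresses to sub-areas by IP prefix, the cache lifetime, the cache refresh after a central match, the abnormality test and the quantization rule are all assumptions made for illustration.

```python
import ipaddress
import time
from dataclasses import dataclass, field

ABNORMAL_QUANTITY = 0  # assumed "preset abnormal quantization value" (claim 7)


@dataclass
class CenterNode:
    database: dict  # second preset authentication info: user_id -> (address, mode)

    def authenticate(self, user_id, address, mode):
        return self.database.get(user_id) == (address, mode)

    def quantize(self, session):
        values = (session["uplink"], session["downlink"], session["duration"])
        if any(v < 0 for v in values):  # assumed abnormality test
            return {"abnormal": True, "quantity": ABNORMAL_QUANTITY}
        # Assumed quantization rule: total transferred volume.
        return {"abnormal": False, "quantity": session["uplink"] + session["downlink"]}


@dataclass
class EdgeNode:
    center: CenterNode
    cache_ttl: float = 300.0  # assumed length of the "first period of time"
    healthy: bool = True
    cache: dict = field(default_factory=dict)  # user_id -> (address, mode, stored_at)

    def authenticate(self, user_id, address, mode, now=None):
        now = time.monotonic() if now is None else now
        entry = self.cache.get(user_id)
        if entry and now - entry[2] <= self.cache_ttl and entry[:2] == (address, mode):
            return True, "edge-cache"
        # First preset info missing, expired or mismatched: verify against the second.
        if self.center.authenticate(user_id, address, mode):
            self.cache[user_id] = (address, mode, now)  # assumed cache refresh
            return True, "center-database"
        self.cache.pop(user_id, None)
        return False, "rejected"


@dataclass
class Gateway:
    subareas: list  # [(ip_network, EdgeNode)], assumed address-to-sub-area mapping
    center: CenterNode

    def access(self, request, now=None):
        creds = (request["user_id"], request["address"], request["access_mode"])
        ip = ipaddress.ip_address(request["address"])
        edge = next((e for net, e in self.subareas if ip in net), None)
        if edge is None:
            return False, "no-subarea"
        if not edge.healthy:  # claim 8: abnormal edge node, authenticate at the center
            ok = self.center.authenticate(*creds)
            return ok, ("center-failover" if ok else "rejected")
        return edge.authenticate(*creds, now=now)


def build_demo():
    """Constructed sample: one sub-area 10.1.0.0/16 and one provisioned user."""
    center = CenterNode({"alice": ("10.1.0.7", "PPPoE")})
    edge = EdgeNode(center)
    gateway = Gateway([(ipaddress.ip_network("10.1.0.0/16"), edge)], center)
    request = {"user_id": "alice", "address": "10.1.0.7", "access_mode": "PPPoE"}
    return gateway, edge, center, request


if __name__ == "__main__":
    gw, edge, center, req = build_demo()
    print(gw.access(req, now=0), gw.access(req, now=10))
    print(center.quantize({"uplink": 100, "downlink": 50, "duration": 60}))
```

In this sketch a cache hit never consults the center node, so a user removed from the central database keeps authenticating at the edge until `cache_ttl` elapses; the cache lifetime is therefore the bound on how long a revocation takes to reach the edge.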
Description
Network access management method, system, server and readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular to a network access management method, a system, a server, and a readable storage medium.
Background
With the rapid development of broadband networks and the rapid popularization of new services, user access scenarios are increasingly complex, and different access scenarios may correspond to different network access modes, such as Point-to-Point Protocol over Ethernet (PPPoE), Internet Protocol over Ethernet (IPoE), Dynamic Host Configuration Protocol plus Portal Authentication Protocol (DHCP+Portal), and other network access modes. Authentication, Authorization, and Accounting (AAA) systems are a key link in network access management, providing user identity verification, resource authority allocation, and cost accounting statistics for network access users. However, existing AAA systems have a relatively large time delay when performing authentication, authorization and accounting, which affects the user experience.
Disclosure of Invention
The application provides a network access management method, a network access management system, a server and a readable storage medium, which can solve the problem that an AAA system has a relatively large time delay when performing authentication, authorization and accounting.
In a first aspect, the present application provides a network access management method, applied to a network access management system, where the network access management system includes a central node, a plurality of edge nodes, and at least one gateway device in a preset area of a network access scene.
The center node is a node matched with the center of the area in the preset area, the preset area is divided into a plurality of subareas, each subarea corresponds to one edge node, and the center node in the preset area corresponds to the plurality of edge nodes. The method comprises the following steps: receiving, through the gateway device, a network access request initiated by a user, wherein the network access request carries a user identifier, a user address and an access mode identifier; determining a target sub-area of the user based on the user address, routing the network access request to a target edge node corresponding to the target sub-area, and performing access authentication on the network access request through the target edge node to obtain an authentication result; and, if the authentication result indicates that the authentication passes, quantifying the network access resources through the target central node corresponding to the target edge node to obtain a network access resource quantifying result.
Based on the first aspect, the authentication process and the quantization process of the network access management system are separated: the authentication process is implemented in the edge node and the quantization process is implemented in the center node. Compared with implementing both processes in the center node, this reduces the load pressure on the center node and thus improves the charging efficiency of the center node. Implementing the high-frequency authentication process in the edge node means that, compared with authentication in the center node, authentication is performed at the closer edge node without transmission to the farther center node, which reduces the influence of loss in the transmission process and of the center node's load pressure on the authentication delay. This improves the authentication efficiency of the network access management system, further improves its authentication and quantization efficiency, reduces the delay of the network access management system for authentication and quantization, and improves the user experience.
In one possible implementation manner, performing access authentication on the network access request through the target edge node and obtaining an authentication result includes: performing structural analysis on the network access request through the target edge node to obtain authentication information of the user, wherein the authentication information comprises an analyzed user identifier, a user address and an access mode identifier; and verifying the authentication information based on the preset authentication information of the user through the target edge node to obtain an authentication result.
In another possible implementation manner, the preset authentication information includes first preset authentication information. The above-me