
CN104780168A - Portal authentication method and equipment - Google Patents

Publication number
CN104780168A
Authority
CN
China
Prior art keywords
mac address
authentication
terminal equipment
portal
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510144054.XA
Other languages
Chinese (zh)
Inventor
郑涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CN201510144054.XA priority Critical patent/CN104780168A/en
Publication of CN104780168A publication Critical patent/CN104780168A/en
Pending legal-status Critical Current

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a Portal authentication method and equipment. The method comprises the following steps: APs (access points) redirect an HTTP (hyper text transfer protocol) message to a Portal server when receiving the HTTP message from terminal devices failing in the Portal authentication, wherein a redirecting URL (uniform resource locator) carries an MAC (media access control) address of each terminal device, so that the Portal server carries the MAC addresses of the terminal devices when initiating authentication to ACs (access controllers); the APs receive an authentication success message and a control strategy from the ACs, the authentication success message carries the MAC addresses of the terminal devices, and the terminal devices passing the Portal authentication are determined according to the MAC addresses; the APs locally forward the HTTP message of the terminal devices passing the Portal authentication according to the control strategy. According to the embodiment, AC centralized Portal authentication in local forwarding by the APs is realized, and the problem about centralized Portal authentication of users in a branch deployment scene is solved.

Description

Portal authentication method and equipment
Technical Field
The invention relates to the technical field of communication, in particular to a Portal authentication method and Portal authentication equipment.
Background
Fig. 1 is a schematic diagram of an application scenario for centralized Portal authentication with local forwarding. In a branch enterprise deployment, the enterprise branch office deploys an AP (Access Point) and an egress router, and the headquarters deploys an AC (Access Controller). In this networking, data traffic is forwarded locally: after receiving data traffic from a terminal device, the AP forwards it directly to the Internet without sending it to the AC. However, Portal authentication is controlled centrally by the AC, so when data traffic does not pass through the AC, the AC cannot redirect the terminal device's access, cannot control the terminal device's permission to access the network, and cannot perform Portal authentication.
Disclosure of Invention
An embodiment of the invention provides a Portal authentication method in which an access point (AP) works in local forwarding mode. The method comprises the following steps:
when the AP receives a hypertext transfer protocol (HTTP) message from a terminal device which does not pass Portal authentication, the AP redirects the HTTP message to a Portal server, wherein the redirected Uniform Resource Locator (URL) carries an MAC address of the terminal device, so that the Portal server carries the MAC address of the terminal device when initiating authentication to an Access Controller (AC);
the AP receives an authentication success message and a control strategy from the AC, the authentication success message carries the MAC address of the terminal equipment, and the terminal equipment which passes Portal authentication is determined according to the MAC address; the authentication success message and the control strategy are sent to the AP by the AC by using the MAC address of the AP corresponding to the MAC address of the terminal equipment;
and the AP locally forwards the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
After the AP receives the HTTP message from the terminal equipment which is not authenticated by Portal, the method further comprises the following steps:
the AP sends the MAC address of the terminal device and the MAC address of the AP to the AC, so that the AC establishes a corresponding relation between the MAC address of the terminal device and the MAC address of the AP; or,
the AP carries the MAC address of the AP in the redirected URL, so that the Portal server carries the MAC address of the AP when initiating authentication to the AC, and the AC establishes a corresponding relation between the MAC address of the terminal equipment and the MAC address of the AP.
The method further comprises:
when terminal equipment roams to the AP across the AP, the AP receives an association request message from the currently roamed terminal equipment and sends the association request message to the AC; the AC inquires the Portal authentication state of the current roaming terminal equipment according to the MAC address in the association request message;
when the Portal authentication state of the current roaming terminal equipment is Portal authentication success, the AP receives an authentication success message containing the MAC address of the current roaming terminal equipment from the AC and a control strategy, and determines the current roaming terminal equipment passing Portal authentication according to the MAC address;
and the AP locally forwards the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
An embodiment of the invention provides a Portal authentication method in which an access point (AP) works in local forwarding mode. The method comprises the following steps:
the access controller AC establishes a corresponding relation between a Media Access Control (MAC) address of the terminal equipment and an MAC address of the AP; the terminal equipment is the terminal equipment which is not authenticated;
the AC receives an authentication request message which is from a Portal server and carries an MAC address of terminal equipment and user information corresponding to the terminal equipment;
when the user information is used for successfully authenticating the terminal equipment, the AC uses the MAC address of the terminal equipment to inquire the corresponding relation to obtain the MAC address of the corresponding AP, and uses the MAC address of the AP to send an authentication success message containing the MAC address of the terminal equipment and a control strategy to the AP, the AP determines the terminal equipment passing Portal authentication according to the MAC address, and locally forwards the HTTP message of the terminal equipment passing Portal authentication according to the control strategy.
The process of the AC establishing the correspondence between the MAC address of the terminal device and the MAC address of the AP specifically includes:
the AC receives an MAC address of terminal equipment from an AP and an MAC address of the AP, and establishes a corresponding relation between the MAC address of the terminal equipment and the MAC address of the AP; the MAC address of the terminal equipment and the MAC address of the AP are sent after the AP receives a hypertext transfer protocol (HTTP) message from the terminal equipment which does not pass Portal authentication; or,
when the authentication request message also carries the MAC address of an AP, the AC, after receiving the authentication request message, establishes a correspondence between the MAC address of the terminal device and the MAC address of the AP carried in the authentication request message; the MAC address of the AP is obtained by the Portal server from the URL redirected by the AP and is carried in the authentication request message when the Portal server initiates authentication to the AC.
The method further comprises:
the AC receives an association request message from the AP, wherein the association request message is sent by the AP after receiving an association request message of terminal equipment roaming to the AP across the AP;
and the AC inquires the Portal authentication state of the current roaming terminal equipment according to the MAC address in the association request message, and sends an authentication success message containing the MAC address of the current roaming terminal equipment and a control strategy to the AP when the Portal authentication state of the current roaming terminal equipment is Portal authentication success, the AP determines the current roaming terminal equipment passing Portal authentication according to the MAC address, and locally forwards the HTTP message of the terminal equipment passing Portal authentication according to the control strategy.
After the AC sends an authentication success message including the MAC address of the currently roaming terminal device and the control policy to the AP, the method further includes:
and the AC sends a charging updating request message to an authentication server, wherein the charging updating request message carries the MAC address of the AP.
The embodiment of the present invention provides an AP, where the AP operates in a local forwarding mode, and the AP specifically includes:
a sending module, configured to redirect a Hypertext Transfer Protocol (HTTP) message to a Portal server when the HTTP message is received from a terminal device that has not passed Portal authentication, wherein the redirected Uniform Resource Locator (URL) carries the MAC (media access control) address of the terminal device, so that the Portal server carries the MAC address of the terminal device when initiating authentication to an access controller (AC);
the receiving module is used for receiving an authentication success message and a control strategy from the AC, wherein the authentication success message carries the MAC address of the terminal equipment, and the terminal equipment which passes Portal authentication is determined according to the MAC address; the authentication success message and the control strategy are sent to the AP by the AC by using the MAC address of the AP corresponding to the MAC address of the terminal equipment; and locally forwarding the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
The sending module is further configured to send the MAC address of the terminal device and the MAC address of the AP to the AC after receiving an HTTP message from a terminal device that does not pass Portal authentication, so that the AC establishes a correspondence between the MAC address of the terminal device and the MAC address of the AP; or the redirected URL carries the MAC address of the AP, so that the Portal server carries the MAC address of the AP when initiating authentication to the AC, and the AC establishes the corresponding relation between the MAC address of the terminal equipment and the MAC address of the AP.
The sending module is further configured to receive an association request message from a currently roaming terminal device when a terminal device roams to the AP across the APs, and send the association request message to the AC; the AC inquires the Portal authentication state of the current roaming terminal equipment according to the MAC address in the association request message;
the receiving module is further configured to receive an authentication success message and a control policy from the AC, where the authentication success message includes an MAC address of the currently roaming terminal device, when the Portal authentication status of the currently roaming terminal device is that Portal authentication is successful, and determine the currently roaming terminal device that passes the Portal authentication according to the MAC address; and locally forwarding the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
The embodiment of the present invention provides an access controller AC, where an access point AP works in a local forwarding mode, where the AC specifically includes:
the establishing module is used for establishing the corresponding relation between the Media Access Control (MAC) address of the terminal equipment and the MAC address of the AP; the terminal equipment is the terminal equipment which is not authenticated;
the receiving module is used for receiving, from a Portal server, an authentication request message carrying the MAC address of the terminal device and user information corresponding to the terminal device;
and the sending module is used for inquiring the corresponding relation by using the MAC address of the terminal equipment when the terminal equipment is successfully authenticated by using the user information, obtaining the MAC address of the corresponding AP, sending an authentication success message containing the MAC address of the terminal equipment and a control strategy to the AP by using the MAC address of the AP, determining the terminal equipment passing Portal authentication by the AP according to the MAC address, and locally forwarding the HTTP message of the terminal equipment passing Portal authentication according to the control strategy.
The establishing module is specifically configured to receive the MAC address of a terminal device and the MAC address of the AP from an AP, and establish a correspondence between the MAC address of the terminal device and the MAC address of the AP, where the MAC address of the terminal device and the MAC address of the AP are sent by the AP after it receives a Hypertext Transfer Protocol (HTTP) message from a terminal device that has not passed Portal authentication; or, when the authentication request message also carries the MAC address of an AP, to establish, after receiving the authentication request message, a correspondence between the MAC address of the terminal device and the MAC address of the AP carried in the authentication request message, where the MAC address of the AP is obtained by the Portal server from the URL redirected by the AP and is carried in the authentication request message when the Portal server initiates authentication to the AC.
The receiving module is further configured to receive an association request message from an AP, where the association request message is sent by the AP after receiving an association request message of a terminal device roaming to the AP across the AP;
the sending module is further configured to query a Portal authentication state of the currently roaming terminal device according to the MAC address in the association request message, send an authentication success message including the MAC address of the currently roaming terminal device and a control policy to the AP when the Portal authentication state of the currently roaming terminal device is a Portal authentication success, determine, by the AP, the currently roaming terminal device that passes the Portal authentication according to the MAC address, and locally forward the HTTP message of the terminal device that passes the Portal authentication according to the control policy.
The sending module is further configured to send a charging update request message to an authentication server after sending an authentication success message including the MAC address of the currently roaming terminal device and the control policy to the AP, where the charging update request message carries the MAC address of the AP.
Based on the above technical solution, in the embodiment of the invention the redirection function is configured locally on the AP, and Portal authentication of the terminal device is completed in cooperation with the AC. This realizes AC-centralized Portal authentication while the AP forwards locally, and solves the problem of centralized Portal authentication of users in branch deployments where branch-office data traffic is forwarded locally (traffic does not pass through the AC). Furthermore, through information linkage between the AP and the AC, problems such as avoiding re-authentication and having the policy follow the user when the user roams across APs are solved.
Drawings
FIG. 1 is a schematic diagram of an application scenario in which Portal centrally authenticates local forwarding in the prior art;
FIG. 2 is a flowchart illustrating a Portal authentication method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an AP according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an AC according to an embodiment of the present invention.
Detailed Description
To solve the problems in the prior art, an embodiment of the present invention provides a Portal authentication method. Fig. 1 is a schematic view of an application scenario of the embodiment; the method may be applied to a network including a terminal device, an AP, an AC, an egress router, a Portal server, and an authentication server (e.g., an AAA (Authentication, Authorization and Accounting) server). The enterprise branch office deploys the AP and the egress router, and the headquarters deploys the AC, the Portal server and the authentication server. In this application scenario, as shown in fig. 2, the Portal authentication method may specifically include the following steps:
Step 201, when the AP receives an HTTP (HyperText Transfer Protocol) message from a terminal device that has not passed Portal authentication, the AP redirects the HTTP message to a Portal server. The redirected URL (Uniform Resource Locator) carries the Media Access Control (MAC) address of the terminal device, so that the Portal server carries the MAC address of the terminal device when initiating authentication to the AC.
In the embodiment of the invention, the AP works in a local forwarding mode, and based on the local forwarding mode, after receiving the HTTP message from the terminal equipment authenticated by Portal, the AP directly utilizes the destination IP address of the HTTP message to send the HTTP message to the Internet, and the process is not described in detail herein.
In the process that the AP redirects the HTTP message to the Portal server, the redirected URL can carry the IP address of the terminal equipment, the MAC address of the terminal equipment and the IP address of the AC.
In the embodiment of the invention, after the AP receives the HTTP message from the terminal equipment, when the terminal equipment does not pass the Portal authentication, the AP triggers the terminal equipment to carry out the Portal authentication to the Portal server by sending the HTTP 302 response message to the terminal equipment, and redirects the HTTP message to the Portal server.
Step 202, the AC establishes a correspondence between the MAC address of the terminal device and the MAC address of the AP. Wherein, the terminal device is a terminal device which is not authenticated (such as Portal authentication).
In step 203, the AC receives an authentication request message from the Portal server carrying the MAC address of the terminal device and user information (such as a user name and a password) corresponding to the terminal device.
In the embodiment of the present invention, the process of the AC establishing the correspondence between the MAC address of the terminal device and the MAC address of the AP may specifically include, but is not limited to, the following manners:
Mode 1: after receiving an HTTP message from a terminal device that has not passed Portal authentication, the AP sends the MAC address of the terminal device and the MAC address of the AP to the AC. The AC then receives the MAC address of the terminal device and the MAC address of the AP from the AP, and establishes a correspondence between the MAC address of the terminal device and the MAC address of the AP.
In the embodiment of the invention, when the terminal device has not passed authentication, the AP encapsulates the MAC address of the terminal device and the MAC address of the AP in a CAPWAP (Control And Provisioning of Wireless Access Points protocol) tunnel, and sends the encapsulated MAC address of the terminal device and MAC address of the AP to the AC.
Mode 2: in the process of redirecting the HTTP message of the terminal device to the Portal server, the AP carries its own MAC address in the redirected URL, so that the Portal server carries the MAC address of the AP when initiating authentication to the AC; that is, the Portal server obtains the MAC address of the AP from the URL redirected by the AP and carries it in the authentication request message when initiating authentication to the AC. On this basis, the authentication request message from the Portal server can also carry the MAC address of the AP. After receiving the authentication request message, the AC establishes a correspondence between the MAC address of the terminal device and the MAC address of the AP carried in the authentication request message.
Step 204, when the terminal device is successfully authenticated using its corresponding user information, the AC queries the correspondence using the MAC address of the terminal device to obtain the MAC address of the corresponding AP, and uses the MAC address of the AP to send the AP an authentication success message containing the MAC address of the terminal device, together with a control policy.
Step 205, the AP receives from the AC the authentication success message carrying the MAC address of the terminal device, together with the control policy, determines from the MAC address which terminal device has passed Portal authentication, and locally forwards the HTTP messages of that terminal device according to the control policy.
In the embodiment of the invention, after receiving the HTTP message redirected to the Portal server, the Portal server performs Portal authentication on the terminal equipment. In the process that the Portal server performs Portal authentication on the terminal equipment, the Portal server returns an authentication page to the terminal equipment, and a user inputs user information (such as user name, password and other information) corresponding to the terminal equipment on the authentication page. And then, the Portal server sends the user information corresponding to the terminal equipment to the AC through the authentication request message.
Further, when the Portal server sends an authentication request message to the AC, the authentication request message may also carry the MAC address of the terminal device. In addition, when the Portal server sends an authentication request message to the AC, the authentication request message can also carry the MAC address of the AP.
In the embodiment of the invention, the AC receives an authentication request message from a Portal server carrying user information corresponding to the terminal equipment and an MAC address of the terminal equipment, and sends the user information corresponding to the terminal equipment and the MAC address of the terminal equipment to the authentication server, and the authentication server carries out Portal authentication on the terminal equipment by utilizing the user information corresponding to the terminal equipment. And when the Portal authentication of the terminal equipment is successfully carried out by using the user information corresponding to the terminal equipment, the AC sends an authentication success message and a control strategy to the AP, and the authentication success message contains the MAC address corresponding to the terminal equipment.
The AC can perform CAPWAP tunnel encapsulation on the authentication success message and the control strategy and send the authentication success message and the control strategy after CAPWAP tunnel encapsulation to the AP.
In the embodiment of the present invention, after receiving the authentication success message from the AC, the AP may record the MAC address of the terminal device in an ACL (Access Control List). Based on the ACL, after receiving the HTTP message from the terminal equipment, the AP judges whether the address information (namely the source IP address of the HTTP message) of the terminal equipment is recorded in the ACL; if yes, the AP determines that the terminal equipment passes Portal authentication; if not, the AP determines that the terminal equipment is not authenticated by the Portal.
In the embodiment of the invention, when terminal equipment roams to the AP across the APs, the AP receives the association request message from the currently roamed terminal equipment and sends the association request message to the AC. And the AC receives the association request message from the AP and inquires the Portal authentication state of the currently roaming terminal equipment according to the MAC address in the association request message. Further, when the Portal authentication status of the currently roaming terminal device is that Portal authentication is successful, the AC sends an authentication success message containing the MAC address of the currently roaming terminal device and the control policy to the AP. The AP receives an authentication success message containing the MAC address of the current roaming terminal device from the AC and a control strategy, determines the current roaming terminal device passing through Portal authentication according to the MAC address carried in the authentication success message, and locally forwards an HTTP message of the terminal device passing through Portal authentication according to the control strategy, namely, the MAC address of the current roaming terminal device is recorded in the ACL.
In the embodiment of the invention, after the AC sends the successful authentication message containing the MAC address of the current roaming terminal equipment and the control strategy to the AP, the AC can also send a charging updating request message to the authentication server, wherein the charging updating request message carries the MAC address of the AP.
Based on the above technical solution, in the embodiment of the invention the redirection function is configured locally on the AP, and Portal authentication of the terminal device is completed in cooperation with the AC. This realizes AC-centralized Portal authentication while the AP forwards locally, and solves the problem of centralized Portal authentication of users in branch deployments where branch-office data traffic is forwarded locally (traffic does not pass through the AC). Furthermore, through information linkage between the AP and the AC, problems such as avoiding re-authentication and having the policy follow the user when the user roams across APs are solved.
The above process of the embodiment of the present invention is described in detail below with reference to specific application scenarios.
Step 1, the AP is configured in local forwarding mode on the AC, and the WEB redirection function is enabled on the AP.
Step 2, the terminal device associates with the wireless network and obtains an IP address and the IP address of a DNS (Domain Name System) server from the egress router of the enterprise branch office.
Step 3, when the terminal device accesses a website by any domain name, it sends a DNS request message to the DNS server using the IP address of the DNS server, receives the DNS response message returned by the DNS server, and sends an HTTP message to the website IP address carried in the DNS response message.
Step 4, after receiving the HTTP message from the terminal device, because the terminal device has not currently passed Portal authentication, the AP sends an HTTP 302 response message to the terminal device to trigger the terminal device to perform Portal authentication with the Portal server; that is, the AP forces the terminal device to be redirected to the Portal server for Portal authentication. The redirected URL carries the IP address of the AC, and the IP address and MAC address of the terminal device. In addition, the AP sends information such as the IP address of the terminal device and the MAC address of the AP to the AC through the CAPWAP control tunnel.
Step 5, after receiving the information such as the IP address of the terminal device and the MAC address of the AP from the AP, the AC records the correspondence among the IP address of the terminal device, the MAC address of the terminal device and the MAC address of the AP in a relation list.
Step 6, when the terminal device is redirected to the Portal server for Portal authentication, the redirected URL carries the IP address of the AC, the IP address of the terminal device and the MAC address of the terminal device.
Step 7, the Portal server returns an authentication page to the terminal device through the browser.
Step 8, the user enters the user information corresponding to the terminal device (such as user name and password) on the authentication page, and the terminal device sends the user information to the Portal server.
Step 9, the Portal server packages the user information corresponding to the terminal device and the MAC address of the terminal device into an authentication request message, and sends the authentication request message to the AC. The authentication request message carries the user information corresponding to the terminal device and the MAC address of the terminal device. Table 1 shows an example of the content carried in the authentication request message; the message carries a user MAC attribute.
TABLE 1
Step 10, the AC receives the authentication request message from the Portal server and sends the user information corresponding to the terminal device to an authentication server (such as an AAA server); the authentication server performs Portal authentication on the terminal device using that user information and returns a Portal authentication result.
Step 11, when Portal authentication of the terminal device succeeds, the AC queries the relation list by the MAC address of the terminal device to obtain the MAC address of the AP corresponding to the terminal device.
Step 12, based on the MAC address of the AP, the AC sends an authentication success message to the AP through the CAPWAP control tunnel; the authentication success message can contain information such as the IP address of the terminal device, the MAC address of the AP and a control policy. The control policy is an ACL and QoS (Quality of Service) rate-limiting policy preconfigured by the AC.
Step 13, the AP receives the authentication success message from the AC, records the MAC address of the terminal device carried in the authentication success message in the ACL, and returns an authentication success response message to the AC.
Step 14, after receiving the authentication success response message from the AP, the AC sends an authentication success message to the Portal server, and the Portal server pushes an authentication success page to the terminal device.
When the terminal equipment roams across the AP, in order to solve the problem that the roamed AP does not have the authenticated user information, in the embodiment of the invention, the processing flow of the terminal equipment roaming across the AP comprises the following steps:
step 1, when terminal equipment roams to the AP across the APs, the AP receives an association request message from the currently roamed terminal equipment and sends the association request message to the AC.
And 2, the AC receives the association request message from the AP, judges that the terminal equipment is a roaming user based on the MAC address of the currently roaming terminal equipment, finds that the terminal equipment passes Portal authentication by inquiring Portal online user information, and acquires QoS strategy information matched with the terminal equipment. In this process, the AC does not need to interact with the authentication server to relieve the authentication server of burden.
And step 3, the AC sends an authentication success message containing the address information of the terminal equipment to the AP through the CAPWAP control tunnel, and the authentication success message can also carry QoS strategy information.
And 4, the AP receives the successful authentication message, records the address information of the current roaming terminal equipment in the ACL to allow the terminal equipment to be associated with the AP, and implements a QoS speed limit strategy to the terminal equipment.
And step 5, the AP returns an instruction execution success message (namely an authentication success response message) to the AC.
And 6, the AC sends a charging updating message to the Authentication server, and the charging updating message carries the MAC address of the AP after roaming through the attribute of number 30 of RADIUS (Remote Authentication Dial In User Service), so that the Authentication server accurately positions the User access position In real time.
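The two flows above (steps 9 to 14 of the authentication flow and steps 1 to 6 of the roaming flow), modelled in memory as an added example that is not part of the patent text. All class, method and field names are hypothetical, the authentication server and CAPWAP control tunnel are replaced by direct calls, and refusing a terminal that has no relation-list entry is an assumption; RADIUS attribute 30 is named Called-Station-Id.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC taken from the redirect URL or an AP report."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AccessPoint:
    mac: str
    acl: Dict[str, dict] = field(default_factory=dict)  # terminal MAC -> control policy

    def on_auth_success(self, terminal_mac: str, policy: dict) -> bool:
        """Record the terminal in the ACL and acknowledge to the AC."""
        self.acl[normalize_mac(terminal_mac)] = policy
        return True

    def may_forward_locally(self, terminal_mac: str) -> bool:
        """Only terminals recorded in the ACL are forwarded locally."""
        return normalize_mac(terminal_mac) in self.acl


@dataclass
class AccessController:
    aaa: Callable[[str, str], bool]  # stand-in for the authentication server
    policy: dict                     # preconfigured ACL/QoS control policy
    aps: Dict[str, AccessPoint] = field(default_factory=dict)  # stand-in for CAPWAP tunnels
    relation: Dict[str, str] = field(default_factory=dict)     # terminal MAC -> AP MAC
    online: Dict[str, dict] = field(default_factory=dict)      # Portal online user info
    accounting: List[dict] = field(default_factory=list)       # charging updates sent
    aaa_calls: int = 0

    def register_ap(self, ap: AccessPoint) -> None:
        self.aps[normalize_mac(ap.mac)] = ap

    def learn_relation(self, terminal_mac: str, ap_mac: str) -> None:
        """Build the relation list from the AP report or the redirect URL."""
        self.relation[normalize_mac(terminal_mac)] = normalize_mac(ap_mac)

    def handle_auth_request(self, terminal_mac: str, user: str, password: str) -> bool:
        """Authentication flow, steps 10 to 14."""
        term = normalize_mac(terminal_mac)
        self.aaa_calls += 1
        if not self.aaa(user, password):
            return False
        ap = self.aps.get(self.relation.get(term, ""))
        if ap is None:
            return False  # assumption: no relation entry means no ACL push
        if not ap.on_auth_success(term, self.policy):
            return False
        self.online[term] = self.policy
        return True

    def handle_association(self, terminal_mac: str, ap_mac: str) -> bool:
        """Roaming flow, steps 2 to 6: no round trip to the authentication server."""
        term, ap_key = normalize_mac(terminal_mac), normalize_mac(ap_mac)
        ap, policy = self.aps.get(ap_key), self.online.get(term)
        if ap is None or policy is None:
            return False  # not an authenticated roaming user
        self.relation[term] = ap_key
        ap.on_auth_success(term, policy)
        # Charging update: RADIUS attribute 30 carries the post-roaming AP MAC.
        self.accounting.append({"terminal": term, "Called-Station-Id": ap_key})
        return True


def demo() -> dict:
    users = {"alice": "correct horse"}  # constructed sample credentials
    ac = AccessController(aaa=lambda u, p: users.get(u) == p, policy={"qos_kbps": 2048})
    ap1, ap2 = AccessPoint("02:00:00:00:01:01"), AccessPoint("02:00:00:00:01:02")
    ac.register_ap(ap1)
    ac.register_ap(ap2)
    term = "02-00-00-00-00-AA"  # constructed terminal MAC, as it might appear in a URL
    ac.learn_relation(term, ap1.mac)
    before = ap1.may_forward_locally(term)
    auth_ok = ac.handle_auth_request("0200.0000.00aa", "alice", "correct horse")
    roam_ok = ac.handle_association(term, ap2.mac)
    return {
        "forward_before_auth": before,
        "auth_ok": auth_ok,
        "forward_on_ap1": ap1.may_forward_locally(term),
        "roam_ok": roam_ok,
        "forward_on_ap2": ap2.may_forward_locally(term),
        "aaa_calls": ac.aaa_calls,
        "accounting": ac.accounting,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model normalizes every MAC before it is used as a lookup key, because the same address can arrive in different notations from the redirect URL and from the AP.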
Based on the same inventive concept as the above method, an embodiment of the present invention further provides an AP, where the AP operates in a local forwarding mode, and as shown in fig. 3, the AP specifically includes:
a sending module 11, configured to redirect a Hypertext Transfer Protocol (HTTP) message to a Portal server when the HTTP message is received from a terminal device that has not passed Portal authentication, where the redirected Uniform Resource Locator (URL) carries the MAC address of the terminal device, so that the Portal server carries the MAC address of the terminal device when initiating authentication to the access controller AC;
a receiving module 12, configured to receive an authentication success message and a control policy from the AC, where the authentication success message carries an MAC address of the terminal device, and determine, according to the MAC address, a terminal device that passes Portal authentication; the authentication success message and the control strategy are sent to the AP by the AC by using the MAC address of the AP corresponding to the MAC address of the terminal equipment; and locally forwarding the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
The sending module 11 is further configured to send, after receiving an HTTP message from a terminal device that does not pass Portal authentication, an MAC address of the terminal device and an MAC address of the AP to the AC, so that the AC establishes a correspondence between the MAC address of the terminal device and the MAC address of the AP; or the redirected URL carries the MAC address of the AP, so that the Portal server carries the MAC address of the AP when initiating authentication to the AC, and the AC establishes the corresponding relation between the MAC address of the terminal equipment and the MAC address of the AP.
The sending module 11 is further configured to receive an association request packet from a currently roaming terminal device when a terminal device roams to the AP across APs, and send the association request packet to an AC; the AC inquires the Portal authentication state of the current roaming terminal equipment according to the MAC address in the association request message;
the receiving module 12 is further configured to receive an authentication success message and a control policy from the AC, where the authentication success message includes an MAC address of the currently roaming terminal device, when the Portal authentication status of the currently roaming terminal device is that Portal authentication is successful, and determine the currently roaming terminal device that passes the Portal authentication according to the MAC address; and locally forwarding the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Based on the same inventive concept as the above method, an embodiment of the present invention further provides an access controller AC, where an access point AP operates in a local forwarding mode, as shown in fig. 4, where the AC specifically includes:
an establishing module 21, configured to establish a correspondence between a media access control MAC address of the terminal device and an MAC address of the AP; the terminal equipment is the terminal equipment which is not authenticated;
a receiving module 22, configured to receive an authentication request packet from a Portal server, where the authentication request packet carries an MAC address of a terminal device and user information corresponding to the terminal device;
the sending module 23 is configured to, when the user information is used to successfully authenticate the terminal device, query the corresponding relationship by using the MAC address of the terminal device to obtain the MAC address of the corresponding AP, send an authentication success packet including the MAC address of the terminal device and a control policy to the AP by using the MAC address of the AP, determine, by the AP, the terminal device that passes Portal authentication according to the MAC address, and locally forward, according to the control policy, the HTTP packet of the terminal device that passes Portal authentication.
The establishing module 21 is specifically configured to receive an MAC address of a terminal device from an AP and an MAC address of the AP, and establish a correspondence between the MAC address of the terminal device and the MAC address of the AP; the MAC address of the terminal equipment and the MAC address of the AP are sent by the AP after receiving a hypertext transfer protocol (HTTP) message from the terminal equipment which is not authenticated by Portal; or when the authentication request message also carries an MAC address of an AP, after receiving the authentication request message, establishing a corresponding relation between the MAC address of the terminal device carried in the authentication request message and the MAC address of the AP; and the MAC address of the AP is obtained from the URL redirected by the AP through the Portal server and is carried in the authentication request message when the AC initiates authentication.
The receiving module 21 is further configured to receive an association request message from an AP, where the association request message is sent by the AP after receiving an association request message of a terminal device roaming to the AP across the AP; the sending module 22 is further configured to query a Portal authentication status of the currently roaming terminal device according to the MAC address in the association request message, send an authentication success message including the MAC address of the currently roaming terminal device and a control policy to the AP when the Portal authentication status of the currently roaming terminal device is that Portal authentication is successful, determine, by the AP, the currently roaming terminal device that passes Portal authentication according to the MAC address, and locally forward the HTTP message of the terminal device that passes Portal authentication according to the control policy.
The sending module 22 is further configured to send a charging update request message to an authentication server after sending an authentication success message including the MAC address of the currently roaming terminal device and the control policy to the AP, where the charging update request message carries the MAC address of the AP.
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention. Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention. Those skilled in the art will appreciate that the modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, and may be correspondingly changed in one or more devices different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules. The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. The above disclosure is only for a few specific embodiments of the present invention, but the present invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.

Claims (14)

1. A method for Portal authentication, wherein an access point AP operates in a local forwarding mode, the method comprising the steps of:
when the AP receives a hypertext transfer protocol (HTTP) message from a terminal device which does not pass Portal authentication, the AP redirects the HTTP message to a Portal server, wherein the redirected Uniform Resource Locator (URL) carries an MAC address of the terminal device, so that the Portal server carries the MAC address of the terminal device when initiating authentication to an Access Controller (AC);
the AP receives an authentication success message and a control strategy from the AC, the authentication success message carries the MAC address of the terminal equipment, and the terminal equipment which passes Portal authentication is determined according to the MAC address; the authentication success message and the control strategy are sent to the AP by the AC by using the MAC address of the AP corresponding to the MAC address of the terminal equipment;
and the AP locally forwards the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
2. The method of claim 1, wherein the AP, after receiving an HTTP message from a terminal device that is not authenticated by Portal, further comprises:
the AP sends the MAC address of the terminal device and the MAC address of the AP to the AC, so that the AC establishes a corresponding relation between the MAC address of the terminal device and the MAC address of the AP;
or the AP carries the MAC address of the AP in the redirected URL, so that the Portal server carries the MAC address of the AP when initiating authentication to the AC, and the AC establishes the corresponding relation between the MAC address of the terminal equipment and the MAC address of the AP.
3. The method of claim 1, wherein the method further comprises:
when terminal equipment roams to the AP across the AP, the AP receives an association request message from the currently roamed terminal equipment and sends the association request message to the AC; the AC inquires the Portal authentication state of the current roaming terminal equipment according to the MAC address in the association request message;
when the Portal authentication state of the current roaming terminal equipment is Portal authentication success, the AP receives an authentication success message containing the MAC address of the current roaming terminal equipment from the AC and a control strategy, and determines the current roaming terminal equipment passing Portal authentication according to the MAC address;
and the AP locally forwards the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
4. A method for Portal authentication, wherein an access point AP operates in a local forwarding mode, the method comprising the steps of:
the access controller AC establishes a corresponding relation between a Media Access Control (MAC) address of the terminal equipment and an MAC address of the AP; the terminal equipment is the terminal equipment which is not authenticated;
the AC receives an authentication request message which is from a Portal server and carries an MAC address of terminal equipment and user information corresponding to the terminal equipment;
when the user information is used for successfully authenticating the terminal equipment, the AC uses the MAC address of the terminal equipment to inquire the corresponding relation to obtain the MAC address of the corresponding AP, and uses the MAC address of the AP to send an authentication success message containing the MAC address of the terminal equipment and a control strategy to the AP, the AP determines the terminal equipment passing Portal authentication according to the MAC address, and locally forwards the HTTP message of the terminal equipment passing Portal authentication according to the control strategy.
5. The method according to claim 4, wherein the process of the AC establishing the correspondence between the MAC address of the terminal device and the MAC address of the AP specifically includes:
the AC receives an MAC address of terminal equipment from an AP and an MAC address of the AP, and establishes a corresponding relation between the MAC address of the terminal equipment and the MAC address of the AP; the MAC address of the terminal equipment and the MAC address of the AP are sent after the AP receives a hypertext transfer protocol (HTTP) message from the terminal equipment which does not pass Portal authentication; or,
when the authentication request message also carries an MAC address of an AP, after the AC receives the authentication request message, establishing a corresponding relation between the MAC address of the terminal equipment carried in the authentication request message and the MAC address of the AP; and the MAC address of the AP is obtained from the URL redirected by the AP through the Portal server and is carried in the authentication request message when the AC initiates authentication.
6. The method of claim 4, wherein the method further comprises:
the AC receives an association request message from the AP, wherein the association request message is sent by the AP after receiving an association request message of terminal equipment roaming to the AP across the AP;
and the AC inquires the Portal authentication state of the current roaming terminal equipment according to the MAC address in the association request message, and sends an authentication success message containing the MAC address of the current roaming terminal equipment and a control strategy to the AP when the Portal authentication state of the current roaming terminal equipment is Portal authentication success, the AP determines the current roaming terminal equipment passing Portal authentication according to the MAC address, and locally forwards the HTTP message of the terminal equipment passing Portal authentication according to the control strategy.
7. The method of claim 6, wherein after the AC sends an authentication success message containing the MAC address of the currently roaming terminal device and a control policy to the AP, the method further comprises:
and the AC sends a charging updating request message to an authentication server, wherein the charging updating request message carries the MAC address of the AP.
8. An access point, AP, wherein the AP operates in a local forwarding mode, and the AP specifically includes:
a sending module, configured to redirect a Hypertext Transfer Protocol (HTTP) message to a Portal server when the HTTP message is received from a terminal device that has not passed Portal authentication, where the redirected Uniform Resource Locator (URL) carries the MAC (media access control) address of the terminal device, so that the Portal server carries the MAC address of the terminal device when initiating authentication to an Access Controller (AC);
the receiving module is used for receiving an authentication success message and a control strategy from the AC, wherein the authentication success message carries the MAC address of the terminal equipment, and the terminal equipment which passes Portal authentication is determined according to the MAC address; the authentication success message and the control strategy are sent to the AP by the AC by using the MAC address of the AP corresponding to the MAC address of the terminal equipment; and locally forwarding the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
9. The AP of claim 8,
the sending module is further configured to send the MAC address of the terminal device and the MAC address of the AP to the AC after receiving an HTTP message from a terminal device that does not pass Portal authentication, so that the AC establishes a correspondence between the MAC address of the terminal device and the MAC address of the AP; or the redirected URL carries the MAC address of the AP, so that the Portal server carries the MAC address of the AP when initiating authentication to the AC, and the AC establishes the corresponding relation between the MAC address of the terminal equipment and the MAC address of the AP.
10. The AP of claim 8,
the sending module is further configured to receive an association request message from a currently roaming terminal device when a terminal device roams to the AP across the APs, and send the association request message to the AC; the AC inquires the Portal authentication state of the current roaming terminal equipment according to the MAC address in the association request message;
the receiving module is further configured to receive an authentication success message and a control policy from the AC, where the authentication success message includes an MAC address of the currently roaming terminal device, when the Portal authentication status of the currently roaming terminal device is that Portal authentication is successful, and determine the currently roaming terminal device that passes the Portal authentication according to the MAC address; and locally forwarding the HTTP message of the terminal equipment which passes Portal authentication according to the control strategy.
11. An access controller, AC, wherein an access point, AP, operates in a local forwarding mode, and the AC specifically includes:
the establishing module is used for establishing the corresponding relation between the Media Access Control (MAC) address of the terminal equipment and the MAC address of the AP; the terminal equipment is the terminal equipment which is not authenticated;
a receiving module, configured to receive, from a Portal server, an authentication request message carrying the MAC address of a terminal device and user information corresponding to the terminal device;
and the sending module is used for inquiring the corresponding relation by using the MAC address of the terminal equipment when the terminal equipment is successfully authenticated by using the user information, obtaining the MAC address of the corresponding AP, sending an authentication success message containing the MAC address of the terminal equipment and a control strategy to the AP by using the MAC address of the AP, determining the terminal equipment passing Portal authentication by the AP according to the MAC address, and locally forwarding the HTTP message of the terminal equipment passing Portal authentication according to the control strategy.
12. The AC of claim 11,
the establishing module is specifically configured to receive an MAC address of a terminal device from an AP and an MAC address of the AP, and establish a correspondence between the MAC address of the terminal device and the MAC address of the AP; the MAC address of the terminal equipment and the MAC address of the AP are sent by the AP after receiving a hypertext transfer protocol (HTTP) message from the terminal equipment which is not authenticated by Portal; or when the authentication request message also carries an MAC address of an AP, after receiving the authentication request message, establishing a corresponding relation between the MAC address of the terminal device carried in the authentication request message and the MAC address of the AP; and the MAC address of the AP is obtained from the URL redirected by the AP through the Portal server and is carried in the authentication request message when the AC initiates authentication.
13. The AC of claim 11,
the receiving module is further configured to receive an association request message from an AP, where the association request message is sent by the AP after receiving an association request message of a terminal device roaming to the AP across the AP;
the sending module is further configured to query a Portal authentication state of the currently roaming terminal device according to the MAC address in the association request message, send an authentication success message including the MAC address of the currently roaming terminal device and a control policy to the AP when the Portal authentication state of the currently roaming terminal device is a Portal authentication success, determine, by the AP, the currently roaming terminal device that passes the Portal authentication according to the MAC address, and locally forward the HTTP message of the terminal device that passes the Portal authentication according to the control policy.
14. The AC of claim 13,
the sending module is further configured to send a charging update request message to an authentication server after sending an authentication success message including the MAC address of the currently roaming terminal device and the control policy to the AP, where the charging update request message carries the MAC address of the AP.
CN201510144054.XA 2015-03-30 2015-03-30 Portal authentication method and equipment Pending CN104780168A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510144054.XA CN104780168A (en) 2015-03-30 2015-03-30 Portal authentication method and equipment


Publications (1)

Publication Number Publication Date
CN104780168A true CN104780168A (en) 2015-07-15


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20150715