CN100334850C - A method for implementing access authentication of wireless local area network - Google Patents

A method for implementing access authentication of wireless local area network

Info

Publication number
CN100334850C
Authority
CN
China
Prior art keywords
client
password
message
authentication
otp
Prior art date
Legal status
Expired - Lifetime
Application number
CNB031591787A
Other languages
Chinese (zh)
Other versions
CN1595894A (en)
Inventor
赵毅
潘强
欧阳容冰
高江海
李小燕
陈殿福
林明
汪静
陈卫民
郑小春
彭文钦
谢铃
谢南
靳广亮
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB031591787A
Publication of CN1595894A
Application granted
Publication of CN100334850C
Anticipated expiration
Legal status: Expired - Lifetime (current)

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses a method for implementing wireless local area network (WLAN) access authentication, comprising the steps: a) the current WLAN user terminal, acting as the client, sends its own user identification information to the authentication server via the device side to initiate access authentication; b) the authentication server determines from the received user identification information whether a one-time password (OTP) needs to be obtained; if so, it randomly generates the OTP required for this authentication, transmits the generated password to the client and at the same time sends an access-reject message to the device side, then proceeds to step c; otherwise it performs normal access authentication and the current procedure ends; c) the client that received the password initiates the authentication procedure to the device side again and sends its username and the received password to the authentication server via the device side, completing its WLAN access authentication. The method improves the security and reliability of WLAN access authentication.

Description

A method for implementing WLAN access authentication
Technical field
The present invention relates to access authentication technology, and in particular to a one-time-password access authentication method for wireless local area networks.
Background technology
As users demand ever higher wireless access rates, wireless local area networks (WLAN, Wireless Local Area Network) have emerged. A WLAN provides high-speed wireless data access over a relatively small area; it is one of the most popular technologies in the IT industry today and currently the most widely used form of wireless access. WLAN covers several different technologies. The most widely deployed standard at present is IEEE 802.11b, which operates in the 2.4 GHz band with a maximum data rate of 11 Mbps; IEEE 802.11g and Bluetooth also use this band, and 802.11g reaches a maximum data rate of 54 Mbps. Newer technologies such as IEEE 802.11a and ETSI BRAN HiperLAN2 use the 5 GHz band and also reach a maximum rate of 54 Mbps.
Current WLAN networks mainly use the 802.1X family of protocols. IEEE 802.1X is the port-based network access control protocol formally approved by the Institute of Electrical and Electronics Engineers (IEEE) standards body in June 2001. It defines port-based network access control, where a port may be either a physical port or a logical port.
The IEEE 802.1X architecture is shown in Fig. 1. An 802.1X system has three entities: the supplicant system (client), the authenticator system (device side) and the authentication server system. The client contains a client port access entity (PAE); the device side contains the services it provides and a device-side PAE; the authentication server system contains the authentication server. The authentication server connects to the device-side PAE, and authentication information is exchanged between the device side and the authentication server using the Extensible Authentication Protocol (EAP). The client PAE connects directly to the local area network (LAN); the device side's services and PAE connect to the LAN through a controlled port (Controlled Port) and an uncontrolled port respectively; and the client and device side communicate using the authentication protocol between client and device side, EAP over LAN (EAPoL). The controlled port controls access to network resources and services.
As shown in Fig. 1, the device-side system contains a controlled port (Controlled Port) and an uncontrolled port (Uncontrolled Port). The uncontrolled port is always in a bidirectionally connected state; it is used mainly to carry EAPoL protocol frames, guaranteeing that EAPoL frames can be received and sent at any time. The controlled port is opened only after authentication has succeeded, i.e. in the authorized state, and is used to carry network resources and services; while authentication has not succeeded, the controlled port is an unauthorized port. The controlled port may be configured as bidirectionally controlled or input-only controlled, to suit different application environments.
Based on the structure of Fig. 1, the basic IEEE 802.1X authentication procedure, shown in Fig. 2, comprises the following steps:
Step 201: When a user logs in to the network, the client, after receiving the user's login information, sends an authentication start message EAPoL-Start to the device side to trigger the authentication procedure. Here, if the client's address is allocated dynamically, the authentication start message may also be a DHCP request message; if the client's address is configured manually, it may also be an ARP request message.
Steps 202 to 203: After the device side receives the EAPoL-Start message from the client, it sends the client a request-username message EAP-Request[Identity]. On receiving it, the client sends its username to the device side in a response-username message EAP-Response[Identity].
Step 204: After the device side receives the client's EAP-Response[Identity] message, it forwards the username to the authentication server in an access request message Access-Request(EAP-Response[Identity]).
Step 205: After the authentication server receives the access request message, it sends the device side a request-password message EAP-Request[MD5 Challenge], carried in the password request message Access-Challenge(EAP-Request[MD5 Challenge]), to be forwarded to the client as an MD5 challenge.
Steps 206 to 208: After the device side receives the EAP-Request[MD5 Challenge] message from the authentication server, it forwards EAP-Request[MD5 Challenge] to the client. On receiving it, the client sends the password to the device side in the response-password message EAP-Response[MD5 Challenge]; the device side then forwards it to the authentication server in an Access-Request(EAP-Response[MD5 Challenge]) message.
Steps 209 to 210: The authentication server authenticates the user from the received message and sends the result to the device side in an Access-Accept or Access-Reject message. The device side then forwards the result to the client in an EAP-Success or EAP-Failure message, notifying the user that authentication succeeded or failed.
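The MD5 challenge exchanged in steps 205 to 210 is the CHAP-style computation defined for EAP-MD5 (RFC 3748 section 5.4, RFC 1994): the response is MD5 over the one-octet EAP Identifier, the shared password and the challenge. The Python below is an added example written for this page, not code from the patent or from Huawei; the packet builder and parser, the function names, and the sample password and challenge are assumptions for illustration. It also shows the weakness that the following paragraphs use to motivate one-time passwords: a single captured Request/Response pair lets an eavesdropper test candidate passwords offline, so a fixed password reused across sessions is exposed.

```python
import hashlib
import hmac


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: MD5(Identifier || password || challenge), RFC 3748 s.5.4 / RFC 1994."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(identifier: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Authentication server side: recompute from the stored password, compare in constant time."""
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def build_eap_md5_request(identifier: int, challenge: bytes, name: bytes = b"") -> bytes:
    """Encode EAP-Request/MD5-Challenge: Code=1, Identifier, Length, Type=4, Value-Size, Value, Name."""
    data = bytes([4, len(challenge)]) + challenge + name
    length = 4 + len(data)
    return bytes([1, identifier]) + length.to_bytes(2, "big") + data


def parse_eap_md5_request(packet: bytes):
    """Decode the packet above into (identifier, challenge, name); reject anything else."""
    if len(packet) < 6:
        raise ValueError("truncated EAP packet")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if code != 1 or length != len(packet) or packet[4] != 4:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    value_size = packet[5]
    if 6 + value_size > len(packet):
        raise ValueError("Value-Size exceeds packet")
    return identifier, packet[6:6 + value_size], packet[6 + value_size:]


def offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """Why a fixed password is weak here: whoever captured one (challenge, response)
    pair on the air can test guesses offline with no further interaction."""
    for candidate in candidates:
        if md5_challenge_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    challenge = bytes(range(16))                  # constructed; a real AS draws this at random
    pkt = build_eap_md5_request(7, challenge, b"AS1")
    ident, chal, _ = parse_eap_md5_request(pkt)
    resp = md5_challenge_response(ident, b"prepaid-card-pw", chal)
    print(server_verify(ident, b"prepaid-card-pw", chal, resp))
    print(offline_guess(ident, chal, resp, [b"123456", b"password", b"prepaid-card-pw"]))
```

Note that EAP-MD5 gives the client no way to authenticate the server, and the computation above is only as strong as the secret: with the fixed username/password mode described next, the captured pair stays useful to an attacker for as long as the password is in use.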
In the prior art, from the perspective of how the personal terminal operates, WLAN has two main access authentication modes: EAP-SIM based authentication and username/password based authentication. EAP-SIM uses the subscriber identity module (SIM) card and achieves unified authentication and accounting through IEEE 802.1X access. The username/password mode is further divided into two: fixed username/password, and one-time password (OTP, One Time Password), where OTP means that a different password is used for each access authentication.
Usually, WLAN access authentication uses the fixed username/password mode: the user obtains a fixed username/password by subscribing with the operator or by buying a prepaid card, and then performs 802.1X client access authentication with it. In this mode the user uses the same username/password for every session over a period of time, so the password is easily stolen and security is reduced.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for implementing WLAN access authentication that improves the security and reliability of WLAN access authentication.
To achieve the above object, the technical solution of the present invention is as follows:
A method for implementing WLAN access authentication, comprising the following steps:
a. The current WLAN user terminal, acting as the client, sends its own user identification information to the authentication server via the device side to initiate access authentication;
b. The authentication server determines from the received user identification information whether a one-time password (OTP) needs to be obtained; if so, the authentication server randomly generates the OTP required for this authentication, transmits the generated password to the client and at the same time sends an access-reject message to the device side, then proceeds to step c; otherwise it performs normal access authentication and the current procedure ends;
c. The client that received the password initiates the authentication procedure to the device side again, and sends its own username and the received password to the authentication server via the device side, completing its WLAN access authentication.
In the above scheme, the current WLAN user terminal, acting as the client, initiates access authentication in 802.1X mode;
step a is then: the current WLAN user terminal, as the client, sends an authentication start message to the device side; the device side, after receiving it, requests the username from the client; the client returns to the device side a response message carrying a user identification field; the device side, after receiving it, forwards this response message to the authentication server;
step b is: the authentication server parses the received response message and determines from the parsed user identification field whether an OTP needs to be obtained; if so, the authentication server randomly generates the OTP required for this authentication, transmits the generated password to the client and at the same time sends an access-reject message to the device side, then proceeds to step c; otherwise it performs normal 802.1X authentication and the current procedure ends;
step c is: the client that received the password sends the authentication start message to the device side again to initiate the 802.1X authentication procedure anew, and sends its own username and the received password to the authentication server via the device side, completing its WLAN access authentication.
In the above scheme, the current WLAN user terminal, acting as the client, may instead initiate access authentication with PPP over Ethernet (PPPoE); step a is then: the current WLAN user terminal, as the client, first discovers a currently available device side through the PPPoE discovery-stage message exchange, and then sends its own user identification information to the authentication server via the discovered device side.
When authenticating based on 802.1X, the response message the client sends to the device side in step a is a response message indicating that an OTP needs to be obtained. Specifically, in step a the client sends the device side a response message whose user identification field is username@OTP, and the determination in step b is then: the authentication server checks whether the parsed domain-name part is OTP; if so, an OTP needs to be obtained; otherwise no OTP is needed and normal 802.1X authentication is performed.
When authenticating based on 802.1X, step b further comprises: before generating the OTP, the authentication server first uses the username in the received response message to obtain the current client's subscription information from the home location register, and determines from that subscription information whether the current client has the WLAN service right; if so, it randomly generates the OTP required for this authentication; otherwise it returns an access-reject message to the device side.
In the above scheme, transmitting the generated password to the client in step b is: the authentication server sends the generated password by short message to the mobile-phone subscriber corresponding to the current client. Sending by short message further comprises: the authentication server packages the generated password into a short message using the Short Message Peer-to-Peer protocol and submits it to the short message service centre, which then sends the short message containing the password to the mobile-phone subscriber corresponding to the current client. Accordingly, the method further comprises: after the short message service centre receives the short message containing the password, it returns to the authentication server a response message indicating that the short message was received successfully.
In the above scheme, randomly generating the OTP in step b is: the authentication server parses the username from the received user identification information and randomly generates the OTP required for this authentication according to the parsed username. Here the username is the Mobile Station International ISDN (Integrated Services Digital Network) number (MSISDN) of the current WLAN user terminal.
In the above scheme, the access-reject message in step b carries the reason for this failure. The failure reason is carried in the access-reject message in the form: [OTP] Error code=<value corresponding to the failure reason>; Message=<meaning of the failure reason value>. After the device side receives the access-reject message carrying the failure reason in step b, it sends the client a corresponding failure-reason prompt according to the specific failure reason.
The method further comprises: setting a validity period for each generated OTP. The client that received the password in step c may then send an access authentication request to the device side at any time within the validity period of that password, triggering the access authentication procedure.
The method further comprises: establishing in advance a virtual connection between the authentication server and the short message service centre.
Therefore, the method for implementing WLAN access authentication provided by the present invention combines OTP with WLAN: in the WLAN networking mode it controls user access with OTP authentication, carries out the whole process of obtaining the OTP password and authenticating with it through IEEE 802.1X, guarantees that a password is valid only within a certain period, and uses a different password for every session, thereby reducing the possibility of password theft. This gives WLAN access authentication an authentication mode of high security and reliability that is convenient and easy to use, and protects users' interests more effectively.
In addition, the one-time-password implementation is not only flexible and easy to realize; it also remedies the defect that 802.1X could previously authenticate only with a fixed username/password, enriching the means of WLAN access authentication. Furthermore, realizing OTP through IEEE 802.1X access makes full use of the advantages and high security of IEEE 802.1X port-based authentication, and is highly practical.
Description of drawings
Fig. 1 is a schematic diagram of the IEEE 802.1X architecture;
Fig. 2 is a flow chart of 802.1X access authentication;
Fig. 3 is a schematic diagram of the WLAN networking structure of one embodiment of OTP access authentication according to the present invention;
Fig. 4 is a flow chart of 802.1X-based OTP access authentication according to the present invention.
Embodiment
The core idea of the present invention is: when WLAN access authentication is realized in OTP mode, the 802.1X access procedure is first used to obtain the one-time password required for this authentication; the obtained password is then used to carry out the real 802.1X authentication procedure, completing WLAN access authentication. In other words, the present invention realizes the whole process of obtaining the OTP password and performing access authentication through two 802.1X access procedures. Each one-time password is generated randomly by the authentication server.
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 3 is a schematic diagram of the networking structure of one embodiment in which WLAN access authentication is realized in OTP mode. As shown in Fig. 3, the access point (AP) is the micro wireless base station in the WLAN service network, providing the wireless access function of the 802.11b family of standards; the access controller (AC) controls user access to the WLAN; the authentication server (AS) authenticates users; the short message service centre (SMSC) delivers the OTP password to the user by short message; the home location register (HLR) stores subscriber information; the charging gateway (CG) generates charging records from the communication information it receives; and the billing centre (BOSS) bills the user, mainly by receiving and recording the user billing information transmitted by the network and performing statistics and control on it; the user billing information may include the online charge information of online users.
Usually, in a WLAN, the WLAN user terminal accesses the WLAN through the AP it currently belongs to and performs access authentication with the AS via the AC; after authentication succeeds it can communicate in the WLAN. For 802.1X access authentication, the WLAN user terminal is the client, the AC is equivalent to the device side, and the AS is equivalent to the authentication server.
The present invention first uses the step of the 802.1X authentication procedure in which the WLAN user terminal (STA) answers the username request by sending its username to the AC, using a special format to notify the AC that a one-time password is to be obtained. The AS randomly generates the one-time password for the current user terminal and notifies the WLAN user who initiated the access authentication of the generated password by a secure means, for example by short message; at the same time the AS ends this authentication procedure by sending an access-reject message. After receiving the one-time password, the user initiates the 802.1X authentication procedure again and completes WLAN access authentication.
Based on the network structure of Fig. 3, the specific implementation of the present invention is described taking delivery of the one-time password to the WLAN user by short message as the example. Because this embodiment delivers the one-time password by short message, after the AS starts up normally it must first establish a transmit virtual connection with the SMSC: the AS sends a transmitter bind message bind_transmitter to the SMSC, requesting that the transmit virtual connection between the AS and the SMSC be established; after the SMSC receives it, it returns a bind response message bind_transmitter_resp to the AS, indicating that the virtual connection has been established successfully.
As shown in Fig. 4, realizing WLAN access authentication in OTP mode in this embodiment specifically comprises:
Steps 401 to 403: Similar to steps 201 to 203 of the prior art, except that when the user logs in, MSISDN@OTP is entered on the client and EAPoL-Start is sent through the AP to the AC to initiate the authentication procedure; then, after receiving the request-username message sent by the AC, the client sends MSISDN@OTP to the AC in the username response message.
Here, MSISDN@OTP is the user identification field, i.e. the user identification information; it has two parts, a username and a domain name, where MSISDN is the username part and OTP is the domain-name part. The client uses OTP as the domain name to indicate that a one-time password is to be obtained; the authentication system may of course define another special domain name for this purpose. The authentication system may also indicate that a one-time password is to be obtained in other ways, for example by extending message attributes or fields, or by adding a field that indicates password retrieval.
Step 404: After the AC receives the user's EAP-Response[Identity] message, it encapsulates the EAP-Response[Identity] message and sends it to the AS, i.e. it sends an access request message Access-Request to the AS.
Here, assuming that the device side AC and the authentication server AS communicate using the EAPoR (EAP over RADIUS) protocol, the AC encapsulates the EAP-Response[Identity] message in a Remote Authentication Dial In User Service (RADIUS) message and sends it to the AS in EAPoR message form.
Steps 405 to 406: After the AS receives the access request message, it parses the user identification field in the message and determines from the domain-name part after the "@" whether this is the OTP password-retrieval procedure. If the part after "@" is "OTP", the current procedure is OTP password retrieval; otherwise it is a normal 802.1X authentication procedure, and authentication is completed by the prior-art processing.
If it is the OTP password-retrieval procedure, the AS may directly generate the one-time password as required, in which case it proceeds directly to step 407. Alternatively, the AS first checks the WLAN service right before deciding whether to generate the one-time password: in this case the AS first sends the HLR a request for the user's International Mobile Subscriber Identity (IMSI) according to the MSISDN in the user identification field; after obtaining the IMSI it sends the HLR a request for the user's subscription data, obtaining the user's subscription information in order to check the user's WLAN service attribute and thus decide whether the user is entitled to the OTP service. If the current user terminal does not have the WLAN service right, the AS sends an access-reject message to the AC, the AC sends an access-failure message to the current user terminal, and this access authentication procedure ends.
Steps 407 to 408: The AS randomly generates the one-time password Key according to the user's parsed MSISDN; it then packages the generated password Key into short-message form using the Short Message Peer-to-Peer protocol (SMPP) and sends it to the SMSC in a submit short message message Submit_SM. After the SMSC receives it, it sends the AS a submit response message Submit_SM_resp, answering Submit_SM and indicating that the short message was received successfully; afterwards the SMSC delivers the password Key generated by the AS to the current user's mobile phone by short message.
In this step the AS need not generate the one-time password according to the user's MSISDN; it may use any password generation algorithm, for example deriving an encryption key from a random number and a random seed with an existing cryptographic algorithm and using that key as the one-time password. The AS may also package the short message by another protocol and submit it to the SMSC, for example using Signalling System No. 7.
Steps 409 to 410: After the AS has successfully delivered the password to the short message service centre, it sends the AC an access-reject message Access-Reject, which may carry the reason for this failure.
To deliver the failure-reason value, the Reply-Message attribute of the standard RADIUS message may be extended, defining a series of failure reasons in the format "[OTP] Error code=<code>; Message=<string>", where Error code is the value corresponding to the failure reason and Message is the meaning of that value, i.e. which kind of failure it denotes. The AC can output different prompts to the user according to the code value.
After receiving the Access-Reject message sent by the AS, the AC parses the specific failure reason and notifies the user. In this embodiment, after receiving the Access-Reject message from the AS, the AC extracts the failure message EAP-Failure from it and sends it to the client; at the same time, according to the failure reason, the AC may prompt the user "the password has been sent by short message".
Steps 401 to 410 above are the OTP password-retrieval procedure, shown inside the dashed box in Fig. 4. After obtaining the password, the current user terminal can use it to perform access authentication, i.e. steps 411 to 422. The user terminal may perform access authentication immediately after obtaining the password, or only after some interval; a validity period can therefore be set for each one-time password. The value of the validity period may be set dynamically or preset as a default value; for example, if the default validity period is half an hour, the current user terminal may use the obtained one-time password to initiate 802.1X authentication at any time within half an hour.
Step 411: After obtaining the one-time password, the user enters MSISDN@Simple and the password obtained from the mobile phone on the client, and initiates a new 802.1X access authentication procedure with an EAPoL-Start message. Simple is used as the domain name to distinguish this from the password-retrieval procedure and to indicate a normal authentication procedure; in practice this domain name can be set arbitrarily according to the operator's needs.
Steps 412 to 414: After the AC receives the authentication start message EAPoL-Start, it sends the client EAP-Request[Identity], requesting the client's username (Identity); the client answers the AC's request with EAP-Response[Identity], sending MSISDN@Simple to the AC; after the AC receives it, it encapsulates the EAP-Response[Identity] message in a RADIUS message and sends it to the AS in EAPoR message form.
Steps 415 to 417: The AS sends the AC the password request message Access-Challenge(EAP-Request[MD5 Challenge]), requesting password authentication; after receiving the password request message, the AC extracts the EAP-Request[MD5 Challenge] message and sends it to the client, requesting MD5 authentication; after receiving EAP-Request[MD5 Challenge], the client hashes the password the user entered, i.e. the one-time password Key used this time, with the MD5 algorithm, and returns the result to the AC in the password response message EAP-Response[MD5 Challenge].
Steps 418 to 420: After the AC receives the client's response, it encapsulates the EAP-Response[MD5 Challenge] message in a RADIUS request message and sends it to the AS as the response to Access-Challenge(EAP-Request[MD5 Challenge]). After the AS receives the Access-Request(EAP-Response[MD5 Challenge]) message, it applies the same MD5 algorithm to the one-time password Key it generated earlier for the current user terminal and checks whether the result equals the value parsed from the message; if they are equal, the AS sends the authentication success message Access-Accept to the AC; otherwise it sends the authentication reject message Access-Reject.
If the AC receives the Access-Accept message, it sends the client the authentication success message EAP-Success, indicating that access authentication succeeded; otherwise it sends the client the authentication failure message EAP-Failure, indicating that access authentication failed.
Steps 421 to 422: After access succeeds, the client performs DHCP and charging begins.
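The two 802.1X passes of steps 401 to 422, together with the extended Reply-Message format of steps 409 to 410, reduce to the authentication server's decision logic. The Python below is an added example written for this page, not code from the patent or from Huawei: it dispatches on the realm after "@" (OTP to issue a password, Simple to authenticate with it), checks a constructed stand-in for the HLR subscription lookup, issues a random OTP with the half-hour validity period named above, hands it to a stand-in for the SMSC submit, returns an Access-Reject whose Reply-Message follows the "[OTP] Error code=<code>; Message=<string>" format, parses that Reply-Message the way the AC would, and on the second pass verifies the EAP-MD5 response against the stored OTP. The OTP length, the error-code values, the class and function names, the MSISDNs and the SMS text are assumptions; the patent fixes none of them. The example goes one step beyond the text in consuming the OTP on first successful use, so that a replay within the validity period is rejected.

```python
import hashlib
import hmac
import re
import secrets
import string
import time

OTP_REALM = "OTP"        # "MSISDN@OTP": first pass, ask for a one-time password
AUTH_REALM = "Simple"    # "MSISDN@Simple": second pass, authenticate with it
OTP_VALIDITY = 30 * 60   # the half-hour default validity period named in the text
OTP_LENGTH = 6           # assumption: the patent does not fix the OTP length

# Assumed error-code values; the patent only defines the Reply-Message format.
ERR_OTP_SENT = 0
ERR_NO_WLAN_RIGHT = 1
ERR_UNKNOWN_REALM = 2
REPLY_MESSAGE_RE = re.compile(r"^\[OTP\] Error code=(?P<code>\d+); Message=(?P<msg>.*)$")

# Constructed stand-in for the HLR subscription lookup: MSISDN -> has WLAN service right.
HLR = {"8613912345678": True, "8613987654321": False}


def reply_message(code: int, message: str) -> str:
    """AS side: format the extended RADIUS Reply-Message attribute."""
    return f"[OTP] Error code={code}; Message={message}"


def parse_reply_message(text: str):
    """AC side: recover (code, message) from an Access-Reject, or None if not in this format."""
    m = REPLY_MESSAGE_RE.match(text)
    return (int(m["code"]), m["msg"]) if m else None


def md5_challenge(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class AuthServer:
    def __init__(self, sms_submit, clock=time.time):
        self.sms_submit = sms_submit  # stands in for SMPP Submit_SM towards the SMSC
        self.clock = clock
        self.otps = {}                # msisdn -> (otp, expiry)
        self.challenges = {}          # msisdn -> outstanding MD5 challenge

    def on_identity(self, identity: str):
        """Access-Request(EAP-Response[Identity]): dispatch on the realm after '@'."""
        msisdn, _, realm = identity.rpartition("@")
        if realm == OTP_REALM:
            if not HLR.get(msisdn, False):
                return "Access-Reject", reply_message(ERR_NO_WLAN_RIGHT, "No WLAN service right")
            otp = "".join(secrets.choice(string.digits) for _ in range(OTP_LENGTH))
            self.otps[msisdn] = (otp, self.clock() + OTP_VALIDITY)
            self.sms_submit(msisdn, f"WLAN password: {otp}")
            return "Access-Reject", reply_message(ERR_OTP_SENT, "Password sent by SMS")
        if realm == AUTH_REALM:
            challenge = secrets.token_bytes(16)
            self.challenges[msisdn] = challenge
            return "Access-Challenge", challenge
        return "Access-Reject", reply_message(ERR_UNKNOWN_REALM, "Unknown realm")

    def on_md5_response(self, identity: str, identifier: int, response: bytes) -> str:
        """Access-Request(EAP-Response[MD5 Challenge]): verify against the stored OTP."""
        msisdn = identity.rpartition("@")[0]
        challenge = self.challenges.pop(msisdn, None)
        entry = self.otps.get(msisdn)
        if challenge is None or entry is None:
            return "Access-Reject"
        otp, expires = entry
        if self.clock() > expires:
            del self.otps[msisdn]  # validity period elapsed
            return "Access-Reject"
        if not hmac.compare_digest(md5_challenge(identifier, otp, challenge), response):
            return "Access-Reject"
        del self.otps[msisdn]      # one-time: consumed on first successful use (added choice)
        return "Access-Accept"


def run_flow(msisdn: str, start: float, delay: float = 0.0):
    """Drive both passes for one subscriber against an in-memory AS.

    Returns (parsed Reply-Message of the first pass, list of second-pass verdicts);
    the second pass is attempted twice so that the replay of a used OTP is visible."""
    inbox, now = {}, [start]
    srv = AuthServer(lambda num, text: inbox.__setitem__(num, text), clock=lambda: now[0])
    code, reply = srv.on_identity(f"{msisdn}@{OTP_REALM}")
    info = parse_reply_message(reply)
    if code != "Access-Reject" or info is None or info[0] != ERR_OTP_SENT:
        return info, []
    otp = inbox[msisdn].rsplit(" ", 1)[1]   # the user reads the OTP off the phone
    now[0] += delay                          # time between retrieval and authentication
    verdicts = []
    for _ in range(2):
        _, challenge = srv.on_identity(f"{msisdn}@{AUTH_REALM}")
        resp = md5_challenge(1, otp, challenge)
        verdicts.append(srv.on_md5_response(f"{msisdn}@{AUTH_REALM}", 1, resp))
    return info, verdicts


if __name__ == "__main__":
    print(run_flow("8613912345678", time.time()))
    print(run_flow("8613912345678", time.time(), delay=OTP_VALIDITY + 1))
    print(run_flow("8613987654321", time.time()))
```

run_flow exercises the three outcomes a tester would want to see: a subscriber with the WLAN right is accepted once and rejected on replay, the same subscriber is rejected when the validity period has elapsed, and a subscriber without the right gets the failure code in the Reply-Message and never reaches the second pass. A real AS would carry the same decisions over RADIUS and SMPP rather than through in-memory calls.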
Of course, a WLAN can also realize OTP access authentication through PPP over Ethernet. In this mode the current user terminal acts as a PPPoE client; the user applies for a password by entering a mobile number, the authentication server sends the generated password by short message to the applying user's mobile phone, and the user who has obtained the password then performs access authentication by entering the password obtained from the phone. Specifically, PPPoE access goes through two stages, the discovery stage and the session stage. The discovery stage has four steps, which are in fact the exchange of PPPoE's four kinds of data messages; after these four steps the user host and the device side both know each other's MAC address and a unique session ID, and enter the session stage. The session stage is a typical PPP process: during link negotiation the authentication mode is first negotiated with the device side, for example PAP or CHAP; the device side then delivers the user's identification information, such as MSISDN@domain, to the authentication server in RADIUS messages, realizing the whole process.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection.

Claims (17)

1. A method for implementing WLAN access authentication, characterized in that the method comprises the following steps:
a. The current WLAN user terminal, acting as the client, sends its own user identification information to the authentication server via the device side to initiate access authentication;
b. The authentication server determines from the received user identification information whether a one-time password (OTP) needs to be obtained; if so, the authentication server randomly generates the OTP required for this authentication, transmits the generated password to the client and at the same time sends an access-reject message to the device side, then proceeds to step c; otherwise it performs normal access authentication and the current procedure ends;
c. The client that received the password initiates the authentication procedure to the device side again, and sends its own username and the received password to the authentication server via the device side, completing its WLAN access authentication.
2, method according to claim 1 is characterized in that, previous WLAN user terminal acts is initiated access authentication as client in the 802.1X mode;
Then step a is: previous WLAN user terminal acts sends the authentication start message as client to equipment end, equipment end receives that the back is to the client-requested user name, client is returned the response message that carries user identification field to equipment end, after equipment end is received, this response message is passed through certificate server;
Step b is: certificate server is resolved the response message of being received, and judge whether that according to the user identification field that parses needs obtain OTP, if, then certificate server generates the required OTP of this authentication at random, give client with the password transmission that is generated then, send refusal to equipment end simultaneously and insert message, execution in step c; Otherwise, carry out normal 802.1X authentication, finish current flow process;
Step c is: the client of receiving password sends the authentication start message to equipment end once more, again initiate the 802.1X identifying procedure, this client of receiving password sends to certificate server with its own user name and the password of being received by equipment end, finishes the self radio local area network access authentication.
3, method according to claim 1 is characterized in that, previous WLAN user terminal acts is initiated access authentication as client with PPP over Ethernet;
Then step a is: previous WLAN user terminal acts is as client, finds that by PPPoE the stage message interaction finds current available equipment end earlier, and the available devices end that self user totem information is passed through to be found sends to certificate server again.
4, method according to claim 2 is characterized in that, client described in the step a sends response message to equipment end and is: client sends the response message that expression need be obtained OTP to equipment end.
5, method according to claim 4, it is characterized in that, client is the response message of user identification field to the equipment end transmission with Yong Huming @OTP among the step a, then be judged as described in the step b: certificate server judges whether the domain name part that parses is OTP, if then need to obtain OTP; Otherwise, do not need to obtain OTP, carry out normal 802.1X authentication.
6, method according to claim 2, it is characterized in that, step b further comprises: certificate server is before generating OTP, earlier according to the username information in the receiving response message, from attaching position register, obtain the CAMEL-Subscription-Information of active client, and judge according to the CAMEL-Subscription-Information that is obtained whether active client has the WLAN service authority, if having, generate the required OTP of this authentication more at random; Otherwise, return refusal to equipment end and insert message.
7, method according to claim 1 and 2 is characterized in that, will generate password transmission described in the step b to client to be: certificate server sends to the password that is generated the cellphone subscriber of active client correspondence with short message way.
8, method according to claim 7, it is characterized in that, the described transmission with short message way further comprises: certificate server is packaged into short message with the password that is generated by Short Message Peer to Peer, submit to SMS service center, the short message that will contain password by SMS service center sends to the cellphone subscriber of active client correspondence again.
9, method according to claim 8 is characterized in that, this method further comprises: after SMS service center is received the short message that contains password, represent successfully to receive the response message of short message to the certificate server loopback.
10, method according to claim 1 and 2 is characterized in that, the described OTP that generates at random of step b is: certificate server parses user name according to the user totem information of being received; Certificate server generates the required OTP of this authentication at random according to the user name that parses.
11, method according to claim 10 is characterized in that, the international integrated services digital network ISDN number of the travelling carriage of described user previous WLAN user terminal acts by name.
12, method according to claim 1 and 2 is characterized in that, the refusal described in the step b inserts the reason that carries this failure in the message.
13, method according to claim 12 is characterized in that, the form that carries that described refusal inserts failure cause in the message is: the value of [OTP] Error code=failure cause correspondence; The implication of Message=failure reason value.
14, method according to claim 12 is characterized in that, after equipment end receives that the refusal that carries failure cause inserts message among the step b, sends the failure reason prompt of response to client according to concrete failure cause.
15, method according to claim 1 and 2 is characterized in that, this method further comprises: use the term of validity for the OTP of each generation is provided with one.
16, method according to claim 15 is characterized in that, receives among the step c that the client of password sends the access authentication request to equipment end at any time in the use term of validity of this password correspondence, triggers the access authentication flow process.
17, method according to claim 1 and 2 is characterized in that, this method further comprises: the virtual connections of setting up certificate server and SMS service center in advance.
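The flow of claims 1 to 6 and 12 to 16, written out as an added example in Python. This is illustrative code, not Huawei's implementation and not from the patent: the HLR lookup, the SMSC delivery over SMPP and the device end are replaced by in-memory stand-ins, and the reason codes, the six-digit OTP length, the 300-second validity period and the three-guess limit are assumptions, since the patent fixes only the carrier format of claim 13 and states that a validity period exists. Two checks the claims leave implicit are included because a practitioner would insist on them: the OTP is accepted once only, and a bounded number of wrong guesses burns it, since a six-digit code that can be retried freely for its whole validity period is brute-forceable through the device end.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OTP_DOMAIN = "OTP"           # claim 5: domain part "OTP" asks the server for an OTP
OTP_DIGITS = 6               # assumption: the patent does not fix the OTP length
OTP_VALIDITY_SECONDS = 300   # claim 15: per-OTP validity period (value assumed)
MAX_ATTEMPTS = 3             # assumption: guess limit, not in the patent, needed against brute force

# Assumed reason table; claim 13 fixes only the carrier format of the reject message.
REASONS: Dict[int, str] = {
    1: "OTP generated and sent to your mobile phone; re-authenticate with it",
    2: "subscriber has no WLAN service authority",
    3: "OTP missing, wrong, expired or already used",
}


def format_reject(code: int) -> str:
    """Failure reason in the format of claim 13."""
    return f"[OTP] Error code={code}; Message={REASONS[code]}"


def parse_reject(reason: str) -> Tuple[int, str]:
    """Device end (claim 14): split the reason into code and message for the client prompt."""
    prefix = "[OTP] Error code="
    if not reason.startswith(prefix):
        raise ValueError("not an OTP failure reason")
    code, sep, message = reason[len(prefix):].partition("; Message=")
    if not sep or not code.isdigit():
        raise ValueError("malformed OTP failure reason")
    return int(code), message


@dataclass
class OtpRecord:
    otp: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class AuthServer:
    hlr: Dict[str, bool]                                              # MSISDN -> WLAN authority (HLR stand-in, claim 6)
    static_passwords: Dict[str, str] = field(default_factory=dict)    # normal (non-OTP) credentials
    clock: Callable[[], float] = time.time                            # injectable so expiry can be tested
    sent_sms: List[Tuple[str, str]] = field(default_factory=list)     # SMSC/SMPP stand-in (claims 7-8)
    otps: Dict[str, OtpRecord] = field(default_factory=dict)

    @staticmethod
    def parse_identity(identity: str) -> Tuple[str, Optional[str]]:
        """Split 'username@domain'; a bare username has no domain."""
        username, sep, domain = identity.rpartition("@")
        return (identity, None) if not sep else (username, domain)

    def handle(self, identity: str, password: Optional[str] = None) -> Tuple[bool, str]:
        """One access request: returns (accepted, reason); reason is '' on accept."""
        username, domain = self.parse_identity(identity)
        if domain == OTP_DOMAIN:                  # step b: first request, OTP wanted
            return False, self._issue_otp(username)
        record = self.otps.get(username)
        if record is not None:                    # step c: second request carrying the OTP
            return self._verify_otp(username, record, password)
        expected = self.static_passwords.get(username)   # otherwise: normal authentication
        if expected is not None and password is not None and hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            return True, ""
        return False, format_reject(3)

    def _issue_otp(self, msisdn: str) -> str:
        if not self.hlr.get(msisdn, False):       # claim 6: no WLAN service -> reject
            return format_reject(2)
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # CSPRNG, uniform
        self.otps[msisdn] = OtpRecord(otp, self.clock() + OTP_VALIDITY_SECONDS)
        self.sent_sms.append((msisdn, f"WLAN password: {otp}"))        # "sent" via SMSC stand-in
        return format_reject(1)                   # access reject whose reason tells the client to retry

    def _verify_otp(self, username: str, record: OtpRecord, password: Optional[str]) -> Tuple[bool, str]:
        fresh = (self.clock() <= record.expires_at and not record.used
                 and record.attempts < MAX_ATTEMPTS)
        if password is not None and fresh and hmac.compare_digest(record.otp.encode(), password.encode()):
            record.used = True                    # one-time: replaying the same OTP is refused
            return True, ""
        record.attempts += 1
        if not fresh or record.attempts >= MAX_ATTEMPTS:
            del self.otps[username]               # stale or exhausted: client must request a new OTP
        return False, format_reject(3)


if __name__ == "__main__":
    # Constructed walk-through of steps a to c with a fake HLR entry.
    server = AuthServer(hlr={"8613800000000": True})
    print(server.handle("8613800000000@OTP"))                # (False, '[OTP] Error code=1; ...')
    print(server.handle("8613800000000", server.sent_sms[-1][1].split()[-1]))   # (True, '')
```

With the PAP option mentioned in the description the OTP travels in clear text between client and device end; single use and the short validity period limit what an eavesdropper gains from it, but CHAP, which the description also allows, keeps the password itself off the link.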
CNB031591787A 2003-09-10 2003-09-10 A method for implementing access authentication of wireless local area network Expired - Lifetime CN100334850C (en)

Publications (2)

Publication Number Publication Date
CN1595894A CN1595894A (en) 2005-03-16
CN100334850C true CN100334850C (en) 2007-08-29

Family

ID=34660600

Country Status (1)

Country Link
CN (1) CN100334850C (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100428853C (en) 2005-10-19 2008-10-22 华为技术有限公司 Method for controlling access-in base station of subscriber station under multi-base-station environment
CN1805441B (en) * 2005-11-23 2011-01-05 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
CN101150390B (en) * 2006-09-22 2013-05-08 周卫 Fingerprint communication method and system based on trust detection
CN101237325B (en) * 2008-03-12 2010-10-27 杭州华三通信技术有限公司 Ethernet access authentication method, downlink authentication method and Ethernet device
CN101895831B (en) * 2009-05-20 2014-06-25 中国电信股份有限公司 Realization method for wireless local area network (WLAN) verification and communication terminal
CN102088702B (en) * 2009-12-03 2014-02-26 中国电信股份有限公司 Method and system for accessing wireless network into user residential gateway
CN102026195B (en) * 2010-12-17 2013-05-15 北京交通大学 One-time password (OTP) based mobile terminal identity authentication method and system
CN102255904B (en) * 2011-07-07 2015-04-22 上海顶竹通讯技术有限公司 Communication network and terminal authentication method thereof
CN103379485A (en) * 2012-04-24 2013-10-30 中国联合网络通信集团有限公司 Wireless access equipment and encryption processing method thereof
CN103763321A (en) * 2014-01-22 2014-04-30 天津大学 Sniffing defense method based on authentication method in WLAN
CN105101191B (en) * 2014-05-23 2019-03-22 宇龙计算机通信科技(深圳)有限公司 The method and device of wlan security mechanism setting
CN105682093A (en) * 2014-11-20 2016-06-15 中兴通讯股份有限公司 Wireless network access method and access device, and client
WO2016189357A1 (en) * 2015-05-28 2016-12-01 Pismo Labs Technology Limited Methods and systems for printing messages
CN106169989A (en) * 2016-05-19 2016-11-30 成都逸动无限网络科技有限公司 An authentication gateway
CN107659935B (en) * 2017-11-03 2020-11-10 迈普通信技术股份有限公司 Authentication method, authentication server, network management system and authentication system
CN110535696A (en) * 2019-08-21 2019-12-03 新华三技术有限公司合肥分公司 Method for configuring network equipment, controller and the network equipment
CN115250203A (en) * 2022-07-26 2022-10-28 浙江中控技术股份有限公司 Method and device for controlling equipment access and related products
CN116016725B (en) * 2023-03-24 2023-06-13 深圳开鸿数字产业发展有限公司 Information transmission method, computer device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2379040A (en) * 2001-08-22 2003-02-26 Int Computers Ltd Controlling user access to a remote service by sending a one-time password to a portable device after normal login
US20030055924A1 (en) * 2001-09-18 2003-03-20 Kazuoki Matsugatani Method for downloading data
CN1414731A (en) * 2002-04-11 2003-04-30 深圳汇丰信息技术开发有限公司 Dynamic word command identification method and its system
JP2003186837A (en) * 2001-12-19 2003-07-04 Ntt Advanced Technology Corp Apparatus and method for one-time password authentication and its authentication program
CN1435985A (en) * 2002-01-30 2003-08-13 鸿联九五信息产业股份有限公司 Dynamic cipher safety system and dynamic cipher generating method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
无线局域网技术和应用 (WLAN technology and applications), 王军明, 伏海文, 现代电信技术 (Modern Telecommunications Technology), No. 11, 2002 *
移动运营商WLAN的用户认证 (User authentication for mobile operators' WLAN), 夏国良, 通讯世界 (Communications World), No. 4, 2003 *

Also Published As

Publication number Publication date
CN1595894A (en) 2005-03-16

Similar Documents

Publication Publication Date Title
AU2003243680B2 (en) Key generation in a communication system
CN100334850C (en) A method for implementing access authentication of wireless local area network
EP1540878B1 (en) Linked authentication protocols
US8094821B2 (en) Key generation in a communication system
US8630414B2 (en) Inter-working function for a communication system
CN101212296B (en) Certificate and SIM based WLAN access authentication method and system
JP2007525731A (en) Method and system for providing SIM-based roaming to an existing WLAN public access infrastructure
KR20030019336A (en) Authentication in a packet data network
WO2006024969A1 (en) Wireless local area network authentication method
WO2004102884A1 (en) A method for performing authentication in a wireless lan
CN106921965A Method for implementing EAP authentication in a WLAN
CN101272297A (en) EAP authentication method of WiMAX network user
CN1706150A (en) A method for implementing high speed packet data service authentication
Lee et al. Performance of an efficient performing authentication to obtain access to public wireless LAN with a cache table
Lee Secure authentication and accounting mechanism on WLAN with interaction of mobile message service

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term (granted publication date: 20070829)