CN102282800A - Terminal authentication method and apparatus - Google Patents

Publication number: CN102282800A
Authority: CN (China)
Application number: CN2011800007378A
Other languages: Chinese (zh)
Inventor: 聂玉鑫
Current assignee: Huawei Device Co Ltd
Original assignee: Huawei Device Co Ltd
Legal status: Pending
Prior art keywords: wireless terminal, EAP, authentication, address, WEB

Classifications

    • H04L63/162: Implementing security features at a particular protocol layer, at the data link layer (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/16 Implementing security features at a particular protocol layer)
    • H04W12/06: Authentication (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W88/02: Terminal devices (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices)

Abstract

A WEB authentication method, apparatus and system used in Extensible Authentication Protocol (EAP) authentication are provided. In the method, apparatus and system, Internet Protocol (IP) address allocation and EAP authentication are treated as two independent processes. When EAP authentication fails, an IP address is still allocated to the wireless terminal, which provides the necessary condition for WEB authentication. The method, apparatus and system on the one hand reduce the difficulty of controlling the wireless terminal to stop or initiate IP address allocation, and on the other hand do not affect the IP address allocation and WEB authentication that the access device performs for the wireless terminal, thereby improving the reliability of the wireless terminal.

Description

Terminal authentication method and apparatus
Technical field
The present invention relates to the field of network communication technologies, and in particular to a WEB authentication method, apparatus and system used in EAP authentication.
Background
At present, integrated mobile network operators provide both cellular mobile network authentication and Wireless Fidelity (Wi-Fi) network authentication. The Wi-Fi network is a widely used wireless local area network (WLAN); more and more users access the operator's metropolitan area network or wide area network through a Wi-Fi network and obtain the associated network resources, which include services and applications, for example Internet access. Whether in a WLAN, a metropolitan area network or a wide area network, most network resources are transmitted on the basis of Transmission Control Protocol/Internet Protocol (TCP/IP). For reasons such as data security, users accessing the Wi-Fi network must be authenticated, and only authenticated users are allowed to access the metropolitan area network or wide area network provided by the operator.
The authentication modes commonly used in Wi-Fi networks include web page (WEB) authentication and Extensible Authentication Protocol (EAP) authentication. The EAP authentication architecture is very flexible and supports multiple authentication methods, for example EAP-SIM (Extensible Authentication Protocol for GSM Subscriber Identity Modules) authentication and EAP-AKA (Extensible Authentication Protocol for 3G Authentication and Key Agreement) authentication in cellular mobile networks. An authentication system generally includes three parts: the authentication requester, the authentication system and the authentication server. The authentication requester and the authentication server are the entities connected to the two ends of the authentication system; they exchange messages through the authentication system, and the authentication server identifies the authentication requester according to the messages exchanged between them. Each physical port of the authentication system contains a controlled port and an uncontrolled port. Taking EAP authentication as an example, the uncontrolled port is always open, which guarantees that the EAPoL (Extensible Authentication Protocol over LAN) messages sent by the authentication requester can be received at any time; the controlled port is opened only when EAP authentication succeeds, and delivers network resources, services and applications to the authentication requester.
The advantage of EAP-AKA/SIM authentication is that, in a system with a cellular mobile network, a SIM card can uniquely identify the user, and the subscriber identity information in the SIM card can conveniently be used for Authentication, Authorization and Accounting (AAA). WEB authentication is a service based on TCP/IP in which the user enters a username and password in a browser. Comparing the two, EAP-AKA/SIM authentication requires no username or password to be entered, so it is more convenient and offers a better user experience, and is therefore more readily accepted by operators.
Taking EAP-AKA/SIM authentication in the Wi-Fi network as an example, the authentication requester is a wireless terminal (WT) with a SIM card that accesses the Wi-Fi network, the authentication system is the WLAN access device with wireless routing function (WLAN-ASN), and the authentication server is the EAP authentication server. To illustrate the prior-art EAP-AKA/SIM authentication method in a Wi-Fi network, its steps are described below with reference to Fig. 1:
Step 101: the wireless terminal establishes a connection with the access device;
In this step, in Wi-Fi network authentication, the access device specifically refers to the WLAN-ASN, which mainly comprises an access point (AP) and an access controller (AC). The access point and the access controller jointly provide the Wi-Fi network access service, and the wireless terminal can join the Wi-Fi network within the coverage of any access point. In general, the access point is used only to establish the physical connection with the wireless terminal and does not provide the wireless routing function that controls data and message transmission for the wireless terminal; the wireless terminal exchanges messages with the access controller through the access point, and the access controller, which provides the wireless routing function, manages the wireless terminals that access the access point. If the access point itself supports the wireless routing function, no access controller is needed: the access point acts as the access controller, establishes the physical connection directly with the wireless terminal and provides the wireless routing function to it.
Once the wireless terminal and the access point are connected through a network interface card whose physical-layer protocol is the Wi-Fi protocol, the wireless terminal connects to the access controller through the access point, which establishes the connection between the wireless terminal and the WLAN-ASN. To save Internet Protocol (IP) addresses, the access controller does not allocate an IP address to the wireless terminal before the terminal's EAP authentication succeeds. There are two specific control methods: one is to stop the wireless terminal from initiating an IP address request; the other is for the access controller, after receiving the IP address request sent by the wireless terminal, to withhold any further response to that request.
Step 102: the wireless terminal performs EAP-AKA/SIM authentication through the Wi-Fi network;
In this step, the user initiates an EAP-AKA/SIM authentication request by starting client software on the wireless terminal, and EAPoL messages are exchanged between the WLAN-ASN and the EAP authentication server to carry out EAP-AKA/SIM authentication. The specific EAP-AKA/SIM authentication steps are prior art and are not described here;
Step 103: decide, according to the received EAP-AKA/SIM authentication result, whether to allocate an IP address to the wireless terminal: if EAP-AKA/SIM authentication succeeds, execute step 104; if EAP-AKA/SIM authentication fails, execute step 105;
Step 104: the access controller allocates an IP address to the wireless terminal, and accounting starts;
In this step, when the EAP-AKA/SIM authentication result is success, the EAP authentication server authorizes the wireless terminal and starts accounting; the authorization of the wireless terminal includes the access controller allocating an IP address to the wireless terminal. A wireless terminal in the Wi-Fi network can initiate a WEB authentication request carrying its IP address to the access controller only after it has obtained and correctly configured an IP address; the access controller then provides IP-address-based WEB authentication to the wireless terminal according to the received WEB authentication request.
In this step, after DHCP completes and the wireless terminal has obtained its IP address, the WLAN-ASN may also send an accounting-start request for this wireless terminal to the EAP authentication server; the EAP authentication server starts accounting according to the received accounting-start request and returns an accounting-start response for this wireless terminal to the WLAN-ASN.
It can be seen that only after EAP-AKA/SIM authentication succeeds can the wireless terminal obtain an IP address and begin IP-address-based WEB authentication.
Step 105: the procedure ends.
It can be seen that, when EAP-AKA/SIM authentication fails, the access controller cannot allocate an IP address to the wireless terminal. As is well known, only a wireless terminal that has an IP address can use TCP/IP-based services and applications, for example WEB authentication. Therefore, when the wireless terminal cannot obtain an IP address through EAP-AKA/SIM authentication, WEB authentication of the wireless terminal cannot be carried out. If the user wants to perform WEB authentication, then before the WEB authentication request is initiated the wireless terminal must first be controlled to initiate a new IP address request, and the access controller must be controlled to respond to the new IP address request and allocate an IP address to the wireless terminal.
The prior-art WEB authentication method used with EAP-AKA/SIM authentication in a WLAN has problems in two respects. First, for the wireless terminal: on the one hand it must be stopped from initiating an IP address request before EAP-AKA/SIM authentication, and on the other hand it must initiate an IP address request again after EAP-AKA/SIM authentication succeeds. For each of the different operating systems (OS) of wireless terminals, such as Windows, Linux and Mac OS, a driver has to be written to control the initiation of IP address requests, which makes the implementation complex. Second, for the access controller: if EAP-AKA/SIM authentication fails, the IP address allocation process cannot be completed and no IP address can be allocated to the wireless terminal, and a wireless terminal without an IP address cannot perform WEB authentication. There is therefore an urgent need for a WEB authentication method used with EAP authentication that allows WEB authentication to be carried out even when EAP-AKA/SIM authentication fails, improving the reliability of the wireless terminal.
Summary of the invention
Embodiments of the invention propose a WEB authentication method, apparatus and system used in EAP authentication which do not depend on the EAP authentication result and guarantee that the wireless terminal can use TCP/IP-based services, thereby improving the reliability of the wireless terminal.
Embodiments of the invention are specifically achieved as follows:
A WEB authentication method in Extensible Authentication Protocol (EAP) authentication, where after the access device has connected with the wireless terminal through a physical-layer protocol, the method further comprises:
before the wireless terminal initiates EAP authentication or during the EAP authentication process, the access device allocates an IP address to the wireless terminal according to an IP address request initiated by the wireless terminal;
the access device provides WEB authentication based on the IP address to the wireless terminal.
The authentication mode of the EAP authentication is EAP-AKA authentication or EAP-SIM authentication.
In the WEB authentication method in EAP authentication, the method further comprises:
during the EAP authentication process initiated by the wireless terminal, the access device, according to the EAP authentication request initiated by the wireless terminal, forwards Extensible Authentication Protocol over LAN (EAPoL) messages between the wireless terminal and the EAP authentication server to carry out EAP authentication;
the access device receives the IP address request initiated by the wireless terminal, where the IP address request is initiated by the wireless terminal after it determines, from an EAPoL message that does not include a key, that EAP authentication has failed.
An access device, comprising: a control module, an IP address allocation module and a WEB authentication module;
the control module is located in the central processing unit (CPU) and is configured to, before the wireless terminal initiates EAP authentication or during the EAP authentication process, send an IP address allocation instruction to the IP address allocation module according to the IP address request initiated by the wireless terminal, and to send a WEB authentication instruction carrying the IP address to the WEB authentication module according to the IP-address-based WEB authentication request initiated by the wireless terminal;
the IP address allocation module is located in the gateway and is configured to allocate an IP address to the wireless terminal according to the IP address allocation instruction;
the WEB authentication module is located in the router and is configured to provide WEB authentication based on the IP address to the wireless terminal according to the WEB authentication instruction.
A WEB authentication system in EAP authentication, comprising: a wireless terminal, an access device, an EAP authentication server and a WEB authentication server;
the wireless terminal is configured to initiate an IP address request to the access device before initiating EAP authentication to the access device or during the EAP authentication process; to accept the IP address allocated by the access device; and to initiate an IP-address-based WEB authentication request to the access device;
the access device is configured to allocate an IP address to the wireless terminal according to the IP address request initiated by the wireless terminal, and to provide WEB authentication based on the IP address to the wireless terminal according to the WEB authentication request initiated by the wireless terminal;
the WEB server is configured to exchange WEB messages with the wireless terminal through forwarding by the access device, and to perform IP-address-based WEB authentication of the wireless terminal according to the WEB messages.
The WEB authentication system in EAP authentication further comprises: an EAP authentication server;
the wireless terminal is further configured to initiate an EAP authentication request to the access device and to exchange EAPoL messages with the EAP authentication server through forwarding by the access device, and, after determining from a received EAPoL message that does not include a key that EAP authentication has failed, to initiate the IP-address-based WEB authentication request to the access device;
the access device is further configured to forward the EAPoL messages between the wireless terminal and the EAP authentication server according to the EAP authentication request initiated by the wireless terminal;
the EAP authentication server is configured to exchange EAPoL messages with the wireless terminal through forwarding by the access device, and to perform EAP authentication of the wireless terminal according to the EAPoL messages.
In the WEB authentication system in EAP authentication, the EAP authentication server is configured to perform EAP-AKA authentication or EAP-SIM authentication of the wireless terminal according to the EAPoL messages exchanged with the wireless terminal through forwarding by the access device.
As can be seen from the above technical solutions, the invention proposes a WEB authentication method, apparatus and system in EAP authentication that treat IP address allocation and EAP authentication as two independent processes. On the one hand this reduces the difficulty of controlling the wireless terminal to stop and restart IP address allocation; on the other hand, when EAP authentication fails, the access device's IP address allocation to the wireless terminal is unaffected, which creates the precondition for the wireless terminal to obtain TCP/IP-based services, in particular WEB authentication, and improves the reliability of the wireless terminal.
Brief description of the drawings
Fig. 1 is a sequence diagram of EAP authentication in a prior-art Wi-Fi network;
Fig. 2 is a sequence diagram of WEB authentication in EAP authentication of a Wi-Fi network according to an embodiment of the invention.
Fig. 3 is a diagram of the WEB authentication system in EAP authentication of a Wi-Fi network according to an embodiment of the invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in more detail below with reference to the accompanying drawings and embodiments.
Embodiments of the invention propose a WEB authentication method in EAP authentication, where after the access device has connected with the wireless terminal through a physical-layer protocol, the method further comprises:
before the wireless terminal initiates EAP authentication or during the EAP authentication process, the access device allocates an IP address to the wireless terminal according to an IP address request initiated by the wireless terminal;
the access device provides WEB authentication based on the IP address to the wireless terminal.
It can thus be seen that, because the wireless terminal has obtained an IP address before EAP authentication or during the EAP authentication process, even when the wireless terminal cannot pass EAP authentication it can still send a WEB authentication request carrying the allocated IP address to the access device, and the access device provides WEB authentication to the wireless terminal based on that IP address. The authentication mode of the EAP authentication is EAP-AKA authentication or EAP-SIM authentication.
In the WEB authentication process, the WEB messages exchanged between the wireless terminal and the WEB authentication server are forwarded by the access device; here the authentication requester is the wireless terminal, the authentication server is the WEB authentication server, and the authentication system is the access device.
The WEB authentication method, apparatus and system in EAP authentication of the embodiments of the invention do not stop IP address allocation to the wireless terminal before EAP authentication is initiated or during the EAP authentication process, and treat IP address allocation and EAP authentication as two independent processes. On the one hand this reduces the difficulty of controlling the wireless terminal to stop and restart IP address allocation; on the other hand, IP address allocation by the access device to the wireless terminal is also unaffected when EAP authentication fails, which creates the precondition for the wireless terminal to perform WEB authentication and improves the reliability of the wireless terminal.
Embodiment 1
The embodiments of the invention provide a WEB authentication method, apparatus and system in EAP authentication. The method does not stop IP address allocation to the wireless terminal before EAP authentication; on the one hand this reduces the difficulty of controlling the wireless terminal's initiation of IP address requests, and on the other hand it makes the wireless terminal's IP address allocation independent of the EAP authentication result, so that even when EAP authentication fails the wireless terminal can still initiate TCP/IP-based services and applications, including WEB authentication, to the access device through the WLAN. Thus, when EAP authentication fails, the wireless terminal does not need to initiate another IP address request and can still perform WEB authentication in the WLAN; in particular, EAP authentication and WEB authentication can be carried out independently of each other, which improves the reliability of the wireless terminal and creates the precondition for the wireless terminal to access the Internet and obtain the resources provided by the operator after authentication.
With reference to the Wi-Fi network authentication system diagram of the embodiment of the invention in Fig. 3, the WEB authentication sequence in EAP authentication of the Wi-Fi network of the embodiment of the invention shown in Fig. 2 is described in detail as follows:
Step 201: the wireless terminal 300 establishes a connection with the access device;
In this step, in the Wi-Fi network authentication of the embodiment of the invention, the access device specifically refers to the WLAN access device (WLAN-ASN), which mainly comprises an access point (AP) and an access controller (AC). The access point (not shown in Fig. 3) and the access controller 301 jointly provide the Wi-Fi network access service, and the wireless terminal 300 can join the Wi-Fi network within the coverage of any AP. In general, the access point is used only to establish the physical connection with the wireless terminal 300 and does not control the wireless routing of data and messages for the wireless terminal 300; the wireless terminal 300 exchanges messages with the access controller 301 through the access point, and the access controller 301, which provides the wireless routing function, manages the wireless terminals 300 that access the access point. If the access point supports the wireless routing function, the access controller 301 is not needed: the access point acts as the access controller 301, establishes the physical connection directly with the wireless terminal 300 and provides the wireless routing function to it.
Step 202: the wireless terminal 300 obtains an IP address through the WLAN-ASN;
In this step, once the wireless terminal 300 and the access point are connected through a network interface card whose physical-layer protocol is the Wi-Fi protocol, the wireless terminal 300 connects to the access controller 301 through the access point and sends an IP address request to the access controller 301, and the access controller 301 allocates an IP address to the wireless terminal 300 according to the IP address request. The prior art mainly uses the Dynamic Host Configuration Protocol (DHCP) method to allocate an IP address to the wireless terminal 300; the process comprises four steps: DHCP discover, DHCP offer, DHCP request and DHCP ACK. In this embodiment, the control unit 3011 of the access controller 301 is located in the CPU, and the IP address allocation module 3010 is located in the gateway of the access controller 301; according to the IP address request, the control unit 3011 sends an IP address allocation instruction to the DHCP submodule 3012 contained in the IP address allocation module 3010, and the DHCP submodule 3012 allocates an IP address to the wireless terminal 300 according to the DHCP protocol. The process by which the DHCP submodule 3012 of the access controller 301 allocates an IP address to the wireless terminal 300 is prior art and is not described further.
After the DHCP process of this step completes, the wireless terminal 300 has obtained an IP address, but because the wireless terminal 300 has not yet been authenticated, the access controller 301 still does not deliver network resources to the wireless terminal 300.
Step 203, wireless terminal 300 initiates an EAP-AKA/SIM authentication request and performs EAP-AKA/SIM authentication;
In this step, after wireless terminal 300 sends the EAP-AKA/SIM authentication request to access controller 301, control unit 3011 of access controller 301, according to the received EAP-AKA/SIM authentication request, controls EAP authentication module 3013 to exchange EAPoL messages between wireless terminal 300 and EAP authentication server 302, and EAP authentication server 302 performs EAP-AKA/SIM authentication of wireless terminal 300. The specific EAP-AKA/SIM authentication steps are prior art and are not described in detail here.
Step 204, wireless terminal 300 decides, according to the EAP-AKA/SIM authentication result, whether to execute step 205 or step 206: if EAP-AKA/SIM authentication succeeds, step 205 is executed; if EAP-AKA/SIM authentication fails, step 206 is executed;
In this step, after EAP-AKA/SIM authentication is finished, EAP authentication server 302 sends different EAPoL messages to wireless terminal 300 through the WLAN-ASN according to the EAP-AKA/SIM authentication result, and access controller 301 in the WLAN-ASN also receives the different EAPoL messages.
Step 205, EAP-AKA/SIM authentication succeeds; access controller 301 allows wireless terminal 300 to access the Internet or a particular server for network resource transmission, and EAP authentication server 302 starts accounting;
In this step, when the EAP-AKA/SIM authentication result is success, EAP authentication server 302 authorizes wireless terminal 300, and after wireless terminal 300 has been allowed to access the Internet or a particular server for network resource transmission, access controller 301 initiates accounting. The authorization of wireless terminal 300 proceeds as follows: according to the EAP-AKA/SIM authentication result, EAP authentication server 302 sends, through the WLAN-ASN, an EAPoL message that carries a key to wireless terminal 300; both wireless terminal 300 and access controller 301 receive the EAPoL message that carries the key. According to the EAPoL message carrying the key, access controller 301 allows the wireless terminal 300 that holds the same key to perform network resource transmission with the Internet or the particular server.
In this step, when access controller 301 allows the Internet or the particular server to transmit network resources with the wireless terminal 300 holding the same key, the WLAN-ASN sends an accounting start request for this wireless terminal 300 to EAP authentication server 302; EAP authentication server 302 starts accounting according to the received accounting start request for this wireless terminal 300 and then returns an accounting start response for this wireless terminal 300 to the WLAN-ASN.
Step 206, EAP-AKA/SIM authentication fails; EAP-AKA/SIM authentication ends;
In this step, after EAP-AKA/SIM authentication fails, EAP authentication server 302 sends, through the WLAN-ASN, an EAPoL message that does not carry a key to wireless terminal 300; when wireless terminal 300 and access controller 301 receive the EAPoL message that carries no key, access controller 301 still does not allow wireless terminal 300 to access the Internet or a particular server for network resource transmission.
Step 207, when EAP-AKA/SIM authentication fails, wireless terminal 300 initiates a WEB authentication request and performs WEB authentication.
In this step, because access controller 301 has already allocated an IP address to wireless terminal 300 in step 202, wireless terminal 300 can run applications and services based on TCP/IP; for example, wireless terminal 300, holding an IP address, can send an IP-address-based WEB authentication request to access controller 301 by opening a web page. After control unit 3011 of access controller 301 determines from the received EAPoL message that carries no key that EAP-AKA/SIM authentication of wireless terminal 300 has failed, it sends, according to the IP-address-based WEB authentication request received from the wireless terminal, a WEB authentication instruction carrying that IP address to WEB authentication module 3014. According to the WEB authentication instruction, WEB authentication module 3014 provides IP-address-based WEB authentication for wireless terminal 300. Specifically, WEB authentication module 3014 is located in the router of access controller 301; based on the IP address, it forwards the WEB messages exchanged between wireless terminal 300 and WEB authentication server 303, and WEB authentication server 303 performs WEB authentication of wireless terminal 300 according to the WEB messages exchanged with wireless terminal 300. Thus, in the case of EAP-AKA/SIM authentication failure, because wireless terminal 300 obtained an IP address in step 202, wireless terminal 300 satisfies the precondition for initiating WEB authentication and can perform WEB authentication, which provides wireless terminal 300 with an alternative authentication mode in addition to EAP authentication.
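The admission logic described across steps 202 to 207, as an added example that is not part of the patent or of any Huawei implementation: a small Python model of the access controller's forwarding decision, in which an IP address is leased by DHCP before the EAP result is known, but the data path stays closed until either an EAPoL message carrying a key is relayed to the terminal or the IP-address-based WEB authentication succeeds. The WEB authentication server address, DHCP pool, MAC addresses and packet fields are constructed for the example, and the class and method names are the example's own.

```python
# Added example (not the patent's code): admission policy of an access
# controller that assigns an IP address by DHCP before the EAP result is
# known. Addresses, MACs and packet fields below are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X EAP over LAN
ETHERTYPE_IPV4 = 0x0800
EAPOL_TYPE_EAP_PACKET = 0  # carries an EAP Request/Response/Success/Failure
EAPOL_TYPE_KEY = 3         # EAPOL-Key: the "EAPoL message that carries a key"
EAP_CODE_FAILURE = 4


class State(Enum):
    UNAUTHENTICATED = "unauthenticated"  # may hold an IP, data path closed
    EAP_FAILED = "eap_failed"            # data path closed, WEB auth still allowed
    AUTHORIZED = "authorized"            # EAP-AKA/SIM or WEB authentication succeeded


@dataclass
class Packet:
    """Minimal view of a frame received from the terminal (constructed)."""
    src_mac: str
    ethertype: int
    ip_proto: Optional[str] = None  # "udp" or "tcp"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


@dataclass
class Terminal:
    mac: str
    ip: Optional[str] = None
    state: State = State.UNAUTHENTICATED


class AccessController:
    def __init__(self, web_auth_server_ip: str, dhcp_pool: List[str]):
        self.web_auth_server_ip = web_auth_server_ip
        self.free_ips = list(dhcp_pool)
        self.terminals: Dict[str, Terminal] = {}
        self.accounting_started: List[str] = []  # MACs with an Accounting-Start sent

    def terminal(self, mac: str) -> Terminal:
        return self.terminals.setdefault(mac, Terminal(mac))

    def dhcp_ack(self, mac: str) -> Optional[str]:
        """Step 202: lease an address regardless of EAP state. One lease per
        MAC, because the pool is reachable before any authentication and a
        client repeating DISCOVER must not be able to drain it."""
        term = self.terminal(mac)
        if term.ip is None:
            if not self.free_ips:
                return None
            term.ip = self.free_ips.pop(0)
        return term.ip

    def relay_eapol_to_terminal(self, mac: str, eapol_type: int,
                                eap_code: Optional[int] = None) -> State:
        """Steps 204-206: the controller sees the same EAPoL message the EAP
        authentication server sends to the terminal and learns the result."""
        term = self.terminal(mac)
        if eapol_type == EAPOL_TYPE_KEY:
            self._authorize(term)
        elif eapol_type == EAPOL_TYPE_EAP_PACKET and eap_code == EAP_CODE_FAILURE:
            term.state = State.EAP_FAILED  # also revokes an earlier authorization
        return term.state

    def web_auth_result(self, mac: str, success: bool) -> State:
        """Step 207: outcome of the IP-address-based WEB authentication; a
        terminal without a leased address cannot be authorized this way."""
        term = self.terminal(mac)
        if success and term.ip is not None:
            self._authorize(term)
        return term.state

    def _authorize(self, term: Terminal) -> None:
        term.state = State.AUTHORIZED
        if term.mac not in self.accounting_started:
            self.accounting_started.append(term.mac)  # Accounting-Start request

    def forward(self, pkt: Packet) -> bool:
        """Forwarding decision for a frame from the terminal."""
        term = self.terminal(pkt.src_mac)
        if pkt.ethertype == ETHERTYPE_EAPOL:
            return True  # the EAP exchange itself is always relayed
        if term.state == State.AUTHORIZED:
            return True
        if pkt.ethertype != ETHERTYPE_IPV4:
            return False
        if pkt.ip_proto == "udp" and pkt.dst_port == 67:
            return True  # DHCP to the controller's own server
        # Walled garden: only the WEB authentication server, only HTTP(S),
        # and only for a terminal that actually holds a leased address.
        return (term.ip is not None
                and pkt.dst_ip == self.web_auth_server_ip
                and pkt.ip_proto == "tcp"
                and pkt.dst_port in (80, 443))
```

The point the whole flow rests on is in `forward`: an address obtained before authentication must buy the terminal nothing beyond DHCP, EAPoL and the WEB authentication server itself, otherwise the pre-authentication DHCP step of step 202 becomes an access bypass. Two decisions the page does not discuss but an implementer of this flow has to make are modelled here as assumptions: the DHCP pool is reachable by unauthenticated clients, so leases are bound one per MAC to limit exhaustion, and an EAP failure relayed later revokes an earlier authorization rather than leaving the port open.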
At this point, the steps of the embodiment of the invention are complete.
It can be seen from the above steps that the embodiment of the invention provides a WEB authentication method, apparatus and system in EAP authentication, in which the DHCP process that allocates the IP address is independent of the EAP authentication process: whether or not EAP authentication succeeds, the wireless terminal can obtain an IP address, so even when EAP authentication fails it can still run TCP/IP-based applications and services, for example WEB authentication. On the one hand, the method, apparatus and system of the embodiment avoid the prior-art step of terminating and re-initiating IP address allocation during EAP authentication, and so overcome the disadvantage that a driver must be written separately for each operating system of the wireless terminal, which is difficult to implement and involves a complex process; on the other hand, they create the precondition for the wireless terminal to obtain TCP/IP-based services, in particular WEB authentication, and so improve the reliability of the wireless terminal.
The above are only preferred embodiments of the invention and are not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (7)

1. A WEB authentication method in Extensible Authentication Protocol (EAP) authentication, comprising, after an access device is connected to a wireless terminal through a physical-layer protocol, characterized in that the method further comprises:
before the wireless terminal initiates EAP authentication or during the EAP authentication process, the access device allocates an IP address to the wireless terminal according to an IP address request initiated by the wireless terminal;
the access device provides WEB authentication based on the IP address for the wireless terminal.
2. The method according to claim 1, characterized in that the authentication mode of the EAP authentication is EAP-AKA authentication or EAP-SIM authentication.
3. The method according to claim 1, characterized in that the method further comprises:
during the EAP authentication process initiated by the wireless terminal, the access device forwards EAP over LAN (EAPoL) messages between the wireless terminal and an EAP authentication server according to the EAP authentication request initiated by the wireless terminal, so as to perform EAP authentication;
the access device receives the IP address request initiated by the wireless terminal, the IP address request being initiated by the wireless terminal after it determines, according to an EAPoL message that does not carry a key, that the EAP authentication has failed.
4. An access device, characterized in that the device comprises: a control module, an IP address assignment module and a WEB authentication module;
the control module is located in a central processing unit (CPU) and is configured to, before a wireless terminal initiates EAP authentication or during the EAP authentication process, send an IP address assignment instruction to the IP address assignment module according to an IP address request initiated by the wireless terminal, and to send a WEB authentication instruction carrying the IP address to the WEB authentication module according to an IP-address-based WEB authentication request initiated by the wireless terminal;
the IP address assignment module is located in a gateway and is configured to allocate an IP address to the wireless terminal according to the IP address assignment instruction;
the WEB authentication module is located in a router and is configured to provide WEB authentication based on the IP address for the wireless terminal according to the WEB authentication instruction.
5. A WEB authentication system in EAP authentication, characterized in that the system comprises: a wireless terminal, an access device, an EAP authentication server and a WEB authentication server;
the wireless terminal is configured to initiate an IP address request to the access device before initiating EAP authentication to the access device or during the EAP authentication process; accept the IP address allocated by the access device; and initiate a WEB authentication request based on the IP address to the access device;
the access device is configured to allocate an IP address to the wireless terminal according to the IP address request initiated by the wireless terminal, and to provide WEB authentication based on the IP address for the wireless terminal according to the WEB authentication request initiated by the wireless terminal;
the WEB authentication server is configured to exchange WEB messages with the wireless terminal through forwarding by the access device, and to perform WEB authentication based on the IP address on the wireless terminal according to the WEB messages.
6. The system according to claim 5, characterized in that the system further comprises: the EAP authentication server;
the wireless terminal is further configured to initiate an EAP authentication request to the access device and to exchange EAPoL messages with the EAP authentication server through forwarding by the access device; and, after determining EAP authentication failure according to a received EAPoL message that does not carry a key, to initiate the WEB authentication request based on the IP address to the access device;
the access device is further configured to forward the EAPoL messages between the wireless terminal and the EAP authentication server according to the EAP authentication request initiated by the wireless terminal;
the EAP authentication server is configured to exchange the EAPoL messages with the wireless terminal through forwarding by the access device, and to perform EAP authentication on the wireless terminal according to the EAPoL messages.
7. The system according to claim 5 or 6, characterized in that the EAP authentication server is configured to perform EAP-AKA authentication or EAP-SIM authentication on the wireless terminal according to the EAPoL messages exchanged with the wireless terminal through forwarding by the access device.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/075299 WO2011150867A2 (en) 2011-06-03 2011-06-03 Terminal authentication method and apparatus

Publications (1)

Publication Number Publication Date
CN102282800A true CN102282800A (en) 2011-12-14

Family

ID=45067119

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011800007378A Pending CN102282800A (en) 2011-06-03 2011-06-03 Terminal authentication method and apparatus

Country Status (2)

Country Link
CN (1) CN102282800A (en)
WO (1) WO2011150867A2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070214270A1 (en) * 2006-03-08 2007-09-13 Luc Absillis Triggering DHCP actions from IEEE 802.1x state changes
CN101163000A (en) * 2006-10-13 2008-04-16 中兴通讯股份有限公司 Secondary authentication method and system
CN101902507A (en) * 2010-08-02 2010-12-01 华为技术有限公司 Method, device and system for distributing addresses

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102647715A (en) * 2012-03-27 2012-08-22 华为技术有限公司 Method for delivering authentication target MAC (Media Access Control) address of EAP (Extensible Authentication Protocol) authentication
CN103067407A (en) * 2013-01-17 2013-04-24 中兴通讯股份有限公司 Authentication method and authentication device of user terminal access network
WO2014110984A1 (en) * 2013-01-17 2014-07-24 中兴通讯股份有限公司 Authentication method and apparatus for accessing network by user terminal
CN103067407B (en) * 2013-01-17 2018-06-01 中兴通讯股份有限公司 The authentication method and device of accessing user terminal to network
CN110769482A (en) * 2019-09-16 2020-02-07 浙江大华技术股份有限公司 Method and device for network connection of wireless equipment and wireless router equipment
CN110769482B (en) * 2019-09-16 2022-03-01 浙江大华技术股份有限公司 Method and device for network connection of wireless equipment and wireless router equipment
US11729141B2 (en) 2019-09-16 2023-08-15 Zhejiang Dahua Technology Co., Ltd. Network connection systems and methods and network access devices

Also Published As

Publication number Publication date
WO2011150867A3 (en) 2012-05-03
WO2011150867A2 (en) 2011-12-08

Similar Documents

Publication Publication Date Title
CN110800331B (en) Network verification method, related equipment and system
CN101616410B (en) Access method and access system for cellular mobile communication network
CN101150594B (en) Integrated access method and system for mobile cellular network and WLAN
CN101127600B (en) A method for user access authentication
US9749320B2 (en) Method and system for wireless local area network user to access fixed broadband network
US9775032B2 (en) Method for controlling access point in wireless local area network, and communication system
US20040162105A1 (en) Enhanced general packet radio service (GPRS) mobility management
US20070180499A1 (en) Authenticating clients to wireless access networks
US8433286B2 (en) Mobile communication network and method and apparatus for authenticating mobile node in the mobile communication network
US20090055898A1 (en) PANA for Roaming Wi-Fi Access in Fixed Network Architectures
EP2894904B1 (en) Wlan user fixed network access method and system
CN1567868A (en) Authentication method based on Ethernet authentication system
CN114070597B (en) Private network cross-network authentication method and device
CN100583759C (en) Method for realizing synchronous identification between different identification control equipments
CN103796245A (en) Data message management method, device and system
US8051464B2 (en) Method for provisioning policy on user devices in wired and wireless networks
KR100670791B1 (en) Method for verifying authorization with extensibility in AAA server
CN102282800A (en) Terminal authentication method and apparatus
CN101272297B (en) EAP authentication method of WiMAX network user
WO2012151933A1 (en) Owned service authentication method and system
JP4584776B2 (en) Gateway device and program
CN100546305C (en) A kind of forced verifying from end-to-end protocol method and apparatus
CN101902507B (en) Method, device and system for distributing addresses
CN102710422B (en) Node authentication method for avoiding authentication congestion
CN104011699A (en) System and Method for Concurrent Address Allocation and Authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20111214