CN102739684A - Portal authentication method based on virtual IP address, and server thereof - Google Patents


Info

Publication number: CN102739684A
Authority: CN (China)
Prior art keywords: arp, address, portal, authentication, server
Legal status: Granted
Application number: CN201210228247XA
Other languages: Chinese (zh)
Other versions: CN102739684B (en)
Inventor: 仇俊杰
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Events:
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201210228247.XA (patent CN102739684B)
Publication of CN102739684A
Application granted; publication of CN102739684B
Legal status: Active


Abstract

A Portal authentication method based on a virtual IP address is applied on an authentication device in a network that comprises an access device and a gateway. The Portal server is configured with a virtual IP address that is the same as the gateway IP address, and the upstream port and the downstream port of the authentication device are configured in the same VLAN. The method comprises: listening to ARP messages sent by other nodes, adding the sender IP address and MAC address carried in each ARP message to the ARP cache as an ARP entry, and setting that ARP entry to the reachable state; configuring the Portal server not to send or respond to ARP requests; and, during the Portal authentication process, obtaining from the ARP entries recorded in the ARP cache the MAC addresses of the other nodes involved in Portal authentication in order to communicate with them. With the invention, in a scenario where IP address resources are scarce, the user does not need to adjust the IP address plan or the networking mode.

Description

A Portal authentication method and server based on a virtual IP address
Technical field
The present invention relates to Portal authentication techniques, and in particular to a Portal authentication method and server based on a virtual IP address.
Background technology
Portal authentication is a web-based authentication technique; its advantage is that the basic Portal authentication process does not require the user to download any client software. Referring to Fig. 2, when a user terminal goes online, the Portal server (which may be integrated into the authentication device) forces the user to access a specific URL. A user who wants to connect to the Internet must authenticate on the page that the Portal server pushes, and only after passing authentication can the user access Internet resources. For example, when a user visits www.sina.com.cn without having passed Portal authentication, the Portal server impersonates Sina's IP address to establish the TCP connection with the user terminal and uses Sina's IP address to send the user a redirection message, which essentially instructs the user to access the authentication page of the Portal server. The web browser on the user terminal then sends an HTTP request to the Portal server and obtains that authentication page. On this page the user can authenticate, and software for terminal authentication may also be offered for download. At this point the destination IP accessed by the browser on the user terminal is no longer the IP address of Sina that the user originally visited, but the Portal server's own IP address. The Portal server responds to the browser's request, and once the user has passed authentication the user can continue to access Internet resources.
Existing methods all require the Portal server to have an independent IP address with which to communicate with user terminal equipment. Today, with IPv6 technology not yet mature and IPv4 addresses very scarce, some network plans have no spare IP address to give to the Portal server. Referring to Fig. 2, suppose the address of the access device is 10.11.1.254 with mask 255.255.255.252, and the gateway address is 10.11.1.253 with mask 255.255.255.252. In that case the Portal server has no available IP address, the devices and the server cannot communicate normally, and the authentication function of the Portal server cannot be used. The user is then usually forced to change the original network plan or re-plan the IP addresses, otherwise the authentication function cannot operate normally. However, readjusting the original network plan or IP address plan is very inconvenient for users, and user acceptance of such a solution is very low.
Summary of the invention
The present invention provides a Portal server based on a virtual IP address. It is applied on an authentication device to provide Portal authentication service to user terminals in a network that also includes an access device and a gateway. The Portal server is configured with a virtual IP address identical to the gateway IP address, and the port of the authentication device connected to the access device and the port connected to the gateway are configured in the same Layer 2 network. The server comprises:
an ARP processing unit, which listens to ARP messages sent by other nodes, adds the sender IP address and MAC address carried in each ARP message to the ARP cache as an ARP entry, and sets that ARP entry to the reachable state; the ARP processing unit is configured not to send or respond to ARP requests;
a Portal authentication unit, which during the Portal authentication process obtains, from the ARP entries recorded in the ARP cache, the MAC addresses of the other nodes participating in Portal authentication, and communicates with those nodes.
The present invention also provides a Portal authentication method based on a virtual IP address, applied on an authentication device to provide Portal authentication service to user terminals in a network that also includes an access device and a gateway. The Portal server is configured with a virtual IP address identical to the gateway IP address, and the port of the authentication device connected to the access device and the port connected to the gateway are configured in the same Layer 2 network. The method comprises:
A. listening to ARP messages sent by other nodes, adding the sender IP address and MAC address carried in each ARP message to the ARP cache as an ARP entry, and setting that ARP entry to the reachable state; the Portal server is configured not to send or respond to ARP requests;
B. during the Portal authentication process, the Portal server obtains, from the ARP entries recorded in the ARP cache, the MAC addresses of the other nodes participating in Portal authentication, and communicates with those nodes.
The present invention makes no change to the Portal authentication process. It allows the Portal server to reuse the IP address of the gateway without affecting the user's normal network access, and without the ARP attack protection mechanisms deployed in the user's network detecting any behaviour that resembles an ARP attack. In scenarios where the IP addresses of the user network are exhausted, the user does not need to adjust the IP address plan or the networking mode, which significantly improves the experience of user network planning.
Description of drawings
Fig. 1 is a logical block diagram of the Portal server in one embodiment of the present invention.
Fig. 2 is a networking diagram of a typical Portal authentication deployment of the present invention.
Fig. 3 is a sketch of the ARP message format.
Embodiments
The present invention offers the user a new Portal server deployment option when no IP address is available or the user wants to save IP address resources. An implementation is introduced below as an example, but the present invention does not exclude other implementations, such as a computer program. Referring to Fig. 1, a Portal server based on a virtual IP address according to the present invention is applied on an authentication device to provide Portal authentication service to user terminals in a network that includes a plurality of user terminals, an access device and a gateway. The server comprises an ARP processing unit and a Portal authentication unit, and is configured with the same IP address as the gateway. Referring to Fig. 1 and Fig. 2, the general processing flow of the Portal server in this embodiment comprises:
Step 101: configure the port of the authentication device connected to the access device and the port of the authentication device connected to the gateway in the same Layer 2 network (the same VLAN), and configure the Portal server with the same IP address as the gateway.
Step 102: the ARP processing unit listens to ARP messages sent by other nodes, adds the sender IP address and MAC address carried in each ARP message to the ARP cache as an ARP entry, and sets that ARP entry to the reachable state; the ARP processing unit is configured not to send or respond to ARP requests.
The Portal server is configured with an IP address identical to the gateway's, which the present invention calls a virtual IP address; "virtual" is only a figurative term and does not affect how the IP address is used. Under this network configuration, two nodes in the network having the same IP address would obviously cause IP address conflicts, so special handling is needed to guarantee that both nodes perform their own functions. If the Portal server responded to ARP requests sent by other nodes, or sent ARP requests itself, the gateway ARP entry stored on other nodes (such as user terminals) would inevitably be modified. The MAC address a user terminal fills in when accessing an external network (such as the Internet) is the gateway's MAC address; once the gateway ARP entry in its ARP cache is modified, the messages the user sends to the external network would instead arrive at the Portal server, so the user terminal could no longer reach the external network through the gateway. Moreover, many of the user's network devices (such as the access device in Fig. 2) have ARP attack protection mechanisms deployed. If the Portal server sent ARP requests or responded to ARP requests, the ARP attack protection mechanism on the network device might regard this as an ARP attack, the administrator would receive an alarm, and the network would be disrupted. Therefore, in the present invention the ARP processing unit can be configured not to send or respond to ARP requests, so that user terminals do not discover the presence of the Portal server through ARP exchanges.
On the other hand, because the port of the authentication device connected to the access device and the port connected to the gateway are in the same VLAN, and because ARP request messages are sent by broadcast in a Layer 2 network, every node accessing the external network requests the gateway MAC address through an ARP request message (for the message format see Fig. 3), and because of the port configuration in step 101 such ARP request messages are received by the ARP processing unit of the Portal server. The ARP processing unit can thus learn the IP address and MAC address of the user terminal. In a normal ARP processing flow, before an ARP request has been answered the state of an ARP entry can only be set to a provisional state (such as incomplete or probe); since the ARP processing unit neither sends ARP requests nor responds to them, an ARP entry in a provisional state would soon age out. In the present invention the normal ARP processing flow is skipped and the ARP entry is set to the reachable state directly, so that the Portal authentication unit can later obtain the MAC address of the user terminal when interacting with it. If the ARP entry aged out quickly as in the prior art, the Portal authentication unit would not know the MAC address of the user terminal when it needed to communicate with it, and of course could not communicate at all.
For the same reason, the ARP processing unit also learns the IP addresses and MAC addresses of other network devices, such as the access device and the gateway, into the ARP cache as corresponding ARP entries. That is, the Portal server has the basis for communicating with other nodes (such as network devices or user terminals), since in a normal Portal authentication process it may communicate with multiple nodes.
Step 103: during the Portal authentication process, the Portal authentication unit obtains, from the ARP entries recorded in the ARP cache, the MAC addresses of the other nodes participating in Portal authentication, and communicates with those nodes. In a typical Portal authentication process, the processing of the Portal authentication unit mainly comprises the following steps:
(1) When an HTTP message from a user terminal passes through the authentication device, the Portal server checks whether the user terminal has passed authentication; if so, the message is allowed through. If not, it further judges whether the HTTP message is accessing the Portal server or a configured free-access address; if so, the message is allowed through. Otherwise the access device requires the user terminal, via a redirection message, to access the web authentication page of the Portal server. The Portal server provides the web authentication page to the user terminal so that the user can enter a username and password to authenticate.
(2) A corresponding authentication method can be configured on the Portal server. For local authentication, the username and password are verified directly on the Portal authentication server; for RADIUS, LDAP or TACACS+ authentication, the following flow is performed.
(3) The port through which the Portal server connects to the third-party server is a port on which authentication is not enabled; this port can send and respond to ARP messages normally. Protocol messages are exchanged between the Portal server and the third-party server, and the third-party authentication server completes the authentication of the user's identity.
(4) If the user passes authentication, the third-party authentication server notifies the Portal server.
(5) The Portal server sends an authentication-passed message to the client, notifying the client that authentication succeeded.
The present invention makes no change to the Portal authentication process. The Portal authentication unit needs to communicate with multiple nodes during an authentication process; because in step 102 the ARP processing unit obtains, by listening to ARP messages, the ARP entry of each node participating in Portal authentication, the Portal server can obtain the MAC addresses of the other nodes by looking up the ARP entries whenever it needs to communicate with the access device or a user terminal, and then communicate with them. In the prior art the Portal authentication unit can only be implemented when the Portal server has an independent IP address, whereas the present invention allows the Portal server to reuse the IP address of the gateway without affecting the user's normal network access, and without the ARP attack protection mechanisms deployed in the user's network detecting any behaviour that resembles an ARP attack. In scenarios where the IP addresses of the user network are exhausted, the user does not need to adjust the IP address plan or the networking mode, which significantly improves the experience of user network planning.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
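The following Python is an added example, not code from the patent or from DPTech's product: it models the two units described above, the ARP processing unit of step 102, which learns sender IP/MAC pairs passively, marks them reachable at once and never sends or answers ARP, and the pass/redirect decision of step 103 sub-step (1), which takes the user terminal's MAC from that cache. The class and function names, the portal path, and every address and MAC in the constructed traffic are assumptions made for the example.

```python
import struct
from enum import Enum
from typing import Dict, Optional, Set, Tuple

# Field layout of the Ethernet/IPv4 ARP message sketched in Fig. 3 of the patent.
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


class ArpState(Enum):
    INCOMPLETE = "incomplete"  # provisional state of a normal ARP flow; ages out quickly
    REACHABLE = "reachable"    # the state the Portal server's ARP unit sets directly


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet II frame carrying an IPv4-over-Ethernet ARP message, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    ip = lambda raw: ".".join(str(b) for b in raw)
    return {"op": op, "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Encode a sample ARP frame; used here only to feed constructed traffic to the server."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = mac(BROADCAST if op == ARP_REQUEST else target_mac)
    return (dst + mac(sender_mac) + struct.pack("!HHHBBH", ETH_TYPE_ARP, 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


class PortalServer:
    """Portal server whose own IP is the gateway's ("virtual IP"). Its ports toward the access
    device and the gateway share one VLAN, so every broadcast ARP request on it reaches on_frame."""

    def __init__(self, virtual_ip: str, portal_path: str = "/portal/login"):
        self.virtual_ip = virtual_ip           # identical to the gateway IP address
        self.portal_path = portal_path         # hypothetical path of the web authentication page
        self.arp_cache: Dict[str, Tuple[str, ArpState]] = {}
        self.authenticated: Set[str] = set()   # user terminal IPs that passed authentication
        self.free_hosts: Set[str] = set()      # free-access addresses reachable before login

    # ARP processing unit (step 102)
    def on_frame(self, frame: bytes) -> Optional[bytes]:
        """Learn sender IP/MAC from every ARP message seen; never answer or originate ARP."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            return None
        # The normal INCOMPLETE -> wait-for-reply flow is skipped: this unit sends no probes,
        # so a provisional entry would only age out. Sender fields are stored as received.
        self.arp_cache[arp["sender_ip"]] = (arp["sender_mac"], ArpState.REACHABLE)
        return None  # no reply, even when target_ip == virtual_ip: the real gateway answers

    def mac_for(self, ip: str) -> Optional[str]:
        mac, state = self.arp_cache.get(ip, (None, ArpState.INCOMPLETE))
        return mac if state is ArpState.REACHABLE else None

    # Portal authentication unit (step 103, sub-step (1))
    def on_http(self, src_ip: str, dst_ip: str) -> dict:
        """Pass a user terminal's HTTP request, or redirect it to the web authentication page."""
        if src_ip in self.authenticated or dst_ip in self.free_hosts or dst_ip == self.virtual_ip:
            return {"action": "pass"}
        dst_mac = self.mac_for(src_ip)  # the MAC is available only via the passively built cache
        if dst_mac is None:
            return {"action": "drop", "reason": "no reachable ARP entry for user terminal"}
        # As in the background section, the redirect is sent from the IP the user asked for.
        return {"action": "redirect", "dst_mac": dst_mac, "src_ip": dst_ip,
                "location": f"http://{self.virtual_ip}{self.portal_path}"}


def demo() -> dict:
    """Constructed traffic; every address and MAC here is made up for the example."""
    gw, acc, user, ext = "10.11.1.253", "10.11.1.254", "10.11.1.2", "203.0.113.10"
    gw_mac, acc_mac, user_mac = "02:00:00:00:00:fd", "02:00:00:00:00:fe", "02:00:00:00:00:02"
    srv = PortalServer(virtual_ip=gw)
    frames = [
        build_arp(ARP_REQUEST, user_mac, user, "00:00:00:00:00:00", gw),  # user asks for gateway
        build_arp(ARP_REPLY, gw_mac, gw, user_mac, user),                 # gateway answers user
        build_arp(ARP_REQUEST, acc_mac, acc, "00:00:00:00:00:00", user),  # access device asks
    ]
    replies = [srv.on_frame(f) for f in frames]
    before = srv.on_http(user, ext)
    srv.authenticated.add(user)
    return {"replies": replies, "user_mac": srv.mac_for(user), "gw_mac": srv.mac_for(gw),
            "acc_mac": srv.mac_for(acc), "before": before, "after": srv.on_http(user, ext)}
```

Running demo() shows the three frames produce no reply yet leave reachable entries for the user terminal, gateway and access device, and that the same unauthenticated user is redirected before login and passed after it.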

Claims (8)

1. A Portal server based on a virtual IP address, applied on an authentication device to provide Portal authentication service to user terminals in a network that also includes an access device and a gateway, wherein the Portal server is configured with a virtual IP address identical to the gateway IP address, and the port of the authentication device connected to the access device and the port connected to the gateway are configured in the same Layer 2 network, the server comprising:
an ARP processing unit, which listens to ARP messages sent by other nodes, adds the sender IP address and MAC address carried in each ARP message to the ARP cache as an ARP entry, and sets that ARP entry to the reachable state; wherein the ARP processing unit is configured not to send or respond to ARP requests;
a Portal authentication unit, which during the Portal authentication process obtains, from the ARP entries recorded in the ARP cache, the MAC addresses of the other nodes participating in Portal authentication, and communicates with those nodes.
2. The server of claim 1, wherein the ARP message is an ARP request message.
3. The server of claim 1, wherein the other nodes comprise at least a user terminal and the access device.
4. The server of claim 1, wherein the Portal authentication unit is further configured, when a user terminal has not passed authentication, to send the web authentication page to the user terminal, to receive the username and password that the user enters on the authentication page, and to notify the user when authentication succeeds.
5. A Portal authentication method based on a virtual IP address, applied on the Portal server of an authentication device to provide Portal authentication service to user terminals in a network that also includes an access device and a gateway, wherein the Portal server is configured with a virtual IP address identical to the gateway IP address, and the port of the authentication device connected to the access device and the port connected to the gateway are configured in the same Layer 2 network, the method comprising:
A. listening to ARP messages sent by other nodes, adding the sender IP address and MAC address carried in each ARP message to the ARP cache as an ARP entry, and setting that ARP entry to the reachable state; wherein the Portal server is configured not to send or respond to ARP requests;
B. during the Portal authentication process, the Portal server obtaining, from the ARP entries recorded in the ARP cache, the MAC addresses of the other nodes participating in Portal authentication, and communicating with those nodes.
6. The method of claim 5, wherein the ARP message is an ARP request message.
7. The method of claim 5, wherein the other nodes comprise at least a user terminal and the access device.
8. The method of claim 5, further comprising:
C. when a user terminal has not passed authentication, sending the web authentication page to the user terminal, receiving the username and password that the user enters on the authentication page, and notifying the user terminal and the access device when authentication succeeds.
Application CN201210228247.XA, priority date 2012-06-29, filing date 2012-06-29: Portal authentication method based on virtual IP address, and server thereof; granted as CN102739684B (en), status Active.

Publications (2)

Publication Number Publication Date
CN102739684A true CN102739684A (en) 2012-10-17
CN102739684B CN102739684B (en) 2015-03-18

Family ID: 46994467; country status: CN (1) CN102739684B (en)


Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090106401A1 (en) * 2007-10-22 2009-04-23 Inventec Corporation System and method for Intra Network Internet Protocol (IP) address modification by dual controller
CN101621802A (en) * 2009-08-13 2010-01-06 杭州华三通信技术有限公司 Method, system and device for authenticating portal in wireless network
CN101719939A (en) * 2009-12-09 2010-06-02 赛尔网络有限公司 Method for accessing network and certification of IPv6/IPv4 dual stack mainframe

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532717A (en) * 2013-10-16 2014-01-22 杭州华三通信技术有限公司 Portal authentication processing method, Portal authentication assisting method and Portal authentication assisting device
CN103532717B (en) * 2013-10-16 2016-10-12 杭州华三通信技术有限公司 A kind of Portal authentication method, certification assisted method and device
CN104009999A (en) * 2014-06-10 2014-08-27 北京星网锐捷网络技术有限公司 Method and device for preventing ARP cheating and network access server
CN104009999B (en) * 2014-06-10 2017-06-23 北京星网锐捷网络技术有限公司 Prevent method, device and network access server that ARP is cheated
CN104104516B (en) * 2014-07-30 2018-12-25 新华三技术有限公司 A kind of portal authentication method and equipment
CN104104516A (en) * 2014-07-30 2014-10-15 杭州华三通信技术有限公司 Portal authentication method and device
CN104869571A (en) * 2015-05-19 2015-08-26 杭州华三通信技术有限公司 Rapid portal authentication method and device
CN104869571B (en) * 2015-05-19 2019-05-07 新华三技术有限公司 A kind of method and apparatus of Portal rapid authentication
CN105262791A (en) * 2015-09-09 2016-01-20 深圳前海华视移动互联有限公司 Internet data access method, vehicle-mounted multimedia terminal and proxy server of vehicle-mounted multimedia terminal
CN105306448A (en) * 2015-09-22 2016-02-03 深圳前海华视移动互联有限公司 Method for accessing extranet data, car-mounted multimedia terminal and kernel Netfilter module of car-mounted multimedia terminal
CN106936804A (en) * 2015-12-31 2017-07-07 华为技术有限公司 A kind of access control method and authenticating device
CN106936804B (en) * 2015-12-31 2020-04-28 华为技术有限公司 Access control method and authentication equipment
CN106973126A (en) * 2017-05-26 2017-07-21 杭州迪普科技股份有限公司 A kind of arp reply method and device
CN106982234A (en) * 2017-05-26 2017-07-25 杭州迪普科技股份有限公司 A kind of ARP attack defense methods and device
CN107241461A (en) * 2017-07-14 2017-10-10 迈普通信技术股份有限公司 MAC Address acquisition methods, gateway device, network authentication apparatus and network system
CN107241461B (en) * 2017-07-14 2019-09-13 迈普通信技术股份有限公司 MAC Address acquisition methods, gateway, network authentication apparatus and network system
CN109831360A (en) * 2019-02-27 2019-05-31 深圳市吉祥腾达科技有限公司 Automated testing method and test macro for multi-user concurrent web authentication


Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder
Patentee before: Hangzhou Dipu Technology Co., Ltd.; patentee after: Hangzhou Dipu Polytron Technologies Inc
Address before and after: Binjiang District and Hangzhou city in Zhejiang Province Road 310000 No. 68 in the 6 storey building