CN105516171B - Portal keep-alive system and method, and authentication system and method, based on an authentication service cluster - Google Patents

Info

Publication number: CN105516171B
Authority: CN (China)
Prior art keywords: portal, access control, control equipment, service node, keep
Legal status: Active
Application number: CN201510995580.7A
Other languages: Chinese (zh)
Other versions: CN105516171A (en)
Inventors: 宗润, 黄山
Current assignee: Maipu Communication Technology Co Ltd
Original assignee: Maipu Communication Technology Co Ltd

Events
    • Application filed by Maipu Communication Technology Co Ltd
    • Priority to CN201510995580.7A
    • Publication of CN105516171A
    • Application granted
    • Publication of CN105516171B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2521 Translation architectures other than single NAT servers
    • H04L61/2532 Clique of NAT servers
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1036 Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers

Abstract

The present invention relates to WLAN secure access technology and discloses a Portal keep-alive system and method, and an authentication system and method, based on an authentication service cluster. It solves the prior-art problem that, when the Portal service node an access control device keeps alive with differs from the node its authentication request is load-balanced to, Portal messages cannot be delivered to the access control device. The Portal keep-alive system of the invention comprises: an access control device, which continuously sends keep-alive packets carrying its own device serial number to a load balancer through a NAT device; a NAT device, which translates the source IP address and source port of each keep-alive packet, forwards the packet to the load balancer, and stores the mapping between the device's IP address and port number before and after translation; a load balancer, which distributes the keep-alive packet to one of the Portal service nodes; and a Portal service node, which on receiving the keep-alive packet stores the association between the device serial number, the post-NAT IP address and port number, and the IP address of the Portal service node that received the packet. The invention is applicable to Portal authentication in enterprise authentication service clusters.

Description

Portal keep-alive system and method, and authentication system and method, based on an authentication service cluster
Technical field
The present invention relates to WLAN secure access technology, and in particular to a Portal keep-alive system and method, and an authentication system and method, based on an authentication service cluster.
Background technique
With the rapid development of network application technology, network information security problems have become increasingly prominent. As important technical and management means for addressing network security, network access authentication technologies such as 802.1x (port-based access control protocol) authentication, PPPoE (Point-to-Point Protocol over Ethernet) authentication and Portal authentication have spread rapidly. Among them, Portal authentication logs the user in through a web page, so it is easy to operate, offers rich presentation and makes it convenient to promote services; it has therefore been adopted more and more widely.
The simplest Portal authentication system structure is shown in Fig. 1. It consists of four parts: an authentication client, a Portal server, an access control device and an AAA server. The authentication client is the client system installed on the user terminal, for example a browser running HTTP. The Portal server is the server-side system that receives authentication requests from the authentication client; it provides free services and a web authentication interface, and exchanges the client's authentication information with the access control device. The access control device does three main things: before authentication, it intercepts all HTTP requests in the authentication network segment and redirects them to the Portal server; during authentication, it exchanges UDP messages with the Portal server and the AAA server; after authentication succeeds, it allows the user who passed Portal authentication to access the network resources authorized by the administrator. The AAA server exchanges UDP messages with the access control device to complete authentication and accounting for the user.
A Portal authentication system structure commonly used today is shown in Fig. 2. The enterprise headquarters machine room deploys one Portal&AAA authentication server that provides authentication service to multiple branch sites. Each site configures the private-network address of its access control device according to its own rules, and a NAT (Network Address Translation) device between the site and the headquarters machine room maps the user terminals in the site's private network into the corporate intranet. From the interaction between the Portal server and the access control device described above, the Portal server in Fig. 2 can only look up the access control device's IP address from the authentication-request HTTP message it receives. Because user terminals in such an enterprise network use private addresses, the addresses that different sites assign to user terminals may overlap, so the Portal server cannot reliably find the correct access control device IP address from its mapping of user IP address to access control device IP address, and therefore cannot establish a session for the subsequent message exchange. The existing way of solving this problem is to carry both the public and private addresses of the user in the HTTP message sent from the user terminal to the Portal server; the Portal server checks whether the public and private addresses are consistent and, when they are not, obtains the access control device's IP address from a preconfigured mapping (user terminal public IP address, private IP address and access control device IP) and establishes the session. This method is complex to configure and hard to operate: for a large enterprise with up to ten thousand sites, collecting and configuring the mapping between user terminal public and private IP addresses and access control device IPs is cumbersome and error-prone.
In the scenario shown in Fig. 2, a one-way NAT may be configured between the site's access control device and the headquarters machine room. Messages that the Portal server actively sends to the device then cannot be delivered, so the access control device must continuously send keep-alive messages to the Portal server to keep the NAT link available.
As application scenarios have developed, a single Portal&AAA server can no longer meet the authentication concurrency of today's enterprises, which can easily reach ten million users, and clustered deployment has become inevitable. As shown in Fig. 3, a Portal&AAA service cluster with a shared data layer is deployed in the headquarters machine room; HTTP authentication requests from site clients are distributed by a load balancer to any service node, and the service node and the site's access control device complete authentication by exchanging messages. If a one-way NAT is configured between the access control device and the Portal&AAA devices, the service node the access device keeps alive with may differ from the node selected by load balancing, so Portal messages cannot be delivered to the access control device. For example, the site's access control device keeps a link alive with Portal service node 1, but the site's HTTP authentication request is balanced to Portal service node 2; Portal service node 2 then cannot actively establish a session with the site's access control device.
Summary of the invention
The technical problem to be solved by the present invention is to propose a Portal keep-alive system and method, and an authentication system and method, based on an authentication service cluster, in order to solve the prior-art problem that Portal messages cannot be delivered to the access control device when the node the access control device keeps alive with differs from the Portal service node selected by load balancing.
The technical solution adopted by the invention to solve the above problem is a Portal keep-alive system based on an authentication service cluster, comprising:
an access control device, which continuously sends keep-alive packets carrying its own device serial number to a load balancer through a NAT device;
a NAT device, which, on receiving a keep-alive packet sent by the access control device, translates the packet's source IP address and source port, forwards the packet to the load balancer, and stores the mapping between the access control device's IP address and port number before and after translation;
a load balancer, which forwards the keep-alive packet to one of the Portal service nodes according to the configured load-balancing rule;
a Portal service node, which, on receiving the keep-alive packet, stores the association between the access control device's serial number, the post-NAT IP address and port number, and the IP address of the Portal service node that received the packet.
Further, the mapping refers to the relationship between the private IP address and private port number of the access control device and the corresponding public IP address and public port number of the NAT device.
The Portal keep-alive method based on an authentication service cluster comprises the following steps:
A. The access control device continuously sends keep-alive packets carrying its own device serial number to the load balancer through the NAT device;
B. The NAT device, on receiving a keep-alive packet sent by the access control device, translates the packet's source IP address and source port, forwards the packet to the load balancer, and stores the mapping between the access control device's IP address and port number before and after translation;
C. The load balancer forwards the keep-alive packet to one of the Portal service nodes according to the configured load-balancing rule;
D. The Portal service node, on receiving the keep-alive packet, stores the association between the access control device's serial number, the post-NAT IP address and port number, and the IP address of the Portal service node that received the packet.
Further, in step B, the mapping refers to the relationship between the private IP address and private port number of the access control device and the corresponding public IP address and public port number of the NAT device.
The Portal authentication system based on an authentication service cluster comprises:
an authentication client, which sends an HTTP request to the access control device when accessing network resources and, after the HTTP request is intercepted by the access control device, sends the redirected HTTP request to the load balancer; and which, after receiving the authentication interface pushed by a Portal service node, sends the authentication request directly to the Portal service node whose IP is carried in the page content;
an access control device, which intercepts the HTTP request initiated by the authentication client and judges whether the client has access permission; if it does not, the device redirects the HTTP request to the load balancer and adds its own device serial number to the request parameters; and which, on receiving a Portal authentication message sent by a Portal service node, returns a Portal authentication response message to that node;
a NAT device, which stores the mapping between the access control device and the NAT device and, on receiving a Portal authentication message sent by a Portal service node, forwards it to the corresponding access control device according to that mapping;
a load balancer, which forwards the authentication client's redirected HTTP request to one of the Portal service nodes according to the configured load-balancing rule;
a Portal service node, which, on receiving the authentication client's redirected HTTP request, parses it to obtain the access control device's serial number, looks up by that serial number the IP of the Portal service node the access control device keeps alive with, pushes the authentication interface to the authentication client, and carries the obtained keep-alive Portal service node IP in the page content;
and which, on receiving the authentication client's authentication request, looks up by the device serial number carried in the request the post-NAT IP address and port number of the access control device, sends a Portal authentication message to the NAT device, and responds to the client's authentication request according to the Portal authentication response message returned by the corresponding access control device.
Further, the mapping refers to the relationship between the private IP address and private port number of the access control device and the corresponding public IP address and public port number of the NAT device.
Further, the serial number of the access control device is unique.
The Portal authentication method based on an authentication service cluster comprises the following steps:
A. The authentication client sends an HTTP request to the access control device when accessing network resources;
B. The access control device intercepts the HTTP request initiated by the authentication client and judges whether the client has access permission; if it does not, the device redirects the HTTP request to the load balancer and adds its own device serial number to the request parameters;
C. The load balancer forwards the authentication client's redirected HTTP request to one of the Portal service nodes according to the configured load-balancing rule;
D. The Portal service node, on receiving the authentication client's redirected HTTP request, parses it to obtain the access control device's serial number, looks up by that serial number the IP of the Portal service node the access control device keeps alive with, pushes the authentication interface to the authentication client, and carries the obtained keep-alive Portal service node IP in the page content;
E. The authentication client, after receiving the authentication interface pushed by the Portal service node, sends the authentication request directly to the Portal service node whose IP is carried in the page content;
F. The Portal service node, on receiving the authentication client's authentication request, looks up by the device serial number (SN) carried in the request the post-NAT IP address and port of the access control device, then sends a Portal authentication message to the NAT device;
G. The NAT device forwards the Portal authentication message to the corresponding access control device according to the stored mapping;
H. The corresponding access control device, on receiving the Portal authentication message, returns a Portal authentication response message to the Portal service node;
I. The Portal service node responds to the authentication client's authentication request according to the Portal authentication response message returned by the corresponding access control device.
Further, in step G, the mapping refers to the relationship between the private IP address and private port number of the access control device and the corresponding public IP address and public port number of the NAT device.
Further, the serial number of the access control device is unique.
The beneficial effects of the invention are as follows: by carrying the access control device's serial number in the keep-alive packet, the invention establishes the mapping between the device serial number, the post-NAT IP address and port number, and the Portal service node IP. Later, the Portal node the device keeps alive with and its post-NAT IP address and port number can be looked up by the device serial number, which solves the problem that Portal messages cannot be delivered to the access control device when the node it keeps alive with differs from the load-balanced Portal service node.
Description of the drawings:
Fig. 1 is a structural schematic diagram of a prior-art Portal authentication system;
Fig. 2 is a schematic diagram of a prior-art single-server Portal authentication scenario;
Fig. 3 is a schematic diagram of a prior-art clustered Portal authentication scenario;
Fig. 4 is an interaction diagram of keep-alive processing between the access control device and a Portal service node in the present invention;
Fig. 5 is a flowchart of a Portal service node pushing the authentication interface during the Portal authentication process of the present invention;
Fig. 6 is a flowchart of the authentication client authenticating against the designated Portal service node during the Portal authentication process of the present invention.
Specific embodiments
The present invention proposes a Portal keep-alive system and method, and an authentication system and method, based on an authentication service cluster, to solve the prior-art problem that Portal messages cannot be delivered to the access control device when the node the access control device keeps alive with differs from the Portal service node selected by load balancing.
The Portal keep-alive system based on an authentication service cluster in the present invention comprises:
an access control device, which continuously sends keep-alive packets carrying its own device serial number to a load balancer through a NAT device;
a NAT device, which, on receiving a keep-alive packet sent by the access control device, translates the packet's source IP address and source port, forwards the packet to the load balancer, and stores the mapping between the access control device's IP address and port number before and after translation;
a load balancer, which forwards the keep-alive packet to one of the Portal service nodes according to the configured load-balancing rule;
a Portal service node, which, on receiving the keep-alive packet, stores the association between the access control device's serial number, the post-NAT IP address and port number, and the IP address of the Portal service node that received the packet.
As shown in Fig. 4, the keep-alive processing method between the access control device and the Portal service node, implemented on the above keep-alive system, comprises the following steps:
1. The access control device continuously sends UDP keep-alive packets to the load balancer; each packet carries the access control device's serial number (the serial number is unique; it is abbreviated SN in the figure). When a packet passes through the NAT device, its source IP address and source port are translated (the NAT device stores the mapping between the access control device's IP address and port number before and after translation);
2. The keep-alive packet reaches the load balancer through the NAT device, and the load balancer forwards it to one surviving Portal service node according to the configured load-balancing rule;
3. The Portal service node parses the received packet to obtain the access control device's serial number, and stores the post-NAT IP address and port number together with its own local IP address, keyed by the access control device's serial number.
The Portal authentication system based on an authentication service cluster in the present invention comprises:
an authentication client, which sends an HTTP request to the access control device when accessing network resources and, after the HTTP request is intercepted by the access control device, sends the redirected HTTP request to the load balancer; and which, after receiving the authentication interface pushed by a Portal service node, sends the authentication request directly to the Portal service node whose IP is carried in the page content;
an access control device, which intercepts the HTTP request initiated by the authentication client and judges whether the client has access permission; if it does not, the device redirects the HTTP request to the load balancer and adds its own device serial number to the request parameters; and which, on receiving a Portal authentication message sent by a Portal service node, returns a Portal authentication response message to that node;
a NAT device, which stores the mapping between the access control device and the NAT device and, on receiving a Portal authentication message sent by a Portal service node, forwards it to the corresponding access control device according to that mapping;
a load balancer, which forwards the authentication client's redirected HTTP request to one of the Portal service nodes according to the configured load-balancing rule;
a Portal service node, which, on receiving the authentication client's redirected HTTP request, parses it to obtain the access control device's serial number, looks up by that serial number the IP of the Portal service node the access control device keeps alive with, pushes the authentication interface to the authentication client, and carries the obtained keep-alive Portal service node IP in the page content;
and which, on receiving the authentication client's authentication request, looks up by the device serial number carried in the request the post-NAT IP address and port number of the access control device, sends a Portal authentication message to the NAT device, and responds to the client's authentication request according to the Portal authentication response message returned by the corresponding access control device.
As shown in Fig. 5, on the above authentication system, the process by which a Portal service node pushes the authentication interface during Portal authentication comprises the following steps:
1. The authentication client connects to WiFi, is admitted by the access control device, opens a browser and accesses an external network resource;
2. The access control device intercepts the authentication client's access request and judges whether the client has access permission; if not, it redirects the client to the Portal service push-interface URL, whose IP points to the load balancer, and the URL carries the access control device's serial number;
3. The authentication client requests the redirected push-interface URL; the request is sent to the load balancer through the NAT device;
4. The load balancer forwards the request to any surviving Portal service node according to its load rule;
5. The Portal service node queries the data store by the access control device's serial number and obtains the IP address of the Portal service node that this access control device keeps alive with;
6. The Portal service node responds to the authentication client's request by pushing the authentication page, carrying in the page content the IP address obtained in the previous step.
Finally, the process by which the authentication client authenticates against the designated Portal service node is shown in Fig. 6 and comprises the following steps:
1. The authentication client initiates an authentication request whose server address is the Portal service node IP address carried in the web page. This request passes through the NAT device and is forwarded directly to the designated Portal service node without going through the load balancer; since the access control device's keep-alive packets were load balanced, this is equivalent to having passed through the load balancer;
2. The Portal service node looks up the post-NAT IP address and port number of the access control device by the access control device's serial number (SN) carried in the authentication request;
3. The Portal service node sends a Portal authentication message to the NAT device, and the NAT device forwards it to the designated access control device according to the IP and port mapping;
4. The access control device returns a Portal authentication response message (the interaction between the access control device and the AAA service is omitted);
5. The Portal service node responds to the authentication client's authentication request.
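The following is an added simulation of the Fig. 4 keep-alive flow and the Fig. 5 and Fig. 6 authentication flow; it is not code from the patent or from Maipu. All addresses, ports and serial numbers are constructed, the load balancer is assumed to be round-robin, and the NAT is modelled so that a mapping only passes traffic back from the node the keep-alive reached, which is an assumption made here to reproduce the Fig. 3 failure case (authentication attempted on a node other than the keep-alive node).

```python
"""Simulation of CN105516171B's SN-keyed keep-alive (added example, constructed data)."""
import itertools
from dataclasses import dataclass, field


@dataclass
class NatDevice:
    """One-way NAT between a branch site and the headquarters machine room."""
    public_ip: str
    port_pool: itertools.count = field(default_factory=lambda: itertools.count(40000))
    fwd: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> (pub_ip, pub_port)
    rev: dict = field(default_factory=dict)  # (pub_ip, pub_port) -> (priv_ip, priv_port, peer_ip)

    def outbound(self, priv_ip, priv_port, peer_ip):
        """Translate the keep-alive's source endpoint and store the mapping both ways."""
        key = (priv_ip, priv_port)
        if key not in self.fwd:
            self.fwd[key] = (self.public_ip, next(self.port_pool))
        self.rev[self.fwd[key]] = (priv_ip, priv_port, peer_ip)
        return self.fwd[key]

    def inbound(self, src_ip, pub_ip, pub_port):
        """Assumption: only the node that the keep-alive reached may send back through
        the mapping. Returns the private endpoint, or None if the packet is dropped."""
        rec = self.rev.get((pub_ip, pub_port))
        return None if rec is None or rec[2] != src_ip else rec[:2]


@dataclass
class PortalNode:
    ip: str
    store: dict  # cluster-shared data layer: SN -> (nat_ip, nat_port, keep-alive node ip)

    def on_keepalive(self, sn, nat_ip, nat_port):
        """Fig. 4 step 3: key the post-NAT endpoint and this node's own IP by the device SN."""
        self.store[sn] = (nat_ip, nat_port, self.ip)

    def push_interface(self, sn):
        """Fig. 5 steps 5-6: the pushed page carries the IP of the device's keep-alive node."""
        rec = self.store.get(sn)
        return None if rec is None else rec[2]

    def authenticate(self, sn, nat):
        """Fig. 6 steps 2-3: send the Portal auth message to the post-NAT endpoint via the NAT."""
        rec = self.store.get(sn)
        if rec is None:
            return False
        nat_ip, nat_port, _ = rec
        return nat.inbound(self.ip, nat_ip, nat_port) is not None


class LoadBalancer:
    """Round-robin over surviving nodes: the simplest configurable balancing rule."""
    def __init__(self, nodes):
        self._rr = itertools.cycle(nodes)

    def pick(self):
        return next(self._rr)


def send_keepalive(sn, priv_ip, priv_port, nat, lb):
    """Fig. 4: access controller -> NAT -> load balancer -> one surviving Portal node.
    The node is picked first only so the NAT can record which peer the packet reached."""
    node = lb.pick()
    nat_ip, nat_port = nat.outbound(priv_ip, priv_port, node.ip)
    node.on_keepalive(sn, nat_ip, nat_port)
    return node.ip


def portal_auth(sn, nat, lb, nodes_by_ip):
    """Fig. 5 + Fig. 6. Returns (node the redirected HTTP request landed on, keep-alive node,
    whether auth would succeed on that first node, whether it succeeds on the keep-alive node)."""
    first = lb.pick()                       # redirected HTTP request balanced to any node
    target_ip = first.push_interface(sn)    # Fig. 5: page carries the keep-alive node IP
    naive_ok = first.authenticate(sn, nat)  # the Fig. 3 failure: first node tries itself
    if target_ip is None:
        return first.ip, None, naive_ok, False
    target = nodes_by_ip[target_ip]         # Fig. 6 step 1: client bypasses the balancer
    return first.ip, target.ip, naive_ok, target.authenticate(sn, nat)


def demo():
    shared = {}  # the cluster's shared data layer
    nodes = [PortalNode("10.0.0.1", shared), PortalNode("10.0.0.2", shared)]
    by_ip = {n.ip: n for n in nodes}
    lb = LoadBalancer(nodes)
    nat = NatDevice(public_ip="203.0.113.7")
    # Constructed site: access controller SN "ACD-0001" at private 192.168.1.1:2000.
    ka_node = send_keepalive("ACD-0001", "192.168.1.1", 2000, nat, lb)
    known = portal_auth("ACD-0001", nat, lb, by_ip)    # lands on the other node first
    unknown = portal_auth("ACD-9999", nat, lb, by_ip)  # a device that never kept alive
    return ka_node, known, unknown


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the HTTP request landing on node 10.0.0.2 while the keep-alive went to 10.0.0.1: authenticating on 10.0.0.2 is dropped by the NAT, while following the page's node IP to 10.0.0.1 succeeds, and an SN with no keep-alive record cannot be reached at all.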

Claims (10)

1. the Portal keep-alive system based on authentication service cluster, which is characterized in that including:
Access control equipment sends the keep-alive for carrying equipment of itself sequence number to load balancer for continuing by NAT device Message;
NAT device, for after receiving the keep alive Packet that the access control equipment is sent, to the source IP in keep alive Packet Location and source port are sent to load balancer after carrying out NAT conversion, and with saving the IP of access control equipment conversion front and back The mapping relations of location and port numbers;
Load balancer is sent to some Portal service node for the rule by keep alive Packet according to the load balancing of setting On;
Portal service node, for storing the equipment Serial Number of access control equipment after receiving the keep alive Packet, NAT turns IP address and port numbers after changing receive incidence relation between the Portal service node IP addresses of keep alive Packet;It is also used to The equipment Serial Number that parsing obtains access control equipment, and root are carried out after the HTTP request for the redirection for receiving Authentication Client The Portal service node that the access control equipment corresponds to keep-alive is obtained according to the equipment Serial Number inquiry of the access control equipment IP to Authentication Client pushing certification interface, and carries in content of pages the Portal service node of the keep-alive of acquisition IP。
2. the Portal keep-alive system based on authentication service cluster as described in claim 1, which is characterized in that the mapping is closed System refers to that the private network IP address of access control equipment, private network port numbers correspond between the public network IP address of NAT device, public network port Relationship.
3. A Portal keep-alive method based on an authentication service cluster, characterized in that it comprises the following steps:
A. the access control device continuously sends, through a NAT device, keep-alive messages carrying its own device serial number to a load balancer;
B. after receiving the keep-alive message sent by the access control device, the NAT device performs NAT translation on the source IP address and source port number of the keep-alive message, sends it on to the load balancer, and saves the mapping relationship between the IP address and port number of the access control device before and after translation;
C. the load balancer sends the keep-alive message to one of the Portal service nodes according to the configured load balancing rule;
D. after receiving the keep-alive message, the Portal service node stores the association between the serial number of the access control device, the NAT-translated IP address and port number, and the IP address of the Portal service node that received the keep-alive message, which is used as follows:
in the authentication phase, after receiving the redirected HTTP request of the authentication client, the Portal service node parses it to obtain the device serial number of the access control device, queries by that device serial number to obtain the IP of the Portal service node that holds the keep-alive for the access control device, pushes an authentication page to the authentication client, and carries the obtained IP of the keep-alive Portal service node in the page content.
4. The Portal keep-alive method based on an authentication service cluster according to claim 3, characterized in that in step B the mapping relationship refers to the correspondence between the private network IP address and private network port number of the access control device and the public network IP address and public network port number of the NAT device.
5. A Portal authentication system based on an authentication service cluster, characterized in that it comprises:
an authentication client, configured to issue an HTTP request to the access control device when accessing network resources and, after that HTTP request is intercepted by the access control device, to send the redirected HTTP request to the load balancer; and further configured to, after receiving the authentication page pushed by a Portal service node, initiate an authentication request directly to the Portal service node whose IP is carried in the page content;
an access control device, configured to intercept the HTTP request initiated by the authentication client and judge whether the client has access permission, and if it has no access permission, to redirect the HTTP request to the load balancer and add its own device serial number to the request parameters; and further configured to, after receiving the Portal authentication message sent by the Portal service node, return a Portal authentication response message to the Portal service node;
a NAT device, configured to save the mapping relationship between the access control device and the NAT device and, on receiving a Portal authentication message sent by the Portal service node, to send that Portal authentication message to the corresponding access control device according to the mapping relationship;
a load balancer, configured to send the redirected HTTP request of the authentication client to one of the Portal service nodes according to the configured load balancing rule;
a Portal service node, configured to, after receiving the redirected HTTP request of the authentication client, parse it to obtain the device serial number of the access control device, query by that device serial number to obtain the IP of the Portal service node that holds the keep-alive for that access control device, push an authentication page to the authentication client, and carry the obtained IP of the keep-alive Portal service node in the page content;
and further configured to, after receiving the authentication request of the authentication client, query the NAT-mapped IP address and port number of the access control device according to the device serial number carried in the authentication request and then send a Portal authentication message to the NAT device; and to respond to the authentication request of the authentication client according to the Portal authentication response message returned by the corresponding access control device.
6. The Portal authentication system based on an authentication service cluster according to claim 5, characterized in that the mapping relationship refers to the correspondence between the private network IP address and private network port number of the access control device and the public network IP address and public network port number of the NAT device.
7. The Portal authentication system based on an authentication service cluster according to claim 5, characterized in that the serial number of the access control device is unique.
8. A Portal authentication method based on an authentication service cluster, characterized in that it comprises the following steps:
A. the authentication client issues an HTTP request to the access control device when accessing network resources;
B. the access control device intercepts the HTTP request initiated by the authentication client and judges whether the client has access permission; if it has no access permission, the access control device redirects the HTTP request to the load balancer and adds its own device serial number to the request parameters;
C. the load balancer sends the redirected HTTP request of the authentication client to one of the Portal service nodes according to the configured load balancing rule;
D. after receiving the redirected HTTP request of the authentication client, the Portal service node parses it to obtain the device serial number of the access control device, queries by that device serial number to obtain the IP of the Portal service node that holds the keep-alive for that access control device, pushes an authentication page to the authentication client, and carries the obtained IP of the keep-alive Portal service node in the page content;
E. after receiving the authentication page pushed by the Portal service node, the authentication client initiates an authentication request directly to the Portal service node whose IP is carried in the page content;
F. after receiving the authentication request of the authentication client, the Portal service node queries the NAT-mapped IP address and port of the access control device according to the device SN carried in the authentication request, and then sends a Portal authentication message to the NAT device;
G. the NAT device sends the Portal authentication message to the corresponding access control device according to the saved mapping relationship;
H. after receiving the Portal authentication message, the corresponding access control device returns a Portal authentication response message to the Portal service node;
I. the Portal service node responds to the authentication request of the authentication client according to the Portal authentication response message returned by the corresponding access control device.
9. The Portal authentication method based on an authentication service cluster according to claim 8, characterized in that in step G the mapping relationship refers to the correspondence between the private network IP address and private network port number of the access control device and the public network IP address and public network port number of the NAT device.
10. The Portal authentication method based on an authentication service cluster according to claim 8, characterized in that the device serial number of the access control device is unique.
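The keep-alive registration of claims 1 to 4 and the authentication exchange of claims 5 to 10, modelled end to end as an added Python example; this is not code from the patent or from Maipu. The query parameter name `sn`, the round-robin balancing rule, the cluster-wide shared registry that every Portal node reads, and the credential table checked inside the access control device are assumptions, and every address, port and serial number is constructed.

```python
"""Model of the cluster Portal keep-alive and authentication flow (claims 1-10).

Added example, not the patent's own code. Assumptions: the serial travels in a
query parameter named "sn", the balancer is round-robin, the nodes share one
registry, and the access control device checks a local credential table.
"""
from dataclasses import dataclass, field
from itertools import cycle
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass
class NatDevice:
    """Translates source address/port and keeps the private <-> public mapping (claims 1-2)."""
    public_ip: str
    next_port: int = 40000
    forward: dict = field(default_factory=dict)   # (priv_ip, priv_port) -> (pub_ip, pub_port)
    reverse: dict = field(default_factory=dict)   # (pub_ip, pub_port) -> (priv_ip, priv_port)

    def translate(self, private):
        if private not in self.forward:
            public = (self.public_ip, self.next_port)
            self.next_port += 1
            self.forward[private] = public
            self.reverse[public] = private
        return self.forward[private]

    def deliver_to_device(self, public, devices, message):
        """Step G: map the public address back to the access control device."""
        private = self.reverse.get(public)
        if private is None:
            return {"status": "no-mapping"}
        return devices[private].handle_portal_auth(message)


@dataclass
class AccessControlDevice:
    serial: str
    private_addr: tuple            # (ip, port) the keep-alive is sent from
    nat: NatDevice
    balancer_url: str
    users: dict                    # constructed credential table (assumption)
    authorized: set = field(default_factory=set)

    def send_keepalive(self, balancer):
        """Steps A/B: keep-alive carrying the serial goes through NAT to the balancer."""
        balancer.dispatch_keepalive({"sn": self.serial}, self.nat.translate(self.private_addr))

    def intercept_http(self, client_id, url):
        """Step B of claim 8: unauthorized clients are redirected with the serial appended."""
        if client_id in self.authorized:
            return {"action": "allow", "url": url}
        return {"action": "redirect",
                "url": f"{self.balancer_url}/portal?{urlencode({'sn': self.serial, 'url': url})}"}

    def handle_portal_auth(self, message):
        """Step H: verify the credentials and answer the Portal authentication message."""
        ok = self.users.get(message["user"]) == message["password"]
        if ok:
            self.authorized.add(message["client_id"])
        return {"status": "success" if ok else "failure", "sn": self.serial}


@dataclass
class PortalNode:
    ip: str
    registry: dict     # shared store: sn -> {"nat_addr": (ip, port), "node_ip": ip} (assumption)

    def handle_keepalive(self, message, nat_src):
        """Step D of claim 3: record serial -> (NAT address, node that holds the keep-alive)."""
        self.registry[message["sn"]] = {"nat_addr": nat_src, "node_ip": self.ip}

    def handle_redirected_request(self, url):
        """Step D of claim 8: the serial is only a key into keep-alive state, never trusted alone."""
        params = parse_qs(urlparse(url).query)
        entry = self.registry.get(params.get("sn", [None])[0])
        if entry is None:
            return {"status": 404, "reason": "unknown access control device"}
        return {"status": 200, "portal_ip": entry["node_ip"], "sn": params["sn"][0]}

    def handle_auth_request(self, request, nat, devices):
        """Steps F and I: only the keep-alive node relays, via the NAT mapping it learned."""
        entry = self.registry.get(request["sn"])
        if entry is None or entry["node_ip"] != self.ip:
            return {"status": "failure", "reason": "not the keep-alive node for this device"}
        reply = nat.deliver_to_device(entry["nat_addr"], devices, {
            "user": request["user"], "password": request["password"],
            "client_id": request["client_id"]})
        return {"status": reply["status"], "sn": request["sn"]}


class LoadBalancer:
    def __init__(self, nodes):
        self._rr = cycle(nodes)   # round-robin stands in for the claims' "configured rule"

    def dispatch_keepalive(self, message, nat_src):
        next(self._rr).handle_keepalive(message, nat_src)

    def dispatch_http(self, url):
        return next(self._rr).handle_redirected_request(url)


def run_flow():
    """Run keep-alive, redirect, authentication, plus two misuse cases; returns the outcomes."""
    registry = {}
    nodes = [PortalNode("10.0.0.1", registry), PortalNode("10.0.0.2", registry)]
    by_ip = {n.ip: n for n in nodes}
    lb, nat = LoadBalancer(nodes), NatDevice(public_ip="203.0.113.5")
    device = AccessControlDevice("SN-0001", ("192.168.1.1", 2000), nat,
                                 "http://lb.example.test", users={"alice": "correct horse"})
    devices = {device.private_addr: device}

    device.send_keepalive(lb)                       # lands on 10.0.0.1 (first round-robin pick)
    redirect = device.intercept_http("client-A", "http://intranet.example.test/")
    page = lb.dispatch_http(redirect["url"])        # lands on 10.0.0.2, which points at 10.0.0.1
    result = by_ip[page["portal_ip"]].handle_auth_request(
        {"sn": page["sn"], "user": "alice", "password": "correct horse",
         "client_id": "client-A"}, nat, devices)
    after = device.intercept_http("client-A", "http://intranet.example.test/")
    forged = lb.dispatch_http("http://lb.example.test/portal?sn=SN-9999&url=x")
    wrong_node = by_ip["10.0.0.2"].handle_auth_request(
        {"sn": "SN-0001", "user": "alice", "password": "correct horse",
         "client_id": "client-B"}, nat, devices)
    return {"keepalive_node": registry["SN-0001"]["node_ip"], "page_node": page["portal_ip"],
            "auth": result["status"], "after": after["action"],
            "forged": forged["status"], "wrong_node": wrong_node["status"]}
```

The two misuse cases at the end show the defensive value of the design: a serial number that never appeared in a keep-alive yields no page at all, and an authentication request that reaches a node other than the keep-alive holder is refused, so editing the redirect's query string does not let a client choose which node (or which NAT mapping) handles its authentication.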
CN201510995580.7A 2015-12-24 2015-12-24 Portal keep-alive system and method, Verification System and method based on authentication service cluster Active CN105516171B (en)
Publications (2)

Publication Number Publication Date
CN105516171A CN105516171A (en) 2016-04-20
CN105516171B true CN105516171B (en) 2018-11-30
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant