CN105516171B - Portal keep-alive system and method, authentication system and method based on authentication service cluster - Google Patents
- Publication number: CN105516171B (application number CN201510995580.7A)
- Authority: CN (China)
- Prior art keywords: portal, access control, control equipment, service node, keep
- Legal status: Active (the status is Google's assumption, not a legal conclusion)
Classifications (CPC, all under H04L, transmission of digital information):
- H04L63/0892—Network security; authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L61/2532—Network addressing; translation of Internet protocol [IP] addresses; translation architectures other than single NAT servers; clique of NAT servers
- H04L63/0876—Network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10—Network security; controlling access to devices or network resources
- H04L63/1466—Network security; countermeasures against active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L67/02—Network services; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/1036—Network services; protocols in which an application is distributed across nodes; load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers
Abstract
The present invention relates to WLAN secure access technology and discloses a Portal keep-alive system and method, and an authentication system and method, based on an authentication service cluster. It addresses a prior-art problem: when the Portal service node that holds an access control device's keep-alive differs from the node the load balancer assigns to the device's authentication traffic, Portal messages cannot be delivered to the access control device. The Portal keep-alive system comprises: an access control device, which continuously sends keep-alive packets carrying its own device serial number to a load balancer through a NAT device; the NAT device, which translates the source IP address and source port of each keep-alive packet, forwards the packet to the load balancer, and records the mapping between the device's IP address and port number before and after translation; the load balancer, which distributes each keep-alive packet to one Portal service node; and the Portal service node, which on receipt of a keep-alive packet stores the association between the device serial number, the post-NAT IP address and port number, and the IP address of the Portal service node that received the packet. The invention is applicable to Portal authentication with enterprise authentication service clusters.
Description
Technical field
The present invention relates to WLAN secure access technology, and in particular to a Portal keep-alive system and method, and an authentication system and method, based on an authentication service cluster.
Background art
With the rapid development of network application technology, network information security problems have become increasingly prominent. Network access authentication technologies such as 802.1x (a port-based network access control protocol), PPPoE (Point-to-Point Protocol over Ethernet) authentication and Portal authentication have spread rapidly as important technical and administrative means of addressing these problems. Portal authentication in particular, because it logs the user in through a web page, is simple to operate, offers rich presentation and is convenient for promoting services, and has therefore seen increasingly wide use.
The simplest Portal authentication architecture is shown in Fig. 1 and consists of four parts: an authentication client, a Portal server, an access control device and an AAA server. The authentication client is the client-side software on the user terminal, such as a browser speaking HTTP. The Portal server is the server-side system that receives the client's authentication requests; it provides free services and the web authentication interface, and exchanges the client's authentication information with the access control device. The access control device does three things: before authentication it intercepts all HTTP requests in the authenticated network segment and redirects them to the Portal server; during authentication it exchanges UDP messages with the Portal server and the AAA server; after authentication succeeds it lets users who passed Portal authentication reach the network resources the administrator has authorized. The AAA server exchanges UDP messages with the access control device to complete authentication and accounting for the user.
The Portal authentication architecture commonly used today is shown in Fig. 2. A set of Portal and AAA authentication servers deployed in the enterprise headquarters machine room provides authentication service to many sites. Each site configures private network addresses on its access control device according to its own rules, and a NAT (Network Address Translation) device between the site and the headquarters machine room maps the user terminals on the site's private network into the enterprise intranet. From the interaction between the Portal server and the access control device described above, the Portal server in Fig. 2 can only look up the access control device's IP address on the basis of the authentication HTTP request it receives. Because user terminals in this environment use private addresses, the address ranges that different sites allocate to their terminals may overlap, so a mapping from user IP address to access control device IP address cannot reliably identify the correct access control device, and the Portal server cannot establish a session with it for the subsequent message exchange. The existing workaround is for the HTTP request that the user terminal sends to the Portal server to carry both the user's public and private addresses; the Portal server checks whether the two are consistent and, when they are not, obtains the access control device's IP address from a pre-configured mapping (user terminal public address, private address and access control device IP) and establishes the session. This method is complex to configure and impractical to operate: for a large enterprise with tens of thousands of sites, collecting and configuring the mapping between user terminal public and private addresses and access control device IPs is cumbersome and error-prone.
In the scenario of Fig. 2, the NAT between a site's access control device and the headquarters machine room may be one-way (outbound only). Messages that the Portal server initiates towards the device then cannot be delivered, and the access control device has to keep sending keep-alive messages to the Portal server so that the NAT binding stays usable.
As application scenarios have developed, a single Portal and AAA server can no longer serve the concurrency of an enterprise's users, which now reaches tens of millions, and clustered deployment has become inevitable. As shown in Fig. 3, a Portal and AAA service cluster with a shared data layer is deployed in the headquarters machine room; the site client's authentication HTTP request is distributed by a load balancer to any service node, and that node and the site's access control device complete the authentication process by exchanging messages. If a one-way NAT is configured between the access control device and the Portal and AAA devices, the service node holding the access device's keep-alive may differ from the node the load balancer chose, and the Portal message cannot be delivered to the access control device. For example, the site's access control device keeps its link alive with Portal service node 1, but the site's HTTP authentication request is distributed to Portal service node 2, and node 2 cannot actively establish a session with the access control device.
Summary of the invention
The technical problem solved by the present invention is to propose a Portal keep-alive system and method, and an authentication system and method, based on an authentication service cluster, so as to overcome the prior-art problem that Portal messages cannot be delivered to the access control device when the node holding the device's keep-alive is inconsistent with the node the load balancer assigned.
The technical solution adopted by the invention to solve this problem is a Portal keep-alive system based on an authentication service cluster, comprising:
an access control device, for continuously sending keep-alive packets carrying its own device serial number to the load balancer through a NAT device;
a NAT device, for translating, on receipt of a keep-alive packet from the access control device, the packet's source IP address and source port, forwarding the packet to the load balancer, and storing the mapping between the access control device's IP address and port number before and after translation;
a load balancer, for forwarding each keep-alive packet to one Portal service node according to the configured load balancing rule;
a Portal service node, for storing, on receipt of the keep-alive packet, the association between the access control device's serial number, its post-NAT IP address and port number, and the IP address of the Portal service node that received the packet.
Further, the mapping refers to the relationship between the access control device's private IP address and private port number and the corresponding public IP address and public port number of the NAT device.
A Portal keep-alive method based on an authentication service cluster comprises the following steps:
A. The access control device continuously sends keep-alive packets carrying its own device serial number to the load balancer through a NAT device.
B. On receiving a keep-alive packet from the access control device, the NAT device translates the packet's source IP address and source port, forwards it to the load balancer, and stores the mapping between the access control device's IP address and port number before and after translation.
C. The load balancer forwards the keep-alive packet to one Portal service node according to the configured load balancing rule.
D. On receiving the keep-alive packet, the Portal service node stores the association between the access control device's serial number, its post-NAT IP address and port number, and the IP address of the Portal service node that received the packet.
Further, in step B the mapping refers to the relationship between the access control device's private IP address and private port number and the corresponding public IP address and public port number of the NAT device.
A Portal authentication system based on an authentication service cluster comprises:
an authentication client, for sending an HTTP request to the access control device when accessing network resources and, after the access control device intercepts the request, sending the redirected HTTP request to the load balancer; and for sending, on receipt of the authentication interface pushed by a Portal service node, its authentication request directly to the Portal service node whose IP is carried in the page content;
an access control device, for intercepting the HTTP request initiated by the authentication client, determining whether the client has access permission and, if not, redirecting the HTTP request to the load balancer with its own device serial number added to the request parameters; and for returning a Portal authentication response message to the Portal service node after receiving the Portal authentication message that node sent;
a NAT device, for storing the mapping between the access control device and the NAT device and, on receiving a Portal authentication message from a Portal service node, forwarding it to the corresponding access control device according to that mapping;
a load balancer, for forwarding the redirected HTTP request from the authentication client to one Portal service node according to the configured load balancing rule;
a Portal service node, for parsing the redirected HTTP request from the authentication client to obtain the access control device's serial number, looking up by that serial number the IP of the Portal service node holding the device's keep-alive, and pushing the authentication interface to the authentication client with the looked-up IP carried in the page content;
and for looking up, on receipt of the client's authentication request, the post-NAT IP address and port number of the access control device by the device serial number carried in the request, then sending a Portal authentication message to the NAT device, and answering the client's authentication request according to the Portal authentication response message returned by the corresponding access control device.
Further, the mapping refers to the relationship between the access control device's private IP address and private port number and the corresponding public IP address and public port number of the NAT device.
Further, the serial number of the access control device is unique.
A Portal authentication method based on an authentication service cluster comprises the following steps:
A. The authentication client sends an HTTP request to the access control device when accessing network resources.
B. The access control device intercepts the HTTP request from the authentication client and determines whether the client has access permission; if not, it redirects the HTTP request to the load balancer, adding its own device serial number to the request parameters.
C. The load balancer forwards the redirected HTTP request from the authentication client to one Portal service node according to the configured load balancing rule.
D. The Portal service node parses the redirected HTTP request to obtain the access control device's serial number, looks up by that serial number the IP of the Portal service node holding the device's keep-alive, and pushes the authentication interface to the authentication client with that IP carried in the page content.
E. On receiving the authentication interface pushed by the Portal service node, the authentication client sends its authentication request directly to the Portal service node whose IP is carried in the page content.
F. On receiving the authentication request, that Portal service node looks up, by the device serial number (SN) carried in the request, the post-NAT IP address and port of the access control device, and sends a Portal authentication message to the NAT device.
G. The NAT device forwards the Portal authentication message to the corresponding access control device according to the stored mapping.
H. The access control device receives the Portal authentication message and returns a Portal authentication response message to the Portal service node.
I. The Portal service node answers the client's authentication request according to the Portal authentication response message returned by the corresponding access control device.
Further, in step G the mapping refers to the relationship between the access control device's private IP address and private port number and the corresponding public IP address and public port number of the NAT device.
Further, the serial number of the access control device is unique.
The beneficial effect of the invention is as follows. By carrying the access control device's serial number in the keep-alive packet, a mapping is established between the device's serial number, its post-NAT IP address and port number, and the IP of the Portal service node. Later, the Portal node holding the device's keep-alive and the device's post-NAT IP address and port number can be looked up by the device's serial number, which solves the problem that Portal messages cannot be delivered to the access control device when the keep-alive node and the load-balanced Portal service node are inconsistent.
Brief description of the drawings:
Fig. 1 is a schematic diagram of the structure of a prior-art Portal authentication system;
Fig. 2 is a schematic diagram of a prior-art single-server Portal authentication scenario;
Fig. 3 is a schematic diagram of a prior-art clustered Portal authentication scenario;
Fig. 4 is an interaction diagram of keep-alive processing between the access control device and the Portal service node according to the invention;
Fig. 5 is a flow chart of the Portal service node pushing the authentication interface during Portal authentication according to the invention;
Fig. 6 is a flow chart of the authentication client authenticating to the designated Portal service node during Portal authentication according to the invention.
Detailed description of the embodiments
The present invention proposes a Portal keep-alive system and method, and an authentication system and method, based on an authentication service cluster, to solve the prior-art problem that Portal messages cannot be delivered to the access control device when the keep-alive node and the load-balanced Portal service node are inconsistent.
The Portal keep-alive system based on an authentication service cluster in the present invention comprises an access control device, a NAT device, a load balancer and a Portal service node. The access control device continuously sends keep-alive packets carrying its own device serial number to the load balancer through the NAT device. The NAT device translates each keep-alive packet's source IP address and source port, forwards the packet to the load balancer, and stores the mapping between the access control device's IP address and port number before and after translation. The load balancer forwards the packet to one Portal service node according to the configured load balancing rule. The Portal service node stores, on receipt of the packet, the association between the device serial number, the post-NAT IP address and port number, and the IP address of the Portal service node that received the packet.
As shown in Fig. 4, the keep-alive processing method between the access control device and the Portal service node, realised with the keep-alive system above, comprises the following steps:
1. The access control device continuously sends UDP keep-alive packets to the load balancer. Each packet carries the access control device's serial number (the serial number is unique; it is abbreviated SN in the figure). As the packet passes through the NAT device its source IP address and source port are translated, and the NAT device stores the mapping between the access control device's IP address and port number before and after translation.
2. The keep-alive packet reaches the load balancer through the NAT device, and the load balancer forwards it to one live Portal service node according to the configured load balancing rule.
3. The Portal service node parses the received packet to obtain the access control device's serial number, and stores the post-NAT IP address and port number together with its own local IP address, using the access control device's serial number as the primary key.
The Portal authentication system based on an authentication service cluster in the present invention comprises an authentication client, an access control device, a NAT device, a load balancer and Portal service nodes. The authentication client sends an HTTP request to the access control device when accessing network resources, sends the redirected HTTP request to the load balancer after the access control device intercepts it, and, on receiving the authentication interface pushed by a Portal service node, sends its authentication request directly to the Portal service node whose IP is carried in the page content. The access control device intercepts the client's HTTP request, determines whether the client has access permission and, if not, redirects the request to the load balancer with its own device serial number added to the request parameters; after receiving a Portal authentication message from a Portal service node it returns a Portal authentication response message to that node. The NAT device stores the mapping between the access control device and the NAT device and, on receiving a Portal authentication message from a Portal service node, forwards it to the corresponding access control device according to that mapping. The load balancer forwards the redirected HTTP request to one Portal service node according to the configured load balancing rule. The Portal service node parses the redirected HTTP request to obtain the access control device's serial number, looks up by that serial number the IP of the Portal service node holding the device's keep-alive, and pushes the authentication interface to the client with the looked-up IP carried in the page content; on receiving the client's authentication request it looks up, by the device serial number carried in the request, the device's post-NAT IP address and port number, sends a Portal authentication message to the NAT device, and answers the client's authentication request according to the Portal authentication response message returned by the corresponding access control device.
As shown in Fig. 5, based on the authentication system above, the process by which a Portal service node pushes the authentication interface during Portal authentication comprises the following steps:
1. The authentication client connects to Wi-Fi, reaches the access control device, opens a browser and accesses an external network resource.
2. The access control device intercepts the client's access request and determines whether the client has access permission. If not, it redirects the client to the Portal service push interface URL; the IP in the URL points to the load balancer, and the URL carries the access control device's serial number.
3. The authentication client requests the redirected push interface URL; the request is sent to the load balancer through the NAT device.
4. The load balancer forwards the request to any live Portal service node according to its load balancing rule.
5. The Portal service node queries the data storage area by the access control device's serial number and obtains the IP address of the Portal service node holding that device's keep-alive.
6. The Portal service node answers the client's request by pushing the authentication page, with the IP address obtained in the previous step carried in the page content.
Finally, the process by which the authentication client authenticates to the designated Portal service node is shown in Fig. 6 and comprises the following steps:
1. The authentication client initiates an authentication request whose server address is the Portal service node IP address carried in the web page. The request passes through the NAT device and is forwarded directly to the designated Portal service node without going through the load balancer; because the access control device's keep-alive packet was load balanced, this is equivalent to having passed through the load balancer.
2. The Portal service node queries, by the access control device's serial number (SN) in the authentication request, the post-NAT IP address and port number of the access control device.
3. The Portal service node sends a Portal authentication message to the NAT device, and the NAT device forwards it to the designated access control device according to the IP and port mapping.
4. The access control device returns a Portal authentication response message (the interaction between the access control device and the AAA service is omitted).
5. The Portal service node answers the client's authentication request.
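The keep-alive procedure of Fig. 4 and the two-phase authentication flow of Figs. 5 and 6 (steps A to I of the Summary), as an added Python simulation that is not the patent's code. The addresses, the class and function names, the `sn` URL parameter name and a 60-second NAT binding timeout are assumptions made for illustration; the `wrong_node` case reproduces the Fig. 3 failure, and the `expired` case shows what happens when the device stops sending keep-alives.

```python
"""Added example (not the patent's code): simulation of the serial-number-keyed
keep-alive registry and the Portal authentication flow of Figs. 4 to 6.
Addresses, the "sn" URL parameter and the NAT binding timeout are assumed."""
from dataclasses import dataclass
from itertools import cycle
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class KeepaliveEntry:
    nat_ip: str     # source IP after NAT translation
    nat_port: int   # source port after NAT translation
    node_ip: str    # Portal service node that received the keep-alive


class NatDevice:
    """One-way NAT: bindings are created by outbound packets only and expire
    if not refreshed within binding_timeout seconds (assumed value)."""

    def __init__(self, public_ip, binding_timeout=60):
        self.public_ip, self.binding_timeout = public_ip, binding_timeout
        self.ports = {}     # (private_ip, private_port) -> public_port
        self.bindings = {}  # (public_ip, public_port) -> (private endpoint, last_seen)

    def translate(self, src_ip, src_port, now):
        key = (src_ip, src_port)
        pub = (self.public_ip, self.ports.setdefault(key, 40000 + len(self.ports)))
        self.bindings[pub] = (key, now)      # create or refresh the binding
        return pub

    def forward_inbound(self, dst_ip, dst_port, now):
        """Private endpoint for a packet from the cluster, or None when the
        binding is unknown or has timed out."""
        hit = self.bindings.get((dst_ip, dst_port))
        if hit is None or now - hit[1] > self.binding_timeout:
            return None
        return hit[0]


class PortalNode:
    """One cluster node; `registry` is the shared data layer keyed by device SN."""

    def __init__(self, ip, registry):
        self.ip, self.registry = ip, registry

    def on_keepalive(self, sn, nat_ip, nat_port):
        # Fig. 4 step 3: the device SN is the primary key of the association.
        self.registry[sn] = KeepaliveEntry(nat_ip, nat_port, self.ip)

    def on_redirected_http(self, url):
        # Fig. 5 steps 5 and 6: any node can answer from the shared data.
        sn = parse_qs(urlparse(url).query).get("sn", [None])[0]
        entry = self.registry.get(sn)
        if entry is None:
            return None          # no keep-alive known for this SN: refuse, do not guess
        return {"page": "auth", "portal_ip": entry.node_ip, "sn": sn}

    def on_auth_request(self, sn, nat, now):
        # Fig. 6 steps 2 to 4: look up the post-NAT endpoint, send via the NAT.
        entry = self.registry.get(sn)
        if entry is None or entry.node_ip != self.ip:
            return "reject"      # assumed: only the keep-alive node may reach the device
        private = nat.forward_inbound(entry.nat_ip, entry.nat_port, now)
        if private is None:
            return "reject"      # binding gone: the device stopped sending keep-alives
        return "ok", private     # the Portal auth message reaches the access controller


def redirect_url(lb_ip, sn):
    """Fig. 5 step 2: redirect to the LB with the device SN in the parameters."""
    return "http://%s/portal/push?%s" % (lb_ip, urlencode({"sn": sn}))


def run_scenario():
    """Constructed scenario: one site device, two Portal nodes, one NAT."""
    registry = {}
    nodes = {ip: PortalNode(ip, registry) for ip in ("10.0.0.11", "10.0.0.12")}
    lb = cycle(nodes)   # round-robin load balancer, same rule for UDP and HTTP
    nat = NatDevice("203.0.113.5")
    sn, private = "AC-SITE-0001", ("192.168.1.1", 2000)

    ka_node = nodes[next(lb)]                         # Fig. 4
    ka_node.on_keepalive(sn, *nat.translate(*private, now=0))
    http_node = nodes[next(lb)]                       # Fig. 5, the other node
    page = http_node.on_redirected_http(redirect_url("198.51.100.1", sn))
    return {
        "keepalive_node": ka_node.ip,
        "http_node": http_node.ip,
        "page": page,
        "auth": nodes[page["portal_ip"]].on_auth_request(sn, nat, now=30),   # Fig. 6
        "wrong_node": http_node.on_auth_request(sn, nat, now=30),            # Fig. 3 failure
        "expired": nodes[page["portal_ip"]].on_auth_request(sn, nat, now=120),
        "unknown": http_node.on_redirected_http(redirect_url("198.51.100.1", "AC-NONE")),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two points the patent text leaves open, for anyone building this: the serial number reaches the cluster in a client-controlled URL parameter and in a UDP keep-alive whose authentication the page does not describe, so a deployment has to authenticate the keep-alive source, since otherwise the registry entry for a serial number is whatever the most recent packet carrying it said; and the keep-alive interval must be shorter than the NAT's UDP binding timeout, or the inbound Portal message is dropped exactly as the `expired` case shows.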
Claims (10)
1. the Portal keep-alive system based on authentication service cluster, which is characterized in that including:
Access control equipment sends the keep-alive for carrying equipment of itself sequence number to load balancer for continuing by NAT device
Message;
NAT device, for after receiving the keep alive Packet that the access control equipment is sent, to the source IP in keep alive Packet
Location and source port are sent to load balancer after carrying out NAT conversion, and with saving the IP of access control equipment conversion front and back
The mapping relations of location and port numbers;
Load balancer is sent to some Portal service node for the rule by keep alive Packet according to the load balancing of setting
On;
Portal service node, for storing the equipment Serial Number of access control equipment after receiving the keep alive Packet, NAT turns
IP address and port numbers after changing receive incidence relation between the Portal service node IP addresses of keep alive Packet;It is also used to
The equipment Serial Number that parsing obtains access control equipment, and root are carried out after the HTTP request for the redirection for receiving Authentication Client
The Portal service node that the access control equipment corresponds to keep-alive is obtained according to the equipment Serial Number inquiry of the access control equipment
IP to Authentication Client pushing certification interface, and carries in content of pages the Portal service node of the keep-alive of acquisition
IP。
2. the Portal keep-alive system based on authentication service cluster as described in claim 1, which is characterized in that the mapping is closed
System refers to that the private network IP address of access control equipment, private network port numbers correspond between the public network IP address of NAT device, public network port
Relationship.
3. A Portal keep-alive method based on an authentication service cluster, characterized in that it comprises the following steps:
A. the access control device continuously sends, through the NAT device, keep-alive packets carrying its own device serial number to the load balancer;
B. after receiving the keep-alive packet sent by the access control device, the NAT device performs NAT translation on the source IP address and source port number of the keep-alive packet, forwards it to the load balancer, and saves the mapping relationship between the IP address and port number of the access control device before and after translation;
C. the load balancer forwards the keep-alive packet to one of the Portal service nodes according to the configured load balancing rule;
D. after receiving the keep-alive packet, the Portal service node stores the association between the device serial number of the access control device, the NAT-translated IP address and port number, and the IP address of the Portal service node that received the keep-alive packet, which is used as follows: in the authentication phase, after receiving the HTTP request redirected by the authentication client, the Portal service node parses it to obtain the device serial number of the access control device, queries with that serial number to obtain the IP of the Portal service node that holds the keep-alive for the access control device, pushes the authentication page to the authentication client, and carries the obtained keep-alive Portal service node IP in the page content.
4. The Portal keep-alive method based on an authentication service cluster according to claim 3, characterized in that in step B the mapping relationship is the correspondence between the private-network IP address and private-network port number of the access control device and the public-network IP address and public-network port number of the NAT device.
5. A Portal authentication system based on an authentication service cluster, characterized in that it comprises:
an authentication client, configured to issue an HTTP request to the access control device when accessing a network resource and, after the HTTP request has been intercepted by the access control device, to send the redirected HTTP request to the load balancer; and further configured, after receiving the authentication page pushed by a Portal service node, to initiate an authentication request directly to the Portal service node whose IP is carried in the page content;
an access control device, configured to intercept the HTTP request initiated by the authentication client and judge whether the client has access permission; if the client has no access permission, to redirect the HTTP request to the load balancer and add its own device serial number to the request parameters; and, after receiving the Portal authentication message sent by the Portal service node, to return a Portal authentication response message to the Portal service node;
a NAT device, configured to save the mapping relationship between the access control device and the NAT device and, when receiving the Portal authentication message sent by the Portal service node, to send that Portal authentication message to the corresponding access control device according to the mapping relationship;
a load balancer, configured to forward the redirected HTTP request of the authentication client to one of the Portal service nodes according to the configured load balancing rule;
a Portal service node, configured, after receiving the redirected HTTP request of the authentication client, to parse it to obtain the device serial number of the access control device, to query with that serial number to obtain the IP of the Portal service node that holds the keep-alive for the access control device, to push the authentication page to the authentication client, and to carry the obtained keep-alive Portal service node IP in the page content; and, after receiving the authentication request of the authentication client, to query the NAT-mapped IP address and port number of the access control device according to the device serial number carried in the authentication request, then send a Portal authentication message to the NAT device, and respond to the authentication request of the authentication client according to the Portal authentication response message returned by the corresponding access control device.
6. The Portal authentication system based on an authentication service cluster according to claim 5, characterized in that the mapping relationship is the correspondence between the private-network IP address and private-network port number of the access control device and the public-network IP address and public-network port number of the NAT device.
7. The Portal authentication system based on an authentication service cluster according to claim 5, characterized in that the serial number of the access control device is unique.
8. A Portal authentication method based on an authentication service cluster, characterized in that it comprises the following steps:
A. the authentication client issues an HTTP request to the access control device when accessing a network resource;
B. the access control device intercepts the HTTP request initiated by the authentication client and judges whether the client has access permission; if the client has no access permission, it redirects the HTTP request to the load balancer and adds its own device serial number to the request parameters;
C. the load balancer forwards the redirected HTTP request of the authentication client to one of the Portal service nodes according to the configured load balancing rule;
D. after receiving the redirected HTTP request of the authentication client, the Portal service node parses it to obtain the device serial number of the access control device, queries with that serial number to obtain the IP of the Portal service node that holds the keep-alive for the access control device, pushes the authentication page to the authentication client, and carries the obtained keep-alive Portal service node IP in the page content;
E. after receiving the authentication page pushed by the Portal service node, the authentication client initiates an authentication request directly to the Portal service node whose IP is carried in the page content;
F. after receiving the authentication request of the authentication client, the Portal service node queries the NAT-mapped IP address and port of the access control device according to the device serial number carried in the authentication request, then sends a Portal authentication message to the NAT device;
G. the NAT device sends the Portal authentication message to the corresponding access control device according to the saved mapping relationship;
H. after receiving the Portal authentication message, the corresponding access control device returns a Portal authentication response message to the Portal service node;
I. the Portal service node responds to the authentication request of the authentication client according to the Portal authentication response message returned by the corresponding access control device.
9. The Portal authentication method based on an authentication service cluster according to claim 8, characterized in that in step G the mapping relationship is the correspondence between the private-network IP address and private-network port number of the access control device and the public-network IP address and public-network port number of the NAT device.
10. The Portal authentication method based on an authentication service cluster according to claim 8, characterized in that the device serial number of the access control device is unique.
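As an added worked example, not code from the patent or from any vendor's Portal implementation, the following Python model walks the keep-alive method of claim 3 (keep-alive registration through the NAT device and load balancer) and the authentication method of claim 8 (redirect with the device serial number, direct authentication request to the keep-alive node, Portal authentication message back through the NAT device). Everything beyond the claims is an assumption: the addresses, serial numbers and round-robin balancing rule are constructed; the serial-to-node association that claim 1 says a node stores is modelled as a registry every node can query; the access control device accepts every client; and a serial number with no keep-alive is rejected (fail closed), which the claims leave unspecified.

```python
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]
# Assumption: serial -> (NAT'd IP, NAT'd port, keep-alive node IP), queryable by every node.
KeepAliveRegistry = Dict[str, Tuple[str, int, str]]


@dataclass
class AccessController:
    serial: str                          # claims 7 and 10: unique per device
    private_addr: Addr
    authorized: set = field(default_factory=set)

    def intercept(self, client_ip: str, lb_url: str) -> Optional[str]:
        """Claim 8 step B: redirect an unauthorized client, serial in the query string."""
        if client_ip in self.authorized:
            return None                  # already authorized, let the request through
        return f"{lb_url}?device_sn={self.serial}"

    def handle_portal_auth(self, client_ip: str) -> str:
        """Claim 8 step H: answer the Portal authentication message (toy policy: accept)."""
        self.authorized.add(client_ip)
        return "ACK"


@dataclass
class NATDevice:
    public_ip: str
    devices: Dict[Addr, AccessController] = field(default_factory=dict)
    outbound: Dict[Addr, Addr] = field(default_factory=dict)
    inbound: Dict[Addr, Addr] = field(default_factory=dict)
    next_port: int = 40000

    def translate(self, private: Addr) -> Addr:
        """Claim 3 step B: rewrite source IP/port and keep the mapping in both directions."""
        if private not in self.outbound:
            public = (self.public_ip, self.next_port)
            self.next_port += 1
            self.outbound[private], self.inbound[public] = public, private
        return self.outbound[private]

    def deliver_portal_auth(self, public: Addr, client_ip: str) -> str:
        """Claim 8 step G: forward the Portal authentication message to the mapped controller."""
        target = self.devices.get(self.inbound.get(public))
        return target.handle_portal_auth(client_ip) if target else "NO_MAPPING"


@dataclass
class PortalNode:
    ip: str
    registry: KeepAliveRegistry
    nat: NATDevice

    def on_keepalive(self, serial: str, nat_addr: Addr) -> None:
        """Claim 3 step D: record serial -> NAT'd address -> this node."""
        self.registry[serial] = (nat_addr[0], nat_addr[1], self.ip)

    def on_redirect(self, query: str) -> Optional[str]:
        """Claim 8 step D: parse the serial, return the keep-alive node IP; None = fail closed."""
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        entry = self.registry.get(params.get("device_sn", ""))
        return None if entry is None else entry[2]

    def on_auth_request(self, client_ip: str, serial: str) -> str:
        """Claim 8 steps F and I: reach the controller via the NAT device, answer the client."""
        nat_ip, nat_port, node_ip = self.registry[serial]
        if node_ip != self.ip:
            return "wrong-node"          # keep-alive state belongs to another node
        reply = self.nat.deliver_portal_auth((nat_ip, nat_port), client_ip)
        return "authenticated" if reply == "ACK" else "denied"


def run_scenario() -> dict:
    """One keep-alive and one client login through a three-node cluster (constructed data)."""
    nat = NATDevice("203.0.113.10")
    ac = AccessController("SN-0001", ("10.0.0.5", 2000))
    nat.devices[ac.private_addr] = ac
    registry: KeepAliveRegistry = {}
    nodes = [PortalNode(f"198.51.100.{i}", registry, nat) for i in (1, 2, 3)]
    balancer = cycle(nodes)              # assumption: round-robin balancing rule

    # Keep-alive phase, claim 3 steps A to D.
    keepalive_node = next(balancer)
    keepalive_node.on_keepalive(ac.serial, nat.translate(ac.private_addr))

    # Authentication phase, claim 8 steps A to I.
    client_ip = "192.168.1.20"
    redirect = ac.intercept(client_ip, "http://lb.example/portal")
    redirect_node = next(balancer)       # the balancer lands on a different node
    target_ip = redirect_node.on_redirect(redirect.split("?", 1)[1])
    auth_node = next(n for n in nodes if n.ip == target_ip)
    return {
        "keepalive_node": keepalive_node.ip,
        "redirect_node": redirect_node.ip,
        "auth_node": auth_node.ip,
        "outcome": auth_node.on_auth_request(client_ip, ac.serial),
        "unknown_serial": redirect_node.on_redirect("device_sn=SN-9999"),
    }
```

The returned dictionary shows why the page content carries the keep-alive node IP: the balancer hands the redirected request to node .2, while the keep-alive binding and the NAT mapping it references sit on node .1, so the client is sent there directly and the Portal authentication message can follow the mapping back to the controller. Because the device serial number is the lookup key for both the node and the NAT-mapped address, the uniqueness required by claims 7 and 10 is what keeps one device's clients from being authenticated through another device's mapping; a serial number with no keep-alive yields no target node rather than a guess.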
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510995580.7A CN105516171B (en) | 2015-12-24 | 2015-12-24 | Portal keep-alive system and method, Verification System and method based on authentication service cluster |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105516171A (en) | 2016-04-20 |
CN105516171B (en) | 2018-11-30 |
Family
ID=55723807
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510995580.7A Active CN105516171B (en) | 2015-12-24 | 2015-12-24 | Portal keep-alive system and method, Verification System and method based on authentication service cluster |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105516171B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106603556B (en) * | 2016-12-29 | 2019-11-15 | 迈普通信技术股份有限公司 | Single-point logging method, apparatus and system |
CN109067729B (en) * | 2018-07-26 | 2021-12-24 | 新华三技术有限公司 | Authentication method and device |
CN109040237A (en) * | 2018-08-01 | 2018-12-18 | 平安科技(深圳)有限公司 | A kind of data access method and system |
CN109474588A (en) * | 2018-11-02 | 2019-03-15 | 杭州迪普科技股份有限公司 | A kind of terminal authentication method and device |
CN110120897A (en) * | 2019-04-22 | 2019-08-13 | 国家计算机网络与信息安全管理中心 | Link detection method, apparatus, electronic equipment and machine readable storage medium |
CN110691001A (en) * | 2019-10-25 | 2020-01-14 | 杭州迪普科技股份有限公司 | Equipment unified management method and device |
CN113660356B (en) * | 2021-08-16 | 2024-01-23 | 迈普通信技术股份有限公司 | Network access method, system, electronic device and computer readable storage medium |
CN115334035B (en) * | 2022-07-15 | 2023-10-10 | 天翼云科技有限公司 | Message forwarding method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1863120A (en) * | 2005-10-27 | 2006-11-15 | 华为技术有限公司 | User access method and apparatus based on multiple users |
CN101129014A (en) * | 2005-04-04 | 2008-02-20 | 思科技术公司 | System and method for multi-session establishment |
CN102394929A (en) * | 2011-10-31 | 2012-03-28 | 广东电子工业研究院有限公司 | Conversation-oriented cloud computing load balancing system and method therefor |
CN102946434A (en) * | 2012-11-23 | 2013-02-27 | 广东宜通世纪科技股份有限公司 | Communication method of wireless local area network (WLAN) |
CN103442094A (en) * | 2013-08-15 | 2013-12-11 | 深圳市龙视传媒有限公司 | Server address allocating method and relative devices and systems |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150188971A1 (en) * | 2013-07-31 | 2015-07-02 | Been, Inc. | Data stream monitoring |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| GR01 | Patent grant | |