CN105791290A - Authentication method and device for network connection - Google Patents

Authentication method and device for network connection

Info

Publication number: CN105791290A
Application number: CN201610117809.1A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 高静
Original and current assignee: Shanghai Feixun Data Communication Technology Co Ltd
Priority date / filing date: 2016-03-02
Publication date: 2016-07-20
Legal status: Pending at the time of capture (a rejection after publication, code RJ01, is listed under Legal Events)
Prior art keywords: tcp, message, authentication, authentication equipment, equipment

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
Abstract

The invention discloses an authentication method and device for a network connection in which a TCP connection is established between the access point and an unauthenticated device, and the application-layer session is then redirected to a portal server for authentication. This avoids the problem that authentication cannot be completed when the TCP connection between the user device and the destination address cannot be established.

Description

Authentication method and device for network connection
Technical field
The present invention relates to network connections, and specifically to an authentication method and device for a network connection.
Background
Networks use the TCP/IP protocol suite. Under it, accessing an address on the network generally proceeds as follows: 1) if the access is by domain name, the IP address of the remote host is first obtained from a name server; 2) the accessing terminal or access device performs the TCP three-way handshake with the remote host, establishing a TCP connection; 3) once the connection is established, an application-layer protocol such as HTTP or FTP is used for the session.
For example, when a user device accesses Baidu over the network, the process, shown in Fig. 1, is as follows:
First, the user device obtains Baidu's address from a name server;
Then, the user device initiates a TCP handshake with the Baidu server;
After the TCP connection succeeds, the user device sends an application-layer message to the Baidu server using HTTP, initiating a session request.
After the Baidu server receives the application-layer session request from the user device, it replies, likewise over HTTP, and the application-layer session is established.
The user device can then carry on the application-layer session with the Baidu server and access the content of www.baidu.com.
In some scenarios the network equipment has to authenticate user devices: only devices that have passed authentication may access the network through it.
For example, with the rise of mobile networks, wireless hotspots are deployed more and more widely. For security, and to avoid abuse, many wireless access points are equipped with an authentication mechanism.
In the common authentication mode, the mechanism operates at the application layer. After the access device's TCP handshake with the accessed address succeeds and the application-layer session begins, the hotspot's access point parses the messages the access device sends; if it finds that a message comes from an unauthenticated device, it redirects the connection to a portal server. The access device must then perform a new TCP handshake with that portal server, establish a connection, and complete authentication, for example by entering a phone number and the verification code sent to that phone. Once authentication completes, the access point adds the access device to its authentication list. The access device then has to establish a new TCP connection with the originally accessed address, and it can also access other addresses normally.
Taking access to Baidu again, Fig. 2 shows the process by which a user device reaches the Baidu server in this scenario.
An unauthenticated user device connects to the access point over Ethernet or WLAN.
When the unauthenticated user device accesses Baidu, it first obtains the IP address of the Baidu server from a DNS server.
Then it sends a TCP packet to the Baidu server to initiate the TCP handshake. At this point the access point forwards the TCP packets between the user device and the Baidu server.
After the TCP connection is established, the unauthenticated user device sends an HTTP request to the Baidu server; the Host field of the request is the Baidu server and the destination IP address of the packet is the Baidu server's IP.
When the access point receives the HTTP message from this unauthenticated user device, it analyses it. If it determines that the message comes from an unauthenticated device and that the parsed Host field is not the portal server, it replies to the unauthenticated device with an HTTP redirect message whose source address is the destination address of the HTTP request, here the IP address of the Baidu server, and whose redirect address is the domain name of the portal server.
After receiving this HTTP redirect, the unauthenticated user device obtains the portal server's address by DNS resolution and then begins to establish a TCP connection with the portal server, performing the TCP three-way handshake.
Once the TCP connection between the unauthenticated user device and the portal server is established, the device sends an HTTP request to the portal server, with the Host field set to the portal server.
When the access point receives this HTTP request from the unauthenticated user device and parses its Host field as the portal server, it forwards the request normally.
When the portal server receives the HTTP request from the unauthenticated device, it sends an HTTP response back to it. The unauthenticated device and the portal server thereby establish an application-layer session, and authentication is performed.
After authentication completes, the access point adds the user device to its authentication list. From then on the user can access the Internet normally.
The above mechanism has a drawback: when the access device cannot establish a TCP connection with the accessed address, the authentication mechanism cannot run at all.
Summary of the invention
The object of the invention is to provide a new authentication method and device for a network connection.
According to one aspect of the invention, an authentication method for a network connection comprises the following steps:
S1, detecting whether a received TCP packet comes from an unauthenticated device;
S2, if the TCP packet comes from an unauthenticated device, establishing a TCP connection between the access point and the unauthenticated device;
S3, after the TCP handshake between the access point and the unauthenticated device succeeds, redirecting the application-layer connection to a portal server;
S4, establishing a TCP connection between the portal server and the unauthenticated device and carrying out the authentication session at the application layer;
S5, after successful authentication, adding the unauthenticated device to the authentication list.
Further, in step S2, a TCP connection packet is sent to the unauthenticated device using the destination address of the TCP packet as the access point's own address.
Further, in step S2, the TCP connection packet the unauthenticated device sends to the destination address is forwarded, and the TCP connection packet the destination address sends back to the unauthenticated device is discarded.
According to another aspect of the invention, an authentication method for a network connection comprises the following steps:
S1, detecting whether a received TCP packet comes from an unauthenticated device;
S2, if the TCP packet comes from an unauthenticated device, establishing a TCP connection with the unauthenticated device using the destination address of the TCP packet as the access point's address;
S3, forwarding the TCP packets the unauthenticated device sends;
S4, discarding the TCP packets the destination address sends to the unauthenticated device.
According to a further aspect of the invention, an authentication device for a network connection comprises:
an authenticated-device judging unit, for judging whether a received TCP packet comes from an unauthenticated device;
a TCP communication unit, for establishing a TCP connection with the unauthenticated device using the destination address in the TCP packet.
The TCP communication unit forwards the TCP packets the unauthenticated device sends, and discards the TCP packets the destination address sends to the unauthenticated device.
The technical effect of the method is that it solves the prior-art problem that authentication cannot be completed when the TCP connection between the user device and the destination address cannot be established, while still covering the case in which that TCP connection can be established normally, so the portal function is fulfilled better.
Brief description of the drawings
The preferred embodiments, and the characteristics, technical features, advantages and implementation described above, are further explained below in a clear and understandable way with reference to the drawings.
Fig. 1 shows the process by which a user device accesses the Baidu server directly over the network;
Fig. 2 shows the prior-art process by which an unauthenticated user device connects to the network through an access point and a portal server and accesses the Baidu server;
Fig. 3 shows the process according to the invention by which an unauthenticated user device connects to the network through an access point and a portal server and accesses the Baidu server;
Fig. 4 is a schematic diagram of the authentication device for a network connection provided by the invention.
Reference numerals:
100 unauthenticated device; 200 authentication device for a network connection; 210 authenticated-device judging unit; 220 TCP communication unit.
Detailed description of the invention
To explain the embodiments of the invention and the prior-art solutions more clearly, specific embodiments of the invention are described below with reference to the drawings. Evidently, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive further drawings, and further embodiments, from them without inventive effort.
Although the examples below use HTTP for the application-layer session, the method of the invention also applies to other protocols.
Also, in the description below the user device accesses the Baidu server over HTTP. This is only an example and not a limitation of the invention.
The authentication method for a network connection provided by the invention is explained below using an unauthenticated device that accesses the Baidu server. The order of the steps in the description below is illustrative and is not to be taken as a limitation of the invention.
The unauthenticated user device obtains the address of the Baidu server by DNS resolution and then, as shown in Fig. 3:
(1) begins to establish a TCP connection with the Baidu server; the destination address of the TCP packet it sends is the Baidu server's address.
(2) The access point detects the TCP packet from step (1). When it determines that the packet comes from an unauthenticated device, it replies to the device with a TCP packet whose source address is that destination address (i.e. the Baidu server's address), thereby starting a TCP handshake with the unauthenticated device. At the same time it forwards the TCP packet the unauthenticated device sent, as usual.
(3) The Baidu server receives the TCP packet forwarded in step (2) and replies with a TCP packet to the unauthenticated device.
As noted earlier, the Baidu server may never receive the TCP packet the access point forwarded.
(4) If the access point receives the TCP packet the Baidu server sent to the unauthenticated user device in step (3), it discards that packet,
because in step (2) the access point already replied to the unauthenticated device with a TCP packet using the Baidu server's address.
If the Baidu server never receives the TCP packet, the action of step (4) simply does not occur, and the following steps are unaffected.
(5) The unauthenticated user device receives the TCP packet the access point sent with the Baidu server's address and completes the TCP handshake with the access point.
(6) The unauthenticated user device believes its TCP connection to the Baidu server has been established and sends an HTTP request whose Host field is the Baidu server and whose destination address is the Baidu server's address.
(7) The access point receives the HTTP request from step (6). Having determined that it is an HTTP request from an unauthenticated user and that its Host field is not the portal server, it impersonates the destination address of the HTTP request (here the Baidu server's address) and replies with an HTTP redirect message whose redirect address is the domain name of the portal server.
(8) After the unauthenticated user device receives the HTTP redirect from step (7), it resolves the address of the portal server by DNS, then starts sending TCP packets to the portal server to request a TCP connection; the destination address of these packets is the portal server's address.
(9) The access point receives the TCP packet from step (8). When it determines that the packet comes from an unauthenticated user, it repeats the action of step (2): it sends the unauthenticated device a TCP packet using the destination address of the packet from step (8) (now the portal server's address) as the source address.
At the same time, the access point forwards the TCP packet from step (8) normally.
(10) The access point discards the TCP packet the portal server sends to the unauthenticated device,
because in step (9) it already replied to the unauthenticated user device with a TCP packet using the portal server's address.
(11) When the unauthenticated user device receives the TCP packet the access point sent with the portal server's address in step (9), it believes it has now established a TCP connection with the portal server and sends an HTTP request to the portal server; the Host field is the portal server and the destination address is the portal server's address.
(12) The access point receives the HTTP request from step (11). It determines that it is an HTTP request from an unauthenticated user, but since the parsed Host field is the portal server, it forwards the request normally and does not reply with a redirect.
(13) Because the portal server received the TCP packet forwarded by the access point, it believes it has established a TCP connection with the unauthenticated user device, so after receiving the HTTP request forwarded by the access point in step (12) it replies with an HTTP response normally.
(16) The access point forwards the received HTTP message normally.
(17) The unauthenticated user device and the portal server establish an HTTP session. After the corresponding authentication actions succeed, the device is added to the access point's authentication list. From then on the user device's Internet access is normal.
The principle of the invention is: detect the TCP packets of an unauthenticated device and carry out a TCP connection with that device using the destination address in those packets, so that the unauthenticated device completes a TCP handshake and starts an application-layer session, at which point the application-layer redirect can be used for authentication. The access point always forwards the TCP packets the unauthenticated device sends, and intercepts or discards the TCP packets the remote host or the portal server sends to the unauthenticated device. That is, the access point does not distinguish the destination of the TCP packet: it always performs the TCP handshake with the unauthenticated device using that destination address as its own address. The benefit is that the access point only needs to repeat the same action; during the TCP connection it only has to check whether the user device is in the authentication list, and need not judge whether the destination address of a TCP packet is the remote host or the portal server.
As shown in Fig. 4, the authentication device 200 for a network connection according to the invention includes an authenticated-device judging unit 210, which judges whether a received TCP packet comes from an unauthenticated device 100. When the TCP packet comes from an unauthenticated device 100, it signals the TCP communication unit 220.
The TCP communication unit 220 establishes a TCP connection with the unauthenticated device using the destination address in the TCP packet.
At the same time, the TCP communication unit 220 forwards the TCP packets the unauthenticated device 100 sends, and when it receives a TCP packet sent by the destination address to the unauthenticated device 100 it discards that packet.
Compared with the existing authentication method, the advantages of the method of the invention are:
(1) When the access point receives a TCP packet from an unauthenticated user device, it impersonates the destination address in that packet, constructs a TCP packet (whose source address is the destination address of the received packet) and replies with it to the unauthenticated user device, while forwarding the received TCP packet normally. As a result, whether or not the unauthenticated user device can actually establish a TCP connection with the public address, once it receives the access point's simulated TCP packet it believes it has successfully established a TCP connection with the public device.
(2) When the access point receives a TCP packet addressed to an unauthenticated user device, it discards that packet, because it has already replied with a simulated TCP packet.
With these two improvements, the invention not only solves the problem that authentication cannot complete when the unauthenticated user device cannot establish a TCP connection with the destination address (for example the address of the Baidu server on the public network), but also covers the scenario of the previous authentication scheme in which the unauthenticated user device can establish a TCP connection with the destination address normally, so the authentication function is fulfilled better.
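The following Python simulation is an added example, not code from the patent or from the assignee: it implements the access point's per-packet policy from summary steps S1-S5 and detailed steps (1)-(17) and runs it side by side with the prior-art portal behaviour from the Background section, for a destination that answers and for one that never does. The addresses, host names, the Packet model, the action labels and the stand-in "network" function are constructed for the simulation and are not part of the patent.

```python
"""Simulation of the access point's per-packet policy from summary steps S1-S5 and
detailed steps (1)-(17), run side by side with the prior-art portal behaviour from
the Background section. Added example, not the patent's or the assignee's code;
addresses, host names, the packet model and the action labels are constructed."""
from dataclasses import dataclass

CLIENT = "10.0.0.2"                                         # the unauthenticated station
PUBLIC_IP, PUBLIC_HOST = "203.0.113.10", "www.example.com"  # stands in for the public server
PORTAL_IP, PORTAL_HOST = "192.0.2.5", "portal.example.net"  # stands in for the portal server
DNS = {PUBLIC_HOST: PUBLIC_IP, PORTAL_HOST: PORTAL_IP}      # the station's name resolution


@dataclass
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    kind: str           # "SYN", "SYN-ACK", "ACK" or "HTTP"
    host: str = ""      # HTTP Host header (requests only)
    status: int = 0     # HTTP status code (responses only)
    location: str = ""  # redirect target (302 responses only)


class AccessPoint:
    """spoof_handshake=True: the patented policy (answer a station's SYN in the destination's
    name, forward the SYN anyway, drop the destination's own SYN-ACK). False: prior art."""

    def __init__(self, stations, spoof_handshake=True):
        self.stations = set(stations)   # addresses on the wireless side
        self.spoof_handshake = spoof_handshake
        self.authenticated = set()      # the authentication list of step S5
        self.forwarded = []             # packets sent towards the network
        self.to_client = []             # packets sent towards the stations

    def handle(self, pkt: Packet) -> str:
        upstream = pkt.src in self.stations
        station = pkt.src if upstream else pkt.dst
        if station in self.authenticated:           # listed stations pass untouched
            (self.forwarded if upstream else self.to_client).append(pkt)
            return "forward"
        if not upstream:                            # network -> unauthenticated station
            if pkt.kind == "SYN-ACK" and self.spoof_handshake:
                return "drop"                       # steps (4)/(10): this SYN was already answered
            self.to_client.append(pkt)
            return "deliver"
        if pkt.kind == "HTTP" and pkt.host != PORTAL_HOST:
            # S3 / step (7): answer in the destination's name with a redirect to the portal
            self.to_client.append(Packet(pkt.dst, pkt.src, "HTTP", status=302, location=PORTAL_HOST))
            return "redirect"
        self.forwarded.append(pkt)                  # SYN, ACK and portal-bound HTTP go through
        if pkt.kind == "SYN" and self.spoof_handshake:
            # S2 / steps (2) and (9): SYN-ACK whose source address is the SYN's destination
            self.to_client.append(Packet(pkt.dst, pkt.src, "SYN-ACK"))
            return "forward+spoofed-syn-ack"
        return "forward"


def run_scenario(destination_reachable: bool, spoof_handshake: bool) -> dict:
    """Walk one unauthenticated station through the flow. destination_reachable=False
    models a public server that never answers the forwarded SYN (the patent's target case)."""
    ap = AccessPoint(stations=[CLIENT], spoof_handshake=spoof_handshake)
    actions = []

    def network(pkt):  # stand-in for the public server and the portal server
        if pkt.dst == PUBLIC_IP and not destination_reachable:
            return None                                             # nothing ever comes back
        if pkt.kind == "SYN":
            return Packet(pkt.dst, pkt.src, "SYN-ACK")
        if pkt.kind == "HTTP" and pkt.dst == PORTAL_IP:
            return Packet(pkt.dst, pkt.src, "HTTP", status=200)    # the login page
        return None

    target_ip, target_host = PUBLIC_IP, PUBLIC_HOST   # the station first wants the public site
    for _ in range(2):                                # first attempt, then at most one redirect
        actions.append(ap.handle(Packet(CLIENT, target_ip, "SYN")))
        reply = network(ap.forwarded[-1])
        if reply is not None:
            actions.append(ap.handle(reply))
        # the station only carries on once a SYN-ACK from target_ip has reached it
        if not any(p.kind == "SYN-ACK" and p.src == target_ip for p in ap.to_client):
            return {"authenticated": False, "actions": actions, "ap": ap}
        actions.append(ap.handle(Packet(CLIENT, target_ip, "ACK")))
        actions.append(ap.handle(Packet(CLIENT, target_ip, "HTTP", host=target_host)))
        if ap.forwarded[-1].kind == "HTTP":           # the request went through: server answers
            reply = network(ap.forwarded[-1])
            if reply is not None:
                actions.append(ap.handle(reply))
        response = ap.to_client[-1]
        if response.status == 302:                    # step (8): resolve and follow the redirect
            target_host, target_ip = response.location, DNS[response.location]
        elif response.status == 200 and response.src == PORTAL_IP:
            ap.authenticated.add(CLIENT)              # step (17): login done, add to the list
            return {"authenticated": True, "actions": actions, "ap": ap}
    return {"authenticated": False, "actions": actions, "ap": ap}


if __name__ == "__main__":
    for reachable, spoof in [(True, False), (False, False), (True, True), (False, True)]:
        print(f"reachable={reachable} spoof={spoof}:", run_scenario(reachable, spoof)["actions"])
```

Running the script prints the action the access point took for each packet in the four combinations. With the prior-art policy and an unreachable destination the station never sees a SYN-ACK and the flow stops after the first forwarded SYN, which is the drawback the patent describes; with the patented policy the station reaches the portal in both cases. The simulation also makes the policy's one decision point visible: the real SYN-ACK is dropped even when the destination is up, so the handshake the station sees is always the access point's, and only the Host-header check decides whether a request is redirected or forwarded.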
It should be noted that the embodiments described above can be freely combined as required. The above is only the preferred embodiment of the invention; it should be pointed out that a person skilled in the art can make improvements and modifications without departing from the principle of the invention, and such improvements and modifications are also to be regarded as within the scope of protection of the invention.

Claims (7)

1. An authentication method for a network connection, comprising the steps of:
S1, detecting whether a received TCP packet comes from an unauthenticated device;
S2, if the TCP packet comes from an unauthenticated device, establishing a TCP connection between the access point and the unauthenticated device;
S3, after the TCP handshake between the access point and the unauthenticated device succeeds, redirecting the application-layer connection to a portal server;
S4, establishing a TCP connection between the portal server and the unauthenticated device and carrying out the authentication session at the application layer;
S5, after successful authentication, adding the unauthenticated device to the authentication list.
2. The authentication method for a network connection of claim 1, characterised in that in step S2 a TCP connection packet is sent to the unauthenticated device using the destination address of the TCP packet as the address of the access point.
3. The authentication method for a network connection of claim 2, characterised in that in step S2 the TCP connection packet the unauthenticated device sends to the destination address is forwarded, and the TCP connection packet the destination address sends to the unauthenticated device is discarded.
4. An authentication method for a network connection, comprising the steps of:
S1, detecting whether a received TCP packet comes from an unauthenticated device;
S2, if the TCP packet comes from an unauthenticated device, establishing a TCP connection with the unauthenticated device using the destination address of the TCP packet as the address of the access point;
S3, forwarding the TCP packets the unauthenticated device sends;
S4, discarding the TCP packets the destination address sends to the unauthenticated device.
5. An authentication device for a network connection, characterised in that it includes:
an authenticated-device judging unit, for judging whether a received TCP packet comes from an unauthenticated device;
a TCP communication unit, for establishing a TCP connection with the unauthenticated device using the destination address in the TCP packet.
6. The authentication device for a network connection of claim 5, characterised in that the TCP communication unit forwards the TCP packets the unauthenticated device sends.
7. The authentication device for a network connection of claim 6, characterised in that the TCP communication unit discards the TCP packets the destination address sends to the unauthenticated device.

Priority and family data

Application number: CN201610117809.1A (priority date 2016-03-02, filing date 2016-03-02), title "Authentication method and device for network connection", status Pending
Publication: CN105791290A, publication date 2016-07-20
Family ID: 56387183
Country status: CN, CN105791290A
Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106332083A (en) * 2016-08-24 2017-01-11 上海斐讯数据通信技术有限公司 TCP connection method and device and intranet authentication method and system
CN106332083B (en) * 2016-08-24 2019-11-22 上海斐讯数据通信技术有限公司 TCP connection method and device, Intranet authentication method and system
CN106657082A (en) * 2016-12-27 2017-05-10 杭州盈高科技有限公司 Fast HTTP redirection method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010037466A1 (en) * 2000-04-28 2001-11-01 Konami Corporation Network connection control method and connection control system
CN1538706A (en) * 2003-10-23 2004-10-20 港湾网络有限公司 HTTP relocation method for WEB identification
CN101873332A (en) * 2010-07-15 2010-10-27 杭州华三通信技术有限公司 WEB authentication method and equipment based on proxy server
CN102158492A (en) * 2011-04-14 2011-08-17 福建星网锐捷网络有限公司 Web authentication method, device and network equipment
CN103179554A (en) * 2011-12-22 2013-06-26 中国移动通信集团广东有限公司 Control method and device for wireless broadband network access and network equipment
CN104158808A (en) * 2014-08-19 2014-11-19 杭州华三通信技术有限公司 Portal authentication method based on APP application and device




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20160720)