CN106656911A - Portal authentication method, access device and management server - Google Patents

Portal authentication method, access device and management server

Info

Publication number
CN106656911A
Authority
CN
China
Prior art keywords
authentication
terminal
result
portal
server
Prior art date
Legal status
Granted
Application number
CN201510715637.3A
Other languages
Chinese (zh)
Other versions
CN106656911B (en)
Inventor
谢永方
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201510715637.3A
Publication of CN106656911A
Application granted
Publication of CN106656911B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a Portal authentication method, an access device, a management server and a Portal server. An access device sends a result query request to a management server and receives a first correspondence returned by the management server in response to the result query request, wherein the first correspondence comprises a first authentication ID and a first authorization result, and the first correspondence is provided to the management server by a Portal server. The access device determines, according to an authentication indication in the first authorization result and the first authentication ID, whether a first terminal has passed Portal authentication, and determines, according to authorization information in the first authorization result, whether to forward Hyper Text Transfer Protocol (HTTP) messages of the first terminal, so that Portal authentication can be completed when a NAT device exists between the first terminal and the Portal server.

Description

Portal authentication method, access device and management server
Technical field
The present invention relates to the field of communication technology, and in particular to a Portal authentication method, an access device, a management server and a Portal server.
Background
Portal authentication is a common authentication mode for terminals accessing a network. When a terminal accesses the network, it visits an arbitrary web page and thereby initiates a Hyper Text Transfer Protocol (HTTP) message; the network access device (referred to as the access device) redirects the HTTP message to a Portal server, the terminal enters an account and password on the authentication page provided by the Portal server, and the terminal can access the network normally once authentication has passed. Because Portal authentication requires no authentication client software to be installed and the terminal is authenticated through its browser, it is widely used.
Portal authentication generally involves a Portal server and an Authentication, Authorization and Accounting (AAA) server. The Portal server displays the authentication page, receives the authentication information the terminal enters on that page, and displays the authentication result; the AAA server authenticates the terminal's identity and notifies the access device of the terminal's authorization result. The specific Portal authentication flow is as follows:
Step 1: The terminal accesses any web page and thereby initiates an HTTP message. If the access device finds that the terminal has not yet passed authentication, it redirects the HTTP message to the Portal server.
Step 2: The terminal enters authentication information such as a user name and password on the authentication page provided by the Portal server and submits it to the Portal server for authentication.
Step 3: The Portal server sends an authentication request message of a proprietary protocol to the access device; the message carries the terminal's authentication information such as user name and password.
Step 4: The access device sends a Remote Authentication Dial In User Service (RADIUS) protocol authentication request message to the AAA server; the RADIUS message carries the terminal's user name, password and other authentication information.
Step 5: The AAA server verifies the user name, password and other authentication information carried in the received RADIUS authentication request, determines whether the terminal identified by that information passes authentication, and determines the terminal's authorization result according to the authentication result.
Step 6: The AAA server returns the authorization result to the access device in a RADIUS protocol message.
Step 7: The access device authorizes the terminal according to the authorization result.
Step 8: The access device sends an authentication response message to the Portal server through the proprietary protocol.
Step 9: The Portal server returns an authentication result page to the terminal.
Step 10: If authentication has passed, the access device allows the terminal to access the network.
However, in more and more Portal authentication scenarios, Network Address Translation (NAT) must be performed between the access device and the Portal server, and between the access device and the AAA server. For example, in a Wireless Local Area Network (WLAN) authentication scenario the WLAN access devices, that is, the Access Points (APs), are scattered across many sites while the Portal server and the AAA server are deployed in a public-cloud data center, so a NAT device may sit between the AP and the Portal server and AAA server. Messages that the Portal server and AAA server send to the access device then sometimes cannot be received by the access device; in particular, the Portal server in the public cloud cannot directly send the Portal authentication request of step 3 above to the access device, so Portal authentication cannot be completed.
Summary of the invention
Embodiments of the present invention provide a Portal authentication method, an access device, a management server and a Portal server, to solve the problem that Portal authentication cannot be completed when a NAT device exists between the access device and the Portal server or AAA server.
In a first aspect, a Portal authentication method is provided, applied in a network that performs network address translation (NAT). An access device sends a result query request to a management server, the result query request including a device identifier (ID) of the access device. The access device receives a result query response returned by the management server in response to the result query request; the result query response includes a first correspondence, the first correspondence includes a first authentication ID and a first authorization result, and the first correspondence was provided to the management server by a Portal server. The access device determines, according to an authentication indication in the first authorization result and the first authentication ID, whether a first terminal has passed Portal authentication, and determines, according to authorization information in the first authorization result, whether to forward Hyper Text Transfer Protocol (HTTP) messages of the first terminal, so that Portal authentication can be completed when a NAT device exists between the first terminal and the Portal server.
With reference to the first aspect, in a first possible implementation of the first aspect, before the access device sends the result query request to the management server, the method further includes:
if a timer for triggering the sending of the result query request has not been started, the access device starts the timer;
and the access device sending the result query request to the management server includes:
if the timer expires, the access device sends the result query request to the management server.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, after the timer expires, the method further includes:
the access device deletes the timer; or
the access device resets the timer and restarts timing.
By having a timer trigger the result query request, the access device establishes a connection with the management server on the outer (public) side of the NAT device, so that the management server can subsequently deliver authorization results over that connection to the access device on the inner (private) side of the NAT device, and Portal authentication can be completed when a NAT device exists between the first terminal and the Portal server.
With reference to the first aspect or either of the first and second possible implementations of the first aspect, in a third possible implementation of the first aspect, before the access device sends the result query request to the management server, the method further includes:
the access device receives an HTTP message from the first terminal, which has not passed Portal authentication;
the access device sends a redirection Uniform Resource Locator (URL) to the first terminal, so that the first terminal initiates an authentication request to the Portal server according to the redirection URL, and the Portal server performs Portal authentication on the first terminal and provides the first correspondence to the management server; the redirection URL includes the device ID and the first authentication ID.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the result query response further includes a second correspondence, the second correspondence including a second authentication ID and a second authorization result; the second authentication ID is different from the first authentication ID.
By carrying multiple correspondences in one result query response, the access device obtains multiple authorization results at once and completes multiple Portal authentications, which improves Portal authentication efficiency.
With reference to the first aspect or any one of the first to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the device ID is a Media Access Control (MAC) address or a serial number that uniquely identifies the access device.
With reference to the first aspect or any one of the first to fifth possible implementations of the first aspect, in a sixth possible implementation of the first aspect, the first authentication ID is generated based on an address of the first terminal, and is:
the sum of the MAC address of the first terminal and a random number; or
the sum of the Internet Protocol (IP) address of the first terminal and a random number; or
the value obtained by applying a hash operation to the sum of the MAC address of the first terminal and a random number; or
the value obtained by applying a hash operation to the sum of the IP address of the first terminal and a random number.
An authentication ID generated by the access device in this way identifies each individual Portal authentication, which increases the security of the authentication.
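The following is an added example, not code from the patent, showing the four authentication ID variants of the sixth implementation and the redirection URL of the third implementation in working form. SHA-256 as the "hash operation", the parameter names device_id and auth_id, the host portal.example.com, and the pending table that binds each issued ID to the terminal it was issued for are all assumptions; the patent names none of them. The two plain-sum variants are reversible (anyone who knows the terminal address recovers the random number), and even the hashed variants hash only the sum, so the random number has to be wide and unpredictable for the ID to be unguessable.

```python
"""Added example (not the patent's code): generating the first authentication
ID from a terminal address plus a random number, in the four variants the
sixth implementation of the first aspect lists, and embedding it with the
device ID in the redirection URL of the third implementation.
Assumptions: SHA-256 as the "hash operation", the parameter names device_id
and auth_id, the portal host portal.example.com, and the pending table that
binds each issued ID to one terminal."""
import hashlib
import ipaddress
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def mac_to_int(mac):
    """Interpret a MAC address such as 00:11:22:33:44:55 as a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def ip_to_int(ip):
    """Interpret an IPv4 or IPv6 address as an integer."""
    return int(ipaddress.ip_address(ip))


def auth_id_sum(addr, nonce):
    """Variants 1 and 2: the plain sum of address and random number.
    Reversible: whoever knows the address recovers the nonce, and a
    predictable nonce makes the ID guessable."""
    return format(addr + nonce, "x")


def auth_id_hashed(addr, nonce):
    """Variants 3 and 4: hash of the sum (SHA-256 is an assumption).
    One-way, so the ID reveals neither address nor nonce. Only the sum is
    hashed, so different (address, nonce) pairs with the same sum give the
    same ID; the nonce must therefore be wide and unpredictable."""
    return hashlib.sha256(str(addr + nonce).encode()).hexdigest()[:32]


class AccessDevice:
    def __init__(self, device_id, portal_url):
        self.device_id = device_id      # MAC address or serial number of the access device
        self.portal_url = portal_url
        # Issued authentication IDs still awaiting a result, bound to the
        # terminal they were issued for (assumption: keeps a result from being
        # applied to a terminal it was not issued for).
        self.pending = {}

    def new_auth_id(self, terminal_mac):
        nonce = secrets.randbits(64)          # fresh per authentication attempt
        auth_id = auth_id_hashed(mac_to_int(terminal_mac), nonce)
        self.pending[auth_id] = terminal_mac
        return auth_id

    def redirect_url(self, terminal_mac):
        """URL sent to an unauthenticated terminal; carries device ID and auth ID."""
        params = {"device_id": self.device_id, "auth_id": self.new_auth_id(terminal_mac)}
        return f"{self.portal_url}?{urlencode(params)}"


def parse_redirect(url):
    """What the Portal server extracts from the redirection URL."""
    query = parse_qs(urlparse(url).query)
    return query["device_id"][0], query["auth_id"][0]


if __name__ == "__main__":
    ap = AccessDevice("aa:bb:cc:dd:ee:ff", "https://portal.example.com/auth")
    url = ap.redirect_url("00:11:22:33:44:55")   # constructed sample terminal MAC
    print(url)
    print(parse_redirect(url))
```

Each call to redirect_url produces a different auth_id for the same terminal, because the nonce is fresh; the access device keeps the ID-to-terminal binding itself rather than trusting the Portal server to tell it which terminal a result belongs to.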
In a second aspect, a Portal authentication method is provided, applied in a network that performs network address translation (NAT). A management server receives a result query request sent by an access device, the result query request including a device identifier (ID) of the access device. The management server determines, according to the result query request, a first correspondence corresponding to the device ID, the first correspondence including a first authentication ID and a first authorization result; the first correspondence was provided to the management server by a Portal server. The management server returns a result query response to the access device, the result query response including the first correspondence, so that the access device completes Portal authentication according to the first correspondence when a NAT device exists between a terminal and the Portal server.
With reference to the second aspect, in a first possible implementation of the second aspect, before the management server receives the result query request sent by the access device, the method further includes:
the management server receives the device ID and the first correspondence provided by the Portal server, and stores the first correspondence in a first buffer queue whose queue ID is the device ID.
By arranging buffer queues that store correspondences according to device ID, the management server improves lookup efficiency.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the management server determining the first correspondence corresponding to the device ID according to the result query request includes:
the management server determines the first buffer queue according to the device ID, and
obtains the first correspondence from the first buffer queue.
With reference to the first possible implementation of the second aspect, in a third possible implementation of the second aspect, the management server determining the first correspondence corresponding to the device ID according to the result query request includes:
the management server determines the first buffer queue according to the device ID;
and obtains all correspondences in the first buffer queue, including the first correspondence and a second correspondence, the second correspondence including a second authentication ID and a second authorization result, the second authentication ID being different from the first authentication ID;
correspondingly, the result query response further includes the second correspondence.
In this way, in responding to one result query from an access device, all correspondences are taken from the buffer queue, so that a single query by the access device completes multiple Portal authentications, which improves Portal authentication efficiency.
With reference to the second aspect or the first possible implementation of the second aspect, in a fourth possible implementation of the second aspect, after the management server returns the result query response to the access device, the method further includes:
the management server notifies the Portal server of the device ID and the first authentication ID, so that the Portal server returns an authentication result page to the corresponding terminal.
Having the management server on the outer side of the NAT device, rather than the access device on the inner side, notify the Portal server of which authorization results have been delivered reduces the number of interactions through the NAT device between the access device and the Portal server, and improves authentication efficiency.
In a third aspect, a Portal authentication method is provided, applied in a network that performs network address translation (NAT). A Portal server obtains a first authorization result according to authentication information submitted by a terminal, together with a device identifier (ID) of the access device and a first authentication ID that respectively correspond to the first authorization result; the first authorization result includes an authentication indication and authorization information. The Portal server sends a first correspondence and the device ID to a management server for storage, the first correspondence including the first authorization result and the first authentication ID, so that the access device queries the first correspondence according to the device ID and completes Portal authentication according to the obtained first correspondence when a NAT device exists between the terminal and the Portal server.
With reference to the third aspect, in a first possible implementation of the third aspect, the Portal server obtaining the first authorization result according to the authentication information submitted by the terminal, together with the device ID and the first authentication ID respectively corresponding to the first authorization result, includes:
the Portal server receives an authentication request that the terminal initiates to the Portal server through a redirection Uniform Resource Locator (URL); the redirection URL is supplied to the terminal by the access device and includes the device ID and the first authentication ID;
the Portal server returns an authentication page to the terminal, the authentication page including the device ID and the first authentication ID;
the Portal server receives the authentication information submitted by the terminal, the authentication information including the terminal information the terminal entered on the authentication page and the device ID and first authentication ID included in the authentication page;
the Portal server sends the terminal information to an Authentication, Authorization and Accounting (AAA) server for authentication;
the Portal server receives the first authorization result returned by the AAA server based on the terminal information; or the Portal server receives an authentication result returned by the AAA server based on the terminal information and generates the first authorization result based on that authentication result;
the Portal server obtains, from the authentication information, the device ID and the first authentication ID that respectively correspond to the first authorization result.
Because the Portal server sends the authentication information submitted by the terminal directly to the AAA server, without forwarding by the access device, the number of interactions through the NAT device between the access device and the Portal server or AAA server is reduced.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, after the Portal server sends the first correspondence and the device ID to the management server for storage, the method further includes:
the Portal server receives the device ID and the first authentication ID notified by the management server;
the Portal server determines the address of the terminal according to the device ID and the first authentication ID;
the Portal server sends the authentication result page to the terminal according to the address of the terminal.
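The exchange described in the first, second and third aspects, run end to end in one process as an added example (not the patent's code): the Portal server stores each (authentication ID, authorization result) pair under the access device's ID on the management server; the access device polls with its device ID and receives every pair queued for it; the management server then tells the Portal server which pairs were delivered so it can return the result page to the terminal. The dict-shaped messages and field names, the in-memory credential table standing in for the AAA server, and all sample addresses, IDs and credentials are assumptions. The example also shows the check a practitioner would add: an authorization result for an authentication ID the access device never issued is ignored, so a result injected into the management server cannot open the network for an arbitrary terminal.

```python
"""Added example (not the patent's code): the result-query exchange of the
first to third aspects, in one process. Assumptions: dict-shaped messages and
the field names used here, the in-memory AAA credential table, and all sample
addresses, authentication IDs and credentials."""
from collections import defaultdict, deque


def aaa_check(user, password):
    """Stand-in for the AAA server (constructed credential table)."""
    table = {"alice": "correct-horse", "bob": "battery-staple"}
    return table.get(user) == password


class ManagementServer:
    def __init__(self):
        # One buffer queue per access device, keyed by device ID
        # (second aspect, first implementation).
        self.queues = defaultdict(deque)
        self.portal = None

    def store(self, device_id, auth_id, result):
        self.queues[device_id].append((auth_id, result))

    def handle_result_query(self, request):
        device_id = request["device_id"]
        queue = self.queues.get(device_id, deque())
        # Third implementation: drain every correspondence for this device.
        correspondences = [{"auth_id": a, "result": r} for a, r in queue]
        queue.clear()
        # Fourth implementation: the management server, not the access device
        # behind the NAT, tells the Portal server which results were delivered.
        for c in correspondences:
            self.portal.on_delivered(device_id, c["auth_id"])
        return {"correspondences": correspondences}


class PortalServer:
    def __init__(self, mgmt):
        self.mgmt = mgmt
        mgmt.portal = self
        self.sessions = {}          # (device_id, auth_id) -> terminal address
        self.result_pages_sent = []

    def authenticate(self, device_id, auth_id, terminal_addr, user, password):
        """Credentials arrived via the authentication page that the redirection
        URL led to, together with the device ID and auth ID that page carried."""
        self.sessions[(device_id, auth_id)] = terminal_addr
        passed = aaa_check(user, password)
        result = {"passed": passed, "authz": {"allow_http": passed}}
        self.mgmt.store(device_id, auth_id, result)

    def on_delivered(self, device_id, auth_id):
        # Second implementation of the third aspect: resolve the terminal from
        # (device ID, auth ID) and send it the authentication result page.
        addr = self.sessions.pop((device_id, auth_id))
        self.result_pages_sent.append(addr)


class AccessDevice:
    def __init__(self, device_id):
        self.device_id = device_id
        self.pending = {}     # auth_id -> terminal MAC, recorded when the redirect was issued
        self.authorized = {}  # terminal MAC -> authorization information

    def issue(self, auth_id, terminal_mac):
        self.pending[auth_id] = terminal_mac

    def poll(self, mgmt):
        """Timer-driven result query; returns how many results were applied."""
        response = mgmt.handle_result_query({"device_id": self.device_id})
        applied = 0
        for c in response["correspondences"]:
            terminal = self.pending.pop(c["auth_id"], None)
            if terminal is None:
                continue   # an ID this device never issued: authorizes nobody
            if c["result"]["passed"]:
                self.authorized[terminal] = c["result"]["authz"]
            applied += 1
        return applied

    def should_forward_http(self, terminal_mac):
        return self.authorized.get(terminal_mac, {}).get("allow_http", False)


def run_demo():
    mgmt = ManagementServer()
    portal = PortalServer(mgmt)
    ap = AccessDevice("aa:bb:cc:dd:ee:ff")
    # Two terminals were redirected with distinct auth IDs (constructed values).
    ap.issue("id-alice", "00:11:22:33:44:55")
    ap.issue("id-bob", "00:11:22:33:44:66")
    portal.authenticate("aa:bb:cc:dd:ee:ff", "id-alice", "10.0.0.55", "alice", "correct-horse")
    portal.authenticate("aa:bb:cc:dd:ee:ff", "id-bob", "10.0.0.66", "bob", "wrong")
    # A passing result for an ID this access device never issued must grant nothing.
    portal.sessions[("aa:bb:cc:dd:ee:ff", "id-forged")] = "10.0.0.99"
    mgmt.store("aa:bb:cc:dd:ee:ff", "id-forged", {"passed": True, "authz": {"allow_http": True}})
    first = ap.poll(mgmt)    # one query delivers all three queued correspondences
    second = ap.poll(mgmt)   # queue is now empty
    return ap, portal, first, second
```

A single poll drains the whole queue for the device, which is the efficiency gain the second aspect's third implementation claims; the second poll returns nothing, so the timer can simply fire again without any state on the management server side beyond the queue.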
In a fourth aspect, an access device is provided, the access device having the functions for implementing the behaviour of the access device in the above method. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible implementation, the access device includes a transmitter, a receiver and a processor, which are interconnected by a bus; wherein
the transmitter is configured to send a result query request to a management server, the result query request including a device identifier (ID) of the access device;
the receiver is configured to receive a result query response returned by the management server in response to the result query request, the result query response including a first correspondence, the first correspondence including a first authentication ID and a first authorization result, the first correspondence having been provided to the management server by a Portal server;
the processor is configured to determine, according to an authentication indication in the first authorization result and the first authentication ID, whether a first terminal has passed Portal authentication, and to determine, according to authorization information in the first authorization result, whether to forward Hyper Text Transfer Protocol (HTTP) messages of the first terminal, so that Portal authentication is completed when a NAT device exists between the first terminal and the Portal server.
In another possible implementation, the access device includes:
a transmitting unit, configured to send a result query request to a management server, the result query request including the device ID of the access device;
a receiving unit, configured to receive a result query response returned by the management server in response to the result query request, the result query response including a first correspondence, the first correspondence including a first authentication ID and a first authorization result, the first correspondence having been provided to the management server by a Portal server;
a processing unit, configured to determine, according to an authentication indication in the first authorization result and the first authentication ID, whether a first terminal has passed Portal authentication, and to determine, according to authorization information in the first authorization result, whether to forward HTTP messages of the first terminal, so that Portal authentication is completed when a NAT device exists between the first terminal and the Portal server.
In a fifth aspect, a management server is provided, the management server having the functions for implementing the behaviour of the management server in the above method. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible implementation, the management server includes a transmitter, a receiver and a processor, which are interconnected by a bus; wherein
the receiver is configured to receive a result query request sent by an access device, the result query request including a device identifier (ID) of the access device;
the processor is configured to determine, according to the result query request, a first correspondence corresponding to the device ID, the first correspondence including a first authentication ID and a first authorization result, the first correspondence having been provided to the management server by a Portal server;
the transmitter is configured to return a result query response to the access device, the result query response including the first correspondence, so that the access device completes Portal authentication according to the first correspondence when a NAT device exists between a terminal and the Portal server.
In another possible implementation, the management server includes:
a receiving unit, configured to receive a result query request sent by an access device, the result query request including the device ID of the access device;
a processing unit, configured to determine, according to the result query request, a first correspondence corresponding to the device ID, the first correspondence including a first authentication ID and a first authorization result, the first correspondence having been provided to the management server by a Portal server;
a transmitting unit, configured to return a result query response to the access device, the result query response including the first correspondence, so that the access device completes Portal authentication according to the first correspondence when a NAT device exists between a terminal and the Portal server.
In a sixth aspect, a Portal server is provided, the Portal server having the functions for implementing the behaviour of the Portal server in the above method. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible implementation, the Portal server includes a transmitter, a receiver and a processor, which are interconnected by a bus; wherein
the receiver is configured to receive authentication information submitted by a terminal;
the processor is configured to obtain a first authorization result according to the authentication information, together with a device identifier (ID) of the access device and a first authentication ID that respectively correspond to the first authorization result;
the transmitter is configured to send a first correspondence and the device ID to a management server for storage, the first correspondence including the first authorization result and the first authentication ID, so that the access device queries the first correspondence according to the device ID and completes Portal authentication according to the obtained first correspondence when a NAT device exists between the terminal and the Portal server.
In another possible implementation, the Portal server includes:
a receiving unit, configured to receive authentication information submitted by a terminal;
a processing unit, configured to obtain a first authorization result according to the authentication information, together with the device ID of the access device and a first authentication ID that respectively correspond to the first authorization result;
a transmitting unit, configured to send a first correspondence and the device ID to a management server for storage, the first correspondence including the first authorization result and the first authentication ID, so that the access device queries the first correspondence according to the device ID and completes Portal authentication according to the obtained first correspondence when a NAT device exists between the terminal and the Portal server.
With the solution provided in this application, the Portal server on the outer side of the NAT device caches the authorization result in a management server that is likewise on the outer side of the NAT device, and the access device on the inner side of the NAT device actively fetches the authorization result from the management server. This solves the problem that Portal authentication cannot be performed when a NAT network lies between the access device and the Portal server or AAA server, reduces the number of interactions between the access device and the Portal server or AAA server, and improves authentication performance in Portal authentication scenarios that cross NAT networks.
Description of the drawings
Fig. 1 is a schematic diagram of the networking when a NAT device exists between an access device and a Portal server;
Fig. 2 is a schematic diagram of a system architecture to which the Portal authentication method provided by an embodiment of the present invention applies;
Fig. 3 is an interaction diagram of a Portal authentication method provided by an embodiment of the present invention;
Fig. 4A is a schematic structural diagram of an access device provided by an embodiment of the present invention;
Fig. 4B is a schematic structural diagram of another access device provided by an embodiment of the present invention;
Fig. 5A is a schematic structural diagram of a management server provided by an embodiment of the present invention;
Fig. 5B is a schematic structural diagram of another management server provided by an embodiment of the present invention;
Fig. 6A is a schematic structural diagram of a Portal server provided by an embodiment of the present invention;
Fig. 6B is a schematic structural diagram of another Portal server provided by an embodiment of the present invention.
Specific embodiment
In traditional Portal authentication, where communication between devices does not pass through a NAT device, the access device and the Portal server, and the access device and the AAA server, can communicate in both directions. When a NAT device is present, however, two-way communication between the access device and the Portal server, and between the access device and the AAA server, cannot be achieved.
Fig. 1 is a schematic diagram of the networking between an access device and a Portal server when a NAT device is present. The access device is located on the intranet side of the NAT device and the Portal server on the extranet side, so messages between the access device and the Portal server are forwarded by the NAT device. The access device on the intranet can actively establish a connection with the Portal server, but the Portal server on the extranet cannot actively establish a connection with the access device.
Taking Fig. 1 as an example, when access device 1 on the intranet sends a message to the Portal server on the extranet, the NAT device translates the message: the source Internet Protocol (IP) address 192.168.1.10 (the IP address of access device 1) is converted to the extranet IP address 210.32.122.58 of the NAT device, and the source port of the message, for example port 8000, is converted to a new port, for example port 11000. The NAT device records the mapping between port 11000 / IP address 210.32.122.58 and port 8000 / IP address 192.168.1.10. Access device 1 and the Portal server have now established a connection and can communicate. If instead the Portal server on the extranet actively sends a message to access device 1 on the intranet, the message can only be addressed to the extranet IP address of the NAT device, and at that moment the NAT device holds no extranet-to-intranet port and IP address mapping, so it cannot forward the message to access device 1.
Even after the access device has established a connection with the Portal server, the port and IP address mapping on the NAT device does not persist indefinitely. If no messages pass between the access device and the Portal server within a set period, the mapping ages out and is deleted; messages subsequently returned by the Portal server can no longer reach the access device (this is equivalent to the Portal server actively sending a message to the access device), and communication between the access device and the Portal server fails. After the mapping is deleted, communication between the Portal server and the access device can resume only once the access device actively sends a message to the Portal server and a new mapping is established, and the newly established mapping is not necessarily identical to the previous one.
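The following simulation, added here as an illustration and not part of the patent, replays the Fig. 1 scenario with the addresses and ports the text uses: an unsolicited extranet packet is dropped, an intranet-initiated packet creates a mapping and its reply is delivered, the mapping ages out after an idle period, and only a fresh outbound packet restores reachability, on a port that need not match the old one. The Portal server address 203.0.113.5, the idle timeout of 30 seconds and the class and function names are assumptions of this example.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Minimal port-translating NAT whose mapping table ages out idle entries."""

    def __init__(self, public_ip: str, first_port: int = 11000, idle_timeout: float = 30.0):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout  # seconds; the patent gives no value, assumed here
        self._ports = itertools.count(first_port)
        # public port -> (private ip, private port, time of last activity)
        self.table: dict[int, tuple[str, int, float]] = {}

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Intranet -> extranet: reuse or create a mapping and rewrite the source."""
        for pub_port, (ip, port, _) in self.table.items():
            if (ip, port) == (pkt.src_ip, pkt.src_port):
                self.table[pub_port] = (ip, port, now)
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = next(self._ports)
        self.table[pub_port] = (pkt.src_ip, pkt.src_port, now)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float):
        """Extranet -> intranet: deliverable only if a mapping for dst_port exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping: the NAT device drops the packet
        ip, port, _ = entry
        self.table[pkt.dst_port] = (ip, port, now)
        return Packet(pkt.src_ip, pkt.src_port, ip, port)

    def age(self, now: float) -> int:
        """Delete mappings idle longer than idle_timeout; return how many were removed."""
        stale = [p for p, (_, _, last) in self.table.items() if now - last > self.idle_timeout]
        for p in stale:
            del self.table[p]
        return len(stale)


def run_scenario() -> dict:
    """Replay the Fig. 1 discussion and record what happened at each step."""
    nat = NatDevice("210.32.122.58")
    access = ("192.168.1.10", 8000)
    portal = ("203.0.113.5", 80)  # constructed extranet address for the Portal server
    out = {}

    # 1. Portal server speaks first: no mapping exists, so the NAT drops the packet.
    out["unsolicited_dropped"] = nat.inbound(Packet(*portal, nat.public_ip, 11000), now=0.0) is None

    # 2. Access device speaks first: a mapping is created and the source is rewritten.
    translated = nat.outbound(Packet(*access, *portal), now=1.0)
    out["translated_src"] = (translated.src_ip, translated.src_port)

    # 3. A reply to the mapped port is delivered to the access device.
    reply = nat.inbound(Packet(*portal, translated.src_ip, translated.src_port), now=2.0)
    out["reply_delivered_to"] = (reply.dst_ip, reply.dst_port)

    # 4. Idle longer than the timeout: the mapping ages out and later replies are lost.
    out["aged_out"] = nat.age(now=100.0)
    out["late_reply_dropped"] = (
        nat.inbound(Packet(*portal, translated.src_ip, translated.src_port), now=101.0) is None
    )

    # 5. Only a new outbound packet restores reachability, here on a different public port.
    again = nat.outbound(Packet(*access, *portal), now=102.0)
    out["new_public_port"] = again.src_port
    return out


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step}: {value}")
```

Step 4 is the failure mode the text describes: nothing the Portal server does on its own can recreate the mapping, which is why the method below has the access device poll from the intranet side.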
For the scenario in which a NAT device sits between the access device and the Portal server and AAA server, one way to solve the two-way communication problem is to establish a Transmission Control Protocol (TCP) long connection between the access device and the Portal server and AAA server. A TCP long connection is one that is not torn down even when there is no message to transmit between the access device and the Portal server or AAA server. Over the channel of the long connection, the Portal server and AAA server can send messages to the access device at any time. To keep the long connection from being interrupted, however, the access device must periodically send heartbeat messages over it to the Portal server and AAA server so that the port and IP address mapping stored on the NAT device is not deleted. The long-connection approach requires the access device to stay connected to the Portal server and AAA server at all times, which consumes memory and port resources on the Portal server and AAA server.
An embodiment of the present invention provides a Portal authentication method in which the Portal server on the extranet caches the authorization result in a management server, also on the extranet, and the access device on the intranet actively obtains the authorization result from the management server. This solves the problem that Portal authentication cannot be completed when a NAT device sits between the access device and the Portal server and AAA server, reduces the number of interactions between the access device and the Portal server and AAA server, and improves the performance of Portal authentication in scenarios where communication between devices must pass through a NAT device. Compared with establishing TCP long connections between the access device and the Portal server and AAA server, it reduces the consumption of memory and port resources on the Portal server and AAA server.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The Portal authentication method provided by an embodiment of the present invention is applied in the system shown in Fig. 2, which includes a terminal, an access device, a NAT device, a management server, a Portal server and an AAA server, where:
The terminal, also called user equipment (UE), may be a mobile phone, a computer, a vehicle-mounted mobile device or the like. Before the terminal has passed Portal authentication, when it accesses an external network through a browser, the access device redirects it to the authentication page of the Portal server. The terminal enters an account and password on the authentication page to perform Portal authentication, and after passing Portal authentication it can access the external network normally.
The access device is the network device through which the terminal connects to the network and may be a hardware device such as a switch or a router. It redirects HTTP messages sent by terminals that have not passed Portal authentication to the Portal server for identity authentication, obtains the authorization results of the terminals it manages, and authorizes the terminals according to the obtained authorization results.
The NAT device may be built into the access device or be a standalone device. The terminal and the access device are located on the intranet side of the NAT device; the management server, the Portal server and the AAA server are located on the extranet side.
The management server stores the authorization results provided by the Portal server and, upon receiving a result query request from an access device, returns the authorization results corresponding to the device identifier (ID) of that access device. It may also notify the Portal server under which access device a terminal's authorization result has been delivered.
The Portal server displays the authentication page, receives the authentication information the terminal enters on that page, sends the received authentication information directly to the AAA server for terminal identity authentication, sends the authorization result to the management server for storage, and, upon being notified by the management server that an authorization result has been delivered, returns an authentication result page to the terminal corresponding to that authorization result.
The AAA server holds the information of all terminals and performs terminal identity authentication. There are many types of AAA server; commonly used ones include Active Directory (AD) servers, Lightweight Directory Access Protocol (LDAP) servers and RADIUS servers.
In this embodiment, the management server, the Portal server and the AAA server may be combined on one physical server or deployed separately.
Deploying the management server and the Portal server separately reduces the number of connections between the access device and extranet devices. There may be multiple Portal servers; if the management server function were implemented by the Portal server, i.e. the management server and the Portal server were merged, the management server function would have to be deployed on every Portal server and the access device would have to connect to multiple Portal servers. If the management server and the Portal server are deployed separately, the management server can connect to the multiple Portal servers on behalf of the access device, and the access device only needs to connect to the management server.
Separate deployment of the management server and the Portal server also avoids exposing the interface of the access device. If the two were merged and the Portal server were provided by a third party, the interface of the access device would have to be opened to the third-party Portal server so that it could learn the access device's interface protocol and interact with the access device. With separate deployment, the access device and the Portal server are not required to interface directly, so the access device's interface can be shielded from the Portal server; this also reduces the coupling between the access device and the Portal server.
Fig. 3 is an interaction diagram of the Portal authentication method provided by an embodiment of the present invention. The method is applicable to networks that perform NAT and includes:
S301: The access device receives an HTTP message from a first terminal that has not passed Portal authentication.
The HTTP message is sent by the first terminal when it accesses any web page.
In practice, the access device usually maintains a list of the terminals that have passed Portal authentication. After receiving an HTTP message, it determines whether the sending terminal has passed Portal authentication by checking whether that terminal is in the list.
S302: The access device sends a redirection Uniform Resource Locator (URL) to the first terminal.
In this embodiment, the redirection URL the access device returns to the first terminal includes the device ID of the access device and a first authentication ID generated from the address of the first terminal.
When the Portal server subsequently performs Portal authentication for the first terminal and sends the first authorization result to the management server, it sends the first authorization result together with the device ID and the first authentication ID.
From the device ID corresponding to an authorization result, the management server can tell under which access device each authorization result should be delivered. The device ID may be the Media Access Control (MAC) address of the access device or a number that uniquely identifies the access device.
The authentication ID identifies each individual Portal authentication. Portal authentications initiated by different terminals are given different authentication IDs, and each of multiple Portal authentications initiated by the same terminal is given a different authentication ID. This increases the security of the authentication: someone who intercepts an earlier authorization result of a terminal cannot use it to perform counterfeit authentication. The authentication ID is generated by the access device the terminal connects to and may be generated from the terminal's address: for example, the sum of the terminal's MAC address and a random number, the sum of the terminal's IP address and a random number, the hash of the sum of the terminal's MAC address and a random number, or the hash of the sum of the terminal's IP address and a random number.
An example redirection URL is as follows:
http://portalserver/portal?deviceid=a123c56312bd&authid=ab238463c523
where deviceid=a123c56312bd is the device ID and authid=ab238463c523 is the authentication ID.
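The helpers below, added as an example and not taken from the patent, implement one of the four authentication ID constructions the text lists (hash of the terminal MAC address plus a random number) and build and parse a redirection URL of the shape shown above. SHA-256 as the hash, a 48-bit random number, the function names and the use of the example device ID as a MAC address are assumptions of this example.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def generate_auth_id(terminal_mac: str, random_bits: int = 48) -> str:
    """Authentication ID = hash(terminal MAC address + random number).

    A fresh random number per call gives a different ID for every Portal
    authentication round, even for the same terminal, which is what makes
    a replayed (intercepted) earlier authorization result unusable.
    SHA-256 and the 48-bit random width are assumptions of this example.
    """
    mac_int = int(terminal_mac.replace(":", "").replace("-", ""), 16)
    value = mac_int + secrets.randbits(random_bits)  # < 2**49, fits in 8 bytes
    return hashlib.sha256(value.to_bytes(8, "big")).hexdigest()


def device_id_from_mac(mac: str) -> str:
    """Device ID as the access device's MAC address in the page's compact hex form."""
    return mac.replace(":", "").replace("-", "").lower()


def build_redirect_url(portal_base: str, device_id: str, auth_id: str) -> str:
    """Assemble the redirection URL the access device returns in S302."""
    return portal_base + "?" + urlencode({"deviceid": device_id, "authid": auth_id})


def parse_redirect_url(url: str) -> dict:
    """Recover the two parameters the Portal server must carry through its page."""
    qs = parse_qs(urlsplit(url).query)
    return {"deviceid": qs["deviceid"][0], "authid": qs["authid"][0]}


if __name__ == "__main__":
    device_id = device_id_from_mac("A1:23:C5:63:12:BD")   # constructed access device MAC
    auth_id = generate_auth_id("00:11:22:33:44:55")        # constructed terminal MAC
    url = build_redirect_url("http://portalserver/portal", device_id, auth_id)
    print(url)
    print(parse_redirect_url(url))
```

Two calls to generate_auth_id for the same terminal return different IDs, which is the property the paragraph above relies on; the access device keeps the IDs it generated so it can later recognise which returned results are its own.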
S303: The first terminal initiates an authentication request to the Portal server according to the redirection URL.
S304: After receiving the authentication request from the first terminal, the Portal server returns the authentication page to the first terminal.
In this embodiment, the authentication page returned by the Portal server includes the device ID of the access device and the first authentication ID carried in the above redirection URL. The device ID and the first authentication ID may be stored in hidden fields of the authentication page, not visible to the terminal.
S305: The first terminal enters terminal information such as a user name and password on the authentication page.
S306: The first terminal submits authentication information to the Portal server. The authentication information includes the terminal information the first terminal entered on the authentication page, and the device ID and the first authentication ID included in the authentication page.
S307: The Portal server sends the terminal information in the authentication information to the AAA server for authentication.
In this embodiment, the Portal server sends the terminal information directly to the AAA server without forwarding it through the access device, which reduces the number of interactions through the NAT device between the access device and the Portal server and AAA server.
For different types of AAA server, the Portal server sends the terminal information using different protocols: if the AAA server is a RADIUS server, the Portal server uses the RADIUS protocol; if it is an AD server, the Portal server uses the AD protocol; if it is an LDAP server, the Portal server uses the LDAP protocol.
S308: The AAA server determines the first authorization result of the first terminal according to the authentication result.
An authorization result mapping table may be maintained on the AAA server, indicating which authorization result should be issued to terminals of different IP addresses when authentication passes or fails.
In this embodiment, the authorization result includes an authentication indication that indicates whether the terminal has passed Portal authentication. Optionally, the authorization result also includes authorization information indicating the range of IP addresses the terminal is allowed to access; the terminal may also be allowed to access any IP address without restriction. Based on the authorization result, the access device decides whether to forward the HTTP messages the terminal sends.
S309: The AAA server returns the first authorization result to the Portal server.
Optionally, in another embodiment of the invention, the authorization result mapping table may be maintained by the Portal server: the AAA server sends the terminal's authentication result directly to the Portal server, and the Portal server determines the terminal's authorization result from the authentication result returned by the AAA server.
S310: The Portal server sends the first authorization result, together with the device ID of the access device and the first authentication ID corresponding to the first authorization result, to the management server for storage.
The Portal server can obtain the device ID and the first authentication ID corresponding to the first authorization result from the authentication information.
Optionally, in another embodiment of the invention, the Portal server may send the device ID and the first authentication ID to the AAA server together with the terminal information, and the AAA server, after determining the first authorization result, directly sends the first authorization result, the device ID and the first authentication ID to the management server for storage.
In this embodiment, the management server may group stored authorization results by device ID. The management server typically stores authorization results in buffer queues, but is not limited to this; it may for example store them in a table. The embodiment is described using buffer queues as an example, which does not limit the invention.
After receiving the first authorization result, the device ID and the first authentication ID, if a first buffer queue whose queue ID equals the device ID exists, the management server stores the first authorization result and the first authentication ID, i.e. the first correspondence, in that first buffer queue. A buffer queue holds information received from the Portal server or the AAA server that has not yet been delivered to the access device, such as authorization results, device IDs and authentication IDs. If no such first buffer queue exists, the management server creates a first buffer queue with the device ID as its queue ID and stores the first authorization result and the first authentication ID, i.e. the first correspondence, in it.
Alternatively, the device ID and the first correspondence (the first authorization result and the first authentication ID) may be stored together in the buffer queue.
S311: The access device sends a result query request to the management server. The result query request includes the device ID of the access device.
Optionally, the result query request may be a message defined by a proprietary protocol specifically for obtaining authorization results.
Optionally, in another embodiment, if the access device establishes a TCP long connection with the management server at startup, the management server can store information about the device ID of the access device that has established the connection, such as the correspondence between the access device's IP address and its device ID. The management server can then determine the device ID of the access device from the IP address of the access device that sends the result query request, so the result query request need not include the device ID.
Optionally, in this embodiment, after receiving the HTTP message from the first terminal, if the timer used to trigger sending of the result query request has not been started, the access device starts it. If the timer is already running, the access device had, before receiving the first terminal's HTTP message, already received an HTTP message from a second terminal that has not passed Portal authentication and started the timer then; in that case the access device need not start the timer again.
When the timer expires, the access device is triggered to send the result query request to the management server. Because the result query request is initiated actively by the access device on the intranet side of the NAT device, it can be forwarded to the management server, and a connection over which the two can communicate normally is established between the access device and the management server. This solves the problem that, where communication between devices must pass through a NAT device, the Portal server on the extranet side of the NAT device cannot deliver authorization results to the access device on the intranet side.
Optionally, in this embodiment, after the timer expires the access device may delete the timer, or reset it and start timing again.
That is, the timer in this embodiment may be periodic or one-shot. During peak periods the access device may use a periodic timer, and during off-peak periods a one-shot timer. In practice, the period of the periodic timer may be set to 2-3 seconds.
S312: After receiving the result query request from the access device, the management server determines, according to the result query request, the first correspondence corresponding to the device ID included in the request; the first correspondence includes the first authentication ID and the first authorization result.
Optionally, in this embodiment the management server may first determine the device ID of the access device included in the result query request, or determine the device ID of the access device that sent the request, then, based on the determined device ID, identify the first buffer queue, i.e. the buffer queue whose queue ID is the determined device ID, and obtain the first correspondence from the first buffer queue.
In this embodiment, after determining the first buffer queue from the device ID, the management server may also obtain all correspondences in the first buffer queue, including the first correspondence and a second correspondence; the second correspondence includes a second authentication ID and a second authorization result, and the second authentication ID differs from the first authentication ID. Correspondingly, the result query response the management server returns in S313 below includes the second correspondence in addition to the first, so that the access device can obtain the authorization results of multiple terminals it manages with a single result query request.
S313: The management server returns a result query response to the access device. The result query response includes the first correspondence.
In this embodiment, besides the first correspondence, i.e. the first authorization result and the first authentication ID, the result query response received by the access device may also include the authorization results of multiple other terminals and the authentication ID corresponding to each of those authorization results, where the authentication IDs corresponding to the authorization results of the multiple terminals are all different. Optionally, the result query response may also include the device ID corresponding to each of those authorization results, where the device IDs corresponding to the authorization results of the multiple terminals are all the same.
After the management server has sent all correspondences included in the first buffer queue to the access device, it deletes the first buffer queue, removing from the management server the correspondences that have already been delivered to the access device.
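A small model of the management server's side of S310 to S313 and of the queue deletion just described, added here as an example and not code from the patent: results arrive keyed by device ID, a result query drains and deletes that device's buffer queue in one step, and the delivered (device ID, authentication ID) pairs are kept for the S248-style notification to the Portal server. The variant in which the device ID is looked up from the requesting IP address is also shown. Class and method names, and the sample device and authentication IDs, are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Correspondence:
    """One (authentication ID, authorization result) pair awaiting delivery."""
    auth_id: str
    result: dict  # e.g. {"authenticated": True, "allowed": ["10.0.0.0/8"]}


class ManagementServer:
    """Caches correspondences per access-device ID until that device polls for them."""

    def __init__(self):
        # queue ID (= device ID) -> buffer queue of undelivered correspondences
        self.queues: dict[str, deque] = {}
        # (device_id, auth_id) pairs already handed to an access device (for S248)
        self.delivered: list = []

    def store(self, device_id: str, auth_id: str, result: dict) -> None:
        """S310: Portal server (or AAA server) hands over result + device ID + auth ID.
        Creates the buffer queue for the device ID if it does not exist yet."""
        queue = self.queues.get(device_id)
        if queue is None:
            queue = self.queues[device_id] = deque()
        queue.append(Correspondence(auth_id, result))

    def handle_result_query(self, device_id=None, src_ip=None, ip_to_device=None) -> list:
        """S311-S313: return every pending correspondence for the device, then delete its queue.

        device_id may be absent when the access device holds a long connection
        and the server maps the requesting IP to a device ID instead (S237 variant).
        """
        if device_id is None and ip_to_device is not None:
            device_id = ip_to_device.get(src_ip)
        if device_id is None:
            return []
        queue = self.queues.pop(device_id, None)  # delivered once, then gone
        if queue is None:
            return []
        items = list(queue)
        self.delivered.extend((device_id, c.auth_id) for c in items)
        return items


if __name__ == "__main__":
    ms = ManagementServer()
    ms.store("a123c56312bd", "auth-1", {"authenticated": True, "allowed": ["10.0.0.0/8"]})
    ms.store("a123c56312bd", "auth-2", {"authenticated": False})
    for c in ms.handle_result_query("a123c56312bd"):
        print(c.auth_id, c.result)
    print("queues left:", list(ms.queues))
```

Because the queue is popped atomically with the read, a second poll for the same device returns nothing; a practitioner extending this would add a per-entry expiry so results for an access device that never polls do not accumulate.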
Optionally, in this embodiment, after returning the result query response to the access device, the management server may directly notify the Portal server of the device ID and the first authentication ID corresponding to the authorization result delivered to the access device, which further reduces the number of interactions through the NAT device between the access device and the Portal server and AAA server.
When the terminal connects to the Portal server through the redirection URL, a TCP short connection is established between the terminal and the Portal server; this short connection is kept for a set time, until the Portal server returns a message to the terminal over it, after which it is closed. The Portal server can record the correspondence between the terminal's address and the device ID and authentication ID carried in the redirection URL. Therefore, after receiving the device ID and the first authentication ID notified by the management server, the Portal server can determine the address of the corresponding terminal from them and, over the TCP short connection between the Portal server and that terminal, send the authentication result page to the terminal's address, informing the terminal that its Portal authentication flow has ended.
S314: After receiving the result query response the management server returns in response to the result query request, the access device determines, according to the authentication indication in the first authorization result and the first authentication ID, whether the first terminal has passed Portal authentication, and determines, according to the authorization information in the first authorization result, whether to forward the HTTP messages of the first terminal, so that Portal authentication is completed even though a NAT device is present between the first terminal and the Portal server.
In this embodiment, when the access device generates an authentication ID from a terminal's address it may save the generated ID. When it later receives a result query response, it compares each authentication ID in the response with the authentication IDs it has saved. If a saved authentication ID matches a third authentication ID included in the response, the access device uses the authentication result in the third authorization result corresponding to the third authentication ID to determine whether the terminal identified by the third authentication ID has passed authentication and, further, decides according to the IP address range the third authorization result allows that terminal to access whether to forward the HTTP messages the terminal sends. After authorizing the terminal, the access device deletes the saved third authentication ID.
If no authentication ID saved on the access device matches a fourth authentication ID included in the result query response, the fourth authorization result corresponding to the fourth authentication ID is counterfeit, and the access device may ignore it.
If no authentication ID included in the result query response matches a fifth authentication ID saved on the access device, the access device has not yet received the authorization result corresponding to the fifth authentication ID, and it continues to hold the fifth authentication ID.
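The access-device side of S314 and the three cases just listed (a matching ID is applied and forgotten, an unknown ID in the response is treated as counterfeit and ignored, a saved ID with no result yet stays pending), written as an added example rather than code from the patent. The result format ({"authenticated": bool, "allowed": [networks] or absent for unrestricted access}), the decision to consume the saved ID on a failed authentication as well, and the class and method names are assumptions of this example.

```python
import ipaddress


class AccessDevice:
    """Keeps the authentication IDs it issued and reconciles them against a
    result query response before granting or refusing forwarding."""

    def __init__(self):
        self.pending: dict = {}     # auth_id -> terminal IP still awaiting a result
        self.authorized: dict = {}  # terminal IP -> list of allowed networks, or None for any

    def register(self, auth_id: str, terminal_ip: str) -> None:
        """Called when the redirection URL for a terminal is issued (S302)."""
        self.pending[auth_id] = terminal_ip

    def apply_response(self, correspondences) -> tuple:
        """Process a result query response: a sequence of (auth_id, result) pairs.

        Returns (applied, ignored). An ID this device never issued cannot be
        matched to a terminal, so its result is discarded as counterfeit; IDs
        still in self.pending afterwards simply have no result yet.
        """
        applied, ignored = [], []
        for auth_id, result in correspondences:
            terminal_ip = self.pending.pop(auth_id, None)
            if terminal_ip is None:
                ignored.append(auth_id)
                continue
            if result.get("authenticated"):
                allowed = result.get("allowed")  # None means unrestricted access
                self.authorized[terminal_ip] = (
                    None if allowed is None else [ipaddress.ip_network(n) for n in allowed]
                )
            applied.append(auth_id)  # the saved ID is consumed either way (assumption)
        return applied, ignored

    def should_forward(self, terminal_ip: str, dst_ip: str) -> bool:
        """Forwarding decision for an HTTP message from terminal_ip to dst_ip."""
        if terminal_ip not in self.authorized:
            return False  # not (yet) authenticated: keep redirecting to the Portal
        allowed = self.authorized[terminal_ip]
        if allowed is None:
            return True
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in allowed)


if __name__ == "__main__":
    ad = AccessDevice()
    ad.register("id-3", "10.1.1.5")   # constructed terminal addresses and IDs
    ad.register("id-5", "10.1.1.6")
    response = [
        ("id-3", {"authenticated": True, "allowed": ["10.0.0.0/8"]}),
        ("id-4", {"authenticated": True}),  # never issued by this device
    ]
    print(ad.apply_response(response), "still pending:", ad.pending)
    print(ad.should_forward("10.1.1.5", "10.2.3.4"), ad.should_forward("10.1.1.5", "8.8.8.8"))
```

The check that matters for the counterfeit case is the pop on self.pending: a result is only honoured if it answers an ID this device generated, so an authorization result for an ID the device does not recognise confers nothing, whatever its contents.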
Based on the Portal authentication method provided by the above embodiment, an embodiment of the present invention provides an access device 400 for implementing the functions of the access device in the above Portal authentication method. As shown in Fig. 4A, the access device 400 includes a transmitter 401, a receiver 402 and a processor 403, which are interconnected by a bus 404.
The transmitter 401 is configured to send a result query request to the management server; the result query request includes the device ID of the access device.
The receiver 402 is configured to receive the result query response the management server returns in response to the result query request; the result query response includes a first correspondence, which comprises a first authentication ID and a first authorization result, and the first correspondence is provided to the management server by the Portal server.
The processor 403 is configured to determine, according to the authentication indication in the first authorization result and the first authentication ID, whether the first terminal has passed Portal authentication, and to determine, according to the authorization information in the first authorization result, whether to forward the HTTP messages of the first terminal, so that Portal authentication is completed even though a NAT device is present between the first terminal and the Portal server.
The access device 400 also includes communication interfaces connecting it to the management server and to the terminal, respectively.
Optionally, before the transmitter 401 sends the result query request to the management server, the processor 403 is further configured to start the timer used to trigger sending of the result query request if that timer has not been started.
Optionally, the transmitter 401 sends the result query request to the management server when the timer expires.
Optionally, after the timer expires, the processor 403 is further configured to delete the timer, or to reset the timer and start timing again.
Optionally, before the transmitter 401 sends the result query request to the management server, the receiver 402 is further configured to receive an HTTP message from a first terminal that has not passed Portal authentication. Correspondingly, the transmitter 401 is further configured to send a redirection URL to the first terminal, so that the first terminal initiates an authentication request to the Portal server according to the redirection URL and the Portal server performs Portal authentication for the first terminal and provides the first correspondence to the management server; the redirection URL includes the device ID and the first authentication ID.
Optionally, the result query request received by the receiver 402 also includes a second correspondence, which comprises a second authentication ID and a second authorization result; the second authentication ID differs from the first authentication ID.
Optionally, the device ID is the MAC address or a number that uniquely identifies the access device.
Optionally, the first authentication ID is generated by the processor 403 from the address of the first terminal; for example, it may be the sum of the first terminal's MAC address and a random number, the sum of the first terminal's IP address and a random number, the hash of the sum of the first terminal's MAC address and a random number, or the hash of the sum of the first terminal's IP address and a random number.
The processor 403 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) or the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device.
When the processor 403 is a CPU, the access device 400 may also include a memory for storing a program. Specifically, the program may include program code comprising computer operation instructions. The memory may include random access memory (RAM) and may also include non-volatile memory, for example at least one disk memory. The processor 403 executes the program code stored in the memory to implement the above functions.
An embodiment of the present invention further provides an access device 4000 for implementing the functions of the access device in the Portal authentication method described above. As shown in Figure 4B, the access device 4000 includes a sending unit 4001, a receiving unit 4002 and a processing unit 4003, where:
the sending unit 4001 is configured to send a result query request to the management server, the result query request including the device ID of the access device;
the receiving unit 4002 is configured to receive a result query response returned by the management server in response to the result query request, the result query response including a first correspondence, the first correspondence including a first authentication ID and a first authorization result; the first correspondence is provided to the management server by the Portal server;
the processing unit 4003 is configured to determine, from the authentication indication in the first authorization result and the first authentication ID, whether the first terminal has passed Portal authentication, and to determine, from the authorization information in the first authorization result, whether to forward the HTTP packets of the first terminal, so that Portal authentication is completed even when a NAT device is located between the first terminal and the Portal server.
It should be noted that the sending unit 4001 may also perform the other operations performed by the transmitter 401 shown in Figure 4A, the receiving unit 4002 may also perform the other operations performed by the receiver 402 shown in Figure 4A, and the processing unit 4003 may also perform the other operations performed by the processor 403 shown in Figure 4A. For brevity, these are not repeated here.
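The access-device side of the flow above, as an added Python example that is not part of the patent and not Huawei's implementation: it covers the four first-authentication-ID variants of the optional embodiment, the redirect URL that carries the device ID and the first authentication ID, the result query request, and the handling of a result query response (authentication indication decides whether the terminal passed, authorization information decides whether its HTTP packets are forwarded). The message shapes, the field names `device_id`/`auth_id`/`passed`/`allow_http`, the constants `DEVICE_ID` and `PORTAL_URL`, and the choice of SHA-256 as the hash are all assumptions made here; the patent defines no wire format or hash algorithm.

```python
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed values for this example; the patent fixes no concrete identifiers or URLs.
DEVICE_ID = "00:11:22:33:44:55"             # MAC address uniquely identifying the access device
PORTAL_URL = "http://portal.example/login"   # assumed Portal server login URL


def auth_id_mac_plus_random(mac: str, rnd: int) -> int:
    """Variant 1: sum of the terminal MAC address (as a 48-bit integer) and a random number."""
    return int(mac.replace(":", ""), 16) + rnd


def auth_id_ip_plus_random(ip: str, rnd: int) -> int:
    """Variant 2: sum of the terminal IPv4 address (as a 32-bit integer) and a random number."""
    return int.from_bytes(bytes(int(octet) for octet in ip.split(".")), "big") + rnd


def auth_id_hashed(value: int) -> str:
    """Variants 3 and 4: hash of the sum. SHA-256 is an assumption; the patent says only 'hash'."""
    return hashlib.sha256(str(value).encode()).hexdigest()


@dataclass
class AuthorizationResult:
    """Assumed shape of a first authorization result."""
    passed: bool        # authentication indication: did the terminal pass Portal authentication?
    allow_http: bool    # authorization information: may the terminal's HTTP packets be forwarded?


class AccessDevice:
    def __init__(self, device_id: str):
        self.device_id = device_id
        self.pending = {}       # first authentication ID -> terminal MAC still awaiting a result
        self.authorized = {}    # terminal MAC -> AuthorizationResult for terminals that passed

    def on_unauthenticated_http(self, terminal_mac: str) -> str:
        """An HTTP packet from a terminal that has not passed Portal authentication is answered
        with a redirect URL carrying the device ID and a fresh first authentication ID
        (variant 3 here: hash of MAC + random number)."""
        rnd = secrets.randbits(64)
        auth_id = auth_id_hashed(auth_id_mac_plus_random(terminal_mac, rnd))
        self.pending[auth_id] = terminal_mac
        return PORTAL_URL + "?" + urlencode({"device_id": self.device_id, "auth_id": auth_id})

    def result_query_request(self) -> dict:
        """Sent to the management server on every timer tick; carries only the device ID."""
        return {"device_id": self.device_id}

    def on_result_query_response(self, response: dict) -> list:
        """Apply each (authentication ID, authorization result) correspondence in the response.
        Returns the terminal MACs that matched a pending authentication ID."""
        matched = []
        for item in response.get("correspondences", []):
            mac = self.pending.pop(item["auth_id"], None)
            if mac is None:
                continue    # not an ID this device issued (stale, or another device's): ignore
            result = AuthorizationResult(**item["result"])
            if result.passed:
                self.authorized[mac] = result
            matched.append(mac)
        return matched

    def should_forward_http(self, terminal_mac: str) -> bool:
        """The authorization information decides whether the terminal's HTTP packets are forwarded."""
        result = self.authorized.get(terminal_mac)
        return bool(result and result.allow_http)
```

Two design points worth noting. The access device only honours correspondences whose authentication ID it issued itself, so a response that carries an ID it does not know is ignored rather than granting access to an unknown terminal. And of the four ID variants, the hashed ones (3 and 4) keep the terminal's MAC or IP address out of the redirect URL that the terminal and the Portal server see, which is why the example uses variant 3.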
Based on the Portal authentication method provided in the embodiments above, an embodiment of the present invention provides a management server 500 for implementing the functions of the management server in the Portal authentication method described above. As shown in Figure 5A, the management server 500 includes a transmitter 501, a receiver 502 and a processor 503, where the transmitter 501, the receiver 502 and the processor 503 are interconnected by a bus 504.
The receiver 502 is configured to receive a result query request sent by an access device, the result query request including the device ID of the access device.
The processor 503 is configured to determine, according to the result query request, the first correspondence corresponding to the device ID, the first correspondence including a first authentication ID and a first authorization result; the first correspondence is provided to the management server by the Portal server.
The transmitter 501 is configured to return a result query response to the access device, the result query response including the first correspondence, so that the access device completes Portal authentication according to the first correspondence even when a NAT device is located between the terminal and the Portal server.
The management server 500 further includes communication interfaces that connect it to the access device and to the Portal server respectively.
Optionally, before the receiver 502 receives the result query request sent by the access device, the receiver 502 is further configured to receive the device ID, the first authorization result and the first authentication ID provided by the Portal server.
The processor 503 is further configured to store the first correspondence, that is, the first authorization result and the first authentication ID, in a first buffer queue whose queue ID is the device ID.
Optionally, when determining the first correspondence corresponding to the device ID according to the result query request, the processor 503 specifically determines the first buffer queue according to the device ID and obtains the first correspondence from the first buffer queue.
Optionally, when determining the first correspondence corresponding to the device ID according to the result query request, the processor 503 specifically determines the first buffer queue according to the device ID and obtains all correspondences in the first buffer queue, including the first correspondence and a second correspondence, the second correspondence including a second authentication ID and a second authorization result, the second authentication ID being different from the first authentication ID. Correspondingly, the result query response returned by the transmitter 501 also includes the second correspondence.
After the transmitter 501 returns the result query response to the access device, the processor 503 is further configured to delete the first buffer queue.
Optionally, after the transmitter 501 returns the result query response to the access device, the transmitter 501 is further configured to notify the Portal server of the device ID and the first authentication ID, so that the Portal server returns an authentication result page to the corresponding terminal.
The processor 503 may be a general-purpose processor, such as a central processing unit or a network processor; it may also be a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or another programmable logic device.
When the processor 503 is a CPU, the management server 500 may further include a memory for storing a program. Specifically, the program may include program code, and the program code includes computer operation instructions. The memory may include random access memory and may also include non-volatile memory, for example at least one disk memory. The processor 503 executes the program code stored in the memory to implement the functions described above.
An embodiment of the present invention further provides a management server 5000 for implementing the functions of the management server in the Portal authentication method described above. As shown in Figure 5B, the management server 5000 includes a sending unit 5001, a receiving unit 5002 and a processing unit 5003, where:
the receiving unit 5002 is configured to receive a result query request sent by an access device, the result query request including the device ID of the access device;
the processing unit 5003 is configured to determine, according to the result query request, the first correspondence corresponding to the device ID, the first correspondence including a first authentication ID and a first authorization result; the first correspondence is provided to the management server by the Portal server;
the sending unit 5001 is configured to return a result query response to the access device, the result query response including the first correspondence, so that the access device completes Portal authentication according to the first correspondence even when a NAT device is located between the terminal and the Portal server.
It should be noted that the sending unit 5001 may also perform the other operations performed by the transmitter 501 shown in Figure 5A, the receiving unit 5002 may also perform the other operations performed by the receiver 502 shown in Figure 5A, and the processing unit 5003 may also perform the other operations performed by the processor 503 shown in Figure 5A. For brevity, these are not repeated here.
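The management-server side described above (buffer queues whose queue ID is the device ID, a result query response that returns every correspondence in the queue, deletion of the queue after the response, and the notification back to the Portal server), as an added Python example that is not part of the patent and not Huawei's code. The message shapes and field names are assumptions; so is the `RESULT_TTL_SECONDS` expiry, which the patent does not mention but which a deployment needs because a queue for an access device that never polls would otherwise grow without bound.

```python
import time
from collections import deque
from dataclasses import dataclass

# Assumption for this example: a result that no access device has queried within this many
# seconds is dropped. The patent sets no lifetime; there the queue is deleted only after a
# result query response has been returned.
RESULT_TTL_SECONDS = 60.0


@dataclass
class Correspondence:
    """One (authentication ID, authorization result) pair supplied by the Portal server."""
    auth_id: str
    result: dict        # assumed shape: {"passed": bool, "allow_http": bool}
    stored_at: float    # monotonic timestamp, used only for the TTL assumption above


class ManagementServer:
    """Buffer queues keyed by device ID: the queue ID is the device ID, as in the embodiment."""

    def __init__(self, ttl: float = RESULT_TTL_SECONDS):
        self.ttl = ttl
        self.queues = {}          # device ID -> deque[Correspondence]
        self.notifications = []   # (device ID, auth ID) pairs notified to the Portal server

    def store(self, device_id: str, auth_id: str, result: dict, now: float = None) -> None:
        """Portal server -> management server: the device ID plus the first correspondence."""
        now = time.monotonic() if now is None else now
        self.queues.setdefault(device_id, deque()).append(Correspondence(auth_id, result, now))

    def purge_expired(self, now: float = None) -> int:
        """Drop correspondences older than the TTL; returns how many were dropped."""
        now = time.monotonic() if now is None else now
        dropped = 0
        for device_id in list(self.queues):
            queue = self.queues[device_id]
            while queue and now - queue[0].stored_at > self.ttl:
                queue.popleft()
                dropped += 1
            if not queue:
                del self.queues[device_id]
        return dropped

    def handle_result_query(self, request: dict, now: float = None) -> dict:
        """Access device -> management server: a result query request carrying the device ID.
        Returns a result query response with every correspondence in that device's queue."""
        self.purge_expired(now)
        device_id = request["device_id"]
        queue = self.queues.pop(device_id, None)     # the queue is deleted once it is answered
        if not queue:
            return {"device_id": device_id, "correspondences": []}
        items = [{"auth_id": c.auth_id, "result": c.result} for c in queue]
        # After responding, notify the Portal server of each (device ID, auth ID) so that it
        # can send the authentication result page to the corresponding terminal.
        self.notifications.extend((device_id, c.auth_id) for c in queue)
        return {"device_id": device_id, "correspondences": items}
```

Because the queue is removed atomically when it is answered, a second poll from the same device ID returns an empty response rather than replaying results, and results for other device IDs are never mixed into the response.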
Based on the Portal authentication method provided in the embodiments above, an embodiment of the present invention provides a Portal server 600 for implementing the functions of the Portal server in the Portal authentication method described above. As shown in Figure 6A, the Portal server 600 includes a transmitter 601, a receiver 602 and a processor 603, where the transmitter 601, the receiver 602 and the processor 603 are connected by a bus 604.
The receiver 602 is configured to receive authentication information submitted by a terminal.
The processor 603 is configured to obtain a first authorization result according to the authentication information, together with the device ID of the access device and the first authentication ID that correspond to the first authorization result.
The transmitter 601 is configured to send a first correspondence and the device ID to the management server for storage, the first correspondence including the first authorization result and the first authentication ID, so that the access device can query the first correspondence according to the device ID and complete Portal authentication according to the obtained first correspondence even when a NAT device is located between the terminal and the Portal server.
The Portal server 600 further includes communication interfaces that connect it to the management server and to the terminal.
Optionally, before the processor 603 obtains the first authorization result together with the corresponding device ID of the access device and first authentication ID, the receiver 602 is further configured to receive an authentication request initiated by the terminal to the Portal server via a redirect URL; the redirect URL is provided to the terminal by the access device and includes the device ID and the first authentication ID.
Correspondingly, the transmitter 601 is further configured to return an authentication page to the terminal, the authentication page including the device ID and the first authentication ID.
Correspondingly, the receiver 602 is further configured to receive the authentication information submitted by the terminal, the authentication information including the terminal information entered by the terminal on the authentication page and the device ID and first authentication ID included in the authentication page.
Correspondingly, the transmitter 601 is further configured to send the terminal information to an AAA server for authentication.
Optionally, when obtaining the first authorization result together with the corresponding device ID of the access device and first authentication ID, the processor 603 specifically: obtains the first authorization result that the AAA server returned based on the terminal information and the receiver 602 received, or obtains the authentication result that the AAA server returned based on the terminal information and the receiver 602 received and generates the first authorization result from that authentication result; and obtains, from the authentication information, the device ID and the first authentication ID corresponding to the first authorization result.
Optionally, after the transmitter 601 sends the first correspondence and the device ID to the management server for storage, the receiver 602 is further configured to receive the device ID and the first authentication ID notified by the management server.
Optionally, the processor 603 is further configured to determine the address of the terminal according to the device ID and the first authentication ID.
Optionally, the transmitter 601 is further configured to send an authentication result page to the terminal according to the address of the terminal.
The processor 603 may be a general-purpose processor, such as a central processing unit or a network processor; it may also be a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or another programmable logic device.
When the processor 603 is a CPU, the Portal server 600 may further include a memory for storing a program. Specifically, the program may include program code, and the program code includes computer operation instructions. The memory may include random access memory and may also include non-volatile memory, for example at least one disk memory. The processor 603 executes the program code stored in the memory to implement the functions described above.
An embodiment of the present invention further provides a Portal server 6000 for implementing the functions of the Portal server in the Portal authentication method described above. As shown in Figure 6B, the Portal server 6000 includes a sending unit 6001, a receiving unit 6002 and a processing unit 6003, where:
the receiving unit 6002 is configured to receive authentication information submitted by a terminal;
the processing unit 6003 is configured to obtain a first authorization result according to the authentication information, together with the device identification (ID) of the access device and the first authentication ID that correspond to the first authorization result;
the sending unit 6001 is configured to send a first correspondence and the device ID to the management server for storage, the first correspondence including the first authorization result and the first authentication ID, so that the access device can query the first correspondence according to the device ID and complete Portal authentication according to the obtained first correspondence even when a NAT device is located between the terminal and the Portal server.
It should be noted that the processing unit 6003 may also perform the other operations performed by the processor 603 shown in Figure 6A, the sending unit 6001 may also perform the other operations performed by the transmitter 601 shown in Figure 6A, and the receiving unit 6002 may also perform the other operations performed by the receiver 602 shown in Figure 6A. For brevity, these are not repeated here.
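The Portal-server side described above (authentication request arriving via the redirect URL, authentication page carrying the device ID and first authentication ID, submission forwarded to AAA, first authorization result handed to the management server, and the result page sent once the management server notifies the device ID and authentication ID), as an added Python example that is not part of the patent and not Huawei's code. The AAA server is replaced by a constructed in-memory account table (`AAA_ACCOUNTS`, `aaa_authenticate`), the management server by a recording stub, and the field names `device_id`, `auth_id`, `username`, `password`, `passed` and `allow_http` are assumptions; the patent defines none of these formats.

```python
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed AAA backend for this example: username -> (password, HTTP allowed after login).
# It stands in for the AAA server; the patent does not define the AAA exchange.
AAA_ACCOUNTS = {"alice": ("correct horse", True), "guest": ("guest", False)}


def aaa_authenticate(terminal_info: dict) -> dict:
    """AAA stand-in: returns an authentication result of assumed shape."""
    entry = AAA_ACCOUNTS.get(terminal_info.get("username", ""))
    ok = entry is not None and hmac.compare_digest(entry[0], terminal_info.get("password", ""))
    return {"authenticated": ok, "allow_http": bool(ok and entry[1])}


class RecordingManagementServer:
    """Minimal stand-in for the management server: records what the Portal server stores."""
    def __init__(self):
        self.stored = []

    def store(self, device_id: str, auth_id: str, result: dict) -> None:
        self.stored.append((device_id, auth_id, result))


class PortalServer:
    def __init__(self, management_server):
        self.ms = management_server
        self.sessions = {}       # (device ID, auth ID) -> terminal address as seen by the Portal server
        self.result_pages = []   # (terminal address, page) that would be sent to the terminal

    def on_auth_request(self, redirect_url: str, terminal_addr: str) -> dict:
        """The terminal follows the redirect URL. Extract the device ID and first authentication
        ID, remember where the terminal is reachable, and return an authentication page that
        carries both IDs (hidden fields here) alongside the inputs the terminal must fill in."""
        qs = parse_qs(urlparse(redirect_url).query)
        device_id, auth_id = qs["device_id"][0], qs["auth_id"][0]
        self.sessions[(device_id, auth_id)] = terminal_addr
        return {"fields": {"device_id": device_id, "auth_id": auth_id},
                "inputs": ["username", "password"]}

    def on_auth_submit(self, auth_info: dict):
        """Authentication information = terminal information typed on the page + the page's
        device ID and first authentication ID. Returns the first authorization result, or
        None when the (device ID, auth ID) pair was never issued an authentication page."""
        key = (auth_info["device_id"], auth_info["auth_id"])
        if key not in self.sessions:
            return None   # reject before consulting AAA: no prior authentication request
        terminal_info = {"username": auth_info["username"], "password": auth_info["password"]}
        aaa = aaa_authenticate(terminal_info)
        # First authorization result: authentication indication + authorization information
        result = {"passed": aaa["authenticated"], "allow_http": aaa["allow_http"]}
        self.ms.store(key[0], key[1], result)   # first correspondence + device ID, for storage
        return result

    def on_management_notification(self, device_id: str, auth_id: str) -> str:
        """After the access device has fetched the result, the management server notifies
        (device ID, auth ID); resolve the terminal address and send the result page."""
        addr = self.sessions.pop((device_id, auth_id))
        self.result_pages.append((addr, f"authentication result page for {auth_id}"))
        return addr
```

The terminal address recorded in `on_auth_request` is the one the Portal server observes, which with NAT in the path is the translated address; that is exactly why the (device ID, authentication ID) pair, not the address, is the key used to find the terminal when the result page is sent.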
In summary, with the technical solution provided by the embodiments of the present invention, the Portal server stores the authorization result on the management server, and the access device located on the intranet actively obtains the authorization result from the management server located on the external network. This solves the problem that Portal authentication cannot be completed when a NAT device sits between the access device and the Portal server or AAA server. The technical solution provided by the embodiments of the present invention can also significantly reduce the number of interactions between the access device and the Portal server and AAA server. For example, assume that each access device handles 50 terminal access authentications per second at peak. Under the Portal authentication scheme of steps 1 to 10 above, each authentication requires two interactions between the access device and the Portal server or AAA server (the interactions of steps 3 and 4, and of steps 6 and 8), so 6000 interactions per minute are needed between the access device and the Portal server and AAA server. With the new flow provided by the embodiments of the present invention, if the timer period is set to 2 seconds, only 30 interactions per minute are needed between the access device and the Portal server and management server; the total number of interactions is only one half of one percent of that of the conventional Portal authentication scheme. Only when each access device handles as few as 0.25 terminal access authentications per second does the number of interactions under the conventional Portal authentication scheme of steps 1 to 10 fall to the number reached with the scheme of the embodiments of the present invention.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer non-volatile storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Those skilled in the art can make various changes and modifications to the embodiments of the present invention without departing from the scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.

Claims (22)

1. A Portal authentication method, applied in a network that performs network address translation (NAT), characterized in that the method comprises:
an access device sending a result query request to a management server, the result query request including a device identification (ID) of the access device;
the access device receiving a result query response returned by the management server in response to the result query request, the result query response including a first correspondence, the first correspondence including a first authentication ID and a first authorization result, the first correspondence being provided to the management server by a Portal server;
the access device determining, according to an authentication indication in the first authorization result and the first authentication ID, whether a first terminal has passed Portal authentication, and determining, according to authorization information in the first authorization result, whether to forward Hypertext Transfer Protocol (HTTP) packets of the first terminal, so that Portal authentication is completed when a NAT device is located between the first terminal and the Portal server.
2. The method according to claim 1, characterized in that, before the access device sends the result query request to the management server, the method further comprises:
the access device receiving an HTTP packet from the first terminal, which has not passed Portal authentication;
the access device sending a redirect uniform resource locator (URL) to the first terminal, so that the first terminal initiates an authentication request to the Portal server according to the redirect URL, so that the Portal server performs Portal authentication on the first terminal and provides the first correspondence to the management server; the redirect URL including the device ID and the first authentication ID.
3. The method according to claim 2, characterized in that the result query response further includes a second correspondence, the second correspondence including a second authentication ID and a second authorization result; the second authentication ID being different from the first authentication ID.
4. The method according to any one of claims 1 to 3, characterized in that the device ID is a media access control (MAC) address or a number that uniquely identifies the access device.
5. The method according to any one of claims 1 to 4, characterized in that the first authentication ID is generated based on the address of the first terminal and is:
the sum of the MAC address of the first terminal and a random number; or
the sum of the Internet Protocol (IP) address of the first terminal and a random number; or
the value obtained by performing a hash operation on the sum of the MAC address of the first terminal and a random number; or
the value obtained by performing a hash operation on the sum of the IP address of the first terminal and a random number.
6. A Portal authentication method, applied in a network that performs network address translation (NAT), characterized in that the method comprises:
a management server receiving a result query request sent by an access device, the result query request including a device identification (ID) of the access device;
the management server determining, according to the result query request, a first correspondence corresponding to the device ID, the first correspondence including a first authentication ID and a first authorization result, the first correspondence being provided to the management server by a Portal server;
the management server returning a result query response to the access device, the result query response including the first correspondence, so that the access device completes Portal authentication according to the first correspondence when a NAT device is located between a terminal and the Portal server.
7. The method according to claim 6, characterized in that, before the management server receives the result query request sent by the access device, the method further comprises:
the management server receiving the device ID and the first correspondence provided by the Portal server, and storing the first correspondence in a first buffer queue, a queue ID of the first buffer queue being the device ID.
8. The method according to claim 7, characterized in that
the management server determining, according to the result query request, the first correspondence corresponding to the device ID comprises:
the management server determining the first buffer queue according to the device ID;
obtaining all correspondences in the first buffer queue, including the first correspondence and a second correspondence, the second correspondence including a second authentication ID and a second authorization result, the second authentication ID being different from the first authentication ID;
correspondingly, the result query response further including the second correspondence.
9. A Portal authentication method, applied in a network that performs network address translation (NAT), characterized in that the method comprises:
a Portal server obtaining a first authorization result according to authentication information submitted by a terminal, together with a device identification (ID) of an access device and a first authentication ID corresponding to the first authorization result, the first authorization result including an authentication indication and authorization information;
the Portal server sending a first correspondence and the device ID to a management server for storage, the first correspondence including the first authorization result and the first authentication ID, so that the access device queries the first correspondence according to the device ID and completes Portal authentication according to the obtained first correspondence when a NAT device is located between the terminal and the Portal server.
10. The method according to claim 9, characterized in that the Portal server obtaining the first authorization result according to the authentication information submitted by the terminal, together with the device ID of the access device and the first authentication ID corresponding to the first authorization result, comprises:
the Portal server receiving an authentication request initiated by the terminal to the Portal server via a redirect uniform resource locator (URL), the redirect URL being provided to the terminal by the access device and including the device ID and the first authentication ID;
the Portal server returning an authentication page to the terminal, the authentication page including the device ID and the first authentication ID;
the Portal server receiving the authentication information submitted by the terminal, the authentication information including terminal information entered by the terminal on the authentication page and the device ID and the first authentication ID included in the authentication page;
the Portal server sending the terminal information to an authentication, authorization and accounting (AAA) server for authentication;
the Portal server receiving the first authorization result returned by the AAA server based on the terminal information; or the Portal server receiving an authentication result returned by the AAA server based on the terminal information and generating the first authorization result based on the authentication result;
the Portal server obtaining, from the authentication information, the device ID and the first authentication ID corresponding to the first authorization result.
11. The method according to claim 9 or 10, characterized in that, after the Portal server sends the first correspondence and the device ID to the management server for storage, the method further comprises:
the Portal server receiving the device ID and the first authentication ID notified by the management server;
the Portal server determining an address of the terminal according to the device ID and the first authentication ID;
the Portal server sending an authentication result page to the terminal according to the address of the terminal.
12. An access device, characterized by comprising:
a transmitter, configured to send a result query request to a management server, the result query request including a device identification (ID) of the access device;
a receiver, configured to receive a result query response returned by the management server in response to the result query request, the result query response including a first correspondence, the first correspondence including a first authentication ID and a first authorization result, the first correspondence being provided to the management server by a Portal server;
a processor, configured to determine, according to an authentication indication in the first authorization result and the first authentication ID, whether a first terminal has passed Portal authentication, and to determine, according to authorization information in the first authorization result, whether to forward Hypertext Transfer Protocol (HTTP) packets of the first terminal, so that Portal authentication is completed when a NAT device is located between the first terminal and the Portal server.
13. The access device according to claim 12, characterized in that, before the transmitter sends the result query request to the management server,
the receiver is further configured to receive an HTTP packet from the first terminal, which has not passed Portal authentication;
the transmitter is further configured to send a redirect uniform resource locator (URL) to the first terminal, so that the first terminal initiates an authentication request to the Portal server according to the redirect URL, so that the Portal server performs Portal authentication on the first terminal and provides the first correspondence to the management server; the redirect URL including the device ID and the first authentication ID.
14. The access device according to claim 13, characterized in that the result query response received by the receiver further includes a second correspondence, the second correspondence including a second authentication ID and a second authorization result; the second authentication ID being different from the first authentication ID.
15. The access device according to any one of claims 12 to 14, characterized in that the device ID is a media access control (MAC) address or a number that uniquely identifies the access device.
16. The access device according to any one of claims 12 to 15, characterized in that the first authentication ID is generated by the processor based on the address of the first terminal and is:
the sum of the MAC address of the first terminal and a random number; or
the sum of the Internet Protocol (IP) address of the first terminal and a random number; or
the value obtained by performing a hash operation on the sum of the MAC address of the first terminal and a random number; or
the value obtained by performing a hash operation on the sum of the IP address of the first terminal and a random number.
17. A management server, characterized by comprising:
a receiver, configured to receive a result query request sent by an access device, the result query request including a device identification (ID) of the access device;
a processor, configured to determine, according to the result query request, a first correspondence corresponding to the device ID, the first correspondence including a first authentication ID and a first authorization result, the first correspondence being provided to the management server by a Portal server;
a transmitter, configured to return a result query response to the access device, the result query response including the first correspondence, so that the access device completes Portal authentication according to the first correspondence when a NAT device is located between a terminal and the Portal server.
18. The management server according to claim 17, characterized in that, before the receiver receives the result query request sent by the access device,
the receiver is further configured to receive the device ID and the first correspondence provided by the Portal server;
the processor is further configured to store the first correspondence in a first buffer queue, a queue ID of the first buffer queue being the device ID.
19. The management server according to claim 18, characterized in that, when determining the first correspondence corresponding to the device ID according to the result query request, the processor specifically:
determines the first buffer queue according to the device ID;
obtains all correspondences in the first buffer queue, including the first correspondence and a second correspondence, the second correspondence including a second authentication ID and a second authorization result, the second authentication ID being different from the first authentication ID;
correspondingly, the result query response returned by the transmitter further includes the second correspondence.
20. A Portal server, characterized by comprising:
a receiver, configured to receive authentication information submitted by a terminal;
a processor, configured to obtain a first authorization result according to the authentication information, together with a device identification (ID) of an access device and a first authentication ID corresponding to the first authorization result;
a transmitter, configured to send a first correspondence and the device ID to a management server for storage, the first correspondence including the first authorization result and the first authentication ID, so that the access device queries the first correspondence according to the device ID and completes Portal authentication according to the obtained first correspondence when a NAT device is located between the terminal and the Portal server.
21. The Portal server according to claim 20, characterized in that, before the processor obtains the first authorization result according to the authentication information submitted by the terminal, together with the device ID of the access device and the first authentication ID corresponding to the first authorization result,
the receiver is further configured to receive an authentication request initiated by the terminal to the Portal server via a redirect uniform resource locator (URL), the redirect URL being provided to the terminal by the access device and including the device ID and the first authentication ID;
the transmitter is further configured to return an authentication page to the terminal, the authentication page including the device ID and the first authentication ID;
the receiver is further configured to receive the authentication information submitted by the terminal, the authentication information including terminal information entered by the terminal on the authentication page and the device ID and the first authentication ID included in the authentication page;
the transmitter is further configured to send the terminal information to an authentication, authorization and accounting (AAA) server for authentication;
and in that, when obtaining the first authorization result according to the authentication information submitted by the terminal, together with the device ID of the access device and the first authentication ID corresponding to the first authorization result, the processor specifically:
obtains the first authorization result that the AAA server returned based on the terminal information and the receiver received; or obtains an authentication result that the AAA server returned based on the terminal information and the receiver received, and generates the first authorization result based on the authentication result;
obtains, from the authentication information, the device ID and the first authentication ID corresponding to the first authorization result.
22. Portal server as described in claim 20 or 21, it is characterised in that the transmitter First corresponding relation and the device id are sent to after management server preservation,
The receiver is additionally operable to, and receives the device id and described first that the management server is notified Certification ID;
The processor is additionally operable to, and according to the device id and the first certification ID, determines the terminal Address;
The transmitter is additionally operable to, and according to the address of the terminal, to the terminal authentication result page is sent.
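The flow that claims 18 to 22 describe hinges on one point: when a NAT device sits between the terminal and the Portal server, every terminal behind it reaches the Portal server from the same public IP, so an authorization result cannot be tied back to a terminal by source address. The claims instead carry a (device ID, authentication ID) pair from the access device's redirect URL through the authentication page to the management server's per-device buffer queue. The simulation below is an added example, not the patent's or Huawei's code; the message shapes, the AAA stub, the drain-on-query behaviour of the buffer queue, the way the Portal server records the request's source address, and the `portal.example` name and 203.0.113.7 address are all assumptions. It runs two terminals behind one NAT, one with valid and one with invalid credentials, and shows the access device recovering both correspondences from a single query (claim 19) while ignoring any authentication ID it did not issue.

```python
"""Simulation of Portal authentication through NAT as laid out in claims 18-22.
Added example, not the patent's code: message shapes, the AAA stub, the address
bookkeeping in the Portal server and the drain-on-query queue are assumptions."""
from collections import defaultdict, deque
from itertools import count

# Constructed credential store standing in for the AAA server.
AAA_USERS = {"alice": "correct-horse", "bob": "battery-staple"}


class ManagementServer:
    """Holds one buffer queue per access device; the queue ID is the device ID (claim 18)."""

    def __init__(self):
        self.queues = defaultdict(deque)

    def store(self, device_id, auth_id, auth_result):
        # A correspondence is (authentication ID, authorization result).
        self.queues[device_id].append((auth_id, auth_result))

    def query(self, device_id):
        """Claim 19: answer a result query with every correspondence queued for the device."""
        queue = self.queues[device_id]
        entries = list(queue)
        queue.clear()           # assumption: delivered entries are dropped from the queue
        return entries


class PortalServer:
    def __init__(self, mgmt):
        self.mgmt = mgmt
        self.sessions = {}      # (device_id, auth_id) -> address the request arrived from

    def handle_redirect(self, device_id, auth_id, src_addr):
        """Claim 21: the redirected URL carries device ID and auth ID; the returned
        authentication page echoes both so the later submission can be correlated."""
        self.sessions[(device_id, auth_id)] = src_addr
        return {"device_id": device_id, "auth_id": auth_id}

    def submit(self, page, username, password):
        """Claim 21: terminal info goes to AAA; the result is paired with the device ID and
        auth ID from the page and handed to the management server (claim 20)."""
        auth_result = AAA_USERS.get(username) == password   # stub for the AAA exchange
        self.mgmt.store(page["device_id"], page["auth_id"], auth_result)
        return auth_result

    def result_page_target(self, device_id, auth_id):
        """Claim 22: from the management server's notification, find the terminal address."""
        return self.sessions.get((device_id, auth_id))


class AccessDevice:
    def __init__(self, device_id, mgmt):
        self.device_id = device_id
        self.mgmt = mgmt
        self.pending = {}       # auth_id -> terminal MAC still awaiting a result
        self.authorized = set()
        self._ids = count(1)

    def redirect_url(self, terminal_mac):
        # Constructed sequential IDs keep the run deterministic; a real device would
        # issue unguessable IDs so a result cannot be matched to the wrong terminal.
        auth_id = f"auth-{next(self._ids)}"
        self.pending[auth_id] = terminal_mac
        return f"http://portal.example/login?dev={self.device_id}&auth={auth_id}", auth_id

    def poll(self):
        """Claims 18-19: query by device ID and match each correspondence to a pending terminal."""
        for auth_id, auth_result in self.mgmt.query(self.device_id):
            mac = self.pending.pop(auth_id, None)
            if mac is None:
                continue        # unknown or already consumed auth ID: do not authorize anything
            if auth_result:
                self.authorized.add(mac)


def run_flow():
    """Two terminals behind one NAT: the Portal server sees the same public IP for both."""
    mgmt = ManagementServer()
    portal = PortalServer(mgmt)
    ad = AccessDevice("dev-0001", mgmt)
    nat_ip = "203.0.113.7"                   # constructed documentation-range address

    _, id_a = ad.redirect_url("aa:bb:cc:00:00:01")
    _, id_b = ad.redirect_url("aa:bb:cc:00:00:02")
    page_a = portal.handle_redirect(ad.device_id, id_a, (nat_ip, 40001))
    page_b = portal.handle_redirect(ad.device_id, id_b, (nat_ip, 40002))

    portal.submit(page_a, "alice", "correct-horse")   # valid credentials
    portal.submit(page_b, "bob", "wrong")             # invalid credentials

    ad.poll()   # a single query returns both correspondences (claim 19)
    return {
        "authorized": sorted(ad.authorized),
        "pending": dict(ad.pending),
        "queue_empty": not mgmt.queues[ad.device_id],
        "target_a": portal.result_page_target(ad.device_id, id_a),
    }


if __name__ == "__main__":
    print(run_flow())
```

Only the terminal whose credentials AAA accepted ends up authorized, the rejected one is cleared from the pending table without being authorized, and the Portal server can still address the result page to the right NAT session because it keyed that session on (device ID, auth ID) rather than on the shared public IP.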
CN201510715637.3A 2015-10-29 2015-10-29 A kind of portal authentication method, access device and management server Active CN106656911B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510715637.3A CN106656911B (en) 2015-10-29 2015-10-29 A kind of portal authentication method, access device and management server

Publications (2)

Publication Number Publication Date
CN106656911A true CN106656911A (en) 2017-05-10
CN106656911B CN106656911B (en) 2019-10-01

Family

ID=58830781

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510715637.3A Active CN106656911B (en) 2015-10-29 2015-10-29 A kind of portal authentication method, access device and management server

Country Status (1)

Country Link
CN (1) CN106656911B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107733931A (en) * 2017-11-30 2018-02-23 新华三技术有限公司 Portal authentication method, device and portal server
CN107733926A (en) * 2017-11-28 2018-02-23 杭州迪普科技股份有限公司 A kind of method and device of the portal certifications based on NAT
CN109194695A (en) * 2018-10-31 2019-01-11 新华三技术有限公司 Gate verification method, system and computer readable storage medium
CN109474588A (en) * 2018-11-02 2019-03-15 杭州迪普科技股份有限公司 A kind of terminal authentication method and device
CN109951478A (en) * 2019-03-19 2019-06-28 新华三技术有限公司 Authorization management method and device
CN110505188A (en) * 2018-05-18 2019-11-26 华为技术有限公司 A kind of terminal authentication method, relevant device and Verification System
CN110958128A (en) * 2018-09-26 2020-04-03 浙江宇视科技有限公司 Alarm reporting scheduling method and device
CN111049946A (en) * 2019-12-24 2020-04-21 深信服科技股份有限公司 Portal authentication method, Portal authentication system, electronic equipment and storage medium
CN111092904A (en) * 2019-12-27 2020-05-01 杭州迪普科技股份有限公司 Network connection method and device
CN113709741A (en) * 2021-09-23 2021-11-26 北京华信傲天网络技术有限公司 Authentication access system of local area network
CN113949562A (en) * 2021-10-15 2022-01-18 迈普通信技术股份有限公司 Portal authentication method, device and system, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582856A (en) * 2009-06-29 2009-11-18 杭州华三通信技术有限公司 Session setup method of Portal server and BAS (broadband access server) device and system thereof
CN102984173A (en) * 2012-12-13 2013-03-20 迈普通信技术股份有限公司 Network access control method and system
CN103209159A (en) * 2012-01-13 2013-07-17 中国电信股份有限公司 Portal authentication method and system
CN104104516A (en) * 2014-07-30 2014-10-15 杭州华三通信技术有限公司 Portal authentication method and device

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107733926A (en) * 2017-11-28 2018-02-23 杭州迪普科技股份有限公司 A kind of method and device of the portal certifications based on NAT
CN107733931B (en) * 2017-11-30 2021-03-09 新华三技术有限公司 Portal authentication method and device and portal server
CN107733931A (en) * 2017-11-30 2018-02-23 新华三技术有限公司 Portal authentication method, device and portal server
CN110505188A (en) * 2018-05-18 2019-11-26 华为技术有限公司 A kind of terminal authentication method, relevant device and Verification System
CN110505188B (en) * 2018-05-18 2021-10-22 华为技术有限公司 Terminal authentication method, related equipment and authentication system
CN110958128A (en) * 2018-09-26 2020-04-03 浙江宇视科技有限公司 Alarm reporting scheduling method and device
CN110958128B (en) * 2018-09-26 2022-11-25 浙江宇视科技有限公司 Alarm reporting scheduling method and device
CN109194695A (en) * 2018-10-31 2019-01-11 新华三技术有限公司 Gate verification method, system and computer readable storage medium
CN109474588A (en) * 2018-11-02 2019-03-15 杭州迪普科技股份有限公司 A kind of terminal authentication method and device
CN109951478A (en) * 2019-03-19 2019-06-28 新华三技术有限公司 Authorization management method and device
CN109951478B (en) * 2019-03-19 2021-06-29 新华三技术有限公司 Authorization management method and device
CN111049946A (en) * 2019-12-24 2020-04-21 深信服科技股份有限公司 Portal authentication method, Portal authentication system, electronic equipment and storage medium
CN111049946B (en) * 2019-12-24 2023-03-24 深信服科技股份有限公司 Portal authentication method, portal authentication system, electronic equipment and storage medium
CN111092904A (en) * 2019-12-27 2020-05-01 杭州迪普科技股份有限公司 Network connection method and device
CN111092904B (en) * 2019-12-27 2022-04-26 杭州迪普科技股份有限公司 Network connection method and device
CN113709741A (en) * 2021-09-23 2021-11-26 北京华信傲天网络技术有限公司 Authentication access system of local area network
CN113949562A (en) * 2021-10-15 2022-01-18 迈普通信技术股份有限公司 Portal authentication method, device and system, electronic equipment and storage medium
CN113949562B (en) * 2021-10-15 2023-11-17 迈普通信技术股份有限公司 Portal authentication method, device, system, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN106656911B (en) 2019-10-01

Similar Documents

Publication Publication Date Title
CN106656911A (en) Portal authentication method, access device and management server
CN105307108B (en) A kind of Internet of Things information exchange communication means and system
CN1874217B (en) Method for determining route
CN101741817B (en) System, device and method for multi-network integration
KR102150750B1 (en) Trusted login method and device
WO2021115449A1 (en) Cross-domain access system, method and device, storage medium, and electronic device
CN107409125A (en) The efficient strategy implement using network token for service user planar approach
CN101582856B (en) Session setup method of portal server and BAS (broadband access server) device and system thereof
CA2419853A1 (en) Location-independent packet routing and secure access in a short-range wireless networking environment
CN101990183A (en) Method, device and system for protecting user information
CN105516171B (en) Portal keep-alive system and method, Verification System and method based on authentication service cluster
CN106131066B (en) A kind of authentication method and device
JP2018522323A (en) Voice communication processing method and system, electronic apparatus, and storage medium
US8769623B2 (en) Grouping multiple network addresses of a subscriber into a single communication session
US10951616B2 (en) Proximity-based device authentication
CN107872445A (en) Access authentication method, equipment and Verification System
CN109151821A (en) A kind of message processing method and device
CN109548022A (en) Method for mobile terminal user to remotely access local network
CN109769249A (en) A kind of authentication method, system and its apparatus
CN105763658B (en) For being addressed method, addressable server and the system of equipment dynamic IP addressing
CN106453349A (en) An account number login method and apparatus
CN110086839A (en) A kind of dynamic access method and device of remote equipment
CN104469770B (en) Towards WLAN authentication methods, platform and the system of third-party application
CN107172211A (en) Communication connection request method for building up and server
CN104735050B (en) A kind of fusion mac certifications and the authentication method of web authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant