CN107820246B - User authentication method, device and system

Info

Publication number: CN107820246B (application CN201610827230.4A; other version CN107820246A; other language: Chinese (zh))
Authority: CN (China)
Prior art keywords: authentication, user terminal, portal, message, portal authentication
Legal status: Active
Inventor: 周明志
Current and original assignee: Huawei Technologies Co Ltd

Classifications

    • H04W 12/06 Authentication (H: Electricity > H04: Electric communication technique > H04W: Wireless communication networks > H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 84/12 WLAN [Wireless Local Area Networks] (H04W 84/00: Network topologies > H04W 84/02: Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN or WLL [Wireless Local Loop] > H04W 84/10: Small scale networks; Flat hierarchical networks)


Abstract

A method, a device and a system for user authentication can improve authentication efficiency. The method comprises the following steps: a first AC receives first information sent by a second AC, where the first information comprises an identifier of the second AC and indicates that a first user terminal has roamed to the second AC; the first AC receives, from an authentication server, a Portal authentication message for the first user terminal; and the first AC sends indication information to the authentication server, where the indication information indicates that the first user terminal has roamed to the second AC.

Description

User authentication method, device and system
Technical Field
The present invention relates to the field of communications, and in particular, to a method, an apparatus, and a system for user authentication.
Background
A wireless local area network (WLAN) generally includes an Access Controller (AC) and an Access Point (AP), where a user terminal accesses the network through the AP and the AC is used for centralized control of the APs.
In some high-density scenarios, such as a gymnasium or an exhibition hall that can accommodate a large number of spectators, in order to let a large number of users access the network through the WLAN, many access points are deployed and groups of access points are controlled by different ACs, so that network coverage and communication performance across the whole high-density venue are guaranteed.
In the AC roaming scenario, after the first authentication of the user terminal fails, the authentication server sends Portal authentication messages to all ACs in the AC roaming group. In a high-density venue the number of users is large, and so is the number of devices in the AC roaming group, so the number of Portal authentication messages processed by the authentication server and the AC devices may be large. This may leave the authentication server unable to process the Portal authentication messages, so that authentication messages are lost, and the large number of Portal authentication messages may occupy a relatively large share of the network bandwidth, which affects the performance of the entire network.
Disclosure of Invention
The application provides a method, a device and a system for user authentication, which can improve the authentication efficiency.
In a first aspect, a method for user authentication is provided, including: a first Access Controller (AC) receives first information sent by a second AC, wherein the first information comprises an identifier of the second AC, and the first information is used for indicating a first user terminal to roam to the second AC; the first AC receives a Portal authentication message sent by an authentication server and used for the first user terminal; and the first AC sends indication information to the authentication server, wherein the indication information is used for indicating that the first user terminal has roamed to the second AC.
Therefore, the first AC can obtain the information indicating the AC to which the user terminal belongs currently from other ACs, so that under the condition that the authentication server sends the Portal authentication message of the user terminal to the first AC, the first AC indicates the second AC to which the user terminal belongs currently to the authentication server, the authentication server can conveniently resend the Portal authentication message to the second AC, the authentication server only needs to resend the Portal authentication message to the second AC, signaling overhead is saved, and authentication performance is improved.
In a possible implementation manner, the indication information is carried in a Portal authentication response message, the Portal authentication response message includes authentication failure type information, and the authentication failure type information is used for indicating that the authentication failure type of the Portal authentication message of the first user terminal is authentication failure caused by user terminal roaming.
The first AC indicates the second AC to which the first user terminal belongs to the authentication server by carrying the indication information in the Portal authentication response message, so that the authentication server can only resend the Portal authentication message to the second AC without sending the Portal authentication message to all the ACs in the roaming group, the signaling overhead is saved, and the authentication performance is improved.
In a possible implementation manner, the identifier of the second AC includes an IP address of the second AC or a Media Access Control (MAC) address of the second AC, or includes the IP address of the second AC and the MAC address of the second AC.
In one possible implementation manner, the method further includes: and the first AC sends second information to other ACs except the first AC, wherein the second information comprises the identifier of the first AC, and the second information is used for indicating that a second user terminal has roamed to the first AC currently.
In a second aspect, a method for user authentication is provided, including: an authentication server receives an authentication request of a user terminal, wherein the authentication request comprises an identifier of the user terminal; the authentication server sends a first Portal authentication message to the first AC according to the authentication request; the authentication server receives indication information from the first AC, wherein the indication information indicates that the user terminal currently roams to a second AC; and the authentication server sends a second Portal authentication message to the second AC according to the indication information.
In the authentication method, after the authentication server sends the first Portal authentication message to the first AC, the authentication server can receive the indication information from the first AC, and the second AC to which the user terminal belongs is determined through the indication information, so that the Portal authentication message can be sent to the second AC again.
In a possible implementation manner, the indication information is carried in a Portal authentication response message, the Portal authentication response message includes authentication failure type information, and the authentication failure type information is used to indicate that the authentication failure type of the Portal authentication message of the first user terminal is authentication failure caused by user terminal roaming.
The first AC indicates the second AC to which the first user terminal belongs to the authentication server by carrying the indication information in the Portal authentication response message, so that the authentication server can only resend the Portal authentication message to the second AC without sending the Portal authentication message to all the ACs in the roaming group, the signaling overhead is saved, and the authentication performance is improved.
In a possible implementation manner, the indication information includes an identifier of the second AC; the identity of the second AC may be an IP address of the second AC, or a MAC address of the second AC, or both an IP address and a MAC address of the second AC.
In one possible implementation, the identity of the user terminal includes an IP address of the user terminal.
In a third aspect, an apparatus is provided that includes means for performing the method of the first aspect. Based on the same inventive concept, since the principle by which the apparatus solves the problem corresponds to the scheme of the method of the first aspect, the implementation of the apparatus can refer to the implementation of the method, and details are not repeated here.
In a fourth aspect, an apparatus is provided that includes means for performing the method of the second aspect. Based on the same inventive concept, since the principle by which the apparatus solves the problem corresponds to the scheme of the method of the second aspect, the implementation of the apparatus can refer to the implementation of the method, and details are not repeated here.
In a fifth aspect, a communication system is provided, which comprises the apparatus of the third aspect and the apparatus of the fourth aspect.
In a sixth aspect, an apparatus is provided that includes a memory to store a program; a transceiver for communicating with other devices; a processor for executing the program in the memory, the processor being adapted to perform the method of the first aspect when the program is executed.
In a seventh aspect, an apparatus is provided that includes a memory to store a program; a transceiver for communicating with other devices; a processor for executing the program in the memory, the processor being adapted to perform the method of the second aspect when the program is executed.
In an eighth aspect, a communication system is provided, which includes the apparatus of the sixth aspect and the apparatus of the seventh aspect.
In a ninth aspect, there is provided a computer storage medium storing a computer program comprising instructions for performing the method of the first aspect or any of its possible implementations.
In a tenth aspect, there is provided a computer storage medium for storing a computer program comprising instructions for performing the method of the second aspect or any possible implementation of the second aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic block diagram of a method of user authentication of an embodiment of the present invention.
Fig. 2 is a schematic application scenario diagram of a method for user authentication according to an embodiment of the present invention.
Fig. 3 is a flowchart of another method for user authentication according to an embodiment of the present invention.
Fig. 4 is a flowchart of a method for user authentication according to an embodiment of the present invention.
Fig. 5 is a schematic block diagram of a method for user authentication provided by an embodiment of the present invention.
Fig. 6 is a schematic diagram of a format of a Portal message according to an embodiment of the present invention.
Fig. 7 is a schematic structural diagram of a user authentication device according to an embodiment of the present invention.
Fig. 8 is a schematic structural diagram of another user authentication apparatus according to an embodiment of the present invention.
Fig. 9 is a schematic structural diagram of a device for user authentication according to an embodiment of the present invention.
Fig. 10 is a schematic structural diagram of another user authentication apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The user terminal may be a mobile phone, a laptop, a vehicle-mounted mobile device, etc. supporting the WLAN technology.
Fig. 2 is a schematic view of an application scenario of a method for user authentication according to an embodiment of the present invention. As shown in Fig. 2, in a high-density scenario an AC roaming group includes multiple ACs, each AC may need to manage multiple APs, and data may be transmitted between the ACs in the AC roaming group through a communication link, where the communication link may be a tunnel.
Fig. 3 is a schematic block diagram of a method 300 of user authentication of an embodiment of the present invention. As shown in fig. 3, the method 300 includes:
S301, a first AC receives first information sent by a second AC, wherein the first information comprises an identifier of the second AC, and the first information is used for indicating that a first user terminal has roamed to the second AC.
The first AC and the second AC may be ACs belonging to the same AC roaming group. The AC roaming group may include a plurality of ACs. Communication links exist among all ACs in the AC roaming group, and all ACs in the AC roaming group can carry out data synchronization and message forwarding through the communication links.
Optionally, the first AC may be the AC to which the first user terminal belonged before roaming. Optionally, the current network configuration of the user terminal may have been assigned by the first AC.
Alternatively, when the first user terminal roams to a new AC in the AC roaming group, the new AC may inform the other ACs in the roaming group that the first user terminal has now roamed to it. For example, when the first user terminal roams to a second AC, the second AC may send first information to each AC in the AC roaming group, where the first information indicates that the first user terminal has currently roamed to the second AC; the second AC may be any AC in the roaming group. Alternatively, the second AC may determine, by analyzing the IP address of the first user terminal, that this IP address is managed by the first AC, and send the first information only to the first AC to save signaling overhead. The other ACs in the roaming group may locally save or update the first information after receiving it. Optionally, the first AC may store a mapping relationship between the first user terminal and the second AC to which the first user terminal has currently roamed.
For example, the IP address of the user terminal, the ACL information of the user terminal and the VLAN information of the user terminal can be synchronized between the ACs.
Optionally, the identifier of the second AC may include at least one of the following information: an IP address of the second AC and a MAC address of the second AC.
Alternatively, the AC in the embodiment of the present invention may be a radio access controller. Optionally, the roaming of the first user terminal to the first AC may refer to the roaming of the first user terminal into a coverage area of an AP managed by the first AC. Or, the AP to which the first user terminal is currently connected is an AP managed by the first AC.
S302, the first AC receives a Portal authentication message sent by an authentication server and used for the first user terminal.
Alternatively, an authentication server may be used to control access rights. For example, the authentication server may be used to verify the user's account and password during the access of the user terminal to the network.
Optionally, before the authentication server sends the Portal authentication message of the first user terminal, the first user terminal may send a Portal authentication request to the authentication server, where the Portal authentication request may be used to request the authentication server to authenticate the access right of the first user terminal.
Alternatively, the authentication server may send the Portal authentication message to the first AC based on the Portal authentication request. As will be appreciated by those skilled in the art, the network configuration of the first user terminal does not change on roaming, that is, it remains the configuration from before roaming (i.e., the configuration assigned by the first AC). After analyzing the network configuration information of the first user terminal, the authentication server therefore determines that the first user terminal is managed by the first AC and sends the Portal authentication message to the first AC according to the Portal authentication request. As an example, the Portal authentication request sent by the first user terminal to the authentication server may include the IP address of the first user terminal, and the authentication server determines from that IP address that the first user terminal is managed by the first AC. Alternatively, before the first user terminal sends the Portal authentication request to the authentication server, it needs to establish a Hypertext Transfer Protocol (HTTP) connection with the authentication server. Since the IP address used by the first user terminal for the HTTP connection is an IP address managed by the first AC, the authentication server may also obtain the IP address of the first user terminal from the HTTP connection and thereby determine that the first user terminal is managed by the first AC. Thus, the authentication server sends the Portal authentication message of the first user terminal to the first AC.
S303, the first AC sends indication information to the authentication server, where the indication information is used to indicate that the first user terminal has roamed to the second AC.
Optionally, after receiving the Portal authentication message for the first user terminal, the first AC may locally query the status of the first user terminal. Since the first AC may have locally saved the mapping relationship between the first user terminal and the second AC according to the first information, the first AC may determine, from the mapping relationship or from the first information, that the first user terminal currently belongs to the management range of the second AC. Accordingly, the first AC may send the above-mentioned indication information to the authentication server, so that the authentication server can send the Portal authentication message to the second AC again according to the indication information.
In the embodiment of the invention, the first AC can acquire the information indicating the AC to which the user terminal belongs currently from other ACs, so that under the condition that the authentication server sends the Portal authentication message of the user terminal to the first AC, the first AC indicates the second AC to which the user terminal belongs currently to the authentication server, and the authentication server can conveniently resend the Portal authentication message to the second AC, therefore, the authentication server only needs to resend the Portal authentication message to the second AC, the signaling overhead is saved, and the authentication performance is improved.
Optionally, in the method 300, the indication information may be carried in a Portal authentication response message, where the Portal authentication response message includes authentication failure type information, and the authentication failure type information is used to indicate that the authentication failure type of the Portal authentication message of the first user terminal is authentication failure caused by user terminal roaming.
For example, after receiving the Portal authentication packet of the first user terminal, the first AC may query the state of the first user terminal in its local user table. Since the first user terminal has roamed to the second AC, the first AC cannot find a matching entry for the first user terminal in the user table. Thus, the first AC may send a Portal authentication response message to the authentication server, and the Portal authentication response message carries the indication information. At the same time, the Portal authentication response message can carry authentication failure type information to indicate that the authentication failure type is authentication failure caused by user terminal roaming.
In the embodiment of the invention, the first AC indicates the second AC to which the first user terminal belongs currently to the authentication server by carrying the indication information in the Portal authentication failure message, so that the authentication server can only resend the Portal authentication message to the second AC without sending the Portal authentication message to all the ACs in the roaming group, the signaling overhead is saved, and the authentication performance is improved.
Optionally, in the method 300, the indication information includes at least one of the following information: an IP address of the second AC and a MAC address of the second AC.
For example, in a scenario where the first user terminal is not authenticated, after the first user terminal roams from the first AC to the second AC, the second AC notifies the first AC through a communication link between the ACs, and the first user terminal is connected to the second AC, and reports the IP address or the MAC address of the second AC to the first AC. The first AC needs to maintain the mapping relationship between the first user terminal and the second AC, and is used for informing the authentication server of the IP address of the second AC or the MAC address of the second AC to which the first user terminal actually roams through the indication information after the roaming authentication of the first user terminal fails, so that the authentication server can conveniently resend the Portal authentication message to the second AC.
Optionally, in the method 300, the method further includes: and the first AC sends second information to other ACs except the first AC, wherein the second information comprises the identifier of the first AC, and the second information is used for indicating that a second user terminal has roamed to the first AC currently.
Wherein the other AC may be an AC located in the same AC roaming group as the first AC. When the second user terminal roams into the management range of the first AC, the first AC may send second information to other ACs in the same AC roaming group over the communication link to indicate that the second user terminal is currently roaming to the first AC. So that the other ACs in the roaming group perform information synchronization, for example, the other ACs may maintain a mapping relationship between the second user terminal and the first AC.
Optionally, Fig. 4 shows a schematic block diagram of a method 400 of user authentication of an embodiment of the invention, which method 400 may be performed by an authentication server. Contents of the method shown in Fig. 4 that are the same as or similar to those in Fig. 3 may refer to the description related to Fig. 2 and are not repeated here. The method 400 includes:
S401, an authentication server receives an authentication request of a user terminal, wherein the authentication request comprises an identifier of the user terminal.
Optionally, the identity of the user terminal comprises an IP address of the user terminal. The IP address of the user terminal may be assigned to the user terminal by the first AC.
S402, the authentication server sends a first Portal authentication message to the first AC according to the authentication request.
Optionally, the first AC may be an AC to which the user terminal belongs before roaming.
Optionally, the authentication server determines that the AC corresponding to the user terminal is the first AC by analyzing the authentication request. The authentication server may also determine the first AC from the network configuration information of the user terminal. As an example, the Portal authentication request sent by the first user terminal to the authentication server may include the IP address of the first user terminal, and the authentication server determines from that IP address that the first user terminal is managed by the first AC. Alternatively, before the first user terminal sends the Portal authentication request to the authentication server, it needs to establish an HTTP connection with the authentication server. Since the IP address used by the first user terminal for the HTTP connection is an IP address managed by the first AC, the authentication server may also obtain the IP address of the first user terminal from the HTTP connection and thereby determine that the first user terminal is managed by the first AC. Thus, the authentication server sends the Portal authentication message of the first user terminal to the first AC.
S403, the authentication server receives indication information from the first AC, where the indication information indicates that the user terminal has currently roamed to a second AC.
Optionally, the indication information may be carried in a Portal authentication response message, where the Portal authentication response message is used to respond to the first Portal authentication message. The Portal authentication response message comprises authentication failure type information, and the authentication failure type information is used for indicating that the authentication failure type of the Portal authentication message of the first user terminal is authentication failure caused by user terminal roaming.
Optionally, the indication information may include at least one of the following information: an IP address of the second AC and a MAC address of the second AC.
S404, the authentication server sends a second Portal authentication message to the second AC according to the indication information.
Optionally, the authentication server may determine an IP address and/or a MAC address of the second AC according to the indication information, and send a second Portal authentication packet to the second AC.
In the embodiment of the invention, after the authentication server sends the first Portal authentication message to the first AC, the authentication server can receive the indication information from the first AC, and the second AC to which the user terminal belongs is determined through the indication information, so that the Portal authentication message can be sent to the second AC again.
The embodiments of the present invention will be described in more detail with reference to specific examples. It should be noted that the example of fig. 5 is only for assisting the skilled person in understanding the embodiments of the present invention, and is not intended to limit the embodiments of the present invention to the specific values or specific scenarios illustrated. It will be apparent to those skilled in the art that various equivalent modifications or variations are possible in light of the example given in figure 5, and such modifications or variations also fall within the scope of the embodiments of the invention. As shown in FIG. 5, AP1 is managed by a first AC and AP2 is managed by a second AC. The method 500 of user authentication shown in fig. 5 includes:
S501, after the user terminal roams from the area covered by AP1 to the area covered by AP2 (the IP address does not change when the user terminal roams between ACs), it sends a Portal authentication request to the authentication server.
Optionally, after the user terminal roams into the coverage area of AP2, the second AC may send first information to the first AC over the inter-AC communication link to indicate that the user terminal is currently roaming into the coverage area of the second AC. The first information may include an IP address and a MAC address of the second AC.
S502, after receiving the Portal authentication request of the user terminal, the authentication server encapsulates the Portal authentication request into a first Portal authentication message and sends the first Portal authentication message to the first AC.
For example, the Portal authentication request may include a username and password. After receiving the Portal authentication request and verifying the user name and the password, the authentication server encapsulates the Portal authentication request into a Portal authentication message and sends the Portal authentication message to the first AC.
S503, the first AC locally inquires that the user terminal roams to the second AC, and sends a Portal authentication failure message to the authentication server.
Optionally, the message may include a roaming authentication error code, and an IP address and/or a MAC address of the second AC. Wherein, the roaming authentication error code is used for indicating that Portal authentication fails due to roaming.
S504, after receiving the Portal authentication failure message, the authentication server determines that the AC to which the user terminal roams currently is the second AC, and re-initiates a second Portal authentication request to the second AC.
S505, after receiving the second Portal authentication request, the second AC sends an authentication success message to the authentication server, and the user terminal successfully goes online at the second AC.
In the embodiment of the invention, for the problem of Portal authentication failure caused by roaming of a not-yet-authenticated user terminal, the AC to which the user terminal actually belongs after roaming can be found with only one further authentication, so that the load on the authentication server, equipment and bandwidth is reduced, and the authentication performance of the authentication server in a roaming scenario is improved.
Optionally, in the method described in fig. 3 to fig. 5, after the roaming authentication fails, the first AC may carry the IP address and the MAC address of the AC to which the user terminal actually belongs at present in an authentication failure message, and return the authentication failure message to the authentication server.
The Portal message consists of a message field and an Attribute field. FIG. 6 shows a schematic format diagram of the Portal message according to the embodiment of the invention. Referring to FIG. 6, the message field may include the version number (Ver), message type (Type), authentication type (AuthType), reserved field (Rsvd), message serial number (SerialNo), message ID (RequestID), user IP address (UserIP) and port number (UserPort), error type (ErrorCode) and attribute number (Attribute), and the attribute field (Attribute Data) may include an attribute type (Attribute), attribute length (AttrLen) and attribute value (Data) describing user information such as the user name, password, etc.
In the embodiment of the invention, a roaming authentication error code, for example 99, may be carried in the ErrorCode field of a Portal message to identify the type (cause) of the authentication failure as a roaming authentication failure. In addition, a type-length-value (TLV) may be newly added in the Attribute Data field to carry the IP address and/or MAC address of the second AC to which the user terminal currently roams, and an attribute number (Attribute) may be newly added to identify the IP address and the MAC address of the AC to which the user terminal currently roams; as an example, the attribute number of the IP address may be 0xE1 and the attribute number of the MAC address may be 0xE2.
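The following is an added worked example, written for this page and not code from the patent or from Huawei. It encodes and parses a Portal message laid out as in FIG. 6 and then plays through steps S501 to S505 with a toy first AC, second AC and authentication server: the first AC answers with ErrorCode 99 and TLVs 0xE1/0xE2 (the values given above) naming the roamed-to AC, and the server re-sends exactly once to that AC. The field widths (a 16-byte header), the Type values 0x03/0x04, and the AttrLen semantics (length of the value bytes only) are assumptions of this example; the page does not specify them. Addresses are constructed sample values.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Header field order follows FIG. 6; the widths (16 bytes total) are this example's assumption:
# Ver, Type, AuthType, Rsvd, SerialNo, RequestID, UserIP, UserPort, ErrorCode, AttrNum
HEADER = struct.Struct("!BBBBHHIHBB")
MSG_REQ_AUTH, MSG_ACK_AUTH = 0x03, 0x04              # assumed Type values
ROAMING_ERROR_CODE = 99                              # roaming authentication error code from the page
ATTR_ROAM_AC_IP, ATTR_ROAM_AC_MAC = 0xE1, 0xE2       # attribute numbers from the page


@dataclass
class PortalMessage:
    msg_type: int
    serial_no: int
    req_id: int
    user_ip: str
    user_port: int = 0
    err_code: int = 0
    attrs: list = field(default_factory=list)        # [(attribute type, value bytes), ...]

    def encode(self) -> bytes:
        # AttrLen is taken as the length of the value bytes only (assumption).
        body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in self.attrs)
        return HEADER.pack(2, self.msg_type, 0, 0, self.serial_no, self.req_id,
                           int(IPv4Address(self.user_ip)), self.user_port,
                           self.err_code, len(self.attrs)) + body

    @classmethod
    def decode(cls, data: bytes) -> "PortalMessage":
        if len(data) < HEADER.size:
            raise ValueError("short Portal header")
        _ver, t, _auth, _rsvd, sn, rid, ip, port, err, n = HEADER.unpack_from(data)
        attrs, off = [], HEADER.size
        for _ in range(n):                           # bounds-checked TLV walk
            if off + 2 > len(data):
                raise ValueError("truncated attribute header")
            atype, alen = struct.unpack_from("!BB", data, off)
            off += 2
            if off + alen > len(data):
                raise ValueError("attribute length overruns message")
            attrs.append((atype, bytes(data[off:off + alen])))
            off += alen
        return cls(t, sn, rid, str(IPv4Address(ip)), port, err, attrs)


def roaming_ac_from_failure(msg: PortalMessage) -> Optional[tuple]:
    """(IP, MAC) of the AC the terminal roamed to, or None if this is not a roaming failure."""
    if msg.err_code != ROAMING_ERROR_CODE:
        return None
    ip = mac = None
    for t, v in msg.attrs:
        if t == ATTR_ROAM_AC_IP and len(v) == 4:
            ip = str(IPv4Address(v))
        elif t == ATTR_ROAM_AC_MAC and len(v) == 6:
            mac = ":".join(f"{b:02x}" for b in v)
    return None if ip is None and mac is None else (ip, mac)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


class AccessController:
    """Toy AC: the roamed_away table is filled by the 'first information' of S501."""

    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.roamed_away = {}                        # user IP -> (AC IP, AC MAC)
        self.online = set()

    def learn_roaming(self, user_ip: str, ac_ip: str, ac_mac: str) -> None:
        self.roamed_away[user_ip] = (ac_ip, ac_mac)

    def handle_auth(self, req: PortalMessage) -> PortalMessage:
        ack = PortalMessage(MSG_ACK_AUTH, req.serial_no, req.req_id, req.user_ip, req.user_port)
        if req.user_ip in self.roamed_away:          # S503: fail, but name the current AC
            ac_ip, ac_mac = self.roamed_away[req.user_ip]
            ack.err_code = ROAMING_ERROR_CODE
            ack.attrs = [(ATTR_ROAM_AC_IP, IPv4Address(ac_ip).packed),
                         (ATTR_ROAM_AC_MAC, mac_bytes(ac_mac))]
        else:                                        # S505: terminal belongs here, bring it online
            self.online.add(req.user_ip)
        return ack


def authenticate(acs: dict, home_ac_ip: str, user_ip: str, serial: int = 1) -> str:
    """Authentication server side (S502, S504): try the home AC, then at most one re-send."""
    req = PortalMessage(MSG_REQ_AUTH, serial, 0x1001, user_ip, 2000)
    ack = PortalMessage.decode(acs[home_ac_ip].handle_auth(req).encode())   # wire round trip
    if ack.err_code == 0:
        return home_ac_ip
    target = roaming_ac_from_failure(ack)
    if target is None or target[0] not in acs:
        raise PermissionError(f"Portal authentication failed, ErrorCode {ack.err_code}")
    ack2 = PortalMessage.decode(acs[target[0]].handle_auth(req).encode())
    if ack2.err_code != 0:
        raise PermissionError("re-sent Portal authentication failed at the roamed-to AC")
    return target[0]
```

To run the scenario, create two `AccessController` objects, call `learn_roaming` on the first one for the terminal's IP (this stands in for the first information of S501), and call `authenticate` with the first AC as the home AC: the return value is the second AC's IP and the terminal appears in the second AC's `online` set only. The decoder checks every TLV against the message length before slicing, so a failure message with a bad AttrLen is rejected rather than read out of bounds, and the server only follows a 0xE1 address it already knows as one of its ACs.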
The method for user authentication according to the embodiment of the present invention is introduced above with reference to fig. 1 to 6, and the apparatus according to the embodiment of the present invention will be described in detail below with reference to fig. 7 to 10.
Fig. 7 shows a schematic block diagram of an apparatus 700 for user authentication of an embodiment of the present invention. The apparatus 700 may be an AC, or the apparatus 700 may also be an entity module having AC functionality. The apparatus 700 may perform the steps performed by the first AC in the methods of fig. 1-6. In an embodiment of the present invention, the apparatus 700 may be referred to as a first AC. The apparatus 700 comprises:
a receiving module 710, configured to receive first information sent by a second AC, where the first information includes an identifier of the second AC, and the first information is used to indicate that a first user terminal roams to the second AC;
the receiving module 710 receives a Portal authentication message sent by an authentication server to the first user terminal;
a sending module 720, configured to send indication information to the authentication server, where the indication information is used to indicate that the first user terminal has roamed to the second AC.
In the embodiment of the invention, the first AC can acquire, from other ACs, information indicating the AC to which the user terminal currently belongs. When the authentication server sends the Portal authentication message of the user terminal to the first AC, the first AC indicates to the authentication server the second AC to which the user terminal currently belongs, so that the authentication server can resend the Portal authentication message to the second AC. Because the authentication server only needs to resend the Portal authentication message to the second AC, signaling overhead is saved and authentication performance is improved.
Fig. 8 shows a schematic block diagram of an apparatus 800 of an embodiment of the invention. The apparatus 800 may be an authentication server, or the apparatus 800 may also be an entity module having a function of an authentication server. The apparatus 800 may perform the steps performed by the authentication server in the methods of fig. 1-6. In an embodiment of the present invention, the apparatus 800 may be referred to as an authentication server. The apparatus 800 comprises:
a receiving module 810, configured to receive an authentication request of a user equipment, where the authentication request includes an identifier of the user equipment;
a sending module 820, configured to send a first Portal authentication packet to the first access controller AC according to the authentication request;
the receiving module 810 is further configured to receive indication information from the first AC, where the indication information indicates that the user terminal has currently roamed to a second AC;
the sending module 820 is further configured to send a second Portal authentication packet to the second AC according to the indication information.
In the embodiment of the invention, after the authentication server sends the first Portal authentication message to the first AC, the authentication server can receive the indication information from the first AC, and the second AC to which the user terminal belongs is determined through the indication information, so that the Portal authentication message can be sent to the second AC again.
Fig. 9 shows a schematic block diagram of an apparatus 900 of an embodiment of the invention. The apparatus 900 may be an AC, or the apparatus 900 may also be an entity module having AC functionality. The apparatus 900 may perform the steps performed by the first AC in the methods of fig. 1-6. In an embodiment of the present invention, the apparatus 900 may be referred to as a first AC. The apparatus 900 comprises:
a memory 910 for storing programs;
a transceiver 920 for communicating with other devices;
a processor 930 configured to execute the program in the memory 910, wherein, when the program is executed, the processor 930 is configured to receive, through the transceiver 920, first information sent by a second AC, where the first information includes an identifier of the second AC and is used to indicate that a first user terminal has roamed to the second AC; to receive, through the transceiver 920, a Portal authentication message for the first user terminal sent by an authentication server; and to transmit indication information to the authentication server through the transceiver 920, the indication information indicating that the first user terminal has roamed to the second AC.
In the embodiment of the invention, the first AC can acquire, from other ACs, information indicating the AC to which the user terminal currently belongs. When the authentication server sends the Portal authentication message of the user terminal to the first AC, the first AC indicates to the authentication server the second AC to which the user terminal currently belongs, so that the authentication server can resend the Portal authentication message to the second AC. Because the authentication server only needs to resend the Portal authentication message to the second AC, signaling overhead is saved and authentication performance is improved.
Fig. 10 shows a schematic block diagram of an apparatus 1000 of an embodiment of the invention. The apparatus 1000 may be an authentication server, or the apparatus 1000 may be an entity module having a function of the authentication server. The device 1000 may perform the steps performed by the authentication server in the methods of fig. 1-6. In an embodiment of the present invention, the apparatus 1000 may be referred to as an authentication server. The apparatus 1000 comprises:
a memory 1010 for storing a program;
a transceiver 1020 for communicating with other devices;
a processor 1030 configured to execute a program in the memory 1010, wherein, when the program is executed, the processor 1030 is configured to receive, via the transceiver 1020, an authentication request of a user terminal, the authentication request including an identifier of the user terminal; to send, via the transceiver 1020, a first Portal authentication message to the first access controller AC according to the authentication request; to receive, via the transceiver 1020, indication information from the first AC indicating that the user terminal has currently roamed to a second AC; and to send, via the transceiver 1020, a second Portal authentication message to the second AC according to the indication information.
In the embodiment of the invention, after the authentication server sends the first Portal authentication message to the first AC, the authentication server can receive the indication information from the first AC, and the second AC to which the user terminal belongs is determined through the indication information, so that the Portal authentication message can be sent to the second AC again.
Additionally, the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein is merely an association describing an associated object, meaning that three relationships may exist, e.g., a and/or B, may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
It is understood that the processor in the embodiments of the present invention may be an integrated circuit chip having signal processing capability. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or in registers. The storage medium is located in a memory, and the processor reads information from the memory and completes the steps of the method in combination with its hardware.
It is to be understood that the memory in embodiments of the present invention may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM) or flash memory. The volatile memory may be Random Access Memory (RAM), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM) and Direct Rambus RAM (DR RAM). The memory of the systems and methods described herein is intended to include, without being limited to, these and any other suitable types of memory.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method of user authentication, comprising:
a first Access Controller (AC) receives first information sent by a second AC, wherein the first information comprises an identifier of the second AC, and the first information is used for indicating a first user terminal to roam to the second AC;
the first AC receives a first Portal authentication message sent by an authentication server to the first user terminal, wherein the first Portal authentication message is used for verifying a Portal authentication request sent by the first user terminal;
the first AC sends a Portal authentication response message to the authentication server, the Portal authentication response message is used for indicating that the first Portal authentication message fails to be authenticated, the Portal authentication response message comprises indication information, and the indication information is used for indicating that the first user terminal roams to the second AC, so that the authentication server sends a second Portal authentication message to the second AC.
2. The method of claim 1, wherein the Portal authentication response message includes authentication failure type information, and the authentication failure type information is used to indicate that the authentication failure type of the Portal authentication message of the first user terminal is authentication failure caused by user terminal roaming.
3. The method of claim 1 or 2, wherein the method further comprises:
and the first AC sends second information to other ACs except the first AC, wherein the second information comprises the identifier of the first AC, and the second information is used for indicating that a second user terminal has roamed to the first AC currently.
4. A method of user authentication, comprising:
an authentication server receives an authentication request of a user terminal, wherein the authentication request comprises an identifier of the user terminal;
the authentication server sends a first Portal authentication message to a first Access Controller (AC) according to the authentication request, wherein the first Portal authentication message is used for verifying a Portal authentication request sent by the user terminal;
the authentication server receives a Portal authentication response message from the first AC, the Portal authentication response message is used for indicating that the first Portal authentication message fails to authenticate, the Portal authentication response message comprises indication information, and the indication information indicates that the user terminal has roamed to a second AC currently;
and the authentication server sends a second Portal authentication message to the second AC according to the indication information, wherein the second Portal authentication message is used for verifying the Portal authentication message.
5. The method according to claim 4, wherein the indication information is carried in the Portal authentication response message, the Portal authentication response message includes authentication failure type information, and the authentication failure type information is used for indicating that the authentication failure type of the Portal authentication message of the user terminal is authentication failure caused by user terminal roaming.
6. An apparatus for user authentication, comprising:
a receiving module, configured to receive first information sent by a second access controller AC, where the first information includes an identifier of the second AC, and the first information is used to indicate that a first user terminal roams to the second AC;
the receiving module is further configured to receive a first Portal authentication message sent by an authentication server to the first user terminal, where the first Portal authentication message is used to verify a Portal authentication request sent by the first user terminal;
and the sending module is used for sending a Portal authentication response message to the authentication server, wherein the Portal authentication response message is used for indicating that the first Portal authentication message fails to be authenticated, and the Portal authentication response message comprises indication information which is used for indicating that the first user terminal roams to the second AC so that the authentication server can send a second Portal authentication message to the second AC.
7. The apparatus of claim 6, wherein the Portal authentication response message includes authentication failure type information indicating that the authentication failure type of the Portal authentication message of the first user terminal is authentication failure caused by user terminal roaming.
8. The apparatus according to claim 6 or 7, wherein the apparatus is a first AC, and the sending module is further configured to send second information to other ACs except the first AC, where the second information includes an identifier of the first AC, and the second information is used to indicate that a second user terminal has currently roamed to the first AC.
9. An apparatus for user authentication, comprising:
a receiving module, configured to receive an authentication request of a user terminal, where the authentication request includes an identifier of the user terminal;
a sending module, configured to send a first Portal authentication packet of the user terminal to a first access controller AC according to the authentication request, where the first Portal authentication packet is used to verify a Portal authentication request sent by the user terminal;
the receiving module is further configured to receive a Portal authentication response message from the first AC, where the Portal authentication response message is used to indicate that the first Portal authentication message fails to authenticate, and the Portal authentication response message includes indication information indicating that the user terminal has currently roamed to a second AC;
the sending module is further configured to send a second Portal authentication packet to the second AC according to the indication information, where the second Portal authentication packet is used to verify the Portal authentication packet.
10. The apparatus of claim 9, wherein the Portal authentication response message includes authentication failure type information indicating that the authentication failure type of the Portal authentication message of the user terminal is authentication failure caused by user terminal roaming.
CN201610827230.4A 2016-09-14 2016-09-14 User authentication method, device and system Active CN107820246B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610827230.4A CN107820246B (en) 2016-09-14 2016-09-14 User authentication method, device and system

Publications (2)

Publication Number Publication Date
CN107820246A CN107820246A (en) 2018-03-20
CN107820246B true CN107820246B (en) 2020-07-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant