CN107995212B - Authentication method and device - Google Patents

Info

Publication number: CN107995212B
Authority: CN (China)
Legal status: Active
Application number: CN201711376997.0A
Other languages: Chinese (zh)
Other versions: CN107995212A (en)
Inventor: 何巧
Current Assignee: Hangzhou H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application provides an authentication method and an authentication device, which can comprise the following steps: after receiving a network access request message sent by a terminal, searching an authentication template identifier for authenticating the terminal in recorded authentication template identifiers, wherein the recorded authentication template identifiers comprise authentication template identifiers issued by a Portal server to an AC (access controller) and/or an AP (access point) associated with the AC; based on the searched authentication template identification, constructing a URL link for redirecting to the Portal server, and returning the URL link to the terminal, so that the Portal server searches an authentication template corresponding to the searched authentication template identification carried in the login page request after receiving the login page request sent by the terminal through the URL link, and authenticates the terminal. By using the method provided by the application, the authentication template can be selected for authentication based on multiple dimensions while the authentication efficiency is improved.

Description

Authentication method and device
Technical Field
The present application relates to the field of computer communications, and in particular, to an authentication method and apparatus.
Background
Portal authentication is also commonly referred to as Web authentication, and Portal authentication websites are commonly referred to as Web portals. When an unauthenticated user goes online, the device forces the user to log in to a specific site, and the user can access the services on that site free of charge. When the user needs to use other information on the internet, the user must authenticate on the portal site, and internet resources can be used only after authentication succeeds.
In the Portal authentication mechanism, after receiving a network access request message sent by an unauthenticated terminal, the access device may return to the terminal a URL (Uniform Resource Locator) that redirects to a Portal server. The terminal sends a login page request to the Portal server through the URL, and the Portal server may return a login page to the terminal. After the user enters the user name and password to be authenticated on the login page, the access device may forward them to the Portal server, and the Portal server completes authentication of the terminal device.
However, the Portal server uses the same authentication template to authenticate every terminal, which makes it difficult to meet the personalized requirements of users.
Disclosure of Invention
In view of the above, the present application provides an authentication method and apparatus, which can select an authentication template for authentication based on multiple dimensions while improving authentication efficiency.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of the present application, there is provided an authentication method, applied to an AC, including:
after receiving a network access request message sent by a terminal, searching an authentication template identifier for authenticating the terminal in recorded authentication template identifiers, wherein the recorded authentication template identifiers comprise authentication template identifiers issued by a Portal server to an AC (access controller) and/or an AP (access point) associated with the AC;
based on the searched authentication template identification, constructing a URL link for redirecting to the Portal server, and returning the URL link to the terminal, so that the Portal server searches an authentication template corresponding to the searched authentication template identification carried in the login page request after receiving the login page request sent by the terminal through the URL link, and authenticates the terminal.
Optionally, the authentication template identifier issued by the Portal server to the AC is recorded in at least one of the following ways:
when a device configuration sent by the Portal server is received, the first authentication template identifier carried by the device configuration is stored in a designated field of the Network Access Server (NAS) identifier of the AC;
when a service template configuration sent by the Portal server is received, the correspondence between the second authentication template identifier carried by the service template configuration and the service set identifier (SSID) carried by the service template configuration is recorded; and/or,
the authentication template identifier issued by the Portal server to an AP associated with the AC is recorded in the following way:
the obtained correspondence between the NAS identifier of the AP associated with the AC and the AP identifier is recorded; the NAS identifier of the AP associated with the AC includes the authentication template identifier issued to the AP by the Portal server.
Optionally, the searching for the authentication template identifier for authenticating the terminal from the recorded authentication template identifiers includes:
searching, in the recorded correspondence between the second authentication template identifier and the SSID, for the second authentication template identifier corresponding to the SSID carried in the network access request message; and,
in the recorded correspondence between the AP identifier and the NAS identifier, searching the NAS identifier corresponding to the AP identifier carried in the network access request message, if the searched NAS identifier records the authentication template identifier, taking the searched NAS identifier as a target NAS identifier, and if the searched NAS identifier does not record the authentication template identifier, taking the NAS identifier of the AC as the target NAS identifier;
taking the searched second authentication template identification and the target NAS identification as the authentication template identification for authenticating the terminal;
constructing a Uniform Resource Locator (URL) link for redirecting to the Portal server based on the found authentication template identifier, comprising:
and constructing a URL (uniform resource locator) redirected to the Portal server based on the target NAS identification and the searched second authentication template identification.
According to a second aspect of the present application, there is provided an authentication method, applied to a Portal server, comprising:
after an issuing instruction for issuing the authentication template identification is detected, issuing the authentication template identification carried by the issuing instruction to an AC or AP indicated by the issuing instruction;
receiving a login page request sent by a terminal, searching an authentication template corresponding to an authentication template identifier carried in the login page request, and authenticating the terminal by using the searched authentication template.
Optionally, after detecting an issuing instruction for issuing an authentication template identifier, issuing the authentication template identifier carried by the issuing instruction to the AC or AP indicated by the issuing instruction, where the issuing instruction includes at least one of the following modes:
if an issuing instruction for issuing the authentication template identifier distributed for the AC or the AP is detected, adding a first authentication template identifier carried by the issuing instruction into the equipment configuration of the AC or the AP indicated by the issuing instruction, and issuing the equipment configuration to the AC or the AP indicated by the issuing instruction;
if an issuing instruction for issuing the authentication template identifier allocated to the SSID on the AC is detected, adding a second authentication template identifier carried by the issuing instruction and the SSID corresponding to the second authentication template identifier into the service template configuration corresponding to the SSID, and issuing the service template configuration to the AC associated with the SSID.
Optionally, the receiving a login page request sent by the terminal, and searching for an authentication template corresponding to an authentication template identifier carried in the login page request includes:
when the NAS identification carried by the login page request contains an authentication template identification, the login page request contains a second authentication template identification, and the authentication template identification contained in the NAS identification is inconsistent with the second authentication template identification, searching an authentication template corresponding to the second authentication template identification;
if the NAS identification carried by the login page request contains an authentication template identification, the login page request contains a second authentication template identification, and the authentication template identification contained in the NAS identification is consistent with the second authentication template identification, searching an authentication template corresponding to any one authentication template identification in the login page request;
if the NAS identification carried by the login page request does not contain an authentication template identification and the login page request carries a second authentication template identification, searching an authentication template corresponding to the second authentication template identification;
and if the NAS identification carried by the login page request contains an authentication template identification and the login page request does not carry a second authentication template identification, searching an authentication template corresponding to the authentication template identification contained by the NAS identification.
According to a third aspect of the present application, there is provided an authentication apparatus, which is applied to an AC, including:
the search unit is used for searching an authentication template identifier for authenticating the terminal in the recorded authentication template identifiers after receiving a network access request message sent by the terminal, wherein the recorded authentication template identifiers comprise authentication template identifiers issued by a Portal server to the AC and/or issued to an AP (access point) associated with the AC;
and the construction unit is used for constructing a URL link for redirecting to the Portal server based on the searched authentication template identifier and returning the URL link to the terminal, so that the Portal server searches the authentication template corresponding to the searched authentication template identifier carried in the login page request after receiving the login page request sent by the terminal through the URL link and authenticates the terminal.
Optionally, the authentication template identifier issued by the Portal server to the AC is recorded in at least one of the following ways:
when a device configuration sent by the Portal server is received, the first authentication template identifier carried by the device configuration is stored in a designated field of the Network Access Server (NAS) identifier of the AC;
when a service template configuration sent by the Portal server is received, the correspondence between the second authentication template identifier carried by the service template configuration and the service set identifier (SSID) carried by the service template configuration is recorded; and/or,
the authentication template identifier issued by the Portal server to an AP associated with the AC is recorded in the following way:
the obtained correspondence between the NAS identifier of the AP associated with the AC and the AP identifier is recorded; the NAS identifier of the AP associated with the AC includes the authentication template identifier issued to the AP by the Portal server.
Optionally, the searching unit is specifically configured to search, in the recorded correspondence between the second authentication template identifier and the SSID, the second authentication template identifier corresponding to the SSID carried in the network access request packet; and searching NAS identification corresponding to the AP identification carried in the network access request message in the recorded corresponding relation between the AP identification and the NAS identification, if the searched NAS identification records an authentication template identification, taking the searched NAS identification as a target NAS identification, and if the searched NAS identification does not record the authentication template identification, taking the NAS identification of the AC as the target NAS identification; taking the searched second authentication template identification and the target NAS identification as the authentication template identification for authenticating the terminal;
the constructing unit is specifically configured to construct a URL redirected to the Portal server based on the target NAS identifier and the found second authentication template identifier.
According to a fourth aspect of the present application, there is provided an authentication apparatus applied to a Portal server, comprising:
the issuing unit is used for issuing the authentication template identifier carried by the issuing instruction to the AC or AP indicated by the issuing instruction after detecting the issuing instruction for issuing the authentication template identifier;
and the authentication unit is used for receiving the login page request sent by the terminal, searching an authentication template corresponding to the authentication template identifier carried in the login page request, and authenticating the terminal by using the searched authentication template.
Optionally, the issuing unit is specifically configured to, if an issuing instruction for issuing an authentication template identifier allocated to the AC or AP is detected, add a first authentication template identifier carried by the issuing instruction to the device configuration of the AC or AP indicated by the issuing instruction, and issue the device configuration to the AC or AP indicated by the issuing instruction; if an issuing instruction for issuing the authentication template identifier allocated to the SSID on the AC is detected, adding a second authentication template identifier carried by the issuing instruction and the SSID corresponding to the second authentication template identifier into the service template configuration corresponding to the SSID, and issuing the service template configuration to the AC associated with the SSID.
Optionally, the authentication unit is specifically configured to, when the NAS identifier carried in the login page request includes an authentication template identifier, and the login page request carries a second authentication template identifier, and the authentication template identifier included in the NAS identifier is inconsistent with the second authentication template identifier, search for an authentication template corresponding to the second authentication template identifier; if the NAS identification carried by the login page request contains an authentication template identification, the login page request contains a second authentication template identification, and the authentication template identification contained in the NAS identification is consistent with the second authentication template identification, searching an authentication template corresponding to any one authentication template identification in the login page request; if the NAS identification carried by the login page request does not contain an authentication template identification and the login page request carries a second authentication template identification, searching an authentication template corresponding to the second authentication template identification; and if the NAS identification carried by the login page request contains an authentication template identification and the login page request does not carry a second authentication template identification, searching an authentication template corresponding to the authentication template identification contained by the NAS identification.
Different authentication templates are configured according to different dimensions, for example, different SSIDs correspond to different authentication templates, different ACs correspond to different authentication templates, and different APs correspond to different authentication templates, so that the authentication templates are richer, the authentication templates are set from different dimensions, and the individual requirements of users are met.
According to the method and the device, the corresponding relation between the authentication template identification and the SSID is not stored on the Portal server, but the authentication template identification is issued to each AC or AP, and after the AC receives a network access request message sent by a terminal and finds the authentication template identification for authenticating the terminal, the AC can construct the URL redirected to the Portal server based on the authentication template identification. When the terminal uses the URL to send a login page request to the Portal server, the login page request carries the searched authentication template identification, and the server can authenticate the terminal by using the authentication template corresponding to the authentication template identification.
On one hand, the Portal server does not maintain the corresponding relation between the authentication template identification and parameters such as SSID and the like, so that when the SSID is changed, the Portal server does not need to be changed and synchronized, and the maintenance of the corresponding relation is greatly simplified. On the other hand, the Portal server does not maintain the corresponding relation between the authentication template identifier and parameters such as SSID and the like, so that the Portal server does not need to search the authentication template identifier first, but extracts the authentication template identifier from the login page request sent by the terminal, and the process of searching the authentication template by the server is greatly simplified.
Drawings
FIG. 1 is a schematic diagram illustrating an exemplary embodiment of Portal authentication networking;
FIG. 2 is a flow chart illustrating a method of authentication in accordance with an exemplary embodiment of the present application;
FIG. 3 is an interaction diagram illustrating a method of authentication in accordance with an exemplary embodiment of the present application;
FIG. 4 is a hardware configuration diagram of an AC where an authentication apparatus is located according to an exemplary embodiment of the present application;
FIG. 5 is a block diagram of an authentication apparatus corresponding to FIG. 4 according to an exemplary embodiment of the present application;
FIG. 6 is a hardware configuration diagram of a Portal server where an authentication device is located according to an exemplary embodiment of the present application;
FIG. 7 is a block diagram of an authentication apparatus corresponding to FIG. 6 according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In a related mechanism, in order to meet the personalization requirement of the authentication template, different authentication templates are generally configured for different SSIDs (service set identifiers).
On one hand, the mode of configuring different authentication templates only by using SSID dimension is relatively single, and the requirement of configuring different authentication templates based on multiple dimensions such as device dimension and the like cannot be met.
On the other hand, in the related mechanism, the correspondence between the SSID and the authentication template identification is typically maintained on the Portal server.
After receiving the login page request sent by the terminal, the Portal server can search the authentication template identification corresponding to the SSID carried in the login page request in the corresponding relationship between the SSID and the authentication template stored locally, and then search the authentication template corresponding to the authentication template identification by taking the authentication template identification as an index to authenticate the terminal.
However, when the SSID is changed, the AC needs to report an SSID change message to the Portal server, and the Portal server needs to update the correspondence between the SSID and the authentication template identifier. Because a large number of change messages are generated between the AC and the Portal server, the link becomes severely congested and the transmission efficiency of normal data messages is reduced.
In the authentication method provided by the present application, first, different authentication templates are configured according to different dimensions: for example, different SSIDs correspond to different authentication templates, different ACs correspond to different authentication templates, and different APs correspond to different authentication templates. The authentication templates are therefore richer, are set from different dimensions, and meet the personalized requirements of users.
In the second aspect, the corresponding relation between the authentication template identifier and the SSID, etc., is not stored in the Portal server, but the authentication template identifier is issued to each AC or AP, and after the AC receives the network access request message sent by the terminal, the AC can construct the URL redirected to the Portal server based on the authentication template identifier after finding the authentication template identifier for authenticating the terminal. When the terminal uses the URL to send a login page request to the Portal server, the login page request carries the searched authentication template identification, and the server can authenticate the terminal by using the authentication template corresponding to the authentication template identification.
On one hand, the Portal server does not maintain the corresponding relation between the authentication template identification and parameters such as SSID and the like, so that when the SSID is changed, the Portal server does not need to be changed and synchronized, and the maintenance of the corresponding relation is greatly simplified. On the other hand, the Portal server does not maintain the corresponding relation between the authentication template identifier and parameters such as SSID and the like, so that the Portal server does not need to search the authentication template identifier first, but extracts the authentication template identifier from the login page request sent by the terminal, and the process of searching the authentication template by the server is greatly simplified.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating a Portal authenticated networking according to an exemplary embodiment of the present application. In the Portal authentication networking, a terminal, an AC, an AP and a Portal server can be included.
The AC may provide access service, and generally includes at least the following three functions:
Before authentication, all network access requests of the terminal are redirected to the Portal server.
During authentication, the AC interacts with the Portal server and the authentication server to complete identity authentication, authorization and accounting.
After authentication succeeds, the terminal is allowed to access the authorized internet resources.
As for the AP: typically, one AC may manage a plurality of APs associated with it. After the terminal associates with an AP, messages sent by the terminal may be forwarded through the AP to the AC associated with that AP.
As for the Portal server: after receiving the login page access request sent by the terminal, it can return the login page to the terminal so that the user of the terminal can enter a user name and a password. In addition, the Portal server can integrate an authentication function and receive an authentication request carrying a user name and a password sent by the terminal in order to authenticate the terminal. The Portal server can also forward the received authentication request to the authentication server, which then performs the authentication, and so on.
Before introducing the methods, several terms mentioned in the present application will be explained.
The authentication template is a general term for the authentication method and the page styles returned during the authentication process.
The authentication method refers to the combination of parameters used for authentication, for example authentication with a user name and a password, or authentication with a mobile phone number and a verification code.
Page style refers to the format of a returned page, such as the login page or the login success page.
The authentication method corresponds to the page style; for example, when the authentication method is user name and password, the returned login page includes controls such as input fields for the user name and password.
The NAS (Network Access Server) identifier is a device-related identifier and is usually carried in the URL link that the AC returns to the terminal for redirection to the Portal server. In this embodiment of the present application, the NAS identifier is redefined. For example, the NAS identifier of the AC generally includes 64 bits, and the redefined format is as follows:
version number (2 bits) - template ID (19 bits) - site ID (19 bits) - device serial number (20 bits).
The template ID is the authentication template identifier.
The site ID is a site identifier; a site may be an area such as a store, a shop or a campus.
This is merely an exemplary illustration of the redefinition of NAS identity and is not specifically limited.
For convenience of description, in the present application, the authentication template identifier corresponding to the AC is referred to as a first authentication template identifier, and the authentication template identifier corresponding to the SSID is referred to as a second authentication template identifier. The first authentication template identifier and the second authentication template identifier are named here for convenience of description. Referring to fig. 2, fig. 2 is a flowchart illustrating an authentication method according to an exemplary embodiment of the present application. The process may include the steps shown below.
Step 201: after detecting an issuing instruction for issuing the authentication template identification, the Portal server issues the authentication template identification carried by the issuing instruction to the AC or AP indicated by the issuing instruction.
Generally, the Portal server may provide a visual interactive interface through which developers may perform operations such as configuration of the Portal server.
The developer may import a plurality of authentication templates on the Portal server, which may store the authentication templates, for example locally or in a storage server corresponding to the Portal server. The index of an authentication template, or the primary key ID of the authentication template, may serve as the authentication template identifier.
In addition, the developer may also register the AC and AP on the Portal server. The registration information of the AC may include a location identifier of a location where the AC is located, and information such as an SSID associated with the AC. The registration information of the AP may include information such as a location identifier of a location where the AP is located. The registration information of the AC and the AP is not particularly limited herein.
The developer may issue the authentication template identifier along multiple dimensions, for example the AC dimension, the AP dimension, or the SSID dimension. After the developer makes the selection, the Portal server can detect the issuing instruction input by the user.
For example, a developer may batch issue authentication template identifications to multiple ACs or APs in a site.
For example, the visual interactive interface may offer options: the developer chooses to issue to ACs by site, selects site 1, and selects authentication template identifier 1, and the Portal server detects the issuing instruction input by the user. The issuing instruction indicates that authentication template identifier 1 is to be issued to the ACs in site 1. In this case, the issuing instruction carries the identifiers of all ACs in site 1 and authentication template identifier 1.
For another example, the developer may also autonomously select multiple ACs and then issue the authentication template identifier to the selected multiple ACs.
For example, a developer may select the issuing policy of issuing by device, then select the plurality of ACs to issue to, and then select the authentication template identifier to issue to those ACs, such as authentication template identifier 1, whereupon an issuing instruction is generated. The Portal server can detect the issuing instruction input by the user, and the issuing instruction indicates that authentication template identifier 1 is to be issued to the selected ACs. In this case, the issuing instruction carries the identifiers of the ACs selected by the developer and authentication template identifier 1.
For another example, the developer may issue an authentication template identifier for ACs with the same SSID.
For example, the developer may select the issuing policy of issuing by SSID, then select SSID1 and authentication template identifier 1, whereupon an issuing instruction is generated. The Portal server can detect the issuing instruction input by the user, which indicates that authentication template identifier 1 is to be issued to the ACs associated with SSID1. In this case, the issuing instruction carries SSID1, the identifiers of the ACs associated with SSID1, and authentication template identifier 1.
Of course, the developer may also issue the authentication template identifier to the AP, which is described above only with the AC as an example.
After detecting the issuing instruction, the Portal server can issue the authentication template identifier carried in the issuing instruction to the AC or AP indicated by the issuing instruction by carrying it in a configuration.
Generally, the page on which the user allocates an authentication template identifier to an AC or AP is different from the page on which the user allocates an authentication template identifier to an SSID on the AC, so the issuing instruction for allocating an authentication template identifier to an AC or AP also differs from the issuing instruction for allocating an authentication template identifier to an SSID.
The different issuing instructions may be distinguished by fields carried in the issuing instructions or by the page interface, which is not specifically limited herein.
If the Portal server detects that the issuing instruction is used for issuing an authentication template identifier allocated to an AC or AP, the Portal server may add the authentication template identifier carried in the issuing instruction (here denoted the first authentication template identifier) to the device configuration corresponding to the identifier of the AC or AP carried in the issuing instruction, and then issue the device configuration to the AC or AP.
If the Portal server detects that the issuing instruction is used for issuing an authentication template identifier allocated to an SSID on the AC, the Portal server may add the authentication template identifier carried in the issuing instruction (here denoted the second authentication template identifier) to the service template configuration, and then issue the service template configuration to the AC indicated by the issuing instruction.
In addition, the Portal server also keeps an issuing record, which records the ACs and APs issued to, the issued authentication template identifier, the issuing time, the SSID, and the like.
It should be noted that the Portal server may issue only one of the two configurations to the AC, or may issue both. This depends on the issuing instruction input by the user.
Step 202: The AC records the authentication template identifier issued by the server for the AC and the authentication template identifier issued for the AP associated with the AC.
First, after the AC receives a configuration sent by the Portal server, it can distinguish whether the configuration is the device configuration or the service template configuration by the port on which the configuration is received or by an identifier carried in the configuration.
Taking distinction by port as an example, assume that the first port corresponds to the device configuration and the second port corresponds to the service template configuration. When the AC receives a configuration on the first port, the AC may determine that the configuration issued by the Portal server is the device configuration. When the AC receives a configuration on the second port, the AC may determine that the configuration issued by the Portal server is a service template configuration.
When the AC determines that it has received the device configuration sent by the Portal server, it can store the first authentication template identifier carried by the device configuration in the specified field of the NAS identifier of the AC.
It should be noted that, for the specified field of the NAS identifier of the AC, still taking the redefined NAS identifier as an example, the 3rd to 21st bits of the NAS identifier are the specified field. Before the device configuration is received, the specified field holds a default value; after the device configuration is received, the first authentication template identifier carried in the device configuration is stored in the specified field of the NAS identifier, overwriting the default value. If the AC does not receive the device configuration, the specified field of the NAS identifier still holds the default value and does not carry the first authentication template identifier.
When the AC determines that it has received the service template configuration sent by the Portal server, it can record the correspondence between the SSID carried by the service template configuration and the second authentication template identifier carried by the service template configuration.
It should be noted that the AC may receive only one of the above two configurations, or both configurations.
In addition, when the AP receives the device configuration delivered by the Portal server, the AP may store the authentication template identifier for the AP, carried in the device configuration, into the specified field of the NAS identifier of the AP.
The AC may obtain the NAS identifiers of the APs associated with the AC, and record the correspondence between each AP identifier and the NAS identifier of that AP. After the server issues an authentication template identifier for the AP, the NAS identifier of the AP records the authentication template identifier issued by the Portal server for the AP.
Step 203: After receiving a network access request message sent by a terminal, the AC searches the recorded authentication template identifiers for the one used to authenticate the terminal.
The network access request message carries an SSID and an AP identifier, such as the MAC address of an AP.
After receiving the network access request message sent by the terminal, the AC may search the recorded correspondence between SSIDs and second authentication template identifiers for the second authentication template identifier corresponding to the SSID carried in the network access request message. The AC may also search the recorded correspondence between AP identifiers and NAS identifiers for the NAS identifier corresponding to the AP identifier carried in the network access request message. Then, the AC may determine whether the specified field of the found NAS identifier records an authentication template identifier. If the specified field of the found NAS identifier records an authentication template identifier, the found NAS identifier is taken as the target NAS identifier. If the specified field of the found NAS identifier does not record an authentication template identifier, the NAS identifier of the AC is taken as the target NAS identifier.
The found second authentication template identifier and the target NAS identifier can then be used as the authentication template identifier for authenticating the terminal.
It should be noted that, after the Portal server issues the device configuration carrying the authentication template identifier for the AC or AP, the NAS identifier of the AC or AP carries the authentication template identifier. Finding the authentication template identifier for authenticating the terminal can therefore be converted into finding the NAS identifier of the AC or AP.
When the NAS identifier of the AC is taken as the target NAS identifier, the target NAS identifier may record the first authentication template identifier, or may record no authentication template identifier. This depends on whether the Portal server has issued an authentication template identifier for the AC.
In addition, when the target NAS identifier is selected, the NAS identifier of the AP is preferred, and the NAS identifier of the local AC is selected only when the NAS identifier of the AP does not carry an authentication template identifier. This is because, in the present application, authentication templates are differentiated both in the AP dimension and in the AC dimension, and the granularity of division in the AP dimension is smaller than that in the AC dimension, so the division of authentication templates becomes finer.
Step 204: The AC constructs a URL link for redirecting to the Portal server based on the found authentication template identifier and returns the URL link to the terminal.
After the authentication template identifier for authenticating the terminal is found, namely the second authentication template identifier and the target NAS identifier are found, the URL link redirected to the Portal server can be constructed based on the second authentication template identifier and the target NAS identifier.
For example, the URL link may be:
https://portalserver:port/portal?response_type=code&redirect_uri=xxx&nas_id=xxx&ssid=xxx&usermac=MAC&userip=ip&userurl=http://baidu.com&apmac=xxx&template_id=xxx
The template_id carried by the URL is the second authentication template identifier, and the nas_id is the target NAS identifier.
In the embodiment of the application, if the second authentication template identifier is not found, the URL link for redirecting to the Portal server is constructed based only on the target NAS identifier, and the URL link does not carry the second authentication template identifier.
The AC may return the constructed URL link to the terminal.
After receiving the URL link, the terminal may generate a login page request message based on the URL link. The login page request message carries some of the information in the URL, such as the NAS identifier and the second authentication template identifier. The terminal may then send the login page request message to the Portal server indicated by the URL.
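The redefined NAS identifier layout and the AC-side handling of steps 202 to 204, as an added Python example that is not part of the patent text: it packs the four fields at the stated widths, stores an issued template identifier in the template field, prefers the AP's NAS identifier when it records a template, and builds the redirect URL with every parameter percent-encoded. The most-significant-first packing, the all-zero default, the hex encoding of nas_id, the class and function names and all sample values are assumptions of this example; the stated widths total 60 bits, and the example models only those.

```python
from urllib.parse import urlencode

# Field widths as given on the page, most significant field first. The packing
# order, the hex text encoding and the all-zero default are assumptions.
FIELDS = (("version", 2), ("template_id", 19), ("site_id", 19), ("serial", 20))
TOTAL_BITS = sum(width for _, width in FIELDS)   # 60 bits described by the page
NO_TEMPLATE = 0                                  # assumed default of the template field


def pack_nas_id(**values):
    """Pack named fields into one integer, rejecting values that overflow a field."""
    nas_id = 0
    for name, width in FIELDS:
        value = values.get(name, 0)
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        nas_id = (nas_id << width) | value
    return nas_id


def unpack_nas_id(nas_id):
    """Split a packed NAS identifier back into its named fields."""
    if not 0 <= nas_id < (1 << TOTAL_BITS):
        raise ValueError("NAS identifier out of range")
    fields, shift = {}, TOTAL_BITS
    for name, width in FIELDS:
        shift -= width
        fields[name] = (nas_id >> shift) & ((1 << width) - 1)
    return fields


class AccessController:
    """Hypothetical model of the AC state kept in steps 202-204."""

    def __init__(self, nas_id, portal_url, redirect_uri):
        self.nas_id = nas_id
        self.portal_url = portal_url
        self.redirect_uri = redirect_uri
        self.ssid_templates = {}   # SSID -> second authentication template identifier
        self.ap_nas_ids = {}       # AP identifier (MAC) -> NAS identifier of that AP

    def on_device_config(self, first_template_id):
        """Step 202: overwrite only the template field of the AC's NAS identifier."""
        fields = unpack_nas_id(self.nas_id)
        fields["template_id"] = first_template_id
        self.nas_id = pack_nas_id(**fields)

    def on_service_template_config(self, ssid, second_template_id):
        """Step 202: record the SSID -> second template correspondence."""
        self.ssid_templates[ssid] = second_template_id

    def target_nas_id(self, ap_mac):
        """Step 203: the AP's NAS identifier wins if it records a template."""
        ap_nas = self.ap_nas_ids.get(ap_mac)
        if ap_nas is not None and unpack_nas_id(ap_nas)["template_id"] != NO_TEMPLATE:
            return ap_nas
        return self.nas_id

    def redirect_url(self, ssid, ap_mac, user_mac, user_ip, user_url):
        """Step 204: build the redirect; template_id is omitted when none is recorded."""
        params = {
            "response_type": "code",
            "redirect_uri": self.redirect_uri,
            "nas_id": format(self.target_nas_id(ap_mac), "015x"),
            "ssid": ssid,
            "usermac": user_mac,
            "userip": user_ip,
            "userurl": user_url,      # terminal-supplied: must be percent-encoded
            "apmac": ap_mac,
        }
        second = self.ssid_templates.get(ssid)
        if second is not None:
            params["template_id"] = str(second)
        return f"{self.portal_url}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    ac = AccessController(pack_nas_id(version=1, site_id=7, serial=0xABCDE),
                          "https://portal.example:8443/portal", "https://ac.example/cb")
    ac.on_device_config(3)
    ac.on_service_template_config("guest", 5)
    ac.ap_nas_ids["aa:bb:cc:00:00:01"] = pack_nas_id(version=1, template_id=8, site_id=7, serial=1)
    print(ac.redirect_url("guest", "aa:bb:cc:00:00:01", "11:22:33:44:55:66",
                          "10.0.0.9", "http://example.com/?a=1&template_id=9"))
```

Because userurl originates at the terminal, encoding it keeps a value such as `...&template_id=9` from becoming a second template_id parameter in the redirect.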
Step 205: The Portal server receives the login page request sent by the terminal, searches for the authentication template corresponding to the authentication template identifier carried in the login page request, and authenticates the terminal by using the found authentication template.
After receiving the login page request message, the Portal server can obtain the NAS identifier and the second authentication template identifier carried in the login page request message.
If the NAS identifier records an authentication template identifier, the login page request message also carries a second authentication template identifier, and the authentication template identifier in the NAS identifier is inconsistent with the second authentication template identifier, the Portal server can preferentially select the authentication template identifier in the NAS identifier and then search for the authentication template corresponding to that authentication template identifier.
If the NAS identifier records an authentication template identifier, the login page request message also carries a second authentication template identifier, and the authentication template identifier in the NAS identifier is consistent with the second authentication template identifier, the Portal server randomly selects one of the authentication template identifier recorded in the NAS identifier and the second authentication template identifier, and searches for the authentication template corresponding to the randomly selected authentication template identifier.
If the NAS identifier does not record an authentication template identifier and the login page request message carries a second authentication template identifier, the Portal server searches for the authentication template corresponding to the second authentication template identifier.
If the NAS identifier records an authentication template identifier and the login page request message does not carry a second authentication template identifier, the Portal server searches for the authentication template corresponding to the authentication template identifier recorded in the NAS identifier.
Then, the Portal server can use the found authentication template to authenticate the terminal and return the corresponding authentication page. The process by which the Portal server authenticates with the authentication template is described in steps 306-316 below.
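The four selection cases of step 205 as an added Python example, not code from the patent: because nas_id and template_id reach the Portal server in a URL that passes through the terminal, the example parses both strictly before applying the precedence given in this step. The 15-digit hex encoding of nas_id, the zero default of the template field, the cross-check against the issuing record, and all names and sample data are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

TEMPLATE_BITS = 19
LOW_BITS = 19 + 20          # site ID + device serial number sit below the template field
NO_TEMPLATE = 0             # assumed default value of the template field


class RequestRejected(Exception):
    """The login page request carries identifiers the Portal server will not act on."""


def parse_identifiers(url):
    """Return (template id recorded in nas_id or None, second template id or None, ssid)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in ("nas_id", "template_id", "ssid"):
        if len(query.get(name, [])) > 1:
            raise RequestRejected(f"parameter {name} appears more than once")
    nas_raw = query.get("nas_id", [""])[0]
    if not re.fullmatch(r"[0-9a-f]{15}", nas_raw):
        raise RequestRejected("nas_id is not 15 lowercase hex digits")
    nas_tid = (int(nas_raw, 16) >> LOW_BITS) & ((1 << TEMPLATE_BITS) - 1)
    second = None
    if "template_id" in query:
        raw = query["template_id"][0]
        if not re.fullmatch(r"[0-9]{1,6}", raw) or not 0 < int(raw) < (1 << TEMPLATE_BITS):
            raise RequestRejected("template_id is not a valid 19-bit identifier")
        second = int(raw)
    ssid = query.get("ssid", [""])[0]
    return (None if nas_tid == NO_TEMPLATE else nas_tid), second, ssid


def select_template_id(nas_tid, second):
    """Apply the four cases of step 205."""
    if nas_tid is not None and second is not None:
        # Inconsistent: the identifier recorded in the NAS identifier is preferred.
        # Consistent: either may be picked, and both are the same value.
        return nas_tid
    if second is not None:
        return second
    if nas_tid is not None:
        return nas_tid
    raise RequestRejected("request carries no authentication template identifier")


def resolve_template(url, templates, issued_by_ssid):
    """Look up the template for a login page request.

    templates: template id -> template (the imported templates).
    issued_by_ssid: SSID -> second template id, taken from the issuing record;
    the cross-check against it is a hardening step assumed by this example.
    """
    nas_tid, second, ssid = parse_identifiers(url)
    if second is not None and issued_by_ssid.get(ssid) != second:
        raise RequestRejected("template_id was not issued for this SSID")
    chosen = select_template_id(nas_tid, second)
    if chosen not in templates:
        raise RequestRejected(f"no authentication template with identifier {chosen}")
    return templates[chosen]


# Constructed sample data, not taken from the page.
TEMPLATES = {3: "username+password", 5: "phone+code", 8: "voucher"}
ISSUED_BY_SSID = {"guest": 5}


def sample_url(template_in_nas, **extra):
    """Build a constructed login page request URL for the demo."""
    nas = format((1 << 58) | (template_in_nas << LOW_BITS) | (7 << 20) | 1, "015x")
    tail = "".join(f"&{key}={value}" for key, value in extra.items())
    return f"https://portal.example:8443/portal?response_type=code&nas_id={nas}{tail}"


if __name__ == "__main__":
    print(resolve_template(sample_url(8, ssid="guest", template_id=5), TEMPLATES, ISSUED_BY_SSID))
```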
Referring to fig. 3, fig. 3 is an interaction diagram illustrating an authentication method according to an exemplary embodiment of the present application. The authentication method proposed by the present application can be applied to authentication based on the OAuth 2.0 protocol, and can of course also be applied to a conventional Portal authentication mechanism; here, Portal authentication based on the OAuth protocol is taken as an example.
Step 301: The terminal sends a network access request message.
The user inputs the unlawful URL in the browser, and the terminal can send a network access request message.
Step 302: the AC may look up the authentication template identification that authenticates the terminal and construct a URL that is redirected to the Portal server.
The network access request message carries an SSID and an AP identifier, such as the MAC address of an AP.
The AC may search the recorded correspondence between SSIDs and second authentication template identifiers for the second authentication template identifier corresponding to the SSID carried in the network access request message. The AC may also search the recorded correspondence between AP identifiers and NAS identifiers for the NAS identifier corresponding to the AP identifier carried in the network access request message. Then, the AC may determine whether the specified field of the found NAS identifier records an authentication template identifier. If the specified field of the found NAS identifier records an authentication template identifier, the found NAS identifier is taken as the target NAS identifier. If the specified field of the found NAS identifier does not record an authentication template identifier, the NAS identifier of the AC is taken as the target NAS identifier.
The AC may construct a URL link that redirects to the Portal server based on the found second authentication template identifier and the target NAS identifier.
For example, the URL link may be:
https://portalserver:port/portal?response_type=code&redirect_uri=xxx&nas_id=xxx&ssid=xxx&usermac=MAC&userip=ip&userurl=http://baidu.com&apmac=xxx&template_id=xxx
The template_id carried by the URL is the second authentication template identifier, and the nas_id is the target NAS identifier.
In the embodiment of the application, if the second authentication template identifier is not found, the URL link for redirecting to the Portal server is constructed based only on the target NAS identifier, and the URL link does not carry the second authentication template identifier.
Step 303: the AC may return the constructed URL link to the terminal.
Step 304: the terminal may send a login page request to the Portal server based on the URL link.
After receiving the URL link, the terminal may generate a login page request message based on the URL link. The login page request message carries some of the information in the URL link, such as the NAS identifier and the second authentication template identifier. The terminal may then send the login page request message to the Portal server indicated by the URL link.
Step 305: The Portal server searches for the corresponding authentication template based on the authentication template identifier carried in the login page request message.
After receiving the login page request message, the Portal server can obtain the NAS identifier and the second authentication template identifier carried in the login page request message.
If the NAS identifier records an authentication template identifier, the login page request message also carries a second authentication template identifier, and the authentication template identifier in the NAS identifier is inconsistent with the second authentication template identifier, the Portal server can select the authentication template identifier in the NAS identifier and then search for the authentication template corresponding to that authentication template identifier.
If the NAS identifier records an authentication template identifier, the login page request message also carries a second authentication template identifier, and the authentication template identifier in the NAS identifier is consistent with the second authentication template identifier, the Portal server randomly selects one of the authentication template identifier recorded in the NAS identifier and the second authentication template identifier, and searches for the authentication template corresponding to the randomly selected authentication template identifier.
If the NAS identifier does not record an authentication template identifier and the login page request message carries a second authentication template identifier, the Portal server searches for the authentication template corresponding to the second authentication template identifier.
If the NAS identifier records an authentication template identifier and the login page request message does not carry a second authentication template identifier, the Portal server searches for the authentication template corresponding to the authentication template identifier recorded in the NAS identifier.
Step 306: the Portal server may return a login page matching the found authentication template to the terminal.
For example, assume that the found authentication template 1 specifies authentication by user name and password; the login page matching authentication template 1 is then a page containing controls in which the user enters the user name and the password. The Portal server may return this page to the terminal.
Step 307: the terminal sends an authentication request to the Portal server.
After receiving the login page, the terminal can display the login page to the user. The user may enter user information, such as a user name, password, or mobile phone number, on the login page. The terminal may then generate an authentication request carrying the user information and send the authentication request to the Portal server.
Step 308: the Portal server can use the searched authentication template to authenticate the user information sent by the terminal.
After receiving the authentication request sent by the terminal, the Portal server may authenticate the user information carried in the authentication request by using the authentication method described in the authentication template found in step 305.
Step 309: after the authentication is passed, the Portal server returns an authentication success message carrying the authorization code.
If the authentication fails, the Portal server can return authentication failure information to the terminal.
Step 310: the terminal may send the authorization code to the AC.
Step 311: The AC may send an access token application request carrying the authorization code to the Portal server.
Step 312: The Portal server returns an access token.
After receiving the access token application request sent by the AC, the Portal server may obtain the authorization code in the request and then find the access token corresponding to the authorization code. The Portal server may then return the access token to the AC.
Step 313: the AC may send a user authentication information request to the Portal server.
The AC can send a user authentication information request to the Portal server, wherein the user authentication information request carries an access token returned by the Portal server.
Step 314: the Portal server may return user authentication information to the AC.
After receiving the user authentication information request sent by the AC, the Portal server can obtain the access token carried in the request and return the user authentication information to the AC based on the access token. The user authentication information returned to the AC carries a URL link through which the user authentication result on the Portal server can be accessed.
Step 315: the AC may return to the terminal a URL link to access the user authentication result on the Portal server.
Step 316: the terminal can send an authentication result page request to the Portal server using the URL link that accessed the user authentication result.
Step 317: the Portal server may return an authentication result page matching the found authentication template.
After receiving the authentication result page request, the Portal server may return the authentication result page matched with the authentication template found in step 305 to the terminal.
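The Portal-side state behind steps 309 to 317, as an added Python example that is not part of the patent text: it shows one way the template found in step 305 can stay bound to the authorization code, the access token and the result URL so that the result page of step 317 matches it. The binding itself, the single-use and 60-second lifetime of the authorization code, the result URL shape and all names are assumptions of this example.

```python
import secrets
import time


class PortalAuthorization:
    """Hypothetical Portal-side state for steps 309-317."""

    CODE_TTL = 60  # seconds an authorization code stays valid (assumed value)

    def __init__(self, result_pages, clock=time.monotonic):
        self.result_pages = result_pages   # template id -> authentication result page
        self.clock = clock
        self.codes = {}     # authorization code -> (user, template id, expiry)
        self.tokens = {}    # access token -> (user, template id)
        self.results = {}   # result id -> (user, template id)

    def issue_code(self, user, template_id):
        """Step 309: after successful authentication, mint an authorization code."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = (user, template_id, self.clock() + self.CODE_TTL)
        return code

    def exchange_code(self, code):
        """Steps 311-312: swap the code for an access token; a code works once."""
        entry = self.codes.pop(code, None)
        if entry is None or self.clock() > entry[2]:
            raise PermissionError("unknown, replayed or expired authorization code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry[:2]
        return token

    def user_auth_info(self, token):
        """Steps 313-314: return user authentication information with a result URL."""
        if token not in self.tokens:
            raise PermissionError("unknown access token")
        user, template_id = self.tokens[token]
        result_id = secrets.token_urlsafe(16)
        self.results[result_id] = (user, template_id)
        return {"user": user, "result_url": f"https://portal.example/result/{result_id}"}

    def result_page(self, url):
        """Steps 316-317: serve the result page of the template chosen in step 305."""
        entry = self.results.get(url.rsplit("/", 1)[-1])
        if entry is None:
            raise PermissionError("unknown authentication result")
        return self.result_pages[entry[1]]


def run_exchange(portal, user, template_id):
    """Walk steps 309-317 once, acting as terminal and AC; returns (code, page)."""
    code = portal.issue_code(user, template_id)      # 309: Portal -> terminal
    token = portal.exchange_code(code)               # 310-312: terminal -> AC -> Portal
    info = portal.user_auth_info(token)              # 313-314: AC -> Portal
    return code, portal.result_page(info["result_url"])   # 315-317


if __name__ == "__main__":
    # Constructed sample data, not taken from the page.
    portal = PortalAuthorization({5: "phone+code: login succeeded"})
    print(run_exchange(portal, "alice", 5)[1])
```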
Referring to fig. 4, fig. 4 is a hardware structure diagram of an AC where an authentication device is located according to an exemplary embodiment of the present application.
The present application also provides a hardware architecture diagram of an AC, the AC comprising: a communication interface 401, a processor 402, a memory 403, and a bus 404; the communication interface 401, the processor 402 and the memory 403 communicate with each other through the bus 404.
The communication interface 401 is used for communicating with the Portal server and the terminal. The processor 402 may be a CPU, the memory 403 may be a non-volatile memory, the memory 403 stores authentication logic instructions, and the processor 402 may execute the authentication logic instructions stored in the memory 403 to implement the above-mentioned authentication function.
Up to this point, the description of the hardware configuration shown in fig. 4 is completed.
Referring to fig. 5, fig. 5 is a block diagram of an authentication apparatus corresponding to fig. 4 according to an exemplary embodiment of the present application. The device is applicable to AC and may include the following elements.
A searching unit 501, configured to search, after receiving a network access request message sent by a terminal, an authentication template identifier for authenticating the terminal from among recorded authentication template identifiers, where the recorded authentication template identifiers include an authentication template identifier issued by a Portal server to an AC and/or an authentication template identifier issued to an AP associated with the AC;
a constructing unit 502, configured to construct, based on the found authentication template identifier, a URL link for redirecting to the Portal server, and return the URL link to the terminal, so that the Portal server, after receiving a login page request sent by the terminal through the URL link, searches for an authentication template corresponding to the found authentication template identifier carried in the login page request, and authenticates the terminal.
Optionally, the authentication template identifier issued by the Portal server to the AC is recorded in at least one of the following ways:
when a device configuration sent by the Portal server is received, the first authentication template identifier carried by the device configuration is stored in the specified field of the NAS identifier of the AC;
when a service template configuration sent by the Portal server is received, the correspondence between the second authentication template identifier carried by the service template configuration and the service set identifier SSID carried by the service template configuration is recorded; and/or,
the authentication template identifier issued by the Portal server to the AP associated with the AC is recorded in the following way:
the obtained correspondence between the NAS identifier of the AP associated with the AC and the AP identifier is recorded, where the NAS identifier of the AP associated with the AC includes the authentication template identifier issued to the AP by the Portal server.
Optionally, the searching unit 501 is specifically configured to search, in a correspondence between the second authentication template identifier and a service set identifier SSID carried in the service template configuration, a second authentication template identifier corresponding to an SSID carried in the network access request packet; and searching NAS identification corresponding to the AP identification carried in the network access request message in the recorded corresponding relation between the AP identification and the NAS identification, if the searched NAS identification records an authentication template identification, taking the searched NAS identification as a target NAS identification, and if the searched NAS identification does not record the authentication template identification, taking the NAS identification of the AC as the target NAS identification; taking the searched second authentication template identification and the target NAS identification as the authentication template identification for authenticating the terminal;
the constructing unit 502 is specifically configured to construct a URL redirected to the Portal server based on the target NAS identifier and the found second authentication template identifier.
Referring to fig. 6, fig. 6 is a hardware structure diagram of a Portal server where an authentication device is located according to an exemplary embodiment of the present application.
The present application also provides a hardware architecture diagram of a Portal server, the Portal server comprising: a communication interface 601, a processor 602, a memory 603, and a bus 604; the communication interface 601, the processor 602 and the memory 603 communicate with each other via a bus 604.
The communication interface 601 is used for communicating with the AC and the terminal. The processor 602 may be a CPU, the memory 603 may be a non-volatile memory, the memory 603 stores authentication logic instructions, and the processor 602 may execute the authentication logic instructions stored in the memory 603 to implement the above-mentioned authentication function.
Up to this point, the description of the hardware configuration shown in fig. 6 is completed.
Referring to fig. 7, fig. 7 is a block diagram of an authentication apparatus corresponding to fig. 6 according to an exemplary embodiment of the present application. The device is applied to a Portal server and can comprise the following units.
The issuing unit 701 is configured to, after detecting an issuing instruction for issuing an authentication template identifier, issue the authentication template identifier carried in the issuing instruction to an AC or an AP indicated by the issuing instruction;
the authentication unit 702 is configured to receive a login page request sent by a terminal, search for an authentication template corresponding to an authentication template identifier carried in the login page request, and authenticate the terminal using the searched authentication template.
Optionally, the issuing unit 701 is specifically configured to, if an issuing instruction for issuing an authentication template identifier allocated to an AC or an AP is detected, add a first authentication template identifier carried by the issuing instruction to the device configuration of the AC or the AP indicated by the issuing instruction, and issue the device configuration to the AC or the AP indicated by the issuing instruction; and if an issuing instruction for issuing the authentication template identifier distributed to the SSID on the AC is detected, adding a second authentication template identifier carried by the issuing instruction and the SSID corresponding to the second authentication template identifier into the service template configuration corresponding to the SSID, and issuing the service template configuration to the AC associated with the service set.
Optionally, the authentication unit 702 is specifically configured to, when the NAS identifier carried in the login page request includes an authentication template identifier, and the login page request carries a second authentication template identifier, and the authentication template identifier included in the NAS identifier is inconsistent with the second authentication template identifier, search for an authentication template corresponding to the second authentication template identifier; if the NAS identification carried by the login page request contains an authentication template identification, the login page request contains a second authentication template identification, and the authentication template identification contained in the NAS identification is consistent with the second authentication template identification, searching an authentication template corresponding to any one authentication template identification in the login page request; if the NAS identification carried by the login page request does not contain an authentication template identification and the login page request carries a second authentication template identification, searching an authentication template corresponding to the second authentication template identification; and if the NAS identification carried by the login page request contains an authentication template identification and the login page request does not carry a second authentication template identification, searching an authentication template corresponding to the authentication template identification contained by the NAS identification.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
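The lookup rules of authentication unit 702, together with the AC-side lookup and redirect construction from the method they refer back to, sketched as an added example that is not code from the patent. The `<device>;tpl=<id>` layout of the NAS identifier, the `nasid`/`tplid` query parameter names, the portal URL and all sample data are assumptions made for the illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumptions for this example (not from the patent): the NAS identifier is
# "<device>;tpl=<id>", and the redirect URL uses "nasid" and "tplid".
PORTAL_URL = "https://portal.example.test/login"


def nas_template_id(nas_id):
    """Template id held in the NAS identifier's designated field, or None."""
    for field in nas_id.split(";")[1:]:
        key, _, value = field.partition("=")
        if key == "tpl" and value:
            return value
    return None


class AccessController:
    def __init__(self, own_nas_id, ssid_templates, ap_nas_ids):
        self.own_nas_id = own_nas_id          # may hold the first template id
        self.ssid_templates = ssid_templates  # SSID -> second template id
        self.ap_nas_ids = ap_nas_ids          # AP id -> NAS identifier of that AP

    def redirect_url(self, ssid, ap_id):
        """Build the redirect URL for a terminal seen on (ssid, ap_id)."""
        ap_nas = self.ap_nas_ids.get(ap_id)
        # Target NAS id: the AP's if it records a template id, else the AC's.
        if ap_nas and nas_template_id(ap_nas):
            target = ap_nas
        else:
            target = self.own_nas_id
        params = {"nasid": target}
        second = self.ssid_templates.get(ssid)
        if second:
            params["tplid"] = second
        return PORTAL_URL + "?" + urlencode(params)


class PortalServer:
    def __init__(self, templates):
        self.templates = templates  # template id -> mode and page style

    def select_template(self, login_url):
        """Return the template id to use for this login page request, or None."""
        query = parse_qs(urlsplit(login_url).query)
        nas_tpl = nas_template_id(query.get("nasid", [""])[0])
        second = query.get("tplid", [None])[0]
        # Second id wins when present (differing or equal); otherwise the NAS one.
        chosen = second or nas_tpl
        # The URL comes back through the terminal, so only ids present in the
        # server's own table are honoured. A request with no id, or an unknown
        # one, is outside the four cases; returning None is this example's choice.
        return chosen if chosen in self.templates else None


# Constructed sample data.
TEMPLATES = {
    "T-guest": {"mode": "sms", "page": "guest.html"},
    "T-lobby": {"mode": "voucher", "page": "lobby.html"},
    "T-ac": {"mode": "password", "page": "default.html"},
}
AC = AccessController(
    own_nas_id="ac-1;tpl=T-ac",
    ssid_templates={"guest": "T-guest", "lobby-wifi": "T-lobby"},
    ap_nas_ids={"ap-7": "ap-7;tpl=T-lobby", "ap-9": "ap-9"},
)
PORTAL = PortalServer(TEMPLATES)

if __name__ == "__main__":
    for ssid, ap in [("guest", "ap-7"), ("staff", "ap-7"), ("staff", "ap-9")]:
        url = AC.redirect_url(ssid, ap)
        print(ssid, ap, url, "->", PORTAL.select_template(url))
```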
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. An authentication method, applied to an Access Controller (AC), includes:
after receiving a network access request message sent by a terminal, according to an SSID (service set identifier) and an AP (access point) identifier carried by the network access request, searching an authentication template identifier for authenticating the terminal in a recorded authentication template identifier, wherein the recorded authentication template identifier comprises an authentication template identifier issued by a Portal server to an AC (access controller) and/or issued to a wireless access point AP (access point) associated with the AC;
based on the searched authentication template identification, constructing a Uniform Resource Locator (URL) link for redirecting to the Portal server, and returning the URL link to the terminal, so that the Portal server searches an authentication template corresponding to the searched authentication template identification carried in a login page request after receiving the login page request sent by the terminal through the URL link, and authenticates the terminal;
the authentication template includes: authentication mode and page style returned in the authentication process.
2. The method of claim 1, wherein the authentication template id issued by the Portal server to the AC is recorded by at least one of:
when equipment configuration sent by the Portal server is received, a first authentication template identifier carried by the equipment configuration is stored in a designated field of a Network Access Server (NAS) identifier of the AC;
when receiving a service template configuration sent by the Portal server, recording the correspondence between a second authentication template identifier carried by the service template configuration and a service set identifier (SSID) carried by the service template configuration; and/or,
the authentication template identifier issued by the Portal server to the AP associated with the AC is recorded in the following manner:
recording the obtained correspondence between the NAS identifier of the AP associated with the AC and the AP identifier; the NAS identifier of the AP associated with the AC comprises an authentication template identifier issued to the AP by the Portal server.
3. The method according to claim 2, wherein the searching for the authentication template identifier for authenticating the terminal from the recorded authentication template identifiers comprises:
searching for a second authentication template identifier corresponding to the SSID carried in the network access request message in the recorded correspondence between the second authentication template identifier and the SSID; and,
in the recorded correspondence between the AP identifier and the NAS identifier, searching the NAS identifier corresponding to the AP identifier carried in the network access request message, if the searched NAS identifier records the authentication template identifier, taking the searched NAS identifier as a target NAS identifier, and if the searched NAS identifier does not record the authentication template identifier, taking the NAS identifier of the AC as the target NAS identifier;
taking the searched second authentication template identification and the target NAS identification as the authentication template identification for authenticating the terminal;
constructing a Uniform Resource Locator (URL) link for redirecting to the Portal server based on the found authentication template identifier, comprising:
and constructing a URL (uniform resource locator) redirected to the Portal server based on the target NAS identification and the searched second authentication template identification.
4. An authentication method, applied to a Portal server, includes:
after an issuing instruction for issuing the authentication template identification is detected, issuing the authentication template identification carried by the issuing instruction to an AC or AP indicated by the issuing instruction;
receiving a login page request sent by a terminal, searching for an authentication template corresponding to an authentication template identifier carried in the login page request, and authenticating the terminal by using the found authentication template; wherein, after an Access Controller (AC) receives a network access request message sent by the terminal, the AC searches the recorded authentication template identifiers for an authentication template identifier for authenticating the terminal according to the SSID (service set identifier) and the AP (access point) identifier carried by the network access request, constructs a Uniform Resource Locator (URL) link for redirecting to the Portal server based on the found authentication template identifier, and returns the URL link to the terminal; and the terminal generates the login page request through the URL link;
the authentication template includes: authentication mode and page style returned in the authentication process.
5. The method according to claim 4, wherein after detecting an issuing instruction for issuing an authentication template identifier, issuing the authentication template identifier carried by the issuing instruction to an AC or AP indicated by the issuing instruction includes at least one of the following modes:
if an issuing instruction for issuing the authentication template identifier distributed for the AC or the AP is detected, adding a first authentication template identifier carried by the issuing instruction into the equipment configuration of the AC or the AP indicated by the issuing instruction, and issuing the equipment configuration to the AC or the AP indicated by the issuing instruction;
if an issuing instruction for issuing the authentication template identifier allocated to the SSID on the AC is detected, adding a second authentication template identifier carried by the issuing instruction and the SSID corresponding to the second authentication template identifier into the service template configuration corresponding to the SSID, and issuing the service template configuration to the AC associated with the SSID.
6. The method according to claim 4, wherein the receiving a login page request sent by a terminal, searching for an authentication template corresponding to an authentication template identifier carried in the login page request, comprises:
when the NAS identification carried by the login page request contains an authentication template identification, the login page request contains a second authentication template identification, and the authentication template identification contained in the NAS identification is inconsistent with the second authentication template identification, searching an authentication template corresponding to the second authentication template identification;
if the NAS identification carried by the login page request contains an authentication template identification, the login page request contains a second authentication template identification, and the authentication template identification contained in the NAS identification is consistent with the second authentication template identification, searching an authentication template corresponding to any one authentication template identification in the login page request;
if the NAS identification carried by the login page request does not contain an authentication template identification and the login page request carries a second authentication template identification, searching an authentication template corresponding to the second authentication template identification;
and if the NAS identification carried by the login page request contains an authentication template identification and the login page request does not carry a second authentication template identification, searching an authentication template corresponding to the authentication template identification contained by the NAS identification.
7. An authentication apparatus, applied to an AC, comprising:
a searching unit, configured to, after receiving a network access request message sent by a terminal, search the recorded authentication template identifiers for an authentication template identifier for authenticating the terminal according to the SSID (service set identifier) and the AP (access point) identifier carried by the network access request, wherein the recorded authentication template identifiers comprise an authentication template identifier issued by a Portal server to the AC (access controller) and/or to a wireless access point (AP) associated with the AC;
a construction unit, configured to construct, based on the found authentication template identifier, a URL link for redirecting to the Portal server, and return the URL link to the terminal, so that the Portal server, after receiving a login page request sent by the terminal through the URL link, finds an authentication template corresponding to the found authentication template identifier carried in the login page request, and authenticates the terminal;
the authentication template includes: authentication mode and page style returned in the authentication process.
8. The apparatus of claim 7, wherein the authentication template id issued by the Portal server to the AC is recorded by at least one of:
when equipment configuration sent by the Portal server is received, a first authentication template identifier carried by the equipment configuration is stored in a designated field of a Network Access Server (NAS) identifier of the AC;
when receiving a service template configuration sent by the Portal server, recording the correspondence between a second authentication template identifier carried by the service template configuration and a service set identifier (SSID) carried by the service template configuration; and/or,
the authentication template identifier issued by the Portal server to the AP associated with the AC is recorded in the following manner:
recording the obtained correspondence between the NAS identifier of the AP associated with the AC and the AP identifier; the NAS identifier of the AP associated with the AC comprises an authentication template identifier issued to the AP by the Portal server.
9. The apparatus according to claim 7, wherein the searching unit is specifically configured to search, in the recorded correspondence between the second authentication template identifier and the SSID, for the second authentication template identifier corresponding to the SSID carried in the network access request packet; and searching NAS identification corresponding to the AP identification carried in the network access request message in the recorded corresponding relation between the AP identification and the NAS identification, if the searched NAS identification records an authentication template identification, taking the searched NAS identification as a target NAS identification, and if the searched NAS identification does not record the authentication template identification, taking the NAS identification of the AC as the target NAS identification; taking the searched second authentication template identification and the target NAS identification as the authentication template identification for authenticating the terminal;
the constructing unit is specifically configured to construct a URL redirected to the Portal server based on the target NAS identifier and the found second authentication template identifier.
10. An authentication apparatus applied to a Portal server, comprising:
the issuing unit is used for issuing the authentication template identifier carried by the issuing instruction to the AC or AP indicated by the issuing instruction after detecting the issuing instruction for issuing the authentication template identifier;
the authentication unit is used for receiving a login page request sent by a terminal, searching for an authentication template corresponding to an authentication template identifier carried in the login page request, and authenticating the terminal by using the found authentication template; wherein, after an Access Controller (AC) receives a network access request message sent by the terminal, the AC searches the recorded authentication template identifiers for an authentication template identifier for authenticating the terminal according to the SSID (service set identifier) and the AP (access point) identifier carried by the network access request, constructs a Uniform Resource Locator (URL) link for redirecting to the Portal server based on the found authentication template identifier, and returns the URL link to the terminal; and the terminal generates the login page request through the URL link;
the authentication template includes: authentication mode and page style returned in the authentication process.
11. The apparatus according to claim 10, wherein the issuing unit is specifically configured to, if an issuing instruction for issuing an authentication template identifier allocated to an AC or an AP is detected, add a first authentication template identifier carried by the issuing instruction to the device configuration of the AC or the AP indicated by the issuing instruction, and issue the device configuration to the AC or the AP indicated by the issuing instruction; if an issuing instruction for issuing the authentication template identifier allocated to the SSID on the AC is detected, adding a second authentication template identifier carried by the issuing instruction and the SSID corresponding to the second authentication template identifier into the service template configuration corresponding to the SSID, and issuing the service template configuration to the AC associated with the SSID.
12. The apparatus according to claim 10, wherein the authentication unit is specifically configured to, when the NAS identifier carried in the login page request includes an authentication template identifier, and the login page request carries a second authentication template identifier, and the authentication template identifier included in the NAS identifier is inconsistent with the second authentication template identifier, search for an authentication template corresponding to the second authentication template identifier; if the NAS identification carried by the login page request contains an authentication template identification, the login page request contains a second authentication template identification, and the authentication template identification contained in the NAS identification is consistent with the second authentication template identification, searching an authentication template corresponding to any one authentication template identification in the login page request; if the NAS identification carried by the login page request does not contain an authentication template identification and the login page request carries a second authentication template identification, searching an authentication template corresponding to the second authentication template identification; and if the NAS identification carried by the login page request contains an authentication template identification and the login page request does not carry a second authentication template identification, searching an authentication template corresponding to the authentication template identification contained by the NAS identification.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711376997.0A CN107995212B (en) 2017-12-19 2017-12-19 Authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711376997.0A CN107995212B (en) 2017-12-19 2017-12-19 Authentication method and device

Publications (2)

Publication Number Publication Date
CN107995212A CN107995212A (en) 2018-05-04
CN107995212B true CN107995212B (en) 2020-11-06

Family

ID=62037970

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711376997.0A Active CN107995212B (en) 2017-12-19 2017-12-19 Authentication method and device

Country Status (1)

Country Link
CN (1) CN107995212B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194695A (en) * 2018-10-31 2019-01-11 新华三技术有限公司 Gate verification method, system and computer readable storage medium
CN113438334B (en) * 2021-06-08 2023-02-28 新华三技术有限公司 Port PVID configuration method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101262500A (en) * 2008-04-23 2008-09-10 杭州华三通信技术有限公司 Method, access controller and WEB authentication server for pushing login page
CN101729590A (en) * 2008-10-15 2010-06-09 北大方正集团有限公司 Method, system and device for providing web page
CN102572826A (en) * 2010-12-30 2012-07-11 同方股份有限公司 Method and system for logging in wireless application protocol (WAP) website
CN102664935A (en) * 2012-04-06 2012-09-12 北京锐安科技有限公司 Method and system for associated output of WEB class user behavior and user information

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10262148B2 (en) * 2012-01-09 2019-04-16 Visa International Service Association Secure dynamic page content and layouts apparatuses, methods and systems

Also Published As

Publication number Publication date
CN107995212A (en) 2018-05-04

Similar Documents

Publication Publication Date Title
CN111131242B (en) Authority control method, device and system
US8549588B2 (en) Systems and methods for obtaining network access
US9391969B2 (en) Dynamic radius
CN104601590B (en) A kind of login method, server and mobile terminal
JP4173866B2 (en) Communication device
JP5784827B2 (en) Authentication system via two communication devices
CN105554098B (en) A kind of equipment configuration method, server and system
CN104104654A (en) Method and device for setting Wifi access authority and Wifi authentication
WO2018145605A1 (en) Authentication method and server, and access control device
CN101702717B (en) Method, system and equipment for authenticating Portal
CN104065616A (en) Single sign-on method and system
CN105659557A (en) Web-based interface integration for single sign-on
JP5276592B2 (en) System and method for gaining network access
JP2019139520A (en) Information processing system, control method thereof, and program
JP2007219935A (en) Distributed authentication system and distributed authentication method
CN105323253A (en) Identity verification method and device
CN101420416A (en) Identity management platform, service server, login system and federation method
EP1690189B1 (en) On demand session provisioning of ip flows
CN101711031A (en) Portal authenticating method during local forwarding and access controller (AC)
CN103179100A (en) Method and device for preventing the attack on a domain name system tunnel
KR20210095093A (en) Method for providing authentification service by using decentralized identity and server using the same
CN107995212B (en) Authentication method and device
CN107707560B (en) Authentication method, system, network access equipment and Portal server
KR102372503B1 (en) Method for providing authentification service by using decentralized identity and server using the same
US10542569B2 (en) Community-based communication network services

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant