CN109413649A - A kind of access authentication method and device - Google Patents


Info

Publication number: CN109413649A
Application number: CN201811314083.6A
Authority: CN (China)
Other versions: CN109413649B (granted publication)
Original language: Chinese (zh)
Inventor: 吴清根
Original assignee / current assignee: New H3C Technologies Co Ltd
Related application: PCT/CN2019/115908 (published as WO2020094039A1)
Legal status: Granted, active (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: wireless client, table entry, address, access, packet

Classifications

    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network security architectures or protocols for authentication of entities
    • H04L 63/0876 Authentication of entities based on the identity or configuration of the terminal, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention provides an access authentication method. When an AC receives an access request packet from a wireless client that is attaching to it for the first time, it creates a temporary entry for the client containing the first IP address carried in the packet and the client's MAC address. It then obtains the client's user information from the Portal server by MAC address, obtains the client's access information locally by the first IP address and MAC address, and sends both to the authentication server for authentication. Once authentication passes, the AC admits the client and processes the access request packet. A client in a large WLAN can therefore move across ACs without requesting a new IP address and rejoin the network quickly, which improves the wireless access experience.

Description

Access authentication method and device
Technical field
The present invention relates to communication technology, and in particular to an access authentication method and device.
Background technique
As smart mobile wireless clients have become widespread, users expect more from mobile access. Today a WLAN (Wireless LAN) can let an authenticated wireless client roam within one ESS (Extended Service Set) without releasing the IP address it has already obtained; the client keeps using its original IP address for data communication, which shortens the traffic interruption caused by the radio link handoff.
In a larger WLAN, however, clients increasingly need to roam between wireless services provided by different AC (Access Controller) devices. Because a client that switches quickly within an ESS does not request a new IP address, the AC it switches to cannot, for a short period, learn the client's existing IP address or its access information, and so cannot complete the authentication exchange with the authentication server. Portal authentication therefore cannot be finished promptly after the AC switch; only when the client notices that its existing IP address no longer works does it re-attach to obtain a new address. The user has no network access during that interval, which seriously degrades the access experience.
Summary of the invention
In view of this, the present invention provides an access authentication method and device to solve the problem that a client moving across ACs cannot access the network with its existing IP address.
Specifically, the present invention is achieved through the following technical solutions:
The present invention provides an access authentication method applied to an AC. The method comprises:
when receiving an access request packet sent by a wireless client attaching for the first time, creating a temporary entry for the wireless client, the temporary entry including the first IP address of the wireless client carried in the access request packet and the MAC address of the wireless client;
obtaining the user information of the wireless client from a Portal server according to the MAC address, and obtaining the access information of the wireless client locally according to the first IP address and the MAC address;
sending the user information and the access information to an authentication server for authentication;
if a notification that the wireless client has passed authentication is received from the authentication server, admitting the wireless client and processing the access request packet.
In one embodiment, after the wireless client is admitted, the method further includes:
when an ARP packet or DHCP packet sent by the wireless client is snooped, judging whether the first IP address in the temporary entry is the same as the second IP address carried in that ARP or DHCP packet; if they are the same, converting the temporary entry into a formal entry; if they differ, deleting the temporary entry so that the wireless client is triggered to come online again;
when no ARP packet or DHCP packet from the wireless client is snooped, deleting the temporary entry so that the wireless client is triggered to come online again.
In one embodiment, after the temporary entry for the wireless client is created, the method further includes:
starting a temporary-entry verification timer;
if the timer expires and no ARP packet or DHCP packet has been snooped from the wireless client since it was admitted, deleting the temporary entry, triggering the client to come online again, and cancelling the timer;
if the first IP address in the temporary entry is the same as the second IP address, cancelling the timer.
Based on the same design, the present invention also provides an access authentication device applied to an AC. The device comprises:
an entry creation unit, for creating, when an access request packet sent by a wireless client attaching for the first time is received, a temporary entry for the wireless client, the temporary entry including the first IP address of the wireless client carried in the access request packet and the MAC address of the wireless client;
an information acquisition unit, for obtaining the user information of the wireless client from a Portal server according to the MAC address, and obtaining the access information of the wireless client locally according to the first IP address and the MAC address;
an information sending unit, for sending the user information and the access information to an authentication server for authentication;
a packet processing unit, for admitting the wireless client and processing the access request packet if a notification that the wireless client has passed authentication is received from the authentication server.
In one embodiment, the device further includes:
a snooping unit, for judging, after the wireless client is admitted and when an ARP packet or DHCP packet sent by the wireless client is snooped, whether the first IP address in the temporary entry is the same as the second IP address carried in that ARP or DHCP packet; if they are the same, converting the temporary entry into a formal entry; if they differ, deleting the temporary entry to trigger the wireless client to come online again; and when no ARP packet or DHCP packet from the wireless client is snooped, deleting the temporary entry to trigger the wireless client to come online again.
In one embodiment, the device further includes:
a verification unit, for starting a temporary-entry verification timer after the temporary entry for the wireless client is created; if the timer expires and no ARP packet or DHCP packet has been snooped from the wireless client since it was admitted, deleting the temporary entry, triggering the client to come online again, and cancelling the timer; and if the first IP address in the temporary entry is the same as the second IP address, cancelling the timer.
Based on the same design, the present invention also provides a network device comprising a memory, a processor, a communication interface and a communication bus;
wherein the memory, the processor and the communication interface communicate with one another over the communication bus;
the memory is for storing a computer program;
the processor is for executing the computer program stored in the memory, and implements any step of the access authentication method above when executing the program.
Based on the same design, the present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any step of the access authentication method above.
It can be seen that the present invention lets an AC, on receiving an access request packet from a wireless client attaching for the first time, create a temporary entry for the client containing the first IP address carried in the packet and the client's MAC address, then obtain the client's user information from the Portal server by MAC address and its access information locally by the first IP address and MAC address, send both to the authentication server, and, once authentication passes, admit the client and process the access request packet. In a large WLAN the client's IP address therefore does not change when it moves across ACs, which greatly improves the wireless access experience.
Detailed description of the invention
Fig. 1 is a networking diagram of a client moving across ACs in an exemplary embodiment of the present invention;
Fig. 2 is a flowchart of an access authentication method in an exemplary embodiment of the present invention;
Fig. 3 is an interaction diagram of access authentication in an exemplary embodiment of the present invention;
Fig. 4 is a logical block diagram of an access authentication device in an exemplary embodiment of the present invention;
Fig. 5 is a structural diagram of a network device in an exemplary embodiment of the present invention.
Specific embodiment
Exemplary embodiments are described in detail here and illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless stated otherwise. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is for describing particular embodiments only and is not intended to limit the application. The singular forms "a", "the" and "said" used in this application and the appended claims are intended to include the plural unless the context clearly indicates otherwise. The term "and/or" as used herein refers to and includes any or all combinations of one or more of the associated listed items.
Although the terms first, second, third and so on may be used in this application to describe various information, the information should not be limited by these terms, which serve only to distinguish information of the same type. For example, without departing from the scope of the application, first information may also be called second information, and likewise second information may be called first information. Depending on context, the word "if" as used here may be read as "when", "upon" or "in response to determining".
In a larger WLAN the need for a wireless client to move between wireless services provided by different ACs is increasingly apparent. As shown in Fig. 1, the wireless client first accesses the network through AC1, which manages AP1; when it moves from AP1 to AP2 it must access the network through AC2, which manages AP2. Because the prior art supports fast switching within an ESS without re-requesting an IP address, the client keeps using the old IP address it used on AC1 after moving to AC2. AC2 has not learned the mapping between that client's IP address and MAC address, so when it receives an access request packet carrying the old IP address it discards the packet, and it cannot complete the authentication exchange with the authentication server (AAA Server). Portal authentication therefore cannot be finished promptly after the AC switch; the client re-attaches to obtain a new IP address only once it notices that the existing address no longer works, which greatly degrades the user's access experience.
One existing solution is for the ACs to establish private tunnels between every pair in advance and to distribute the IP-to-MAC mappings learned through ARP or DHCP to every AC, so that a client switching quickly between ACs can continue to authenticate with the synchronized mapping. This requires a tunnel between every pair of ACs, and as the network grows the full mesh becomes excessively complex. Every AC must also hold the IP/MAC mappings of all wireless clients in the whole network, so the synchronization volume is large, ageing has to be handled as well, and the load easily impacts the network and the devices. The approach is therefore not very practical.
To solve the problems of the prior art, the present invention provides an access authentication method and device. When an AC receives an access request packet from a wireless client attaching for the first time, it creates a temporary entry for the client containing the first IP address carried in the packet and the client's MAC address, obtains the client's user information from the Portal server by MAC address, obtains the client's access information locally by the first IP address and MAC address, and sends both to the authentication server for authentication; once authentication passes, it admits the client and processes the access request packet. A client in a large WLAN can therefore move across ACs without requesting a new IP address and rejoin the network quickly, which greatly improves the wireless access experience.
Referring to Fig. 2, which is a flowchart of an access authentication method in an exemplary embodiment of the present invention, the method is applied to an AC and comprises:
Step 201: when an access request packet sent by a wireless client attaching for the first time is received, create a temporary entry for the wireless client, the temporary entry including the first IP address of the wireless client carried in the access request packet and the MAC address of the wireless client;
In this embodiment, after the wireless client moves across ACs and attaches to the new AC for the first time, it still sends its access request packet using the first IP address it was using on the old AC. When the AC receives an access request packet from a client attaching for the first time, it can obtain the client's first IP address and MAC address from the packet and create a temporary entry containing both.
Note that when the client sends an access request packet after moving, the AP can tell whether the client is attaching for the first time. If it is not, the AP already holds a forwarding entry for the client and forwards the packet directly without sending it up to the AC. If it is, the AP has no forwarding entry and must send the packet up to the AC for processing. Every access request packet handed to the AC can therefore be taken to come from a client attaching to that AC for the first time. For brevity this embodiment omits the AP's part and simply speaks of the AC receiving the access request packet sent by a first-time client.
Step 202: obtain the user information of the wireless client from the Portal server according to the MAC address, and obtain the access information of the wireless client locally according to the first IP address and the MAC address;
In one embodiment, after creating the temporary entry the AC must further determine whether the client's identity is legitimate, so it performs a user-transparent ("unaware") exchange with the Portal server over a secure channel, requiring no action by the user. Specifically, the AC sends the Portal server a request carrying the client's MAC address. The Portal server looks up the corresponding user information, including username and password, by that MAC address. If it is found, the client's identity is legitimate and the user information is returned to the AC; if not, the identity is illegitimate and the AC redirects the client to the Portal server for authentication. After obtaining the user information from the Portal server, the AC uses the client's MAC address and first IP address to obtain the client's access information locally.
Step 203: send the user information and the access information to the authentication server for authentication;
In this embodiment the AC sends the client's user information and access information to the authentication server. If the received user information and access information match what the authentication server holds locally, the client is considered authenticated and the server sends an authentication-passed notification to the AC; if they differ, authentication fails and the server sends an authentication-failure notification to the AC.
Step 204: if a notification that the wireless client has passed authentication is received from the authentication server, admit the wireless client and process the access request packet.
If the AC receives an authentication-passed notification from the authentication server, it admits the wireless client and processes the access request packet. In practice the AC notifies the AP that the client may access the network and forwards the access request packet; this embodiment omits the AP's part and simply speaks of admitting the client and processing the packet.
If an authentication-failure notification is received, the AC deletes the temporary entry and redirects the wireless client to authenticate. Optionally, where security requirements are higher, the AC can also notify the Portal server that the client has passed authentication once it receives the authentication-passed notification, completing the Portal authentication flow. If the Portal server does not receive such a notification from the AC within a certain time, it treats the client as not authenticated and can log the client off, avoiding a security risk.
In the prior art, when an AC receives an access request packet carrying the first IP address from a client attaching for the first time, it usually discards the packet because it has no local record of that IP address, and the client cannot access the network. The AC of the present invention instead records the mapping between the packet's first IP address and the MAC address and, once it has confirmed that the client has indeed passed authentication, admits the client and processes the packet. The process needs no user action, so to the user the authentication is transparent, and because the exchange is fast the client does not suffer the network outage of up to a minute seen in the prior art.
To prevent a wireless client from authenticating with a counterfeit IP address, or with an address whose authentication has expired, the present invention adds an identity verification step that keeps unauthorized users off the network. In one embodiment, after admitting the wireless client the AC snoops the ARP packets or DHCP packets the client sends and judges whether the first IP address in the client's temporary entry is the same as the second IP address carried in the ARP or DHCP packet. If they are the same, the client is a legitimate user and the temporary entry is converted into a formal entry. If they differ, the client is treated as an illegitimate user: its temporary entry is deleted and the client is triggered to come online again. If no ARP or DHCP packet from the client is snooped at all, the client is likewise treated as illegitimate, its temporary entry is deleted and it is triggered to come online again. Note that the AC snoops the client's ARP or DHCP packets through the APs it manages: when an AP receives such a packet it sends it up to the AC, which extracts the client's second IP address from it. For brevity this embodiment omits the AP's part and simply speaks of the AC snooping the ARP or DHCP packet sent by the client.
In addition, to make the verification more complete, in one embodiment the AC starts a temporary-entry verification timer after creating the temporary entry; the timer length can be set as required. If the timer expires and no ARP or DHCP packet has been snooped from the client since it was admitted, the client is treated as illegitimate, its temporary entry is deleted and it is triggered to come online again. If the first IP address in the temporary entry is the same as the second IP address, the client is legitimate, the temporary entry is converted into a formal entry and the timer is cancelled at the same time.
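The verification step above depends on pulling the client's claimed address out of the snooped packet, which the patent does not spell out. The following is an added example, not code from the patent or from H3C, showing where that address lives: the sender protocol address of an ARP message, and for DHCP either option 50 (Requested IP Address, used by a client in INIT-REBOOT state, which is the common case after roaming) or ciaddr (a renewing client). Both parsers also return the MAC so the AC can match the packet to the right temporary entry; the patent's comparison itself is on the IP address only, which `verify_temporary_entry` reproduces. The client MAC, the addresses and the two sample packets are constructed for the example.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Constructed client identity used by the sample packets below (not from the patent).
CLIENT_MAC = bytes.fromhex("0a1b2c3d4e5f")
CLIENT_IP = bytes([10, 1, 1, 23])


def parse_arp(payload: bytes) -> Tuple[str, str]:
    """Return (sender MAC, sender protocol address) from an Ethernet/IPv4 ARP payload.

    Layout (RFC 826): htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4).
    The sender fields are the ones a client fills with its own MAC and IP, whether it is
    resolving the gateway or announcing itself with a gratuitous ARP.
    """
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return payload[8:14].hex(":"), str(IPv4Address(payload[14:18]))


DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_FIXED_LEN = 236  # fixed BOOTP header that precedes the magic cookie


def parse_dhcp(payload: bytes) -> Tuple[str, Optional[str]]:
    """Return (chaddr, claimed IP) from a DHCP client message (RFC 2131).

    Option 50 wins when present, otherwise a non-zero ciaddr; None means the message
    claims no address at all (for example a DHCPDISCOVER).
    """
    if len(payload) < DHCP_FIXED_LEN + 4 or payload[DHCP_FIXED_LEN:DHCP_FIXED_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    if (payload[0], payload[1], payload[2]) != (1, 1, 6):
        raise ValueError("not a BOOTREQUEST from an Ethernet client")
    ciaddr = payload[12:16]
    chaddr = payload[28:34]
    requested = None
    i = DHCP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 2 > len(payload):
            raise ValueError("truncated DHCP option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option")
        if code == 50 and length == 4:
            requested = value
        i += 2 + length
    ip = requested if requested is not None else (ciaddr if ciaddr != b"\x00" * 4 else None)
    return chaddr.hex(":"), (str(IPv4Address(ip)) if ip is not None else None)


def verify_temporary_entry(entry: Tuple[str, str], observed_mac: str, observed_ip: Optional[str]) -> str:
    """Apply the patent's check to a temporary entry (first_ip, mac) and one snooped packet.

    'promote': same MAC, same IP, the entry becomes a formal entry
    'delete' : same MAC, different IP, the entry is removed and the client must re-attach
    'ignore' : packet from another MAC, or one that claims no address; the timer keeps running
    """
    first_ip, mac = entry
    if observed_mac != mac or observed_ip is None:
        return "ignore"
    return "promote" if observed_ip == first_ip else "delete"


def sample_arp(sender_ip: bytes = CLIENT_IP) -> bytes:
    """Constructed ARP request from the client for the gateway 10.1.1.1."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + CLIENT_MAC + sender_ip
            + b"\x00" * 6 + bytes([10, 1, 1, 1]))


def sample_dhcp_request(requested_ip: bytes = CLIENT_IP, with_option50: bool = True) -> bytes:
    """Constructed DHCPREQUEST in INIT-REBOOT state: ciaddr is zero, option 50 carries the address."""
    header = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 4    # op, htype, hlen, hops, xid, secs, flags
    header += b"\x00" * 16                                               # ciaddr, yiaddr, siaddr, giaddr
    header += CLIENT_MAC + b"\x00" * 10 + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    options = bytes([53, 1, 3])                                          # message type: DHCPREQUEST
    if with_option50:
        options += bytes([50, 4]) + requested_ip
    return header + DHCP_MAGIC + options + bytes([255])
```

A client that sends only a DHCPDISCOVER, or an ARP packet from some other MAC, yields "ignore": the entry stays temporary and only the timer in the text above can remove it, which is why the timer matters as much as the comparison.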
In summary, the present invention intercepts the access request packet a wireless client sends after attaching to a new AC, builds a temporary entry from the client's IP address and MAC address, and combines it with user-transparent Portal authentication to complete a fast switch between ACs and shorten the traffic interruption. It then verifies the temporary IP/MAC entry to prevent interference from IP address conflicts or invalid IP addresses, improving network security.
To make the objectives, technical solutions and advantages of the present invention clearer, the scheme is described in further detail with reference to Fig. 1 and Fig. 3.
Fig. 3 shows the access authentication interaction in an embodiment of the present invention. It covers both the interaction in which the wireless client (Client) first accesses the network through AC1 and the interaction in which it accesses the network after moving to AC2. The initial access through AC1 follows the standard Portal authentication flow and is not repeated here. The access authentication after the client moves to AC2 proceeds as follows:
Step 301: the wireless client moves into the radio service area provided by AC2 and establishes a radio link with AP2, which AC2 manages, through Authentication and Association;
Step 302: the wireless client does not request a new IP address; it sends an access request packet, for example an HTTP packet, to AC2 using its old IP address (the one it used to access the network on AC1) and continues data communication;
Step 303: AC2 intercepts the access request packet, for example the HTTP packet, that the client sent with the old IP address, creates a temporary entry from the client's old IP address and MAC address, and starts the verification timer;
Step 304: AC2 sends the client's old IP address and MAC address to the Portal server (Portal Server) in a user-transparent authentication request, triggering unaware authentication;
Step 305: the Portal server sends AC2, over the secure channel, the stored user information corresponding to that MAC address, including username and password;
Step 306: AC2 performs access authentication with the AAA server (AAA Server), carrying the user information received from the Portal server and the access information it obtained locally by the old IP address and MAC address;
Step 307: after AC2 receives the authentication response from the AAA server, it admits the wireless client to the network, processes the HTTP packet, and forwards the authentication response to the Portal server;
Step 308: the wireless client continues data communication after accessing the network;
Step 309: AC2 periodically performs accounting with the AAA server;
Step 310: AC2 learns the client's real IP address by snooping the client's ARP or DHCP packets and checks whether it matches the old IP address in the temporary entry; if it matches, AC2 cancels the verification timer; if not, AC2 logs the client off, deletes the temporary entry and triggers the client to come online again;
Step 311: if the timer expires before the client's real IP address has been learned from an ARP or DHCP packet, AC2 logs the client off, deletes the temporary entry and triggers the client to come online again.
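The following is an added model of the AC-side decisions in Steps 201 to 204 and Steps 303 to 311, written for this page rather than taken from the patent or from H3C. The Portal server, the AC's local access information and the AAA server are replaced by a dictionary, a dictionary and a callable, all constructed for the example; the 30-second timer length and the rule that a missing local access record is treated as an authentication failure are assumptions, since the patent leaves both to the implementation. The ARP/DHCP snooping itself is not repeated here: `on_client_ip_observed` takes the MAC and IP already extracted from the snooped packet.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Verification timer length. The patent leaves it to deployment; 30 s is an assumed value.
VERIFY_TIMEOUT = 30.0


@dataclass
class ClientEntry:
    ip: str            # "first IP address": the one carried in the first access request
    mac: str
    created: float     # when the temporary entry was created and its timer started
    formal: bool = False


@dataclass
class AccessController:
    """Minimal model of the AC in Fig. 2 / Fig. 3. The collaborators are stand-ins:
    portal      : MAC -> user info, what the Portal server returns on the user-transparent lookup
    access_info : (ip, mac) -> access information the AC holds locally
    aaa         : callable(user_info, access_info) -> bool, the AAA server's verdict
    """
    portal: Dict[str, dict]
    access_info: Dict[Tuple[str, str], dict]
    aaa: Callable[[dict, dict], bool]
    entries: Dict[str, ClientEntry] = field(default_factory=dict)
    portal_notified: List[str] = field(default_factory=list)

    def on_access_request(self, mac: str, ip: str, now: float) -> str:
        """Steps 201-204 (Fig. 3 steps 303-307) for a packet the AP sent up to the AC."""
        if mac in self.entries:                         # client already admitted: just forward
            return "forward"
        entry = ClientEntry(ip=ip, mac=mac, created=now)    # temporary entry; timer starts now
        user = self.portal.get(mac)
        if user is None:                                # unknown MAC: no prior Portal login
            return "redirect-to-portal"                 # temporary entry is discarded
        info = self.access_info.get((ip, mac))
        # Missing local access record is treated like an AAA failure (assumption, see lead-in).
        if info is None or not self.aaa(user, info):
            return "redirect-to-portal"
        self.entries[mac] = entry
        self.portal_notified.append(mac)                # optional: tell Portal the client passed
        return "forward"

    def on_client_ip_observed(self, mac: str, ip: str) -> str:
        """Step 310: compare the IP in the client's ARP/DHCP packet with its temporary entry."""
        entry = self.entries.get(mac)
        if entry is None:
            return "ignore"
        if entry.formal:
            return "already-formal"
        if ip == entry.ip:
            entry.formal = True                         # timer is cancelled with the temporary state
            return "promoted"
        del self.entries[mac]                           # forged or stale address: force re-attach
        return "deleted"

    def tick(self, now: float) -> List[str]:
        """Step 311: expire temporary entries whose client never sent ARP/DHCP in time."""
        expired = [m for m, e in self.entries.items()
                   if not e.formal and now - e.created >= VERIFY_TIMEOUT]
        for m in expired:
            del self.entries[m]
        return expired


def build_demo_ac() -> AccessController:
    """Constructed sample data: one user known to the Portal server, one valid access record."""
    portal = {"0a:1b:2c:3d:4e:5f": {"username": "alice", "password": "s3cret"}}
    access_info = {("10.1.1.23", "0a:1b:2c:3d:4e:5f"): {"ssid": "corp", "vlan": 10}}

    def aaa(user: dict, info: dict) -> bool:
        # Stand-in AAA policy: credentials must match and the SSID must be one the user may join.
        return (user["username"], user["password"]) == ("alice", "s3cret") and info["ssid"] == "corp"

    return AccessController(portal=portal, access_info=access_info, aaa=aaa)


if __name__ == "__main__":
    ac = build_demo_ac()
    print(ac.on_access_request("0a:1b:2c:3d:4e:5f", "10.1.1.23", now=0.0))
    print(ac.on_client_ip_observed("0a:1b:2c:3d:4e:5f", "10.1.1.23"))
    print(ac.tick(now=VERIFY_TIMEOUT))
```

Two points the model makes visible: the client is forwarding traffic between `on_access_request` returning "forward" and the later "promoted" or "deleted", so the window in which a wrong address is usable is bounded only by how soon the client speaks ARP/DHCP or by `VERIFY_TIMEOUT`; and a temporary entry is keyed by MAC, so the later comparison can only catch an address mismatch for the MAC the AC already admitted.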
Referring to FIG. 4, being a kind of one of illustrative embodiments of present invention access authentication device 400, the device 400 Applied to AC, from logic level, the logical construction of the device 400 includes:
List item creating unit 401, for creating when receiving the access request message that the wireless client accessed for the first time is sent The interim list item of the wireless client is built, the interim list item includes the wireless visitor carried in the access request message First IP address at family end and the MAC Address of the wireless client;
Information acquisition unit 402, for obtaining the wireless client from Portal server according to the MAC Address User information, and according to first IP address and the MAC Address from the local access information for obtaining the wireless client;
Information transmitting unit 403 is carried out for the user information and the access information to be sent to certificate server Certification;
Message process unit 404, if for receiving passing through for the wireless client authentication for certificate server transmission Notice, then allow the wireless client access and handle the access request message.
As one embodiment, described device further include:
Unit 405 is listened to, for being sent after allowing the wireless client access when listening to the wireless client ARP message perhaps DHCP message when judge the first IP address in the interim list item and the ARP message or DHCP report Whether the second IP address carried in text is identical, if they are the same, then the interim list item is changed to formal list item;If it is different, then deleting Except the interim list item, it is again online to trigger the wireless client;It is reported when not listening to the ARP that the wireless client is sent When text or DHCP message, the interim list item is deleted, it is again online to trigger the wireless client.
As one embodiment, described device further include:
Verification unit 406, it is fixed for after the interim list item for creating the wireless client, starting interim list item verification When;If verification time-out does not listen to the ARP message or DHCP message that the wireless client is sent after being allowed access to also, The interim list item is then deleted, it is again online to trigger the client, deletes the verification periodically;If in the interim list item First IP address is identical with second IP address, then deletes the verification timing.
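The temporary-entry lifecycle described in steps 304 to 311 and again in units 401 to 406 above, as an added simulation that is not the patent's or the applicant's own code: the Portal server lookup, the AAA decision, the verification timer and the MAC/IP values are all stand-ins constructed for this example, and dropping the entry when authentication fails is an assumption, since the text only describes the success path.

```python
"""Added example, not the patent's or H3C's code: a simulation of the AC-side
temporary-entry lifecycle from steps 304-311 / units 401-406. The Portal server,
AAA server and timer are stand-ins constructed here."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class State(Enum):
    TEMP = "temporary"   # created on the first access request, not yet verified
    FORMAL = "formal"    # an ARP/DHCP message confirmed the IP in the entry
    DELETED = "deleted"  # IP mismatch: entry removed, client must come online again

@dataclass
class Entry:
    mac: str
    ip: str                                 # first IP address, from the access request
    state: State = State.TEMP
    timer_deadline: Optional[float] = None  # verification timer; None once deleted

@dataclass
class AccessController:
    """Hypothetical AC: entries keyed by client MAC, plus the re-online triggers it raised."""
    portal_users: dict            # MAC -> user info held by the Portal server (unit 402)
    aaa_accepts: set              # usernames the AAA server authenticates (units 403/404)
    verify_timeout: float = 30.0  # seconds an unverified temporary entry may live
    entries: dict = field(default_factory=dict)
    reonline_events: list = field(default_factory=list)

    def on_access_request(self, mac: str, ip: str, now: float) -> bool:
        """Steps 304-307: first access request from a roamed client. True = access allowed."""
        if mac in self.entries:   # already admitted on this AC (temporary or formal entry)
            return True
        # Unit 401 creates the temporary entry; unit 406 starts its verification timer.
        entry = Entry(mac, ip, timer_deadline=now + self.verify_timeout)
        user = self.portal_users.get(mac)   # MAC-based ("unaware") Portal lookup
        # The text only describes the success path; dropping the entry on an
        # authentication failure is an assumption of this example.
        if user is None or user["username"] not in self.aaa_accepts:
            return False
        self.entries[mac] = entry
        return True

    def on_arp_or_dhcp(self, mac: str, real_ip: str) -> Optional[State]:
        """Step 310 / unit 405: compare the learned real IP with the temporary entry."""
        entry = self.entries.get(mac)
        if entry is None:
            return None
        if entry.state is State.TEMP:
            if real_ip == entry.ip:
                entry.state = State.FORMAL   # temporary entry becomes formal
                entry.timer_deadline = None  # verification timer deleted
            else:
                self._evict(mac)  # conflicting or stale IP: client starts over
                return State.DELETED
        return entry.state

    def tick(self, now: float) -> None:
        """Step 311 / unit 406: expire temporary entries never confirmed by ARP/DHCP."""
        expired = [m for m, e in self.entries.items() if e.state is State.TEMP
                   and e.timer_deadline is not None and now >= e.timer_deadline]
        for mac in expired:
            self._evict(mac)

    def _evict(self, mac: str) -> None:
        del self.entries[mac]
        self.reonline_events.append(mac)  # trigger the client to come online again
```

Driving the three paths (match, mismatch, timeout) with constructed MAC and IP values shows that only an entry confirmed by ARP/DHCP survives as a formal entry, which is the check that keeps a stale or conflicting address from being carried over.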
Based on the same conception, the present invention also provides a network device. As shown in FIG. 5, the network device includes a memory 51, a processor 52, a communication interface 53 and a communication bus 54, wherein the memory 51, the processor 52 and the communication interface 53 communicate with one another via the communication bus 54;
The memory 51 is configured to store a computer program;
The processor 52 is configured to execute the computer program stored in the memory 51, and when executing the computer program the processor 52 implements any step of the access authentication method provided by the embodiments of the present disclosure.
The present invention also provides a computer-readable storage medium in which a computer program is stored; when the computer program is executed by a processor, any step of the access authentication method provided by the embodiments of the present disclosure is implemented.
Each embodiment in this specification is described in a progressive manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, for the network device and computer-readable storage medium embodiments, since they are substantially similar to the method embodiment, the description is relatively brief, and the relevant parts may refer to the partial explanation of the method embodiment.
In summary, the present invention enables an AC, when receiving the access request message sent by a wireless client accessing for the first time, to create a temporary entry for the wireless client, the temporary entry including the first IP address of the wireless client carried in the access request message and the MAC address of the wireless client; then to obtain the user information of the wireless client from the Portal server according to the MAC address, and to obtain the access information of the wireless client locally according to the first IP address and the MAC address; to send the user information and the access information to the authentication server for authentication; and, after the authentication passes, to allow the wireless client to access and to process the access request message. Therefore, in a large-scale WLAN network, the present invention allows a client moving across ACs to access the network quickly without applying for an IP address again, which greatly improves the access experience of the wireless client.
The implementation process of the functions and effects of each unit in the above device is described in detail in the implementation process of the corresponding steps of the above method, and is not repeated here.
As for the device embodiment, since it substantially corresponds to the method embodiment, the relevant parts may refer to the partial description of the method embodiment. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (8)

1. An access authentication method, characterized in that the method is applied to an access controller (AC) and comprises:
when receiving an access request message sent by a wireless client accessing for the first time, creating a temporary entry for the wireless client, the temporary entry comprising a first IP address of the wireless client carried in the access request message and a MAC address of the wireless client;
obtaining user information of the wireless client from a Portal server according to the MAC address, and obtaining access information of the wireless client locally according to the first IP address and the MAC address;
sending the user information and the access information to an authentication server for authentication;
if a notification that the wireless client has passed authentication is received from the authentication server, allowing the wireless client to access and processing the access request message.
2. The method according to claim 1, characterized in that, after allowing the wireless client to access, the method further comprises:
when an ARP message or DHCP message sent by the wireless client is listened to, judging whether the first IP address in the temporary entry is identical to a second IP address carried in the ARP message or DHCP message; if identical, changing the temporary entry into a formal entry; if different, deleting the temporary entry and triggering the wireless client to come online again;
when no ARP message or DHCP message sent by the wireless client is listened to, deleting the temporary entry and triggering the wireless client to come online again.
3. The method according to claim 1, characterized in that, after creating the temporary entry for the wireless client, the method further comprises:
starting a temporary-entry verification timer;
if the verification times out and no ARP message or DHCP message sent by the wireless client has been listened to after the client was allowed to access, deleting the temporary entry, triggering the client to come online again, and deleting the verification timer;
if the first IP address in the temporary entry is identical to the second IP address, deleting the verification timer.
4. An access authentication device, characterized in that the device is applied to an access controller (AC) and comprises:
an entry creating unit, configured to create a temporary entry for a wireless client when receiving an access request message sent by the wireless client accessing for the first time, the temporary entry comprising a first IP address of the wireless client carried in the access request message and a MAC address of the wireless client;
an information acquisition unit, configured to obtain user information of the wireless client from a Portal server according to the MAC address, and to obtain access information of the wireless client locally according to the first IP address and the MAC address;
an information transmitting unit, configured to send the user information and the access information to an authentication server for authentication;
a message processing unit, configured to allow the wireless client to access and to process the access request message if a notification that the wireless client has passed authentication is received from the authentication server.
5. The device according to claim 4, characterized in that the device further comprises:
a listening unit, configured to, after the wireless client has been allowed to access, judge, when an ARP message or DHCP message sent by the wireless client is listened to, whether the first IP address in the temporary entry is identical to a second IP address carried in the ARP message or DHCP message; if identical, change the temporary entry into a formal entry; if different, delete the temporary entry and trigger the wireless client to come online again; and when no ARP message or DHCP message sent by the wireless client is listened to, delete the temporary entry and trigger the wireless client to come online again.
6. The device according to claim 5, characterized in that the device further comprises:
a verification unit, configured to start a temporary-entry verification timer after the temporary entry of the wireless client is created; if the verification times out and no ARP message or DHCP message sent by the wireless client has been listened to after the client was allowed to access, delete the temporary entry, trigger the client to come online again, and delete the verification timer; and if the first IP address in the temporary entry is identical to the second IP address, delete the verification timer.
7. A network device, characterized in that the network device comprises a memory, a processor, a communication interface and a communication bus;
wherein the memory, the processor and the communication interface communicate with one another via the communication bus;
the memory is configured to store a computer program;
the processor is configured to execute the computer program stored in the memory, and when executing the computer program the processor 72 implements the steps of the method according to any one of claims 1 to 3.
8. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 3 are implemented.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811314083.6A CN109413649B (en) 2018-11-06 2018-11-06 Access authentication method and device
PCT/CN2019/115908 WO2020094039A1 (en) 2018-11-06 2019-11-06 Access authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811314083.6A CN109413649B (en) 2018-11-06 2018-11-06 Access authentication method and device

Publications (2)

Publication Number Publication Date
CN109413649A true CN109413649A (en) 2019-03-01
CN109413649B CN109413649B (en) 2020-10-02

Family

ID=65471888

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811314083.6A Active CN109413649B (en) 2018-11-06 2018-11-06 Access authentication method and device

Country Status (2)

Country Link
CN (1) CN109413649B (en)
WO (1) WO2020094039A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114302393A (en) * 2021-11-17 2022-04-08 锐捷网络股份有限公司 Communication control method, device, equipment and system based on authentication

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101711031A (en) * 2009-12-23 2010-05-19 杭州华三通信技术有限公司 Portal authenticating method during local forwarding and access controller (AC)
CN102238543A (en) * 2010-04-27 2011-11-09 杭州华三通信技术有限公司 Wireless Portal authentication method and access controller
CN102368857A (en) * 2011-11-03 2012-03-07 广州杰赛科技股份有限公司 Switching method in wireless Mesh network domain
CN104104516A (en) * 2014-07-30 2014-10-15 杭州华三通信技术有限公司 Portal authentication method and device
US20150089594A1 (en) * 2013-09-24 2015-03-26 Alcatel-Lucent Canada, Inc. Residential gateway based policy
CN107370741A (en) * 2017-07-31 2017-11-21 安徽四创电子股份有限公司 A kind of across AC unaware authentication method based on PORTAL agreements

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413649B (en) * 2018-11-06 2020-10-02 新华三技术有限公司 Access authentication method and device

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020094039A1 (en) * 2018-11-06 2020-05-14 新华三技术有限公司 Access authentication
CN113453218A (en) * 2021-05-24 2021-09-28 新华三技术有限公司成都分公司 Table item processing method and device
CN113453218B (en) * 2021-05-24 2023-12-26 新华三技术有限公司成都分公司 Table entry processing method and apparatus
CN114244695A (en) * 2021-12-31 2022-03-25 普联技术有限公司 Terminal online configuration method and device for isolated network and network management system
CN114244695B (en) * 2021-12-31 2024-03-19 普联技术有限公司 Terminal online configuration method and device of isolated network and network management system
CN114531414A (en) * 2022-01-07 2022-05-24 锐捷网络股份有限公司 Terminal migration acceleration method and device
CN114390527A (en) * 2022-02-21 2022-04-22 北京至周科技有限公司 Method for wireless visitor non-perception authentication
CN114500175A (en) * 2022-02-21 2022-05-13 北京至周科技有限公司 Communication method for reversely dividing home VLAN based on IP address of user equipment
CN114500175B (en) * 2022-02-21 2022-09-16 北京至周科技有限公司 Communication method for reversely dividing home VLAN based on IP address of user equipment

Also Published As

Publication number Publication date
CN109413649B (en) 2020-10-02
WO2020094039A1 (en) 2020-05-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant