CN112422490B - Method and system for authenticating user equipment based on local cache - Google Patents


Info

Publication number
CN112422490B
Authority
CN
China
Prior art keywords
authentication
user equipment
local
area
information
Legal status
Active
Application number
CN202010296973.XA
Other languages
Chinese (zh)
Other versions
CN112422490A (en)
Inventor
吴键铭
Current Assignee
Lingbo Technology Beijing Co ltd
Original Assignee
Lingbo Technology Beijing Co ltd
Application filed by Lingbo Technology Beijing Co ltd
Priority to CN202010296973.XA
Publication of CN112422490A
Application granted
Publication of CN112422490B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a method and a system for authenticating user equipment based on local cache, wherein the method comprises the following steps: receiving a local authentication request for authenticating user equipment; comparing the device identifier of the user equipment with the identifier information of each invalid request item in the local cache to determine whether a matched invalid request item exists; when the matched invalid request item does not exist, comparing the equipment identification of the user equipment with the identification information of each valid request item in the local cache, and determining whether one or more matched valid request items exist; when one or more matched effective request items exist, acquiring the area information of each effective request item; and when the area identification of the current area of the user equipment is matched with the area information of any effective request item, determining that the authentication result of the user equipment is successful in local authentication and returning a response message for indicating that the local authentication is successful.

Description

Method and system for authenticating user equipment based on local cache
Technical Field
The present invention relates to the field of data communication, and more particularly, to a method and system for authenticating a user equipment based on a local cache.
Background
Currently, in a conventional authentication scheme for a network (e.g., a Wi-Fi network), a gateway (or an access point (AP) / access controller (AC)) having an access control function and an authentication service (implemented with RADIUS (Remote Authentication Dial In User Service) or a web-based API (Application Programming Interface)) are deployed locally. As cloud computing has matured and become popular, many manufacturers have moved authentication services to the cloud. The cloud authentication scheme can greatly reduce cost: for a customer, the operation points save the software and hardware investment required by a local authentication service, and for an authentication provider, one cloud authentication service system can meet the authentication service requirements of thousands of operation points.
However, the cloud authentication scheme also brings other problems, such as: 1. Reliability. If a failure occurs inside the cloud infrastructure provider (e.g., Amazon AWS cloud, etc.), such as a network failure, or a failure of a virtual machine, a physical machine, a storage service, or the authentication service platform itself, the availability of the authentication service may be affected, and in a serious case all Wi-Fi operating points may fail authentication. 2. Time delay. Since the cloud authentication service platform sits on a wide area network, the authentication delay may jitter between 100 ms and the order of seconds, while local authentication may be stable at 10 ms. 3. A large number of invalid authentication requests. In places with a large flow of people and a large number of Wi-Fi APs, repeated activation/dormancy of a user terminal's Wi-Fi connection, or the Wi-Fi probing and connection behaviour of some applications (APPs), may cause a large number of invalid authentication requests, i.e., the user did not actively choose the venue's Wi-Fi in order to go online, yet authentication requests are still generated. This causes a sudden increase in load on the cloud authentication service, which in severe cases may cause service blocking or even failure. 4. Repeated authentication. That is, when an authenticated user moves from one area of a place to another, or from one place to another, the user needs to authenticate again, which affects the user experience.
Disclosure of Invention
The invention aims to solve the problems and carry out targeted optimization on the gateway and the cloud authentication service, thereby solving the reliability problem of authentication, optimizing the authentication experience and realizing cross-operation-point roaming. For example, for public Wi-Fi operation places such as hotels, shopping malls, airports and the like, the invention provides the MAC authentication and roaming method based on the gateway and the cloud computing, which can improve the reliability of authentication service, realize cross-operation-point roaming of users and improve user experience.
According to an aspect of the present invention, there is provided a method for authenticating a user equipment based on a local cache, the method comprising:
receiving a local authentication request for authenticating user equipment, and analyzing the local authentication request to acquire an equipment identifier of the user equipment and an area identifier of a current area, which are included in the local authentication request;
comparing the device identifier of the user equipment with the identifier information of each invalid request item in the local cache to determine whether a matched invalid request item exists;
when the matched invalid request item does not exist, comparing the equipment identification of the user equipment with the identification information of each valid request item in the local cache, and determining whether one or more matched valid request items exist;
when one or more matching valid request items exist, acquiring the area information of each valid request item; and
when the area identifier of the current area of the user equipment matches the area information of any of the one or more valid request items, determining that the authentication result of the user equipment is local authentication success and returning a response message indicating local authentication success.
When an access request is received from the user equipment, or when the user equipment is detected entering a service area of the access device, the device identifier of the user equipment is acquired and a local authentication request is generated from the device identifier and the area identifier of the current area.
When a matching invalid request item is determined to exist, the authentication result of the user equipment is determined to be local authentication failure, and a response message is returned indicating that local authentication requests associated with the user equipment are forbidden for the access device in the current area.
When no matching valid request item exists, the authentication result of the user equipment is determined to be local authentication failure and a response message indicating local authentication failure is returned.
When the area identifier of the current area of the user equipment does not match the area information of any of the one or more valid request items, the authentication result of the user equipment is determined to be local authentication failure and a response message indicating local authentication failure is returned.
After receiving a response message indicating local authentication failure, the user equipment is prompted to perform cloud authentication.
The user equipment sends its device identifier and identity information to a cloud server for cloud authentication.
The cloud server performs cloud authentication on the user equipment according to the equipment identification and the identity information, and sends a response message for indicating the success of the cloud authentication to the access equipment when the authentication result of the user equipment is determined to be the success of the cloud authentication;
the response message for indicating successful cloud authentication comprises: identification information, identity information, regional information, location information, authorization information and cache validity period.
The access device generates an effective request item based on the identification information, the identity information, the region information, the place information, the authorization information and the cache validity period in the response message for indicating the successful cloud authentication, and stores the effective request item in the local cache.
After receiving a response message indicating that cloud authentication is successful, the access device allows the user equipment to access a service network.
The cloud server performs cloud authentication on the user equipment according to the device identifier and the identity information, and sends a response message indicating cloud authentication failure to the access device when it determines that the authentication result of the user equipment is cloud authentication failure.
After receiving a response message for indicating that cloud authentication fails, the access device refuses the user device to access the service network and stores an invalid request item in an invalid cache region pre-established in a local cache.
The invalid request item includes identification information and a cache validity period.
The local authentication request further includes a venue identifier.
Before acquiring the area information of each valid request item, the method further comprises the following steps:
acquiring the venue information of each valid request item;
acquiring a plurality of venue information sets from the local cache, each venue information set comprising a plurality of venue information;
when the venue identifier of the user equipment and the venue information of any of the one or more valid request items belong to the same venue information set, determining that the authentication result of the user equipment is local authentication success and returning a response message indicating local authentication success.
When the venue identifier of the user equipment and the venue information of any of the one or more valid request items do not belong to the same venue information set, the authentication result of the user equipment is determined to be local authentication failure and a response message indicating local authentication failure is returned.
When the area identifier of the current area of the user equipment matches the identifier information of a public area, the authentication result of the user equipment is determined to be local authentication success and a response message indicating local authentication success is returned.
When the communication link with the cloud server is determined to be in a connection fault state, or the cloud server is determined to be in an operation fault state, the authentication result of the user equipment is determined to be an authentication-free state and a response message indicating the authentication-free state is returned.
After the response message indicating the authentication-free state is returned, the network connection of the user equipment in the authentication-free state is set to a temporary connection state.
When the communication link with the cloud server is determined to have recovered from the network failure to a normal connection state, or the cloud server is determined to have recovered from the fault state to normal operation, a timer of a preset duration is started, and local authentication is performed on the user equipment in the temporary connection state when the timer expires.
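The steps above describe one decision procedure on the gateway: invalid cache, then valid cache, then the area, venue-set and public-area conditions, with a fail-open branch when the cloud is unreachable. The following Python is an added illustration of that procedure, not code from the patent or its assignee. The entry layout, the `Result` names, the VLAN-style area identifiers, the venue names and the MAC addresses are all constructed; the three success conditions (same area, same venue set, public area) are treated as alternative grounds for local success, as the disclosure lists them, and the authentication-free branch is applied only where the cache gives no answer, which matches the statement that a cloud failure affects only guests without a cache record.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    LOCAL_SUCCESS = "local authentication succeeded"
    LOCAL_FAIL = "local authentication failed; prompt cloud authentication"
    FORBID = "local authentication failed; suppress further requests for this device"
    AUTH_FREE = "cloud in fault state; admit in temporary connection state"


@dataclass
class ValidEntry:
    """Valid request item, written after a successful cloud/Portal authentication."""
    device_id: str      # MAC address of the user equipment
    identity: str       # e.g. phone number or room number
    area: str           # area identifier; the text suggests a VLAN ID
    venue: str          # venue (place) identifier
    authorization: str  # e.g. bandwidth level
    expires_at: float   # absolute time in seconds; the item is deleted afterwards


@dataclass
class InvalidEntry:
    """Invalid request item, written after a failed cloud authentication."""
    device_id: str
    expires_at: float


@dataclass
class LocalCache:
    invalid: list = field(default_factory=list)
    valid: list = field(default_factory=list)
    venue_sets: list = field(default_factory=list)  # frozensets of venue ids
    public_areas: set = field(default_factory=set)
    cloud_reachable: bool = True  # link to the cloud server and the service are healthy

    def purge(self, now):
        """Delete request items whose cache validity period has expired."""
        self.invalid = [e for e in self.invalid if e.expires_at > now]
        self.valid = [e for e in self.valid if e.expires_at > now]


def same_venue_set(cache, venue_a, venue_b):
    """True when both venues belong to one configured venue information set."""
    return any(venue_a in s and venue_b in s for s in cache.venue_sets)


def cache_decision(cache, device_id, area_id, venue_id):
    """Invalid cache, valid cache, then area / venue-set / public-area matching."""
    if any(e.device_id == device_id for e in cache.invalid):
        return Result.FORBID                   # matched invalid request item
    matches = [e for e in cache.valid if e.device_id == device_id]
    if not matches:
        return Result.LOCAL_FAIL               # device never authenticated here
    if area_id in cache.public_areas:
        return Result.LOCAL_SUCCESS            # public area of the venue
    for e in matches:
        if e.area == area_id:
            return Result.LOCAL_SUCCESS        # same area as an earlier success
        if venue_id is not None and same_venue_set(cache, venue_id, e.venue):
            return Result.LOCAL_SUCCESS        # roaming inside one venue set
    return Result.LOCAL_FAIL                   # neither area nor venue matched


def local_authenticate(cache, device_id, area_id, venue_id, now):
    """Full decision for one parsed local authentication request.

    The fail-open branch applies only where the cache gives no answer: a device
    with a valid or invalid item is still decided locally while the cloud is down.
    """
    cache.purge(now)
    result = cache_decision(cache, device_id, area_id, venue_id)
    if result is Result.LOCAL_FAIL and not cache.cloud_reachable:
        return Result.AUTH_FREE
    return result


def build_sample_cache():
    """Constructed sample state: one authenticated device, one refused device."""
    cache = LocalCache()
    cache.valid.append(ValidEntry("aa:bb:cc:dd:ee:01", "room-1203", "vlan-20",
                                  "hotel-A", "bandwidth-high", expires_at=1000.0))
    cache.invalid.append(InvalidEntry("aa:bb:cc:dd:ee:02", expires_at=1000.0))
    cache.venue_sets.append(frozenset({"hotel-A", "hotel-B"}))  # one operator, two hotels
    cache.public_areas.add("vlan-1")                             # e.g. the lobby VLAN
    return cache


if __name__ == "__main__":
    c = build_sample_cache()
    for dev, area, venue in [("aa:bb:cc:dd:ee:01", "vlan-20", "hotel-A"),
                             ("aa:bb:cc:dd:ee:01", "vlan-77", "hotel-B"),
                             ("aa:bb:cc:dd:ee:01", "vlan-77", "mall-C"),
                             ("aa:bb:cc:dd:ee:02", "vlan-20", "hotel-A"),
                             ("aa:bb:cc:dd:ee:03", "vlan-20", "hotel-A")]:
        print(dev, area, venue, "->", local_authenticate(c, dev, area, venue, now=100.0).name)
```

Purging expired items before every decision is what gives the invalid-cache entries their self-limiting character: a device refused once is suppressed only for the cache validity period, after which its next request falls through to the cloud again.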
According to another aspect of the present invention, there is provided a system for authenticating a user equipment based on a local cache, the system comprising:
the analysis unit is used for receiving a local authentication request for authenticating the user equipment and analyzing the local authentication request to acquire an equipment identifier of the user equipment and an area identifier of a current area, which are included in the local authentication request;
the comparison unit is used for comparing the equipment identifier of the user equipment with the identifier information of each invalid request item in the local cache to determine whether a matched invalid request item exists or not; when the matched invalid request item does not exist, comparing the equipment identification of the user equipment with the identification information of each valid request item in the local cache, and determining whether one or more matched valid request items exist;
an acquisition unit for acquiring the area information of each valid request item when it is determined that one or more matching valid request items exist; and
an authentication unit for determining that the authentication result of the user equipment is local authentication success and returning a response message indicating local authentication success when the area identifier of the current area of the user equipment matches the area information of any of the one or more valid request items.
The system further comprises a processing unit, when receiving an access request from the user equipment or when detecting that the user equipment enters a service area of the access equipment, the processing unit acquires an equipment identifier of the user equipment and generates a local authentication request according to the equipment identifier and an area identifier of a current area.
When a matching invalid request item is determined to exist, the authentication unit determines that the authentication result of the user equipment is local authentication failure and returns a response message indicating that local authentication requests associated with the user equipment are forbidden for the access device in the current area.
When no matching valid request item exists, the authentication unit determines that the authentication result of the user equipment is local authentication failure and returns a response message indicating local authentication failure.
When the area identification of the current area of the user equipment is not matched with the area information of any effective request item in one or more effective request items, the authentication unit determines that the authentication result of the user equipment is that local authentication fails and returns a response message for indicating that the local authentication fails.
When a response message indicating local authentication failure is received, the processing unit prompts the user equipment to perform cloud authentication.
The user equipment sends its device identifier and identity information to a cloud server for cloud authentication.
The cloud server performs cloud authentication on the user equipment according to the equipment identification and the identity information, and sends a response message for indicating the success of the cloud authentication to the access equipment when the authentication result of the user equipment is determined to be the success of the cloud authentication;
the response message for indicating successful cloud authentication comprises: identification information, identity information, regional information, location information, authorization information and cache validity period.
The access device generates an effective request item based on the identification information, the identity information, the region information, the place information, the authorization information and the cache validity period in the response message for indicating the successful cloud authentication, and stores the effective request item in the local cache.
After receiving a response message indicating that cloud authentication is successful, the access device allows the user equipment to access a service network.
The cloud server performs cloud authentication on the user equipment according to the device identifier and the identity information, and sends a response message indicating cloud authentication failure to the access device when it determines that the authentication result of the user equipment is cloud authentication failure.
After receiving a response message for indicating that cloud authentication fails, the access device refuses the user device to access the service network and stores an invalid request item in an invalid cache region pre-established in a local cache.
The invalid request item includes identification information and a cache validity period.
The local authentication request further includes a venue identifier.
The authentication unit acquires the venue information of each valid request item and acquires a plurality of venue information sets from the local cache, each venue information set comprising a plurality of venue information.
When the venue identifier of the user equipment and the venue information of any of the one or more valid request items belong to the same venue information set, the authentication unit determines that the authentication result of the user equipment is local authentication success and returns a response message indicating local authentication success.
When the venue identifier of the user equipment and the venue information of any of the one or more valid request items do not belong to the same venue information set, the authentication unit determines that the authentication result of the user equipment is local authentication failure and returns a response message indicating local authentication failure.
When the area identification of the current area of the user equipment is matched with the identification information of the public area, the authentication unit determines that the authentication result of the user equipment is successful in local authentication and returns a response message for indicating that the local authentication is successful.
When the communication link with the cloud server is determined to be in a connection fault state or the cloud server is determined to be in an operation fault state, the authentication unit determines that the authentication result of the user equipment is in an authentication-free state and returns a response message for indicating the authentication-free state.
The processing unit sets the network connection of the user equipment in the authentication-free state to be in a temporary connection state.
When the communication link with the cloud server is determined to be recovered to a normal connection state from a network failure or the cloud server is determined to be recovered to a normal operation state from a failure state, the processing unit starts a timer with a preset time length, and local authentication is performed on the user equipment in the temporary connection state when the timer expires.
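The processing unit's handling of the authentication-free state has three parts: admit the device while the cloud is in a fault state, mark its connection temporary, and, once the cloud recovers, start a timer of a preset length and locally re-authenticate every temporary connection when it expires. The Python below is an added example of that state machine, not code from the patent; the 60-second timer length, the `local_auth` callback standing in for the gateway's cache check, and the MAC addresses are assumptions. Time is passed in explicitly so the behaviour can be exercised without waiting.

```python
REAUTH_DELAY = 60.0  # preset timer length in seconds (assumed; the text gives no value)


class TemporaryConnections:
    """Tracks devices admitted in the authentication-free state and re-authenticates
    them once the cloud has recovered and a timer of a preset length has expired."""

    def __init__(self, local_auth, delay=REAUTH_DELAY):
        self.local_auth = local_auth  # callable(mac) -> bool; the gateway's local cache check
        self.delay = delay
        self.temporary = set()        # MACs whose connection is in the temporary state
        self.cloud_ok = True          # cloud link and cloud service healthy
        self.reauth_at = None         # absolute time at which the timer expires

    def cloud_state(self, ok, now):
        """Record a cloud state change; recovery with temporary connections starts the timer."""
        if ok and not self.cloud_ok and self.temporary:
            self.reauth_at = now + self.delay
        self.cloud_ok = ok

    def admit_auth_free(self, mac):
        """Admit a device the cache could not decide while the cloud is in a fault state.

        Returns True when the device was admitted in the temporary connection state,
        False when the cloud is healthy and normal cloud authentication should run.
        """
        if self.cloud_ok:
            return False
        self.temporary.add(mac)
        return True

    def tick(self, now):
        """Periodic timer check. Once the timer has expired, locally authenticate every
        temporary connection and return {mac: passed}; otherwise return None."""
        if self.reauth_at is None or now < self.reauth_at or not self.cloud_ok:
            return None
        results = {mac: self.local_auth(mac) for mac in sorted(self.temporary)}
        self.temporary.clear()   # devices that failed are now prompted for cloud authentication
        self.reauth_at = None
        return results


if __name__ == "__main__":
    # Constructed run: only the first device has a valid cache record.
    tc = TemporaryConnections(lambda mac: mac == "aa:bb:cc:dd:ee:01")
    tc.cloud_state(False, now=0.0)
    tc.admit_auth_free("aa:bb:cc:dd:ee:01")
    tc.admit_auth_free("aa:bb:cc:dd:ee:02")
    tc.cloud_state(True, now=100.0)
    print(tc.tick(150.0), tc.tick(160.0))
```

The guard in `tick` also covers the case where the cloud fails again before the timer fires: the temporary set is kept and the timer is restarted on the next recovery, so no device is re-authenticated against an unreachable backend.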
Drawings
A more complete understanding of exemplary embodiments of the present invention may be had by reference to the following drawings in which:
fig. 1 is a flowchart of a method for authenticating a user equipment based on a local cache according to an embodiment of the present invention;
fig. 2 is a flow diagram of a method of MAC authentication at a gateway according to an embodiment of the present invention;
FIG. 3 is a flow diagram of a method of implementing cross-site authentication in accordance with an embodiment of the present invention;
fig. 4 is a flowchart of a method of cloud authentication according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a local cache according to an embodiment of the invention;
fig. 6 is a schematic structural diagram of a system for authenticating a user equipment based on a local cache according to an embodiment of the present invention; and
fig. 7 is a schematic structural diagram of an authentication system according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided for complete and complete disclosure of the present invention and to fully convey the scope of the present invention to those skilled in the art. The terms used in the exemplary embodiments shown in the drawings are not intended to limit the present invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
In the present invention, the nouns associated with Wi-Fi authentication are explained as follows:
Media Access Control (MAC) authentication: when a user equipment (a mobile phone or a tablet computer) accesses a Wi-Fi network, if the MAC address of the user equipment is new to that Wi-Fi network, MAC authentication is initiated once. If the MAC authentication passes, the user equipment is successfully connected. MAC authentication is "imperceptible" to the user.
Portal (portal page) authentication: when a user equipment (a mobile phone or a tablet computer) connects to a Wi-Fi network, a pop-up window on the display of the user equipment shows an authentication page, and the user enters identity information related to authentication (such as a mobile phone number, a membership number, a room number, an authentication code, an identity code and the like) together with a verification code or password to authenticate. Portal authentication is initiated actively by the user, unlike the "imperceptible" MAC authentication. Portal authentication is "perceived" by the user.
Fig. 1 is a flow chart of a method 100 for authenticating a user equipment based on a local cache according to an embodiment of the present invention. As shown in fig. 1, method 100 begins at step 101. In step 101, a local authentication request for authenticating the user equipment is received, and the local authentication request is parsed to obtain the device identifier of the user equipment and the area identifier of the current area, which are included in the local authentication request. When the access equipment or the access point receives an access request from the user equipment or when the user equipment is detected to enter a service area of the access equipment, the access equipment acquires an equipment identifier of the user equipment and generates a local authentication request according to the equipment identifier and the area identifier of the current area. Wherein the device identification of the user equipment may be hardware information of the user equipment, such as a MAC address or a unique identification code. The current region is the region in which the user equipment is currently located. The current region may be a region within a particular venue. Wherein each venue may include at least one zone. The area identification may be, for example, a combination of a place name and an area name. Alternatively, the area identification may be an identifier for uniquely identifying the current area of the current location, for example, a VLAN (virtual local area network) ID (identifier) is used as the area identification within the location in the present application, and even if the same SSID is used, different VLAN IDs may be configured in (APs in) different areas. In general, one or more access devices may be present in an area or current area and each access device is used to provide network services for the area.
In the present application, a local authentication request to authenticate a user equipment may be received by a gateway device from an access device. The gateway device has a local cache, and the local cache is to store at least one invalid request entry and at least one valid request entry. The cloud server may generally be in communication with a plurality of gateway devices and may be capable of facilitating the maintenance of data consistency by the plurality of gateway devices. For example, where premises a has gateway device a and premises B has gateway device B, a valid request item or an invalid request item associated with the user device at gateway device a may also be synchronously saved to premises B when the user device moves from premises a to premises B. It should be appreciated that the present application may maintain partial or full consistency of data (valid or invalid requests) in multiple gateway devices via the cloud server.
In step 102, the device identifier of the user equipment is compared with the identification information of each invalid request item in the local cache to determine whether a matching invalid request item exists. The invalid request item includes at least identification information and a cache validity period, as shown in fig. 5. The identification information of the invalid request item may be hardware information or the device identifier of the user equipment, such as a MAC address or a unique identification code. The cache validity period indicates how long the invalid request item is kept in the local cache; when it expires, the invalid request item is deleted from the local cache. The cache validity period is, for example, 2 hours, 8 hours, 1 day, and the like.
In the present application, the invalid-authentication Cache mechanism addresses the large number of invalid authentications that occur in public places. The gateway device therefore implements a local invalid-authentication Cache mechanism comprising the following steps:
1. When the cloud authentication fails, the gateway device records the authentication failure information in the Cache. The authentication failure information, or invalid request item, comprises the MAC address of the user equipment and a Cache validity period (for example, 30 minutes), after which the Cache record is automatically deleted;
2. When the user equipment triggers MAC authentication again (for example, Portal authentication or local authentication that was not manually triggered by the user), the gateway device first queries the local invalid-authentication Cache by MAC address, and if an authentication failure record exists in the Cache, the gateway device directly returns authentication failure information. In addition, when the user manually triggers Portal authentication or cloud authentication and passes it, the gateway device converts the invalid authentication information in the Cache into valid authentication information, for example, converts the invalid request item into a valid request item.
When a matching invalid request item is determined to exist, the authentication result of the user equipment is determined to be local authentication failure, and a response message is returned indicating that local authentication requests associated with the user equipment are forbidden for the access device in the current area. In this way, the user equipment is prevented from sending further invalid authentication requests, that is, requests from a user who does not want to access the network, thereby reducing the number of invalid authentications.
In step 103, when it is determined that there are no matching invalid request items, the device identifier of the user equipment is compared with the identification information of each valid request item in the local cache to determine whether there are one or more matching valid request items. The identification information of the valid request entry may be hardware information of the user equipment or equipment identification, such as a MAC address or a unique identification code.
Specifically, to address the reliability and time delay problems of the cloud authentication service, the method and system implement a Cache authentication mechanism on the gateway device, comprising the following steps:
1. When the user passes the first Portal authentication or cloud authentication of the user equipment, the gateway device records the authentication success information in the Cache. The authentication success information, or valid request item, includes: identification information of the user equipment (e.g., a device identifier such as a MAC address), identity information (e.g., a mobile phone number, a room number, a membership number, etc.), area information (e.g., hotel lobby, hotel restaurant, hotel room, etc.), venue information (e.g., hotel A, hotel B), authorization information (bandwidth level, priority level, etc.), and Cache validity period (e.g., 5 days, 7 days, etc.). The Cache record is automatically deleted after expiry.
2. When the user equipment triggers local MAC authentication again within the validity period of the Cache (for example, the state of the user equipment is changed from power-off to power-on, or from dormancy to wakeup, or the user returns after leaving the place), the gateway equipment queries the local Cache according to the MAC address. Because the MAC address of the user equipment and the successful authentication information or the effective request item exist in the local Cache of the gateway equipment, the authentication is directly carried out through the local Cache. Since the gateway device queries the local Cache very efficiently, the local authentication delay can be on the order of 1 ms. The user is essentially unaware of this local authentication process.
3. And when the equipment identification of the user equipment is not hit in the local Cache of the gateway equipment, triggering cloud MAC authentication or Portal authentication. If the cloud MAC authentication or the Portal authentication fails, a Portal interface can be automatically popped up in the user equipment, so that the user can perform manual Portal authentication.
According to the Cache authentication mechanism, local authentication can be performed for multiple times after Portal authentication is performed for one time. The method can greatly solve the reliability of the cloud end and reduce the average authentication time delay. For example, for a hotel room, when the cloud fails, only newly arrived guests who have not used hotel Wi-Fi are affected. Guests who have used Wi-Fi are not affected at all. In addition, the Cache authentication mechanism also greatly relieves the service pressure of cloud authentication service. In practical typical applications (e.g., high-end hotels), the local MAC authentication may account for 90%, that is, the local Cache authentication bypasses the cloud authentication by more than 90% of the authentication pressure.
In step 104, when it is determined that one or more matching valid request items exist, the area information of each valid request item is acquired. Alternatively, when it is determined that no matching valid request item exists, the gateway device determines that the authentication result of the user equipment is local authentication failure and returns a response message indicating local authentication failure to the access device or access point. When the access device or access point receives the response message indicating local authentication failure, it prompts the user equipment to perform cloud authentication. For example, the access device or access point forwards the response message indicating local authentication failure to the user equipment so that the user equipment performs cloud authentication, e.g., the user performs Portal authentication through the user equipment.
The user equipment then sends its device identification and identity information (via the access device or gateway device, or directly) to the cloud server for cloud authentication. The device identification of the user equipment is, for example, a MAC address; the identity information is, for example, a cell phone number, a room number, a membership number, etc. The cloud server performs cloud authentication on the user equipment according to the device identification and the identity information, and when it determines that the authentication result of the user equipment is cloud authentication success, it sends a response message indicating cloud authentication success to the access device through the gateway device. The response message indicating cloud authentication success includes: identification information, identity information, area information, location information, authorization information and cache validity period. The identification information is, for example, a device identification of the user equipment such as a MAC address. The identity information is, for example, a cell phone number, a room number, a membership number, etc. The area information is, for example, a hotel lobby, a hotel restaurant, a hotel guest room, and the like. The location information is, for example, hotel A or hotel B. The authorization information is, for example, a bandwidth level, a priority level, etc. The cache validity period is, for example, 5 days, 7 days, etc. The cache validity period indicates how long the valid request item is kept alive or saved in the local cache; when it expires, the valid request item in the local cache is deleted. The cache validity period may also be, for example, 1 day, 2 days or 5 days.
The access device generates a valid request item from the identification information, identity information, area information, location information, authorization information and cache validity period in the response message indicating cloud authentication success, and stores the valid request item in the local cache, as shown in Fig. 5. Fig. 5 is a diagram illustrating a local cache according to an embodiment of the present invention. The local Cache is, for example, located in the gateway device and includes a plurality of cache areas, of which cache areas 501, 503 and 505 store other types of data. Cache area 502 stores invalid request items, i.e., invalid MAC authentication information or records, whose format is, for example, <identification information, cache validity period>. Cache area 504 stores valid request items, i.e., valid MAC authentication information or records, whose format is, for example, <identification information, identity information, area information, location information, authorization information, cache validity period>. After the access device receives the response message indicating cloud authentication success, it allows the user equipment to access the service network.
The cloud server performs cloud authentication on the user equipment according to the device identification and the identity information, and when it determines that the authentication result of the user equipment is cloud authentication failure, it sends a response message indicating cloud authentication failure to the access device. After receiving the response message indicating cloud authentication failure, the access device refuses the user equipment access to the service network and stores an invalid request item in an invalid cache area pre-established in the local cache. For example, the gateway device records the authentication failure information, or invalid request item, in the Cache, where it includes the MAC address of the user equipment and a cache validity period (e.g., 30 minutes).
The invention provides in-venue MAC authentication and public-area roaming in the following ways:
1. Orchestration of the Wi-Fi network deployment. Different VLANs are configured for different areas within a venue. For example, three different VLANs, a hotel lobby VLAN, a hotel business/conference area VLAN and a guest room area VLAN, are configured for the hotel lobby, the hotel business/conference area and the guest room area within a hotel.
2. Triggering MAC authentication when crossing access areas. MAC authentication is triggered whenever user equipment changes access area within a venue (e.g., moves from the guest room VLAN to the hotel lobby VLAN). The cloud server maintains, for each account record, the attribute of which VLAN areas the account may access. If the VLAN area to which the user equipment has moved is within the permitted range, MAC authentication passes; otherwise Portal authentication or cloud authentication is triggered.
3. Setting a public roaming area. For venues where a public roaming area needs to be set separately, for example a hotel lobby in which all guests are allowed to use Wi-Fi, one or more ranges of public roaming areas may be defined by VLAN, for example VLANs 1000 to 1015 (the public roaming areas may be configured locally on the gateway or configured on the cloud server and pushed down). When the user moves into the roaming area and MAC authentication is triggered, and the gateway device finds a valid request item in the Cache and the user is in a public roaming area VLAN, local MAC authentication passes directly and cloud MAC authentication is avoided.
4. Cloud MAC authentication. When the user equipment successfully authenticates through Portal authentication or cloud authentication, the cloud server generates a MAC authentication record (keyed by MAC address) with a validity period attribute and a permitted VLAN range, so that the cloud can quickly process cross-area MAC authentication within a venue.
In step 105, when the area identifier of the current area of the user equipment matches the area information of any of the one or more valid request items, the authentication result of the user equipment is determined to be local authentication success and a response message indicating local authentication success is returned. When the area identifier of the current area of the user equipment does not match the area information of any of the one or more valid request items, the authentication result of the user equipment is determined to be local authentication failure and a response message indicating local authentication failure is returned.
The method and the device also realize cross-site MAC roaming of the user equipment. Some locations with the same corporate/brand identity, such as multiple hotels or malls under the same corporate, still require Portal authentication when a guest goes from location A to location B. In this regard, the cloud authentication service may be configured to roam across locations, such as allowing hotels in a hotel group to roam freely within 180 days. When a guest leaves a hotel from the hotel A and enters the hotel B, because the guest is authenticated in the hotel A and an MAC authentication record is generated, when the hotel B is connected with Wi-Fi, mobile equipment of the guest directly passes the MAC authentication without Portal authentication.
The local authentication request may also include a venue identification. In that case, before the area information of each valid request item is obtained, the method further comprises: acquiring the venue information of each valid request item; acquiring a plurality of venue information sets from the local cache, each venue information set containing a plurality of venue information entries; and, when the venue identification of the user equipment and the venue information of any of the one or more valid request items belong to the same venue information set, determining that the authentication result of the user equipment is local authentication success and returning a response message indicating local authentication success.
When the venue identification of the user equipment and the venue information of any of the one or more valid request items do not belong to the same venue information set, the authentication result of the user equipment is determined to be local authentication failure and a response message indicating local authentication failure is returned. When the area identifier of the current area of the user equipment matches the identification information of a public area, the authentication result of the user equipment is determined to be local authentication success and a response message indicating local authentication success is returned.
The application also implements validity detection of the cloud service. For example, the gateway device periodically checks whether the cloud authentication service is available:
1. When a link fault, or a cloud infrastructure or service fault, occurs and the gateway confirms that the cloud authentication service cannot be reached, the gateway can automatically switch to an authentication-free state, in which a guest can go online simply by connecting to the Wi-Fi, so that the cloud fault does not affect the guest's Wi-Fi experience.
2. When the fault is recovered, the gateway automatically switches back to the normal authentication state.
When the communication link to the cloud server is determined to be in a connection fault state, or the cloud server is determined to be in an operational fault state, the authentication result of the user equipment is determined to be the authentication-free state and a response message indicating the authentication-free state is returned. After that response message is returned, the network connection of the user equipment in the authentication-free state is set to a temporary connection state. When the communication link to the cloud server is determined to have recovered from the network fault to a normal connection state, or the cloud server is determined to have recovered from the fault state to normal operation, a timer of preset length is started, and when the timer expires local authentication is performed on the user equipment in the temporary connection state. In the present application the temporary connection has a shorter validity period attribute (e.g., 1 hour, 1.5 hours): the user equipment is required to re-authenticate after that validity period expires, rather than immediately upon fault recovery. This is done for the sake of user experience, to reduce the probability that a temporarily connected user is suddenly interrupted and forced to re-authenticate while online.
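The fail-over behaviour just described, written out as an added Python example that is not the patent's code: the `FailoverState` class, its method names, the 10-minute timer length and the sample timeline are assumptions made for the example; the 1-hour temporary validity period is one of the values the text gives.

```python
"""Gateway fail-over between normal authentication and the authentication-free state.

Added example, not the patent's code. While the cloud authentication service is
unreachable, new connections are admitted without authentication as temporary
connections with a short validity period. When the service is reachable again a
timer of preset length is started; only when it expires (or a temporary
connection's own validity period runs out) is the connection re-authenticated.
The class/method names, the 10-minute timer and the timeline are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FailoverState:
    temp_validity: float = 3600.0        # temporary connection validity, e.g. 1 hour
    timer_length: float = 600.0          # preset timer after recovery (constructed value)
    cloud_ok: bool = True
    timer_deadline: Optional[float] = None
    temporary: Dict[str, float] = field(default_factory=dict)  # mac -> temporary expiry

    def on_probe(self, reachable: bool, now: float) -> None:
        """Periodic validity check of the cloud service (link or service fault)."""
        if self.cloud_ok and not reachable:       # fault: switch to authentication-free
            self.cloud_ok = False
            self.timer_deadline = None
        elif not self.cloud_ok and reachable:     # recovery: start the preset timer
            self.cloud_ok = True
            self.timer_deadline = now + self.timer_length

    def admit(self, mac: str, now: float) -> str:
        """Normal path returns 'authenticate'; during a fault the connection is temporary."""
        if self.cloud_ok:
            return "authenticate"
        self.temporary[mac] = now + self.temp_validity
        return "auth_free_temporary"

    def reauth_due(self, now: float) -> List[str]:
        """Temporary connections that must go through local authentication at `now`.

        Nobody is re-authenticated the instant the cloud recovers: either the
        recovery timer has fired or the connection's own validity period is over.
        """
        timer_fired = self.timer_deadline is not None and now >= self.timer_deadline
        due = sorted(m for m, exp in self.temporary.items()
                     if (self.cloud_ok and timer_fired) or exp <= now)
        for m in due:
            del self.temporary[m]
        return due


def demo() -> List[object]:
    """Constructed timeline: fault at t=0, recovery at t=300, timer fires at t=900."""
    st = FailoverState()
    st.on_probe(reachable=False, now=0.0)
    first = st.admit("aa:bb:cc:dd:ee:01", 10.0)      # "auth_free_temporary"
    second = st.admit("aa:bb:cc:dd:ee:02", 20.0)     # "auth_free_temporary"
    st.on_probe(reachable=True, now=300.0)
    on_recovery = st.reauth_due(301.0)               # []: nobody is interrupted at recovery
    after_timer = st.reauth_due(900.0)               # both temporary connections are due
    later = st.admit("aa:bb:cc:dd:ee:03", 901.0)     # "authenticate": normal path again
    return [first, second, on_recovery, after_timer, later]
```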
The invention adopts the above schemes and mechanisms to realize a highly reliable Wi-Fi authentication scheme that supports in-venue and cross-venue roaming. In a practical case, by applying the scheme of the invention, one set of cloud authentication service endpoints can effectively support more than 1600 Wi-Fi operating venues and more than 200,000 concurrent online users.
Fig. 2 is a flow diagram of a method 200 of MAC authentication at a gateway in accordance with an embodiment of the present invention. As shown in Fig. 2, method 200 begins at step 201, in which new user equipment requests access. For example, when an access request is received from the user equipment, or when the user equipment is detected entering the service area of the access device, the device identifier of the user equipment is acquired and a MAC authentication request is generated from the device identifier and the area identifier of the current area. In step 202, it is determined whether the MAC address of the user equipment matches invalid authentication information in the Cache. If it does, step 203 is performed and the access of the user equipment is rejected. If it does not, step 204 is performed to determine whether the MAC address of the user equipment matches valid authentication information in the Cache.
If the MAC address of the user equipment does not match valid authentication information in the Cache, step 206 is performed to request authentication from the cloud. If it does match, step 205 is performed to determine whether the user equipment conforms to the in-venue roaming rule.
If the user equipment does not comply with the in-venue roaming rule, step 206 is performed to request authentication from the cloud. If it does comply, step 209 is performed to authorize the bandwidth and validity period attributes of the user equipment and allow it to access.
In step 207, it is determined whether cloud authentication of the user equipment succeeded. If it succeeded, step 208 is performed to update the valid authentication information of the user equipment in the Cache, and then step 209 is performed. If it failed, step 210 is performed to reject the access of the user equipment, and step 211 is performed to update the invalid authentication information of the user equipment in the Cache.
Fig. 3 is a flow diagram of a method 300 for implementing cross-venue authentication in accordance with an embodiment of the present invention. The method 300 begins at step 301. When an access request is received from user equipment, or when the user equipment is detected entering the service area of the access device, the device identifier of the user equipment is acquired and a MAC authentication request is generated from the device identifier and the area identifier of the current area. In step 301, MAC authentication is started. In step 302, it is determined whether the MAC address of the user equipment matches a valid authentication record in the Cache. If not, step 306 is performed and a MAC authentication failure message is returned; if so, step 303 is performed to determine whether the location information of the user equipment matches the MAC authentication record.
If the location information of the user equipment matches the MAC authentication record, step 305 is performed to determine whether the current area of the user equipment conforms to the access area rule in the location. If the current area of the user equipment conforms to the access area rule in the site, step 307 is performed, and a MAC authentication success message is returned. If the current area of the user equipment does not conform to the access area rule in the place, step 306 is performed, and a MAC authentication failure message is returned.
If the location information of the UE does not match the MAC authentication record, go to step 304 to determine whether the UE complies with the cross-location roaming rule. If the UE conforms to the cross-location roaming rule, go to step 307 and return a MAC authentication success message. If the UE does not comply with the cross-site roaming rule, step 306 is performed, and a MAC authentication failure message is returned.
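The gateway-side decision flow of methods 200 and 300 above, as an added Python example that is not part of the patent text: the class and method names, the sample MAC addresses, the venue names and all VLAN IDs other than the public roaming range 1000 to 1015 quoted in the text are assumptions made for the example.

```python
"""Gateway-side local-cache MAC authentication for methods 200 and 300.

Added example, not code from the patent. It implements the decision flow:
invalid cache (202) -> valid cache (204/302) -> venue match (303) -> in-venue
access area rule incl. public roaming VLANs (205/305) -> cross-venue roaming
rule (304), plus the cache updates after a cloud result (208/211). Class and
method names, sample MAC addresses, venue names and all VLAN IDs except the
public roaming range 1000-1015 quoted in the text are constructed here.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List


class Result(Enum):
    FORBIDDEN = "forbidden"          # matched the invalid-authentication cache (203)
    LOCAL_SUCCESS = "local_success"  # authorized from the local cache (209/307)
    LOCAL_FAILURE = "local_failure"  # miss or rule violation: cloud/Portal next (206/306)


@dataclass
class ValidEntry:
    """Cache area 504: <identification, identity, area, location, authorization, validity>."""
    mac: str
    identity: str                   # e.g. phone number or room number
    venue: str                      # location information, e.g. hotel A
    allowed_vlans: FrozenSet[int]   # area information: VLAN IDs this record may access
    authorization: Dict[str, str]   # e.g. bandwidth level, priority level
    expires_at: float               # absolute time at which the validity period ends


@dataclass
class InvalidEntry:
    """Cache area 502: <identification, validity>."""
    mac: str
    expires_at: float


@dataclass
class LocalCache:
    invalid: Dict[str, InvalidEntry] = field(default_factory=dict)
    valid: Dict[str, ValidEntry] = field(default_factory=dict)
    public_roaming_vlans: FrozenSet[int] = frozenset(range(1000, 1016))  # VLANs 1000-1015
    venue_groups: List[FrozenSet[str]] = field(default_factory=list)     # cross-venue sets

    def purge(self, now: float) -> None:
        """Records are deleted automatically once their validity period has passed."""
        self.invalid = {m: e for m, e in self.invalid.items() if e.expires_at > now}
        self.valid = {m: e for m, e in self.valid.items() if e.expires_at > now}

    def authenticate(self, mac: str, venue: str, vlan: int, now: float) -> Result:
        """Decide one local request <device id, venue id, area id (VLAN)>."""
        self.purge(now)
        mac = mac.lower()
        if mac in self.invalid:                     # 202 -> 203
            return Result.FORBIDDEN
        entry = self.valid.get(mac)
        if entry is None:                           # 204 -> 206, 302 -> 306
            return Result.LOCAL_FAILURE
        if entry.venue == venue:                    # 303: same venue, in-venue area rule
            if vlan in entry.allowed_vlans or vlan in self.public_roaming_vlans:
                return Result.LOCAL_SUCCESS         # 305 -> 307
            return Result.LOCAL_FAILURE             # 305 -> 306
        if any(entry.venue in g and venue in g for g in self.venue_groups):
            return Result.LOCAL_SUCCESS             # 304 -> 307: cross-venue roaming
        return Result.LOCAL_FAILURE                 # 304 -> 306

    def on_cloud_success(self, entry: ValidEntry) -> None:
        """208: store the cloud response as a valid entry; an invalid record converts."""
        self.invalid.pop(entry.mac.lower(), None)
        self.valid[entry.mac.lower()] = entry

    def on_cloud_failure(self, mac: str, now: float, ttl: float = 30 * 60) -> None:
        """211: remember the failure for the invalid-cache validity period (30 minutes)."""
        self.invalid[mac.lower()] = InvalidEntry(mac.lower(), now + ttl)


def demo() -> List[Result]:
    """Constructed walk-through; returns the results in order so they can be checked."""
    now, day = 1_700_000_000.0, 86_400.0
    cache = LocalCache(venue_groups=[frozenset({"hotel-A", "hotel-B"})])
    guest, stranger = "AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"
    out = [cache.authenticate(guest, "hotel-A", 20, now)]              # first visit: cache miss
    cache.on_cloud_success(ValidEntry(guest.lower(), "room-1208", "hotel-A",
                                      frozenset({20}), {"bandwidth": "gold"}, now + 7 * day))
    out.append(cache.authenticate(guest, "hotel-A", 20, now + 60))       # wake from sleep: hit
    out.append(cache.authenticate(guest, "hotel-A", 1000, now + 120))    # lobby: public roaming VLAN
    out.append(cache.authenticate(guest, "hotel-A", 30, now + 180))      # conference VLAN not allowed
    out.append(cache.authenticate(guest, "hotel-B", 40, now + day))      # same hotel group: roams
    cache.on_cloud_failure(stranger, now)                                # failed cloud attempt
    out.append(cache.authenticate(stranger, "hotel-A", 20, now + 60))    # repeat request forbidden
    out.append(cache.authenticate(stranger, "hotel-A", 20, now + 31 * 60))  # invalid record expired
    out.append(cache.authenticate(guest, "hotel-A", 20, now + 8 * day))     # valid record expired
    return out
```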
Fig. 4 is a flowchart of a method 400 of cloud authentication according to an embodiment of the present invention. As shown in Fig. 4, method 400 begins at step 401, which is reached when the authentication result of the user equipment has been determined to be local authentication failure and a response message indicating local authentication failure has been received, or when the user equipment itself wishes to perform cloud authentication. The user equipment sends its device identification and identity information (via the access device or gateway device, or directly) to the cloud server for cloud authentication or Portal authentication. In step 401, cloud authentication or Portal authentication is initiated. In step 402, it is determined whether the user's identity/password or authentication code authentication passes. If not, step 406 is performed and a cloud authentication or Portal authentication failure message is returned. If it passes, step 403 is performed to determine whether the user equipment conforms to the in-venue access area rule.
If the user equipment does not conform to the rules of the access area in the site, step 406 is performed, and a message of failure of cloud authentication or Portal authentication is returned. If the user equipment complies with the in-venue access zone rules, then step 404 is performed to generate a MAC authentication record including bandwidth, validity period, and roaming rule attributes. In step 405, a cloud authentication or Portal authentication success message is returned.
Therefore, a highly reliable Wi-Fi authentication scheme that supports in-venue and cross-venue roaming is realized by adopting at least the following five mechanisms. In a practical case, by applying the scheme of the invention, one set of cloud authentication service endpoints can effectively support more than 1600 Wi-Fi operating venues and more than 200,000 concurrent online users.
First, local Cache authentication
To address the reliability and latency problems of the cloud authentication service, a Cache authentication mechanism is implemented on the gateway, comprising the following steps:
1. When the user's Portal authentication succeeds for the first time, the gateway records the authentication information in the Cache. The authentication information comprises the MAC address of the user equipment, identity information (such as a mobile phone number, a room number, a membership number, etc.), authorization information (bandwidth) and the Cache validity period (such as 7 days); the Cache record is automatically removed after it expires.
2. When the user equipment triggers MAC authentication again within the Cache validity period (for example, after a device state change from powered off to powered on or from dormant to awake, or after the user leaves the venue and returns), the gateway queries the local Cache by MAC address. Because the MAC address and authentication information of the user exist in the local Cache of the gateway, local authentication passes directly. Since querying the local Cache is very efficient, local authentication can be completed with a delay on the order of 1 ms, and the user is essentially unaware of the local authentication process.
3. When the user equipment misses in the local Cache, cloud MAC authentication is triggered; if cloud MAC authentication fails, a Portal is automatically popped up on the user equipment and the user needs to perform manual Portal authentication.
The Cache authentication mechanism allows local authentication many times after a single Portal authentication, greatly mitigates the reliability problem of the cloud, and reduces the average authentication delay. For example, in a hotel, when the cloud fails, only newly arrived guests who have not yet used the Wi-Fi are affected, and guests who have already used the Wi-Fi are not affected at all. In addition, the Cache authentication mechanism greatly relieves the load on the cloud authentication service. In typical practical deployments (such as high-end hotels), local MAC authentication can account for 90% of authentications, that is, local Cache authentication offloads more than 90% of the authentication load from the cloud.
Second, invalid authentication Cache
To address the large number of invalid authentications that occur in public venues, the gateway also implements a local invalid authentication Cache mechanism, comprising the following steps:
1. When cloud authentication fails, the authentication failure information is recorded in the Cache. It comprises the MAC address of the user equipment and a validity period (such as 30 minutes), and the Cache record is automatically removed after it expires.
2. When the user equipment triggers MAC authentication again (not Portal authentication manually triggered by the user), the gateway first queries the local invalid authentication Cache by MAC address, and if a Cache record exists it directly returns authentication failure information.
3. When the user manually initiates Portal authentication and passes it successfully, the invalid authentication Cache entry is converted to a valid authentication Cache entry, as in point 1 of the previous section.
Third, in-venue MAC authentication and public-area roaming
1. Orchestration of the Wi-Fi network deployment: different VLANs are configured for different areas within a venue; for example, three different VLANs are configured for a hotel lobby, a hotel business/conference area and a guest room area.
2. Triggering MAC authentication when crossing access areas: MAC authentication is triggered whenever a user changes access area within a venue, such as moving from the guest room VLAN to the lobby VLAN. The cloud maintains for each account the attribute of which VLAN areas it may access; if the VLAN area to which the user has moved is within the permitted range, MAC authentication passes, otherwise manual Portal authentication is triggered.
3. Setting a public roaming area: for venues where a public roaming area needs to be set separately, for example a hotel lobby that is a Wi-Fi public roaming area all guests are allowed to use, one or more ranges of public roaming areas (configured locally on the gateway or configured on the cloud and pushed down) can be defined by VLAN, for example VLANs 1000-1015. When a user moves into the roaming area and MAC authentication is initiated, the gateway detects that the Cache entry is valid and the user is in a public roaming area VLAN, so local MAC authentication passes directly and initiating cloud MAC authentication is avoided.
4. Cloud MAC authentication: when the user passes Portal authentication, the cloud generates a MAC authentication record (keyed by MAC address) with a validity period attribute and the permitted VLAN range of point 2, so that the cloud can rapidly process cross-area MAC authentication within the venue.
Fourth, cross-venue MAC roaming
Some locations with the same corporate/brand identity, such as multiple hotels or malls under the same corporate, still require Portal authentication when a guest goes from location A to location B. In this regard, the cloud authentication service may be configured to roam across locations, such as allowing hotels in a hotel group to roam freely within 180 days. When a guest leaves a hotel from the hotel A and enters the hotel B, because the guest is authenticated in the hotel A and an MAC authentication record is generated, when the hotel B is connected with Wi-Fi, mobile equipment of the guest directly passes the MAC authentication without Portal authentication.
Fifth, cloud service validity detection
The gateway periodically checks the validity of the cloud authentication service:
1. when a link fault or a cloud infrastructure or service fault occurs, the gateway confirms that the cloud authentication service cannot be reached, and can automatically switch to an authentication-free state, namely, a guest can surf the internet by connecting to the Wi-Fi, so that the cloud fault is prevented from influencing the experience of the guest Wi-Fi.
2. When the failure is recovered, the gateway automatically switches back to the normal authentication state.
Fig. 6 is a schematic structural diagram of a system 600 for authenticating user equipment based on a local cache according to an embodiment of the present invention. The system 600 includes: a parsing unit 601, a comparing unit 602, an obtaining unit 603, an authenticating unit 604 and a processing unit 605. The parsing unit 601 receives a local authentication request for authenticating the user equipment and parses it to obtain the device identifier of the user equipment and the area identifier of the current area contained in the request.
When the access device or access point receives an access request from the user equipment, or when the user equipment is detected entering the service area of the access device, the processing unit 605 acquires the device identifier of the user equipment and generates a local authentication request from the device identifier and the area identifier of the current area. The device identifier of the user equipment may be hardware information of the user equipment, such as a MAC address or a unique identification code. The current area is the area in which the user equipment is currently located, and may be an area within a particular venue; each venue may include at least one area. The area identifier may be, for example, a combination of a venue name and an area name. Alternatively, the area identifier may be an identifier that uniquely identifies the current area within the current venue; in the present application a VLAN (virtual local area network) ID is used as the area identifier within a venue, and even where the same SSID is used, different VLAN IDs may be configured for (the APs in) different areas. In general, one or more access devices may be present in an area, each providing network services for that area.
In the present application, the local authentication request for authenticating the user equipment may be received by the gateway device from the access device. The gateway device has a local cache that stores at least one invalid request item and at least one valid request item. The cloud server may generally communicate with a plurality of gateway devices and may help those gateway devices keep their data consistent. For example, where venue A has gateway device A and venue B has gateway device B, a valid or invalid request item associated with the user equipment at gateway device A may also be synchronously saved to venue B when the user equipment moves from venue A to venue B. It should be appreciated that the present application may maintain partial or full consistency of the data (valid or invalid request items) across multiple gateway devices via the cloud server.
The comparing unit 602 compares the device identifier of the user equipment with the identification information of each invalid request item in the local cache and determines whether a matching invalid request item exists. The invalid request item includes at least identification information and a cache validity period, as shown in Fig. 5. The identification information of the invalid request item may be hardware information of the user equipment or a device identification, such as a MAC address or a unique identification code. The cache validity period indicates how long the invalid request item is kept alive or saved in the local cache; when it expires, the invalid request item in the local cache is deleted. The cache validity period is, for example, 2 hours, 8 hours, 1 day, and the like.
In the present application, the invalid authentication Cache mechanism is used to address the large number of invalid authentications that occur in public venues. To that end, the gateway device implements a local invalid authentication Cache mechanism, comprising the following steps:
1. When cloud authentication fails, the gateway device records the authentication failure information in the Cache. The authentication failure information, or invalid request item, comprises the MAC address of the user equipment and a Cache validity period (for example, 30 minutes), and the Cache record is automatically deleted after it expires;
2. When the user equipment triggers MAC authentication again (that is, local authentication rather than Portal authentication or cloud authentication manually triggered by the user), the gateway device first queries the local invalid authentication Cache by MAC address, and if an authentication failure record exists in the Cache it directly returns authentication failure information. In addition, when the user manually triggers Portal authentication or cloud authentication and passes it successfully, the gateway device converts the invalid authentication information in the Cache into valid authentication information, for example by converting the invalid request item into a valid request item.
When it is determined that a matching invalid request item exists, the authentication result of the user equipment is determined to be a local authentication failure, and a response message indicating that sending of local authentication requests associated with the user equipment is prohibited is returned to the access device of the current area. This prevents the user equipment from sending further invalid authentication requests (that is, requests from a user who does not actually want to access the network), thereby reducing the number of invalid authentications.
When it is determined that no matching invalid request item exists, the comparing unit 602 compares the device identifier of the user equipment with the identification information of each valid request item in the local cache and determines whether one or more matching valid request items exist. The identification information of a valid request item may be hardware information of the user equipment or a device identification, such as a MAC address or a unique identification code.
Specifically, to address the reliability and latency problems of the cloud authentication service, the method and system implement a Cache authentication mechanism on the gateway device, which comprises the following steps:
1. When the user passes the first Portal authentication or cloud authentication of the user equipment, the gateway device records the authentication success information in the Cache. The authentication success information, or valid request item, includes: identification information of the user equipment (for example, a device identification such as a MAC address), identity information (for example, a mobile phone number, room number, membership number, etc.), area information (for example, hotel lobby, hotel restaurant, hotel guest room, etc.), place information (for example, hotel A, hotel B), authorization information (bandwidth level, priority level, etc.) and Cache validity period (for example, 5 days, 7 days, etc.). The Cache record is deleted automatically after it expires.
2. When the user equipment triggers local MAC authentication again within the validity period of the Cache (for example, because the user equipment changes from powered off to powered on, or from sleep to awake, or the user returns after leaving the site), the gateway device queries the local Cache by MAC address. Because the MAC address of the user equipment and the corresponding authentication success information, or valid request item, exist in the local Cache of the gateway device, authentication is completed directly from the local Cache. Since a local Cache lookup on the gateway device is very efficient, the local authentication delay can be on the order of 1 ms, and the user is essentially unaware of the local authentication process.
3. When the device identification of the user equipment is not found in the local Cache of the gateway device, cloud MAC authentication or Portal authentication is triggered. If cloud MAC authentication or Portal authentication fails, a Portal page is automatically displayed on the user equipment so that the user can perform manual Portal authentication.
With this Cache authentication mechanism, a single Portal authentication can be followed by many local authentications. The mechanism largely mitigates the cloud reliability problem and reduces the average authentication delay. For example, in a hotel, when the cloud fails, only newly arrived guests who have not yet used the hotel Wi-Fi are affected, while guests who have already used the Wi-Fi are not affected at all. In addition, the Cache authentication mechanism greatly relieves the load on the cloud authentication service. In typical practical deployments (for example, high-end hotels), local MAC authentication may account for 90% of authentications, that is, local Cache authentication keeps more than 90% of the authentication load away from the cloud.
The acquisition unit 603 acquires the area information of each valid request item when it is determined that one or more matching valid request items exist. When it is determined that no matching valid request item exists, the gateway device determines that the authentication result of the user equipment is a local authentication failure and returns a response message indicating the local authentication failure to the access device or access point. When the access device or access point receives the response message indicating the local authentication failure, it prompts the user equipment to perform cloud authentication. For example, the access device or access point forwards the response message indicating the local authentication failure to the user equipment so that the user equipment performs cloud authentication; the user may, for example, perform Portal authentication through the user equipment.
The user equipment then sends its device identification and identity information to the cloud server for cloud authentication (via the access device or gateway device, or directly). The device identification of the user equipment is, for example, a MAC address; the identity information is, for example, a mobile phone number, room number, membership number, etc. The cloud server performs cloud authentication on the user equipment according to the device identification and identity information, and when the cloud server determines that the authentication result of the user equipment is a cloud authentication success, the cloud server sends a response message indicating the cloud authentication success to the access device (possibly through the gateway device). The response message indicating the cloud authentication success comprises: identification information, identity information, area information, place information, authorization information and cache validity period. The identification information is, for example, a device identification of the user equipment such as a MAC address. The identity information is, for example, a mobile phone number, room number, membership number, etc. The area information is, for example, hotel lobby, hotel restaurant, hotel guest room, etc. The place information is, for example, hotel A and hotel B. The authorization information is, for example, a bandwidth level, a priority level, etc. The cache validity period is, for example, 5 days, 7 days, etc.; it indicates how long the valid request item is kept (its time to live) in the local cache. When the cache validity period expires, the valid request item is deleted from the local cache. The cache validity period may also be, for example, 1 day, 2 days or 5 days.
The access device generates a valid request item based on the identification information, identity information, area information, place information, authorization information and cache validity period in the response message indicating the cloud authentication success, and stores the valid request item in the local cache, as shown in Fig. 5. Fig. 5 is a diagram illustrating a local cache according to an embodiment of the present invention. The local Cache is located, for example, in the gateway device. The local Cache includes, for example, a plurality of cache areas, of which cache areas 501, 503 and 505 are used for storing other types of data. Cache area 502 is used to store invalid request items, that is, invalid MAC authentication information or records. The format of an invalid request item (invalid MAC authentication record) is, for example, <identification information, cache validity period>. Cache area 504 is used to store valid request items, that is, valid MAC authentication information or records. The format of a valid request item (valid MAC authentication record) is, for example, <identification information, identity information, area information, place information, authorization information, cache validity period>. After the access device receives the response message indicating the cloud authentication success, the access device allows the user equipment to access the service network.
The cloud server performs cloud authentication on the user equipment according to the device identification and identity information, and when it determines that the authentication result of the user equipment is a cloud authentication failure, it sends a response message indicating the cloud authentication failure to the access device. After receiving the response message indicating the cloud authentication failure, the access device denies the user equipment access to the service network and stores an invalid request item in an invalid cache area pre-established in the local cache. The gateway device records the authentication failure information in the Cache, where the authentication failure information, or invalid request item, includes the MAC address of the user equipment and a Cache validity period (for example, 30 minutes).
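The following is an added worked example, not code from the patent or its assignee, of the gateway-side local cache described in the invalid-authentication Cache steps and the Cache authentication steps above: invalid items <MAC, validity period> in one store, valid items <identification, identity, area, place, authorization, validity period> in another, lookups in the page's order (invalid first, then valid, then area match), and conversion of an invalid item into a valid one on cloud success. The TTL constants, the `FakeClock` helper, the MAC address and the identity values are constructed for the example; the page's own figures are 30 minutes for invalid items and 5 or 7 days for valid items.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed TTLs for the example (page: 30 minutes invalid, 5 or 7 days valid).
INVALID_TTL_SECONDS = 30 * 60
VALID_TTL_SECONDS = 7 * 24 * 3600


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping (constructed test aid)."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class ValidEntry:
    """Valid request item: <identification, identity, area, place, authorization, validity>."""
    identity: str        # e.g. room number or phone number
    area: str            # area information, e.g. "room", "lobby"
    place: str           # place information, e.g. "hotel A"
    authorization: str   # e.g. bandwidth or priority level
    expires_at: float    # absolute expiry derived from the cache validity period


@dataclass
class LocalAuthCache:
    """Gateway-side local cache: invalid items (cache area 502) and valid items (area 504)."""
    now: Callable[[], float] = time.time
    invalid: Dict[str, float] = field(default_factory=dict)            # MAC -> expiry
    valid: Dict[str, List[ValidEntry]] = field(default_factory=dict)  # MAC -> items

    def _purge_expired(self) -> None:
        # Expiry is enforced on every lookup, so a stale item can never grant access
        # even if no background sweeper has run yet.
        t = self.now()
        for mac in [m for m, exp in self.invalid.items() if exp <= t]:
            del self.invalid[mac]
        for mac in list(self.valid):
            self.valid[mac] = [e for e in self.valid[mac] if e.expires_at > t]
            if not self.valid[mac]:
                del self.valid[mac]

    def local_authenticate(self, mac: str, area: str) -> str:
        """Lookup order from the page: invalid items, then valid items, then area match.

        Returns "prohibited" (suppress further requests), "local_fail" (the access
        device should prompt cloud/Portal authentication) or "local_success".
        """
        self._purge_expired()
        if mac in self.invalid:
            return "prohibited"
        entries = self.valid.get(mac)
        if not entries:
            return "local_fail"
        if any(e.area == area for e in entries):
            return "local_success"
        return "local_fail"

    def record_cloud_failure(self, mac: str, ttl: float = INVALID_TTL_SECONDS) -> None:
        """Cloud authentication failed: store an invalid item <MAC, validity period>."""
        self.invalid[mac] = self.now() + ttl

    def record_cloud_success(self, mac: str, identity: str, area: str, place: str,
                             authorization: str, ttl: float = VALID_TTL_SECONDS) -> None:
        """Cloud authentication succeeded: drop any invalid item for this MAC (the page's
        conversion of an invalid item into a valid one) and store a valid item."""
        self.invalid.pop(mac, None)
        self.valid.setdefault(mac, []).append(
            ValidEntry(identity, area, place, authorization, self.now() + ttl))


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    cache = LocalAuthCache(now=clock)
    mac = "02:00:00:00:00:01"   # constructed MAC address
    print(cache.local_authenticate(mac, "room"))    # local_fail: cache empty
    cache.record_cloud_failure(mac)
    print(cache.local_authenticate(mac, "room"))    # prohibited: invalid item hit
    cache.record_cloud_success(mac, "room 1203", "room", "hotel A", "bandwidth:high")
    print(cache.local_authenticate(mac, "room"))    # local_success: valid item, area matches
    clock.t += VALID_TTL_SECONDS + 1
    print(cache.local_authenticate(mac, "room"))    # local_fail: valid item expired
```

Expiry is checked inside every lookup rather than only by a periodic sweep, so the cache's validity periods are a hard bound on how long a cached decision (positive or negative) can be replayed; the distinct "prohibited" result lets the access device suppress repeat requests without confusing them with a first-time miss that should go to the cloud.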
The invention provides in-site MAC authentication and public-area roaming in the following ways:
1. Orchestration of the Wi-Fi network deployment. Different VLANs are configured for different areas within a site. For example, within a hotel, three different VLANs (a hotel lobby VLAN, a hotel business/conference area VLAN and a guest room area VLAN) are configured for the hotel lobby, the hotel business/conference area and the guest room area.
2. Triggering MAC authentication when the access area changes. MAC authentication is triggered whenever a user equipment changes access area within a site (for example, moves from the guest room VLAN to the hotel lobby VLAN). The cloud server maintains, in the account record, the area attribute listing the VLANs the account may access. If the VLAN area the user equipment has moved into is within the permitted range, MAC authentication passes; otherwise Portal authentication or cloud authentication is triggered.
3. Setting a public roaming area. For sites that need a separately configured public roaming area (for example, a hotel lobby is a public roaming area in which all guests are allowed to use Wi-Fi), one or more ranges of public roaming areas can be set by VLAN, such as VLANs 1000 to 1015 (the public roaming areas can be configured locally on the gateway, or configured on the cloud server and then pushed down). When the user moves into a roaming area and MAC authentication is triggered, and the gateway device detects that a valid request item exists in the Cache and that the user is in a public roaming area VLAN, local MAC authentication passes directly and cloud MAC authentication is not triggered.
4. Cloud MAC authentication. When the user passes Portal authentication or cloud authentication on the user equipment, the cloud server generates a MAC authentication record (keyed by MAC address) with an expiry attribute and a permitted VLAN range, so that the cloud can quickly process cross-area MAC authentication within a site.
The authentication unit 604 determines that the authentication result of the user equipment is a local authentication success and returns a response message indicating the local authentication success when the area identifier of the current area of the user equipment matches the area information of any valid request item among the one or more valid request items. When the area identifier of the current area of the user equipment does not match the area information of any valid request item among the one or more valid request items, it determines that the authentication result of the user equipment is a local authentication failure and returns a response message indicating the local authentication failure.
The method and system also implement cross-site MAC roaming for user equipment. At sites sharing the same corporate or brand identity, such as multiple hotels or malls under the same group, a guest going from site A to site B would otherwise still need Portal authentication. To address this, the cloud authentication service can be configured for cross-site roaming, for example allowing free roaming among the hotels of a hotel group within 180 days. When a guest leaves hotel A and enters hotel B, because the guest was authenticated in hotel A and a MAC authentication record was generated, the guest's mobile device passes MAC authentication directly when connecting to the Wi-Fi in hotel B, without Portal authentication.
The local authentication request may also include a place identifier. Before the area information of each valid request item is obtained, the method further comprises: acquiring the place information of each valid request item; acquiring a plurality of place information sets from the local cache, each place information set comprising a plurality of place information entries; and when the place identifier of the user equipment and the place information of any valid request item among the one or more valid request items belong to the same place information set, determining that the authentication result of the user equipment is a local authentication success and returning a response message indicating the local authentication success.
When the place identifier of the user equipment and the place information of any valid request item among the one or more valid request items do not belong to the same place information set, the authentication result of the user equipment is determined to be a local authentication failure and a response message indicating the local authentication failure is returned. When the area identifier of the current area of the user equipment matches the identification information of a public area, the authentication result of the user equipment is determined to be a local authentication success and a response message indicating the local authentication success is returned.
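The following is an added worked example, not the patent's or its assignee's code, of the roaming decision that the VLAN orchestration steps, the cross-site roaming paragraph and the place-information-set paragraphs above describe together: the VLAN the device attached on is mapped to an area identifier, public roaming VLANs (the page's example range 1000 to 1015) pass directly, a valid item issued at another site in the same place information set passes (cross-site roaming), and otherwise the item's area must match the current area. The VLAN-to-area map, the place sets and the MAC address are constructed, and the reading of the page's three conditions as alternative grants, with the area check applied only to items issued at the current site, is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class ValidEntry:
    """The fields of a valid request item that the roaming decision needs."""
    mac: str
    area: str    # area information, e.g. "room"
    place: str   # place information, e.g. "hotel A"


# Constructed VLAN-to-area mapping for one site (the page's three hotel areas).
VLAN_AREA: Dict[int, str] = {10: "lobby", 20: "business", 30: "room"}

# Public roaming area VLANs; the page's example is VLANs 1000 to 1015.
PUBLIC_ROAMING_VLANS = range(1000, 1016)

# Constructed place information sets: each set is a group whose sites roam freely.
PLACE_SETS: List[FrozenSet[str]] = [frozenset({"hotel A", "hotel B"}), frozenset({"mall C"})]


def area_of_vlan(vlan: int, vlan_area: Dict[int, str] = VLAN_AREA) -> Optional[str]:
    """Map the VLAN the device attached on to the area identifier carried in the request."""
    return vlan_area.get(vlan)


def same_place_set(place_id: str, place: str, place_sets: Iterable[FrozenSet[str]]) -> bool:
    """True when the current place and the item's place belong to one place information set."""
    return any(place_id in s and place in s for s in place_sets)


def local_auth_decision(entries: List[ValidEntry], vlan: int, place_id: str,
                        place_sets: Iterable[FrozenSet[str]] = PLACE_SETS,
                        public_vlans: Iterable[int] = PUBLIC_ROAMING_VLANS,
                        vlan_area: Dict[int, str] = VLAN_AREA) -> str:
    """Decide local authentication for a device whose matching valid items are `entries`.

    Assumed interpretation of the page's three grants, any one of which suffices:
      1. the device is on a public roaming area VLAN;
      2. cross-site roaming: the item was issued at a different place in the same place set;
      3. in-site: the item was issued here and its area equals the area of the current VLAN.
    With no matching valid item the result is always local_fail (cloud/Portal is needed).
    """
    if not entries:
        return "local_fail"
    if vlan in public_vlans:
        return "local_success"
    current_area = area_of_vlan(vlan, vlan_area)
    for e in entries:
        if e.place != place_id and same_place_set(place_id, e.place, place_sets):
            return "local_success"
        if e.place == place_id and current_area is not None and e.area == current_area:
            return "local_success"
    return "local_fail"


if __name__ == "__main__":
    items = [ValidEntry("02:00:00:00:00:01", "room", "hotel A")]   # constructed
    print(local_auth_decision(items, 30, "hotel A"))     # local_success: same area, same site
    print(local_auth_decision(items, 20, "hotel A"))     # local_fail: business area not granted
    print(local_auth_decision(items, 1003, "hotel A"))   # local_success: public roaming VLAN
    print(local_auth_decision(items, 20, "hotel B"))     # local_success: cross-site roaming
    print(local_auth_decision(items, 20, "mall C"))      # local_fail: different place set
```

An unknown VLAN maps to no area and therefore never matches, so a misconfigured or unexpected VLAN fails closed to cloud authentication rather than being treated as a permitted area.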
The present application also implements validity detection of the cloud service. For example, the gateway device periodically checks the availability of the cloud authentication service: 1. When a link fault or a cloud infrastructure or service fault occurs and the gateway confirms that the cloud authentication service is unreachable, it can automatically switch to an authentication-exempt state, in which a guest can access the Internet simply by connecting to the Wi-Fi, so that the cloud fault does not affect the guest's Wi-Fi experience. 2. When the fault is recovered, the gateway automatically switches back to the normal authentication state.
When it is determined that the communication link with the cloud server is in a connection fault state or that the cloud server is in an operation fault state, the authentication result of the user equipment is determined to be an authentication-exempt state and a response message indicating the authentication-exempt state is returned. After the response message indicating the authentication-exempt state is returned, the network connection of the user equipment in the authentication-exempt state is set to a temporary connection state. When it is determined that the communication link with the cloud server has recovered from the network fault to a normal connection state, or that the cloud server has recovered from the fault state to a normal operation state, a timer of preset length is started, and local authentication is performed on the user equipment in the temporary connection state when the timer expires. In the present application, the temporary connection has a short validity period attribute (for example, 1 hour or 1.5 hours). The user equipment is required to re-authenticate after the validity period expires, rather than immediately upon fault recovery. This is done out of consideration for the user experience and reduces the probability that a temporarily connected user is suddenly interrupted and forced to re-authenticate while using the Internet.
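The following is an added worked example, not code from the patent or its assignee, of the cloud validity detection and authentication-exempt fallback just described: while the cloud is unreachable, authentication returns the authentication-exempt state and the session is recorded as a temporary connection with a short validity period; when the cloud recovers, a preset timer is started, and once it has expired the temporary connections whose validity period has ended are re-authenticated locally. The `RECOVERY_TIMER` length, the `FakeClock` helper and the stub `local_auth` function are constructed; the reading that the timer gates re-authentication while the validity period decides which sessions are due is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TEMP_CONNECTION_TTL = 3600.0   # page example: temporary connections are valid for 1 hour
RECOVERY_TIMER = 300.0         # constructed: preset timer length started when the cloud recovers


class FakeClock:
    """Injectable clock so the timers can be exercised without sleeping (constructed)."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class CloudHealthGate:
    """Wraps local authentication with the page's authentication-exempt fallback."""
    now: Callable[[], float]
    cloud_reachable: bool = True
    temp_connections: Dict[str, float] = field(default_factory=dict)  # MAC -> temp expiry
    recovery_deadline: Optional[float] = None

    def set_cloud_state(self, reachable: bool) -> None:
        """Called by the periodic validity check of the cloud authentication service."""
        if self.cloud_reachable and not reachable:
            self.cloud_reachable = False        # link or service fault: switch to exempt state
            self.recovery_deadline = None
        elif not self.cloud_reachable and reachable:
            self.cloud_reachable = True         # fault recovered: start the preset timer
            self.recovery_deadline = self.now() + RECOVERY_TIMER

    def authenticate(self, mac: str, local_auth: Callable[[str], str]) -> str:
        """Return "auth_exempt" while the cloud is down (recording a temporary connection),
        otherwise the normal local authentication result."""
        if not self.cloud_reachable:
            self.temp_connections[mac] = self.now() + TEMP_CONNECTION_TTL
            return "auth_exempt"
        return local_auth(mac)

    def tick(self, local_auth: Callable[[str], str]) -> Dict[str, str]:
        """Periodic task: after the recovery timer has expired, re-run local authentication
        for temporary connections whose validity period has ended. Returns MAC -> result."""
        t = self.now()
        if (not self.cloud_reachable or self.recovery_deadline is None
                or t < self.recovery_deadline):
            return {}
        due = [mac for mac, exp in self.temp_connections.items() if exp <= t]
        results: Dict[str, str] = {}
        for mac in due:
            del self.temp_connections[mac]
            results[mac] = local_auth(mac)   # "local_fail" -> access device prompts cloud auth
        return results


if __name__ == "__main__":
    clock = FakeClock(0.0)
    gate = CloudHealthGate(now=clock)

    # Constructed stand-in for the local cache lookup: only one MAC has a valid item.
    def local_auth(mac: str) -> str:
        return "local_success" if mac == "02:00:00:00:00:01" else "local_fail"

    gate.set_cloud_state(False)
    print(gate.authenticate("02:00:00:00:00:01", local_auth))   # auth_exempt
    print(gate.authenticate("02:00:00:00:00:02", local_auth))   # auth_exempt
    clock.t = 100.0
    gate.set_cloud_state(True)                                  # timer runs until 400.0
    clock.t = 3601.0
    print(gate.tick(local_auth))   # {'02:00:00:00:00:01': 'local_success', '02:00:00:00:00:02': 'local_fail'}
```

The fallback is a deliberate fail-open for availability, so the gate keeps an explicit record of every session admitted without authentication and bounds the exposure with the temporary validity period: each such session is re-verified against the local cache once the cloud is back and its period ends, and those without a valid item are pushed to cloud or Portal authentication.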
By adopting the above schemes and mechanisms, the invention realizes a highly reliable Wi-Fi authentication scheme that supports in-site and cross-site roaming. In a practical case, by applying the scheme of the invention, a single set of cloud authentication servers effectively supports more than 1600 Wi-Fi operating sites and more than 200,000 concurrent online users.
Fig. 7 is a schematic structural diagram of an authentication system 700 according to an embodiment of the present invention. The authentication system 700 includes a cloud server, gateway devices, access devices and user equipment. The access devices comprise access device 1, access device 2, … … and access device M. The user equipment comprises user equipment 1, user equipment 2, … … and user equipment N. The cloud server may communicate with the plurality of gateway devices and keep the valid request items and invalid request items in the local caches of the plurality of gateway devices consistent. For example, the same valid request items and invalid request items may be stored in the local cache of each gateway device to achieve global data unification.
The gateway device receives a local authentication request for authenticating user equipment 1 and parses it to obtain the device identifier of user equipment 1 and the area identifier of the current area included in the request. When access device 1 receives an access request from user equipment 1, or detects that user equipment 1 has entered the service area of access device 1, it obtains the device identifier of user equipment 1 and generates a local authentication request from the device identifier and the area identifier of the current area. Access device 1 then sends the local authentication request to the gateway device.
The gateway device compares the device identifier of user equipment 1 with the identification information of each invalid request item in its local cache and determines whether a matching invalid request item exists. When the gateway device determines that a matching invalid request item exists, it determines that the authentication result of user equipment 1 is a local authentication failure and returns, to access device 1 in the current area, a response message indicating that sending of local authentication requests associated with user equipment 1 is prohibited.
When the gateway device determines that no matching invalid request item exists, it compares the device identifier of user equipment 1 with the identification information of each valid request item in the local cache and determines whether one or more matching valid request items exist. When the gateway device determines that one or more matching valid request items exist, it acquires the area information of each valid request item. When the gateway device determines that no matching valid request item exists, it determines that the authentication result of user equipment 1 is a local authentication failure and returns a response message indicating the local authentication failure.
When the area identifier of the current area of user equipment 1 matches the area information of any valid request item among the one or more valid request items, the authentication result of user equipment 1 is determined to be a local authentication success and a response message indicating the local authentication success is returned. When the area identifier of the current area of user equipment 1 does not match the area information of any valid request item among the one or more valid request items, the authentication result of user equipment 1 is determined to be a local authentication failure and a response message indicating the local authentication failure is returned.
When access device 1 receives the response message indicating the local authentication failure, it prompts user equipment 1 to perform cloud authentication. User equipment 1 sends its device identification and identity information to the cloud server, for example via the gateway device, for cloud authentication. The cloud server performs cloud authentication on user equipment 1 according to the device identification and identity information; when it determines that the authentication result of user equipment 1 is a cloud authentication success, it sends a response message indicating the cloud authentication success to the gateway device, and the gateway device then instructs access device 1 to allow user equipment 1 to access the network. The response message indicating the cloud authentication success comprises: identification information, identity information, area information, place information, authorization information and cache validity period.
The gateway device generates a valid request item based on the identification information, identity information, area information, place information, authorization information and cache validity period in the response message indicating the cloud authentication success, and stores the valid request item in the local cache. After receiving the response message indicating the cloud authentication success, forwarded by the gateway device, access device 1 allows user equipment 1 to access the service network.
The cloud server performs cloud authentication on the user equipment according to the device identification and identity information, and when it determines that the authentication result of user equipment 1 is a cloud authentication failure, it sends a response message indicating the cloud authentication failure to access device 1. After receiving the response message indicating the cloud authentication failure, forwarded by the gateway device, access device 1 denies user equipment 1 access to the service network. The invalid request item includes identification information and a cache validity period.
The local authentication request also includes a place identifier. Before the area information of each valid request item is obtained, the method further comprises: acquiring the place information of each valid request item; acquiring a plurality of place information sets from the local cache, each place information set comprising a plurality of place information entries; and when the place identifier of user equipment 1 and the place information of any valid request item among the one or more valid request items belong to the same place information set, determining that the authentication result of the user equipment is a local authentication success and returning a response message indicating the local authentication success.
When the place identifier of user equipment 1 and the place information of any valid request item among the one or more valid request items do not belong to the same place information set, the authentication result of the user equipment is determined to be a local authentication failure and a response message indicating the local authentication failure is returned. When the area identifier of the current area of user equipment 1 matches the identification information of a public area, the authentication result of the user equipment is determined to be a local authentication success and a response message indicating the local authentication success is returned. When it is determined that the communication link with the cloud server is in a connection fault state or that the cloud server is in an operation fault state, the authentication result of user equipment 1 is determined to be an authentication-exempt state and a response message indicating the authentication-exempt state is returned. After the response message indicating the authentication-exempt state is returned, the network connection of the user equipment in the authentication-exempt state is set to a temporary connection state. When it is determined that the communication link with the cloud server has recovered from the network fault to a normal connection state, or that the cloud server has recovered from the fault state to a normal operation state, a timer of preset length is started, and local authentication is performed on the user equipment in the temporary connection state when the timer expires. In the present application, the temporary connection has a short validity period attribute (for example, 1 hour or 1.5 hours). The user equipment is required to re-authenticate after the validity period expires, rather than immediately upon fault recovery. This is done out of consideration for the user experience and reduces the probability that a temporarily connected user is suddenly interrupted and forced to re-authenticate while using the Internet.
The invention has been described with reference to a few embodiments. However, other embodiments of the invention than those disclosed above are equally possible within the scope of the appended patent claims, as is known to those skilled in the art.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the [device, component, etc.]" are to be interpreted openly as at least one instance of the device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein need not be performed in the exact order disclosed, unless explicitly stated.

Claims (10)

1. A method of authenticating a user equipment based on a local cache, the method comprising:
receiving a local authentication request for authenticating user equipment, and parsing the local authentication request to acquire a device identifier of the user equipment and an area identifier of a current area, which are included in the local authentication request;
comparing the device identifier of the user equipment with the identifier information of each invalid request item in the local cache to determine whether a matched invalid request item exists;
when the matched invalid request item does not exist, comparing the equipment identification of the user equipment with the identification information of each valid request item in the local cache, and determining whether one or more matched valid request items exist;
when one or more matched effective request items exist, acquiring the area information of each effective request item; and
when the area identification of the current area of the user equipment is matched with the area information of any effective request item in one or more effective request items, determining that the authentication result of the user equipment is successful in local authentication and returning a response message for indicating that the local authentication is successful;
before obtaining the area information of each valid request item, the method further comprises the following steps:
acquiring the place information of each effective request item;
acquiring a plurality of place information sets in the local cache, wherein each place information set comprises a plurality of place information;
when the place identification of the user equipment and the place information of any effective request item in one or more effective request items belong to the same place information set, determining that the authentication result of the user equipment is successful in local authentication and returning a response message for indicating that the local authentication is successful;
when the place identification of the user equipment and the place information of any effective request item in one or more effective request items do not belong to the same place information set, determining that the authentication result of the user equipment is a local authentication failure and returning a response message for indicating the local authentication failure;
when the area identification of the current area of the user equipment is matched with the identification information of the public area, determining that the authentication result of the user equipment is successful in local authentication and returning a response message for indicating that the local authentication is successful;
when the communication link with the cloud server is determined to be in a connection fault state or the cloud server is determined to be in an operation fault state, determining that the authentication result of the user equipment is in an authentication-free state and returning a response message for indicating the authentication-free state;
after returning the response message for indicating the authentication-exempt state, setting the network connection of the user equipment in the authentication-exempt state to a temporary connection state;
and when the communication link with the cloud server is determined to be recovered to a normal connection state from the network failure or the cloud server is determined to be recovered to a normal operation state from the failure state, starting a timer with a preset time length, and performing local authentication on the user equipment in the temporary connection state when the timer expires.
2. The method of claim 1, wherein, when an access request is received from the user equipment or the user equipment is detected entering a service area of the access device, the device identifier of the user equipment is obtained and the local authentication request is generated according to the device identifier and the area identifier of the current area.
3. The method of claim 1, wherein, when it is determined that a matching invalid request item exists, the authentication result of the user equipment is determined to be a local authentication failure, and a response message indicating that sending of local authentication requests associated with the user equipment is prohibited is returned to the access device of the current area.
4. The method of claim 1, wherein, when it is determined that no matching valid request item exists, the authentication result of the user equipment is determined to be a local authentication failure and a response message indicating the local authentication failure is returned.
5. The method of claim 1, wherein, when the area identifier of the current area of the user equipment does not match the area information of any valid request item among the one or more valid request items, the authentication result of the user equipment is determined to be a local authentication failure and a response message indicating the local authentication failure is returned.
6. A system for authenticating a user equipment based on a local cache, the system comprising:
a parsing unit, configured to receive a local authentication request for authenticating the user equipment and to parse the local authentication request to obtain the equipment identifier of the user equipment and the area identifier of the current area carried in the request;
a comparison unit, configured to compare the equipment identifier of the user equipment with the identifier information of each invalid request item in the local cache to determine whether a matching invalid request item exists, and, when no matching invalid request item exists, to compare the equipment identifier of the user equipment with the identifier information of each valid request item in the local cache to determine whether one or more matching valid request items exist;
an acquisition unit, configured to acquire the area information of each matching valid request item when it is determined that one or more matching valid request items exist; and
an authentication unit, configured to determine that the authentication result of the user equipment is a local authentication success and to return a response message indicating the local authentication success when the area identifier of the current area of the user equipment matches the area information of any of the one or more valid request items;
wherein the authentication unit further acquires the place information of each matching valid request item;
acquires a plurality of place information sets from the local cache, each place information set comprising a plurality of place information entries;
when the place identifier of the user equipment and the place information of any of the one or more valid request items belong to the same place information set, determines that the authentication result of the user equipment is a local authentication success and returns a response message indicating the local authentication success;
when the place identifier of the user equipment does not belong to the same place information set as the place information of any of the one or more valid request items, determines that the authentication result of the user equipment is a local authentication failure and returns a response message indicating the local authentication failure;
when the area identifier of the current area of the user equipment matches the identifier information of a public area, determines that the authentication result of the user equipment is a local authentication success and returns a response message indicating the local authentication success;
when the communication link to the cloud server is determined to be in a connection fault state, or the cloud server is determined to be in an operation fault state, determines that the authentication result of the user equipment is an authentication-free state and returns a response message indicating the authentication-free state;
a processing unit, configured to set the network connection of a user equipment in the authentication-free state to a temporary connection state;
wherein, when the communication link to the cloud server is determined to have recovered from the network fault to a normal connection state, or the cloud server is determined to have recovered from the fault state to a normal operation state, the processing unit starts a timer of a preset duration and, when the timer expires, performs local authentication on the user equipment in the temporary connection state.
7. The system of claim 6, further comprising a processing unit configured to, upon receiving an access request from the user equipment or upon detecting that the user equipment has entered the service area of an access device, obtain the device identifier of the user equipment and generate the local authentication request from the device identifier and the area identifier of the current area.
8. The system of claim 6, wherein, when it is determined that a matching invalid request item exists, the authentication unit determines that the authentication result of the user equipment is a local authentication failure and returns, to the access equipment of the current area, a response message indicating that transmission of local authentication requests associated with the user equipment is prohibited.
9. The system of claim 6, wherein, when it is determined that no matching valid request item exists, the authentication unit determines that the authentication result of the user equipment is a local authentication failure and returns a response message indicating the local authentication failure.
10. The system of claim 6, wherein, when the area identifier of the current area of the user equipment does not match the area information of any of the one or more valid request items, the authentication unit determines that the authentication result of the user equipment is a local authentication failure and returns a response message indicating the local authentication failure.
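The decision procedure of claim 6 (blocklist, allowlist by device identifier, area match, place-set match, public area, and the authentication-free branch with timer-driven re-authentication after the cloud recovers), written out as a runnable Python example. This is an added illustration and not code from the patent or its assignee; the wire format of the request, the order in which the checks are applied, the layout of the cache and every identifier in the sample data are assumptions made for the example.

```python
# Added illustration of the local-cache decision in claim 6; not the patent's or assignee's code.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class Result(Enum):
    SUCCESS = "local authentication success"
    FAILURE = "local authentication failure"
    PROHIBIT = "failure; access equipment told to stop forwarding this device's requests"
    AUTH_FREE = "authentication-free state (cloud server unreachable)"

@dataclass(frozen=True)
class RequestItem:
    device_id: str
    area: str   # area information of the cached item
    place: str  # place information of the cached item

@dataclass
class LocalCache:
    invalid: dict[str, RequestItem]       # invalid request items (blocklist) by device identifier
    valid: dict[str, list[RequestItem]]   # valid request items (allowlist); several per device allowed
    place_sets: list[frozenset[str]]      # place information sets: places treated as equivalent
    public_areas: frozenset[str]

@dataclass
class CloudStatus:
    link_up: bool     # communication link to the cloud server
    service_up: bool  # cloud server operating normally

def parse_request(raw: str) -> tuple[str, str, str]:
    """Assumed wire format 'device_id;area_id;place_id'; the patent does not fix one."""
    parts = raw.split(";")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed local authentication request")
    return parts[0], parts[1], parts[2]

def same_place_set(cache: LocalCache, a: str, b: str) -> bool:
    return any(a in s and b in s for s in cache.place_sets)

def authenticate(cache: LocalCache, cloud: CloudStatus, raw: str) -> Result:
    device_id, area_id, place_id = parse_request(raw)
    # Ordering is this example's choice: the blocklist is checked first and still applies
    # when the cloud is down, so an outage cannot re-admit a revoked device.
    if device_id in cache.invalid:
        return Result.PROHIBIT
    if area_id in cache.public_areas:
        return Result.SUCCESS
    items = cache.valid.get(device_id, [])
    if any(item.area == area_id for item in items):
        return Result.SUCCESS
    if any(same_place_set(cache, place_id, item.place) for item in items):
        return Result.SUCCESS
    # Cache cannot admit the device: local failure if the cloud can still be asked,
    # otherwise the claimed design fails open into the authentication-free state.
    if not (cloud.link_up and cloud.service_up):
        return Result.AUTH_FREE
    return Result.FAILURE

@dataclass
class TemporaryConnections:
    """Devices admitted in the authentication-free state; re-authenticated after recovery."""
    reauth_delay: float                             # preset timer duration, seconds
    pending: set[str] = field(default_factory=set)
    deadline: float | None = None

    def admit(self, device_id: str) -> None:
        self.pending.add(device_id)

    def on_cloud_recovered(self, now: float) -> None:
        # Start the preset timer once the link or the server is back.
        if self.pending and self.deadline is None:
            self.deadline = now + self.reauth_delay

    def due_for_reauth(self, now: float) -> set[str]:
        # On expiry, hand every temporarily connected device back for local authentication.
        if self.deadline is None or now < self.deadline:
            return set()
        due, self.pending, self.deadline = set(self.pending), set(), None
        return due

def build_demo_cache() -> LocalCache:
    """Constructed sample cache; identifiers are made up for the example."""
    return LocalCache(
        invalid={"dev-bad": RequestItem("dev-bad", "A1", "floor-1")},
        valid={"dev-1": [RequestItem("dev-1", "A1", "floor-1")]},
        place_sets=[frozenset({"floor-1", "floor-2"}), frozenset({"lobby", "cafe"})],
        public_areas=frozenset({"PUB"}),
    )

def run_demo() -> dict[str, Result]:
    cache, up, down = build_demo_cache(), CloudStatus(True, True), CloudStatus(False, True)
    return {
        "blocklisted": authenticate(cache, up, "dev-bad;A1;floor-1"),
        "area match": authenticate(cache, up, "dev-1;A1;floor-1"),
        "place set match": authenticate(cache, up, "dev-1;A9;floor-2"),
        "wrong place": authenticate(cache, up, "dev-1;A9;cafe"),
        "public area": authenticate(cache, up, "dev-unknown;PUB;roof"),
        "unknown, cloud up": authenticate(cache, up, "dev-unknown;A1;floor-1"),
        "unknown, cloud down": authenticate(cache, down, "dev-unknown;A1;floor-1"),
        "blocklisted, cloud down": authenticate(cache, down, "dev-bad;A1;floor-1"),
    }
```

The check order is the security-relevant design choice here: the invalid-item (blocklist) lookup runs before every other branch, including the cloud-fault branch, so a device the cloud has revoked is not re-admitted by an outage. The authentication-free branch is a fail-open decision; the temporary connection state and the re-authentication the processing unit triggers when the timer expires are the compensating control the claim provides, and in a deployment the network reach granted to a temporary connection should be narrower than that of a locally authenticated one.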

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010296973.XA CN112422490B (en) 2020-04-15 2020-04-15 Method and system for authenticating user equipment based on local cache

Publications (2)

Publication Number Publication Date
CN112422490A CN112422490A (en) 2021-02-26
CN112422490B true CN112422490B (en) 2022-07-01

Family

ID=74844085

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010296973.XA Active CN112422490B (en) 2020-04-15 2020-04-15 Method and system for authenticating user equipment based on local cache

Country Status (1)

Country Link
CN (1) CN112422490B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127659A (en) * 2007-09-06 2008-02-20 ZTE Corporation Method for controlling online mobile terminal via user authentication in WiMAX system
WO2016188256A1 (en) * 2016-01-25 2016-12-01 ZTE Corporation Application access authentication method, system, apparatus and terminal
CN107484164A (en) * 2016-06-08 2017-12-15 ZTE Corporation Permission management method, microwave communication device and authentication server
CN107659542A (en) * 2016-07-26 2018-02-02 Alibaba Group Holding Limited Authentication method and server
CN108173850A (en) * 2017-12-28 2018-06-15 Hangzhou Qulian Technology Co., Ltd. Identity authentication system and identity authentication method based on blockchain smart contracts
CN109510802A (en) * 2017-09-15 2019-03-22 Huawei Technologies Co., Ltd. Authentication method, apparatus and system

Also Published As

Publication number Publication date
CN112422490A (en) 2021-02-26

Similar Documents

Publication Publication Date Title
US11336652B2 (en) Service controller at first establishment updating central user profile server to associate device identifier of user device with user identifier to facilitate automatic network service activation for the user device at second establishment
US7050797B2 (en) Remote control system in mobile communication terminal and method thereof
JP4880699B2 (en) Method, system, and apparatus for protecting a service account
US9197639B2 (en) Method for sharing data of device in M2M communication and system therefor
CN101262500B (en) Method, access controller and WEB authentication server for pushing login page
CN103619019B (en) Network access authentication method for wireless network
US20140068721A1 (en) Allowing guest of hospitality establishment to utilize multiple guest devices to access network service
CN109361642B (en) Remote authorization unlocking method and system
CN109413649B (en) Access authentication method and device
CN104735078B (en) A kind of Portal access authentication system and method
US10356707B2 (en) Wireless local area network connection method, mobile terminal, and storage medium
WO2008121576A4 (en) Methods and system for terminal authentication using a terminal hardware indentifier
CN105792206A (en) Portal authentication method, Portal authentication device and Portal authentication system based on signal strength
CN106686592B (en) Network access method and system with authentication
CN113841429B (en) Communication network component and method for initiating slice specific authentication and authorization
CN112422490B (en) Method and system for authenticating user equipment based on local cache
KR101916342B1 (en) System and Method for Location based Marketing Information Service Using the AP
CN112383500A (en) Method and system for controlling access request related to screen projection equipment
WO2009153402A1 (en) Method, arrangement and computer program for authentication data management
EP2922318B1 (en) Method and device for internet protocol multimedia subsystem terminal to access network
CN106535189B (en) Network access control information configuration method and device and exit gateway
CN110611909B (en) Identity recognition method and system based on mobile terminal
KR100645296B1 (en) Method of changing the mobile identification number
WO2020120159A1 (en) Method and system for delivering dedicated services restricted to a predefined service area
CN114465785B (en) Server login management method, system, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant