CN114944927A - Portal authentication-based client-side-free mutual exclusion access platform - Google Patents


Info

Publication number: CN114944927A
Authority: CN (China)
Application number: CN202210267422.XA
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN114944927B (en)
Inventors: 钱锦, 徐汉麟, 徐李冰, 倪夏冰, 李强强, 徐晓华, 杜猛俊, 向新宇, 陈元中, 杨谊, 周昕悦, 卢科帆
Current assignee: Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original assignee: Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 ... for authentication of entities
                • H04L63/083 ... for authentication of entities using passwords
                • H04L63/0876 ... for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        • H04L12/00 Data switching networks > H04L12/02 Details > H04L12/14 Charging, metering or billing arrangements for data wireline or wireless communications > H04L12/1403 Architecture for metering, charging or billing
        • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
            • Y02D30/00 Reducing energy consumption in communication networks > Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a client-side-free mutual exclusion access platform based on Portal authentication. It comprises a Portal client, a network controller, a Portal server, an AAA server, a RADIUS server and a device fingerprint memory, with the Portal client connected to the network controller. The network controller acquires the identity information of the access user and opens the user's network access authority; the Portal client is used to enter the identity authentication information of the access user; the Portal server receives the identity verification request of the access user from the Portal client and provides free Portal service and a Web-based identity verification interface; the AAA server interacts with the network controller to complete user authentication, charging and authorization; the RADIUS server performs identity authentication on the identity authentication information of the access user's terminal device; the device fingerprint memory stores the device fingerprint information used for identity authentication of the handheld terminal device. The scheme monitors the networked handheld terminal on the basis of various charging modes and access rights, and customizes more intelligent and personalized network services.

Description

Portal authentication-based client-side-free mutual exclusion access platform
Technical Field
The invention relates to the technical field of network security authentication, in particular to a client-side-free mutual exclusion access platform based on Portal authentication.
Background
In industries such as government, enterprise and healthcare, several securely and physically isolated networks, such as an intranet and an extranet, often coexist for security reasons: an e-government extranet and the Internet, an inspection work network and the Internet, a tax private network and the Internet, an enterprise R&D intranet and the Internet, and so on. This separation meets the high security requirements of multi-network users for office access.
In a traditional scenario with several securely and physically isolated networks, such as an internal and an external network, if an intranet terminal later needs to access the Internet as requirements change, the configuration of network devices (switches and the like) must be adjusted, and the physical location of the terminal may even have to be changed in order to turn the intranet terminal into an extranet terminal; if a user needs to access the intranet and the Internet at the same time, two terminals, an intranet terminal and an extranet terminal, have to be provided.
With the development of the mobile Internet, the Internet of Things and the like, the network access requirements of users and IoT terminals are no longer as simple as before: a hospital charging system, for example, needs to access medical billing information on an intranet server and also needs Internet access to support mobile payment. Network boundaries are increasingly blurred. In the traditional scenario of multiple securely and physically isolated networks, not only are more network devices consumed to build the separate physical networks, but implementation is also very complex, and the requirements of users in such scenarios cannot be met. A technology that integrates multiple networks and makes switching between them easy is urgently needed, one that sets up different network channels according to user identity and user access requirements so that network access is not interfered with.
Portal authentication is also commonly referred to as Web authentication, and Portal authentication websites are commonly referred to as portals. The method provides a simpler user authentication approach that is easier for users than other authentication methods. It has two major characteristics:
1. Client-free: authentication can be provided to the user with nothing more than a web browser (such as IE); no dedicated client or dial-up program has to be installed. Being client-free is a basic requirement for public network nodes such as hotels and guesthouses.
2. New service bearer: by using the Portal function of Portal authentication, an operator can place cell broadcasts, advertisements, information queries, online shopping and other services on the Portal page, and users necessarily see this information when they go online.
The basic mode of Portal authentication is that an authentication window is placed at a prominent position on the Portal page; after starting up and obtaining an IP address, the user logs in on the Portal authentication page to authenticate, and the Internet can be accessed once authentication passes.
Terminal access technology based on identity authentication in practice uses portal authentication technology. Its advantages are that no authentication client needs to be installed, client maintenance work is reduced, operation is convenient, service expansion can be developed on the Portal page, and the technology is mature; it is widely used in networks such as those of electric power companies, operators and schools. Portal authentication does not encrypt the network access stage, but when a user accesses the network the user is required to enter a user name and a password, and the Internet can be accessed after authentication succeeds. Portal authentication has obvious characteristics: no dedicated client is needed and a browser is enough, so it can also be used on mobile phones and similar terminals. Its disadvantages are just as obvious: for different terminal users the networking cost is high, user connectivity is poor, and it is not easy to detect that a user has gone offline, so time-based charging is difficult to implement; the IP address is allocated before user authentication, so if the user does not actually go online the address is wasted; and supporting multiple ISPs is inconvenient.
Disclosure of Invention
The invention aims to design a client-side-free mutual exclusion access platform based on Portal authentication: without installing clients of various forms on the handheld terminal, the user identity can be authenticated through a Portal website, the ID of the access user and the MAC address of the handheld terminal are bound automatically, and, based on various charging modes and access authorities, the networked handheld terminal can be monitored and verified according to different user identities and network requirements, so that more intelligent and personalized network services can be customized.
To achieve this technical purpose, the invention provides the following technical scheme: a client-side-free mutual exclusion access platform based on Portal authentication comprises a Portal client, a network controller, a Portal server, an AAA server, a RADIUS server and a device fingerprint memory;
the network controller is used as an access port of the user equipment and is used for acquiring the identity information of an access user and opening the network access right of the user;
the Portal client serves as a browser carrier running HTTP (hypertext transfer protocol) and is used for entering the identity authentication information of the access user; the Portal server receives the authentication request of the access user from the Portal client, provides free Portal service and a Web-based authentication interface, and interacts with the handheld terminal device of the access user to acquire the device fingerprint information of the handheld terminal device;
the AAA server interacts with the network controller to complete user identity authentication, charging and authorization;
the RADIUS server stores an account number and a password of the access user terminal equipment and performs authentication on authentication information of the access user terminal equipment;
the device fingerprint memory stores device fingerprint information used for identity authentication of the handheld terminal device.
Preferably, the access user acquires network access rights for the first time through the following steps:
S1. The handheld terminal device connects to the network controller and then sends a network request to the portal server;
S2. The portal server returns the web page link of the portal client and initiates a user identity request;
S3. The access user enters the account and password through the portal client displayed on the handheld terminal device and submits a connection request; the account comprises a domain user name and a password;
S4. The network controller sends the obtained account and password to the RADIUS server for verification and matching; if the match succeeds, S5 is executed; if it fails, an abnormality prompt is returned to the portal client;
S5. The network controller reports the successful identity authentication of the access user to the portal server;
S6. The portal server authorizes the access user's network connection request and instructs the network controller to open the network and allocate an IP address according to the authority granted by the AAA server; the network controller binds the user identity to a VRF, and the successful identity confirmation result is returned to the portal client.
Preferably, in S6, the method for the network controller to open the network according to the authority of the AAA server includes the steps of: the AAA server acquires an account number of an access user and opens corresponding authority according to the limiting condition of the corresponding account number;
the limiting conditions include network connection duration, network data flow size and speed, and network access domain.
Preferably, when the handheld terminal accesses the network for the first time, the automatic entry and archiving of the device fingerprint information is completed through the following steps:
after the handheld terminal has connected to the network through the network controller, the AAA server monitors it in real time according to the limiting conditions corresponding to the IP address;
when the corresponding IP address touches any one of the limiting conditions, the AAA server interacts with the portal server, and the portal server sends a network service interruption instruction to the network controller;
the portal server queries whether fingerprint information of the handheld device exists in the device fingerprint memory; if so, the corresponding authority prompt information is returned to the portal client; if not, the access user sends an authentication request again with the account and password;
the network controller acquires the MAC address of the handheld terminal, sends a storage bit expansion request to the device fingerprint memory, binds the MAC address to the IP address, and then writes the binding result to the expansion position.
Preferably, the user's second network connection request comprises the following steps:
if the authority prompt information has not been released, continue waiting, or cancel the agreement as the limiting condition dictates and proceed;
if the authority prompt information has been released, the network controller establishes the network connection according to the IP address of the handheld terminal;
the AAA server returns the limiting conditions corresponding to the IP address to the portal server, and the portal server retrieves the fingerprint information from the device fingerprint memory; authority verification is performed by matching the IP address with the MAC address; if the MAC address matches the IP address, network communication is unlimited and the traffic is forwarded over a dedicated channel through the routing table in the VRF; if the MAC address does not match the IP address, the network is monitored according to the limiting conditions of the original IP address.
Preferably, if the MAC address does not match the IP address, this indicates an abnormal user and the user identity information must be verified again; after the user identity information is verified successfully, the new MAC address is bound to the IP address, the binding is written to the storage bit of the original IP address, and the new MAC address serves as standby fingerprint information for the original MAC address.
Preferably, storage bit expansion follows this principle:
if a user logs in with the same user information from different handheld terminals, the corresponding IP address is bound to the MAC addresses of the new handheld terminals, and the several MAC addresses form a MAC address pool; a threshold H is set for the user's MAC address pool according to the user's authority, H MAC addresses are retained according to their use frequency per unit time, and the remaining MAC addresses are unbound from the IP address; when an unbound MAC address or a new MAC address accesses the network controller again, the user identity must be verified separately and a MAC address use log is generated, so that the MAC address pool can be updated according to use frequency.
The invention has the beneficial effects that: the invention designs a client-side-free mutual exclusion access platform based on Portal authentication, without installing clients in various forms on a handheld terminal, the user identity can be authenticated through a Portal website, the ID of the access user and the MAC address of the handheld terminal are automatically bound, and the networked handheld terminal is monitored based on various charging modes and access permissions, so that more intelligent and personalized network services are customized.
Drawings
Fig. 1 is a schematic diagram of the structure of the Portal authentication-based client-side-free mutual exclusion access platform according to the present invention.
Fig. 2 is a flowchart of an access user obtaining network access rights for the first time according to the present invention.
Reference numerals in the figures: 1 handheld terminal; 2 Portal client; 3 network controller; 4 Portal server; 5 AAA server; 6 RADIUS server; 7 device fingerprint memory.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail with reference to the accompanying drawings and examples, it is to be understood that the specific embodiment described herein is only a preferred embodiment of the present invention, and is used for illustration only and not for limiting the scope of the present invention, and that all other embodiments obtained by a person of ordinary skill in the art without making any creative efforts shall fall within the scope of the present invention.
Example:
As shown in Fig. 1, the Portal authentication-based client-side-free mutual exclusion access platform comprises a Portal client 2, a network controller 3, a Portal server 4, an AAA server 5, a RADIUS server 6 and a device fingerprint memory 7;
the network controller is used as an access port of the user equipment and is used for acquiring the identity information of an access user and opening the network access right of the user;
the Portal client serves as a browser carrier running HTTP (hypertext transfer protocol) and is used for entering the identity authentication information of the access user; the Portal server receives the identity authentication request of the access user from the Portal client, provides free Portal service and a Web-based identity authentication interface, and interacts with the handheld terminal 1 of the access user to acquire the device fingerprint information of the handheld terminal device;
the AAA server interacts with the network controller to complete user authentication, charging and authorization;
the RADIUS server stores an account number and a password of the access user terminal equipment and performs authentication on authentication information of the access user terminal equipment;
the device fingerprint memory stores device fingerprint information used for identity authentication of the handheld terminal device.
As shown in Fig. 2, the access user acquires network access rights for the first time through the following steps:
S1. The handheld terminal device connects to the network controller and then sends a network request to the portal server;
S2. The portal server returns the web page link of the portal client and initiates a user identity request;
S3. The access user enters the account and password and submits the connection request through the portal client displayed on the handheld terminal device; the account comprises a domain user name and a password;
S4. The network controller sends the obtained account and password to the RADIUS server for verification and matching; if the match succeeds, S5 is executed; if it fails, an abnormality prompt is returned to the portal client so that the user identity is authenticated again;
S5. The network controller reports the successful identity authentication of the access user to the portal server;
S6. The portal server authorizes the access user's network connection request and instructs the network controller to open the network and allocate an IP address according to the authority granted by the AAA server; the network controller binds the user identity to a VRF, and the successful identity confirmation result is returned to the portal client.
In S6, the network controller opening the network according to the authority of the AAA server includes the steps of: the AAA server acquires an account number of an access user and opens corresponding authority according to the limiting condition of the corresponding account number;
the limiting conditions include network connection duration, network data flow size and speed, and network access domain.
The network controller may be configured as follows:
on the network controller, the association between an authentication domain and a VRF (Virtual Routing and Forwarding instance) is realized by configuring the domain name, the VRF and network isolation. A specific embodiment: the user identity entered on the handheld terminal consists of a user name plus a domain name, for example zhangsan@inner; if the user authenticates successfully, the user is bound to VRF1 and all of the user's traffic is forwarded in the routing table of VRF1; if the user logs out of the current authentication and authenticates with the identity zhangsan@outer, the user is bound to VRF2 and all of the user's traffic is forwarded in the routing table of VRF2.
When the handheld terminal accesses the network for the first time, the automatic entry and archiving of the device fingerprint information is completed through the following steps: after the handheld terminal has connected to the network through the network controller, the AAA server monitors it in real time according to the limiting conditions corresponding to the IP address;
when the corresponding IP address touches any one of the limiting conditions, the AAA server interacts with the portal server, and the portal server sends a network service interruption instruction to the network controller; likewise, when the AAA server detects that there has been no data flow between the handheld terminal and the network controller within the time T, the portal server sends a network service interruption instruction to the network controller;
the portal server queries whether fingerprint information of the handheld device exists in the device fingerprint memory; if so, the corresponding authority prompt information is returned to the portal client; if not, the access user sends an authentication request again with the account and password;
the network controller acquires the MAC address of the handheld terminal, sends a storage bit expansion request to the device fingerprint memory, binds the MAC address to the IP address, and then writes the binding result to the expansion position.
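The domain-to-VRF binding and the AAA server's real-time monitoring of the limiting conditions (connection duration, flow size, speed, access domain, plus the no-traffic timeout T) as an added example; this is illustrative code written for this page, not the patent's implementation. The domain names, VRF names, IP addresses and flow records are constructed, and the check order is an assumption.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

# Hypothetical mapping from authentication domain to VRF, following the
# zhangsan@inner -> VRF1 / zhangsan@outer -> VRF2 example in the text.
DOMAIN_VRF = {"inner": "VRF1", "outer": "VRF2"}


@dataclass(frozen=True)
class Limits:
    """Limiting conditions the AAA server attaches to an account."""
    max_duration_s: int            # network connection duration
    max_bytes: int                 # network data flow size
    max_rate_bps: float            # network data flow speed
    allowed_domains: frozenset     # network access domain(s)


@dataclass(frozen=True)
class Flow:
    """One constructed flow record as seen at the network controller."""
    ts: float          # start of the flow (seconds)
    duration_s: float
    nbytes: int
    dst_domain: str    # domain the traffic was destined for


@dataclass
class Session:
    ip: str
    vrf: str
    limits: Limits
    start_ts: float
    total_bytes: int = 0
    last_activity_ts: float = field(init=False)

    def __post_init__(self):
        self.last_activity_ts = self.start_ts


def vrf_for_identity(identity: str, domain_vrf=DOMAIN_VRF) -> str:
    """Split 'user@domain' and pick the VRF bound to that authentication domain."""
    user, sep, domain = identity.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("identity must have the form user@domain")
    if domain not in domain_vrf:
        raise ValueError(f"unknown authentication domain: {domain}")
    return domain_vrf[domain]


def monitor(session: Session, flows: Iterable[Flow], now: float,
            idle_timeout_s: float) -> Optional[Tuple[str, float]]:
    """Replay flows in time order; return (reason, ts) for the first limiting
    condition that is touched, or for no data flow within time T, else None."""
    lim = session.limits
    for f in sorted(flows, key=lambda x: x.ts):
        # No data flow for longer than T before this flow started: interrupt.
        if f.ts - session.last_activity_ts > idle_timeout_s:
            return ("idle", session.last_activity_ts + idle_timeout_s)
        end = f.ts + f.duration_s
        session.last_activity_ts = end
        session.total_bytes += f.nbytes
        if f.dst_domain not in lim.allowed_domains:
            return ("domain", f.ts)
        if f.duration_s > 0 and f.nbytes * 8 / f.duration_s > lim.max_rate_bps:
            return ("speed", f.ts)
        if session.total_bytes > lim.max_bytes:
            return ("flow_size", end)
        if end - session.start_ts > lim.max_duration_s:
            return ("duration", session.start_ts + lim.max_duration_s)
    if now - session.last_activity_ts > idle_timeout_s:
        return ("idle", session.last_activity_ts + idle_timeout_s)
    return None


def demo_speed_limit():
    """Constructed session whose second flow exceeds the speed limit."""
    limits = Limits(max_duration_s=3600, max_bytes=50_000_000,
                    max_rate_bps=20_000_000, allowed_domains=frozenset({"inner"}))
    s = Session(ip="10.1.2.3", vrf=vrf_for_identity("zhangsan@inner"),
                limits=limits, start_ts=0)
    flows = [
        Flow(ts=10, duration_s=5, nbytes=1_000_000, dst_domain="inner"),    # 1.6 Mbit/s
        Flow(ts=100, duration_s=2, nbytes=10_000_000, dst_domain="inner"),  # 40 Mbit/s
        Flow(ts=200, duration_s=1, nbytes=100, dst_domain="outer"),
    ]
    return monitor(s, flows, now=300, idle_timeout_s=600)


def demo_idle_timeout():
    """Constructed session that goes silent for longer than T = 600 s."""
    limits = Limits(3600, 50_000_000, 20_000_000, frozenset({"outer"}))
    s = Session("10.1.2.4", vrf_for_identity("zhangsan@outer"), limits, start_ts=0)
    flows = [Flow(ts=10, duration_s=5, nbytes=1000, dst_domain="outer")]
    return monitor(s, flows, now=1000, idle_timeout_s=600)


if __name__ == "__main__":
    print(demo_speed_limit())   # ('speed', 100)
    print(demo_idle_timeout())  # ('idle', 615)
```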
Storage bit expansion follows this principle:
if a user logs in with the same user information from different handheld terminals, the corresponding IP address is bound to the MAC addresses of the new handheld terminals, and the several MAC addresses form a MAC address pool; a threshold H is set for the user's MAC address pool according to the user's authority, H MAC addresses are retained according to their use frequency per unit time, and the remaining MAC addresses are unbound from the IP address; when an unbound MAC address or a new MAC address accesses the network controller again, the user identity must be verified separately and a MAC address use log is generated, so that the MAC address pool can be updated according to use frequency.
A specific example: suppose the MAC address pool that a certain user has accumulated in daily use contains the MAC addresses (a1, a2, a3, a4, a5), the user's authority is that of a general user, and the number of MAC addresses allowed by that authority is 3. The MAC addresses are sorted by use frequency per unit time, for example by use frequency over one month: a1 > a2 > a3 > a4 > a5. The expansion bit then stores the MAC addresses (a1, a2, a3), and a4 and a5 are unbound; when a4 or a5 accesses the network controller again, the user identity must be verified and a use log is generated, so that the MAC address pool can be updated according to use frequency.
The user's second network connection request comprises the following steps:
if the authority prompt information has not been released, continue waiting, or cancel the agreement as the limiting condition dictates and proceed;
if the authority prompt information has been released, the network controller establishes the network connection according to the IP address of the handheld terminal;
the AAA server returns the limiting condition corresponding to the IP address to the portal server, and the portal server retrieves the fingerprint information from the device fingerprint memory; authority verification is performed by matching the IP address with the MAC address; if the MAC address matches the IP address, network communication is unlimited and the traffic is forwarded over a dedicated channel through the routing table in the VRF; if the MAC address does not match the IP address, the network is monitored according to the limiting conditions of the original IP address.
If the MAC address does not match the IP address, this indicates an abnormal user and the user information must be verified again; after the user information is verified successfully, the new MAC address is bound to the IP address, the binding is written to the storage bit of the original IP address, and the new MAC address serves as standby fingerprint information for the original MAC address.
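The device fingerprint memory behaviour described above (storage bit expansion with a threshold H pruned by use frequency, the IP/MAC match on the second connection, and binding a re-verified MAC as standby fingerprint) as an added example; this is illustrative code written for this page, not the patent's own implementation. The IP address, the a1..a5 MAC labels and their use timestamps are constructed, and the tie-break rule (earlier-bound address wins) is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

MONTH_S = 30 * 24 * 3600   # unit time over which use frequency is counted


class DeviceFingerprintMemory:
    """Per-IP storage bits: the bound MAC address pool plus a MAC use log.
    Hypothetical model of the page's device fingerprint memory."""

    def __init__(self):
        # ip -> bound MACs, first entry is the original fingerprint
        self.pool: Dict[str, List[str]] = defaultdict(list)
        # ip -> mac -> timestamps at which that MAC was used
        self.uses: Dict[str, Dict[str, List[float]]] = defaultdict(lambda: defaultdict(list))
        # (ts, ip, mac, event): the MAC address use log
        self.log: List[Tuple[float, str, str, str]] = []

    def bind(self, ip: str, mac: str, ts: float) -> None:
        """Bind a MAC to the IP (storage bit expansion) and count one use."""
        if mac not in self.pool[ip]:
            self.pool[ip].append(mac)
            self.log.append((ts, ip, mac, "bind"))
        self.uses[ip][mac].append(ts)

    def verify(self, ip: str, mac: str, ts: float) -> str:
        """Second-connection authority check: IP/MAC match -> unlimited
        (traffic goes through the VRF channel); mismatch -> keep monitoring
        under the original IP's limiting conditions."""
        if mac in self.pool[ip]:
            self.uses[ip][mac].append(ts)
            self.log.append((ts, ip, mac, "use"))
            return "unlimited"
        self.log.append((ts, ip, mac, "mismatch"))
        return "restricted"

    def reverify_and_bind(self, ip: str, mac: str, credentials_ok: bool, ts: float) -> bool:
        """An unmatched MAC is treated as an abnormal user; only after the
        account/password check succeeds again is it stored as standby fingerprint."""
        if not credentials_ok:
            self.log.append((ts, ip, mac, "reverify_failed"))
            return False
        self.bind(ip, mac, ts)
        return True

    def prune(self, ip: str, h: int, now: float, window_s: float = MONTH_S):
        """Keep the H most frequently used MACs inside the window (ties keep
        the earlier-bound address); unbind the rest and log the unbinding."""
        macs = self.pool[ip]
        freq = {m: sum(1 for t in self.uses[ip][m] if now - window_s <= t <= now)
                for m in macs}
        ranked = sorted(macs, key=lambda m: (-freq[m], macs.index(m)))
        keep, drop = ranked[:h], ranked[h:]
        for m in drop:
            self.log.append((now, ip, m, "unbind"))
        self.pool[ip] = list(keep)   # copy so later binds do not alias 'keep'
        return keep, drop


def demo():
    """Replays the page's example: general user, H = 3, monthly use a1 > a2 > a3 > a4 > a5."""
    mem = DeviceFingerprintMemory()
    ip, now = "10.1.2.3", MONTH_S
    for i, mac in enumerate(["a1", "a2", "a3", "a4", "a5"]):
        for day in range(5 - i):               # constructed: a1 used 5 times, a5 once
            mem.bind(ip, mac, ts=day * 86400)
    keep, drop = mem.prune(ip, h=3, now=now)
    status_a1 = mem.verify(ip, "a1", now + 1)  # matched fingerprint
    status_a4 = mem.verify(ip, "a4", now + 2)  # unbound: identity must be re-verified
    rebound = mem.reverify_and_bind(ip, "a4", credentials_ok=True, ts=now + 3)
    return keep, drop, status_a1, status_a4, rebound, list(mem.pool[ip])


if __name__ == "__main__":
    print(demo())
    # (['a1', 'a2', 'a3'], ['a4', 'a5'], 'unlimited', 'restricted', True, ['a1', 'a2', 'a3', 'a4'])
```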
The above embodiments are preferred embodiments of the present invention based on Portal authentication, and are not intended to limit the scope of the present invention, which includes but is not limited to the present embodiments, and all equivalent variations in shape and structure according to the present invention are within the scope of the present invention.

Claims (7)

1. A client-side-free mutual exclusion access platform based on Portal authentication, characterized in that: the system comprises a Portal client, a network controller, a Portal server, an AAA server, a RADIUS server and a device fingerprint memory;
the network controller is used as an access port of the user equipment and is used for acquiring identity information of an access user and opening network access authority of the user;
the Portal client serves as a browser carrier running HTTP (hypertext transfer protocol) and is used for entering the identity authentication information of the access user;
the Portal server receives an authentication request of an access user from a Portal client, provides free Portal service and a Web-based authentication interface, and interacts with handheld terminal equipment of the access user to acquire equipment fingerprint information of the handheld terminal equipment;
the AAA server interacts with the network controller to complete user identity authentication, charging and authorization;
the RADIUS server stores an account number and a password of the access user terminal equipment and performs identity authentication on identity authentication information of the access user terminal equipment;
the device fingerprint memory stores device fingerprint information used for identity authentication of the handheld terminal device.
2. The Portal authentication-based client-side-free mutual exclusion access platform according to claim 1, wherein: the access user acquires network access rights for the first time through the following steps:
S1. The handheld terminal device connects to the network controller and then sends a network request to the portal server;
S2. The portal server returns the web page link of the portal client and initiates a user identity request;
S3. The access user enters the account and password and submits the connection request through the portal client displayed on the handheld terminal device; the account comprises a domain user name and a password;
S4. The network controller sends the obtained account and password to the RADIUS server for verification and matching; if the match succeeds, S5 is executed; if it fails, an abnormality prompt is returned to the portal client;
S5. The network controller reports the successful identity authentication of the access user to the portal server;
S6. The portal server authorizes the access user's network connection request and instructs the network controller to open the network and allocate an IP address according to the authority granted by the AAA server; the network controller binds the user identity to a VRF, and the successful identity confirmation result is returned to the portal client.
3. The Portal authentication-based clientless mutually exclusive access platform according to claim 2, wherein: in S6, the network controller opening the network according to the authority of the AAA server includes the steps of:
the AAA server acquires an account number of an access user and opens corresponding authority according to the limiting condition of the corresponding account number;
the limiting conditions include network connection duration, network traffic volume and rate, and the network access domain.
4. The Portal authentication-based clientless mutually exclusive access platform according to claim 1 or 2, wherein: when the handheld terminal accesses the network for the first time, the device fingerprint information is automatically entered and archived, which comprises the following steps: after the handheld terminal is connected to the network controller over the network, the AAA server monitors in real time according to the limiting conditions corresponding to the IP address;
when the corresponding IP address reaches any one of the limiting conditions, the AAA server interacts with the portal server, and the portal server sends a network service interruption instruction to the network controller;
the portal server queries whether fingerprint information of the handheld device exists in the device fingerprint memory; if yes, the corresponding authority prompt information is fed back to the portal client; if not, the access user sends an authentication request again using the account and password;
the network controller acquires the MAC address of the handheld terminal, sends a storage bit expansion request to the device fingerprint memory, binds the MAC address to the IP address, and writes the binding to the expanded storage location.
5. The Portal authentication-based clientless mutually exclusive access platform according to claim 4, wherein:
the user requests network connection for the second time, which comprises the following steps:
if the authority prompt information has not been lifted, the user either continues waiting or performs the lifting operation according to the limiting condition;
if the authority prompt information has been lifted, the network controller establishes the network connection according to the IP address of the handheld terminal;
the AAA server feeds back the limiting conditions corresponding to the IP address to the portal server, and the portal server retrieves the fingerprint information from the device fingerprint memory; authority verification is performed by matching the IP address against the MAC address; if the MAC address matches the IP address, network communication is unrestricted and traffic is forwarded over a dedicated channel according to the routing table in the VRF; if the MAC address does not match the IP address, the network is monitored according to the limiting conditions of the original IP address.
6. The Portal authentication-based clientless mutually exclusive access platform according to claim 5, wherein:
if the MAC address does not match the IP address, this indicates an abnormal user and the user identity information must be verified again; after the user identity information is verified successfully, the new MAC address is bound to the IP address, written to the storage bit of the original IP address, and serves as standby fingerprint information alongside the original MAC address.
7. The Portal authentication-based clientless mutually exclusive access platform according to claim 4, 5 or 6, wherein: the storage bit expansion follows the following principle:
if a user logs in with the same user information from different handheld terminals, the corresponding IP address is bound to the MAC address of each new handheld terminal, and the several MAC addresses form a MAC address pool; a threshold H is set for the user's MAC address pool according to the user's authority, the H MAC addresses with the highest use frequency per unit time are retained, and the remaining MAC addresses are unbound from the IP address; when an unbound MAC address or a new MAC address accesses the network controller again, the user identity must be verified separately and a MAC address use log is generated, so that the MAC address pool can be updated according to use frequency.
CN202210267422.XA 2022-03-17 2022-03-17 Portal authentication-based client-free mutual exclusion access platform Active CN114944927B (en)
Publications (2)

Publication Number Publication Date
CN114944927A true CN114944927A (en) 2022-08-26
CN114944927B CN114944927B (en) 2023-08-08