CN101621802B - Method, system and device for authenticating portal in wireless network - Google Patents

Publication number: CN101621802B
Authority: CN (China)
Prior art keywords: sta, authentication, address, forwarding capability, local forwarding
Legal status: Active
Application number: CN2009100912302A
Other languages: Chinese (zh)
Other versions: CN101621802A (en)
Inventors: 赵玄, 王君菠
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN2009100912302A
Publication of CN101621802A
Application granted
Publication of CN101621802B

Abstract

The invention provides a Portal authentication method, system and device in a wireless network. The method comprises the following steps: after a wireless access point (AP) receives an authentication request from a mobile terminal (STA), the AP sends the authentication request to an access controller (AC) through a Control And Provisioning of Wireless Access Points (CAPWAP) tunnel, and the AC forwards the authentication request to a Portal server; after the AC learns that the Portal server has successfully authenticated the STA, the AC sends, through the CAPWAP tunnel, a configuration message instructing the AP to enable the local forwarding function for the STA; and after the AC learns that the STA has exited authentication, the AC sends, through the CAPWAP tunnel, a configuration message instructing the AP to close the local forwarding function for the STA. The invention makes it possible to use the existing network authentication architecture to perform Portal authentication when the AP forwards locally, without adding extra authentication devices, thereby saving networking cost.

Description

Portal authentication method, system and device in a wireless network
Technical field
The present invention relates to the technical field of wireless local area networks (WLAN), and in particular to a Portal authentication method, system and device in a wireless network.
Background
In current wireless networks, the centralized wireless LAN is applied more and more widely because of its strong manageability and its suitability for large-scale deployment. In a centralized wireless LAN, the AC and the AP can be connected through a dedicated protocol tunnel; the one commonly used is the Control And Provisioning of Wireless Access Points (CAPWAP) protocol, and data transmission and configuration management between the AP and the AC can be carried out through the CAPWAP tunnel.
In a traditional centralized wireless LAN, Portal authentication is sent through the AC to the Portal server; after the user's Portal authentication passes, the AC forwards the data of the user's mobile terminal (STA). The existing authentication architecture of the centralized wireless LAN is shown in Fig. 1.
However, with the continuous development of wireless communication technology, the performance of the AC gradually becomes unable to keep up with forwarding the user data under every AP. Local forwarding technology therefore emerged: the AP and the STA are still managed by the AC through the CAPWAP tunnel, but the STA's data is forwarded by the AP it is connected to and is no longer sent through the CAPWAP tunnel to be forwarded centrally by the AC. Because the data no longer passes through the AC, the user's Portal authentication cannot be realized through the existing authentication architecture, and an additional Portal server that is Layer 2 reachable from the AP has to be set up locally, as shown in Fig. 2. Thus, when AP local forwarding is adopted, the existing network architecture cannot be used directly, the number of devices in the network has to be increased, and the cost rises.
Summary of the invention
In view of this, the invention provides a Portal authentication method, system and device in a wireless network, so that the existing network authentication architecture can be used to realize Portal authentication under AP local forwarding without adding extra authentication devices, saving networking cost.
A Portal authentication method in a wireless network, the method comprising:
A. after an AP receives an authentication request from an STA, the AP sends the authentication request to an AC through a CAPWAP tunnel;
B. said AC sends said authentication request to a Portal server and, after learning that said Portal server has successfully authenticated said STA, sends a configuration message through said CAPWAP tunnel instructing said AP to enable the local forwarding function for said STA;
C. after said AC learns that said STA has exited authentication, it sends a configuration message through said CAPWAP tunnel instructing said AP to close the local forwarding function for said STA.
An AP, comprising: a packet sending and receiving unit and a functional configuration unit;
said packet sending and receiving unit is used to send the authentication request of an STA to the AC through a CAPWAP tunnel after receiving it; to receive the configuration messages sent by the AC through the CAPWAP tunnel; and, after said functional configuration unit has enabled the local forwarding function for said STA, to forward packets for said STA in local forwarding mode;
said functional configuration unit is used to enable the local forwarding function for said STA when said packet sending and receiving unit receives a configuration message instructing it to enable the local forwarding function for said STA, and to close the local forwarding function for said STA when said packet sending and receiving unit receives a configuration message instructing it to close the local forwarding function for said STA.
An AC, comprising: a packet sending and receiving unit, an authentication confirmation unit and a management configuration unit;
said packet sending and receiving unit is used to send the authentication request of an STA to the Portal server after receiving it from the AP through a CAPWAP tunnel;
said authentication confirmation unit is used to send a first configuration notification to said management configuration unit after learning that said Portal server has successfully authenticated said STA, and to send a second configuration notification to said management configuration unit after learning that said STA has exited authentication;
said management configuration unit is used, after receiving said first configuration notification, to send a configuration message through said CAPWAP tunnel instructing said AP to enable the local forwarding function for said STA, and, after receiving said second configuration notification, to send a configuration message through said CAPWAP tunnel instructing said AP to close the local forwarding function for said STA.
A Portal authentication system in a wireless network, comprising: an AP, an AC and a Portal server;
said AP is used to send the authentication request of an STA to said AC through a CAPWAP tunnel after receiving it; to enable the local forwarding function for said STA after receiving a first configuration message; and to close the local forwarding function for said STA after receiving a second configuration message;
said AC is used to send the received authentication request to said Portal server; to send the first configuration message to said AP through said CAPWAP tunnel after learning that said Portal server has successfully authenticated said STA; and to send the second configuration message to said AP through said CAPWAP tunnel after learning that said STA has exited authentication;
said Portal server is used to authenticate said STA after receiving said authentication request.
As can be seen from the above technical solution, in the method, system and device provided by the invention, the AP sends the STA's authentication request to the AC through the CAPWAP tunnel and the AC forwards it to the Portal server; after learning that the Portal server has successfully authenticated the STA, the AC sends a configuration message through the CAPWAP tunnel instructing the AP to enable the local forwarding function for this STA; after learning that the STA has exited authentication, the AC sends a configuration message through the CAPWAP tunnel instructing the AP to close the local forwarding function for this STA. That is, before authentication passes, authentication requests are sent centrally to the AC; after authentication passes, the AP, as configured by the AC, enables the local forwarding function for the authenticated STA. With the invention, the existing network authentication architecture can be used to realize Portal authentication under AP local forwarding, without adding extra authentication devices, which saves networking cost.
Description of drawings
Fig. 1 is a diagram of the existing authentication architecture of a centralized wireless network;
Fig. 2 is a diagram of the authentication architecture under AP local forwarding in the prior art;
Fig. 3 is the main method flow chart provided by an embodiment of the invention;
Fig. 4 is the detailed method flow chart provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of the DHCP message flow in embodiment one of the invention;
Fig. 6 is a schematic diagram of the authentication message flow in embodiment one of the invention;
Fig. 7 is the detailed method flow chart provided by embodiment two of the invention;
Fig. 8 is a schematic diagram of the AP structure provided by an embodiment of the invention;
Fig. 9 is a schematic diagram of the AC structure provided by an embodiment of the invention.
Detailed description of embodiments
To make the purpose, technical solution and advantages of the invention clearer, the invention is described below with reference to the drawings and specific embodiments.
The method provided by the invention can be as shown in Fig. 3 and mainly comprises the following steps:
Step 301: After the AP receives an authentication request from an STA, it sends the authentication request to the AC through the CAPWAP tunnel.
Step 302: The AC forwards the authentication request to the Portal server and, after learning that the Portal server has successfully authenticated this STA, sends a configuration message through the CAPWAP tunnel instructing the AP to enable the local forwarding function for this STA.
Step 303: After the AC learns that this STA has exited authentication, it sends a configuration message through the CAPWAP tunnel instructing the AP to close the local forwarding function for this STA.
The above method provided by the invention is described in detail below with reference to specific embodiments.
Embodiment one:
Fig. 4 is the detailed method flow chart provided by embodiment one of the invention. This flow still uses the existing authentication architecture shown in Fig. 1 to realize authentication under AP local forwarding. In this method, the AP is configured so that local forwarding is closed before the STA passes authentication, while the downlink local forwarding function is enabled by default. As shown in Fig. 4, the method may comprise the following steps:
Step 401: After the STA connects to the AP, it sends a Dynamic Host Configuration Protocol (DHCP) request message.
When the STA first connects to the AP, it finds that it has no IP address configured and sends a DHCP request message carrying its MAC address. The source address of this DHCP request message can be 0.0.0.0 and the destination address is 255.255.255.255.
Step 402: The AP sends the DHCP request message to the AC through the CAPWAP tunnel between it and the AC, and the AC forwards it to the DHCP server.
Because the AP does not enable the local forwarding function before the user passes authentication, the AP sends all packets from the STA to the AC through the CAPWAP tunnel. After receiving the DHCP request message, the AC performs the DHCP relay (DHCP Relay) operation on it and forwards it to the DHCP server connected to it.
Step 403: The DHCP server allocates an IP address for this STA, determines the user gateway IP address that this STA will use during subsequent AP local forwarding, and sends this IP address information to the AC.
Step 404: The AC sends this IP address information to the AP through the CAPWAP tunnel, and the AP sends it to the STA.
In this step, the IP address information returned by the DHCP server is again sent to the AP through the CAPWAP tunnel by the AC's DHCP Relay function, and then sent on to the STA by the AP.
After the above steps, the STA has obtained its allocated IP address, and the AC can store an ARP entry for the correspondence between the STA's IP address and MAC address. The AP can store the correspondence among this STA's IP address, its MAC address and its user gateway IP address, and uses this correspondence for local forwarding once the local forwarding function for this STA has been enabled.
The message flow of the above DHCP request process can be as shown in Fig. 5.
Step 405: The STA sends an HTTP request message whose destination IP address is the user gateway IP address; after receiving this HTTP request message, the AP sends it to the AC through the CAPWAP tunnel.
When the user opens a Hypertext Transfer Protocol (HTTP) page on the Internet, the authentication process is triggered because this user has not yet passed authentication. The STA first sends an HTTP request message whose destination IP address is the user gateway IP address, in order to obtain the MAC address of the user gateway for subsequent Layer 2 forwarding. After receiving this HTTP request message, the AP still sends it to the AC through the CAPWAP tunnel.
Step 406: After receiving this HTTP request message, the AC uses a pre-configured ARP entry to send an ARP reply to the STA through the CAPWAP tunnel on behalf of the user gateway.
Because the AC does not yet hold the MAC address information of the user gateway, the ARP entry of each user gateway, that is, the correspondence between its IP address and MAC address, must be configured on the AC in advance, and the ARP proxy reply function for the user gateway must be configured on the AC. After receiving the HTTP request message, the AC sends the MAC address of the user gateway to the AP through the CAPWAP tunnel, and the AP sends it to the STA. The AP and the STA can store the ARP entry of this user gateway.
Step 407: The STA sends an authentication request, the AP sends the authentication request to the AC through the CAPWAP tunnel, and the AC, after receiving it, redirects the authentication request to the Portal server.
Usually the destination address in this authentication request is the address of the user gateway. After receiving the authentication request, the AC replies to the STA with an HTTP redirect that tells it the IP address of the Portal server. The STA resends the authentication request according to this HTTP redirect, and the AC forwards the authentication request to the Portal server.
It should be noted that if the user goes directly to the login page, steps 405 and 406 may be skipped: step 407 is executed directly to send the authentication request, and the ARP reply is performed in step 407.
Step 408: After receiving the authentication request, the Portal server authenticates this user; after authentication passes, it informs the AC that authentication succeeded and sends an authentication success response to the STA.
The AC can be informed of the authentication success by sending it an authentication success message, which is the existing standard way in Portal authentication.
The destination IP address of this authentication success response is the IP address of the STA. The authentication success response sent to the STA first reaches the central router; because the STA's IP address lies in the network segment of the user gateway's IP address, the central router sends the authentication success response to the user gateway.
After receiving the authentication success response, the user gateway broadcasts an ARP request containing the STA's IP address to all APs connected to it. Because the AP has the downlink local forwarding function enabled by default, the AP connected to this STA, after receiving the ARP request, sends the ARP reply on behalf of the STA, informing the user gateway of the STA's MAC address; the user gateway stores the ARP entry for the STA's IP address and MAC address and uses it for subsequent packet forwarding. The user gateway uses this ARP entry to send the authentication success response to the AP, and the AP forwards it to the STA.
It should be noted that "central router" is a general term for the router or router network between the AC and the Portal server.
Step 409: After learning that authentication succeeded, the AC sends the AP a configuration message enabling the uplink local forwarding function for this STA; after receiving this configuration message, the AP enables the uplink local forwarding function for this STA.
The configuration message that the AC sends to the AP can contain the MAC address information of this STA; after receiving the configuration message, the AP enables uplink local forwarding for the MAC address of this STA.
After receiving a packet sent by an STA, the AP first judges whether the uplink local forwarding function has been enabled for this STA; if so, it forwards the packet locally; otherwise, it sends the packet to the AC through the CAPWAP tunnel.
That is, only after the STA is successfully authenticated does the AP enable the uplink local forwarding function for this STA. Since the AP already has the downlink local forwarding function, subsequent packets of this STA can be forwarded by the AP's local forwarding function and need not be sent centrally to the AC for forwarding.
If authentication fails, the Portal server informs the AC of the authentication failure and sends an authentication failure response to the STA; the forwarding path of the authentication failure response is the same as that of the authentication success response. After learning of the authentication failure, the AC does not send the AP a configuration message enabling the uplink local forwarding function for this STA, so local forwarding of upstream data cannot take place, which achieves the purpose of Portal authentication.
The message flow of the Portal authentication process, that is, steps 407 to 409, can be as shown in Fig. 6.
If the user exits authentication, the following step is then executed:
Step 410: When the user exits authentication, the existing Portal logout flow is followed, that is, the Portal server informs the AC that this user's STA has logged off. The AC sends, through the CAPWAP tunnel, a configuration message to the AP closing the uplink local forwarding function for this STA.
There are two cases in which a user exits authentication. First, the user goes offline: the STA sends an authentication exit request message to the Portal server; after receiving it, the Portal server notifies the AC that this STA has exited authentication, and the AC deletes the stored ARP entry for this STA. Second, the STA shuts down: heartbeat messages can be sent periodically between the Portal server and the STA; if the Portal server does not receive the STA's heartbeat message within a set time, it considers the STA faulty, notifies the AC that this STA has exited authentication, and the AC deletes the stored ARP entry for this STA.
After the user exits authentication, the AC correspondingly notifies the AP to close the uplink local forwarding function for this STA. Thus, the next time this STA comes online, the complete authentication flow shown in Fig. 4 is executed again before the AP's local forwarding for this STA is enabled.
Embodiment one uses an asymmetric path in the exchange of authentication messages, which is achieved by enabling the downlink local forwarding function for the STA on the AP by default. Alternatively, a symmetric path can be used throughout the exchange of authentication messages. In that case the downlink local forwarding function for the STA does not need to be enabled by default; instead, the uplink and downlink local forwarding functions for the STA are enabled at the same time after authentication succeeds. This case is described in detail in embodiment two below.
Embodiment two:
Fig. 7 is the detailed method flow chart provided by embodiment two of the invention. This flow likewise uses the existing authentication architecture shown in Fig. 1 to realize authentication under AP local forwarding. As shown in Fig. 7, the method may comprise the following steps:
Steps 701-707 are identical to steps 401-407 and are not described again.
In this embodiment, the AP initially has the uplink and downlink local forwarding functions for the STA closed by default.
Step 708: After receiving the authentication request, the Portal server authenticates this user and, after authentication passes, sends an authentication success response to the STA.
The destination IP address of this authentication success response is the IP address of this STA.
In this embodiment, because the AP initially has the downlink local forwarding function for the STA closed, the authentication success response still has to be forwarded to the STA through the AC and cannot be delivered downstream through the user gateway. For this purpose, a dynamic routing protocol such as Open Shortest Path First (OSPF) can be started on the AC, and the AC sends the host route of this STA that it has collected to the central router, so that the central router, after receiving the authentication success response from the Portal server, sends it to the AC according to the host route of this STA.
Suppose the network segment of the STA and the user gateway is 10.0.0.0, the IP address of the STA is 10.0.0.10, and the IP address of the user gateway is 10.0.0.1. If the AC does not send the host route to the central router, the central router only knows that the STA is in the user gateway's network segment and therefore sends the authentication success response to the user gateway. If the AC sends the host route for 10.0.0.10 to the central router, the central router chooses to send the authentication success response according to the host route, that is, to the AC.
Step 709: After receiving the authentication success response, the AC sends it to the AP through the CAPWAP tunnel, and also sends the AP, through the CAPWAP tunnel, a configuration message enabling the uplink and downlink local forwarding functions for this STA.
Step 710: The AP sends the received authentication success response to the STA and enables the uplink and downlink local forwarding functions for this STA according to the received configuration message.
Step 711: When the user exits authentication, the existing Portal logout flow is followed. When the AC learns that this user's STA has logged off, it sends the AP, through the CAPWAP tunnel, a configuration message closing the uplink and downlink local forwarding functions for this STA, and notifies the central router to delete the host route of this STA.
In embodiment two, the central router must promptly update the STA host routes it receives from the AC; compared with embodiment one, this places certain performance requirements on the routers in the network.
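The per-STA gate described in steps 409-410 and 709-711, together with the host-route choice in the 10.0.0.10 example, can be modelled as follows. This Python model is an added example, not code from the patent: the class and method names, the constructed MAC address and the /24 prefix length are assumptions, and advertising the host route as soon as the AC learns the STA's address is one possible timing that the text does not fix.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed labels for the two variants the text calls embodiment one and two.
ASYMMETRIC = "embodiment-one"  # downlink local by default, uplink gated by authentication
SYMMETRIC = "embodiment-two"   # uplink and downlink both gated; AC advertises a host route

STA_IP = "10.0.0.10"           # STA address from the text's example
STA_MAC = "00:11:22:33:44:55"  # constructed sample value
GATEWAY_NET = "10.0.0.0/24"    # segment from the text; the /24 length is assumed


@dataclass
class AP:
    mode: str
    enabled: set = field(default_factory=set)  # STA MACs the AC has enabled

    def on_config(self, mac, enable):
        """Configuration message from the AC, delivered over the CAPWAP tunnel."""
        if enable:
            self.enabled.add(mac)
        else:
            self.enabled.discard(mac)

    def uplink(self, mac):
        # Fail closed: an STA the AC has not enabled is always tunnelled to the AC.
        return "local" if mac in self.enabled else "capwap-to-ac"

    def downlink(self, mac):
        if self.mode == ASYMMETRIC:
            return "local"  # enabled by default in embodiment one
        return "local" if mac in self.enabled else "capwap-from-ac"


@dataclass
class CentralRouter:
    routes: dict  # ip_network -> next hop name

    def next_hop(self, ip):
        """Longest-prefix match, so a /32 host route beats the gateway's segment."""
        addr = ipaddress.ip_address(ip)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            raise LookupError(f"no route to {ip}")
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


@dataclass
class AC:
    ap: AP
    router: CentralRouter
    arp: dict = field(default_factory=dict)  # STA IP -> MAC

    def on_dhcp_ack(self, ip, mac):
        self.arp[ip] = mac
        if self.ap.mode == SYMMETRIC:
            # Assumed timing: advertise the host route as soon as the address is known.
            self.router.routes[ipaddress.ip_network(ip + "/32")] = "AC"

    def on_portal_result(self, ip, success):
        # On failure no configuration message is sent, so the AP keeps tunnelling.
        if success and ip in self.arp:
            self.ap.on_config(self.arp[ip], True)

    def on_logout(self, ip):
        mac = self.arp.pop(ip, None)  # the AC deletes the STA's ARP entry
        if mac is not None:
            self.ap.on_config(mac, False)
        self.router.routes.pop(ipaddress.ip_network(ip + "/32"), None)


def run(mode, auth_ok=True):
    """Return (stage, uplink, downlink, router next hop towards the STA) per stage."""
    router = CentralRouter({ipaddress.ip_network(GATEWAY_NET): "user-gateway"})
    ap = AP(mode)
    ac = AC(ap, router)

    def snap(stage):
        return (stage, ap.uplink(STA_MAC), ap.downlink(STA_MAC), router.next_hop(STA_IP))

    ac.on_dhcp_ack(STA_IP, STA_MAC)
    trace = [snap("pre-auth")]
    ac.on_portal_result(STA_IP, auth_ok)
    trace.append(snap("post-auth"))
    ac.on_logout(STA_IP)
    trace.append(snap("logout"))
    return trace


if __name__ == "__main__":
    for mode in (ASYMMETRIC, SYMMETRIC):
        for row in run(mode):
            print(mode, *row)
```

In both modes the uplink path returns to the CAPWAP tunnel after logout, and a failed authentication never leaves it.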
The above is the detailed description of the method provided by the invention; the system and device provided by the invention are described in detail below.
The Portal authentication system provided by the invention can use the architecture shown in Fig. 1, except that the functions of some devices have changed. The system may comprise: an AP, an AC and a Portal server.
The AP is used to send the authentication request of an STA to the AC through the CAPWAP tunnel after receiving it; to enable the local forwarding function for the STA after receiving a first configuration message; and to close the local forwarding function for the STA after receiving a second configuration message.
The AC is used to send the received authentication request to the Portal server; to send the first configuration message to the AP through the CAPWAP tunnel after learning that the Portal server has successfully authenticated the STA; and to send the second configuration message to the AP through the CAPWAP tunnel after learning that the STA has exited authentication.
The Portal server is used to authenticate the STA after receiving the authentication request.
Because a DHCP process usually has to take place after the STA connects to the AP and before authentication, the system may also comprise a DHCP server.
The AP is also used to receive the DHCP request message that the STA sends after connecting to this AP and to send it to the AC through the CAPWAP tunnel; to forward the received IP address of the STA and user gateway IP address of the STA to the STA; and to store the correspondence among the STA's IP address, the STA's MAC address and the user gateway IP address.
The AC is also used to send the received DHCP message to the DHCP server, and to send the IP address of the STA and the user gateway IP address of the STA returned by the DHCP server to the AP through the CAPWAP tunnel.
The DHCP server is used, after receiving the DHCP message, to allocate an IP address for the STA and to return the allocated IP address of the STA and the user gateway IP address of the STA to the AC.
In addition, the AC can also be used to send ARP replies on behalf of the user gateway, using a pre-configured ARP entry containing the IP address and MAC address of the user gateway.
The system may also comprise: a user gateway, and a central router between the Portal server and the AC. For the specific return path of the authentication success response, the following two modes can be used:
First mode:
The AP initially, by default, enables the downlink local forwarding function for the STA and closes the uplink local forwarding function for the STA; after receiving the first configuration message it enables the uplink local forwarding function for the STA, and after receiving the second configuration message it closes the uplink local forwarding function for the STA.
The Portal server can also be used, after successfully authenticating the STA, to send an authentication success message to the AC and to send an authentication success response whose destination IP address is the IP address of the STA.
After receiving the authentication success message, the AC learns that the Portal server has successfully authenticated the STA.
The central router is used to send the authentication success response to the user gateway after receiving it.
The user gateway is used to send the received authentication success response to the STA via the AP.
Second mode:
The AC uses a dynamic routing protocol started in advance to send the host route of the STA that it has collected to the central router.
The Portal server can also be used, after successfully authenticating the STA, to send an authentication success response whose destination IP address is the IP address of the STA.
The central router is used to send the authentication success response from the Portal server to the AC according to the host route of the STA.
After receiving the authentication success response, the AC learns that the Portal server has successfully authenticated the STA and sends the authentication success response to the AP through the CAPWAP tunnel; after learning that the STA has exited authentication, it notifies the central router to delete the host route of the STA.
The AP is also used to send the received authentication success response to the STA; to enable the uplink and downlink local forwarding functions for the STA after receiving the first configuration message; and to close the uplink and downlink local forwarding functions for the STA after receiving the second configuration message.
The AP structural representation that Fig. 8 provides for the embodiment of the invention, as shown in Figure 8, this AP can comprise: packet sending and receiving unit 801 and functional configuration unit 802.
Packet sending and receiving unit 801 after being used to receive the authentication request of STA, sends to AC through CAPWAP tunnel with this authentication request; Receive the configuration messages that AC sends through CAPWAP tunnel; Opened to behind the local forwarding capability of STA in functional configuration unit 802, adopted the local mode of transmitting that STA is carried out message and transmit.
Functional configuration unit 802, when being used for receiving in packet sending and receiving unit 801 the indication activation pin to the configuration messages of the local forwarding capability of STA, activation pin is to the local forwarding capability of STA; Receive indication in packet sending and receiving unit 801 when closing the configuration messages to the local forwarding capability of STA, close local forwarding capability to STA.
In addition, packet sending and receiving unit 801 can also be used for the DHCP request message that receives is sent to AC through CAPWAP tunnel; Receive the IP address of the STA that AC sends and the user gateway IP address of STA through CAPWAP tunnel; IP address and the user gateway IP address of this STA are transmitted to STA, and IP address, the MAC Address of STA and the corresponding relation between the user gateway IP address of storage STA.
Corresponding to the two authentication modes described above, the AP may also adopt the following two structures:
First, the function configuration unit 802 by default initially enables the downlink local forwarding function for the STA and disables the uplink local forwarding function for the STA; when the packet sending and receiving unit 801 receives a configuration message instructing it to enable the local forwarding function for the STA, it enables the uplink local forwarding function for the STA; when the packet sending and receiving unit 801 receives a configuration message instructing it to disable the local forwarding function for the STA, it disables the uplink local forwarding function for the STA.
The packet sending and receiving unit 801 is further configured to, after receiving the authentication success response sent by the Portal server via the central router and the user gateway, send the authentication success response to the STA.
In this case, the AP may further comprise an ARP proxy reply unit 803.
The packet sending and receiving unit 801 is further configured to, after receiving an ARP request from the user gateway, pass the ARP request to the ARP proxy reply unit 803, and to send the ARP response provided by the ARP proxy reply unit 803 to the user gateway.
The ARP proxy reply unit 803 is configured to determine whether the IP address contained in the ARP request is the IP address of an STA connected to this AP and, if so, to include the MAC address of the STA corresponding to that IP address in an ARP response and provide it to the packet sending and receiving unit 801.
Second, when the packet sending and receiving unit 801 receives a configuration message instructing it to enable the local forwarding function for the STA, the function configuration unit 802 enables the uplink and downlink local forwarding functions for the STA; when the packet sending and receiving unit 801 receives a configuration message instructing it to disable the local forwarding function for the STA, the function configuration unit 802 disables the uplink and downlink local forwarding functions for the STA.
The packet sending and receiving unit 801 is further configured to, after receiving the authentication success response sent by the Portal server via the AC, send the authentication success response to the STA.
Fig. 9 is a schematic structural diagram of the AC provided by an embodiment of the present invention. As shown in Fig. 9, the AC may comprise a packet sending and receiving unit 901, an authentication confirmation unit 902 and a management configuration unit 903.
The packet sending and receiving unit 901 is configured to, after receiving the authentication request of the STA sent by the AP through the CAPWAP tunnel, send the authentication request to the Portal server.
The authentication confirmation unit 902 is configured to send a first configuration notification to the management configuration unit 903 after learning that the Portal server has successfully authenticated the STA, and to send a second configuration notification to the management configuration unit 903 after learning that the STA has logged out.
The management configuration unit 903 is configured to, after receiving the first configuration notification, send a configuration message through the CAPWAP tunnel instructing the AP to enable the local forwarding function for the STA; and, after receiving the second configuration notification, to send a configuration message through the CAPWAP tunnel instructing the AP to disable the local forwarding function for the STA.
In addition, the AC may further comprise an ARP proxy reply unit 904, configured to perform ARP proxy replies on behalf of the user gateway according to an ARP entry, preconfigured on the AC, that contains the IP address and MAC address of the user gateway.
Likewise, corresponding to the two ways described above of delivering the authentication success response, the AC may also have the following two structures:
First, when the AP by default initially enables the downlink local forwarding function for the STA and disables the uplink local forwarding function for the STA, the authentication confirmation unit 902 learns that the Portal server has successfully authenticated the STA after the packet sending and receiving unit 901 receives the authentication success message sent by the Portal server.
Second, the AC may further comprise a route sending unit 905, configured to use a dynamic routing protocol started on the AC in advance to send the collected host-specific route of the STA to the central router, and, after the authentication confirmation unit 902 learns that the STA has logged out, to notify the central router to delete the host-specific route of the STA; wherein the central router is a router or a router network between the Portal server and the AC.
The authentication confirmation unit 902 learns that the Portal server has successfully authenticated the STA after the packet sending and receiving unit 901 receives the authentication success response sent by the Portal server.
The packet sending and receiving unit 901 is further configured to, after receiving the authentication success response, send the authentication success response to the AP through the CAPWAP tunnel.
As can be seen from the above description, in the method, system and device provided by the present invention, the AP sends the authentication request of the STA to the AC through the CAPWAP tunnel, and the AC forwards it to the Portal server; after learning that the Portal server has successfully authenticated the STA, the AC sends a configuration message through the CAPWAP tunnel instructing the AP to enable the local forwarding function for that STA; after learning that the STA has logged out, the AC sends a configuration message through the CAPWAP tunnel instructing the AP to disable the local forwarding function for that STA. That is to say, before authentication passes, authentication requests are sent centrally to the AC; after authentication passes, the AP, as configured by the AC, enables the local forwarding function for the authenticated STA. With the present invention, Portal authentication under AP local forwarding can be implemented using the existing network authentication framework, without adding extra authentication devices, which saves networking cost.
In addition, in the present invention, before and during authentication the AP only needs to forward all received packets to the AC for centralized processing; only after authentication has succeeded is the local forwarding function enabled for the authenticated STA, so that packet forwarding is completed locally at the AP, which reduces the performance burden on the AC.
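The per-STA switching summarized above can be modelled as a small state machine. The following Python sketch is an added example, not code from the patent: the class and method names, the `/32` host-route notation, advertising the host route at the moment the AC learns the STA's address, and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    UPLINK_ONLY = 1  # first structure: downlink local forwarding is on by default
    BOTH = 2         # second structure: uplink and downlink are switched together


LOCAL, TUNNEL = "local", "capwap-to-ac"


@dataclass
class StaEntry:
    ip: str
    mac: str
    gateway_ip: str
    uplink_local: bool = False
    downlink_local: bool = False


class AccessPoint:
    def __init__(self, mode):
        self.mode = mode
        self.stas = {}  # STA MAC -> StaEntry

    def on_dhcp_result(self, mac, ip, gateway_ip):
        # Store the IP / MAC / user-gateway binding relayed by the AC.
        entry = StaEntry(ip, mac, gateway_ip)
        entry.downlink_local = self.mode is Mode.UPLINK_ONLY
        self.stas[mac] = entry

    def on_config_message(self, mac, enable):
        # First configuration message: enable=True; second: enable=False.
        entry = self.stas.get(mac)
        if entry is None:
            return False  # no binding for this STA, nothing to switch
        entry.uplink_local = enable
        if self.mode is Mode.BOTH:
            entry.downlink_local = enable
        return True

    def uplink_path(self, mac):
        # Unknown or unauthenticated STAs are always tunnelled to the AC.
        entry = self.stas.get(mac)
        return LOCAL if entry and entry.uplink_local else TUNNEL

    def downlink_path(self, mac):
        entry = self.stas.get(mac)
        return LOCAL if entry and entry.downlink_local else TUNNEL

    def arp_proxy_reply(self, target_ip):
        # Answer the user gateway's ARP request only for an STA on this AP.
        for entry in self.stas.values():
            if entry.ip == target_ip:
                return entry.mac
        return None


class AccessController:
    def __init__(self, ap):
        self.ap = ap
        self.host_routes = set()  # host routes advertised to the central router

    def on_sta_address(self, mac, ip, gateway_ip):
        self.ap.on_dhcp_result(mac, ip, gateway_ip)
        if self.ap.mode is Mode.BOTH:
            # Assumption: the route is advertised as soon as the address is known.
            self.host_routes.add(ip + "/32")

    def on_portal_success(self, mac):
        return self.ap.on_config_message(mac, enable=True)

    def on_sta_logout(self, mac):
        entry = self.ap.stas.get(mac)
        if entry and self.ap.mode is Mode.BOTH:
            self.host_routes.discard(entry.ip + "/32")
        return self.ap.on_config_message(mac, enable=False)


def walk_through(mode):
    """Return (uplink, downlink) paths before auth, after auth, after logout."""
    ap = AccessPoint(mode)
    ac = AccessController(ap)
    mac = "02:00:00:00:00:01"  # constructed sample values
    ac.on_sta_address(mac, "192.0.2.10", "192.0.2.1")
    trace = [(ap.uplink_path(mac), ap.downlink_path(mac))]
    ac.on_portal_success(mac)
    trace.append((ap.uplink_path(mac), ap.downlink_path(mac)))
    ac.on_sta_logout(mac)
    trace.append((ap.uplink_path(mac), ap.downlink_path(mac)))
    return trace
```

In both structures the uplink of an STA without an enabling configuration message stays on the CAPWAP tunnel, so an operator auditing such a deployment would check that the AP's default for a new or unknown STA is the tunnelled path.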
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.

Claims (22)

1. A portal (Portal) authentication method in a wireless network, characterized in that the method comprises:
A. after receiving an authentication request from a mobile terminal (STA), a wireless access point (AP) sends the authentication request to an access controller (AC) through a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel;
B. said AC sends said authentication request to a Portal server and, after learning that said Portal server has successfully authenticated said STA, sends a configuration message through said CAPWAP tunnel instructing said AP to enable the local forwarding function for said STA;
C. after learning that said STA has logged out, said AC sends a configuration message through said CAPWAP tunnel instructing said AP to disable the local forwarding function for said STA.
2. The method according to claim 1, characterized in that, before said step A, the method further comprises:
D1. after connecting to said AP, said STA sends a Dynamic Host Configuration Protocol (DHCP) request message;
D2. said AP sends said DHCP request message to said AC through the CAPWAP tunnel, and said AC sends it to a DHCP server;
D3. said AC sends the IP address of said STA and the user gateway IP address of said STA, as returned by said DHCP server, to said AP through the CAPWAP tunnel;
D4. said AP forwards the IP address of said STA and said user gateway IP address to said STA, and stores the correspondence among the IP address of said STA, the MAC address of the STA and the user gateway IP address.
3. The method according to claim 2, characterized in that the method further comprises: configuring in advance on said AC an ARP entry containing the IP address and MAC address of the user gateway, and using this ARP entry to perform ARP proxy replies on behalf of said user gateway.
4. The method according to either of claims 1 or 3, characterized in that the AP by default initially enables the downlink local forwarding function for said STA and disables the uplink local forwarding function for said STA;
in step B, learning that said Portal server has successfully authenticated said STA comprises: after successfully authenticating said STA, said Portal server sends an authentication success message to said AC, and sends an authentication success response whose destination IP address is the IP address of the STA; a central router sends said authentication success response to the user gateway, and said user gateway sends the authentication success response to said STA via said AP; wherein said central router is a router or a router network between said Portal server and said AC.
5. The method according to claim 4, characterized in that said user gateway sending the authentication success response to said STA via said AP comprises:
after receiving said authentication success response, said user gateway broadcasts, to the APs connected to the user gateway, an ARP request containing the IP address of said STA;
after receiving said ARP request, the AP to which said STA is connected replies to said user gateway with an ARP response containing the MAC address of said STA;
after receiving said ARP response, said user gateway stores an ARP entry containing the IP address and MAC address of said STA, and uses this ARP entry to send said authentication success response.
6. The method according to claim 4, characterized in that enabling the local forwarding function for said STA in step B is: enabling the uplink local forwarding function for said STA;
disabling the local forwarding function for said STA in step C is: disabling the uplink local forwarding function for said STA.
7. The method according to any one of claims 1 to 3, characterized in that the method further comprises: starting a dynamic routing protocol on said AC in advance, the AC sending the collected host-specific route of said STA to a central router;
in step B, learning that said Portal server has successfully authenticated said STA comprises: after successfully authenticating said STA, said Portal server sends an authentication success response whose destination IP address is the IP address of the STA; the central router sends said authentication success response to said AC according to the host-specific route of said STA; wherein said central router is a router or a router network between said Portal server and said AC; said AC sends said authentication success response to said AP through said CAPWAP tunnel, and said AP sends it to said STA.
8. The method according to claim 7, characterized in that enabling the local forwarding function for said STA in step B is: enabling the uplink and downlink local forwarding functions for said STA;
disabling the local forwarding function for said STA in step C is: disabling the uplink and downlink local forwarding functions for said STA;
said step C further comprises: said AC notifying said central router to delete the host-specific route of said STA.
9. A wireless access point (AP), characterized in that the AP comprises: a packet sending and receiving unit and a function configuration unit;
said packet sending and receiving unit is configured to, after receiving an authentication request from a mobile terminal (STA), send the authentication request to a wireless controller (AC) through a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel; to receive the configuration message sent by the AC through the CAPWAP tunnel; and, after said function configuration unit has enabled the local forwarding function for said STA, to forward the packets of said STA in local forwarding mode;
said function configuration unit is configured to enable the local forwarding function for said STA when said packet sending and receiving unit receives a configuration message instructing it to enable the local forwarding function for said STA, and to disable the local forwarding function for said STA when said packet sending and receiving unit receives a configuration message instructing it to disable the local forwarding function for said STA.
10. The AP according to claim 9, characterized in that said packet sending and receiving unit is further configured to send a received Dynamic Host Configuration Protocol (DHCP) request message to said AC through the CAPWAP tunnel; to receive, through the CAPWAP tunnel, the IP address of said STA and the user gateway IP address of the STA sent by the AC; to forward the IP address of said STA and said user gateway IP address to said STA; and to store the correspondence among the IP address of said STA, the MAC address of the STA and the user gateway IP address.
11. The AP according to claim 9 or 10, characterized in that said function configuration unit by default initially enables the downlink local forwarding function for said STA and disables the uplink local forwarding function for said STA; when said packet sending and receiving unit receives a configuration message instructing it to enable the local forwarding function for said STA, it enables the uplink local forwarding function for said STA; when said packet sending and receiving unit receives a configuration message instructing it to disable the local forwarding function for said STA, it disables the uplink local forwarding function for said STA.
Said packet sending and receiving unit is further configured to, after receiving the authentication success response sent by the Portal server via the central router and the user gateway, send the authentication success response to said STA.
12. The AP according to claim 11, characterized in that the AP further comprises: an ARP proxy reply unit;
said packet sending and receiving unit is further configured to, after receiving an ARP request from said user gateway, pass the ARP request to the ARP proxy reply unit, and to send the ARP response provided by said ARP proxy reply unit to said user gateway;
said ARP proxy reply unit is configured to determine whether the IP address contained in said ARP request is the IP address of an STA connected to this AP and, if so, to include the MAC address of the STA corresponding to that IP address in an ARP response and provide it to said packet sending and receiving unit.
13. The AP according to claim 9 or 10, characterized in that, when said packet sending and receiving unit receives a configuration message instructing it to enable the local forwarding function for said STA, said function configuration unit enables the uplink and downlink local forwarding functions for said STA; when said packet sending and receiving unit receives a configuration message instructing it to disable the local forwarding function for said STA, said function configuration unit disables the uplink and downlink local forwarding functions for said STA.
Said packet sending and receiving unit is further configured to, after receiving the authentication success response sent by the Portal server via said AC, send the authentication success response to said STA.
14. A wireless controller (AC), characterized in that the AC comprises: a packet sending and receiving unit, an authentication confirmation unit and a management configuration unit;
said packet sending and receiving unit is configured to, after receiving the authentication request of a mobile terminal (STA) sent by a wireless access point (AP) through a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel, send the authentication request to a portal (Portal) server;
said authentication confirmation unit is configured to send a first configuration notification to said management configuration unit after learning that said Portal server has successfully authenticated said STA, and to send a second configuration notification to said management configuration unit after learning that said STA has logged out;
said management configuration unit is configured to, after receiving said first configuration notification, send a configuration message through said CAPWAP tunnel instructing said AP to enable the local forwarding function for said STA; and, after receiving said second configuration notification, to send a configuration message through said CAPWAP tunnel instructing said AP to disable the local forwarding function for said STA.
15. The AC according to claim 14, characterized in that the AC further comprises: an ARP proxy reply unit, configured to perform ARP proxy replies on behalf of said user gateway according to an ARP entry, preconfigured on the AC, that contains the IP address and MAC address of the user gateway.
16. The AC according to claim 14 or 15, characterized in that, when said AP by default initially enables the downlink local forwarding function for said STA and disables the uplink local forwarding function for said STA, said authentication confirmation unit learns that said Portal server has successfully authenticated said STA after said packet sending and receiving unit receives the authentication success message sent by said Portal server.
17. The AC according to claim 14 or 15, characterized in that the AC further comprises: a route sending unit, configured to use a dynamic routing protocol started on the AC in advance to send the collected host-specific route of said STA to a central router, and, after said authentication confirmation unit learns that said STA has logged out, to notify said central router to delete the host-specific route of said STA; wherein said central router is a router or a router network between said Portal server and said AC;
said authentication confirmation unit learns that said Portal server has successfully authenticated said STA after said packet sending and receiving unit receives the authentication success response sent by said Portal server;
said packet sending and receiving unit is further configured to, after receiving said authentication success response, send said authentication success response to said AP through said CAPWAP tunnel.
18. A portal (Portal) authentication system in a wireless network, characterized in that the system comprises: a wireless access point (AP), a wireless controller (AC) and a Portal server;
said AP is configured to, after receiving an authentication request from a mobile terminal (STA), send the authentication request to said AC through a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel; after receiving a first configuration message, to enable the local forwarding function for said STA; and after receiving a second configuration message, to disable the local forwarding function for said STA;
said AC is configured to send the received authentication request to said Portal server; after learning that said Portal server has successfully authenticated said STA, to send the first configuration message to said AP through said CAPWAP tunnel; and after learning that said STA has logged out, to send the second configuration message to said AP through said CAPWAP tunnel;
said Portal server is configured to authenticate said STA after receiving said authentication request.
19. The system according to claim 18, characterized in that the system further comprises: a Dynamic Host Configuration Protocol (DHCP) server;
said AP is further configured to receive the DHCP request message that said STA sends after connecting to the AP, and to send the DHCP request message to said AC through the CAPWAP tunnel; and to forward the received IP address of the STA and user gateway IP address of the STA to said STA, and store the correspondence among the IP address of said STA, the MAC address of the STA and the user gateway IP address;
said AC is further configured to send the received DHCP message to the DHCP server, and to send the IP address of the STA and the user gateway IP address of the STA returned by said DHCP server to said AP through the CAPWAP tunnel;
said DHCP server is configured to, after receiving said DHCP message, allocate an IP address to said STA, and return the allocated IP address of the STA and the user gateway IP address of the STA to said AC.
20. The system according to claim 19, characterized in that said AC is further configured to use a preconfigured ARP entry containing the IP address and MAC address of the user gateway to perform ARP proxy replies on behalf of said user gateway.
21. The system according to any one of claims 18 to 20, characterized in that the system further comprises: a user gateway, and a central router between said Portal server and said AC;
said AP by default initially enables the downlink local forwarding function for said STA and disables the uplink local forwarding function for said STA; after receiving said first configuration message, it enables the uplink local forwarding function for said STA; after receiving said second configuration message, it disables the uplink local forwarding function for said STA;
said Portal server is further configured to, after successfully authenticating said STA, send an authentication success message to said AC, and send an authentication success response whose destination IP address is the IP address of the STA;
said AC learns that said Portal server has successfully authenticated said STA after receiving said authentication success message;
the central router is configured to, after receiving said authentication success response, send said authentication success response to the user gateway;
said user gateway is configured to send the received authentication success response to said STA via said AP.
22. The system according to any one of claims 18 to 20, characterized in that the system further comprises: a user gateway, and a central router between said Portal server and said AC;
said AC is further configured to use a dynamic routing protocol started in advance to send the collected host-specific route of said STA to said central router;
said Portal server is further configured to, after successfully authenticating said STA, send an authentication success response whose destination IP address is the IP address of the STA;
said central router is configured to send the authentication success response sent by said Portal server to said AC according to the host-specific route of said STA;
said AC learns that said Portal server has successfully authenticated said STA after receiving said authentication success response, and sends said authentication success response to said AP through said CAPWAP tunnel; after learning that said STA has logged out, it notifies said central router to delete the host-specific route of said STA;
said AP is further configured to send the received authentication success response to said STA; after receiving said first configuration message, to enable the uplink and downlink local forwarding functions for said STA; and after receiving said second configuration message, to disable the uplink and downlink local forwarding functions for said STA.
CN2009100912302A 2009-08-13 2009-08-13 Method, system and device for authenticating portal in wireless network Active CN101621802B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100912302A CN101621802B (en) 2009-08-13 2009-08-13 Method, system and device for authenticating portal in wireless network

Publications (2)

Publication Number Publication Date
CN101621802A CN101621802A (en) 2010-01-06
CN101621802B true CN101621802B (en) 2012-02-08

Family

ID=41514775

Country Status (1)

Country Link
CN (1) CN101621802B (en)

Also Published As

Publication number Publication date
CN101621802A (en) 2010-01-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Hangzhou H3C Technologies Co., Ltd.
