CN102333311B - User access control method and system for wireless local area network
Abstract
The invention provides a user access control method and a user access control system for a wireless local area network, and relates to wireless local area network technology. The user access control method comprises: an authentication portal server receives an access point (AP) authentication request initiated by a user terminal; according to that request, the authentication portal server transmits the related authentication information of the user terminal to an authentication, authorization and accounting (AAA) server through a multi-service edge (MSE); the AAA server authenticates the user terminal and transmits the authentication result and preset user level information to the AP through the MSE; after the user terminal passes authentication, the AP detects the current traffic; and the AP judges whether to permit the user terminal to access according to the current traffic, the user level information and a preset traffic threshold value. With the method and the system, accurate and differentiated user access control for the wireless local area network (WLAN) can be effectively realized, the resource utilization of the WLAN can be increased and user perception can be improved.
Description
Technical field
The present invention relates to wireless local area network technology, and in particular to a user access control method and system for a wireless local area network.
Background art
A wireless local area network (WLAN) is an important means of providing users with broadband wireless access. A typical WLAN comprises wireless clients, access points (AP, Access Point) and wireless controllers (AC, Access Controller). A wireless client is a terminal such as a personal computer (PC) with a wireless network card or a portable notebook computer. The AP provides the bridging function from the wireless client to the local area network, performing wireless-to-wired and wired-to-wireless frame conversion between the wireless client and the local area network.
At present, in WLAN engineering deployments, the number of users simultaneously connected to an AP is limited by statically setting the number of access users: each WLAN user that accesses is recorded as one access user, and when the number of users reaches a certain threshold, requests from new access users are refused. This method has the following deficiencies: first, access control is based only on the number of users, so control is still not accurate enough, because a large number of users does not necessarily mean heavy traffic; second, user priority is not considered, and in particular no differentiated access control policy is provided for high-priority users.
Summary of the invention
The inventors have found problems in the above prior art and therefore propose a new technical solution to at least one of those problems.
An object of the present invention is to provide a user access control method for a wireless local area network, comprising: an authentication portal server receives an AP authentication request initiated by a user terminal; the authentication portal server sends the user authentication request to an AAA server through a multi-service edge gateway (MSE: Multi-Service Edge); the AAA server authenticates the user terminal and sends the authentication result and preset user level information to the AP through the MSE; if the user terminal does not pass authentication, the AP refuses the user access; if the user terminal passes authentication, the AP detects the current traffic; and the AP judges whether to permit the user terminal to access according to the current traffic, the user level information and a preset traffic threshold.
In one embodiment, the AP detecting the current traffic comprises: the AP detecting the AP air-interface traffic or detecting the AP wired-side traffic.
In one embodiment, the AP detecting the AP air-interface traffic comprises: continuously detecting a plurality of sample points within a predetermined time and taking their average as the current AP air-interface traffic; or choosing the maximum traffic value as the current AP air-interface traffic.
In one embodiment, the steps in which the authentication portal server receives the AP authentication request initiated by the user terminal and sends the user authentication request to the AAA server through the multi-service edge gateway (MSE: Multi-Service Edge) comprise: the authentication portal server sends the relevant authentication information of the user terminal to the MSE; the MSE relays the received relevant information of the user terminal to the AAA server in RADIUS protocol format for authentication.
The present invention also provides a user access control system for a wireless local area network, comprising: an authentication portal server, configured to receive an AP authentication request initiated by a user terminal and, according to that request, send the relevant authentication information of the user terminal to an AAA server; the AAA server, configured to receive the relevant authentication information of the user terminal sent by the authentication portal server through the MSE, authenticate the user terminal, and send the authentication result and preset user level information to the AP through the MSE; and the AP, configured to receive the authentication result and the preset user level information sent by the AAA server, detect the current traffic after the user terminal passes authentication, and judge whether to permit the user terminal to access according to the current traffic, the user level information and a preset traffic threshold.
In one embodiment, the AP is further configured to detect the AP air-interface traffic or detect the AP wired-side traffic.
In one embodiment, the AP is further configured to continuously detect a plurality of sample points within a predetermined time and take their average as the current AP air-interface traffic; or to choose the maximum traffic value as the current AP air-interface traffic.
In one embodiment of the user access control system, the MSE is further configured to receive the relevant authentication information of the user terminal sent by the authentication portal server, and to relay the received relevant authentication information of the user terminal to the AAA server in RADIUS protocol format for authentication.
Based on the above technical solution, according to one aspect of the present invention, traffic constraints are used as the basis for judging whether a user may access the WLAN, and a differentiated control policy is applied according to the priority of different users. This effectively realizes accurate and differentiated user access control for the WLAN and improves WLAN resource utilization and user perception.
Brief description of the drawings
The accompanying drawings described here provide further explanation of the present invention and form a part of it. The illustrative embodiments of the present invention and their description serve only to explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of a user access control method for a wireless local area network according to an embodiment of the present invention.
Fig. 2 is a flow chart of a user access control method for a wireless local area network according to another embodiment of the present invention.
Fig. 3 is a schematic diagram of the access control policy according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a user access control system for a wireless local area network according to an embodiment of the present invention.
Detailed description
The present invention is described in more detail below with reference to the accompanying drawings, in which exemplary embodiments of the invention are illustrated. In the drawings, identical reference numbers denote identical or similar components or elements.
Fig. 1 is a flow chart of a user access control method 100 for a wireless local area network according to an embodiment of the present invention.
In step 102, the authentication portal server receives the AP authentication request initiated by the user terminal.
In step 104, according to the AP authentication request initiated by the user terminal, the authentication portal server sends the relevant authentication information of the user terminal to the AAA server through the MSE.
In step 105, the AAA server authenticates the user terminal and sends the authentication result and the preset user level information to the AP through the MSE.
In step 106, after the user terminal passes authentication, the AP detects the current traffic.
In step 108, the AP judges whether to permit the user terminal to access according to the current traffic, the user level information and a preset traffic threshold.
Fig. 2 is a flow chart of a user access control method 200 for a wireless local area network according to another embodiment of the present invention.
In step 201, the user terminal sends a DHCP discover message to obtain an IP address.
In step 202, the MSE, which also acts as the DHCP (Dynamic Host Configuration Protocol) server, assigns an IP address to the user.
In step 203, the user terminal enters the network address to be accessed and initiates an HTTP request based on the HyperText Transfer Protocol (HTTP).
In step 204, the MSE judges whether this user terminal has been authenticated; because the user terminal has not yet been authenticated, the MSE forces the user terminal to access the authentication portal server.
In step 205, the user terminal accesses the authentication portal server, the user name and password are entered on the authentication page, and the relevant information is sent to the authentication portal server.
In step 206, the authentication portal server sends the user name and password to the MSE using a standard protocol; the MSE converts the user name and password received from the authentication portal server into Remote Authentication Dial In User Service (RADIUS) protocol format and relays them over the RADIUS protocol to the authentication, authorization and accounting (AAA) server.
In step 207, the AAA server delivers the authentication result and the preset priority information corresponding to this user name to the AP through the MSE.
In step 208, the AP judges whether the user may access according to factors such as whether authentication succeeded, the user level, and the AP's traffic at the current time.
In step 209, the AP sends the corresponding information to the user terminal.
In one embodiment, the policy for judging whether a user may access can be as follows: first, the AP judges whether the user's authentication succeeded; if not, access is refused. If authentication succeeded, whether to permit the user to access is then determined according to the traffic and user level criterion.
For example, with the criterion of Fig. 3, user levels are divided into two levels, high priority and ordinary user, and two traffic thresholds W1 and W2 (W1 < W2) are set correspondingly. In this way, at a given level of network traffic, access by ordinary users is restricted while access by high-priority users is permitted, realizing differentiated handling of different customers.
There are many methods by which the AP can detect the current air-interface traffic. For example, N sample points can be detected continuously within time T and their average taken as the current AP air-interface traffic, or the maximum value can be chosen as the current air-interface traffic.
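The AP-side decision described above (authentication result, user level, and sampled traffic compared against W1 and W2), as an added Python example that is not part of the patent text. The names, the Mbit/s unit, the reading that ordinary users are refused at or above W1 and high-priority users at or above W2, and the fail-closed handling of an unknown level or an empty sample window are assumptions; Fig. 3 is not reproduced on this page.

```python
from dataclasses import dataclass
from enum import Enum
from statistics import fmean


class UserLevel(Enum):
    ORDINARY = "ordinary"   # assumed attribute values delivered by the AAA server
    HIGH = "high"


class Estimator(Enum):
    MEAN = "mean"           # average of the N samples taken within time T
    MAX = "max"             # largest of the N samples


@dataclass(frozen=True)
class Policy:
    w1: float               # threshold W1, applied to ordinary users (assumed Mbit/s)
    w2: float               # threshold W2, applied to high-priority users

    def __post_init__(self):
        if not 0 < self.w1 < self.w2:
            raise ValueError("thresholds must satisfy 0 < W1 < W2")

    def threshold_for(self, level):
        return self.w2 if level is UserLevel.HIGH else self.w1


def current_traffic(samples, estimator):
    """Reduce the samples collected in one window to a single traffic figure."""
    if not samples:
        raise ValueError("no traffic samples in the window")
    if any(s < 0 for s in samples):
        raise ValueError("negative traffic sample")
    return max(samples) if estimator is Estimator.MAX else fmean(samples)


def admit(auth_ok, level_attr, samples, policy, estimator=Estimator.MEAN):
    """Return (allowed, reason). Every failure path refuses access."""
    if not auth_ok:
        return False, "authentication failed"
    try:
        level = UserLevel(level_attr)
    except ValueError:
        return False, "unknown user level"
    try:
        traffic = current_traffic(samples, estimator)
    except ValueError as exc:
        return False, str(exc)
    limit = policy.threshold_for(level)
    if traffic >= limit:
        return False, f"traffic {traffic:.1f} >= threshold {limit:.1f}"
    return True, f"traffic {traffic:.1f} < threshold {limit:.1f}"


# Constructed sample data: five air-interface readings from one window.
SAMPLES = [30.0, 42.0, 55.0, 38.0, 35.0]
POLICY = Policy(w1=45.0, w2=60.0)

if __name__ == "__main__":
    for level in ("ordinary", "high"):
        for est in Estimator:
            print(level, est.value, admit(True, level, SAMPLES, POLICY, est))
```

On this sample the two estimators disagree for an ordinary user: the average admits the user while the maximum refuses, so the choice of estimator is itself part of the admission policy.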
In addition, in a concrete implementation, the message flow, the division of user levels, and the grading and values of the thresholds can be determined according to circumstances, but all of these fall within the spirit and principles of the present invention and shall be included in its scope of protection.
Fig. 4 is a schematic diagram of a user access control system 500 for a wireless local area network according to an embodiment of the present invention. The system comprises an authentication portal server 402, an AP 404, an MSE 406 and an AAA server 408.
The AAA server 408 is configured to receive the relevant authentication information of the user terminal sent by the authentication portal server 402 through the MSE 406, authenticate the user terminal, and send the authentication result and the preset user level information to the AP through the MSE 406.
The MSE 406 is further configured to receive the relevant information of the user terminal sent by the authentication portal server 402, and to relay the received relevant information of the user terminal to the AAA server 408 in RADIUS protocol format for authentication.
According to one aspect of the present invention, traffic constraints are used as the basis for judging whether a user may access the WLAN, and a differentiated control policy is applied according to the priority of different users. This effectively realizes accurate and differentiated user access control for the WLAN and improves WLAN resource utilization and user perception.
The description of the present invention is given for the sake of example and explanation, and is not exhaustive or intended to limit the invention to the disclosed form. Many modifications and variations are obvious to those of ordinary skill in the art. The embodiments were selected and described in order to better explain the principles and practical application of the invention, and to enable those of ordinary skill in the art to understand the invention and design various embodiments with various modifications suited to particular uses.
Claims (4)
1. A user access control method for a wireless local area network, characterized by comprising:
an authentication portal server receives an AP authentication request initiated by a user terminal;
according to the AP authentication request initiated by the user terminal, said authentication portal server sends the relevant authentication information of said user terminal to an AAA server through an MSE;
said AAA server authenticates said user terminal and sends the authentication result and preset user level information to the AP through said MSE;
after the user terminal passes authentication, said AP detects the current traffic;
said AP judges whether to permit the user terminal to access according to the current traffic, the user level information and a preset traffic threshold;
wherein said AP detecting the current traffic comprises said AP detecting the AP air-interface traffic; and said AP detecting the AP air-interface traffic comprises: continuously detecting a plurality of sample points within a predetermined time and taking their average as the current AP air-interface traffic; or choosing the maximum traffic value as the current AP air-interface traffic.
2. The user access control method according to claim 1, characterized in that said authentication portal server sending the relevant authentication information of said user terminal to the AAA server through the MSE, according to the AP authentication request initiated by the user terminal, comprises:
said authentication portal server sends the relevant authentication information of said user terminal to said MSE;
said MSE relays the received relevant authentication information of the user terminal to said AAA server in RADIUS protocol format for authentication.
3. A user access control system for a wireless local area network, characterized by comprising:
an authentication portal server, configured to receive an AP authentication request initiated by a user terminal and, according to the AP authentication request initiated by the user terminal, send the relevant authentication information of said user terminal;
an AAA server, configured to receive the relevant authentication information of said user terminal sent by said authentication portal server through an MSE, authenticate said user terminal, and send, through said MSE, the authentication result and the user level information preset in said AAA server;
an AP, configured to receive the authentication result and the preset user level information sent by said AAA server, detect the current traffic after the user terminal passes authentication, and judge whether to permit the user terminal to access according to the current traffic, the user level information and a preset traffic threshold;
wherein said AP detecting the current traffic comprises said AP detecting the AP air-interface traffic; and said AP detecting the AP air-interface traffic comprises: continuously detecting a plurality of sample points within a predetermined time and taking their average as the current AP air-interface traffic; or choosing the maximum traffic value as the current AP air-interface traffic.
4. The user access control system according to claim 3, characterized in that said MSE is further configured to receive the relevant authentication information of said user terminal sent by said authentication portal server, and to relay the received relevant information of the user terminal to said AAA server in RADIUS protocol format for authentication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110330669.3A CN102333311B (en) | 2011-10-27 | 2011-10-27 | User access control method and system for wireless local area network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102333311A (en) | 2012-01-25 |
CN102333311B (en) | 2014-01-15 |
Family
ID=45484886
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110330669.3A Active CN102333311B (en) | 2011-10-27 | 2011-10-27 | User access control method and system for wireless local area network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102333311B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |