CN102739684B - Portal authentication method based on virtual IP address, and server thereof - Google Patents

Publication number: CN102739684B (application CN201210228247.XA; earlier publication CN102739684A)
Authority: CN (China)
Prior art keywords: arp, address, portal, server, user terminal
Legal status: Active
Other languages: Chinese (zh)
Inventor: 仇俊杰
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Abstract

A Portal authentication method based on a virtual IP address is applied on an authentication device in a network that also comprises an access device and a gateway. The Portal server is configured with a virtual IP address identical to the gateway IP address, and the upstream port and the downstream port of the authentication device are configured in the same VLAN. The method comprises: monitoring ARP messages sent by other nodes, adding the sender IP address and MAC address carried in each ARP message to the ARP cache as an ARP entry, and setting that entry to the reachable state; configuring the Portal server to neither send nor respond to ARP requests; and, during Portal authentication, obtaining the MAC addresses of the other nodes taking part in the authentication from the ARP entries recorded in the ARP cache in order to communicate with those nodes. In a scenario where IP address resources are scarce, the user therefore does not need to adjust the IP address plan or the networking mode.

Description

Portal authentication method based on a virtual IP address, and server thereof
Technical field
The present invention relates to Portal authentication techniques, and in particular to a Portal authentication method based on a virtual IP address and a server for it.
Background technology
Portal authentication is a web-based authentication technique; its advantage is that the basic Portal authentication process does not require the user to download any client software. Referring to Fig. 2, when a user terminal goes online, the Portal server (which may reside on the authentication device) forces the user to access a specific URL. A user who wants to connect to the Internet must first authenticate on the page that the Portal server forcibly pushes; only after passing authentication can the user reach network resources. For example, when a user accesses www.sina.com.cn without having passed Portal authentication, the Portal server establishes the TCP connection with the user terminal while impersonating Sina's IP address and, using Sina's IP address as the source, sends the user a redirect message whose main purpose is to require the user to access the Portal server's authentication page. The user terminal's web browser then sends an HTTP request to the Portal server and obtains that authentication page. On this page the user can perform identity authentication, and terminal authentication client software may also be offered for download. At this point the destination IP address accessed by the browser on the user terminal is no longer that of the originally requested Sina site but the Portal server's own IP address. The Portal server responds to the browser's requests, and only after the user has passed authentication can the user continue to access network resources.
Existing methods all require the Portal server to have an independent IP address in order to communicate with the user terminal equipment. With IPv6 technology still immature and IPv4 addresses in very short supply, some network plans simply have no spare IP address to give the Portal server. Referring to Fig. 2, suppose the address of the access device is 10.11.1.254 with mask 255.255.255.252 and the gateway address is 10.11.1.253 with mask 255.255.255.252. The Portal server then has no available IP address, the devices cannot communicate with the server properly, and the Portal server's authentication function cannot be used. In this case the user is usually forced to change the original network plan or to re-plan IP addresses, otherwise the authentication function cannot be deployed. Readjusting the original network plan or the IP address assignment is very inconvenient for users, so the acceptance of such solutions is very low.
Summary of the invention
The present invention provides a Portal server based on a virtual IP address. The server is applied on an authentication device and provides Portal authentication service to user terminals in a network that also comprises an access device and a gateway. The Portal server is configured with a virtual IP address identical to the gateway IP address, and the port of the authentication device that connects to the access device and the port that connects to the gateway are configured in the same Layer 2 network. The server comprises:
an ARP processing unit, which monitors ARP messages sent by other nodes, adds the sender IP address and MAC address carried in each such ARP message to the ARP cache as an ARP entry, and sets that entry to the reachable state; the ARP processing unit is configured to neither send nor respond to ARP requests;
a Portal authentication unit, which, during the Portal authentication process, obtains the MAC addresses of the other nodes taking part in the Portal authentication from the ARP entries recorded in the ARP cache and communicates with those nodes.
The present invention also provides a Portal authentication method based on a virtual IP address. The method is applied on an authentication device and provides Portal authentication service to user terminals in a network that also comprises an access device and a gateway. The Portal server is configured with a virtual IP address identical to the gateway IP address, and the port of the authentication device that connects to the access device and the port that connects to the gateway are configured in the same Layer 2 network. The method comprises:
A. monitoring ARP messages sent by other nodes, adding the sender IP address and MAC address carried in each such ARP message to the ARP cache as an ARP entry, and setting that entry to the reachable state; the Portal server is configured to neither send nor respond to ARP requests;
B. during the Portal authentication process, the Portal server obtains the MAC addresses of the other nodes taking part in the Portal authentication from the ARP entries recorded in the ARP cache and communicates with those nodes.
The present invention makes no change to the Portal authentication process itself. It lets the Portal server reuse the gateway's IP address without affecting the user's normal network access, and without any behaviour that the ARP attack-protection mechanisms deployed in the user's network would detect as a suspected ARP attack. In a scenario where the user network's IP addresses are exhausted, the user need not adjust the IP address assignment or the networking mode, which significantly improves the experience of network planning.
Accompanying drawing explanation
Fig. 1 is a logical block diagram of the Portal server in one embodiment of the present invention.
Fig. 2 is a networking diagram of a typical Portal authentication deployment according to the present invention.
Fig. 3 is a schematic diagram of the ARP message format.
Embodiment
The present invention offers the user a new deployment option for the Portal server when no IP address is available or the user wishes to save IP address resources. It is described below using a computer program implementation as an example, but other implementations are not excluded. Referring to Fig. 1, a Portal server based on a virtual IP address according to the present invention is applied on an authentication device and provides Portal authentication service to user terminals in a network comprising multiple user terminals, an access device and a gateway. The server comprises an ARP processing unit and a Portal authentication unit, and is configured with the same IP address as the gateway. Referring to Fig. 1 and Fig. 2, the general processing flow of the Portal server in this embodiment comprises:
Step 101: configure the port of the authentication device connected to the access device and the port connected to the gateway in the same Layer 2 network (for example in the same VLAN), and configure the Portal server with the same IP address as the gateway.
Step 102: the ARP processing unit monitors ARP messages sent by other nodes, adds the sender IP address and MAC address carried in each ARP message to the ARP cache as an ARP entry, and sets that entry to the reachable state; the ARP processing unit is configured to neither send nor respond to ARP requests.
The Portal server is configured with an IP address identical to the gateway's; the present invention calls it a virtual IP address, but that is only a figure of speech and does not change how the IP address is used. Under this network configuration two nodes in the network obviously share the same IP address, which would normally cause an IP address conflict, so special handling is needed to ensure that each of the two nodes performs its own function. If the Portal server responded to ARP requests sent by other nodes, or sent ARP requests itself, the gateway ARP entry held on the other nodes (such as user terminals) would inevitably be modified. Because the destination MAC address a user terminal fills in when accessing the external network (such as the Internet) is the gateway's MAC address, once the gateway ARP entry in its ARP cache is modified, every packet the user sends to the external network would be delivered to the Portal server instead, and the user terminal could no longer reach the external network through the gateway. Moreover, many users' network devices (such as the access device in Fig. 2) may have ARP attack-protection mechanisms deployed. If the Portal server sent ARP requests or responded to them, the ARP attack-protection mechanism on the network device could treat this as an ARP attack, the administrator would receive an alarm, and the network would be disrupted. Therefore, in the present invention the ARP processing unit is configured to neither send nor respond to ARP requests, so that user terminals cannot discover the existence of the Portal server through ARP exchanges.
On the other hand, because the port of the authentication device connected to the access device and the port connected to the gateway are in the same VLAN, and because ARP request messages are broadcast in a Layer 2 network, every user terminal that accesses the external network requests the gateway's MAC address with an ARP request message (for the message format see Fig. 3), and owing to the port configuration of step 101 that ARP request message is received by the ARP processing unit of the Portal server. The ARP processing unit thereby learns the IP address and MAC address of the user terminal. In normal ARP processing, before an ARP request has been answered the state of the entry can only be set to a provisional state (such as incomplete or probe); since the ARP processing unit can neither send ARP requests nor respond to them, an entry left in a provisional state would age out very quickly. The present invention therefore skips the normal ARP processing flow and sets the entry directly to the reachable state, so that the Portal authentication unit knows the user terminal's MAC address when it later interacts with the terminal. If the entry aged out quickly as in the prior art, the Portal authentication unit would not know the user terminal's MAC address when it needed to communicate with the terminal, and could not communicate with it at all.
For the same reason, the ARP processing unit likewise learns the IP addresses and MAC addresses of the other network devices, such as the access device and the gateway, and records them in the ARP cache as corresponding ARP entries. The Portal server thus has the basis it needs to communicate with other nodes (network devices or user terminals), because in a normal Portal authentication process the Portal server may need to communicate with multiple nodes.
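The ARP processing unit of step 102 can be modelled as a passive listener on the shared VLAN. The following Python is an added example, not code from the patent or from DPTech: it parses Ethernet/ARP frames (assuming the standard IPv4-over-Ethernet layout for the Fig. 3 format), records every sender IP/MAC pair straight into a reachable entry, and returns no reply to any ARP message, including requests for its own virtual IP. The class and function names, addresses and MACs are this example's own constructed values.

```python
"""Passive ARP learning for a Portal server that shares the gateway's IP.

Added example, not code from the patent or from DPTech. It models the ARP
processing unit of step 102: the unit listens to every ARP message on the
shared VLAN, records the sender IP/MAC pair as a cache entry that is
REACHABLE immediately (skipping the provisional state that would age out),
and never emits an ARP request or reply, not even for its own virtual IP.
Frame layout assumed: Ethernet II + IPv4-over-Ethernet ARP (Fig. 3). All
class and function names, addresses and MACs below are constructed.
"""
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
INCOMPLETE, REACHABLE = "incomplete", "reachable"   # entry states used here


@dataclass
class ArpEntry:
    ip: str
    mac: str
    state: str


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def parse_arp_frame(frame: bytes):
    """Return (opcode, sender_ip, sender_mac, target_ip), or None if the frame
    is not a well-formed IPv4-over-Ethernet ARP message."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in arp[8:14])
    sender_ip = ".".join(str(b) for b in arp[14:18])
    target_ip = ".".join(str(b) for b in arp[24:28])
    return opcode, sender_ip, sender_mac, target_ip


class PassiveArpUnit:
    """ARP processing unit: learns from what it hears, never speaks ARP."""

    def __init__(self, virtual_ip: str):
        self.virtual_ip = virtual_ip        # identical to the gateway's address
        self.cache: dict[str, ArpEntry] = {}

    def handle_frame(self, frame: bytes):
        """Record the sender of any ARP message. Always returns None: a request
        for the virtual IP (the gateway's address) gets no reply either, so the
        gateway entry on user terminals is never disturbed and no ARP guard on
        the access device ever sees the Portal server speak."""
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return None
        opcode, sender_ip, sender_mac, _target_ip = parsed
        if opcode not in (ARP_REQUEST, ARP_REPLY) or sender_ip == "0.0.0.0":
            return None                     # unknown opcode, or a probe with no sender IP
        # A normal stack would park an unanswered request as INCOMPLETE and age
        # it out; here the pair goes straight to REACHABLE so it stays usable.
        self.cache[sender_ip] = ArpEntry(sender_ip, sender_mac, REACHABLE)
        return None

    def resolve(self, ip: str):
        """Lookup used later by the Portal authentication unit (step 103)."""
        entry = self.cache.get(ip)
        return entry.mac if entry is not None and entry.state == REACHABLE else None


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request frame; used only to construct test input."""
    smac = _mac_bytes(sender_mac)
    eth = b"\xff" * 6 + smac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + smac + _ip_bytes(sender_ip) + b"\x00" * 6 + _ip_bytes(target_ip))
    return eth + arp


def demo():
    """Constructed topology: Portal server and gateway share 192.0.2.1; a user
    terminal (192.0.2.10) and the access device (192.0.2.2) each ARP for the
    gateway, and the gateway ARPs for the terminal. All values are made up."""
    unit = PassiveArpUnit(virtual_ip="192.0.2.1")
    frames = [
        build_arp_request("02:00:00:00:00:11", "192.0.2.10", "192.0.2.1"),
        build_arp_request("02:00:00:00:00:fe", "192.0.2.2", "192.0.2.1"),
        build_arp_request("02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),
    ]
    replies = [unit.handle_frame(f) for f in frames]
    return unit, replies


if __name__ == "__main__":
    learned, _ = demo()
    for entry in learned.cache.values():
        print(entry)
```

Running the file prints the three learned entries (terminal, access device and gateway), each already reachable. On a real authentication device the frames would arrive from a raw socket bound to the VLAN-facing interface instead of `build_arp_request`; the point of the `handle_frame` contract is that it has no transmit path at all, which is what keeps the terminals' gateway entries intact and keeps the access device's ARP guard quiet.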
Step 103: the Portal authentication unit obtains the MAC addresses of the other nodes taking part in Portal authentication from the ARP entries recorded in the ARP cache, and communicates with those nodes. In a typical Portal authentication process, the Portal authentication unit proceeds mainly through the following steps:
(1) An HTTP message from the user terminal passes through the authentication device. The Portal server checks whether this user terminal has already passed authentication and, if so, lets the message through; if not, it further checks whether the HTTP message is addressed to the Portal server or to a configured free-access address and, if so, lets it through; otherwise the access device uses a redirect message to require the user terminal to access the Portal server's web authentication page. The Portal server provides the web authentication page to the user terminal so that the user can enter a username and password for authentication.
(2) The Portal server can be configured with a corresponding authentication method. For local authentication, the Portal authentication server verifies the username and password directly; for RADIUS, LDAP or TACACS+ authentication, the following flow is carried out.
(3) The port through which the Portal server connects to the third-party server is a port on which authentication is not enabled; on this port the server can send and respond to ARP messages normally. The Portal server and the third-party server exchange protocol messages, and the third-party authentication server completes the authentication of the user's identity.
(4) If the user passes authentication, the third-party authentication server notifies the Portal server.
(5) The Portal server sends an authentication-passed message to the client, notifying the client that authentication succeeded.
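The decision logic of sub-steps (1) to (5), with the MAC lookup that step 103 describes, can be written as a small state machine. The following Python is an added example, not code from the patent or from DPTech: `PortalAuthUnit` passes requests from authenticated terminals and requests to the Portal server or a free-access address, redirects everything else to the authentication page, dispatches the credential check to a local database or a third-party callback standing in for the RADIUS/LDAP/TACACS+ exchange, and addresses the success notice with the MAC taken from a plain dict that stands in for the ARP cache. The page path, host names, addresses and credentials are constructed, and dropping a request from a terminal whose MAC was never learned is this example's assumption.

```python
"""Portal authentication unit decision flow (step 103, sub-steps 1 to 5).

Added example, not code from the patent or from DPTech. It models the
decisions listed in the description: an HTTP request from an already
authenticated terminal is passed, a request addressed to the Portal server
or to a configured free-access address is passed, anything else is
redirected to the web authentication page; credentials are then checked
locally or handed to a third-party server (RADIUS/LDAP/TACACS+), and on
success the client is notified. The MAC needed to reach the terminal on the
shared VLAN is read from a plain dict (ip -> mac) standing in for the ARP
processing unit's cache. All names, addresses and credentials here are
constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Optional

PORTAL_PAGE = "/portal/login"        # assumed path of the web authentication page


@dataclass
class Decision:
    action: str           # "pass", "redirect" or "drop"
    location: str = ""    # redirect target when action == "redirect"
    dst_mac: str = ""     # MAC used to reach the terminal at Layer 2


def make_local_record(password: str) -> tuple:
    """Salted PBKDF2 record for the local user database."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PortalAuthUnit:
    virtual_ip: str                                   # same address as the gateway
    arp_cache: dict                                   # ip -> mac, learned passively
    free_hosts: set = field(default_factory=set)      # configured free-access hosts
    authenticated: set = field(default_factory=set)   # terminal IPs that passed
    local_users: dict = field(default_factory=dict)   # username -> (salt, digest)
    method: str = "local"                             # "local", "radius", "ldap", "tacacs+"
    third_party: Optional[Callable[[str, str], bool]] = None   # stands in for step (3)

    def on_http(self, src_ip: str, host: str, path: str) -> Decision:
        """Sub-step (1): classify one HTTP request from a user terminal."""
        mac = self.arp_cache.get(src_ip)
        if mac is None:
            # Assumption of this example: with no learned MAC the unit cannot
            # address the terminal at all, so the request is dropped.
            return Decision("drop")
        if src_ip in self.authenticated:
            return Decision("pass", dst_mac=mac)
        if host == self.virtual_ip or host in self.free_hosts:
            return Decision("pass", dst_mac=mac)
        return Decision("redirect", f"http://{self.virtual_ip}{PORTAL_PAGE}", mac)

    def _verify_local(self, user: str, password: str) -> bool:
        rec = self.local_users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(calc, digest)

    def login(self, src_ip: str, user: str, password: str) -> dict:
        """Sub-steps (2) to (5): verify credentials and notify the client."""
        if self.method == "local":
            ok = self._verify_local(user, password)
        elif self.third_party is not None:
            # Step (3): the exchange with the RADIUS/LDAP/TACACS+ server leaves
            # through a separate, non-authenticating port where ARP is normal.
            ok = self.third_party(user, password)
        else:
            ok = False
        if ok:
            self.authenticated.add(src_ip)            # step (4)
        # Step (5): the success notice is addressed with the learned MAC.
        return {"ok": ok, "notify_mac": self.arp_cache.get(src_ip)}


def demo():
    cache = {"192.0.2.10": "02:00:00:00:00:11"}   # constructed, as if learned
    unit = PortalAuthUnit("192.0.2.1", cache, free_hosts={"dns.example"},
                          local_users={"alice": make_local_record("correct horse")})
    before = unit.on_http("192.0.2.10", "www.example", "/")
    free = unit.on_http("192.0.2.10", "dns.example", "/")
    bad = unit.login("192.0.2.10", "alice", "wrong")
    good = unit.login("192.0.2.10", "alice", "correct horse")
    after = unit.on_http("192.0.2.10", "www.example", "/")
    return before, free, bad, good, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The redirect target is built from the virtual IP, which is exactly why the server can only answer a terminal whose MAC it learned passively: the reply frame must carry that MAC, since the server will never ARP for it.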
The present invention makes no change to the Portal authentication process itself. The Portal authentication unit needs to communicate with multiple nodes during one authentication, and because the ARP processing unit in step 102 has obtained, by monitoring ARP messages, the ARP entries of every node taking part in Portal authentication, whenever the Portal server needs to communicate with the access device or a user terminal it can obtain the other node's MAC address simply by looking up the ARP entry and then communicate with that node. In the prior art the Portal authentication unit could only work when the Portal server had an independent IP address; the present invention lets the Portal server reuse the gateway's IP address without affecting the user's normal network access and without any behaviour that the ARP attack-protection mechanisms deployed in the user's network would detect as a suspected ARP attack. In a scenario where the user network's IP addresses are exhausted, the user need not adjust the IP address assignment or the networking mode, which significantly improves the experience of network planning.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (8)

1. A Portal server based on a virtual IP address, applied on an authentication device and providing Portal authentication service to user terminals in a network, the network further comprising an access device and a gateway, the Portal server being configured with a virtual IP address identical to the gateway IP address, and the port of the authentication device connected to the access device and the port connected to the gateway being configured in the same Layer 2 network, the server comprising:
an ARP processing unit, which monitors ARP messages sent by other nodes, adds the sender IP address and MAC address carried in each such ARP message to an ARP cache as an ARP entry, and sets that entry to the reachable state; wherein the ARP processing unit is configured to neither send nor respond to ARP requests;
a Portal authentication unit, for obtaining, during a Portal authentication process, the MAC addresses of the other nodes taking part in the Portal authentication from the ARP entries recorded in the ARP cache, and communicating with those other nodes.
2. The server of claim 1, wherein the ARP message is an ARP request message.
3. The server of claim 1, wherein the other nodes at least comprise the user terminal and the access device.
4. The server of claim 1, wherein the Portal authentication unit is further configured to send a web authentication page to the user terminal when the user terminal has not passed authentication, to receive the username and password the user enters on the authentication page, and to notify the user when the user authentication succeeds.
5. A Portal authentication method based on a virtual IP address, applied on the Portal server of an authentication device and providing Portal authentication service to user terminals in a network, the network further comprising an access device and a gateway, the Portal server being configured with a virtual IP address identical to the gateway IP address, and the port of the authentication device connected to the access device and the port connected to the gateway being configured in the same Layer 2 network, the method comprising:
A. monitoring ARP messages sent by other nodes, adding the sender IP address and MAC address carried in each such ARP message to an ARP cache as an ARP entry, and setting that entry to the reachable state; wherein the Portal server is configured to neither send nor respond to ARP requests;
B. the Portal server obtaining, during a Portal authentication process, the MAC addresses of the other nodes taking part in the Portal authentication from the ARP entries recorded in the ARP cache, and communicating with those other nodes.
6. The method of claim 5, wherein the ARP message is an ARP request message.
7. The method of claim 5, wherein the other nodes at least comprise the user terminal and the access device.
8. The method of claim 5, further comprising:
C. sending a web authentication page to the user terminal when the user terminal has not passed authentication, receiving the username and password the user enters on the authentication page, and notifying the user terminal and the access device when the user authentication succeeds.
Application CN201210228247.XA, filed 2012-06-29 (priority date 2012-06-29): Portal authentication method based on virtual IP address, and server thereof. Status: Active; granted as CN102739684B (en).

Publications (2)

CN102739684A (en), published 2012-10-17
CN102739684B (en), granted, published 2015-03-18


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination
C14 / GR01: Grant of patent or utility model
C56 / CP01: Change in the name or title of the patent holder
  Address before and after: Binjiang District and Hangzhou city in Zhejiang Province Road 310000 No. 68 in the 6 storey building
  Patentee before: Hangzhou Dipu Technology Co., Ltd.
  Patentee after: Hangzhou Dipu Polytron Technologies Inc