CN105072129B - authentication method and system - Google Patents


Publication number: CN105072129B
Authority: CN (China)
Prior art keywords: user, association, authentication, authentication information, unicast message
Legal status: Active
Application number: CN201510536318.6A
Other languages: Chinese (zh)
Other versions: CN105072129A (en)
Inventor: 吴世奇
Current Assignee: Beijing Star Net Ruijie Networks Co Ltd
Original Assignee: Beijing Star Net Ruijie Networks Co Ltd
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN201510536318.6A
Publication of CN105072129A
Application granted
Publication of CN105072129B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention relates to the communications field and discloses an authentication method and system. The system includes: a DUT device arranged to intercept unicast messages; and a routing management module arranged to send the intercepted unicast message according to stored authentication information associated with the user, wherein, when the authentication information associated with the user shows that the user has not been authenticated, the routing management module is configured to redirect the user to an authentication device, and when the service package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently forwarded to the billing device corresponding to the user. By changing the existing authentication mode, the invention directs traffic to the operator's service-package unit equipment, so that users can choose an operator and package combination according to their own needs. This provides diversified services for university users while bringing more traffic to operators, realizing value-added services for operators.

Description

Authentication method and system
Technical field
The present invention relates to the communications field, and in particular to an authentication method and system and a routing management module and method.
Background
With the development of higher education in China, the informatization of colleges and universities has also developed rapidly. To give students a new learning environment that is available anytime, anywhere, on demand and ubiquitously, the types of applications on campus networks keep increasing, and the requirements for interactive experience are rising as well. As network technology develops, the volume of data carried on the network keeps growing. How to guarantee network security and quality of service has become an urgent problem, and fine-grained management is the inevitable choice for campus networks.
As is well known, network security is the precondition of fine-grained management; how to achieve both network security and lean operation is the core of the present invention. Fig. 1 shows a web authentication network diagram. In this network, the core device can centralize the management of all users on the network by enabling web authentication, which simplifies network deployment and reduces the cost of subsequent monitoring and maintenance. The device on which authentication is enabled is referred to here as the NAS (Network Access Security) device. After passing authentication, a user can access the network normally.
Fig. 2 shows the basic user authentication flow: the NAS intercepts any HTTP request message from an unauthenticated user, impersonates the destination address to establish a pseudo-connection with the user, and redirects the user to the authentication server to complete authentication.
However, the network structure shown in Fig. 1 cannot meet the growing and varied needs of customers at different levels by offering different package combinations from different operators, so a new technical solution is needed to give customers more choices.
Summary of the invention
The object of the present invention is to provide an authentication method and system and a routing management module and method, so as to offer customers different service package combinations.
The present invention provides an authentication system, which includes: a DUT device arranged to intercept unicast messages; and a routing management module arranged to send the intercepted unicast message according to stored authentication information associated with the user, wherein, when the authentication information associated with the user shows that the user has not been authenticated, the routing management module is configured to redirect the user to an authentication device, and when the service package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently forwarded to the billing device corresponding to the user.
Preferably, the unicast message is an HTTP unicast message.
Preferably, the service package subscribed to by the user is obtained from the user's authentication response; the authentication information associated with the user is stored in the user's authentication table entry, which is obtained by copying the user's routing table entry and extending it with an authentication field; the authentication information associated with the user is stored in that authentication field.
Preferably, the routing management module also uses an identifier to identify the authentication information associated with the user that corresponds to a unicast message.
Preferably, the routing management module is further configured to, after the user has been authenticated, obtain the service package subscribed to by the user according to the identifier so as to transparently forward the user's unicast messages.
The present invention provides an authentication method, which includes: intercepting a unicast message; and sending the intercepted unicast message according to stored authentication information associated with the user, wherein, when the authentication information associated with the user shows that the user has not been authenticated, the user is redirected to an authentication device, and when the service package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently forwarded to the billing device corresponding to the user.
Preferably, the unicast message is an HTTP unicast message.
Preferably, the service package subscribed to by the user is obtained from the user's authentication response; the authentication information associated with the user is stored in the user's authentication table entry, which is obtained by copying the user's routing table entry and extending it with an authentication field; the authentication information associated with the user is stored in that authentication field.
Preferably, the method further includes: using an identifier to identify the authentication information associated with the user that corresponds to a unicast message.
Preferably, the method further includes: after the user has been authenticated, obtaining the service package subscribed to by the user according to the identifier so as to transparently forward the user's unicast messages.
The present invention obtains the service package subscribed to by the user from the authentication response of the authentication device and, according to that package, directs traffic to the existing operator's service-package unit equipment, so that users can choose an operator and package combination according to their own needs. This provides diversified services for university users while bringing more traffic to operators, realizing value-added services for operators.
Other features and advantages of the present invention are described in detail in the detailed description that follows.
Brief description of the drawings
The drawings are provided for further understanding of the invention and constitute part of the specification. Together with the following detailed description they serve to explain the invention, but do not limit it. In the drawings:
Fig. 1 is a web authentication network diagram;
Fig. 2 is the user authentication flow in the prior art;
Fig. 3 is a schematic diagram of the operator network deployment provided by the invention;
Fig. 4 is the authentication flow chart provided by the invention;
Fig. 5 is the flow chart for establishing a user authentication table entry provided by the invention;
Fig. 6 is a schematic diagram of the routing management module provided by the invention.
Detailed description
Specific embodiments of the present invention are described in detail below with reference to the drawings. It should be understood that the embodiments described here only illustrate and explain the invention and are not intended to limit it.
In the present invention, in order to offer university users different service package combinations, the traffic of a user after authentication is directed to the billing device of the corresponding operator. Fig. 3 shows the operator's network deployment; an unauthenticated user must pass authentication when accessing the network. To offer different package combinations, the user first needs to sign a contract with an operator to purchase the corresponding package; after signing, the user obtains the information needed for authentication, such as a username and password. When accessing the network, the user can initiate a web authentication request using authentication information such as the username and password. The web authentication request is an HTTP unicast message. The device under test (DUT) intercepts the HTTP unicast message and forwards it to the routing management module. The routing management module checks the user authentication table and confirms that there is no authentication table entry for this user. Since the user is unauthenticated, the DUT must redirect the user to the authentication device. After authentication succeeds, an authentication table entry can be established for the user according to the authentication response; the entry contains a parameter characterizing the package subscribed to by the user, and this parameter comes from the authentication response. Alternatively, when the routing management module finds no corresponding authentication table entry, it can establish an entry for the user in which the authentication field corresponding to the package parameter is set to a default value indicating that the user has not yet passed authentication. For example, the default value 0 indicates that the user has not passed authentication, 1 indicates that a China Mobile package was selected, 2 indicates that a China Unicom package was selected, and 3 indicates that a China Telecom package was selected.
As described above, the authentication table entry can be obtained by copying the user's routing table entry and extending it, for example by adding an authentication field to the user's routing table entry within the same routing table. The authentication field characterizes whether the user has passed authentication and, if so, which package the user selected. Since each user has a different IP address, the different entries can be distinguished by IP address. Alternatively, the user's routing table entries can be formed into a separate authentication table. In addition, when the authentication table entries and the routing table share the same table, a unicast message identifier can also be added to the authentication table entry to ease later processing, and a specific identifier, for example 4001, can be established for unicast messages. When subsequent unicast messages are received, this identifier can be queried first to locate the users corresponding to all unicast messages, and the parameter corresponding to the user's package is then found via the user's IP address (that is, the value of the authentication field, which determines which operator's package the user selected); this speeds up the lookup. After the parameter corresponding to the user's package is obtained, the DUT can transparently forward the unicast message to the user's billing device, thereby directing traffic to the operator; this meets user needs and also lets operators provide value-added services to users. In the present invention, the routing management module can be integrated with the DUT.
Fig. 4 shows an authentication flow provided by the invention. In this flow, after the DUT receives a unicast message sent by the user (step 401), it passes the message up to the routing management module (step 403). The routing management module queries the authentication table to see whether the user has passed authentication; that is, it determines this by checking whether an authentication table entry corresponding to the user exists (step 405). If no entry is found, an authentication table entry can be established for the user (for example by copying the user's routing table entry and extending it, such as by adding an authentication field and optionally a unicast message identifier), and the unicast message is sent to the authentication device (step 407). The authentication device can be a web authentication device. In the entry established for the user, the authentication field corresponding to the package parameter is set to the default value (that is, the authentication field is 0). Then, when the user's authentication succeeds, the corresponding authentication field in the entry is modified according to the package parameter carried in the authentication response returned by the authentication device, so that later messages can be transparently forwarded directly according to that parameter (step 409). If the routing management module finds that the user has already passed authentication, it reads the parameter corresponding to the user's package (step 411), that is, a value in the authentication field other than the default 0. After the user's package is determined, the DUT transparently forwards the unicast message to the user's billing device (step 413). The billing device can be the service line card to which the operator's package is connected; the package service cards of several different operators can be placed in the same billing device or in different billing devices. Thereafter, the billed unicast message can be forwarded to the internet.
Furthermore, the user's type can be marked in the authentication table entry, for example marking the user as IPv4. Because the protocols currently used on the internet are IPv4 and IPv6, the protocol type used by the user can be determined from the user type, so that the user's messages are routed correctly.
Fig. 5 shows the flow for establishing an authentication table entry for a user. When it is confirmed that the user is not present in the user authentication table (step 501), the entry can be created by copying the user's routing table entry and adding an identifier field VRF and an authentication field classid (step 503). As described above, the authentication field classid holds the default value at this point, and VRF can be a preset value such as 4001. After establishing the entry, the routing management module can redirect the user to the authentication device directly, or it can first query the value of classid and redirect the user after confirming that it is the default value (step 505). After authenticating the user, the authentication device can carry the parameter corresponding to the user's package in the authentication response, and the routing management module sets the value of classid according to the user's package. This completes the process of establishing an authentication table entry for the user. During subsequent data transmission, querying the classid field allows the user's data to be routed correctly to the corresponding service card.
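The Fig. 4 and Fig. 5 flows can be sketched as follows. This is an added example, not code from the patent: the class names, device names and sample addresses are assumptions, and dropping traffic that has no routing entry and rejecting classid values outside 1 to 3 are choices made for the sketch so that the lookup fails closed.

```python
# Added illustration of the Fig. 4 / Fig. 5 flows; not code from the patent.
# AuthTable, RouteEntry, the device names and the sample IPs are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Tuple

UNAUTHENTICATED = 0   # default classid: user has not passed authentication
DEFAULT_VRF = 4001    # preset identifier value given in the description
AUTH_DEVICE = "web-auth-device"   # hypothetical name for the authentication device
# classid -> billing device, following the description's 1/2/3 example.
BILLING_DEVICES = {
    1: "billing-china-mobile",
    2: "billing-china-unicom",
    3: "billing-china-telecom",
}


@dataclass(frozen=True)
class RouteEntry:
    ip: str
    next_hop: str
    user_type: str = "IPv4"   # user type marked in the entry (IPv4 or IPv6)


@dataclass(frozen=True)
class AuthEntry:
    ip: str
    next_hop: str
    user_type: str
    vrf: int       # identifier field added to the copied routing entry
    classid: int   # authentication field: 0 = unauthenticated, else package


class AuthTable:
    """Routing management module state, keyed by the user's IP address."""

    def __init__(self, routes: Dict[str, RouteEntry]):
        self.routes = routes
        self.entries: Dict[str, AuthEntry] = {}

    def _create_entry(self, ip: str) -> AuthEntry:
        # Steps 501-503: copy the routing entry, add VRF and classid (default 0).
        route = self.routes[ip]
        entry = AuthEntry(route.ip, route.next_hop, route.user_type,
                          DEFAULT_VRF, UNAUTHENTICATED)
        self.entries[ip] = entry
        return entry

    def handle_unicast(self, src_ip: str) -> Tuple[str, str]:
        """Steps 401-413: decide what the DUT does with an intercepted message."""
        if src_ip not in self.routes:
            # Assumption of this sketch: nothing to copy, so drop the message.
            return ("drop", "no-route")
        entry = self.entries.get(src_ip) or self._create_entry(src_ip)
        device = BILLING_DEVICES.get(entry.classid)
        if device is None:
            # classid is the default 0 (or not a known package): fail closed.
            return ("redirect", AUTH_DEVICE)
        return ("forward", device)

    def on_auth_response(self, ip: str, success: bool, classid: int) -> bool:
        """Step 409: set classid from the package parameter in the response."""
        entry = self.entries.get(ip)
        if entry is None or not success or classid not in BILLING_DEVICES:
            return False   # entry keeps its current classid
        self.entries[ip] = replace(entry, classid=classid)
        return True


if __name__ == "__main__":
    table = AuthTable({"10.0.0.5": RouteEntry("10.0.0.5", "192.0.2.1")})
    print(table.handle_unicast("10.0.0.5"))           # first message: redirect
    print(table.on_auth_response("10.0.0.5", True, 2))
    print(table.handle_unicast("10.0.0.5"))           # later messages: forward
```

Because the table is keyed only by source IP address, an entry should be removed when the address is released so that the next holder of that address starts again at classid 0.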
The authentication method and system of the present invention have been described above from the perspective of the system. As can be seen, the routing management module plays a very important role in the whole flow, and it is described in detail below from the perspective of the routing management module itself.
As shown in Fig. 6, the routing management module provided by the invention includes a storage unit, an authentication forwarding unit and a transparent transmission unit. Storage is an essential part of modern network equipment. Here the storage unit can store the authentication information associated with the user, which can be the default value characterizing a user who has not been authenticated (for example 0) or the parameter corresponding to the package of a user who has passed authentication (for example 1, 2 or 3). The authentication forwarding unit can redirect the user to the authentication device when the user has not passed authentication, and the transparent transmission unit can, when the user has passed authentication, transparently forward unicast messages to the corresponding billing device according to the parameter for the package the user subscribed to. In the present invention, the authentication device can be a web authentication device.
Correspondingly, the present invention also provides a route management method. In this method, if it is determined from the authentication information that the user has not yet passed authentication, the user is redirected to the authentication device; if it can be determined from the authentication information that the user has passed authentication and which package the user subscribed to, the unicast message can be transparently forwarded to the billing device corresponding to the user. The authentication information can be stored in the form of authentication table entries.
The preferred embodiments of the present invention have been described in detail above with reference to the drawings. However, the invention is not limited to the specific details of these embodiments; within the scope of the technical concept of the invention, a variety of simple variations can be made to its technical solution, and these simple variations all fall within the scope of protection of the invention.
It should further be noted that the specific technical features described in the above embodiments can be combined in any suitable way provided they do not contradict each other. To avoid unnecessary repetition, the possible combinations are not described separately.
In addition, the various embodiments of the present invention can be combined freely; as long as a combination does not depart from the idea of the invention, it should likewise be regarded as part of the disclosure of the invention.

Claims (10)

1. An authentication system, characterized in that the system includes:
a DUT device arranged to intercept unicast messages;
a routing management module arranged to send the intercepted unicast message according to stored authentication information associated with the user, wherein, when the authentication information associated with the user shows that the user has not been authenticated, the routing management module is configured to redirect the user to an authentication device, and when the service package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently forwarded to the billing device corresponding to the user;
wherein, after authentication on the authentication device succeeds, an authentication table entry is established for the user according to the authentication response, the authentication table entry containing a parameter characterizing the package subscribed to by the user, the parameter coming from the authentication response.
2. The system according to claim 1, characterized in that the unicast message is an HTTP unicast message.
3. The system according to claim 1, characterized in that the service package subscribed to by the user is obtained from the user's authentication response; the authentication information associated with the user is stored in the user's authentication table entry, which is obtained by copying the user's routing table entry and extending it with an authentication field; wherein the authentication information associated with the user is stored in the authentication field.
4. The system according to any one of claims 1-3, characterized in that the routing management module further uses an identifier to identify the authentication information associated with the user that corresponds to the unicast message.
5. The system according to claim 4, characterized in that the routing management module is further configured to, after the user has been authenticated, obtain the service package subscribed to by the user according to the identifier so as to transparently forward the user's unicast message.
6. An authentication method, characterized in that the method includes:
intercepting a unicast message;
sending the intercepted unicast message according to stored authentication information associated with the user, wherein, when the authentication information associated with the user shows that the user has not been authenticated, the user is redirected to an authentication device,
and when the service package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently forwarded to the billing device corresponding to the user; wherein, after authentication on the authentication device succeeds, an authentication table entry is established for the user according to the authentication response, the authentication table entry containing a parameter characterizing the package subscribed to by the user, the parameter coming from the authentication response.
7. The method according to claim 6, characterized in that the unicast message is an HTTP unicast message.
8. The method according to claim 6, characterized in that the service package subscribed to by the user is obtained from the user's authentication response; the authentication information associated with the user is stored in the user's authentication table entry, which is obtained by copying the user's routing table entry and extending it with an authentication field; wherein the authentication information associated with the user is stored in the authentication field.
9. The method according to any one of claims 6 to 8, characterized in that the method further includes:
using an identifier to identify the authentication information associated with the user that corresponds to the unicast message.
10. The method according to claim 9, characterized in that the method further includes:
after the user has been authenticated, obtaining the service package subscribed to by the user according to the identifier so as to transparently forward the user's unicast message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510536318.6A CN105072129B (en) 2015-08-27 2015-08-27 authentication method and system

Publications (2)

Publication Number Publication Date
CN105072129A CN105072129A (en) 2015-11-18
CN105072129B true CN105072129B (en) 2018-08-03
