CN105141618A - Authentication method of network connection and network access device - Google Patents

Authentication method of network connection and network access device

Info

Publication number
CN105141618A
Authority
CN
China
Prior art keywords
network access
equipment
subscriber equipment
authentication
mac address
Legal status
Withdrawn
Application number
CN201510584951.2A
Other languages
Chinese (zh)
Inventor
徐亦斌
欧历云
孙兵
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201510584951.2A
Publication of CN105141618A
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]


Abstract

The present invention provides an authentication method for a network connection and a network access device. The authentication method comprises: when an authentication server passes the identity authentication of a user device, the network access device adds the media access control (MAC) address of the user device to a permitted MAC address set; after the user device disconnects from the network, when the network access device receives a first network access request sent by the user device, the forwarding plane of the network access device determines that the user device has not passed identity authentication and sends the first network access request to the control plane of the network access device; and the control plane of the network access device determines that the source MAC address of the first network access request belongs to the permitted MAC address set and sends an identity authentication pass instruction to the forwarding plane of the network access device. According to the invention, identity authentication of the user device can be performed directly by the network access device, which increases authentication speed.

Description

Authentication method for a network connection and network access device
Technical field
This application relates to the field of communication technology, and in particular to an authentication method for a network connection and a network access device.
Background
A network generally has access control configured. When a user accesses the network with a user device such as a smartphone, tablet computer or laptop computer, the network access device (such as a router or switch) usually redirects the user to an authentication page provided by a portal server. The user submits authentication data (such as a username and password) on this page, and the network access device sends the authentication data to an authentication server, such as an authentication, authorization and accounting (AAA) server. After the authentication server passes the identity authentication of the user device on the basis of this authentication data, the network access device allows the user device to access the network. However, every time the user device goes offline and then goes online again to access the network, the user has to manually enter authentication data such as the username and password on the authentication page again, and the authentication server has to authenticate the user device again on the basis of that data. This increases the processing load of the authentication server, and authentication is slow.
Summary of the invention
This application provides an authentication method for a network connection and a network access device, so that identity authentication of a user device can be performed directly by the network access device, thereby increasing authentication speed.
A first aspect provides an authentication method for a network connection, comprising:
when an authentication server passes the identity authentication of a user device, adding, by a network access device, the media access control (MAC) address of the user device to a permitted MAC address set;
after the user device disconnects from the network, when the network access device receives a first network access request sent by the user device, determining, by the forwarding plane of the network access device, that the user device has not yet passed identity authentication, and sending the first network access request to the control plane of the network access device, where the source MAC address of the first network access request is the MAC address of the user device;
determining, by the control plane of the network access device, that the source MAC address of the first network access request belongs to the permitted MAC address set, and then sending, by the control plane, an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication.
With reference to the first aspect, in a first possible implementation of the first aspect, adding, by the network access device, the MAC address of the user device to the permitted MAC address set when the authentication server passes the identity authentication of the user device comprises:
after the network access device receives a second network access request sent by the user device, determining, by the forwarding plane of the network access device, that the user device has not yet passed identity authentication, and sending the second network access request to the control plane of the network access device, where the source MAC address of the second network access request is the MAC address of the user device;
sending, by the control plane of the network access device, the source MAC address of the second network access request to the authentication server, to instruct the authentication server to perform identity authentication of the user device on the basis of that source MAC address;
receiving, by the control plane of the network access device, an authentication result message for the user device sent by the authentication server, and, when the identity authentication result indicated by the authentication result message is that authentication passed, adding, by the control plane, the MAC address of the user device to the permitted MAC address set and sending an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication.
With reference to the first aspect, in a second possible implementation of the first aspect, adding, by the network access device, the MAC address of the user device to the permitted MAC address set when the authentication server passes the identity authentication of the user device comprises:
after the network access device receives a third network access request sent by the user device, determining, by the forwarding plane of the network access device, that the user device has not yet passed identity authentication, and sending the third network access request to the control plane of the network access device;
redirecting, by the control plane of the network access device, the third network access request to a portal server;
receiving, by the control plane of the network access device, authentication data sent by the portal server, and sending the authentication data to the authentication server, to instruct the authentication server to perform identity authentication of the user device on the basis of the authentication data;
receiving, by the control plane of the network access device, an authentication result message for the user device sent by the authentication server;
when the identity authentication result indicated by the authentication result message is that authentication passed, adding, by the control plane of the network access device, the MAC address of the user device to the permitted MAC address set, and sending an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication.
With reference to the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, when the identity authentication result indicated by the authentication result message is that authentication passed, the authentication result message further includes an aging time parameter set by the authentication server, and the method further comprises:
setting, by the control plane of the network access device, the aging time of the MAC address of the user device in the permitted MAC address set according to the aging time parameter.
A second aspect provides a network access device, comprising:
a first processing module, configured to add the MAC address of a user device to a permitted media access control (MAC) address set when an authentication server passes the identity authentication of the user device;
a receiving module, configured to receive a first network access request sent by the user device;
a second processing module, configured to, after the user device disconnects from the network and when the receiving module receives the first network access request, have the forwarding plane of the network access device determine that the user device has not yet passed identity authentication and send the first network access request to the control plane of the network access device, where the source MAC address of the first network access request is the MAC address of the user device;
a third processing module, configured to have the control plane of the network access device determine that the source MAC address of the first network access request belongs to the permitted MAC address set, and send an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication.
With reference to the second aspect, in a first possible implementation of the second aspect, the first processing module is further configured to, after a second network access request sent by the user device is received, have the forwarding plane of the network access device determine that the user device has not yet passed identity authentication and send the second network access request to the control plane of the network access device, where the source MAC address of the second network access request is the MAC address of the user device;
the first processing module is further configured to have the control plane of the network access device send the source MAC address of the second network access request to the authentication server, to instruct the authentication server to perform identity authentication of the user device on the basis of that source MAC address;
the first processing module is further configured to have the control plane of the network access device receive an authentication result message for the user device sent by the authentication server and, when the identity authentication result indicated by the authentication result message is that authentication passed, have the control plane add the MAC address of the user device to the permitted MAC address set and send an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication.
With reference to the second aspect, in a second possible implementation of the second aspect, the first processing module is further configured to, after a third network access request sent by the user device is received, have the forwarding plane of the network access device determine that the user device has not yet passed identity authentication and send the third network access request to the control plane of the network access device;
the first processing module is further configured to have the control plane of the network access device redirect the third network access request to a portal server;
the first processing module is further configured to have the control plane of the network access device receive authentication data sent by the portal server and send the authentication data to the authentication server, to instruct the authentication server to perform identity authentication of the user device on the basis of the authentication data;
the first processing module is further configured to have the control plane of the network access device receive an authentication result message for the user device sent by the authentication server;
the first processing module is further configured to, when the identity authentication result indicated by the authentication result message is that authentication passed, have the control plane of the network access device add the MAC address of the user device to the permitted MAC address set and send an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication.
With reference to the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, when the identity authentication result indicated by the authentication result message is that authentication passed, the authentication result message further includes an aging time parameter set by the authentication server, and the device further comprises:
a setting module, configured to have the control plane of the network access device set the aging time of the MAC address of the user device in the permitted MAC address set according to the aging time parameter.
In this application, when the authentication server passes the identity authentication of a user device, the network access device adds the MAC address of the user device to a permitted MAC address set. After the user device disconnects from the network, when the network access device receives a first network access request sent by the user device, the forwarding plane of the network access device determines that the user device has not yet passed identity authentication and sends the first network access request to the control plane of the network access device, where the source MAC address of the first network access request is the MAC address of the user device. The control plane of the network access device determines that the source MAC address of the first network access request belongs to the permitted MAC address set and sends an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication. Identity authentication of the user device can thus be performed directly by the network access device, which increases authentication speed.
The terms "first", "second", "third" and so on in the specification, claims and drawings of the present invention are used to distinguish different objects, not to describe a particular order.
The user device in the embodiments of the present invention may be, for example, a mobile phone, a computer, a tablet computer, a personal digital assistant (PDA), a mobile Internet device (MID), a wearable device, an e-book reader, and the like.
The network access device in the embodiments of the present invention is a router or a network switch.
The authentication server in the embodiments of the present invention may be, for example, an AAA server; this AAA server may specifically be a Remote Authentication Dial-In User Service (RADIUS) server, a Terminal Access Controller Access-Control System (TACACS) server, a Lightweight Directory Access Protocol (LDAP) server, or the like.
To better understand the authentication method for a network connection and the network access device provided by the embodiments of the present invention, the network architecture of the embodiments is described first below.
Refer to Fig. 1, which is a schematic diagram of a network architecture based on Portal authentication provided by an embodiment of the present invention. In the network architecture based on Portal authentication shown in Fig. 1, when a user accesses the network with a user device, the network access device redirects the user to the authentication page provided by the Portal server. The user submits authentication data (such as a username and password) on the authentication page, the network access device sends the authentication data to the authentication server, and after the authentication server passes the identity authentication of the user device on the basis of the authentication data, the network access device allows the user device to access the network.
Refer to Fig. 2, which is a schematic flowchart of an authentication method for a network connection provided by an embodiment of the present invention on the basis of the network architecture based on Portal authentication shown in Fig. 1. The authentication method for a network connection described in this embodiment comprises the following steps:
S101: when the authentication server passes the identity authentication of a user device, the network access device adds the MAC address of the user device to a permitted media access control (MAC) address set.
The permitted MAC address set is maintained by the control plane of the network access device, and the MAC address of the user device is retained in the permitted MAC address set after the user device disconnects from the network.
The authentication server passing the identity authentication of the user device may specifically be the authentication server directly performing MAC authentication of the user device and the MAC authentication passing, or the authentication server, together with the Portal server, performing Portal authentication of the user device and the Portal authentication passing.
When the user device accesses the network for the first time, the authentication server may perform Portal authentication of the user device together with the Portal server. After the Portal authentication passes, the network access device may add the MAC address of the user device to the permitted MAC address set.
Alternatively, when the user device accesses the network for the first time, the authentication server performs MAC authentication of the user device. Because the authentication server has not yet recorded the MAC address of the user device, the MAC authentication fails. After the MAC authentication fails, the authentication server performs Portal authentication of the user device together with the Portal server. After the Portal authentication passes, the authentication server records the MAC address of the user device, but the network access device does not add the MAC address of the user device to the permitted MAC address set. After the user device disconnects from the network and accesses the network again, the authentication server performs MAC authentication of the user device. Because the authentication server has recorded the MAC address of the user device, the MAC authentication passes. After the MAC authentication passes, the network access device may add the MAC address of the user device to the permitted MAC address set.
Alternatively, when the user device accesses the network for the first time, the authentication server performs MAC authentication of the user device. Because the authentication server has not yet recorded the MAC address of the user device, the MAC authentication fails. After the MAC authentication fails, the authentication server performs Portal authentication of the user device together with the Portal server. After the Portal authentication passes, the authentication server records the MAC address of the user device, and the network access device adds the MAC address of the user device to the permitted MAC address set.
In a specific implementation, the network access device may receive an authentication result message sent by the authentication server. When the authentication result indicated by the message is that authentication passed, the control plane of the network access device adds the MAC address of the user device to the stored permitted MAC address set and sends an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication. If the authentication result message also carries an aging time parameter set by the authentication server, the control plane of the network access device may set the aging time of the MAC address of the user device in the permitted MAC address set according to that parameter. If the authentication result message lacks an aging time parameter, the control plane of the network access device may set the aging time of the MAC address of the user device in the permitted MAC address set by itself.
The aging time instructs the control plane of the network access device to delete the MAC address of the user device from the permitted MAC address set either when the time reaches the moment corresponding to the aging time (for example 00:00:00 on October 1, 2015), or when the time elapsed since the MAC address of the user device was added to the permitted MAC address set reaches the duration corresponding to the aging time (for example 7*24 hours).
The identity authentication pass instruction includes an identifier of the user device, for example the Internet Protocol (IP) address of the user device, its MAC address, or the combination of its IP address and MAC address. The forwarding plane of the network access device may create a control entry containing the identifier of the user device, for example in an access control list (ACL). The control entry also contains an action, for example permit forwarding. When the forwarding plane of the network access device receives a packet sent by the user device, if the identifier of the user device in the packet matches the control entry, the forwarding plane permits forwarding of the packet according to the action in the control entry, and the user device can then access the network.
S102: after the user device disconnects from the network, when the network access device receives a first network access request sent by the user device, the forwarding plane of the network access device determines that the user device has not yet passed identity authentication and sends the first network access request to the control plane of the network access device, where the source MAC address of the first network access request is the MAC address of the user device.
The first network access request may specifically be a Hypertext Transfer Protocol (HTTP) packet or an HTTP Secure (HTTPS) packet; its source MAC address is the MAC address of the user device, and its source IP address is the IP address of the user device.
When it receives a go-offline message sent by the user device, the control plane of the network access device may determine that the user device has disconnected from the network, and send a disconnect instruction to the forwarding plane of the network access device to indicate to the forwarding plane that the user device has disconnected from the network; the forwarding plane may then delete the control entry containing the identifier of the user device, or change the action of that control entry to deny forwarding. The forwarding plane may also delete the control entry containing the identifier of the user device, or change its action to deny forwarding, when it has not received any packet from the user device for a long time (that is, when the aging time of the control entry is reached).
Thereafter, when the forwarding plane receives a packet sent by the user device, either the identifier of the user device in the packet matches no control entry, in which case the forwarding plane sends the packet to the control plane, or the identifier matches a control entry whose action is deny forwarding, in which case the forwarding plane likewise sends the packet to the control plane. The packet sent to the control plane is the first network access request.
S103: the control plane of the network access device determines that the source MAC address of the first network access request belongs to the permitted MAC address set, and then sends an identity authentication pass instruction to the forwarding plane of the network access device, to indicate to the forwarding plane that the user device has passed identity authentication.
In a specific implementation, when the control plane of the network access device receives the first network access request (that is, the packet) sent by the forwarding plane of the network access device, it queries whether the source MAC address of the packet belongs to the permitted MAC address set, so as to authenticate the user device. Here the control plane of the network access device determines that the source MAC address of the packet belongs to the permitted MAC address set, and then sends an identity authentication pass instruction to the forwarding plane of the network access device, to instruct the forwarding plane to re-create the control entry containing the identifier of the user device, or to change the action of the control entry containing the identifier of the user device to permit forwarding, so that the forwarding plane can forward the packets sent by the user device.
If the source MAC address of the packet does not belong to the permitted MAC address set, the network access device sends the packet to the Portal server, to instruct the Portal server to perform Portal authentication of the user device together with the authentication server, or sends the source MAC address of the packet to the authentication server, to instruct the authentication server to perform MAC authentication of the user device.
In this application, when the authentication server passes the identity authentication of a user device, the control plane of the network access device adds the MAC address of the user device to the permitted MAC address set. When the user device initiates a go-online request again after disconnecting from the network, the control plane of the network access device, upon determining that the MAC address of the user device belongs to the permitted MAC address set, can instruct the forwarding plane of the network access device to allow the user device to access the network. Identity authentication of the user device is thus performed directly by the network access device, which increases authentication speed.
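As an added illustration (not code from the patent or from Huawei), the following Python simulation models the forwarding plane / control plane split of steps S101 to S103: the ACL-like control entry in the forwarding plane, the go-offline handling that removes the forwarding entry but keeps the MAC in the permitted set, the aging of permitted-set entries (absolute moment or duration), and the fallback to MAC authentication at the authentication server, or Portal redirection, when the source MAC is not in the set. All MAC addresses, account bindings and the clock are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

# Constructed sample values (not from the patent): MAC/IP addresses, account bindings and clock.
PERMIT, DENY = "permit", "deny"


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    kind: str = "http"  # "http"/"https" = network access request, "offline" = go-offline message


class ForwardingPlane:
    """Data path: ACL-like control entries keyed by the device identifier (the MAC here)."""
    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}  # identifier -> action

    def handle(self, pkt: Packet, cp: "ControlPlane") -> str:
        if pkt.kind == "offline":
            return cp.on_offline(pkt, self)
        if self.entries.get(pkt.src_mac) == PERMIT:
            return "forwarded"  # identifier matched a permit entry
        # No entry, or entry action is deny: not yet authenticated, punt to the control plane.
        return cp.on_access_request(pkt, self)

    def permit(self, mac: str) -> None:
        self.entries[mac] = PERMIT  # (re)create the control entry with action permit

    def revoke(self, mac: str) -> None:
        self.entries[mac] = DENY  # the patent allows deleting the entry or flipping its action


class AuthServer:
    """AAA server performing MAC authentication against stored account/MAC bindings."""
    def __init__(self, bindings: Dict[str, str], aging: Optional[timedelta] = None) -> None:
        self.bindings = bindings  # MAC -> account name
        self.aging = aging  # optional aging time parameter carried in the result message

    def mac_auth(self, mac: str) -> dict:
        result = {"passed": mac in self.bindings}
        if result["passed"] and self.aging is not None:
            result["aging_time"] = self.aging
        return result


class ControlPlane:
    """Maintains the permitted MAC address set with a per-entry expiry."""
    def __init__(self, auth: AuthServer, clock: Callable[[], datetime],
                 default_aging: timedelta = timedelta(hours=7 * 24)) -> None:
        self.auth = auth
        self.clock = clock  # injected so the scenario can move time forward
        self.default_aging = default_aging  # used when the result message lacks the parameter
        self.permitted: Dict[str, datetime] = {}  # MAC -> expiry moment

    def _age_out(self) -> None:
        now = self.clock()
        for mac in [m for m, exp in self.permitted.items() if exp <= now]:
            del self.permitted[mac]

    def on_auth_result(self, mac: str, result: dict, fp: ForwardingPlane) -> str:
        if not result["passed"]:
            return "redirect_to_portal"  # fall back to Portal authentication
        aging = result.get("aging_time", self.default_aging)
        # Aging may be an absolute moment or a duration counted from insertion.
        expiry = aging if isinstance(aging, datetime) else self.clock() + aging
        self.permitted[mac] = expiry
        fp.permit(mac)  # identity authentication pass instruction to the forwarding plane
        return "authenticated"

    def on_access_request(self, pkt: Packet, fp: ForwardingPlane) -> str:
        self._age_out()
        if pkt.src_mac in self.permitted:
            fp.permit(pkt.src_mac)  # S103: MAC in the permitted set, no round trip to AAA
            return "fast_reauth"
        # Not in the set: MAC authentication at the AAA server (Portal on failure).
        return self.on_auth_result(pkt.src_mac, self.auth.mac_auth(pkt.src_mac), fp)

    def on_offline(self, pkt: Packet, fp: ForwardingPlane) -> str:
        fp.revoke(pkt.src_mac)  # forwarding entry goes, MAC stays in the permitted set
        return "offline"


def run_scenario(start: datetime = datetime(2015, 9, 1)) -> list:
    """Walk one device through first auth, offline, fast re-auth, aging, and an unknown MAC."""
    now = [start]
    auth = AuthServer({"02:00:00:00:00:01": "alice"}, aging=timedelta(hours=7 * 24))
    fp, cp = ForwardingPlane(), ControlPlane(auth, lambda: now[0])
    dev = Packet("02:00:00:00:00:01", "10.0.0.5")
    off = Packet(dev.src_mac, dev.src_ip, kind="offline")
    out = [fp.handle(dev, cp), fp.handle(dev, cp), fp.handle(off, cp), fp.handle(dev, cp)]
    now[0] += timedelta(hours=7 * 24)  # the aging duration elapses
    out += [fp.handle(off, cp), fp.handle(dev, cp)]
    out.append(fp.handle(Packet("02:00:00:00:00:99", "10.0.0.9"), cp))
    return out
```

Calling `run_scenario()` shows the device authenticated once at the AAA server, re-admitted by the control plane alone after going offline, re-authenticated at the AAA server once its permitted-set entry has aged out, and an unbound MAC redirected to the Portal.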
Refer to Fig. 3, which is a schematic flowchart of another authentication method for a network connection provided by an embodiment of the present invention on the basis of the Portal-authentication network architecture shown in Fig. 1. The authentication method for a network connection described in this embodiment comprises the following steps:
S201. After the network access device receives a second network access request sent by the user equipment, the forwarding plane of the network access device determines that the user equipment has not yet passed authentication and sends the second network access request to the control plane of the network access device, the source MAC address of the second network access request being the MAC address of the user equipment.
Here, on receiving the second network access request (that is, the packet) sent by the user equipment, the forwarding plane of the network access device obtains the identifier of the user equipment contained in the packet and queries whether there is a control table entry matching that identifier. If no control table entry matches, or a control table entry matches but its action is to forbid forwarding, the forwarding plane of the network access device determines that the user equipment has not yet passed authentication and sends the packet to the control plane of the network access device.
S202. The control plane of the network access device sends the source MAC address of the second network access request to the authentication server, instructing the authentication server to authenticate the user equipment based on the source MAC address of the second network access request.
In specific implementation, when the authentication server receives the source MAC address of the packet sent by the control plane of the network access device, it can query whether a binding relationship corresponding to the source MAC address of the packet (that is, the MAC address of the user equipment) exists in its stored account entries. If such a binding relationship exists in the account entries, the authentication server determines that the MAC authentication of the identity of the user equipment has passed and sends an authentication result message to the control plane of the network access device; if no such binding relationship exists in the account entries, the authentication server determines that the MAC authentication of the identity of the user equipment has not passed and sends an authentication result message to the control plane of the network access device.
Here, when the user equipment first accesses the network, Portal authentication can be performed first: after the forwarding plane of the network access device receives a packet sent by the user equipment and determines that the user equipment has not yet passed authentication, it sends the packet to the control plane of the network access device, which redirects the packet to the authentication page provided by the Portal server. The user submits authentication data (such as a username and password) on the authentication page; the Portal server sends the authentication data to the control plane of the network access device, which in turn sends it to the authentication server. After the authentication server has passed the authentication of the user equipment based on the authentication data, it can instruct the network access device to allow the user equipment to access the network, and at the same time the authentication server can bind the authentication data to the MAC address of the user equipment and create an account entry containing the binding relationship between the authentication data and the MAC address of the user equipment.
S203. The control plane of the network access device receives the authentication result message for the user equipment sent by the authentication server, and when the identity authentication result indicated by the authentication result message is that authentication has passed, the control plane of the network access device adds the MAC address of the user equipment to the allowed MAC address set and sends an authentication-passed instruction to the forwarding plane of the network access device, indicating to the forwarding plane that the user equipment has passed authentication.
In specific implementation, if the identity authentication result indicated by the authentication result message is that authentication has passed, the control plane of the network access device can add the MAC address of the user equipment to the allowed MAC address set, thereby caching the MAC address of the user equipment, and send an authentication-passed instruction to the forwarding plane of the network access device, indicating that the forwarding plane can forward packets sent by the user equipment.
Further, if the identity authentication result indicated by the authentication result message is that authentication has not passed, the control plane of the network access device redirects the packet to the authentication page provided by the Portal server. The user submits authentication data (such as a username and password) on the authentication page; the Portal server sends the authentication data to the control plane of the network access device, which sends it on to the authentication server. After the authentication server has passed the authentication of the user equipment based on the authentication data, it sends to the control plane of the network access device an authentication result message indicating that the user equipment has passed authentication. The control plane of the network access device can then add the MAC address of the user equipment to the allowed MAC address set, thereby caching it, and send an authentication-passed instruction to the forwarding plane of the network access device, indicating that the forwarding plane can forward packets sent by the user equipment.
If the authentication result message also contains an aging time parameter set by the authentication server, the control plane of the network access device can set the aging time of the user equipment's MAC address in the allowed MAC address set according to that aging time parameter. If the authentication result message lacks an aging time parameter, the control plane of the network access device can set the aging time of the user equipment's MAC address in the allowed MAC address set on its own.
Here, the aging time instructs the control plane of the network access device to delete the MAC address of the user equipment from the allowed MAC address set either when the time reaches the moment corresponding to the aging time (for example 00:00:00 on October 1, 2015), or when the time elapsed since the MAC address of the user equipment was added to the allowed MAC address set reaches the duration corresponding to the aging time (for example 7*24 hours).
S204. After the user equipment disconnects from the network, when the network access device receives a first network access request sent by the user equipment, the forwarding plane of the network access device determines that the user equipment has not yet passed authentication and sends the first network access request to the control plane of the network access device, the source MAC address of the first network access request being the MAC address of the user equipment.
S205. The control plane of the network access device determines that the source MAC address of the first network access request belongs to the allowed MAC address set, and then sends an authentication-passed instruction to the forwarding plane of the network access device, indicating to the forwarding plane that the user equipment has passed authentication.
Here, when another user equipment A accesses the network, after the network access device receives a packet sent by user equipment A, if the forwarding plane of the network access device determines that user equipment A has not yet passed authentication, it sends the packet to the control plane of the network access device, the source MAC address of the packet being the MAC address of user equipment A. The control plane of the network access device queries whether the source MAC address of the packet belongs to the stored allowed MAC address set; if it does, the control plane of the network access device sends an authentication-passed instruction to the forwarding plane, indicating that the forwarding plane can forward packets sent by user equipment A.
Further, if the source MAC address of the packet does not belong to the stored allowed MAC address set, the control plane of the network access device sends the source MAC address of the packet to the authentication server, which performs MAC authentication on the identity of user equipment A according to that source MAC address. If the authentication result message sent by the authentication server to the control plane of the network access device indicates that authentication has passed, the control plane of the network access device adds the MAC address of user equipment A to the allowed MAC address set and sends an authentication-passed instruction to the forwarding plane, indicating that the forwarding plane can forward packets sent by user equipment A.
Further, if the authentication result message sent by the authentication server to the control plane of the network access device indicates that authentication has not passed, the control plane of the network access device can redirect the packet to the authentication page provided by the Portal server. The user submits authentication data (such as a username and password) on the authentication page; the Portal server sends the authentication data to the control plane of the network access device, which sends it on to the authentication server. After the authentication server has passed the authentication of user equipment A based on the authentication data, it sends to the control plane of the network access device an authentication result message indicating that user equipment A has passed authentication. The control plane of the network access device can then add the MAC address of user equipment A to the allowed MAC address set and send an authentication-passed instruction to the forwarding plane, indicating that the forwarding plane can forward packets sent by user equipment A.
In this application, when the authentication server has passed the MAC authentication of the identity of the user equipment, or when, after that MAC authentication has failed, the authentication server together with the Portal server has passed the Portal authentication of the identity of the user equipment, the control plane of the network access device can add the MAC address of the user equipment to the allowed MAC address set. When the user equipment initiates an online request again after disconnecting from the network, the control plane of the network access device, upon determining that the MAC address of the user equipment belongs to the allowed MAC address set, can instruct the forwarding plane of the network access device to allow the user equipment to access the network. Authentication of the user equipment is thus performed directly by the network access device, which improves authentication speed.
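The following Python model is an added illustration of the flows of Figs. 2 and 3 and of the aging rule described above; it is not code from the patent. It models the forwarding-plane control table, the control-plane allowed MAC address set whose entries expire either at an absolute moment or after a duration, MAC authentication against the authentication server's account entries, and Portal authentication as the fallback. The credentials, times and MAC address are constructed, and the user equipment identifier is assumed to be its MAC address.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Union

# Constructed sample data (hypothetical): the Portal credentials the
# authentication server accepts, plus the example aging values from the text.
PORTAL_ACCOUNTS = {"alice": "s3cret"}
DEFAULT_AGING = timedelta(hours=7 * 24)           # the 7*24 hour duration
ABSOLUTE_AGING = datetime(2015, 10, 1, 0, 0, 0)   # the absolute moment
T0 = datetime(2015, 9, 1, 12, 0, 0)               # constructed start time
UE_MAC = "00:11:22:33:44:55"                      # constructed UE MAC address


@dataclass
class AuthResult:
    """Authentication result message; aging is an absolute moment or a duration."""
    passed: bool
    aging: Optional[Union[datetime, timedelta]] = None


class AuthServer:
    """Account entries bind a UE MAC address to its Portal authentication data."""
    def __init__(self, aging=DEFAULT_AGING):
        self.aging = aging
        self.bindings: Dict[str, str] = {}        # account entries: mac -> username
    def mac_auth(self, mac: str) -> AuthResult:
        return AuthResult(mac in self.bindings, self.aging)
    def portal_auth(self, user: str, password: str, mac: str) -> AuthResult:
        if PORTAL_ACCOUNTS.get(user) != password:
            return AuthResult(False)
        self.bindings[mac] = user                 # create the account entry
        return AuthResult(True, self.aging)


class ForwardingPlane:
    """Control table keyed by the UE identifier (assumed here to be its MAC);
    packets are forwarded only when the matching entry's action is 'permit'."""
    def __init__(self):
        self.control_table: Dict[str, str] = {}
    def is_authenticated(self, ue_id: str) -> bool:
        return self.control_table.get(ue_id) == "permit"
    def permit(self, ue_id: str) -> None:         # authentication-passed instruction
        self.control_table[ue_id] = "permit"
    def deny(self, ue_id: str) -> None:           # disconnect-network instruction
        self.control_table[ue_id] = "deny"


class ControlPlane:
    """Control plane holding the allowed MAC address set (mac -> expiry)."""
    def __init__(self, server: AuthServer, fp: ForwardingPlane):
        self.server, self.fp = server, fp
        self.allowed_macs: Dict[str, datetime] = {}

    def _cache(self, mac: str, res: AuthResult, now: datetime) -> None:
        aging = DEFAULT_AGING if res.aging is None else res.aging   # device default
        self.allowed_macs[mac] = aging if isinstance(aging, datetime) else now + aging

    def _age_out(self, now: datetime) -> None:
        for mac in [m for m, exp in self.allowed_macs.items() if now >= exp]:
            del self.allowed_macs[mac]

    def handle_request(self, mac, now, credentials=None) -> Optional[str]:
        """Returns the path that admitted the packet ('forwarded', 'cache',
        'mac-auth', 'portal-auth') or None when it was refused or redirected."""
        self._age_out(now)
        if self.fp.is_authenticated(mac):
            return "forwarded"                    # never punted to the control plane
        if mac in self.allowed_macs:              # cache hit (step S205)
            self.fp.permit(mac)
            return "cache"
        res = self.server.mac_auth(mac)           # MAC authentication (step S202)
        path = "mac-auth"
        if not res.passed:
            if credentials is None:
                return None                       # redirected to the Portal page
            res = self.server.portal_auth(credentials[0], credentials[1], mac)
            if not res.passed:
                return None
            path = "portal-auth"
        self._cache(mac, res, now)                # add to the allowed set (step S203)
        self.fp.permit(mac)
        return path

    def logoff(self, mac: str) -> None:
        self.fp.deny(mac)


def run_scenario(aging=DEFAULT_AGING):
    """Portal login, logoff, fast re-admission from the cache, then aging."""
    cp = ControlPlane(AuthServer(aging), ForwardingPlane())
    steps = [cp.handle_request(UE_MAC, T0),                       # Portal redirect
             cp.handle_request(UE_MAC, T0, ("alice", "wrong")),   # refused
             cp.handle_request(UE_MAC, T0, ("alice", "s3cret")),  # portal-auth
             cp.handle_request(UE_MAC, T0)]                       # forwarded
    cp.logoff(UE_MAC)
    steps.append(cp.handle_request(UE_MAC, T0 + timedelta(hours=1)))  # cache
    cp.logoff(UE_MAC)
    steps.append(cp.handle_request(UE_MAC, T0 + timedelta(days=8)))   # aged out
    return steps
```

Because a cache hit admits a returning MAC address without contacting the authentication server, the aging time is what bounds how long the device keeps trusting an address on its own.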
Refer to Fig. 4, which is a schematic flowchart of yet another authentication method for a network connection provided by an embodiment of the present invention on the basis of the Portal-authentication network architecture shown in Fig. 1. The authentication method for a network connection described in this embodiment comprises the following steps:
S301. After the network access device receives a third network access request sent by the user equipment, the forwarding plane of the network access device determines that the user equipment has not yet passed authentication and sends the third network access request to the control plane of the network access device.
Here, on receiving the third network access request (that is, the packet) sent by the user equipment, the forwarding plane of the network access device obtains the identifier of the user equipment contained in the packet and queries whether there is a control table entry matching that identifier. If no control table entry matches, or a control table entry matches but its action is to forbid forwarding, the forwarding plane of the network access device determines that the user equipment has not yet passed authentication and sends the packet to the control plane of the network access device.
S302. The control plane of the network access device redirects the third network access request to the Portal server, receives the authentication data sent by the Portal server, and sends the authentication data to the authentication server, instructing the authentication server to authenticate the user equipment based on the authentication data.
S303. The control plane of the network access device receives the authentication result message for the user equipment sent by the authentication server.
Specifically, the control plane of the network access device can redirect the packet to the authentication page provided by the Portal server. On that authentication page the user enters authentication data such as a username and password through the user equipment; the Portal server obtains the authentication data and sends it to the control plane of the network access device, which in turn sends it to the authentication server. The authentication server authenticates the user equipment according to the authentication data and sends an authentication result message to the control plane of the network access device.
S304. When the identity authentication result indicated by the authentication result message is that authentication has passed, the control plane of the network access device adds the MAC address of the user equipment to the allowed MAC address set and sends an authentication-passed instruction to the forwarding plane of the network access device, indicating to the forwarding plane that the user equipment has passed authentication.
If the authentication result message also contains an aging time parameter set by the authentication server, the control plane of the network access device can set the aging time of the user equipment's MAC address in the allowed MAC address set according to that aging time parameter. If the authentication result message lacks an aging time parameter, the control plane of the network access device can set the aging time of the user equipment's MAC address in the allowed MAC address set on its own.
Here, the aging time instructs the control plane of the network access device to delete the MAC address of the user equipment from the allowed MAC address set either when the time reaches the moment corresponding to the aging time (for example 00:00:00 on October 1, 2015), or when the time elapsed since the MAC address of the user equipment was added to the allowed MAC address set reaches the duration corresponding to the aging time (for example 7*24 hours).
S305. After the user equipment disconnects from the network, when the network access device receives a first network access request sent by the user equipment, the forwarding plane of the network access device determines that the user equipment has not yet passed authentication and sends the first network access request to the control plane of the network access device, the source MAC address of the first network access request being the MAC address of the user equipment.
S306. The control plane of the network access device determines that the source MAC address of the first network access request belongs to the allowed MAC address set, and then sends an authentication-passed instruction to the forwarding plane of the network access device, indicating to the forwarding plane that the user equipment has passed authentication.
In this application, when the authentication server together with the Portal server has passed the Portal authentication of the identity of the user equipment, the control plane of the network access device can add the MAC address of the user equipment to the allowed MAC address set. When the user equipment initiates an online request again after disconnecting from the network, the control plane of the network access device, upon determining that the MAC address of the user equipment belongs to the allowed MAC address set, can instruct the forwarding plane of the network access device to allow the user equipment to access the network. Authentication of the user equipment is thus performed directly by the network access device, which improves authentication speed.
Refer to Fig. 5, which is a schematic structural diagram of a network access device provided by an embodiment of the present invention. The network access device described in this embodiment comprises a first processing module 401, a receiving module 402, a second processing module 403 and a third processing module 404, where:
The first processing module 401 is configured to add the MAC address of the user equipment to the allowed medium access control (MAC) address set when the authentication server has passed the authentication of the user equipment.
The receiving module 402 is configured to receive the first network access request sent by the user equipment.
The second processing module 403 is configured, after the user equipment has disconnected from the network and when the receiving module receives the first network access request, to make the forwarding plane of the network access device determine that the user equipment has not yet passed authentication and send the first network access request to the control plane of the network access device, the source MAC address of the first network access request being the MAC address of the user equipment.
The third processing module 404 is configured to make the control plane of the network access device determine that the source MAC address of the first network access request belongs to the allowed MAC address set, and send an authentication-passed instruction to the forwarding plane of the network access device, indicating to the forwarding plane that the user equipment has passed authentication.
Here, the first network access request may specifically be an HTTP packet or an HTTPS packet, whose source MAC address is the MAC address of the user equipment and whose source IP address is the IP address of the user equipment.
Here, on receiving a logoff message sent by the user equipment, the third processing module 404 can make the control plane of the network access device determine that the user equipment has disconnected from the network and send a disconnect-network instruction to the forwarding plane of the network access device, indicating to the forwarding plane that the user equipment has disconnected from the network; the forwarding plane can then delete the control table entry containing the identifier of the user equipment, or change the action of that control table entry to forbid forwarding. The forwarding plane can also delete the control table entry containing the identifier of the user equipment, or change its action to forbid forwarding, when the receiving module 402 has not received any packet from the user equipment for a long time (that is, when the aging time of the control table entry has been reached).
Thereafter, when the receiving module 402 receives a packet sent by the user equipment, the second processing module 403 makes the forwarding plane of the network access device determine that the identifier of the user equipment in the packet does not match any control table entry, and send the packet to the control plane of the network access device; or, if the identifier of the user equipment in the packet matches a control table entry whose action is to forbid forwarding, the forwarding plane of the network access device likewise sends the packet to the control plane of the network access device. The packet sent to the control plane is the first network access request. The third processing module 404 makes the control plane of the network access device query whether the source MAC address of the packet belongs to the allowed MAC address set, so as to authenticate the user equipment. Here the control plane of the network access device can determine that the source MAC address of the packet belongs to the allowed MAC address set, and sends an authentication-passed instruction to the forwarding plane of the network access device, instructing the forwarding plane to re-establish the control table entry containing the identifier of the user equipment, or to change the action of that control table entry to permit forwarding, so that the forwarding plane of the network access device can forward the packets sent by the user equipment.
If the control plane of the network access device determines that the source MAC address of the packet does not belong to the allowed MAC address set, the third processing module 404 makes the control plane of the network access device send the packet to the Portal server, instructing the Portal server, together with the authentication server, to perform Portal authentication on the user equipment; or send the source MAC address of the packet to the authentication server, instructing the authentication server to perform MAC authentication on the user equipment.
In this application, when the authentication server has passed the authentication of the user equipment, the control plane of the network access device can add the MAC address of the user equipment to the allowed MAC address set. When the user equipment initiates an online request again after disconnecting from the network, the control plane of the network access device, upon determining that the MAC address of the user equipment belongs to the allowed MAC address set, can instruct the forwarding plane of the network access device to allow the user equipment to access the network. Authentication of the user equipment is thus performed directly by the network access device, which improves authentication speed.
Refer to Fig. 6, which is a schematic structural diagram of another network access device provided by an embodiment of the present invention. The network access device described in this embodiment comprises a first processing module 501, a setting module 502, a receiving module 503, a second processing module 504 and a third processing module 505, where:
The first processing module 501 is configured, after a second network access request sent by the user equipment is received, to make the forwarding plane of the network access device determine that the user equipment has not yet passed authentication and send the second network access request to the control plane of the network access device, the source MAC address of the second network access request being the MAC address of the user equipment.
The first processing module 501 is further configured to make the control plane of the network access device send the source MAC address of the second network access request to the authentication server, instructing the authentication server to authenticate the user equipment based on the source MAC address of the second network access request.
The first processing module 501 is further configured to make the control plane of the network access device receive the authentication result message for the user equipment sent by the authentication server and, when the identity authentication result indicated by the authentication result message is that authentication has passed, to make the control plane of the network access device add the MAC address of the user equipment to the allowed MAC address set and send an authentication-passed instruction to the forwarding plane of the network access device, indicating to the forwarding plane that the user equipment has passed authentication.
In specific implementation, after the first processing module 501 receives the second network access request (that is, the packet) sent by the user equipment, it sends the source MAC address of the packet to the authentication server. The authentication server queries whether a binding relationship corresponding to the source MAC address of the packet (that is, the MAC address of the user equipment) exists in its stored account entries. If such a binding relationship exists in the account entries, the authentication server determines that the MAC authentication of the identity of the user equipment has passed and sends an authentication result message to the control plane of the network access device; if no such binding relationship exists in the account entries, the authentication server determines that the MAC authentication of the identity of the user equipment has not passed and sends an authentication result message to the control plane of the network access device.
Further, if the identity authentication result indicated by the authentication result message is that authentication has passed, the first processing module 501 can make the control plane of the network access device add the MAC address of the user equipment to the allowed MAC address set, thereby caching the MAC address of the user equipment, and send an authentication-passed instruction to the forwarding plane of the network access device, indicating that the forwarding plane can forward packets sent by the user equipment.
The setting module 502 is configured to make the control plane of the network access device set the aging time of the user equipment's MAC address in the allowed MAC address set according to the aging time parameter contained in the authentication result message.
If the authentication result message also contains an aging time parameter set by the authentication server, the setting module 502 makes the control plane of the network access device set the aging time of the user equipment's MAC address in the allowed MAC address set according to that aging time parameter. If the authentication result message lacks an aging time parameter, the setting module 502 can make the control plane of the network access device set the aging time of the user equipment's MAC address in the allowed MAC address set on its own.
Here, the aging time instructs the control plane of the network access device to delete the MAC address of the user equipment from the allowed MAC address set either when the time reaches the moment corresponding to the aging time (for example 00:00:00 on October 1, 2015), or when the time elapsed since the MAC address of the user equipment was added to the allowed MAC address set reaches the duration corresponding to the aging time (for example 7*24 hours).
The receiving module 503 is configured to receive the first network access request sent by the user equipment.
The second processing module 504 is configured, after the user equipment has disconnected from the network and when the receiving module receives the first network access request, to make the forwarding plane of the network access device determine that the user equipment has not yet passed authentication and send the first network access request to the control plane of the network access device, the source MAC address of the first network access request being the MAC address of the user equipment.
The third processing module 505 is configured to make the control plane of the network access device determine that the source MAC address of the first network access request belongs to the allowed MAC address set, and send an authentication-passed instruction to the forwarding plane of the network access device, indicating to the forwarding plane that the user equipment has passed authentication.
In this application, when the authentication server has passed the MAC authentication of the identity of the user equipment, or when, after that MAC authentication has failed, the authentication server together with the Portal server has passed the Portal authentication of the identity of the user equipment, the control plane of the network access device can add the MAC address of the user equipment to the allowed MAC address set. When the user equipment initiates an online request again after disconnecting from the network, the control plane of the network access device, upon determining that the MAC address of the user equipment belongs to the allowed MAC address set, can instruct the forwarding plane of the network access device to allow the user equipment to access the network. Authentication of the user equipment is thus performed directly by the network access device, which improves authentication speed.
Referring to Fig. 7, which is a schematic structural diagram of yet another network access device provided by an embodiment of the present invention. The network access device described in this embodiment comprises a first processing module 601, a setting module 602, a receiving module 603, a second processing module 604 and a third processing module 605, wherein:
First processing module 601, configured to, after a third network access request sent by the user equipment is received, cause the forwarding plane of the network access device to determine that the user equipment has not yet passed authentication and to send the third network access request to the control plane of the network access device.
The first processing module 601 is further configured to cause the control plane of the network access device to redirect the third network access request to a Portal server.
The first processing module 601 is further configured to cause the control plane of the network access device to receive the authentication data sent by the Portal server and to send the authentication data to the authentication server, to instruct the authentication server to authenticate the identity of the user equipment on the basis of the authentication data.
The first processing module 601 is further configured to cause the control plane of the network access device to receive the authentication result message for the user equipment sent by the authentication server.
The first processing module 601 is further configured to cause the control plane of the network access device, when the identity authentication result indicated by the authentication result message is that authentication passed, to add the MAC address of the user equipment to the permitted MAC address set and to send an authentication-passed indication to the forwarding plane of the network access device, to indicate to the forwarding plane of the network access device that the user equipment has passed authentication.
Specifically, the first processing module 601 can cause the control plane of the network access device to redirect the request to the authentication page provided by the Portal server. The user enters authentication data such as a user name and password on that page through the user equipment; the Portal server obtains this authentication data and sends it to the control plane of the network access device. The first processing module 601 then causes the control plane of the network access device to send the authentication data to the authentication server, which authenticates the identity of the user equipment on the basis of the authentication data and sends an authentication result message to the control plane of the network access device.
Setting module 602, configured to cause the control plane of the network access device to set the aging time of the MAC address of the user equipment in the permitted MAC address set according to the aging time parameter carried in the authentication result message.
If the authentication result message also carries an aging time parameter set by the authentication server, the setting module 602 causes the control plane of the network access device to set the aging time of the MAC address of the user equipment in the permitted MAC address set according to that aging time parameter. If the authentication result message carries no aging time parameter, the setting module 602 can cause the control plane of the network access device to set the aging time of the MAC address of the user equipment in the permitted MAC address set on its own.
The aging time instructs the control plane of the network access device to delete the MAC address of the user equipment from the permitted MAC address set either when the clock reaches the moment corresponding to the aging time (for example 00:00:00 on 1 October 2015), or when the time elapsed since the MAC address of the user equipment was added to the permitted MAC address set reaches the duration corresponding to the aging time (for example 7 × 24 hours).
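The aging semantics just described, as an added worked example (illustrative code written for this page, not the patent's or Huawei's implementation). It keeps the permitted-MAC set as a map from MAC address to an absolute expiry instant, accepts an aging parameter given either as a moment or as a duration, falls back to an assumed device default of 7 × 24 hours when the server sends none, and deletes expired entries on a sweep. The `("at", epoch)` / `("for", seconds)` encoding, the `DEFAULT_AGING_SECONDS` constant and the `PermittedMacSet` class name are assumptions of the example; the patent does not fix a format for the parameter.

```python
"""Aging of entries in the permitted-MAC-address set (added example, not the patent's code)."""
import time

# Assumed device default, used when the authentication result carries no aging parameter.
DEFAULT_AGING_SECONDS = 7 * 24 * 3600


def expiry_from_parameter(aging, added_at):
    """Turn the server's aging parameter into an absolute expiry instant (epoch seconds).

    The tagged encodings are an assumption of this example; the patent only says the
    parameter may denote a moment or a duration:
      None              -> no parameter sent: the device picks its own default
      ("at", epoch)     -> delete when the clock reaches that moment
      ("for", seconds)  -> delete once that much time has elapsed since the entry was added
    """
    if aging is None:
        return added_at + DEFAULT_AGING_SECONDS
    kind, value = aging
    if kind == "at":
        return float(value)
    if kind == "for":
        if value <= 0:
            raise ValueError("aging duration must be positive")
        return added_at + float(value)
    raise ValueError(f"unknown aging parameter: {aging!r}")


class PermittedMacSet:
    """Permitted-MAC set kept by the control plane; every entry carries its expiry instant."""

    def __init__(self):
        self._expiry = {}  # normalized MAC -> expiry epoch seconds

    @staticmethod
    def _key(mac):
        # "00-11-22-33-44-55" and "00:11:22:33:44:55" must name the same entry
        return mac.replace("-", ":").lower()

    def add(self, mac, aging=None, now=None):
        """Add (or refresh) the entry; 'now' is the moment the MAC is added to the set."""
        now = time.time() if now is None else now
        self._expiry[self._key(mac)] = expiry_from_parameter(aging, now)

    def contains(self, mac, now=None):
        """Membership test for the reconnect fast path.  An entry whose aging time has
        arrived no longer counts, even if the sweep has not run yet."""
        now = time.time() if now is None else now
        exp = self._expiry.get(self._key(mac))
        return exp is not None and now < exp

    def sweep(self, now=None):
        """Delete every entry whose aging time has arrived; returns the removed MACs,
        earliest expiry first."""
        now = time.time() if now is None else now
        expired = sorted((exp, mac) for mac, exp in self._expiry.items() if exp <= now)
        for _, mac in expired:
            del self._expiry[mac]
        return [mac for _, mac in expired]

    def __len__(self):
        return len(self._expiry)
```

`contains` is the check the control plane would make on a reconnect; it treats an entry whose aging time has arrived as absent even before the sweep runs, so a late sweep cannot extend the window in which a MAC is admitted without the authentication server being consulted.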
Receiving module 603, configured to receive the first network access request sent by the user equipment.
Second processing module 604, configured to, after the user equipment has disconnected from the network, when the receiving module receives the first network access request, cause the forwarding plane of the network access device to determine that the user equipment has not yet passed authentication and to send the first network access request to the control plane of the network access device, the source MAC address of the first network access request being the MAC address of the user equipment.
Third processing module 605, configured to cause the control plane of the network access device to determine that the source MAC address of the first network access request belongs to the permitted MAC address set, and to send an authentication-passed indication to the forwarding plane of the network access device, to indicate to the forwarding plane of the network access device that the user equipment has passed authentication.
In this application, when the authentication server together with the Portal server passes the Portal authentication of the identity of the user equipment, the control plane of the network access device may add the MAC address of the user equipment to the permitted MAC address set. When the user equipment initiates an online request again after disconnecting from the network, the control plane of the network access device, upon determining that the MAC address of the user equipment belongs to the permitted MAC address set, can instruct the forwarding plane of the network access device to allow the user equipment to access the network. The network access device thus authenticates the user equipment directly, which speeds up authentication.
Referring to Fig. 8, which is a schematic structural diagram of a further network access device provided by an embodiment of the present invention. The network access device described in this embodiment comprises a forwarding circuit 701, a control circuit 702 and an interface 703. The forwarding circuit 701, the control circuit 702 and the interface 703 may be connected by a bus or connected in another way.
The interface 703 connects to other network devices. For example, the interface 703 comprises several interfaces connected respectively to the user equipment, the Portal server and the service device. The interface 703 may be a wired interface, a wireless interface or a combination of the two. A wired interface may, for example, be an Ethernet interface, which may be an optical interface, an electrical interface or a combination of the two. A wireless interface may, for example, be a wireless local area network (WLAN) interface, a cellular network interface or a combination of the two.
The control circuit 702 implements the control plane of the embodiments of the present invention. The control circuit 702 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The control circuit 702 may also be the core that implements the control plane in a multi-core CPU or a multi-core NP.
The forwarding circuit 701 implements the forwarding plane of the embodiments of the present invention. The forwarding circuit 701 may comprise an NP (or the core that implements the forwarding plane in a multi-core NP), a hardware chip, or the core that implements the forwarding plane in a multi-core CPU. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of the two. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these.
If the control circuit 702 or the forwarding circuit 701 comprises a CPU, the network access device may further comprise a memory. The memory stores a program that instructs the CPU to carry out the work of the control plane or of the forwarding plane. The memory may comprise volatile memory, for example random-access memory (RAM); the memory may also comprise non-volatile memory, for example read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory may also comprise a combination of the above kinds of memory.
The control circuit 702 is configured to add the MAC address of the user equipment to a permitted medium access control (MAC) address set when the authentication server passes the identity authentication of the user equipment.
The interface 703 is configured to receive, after the user equipment has disconnected from the network, the first network access request sent by the user equipment.
The forwarding circuit 701 is configured to determine, according to the source MAC address of the first network access request, that the user equipment has not yet passed authentication, and to send the first network access request to the control circuit 702; the source MAC address of the first network access request is the MAC address of the user equipment.
The control circuit 702 is further configured to determine that the source MAC address of the first network access request belongs to the permitted MAC address set, and to send an authentication-passed indication to the forwarding circuit 701, to indicate to the forwarding circuit 701 that the user equipment has passed authentication.
One specific way in which the control circuit 702 adds the MAC address of the user equipment to the permitted MAC address set when the authentication server passes the identity authentication of the user equipment may be the following:
The interface 703 receives the second network access request sent by the user equipment.
The forwarding circuit 701 determines, according to the source MAC address of the second network access request, that the user equipment has not yet passed authentication, and sends the second network access request to the control circuit 702; the source MAC address of the second network access request is the MAC address of the user equipment.
The control circuit 702 sends the source MAC address of the second network access request to the authentication server, to instruct the authentication server to authenticate the identity of the user equipment on the basis of the source MAC address of the second network access request.
The control circuit 702 receives the authentication result message for the user equipment sent by the authentication server and, when the identity authentication result indicated by the authentication result message is that authentication passed, the control circuit 702 adds the MAC address of the user equipment to the permitted MAC address set and sends an authentication-passed indication to the forwarding circuit 701, to indicate to the forwarding circuit 701 that the user equipment has passed authentication.
Another specific way in which the control circuit 702 adds the MAC address of the user equipment to the permitted MAC address set when the authentication server passes the identity authentication of the user equipment may be the following:
The interface 703 receives the third network access request sent by the user equipment.
The forwarding circuit 701 determines, according to the source MAC address of the third network access request, that the user equipment has not yet passed authentication, and sends the third network access request to the control circuit 702.
The control circuit 702 redirects the third network access request to a Portal server.
The control circuit 702 receives the authentication data sent by the Portal server and sends the authentication data to the authentication server, to instruct the authentication server to authenticate the identity of the user equipment on the basis of the authentication data.
The control circuit 702 receives the authentication result message for the user equipment sent by the authentication server.
When the identity authentication result indicated by the authentication result message is that authentication passed, the control circuit 702 adds the MAC address of the user equipment to the permitted MAC address set and sends an authentication-passed indication to the forwarding circuit 701, to indicate to the forwarding circuit 701 that the user equipment has passed authentication.
When the identity authentication result indicated by the authentication result message is that authentication passed, the authentication result message also carries an aging time parameter set by the authentication server, and the control circuit 702 is further configured to set the aging time of the MAC address of the user equipment in the permitted MAC address set according to that aging time parameter.
In this application, when the authentication server passes the identity authentication of the user equipment, the control plane of the network access device may add the MAC address of the user equipment to the permitted MAC address set. When the user equipment initiates an online request again after disconnecting from the network, the control plane of the network access device, upon determining that the MAC address of the user equipment belongs to the permitted MAC address set, can instruct the forwarding plane of the network access device to allow the user equipment to access the network. The network access device thus authenticates the user equipment directly, which speeds up authentication.
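The exchange described in the module embodiments (Figs. 6 and 7) and the circuit embodiment (Fig. 8) above, and claimed in claims 1 to 3, as an added example that is not part of the patent. The forwarding plane punts a request from a MAC it has not marked authenticated to the control plane; the control plane admits the MAC locally if it is already in the permitted set, otherwise it tries MAC authentication at the authentication server and, if that fails, the Portal path. The authentication server, the Portal server, the user name `alice`, the password and the MAC addresses are constructed stand-ins so the exchange runs offline; aging of set entries is omitted here. Note what the fast path trusts: membership is keyed on the source MAC alone, so after the first successful authentication any request carrying that MAC is admitted without the server being consulted until the entry ages out, and the aging time is therefore the only bound on that trust.

```python
"""Forwarding plane / control plane split with a permitted-MAC set (added example, not the patent's code).

A network access request is represented by its source MAC address; both servers are
constructed stand-ins so the exchange runs offline.  Aging of set entries is left out.
"""


class AuthServer:
    """Constructed authentication server: MAC authentication against a MAC table, Portal
    authentication against a user table.  Every request is logged so a caller can see
    which requests actually reached the server."""

    def __init__(self, known_macs=(), users=()):
        self.known_macs = set(known_macs)
        self.users = dict(users)
        self.log = []

    def mac_auth(self, mac):
        self.log.append(("mac", mac))
        return {"result": mac in self.known_macs}

    def portal_auth(self, credentials):
        user = credentials.get("username")
        self.log.append(("portal", user))
        return {"result": user in self.users and self.users[user] == credentials.get("password")}


class PortalServer:
    """Constructed Portal server: returns what the user typed on the authentication page, or None."""

    def __init__(self, typed_by_mac=()):
        self.typed_by_mac = dict(typed_by_mac)

    def present_page(self, mac):
        return self.typed_by_mac.get(mac)


class ForwardingPlane:
    """Forwards traffic of MACs marked authenticated; punts everything else to the control plane."""

    def __init__(self):
        self.authenticated = set()
        self.control = None  # wired up by ControlPlane

    def on_request(self, src_mac):
        if src_mac in self.authenticated:
            return "forwarded"
        # not yet authenticated: hand the request to the control plane and act on its answer
        return "forwarded" if self.control.on_punted(src_mac) else "dropped"

    def authentication_passed(self, mac):
        self.authenticated.add(mac)

    def offline(self, mac):
        self.authenticated.discard(mac)  # the user went offline; forwarding state is cleared


class ControlPlane:
    """Keeps the permitted-MAC set and talks to the authentication and Portal servers."""

    def __init__(self, auth_server, portal, forwarding):
        self.auth_server = auth_server
        self.portal = portal
        self.forwarding = forwarding
        forwarding.control = self
        self.permitted = set()

    def on_punted(self, mac):
        if mac in self.permitted:  # claim 1: admitted locally, the server is not contacted
            self.forwarding.authentication_passed(mac)
            return True
        if self.auth_server.mac_auth(mac)["result"]:  # claim 2: MAC authentication
            return self._admit(mac)
        creds = self.portal.present_page(mac)  # claim 3: redirect to the Portal server
        if creds is not None and self.auth_server.portal_auth(creds)["result"]:
            return self._admit(mac)
        return False

    def _admit(self, mac):
        self.permitted.add(mac)
        self.forwarding.authentication_passed(mac)
        return True


def build_device(known_macs=(), users=(), typed_by_mac=()):
    forwarding = ForwardingPlane()
    server = AuthServer(known_macs, users)
    control = ControlPlane(server, PortalServer(typed_by_mac), forwarding)
    return forwarding, control, server


def run_scenario():
    """First access passes through the Portal path; the reconnect never reaches the server;
    an unknown MAC that types nothing at the Portal is dropped."""
    mac = "00:11:22:33:44:55"  # constructed
    forwarding, _, server = build_device(
        users={"alice": "s3cret"},
        typed_by_mac={mac: {"username": "alice", "password": "s3cret"}},
    )
    first = forwarding.on_request(mac)
    server_calls_first = len(server.log)
    forwarding.offline(mac)
    again = forwarding.on_request(mac)
    stranger = forwarding.on_request("66:77:88:99:aa:bb")
    return {"first": first, "again": again, "stranger": stranger,
            "server_calls_first": server_calls_first, "log": list(server.log)}


if __name__ == "__main__":
    print(run_scenario())
```

Running `run_scenario()` shows the saving the patent is after: the first access costs one MAC authentication and one Portal authentication at the server, while the reconnect after `offline()` is decided entirely on the network access device, and only the unknown MAC generates a further server request.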
A person of ordinary skill in the art will appreciate that all or part of the procedures in the methods of the above embodiments may be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may comprise the procedures of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random-access memory (RAM) or the like.
The above discloses only preferred embodiments of the present invention and certainly cannot limit the scope of rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of a network architecture based on Portal authentication provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an authentication method for a network connection provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another authentication method for a network connection provided by an embodiment of the present invention;
Fig. 4 is a schematic flowchart of yet another authentication method for a network connection provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a network access device provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another network access device provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of yet another network access device provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a further network access device provided by an embodiment of the present invention.
Embodiments
To simplify user operation, the authentication server can record the MAC address of the user equipment after the user equipment passes Portal authentication for the first time. When the user equipment accesses the network again, the network access device sends the MAC address of the user equipment to the authentication server, which checks whether it holds a record matching that MAC address; if it does, it instructs the network access device to allow the user equipment to access the network, so the user need not enter authentication data manually. In this authentication scheme, however, every time the user equipment goes offline and then comes online again to access the network, the authentication server has to authenticate the MAC address of the user equipment, which increases the processing load on the authentication server and makes authentication slower.
The technical solutions in the embodiments of the present invention are described clearly below with reference to the accompanying drawings of the embodiments.
The embodiments of the present invention provide an authentication method for a network connection and a network access device, by which the network access device can authenticate the user equipment directly and thereby speed up authentication. Each is described in detail below.

Claims (8)

1. An authentication method for a network connection, characterized in that it comprises:
a network access device adding, when an authentication server passes the identity authentication of a user equipment, the MAC address of the user equipment to a permitted medium access control (MAC) address set;
after the user equipment has disconnected from the network, when the network access device receives a first network access request sent by the user equipment, the forwarding plane of the network access device determining that the user equipment has not yet passed authentication and sending the first network access request to the control plane of the network access device, the source MAC address of the first network access request being the MAC address of the user equipment;
the control plane of the network access device determining that the source MAC address of the first network access request belongs to the permitted MAC address set, and the control plane of the network access device then sending an authentication-passed indication to the forwarding plane of the network access device, to indicate to the forwarding plane of the network access device that the user equipment has passed authentication.
2. The method according to claim 1, characterized in that the network access device adding the MAC address of the user equipment to the permitted MAC address set when the authentication server passes the identity authentication of the user equipment comprises:
after the network access device receives a second network access request sent by the user equipment, the forwarding plane of the network access device determining that the user equipment has not yet passed authentication and sending the second network access request to the control plane of the network access device, the source MAC address of the second network access request being the MAC address of the user equipment;
the control plane of the network access device sending the source MAC address of the second network access request to the authentication server, to instruct the authentication server to authenticate the identity of the user equipment on the basis of the source MAC address of the second network access request;
the control plane of the network access device receiving an authentication result message for the user equipment sent by the authentication server and, when the identity authentication result indicated by the authentication result message is that authentication passed, the control plane of the network access device adding the MAC address of the user equipment to the permitted MAC address set and sending an authentication-passed indication to the forwarding plane of the network access device, to indicate to the forwarding plane of the network access device that the user equipment has passed authentication.
3. The method according to claim 1, characterized in that the network access device adding the MAC address of the user equipment to the permitted MAC address set when the authentication server passes the identity authentication of the user equipment comprises:
after the network access device receives a third network access request sent by the user equipment, the forwarding plane of the network access device determining that the user equipment has not yet passed authentication and sending the third network access request to the control plane of the network access device;
the control plane of the network access device redirecting the third network access request to a Portal server;
the control plane of the network access device receiving authentication data sent by the Portal server and sending the authentication data to the authentication server, to instruct the authentication server to authenticate the identity of the user equipment on the basis of the authentication data;
the control plane of the network access device receiving an authentication result message for the user equipment sent by the authentication server;
when the identity authentication result indicated by the authentication result message is that authentication passed, the control plane of the network access device adding the MAC address of the user equipment to the permitted MAC address set and sending an authentication-passed indication to the forwarding plane of the network access device, to indicate to the forwarding plane of the network access device that the user equipment has passed authentication.
4. The method according to claim 2 or 3, characterized in that, when the identity authentication result indicated by the authentication result message is that authentication passed, the authentication result message further carries an aging time parameter set by the authentication server, and the method further comprises:
the control plane of the network access device setting, according to the aging time parameter, the aging time of the MAC address of the user equipment in the permitted MAC address set.
5. A network access device, characterized in that it comprises:
a first processing module, configured to add, when an authentication server passes the identity authentication of a user equipment, the MAC address of the user equipment to a permitted medium access control (MAC) address set;
a receiving module, configured to receive a first network access request sent by the user equipment;
a second processing module, configured to, after the user equipment has disconnected from the network, when the receiving module receives the first network access request, cause the forwarding plane of the network access device to determine that the user equipment has not yet passed authentication and to send the first network access request to the control plane of the network access device, the source MAC address of the first network access request being the MAC address of the user equipment;
a third processing module, configured to cause the control plane of the network access device to determine that the source MAC address of the first network access request belongs to the permitted MAC address set, and to send an authentication-passed indication to the forwarding plane of the network access device, to indicate to the forwarding plane of the network access device that the user equipment has passed authentication.
6. The device according to claim 5, characterized in that the first processing module is further configured to, after a second network access request sent by the user equipment is received, cause the forwarding plane of the network access device to determine that the user equipment has not yet passed authentication and to send the second network access request to the control plane of the network access device, the source MAC address of the second network access request being the MAC address of the user equipment;
the first processing module is further configured to cause the control plane of the network access device to send the source MAC address of the second network access request to the authentication server, to instruct the authentication server to authenticate the identity of the user equipment on the basis of the source MAC address of the second network access request;
the first processing module is further configured to cause the control plane of the network access device to receive an authentication result message for the user equipment sent by the authentication server and, when the identity authentication result indicated by the authentication result message is that authentication passed, to cause the control plane of the network access device to add the MAC address of the user equipment to the permitted MAC address set and to send an authentication-passed indication to the forwarding plane of the network access device, to indicate to the forwarding plane of the network access device that the user equipment has passed authentication.
7. The device according to claim 5, characterized in that the first processing module is further configured to, after a third network access request sent by the user equipment is received, cause the forwarding plane of the network access device to determine that the user equipment has not yet passed authentication and to send the third network access request to the control plane of the network access device;
the first processing module is further configured to cause the control plane of the network access device to redirect the third network access request to a Portal server;
the first processing module is further configured to cause the control plane of the network access device to receive authentication data sent by the Portal server and to send the authentication data to the authentication server, to instruct the authentication server to authenticate the identity of the user equipment on the basis of the authentication data;
the first processing module is further configured to cause the control plane of the network access device to receive an authentication result message for the user equipment sent by the authentication server;
the first processing module is further configured to cause the control plane of the network access device, when the identity authentication result indicated by the authentication result message is that authentication passed, to add the MAC address of the user equipment to the permitted MAC address set and to send an authentication-passed indication to the forwarding plane of the network access device, to indicate to the forwarding plane of the network access device that the user equipment has passed authentication.
8. The device according to claim 6 or 7, characterized in that, when the identity authentication result indicated by the authentication result message is that authentication passed, the authentication result message further carries an aging time parameter set by the authentication server, and the device further comprises:
a setting module, configured to cause the control plane of the network access device to set, according to the aging time parameter, the aging time of the MAC address of the user equipment in the permitted MAC address set.
Application CN201510584951.2A, filed 2015-09-15 (priority date 2015-09-15): Authentication method of network connection and network access device. Legal status: Withdrawn.

Publication: CN105141618A (en), published 2015-12-09. Family ID: 54726826. Country: CN.
Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603491A (en) * 2016-11-10 2017-04-26 上海斐讯数据通信技术有限公司 Portal authentication method based on https protocol, and router
CN106936804A (en) * 2015-12-31 2017-07-07 华为技术有限公司 A kind of access control method and authenticating device
CN107682372A (en) * 2017-11-21 2018-02-09 北京安博通科技股份有限公司 User profile for Portal escapes obtains and authentication method, device and access device
CN108600207A (en) * 2018-04-12 2018-09-28 清华大学 Network authentication based on 802.1X and SAVI and access method
CN109391601A (en) * 2017-08-10 2019-02-26 华为技术有限公司 A kind of method, device and equipment of granting terminal network legal power
CN109391699A (en) * 2018-12-04 2019-02-26 深圳绿米联创科技有限公司 Device network configuration method, device and server
CN112054908A (en) * 2020-09-08 2020-12-08 上海市特种设备监督检验技术研究院 Forklift safety supervision system and supervision method based on biological recognition
CN112839331A (en) * 2019-11-22 2021-05-25 武汉神州数码云科网络技术有限公司 User information authentication method for wireless local area network Portal authentication escape
CN113329454A (en) * 2020-02-29 2021-08-31 华为技术有限公司 Method, network element, system and equipment for releasing route
CN115243258A (en) * 2022-06-30 2022-10-25 上海兴容信息技术有限公司 Network access authentication method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101668017A (en) * 2009-09-16 2010-03-10 杭州华三通信技术有限公司 Authentication method and equipment
CN102238543A (en) * 2010-04-27 2011-11-09 杭州华三通信技术有限公司 Wireless Portal authentication method and access controller
CN102984173A (en) * 2012-12-13 2013-03-20 迈普通信技术股份有限公司 Network access control method and system
CN104869571A (en) * 2015-05-19 2015-08-26 杭州华三通信技术有限公司 Rapid portal authentication method and device

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106936804A (en) * 2015-12-31 2017-07-07 华为技术有限公司 A kind of access control method and authenticating device
CN106936804B (en) * 2015-12-31 2020-04-28 华为技术有限公司 Access control method and authentication equipment
CN106603491B (en) * 2016-11-10 2020-09-25 深圳维盟科技股份有限公司 Portal authentication method based on https protocol and router
CN106603491A (en) * 2016-11-10 2017-04-26 上海斐讯数据通信技术有限公司 Portal authentication method based on https protocol, and router
CN109391601A (en) * 2017-08-10 2019-02-26 华为技术有限公司 A kind of method, device and equipment of granting terminal network legal power
CN109391601B (en) * 2017-08-10 2021-02-12 华为技术有限公司 Method, device and equipment for granting terminal network permission
CN107682372A (en) * 2017-11-21 2018-02-09 北京安博通科技股份有限公司 User information acquisition and authentication method, device and access device for Portal escape
CN108600207A (en) * 2018-04-12 2018-09-28 清华大学 Network authentication based on 802.1X and SAVI and access method
CN108600207B (en) * 2018-04-12 2020-05-15 清华大学 Network authentication and access method based on 802.1X and SAVI
CN109391699A (en) * 2018-12-04 2019-02-26 深圳绿米联创科技有限公司 Device network configuration method, device and server
CN109391699B (en) * 2018-12-04 2022-01-21 深圳绿米联创科技有限公司 Equipment network configuration method and device and server
CN112839331A (en) * 2019-11-22 2021-05-25 武汉神州数码云科网络技术有限公司 User information authentication method for wireless local area network Portal authentication escape
CN113329454A (en) * 2020-02-29 2021-08-31 华为技术有限公司 Method, network element, system and equipment for releasing route
CN112054908A (en) * 2020-09-08 2020-12-08 上海市特种设备监督检验技术研究院 Forklift safety supervision system and supervision method based on biological recognition
CN115243258A (en) * 2022-06-30 2022-10-25 上海兴容信息技术有限公司 Network access authentication method and system

Similar Documents

Publication Publication Date Title
CN105141618A (en) Authentication method of network connection and network access device
US20180309756A1 (en) Identity Authentication Method and Apparatus
JP6515207B2 (en) Internet access authentication method and client, and computer storage medium
CN108881308B (en) User terminal and authentication method, system and medium thereof
CN104364790B (en) System and method for implementing dual factor authentication
CN105101194A (en) Terminal security authentication method, device and system
KR20140064957A (en) Mobile device authentication and access to a social network
CN104507080A (en) File processing method and terminal
US8910261B2 (en) Radius policy multiple authenticator support
CN105554146A (en) Remote access method and device
CN105471824A (en) Method, device and system for invoking local service assembly by means of browser
CN103024043A (en) Method, server and system for sharing data
US20120131076A1 (en) File sharing method and file sharing system utilizing the same
US20160261573A1 (en) Enrollment in a Device-to-Device Network
CN105657781A (en) Method and device for accessing WiFi network
CN104468552A (en) Access control method and device
CN104065674A (en) Terminal device and information processing method
CN102984261A (en) Network service login method, equipment and system based on mobile telephone terminal
CN105099874A (en) Method and device for group establishment
CN103067465B (en) File sharing method and system
CN104869107A (en) Identity authentication method, wearable equipment, authentication server and system thereof
CN104469772A (en) Website equipment authentication method and device and authentication system
CN112261003A (en) Safety authentication method and system for industrial internet edge computing node
CN105451228A (en) Information processing method and device
JP2015158838A (en) Portable terminal device, authentication server, and authentication system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (Application publication date: 20151209)