CN106789884A - A portal authentication method and system - Google Patents
Publication number: CN106789884A (application CN201611024960.7A)
Authority: CN (China)
Prior art keywords: wireless, address, devices, wireless terminal, portal
Legal status: Pending (Google's note: the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; H04L63/00—Network architectures or network communication protocols for network security)
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00—Network arrangements or protocols for supporting network services or applications; H04L67/01—Protocols)
Abstract
The invention discloses a portal authentication method and system comprising the steps: S100, the wireless terminal determines whether an IP address has been entered in the address bar for the portal authentication page; if so, step S200 is performed, otherwise step S400. S200, the wireless AP device determines whether that IP address is the IP address of the authentication server; if so, step S400 is performed, otherwise step S300. S300, the wireless AP device intercepts the TCP connection packet destined for the authentication server and completes the TCP connection with the wireless terminal itself. S400, the wireless terminal is redirected to request the portal authentication page and completes portal authentication. The invention avoids the problem that a user who enters an IP address unreachable on the network cannot undergo portal authentication, while still authenticating the case in which the user enters a domain name.
Description
Technical field
The present invention relates to the field of network authentication security, and in particular to a portal authentication method and system.
Background art
In business environments there is a kind of Wi-Fi network in which a wireless terminal, after joining, cannot reach the Internet directly; instead a specific web page appears in the browser asking the user to enter authentication information, which is submitted to a back-end server, and once the server has verified the user's identity the user is allowed onto the Internet. This authentication mode is called "portal authentication". A wireless AP device (Wireless Access Point) is the wireless equivalent of a switch: it is the access point through which wireless terminals use the wired network, and it is used mainly in home broadband, enterprise internal networks and business deployments. Portal authentication, also called "web portal authentication", works as follows: when an unauthenticated user on a wireless terminal wants to go online, the user is first forced to a specific authentication website, fills in login information, and sends it to the authentication server; after the server back end has verified it, the user is released and can use network resources.
Portal authentication is one of the popular techniques for wireless network access authentication: when a user joins a wireless network, the portal page pops up automatically and prompts the user to enter account information to complete access authentication. To make access more convenient, a wireless network operator may temporarily remember the MAC address (the physical or hardware address) of the user's STA, so that at the next authentication no account entry is needed and the user is passed without authenticating. Other operators, to improve the user experience and the reach of their advertising, force an advertisement when the user connects; once the user clicks on or finishes watching the advertisement page, the user is online. These optimised authentication modes do improve access efficiency and the real user experience, but they also create security risks. In the existing portal authentication process, the STA first associates with an SSID of the wireless AP device; the AP requires the STA to perform portal authentication and hijacks the user's first HTTP Request. The AP answers that HTTP Request with an HTTP 302 redirect to the portal server URL, carrying the STA's MAC address taken from the STA's original message. The STA then takes the redirect URL and its MAC and issues a new HTTP Request to the portal server with that URL and MAC. Under the current protocols, when the user types a domain name into the browser (such as HTTP://www.sina.com.cn/ or "www.sina.com.cn"), the browser sends a DNS query to the DNS server to look up the IP address of that name, performs a TCP three-way handshake with that IP address, and only after the connection is established sends an HTTP packet to that address requesting the site's home page.
The shortcoming of the prior art is obvious when the user types an IP address directly into the browser: according to the HTTP request procedure no DNS query is sent, and the browser establishes a TCP connection with that IP address directly. If the IP address has not been assigned to any host on the intranet or on the Internet, or has been assigned but the host is powered off, the TCP connection fails, and once the TCP connection fails no subsequent HTTP request is made, let alone portal authentication.
Summary of the invention
The present invention provides a portal authentication method and system whose object is to solve the problem of still redirecting the user to the portal authentication page, so that portal authentication can proceed, after the user has entered an IP address in the browser.
The technical solution provided by the present invention is as follows:
A portal authentication method comprising the steps:
S100: the wireless terminal determines whether an IP address has been entered in the address bar for the portal authentication page; if so, step S200 is performed; otherwise step S400 is performed;
S200: the wireless AP device determines whether that IP address is the IP address of the authentication server; if so, step S400 is performed; otherwise step S300 is performed;
S300: the wireless AP device intercepts the TCP connection packet destined for the authentication server, so that the wireless AP device itself completes the TCP connection with the wireless terminal;
S400: the wireless terminal is redirected to request the portal authentication page and completes portal authentication.
When a wireless terminal opens a web page or another application, an online request message is triggered. In many cases the user goes straight to a web navigation home page, but if the user enters an IP address in the browser and that address is not assigned to any host on the intranet or on the Internet, or is assigned but the host is powered off, the TCP connection fails; once the TCP connection fails no subsequent HTTP request is made, the terminal's authentication fails, the terminal cannot pass authentication and cannot obtain access rights. Here the method first determines whether an IP address has been entered in the address bar for the portal authentication page, and then whether that IP address is the authentication server's. If the input is an IP address other than the authentication server's, the wireless AP device intercepts the TCP connection packet destined for the authentication server and completes the TCP connection with the wireless terminal itself, after which the terminal is redirected to request the portal authentication page and completes portal authentication. If the input is not an IP address, that is, it is a domain name, then the authentication server, on receiving the terminal's online request, parses the terminal's MAC address out of the request message and answers the request with a redirection message carrying the redirect address and the parsed MAC address; the terminal opens the portal authentication interface according to this redirection message, sends an authentication request to the redirect address, and completes portal authentication. If the input is an IP address that is the IP address of the portal URL, the wireless AP device does not intercept what the terminal sends to that address but forwards it directly, letting the terminal establish the TCP connection with the portal authentication server itself. This avoids the problem that a user who enters an unreachable IP address cannot be portal-authenticated, without any negative effect on the case where the user enters a domain name. When the intranet and the Internet are congested or slow, a user who already knows the IP address corresponding to the URL can enter that IP address directly to connect for portal authentication, which greatly speeds up the portal authentication process.
Further, step S300 comprises the steps:
S310: the wireless AP device intercepts the SYN handshake packet sent by the wireless terminal and constructs a SYN ACK handshake packet;
S320: the wireless AP device sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet;
S330: the wireless terminal receives the SYN ACK handshake packet and sends an ACK handshake packet to the wireless AP device;
S340: the wireless terminal sends an HTTP packet to the wireless AP device.
In the present invention the wireless AP device works in bridge mode. A hook function (HOOK function) registered in the AP's embedded Linux kernel directly intercepts the TCP SYN packet sent by the wireless terminal, that is, the first handshake packet. Inside the hook function the second-handshake message, the SYN ACK, is constructed directly and sent to the wireless terminal through the kernel's send function; the first-handshake message is then discarded, so it is never forwarded by the AP. After the second handshake, when the wireless terminal receives the SYN ACK message it sends the ACK packet of the third handshake. The TCP connection is thus completed between the wireless terminal and the wireless AP device in a very short time, which greatly increases connection speed.
Further, step S310 comprises the steps:
S311: the wireless terminal sends the TCP connection request packet to the wireless AP device;
S312: the wireless AP device obtains the first packet sent by the wireless terminal;
S313: the wireless AP device parses the first packet to obtain its data information and field parameters;
S314: the wireless AP device determines from the data information whether the flag bits meet the preset judgment condition; if so, step S315 is performed;
S315: the first packet obtained is the SYN handshake packet;
S316: the wireless AP device, according to a preset interception instruction, prevents the wireless AP device from forwarding the SYN handshake packet to the authentication server;
S317: the wireless AP device constructs the SYN ACK handshake packet from the field parameters.
In the present invention a hook function is registered in the kernel. Because the wireless AP device operates in bridge mode, what is intercepted are the packets forwarded by the AP (packets addressed to the AP itself are not processed at all), so the HOOK point is placed at NF_IP_FORWARD. On the first connection attempt of a TCP connection the SYN flag bit of the TCP header is 1. The skb_buf data hooked out of the kernel is parsed, and when the TCP header has been parsed a judgment is made: when the flag bits meet the condition "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0", the packet is the first-handshake packet of a TCP connection. The necessary fields of this packet, such as the source MAC address, destination MAC address, source IP address and destination IP address, are parsed out; these important field parameters are the data needed to construct the SYN ACK packet afterwards. The SYN ACK packet is then constructed from the parsed parameters. Constructing a SYN ACK packet in the kernel is straightforward and is not described here in detail; assuming the packet has been constructed, by the TCP protocol the SYN ACK is the second-handshake packet, so once built it is sent from the AP's kernel directly to the wireless terminal, and immediately after sending it the first-handshake SYN packet is dropped inside the AP (kernel code NF_DROP) and never reaches the host owning that IP address. When the wireless terminal receives the SYN ACK sent by the AP and has confirmed it, it replies with the third-handshake ACK and then sends HTTP packets to the AP; the remaining flow is the same as the routine portal flow and is not described further. Note, however, that the IP address of the portal URL must be whitelisted: what the terminal sends to the portal URL's IP address is not intercepted but forwarded directly, so that the terminal establishes its TCP connection with the portal server itself.
Further, the field parameters comprise the source MAC address, destination MAC address, source IP address and destination IP address, and the preset judgment condition is that the flag bits meet "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0".
Further, the operating mode of the wireless AP device is bridge mode, and a preset interception instruction is provided in the kernel of the wireless AP device.
In the present invention a hook function or callback function is registered in the embedded Linux kernel of the wireless AP device; as long as the interception instruction can be carried out, the manner in which the wireless AP device intercepts the TCP SYN packet sent by the wireless terminal is not limited.
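The mechanism described in this section, and repeated in the system description and the embodiment below, can be modelled outside the kernel. The following C program is an added example written for this page; it is not code from the patent or from any AP firmware. In place of the hook function at NF_IP_FORWARD it uses a plain function that receives one forwarded Ethernet frame, applies the six-flag first-handshake test, exempts the whitelisted portal address, and otherwise constructs the SYN ACK from the parsed MAC addresses, IP addresses and ports, returning a netfilter-style verdict (drop the original SYN, send the reply) with valid IPv4 and TCP checksums. The portal address 10.0.0.1, the unreachable target 203.0.113.7, the terminal's MAC and IP, the ports and the fixed initial sequence number are assumptions made for the example, and the input frame is constructed, not captured.

```c
#include <stdint.h>
#include <string.h>

/* Verdicts modelled on netfilter's NF_DROP / NF_ACCEPT. */
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };
/* TCP flag bits (RFC 793); the ECN bits CWR/ECE (0x80/0x40) are not part of the patent's test. */
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20 };
#define FRAME_LEN 54 /* 14 Ethernet + 20 IPv4 + 20 TCP, no options */

/* Assumptions: a hypothetical portal server (the whitelist) and a constructed unreachable target. */
static const uint8_t PORTAL_IP[4] = {10, 0, 0, 1};
static const uint8_t UNREACHABLE_IP[4] = {203, 0, 113, 7}; /* TEST-NET-3 */
static const uint32_t SYNACK_ISN = 0x12345678u; /* fixed here; a real hook must randomise its ISN */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* One's-complement checksum shared by the IPv4 and TCP headers; folding a valid header gives 0. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) sum += rd16(p);
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
/* TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus the segment. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp, size_t tlen)
{
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, ip + 12, 8); pseudo[9] = 6; wr16(pseudo + 10, (uint16_t)tlen);
    return csum_fold(csum_add(csum_add(0, pseudo, 12), tcp, tlen));
}

/* The patent's first-handshake test: URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0. */
int is_pure_syn(uint8_t flags)
{
    return (flags & (TCP_URG | TCP_ACK | TCP_PSH | TCP_RST | TCP_SYN | TCP_FIN)) == TCP_SYN;
}

/* Fate of one frame seen at the bridge's forward hook. VERDICT_DROP: the AP answers the SYN itself
 * (spoofed SYN-ACK written to out, original never forwarded). VERDICT_ACCEPT: forward unchanged. */
int handle_forwarded_frame(const uint8_t *frame, size_t len, uint8_t out[FRAME_LEN])
{
    if (len < FRAME_LEN || rd16(frame + 12) != 0x0800) return VERDICT_ACCEPT;   /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl + 20 > len || ip[9] != 6) return VERDICT_ACCEPT;
    const uint8_t *tcp = ip + ihl;
    if (!is_pure_syn(tcp[13])) return VERDICT_ACCEPT;              /* only the first handshake */
    if (memcmp(ip + 16, PORTAL_IP, 4) == 0) return VERDICT_ACCEPT; /* whitelist: real server answers */
    /* Second handshake built from the parsed fields: swap MACs, swap IPs, swap ports. */
    memset(out, 0, FRAME_LEN);
    memcpy(out, frame + 6, 6); memcpy(out + 6, frame, 6); wr16(out + 12, 0x0800);
    uint8_t *oip = out + 14, *otcp = oip + 20;
    oip[0] = 0x45; wr16(oip + 2, 40); wr16(oip + 6, 0x4000); oip[8] = 64; oip[9] = 6;
    memcpy(oip + 12, ip + 16, 4); memcpy(oip + 16, ip + 12, 4); /* source = address the STA tried */
    wr16(oip + 10, csum_fold(csum_add(0, oip, 20)));
    memcpy(otcp, tcp + 2, 2); memcpy(otcp + 2, tcp, 2);
    wr32(otcp + 4, SYNACK_ISN); wr32(otcp + 8, rd32(tcp + 4) + 1); /* ack = terminal's ISN + 1 */
    otcp[12] = 0x50; otcp[13] = TCP_SYN | TCP_ACK; wr16(otcp + 14, 65535);
    wr16(otcp + 16, tcp_csum(oip, otcp, 20));
    return VERDICT_DROP;
}

/* Constructed input, not captured traffic: a terminal at 192.168.1.23 opening dst_ip:80. */
static size_t make_frame(uint8_t buf[FRAME_LEN], const uint8_t dst_ip[4], uint32_t seq, uint8_t flags)
{
    static const uint8_t sta_mac[6] = {2, 0x11, 0x22, 0x33, 0x44, 0x55}, gw_mac[6] = {2, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    uint8_t *ip = buf + 14, *tcp = ip + 20;
    memset(buf, 0, FRAME_LEN);
    memcpy(buf, gw_mac, 6); memcpy(buf + 6, sta_mac, 6); wr16(buf + 12, 0x0800);
    ip[0] = 0x45; wr16(ip + 2, 40); ip[8] = 64; ip[9] = 6;
    memcpy(ip + 12, (const uint8_t[4]){192, 168, 1, 23}, 4); memcpy(ip + 16, dst_ip, 4);
    wr16(ip + 10, csum_fold(csum_add(0, ip, 20)));
    wr16(tcp, 40000); wr16(tcp + 2, 80); wr32(tcp + 4, seq); tcp[12] = 0x50; tcp[13] = flags;
    wr16(tcp + 16, tcp_csum(ip, tcp, 20));
    return FRAME_LEN;
}

/* 1 when the hook forwards a segment with these flags to dst unchanged, 0 when it answers it. */
int forwarded_unchanged(const uint8_t dst[4], uint8_t flags)
{
    uint8_t in[FRAME_LEN], out[FRAME_LEN];
    return handle_forwarded_frame(in, make_frame(in, dst, 1, flags), out) == VERDICT_ACCEPT;
}

/* The scenario in the text: a SYN to an address nobody answers. Checks every field of the reply. */
int spoofed_synack_is_valid(void)
{
    uint8_t in[FRAME_LEN], out[FRAME_LEN];
    if (handle_forwarded_frame(in, make_frame(in, UNREACHABLE_IP, 1000, TCP_SYN), out) != VERDICT_DROP) return 0;
    const uint8_t *oip = out + 14, *otcp = oip + 20;
    return memcmp(out, in + 6, 6) == 0 && memcmp(out + 6, in, 6) == 0                      /* MACs swapped */
        && memcmp(oip + 12, UNREACHABLE_IP, 4) == 0 && memcmp(oip + 16, in + 26, 4) == 0   /* IPs swapped */
        && rd16(otcp) == 80 && rd16(otcp + 2) == 40000 && otcp[13] == (TCP_SYN | TCP_ACK) /* ports, SYN-ACK */
        && rd32(otcp + 8) == 1001 && csum_fold(csum_add(0, oip, 20)) == 0 && tcp_csum(oip, otcp, 20) == 0;
}
```

Three things a practitioner would check against this model. The whitelist comparison is the only thing that keeps the real portal server reachable, because for every other destination the AP answers the SYN in that destination's name, so the portal's address must be exact and kept current. The six-flag condition leaves the ECN bits untested, so a SYN carrying an ECN setup request (CWR and ECE set) still matches, which is what the patent's condition implies. The fixed initial sequence number is a simplification for the example and not something to carry into a kernel hook.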
The present invention also provides a portal authentication system comprising:
a wireless terminal, communicatively connected to a wireless AP device, which determines whether an IP address has been entered in the address bar for the portal authentication page;
a wireless AP device, communicatively connected to an authentication server, which determines whether that IP address is the IP address of the authentication server;
when an IP address has been entered in the address bar for the portal authentication page and that IP address is not the authentication server's, the wireless AP device intercepts the TCP connection packet destined for the authentication server and completes the TCP connection with the wireless terminal itself;
when the wireless terminal has not entered an IP address in the address bar for the portal authentication page, or has entered an IP address that is the authentication server's, the wireless terminal is redirected to request the portal authentication page and completes portal authentication.
In the present invention the wireless terminal determines whether an IP address has been entered in the address bar for the portal authentication page, and the wireless AP device determines whether that IP address is the authentication server's. If the input is an IP address other than the authentication server's, the wireless AP device intercepts the TCP connection packet destined for the authentication server and completes the TCP connection with the wireless terminal itself, after which the terminal is redirected to request the portal authentication page and completes portal authentication. If the input is not an IP address, that is, it is a domain name, the authentication server completes the TCP connection with the wireless terminal and portal authentication proceeds. If the input is an IP address that is the IP address of the portal URL, the wireless AP device does not intercept what the terminal sends to that address but forwards it directly, so the terminal establishes the TCP connection with the portal authentication server itself. This avoids the problem that a user who enters an unreachable IP address cannot be portal-authenticated, has no negative effect on the case where a domain name is entered, and, when the intranet and the Internet are congested or slow, lets a user who already knows the URL's IP address enter it directly, greatly speeding up portal authentication.
Further, the wireless AP device comprises:
a judgment module, communicatively connected to an interception module, which determines whether the IP address is the IP address of the authentication server;
a control module, by which the wireless AP device intercepts the SYN handshake packet sent by the wireless terminal, constructs the SYN ACK handshake packet, sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet.
The wireless terminal comprises:
a sending module, communicatively connected to a receiving module, which sends the TCP connection request packet to the wireless AP device, sends the ACK handshake packet to the wireless AP device, and sends HTTP packets to the wireless AP device;
a receiving module, which receives the SYN ACK handshake packet.
As described above, the wireless AP device works in bridge mode; a hook function (HOOK function) registered in its embedded Linux kernel directly intercepts the TCP SYN packet (the first handshake packet) sent by the wireless terminal, constructs the second-handshake SYN ACK message directly inside the hook, sends it to the wireless terminal through the kernel's send function, and then discards the first-handshake message so that it is never forwarded by the AP. After the second handshake, when the wireless terminal receives the SYN ACK message it sends the ACK packet of the third handshake, and the TCP connection between the wireless terminal and the wireless AP device is completed in a very short time, greatly increasing connection speed.
Further, the control module comprises:
an acquisition submodule, communicatively connected to a parsing submodule, which obtains the first packet sent by the wireless terminal;
a parsing submodule, communicatively connected to a judgment submodule, which parses the first packet to obtain its data information and field parameters;
a judgment submodule, communicatively connected to an output submodule, which determines from the data information whether the flag bits meet the preset judgment condition;
an output submodule, communicatively connected to an interception submodule, which outputs that the first packet obtained is the TCP SYN handshake packet;
an interception submodule, communicatively connected to a construction submodule, which, according to the preset interception instruction, prevents the wireless AP device from forwarding the TCP SYN handshake packet to the authentication server;
a construction submodule, which constructs the TCP SYN ACK handshake packet from the field parameters.
A hook function is registered in the kernel as described above. Because the wireless AP device operates in bridge mode, the packets forwarded by the AP are intercepted (packets addressed to the AP itself are not processed at all), so the HOOK point is placed at NF_IP_FORWARD. On the first connection attempt of a TCP connection the SYN flag bit of the TCP header is 1. The skb_buf data hooked out of the kernel is parsed, and when the TCP header's flag bits meet the condition "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0", the packet is the first-handshake packet of a TCP connection. Its necessary fields, such as the source MAC address, destination MAC address, source IP address and destination IP address, are parsed out as the data for constructing the SYN ACK packet, which is then built from those parameters in the kernel (constructing it is straightforward and not described in detail). By the TCP protocol the SYN ACK is the second-handshake packet, so once built it is sent from the AP's kernel directly to the wireless terminal, and immediately afterwards the first-handshake SYN packet is dropped inside the AP (kernel code NF_DROP) and never reaches the host owning that IP address. When the wireless terminal has received and confirmed the SYN ACK, it replies with the third-handshake ACK and then sends HTTP packets to the AP; the remaining flow is the routine portal flow and is not described further. As before, the IP address of the portal URL must be whitelisted: what the terminal sends to that address is not intercepted but forwarded directly, so the terminal establishes its TCP connection with the portal server itself.
Further, the field parameters comprise the source MAC address, destination MAC address, source IP address and destination IP address, and the preset judgment condition is that the flag bits meet "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0".
Further, the operating mode of the wireless AP device is bridge mode, and a preset interception instruction is provided in the kernel of the wireless AP device.
In the present invention a hook function or callback function is registered in the embedded Linux kernel of the wireless AP device; as long as the interception instruction can be carried out, the manner in which the wireless AP device intercepts the TCP SYN packet sent by the wireless terminal is not limited.
Compared with the prior art, the portal authentication method and system provided by the present invention bring at least the following technical effects:
1. The problem that a user who enters an unreachable IP address cannot be portal-authenticated is avoided, without any negative effect on the case where the user enters a domain name.
2. When the intranet and the Internet are congested or slow, a user who already knows the IP address corresponding to the URL can enter that IP address directly to connect for portal authentication, which greatly speeds up the portal authentication process.
Brief description of the drawings
The characteristics, technical features, advantages and implementation of the portal authentication method and system are further described below, in a clear and understandable way, with reference to the drawings of preferred embodiments.
Fig. 1 is a flow chart of one embodiment of the portal authentication method of the invention;
Fig. 2 is a flow chart of another embodiment of the portal authentication method of the invention;
Fig. 3 is a process diagram of another embodiment of the portal authentication method of the invention;
Fig. 4 is a schematic structural diagram of one embodiment of the portal authentication system of the invention;
Fig. 5 is a schematic structural diagram of another embodiment of the portal authentication system of the invention.
Detailed description
To illustrate the embodiments of the present invention, or the technical solution of the prior art, more clearly, specific embodiments of the invention are described below with reference to the drawings. Obviously the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings, and other implementations, from them without creative effort.
For simplicity, each figure shows only the parts relevant to the present invention, and schematically; they do not represent the actual structure of a product. Also for simplicity, where several parts in a figure have the same structure or function, only one of them is drawn or labelled. Herein "one" does not only mean "only this one" but may also mean "more than one".
Referring to Fig. 1, the invention provides one embodiment of a portal authentication method comprising the steps:
S100: the wireless terminal determines whether an IP address has been entered in the address bar for the portal authentication page; if so, step S200 is performed; otherwise step S400 is performed;
S200: the wireless AP device determines whether that IP address is the IP address of the authentication server; if so, step S400 is performed; otherwise step S300 is performed;
S300: the wireless AP device intercepts the TCP connection packet destined for the authentication server, so that the wireless AP device itself completes the TCP connection with the wireless terminal;
S400: the wireless terminal is redirected to request the portal authentication page and completes portal authentication.
When a wireless terminal opens a web page or another application, an online request message is triggered. In many cases the user goes straight to a web navigation home page, but if the user enters an IP address in the browser that is not assigned to any host on the intranet or on the Internet, or is assigned but the host is powered off, the TCP connection fails; once the TCP connection fails no subsequent HTTP request is made, the terminal's authentication fails, and the terminal cannot pass authentication or obtain access rights. Here the method determines whether an IP address has been entered in the address bar for the portal authentication page, and then whether that IP address is the authentication server's. If the input is an IP address other than the authentication server's, the wireless AP device intercepts the TCP connection packet destined for the authentication server and completes the TCP connection with the wireless terminal itself, after which the terminal is redirected to request the portal authentication page and completes portal authentication. If the input is not an IP address, that is, it is a domain name, the authentication server, on receiving the terminal's online request, parses the terminal's MAC address out of the request message and answers the request with a redirection message carrying the redirect address and the parsed MAC address; the terminal opens the portal authentication interface according to this redirection message, sends an authentication request to the redirect address, and completes portal authentication. If the input is an IP address that is the IP address of the portal URL, the wireless AP device does not intercept what the terminal sends to that address but forwards it directly, letting the terminal establish the TCP connection with the portal authentication server itself. This avoids the problem that a user who enters an unreachable IP address cannot be portal-authenticated, without any negative effect on the case where a domain name is entered, and when the intranet and the Internet are congested or slow a user who already knows the URL's IP address can enter it directly to connect for portal authentication, greatly speeding up the process.
Referring to Fig. 2 (parts identical to the above are not repeated), the invention provides another embodiment of the portal authentication method comprising the steps:
S311: the wireless terminal sends the TCP connection request packet to the wireless AP device;
S312: the wireless AP device obtains the first packet sent by the wireless terminal;
S313: the wireless AP device parses the first packet to obtain its data information and field parameters;
S314: the wireless AP device determines from the data information whether the flag bits meet the preset judgment condition; if so, step S315 is performed;
S315: the first packet obtained is the SYN handshake packet;
S316: the wireless AP device, according to the preset interception instruction, prevents the wireless AP device from forwarding the SYN handshake packet to the authentication server;
S317: the wireless AP device constructs the SYN ACK handshake packet from the field parameters;
S320: the wireless AP device sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet;
S330: the wireless terminal receives the SYN ACK handshake packet and sends an ACK handshake packet to the wireless AP device;
S340: the wireless terminal sends an HTTP packet to the wireless AP device.
In the embodiment of the present invention, the wireless AP device works in bridge mode. A hook function (also called a HOOK function) registered in the embedded Linux kernel of the wireless AP device directly intercepts the TCP SYN packet sent by the wireless terminal, that is, the first TCP handshake packet. Inside the hook function the message of the second TCP handshake, the SYN ACK message, is constructed directly and sent straight to the wireless terminal through the kernel send function; the first-handshake data message is then discarded, so the first-handshake message is not forwarded by the wireless AP device. After the second handshake is complete, that is, after the wireless terminal receives the SYN ACK message, the terminal sends the ACK packet of the third handshake. The TCP connection is thus completed between the wireless terminal and the wireless AP device in a very short time, which greatly improves connection speed.

In the embodiment of the present invention a hook function is registered in the kernel. Because the wireless AP device operates in bridge mode, it is the packets forwarded by the wireless AP device that are intercepted (packets addressed to the wireless AP device itself are not processed), so the HOOK point is placed at NF_IP_FORWARD. Because this is the first TCP connection attempt, the SYN flag bit of the TCP header is 1. The skb_buf data message taken from the kernel is parsed, and a judgment is made while the TCP header is parsed: when the flag bits satisfy the condition "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0", this packet is the first-handshake packet of a TCP connection. The necessary fields of this packet are parsed, such as the source MAC address, destination MAC address, source IP address and destination IP address; these field parameters prepare the data for the subsequent construction of the SYN ACK packet, which is then constructed from the parsed parameters. Constructing a SYN ACK packet in the kernel is easy, so how to construct it is not described step by step here; assume the packet has been constructed. According to the TCP protocol the SYN ACK packet is the second-handshake packet of a TCP connection, so once constructed it is sent directly from the kernel of the wireless AP device to the wireless terminal. After it has been sent, the first-handshake SYN packet is discarded inside the wireless AP device (kernel code NF_DROP) and is not forwarded from the wireless AP device to the destination host. When the wireless terminal receives the SYN ACK packet sent by the wireless AP device and confirms that it is correct, it replies with the ACK packet of the third handshake and then sends an HTTP packet to the wireless AP device. The following flow is the same as a conventional Portal flow and is not described further. Note, however, that the IP address corresponding to the Portal URL should be treated as a whitelist: packets that the wireless terminal sends to the IP address corresponding to the Portal URL are not intercepted but forwarded directly, so that the wireless terminal establishes a TCP connection with the Portal server directly.

The working mode of the wireless AP device is bridge mode; the kernel of the wireless AP device is provided with the preset interception instruction. In the embodiment of the present invention a hook function or callback function is registered in the embedded Linux kernel of the wireless AP device; as long as the interception instruction can be realized, the way in which the wireless AP device intercepts the TCP SYN packet sent by the wireless terminal is not limited.

As shown in Fig. 2, the wireless terminal user first enters a source IP address and destination IP address directly in the browser (the destination IP address is not assigned to any host). Under a conventional Portal scheme the wireless AP device would now forward the SYN packet; since the host does not exist, no SYN ACK packet is returned, and after repeated attempts the connection times out, so the browser receives no response at all. In this scheme the wireless AP device constructs a SYN ACK packet (the source IP address is the IP address of the wireless terminal the user is using, not the IP address of the wireless AP device; the destination IP address is not the IP address of the authentication server but the IP address of the host corresponding to the web address the user wants to access) and sends it to the wireless terminal; the wireless terminal replies with the ACK packet to the wireless AP device, and the remaining steps, sending the HTTP request, redirecting to request the Portal authentication page, and authentication, are the same as in a conventional Portal scheme (Portal.com is the Portal authentication page address).
Referring to Fig. 3, the present invention provides an embodiment of a portal authentication system. The portal authentication system 1000 includes:
a wireless terminal 100, communicatively connected with a wireless AP device 200; the wireless terminal 100 judges whether an IP address has been entered in the Portal authentication page address field;
a wireless AP device 200, communicatively connected with an authentication server 300; the wireless AP device 200 judges whether the IP address is the IP address corresponding to the authentication server 300;
when an IP address has been entered in the Portal authentication page address field and the IP address is not the IP address corresponding to the authentication server 300, the wireless AP device 200 intercepts the TCP connection packet being forwarded to the authentication server 300, and the wireless AP device 200 makes the TCP connection with the wireless terminal 100;
when the wireless terminal 100 has not entered an IP address in the Portal authentication page address field, or when the wireless terminal 100 has entered an IP address in the Portal authentication page address field and that IP address is the IP address corresponding to the authentication server 300, the wireless terminal 100 redirects to request the Portal authentication page and completes Portal authentication.
In the embodiment of the present invention, the wireless terminal 100 judges whether an IP address has been entered in the Portal authentication page address field, and the wireless AP device 200 judges whether the IP address is the IP address corresponding to the authentication server 300. If the input is an IP address and it is not the IP address corresponding to the authentication server 300, the wireless AP device 200 intercepts the TCP connection packet being forwarded to the authentication server 300, so that the wireless AP device 200 makes the TCP connection with the wireless terminal 100; the terminal then redirects to request the Portal authentication page and completes Portal authentication. If the input is not an IP address, that is, the input is a domain name, the authentication server 300 makes the TCP connection with the wireless terminal 100 and Portal authentication is completed. If the input is an IP address but that address is the IP address corresponding to the Portal URL, the wireless AP device 200 does not intercept the packets that the wireless terminal 100 sends to the IP address corresponding to the Portal URL; it forwards them directly, so that the wireless terminal 100 establishes a TCP connection with the Portal authentication server 300 directly. This avoids the problem of Portal authentication being impossible when the user enters an IP address that is unreachable on the network, while the case in which the user enters a domain name is not affected at all. When the internal network and the external network are congested or the network is very slow, the user can directly enter an IP address corresponding to a URL known in advance to make the Portal authentication connection, which greatly speeds up the Portal authentication process.
Referring to Fig. 4 (parts identical to the above are not repeated), the present invention provides another embodiment of the portal authentication system, in which the wireless AP device 200 includes:
a judgment module 210, communicatively connected with the interception module, which judges whether the IP address is the IP address corresponding to the authentication server 300;
a control module 220, by which the wireless AP device 200 intercepts the SYN handshake packet sent by the wireless terminal 100, constructs a SYN ACK handshake packet, sends the SYN ACK handshake packet to the wireless terminal 100, and discards the SYN handshake packet.
Further, the control module 220 includes:
an acquisition submodule 221, communicatively connected with the parsing submodule 222, which obtains the first packet sent by the wireless terminal 100;
a parsing submodule 222, communicatively connected with the judgment submodule 223, which parses the first packet to obtain the data message and the field parameters;
a judgment submodule 223, communicatively connected with the output submodule 224, which judges from the data message whether the flags satisfy the preset judgment condition;
an output submodule 224, communicatively connected with the interception submodule 225, which outputs that the first packet obtained is the TCP SYN handshake packet;
an interception submodule 225, communicatively connected with the construction submodule 226, which, according to the preset interception instruction, intercepts the TCP SYN handshake packet that the wireless AP device 200 would forward to the authentication server 300;
a construction submodule 226, which constructs the TCP SYN ACK handshake packet from the field parameters.
The wireless terminal 100 includes:
a sending module 110, communicatively connected with the receiving module 120, which sends the TCP connection request packet to the wireless AP device 200, sends the ACK handshake packet to the wireless AP device 200, and sends the HTTP packet to the wireless AP device 200;
a receiving module 120, which receives the SYN ACK handshake packet.
The wireless AP device 200 works in bridge mode. A hook function (also called a HOOK function) registered in the embedded Linux kernel of the wireless AP device 200 directly intercepts the TCP SYN packet sent by the wireless terminal 100, that is, the first TCP handshake packet. Inside the hook function the message of the second TCP handshake, the SYN ACK message, is constructed directly and sent straight to the wireless terminal 100 through the kernel send function; the first-handshake data message is then discarded, so the first-handshake message is not forwarded by the wireless AP device 200. After the second handshake is complete, that is, after the wireless terminal 100 receives the SYN ACK message, the terminal sends the ACK packet of the third handshake. The TCP connection is thus completed between the wireless terminal 100 and the wireless AP device 200 in a very short time, which greatly improves connection speed.
A hook function is registered in the kernel. Because the wireless AP device 200 operates in bridge mode, it is the packets forwarded by the wireless AP device 200 that are intercepted (packets addressed to the wireless AP device 200 itself are not processed), so the HOOK point is placed at NF_IP_FORWARD. Because this is the first TCP connection attempt, the SYN flag bit of the TCP header is 1. The skb_buf data message taken from the kernel is parsed, and a judgment is made while the TCP header is parsed: when the flag bits satisfy the condition "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0", this packet is the first-handshake packet of a TCP connection. The necessary fields of this packet are parsed, such as the source MAC address, destination MAC address, source IP address and destination IP address; these field parameters prepare the data for the subsequent construction of the SYN ACK packet, which is then constructed from the parsed parameters. Constructing a SYN ACK packet in the kernel is easy, so how to construct it is not described step by step here; assume the packet has been constructed. According to the TCP protocol the SYN ACK packet is the second-handshake packet of a TCP connection, so once constructed it is sent directly from the kernel of the wireless AP device 200 to the wireless terminal 100. After it has been sent, the first-handshake SYN packet is discarded inside the wireless AP device 200 (kernel code NF_DROP) and is not forwarded from the wireless AP device 200 to the destination host. When the wireless terminal 100 receives the SYN ACK packet sent by the wireless AP device 200 and confirms that it is correct, it replies with the ACK packet of the third handshake and then sends an HTTP packet to the wireless AP device 200. The following flow is the same as a conventional Portal flow and is not described further. Note, however, that the IP address corresponding to the Portal URL should be treated as a whitelist: packets that the wireless terminal 100 sends to the IP address corresponding to the Portal URL are not intercepted but forwarded directly, so that the wireless terminal 100 establishes a TCP connection with the Portal server directly.
The working mode of the wireless AP device 200 is bridge mode; the kernel of the wireless AP device 200 is provided with the preset interception instruction. In the embodiment of the present invention a hook function or callback function is registered in the embedded Linux kernel of the wireless AP device 200; as long as the interception instruction can be realized, the way in which the wireless AP device 200 intercepts the TCP SYN packet sent by the wireless terminal 100 is not limited.
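The hook logic described for the method embodiment (Fig. 2) and again for the system embodiment above reduces to three decisions on the first packet: is it a first-handshake SYN (the flag condition), is its destination the whitelisted Portal server (step S200), and, if it is intercepted, what SYN ACK does the AP answer with. The following is an added user-space C model of those three decisions, written for this page and not code from the patent or from any vendor kernel. It parses an Ethernet/IPv4/TCP frame exactly as the text describes for the skb_buf message, swaps MAC addresses, IP addresses and ports, sets the acknowledgement number to the terminal's sequence number plus one, and fills in both checksums so the frame would be accepted by a receiver. The sample SYN (terminal 192.168.1.10:40000 to an unassigned 10.9.9.9:80, seq 1000), the assumed Portal server address 10.1.1.1 and the AP's own initial sequence number are all constructed values; a kernel hook would take the buffer from the skb at NF_IP_FORWARD instead and return NF_DROP for the original SYN.

```c
/* Added example (not the patent's code): user-space model of the AP's hook
 * logic. Parses an Ethernet/IPv4/TCP frame, applies the patent's flag test
 * (URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0) and the Portal-server whitelist test,
 * and builds the SYN-ACK the AP answers with. All addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_LEN 14
#define IP_LEN  20
#define TCP_LEN 20
#define FRAME_LEN (ETH_LEN + IP_LEN + TCP_LEN)

enum { FIN = 0x01, SYN = 0x02, RST = 0x04, PSH = 0x08, ACK = 0x10, URG = 0x20 };

/* The "field parameters" the text says are parsed out of the first packet. */
struct fields {
    uint8_t  src_mac[6], dst_mac[6];
    uint8_t  src_ip[4], dst_ip[4];
    uint16_t src_port, dst_port;   /* host byte order */
    uint32_t seq;                  /* host byte order */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
/* Ones'-complement accumulation shared by the IP and TCP checksums. */
static uint32_t sum_bytes(const uint8_t *b, size_t n, uint32_t s) {
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(b[i] << 8 | b[i + 1]);
    if (n & 1) s += (uint32_t)b[n - 1] << 8;
    return s;
}
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Steps S313/S314: returns 1 and fills *f only for a first-handshake SYN. */
int is_tcp_first_handshake(const uint8_t *fr, size_t len, struct fields *f) {
    if (len < FRAME_LEN || get16(fr + 12) != 0x0800) return 0;       /* IPv4 only */
    const uint8_t *ip = fr + ETH_LEN;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ip[9] != 6 || ETH_LEN + ihl + TCP_LEN > len) return 0;
    const uint8_t *tcp = ip + ihl;
    if ((tcp[13] & 0x3f) != SYN) return 0;    /* exactly SYN among the six flag bits */
    memcpy(f->dst_mac, fr, 6);     memcpy(f->src_mac, fr + 6, 6);
    memcpy(f->src_ip, ip + 12, 4); memcpy(f->dst_ip, ip + 16, 4);
    f->src_port = get16(tcp);      f->dst_port = get16(tcp + 2);
    f->seq = get32(tcp + 4);
    return 1;
}

/* Step S200 whitelist: a SYN addressed to the Portal server is forwarded, not intercepted. */
int should_intercept(const struct fields *f, const uint8_t portal_ip[4]) {
    return memcmp(f->dst_ip, portal_ip, 4) != 0;
}

/* Step S317: SYN-ACK with MACs, IPs and ports swapped and ack = seq + 1. */
size_t build_syn_ack(const struct fields *f, uint32_t our_seq, uint8_t *out) {
    memset(out, 0, FRAME_LEN);
    memcpy(out, f->src_mac, 6); memcpy(out + 6, f->dst_mac, 6); put16(out + 12, 0x0800);
    uint8_t *ip = out + ETH_LEN;
    ip[0] = 0x45; put16(ip + 2, IP_LEN + TCP_LEN); ip[8] = 64; ip[9] = 6;
    memcpy(ip + 12, f->dst_ip, 4); memcpy(ip + 16, f->src_ip, 4);
    put16(ip + 10, fold(sum_bytes(ip, IP_LEN, 0)));
    uint8_t *tcp = ip + IP_LEN;
    put16(tcp, f->dst_port); put16(tcp + 2, f->src_port);
    put32(tcp + 4, our_seq); put32(tcp + 8, f->seq + 1);
    tcp[12] = 0x50; tcp[13] = SYN | ACK; put16(tcp + 14, 65535);
    uint8_t pseudo[12];                       /* src ip, dst ip, 0, proto, tcp length */
    memcpy(pseudo, ip + 12, 8); pseudo[8] = 0; pseudo[9] = 6; put16(pseudo + 10, TCP_LEN);
    put16(tcp + 16, fold(sum_bytes(tcp, TCP_LEN, sum_bytes(pseudo, 12, 0))));
    return FRAME_LEN;
}

/* Receiver-side check: both checksums of a frame built above must verify to zero. */
int checksums_ok(const uint8_t *fr) {
    const uint8_t *ip = fr + ETH_LEN, *tcp = ip + IP_LEN;
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8); pseudo[8] = 0; pseudo[9] = 6; put16(pseudo + 10, TCP_LEN);
    return fold(sum_bytes(ip, IP_LEN, 0)) == 0 &&
           fold(sum_bytes(tcp, TCP_LEN, sum_bytes(pseudo, 12, 0))) == 0;
}

/* Constructed sample SYN: 192.168.1.10:40000 -> 10.9.9.9:80, seq 1000, flags SYN only. */
size_t make_sample_syn(uint8_t *out) {
    static const uint8_t hdr[] = {
        0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00,
        0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
        192,168,1,10, 10,9,9,9,
        0x9c,0x40, 0x00,0x50, 0x00,0x00,0x03,0xe8, 0x00,0x00,0x00,0x00,
        0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 };
    memcpy(out, hdr, sizeof hdr);
    return sizeof hdr;
}

int main(void) {
    uint8_t syn[FRAME_LEN], reply[FRAME_LEN]; struct fields f;
    static const uint8_t portal_ip[4] = {10, 1, 1, 1};   /* assumed Portal server address */
    size_t n = make_sample_syn(syn);
    if (is_tcp_first_handshake(syn, n, &f) && should_intercept(&f, portal_ip)) {
        build_syn_ack(&f, 0x12345678, reply);             /* constructed AP initial seq */
        printf("intercepted SYN seq=%u, replied SYN-ACK ack=%u, checksums %s\n",
               f.seq, get32(reply + ETH_LEN + IP_LEN + 8), checksums_ok(reply) ? "ok" : "bad");
    }
    return 0;
}
```

The flag test masks only the six low bits of the TCP flags byte, so a SYN carrying ECE/CWR (ECN negotiation) is still treated as a first handshake, which matches the condition in the text; a production hook would also need to handle IP options (the `ihl` field is honoured here) and leave the original SYN untouched when the whitelist check says to forward it.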
It should be noted that the above embodiments can be freely combined as needed. The above are only preferred embodiments of the invention; it should be pointed out that those skilled in the art can make some improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention.
Claims (10)
1. A portal authentication method, characterized in that it comprises the steps:
S100: the wireless terminal judges whether an IP address has been entered in the Portal authentication page address field; if so, step S200 is performed; otherwise, step S400 is performed;
S200: the wireless AP device judges whether the IP address is the IP address corresponding to the authentication server; if so, step S400 is performed; otherwise, step S300 is performed;
S300: the wireless AP device intercepts the TCP connection packet being forwarded to the authentication server, so that the wireless AP device makes the TCP connection with the wireless terminal;
S400: the wireless terminal redirects to request the Portal authentication page and completes Portal authentication.
2. The portal authentication method according to claim 1, characterized in that step S300 comprises the steps:
S310: the wireless AP device intercepts the SYN handshake packet sent by the wireless terminal and constructs a SYN ACK handshake packet;
S320: the wireless AP device sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet;
S330: the wireless terminal receives the SYN ACK handshake packet and sends an ACK handshake packet to the wireless AP device;
S340: the wireless terminal sends an HTTP packet to the wireless AP device.
3. The portal authentication method according to claim 1, characterized in that step S310 comprises the steps:
S311: the wireless terminal sends the TCP connection request packet to the wireless AP device;
S312: the wireless AP device obtains the first packet sent by the wireless terminal;
S313: the wireless AP device parses the first packet to obtain the data message and the field parameters;
S314: the wireless AP device judges, from the data message, whether the flags satisfy the preset judgment condition; if so, step S314 is performed;
S315: the first packet obtained is the SYN handshake packet;
S316: the wireless AP device, according to the preset interception instruction, intercepts the SYN handshake packet that the wireless AP device would forward to the authentication server;
S317: the wireless AP device constructs a SYN ACK handshake packet from the field parameters.
4. The portal authentication method according to claim 3, characterized in that the field parameters include the source MAC address, destination MAC address, source IP address and destination IP address, and the preset judgment condition is that the flags satisfy "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0".
5. The portal authentication method according to claims 1-4, characterized in that the working mode of the wireless AP device is bridge mode, and the kernel of the wireless AP device is provided with a preset interception instruction.
6. A portal authentication system, characterized in that it comprises:
a wireless terminal, communicatively connected with a wireless AP device, which judges whether an IP address has been entered in the Portal authentication page address field;
a wireless AP device, communicatively connected with an authentication server, which judges whether the IP address is the IP address corresponding to the authentication server;
when an IP address has been entered in the Portal authentication page address field and the IP address is not the IP address corresponding to the authentication server, the wireless AP device intercepts the TCP connection packet being forwarded to the authentication server, and the wireless AP device makes the TCP connection with the wireless terminal;
when the wireless terminal has not entered an IP address in the Portal authentication page address field, or when the wireless terminal has entered an IP address in the Portal authentication page address field and that IP address is the IP address corresponding to the authentication server, the wireless terminal redirects to request the Portal authentication page and completes Portal authentication.
7. The portal authentication system according to claim 6, characterized in that the wireless AP device comprises:
a judgment module, communicatively connected with the interception module, which judges whether the IP address is the IP address corresponding to the authentication server;
a control module, by which the wireless AP device intercepts the SYN handshake packet sent by the wireless terminal, constructs a SYN ACK handshake packet, sends the SYN ACK handshake packet to the wireless terminal, and discards the SYN handshake packet;
and the wireless terminal comprises:
a sending module, communicatively connected with the receiving module, which sends the TCP connection request packet to the wireless AP device, sends the ACK handshake packet to the wireless AP device, and sends the HTTP packet to the wireless AP device;
a receiving module, which receives the SYN ACK handshake packet.
8. The portal authentication system according to claim 6, characterized in that the control module comprises:
an acquisition submodule, communicatively connected with the parsing submodule, which obtains the first packet sent by the wireless terminal;
a parsing submodule, communicatively connected with the judgment submodule, which parses the first packet to obtain the data message and the field parameters;
a judgment submodule, communicatively connected with the output submodule, which judges from the data message whether the flags satisfy the preset judgment condition;
an output submodule, communicatively connected with the interception submodule, which outputs that the first packet obtained is the TCP SYN handshake packet;
an interception submodule, communicatively connected with the construction submodule, which, according to the preset interception instruction, intercepts the TCP SYN handshake packet that the wireless AP device would forward to the authentication server;
a construction submodule, which constructs the TCP SYN ACK handshake packet from the field parameters.
9. The portal authentication system according to claim 8, characterized in that the field parameters include the source MAC address, destination MAC address, source IP address and destination IP address, and the preset judgment condition is that the flags satisfy "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0".
10. The portal authentication system according to claims 6-9, characterized in that the working mode of the wireless AP device is bridge mode, and the kernel of the wireless AP device is provided with a preset interception instruction.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611024960.7A CN106789884A (en) | 2016-11-16 | 2016-11-16 | A kind of portal authentication method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106789884A true CN106789884A (en) | 2017-05-31 |
Family
ID=58969918
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611024960.7A Pending CN106789884A (en) | 2016-11-16 | 2016-11-16 | A kind of portal authentication method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106789884A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1464425A (en) * | 2002-06-28 | 2003-12-31 | 华为技术有限公司 | A method of simplified access of internet service provider's portal websites |
CN101030908A (en) * | 2007-02-06 | 2007-09-05 | 西安西电捷通无线网络通信有限公司 | Method for applying for certificate in wireless LAN WAPI safety mechanism |
CN101217560A (en) * | 2007-12-29 | 2008-07-09 | 杭州华三通信技术有限公司 | A webpage push method, system and device |
CN102065067A (en) * | 2009-11-11 | 2011-05-18 | 杭州华三通信技术有限公司 | Method and device for preventing replay attack between portal server and client |
CN102624729A (en) * | 2012-03-12 | 2012-08-01 | 北京星网锐捷网络技术有限公司 | Web authentication method, device and system |
CN102710659A (en) * | 2012-06-18 | 2012-10-03 | 杭州华三通信技术有限公司 | Wireless access equipment and automatic authentication method |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109587087A (en) * | 2018-12-10 | 2019-04-05 | 杭州迪普科技股份有限公司 | A kind of message processing method and system |
CN109587087B (en) * | 2018-12-10 | 2020-12-29 | 杭州迪普科技股份有限公司 | Message processing method and system |
CN109729104A (en) * | 2019-03-19 | 2019-05-07 | 北京百度网讯科技有限公司 | Client source address acquiring method, device, server and computer-readable medium |
CN109729104B (en) * | 2019-03-19 | 2021-08-17 | 北京百度网讯科技有限公司 | Client source address acquisition method, device, server and computer readable medium |
CN111669753A (en) * | 2020-05-19 | 2020-09-15 | 武汉领芯智能科技有限公司 | WLAN network connection method and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110300117B (en) | IOT device and user binding authentication method, device and medium | |
CN104158808B (en) | Portal authentication method and its device based on APP applications | |
CN103825881B (en) | The reorientation method and device of WLAN user are realized based on wireless access controller AC | |
US11831629B2 (en) | Server for providing a token | |
US10721320B2 (en) | Redirection method, apparatus, and system | |
CN102710667B (en) | Method for realizing Portal authentication server attack prevention and broadband access server | |
CN106603491A (en) | Portal authentication method based on https protocol, and router | |
CN101217512B (en) | A client-end state maintenance method, system, client-end and application server | |
CN102739684B (en) | Portal authentication method based on virtual IP address, and server thereof | |
CN105991640B (en) | Handle the method and device of HTTP request | |
CN106470136B (en) | Platform test method and platform test system | |
CN110505188B (en) | Terminal authentication method, related equipment and authentication system | |
CN106789884A (en) | A kind of portal authentication method and system | |
CN105338072A (en) | HTTP (hyper text transport protocol) redirecting method and routing equipment | |
CN106162640A (en) | A kind of portal authentication method and system | |
CN104980461A (en) | Page pushing method, page pushing device, page pushing server and centralized network management controller | |
WO2017181800A1 (en) | Adaptive portal authentication page system based on operating system, and method for same | |
CN106330948A (en) | Message control method and message control device | |
CN104735050B (en) | A kind of fusion mac certifications and the authentication method of web authentication | |
CN107395582A (en) | Portal authentication devices and system | |
KR20200002778A (en) | Portal aggregation service that maps subcarrier device identifiers to portal addresses where access and authentication requests are redirected and facilitates mass subscriber device setup | |
CN106954213A (en) | A kind of system of real name wireless authentication cut-in method and system | |
CN104994113A (en) | ADSL wireless router, method and system for using the same to realize captive portal under bridge pattern | |
CN108833410A (en) | A kind of means of defence and system for HTTP Flood attack | |
CN105791290A (en) | Authentication method and device for network connection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 20170531 |