CN106789884A - A kind of portal authentication method and system - Google Patents

Info

Publication number: CN106789884A
Authority: CN (China)
Prior art keywords: wireless, address, devices, wireless terminal, portal
Legal status: Pending
Application number: CN201611024960.7A
Other languages: Chinese (zh)
Inventor: 张德黎
Current assignee: Shanghai Feixun Data Communication Technology Co Ltd
Original assignee: Shanghai Feixun Data Communication Technology Co Ltd
Application filed by Shanghai Feixun Data Communication Technology Co Ltd
Priority to CN201611024960.7A
Publication of CN106789884A
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a portal authentication method and system, including the steps: S100, the wireless terminal judges whether what has been entered in the address bar of the Portal authentication page is an IP address; if so, step S200 is performed, otherwise step S400 is performed; S200, the wireless AP device judges whether the IP address is the IP address corresponding to the authentication server; if so, step S400 is performed, otherwise step S300 is performed; S300, the wireless AP device intercepts the TCP connection packet destined for the authentication server, so that the wireless AP device itself completes the TCP connection with the wireless terminal; S400, the wireless terminal is redirected to request the Portal authentication page and completes Portal authentication. The invention avoids the problem that a user entering an IP address that is unreachable on the network cannot perform Portal authentication, while the case where the user enters a domain name is still authenticated.

Description

A kind of portal authentication method and system
Technical field
The present invention relates to the field of network authentication security, and more particularly to a portal authentication method and system.
Background technology
In business environments there is a kind of Wi-Fi network that, after a wireless terminal has associated with it, does not give the terminal direct Internet access. Instead a specific web page pops up in the browser and asks the user to enter authentication information, which is submitted to a back-end server; only after the server has verified the user's identity is the user allowed onto the Internet. This authentication mode is called portal authentication, also known as Portal authentication. Wireless AP device: a wireless access point (Wireless Access Point, AP) is the equivalent of a wireless switch and is the point through which wireless terminals use the wired network; it is mainly used in home broadband, enterprise internal network deployments and business-environment network deployments. Portal authentication, also called web portal authentication: when a user accesses the network through a wireless terminal and an unauthenticated user wants to go online, the user is first forced to log in at a specific authentication website. The user fills in the login information, which is sent to the authentication server; once the server back end has verified it successfully, the user is released and can then use the network resources.
Portal authentication is one of the popular techniques for wireless network access authentication. When a user accesses a given wireless network, the Portal page pops up automatically and prompts the user to enter account information to complete access authentication. To make network access convenient for users, a wireless network operator sometimes temporarily remembers the MAC address of the user's STA (its physical or hardware address), so that on the next authentication the user does not need to enter an account and is passed through without authentication. Some operators, to improve the user experience and the delivery efficiency of advertising, force advertisements when a user accesses the wireless network: the user is granted Internet access after clicking on or finishing the advertisement page. These optimized authentication modes do improve access efficiency and the user's real experience, but they also introduce security risks. In the existing Portal authentication flow, the STA first accesses an SSID of the wireless AP device; the AP device requires the STA to perform Portal authentication and hijacks the user's first HTTP Request. The AP device answers the user's HTTP Request with an HTTP 302 redirect to the Portal server URL, carrying the STA's MAC address taken from the STA's original message. The STA then obtains the redirected URL and its own MAC from the AP device and initiates an HTTP Request to the Portal server with that URL and MAC. In the current protocol, when the user types a domain name in the browser (for example http://www.sina.com.cn/ or "www.sina.com.cn"), the browser sends a DNS query packet to the DNS server to look up the IP address corresponding to the domain name; having obtained it, the browser performs a three-way TCP handshake with that IP address, and after the connection is established it sends an HTTP packet to that IP address to request the website's home page.
The shortcoming of the prior art is obvious: when the user types an IP address directly into the browser, the HTTP request flow sends no DNS query message but establishes a TCP connection with that IP address directly. If that IP address has not been assigned to any host on the intranet or the external network, or has been assigned but the host is powered off, the TCP connection fails; and once the TCP connection fails the subsequent HTTP request is never made, let alone Portal authentication.
Summary of the invention
The present invention provides a portal authentication method and system whose purpose is to solve the problem of still redirecting the user to the Portal authentication page, so that Portal authentication can be performed, after the user has entered an IP address in the browser.
The technical scheme provided by the present invention is as follows:
A portal authentication method, including the steps:
S100: the wireless terminal judges whether what has been entered in the address bar of the Portal authentication page is an IP address; if so, step S200 is performed; otherwise step S400 is performed;
S200: the wireless AP device judges whether the IP address is the IP address corresponding to the authentication server; if so, step S400 is performed; otherwise step S300 is performed;
S300: the wireless AP device intercepts the TCP connection packet destined for the authentication server, so that the wireless AP device itself completes the TCP connection with the wireless terminal;
S400: the wireless terminal is redirected to request the Portal authentication page and completes Portal authentication.
When a wireless terminal opens a web page or another application, it triggers a network-access request message. Very often the user enters the web through a navigation home page, but if the user types an IP address in the browser and that IP address has not been assigned to any host on the intranet or the external network, or has been assigned but the host is powered off, the TCP connection fails; once the TCP connection fails the subsequent HTTP request is never made, so the wireless terminal's authentication fails, the terminal cannot be authenticated and therefore cannot obtain access rights. Here, by judging whether an IP address has been entered in the address bar of the Portal authentication page, and further judging whether the entered IP address is the IP address corresponding to the authentication server: if an IP address was entered and it is not the authentication server's IP address, the wireless AP device intercepts the TCP connection packet destined for the authentication server, so that the AP device itself completes the TCP connection with the wireless terminal; the terminal is then redirected to request the Portal authentication page and completes Portal authentication. If the input is not an IP address, that is, it is a domain name, then once the authentication server receives the wireless terminal's access request it parses the terminal's MAC address out of the request message, responds to the request and returns a redirection message to the wireless terminal that carries the redirection address and the parsed MAC address; the terminal opens the Portal authentication interface according to this redirection message, sends the authentication request packet to the redirection address and completes Portal authentication. If the input is an IP address but that address is the IP address corresponding to the Portal URL, the wireless AP device does not intercept packets from the wireless terminal to the Portal URL's IP address but forwards them directly, allowing the terminal to establish a TCP connection with the Portal authentication server directly. This avoids the problem that a user entering a network-unreachable IP address cannot perform Portal authentication, while having no negative effect on the case where the user enters a domain name. When the intranet or external network is congested or very slow, the user can directly enter the IP address corresponding to a URL known in advance to make the Portal authentication connection, which greatly speeds up the Portal authentication process.
Further, step S300 includes the steps:
S310: the wireless AP device intercepts the SYN handshake packet sent by the wireless terminal and constructs a SYN ACK handshake packet;
S320: the wireless AP device sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet;
S330: the wireless terminal receives the SYN ACK handshake packet and sends an ACK handshake packet to the wireless AP device;
S340: the wireless terminal sends an HTTP packet to the wireless AP device.
In the present invention the wireless AP device works in bridge mode. A hook function (also called a HOOK function) registered in the embedded Linux kernel of the AP device directly intercepts the TCP SYN packet sent by the wireless terminal, i.e. the first TCP handshake packet. Inside the hook function the second handshake message, the SYN ACK message, is constructed directly and sent straight to the wireless terminal through the kernel send function; the first handshake message is then discarded, so it is never forwarded by the AP device. After the second handshake is complete, i.e. once the wireless terminal has received the SYN ACK message, it sends an ACK packet for the third handshake. The TCP connection is completed between the wireless terminal and the wireless AP device in a very short time, which greatly improves connection speed.
Further, step S310 includes the steps:
S311: the wireless terminal sends the TCP connection request packet to the wireless AP device;
S312: the wireless AP device obtains the first packet sent by the wireless terminal;
S313: the wireless AP device parses the first packet to obtain the data message and the field parameters;
S314: the wireless AP device judges from the data message whether the flag bits satisfy the preset judgment condition; if so, step S314 is performed;
S315: the first packet obtained is the SYN handshake packet;
S316: the wireless AP device, according to a preset interception instruction, intercepts the forwarding of the SYN handshake packet by the wireless AP device to the authentication server;
S317: the wireless AP device constructs the SYN ACK handshake packet according to the field parameters.
In the present invention a hook function is registered in the kernel. Because the wireless AP device works in bridge mode, it is the packets forwarded by the AP device that are intercepted (packets addressed to the AP device itself are not processed at all), so the HOOK point is placed at NF_IP_FORWARD. Because the SYN flag bit of the TCP header is 1 when a TCP connection is first established, the skb_buf data message taken from the kernel is parsed, and a judgment is made when the TCP header is parsed: when the flag bits satisfy the condition "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0", this packet is the first handshake packet of a TCP connection. The necessary fields of this packet, such as the source MAC address, destination MAC address, source IP address and destination IP address, are parsed; these important field parameters prepare the data for the subsequent construction of the SYN ACK packet, which is then constructed from the parsed parameters. Constructing a SYN ACK packet in the kernel is easy, so how to construct it is not described step by step here; assume the packet has been constructed. According to the TCP protocol the SYN ACK packet is the second handshake packet of the TCP connection, so once constructed it is sent directly from the AP device kernel to the wireless terminal, and after it has been sent the SYN packet of the first handshake is discarded inside the AP device (kernel code NF_DROP) and is not sent on to the host at the destination IP address. When the wireless terminal receives the SYN ACK packet sent by the AP device and confirms it is correct, it replies with the ACK packet of the third handshake and then sends the HTTP packet to the AP device; the rest of the flow is the same as the routine Portal flow and is not described again. Note, however, that the IP address corresponding to the Portal URL should be put on a whitelist, that is, packets sent by the wireless terminal to the IP address of the Portal URL are not intercepted but forwarded directly, allowing the wireless terminal to establish a TCP connection with the Portal server directly.
Further, the field parameters include: source MAC address, destination MAC address, source IP address and destination IP address; the preset judgment condition is that the flag bits satisfy "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0".
Further, the operating mode of the wireless AP device is bridge mode; the kernel of the wireless AP device is provided with the preset interception instruction.
In the present invention a hook function or callback function is registered in the embedded Linux kernel of the wireless AP device; as long as the interception instruction can be implemented, the manner in which the wireless AP device intercepts the TCP SYN packet sent by the wireless terminal is not limited.
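The hook logic of steps S313 to S317 (flag condition, portal whitelist, SYN ACK built from the parsed field parameters) modelled in user-space C. This is an added example written for this page, not the patent's code; the struct and function names, the 10.0.0.1 portal address and the sample MAC addresses are assumptions.

```c
/* Added example (editor's own code, not the patent's): a user-space model of the
 * AP-side hook the patent places at NF_IP_FORWARD. It parses the field parameters
 * of step S313, applies the step S314 flag condition URG=0, ACK=0, PSH=0, RST=0,
 * SYN=1, FIN=0, exempts the whitelisted portal address and builds the step S317
 * SYN ACK reply. All names, 10.0.0.1 as portal address and the MACs are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_HLEN 14
#define IP_HLEN 20
#define TCP_HLEN 20
#define FRAME_LEN (ETH_HLEN + IP_HLEN + TCP_HLEN)
#define TCP_SYN 0x02
#define TCP_SYN_ACK 0x12
#define PORTAL_IP 0x0A000001u /* constructed: portal server at 10.0.0.1 */
enum verdict { FORWARD, INTERCEPT }; /* FORWARD ~ NF_ACCEPT; INTERCEPT = reply, then NF_DROP */
struct fields {                      /* the "field parameters" of step S313 */
    uint8_t  src_mac[6], dst_mac[6];
    uint32_t src_ip, dst_ip;         /* host byte order */
    uint16_t src_port, dst_port;
    uint32_t seq, ack;
};
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Internet checksum: running one's-complement sum (sum16), then fold and invert. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; n -= 2, p += 2) acc += get16(p);
    return n ? acc + ((uint32_t)p[0] << 8) : acc;
}
static uint16_t fold(uint32_t a) { while (a >> 16) a = (a & 0xffff) + (a >> 16); return (uint16_t)~a; }

/* Step S313: parse Ethernet + IPv4 + TCP headers. Returns 0 for anything that is
 * not an IPv4/TCP frame or is truncated; such frames are simply forwarded. */
int parse_frame(const uint8_t *f, size_t len, struct fields *o, uint8_t *flags)
{
    if (len < FRAME_LEN || get16(f + 12) != 0x0800) return 0;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IP_HLEN || ip[9] != 6 || len < ETH_HLEN + ihl + TCP_HLEN) return 0;
    const uint8_t *tcp = ip + ihl;
    memcpy(o->dst_mac, f, 6); memcpy(o->src_mac, f + 6, 6);
    o->src_ip = get32(ip + 12);   o->dst_ip = get32(ip + 16);
    o->src_port = get16(tcp);     o->dst_port = get16(tcp + 2);
    o->seq = get32(tcp + 4);      o->ack = get32(tcp + 8);
    *flags = tcp[13];
    return 1;
}

/* Steps S314 to S316: intercept only a pure SYN that is not bound for the portal. */
enum verdict classify(const uint8_t *f, size_t len, uint32_t portal_ip)
{
    struct fields p; uint8_t flags;
    if (!parse_frame(f, len, &p, &flags)) return FORWARD;
    if ((flags & 0x3f) != TCP_SYN) return FORWARD; /* low six bits URG..FIN must be exactly SYN */
    if (p.dst_ip == portal_ip) return FORWARD;      /* whitelist: let it through */
    return INTERCEPT;
}

/* Serialise a header-only TCP/IPv4 frame from parsed fields, with valid checksums. */
size_t build_tcp_frame(const struct fields *p, uint8_t flags, uint8_t out[FRAME_LEN])
{
    uint8_t *ip = out + ETH_HLEN, *tcp = ip + IP_HLEN, ph[12];
    memset(out, 0, FRAME_LEN);
    memcpy(out, p->dst_mac, 6); memcpy(out + 6, p->src_mac, 6); put16(out + 12, 0x0800);
    ip[0] = 0x45; put16(ip + 2, IP_HLEN + TCP_HLEN); ip[8] = 64; ip[9] = 6;
    put32(ip + 12, p->src_ip); put32(ip + 16, p->dst_ip);
    put16(ip + 10, fold(sum16(ip, IP_HLEN, 0)));
    put16(tcp, p->src_port); put16(tcp + 2, p->dst_port);
    put32(tcp + 4, p->seq); put32(tcp + 8, p->ack);
    tcp[12] = (TCP_HLEN / 4) << 4; tcp[13] = flags; put16(tcp + 14, 0xffff);
    /* the TCP checksum also covers the pseudo header: addresses, protocol, length */
    put32(ph, p->src_ip); put32(ph + 4, p->dst_ip); ph[8] = 0; ph[9] = 6; put16(ph + 10, TCP_HLEN);
    put16(tcp + 16, fold(sum16(tcp, TCP_HLEN, sum16(ph, 12, 0))));
    return FRAME_LEN;
}

/* Step S317: the SYN ACK answers the terminal directly, so every address and port
 * is swapped, the AP's ISN goes in seq and ack acknowledges the client's SYN. */
size_t build_syn_ack(const struct fields *syn, uint32_t isn, uint8_t out[FRAME_LEN])
{
    struct fields r;
    memcpy(r.src_mac, syn->dst_mac, 6); memcpy(r.dst_mac, syn->src_mac, 6);
    r.src_ip = syn->dst_ip;     r.dst_ip = syn->src_ip;
    r.src_port = syn->dst_port; r.dst_port = syn->src_port;
    r.seq = isn;                r.ack = syn->seq + 1;
    return build_tcp_frame(&r, TCP_SYN_ACK, out);
}

/* The terminal's "confirmation": both checksums of a built frame verify to zero. */
int checksums_ok(const uint8_t *f)
{
    const uint8_t *ip = f + ETH_HLEN, *tcp = ip + IP_HLEN; uint8_t ph[12];
    memcpy(ph, ip + 12, 8); ph[8] = 0; ph[9] = 6; put16(ph + 10, TCP_HLEN);
    return fold(sum16(ip, IP_HLEN, 0)) == 0 && fold(sum16(tcp, TCP_HLEN, sum16(ph, 12, 0))) == 0;
}
```

classify() returns INTERCEPT only for the pure-SYN, non-whitelisted case; in the real hook that verdict is where the reply is sent and the original SYN gets NF_DROP.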
The present invention also provides a portal authentication system, including:
a wireless terminal, communicatively connected to the wireless AP device; the wireless terminal judges whether what has been entered in the address bar of the Portal authentication page is an IP address;
a wireless AP device, communicatively connected to the authentication server; the wireless AP device judges whether the IP address is the IP address corresponding to the authentication server;
when an IP address has been entered in the address bar of the Portal authentication page and the IP address is not the IP address corresponding to the authentication server, the wireless AP device intercepts the TCP connection packet destined for the authentication server and the wireless AP device completes the TCP connection with the wireless terminal;
when the wireless terminal has not entered an IP address in the address bar of the Portal authentication page; or,
when the wireless terminal has entered an IP address in the address bar of the Portal authentication page and the IP address is the IP address corresponding to the authentication server, the wireless terminal is redirected to request the Portal authentication page and completes Portal authentication.
In the present invention, the wireless terminal judges whether what has been entered in the address bar of the Portal authentication page is an IP address, and the wireless AP device judges whether that IP address is the IP address corresponding to the authentication server. If the input is an IP address and is not the authentication server's IP address, the wireless AP device intercepts the TCP connection packet destined for the authentication server, so that the AP device itself completes the TCP connection with the wireless terminal; the terminal is then redirected to request the Portal authentication page and completes Portal authentication. If the input is not an IP address, that is, it is a domain name, the authentication server establishes the TCP connection with the wireless terminal and Portal authentication is completed. If the input is an IP address but that address is the IP address corresponding to the Portal URL, the wireless AP device does not intercept packets from the wireless terminal to the Portal URL's IP address but forwards them directly, allowing the terminal to establish a TCP connection with the Portal authentication server directly. This avoids the problem that a user entering a network-unreachable IP address cannot perform Portal authentication, while having no negative effect on the case where the user enters a domain name. When the intranet or external network is congested or very slow, the user can directly enter the IP address corresponding to a URL known in advance to make the Portal authentication connection, which greatly speeds up the Portal authentication process.
Further, the wireless AP device includes:
a judgment module, communicatively connected to the interception module, which judges whether the IP address is the IP address corresponding to the authentication server;
a control module, by which the wireless AP device intercepts the SYN handshake packet sent by the wireless terminal, constructs the SYN ACK handshake packet, sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet;
The wireless terminal includes:
a sending module, communicatively connected to the receiving module, which sends the TCP connection request packet to the wireless AP device, sends the ACK handshake packet to the wireless AP device and sends the HTTP packet to the wireless AP device;
a receiving module, which receives the SYN ACK handshake packet.
The wireless AP device works in bridge mode. A hook function (also called a HOOK function) registered in the embedded Linux kernel of the AP device directly intercepts the TCP SYN packet sent by the wireless terminal, i.e. the first TCP handshake packet. Inside the hook function the second handshake message, the SYN ACK message, is constructed directly and sent straight to the wireless terminal through the kernel send function; the first handshake message is then discarded, so it is never forwarded by the AP device. After the second handshake is complete, i.e. once the wireless terminal has received the SYN ACK message, it sends an ACK packet for the third handshake. The TCP connection is completed between the wireless terminal and the wireless AP device in a very short time, which greatly improves connection speed.
Further, the control module includes:
an acquisition submodule, communicatively connected to the parsing submodule, which obtains the first packet sent by the wireless terminal;
a parsing submodule, communicatively connected to the judgment submodule, which parses the first packet to obtain the data message and the field parameters;
a judgment submodule, communicatively connected to the output submodule, which judges from the data message whether the flag bits satisfy the preset judgment condition;
an output submodule, communicatively connected to the interception submodule, which outputs that the first packet obtained is the TCP SYN handshake packet;
an interception submodule, communicatively connected to the construction submodule, which, according to the preset interception instruction, intercepts the forwarding of the TCP SYN handshake packet by the wireless AP device to the authentication server;
a construction submodule, which constructs the TCP SYN ACK handshake packet according to the field parameters.
A hook function is registered in the kernel. Because the wireless AP device works in bridge mode, it is the packets forwarded by the AP device that are intercepted (packets addressed to the AP device itself are not processed at all), so the HOOK point is placed at NF_IP_FORWARD. Because the SYN flag bit of the TCP header is 1 when a TCP connection is first established, the skb_buf data message taken from the kernel is parsed, and a judgment is made when the TCP header is parsed: when the flag bits satisfy the condition "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0", this packet is the first handshake packet of a TCP connection. The necessary fields of this packet, such as the source MAC address, destination MAC address, source IP address and destination IP address, are parsed; these important field parameters prepare the data for the subsequent construction of the SYN ACK packet, which is then constructed from the parsed parameters. Constructing a SYN ACK packet in the kernel is easy, so how to construct it is not described step by step here; assume the packet has been constructed. According to the TCP protocol the SYN ACK packet is the second handshake packet of the TCP connection, so once constructed it is sent directly from the AP device kernel to the wireless terminal, and after it has been sent the SYN packet of the first handshake is discarded inside the AP device (kernel code NF_DROP) and is not sent on to the host at the destination IP address. When the wireless terminal receives the SYN ACK packet sent by the AP device and confirms it is correct, it replies with the ACK packet of the third handshake and then sends the HTTP packet to the AP device; the rest of the flow is the same as the routine Portal flow and is not described again. Note, however, that the IP address corresponding to the Portal URL should be put on a whitelist, that is, packets sent by the wireless terminal to the IP address of the Portal URL are not intercepted but forwarded directly, allowing the wireless terminal to establish a TCP connection with the Portal server directly.
Further, the field parameters include: source MAC address, destination MAC address, source IP address and destination IP address; the preset judgment condition is that the flag bits satisfy "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0".
Further, the operating mode of the wireless AP device is bridge mode; the kernel of the wireless AP device is provided with the preset interception instruction.
In the present invention a hook function or callback function is registered in the embedded Linux kernel of the wireless AP device; as long as the interception instruction can be implemented, the manner in which the wireless AP device intercepts the TCP SYN packet sent by the wireless terminal is not limited.
Compared with the prior art, the portal authentication method and system provided by the present invention bring at least the following technical effects:
1. The problem that a user entering a network-unreachable IP address cannot perform Portal authentication is avoided, while the case where the user enters a domain name suffers no negative effect.
2. When the intranet or external network is congested or very slow, the user can directly enter the IP address corresponding to a URL known in advance to make the Portal authentication connection, which greatly speeds up the Portal authentication process.
Brief description of the drawings
The preferred embodiments are described below with reference to the drawings in a clear and understandable way, further explaining the characteristics, technical features, advantages and implementation of the portal authentication method and system.
Fig. 1 is a flow chart of one embodiment of the portal authentication method of the present invention;
Fig. 2 is a flow chart of another embodiment of the portal authentication method of the present invention;
Fig. 3 is a process diagram of another embodiment of the portal authentication method of the present invention;
Fig. 4 is a schematic structural diagram of one embodiment of the portal authentication system of the present invention;
Fig. 5 is a schematic structural diagram of another embodiment of the portal authentication system of the present invention.
Specific embodiment
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, specific embodiments of the invention are described below with reference to the drawings. Obviously the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings, and other implementations, from them without creative effort.
For simplicity, only the parts related to the present invention are shown schematically in each figure; they do not represent the actual structure of the product. In addition, for simplicity and ease of understanding, where a figure contains several parts with identical structure or function, only one of them is drawn or labelled. Herein, "one" means not only "only this one" but may also mean "more than one".
With reference to Fig. 1, the present invention provides one embodiment of a portal authentication method, including the steps:
S100: the wireless terminal judges whether what has been entered in the address bar of the Portal authentication page is an IP address; if so, step S200 is performed; otherwise step S400 is performed;
S200: the wireless AP device judges whether the IP address is the IP address corresponding to the authentication server; if so, step S400 is performed; otherwise step S300 is performed;
S300: the wireless AP device intercepts the TCP connection packet destined for the authentication server, so that the wireless AP device itself completes the TCP connection with the wireless terminal;
S400: the wireless terminal is redirected to request the Portal authentication page and completes Portal authentication.
When a wireless terminal opens a web page or another application, it triggers a network-access request message. Very often the user enters the web through a navigation home page, but if the user types an IP address in the browser and that IP address has not been assigned to any host on the intranet or the external network, or has been assigned but the host is powered off, the TCP connection fails; once the TCP connection fails the subsequent HTTP request is never made, so the wireless terminal's authentication fails, the terminal cannot be authenticated and therefore cannot obtain access rights. Here, by judging whether an IP address has been entered in the address bar of the Portal authentication page, and further judging whether the entered IP address is the IP address corresponding to the authentication server: if an IP address was entered and it is not the authentication server's IP address, the wireless AP device intercepts the TCP connection packet destined for the authentication server, so that the AP device itself completes the TCP connection with the wireless terminal; the terminal is then redirected to request the Portal authentication page and completes Portal authentication. If the input is not an IP address, that is, it is a domain name, then once the authentication server receives the wireless terminal's access request it parses the terminal's MAC address out of the request message, responds to the request and returns a redirection message to the wireless terminal that carries the redirection address and the parsed MAC address; the terminal opens the Portal authentication interface according to this redirection message, sends the authentication request packet to the redirection address and completes Portal authentication. If the input is an IP address but that address is the IP address corresponding to the Portal URL, the wireless AP device does not intercept packets from the wireless terminal to the Portal URL's IP address but forwards them directly, allowing the terminal to establish a TCP connection with the Portal authentication server directly. This avoids the problem that a user entering a network-unreachable IP address cannot perform Portal authentication, while having no negative effect on the case where the user enters a domain name. When the intranet or external network is congested or very slow, the user can directly enter the IP address corresponding to a URL known in advance to make the Portal authentication connection, which greatly speeds up the Portal authentication process.
With reference to Fig. 2, identical parts are not described again. The present invention provides another embodiment of a portal authentication method, including the steps:
S311: the wireless terminal sends the TCP connection request packet to the wireless AP device;
S312: the wireless AP device obtains the first packet sent by the wireless terminal;
S313: the wireless AP device parses the first packet to obtain the data message and the field parameters;
S314: the wireless AP device judges from the data message whether the flag bits satisfy the preset judgment condition; if so, step S314 is performed;
S315: the first packet obtained is the SYN handshake packet;
S316: the wireless AP device, according to the preset interception instruction, intercepts the forwarding of the SYN handshake packet by the wireless AP device to the authentication server;
S317: the wireless AP device constructs the SYN ACK handshake packet according to the field parameters;
S320: the wireless AP device sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet;
S330: the wireless terminal receives the SYN ACK handshake packet and sends an ACK handshake packet to the wireless AP device;
S340: the wireless terminal sends an HTTP packet to the wireless AP device.
In this embodiment of the invention the wireless AP device works in bridge mode. A hook function (also called a HOOK function) registered in the embedded Linux kernel of the wireless AP device directly intercepts the TCP SYN packet sent by the wireless terminal, that is, the first TCP handshake packet. Inside the hook function the second TCP handshake message, the SYN ACK message, is constructed directly and sent straight to the wireless terminal through the kernel send function; the first handshake message is then discarded, so it is never forwarded by the wireless AP device. After the second handshake completes, that is, after the wireless terminal receives the SYN ACK message, it sends the ACK packet of the third handshake. The TCP connection is thus completed between the wireless terminal and the wireless AP device in a very short time, which greatly improves connection speed.

In this embodiment one hook function is registered in the kernel. Because the wireless AP device works in bridge mode, it is the packets forwarded by the wireless AP device that are intercepted (packets addressed to the wireless AP device itself are not processed at all), so the hook point is placed at NF_IP_FORWARD. Because the first connection attempt of TCP has the SYN flag bit of the TCP header set to 1, the sk_buff data handed over by the kernel is parsed, and once the TCP header has been parsed a judgment is made: when the flag bits satisfy the condition "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0", this packet is the first handshake packet of a TCP connection. The required fields of this packet are parsed, such as the source MAC address, destination MAC address, source IP address and destination IP address; these important field parameters prepare the data for the subsequent construction of the SYN ACK packet, which is then constructed from the parsed parameters. Constructing a SYN ACK packet in the kernel is easy, and how to construct it is not described step by step here; assume the packet has been constructed. According to the TCP protocol the SYN ACK packet is the second handshake packet of a TCP connection, so once constructed it is sent directly from the kernel of the wireless AP device to the wireless terminal. After it has been sent, the SYN packet of the first handshake is discarded inside the wireless AP device (kernel return code NF_DROP) and is not sent on to the host at the IP address it was addressed to. When the wireless terminal receives the SYN ACK packet sent by the wireless AP device and confirms it is correct, it replies with the ACK packet of the third handshake and then sends the HTTP packet to the wireless AP device; the following flow is the same as the conventional Portal flow and is not described further. It should be noted that the IP address corresponding to the Portal URL should be whitelisted, that is, packets the wireless terminal sends to the IP address corresponding to the Portal URL are not intercepted but forwarded directly, so that the wireless terminal establishes the TCP connection directly with the Portal server. The working mode of the wireless AP device is bridge mode, and the kernel of the wireless AP device is provided with the preset interception instruction. In this embodiment the interception instruction is realised by registering a hook function or callback function in the embedded Linux kernel of the wireless AP device; the manner in which the wireless AP device intercepts the TCP SYN packet sent by the wireless terminal is not limited, as long as the interception instruction can be realised.

As shown in Figure 2, the wireless terminal user first enters the source IP address + destination IP address directly in the browser (the destination IP address is not assigned to any host). Under the conventional Portal scheme the wireless AP device would forward the SYN packet; because the host does not exist, no SYN ACK packet comes back, and after several retries the connection times out, so the browser receives no response at all. In this scheme the wireless AP device constructs a SYN ACK packet (the source IP address being the wireless terminal's IP address used by the user, not the IP address of the wireless AP device; the destination IP address not being the IP address of the authentication server but the IP address of the host corresponding to the network address the user wants to access) and sends it to the wireless terminal; the wireless terminal then sends the ACK packet back to the wireless AP device, and the remaining steps, the HTTP request, the redirection request to the Portal authentication page, authentication and so on, are the same as in the conventional Portal scheme (Portal.com is the Portal authentication page address).
Referring to Figure 3, the present invention provides an embodiment of a portal authentication system; the portal authentication system 1000 comprises:
a wireless terminal 100, communicatively connected with a wireless AP device 200; the wireless terminal 100 judges whether an IP address has been entered in the address bar of the Portal authentication page;
a wireless AP device 200, communicatively connected with an authentication server 300; the wireless AP device 200 judges whether the IP address is the IP address corresponding to the authentication server 300;
when an IP address has been entered in the address bar of the Portal authentication page and the IP address is not the IP address corresponding to the authentication server 300, the wireless AP device 200 intercepts the TCP connection packet being forwarded to the authentication server 300, and the wireless AP device 200 completes the TCP connection with the wireless terminal 100;
when the wireless terminal 100 has not entered an IP address in the address bar of the Portal authentication page; or,
when the wireless terminal 100 has entered an IP address in the address bar of the Portal authentication page and the IP address is the IP address corresponding to the authentication server 300, the wireless terminal 100 redirects the request to the Portal authentication page and completes Portal authentication.
In this embodiment of the invention the wireless terminal 100 judges whether an IP address has been entered in the address bar of the Portal authentication page, and the wireless AP device 200 judges whether that IP address is the IP address corresponding to the authentication server 300. If an IP address was entered and it is not the IP address corresponding to the authentication server 300, the wireless AP device 200 intercepts the TCP connection packet being forwarded to the authentication server 300, so that the wireless AP device 200 completes the TCP connection with the wireless terminal 100 and then redirects the request to the Portal authentication page, completing Portal authentication. If the input is not an IP address, that is, a domain name was entered, the authentication server 300 completes the TCP connection with the wireless terminal 100 and Portal authentication is completed. If the input is an IP address but that address is the IP address corresponding to the Portal URL, the wireless AP device 200 does not intercept what the wireless terminal 100 sends to the IP address corresponding to the Portal URL but forwards it directly, allowing the wireless terminal 100 to establish a TCP connection directly with the Portal authentication server 300. This avoids the problem that a user who enters a network-unreachable IP address cannot complete Portal authentication, while the case where the user enters a domain name is not affected in any way. When the intranet or extranet is congested or the network is very slow, the user can directly enter the IP address corresponding to a URL known in advance to make the Portal authentication connection, which greatly speeds up the Portal authentication process.
Referring to Figure 4 (identical parts are not repeated), the present invention provides another embodiment of the portal authentication system, in which the wireless AP device 200 comprises:
a judging module 210, communicatively connected with the interception module; it judges whether the IP address is the IP address corresponding to the authentication server 300;
a control module 220; the wireless AP device 200 intercepts the SYN handshake packet sent by the wireless terminal 100, constructs a SYN ACK handshake packet, sends the SYN ACK handshake packet to the wireless terminal 100 and discards the SYN handshake packet.
Further, the control module 220 comprises:
an acquisition submodule 221, communicatively connected with the parsing submodule 222; it obtains the first packet sent by the wireless terminal 100;
a parsing submodule 222, communicatively connected with the judging submodule 223; it parses the first packet and obtains the datagram and the field parameters;
a judging submodule 223, communicatively connected with the output submodule 224; it judges from the datagram whether the flag bits satisfy the preset judgment condition;
an output submodule 224, communicatively connected with the interception submodule 225; it outputs that the first packet obtained is the TCP SYN handshake packet;
an interception submodule 225, communicatively connected with the construction submodule 226; according to the preset interception instruction it prevents the wireless AP device 200 from forwarding the TCP SYN handshake packet to the authentication server 300;
a construction submodule 226, which constructs the TCP SYN ACK handshake packet according to the field parameters.
The wireless terminal 100 comprises:
a sending module 110, communicatively connected with the receiving module 120; it sends the TCP connection request packet to the wireless AP device 200, sends the ACK handshake packet to the wireless AP device 200 and sends the HTTP packet to the wireless AP device 200;
a receiving module 120, which receives the SYN ACK handshake packet.
The wireless AP device 200 works in bridge mode. A hook function (also called a HOOK function) registered in the embedded Linux kernel of the wireless AP device 200 directly intercepts the TCP SYN packet sent by the wireless terminal 100, that is, the first TCP handshake packet. Inside the hook function the second TCP handshake message, the SYN ACK message, is constructed directly and sent straight to the wireless terminal 100 through the kernel send function; the first handshake message is then discarded, so it is never forwarded by the wireless AP device 200. After the second handshake completes, that is, after the wireless terminal 100 receives the SYN ACK message, it sends the ACK packet of the third handshake. The TCP connection is thus completed between the wireless terminal 100 and the wireless AP device 200 in a very short time, which greatly improves connection speed.
One hook function is registered in the kernel. Because the wireless AP device 200 works in bridge mode, it is the packets forwarded by the wireless AP device 200 that are intercepted (packets addressed to the wireless AP device 200 itself are not processed at all), so the hook point is placed at NF_IP_FORWARD. Because the first connection attempt of TCP has the SYN flag bit of the TCP header set to 1, the sk_buff data handed over by the kernel is parsed, and once the TCP header has been parsed a judgment is made: when the flag bits satisfy the condition "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0", this packet is the first handshake packet of a TCP connection. The required fields of this packet are parsed, such as the source MAC address, destination MAC address, source IP address and destination IP address; these important field parameters prepare the data for the subsequent construction of the SYN ACK packet, which is then constructed from the parsed parameters. Constructing a SYN ACK packet in the kernel is easy, and how to construct it is not described step by step here; assume the packet has been constructed. According to the TCP protocol the SYN ACK packet is the second handshake packet of a TCP connection, so once constructed it is sent directly from the kernel of the wireless AP device 200 to the wireless terminal 100. After it has been sent, the SYN packet of the first handshake is discarded inside the wireless AP device 200 (kernel return code NF_DROP) and is not sent on to the host at the IP address it was addressed to. When the wireless terminal 100 receives the SYN ACK packet sent by the wireless AP device 200 and confirms it is correct, it replies with the ACK packet of the third handshake and then sends the HTTP packet to the wireless AP device 200; the following flow is the same as the conventional Portal flow and is not described further. It should be noted that the IP address corresponding to the Portal URL should be whitelisted, that is, packets the wireless terminal 100 sends to the IP address corresponding to the Portal URL are not intercepted but forwarded directly, so that the wireless terminal 100 establishes the TCP connection directly with the Portal server.
The working mode of the wireless AP device 200 is bridge mode, and the kernel of the wireless AP device 200 is provided with the preset interception instruction. In this embodiment of the invention the interception instruction is realised by registering a hook function or callback function in the embedded Linux kernel of the wireless AP device 200; the manner in which the wireless AP device 200 intercepts the TCP SYN packet sent by the wireless terminal 100 is not limited, as long as the interception instruction can be realised.
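The NF_IP_FORWARD hook logic described in the method embodiment above and again in this system embodiment, as an added example that is not the patent's own code: a user-space C model that applies the page's flag condition, lets SYNs to the whitelisted Portal server address through, and constructs the SYN ACK from the parsed field parameters. The kernel sk_buff and NF_ACCEPT/NF_DROP are replaced by byte buffers and an enum; the sample frame, the Portal server address 10.0.0.1, the ISN and the port numbers are constructed assumptions.

```c
/* Added example (not the patent's code): user-space model of the AP's forward-hook
 * decision. Frame layout, Portal server IP, ISN and ports are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP_AND_REPLY = 1 }; /* NF_ACCEPT / NF_DROP+reply */

struct syn_fields {              /* the "field parameters" the hook parses from the SYN */
    uint8_t  src_mac[6], dst_mac[6];
    uint32_t src_ip, dst_ip;     /* host byte order */
    uint16_t src_port, dst_port;
    uint32_t seq;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement checksum; 'init' folds in the TCP pseudo-header. */
static uint16_t csum(const uint8_t *d, size_t n, uint32_t init) {
    uint32_t s = init;
    for (size_t i = 0; i + 1 < n; i += 2) s += rd16(d + i);
    if (n & 1) s += (uint32_t)d[n - 1] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* Pseudo-header sum for a 20-byte TCP header between two IPv4 addresses. */
static uint32_t pseudo_sum(uint32_t sip, uint32_t dip) {
    return (sip >> 16) + (sip & 0xffff) + (dip >> 16) + (dip & 0xffff) + 6 + 20;
}

/* Return 1 only for an IPv4/TCP frame whose flags are exactly SYN
 * (URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0), filling *f for the reply. */
int is_first_handshake(const uint8_t *fr, size_t len, struct syn_fields *f) {
    if (len < 54 || rd16(fr + 12) != 0x0800) return 0;                    /* not IPv4 */
    const uint8_t *ip = fr + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ip[9] != 6 || len < 14 + ihl + 20) return 0; /* not TCP */
    const uint8_t *tcp = ip + ihl;
    if ((tcp[13] & 0x3f) != 0x02) return 0;        /* ECE/CWR ignored, as on the page */
    memcpy(f->dst_mac, fr, 6);  memcpy(f->src_mac, fr + 6, 6);
    f->src_ip = rd32(ip + 12);  f->dst_ip = rd32(ip + 16);
    f->src_port = rd16(tcp);    f->dst_port = rd16(tcp + 2);
    f->seq = rd32(tcp + 4);
    return 1;
}

/* Build the 54-byte SYN ACK the AP returns to the terminal on behalf of the
 * unreachable host: MACs, IPs and ports swapped, ack = seq + 1, checksums set. */
size_t build_syn_ack(const struct syn_fields *f, uint32_t isn, uint8_t *out) {
    uint8_t *ip = out + 14, *tcp = out + 34;
    memset(out, 0, 54);
    memcpy(out, f->src_mac, 6); memcpy(out + 6, f->dst_mac, 6); wr16(out + 12, 0x0800);
    ip[0] = 0x45; wr16(ip + 2, 40); ip[8] = 64; ip[9] = 6;  /* IPv4, 40 bytes, TTL 64, TCP */
    wr32(ip + 12, f->dst_ip); wr32(ip + 16, f->src_ip);
    wr16(ip + 10, csum(ip, 20, 0));
    wr16(tcp, f->dst_port); wr16(tcp + 2, f->src_port);
    wr32(tcp + 4, isn); wr32(tcp + 8, f->seq + 1);
    tcp[12] = 0x50; tcp[13] = 0x12; wr16(tcp + 14, 65535);  /* 20-byte header, SYN|ACK */
    wr16(tcp + 16, csum(tcp, 20, pseudo_sum(f->dst_ip, f->src_ip)));
    return 54;
}

/* The hook decision: frames that are not a first handshake, and SYNs to the
 * whitelisted Portal server, are forwarded unchanged; any other SYN is answered
 * locally and the original is dropped, so it never reaches the wire. */
enum verdict hook_forward(const uint8_t *fr, size_t len, uint32_t portal_ip,
                          uint32_t isn, uint8_t *reply, size_t *reply_len) {
    struct syn_fields f;
    *reply_len = 0;
    if (!is_first_handshake(fr, len, &f) || f.dst_ip == portal_ip) return VERDICT_ACCEPT;
    *reply_len = build_syn_ack(&f, isn, reply);
    return VERDICT_DROP_AND_REPLY;
}

/* Constructed sample: terminal 192.168.1.10:40000 sends a SYN (seq 1000) to
 * 10.0.0.99:80, an address assigned to no host, the case the page describes. */
size_t sample_syn_frame(uint8_t *buf) {
    static const uint8_t hdr[54] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 192,168,1,10, 10,0,0,99,
        0x9c,0x40, 0x00,0x50, 0x00,0x00,0x03,0xe8, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
    memcpy(buf, hdr, 54);
    return 54;
}

int main(void) {
    uint8_t fr[54], reply[54]; size_t rn, n = sample_syn_frame(fr);
    enum verdict v = hook_forward(fr, n, 0x0A000001u /* assumed Portal 10.0.0.1 */, 0x1000u, reply, &rn);
    printf("verdict=%d reply_len=%zu flags=0x%02x ack=%u\n", v, rn, reply[47], rd32(reply + 42));
    return 0;
}
```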
It should be noted that the above embodiments can be freely combined as needed. The above is only a preferred embodiment of the present invention; it should be pointed out that those skilled in the art can make improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A portal authentication method, characterised in that it comprises the steps:
S100: a wireless terminal judges whether an IP address has been entered in the address bar of the Portal authentication page; if so, step S200 is performed; otherwise, step S400 is performed;
S200: a wireless AP device judges whether the IP address is the IP address corresponding to an authentication server; if so, step S400 is performed; otherwise, step S300 is performed;
S300: the wireless AP device intercepts the TCP connection packet being forwarded to the authentication server, so that the wireless AP device completes the TCP connection with the wireless terminal;
S400: the wireless terminal redirects the request to the Portal authentication page and completes Portal authentication.
2. The portal authentication method according to claim 1, characterised in that step S300 comprises the steps:
S310: the wireless AP device intercepts the SYN handshake packet sent by the wireless terminal and constructs a SYN ACK handshake packet;
S320: the wireless AP device sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet;
S330: the wireless terminal receives the SYN ACK handshake packet and sends an ACK handshake packet to the wireless AP device;
S340: the wireless terminal sends an HTTP packet to the wireless AP device.
3. The portal authentication method according to claim 1, characterised in that step S310 comprises the steps:
S311: the wireless terminal sends the TCP connection request packet to the wireless AP device;
S312: the wireless AP device obtains the first packet sent by the wireless terminal;
S313: the wireless AP device parses the first packet and obtains the datagram and the field parameters;
S314: the wireless AP device judges from the datagram whether the flag bits satisfy the preset judgment condition; if so, step S314 is performed;
S315: the first packet obtained is the SYN handshake packet;
S316: the wireless AP device, according to a preset interception instruction, prevents the wireless AP device from forwarding the SYN handshake packet to the authentication server;
S317: the wireless AP device constructs a SYN ACK handshake packet according to the field parameters.
4. The portal authentication method according to claim 3, characterised in that the field parameters comprise the source MAC address, destination MAC address, source IP address and destination IP address, and the preset judgment condition is that the flag bits satisfy "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0".
5. The portal authentication method according to any of claims 1-4, characterised in that the working mode of the wireless AP device is bridge mode, and the kernel of the wireless AP device is provided with a preset interception instruction.
6. A portal authentication system, characterised in that it comprises:
a wireless terminal, communicatively connected with a wireless AP device; the wireless terminal judges whether an IP address has been entered in the address bar of the Portal authentication page;
a wireless AP device, communicatively connected with an authentication server; the wireless AP device judges whether the IP address is the IP address corresponding to the authentication server;
when an IP address has been entered in the address bar of the Portal authentication page and the IP address is not the IP address corresponding to the authentication server, the wireless AP device intercepts the TCP connection packet being forwarded to the authentication server, and the wireless AP device completes the TCP connection with the wireless terminal;
when the wireless terminal has not entered an IP address in the address bar of the Portal authentication page; or,
when the wireless terminal has entered an IP address in the address bar of the Portal authentication page and the IP address is the IP address corresponding to the authentication server, the wireless terminal redirects the request to the Portal authentication page and completes Portal authentication.
7. The portal authentication system according to claim 6, characterised in that the wireless AP device comprises:
a judging module, communicatively connected with an interception module; it judges whether the IP address is the IP address corresponding to the authentication server;
a control module; the wireless AP device intercepts the SYN handshake packet sent by the wireless terminal, constructs a SYN ACK handshake packet, sends the SYN ACK handshake packet to the wireless terminal and discards the SYN handshake packet;
and the wireless terminal comprises:
a sending module, communicatively connected with a receiving module; it sends the TCP connection request packet to the wireless AP device, sends the ACK handshake packet to the wireless AP device and sends the HTTP packet to the wireless AP device;
a receiving module, which receives the SYN ACK handshake packet.
8. The portal authentication system according to claim 6, characterised in that the control module comprises:
an acquisition submodule, communicatively connected with a parsing submodule; it obtains the first packet sent by the wireless terminal;
a parsing submodule, communicatively connected with a judging submodule; it parses the first packet and obtains the datagram and the field parameters;
a judging submodule, communicatively connected with an output submodule; it judges from the datagram whether the flag bits satisfy the preset judgment condition;
an output submodule, communicatively connected with an interception submodule; it outputs that the first packet obtained is the TCP SYN handshake packet;
an interception submodule, communicatively connected with a construction submodule; according to the preset interception instruction it prevents the wireless AP device from forwarding the TCP SYN handshake packet to the authentication server;
a construction submodule, which constructs the TCP SYN ACK handshake packet according to the field parameters.
9. The portal authentication system according to claim 8, characterised in that the field parameters comprise the source MAC address, destination MAC address, source IP address and destination IP address, and the preset judgment condition is that the flag bits satisfy "URG=0, ACK=0, PSH=0, RST=0, SYN=1, FIN=0".
10. The portal authentication system according to any of claims 6-9, characterised in that the working mode of the wireless AP device is bridge mode, and the kernel of the wireless AP device is provided with a preset interception instruction.
Application CN201611024960.7A, filed 2016-11-16 (priority date 2016-11-16): A kind of portal authentication method and system. Status: Pending. Publication: CN106789884A (en).

Publication: CN106789884A (en), published 2017-05-31.

Family ID: 58969918. Country status: CN, CN106789884A (en), pending.


Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170531