CN106973383B - Distributed portal authentication method - Google Patents

Distributed portal authentication method

Info

Publication number
CN106973383B
Authority
CN
China
Prior art keywords
portal
authentication method
distributed
server
audit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610794538.3A
Other languages
Chinese (zh)
Other versions
CN106973383A (en)
Inventor
汪革
陈锦泽
谢耀兴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Baud Communication Technology Co ltd
Original Assignee
Shanghai Baud Communication Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2016-08-31
Filing date
2016-08-31
Publication date
2020-06-09
Application filed by Shanghai Baud Communication Technology Co ltd
Priority to CN201610794538.3A
Publication of CN106973383A
Application granted
Publication of CN106973383B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Abstract

The invention discloses a distributed portal authentication method that moves the work of pushing the portal authentication page from the AC (access controller) to the APs (access points): each AP pushes the portal page to its user terminals itself, so that the user gets a fast and smooth internet experience.

Description

Distributed portal authentication method
Technical Field
The invention relates to network technology, and in particular to portal authentication technology.
Background
In modern networking a portal is increasingly standard equipment: it is widely used in the public Wi-Fi of subways, buses, shopping malls and similar venues, and has become the gateway to internet access in public places.
At present, Wi-Fi hotspots in public places are usually unencrypted, but when a user accesses the network they are required to enter a user name and password, and only after successful authentication is network access granted. Web authentication has one obvious advantage: no dedicated client is needed, only a browser.
Referring to fig. 1, in conventional portal networking the work of pushing the portal authentication page is done entirely by the AC (access controller), which overloads the AC and gives a poor user experience. Secondly, conventional portal networking also has difficulty traversing NAT, which is very common in real deployments.
Disclosure of Invention
In view of the problems of the portal authentication scheme in existing portal networking, the invention aims to provide an efficient portal authentication method.
To achieve this purpose, the invention adopts the following technical scheme:
a distributed portal authentication method, characterized in that each AP pushes the portal authentication page to the user terminal to be authenticated.
Preferably, the authentication method uses iptables on the AP to intercept the HTTP traffic of the user terminal accessing the internet and redirects it to a locally created HTTP server.
Preferably, in the authentication method the destination MAC of the HTTP stream is rewritten to the local bridge address through OVS (Open vSwitch), so that the HTTP stream is steered to the HTTP server on the AP.
Preferably, the authentication method also establishes the NAT mapping table by having the AC send a hello message to the portal server periodically.
Preferably, the interval at which the AC periodically sends the hello message to the portal server is 10 s.
Preferably, the authentication method further performs portal distributed real-name audit, sending the user terminal information to an audit server.
Preferably, the portal distributed real-name audit acquires the user terminal information through hostapd, queries a database by the AP index number to obtain the audit server IP and port corresponding to that AP, delivers the IP and port to the AP through ubus, and calls the audit-message sending interface on the AP to send the collected user terminal information to the audit server.
According to the authentication scheme provided by the invention, the work load of pushing the portal authentication page is taken off the AC (access controller) and spread evenly across the APs, each of which pushes the portal page to its own user terminals, so that users get a fast and smooth internet experience. At the same time, the limitation that NAT imposes on portal networking is removed, making portal networking more flexible and suitable for a wide variety of network environments.
Drawings
The invention is further described below in conjunction with the appended drawings and the detailed description.
FIG. 1 is a schematic diagram of a non-distributed portal authentication principle;
FIG. 2 is a schematic diagram illustrating a distributed portal authentication principle according to an embodiment of the present invention;
fig. 3 is a flow chart of an implementation across NAT in an embodiment of the present invention.
Detailed Description
In order to make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the specific drawings.
The embodiment provides a distributed, NAT-traversing portal authentication method based on an AC + AP architecture, addressing the problems of the portal authentication mode in existing portal networking.
In this portal authentication method the work load of pushing the portal authentication page is shared among the APs instead of being carried by the AC: each AP pushes the portal page to its own user terminals, so that users get a fast and smooth internet experience.
At the same time, the authentication method removes the limitation that NAT imposes on portal networking, so that portal networking becomes more flexible and suitable for a wide variety of network environments.
The user terminal described here is any terminal that can be communicatively connected to the AP, such as a mobile phone, a tablet, and so on.
Based on this principle, the distributed, NAT-traversing portal authentication method is implemented as follows:
Referring to fig. 2, the authentication scheme implements distributed authentication by having each AP in the portal networking perform the action of popping up the portal authentication page.
The AP pops up the portal authentication page by configuring iptables to intercept the HTTP traffic of the user terminal bound for the internet and redirect it to a locally created HTTP server.
When iptables is configured in this scheme, the destination MAC of the HTTP stream is first rewritten to the local bridge address via OVS, so that the HTTP stream is delivered to the HTTP server on the AP.
By way of example, the corresponding configuration is as follows:
OVS flow that rewrites the destination MAC (the shell variable $br_mac holds the MAC address of the local bridge, and the local action outputs the packet to the bridge's own port):
ovs-ofctl add-flow br-ovs "table=12,tcp,tp_dst=80,actions=mod_dl_dst=$br_mac,local"
iptables is configured as follows:
iptables -t nat -A PT_HTTP -p tcp --dport 80 -j REDIRECT --to-ports 3030
iptables -t nat -A PT_HTTP -p tcp --dport 443 -j REDIRECT --to-ports 3031
The local HTTP server listens on ports 3030 and 3031. PT_HTTP is a user-defined chain in the nat table: it must be created and be reached from the PREROUTING chain for these rules to take effect, and the rules must stop matching a client once that client has authenticated, otherwise its traffic keeps being redirected to the portal.
With this configuration, when a user who has not yet passed portal authentication opens a browser, the internet-bound traffic is intercepted by iptables on the AP and redirected to the local HTTP server. Because the whole process is completed on the AP, the work load of the AC is greatly reduced, the user terminal (for example the user's mobile phone) gets the portal authentication page quickly, and the user experience improves.
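The AP-side redirector that the rules above hand traffic to, as an added example in Python that is not the patent's own code: it rebuilds the URL the client asked for, accepts it as a post-login return target only if it is an absolute http(s) URL (so neither this redirect nor the portal login page can be turned into an open redirect), and answers every intercepted request with a 302 to the portal login page. The portal URL, the url query parameter, the 302 status and the port-80-only scope are my assumptions; the patent does not specify them. One caveat the page does not mention: traffic redirected from port 443 arrives as TLS, and an AP cannot present a certificate that is valid for the site the client was visiting, so that path always triggers a browser certificate warning; this example serves only the plain-HTTP port.

```python
"""AP-local HTTP redirector for clients that have not passed portal authentication.

Added example, not the patent's code. Assumed: the portal login URL, the "url"
query parameter, the 302 status and the port-80-only scope.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlsplit

PORTAL_LOGIN = "http://portal.example.net/login"   # assumed portal login page
LISTEN_PORT = 3030                                  # the page's REDIRECT target for port 80


def original_url(host_header, path):
    """Rebuild the URL the client actually asked for from Host and the request target."""
    if path.startswith(("http://", "https://")):    # absolute-form request line
        return path
    host = host_header.strip()
    if not host:                                    # HTTP/1.0 client without Host
        return ""
    return f"http://{host}{path}"


def is_safe_return_url(url):
    """Accept only absolute http(s) URLs with a host as the post-login return target,
    which keeps the portal from being usable as an open redirect (javascript:, data:,
    relative paths and empty strings are all rejected)."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def portal_redirect_location(host_header, path, portal_login=PORTAL_LOGIN):
    """Location header value: the portal login page, carrying the original URL
    percent-encoded in the query string when it is safe to carry."""
    target = original_url(host_header, path)
    if not is_safe_return_url(target):
        return portal_login
    return f"{portal_login}?{urlencode({'url': target})}"


class PortalRedirectHandler(BaseHTTPRequestHandler):
    """Every intercepted request, whatever its method, is answered with a redirect."""

    def _redirect(self):
        location = portal_redirect_location(self.headers.get("Host", ""), self.path)
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Cache-Control", "no-store")   # never let a proxy cache the redirect
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _redirect
    do_POST = _redirect
    do_HEAD = _redirect

    def log_message(self, fmt, *args):      # keep the AP console quiet
        pass


def serve(port=LISTEN_PORT):
    """Bind on the port the iptables REDIRECT rule for TCP/80 points at."""
    HTTPServer(("0.0.0.0", port), PortalRedirectHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the AP behind the REDIRECT rule for port 3030. The portal's login handler has to apply the same is_safe_return_url check to the url parameter before sending the client back after a successful login; the check on the AP alone does not protect the portal.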
Furthermore, the authentication scheme also establishes a NAT mapping table by having the AC send hello messages periodically to the portal server (hereinafter referred to as the cloud platform), so that the subsequent Portal protocol exchange is no longer blocked by NAT. NAT traversal is thereby achieved and the limitation of NAT on portal networking is removed.
The interval at which the AC periodically sends hello messages to the portal server is preferably 10 s.
Accordingly, after the hello message is sent, when it passes from the AC to NAT device A two mapping entries are generated automatically, namely (SourceIP_AC, SourcePort_AC -> SourceIP_A, SourcePort_A) and (DestinationIP_AC, DestinationPort_AC -> DestinationIP_A, DestinationPort_A); with these entries present, messages can be exchanged between the AC and NAT device A. In the same way, the mapping entries generated when the hello message travels from NAT device A to NAT device B are obtained.
In addition, because the hello message is sent regularly, aging out of the mapping entries is effectively prevented.
Referring to fig. 3, the specific implementation flow across NAT in the authentication scheme is as follows:
1) The AC sends a hello message (a UDP message) to the cloud platform (e.g. Alibaba Cloud); the source port of the hello message is 2000, its source IP is the IP address of the AC, and its destination port and destination IP are the port and IP of the cloud platform.
2) One or more NAT devices may exist in the network topology between the AC and the cloud platform; by the time the cloud platform receives the hello packet, the corresponding NAT mapping entries have already been established on the NAT devices along the path.
3) Once the Portal protocol flow begins, the cloud platform can send a 0x03 message to the AC without being blocked by NAT, because the relevant NAT devices already hold the correct mapping entries.
4) The subsequent 0x04 response messages and the rest of the exchange then proceed correctly.
With this NAT-traversal process the NAT entries are kept current at very little cost (one hello message every 10 s), so communication between the AC and the cloud platform is not restricted by NAT: the AC and the cloud platform behave as if they were on one local area network, the intermediate network structure does not matter, and deployment is simplified. However complex the network structure, as long as the AC's hello message can reach the cloud platform, the subsequent portal flow proceeds correctly.
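The keep-alive behaviour of steps 1) to 4), as an added example in Python that is not the patent's code: a simulation of the AC, two source-NAT devices with aging UDP mappings, and the cloud platform. The 10 s hello period and the AC source port 2000 are from the page; the NAT entry lifetime (30 s), the addresses (RFC 5737 test networks) and the payload bytes are my assumptions. It shows that the cloud's 0x03 message reaches the AC only while a hello has refreshed every mapping on the path, and that a single hello is not enough once the entries age out. A caveat the page does not discuss: the hello deliberately opens a pinhole, so anything that reaches the external address and port is forwarded to AC port 2000; the AC must therefore authenticate Portal messages (for example with a shared-secret authenticator) rather than trust the source address alone.

```python
"""Simulation of the AC hello keep-alive through two NAT devices.

Added example, not the patent's code. Assumed: NAT entry lifetime, addresses
and payload bytes. Hello period and AC source port are from the page.
"""
from dataclasses import dataclass, field

HELLO_PERIOD = 10       # seconds, as stated on the page
NAT_TIMEOUT = 30        # assumed lifetime of an idle UDP mapping
AC_ADDR = ("10.0.0.2", 2000)            # AC ip assumed; source port 2000 as on the page
CLOUD_ADDR = ("203.0.113.10", 50100)    # assumed cloud platform ip/port
MSG_HELLO = b"hello"
MSG_REQ = bytes([0x03])                 # the page's "0x03 message" sent by the cloud


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple
    payload: bytes


@dataclass
class NatDevice:
    """Source NAT: an outbound packet creates or refreshes a mapping; an inbound
    packet is forwarded only if a live mapping exists for its destination port."""
    external_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # ext_port -> (inside (ip, port), last_seen)

    def outbound(self, pkt, now):
        ext_port = next((p for p, (src, _) in self.table.items() if src == pkt.src), None)
        if ext_port is None:                    # first packet from this inside socket
            ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (pkt.src, now)   # create or refresh: what each hello does
        return Packet((self.external_ip, ext_port), pkt.dst, pkt.payload)

    def inbound(self, pkt, now):
        entry = self.table.get(pkt.dst[1])
        if pkt.dst[0] != self.external_ip or entry is None:
            return None                         # no mapping: dropped at the NAT
        inside, last_seen = entry
        if now - last_seen > NAT_TIMEOUT:
            del self.table[pkt.dst[1]]          # aged out: the case the hello prevents
            return None
        return Packet(pkt.src, inside, pkt.payload)


class Cloud:
    """Portal server: remembers the AC as it appears after the last NAT."""
    def __init__(self):
        self.ac_as_seen = None

    def receive(self, pkt):
        if pkt.payload == MSG_HELLO:
            self.ac_as_seen = pkt.src

    def request_to_ac(self):
        if self.ac_as_seen is None:             # no hello yet: nowhere to send
            return None
        return Packet(CLOUD_ADDR, self.ac_as_seen, MSG_REQ)


def send_outbound(pkt, nats, now):
    for nat in nats:                 # AC -> NAT A -> NAT B -> cloud
        pkt = nat.outbound(pkt, now)
    return pkt


def send_inbound(pkt, nats, now):
    for nat in reversed(nats):       # cloud -> NAT B -> NAT A -> AC
        pkt = nat.inbound(pkt, now)
        if pkt is None:
            return None
    return pkt


def ac_reachable(hello_times, request_at):
    """True if a 0x03 sent by the cloud at request_at reaches the AC, given the
    times (seconds) at which the AC sent hello messages beforehand."""
    nats = [NatDevice("198.51.100.1"), NatDevice("192.0.2.1")]
    cloud = Cloud()
    for t in sorted(hello_times):
        if t > request_at:
            break
        cloud.receive(send_outbound(Packet(AC_ADDR, CLOUD_ADDR, MSG_HELLO), nats, t))
    req = cloud.request_to_ac()
    if req is None:
        return False
    delivered = send_inbound(req, nats, request_at)
    return delivered is not None and delivered.dst == AC_ADDR


def hello_schedule(until, period=HELLO_PERIOD):
    """Hello send times for the page's periodic scheme, from 0 up to 'until'."""
    return list(range(0, until + 1, period))


if __name__ == "__main__":
    print("single hello, request at 15 s:", ac_reachable([0], 15))
    print("single hello, request at 45 s:", ac_reachable([0], 45))
    print("hello every 10 s, request at 45 s:", ac_reachable(hello_schedule(45), 45))
```

The hello period has to stay below the shortest UDP mapping lifetime of any NAT on the path; 10 s is comfortably below the defaults of common NAT implementations, which is why the page can treat the AC and the cloud as if they shared a LAN.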
Furthermore, the authentication scheme also sends user terminal information (such as the mobile phone number) to an audit server through portal distributed real-name audit.
In the portal distributed real-name audit the real-name audit information is sent by each AP, which effectively reduces the load on the AC.
The portal distributed real-name audit scheme is implemented as follows:
1) The AC acquires the user terminal information (e.g. the mobile phone number) through hostapd;
2) The AC queries the database that stores audit server IPs and ports by the index (the AP index number) to obtain the audit server IP and port corresponding to the AP;
3) The AC delivers the audit information (the user terminal information, such as the mobile phone number) together with the obtained IP and port of the AP's audit server to the AP via ubus and calls the audit-message sending interface on the AP, and the AP sends the audit information (the user terminal information) to the audit server.
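The audit flow of steps 1) to 3), as an added example in Python that is not the patent's or the product's code: it parses a hostapd control-interface station event, looks up the audit server for the AP index in a constructed stand-in for the AC's database, and builds the audit record with an HMAC so that the audit server can reject records that do not come from a legitimate AP. The event line format is hostapd's; the record layout, the audit-server table, the phone number input, the HMAC-SHA256 tag and the shared key are my assumptions, and the ubus hand-over to the AP is represented by the returned tuple rather than a real ubus call.

```python
"""Real-name audit record from a hostapd station event, signed for the audit server.

Added example, not the patent's or the product's code. Assumed: the record layout,
the AP-index -> audit-server table, the phone number input, the HMAC and the key.
The event line format is hostapd's control-interface format.
"""
import hashlib
import hmac
import json
import re

# Constructed stand-in for the AC database rows "AP index -> audit server (ip, port)".
AUDIT_SERVERS = {
    7: ("203.0.113.20", 9000),
    8: ("203.0.113.21", 9000),
}
AUDIT_KEY = b"per-deployment-secret"   # assumed shared secret between the APs and the audit server

# hostapd ctrl-interface event, e.g. "<3>AP-STA-CONNECTED 00:11:22:33:44:55"
STA_EVENT = re.compile(
    r"^(?:<\d+>)?AP-STA-(CONNECTED|DISCONNECTED) ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")


def parse_sta_event(line):
    """Return (event, mac) for a station event line, None for any other line."""
    m = STA_EVENT.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def lookup_audit_server(ap_index):
    """Step 2) of the page: the AC resolves the audit server for this AP."""
    if ap_index not in AUDIT_SERVERS:
        raise LookupError(f"no audit server configured for AP index {ap_index}")
    return AUDIT_SERVERS[ap_index]


def build_audit_record(ap_index, mac, phone, ts, key=AUDIT_KEY):
    """Canonical JSON body followed by '.' and an HMAC-SHA256 tag (hex).
    Canonical encoding (sorted keys, no whitespace) keeps the tag reproducible."""
    body = {"ap_index": ap_index, "mac": mac, "phone": phone, "ts": ts}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest().encode()
    return canonical + b"." + tag


def verify_audit_record(record, key=AUDIT_KEY):
    """Audit-server side: constant-time tag check; returns the body dict or None."""
    canonical, sep, tag = record.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(canonical)


def dispatch(ap_index, hostapd_line, phone, ts):
    """Steps 1) to 3) on the AC: event -> server lookup -> record handed to the AP.
    Returns ((ip, port), record), or None when the line is not a connect event.
    The hand-over to the AP via ubus is represented by the return value here."""
    parsed = parse_sta_event(hostapd_line)
    if parsed is None or parsed[0] != "CONNECTED":
        return None
    return lookup_audit_server(ap_index), build_audit_record(ap_index, parsed[1], phone, ts)
```

The HMAC gives the audit server integrity and origin, not confidentiality; because the record carries a phone number, the transport from AP to audit server should also be encrypted (TLS, for instance), and the key should be provisioned per deployment rather than embedded in firmware.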
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (5)

1. A distributed portal authentication method, characterized in that the authentication method distributes the work load of pushing the portal authentication page from the AC (access controller) to the APs (access points) in the portal networking, each AP pushing the portal authentication page to the user terminal to be authenticated; in the authentication method, iptables is configured on the AP, and when iptables is configured the destination MAC of the HTTP stream is rewritten to the local bridge address through OVS so that the HTTP stream is steered to the HTTP server on the AP, in order to intercept the HTTP traffic of the user terminal accessing the internet and then redirect it to the locally created HTTP server, so that the page is popped up by the AP.
2. The distributed portal authentication method of claim 1, wherein the authentication method further establishes the NAT mapping table by having the AC periodically send hello messages to the portal server.
3. The distributed portal authentication method of claim 2, wherein the interval at which the AC periodically sends hello messages to the portal server is 10 s.
4. The distributed portal authentication method according to claim 1, wherein the authentication method further performs portal distributed real-name audit and sends the user terminal information to an audit server.
5. The distributed portal authentication method according to claim 4, wherein the portal distributed real-name audit obtains the user terminal information through hostapd, queries the database by the AP index number, obtains the audit server IP and port corresponding to the AP, delivers them to the AP through ubus, and calls the audit-message sending interface on the AP to send the user terminal information to the audit server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610794538.3A CN106973383B (en) 2016-08-31 2016-08-31 Distributed portal authentication method


Publications (2)

Publication Number Publication Date
CN106973383A (en) 2017-07-21
CN106973383B (en) 2020-06-09

Family

ID=59334475

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610794538.3A Active CN106973383B (en) 2016-08-31 2016-08-31 Distributed portal authentication method

Country Status (1)

Country Link
CN (1) CN106973383B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677460A (en) * 2019-09-06 2020-01-10 四川天邑康和通信股份有限公司 Portal site skipping method of access gateway

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101026567A (en) * 2007-01-29 2007-08-29 华为技术有限公司 Address repeat listing keeping-alive method and system
CN101217482A (en) * 2008-01-18 2008-07-09 杭州华三通信技术有限公司 A method traversing NAT sending down strategy and a communication device
CN101562814A (en) * 2009-05-15 2009-10-21 中兴通讯股份有限公司 Access method and system for a third-generation network
CN102647715A (en) * 2012-03-27 2012-08-22 华为技术有限公司 Method for delivering authentication target MAC (Media Access Control) address of EAP (Extensible Authentication Protocol) authentication
CN105338072A (en) * 2015-10-20 2016-02-17 上海斐讯数据通信技术有限公司 HTTP (hyper text transport protocol) redirecting method and routing equipment
CN105554758A (en) * 2016-02-23 2016-05-04 苏州云融信息技术有限公司 Uniform authentication system and method of multiple WiFi networks based on cloud platform
CN105634835A (en) * 2014-10-27 2016-06-01 任子行网络技术股份有限公司 Internet data cloud auditing method and system, and audit router
CN105871881A (en) * 2016-05-06 2016-08-17 中国科学技术大学 Portal authentication method based on Openwrt router

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8788655B2 (en) * 2008-12-19 2014-07-22 Openpeak Inc. Systems for accepting and approving applications and methods of operation of same
CN101631312B (en) * 2009-08-19 2011-12-21 北京傲天动联技术有限公司 Portal authentication method based on thin AP framework
US10623375B2 (en) * 2014-09-16 2020-04-14 International Business Machines Corporation Auto-detection of web-based application characteristics for reverse proxy enablement


Also Published As

Publication number Publication date
CN106973383A (en) 2017-07-21

Similar Documents

Publication Publication Date Title
CN106878253B (en) MAC (L2) layer authentication, security and policy control
CN106330844B (en) Cross-terminal login-free method and device
CN105657746B (en) A kind of wireless terminal fast roaming system and method based on AP syntople
US10250646B2 (en) Method and device for establishing channel
EP3151509A1 (en) Enhanced evpn mac route advertisement having mac (l2) level authentication, security and policy control
WO2017097023A1 (en) Perception-free authentication method and system, and control method and system based on method
US10952114B2 (en) Method, device, and system for selecting user plane functional entity supporting non-3GPP access
CA2419853A1 (en) Location-independent packet routing and secure access in a short-range wireless networking environment
US9716719B2 (en) Communication managing method and communication system
CN107204873A (en) A kind of method and relevant device for switching target domain name resolution server
CN102546407B (en) File transmitting method and device
CN105306485B (en) Network access authentication method, certificate server and its place Verification System
CN106464596A (en) Openflow communication method, system, controller, and service gateway
EP4246936A1 (en) Data processing method, function device and readable storage medium
CN103812900A (en) Data synchronization method, device and system
WO2021169291A1 (en) Route advertising method, network elements, system, and device
CN108833605A (en) A kind of method and system for checking local area network all devices IP and MAC
CN107659930A (en) A kind of AP connection control methods and device
CN106789263B (en) System for realizing IPv4 and IPv6 dual-stack flow unified bandwidth control based on SNMP
CN106973383B (en) Distributed portal authentication method
CN104168302B (en) Equipment manipulation implementation method, system and proxy gateway
CN104717640A (en) Realization method for wireless network communication based on positioning
US8990916B2 (en) System and method for supporting web authentication
CN103812868A (en) Method and system for realizing free Internet access based on IPv4/IPv6 conversion
CN105516121B (en) The method and system that AC is communicated with AP in WLAN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant