CN107517189B - Method and equipment for WLAN user access authentication and configuration information issuing - Google Patents


Info

Publication number: CN107517189B
Authority: CN (China)
Application number: CN201610437725.6A
Other versions: CN107517189A
Original language: Chinese (zh)
Inventors: 邬立保, 池艳广, 刘杨
Assignee (original and current): ZTE Corp
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Prior art keywords: authentication, wlan user, user, access, information

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 ... for authentication of entities
    • H04L 63/30 ... for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306 ... intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W 48/16 Discovering, processing access restriction or access information

Abstract

A WLAN user access authentication and configuration information issuing method and device. An access point (AP) intercepts a hypertext transfer protocol (HTTP) request sent by a WLAN user through a station (STA); when the AP determines that the WLAN user has not passed access authentication, it sends a redirection message to the STA, the redirection message carrying the uniform resource locator (URL) address of an authentication page on an access authentication server and redirecting the HTTP request to that server. An access controller (AC) receives and stores configuration information for an AP issued by a network management system, the configuration information including the URL address of a personalized authentication page provided for WLAN users, and issues the configuration information to the AP when the AP connects. The method and device avoid the problems of the existing approach, in which intercepting WLAN users' HTTP request messages on the AC affects the processing performance of the AC and makes access authentication inefficient.

Description

Method and equipment for WLAN user access authentication and configuration information issuing
Technical Field
The present invention relates to the field of wireless communications, and in particular, to a method and an apparatus for WLAN user access authentication and configuration information delivery.
Background
In recent years, with the spread of mobile terminals such as smartphones and tablets, demand for wireless data has grown explosively, and WLAN technology is used more and more widely as a supplement to 3G/4G coverage. More and more service venues such as shopping malls, hotels and restaurants need to provide free WiFi for customers, and authentication of WLAN users and advertising to them have become basic requirements of such public wireless networks. Portal authentication is also commonly referred to as Web authentication, and Portal authentication web sites are commonly referred to as web portals. When an unauthenticated user tries to access the Internet, the access device forces the user terminal to a specific site (the portal), whose services the terminal may access freely. When the user terminal needs to reach other resources on the Internet, it must first authenticate on the portal site, and only after authentication passes can Internet resources be used. The Portal service provides operators with a convenient management function, and a portal site can carry advertising, community services, personalized services and so on, so that broadband operators, equipment vendors and content service providers form an industrial ecosystem.
The traditional WLAN network is based on a "fat" AP architecture, in which the WLAN consists of mutually independent access points (APs); this architecture is very complex to network, manage and configure and is difficult to scale to large deployments. At present, the WLAN networks deployed by operators generally adopt an architecture comprising APs and an access controller (AC), as shown in fig. 1, called the "thin" AP architecture. In the thin AP architecture, the AC performs unified management and configuration of all APs in the WLAN, mainly through the Control And Provisioning of Wireless Access Points (CAPWAP) protocol. The thin AP architecture is further divided into a local forwarding mode and a centralized forwarding mode according to the path over which the AP forwards STA data packets. In local forwarding mode, the AP does not CAPWAP-encapsulate user data packets, which are forwarded directly without passing through the AC; in centralized forwarding mode, user data packets are encapsulated into the CAPWAP tunnel and must all be forwarded through the AC.
In the AP centralized forwarding mode, the AC generally serves as the access authentication point for WLAN users: the AC intercepts the HTTP request messages sent by WLAN user terminals, checks whether the WLAN user is authenticated, and completes authentication of the WLAN user together with a Portal server and a RADIUS authentication server. At the same time, the AC serves as the service control point and performs service control for users during WLAN access, including the forced-Portal function. With large numbers of APs deployed centrally, the performance demanded of the AC in centralized forwarding mode keeps growing, so the AP local forwarding mode is also widely applied.
For Portal authentication in AP local forwarding mode, the related art proposes that after an AP receives an authentication request from an STA, the AP sends the request to the access controller (AC) through the CAPWAP tunnel, and the AC forwards it to the Portal server. This method can realize Portal authentication under AP local forwarding using the existing network authentication architecture, but before the STA passes authentication all of its authentication request messages must be sent to the AC for processing, and the AC redirects all HTTP requests of WLAN users to the Portal server, which has a certain impact on the processing performance of the AC.
On the other hand, most of the uniform authentication pages pushed today are customized per operator, and the demand of the many merchants operating APs for genuinely personalized Portal authentication pages cannot be met.
Disclosure of Invention
In view of this, the present invention provides the following.
A WLAN user access authentication method, applied to a network architecture comprising an access point (AP) and an access controller (AC), comprises the following steps:
an AP intercepts a hypertext transfer protocol (HTTP) request sent by a WLAN user through a station (STA);
and when the AP determines that the WLAN user has not passed access authentication, it sends a redirection message to the STA, wherein the redirection message carries the uniform resource locator (URL) address of an authentication page on an access authentication server and redirects the HTTP request to the access authentication server.
An access point (AP) for use in a network comprising an access controller (AC), the AP comprising:
an intercepting module, configured to intercept a hypertext transfer protocol (HTTP) request sent by a WLAN user through a station (STA);
and a redirection module, configured to send a redirection message to the STA when it is determined that the WLAN user has not passed access authentication, wherein the redirection message carries the uniform resource locator (URL) address of an authentication page on an access authentication server and redirects the HTTP request to the access authentication server.
According to this scheme, in a thin AP architecture comprising an AP and an AC, the AP directly intercepts the HTTP request of the WLAN user and redirects it to the access authentication server for access authentication, which solves the problems of the existing method, in which intercepting WLAN users' HTTP request messages on the AC has a certain impact on the processing performance of the AC and makes access authentication inefficient.
In view of the above, the present invention also provides the following.
A method for issuing access point configuration information comprises the following steps:
an access controller (AC) receives and stores configuration information for an access point (AP) issued by a network management system, wherein the configuration information comprises the uniform resource locator (URL) address of a personalized authentication page provided for WLAN users;
and the AC issues the configuration information to the AP when the AP connects to the AC.
An access controller (AC), comprising:
an information receiving sub-module, configured to receive and store configuration information for an access point (AP) issued by a network management system, wherein the configuration information comprises the uniform resource locator (URL) address of a personalized authentication page provided for WLAN users;
and an information issuing sub-module, configured to issue the configuration information to the AP when the AP connects to the AC.
According to this scheme, the URL address of the customized personalized authentication page is issued to the AP, so that the AP can conveniently redirect the WLAN user to the corresponding personalized authentication page, realizing the push of personalized authentication pages.
Drawings
Fig. 1 is a schematic diagram of a network having a "thin" AP architecture;
Fig. 2 is a flowchart of the user authentication method according to embodiment one of the present invention;
Fig. 3 is a block diagram of the access point (AP) according to embodiment one of the present invention;
Fig. 4 is a flowchart of the configuration information issuing method according to embodiment two of the present invention;
Fig. 5 is a block diagram of the access controller (AC) according to embodiment two of the present invention;
Fig. 6 is a block diagram of the cloud network management system according to embodiment three of the present invention and a schematic diagram of its connection with an AC;
Fig. 7 is a functional block diagram of the AC according to embodiment four of the present invention;
Fig. 8 is a flowchart of intercepting a WLAN user's HTTP request and implementing Portal authentication in AP local forwarding mode according to example two of the present invention;
Fig. 9 is a flowchart of the cloud network management system issuing the configuration related to Portal authentication according to example three of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
Embodiment one
This embodiment provides a method for user access authentication, applied to a network architecture including an access point (AP) and an access controller (AC) as shown in fig. 1; as shown in fig. 2, the method includes:
step 110, an AP intercepts a hypertext transfer protocol (HTTP) request sent by a WLAN user through a station (STA);
step 120, when it determines that the WLAN user is not authenticated, the AP sends a redirection packet to the STA, where the redirection packet carries the URL address of an authentication page on an access authentication server and redirects the HTTP request to the access authentication server.
In this embodiment the access authentication server is a Portal server, but it is not limited thereto.
In this embodiment, the AP obtains the URL address carried in the redirection packet as follows: the AP looks up the binding relationship information according to the SSID carried in the HTTP request to obtain the URL address bound to that SSID, and uses it as the URL address carried in the redirection packet; the binding relationship information, issued by the AC, binds SSIDs to URL addresses of authentication pages on the access authentication server. The AP can fill in the redirection parameters according to the virtual access device name (WLAN0, WLAN1, and so on) corresponding to the SSID with which the WLAN user's STA is associated: when the AP processes a packet received on the air interface, it knows which virtual access device (for example SSID1-WLAN0, SSID2-WLAN1) the packet belongs to.
In this embodiment, in the binding relationship information, the URL address bound to each SSID is the URL address of a personalized authentication page customized for WLAN users of the network identified by that SSID. The invention is not limited to this, however: the URL address may also be that of a uniform authentication page, or of an authentication page customized in some other way. Note that binding a URL address to an SSID includes binding the URL to the SSID together with an AP identifier, that is, personalized authentication pages may be customized per SSID under each AP, or the same personalized authentication page may be used for the same SSID under different APs.
In this embodiment, before intercepting the HTTP request, the AP may receive from the AC the user authentication parameters that need to be inserted into the URL; these user authentication parameters are then carried in the redirection packet sent to the STA.
In this embodiment, the AP may forward data packets in local forwarding mode or in centralized forwarding mode. When centralized forwarding mode is used, the AP intercepts the HTTP request before encapsulating it into the CAPWAP tunnel. That is, interception and redirection of the HTTP request can be implemented in either the AP centralized forwarding mode or the local forwarding mode.
In this embodiment, the AP intercepts the HTTP request using an AP-side network firewall. The invention is not limited to this, however; other modules, such as a newly added functional module, may also implement this function.
In this embodiment, the AP may determine that the WLAN user is not authenticated from the access authentication information of that WLAN user in a packet filtering rule set in the AP-side network firewall. After the AP sends the redirection packet to the STA, if it receives an access control rule issued by the AC after the WLAN user passes access authentication, it updates the access authentication information of the WLAN user in the packet filtering rule to indicate that the user has passed access authentication and lifts the access restriction on that user.
In this embodiment, after the AP updates the access authentication information of the WLAN user in the packet filtering rule, the method further includes: if the AP receives a notification from the AC that the WLAN user has gone offline, or receives a disassociation message from the STA, it deletes the information of that WLAN user from the packet filtering rule, the information of the WLAN user including its access authentication information.
This embodiment also provides an AP, applied to a network including an access controller (AC); as shown in fig. 3, the AP includes:
an interception module 10, configured to intercept a hypertext transfer protocol (HTTP) request sent by a WLAN user through a station (STA);
a redirection module 20, configured to send a redirection packet to the STA when it is determined that the WLAN user is not authenticated, where the redirection packet carries the uniform resource locator (URL) address of an authentication page on an access authentication server and redirects the HTTP request to the access authentication server.
Optionally,
the redirection module obtains the URL address carried in the redirection packet as follows: it looks up the binding relationship information according to the SSID carried in the HTTP request to obtain the URL address bound to that SSID, and uses it as the URL address carried in the redirection packet; the binding relationship information, issued by the AC, binds SSIDs to URL addresses of authentication pages on the access authentication server.
Optionally,
in the binding relationship information, the URL address bound to each SSID is the URL address of a personalized authentication page customized for WLAN users of the network identified by that SSID.
Optionally,
the AP further comprises a receiving module, configured to receive from the AC the user authentication parameters that need to be inserted into the URL;
and the redirection packet sent by the redirection module to the STA also carries these user authentication parameters.
Optionally,
the AP further comprises a forwarding module;
the forwarding module forwards data packets in local forwarding mode; or
the forwarding module forwards data packets in centralized forwarding mode, in which case the interception module intercepts the HTTP request before it is encapsulated into the CAPWAP tunnel.
Optionally,
the interception module is implemented using an AP-side network firewall.
Optionally,
the redirection module determines that the WLAN user is not authenticated from the access authentication information of the WLAN user in a packet filtering rule set in the AP-side network firewall;
and the AP further comprises an updating module, configured to receive an access control rule issued by the AC after the WLAN user passes access authentication and to update the access authentication information of the WLAN user in the packet filtering rule to indicate that the user has passed access authentication.
Optionally,
the updating module is further configured to delete the information of the WLAN user from the packet filtering rule after receiving a notification from the AC that the WLAN user has gone offline, or after receiving a disassociation message from the STA; the information of the WLAN user includes its access authentication information.
In this embodiment, in a thin AP architecture comprising an AP and an AC, the AP directly intercepts the HTTP request of the WLAN user and redirects it to the access authentication server for access authentication, without any Portal client interaction between the AP and the AC; this solves the problems of the existing method, in which intercepting WLAN users' HTTP request messages on the AC affects the processing performance of the AC and makes access authentication inefficient.
In addition, in the related art the AC or the Portal server generally selects the personalized Portal page to push according to user attribute information carried in the HTTP request message sent by the STA; querying first and then pushing the personalized authentication page at the server is time-consuming and slow to respond. The present scheme is a dynamic pre-configuration method: the personalized Portal authentication page is pushed on the AP side directly according to the AP and SSID with which the WLAN user is associated.
In this embodiment no frequent Portal client interaction between the AP and the AC is required. After the RADIUS server and the AC confirm that the STA user's authentication succeeded, the Portal authentication management module on the AC notifies the AP side directly through a CAPWAP message, that is, it issues the ACL rule for the STA user's access control to the AP; once the AP-side CAPWAP module receives the ACL rule, it notifies the network firewall module to lift the restriction on the user's Internet access.
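As an added example (not code from the patent or from ZTE), the following Python models the AP-side behaviour described in steps 110 and 120 and in the ACL and offline handling above: a packet-filter table keyed by STA MAC address, a binding table keyed by (AP identifier, SSID) with an SSID-only fallback, a 302 redirect that carries the AC-issued user authentication parameters and the original URL, and the state transitions when the AC issues the ACL rule or the STA goes offline. All identifiers, URLs, parameter names and the HTTP response layout are assumptions. Two caveats a practitioner should keep in mind: only plaintext HTTP can be redirected this way (a TLS request cannot be answered with a 302 without a certificate error on the STA, so the scheme relies on the STA sending some plaintext request, as the captive-portal probes of common operating systems do); and the original URL echoed in the redirect is client-controlled, so the Portal server must validate it before using it as a post-login destination.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlencode

# Constructed binding table, as the AC would issue it to this AP (the patent's
# "binding relationship information"). A key of (ap_id, ssid) binds a page to
# one SSID on one AP; a key of (None, ssid) binds it to that SSID on every AP.
# All identifiers and URLs are assumed values for illustration only.
BINDINGS: Dict[Tuple[Optional[str], str], str] = {
    ("ap-0001", "SSID1"): "http://portal.example.net/ap0001/login",
    (None, "SSID1"): "http://portal.example.net/default/login",
    (None, "SSID2"): "http://portal.example.net/ssid2/login?lang=en",
}

# Hypothetical "user authentication parameters" the AC tells the AP to insert
# into the redirect URL so the Portal server can identify the AC and the AP.
AUTH_PARAMS: Dict[str, str] = {"ac_ip": "192.0.2.10", "ap_id": "ap-0001"}


def lookup_portal_url(ap_id: str, ssid: str,
                      bindings: Dict[Tuple[Optional[str], str], str]) -> Optional[str]:
    """An AP+SSID binding takes precedence over an SSID-only binding."""
    url = bindings.get((ap_id, ssid))
    return url if url is not None else bindings.get((None, ssid))


@dataclass
class ApFirewall:
    """AP-side packet filter: tracks each STA's authentication state and
    answers an unauthenticated STA's HTTP request with a 302 to the portal."""
    ap_id: str
    bindings: Dict[Tuple[Optional[str], str], str]
    auth_params: Dict[str, str]
    portal_hosts: Set[str]                                   # reachable before authentication
    clients: Dict[str, bool] = field(default_factory=dict)   # STA MAC -> authenticated?

    def on_associate(self, mac: str) -> None:
        self.clients[mac] = False                            # a new STA starts unauthenticated

    def handle_http_request(self, mac: str, ssid: str, host: str, path: str
                            ) -> Tuple[str, Optional[bytes]]:
        """Returns (verdict, response); verdict is FORWARD, REDIRECT or DROP."""
        # The portal itself must stay reachable, or the STA could never log in.
        if host in self.portal_hosts or self.clients.get(mac, False):
            return "FORWARD", None
        portal = lookup_portal_url(self.ap_id, ssid, self.bindings)
        if portal is None:
            return "DROP", None                              # no page bound: nowhere to send the STA
        params = dict(self.auth_params)
        params["mac"] = mac
        params["url"] = "http://" + host + path             # lets the portal send the user back
        # urlencode percent-encodes CR, LF and '&' in the client-controlled host and
        # path, so a crafted Host header cannot split the Location header below.
        sep = "&" if "?" in portal else "?"
        location = portal + sep + urlencode(params)
        # Portal URLs come from AC configuration and are ASCII; the encoded
        # parameters are ASCII by construction.
        response = ("HTTP/1.1 302 Found\r\n"
                    "Location: " + location + "\r\n"
                    "Content-Length: 0\r\n"
                    "Connection: close\r\n\r\n").encode("ascii")
        return "REDIRECT", response

    def apply_acl_from_ac(self, mac: str) -> bool:
        """ACL rule issued by the AC after RADIUS/Portal authentication succeeded.
        Honoured only for a STA currently associated with this AP."""
        if mac not in self.clients:
            return False
        self.clients[mac] = True
        return True

    def on_offline(self, mac: str) -> None:
        """AC offline notification or STA disassociation: drop all state for the STA."""
        self.clients.pop(mac, None)


if __name__ == "__main__":
    fw = ApFirewall("ap-0001", BINDINGS, AUTH_PARAMS, {"portal.example.net"})
    fw.on_associate("aa:bb:cc:dd:ee:01")
    print(fw.handle_http_request("aa:bb:cc:dd:ee:01", "SSID1", "www.example.com", "/")[1].decode())
```

The whitelist of portal hosts is the part the patent leaves implicit: the packet filter must let unauthenticated STAs reach the access authentication server (and, in practice, DNS), otherwise the redirect lands on a page the STA cannot load.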
Embodiment two
This embodiment provides a method for issuing access point configuration information; as shown in fig. 4, it includes:
step 210, an access controller (AC) receives and stores configuration information for an access point (AP) issued by a network management system, wherein the configuration information comprises the uniform resource locator (URL) address of a personalized authentication page provided for WLAN users;
step 220, the AC issues the configuration information to the AP when the AP connects to the AC.
In this embodiment, the AC may receive and store the configuration information of an AP from the network management system when the AP is brought into service.
In this embodiment, the configuration information may further include the user authentication parameters that need to be inserted into the URL. The AC sends these user authentication parameters to the AP, and the AP writes them together with the URL address into the redirection packet sent to the WLAN user.
In this embodiment, the network management system may be a cloud network management system; the cloud network management system virtualizes a corresponding access authentication server for each AC, and the personalized authentication page is an authentication page on that access authentication server.
In this embodiment the URL addresses have a binding relationship with SSIDs, where the URL address bound to each SSID is the URL address of a personalized authentication page customized for WLAN users of the network identified by that SSID; the configuration information further includes the SSID bound to each URL address. The invention is not limited to this, however: a URL address may or may not also be bound to other information, such as an AP identifier.
A conventional AC is deployed in each operator's own network; most of the uniform authentication pages pushed are customized per operator, and genuinely personalized Portal authentication pages for the many merchants operating APs cannot be provided. A cloud network management system can provide a uniform customization interface and conveniently customize personalized pages for WLAN users of APs under any AC.
This embodiment further provides an access controller (AC) comprising an access point (AP) management module; as shown in fig. 5, the AP management module includes:
an information receiving sub-module 30, configured to receive and store configuration information for an access point (AP) issued by a network management system, where the configuration information includes the uniform resource locator (URL) address of a personalized authentication page provided for WLAN users;
and an information issuing sub-module 40, configured to issue the configuration information to the AP when the AP connects to the AC.
Optionally,
the configuration information received by the information receiving sub-module further comprises the user authentication parameters that need to be inserted into the URL.
Optionally,
the network management system is a cloud network management system, the cloud network management system virtualizes a corresponding access authentication server for each AC, and the personalized authentication page is an authentication page on that access authentication server.
Optionally,
the URL address in the configuration information received by the information receiving sub-module has a binding relationship with an SSID, where the URL address bound to each SSID is the URL address of a personalized authentication page customized for WLAN users of the network identified by that SSID;
and the configuration information received by the information receiving sub-module further comprises the SSID bound to the URL address.
In this embodiment the URL address may be bound to the SSID alone, so that the URL address to provide is determined by the SSID; or it may be bound to the SSID together with other information, for example the SSID and the AP, so that the URL address to provide is determined jointly by the SSID and the AP identifier.
AC personalized Portal push technology lets a Portal server push a customized personalized Portal authentication page to the WLAN user terminal according to some policy. In this embodiment, the URL address of the customized personalized authentication page is issued to the AP, and the AP redirects the WLAN user directly to the corresponding personalized authentication page, so the personalized-page push function is implemented more conveniently.
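As an added example (not the patent's or ZTE's code) for steps 210 and 220, the following Python models an AC-side configuration store: it validates each binding record received from the network management system before storing it, keeps AP-specific and SSID-only bindings apart, and returns the subset to issue to a given AP when that AP connects. The record field names, the validation rules and the replace-on-update behaviour are assumptions; the page specifies only that the configuration carries a URL, the bound SSID, optionally an AP identifier, and the user authentication parameters. The validation is the check a practitioner would want here, because whatever URL the AC accepts from the management system is where every STA on that SSID will later be redirected.

```python
from typing import Dict, List
from urllib.parse import urlsplit

SSID_MAX_OCTETS = 32   # IEEE 802.11 limit on SSID length


def validate_portal_url(url: str) -> bool:
    """Reject redirect targets that a misconfigured or compromised NMS account
    could turn against STAs: non-http(s) schemes, userinfo tricks such as
    http://bank.example@evil.example/, fragments, and any byte outside printable
    ASCII (controls and spaces would split the Location header the AP builds).
    Non-ASCII hostnames must be supplied in punycode / percent-encoded form."""
    if not url or any(c < "!" or c > "~" for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if "@" in parts.netloc or parts.fragment:
        return False
    return True


class AcConfigStore:
    """Hypothetical AC-side store for steps 210 and 220: accept validated
    bindings from the NMS and hand each AP its own subset when it joins."""

    def __init__(self) -> None:
        self._global: List[Dict] = []              # ap_id None: every AP carrying that SSID
        self._per_ap: Dict[str, List[Dict]] = {}   # ap_id -> bindings for that AP only

    def receive_from_nms(self, record: Dict) -> bool:
        """Step 210. Returns False (and stores nothing) for an invalid record."""
        ssid = record.get("ssid", "")
        url = record.get("portal_url", "")
        if not ssid or len(ssid.encode("utf-8")) > SSID_MAX_OCTETS:
            return False
        if not validate_portal_url(url):
            return False
        ap_id = record.get("ap_id")
        binding = {
            "ap_id": ap_id,
            "ssid": ssid,
            "portal_url": url,
            "auth_params": dict(record.get("auth_params", {})),   # copied, not aliased
        }
        bucket = self._global if ap_id is None else self._per_ap.setdefault(ap_id, [])
        bucket[:] = [b for b in bucket if b["ssid"] != ssid]   # newer NMS config replaces older
        bucket.append(binding)
        return True

    def config_for_ap(self, ap_id: str) -> List[Dict]:
        """Step 220: what the AC issues to this AP over CAPWAP when it connects.
        Both SSID-only and AP-specific bindings are sent; the AP gives the
        AP-specific one precedence when it looks up a redirect target."""
        return [dict(b) for b in self._global + self._per_ap.get(ap_id, [])]


if __name__ == "__main__":
    store = AcConfigStore()
    store.receive_from_nms({"ssid": "SSID1", "portal_url": "http://portal.example.net/default/login"})
    store.receive_from_nms({"ap_id": "ap-0001", "ssid": "SSID1",
                            "portal_url": "https://portal.example.net/ap0001/login",
                            "auth_params": {"ac_ip": "192.0.2.10"}})
    print(store.config_for_ap("ap-0001"))
```

Returning copies from config_for_ap keeps the AC's stored configuration immutable from the caller's side, so a later CAPWAP re-issue reflects exactly what the management system last accepted.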
EXAMPLE III
The traditional AC is generally deployed on the basis of networks of operators, the AC network maintenance cost is high, and the requirements of novel IT architectures, such as a large amount of virtualization, cloud computing, unified storage technology and the like, cannot be met. The embodiment provides a network management system based on a cloud platform, which is also called a cloud network management system, an AC cloud network management platform, a cloud platform network management, and the like). The cloud network management system of the embodiment can manage or configure the AC or the AP hung under the AC through the SNMP protocol. Basic configuration of the access AC and the AP equipment is supported through a network management system, and the basic configuration comprises configuration of AP wireless interface parameters (SSID, channel selection, security encryption related parameters, transmission power parameters, QoS related parameter configuration and the like). The AC needs to register to the cloud platform first, and after the AC is successfully registered to the cloud network management system, the AC can subsequently issue relevant parameter configuration information required by authentication through the cloud platform.
As shown In fig. 6, the cloud network management system of this embodiment includes an AC registration server, an AC configuration management module, and a database, and may further include a virtualized access Authentication server and a Radius server,
Wherein
And the AC registration service module is used for receiving a registration request of the AC, storing the registration information of the AC to the database after the authentication is passed, and also can be responsible for maintaining a communication link with the AC. The step of registering the AC with the cloud network management system may include: after the AC equipment acquires the public network address, the AC equipment actively performs connection registration to the cloud network management system, and a registration request can be sent to the cloud network management system in a UDP or TCP mode, wherein the content comprises the model, name, MAC address, IP address, SN, software and hardware version number and the like of the AC equipment; after verifying the validity of the AC, the cloud network management system stores the concerned book information into the DB database, and the subsequent cloud network management system can carry out unified configuration and management on the AC equipment.
And the AC configuration management module is used for managing the global parameter configuration of all the accessed ACs, the issuing of configuration information such as the access authentication mode of the ACs and the like, the AP and STA capacity planning of the AC access, the DHCP address pool capacity planning, the SSID planning, the corresponding radio frequency parameter configuration and the like of the AC. The AP can be realized in a zero configuration mode, all configuration information of the AP when the AP is powered on needs to be issued by the AC, namely when the AP is accessed to the AC, the AC uniformly issues the configuration information of the AP to the AP through CAPWAP protocol interaction.
The Portal server stores the configuration information of the AC, which includes the personalized authentication page customized for the WLAN users under the AC; the personalized authentication page is pushed during the authentication process and may carry advertisement push information. Personalized authentication pages can be customized per SSID, and the URL address of each personalized authentication page can be bound to the corresponding SSID. The configuration information may include at least one of the following: the uniform resource locator (URL) addresses of the personalized authentication pages provided for WLAN users, where each URL address has a binding relationship with an SSID, and the URL address bound to an SSID is that of the personalized authentication page customized for the WLAN users of the network identified by that SSID.
The Radius server is used for Radius authentication of the WLAN user.
The database stores and maintains the basic configuration information of the AC. The configuration information may include one or more of the following: the SSID planning of the AP, the configuration information of the corresponding radio frequency parameters, the URL addresses of the Portal server, the SSID information bound by the Portal server, and the like, all stored in the database of the cloud platform. The related configuration information can be issued to the AC through the AC configuration management module, so that unified storage and management of the AC is achieved.
Under the existing AC framework, the personalized Portal authentication page of each AP is inconvenient to manage in a unified way: generally each AC needs its own Portal authentication server, and resources cannot be shared between different ACs and authentication servers. The cloud network management system of this embodiment issues the required configuration parameter information to each AC through the SNTP protocol, and the AC passes the configuration information on to the AP side through the CAPWAP protocol; corresponding virtualized Portal/Radius authentication servers can be set up for different ACs, ACs deployed in different operator networks are compatible, and unified management is achieved; and the personalized Portal authentication page can be customized directly according to the needs of the AP merchant user.
Example four
The present embodiment relates to a functional module of an AC, and as shown in fig. 7, the AC of the present embodiment includes the following functional modules: the system comprises a cloud platform interface management module, a database, an AP management module, an STA management module, a WLAN management module, a Portal authentication management module and a CAPWAP protocol module.
Wherein:
The cloud platform interface module registers with the cloud network management system and maintains the status of the heartbeat link; for example, heartbeat messages can be reported periodically to the cloud network management system to ensure that the communication channel between the AC and the cloud network management system is normal, and the AC can optionally register with another backup AC network manager on the cloud platform when communication with the main network management server fails.
The AP management module issues the related configuration of the AP when the AP accesses, and handles AP version upgrades, state maintenance and the like; the URL address of the Portal authentication page, the SSID bound to it and the user authentication parameters that need to be inserted into the URL can be issued to the corresponding AP.
The STA management module manages the online authentication and offline handling of the STA, STA roaming, and the like; it may record the MAC address of the WLAN user and analyze the user's behavior. When a WLAN user accesses for the first time and passes authentication, the user name, MAC address, originally accessed URL and other information of the authenticated user are reported to and recorded in the cloud server, so that when the user roams or accesses again, authentication-free or quick authentication can be provided.
The CAPWAP protocol module exchanges control protocol messages between the AC and the AP and implements the issuing of AP configuration parameters.
The Portal authentication module implements Portal authentication and policy control. It supports the functions of both the Portal client and the Radius client; the WLAN user data area of the Portal client and Radius client is shared with the data area created by the STA management module when the STA comes online. That data area records the information of the WLAN user, including the identity verification parameters of the WLAN user required during the authentication process.
The WLAN management module sets the radio frequency parameters of the SSIDs of the WLAN interface.
The invention is described below using specific examples of several applications.
Example 1
This example is based on a thin AP architecture, in which the AP implements interception and redirection of local user HTTP requests. After the WLAN user STA terminal successfully associates with the SSID, the AP first informs the AC through a CAPWAP message that the STA has come online; the STA management module at the AC side creates a corresponding STA data area and records the relevant identity information of the STA.
When the WLAN user initiates an HTTP request to the external network, the network firewall module at the AP side intercepts it and determines whether the request needs to be redirected to the Portal server; the Portal server pushes the authentication page, and the user fills in the user authentication information on that page and submits it to the Portal server.
The Portal server receives the user information and sends a user information query request to the Radius server; the Radius server verifies the user password, queries the user information and returns the query result to the Portal server. If the query succeeds, the Portal server requests a Challenge from the AC according to the CHAP procedure, and the AC returns a Challenge ID and Challenge; the Portal server then submits the Password, the Challenge ID, the Challenge-Password obtained by applying the MD5 algorithm over the Challenge, and the account to the AC, and initiates authentication. The AC sends the Challenge ID, Challenge-Password and account to the RADIUS authentication server, which authenticates them: the RADIUS server judges whether the user is legitimate according to the user information, and returns an authentication success message to the AC if authentication succeeds, or an authentication failure message if it fails. The AC then returns the authentication result to the Portal server.
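The CHAP leg of the exchange above (and steps 10 to 14 of Example two below) can be modelled end to end. The following is an added illustration written for this page, not code from the patent or from ZTE. It assumes the standard layout from RFC 1994 and RFC 2865: the Challenge-Password is MD5 over Challenge ID, password and Challenge, and it reaches the RADIUS server as a CHAP-Password attribute (the Challenge ID byte followed by the 16-byte digest) together with CHAP-Challenge and User-Name. All function names and the sample user store are constructed.

```python
"""CHAP challenge/response between the Portal server, the AC and the RADIUS
server, modelled end to end (added illustration, not the patent's code).
Assumptions: Challenge-Password = MD5(Challenge ID || password || Challenge)
as in RFC 1994, carried to RADIUS as CHAP-Password (ID byte + 16-byte digest,
RFC 2865) with CHAP-Challenge and User-Name. Names and data are constructed."""
import hashlib
import hmac
import os
import secrets

# Constructed sample user store on the RADIUS server. CHAP needs the cleartext
# password (or a reversible form of it) to recompute the digest, which is a
# deployment caveat of this authentication mode.
RADIUS_USERS = {"alice": "correct horse battery staple"}


def issue_challenge(length=16):
    """AC side (steps 10/11): return a fresh (Challenge ID, Challenge) pair."""
    return secrets.randbelow(256), os.urandom(length)


def challenge_password(chap_id, password, challenge):
    """MD5 over Challenge ID || password || Challenge (RFC 1994 section 4.1).
    MD5 is what CHAP specifies; it is not a free choice here."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def build_access_request(account, password, chap_id, challenge):
    """Portal server side (step 12): the digest, the ID, the challenge and the
    account are forwarded; the cleartext password is not."""
    return {
        "User-Name": account,
        "CHAP-Password": bytes([chap_id]) + challenge_password(chap_id, password, challenge),
        "CHAP-Challenge": challenge,
    }


def radius_verify(request, users=RADIUS_USERS):
    """RADIUS server side (steps 13/14): recompute the digest for the stored
    password and compare in constant time. Unknown users and malformed
    attributes fail closed."""
    password = users.get(request.get("User-Name"))
    chap_pw = request.get("CHAP-Password", b"")
    challenge = request.get("CHAP-Challenge", b"")
    if password is None or len(chap_pw) != 17 or not challenge:
        return False
    chap_id, digest = chap_pw[0], chap_pw[1:]
    expected = challenge_password(chap_id, password, challenge)
    return hmac.compare_digest(expected, digest)


def run_exchange(account, password, users=RADIUS_USERS):
    """Drive steps 10 to 14 once and return the RADIUS verdict."""
    chap_id, challenge = issue_challenge()
    request = build_access_request(account, password, chap_id, challenge)
    return radius_verify(request, users)


if __name__ == "__main__":
    print("alice / correct password:", run_exchange("alice", "correct horse battery staple"))
    print("alice / wrong password:  ", run_exchange("alice", "wrong"))
```

Because the digest is bound to the per-request Challenge issued by the AC, a CHAP-Password captured from one exchange does not verify against a fresh Challenge, which is the property the AC-issued Challenge buys over sending a password hash directly; the downside, visible in `RADIUS_USERS`, is that the RADIUS side must keep passwords in a form it can recompute from.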
The Portal server pushes an authentication result page according to the authentication result. If authentication succeeds, the Portal server pushes the customized personalized page and lifts the Internet access restriction of the WLAN user STA terminal; if it fails, the page prompts the user with the reason for the failure.
After the Radius server confirms that the STA user has been authenticated successfully, the Portal authentication management module on the AC further issues ACL rules for STA user access control to the related APs through the CAPWAP protocol; after the CAPWAP module on the AP side receives the ACL rules, it can inform the network firewall module to configure IPTABLE rules and the like for the STA user so as to lift the user's Internet access restriction.
The Portal server and Radius server to which the AC connects can provide personalized Portal authentication pages for users, and the URL address of a personalized Portal authentication page can be bound to the SSID of a certain AP under the AC. After the AC acquires these configurations from the cloud network management system, the configuration such as the URL address parameters bound to the AP and SSID is further issued to the related AP through the CAPWAP protocol. When the STA associates with the AP, the network firewall on the AP side redirects the user directly to the URL of the personalized access page according to the SSID associated with the WLAN user terminal. The content of the Portal server authentication page on the cloud platform can be customized by the administrator so that related advertisement information is updated and published in time.
In this example, in either the AP centralized forwarding or the local forwarding mode, the network firewall on the AP side intercepts the user's HTTP request packet to implement URL redirection, and pushes the personalized Portal authentication page directly at the AP side according to the SSID associated with the WLAN user. In local forwarding mode, after the AP intercepts the message it redirects it locally to the Portal server; in centralized forwarding mode, the AP needs to intercept the STA's data messages and judge whether the user has passed authentication before the messages are encapsulated in the CAPWAP tunnel and sent to the AC for forwarding, so the AC does not need to intercept and process them, which reduces the impact of HTTP request processing on AC performance.
In this example, the AP side can conveniently obtain information such as the IP and MAC address of the WLAN user, and can conveniently carry the relevant parameters required by the Portal server for authentication.
Example two
FIG. 4 is a flowchart of an example in which the AP intercepts a WLAN user's HTTP request and implements Portal authentication in AP local forwarding mode, including the following steps:
1: the STA user successfully probes for a certain SSID associated with the AP.
2: the STA obtains the IP address through DHCP, and the DHCP request message can be forwarded locally by the AP or forwarded to a DHCP server through AC centralization.
3: the user opens a browser, accesses a certain website and initiates an HTTP request.
4: and the AP side network firewall module intercepts the HTTP request of the user and confirms whether the user passes the authentication. If the authentication is passed, the HTTP request message is directly forwarded;
if the user is not authenticated, whether the access is a URL (uniform resource locator) address of a Portal authentication server is judged, if the access is approved, otherwise, the original HTTP request is discarded, SSID information associated with the user is further obtained, the URL address bound by the SSID and relevant authentication parameters needing to be carried (such as AC/AP names, SSID names, user IP addresses and the like needing to be inserted after the URL) are obtained according to configuration issued by the AC, a redirection message (which can be a 30X message, such as redirection operation with a state code of the HTTP protocol being 302) of the HTTP protocol is further constructed and sent to the STA, and the STA user directly accesses the next hop according to the new URL address, so that the URL redirection function is realized.
In the centralized forwarding mode, the AP in this step needs to intercept and determine whether the user has been authenticated before the STA data packet is encapsulated by the CAPWAP tunnel.
5: the STA initiates an authentication request to a URL address of a designated Portal server according to Portal URL address information bound by the SSID;
6: the Portal server pushes a customized personalized WEB authentication page to the WLAN user terminal;
7: the user fills information such as account number, password and the like into the authentication page and submits the information to the Portal server.
8: the Portal server receives the user information and sends a user information query request to the Radius server.
9: radius verifies the user password, queries the user information, and returns the query result to Portal.
10: if the inquiry is successful, the Portal server requests Challenge from the AC according to the CHAP flow; if the inquiry is failed, the Portal directly returns a prompt message to the user, and the process is ended.
11: the AC returns Challenge, which includes Challenge ID and Challenge.
12: the Portal server submits the Password, the Challenge ID, the Challenge-Password after the Challenge is subjected to the MD5 algorithm and the account to the AC, and authentication is initiated.
13: the AC sends the Challenge ID, Challenge-pass, and account number to the RADIUS authentication server, which authenticates them.
14: and the RADIUS server judges whether the user is legal or not according to the user information. And if the authentication is successful, the RADIUS returns an authentication success message to the AC. If the authentication fails, the RADIUS returns an authentication failure message to the AC.
15: the AC returns the authentication result to the Portal server.
Steps 7 to 15 are the authentication process completed by the interaction of the Portal server, the AC and the Radius server, and can follow the existing flow.
16: After the Radius server confirms that the STA user has been authenticated successfully, the Portal authentication management module on the AC further issues ACL rules for STA user access control to the related APs through CAPWAP; after the AP side CAPWAP module receives the ACL rules, it can inform the network firewall module to configure IPTABLE rules and the like for the STA user so as to lift the user's Internet access restriction.
17: The Portal server pushes an authentication result page according to the authentication result. If authentication succeeds, it pushes the customized personalized page; if it fails, the page prompts the user with the reason for the failure.
18: The Portal server acknowledges to the AC that it has received the authentication result message. If authentication succeeded, the AC subsequently initiates an accounting (charging) start request message to the Radius server; the accounting process is not detailed here. If authentication failed, the flow ends here.
The offline process of a WLAN user generally has two cases: active offline and abnormal offline. Active offline means that when the WLAN user wants to go offline, the user clicks the offline control on the authentication completion page and an offline request is actively sent to the Portal server; abnormal offline includes the AC equipment detecting that the user has gone offline abnormally, the Portal server detecting that the user has gone offline abnormally, the AC forcing the user offline, and the like. After the AC learns that the WLAN user is offline, it needs to notify the AP to delete the ACL rule associated with that WLAN user.
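The AP-side packet filtering rule described in step 4, opened in step 16 and torn down in the offline paragraph above (the same logic Example 1 and step S505 of Example three describe in prose) can be modelled as a small state machine. The following is an added illustration written for this page, not the patent's or ZTE's code. The class, method and field names are hypothetical, the SSID bindings and requests are constructed, and it assumes the redirect URL is formed by appending the AC name, AP name, SSID and user IP as query parameters to the URL the AC bound to the SSID.

```python
"""Model of the AP-side packet filtering rule and its life cycle as the text
describes it: an unauthenticated station's HTTP request is answered with a 302
to the Portal URL bound to its SSID with AC/AP name, SSID and user IP inserted;
requests to the Portal server itself pass; the station is opened once the AC
pushes the ACL rule after RADIUS success; the entry is deleted on offline or
disassociation. Added illustration, not the patent's or ZTE's code; names are
hypothetical and sample data is constructed."""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class SsidBinding:
    """Per-SSID configuration issued by the AC over CAPWAP (S503/S504)."""
    portal_url: str
    insert_params: tuple = ("ac_name", "ap_name", "ssid", "user_ip")


@dataclass
class Station:
    """Data area for one associated STA; identity is recorded at association."""
    mac: str
    ip: str
    ssid: str
    authenticated: bool = False


@dataclass
class ApFirewall:
    ac_name: str
    ap_name: str
    bindings: dict                                  # ssid -> SsidBinding
    stations: dict = field(default_factory=dict)    # mac -> Station

    def associate(self, mac, ip, ssid):
        """Station came online: create its entry, unauthenticated by default."""
        self.stations[mac] = Station(mac, ip, ssid)

    def build_redirect_url(self, sta):
        """Append the authentication parameters the AC told the AP to insert."""
        binding = self.bindings[sta.ssid]
        parts = urlsplit(binding.portal_url)
        query = dict(parse_qsl(parts.query))
        values = {"ac_name": self.ac_name, "ap_name": self.ap_name,
                  "ssid": sta.ssid, "user_ip": sta.ip}
        for name in binding.insert_params:
            query[name] = values[name]
        return urlunsplit(parts._replace(query=urlencode(query)))

    def handle_http(self, mac, dst_host):
        """Step 4 / S505 decision for one intercepted HTTP request.
        Returns ("forward", None), ("redirect", (302, url)) or ("drop", None)."""
        sta = self.stations.get(mac)
        if sta is None:
            return ("drop", None)           # no data area: station never associated
        if sta.authenticated:
            return ("forward", None)        # ACL from the AC already opened it
        binding = self.bindings.get(sta.ssid)
        if binding is None:
            return ("drop", None)           # SSID has no portal bound: fail closed
        if dst_host == urlsplit(binding.portal_url).hostname:
            return ("forward", None)        # traffic to the Portal server itself
        return ("redirect", (302, self.build_redirect_url(sta)))

    def on_acl_from_ac(self, mac):
        """Step 16: the AC pushed the access control rule after RADIUS success."""
        sta = self.stations.get(mac)
        if sta is None:
            return False
        sta.authenticated = True
        return True

    def on_offline(self, mac):
        """Offline notice from the AC or disassociation from the STA: delete the
        whole entry, so a later station using this MAC starts unauthenticated."""
        return self.stations.pop(mac, None) is not None
```

Two design points worth noting: the entry is removed, not just flagged, on offline, so authorization never outlives the session that earned it; and the parameters inserted into the redirect URL are informational hints for the Portal page, which the Portal server should treat as untrusted client input rather than as proof of anything, since the final authorization decision comes from the RADIUS result relayed through the AC.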
Example three
Fig. 9 is a flowchart of the configuration issuing related to Portal authentication by the cloud network management system of this example; the main steps are as follows:
S501: The AC cloud network management system virtualizes corresponding Portal/Radius authentication servers for different ACs, customizes the corresponding personalized authentication page content for each SSID of a designated AP under an AC according to user requirements, and then binds the uniform resource locator (URL) address of the personalized authentication page to the SSID of the AP.
The SSID associated with a WLAN user generally corresponds to a certain WLAN service set; an AP can usually support multiple SSIDs, and SSID-based service access control, user authentication mode, local or centralized forwarding mode and the like are basic service requirements in WLAN applications.
S502: When the AP is activated, the cloud network management system issues to the AC the URL address bound to each SSID of the AP and the user authentication parameters (such as the AC and AP names, SSID name, user IP address and the like) that need to be inserted into the URL.
S503: After the AC receives the configuration, it distributes the related configuration information to the specific service modules through the cloud platform interface management module; for example, the URL address information of the Portal server bound to each SSID of the AP to be activated is configured into the Portal authentication management module. When the AP is found to have accessed, the AC dynamically issues the AP basic configuration, the general configuration of the wireless radio frequency parameters of each SSID, the URL address information bound to each SSID and the like to the related AP through the CAPWAP protocol. For AP local forwarding mode, the AC also needs to send the routing information of the next-hop address of the user gateway to the AP.
S504: After the AP receives the configuration, the CAPWAP module decodes it and calls the related configuration interface to configure the URL address information of the Portal server bound to the AP's SSIDs into the URL redirection module of the AP's network firewall.
S505: The network firewall URL redirection module at the AP side intercepts the user's HTTP request, obtains the mandatory Portal URL address bound to the SSID and the related authentication parameters to be carried according to the SSID associated with the user, constructs an HTTP 30X message and sends it to the STA; the STA user then accesses the next hop according to the new URL address, which implements personalized Portal authentication page push.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A method for WLAN user access authentication, comprising:
intercepting a hypertext transfer protocol (HTTP) request sent by a WLAN user through a Station (STA) by an Access Point (AP) in a network architecture comprising the AP and an Access Controller (AC);
when the AP in the network architecture comprising the AP and the AC determines that the WLAN user is not subjected to access authentication according to the access authentication information of the WLAN user in the packet filtering rule of the AP side network firewall, sending a redirection message carrying a uniform resource location identifier (URL) address of an authentication page on an access authentication server to the STA;
after the AP in the network architecture comprising the AP and the AC sends a redirection message carrying a URL address of an authentication page on an access authentication server to the STA, receiving an access control rule issued by the AC after the WLAN user passes the access authentication, and updating the access authentication information of the WLAN user in the packet filtering rule to indicate that the WLAN user has passed the access authentication;
after the AP updates the access authentication information of the WLAN user in the packet filtering rule, the method further includes:
and after receiving the notification of the WLAN user offline sent by the AC or the disassociation message sent by the STA, the AP deletes the information of the WLAN user in the packet filtering rule, wherein the information of the WLAN user comprises the access authentication information of the WLAN user.
2. The method of claim 1, wherein:
the AP obtains the URL address carried in the redirection message through the following modes: the AP searches binding relation information according to a Service Set Identifier (SSID) carried in the HTTP request to obtain a URL address bound with the SSID, and the URL address is used as a URL address carried in the redirection message; and the binding relationship information is the binding relationship information between the SSID issued by the AC and the URL address of the authentication page on the access authentication server.
3. The method of claim 2, wherein:
in the binding relationship information, the URL address bound to each SSID is the URL address of a personalized authentication page customized for the WLAN user of the network identified by the SSID.
4. The method of claim 1, wherein:
before the AP intercepts the HTTP request, the method further includes: the AP receives a user authentication parameter which is issued by the AC and needs to be inserted into the URL;
and the redirection message sent by the AP to the STA also carries the user authentication parameter.
5. The method of claim 1, wherein:
the AP adopts a local forwarding mode to forward the data message; or
The AP adopts a centralized forwarding mode to forward the data message, and the AP intercepts the HTTP request, and the method comprises the following steps: and intercepting the HTTP request by the AP before carrying out access point control and provisioning protocol CAPWAP tunnel encapsulation on the HTTP request.
6. The method of any of claims 1-5, wherein:
the AP intercepts the HTTP request, and comprises the following steps: and the AP intercepts the HTTP request through an AP side network firewall.
7. An access point, AP, comprising:
the intercepting module is used for intercepting a hypertext transfer protocol (HTTP) request sent by a WLAN user through a Station (STA) in a network architecture comprising the AP and the Access Controller (AC);
a redirection module, configured to send, to the STA, a redirection packet carrying a Uniform Resource Locator (URL) address of an authentication page on an access authentication server when it is determined that the WLAN user is not authenticated according to access authentication information of the WLAN user set in a packet filtering rule of an AP-side network firewall in a network architecture including the AP and the AC;
an updating module, configured to send, to the STA in a network architecture including the AP and the AC, a redirection packet carrying a URL address of an authentication page on an access authentication server, receive an access control rule issued by the AC after the WLAN user passes access authentication, and update access authentication information of the WLAN user in the packet filtering rule to indicate that the WLAN user has passed access authentication;
the updating module is further configured to delete the information of the WLAN user in the packet filtering rule after receiving the notification that the WLAN user is offline sent by the AC or after receiving the disassociation message sent by the STA, where the information of the WLAN user includes access authentication information of the WLAN user.
8. The access point, AP, of claim 7 wherein:
the redirection module obtains the URL address carried in the redirection message through the following modes: searching binding relation information according to an SSID (service set identifier) carried in the HTTP request, and using the binding relation information as a URL (uniform resource locator) address carried in the redirection message; and the binding relationship information is the binding relationship information between the SSID issued by the AC and the URL address of the authentication page on the access authentication server.
9. The access point, AP, of claim 8 wherein:
in the binding relationship information, the URL address bound to each SSID is the URL address of a personalized authentication page customized for the WLAN user of the network identified by the SSID.
10. The access point, AP, of claim 7 wherein:
the AP further comprises: a receiving module, configured to receive a user authentication parameter that needs to be inserted in a URL and is issued by the AC;
and the redirection message sent by the redirection module to the STA also carries the user authentication parameter.
11. The access point, AP, of claim 7 wherein:
the AP also comprises a forwarding module;
the forwarding module forwards the data message in a local forwarding mode; or
The forwarding module forwards the data message in a centralized forwarding mode; the intercepting module intercepts the HTTP request, and comprises: intercepting the HTTP request before carrying out access point control and provisioning protocol CAPWAP tunnel encapsulation on the HTTP request.
12. The access point AP according to any of claims 7-11, characterized by:
the interception module is realized by using an AP side network firewall.
CN201610437725.6A 2016-06-17 2016-06-17 Method and equipment for WLAN user access authentication and configuration information issuing Active CN107517189B (en)

Publications (2)

Publication Number Publication Date
CN107517189A CN107517189A (en) 2017-12-26
CN107517189B true CN107517189B (en) 2022-03-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant