CN108092988B - Non-perception authentication and authorization network system and method based on dynamic temporary password creation


Info

Publication number: CN108092988B (granted patent; earlier publication CN108092988A)
Application number: CN201711462151.9A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 王君妍, 王道佳, 翁源, 杨呈飞, 丛群
Assignee (original and current): Beijing Wangruida Science & Technology Co ltd
Legal status: Active

Classifications

(All under H04L63/00, Network architectures or network communication protocols for network security; section H, Electricity; class H04, Electric communication technique; subclass H04L, Transmission of digital information, e.g. telegraphic communication.)

    • H04L63/0892: authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/068: key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H04L63/0846: authentication of entities using passwords, specifically time-dependent passwords, e.g. periodically changing passwords


Abstract

A non-perception (imperceptible) authentication and authorization network system based on dynamically created temporary passwords, and a working method for it. The system covers two IP charging network variants, one with a proxy AAA server and one without, and comprises the following network elements: an authentication client, a DHCP server, a NAS server with the external Internet connected through it, a Portal server, an AAA server and (in the first variant) a proxy AAA server; plus an added non-perception authentication device to which the authentication client or intelligent terminal is bound. The non-perception authentication device dynamically creates a one-time temporary password (OTP) for the user account and authenticates with it on the user's behalf, so the user no longer has to enter the password manually on each Internet access after the first one. Because a dynamically generated one-time password is used, the user's original password is not needed in later authentications; and because the authentication process interacts only with trusted nodes, user account information is not exposed and communication security is maintained.

Description

Non-perception authentication and authorization network system and method based on dynamic temporary password creation
Technical Field
The invention relates to an imperceptible authentication and authorization network system based on dynamic temporary password creation and a working method for it, and belongs to the technical field of computer network management and control.
Background
AAA is short for Authentication, Authorization and Accounting. It is a mechanism and system for network security management that processes a user's request to access the network and provides authentication, authorization and accounting services for the client; its main function is to control which users may access the network and to give users with access rights the corresponding level of service. AAA uses a client/server model: the client runs on the Network Access Server (NAS), and the AAA server manages client information centrally. The AAA server typically works together with network access control, gateway servers and network elements such as user-information databases and directories.
In existing IP charging networks (including networks that charge by traffic volume and networks that charge by online duration), the common solution is to use the Portal protocol together with an AAA server to control and manage authentication, authorization and charging of clients. Referring to fig. 1, the typical networking mode and its structure are described below:
In the system of this networking architecture, the network elements are: an authentication client, a NAS server, a Dynamic Host Configuration Protocol (DHCP) server, a Portal server, an AAA server, and the external Internet reached through the NAS. The authentication client is a user terminal computer or an intelligent terminal such as a smartphone or set-top box. The DHCP server allocates an IP address to the authentication client when it joins the network. The NAS server is a general term for gateway equipment such as routers and charging gateways; it controls the network access of the authentication client, redirects all of the client's hypertext transfer protocol (HTTP) requests to the Portal server until the client has completed authentication, completes identity authentication, authorization and charging for the client by interacting with the Portal server and the AAA server during the client's authentication process, and allows the client to reach authorized Internet resources once it has passed authentication (identity authentication and authorization). The Portal server is the server system that receives the authentication requests of the authentication client; it provides the WEB portal and the authentication interface and passes the client's authentication information to the NAS server, and the NAS server in turn interacts with the AAA server to complete authentication, authorization and charging of the client.
The interaction between the authentication client, the NAS server, the Portal server and the AAA server is the conventional Portal authentication process of the existing network system, as follows:
(1) The authentication client sends an IP address request to the DHCP server, and the DHCP server issues an IP address to the authentication client.
(2) When the authentication client has not yet been authenticated and the user enters the Uniform Resource Locator (URL) of an Internet resource in the browser, the resulting HTTP access request is redirected by the NAS server to the WEB authentication page of the Portal server.
(3) The authentication information the user enters in the browser is submitted to the Portal server, which receives it and forwards it to the NAS server.
(4) The NAS server communicates with the AAA server and sends the client's authentication information to it, so that the AAA server can perform authentication and authorization of the client.
(5) After authentication and authorization succeed, the NAS server opens the path between the authentication client and the Internet and allows the client's IP address to access it; at the same time the NAS server sends accounting information to the AAA server.
(6) When the authentication client finishes using the Internet, it opens the logout page of the Portal server and submits a request to end the session; the Portal server notifies the NAS server to disconnect the client from the Internet and to deny Internet access to the client's IP address, and the NAS server notifies the AAA server to stop accounting for that client.
If the authentication client does not log out actively (for example, it simply disconnects from the network, shuts down its operating system, or a mobile client turns off its WIFI connection), the NAS server disconnects the client's IP address from the Internet after the configured idle time expires and notifies the AAA server to stop charging for it.
Based on the above analysis, the current charging management of authentication clients has the following disadvantages:
when the authentication client accesses the network, it must reach the WEB authentication page and can access the network only after an account number and password have been entered manually for identity authentication. Terminal devices without a graphical interface (such as printers and special-purpose servers) cannot be authenticated through the Portal server at all. How to improve the identity authentication and charging process when a client requests access to the network has therefore become a topic of concern for practitioners in the industry.
Disclosure of Invention
In view of the above, the present invention provides a non-perception authentication and authorization network system based on dynamic temporary password creation, and a working method for it. The system and method apply to both networking modes: a network system with a proxy AAA server and one without. A non-perception authentication device is added to the system; the authentication client or intelligent terminal is bound to this device, which dynamically creates a one-time temporary password for the user account and thereby performs authentication and authorization without user involvement, so the user is spared entering the account and password manually for every network access after the first. Because the authentication process uses a dynamically generated one-time temporary password, the user's original password is not needed; and because it interacts only with trusted nodes (the DHCP server, NAS server, Portal server, non-perception authentication device and AAA server), the invention also avoids the risk of leaking the user's account or password and keeps communication secure.
To achieve this object, the present invention provides a non-perception authentication and authorization network system based on dynamic temporary password creation. The system covers two IP charging network systems, with and without a proxy AAA server, each of which comprises the following network elements: an authentication client, a Dynamic Host Configuration Protocol (DHCP) server, a Network Access Server (NAS) with the external Internet connected through it, a Portal server, an AAA server and (in the first case) a proxy AAA server. The system is characterized in that:
in each of the two IP charging network systems a non-perception authentication device is added for binding the authentication client or intelligent terminal; it dynamically creates a One-time Password (OTP) for the user account and uses it to perform authentication and authorization without user involvement, so the user need not enter a password manually for every Internet access; because a dynamically generated one-time temporary password is used for authentication, the user's original password is not needed; and because the authentication process interacts only with trusted nodes, user account information is not leaked and communication security is maintained; wherein:
the authentication client is a user terminal computer or an intelligent terminal such as a smartphone or set-top box;
the DHCP server allocates an IP address to the authentication client when the client accesses the network;
the NAS server, with the external Internet connected through it: NAS is the general term for gateway equipment such as routers and charging gateways, used to control and manage the network access of the authentication client. Until the authentication client has completed authentication, all of its hypertext transfer protocol (HTTP) requests are redirected to the Portal server; during the client's authentication process the NAS interacts with the non-perception authentication device, the Portal server, and the proxy AAA server and/or the AAA server to complete identity authentication, security authentication, authorization and charging for the client; once the client has completed authentication and authorization, it is allowed to access the authorized Internet resources;
the non-perception authentication device interacts with the Portal server, the DHCP server, the NAS server and the proxy AAA server or AAA server; it performs the binding of the authentication client or intelligent terminal, dynamically creates the corresponding one-time temporary password OTP, and thereby carries out non-perception authentication;
the Portal server is the access server that receives the authentication requests of the authentication client and provides the WEB portal and the authentication interface;
the AAA server cooperates with the related network elements to perform complete identity authentication, security authentication, authorization and accounting for the authentication client, and forces the user offline when necessary;
the proxy AAA server is present only in the network system with a proxy AAA server; it recognizes and authenticates the authentication client's one-time temporary password OTP, and processes all other AAA messages (those not involving OTP authentication) by forwarding them to the AAA server.
To achieve the above object, the present invention further provides a working method of the non-perception authentication and authorization network system based on dynamic temporary password creation, characterized in that: when the authentication client accesses the network for the first time, the user account and original password are entered manually and identity authentication and authorization are performed; on every subsequent access, while the DHCP server issues an IP address to the authentication client it also interacts with the non-perception authentication device, which looks up the user's Internet access account from the client's characteristic information and dynamically generates a one-time temporary password OTP for that account; the non-perception authentication device then initiates a login request and identity authentication to the NAS server with the user account and its OTP, so the user need not enter the account password manually for identity authentication on each Internet access. Non-perception authentication is thus achieved, leakage of the user's password is avoided, and communication security is maintained.
The innovative advantages and technical features of the non-perception authentication and authorization network system based on dynamic temporary password creation and its working method are as follows:
The technical key of the invention is that a non-perception authentication device is added to the system, the authentication client or intelligent terminal is bound in that device, and a one-time temporary password corresponding to the user account is created dynamically to achieve non-perception authentication and authorization.
Other key technical points of the invention: the non-perception authentication device can dynamically create a one-time temporary password with a working time limit for the authentication client or intelligent terminal of a bound account. The dynamically generated temporary password is random; it can be used for authentication once within the set time limit and becomes invalid after that single use; and if the time limit is exceeded, the temporary password becomes invalid even if it was never used for authentication. The AAA service in the system completes authentication of the user's identity on the basis of this one-time temporary password, while the remaining authorization and accounting steps proceed according to the original flow.
The invention resolves the technical defect that the prior art cannot safely and effectively implement non-perception authentication in the Portal authentication mode. With this system and method, once the user has completed binding of the terminal, the terminal is admitted to the network automatically and directly on each subsequent access, so the user is spared entering the account and password for Portal authentication each time the Internet is accessed after the first. Moreover, the authentication process does not handle the user account's original password but uses a dynamically generated one-time temporary password, and it communicates only with trusted node network elements (DHCP server, NAS server, Portal server, non-perception authentication device, AAA server and so on). Even if the user changes the account password after the first binding, no further steps are needed; leakage of the user's account or password is avoided and communication security is maintained.
The system and its working method can work with NAS equipment (routers, gateways and other gateway network elements) from many manufacturers, and suit both network systems with a proxy AAA server and those without. The invention only slightly modifies part of the AAA server's authentication flow: in a network system using a proxy AAA server, the authentication part of the AAA server's function is transferred to the proxy AAA server; in a network system without a proxy AAA server, a verification step for the one-time temporary password is added to the AAA server's authentication operation. The subsequent authorization and accounting flows are unchanged, and the user's charging policy (including the case in which identity authentication succeeds but access authorization is denied) is not affected. The invention also keeps the existing control path, that is, ordinary Portal authentication is still supported. Because the interface workflow and service logic of the NAS server and AAA server are not changed, compatibility is very strong and implementation and rollout are simple.
In short, the system and its working method have good prospects for popularization and application.
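The password lifecycle described above (random temporary password, valid for one authentication within a working time limit, void after that single use or after the limit expires) and the division of labour with a proxy AAA server (OTP logins decided by the proxy, every other AAA message forwarded to the upstream AAA server) can be written out as follows. This is an added illustration in Python, not code from the patent or its assignee. The class and field names (OtpIssuer, ProxyAaa, the "auth": "otp" marker and the "type" values in the request dicts) and the 60-second time limit are assumptions, and the issued password is assumed to reach the verifier over a trusted channel, modelled here by the two objects sharing one store.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example with hypothetical names; not the patent's implementation.
OTP_TTL_SECONDS = 60   # assumed working time limit of one temporary password
OTP_BYTES = 16         # 128 bits of randomness per temporary password


@dataclass
class _Issued:
    digest: bytes   # SHA-256 of the temporary password; the clear value is never stored
    expires: float  # absolute time after which the password is void even if unused


class OtpIssuer:
    """Non-perception device side: one random, time-limited, single-use
    temporary password per bound user account."""

    def __init__(self, ttl=OTP_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._live = {}          # account -> _Issued (at most one live password per account)

    def issue(self, account):
        otp = secrets.token_hex(OTP_BYTES)
        # A fresh password replaces any earlier unused one for the same account.
        self._live[account] = _Issued(hashlib.sha256(otp.encode()).digest(),
                                      self._clock() + self._ttl)
        return otp

    def verify(self, account, otp):
        rec = self._live.get(account)
        if rec is None:
            return False
        if self._clock() > rec.expires:
            del self._live[account]   # expired: void even though never used
            return False
        ok = hmac.compare_digest(rec.digest, hashlib.sha256(otp.encode()).digest())
        if ok:
            del self._live[account]   # single use: a replay of the same password fails
        return ok


class ProxyAaa:
    """Proxy AAA server: decides OTP logins locally, forwards everything else.
    `upstream` is any callable taking an AAA request dict and returning a reply dict."""

    def __init__(self, issuer, upstream):
        self._issuer = issuer
        self._upstream = upstream

    def handle(self, request):
        is_otp_login = (request.get("type") == "Access-Request"
                        and request.get("auth") == "otp")
        if not is_otp_login:
            # Original-password logins, accounting Start/Stop and the rest go to the AAA server.
            return self._upstream(request)
        if self._issuer.verify(request.get("account", ""), request.get("password", "")):
            return {"type": "Access-Accept", "account": request["account"]}
        return {"type": "Access-Reject", "account": request.get("account", ""),
                "reason": "invalid or expired temporary password"}


if __name__ == "__main__":
    # Stand-alone demonstration with a stub upstream AAA server.
    issuer = OtpIssuer()
    proxy = ProxyAaa(issuer, lambda req: {"type": "Access-Accept"})
    otp = issuer.issue("user001")
    login = {"type": "Access-Request", "auth": "otp", "account": "user001", "password": otp}
    print(proxy.handle(login)["type"])   # first use: Access-Accept
    print(proxy.handle(login)["type"])   # replay: Access-Reject
```

The verifier keeps only a hash of the temporary password and compares it with hmac.compare_digest, so neither a copy of its store nor a timing side channel yields a usable password. A wrong guess does not consume the live password, which is acceptable at 128 bits of entropy; a short numeric OTP would additionally need an attempt counter.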
Drawings
Fig. 1 is a schematic diagram of the architecture of an IP charging network system currently in use.
Fig. 2 is a schematic diagram of the structure of the non-perception authentication and authorization network system based on dynamic temporary password creation according to the present invention, in the variant with a proxy AAA server.
Fig. 3 is a schematic diagram of the structure of the same system according to the present invention, in the variant without a proxy AAA server.
Fig. 4 is a flowchart of the operation steps of the working method of the non-perception authentication and authorization network system based on dynamic temporary password creation.
Fig. 5 is a flowchart of operation step 1 of the working method of the non-perception authentication and authorization network system of the present invention.
Fig. 6 is a flowchart of operation step 2 of the working method of the non-perception authentication and authorization network system of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
Referring to fig. 2 and fig. 3, the non-perception authentication and authorization network system based on dynamic temporary password creation according to the present invention covers two IP charging network systems: one with a proxy AAA server (fig. 2) and one without (fig. 3).
Each of the two network systems comprises the following network elements: an authentication client, a Dynamic Host Configuration Protocol (DHCP) server, a Network Access Server (NAS) with the external Internet connected through it, a Portal server, an AAA server and a proxy AAA server, plus the added key equipment, the non-perception authentication device, to which the authentication client or intelligent terminal is bound. The non-perception authentication device dynamically creates a one-time temporary password OTP corresponding to the user account and performs authentication and authorization without user involvement, sparing the user from entering the password manually on each Internet access; because a dynamically generated one-time temporary password is used for authentication, the user's original password is not needed; and because the authentication process interacts only with trusted nodes (the DHCP server, NAS server, Portal server, non-perception authentication device, AAA server and proxy AAA server), user account information is not leaked and communication security is maintained. Wherein:
and the authentication client is a user terminal computer or an intelligent terminal comprising an intelligent mobile phone and a set top box.
And the DHCP server is used for allocating an IP address for the client when the client is authenticated to access the network.
NAS server and external Internet network connected via it, NAS is the gateway equipment including router, charging gateway is known as a general name, is used for controlling and managing the network access of the authentication customer end: before the authentication client finishes authentication, all hypertext transfer protocol (HTTP) requests of the client are redirected to a Portal server; in the authentication process of the authentication client, the authentication client interacts with an imperceptible authentication device, a Portal server, a proxy AAA server or/and an AAA server respectively to complete the functions of identity authentication, safety authentication, authorization and charging of the authentication client; and after the authentication client finishes authentication and authorization, allowing the authentication client to access the authorized Internet resources.
And the non-perception authentication device is responsible for interacting with a Portal server, a DHCP server, an NAS server and a proxy AAA server or an AAA server respectively, executing the binding of an authentication client or an intelligent terminal, dynamically creating a corresponding one-time-use temporary password OTP, and realizing non-perception authentication.
And the Portal server is an access server for receiving the authentication request of the authentication client and is used for providing a WEB Portal and an authentication interface.
AAA server, which is used to cooperate with the relative network element and execute the complete identity authentication, safety authentication, authorization and accounting functions of the authentication client; and when necessary, the user is forced to be offline.
The proxy AAA server is only arranged in a network system with the proxy AAA server and is responsible for identifying and authenticating the one-time temporary password (OTP) of the authentication client, processing AAA messages except the OTP authentication and then forwarding the AAA messages to the AAA server.
The invention also provides a working method of the non-perception authentication and authorization network system based on dynamic temporary password creation, as follows: when the authentication client accesses the network for the first time, the user account and original password are entered manually and identity authentication and authorization are performed; on every subsequent access, while the DHCP server issues an IP address to the authentication client it also interacts with the non-perception authentication device, which looks up the user's Internet access account from the client's characteristic information (at least including the client's media access control (MAC) address, i.e. its hardware address) and dynamically generates a one-time temporary password OTP for that account; the non-perception authentication device then initiates a login request and identity authentication to the NAS server with the user account and its OTP, so the user need not enter the account password manually for identity authentication on each Internet access. Non-perception authentication is thus achieved, leakage of the user's password is avoided, and communication security is maintained.
Referring to fig. 4, the specific operation steps of the working method of the present invention are as follows:
Step 1: when the authentication client accesses the network for the first time, the user account and original password are entered manually and identity authentication and authorization are performed.
Step 2: on each subsequent access by the authentication client, the DHCP server issues it an IP address and interacts with the non-perception authentication device using the client's characteristic information, which at least includes its Media Access Control (MAC) address; the non-perception authentication device looks up the Internet access account bound to the client, dynamically generates a one-time temporary password OTP for that account, and then initiates a login request and identity authentication to the NAS server with the user account and its OTP. Authentication and authorization are thus completed without user involvement: the user does not repeat the tedious manual entry of the original password on each Internet access, and communication remains secure.
Referring to fig. 5, the specific operations of step 1 of the working method of the present invention are as follows:
Step 11: the authentication client sends an IP address request to the DHCP server.
Step 12: the DHCP server issues an IP address to the authentication client.
Step 13: the authentication client sends an HTTP access request, and the NAS server redirects it to the WEB portal and authentication interface of the Portal server.
Step 14: the user enters identity authentication information, comprising the user account and original password, in the WEB portal and authentication interface, and the Portal server sends this information to the NAS server.
Step 15: the NAS server sends the authentication information to the proxy AAA server or to the AAA server. The proxy AAA server forwards the identity authentication request to the upstream AAA server for verification; otherwise the AAA server verifies the authentication information directly.
If verification fails, the result is returned to the NAS server, which denies the authentication client access to any network resource other than the WEB portal and authentication interface, and the flow ends.
If verification succeeds, the result is returned to the NAS server, which passes it on to the Portal server, and step 16 follows.
Step 16: the NAS server releases the authentication client, allowing it to access network resources, and sends an accounting message to the proxy AAA server, or directly to the AAA server.
The non-perception authentication device receives from the Portal server the authentication result for the authenticated client, comprising the Internet access account and the associated IP address, and obtains the client's identity characteristic information, including its MAC address, from the DHCP server; from these it automatically completes the binding between the authentication client and the user account.
Step 17: the proxy AAA server forwards the accounting message to the upstream AAA server, which uses it to trigger and check the user's online and charging policy and performs the charging operation.
Or, where the NAS server sends the accounting message directly to the AAA server, the AAA server uses it to trigger and check the user's online and charging policy and performs the charging operation.
When the user's balance is insufficient and the user must be forced offline, the AAA server forces the authentication client offline with a Change of Authorization (CoA) message.
It should be noted that, in step 1, if the authentication client is an intelligent terminal that cannot open the WEB portal in a browser, such as a set-top box, the following two steps are executed for the corresponding operations:
Step 13a, the user opens the WEB portal and authentication interface on another client.
Step 14a, the user manually selects, on the authentication interface, the IP address of the authentication client to be bound, and the Portal server sends the authentication information together with the client information selected by the user to the NAS server.
The other operation steps, from step 11 to step 17, remain unchanged.
Another point to mention: for steps 14 and 15 of the method described above there is an alternative procedure, in which the non-perception authentication device does not check the legitimacy of the user's identity through the NAS server, but obtains the user account, original password and the authentication client's IP address directly from the Portal server and then performs the check itself. The specific operations are:
Step 14b, the user enters identity authentication information, comprising the user account and original password, in the WEB Portal and authentication interface, and the Portal server sends it directly to the non-perception authentication device.
Step 15b, the non-perception authentication device sends the identity authentication information (user account, original password and the authentication client's IP address) to the proxy AAA server or the AAA server; the proxy AAA server forwards the identity authentication request to the upstream AAA server for verification, or the AAA server verifies it directly.
The handling of whether verification passes is the same as in step 15 and is not repeated here.
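The binding performed after step 16, in which the device joins the Portal server's per-account result with the DHCP server's per-MAC lease on the IP address they share, can be shown as a small Python example. This is an added illustration, not code from the patent or from the assignee; the sample Portal results and DHCP leases are constructed, and the function names `bind_clients` and `normalize_mac` are my own. It also handles two cases the steps above imply but do not spell out: a login that failed is never bound, and a passed login whose IP has no current lease cannot be bound.

```python
import ipaddress

# Constructed sample data (not from the patent): what the Portal server reports after
# manual logins, and what the DHCP server reports about its current leases.
PORTAL_RESULTS = [
    {"account": "stu2017001", "ip": "10.20.3.15", "passed": True},
    {"account": "stu2017002", "ip": "10.20.3.16", "passed": False},  # failed login: never bound
    {"account": "stu2017003", "ip": "10.20.3.99", "passed": True},   # no lease for this IP
]
DHCP_LEASES = [
    {"mac": "AA-BB-CC-00-00-01", "ip": "10.20.3.15"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.20.3.16"},
    {"mac": "aabb.cc00.0003", "ip": "10.20.3.17"},
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so the same hardware address always maps to one key
    regardless of how the DHCP server happened to format it."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def bind_clients(portal_results, dhcp_leases):
    """Join (account, IP) from the Portal server with (MAC, IP) from the DHCP server.

    Returns (bindings, unbound): bindings maps MAC -> account, which is the table the
    device later consults on each DHCP lease; unbound lists accounts whose login passed
    but whose IP had no current lease, so no binding could be made for them.
    """
    ip_to_mac = {}
    for lease in dhcp_leases:
        # ip_address() rejects malformed addresses and normalises the text form
        ip_to_mac[str(ipaddress.ip_address(lease["ip"]))] = normalize_mac(lease["mac"])

    bindings, unbound = {}, []
    for result in portal_results:
        if not result["passed"]:
            continue  # only an authenticated client is bound (step 16)
        mac = ip_to_mac.get(str(ipaddress.ip_address(result["ip"])))
        if mac is None:
            unbound.append(result["account"])
            continue
        bindings[mac] = result["account"]  # a later login from the same device refreshes it
    return bindings, unbound


if __name__ == "__main__":
    bound, missing = bind_clients(PORTAL_RESULTS, DHCP_LEASES)
    print("bindings:", bound)
    print("passed but unbound:", missing)
```

The binding key is the MAC address, as claim 3 states; anything the device later does with that key (step 22 onwards) therefore rests on the DHCP server reporting the hardware address correctly.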
Referring to fig. 6, the specific operation steps of step 2 of the working method of the present invention are as follows:
Step 21, the authentication client sends an IP address request to the DHCP server.
Step 22, the DHCP server issues an IP address to the authentication client and sends the client's online information to the non-perception authentication device; the non-perception authentication device looks up the internet access account bound to the user according to the authentication client's characteristic information, and dynamically generates a one-time temporary password (OTP) for that account.
In this step, the non-perception authentication device sets a single working time limit for the OTP it dynamically generates for the internet account bound to the authentication client: the OTP is valid for exactly one authentication within that time limit and becomes invalid once used; and if the time limit expires, the password is invalidated even if it was never used for authentication.
Step 23, the non-perception authentication device initiates a login request to the NAS server with the internet access account, sending the user's internet access account and the one-time temporary password created in step 22 to the NAS server for identity authentication.
Step 24, on receiving the login request, the user account and the corresponding one-time temporary password, the NAS server sends them to the proxy AAA server or the AAA server for authentication.
Step 25, the proxy AAA server or AAA server receives the user account and temporary password and first compares the submitted password with the user account's actual original password; if that check fails, it asks the non-perception authentication device to verify whether the temporary password is correct.
If verification fails, the failure result is returned to the NAS server, which blocks the authentication client from all network resources other than the WEB portal and authentication interface, and the flow ends; alternatively, the user proceeds with the traditional Portal server authentication flow by manually entering the user account and original password.
If verification passes, the result is sent to the NAS server, which releases the authentication client, sends an accounting message to the proxy AAA server or the AAA server, and continues with step 26.
Step 26, the proxy AAA server forwards the accounting message and the user account to the upstream AAA server, which uses the accounting message to trigger and check the user's online and charging policy and performs the charging operation.
Alternatively, after receiving the accounting message from the NAS server, the AAA server directly uses the accounting message and the user account to trigger and check the user's online and charging policies and performs the charging operation.
Step 27, when the user's network fee balance is insufficient and the user must be forced offline, the AAA server sends a Change of Authorization (CoA) message to the proxy AAA server; the proxy AAA server passes the CoA message to the NAS server, which forces the non-perception user offline and returns an accounting message.
Alternatively, the AAA server sends the CoA message directly to the NAS server, which forces the non-perception user offline and returns an accounting message.
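The OTP lifetime rule of step 22 and the two-stage check of step 25 (original password first, then the OTP confirmed by the non-perception authentication device), written out as an added Python example; it is not code from the patent or from the assignee. The class names `UnawareAuthDevice` and `AaaServer`, the 60-second working time limit and the stored plaintext original password are assumptions made for the illustration: the patent sets a time limit but states no value, and a production AAA server would hold a password hash rather than the password itself.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_LIFETIME_SECONDS = 60  # assumed working time limit; the patent gives none


@dataclass
class IssuedOtp:
    account: str
    otp: str
    expires_at: float
    used: bool = False


class UnawareAuthDevice:
    """Role of the non-perception authentication device: holds the MAC -> account bindings,
    mints a one-time temporary password on each DHCP lease (step 22) and answers the AAA
    server's 'is this OTP correct?' query (step 25)."""

    def __init__(self, bindings, lifetime=OTP_LIFETIME_SECONDS, clock=time.time):
        self.bindings = {mac.lower(): acct for mac, acct in bindings.items()}
        self.lifetime = lifetime
        self.clock = clock      # injectable so the expiry rule can be tested deterministically
        self.issued = {}        # account -> the single currently valid IssuedOtp

    def on_dhcp_lease(self, mac):
        """Returns (account, otp) for a bound client, or None for an unknown one, which then
        has to go through the manual Portal login of step 1."""
        account = self.bindings.get(mac.lower())
        if account is None:
            return None
        otp = secrets.token_urlsafe(24)  # unpredictable and unrelated to the original password
        self.issued[account] = IssuedOtp(account, otp, self.clock() + self.lifetime)
        return account, otp

    def verify_otp(self, account, candidate):
        """Single use within the time limit: a correct OTP is consumed on its first use, and
        an OTP past its deadline is discarded even if it was never used."""
        rec = self.issued.get(account)
        if rec is None:
            return False
        if self.clock() > rec.expires_at:
            del self.issued[account]
            return False
        if rec.used or not hmac.compare_digest(rec.otp.encode(), candidate.encode()):
            return False
        rec.used = True
        return True


class AaaServer:
    """Step 25: compare against the account's original password first; only if that fails,
    ask the non-perception authentication device whether the value is a valid OTP."""

    def __init__(self, original_passwords, device):
        self.original_passwords = original_passwords  # assumed plaintext store for the example
        self.device = device

    def authenticate(self, account, password):
        stored = self.original_passwords.get(account)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            return "accept:original"
        if self.device.verify_otp(account, password):
            return "accept:otp"
        return "reject"


if __name__ == "__main__":
    # Constructed sample binding and password, not data from the patent.
    device = UnawareAuthDevice({"aa:bb:cc:00:00:01": "stu2017001"})
    aaa = AaaServer({"stu2017001": "CorrectHorse"}, device)
    account, otp = device.on_dhcp_lease("AA:BB:CC:00:00:01")   # step 22
    print(aaa.authenticate(account, otp))                       # first use: accept:otp
    print(aaa.authenticate(account, otp))                       # replayed: reject
```

Because `verify_otp` consumes the OTP on first success and drops it on expiry, a value captured from the NAS login exchange cannot be replayed once the legitimate login has gone through or the working time limit has passed, which is the property step 22 relies on.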
The invention has been put through several implementation tests, one of them in the five-stage optimization of the campus network of Beijing University of Posts and Telecommunications. There, the non-perception authentication and authorization system based on dynamic temporary password creation, and its working method, were deployed in the network system variant without a proxy AAA server. The authentication client is connected through the campus network to the NAS server, the DHCP server, the Portal server, the AAA server and the non-perception authentication device. A client accessing the network system for the first time is authenticated by the user manually entering a user account and original password, after which the non-perception authentication device binds the terminal device to the user account and creates a corresponding one-time temporary password. On every later access, the non-perception authentication device initiates the login request with a one-time temporary password corresponding to the terminal device's user account, without manual authentication by the user.
The repeated tests of this embodiment of the invention were successful, achieving the aim of the invention.

Claims (8)

1. A non-perception authentication and authorization network system based on dynamic temporary password creation, covering two IP accounting network systems, one with and one without a proxy AAA server, wherein the IP accounting network system with a proxy AAA server comprises the following network elements: an authentication client, a Dynamic Host Configuration Protocol (DHCP) server, a Network Access Server (NAS) together with the external Internet connected through it, a Portal server, an AAA server and a proxy AAA server; and the IP accounting network system without a proxy AAA server comprises the following network elements: an authentication client, a Dynamic Host Configuration Protocol (DHCP) server, a Network Access Server (NAS) together with the external Internet connected through it, a Portal server and an AAA server; characterized in that:
in each of the two IP accounting network systems a non-perception authentication device is additionally provided, which binds the authentication client or intelligent terminal and dynamically creates a one-time password (OTP) corresponding to the user account, so that non-perception authentication and authorization is realized and the user is spared manually entering a password every time they go online; since the dynamically generated one-time temporary password is used for authentication, the user's original password is not needed; and during authentication only trusted nodes are interacted with, so that user account information is not disclosed and communication security is ensured; wherein:
the authentication client is a user terminal computer or an intelligent terminal, including a smartphone or a set-top box; when it accesses the network for the first time, the user manually enters the user account and original password, and identity authentication and authorization are performed;
the DHCP server is used to allocate an IP address to the authentication client when it accesses the network, to interact with the non-perception authentication device, and to send the authentication client's characteristic information to the non-perception authentication device;
the NAS server, together with the external Internet connected through it, where NAS is a general term for gateway equipment including routers and accounting gateways, is used to control and manage the authentication client's network access: before the authentication client completes authentication, all of its hypertext transfer protocol (HTTP) requests are redirected to the Portal server; during the authentication client's authentication, the NAS server interacts with the non-perception authentication device, the Portal server, and the proxy AAA server or AAA server respectively to complete identity authentication, security authentication, authorization and accounting for the authentication client; after the authentication client completes authentication and authorization, it is allowed to access the authorized Internet resources;
the non-perception authentication device is responsible for interacting with the Portal server, the DHCP server, the NAS server and the proxy AAA server or AAA server respectively, looking up the user's internet access account according to the client's characteristic information, and dynamically generating a single-use temporary password OTP corresponding to that user account; it initiates a login request and identity authentication to the NAS server with the user account and the corresponding single-use temporary password OTP, realizing the non-perception authentication;
the Portal server is the access server that receives the authentication client's authentication request and provides the WEB Portal and authentication interface;
the AAA server cooperates with the related network elements to perform the complete identity authentication, security authentication, authorization and accounting functions for the authentication client, and forces the user offline when necessary;
the proxy AAA server is present only in the network system with a proxy AAA server, and is responsible for identifying and authenticating the authentication client's single-use temporary password OTP, and for processing AAA messages other than the OTP authentication and forwarding them to the AAA server.
2. The system of claim 1, wherein the trusted nodes comprise the DHCP server, the NAS server, the Portal server, the non-perception authentication device, the AAA server and the proxy AAA server.
3. The system of claim 1, wherein the client's characteristic information at least includes its Media Access Control (MAC) address, i.e. its hardware address.
4. The working method of the non-perception authentication and authorization network system based on dynamic temporary password creation as claimed in claim 1, wherein: when the authentication client accesses the network for the first time, the user manually enters a user account and the original password, and identity authentication and authorization are performed; on every later access by the authentication client, the DHCP server, while issuing an IP address to the authentication client, also interacts with the non-perception authentication device and sends the authentication client's characteristic information to it; the non-perception authentication device looks up the user's internet access account according to the client's characteristic information and dynamically generates a single-use temporary password OTP corresponding to that user account; the non-perception authentication device then initiates a login request and identity authentication to the NAS server with the user account and its corresponding one-time temporary password OTP, so that the user does not need to manually enter the account password for identity authentication every time they go online, realizing non-perception authentication; and leakage of the user's password information is avoided, ensuring communication security.
5. The working method of claim 4, wherein the method comprises the following operation steps:
step 1, when the authentication client accesses the network for the first time, the user manually enters a user account and the original password, and identity authentication and authorization are performed; step 1 comprises the following operations:
(11) the authentication client sends an IP address request to the DHCP server;
(12) the DHCP server issues an IP address to the authentication client;
(13) the authentication client sends an HTTP access request, and the NAS server redirects it to the WEB Portal and authentication interface of the Portal server;
(14) the user enters identity authentication information, comprising the user account and original password, in the WEB Portal and authentication interface, and the Portal server sends the identity authentication information to the NAS server;
(15) the NAS server sends the authentication information to the proxy AAA server or the AAA server; the proxy AAA server forwards the identity authentication request to the upstream AAA server for verification, or the AAA server verifies the identity authentication information directly;
if verification fails, the result is returned to the NAS server, which blocks the authentication client from all network resources other than the WEB portal and authentication interface, and the flow ends;
if verification passes, the result is returned to the NAS server, which returns it to the Portal server, and step (16) is executed;
(16) the NAS server releases the authentication client, allows it to access network resources, and sends an accounting message to the proxy AAA server, or directly to the AAA server;
the non-perception authentication device receives from the Portal server the authentication result of the authenticated client, comprising the internet access account and its associated IP address, and obtains from the DHCP server the client's identity characteristic information, comprising its MAC address, and from these automatically completes the binding of the authentication client to the user account;
(17) the proxy AAA server forwards the accounting message to the upstream AAA server, which uses it to trigger and check the user's online and charging policies and performs the charging operation;
or the NAS server sends the accounting message directly to the AAA server, which uses it to trigger and check the user's online and charging policies and performs the charging operation;
when the user's network fee balance is insufficient and the user must be forced offline, the AAA server forces the authentication client offline with a Change of Authorization (CoA) message;
step 2, on every subsequent access (that is, when the authentication client joins the network other than for the first time), the DHCP server issues an IP address to the authentication client and, using the client's characteristic information (at least its Media Access Control (MAC) address), interacts with the non-perception authentication device; the non-perception authentication device looks up the internet access account bound to the authentication client, dynamically generates a single-use temporary password OTP for that account, and then initiates a login request and identity authentication to the NAS server with the user account and the corresponding single-use temporary password OTP, realizing non-perception authentication and authorization, so that the user does not have to repeat the tedious step of manually entering the original password for identity authentication every time they go online, and the communication remains secure;
step 2 comprises the following operations:
(21) the authentication client sends an IP address request to the DHCP server;
(22) the DHCP server issues an IP address to the authentication client and sends the client's online information to the non-perception authentication device; the non-perception authentication device looks up the internet account bound to the user according to the authentication client's characteristic information and dynamically generates a one-time temporary password (OTP) for that account;
(23) the non-perception authentication device initiates a login request to the NAS server with the internet account, sending the user's internet account and the one-time temporary password created in step (22) to the NAS server for identity authentication;
(24) on receiving the login request, the user account and the corresponding one-time temporary password, the NAS server sends them to the proxy AAA server or the AAA server for authentication;
(25) the proxy AAA server or AAA server receives the user account and temporary password and first compares the submitted password with the user account's actual original password; if that check fails, it asks the non-perception authentication device to verify whether the temporary password is correct;
if verification fails, the failure result is returned to the NAS server, which blocks the authentication client from all network resources other than the WEB portal and authentication interface, and the flow ends; alternatively, the user proceeds with the traditional Portal server authentication flow by manually entering the user account and original password;
if verification passes, the result is sent to the NAS server, which releases the authentication client, sends an accounting message to the proxy AAA server or the AAA server, and continues with step (26);
(26) the proxy AAA server forwards the accounting message and the user account to the upstream AAA server, which uses the accounting message to trigger and check the user's online and charging policies and performs the charging operation;
or, after receiving the accounting message from the NAS server, the AAA server directly uses the accounting message and the user account to trigger and check the user's online and charging policies and performs the charging operation;
(27) when the user's network fee balance is insufficient and the user must be forced offline, the AAA server sends a Change of Authorization (CoA) message to the proxy AAA server; the proxy AAA server passes the CoA message to the NAS server, which forces the user offline and returns an accounting message;
or the AAA server sends the CoA message directly to the NAS server, which forces the user offline and returns an accounting message.
6. The working method of claim 5, wherein, in step 1 of the method, if the authentication client is an intelligent terminal that cannot open the WEB portal in a browser, such as a set-top box, the following two steps are executed for the corresponding operations:
(13) the user opens the WEB portal and authentication interface on another client;
(14) the user manually selects, on the authentication interface, the IP address of the authentication client to be bound, and the Portal server sends the authentication information together with the client information selected by the user to the NAS server;
and the other operations of steps (11) to (17) remain unchanged.
7. The working method of claim 5 or 6, wherein steps (14) and (15) of the method have the following alternative: the non-perception authentication device does not check the legitimacy of the user's identity through the NAS server, but obtains the user account, original password and the authentication client's IP address directly from the Portal server and then performs the check itself; the specific operations are:
(14a) the user enters identity authentication information, comprising the user account and original password, in the WEB Portal and authentication interface, and the Portal server sends the identity authentication information directly to the non-perception authentication device;
(15a) the non-perception authentication device sends the identity authentication information, comprising the user account, original password and the authentication client's IP address, to the proxy AAA server or the AAA server; the proxy AAA server forwards the identity authentication request to the upstream AAA server for verification, or the AAA server verifies the identity authentication information directly;
the handling of whether verification passes is the same as in step (15).
8. The working method of claim 5, wherein in step (22) the non-perception authentication device sets a single working time limit for the one-time temporary password OTP it dynamically generates for the internet account bound to the authentication client: the OTP is valid for exactly one authentication within that time limit and becomes invalid once used; and if the time limit expires, the password is invalidated even if it was never used for authentication.
CN201711462151.9A 2017-12-28 2017-12-28 Non-perception authentication and authorization network system and method based on dynamic temporary password creation Active CN108092988B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711462151.9A CN108092988B (en) 2017-12-28 2017-12-28 Non-perception authentication and authorization network system and method based on dynamic temporary password creation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711462151.9A CN108092988B (en) 2017-12-28 2017-12-28 Non-perception authentication and authorization network system and method based on dynamic temporary password creation

Publications (2)

Publication Number Publication Date
CN108092988A CN108092988A (en) 2018-05-29
CN108092988B true CN108092988B (en) 2021-06-22

Family

ID=62180952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711462151.9A Active CN108092988B (en) 2017-12-28 2017-12-28 Non-perception authentication and authorization network system and method based on dynamic temporary password creation

Country Status (1)

Country Link
CN (1) CN108092988B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109299617A (en) * 2018-09-19 2019-02-01 中国农业银行股份有限公司贵州省分行 A kind of file encryption and decryption system
CN109040148A (en) * 2018-11-01 2018-12-18 四川长虹电器股份有限公司 A kind of mobile terminal sends the safety certifying method of logging request to server
CN110012032B (en) * 2019-04-28 2021-11-23 新华三技术有限公司 User authentication method and device
CN110535696A (en) * 2019-08-21 2019-12-03 新华三技术有限公司合肥分公司 Method for configuring network equipment, controller and the network equipment
CN110719276B (en) * 2019-09-30 2021-12-24 北京网瑞达科技有限公司 Network equipment safety access system based on cache password and working method thereof
CN110856174B (en) * 2019-12-13 2020-11-27 上海兴容信息技术有限公司 Access authentication system, method, device, computer equipment and storage medium
CN113361723B (en) * 2021-05-12 2022-06-17 北京网瑞达科技有限公司 IT operation and maintenance management system and method based on rule tree automatic matching

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932785A (en) * 2011-08-12 2013-02-13 中国移动通信集团浙江有限公司 Rapid authentication method, system and equipment of wireless local area network
CN103501495A (en) * 2013-10-16 2014-01-08 苏州汉明科技有限公司 Perception-free WLAN (Wireless Local Area Network) authentication method fusing Portal/Web authentication and MAC (Media Access Control) authentication
CN104954508A (en) * 2015-06-24 2015-09-30 北京网瑞达科技有限公司 System for DHCP (dynamic host configuration protocol) auxiliary accounting and auxiliary accounting method of system
CN106059802A (en) * 2016-05-25 2016-10-26 杭州华三通信技术有限公司 Terminal access authentication method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137401B (en) * 2010-12-09 2018-07-20 华为技术有限公司 WLAN centralization 802.1X authentication methods and device and system

Also Published As

Publication number Publication date
CN108092988A (en) 2018-05-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information

Inventor after: Deng Yuting

Inventor after: Zhang Yuming

Inventor after: Wang Junyan

Inventor after: Wang Daojia

Inventor after: Weng Yuan

Inventor after: Yang Chengfei

Inventor after: Cong Qun

Inventor before: Wang Junyan

Inventor before: Wang Daojia

Inventor before: Weng Yuan

Inventor before: Yang Chengfei

Inventor before: Cong Qun