CN109413649B - Access authentication method and device - Google Patents

Access authentication method and device

Info

Publication number: CN109413649B
Authority
CN
China
Prior art keywords: wireless client, address, access, table entry, temporary table
Legal status: Active (the status listed by Google Patents is an assumption, not a legal conclusion)
Application number: CN201811314083.6A
Other languages: Chinese (zh)
Other versions: CN109413649A (en)
Inventor: 吴清根
Current Assignee: Hangzhou H3C Technologies Co Ltd (as listed by Google Patents; the listing may be inaccurate)
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority application: CN201811314083.6A
Publication of the application: CN109413649A
Related PCT application: PCT/CN2019/115908 (published as WO2020094039A1)
Application granted; publication of the granted patent: CN109413649B
Current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention provides an access authentication method in which an AC (access controller), on receiving an access request message from a wireless client that is accessing it for the first time, creates a temporary table entry for that client containing the first IP address and the MAC address carried in the message. The AC then obtains the client's user information from a Portal server using the MAC address, obtains the client's access information locally using the first IP address and the MAC address, and sends both to an authentication server for authentication. Once authentication passes, the AC allows the client access and processes the access request message. A client moving between ACs in a large WLAN therefore need not re-apply for an IP address and can regain network access quickly, which improves the wireless access experience.

Description

Access authentication method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an access authentication method and apparatus.
Background
With the proliferation of smart mobile wireless clients, user expectations for mobile access keep rising. Today a wireless client that has authenticated to a WLAN (Wireless LAN) can roam within an ESS (Extended Service Set): its existing IP address is not released across the switch, so the client keeps communicating with the original IP address, which shortens the traffic interruption caused by the wireless link handover.
In larger WLANs, however, clients increasingly need to switch between wireless services provided by different AC (Access Controller) devices. Because the client roams quickly within the ESS without re-applying for an IP address, the AC it moves to cannot, in the short term, learn the client's existing IP address or its access information, and so cannot complete the authentication exchange with the authentication server. The client therefore cannot complete Portal authentication quickly after switching ACs; it re-accesses the network and obtains a new IP address only once it notices that its existing address no longer works. The user has no network access during that interval, which seriously degrades the access experience.
Disclosure of Invention
In view of this, the present invention provides an access authentication method and apparatus to solve the problem that a client cannot access the network with its existing IP address when it moves across ACs.
Specifically, the invention is realized by the following technical scheme:
the invention provides an access authentication method, which is applied to an AC and comprises the following steps:
when an access request message sent by a wireless client accessing for the first time is received, creating a temporary table entry for the wireless client, the temporary table entry containing a first IP address of the wireless client and a MAC address of the wireless client carried in the access request message;
obtaining user information of the wireless client from a Portal server according to the MAC address, and obtaining access information of the wireless client locally according to the first IP address and the MAC address;
sending the user information and the access information to an authentication server for authentication;
and if a notification that the wireless client has passed authentication is received from the authentication server, allowing the wireless client access and processing the access request message.
As an embodiment, after allowing the wireless client access, the method further comprises:
when an ARP message or DHCP message sent by the wireless client is intercepted, judging whether the first IP address in the temporary table entry is the same as a second IP address carried in the ARP or DHCP message; if they are the same, converting the temporary table entry into a formal table entry; if they differ, deleting the temporary table entry and triggering the wireless client to come online again;
and when no ARP or DHCP message sent by the wireless client is observed, deleting the temporary table entry and triggering the wireless client to come online again.
As one embodiment, after creating the temporary entry for the wireless client, the method further comprises:
starting a verification timer for the temporary table entry;
if, when the timer expires, no ARP or DHCP message sent by the wireless client after access was allowed has been intercepted, deleting the temporary table entry, triggering the client to come online again, and cancelling the timer;
and if the first IP address in the temporary table entry and the second IP address are the same, cancelling the timer.
Based on the same concept, the present invention also provides an access authentication apparatus, which is applied to an AC, the apparatus comprising:
an entry creating unit, configured to create a temporary table entry for a wireless client when an access request message sent by a wireless client accessing for the first time is received, the temporary table entry containing a first IP address of the wireless client and a MAC address of the wireless client carried in the access request message;
an information obtaining unit, configured to obtain user information of the wireless client from a Portal server according to the MAC address and to obtain access information of the wireless client locally according to the first IP address and the MAC address;
an information sending unit, configured to send the user information and the access information to an authentication server for authentication;
and a message processing unit, configured to allow the wireless client access and process the access request message if a notification that the wireless client has passed authentication is received from the authentication server.
As an embodiment, the apparatus further comprises:
a monitoring unit, configured to, after the wireless client has been allowed access, judge, when an ARP message or DHCP message sent by the wireless client is observed, whether the first IP address in the temporary table entry is the same as a second IP address carried in the ARP or DHCP message; if they are the same, the temporary table entry is converted into a formal table entry; if they differ, the temporary table entry is deleted and the wireless client is triggered to come online again; and, when no ARP or DHCP message sent by the wireless client is observed, the temporary table entry is deleted and the wireless client is triggered to come online again.
As an embodiment, the apparatus further comprises:
a checking unit, configured to start a verification timer for the temporary table entry after the temporary table entry of the wireless client is created; if, when the timer expires, no ARP or DHCP message sent by the wireless client after access was allowed has been intercepted, the temporary table entry is deleted, the client is triggered to come online again, and the timer is cancelled; and if the first IP address in the temporary table entry and the second IP address are the same, the timer is cancelled.
Based on the same concept, the invention also provides a network device comprising a memory, a processor, a communication interface and a communication bus;
the memory, the processor and the communication interface communicate with one another through the communication bus;
the memory is used to store a computer program;
the processor is configured to execute the computer program stored in the memory, and when the processor executes the computer program, any step of the above access authentication method is implemented.
Based on the same concept, the invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any step of the above access authentication method.
In this way the AC, on receiving an access request message from a wireless client accessing it for the first time, creates a temporary table entry containing the first IP address and the MAC address carried in the message, obtains the client's user information from the Portal server using the MAC address, obtains the client's access information locally using the first IP address and the MAC address, sends both to the authentication server, and, once authentication passes, allows the client access and processes the access request message. A client moving across ACs in a large WLAN therefore need not change its IP address, which greatly improves the wireless access experience.
Drawings
Fig. 1 is a schematic diagram of client cross-AC mobile networking in an exemplary embodiment of the invention;
Fig. 2 is a process flow diagram of an access authentication method in an exemplary embodiment of the invention;
Fig. 3 is an access authentication interaction flow diagram in an exemplary embodiment of the invention;
Fig. 4 is a logical block diagram of an access authentication apparatus in an exemplary embodiment of the invention;
Fig. 5 is a schematic structural diagram of a network device in an exemplary embodiment of the invention.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "upon", "when", or "in response to determining", depending on the context.
In a larger WLAN, the need for wireless clients to move between wireless services provided by different ACs is becoming more apparent. As shown in Fig. 1, a wireless client first accesses the network through AC1, where AP1 is located; when it moves from AP1 to AP2, it must access the network through AC2, where AP2 is located. Because the prior art lets the client roam quickly within the ESS without re-applying for an IP address, the client continues to use the old IP address it used on AC1 when it moves to AC2. AC2 has not learned the correspondence between that IP address and the client's MAC address, so when it receives an access request message carrying the old IP address it discards the message. AC2 also cannot complete the authentication exchange with the authentication server (AAA server), so the client cannot complete Portal authentication quickly after switching ACs, and it does not re-access the network to obtain a new IP address until it notices that its existing address no longer works. The user's access experience suffers greatly in the meantime.
One existing solution is to establish a private tunnel between each pair of ACs in advance and distribute the IP-to-MAC correspondences learned through ARP or DHCP to every AC, so that a client whose service switches quickly between ACs can continue to be authenticated with the synchronized correspondence. This requires a private tunnel between every two ACs, however, and as the network grows the mesh of tunnels makes it overly complex. The IP-to-MAC correspondences of all wireless clients must also be synchronized between ACs, so every AC ends up holding information for the whole network; the synchronization volume is large, entry aging has to be handled, and the load easily disrupts the network and the devices. The approach is therefore not very practical.
To solve these problems of the prior art, the invention provides an access authentication method and apparatus in which an AC, on receiving an access request message from a wireless client accessing it for the first time, creates a temporary table entry for that client containing the first IP address and the MAC address carried in the message, obtains the client's user information from a Portal server using the MAC address, obtains the client's access information locally using the first IP address and the MAC address, sends both to an authentication server, and, once authentication passes, allows the client access and processes the access request message. A client moving across ACs in a large WLAN therefore need not re-apply for an IP address and regains network access quickly, which greatly improves the wireless access experience.
Referring to Fig. 2, a processing flowchart of an access authentication method according to an exemplary embodiment of the invention is shown. The method is applied to an AC and comprises:
step 201, when an access request message sent by a wireless client accessing for the first time is received, creating a temporary table entry for the wireless client, the temporary table entry containing a first IP address of the wireless client and a MAC address of the wireless client carried in the access request message;
In this embodiment, when a wireless client moves across ACs and accesses the new AC for the first time after moving, it sends its access request message to the new AC using the first IP address it was using on the previous AC. When the AC receives an access request message from a client accessing it for the first time, it can read the client's first IP address and MAC address from the message and create a temporary table entry for the client containing both.
Note that whether a client is accessing for the first time after moving can be determined at the AP. If it is not the first access, the AP already holds a forwarding entry for the client and forwards the access request message directly without sending it to the AC; if it is the first access, the AP has no forwarding entry for the client and must send the message to the AC for processing. In this embodiment, therefore, every access request message that reaches the AC can be taken to come from a client accessing the AC for the first time. The AP's role is simplified in the description that follows, which says simply that the AC receives an access request message from a first-time client.
step 202, obtaining user information of the wireless client from a Portal server according to the MAC address, and obtaining access information of the wireless client locally according to the first IP address and the MAC address;
As an embodiment, after the AC creates the client's temporary table entry it still has to determine whether the client's identity is legitimate, which it does through a non-perception exchange with the Portal server over a secure channel (that is, with no user involvement). Specifically, the AC sends the Portal server a request carrying the client's MAC address. The Portal server looks up the user information (user name, password and so on) recorded for that MAC address; if it finds a record, the client's identity is legitimate and the user information is returned to the AC; if not, the client is illegitimate and the AC redirects it to the Portal server for ordinary authentication. After obtaining the user information from the Portal server, the AC looks up the client's access information locally using the client's MAC address and first IP address.
Step 203, sending the user information and the access information to an authentication server for authentication;
in this embodiment, the AC may send the user information and the access information of the wireless client to the authentication server for authentication. If the authentication server compares that the user information and the access information sent by the AC are the same as the locally stored user information, the wireless client is considered to pass the authentication, and after the authentication passes, the authentication passing notification is sent to the AC; and if the comparison result is different, the authentication failure of the wireless client is indicated, and an authentication failure notice is sent to the AC.
And step 204, if receiving the notification which is sent by the authentication server and passes the authentication of the wireless client, allowing the wireless client to access and process the access request message.
And if the AC receives the authentication passing notice sent by the authentication server, the wireless client is allowed to access, and the access request message is processed. It should be noted that, after the authentication is passed, the AC notifies the AP to allow the wireless client to access the network, and forwards the access request message. In this embodiment, the operation flow of the AP is simplified, and the access is directly allowed by the wireless client, and the access request packet is processed.
If receiving the authentication failure notice, deleting the temporary table entry, and redirecting the wireless client to perform authentication. Optionally, under the condition that the security requirement is high, after receiving the authentication passing notification, the AC may further notify the Portal server that the wireless client passes the authentication, thereby completing the Portal authentication process, and if the Portal server does not receive the authentication passing notification sent by the AC within a certain time, it may be considered that the wireless client fails the authentication, thereby taking the wireless client off the line, and avoiding the potential safety hazard.
In the prior art, if the AC receives an access request packet carrying a first IP address sent by a wireless client that is accessed for the first time, the AC usually discards the access request packet because the AC does not locally record the first IP address, so that the wireless client cannot access the network. The AC of the invention does not discard the access request message, but records the corresponding relation between the first IP address and the MAC address of the access request message, and allows the wireless client to access the network and process the access request message after the wireless client is confirmed to pass the authentication.
In order to prevent the wireless client from using the counterfeit IP address for authentication or the authenticated IP address is overdue, the invention can also increase the identity verification process and avoid the illegal user from accessing the network. As an embodiment, after allowing the access of the wireless client, when intercepting an ARP message or a DHCP message sent by the wireless client, the AC may also determine whether a first IP address in a temporary entry of the wireless client is the same as a second IP address carried in the ARP message or the DHCP message, and if so, the wireless client is a valid user, so that the temporary entry is changed into a formal entry; if the difference is not the same, the wireless client is an illegal user, so that the temporary table entry of the wireless client is deleted, and the wireless client is triggered to be on-line again; when the ARP message or the DHCP message sent by the wireless client is not sensed, the wireless client is also considered as an illegal user, and the temporary table entry of the wireless client can be deleted to trigger the wireless client to be on-line again. It should be noted that, here, the AC is also configured to intercept the ARP message or the DHCP message sent by the wireless client through the AP managed by the AC, and when the AP receives the ARP message or the DHCP message, the AP may send the ARP message or the DHCP message to the AC, so that the AC obtains the second IP address of the wireless client from the ARP message or the DHCP message. In this embodiment, the operation flow of the AP is simplified, and the AC intercepts the ARP packet or the DHCP packet sent by the wireless client.
In addition, in order to make the authentication process more complete, as an embodiment, the AC may further start the temporary table entry verification timing after creating the temporary table entry of the wireless client, and the timing duration may be set according to actual needs; if the ARP message or the DHCP message sent by the wireless client after the access is allowed is not sensed after the check overtime, the user can be considered as an illegal user, so that the temporary table entry of the wireless client is deleted, and the wireless client is triggered to be on-line again; if the first IP address and the second IP address in the temporary table entry are the same, the wireless client is considered to be a legal user, so that the verification timing can be deleted while the temporary table entry is changed into a formal table entry.
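The interception described in the two paragraphs above turns on one operation: pulling the client's MAC address and the IP address it is actually using (the second IP address) out of an ARP or DHCP message. The following is an added example, not code from the patent or from H3C, of that extraction in Python over raw Ethernet frames. The plain Ethernet framing, the builder functions that construct the sample frames, and the rule that the MAC inside the ARP or DHCP payload must match the frame's source MAC are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Added example (not from the patent): extracting the "second IP address" and the
# client MAC from snooped ARP and DHCP frames. Plain Ethernet framing is assumed;
# a real AC receives these frames through its managed AP.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPREQUEST, DHCPINFORM = 3, 8

@dataclass(frozen=True)
class Binding:
    mac: str      # client MAC learned from the frame
    ip: str       # the IP address the client claims to be using
    source: str   # "arp" or "dhcp"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_arp(pkt: bytes) -> Optional[Binding]:
    """Sender MAC/IP from an Ethernet/IPv4 ARP packet (28 bytes)."""
    if len(pkt) < 28:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return Binding(mac_str(pkt[8:14]), ip_str(pkt[14:18]), "arp")

def parse_dhcp(pkt: bytes) -> Optional[Binding]:
    """chaddr and claimed IP from a DHCPREQUEST/DHCPINFORM (BOOTP header + options)."""
    if len(pkt) < 240 or pkt[:3] != b"\x01\x01\x06" or pkt[236:240] != DHCP_MAGIC:
        return None  # not a BOOTREQUEST from an Ethernet client
    ciaddr, chaddr = pkt[12:16], pkt[28:34]
    msg_type, requested = None, None
    i = 240
    while i < len(pkt):  # bounds-checked TLV walk over the options
        tag = pkt[i]
        if tag == 0:     # pad
            i += 1
            continue
        if tag == 255:   # end
            break
        if i + 2 > len(pkt):
            return None
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # truncated option
        if tag == 53 and length == 1:
            msg_type = value[0]
        elif tag == 50 and length == 4:
            requested = value  # Requested IP: an INIT-REBOOT client reclaiming its old lease
        i += 2 + length
    if msg_type not in (DHCPREQUEST, DHCPINFORM):
        return None
    claimed = requested or (ciaddr if ciaddr != b"\0\0\0\0" else None)  # RENEWING sets ciaddr
    return Binding(mac_str(chaddr), ip_str(claimed), "dhcp") if claimed else None

def learn_binding(frame: bytes) -> Optional[Binding]:
    """Dispatch on EtherType; drop frames whose inner MAC disagrees with the source MAC."""
    if len(frame) < 14:
        return None
    src_mac = mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_ARP:
        binding = parse_arp(frame[14:])
    elif ethertype == ETHERTYPE_IPV4 and len(frame) >= 34 and frame[23] == 17:
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 8 or struct.unpack("!HH", udp[:4]) != (68, 67):
            return None  # only client-to-server DHCP traffic
        binding = parse_dhcp(udp[8:])
    else:
        return None
    return binding if binding and binding.mac == src_mac else None

def build_arp_frame(mac: bytes, ip: bytes) -> bytes:
    """Constructed gratuitous ARP request (Ethernet + ARP) from mac/ip."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + mac + ip + b"\0" * 6 + ip
    return b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP) + arp

def build_dhcp_request_frame(mac: bytes, old_ip: bytes) -> bytes:
    """Constructed INIT-REBOOT DHCPREQUEST: ciaddr zero, option 50 carries the old lease."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0) + b"\0" * 16 + mac + b"\0" * 202
    bootp += DHCP_MAGIC + bytes([53, 1, DHCPREQUEST, 50, 4]) + old_ip + b"\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    return b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp

if __name__ == "__main__":
    mac, old_ip = bytes.fromhex("0a1b2c3d4e5f"), bytes([10, 1, 2, 50])
    print(learn_binding(build_arp_frame(mac, old_ip)))
    print(learn_binding(build_dhcp_request_frame(mac, old_ip)))
```

The ARP sender fields, and the DHCP `chaddr` together with Requested IP (option 50) or `ciaddr`, are exactly the fields a roaming client fills in when it keeps its old lease, so they are where the second IP address comes from. The example returns nothing for a frame whose inner MAC and Ethernet source MAC disagree, and for truncated options, so that a malformed or inconsistent message never produces a binding that the AC would compare against its temporary entry.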
In summary, the invention intercepts the access request message a wireless client sends after attaching to a new AC, builds a temporary table entry for the client's IP address and MAC address, and combines this with Portal non-perception authentication, so that the client switches quickly between ACs and the traffic interruption is shortened. At the same time, the temporary entry for the client's IP address and MAC address is verified, which prevents interference from IP address conflicts or invalid IP addresses and improves network security.
In order to make the objects, technical solutions and advantages of the present invention more apparent, please refer to fig. 1 and 3 for further detailed description of the solution of the present invention.
Fig. 3 is an access authentication interaction flowchart in an embodiment of the invention. It covers the interaction in which a wireless client (Client) first accesses the network through AC1 and the interaction in which the client accesses the network after moving to AC2. The first-access interaction through AC1 follows the existing standard Portal authentication and is not repeated here. The access authentication interaction after the client moves to AC2 comprises the following steps:
step 301, the wireless client moves into the wireless service area provided by AC2 and establishes a wireless link with AP2, managed by AC2, through the Authentication and Association exchange;
step 302, the client does not re-apply for an IP address; it sends an access request message, for example an HTTP message, to AC2 using its old IP address (the IP address it used to access the network on AC1) and continues data communication;
step 303, AC2 intercepts the access request message (for example the HTTP message) sent by the client with the old IP address, creates a temporary table entry containing the client's old IP address and MAC address, and starts a verification timer;
step 304, AC2 sends the client's old IP address and MAC address to the Portal server (Portal Server) in a non-perception authentication query, triggering non-perception authentication;
step 305, the Portal server returns the stored user information (user name and password) corresponding to the MAC address to AC2 over a secure channel;
step 306, AC2 carries the user information sent by the Portal server and the client's access information, obtained locally from the old IP address and MAC address, in an access authentication exchange with the AAA server (AAA Server);
step 307, after AC2 receives the authentication response from the AAA server, it allows the client onto the network, processes the HTTP message and forwards the authentication response to the Portal server;
step 308, the client continues data communication after accessing the network;
step 309, AC2 periodically performs accounting interaction with the AAA server;
step 310, AC2 learns the client's actual IP address by monitoring the client's ARP or DHCP messages and checks whether it matches the old IP address in the temporary table entry; if it matches, the verification timer is cancelled; if not, AC2 removes the client, deletes the temporary entry and triggers the client to come online again;
step 311, if the timer expires before the client's actual IP address has been learned from an ARP or DHCP message, AC2 removes the client, deletes the temporary entry and triggers the client to come online again.
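Steps 201 to 204, the ARP/DHCP verification embodiment, and the Fig. 3 sequence (steps 301 to 311) describe one procedure on the AC. As an added example that is not part of the patent or of any H3C product, the following Python models that procedure as a state machine driven by explicit timestamps, with in-memory stand-ins for the Portal server and the AAA server. The class and method names, the contents of the "access information" (AP, SSID, IP, MAC), and the acceptance rule applied by the AAA stand-in are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Added example (not from the patent): the AC-side procedure of steps 201-204 and
# 301-311 as a state machine. The Portal and AAA servers are in-memory stand-ins and
# the shape of the "access information" is an assumption for illustration.

class State(Enum):
    TEMPORARY = "temporary"  # created from the access request, IP not yet verified
    FORMAL = "formal"        # ARP/DHCP confirmed the IP the client actually uses

@dataclass
class Entry:
    mac: str
    first_ip: str                      # IP carried in the access request (old lease from AC1)
    state: State = State.TEMPORARY
    allowed: bool = False              # set once the AAA server accepts the client
    check_deadline: Optional[float] = None

class PortalServer:
    """Stand-in: MAC -> (user name, password) kept from the client's first Portal login."""
    def __init__(self, records: Dict[str, Tuple[str, str]]):
        self.records = records
        self.notified: List[str] = []

    def query_by_mac(self, mac: str) -> Optional[Tuple[str, str]]:
        return self.records.get(mac)

    def notify_pass(self, mac: str) -> None:  # the optional step-307 feedback
        self.notified.append(mac)

class AAAServer:
    """Stand-in authentication server: credentials must match and access info must be present."""
    def __init__(self, accounts: Dict[str, str]):
        self.accounts = accounts

    def authenticate(self, user: str, password: str, access_info: dict) -> bool:
        return self.accounts.get(user) == password and bool(access_info)

class AccessController:
    def __init__(self, portal: PortalServer, aaa: AAAServer, check_timeout: float):
        self.portal, self.aaa, self.check_timeout = portal, aaa, check_timeout
        self.entries: Dict[str, Entry] = {}
        self.assoc: Dict[str, dict] = {}  # association state from step 301, keyed by MAC

    def on_associate(self, mac: str, ap: str, ssid: str) -> None:
        self.assoc[mac] = {"ap": ap, "ssid": ssid}

    def local_access_info(self, ip: str, mac: str) -> dict:
        info = self.assoc.get(mac)
        return {**info, "ip": ip, "mac": mac} if info else {}

    def on_access_request(self, mac: str, src_ip: str, now: float) -> str:
        """Steps 201-204; returns 'forward' or 'redirect_to_portal'."""
        existing = self.entries.get(mac)
        if existing and existing.allowed:
            return "forward"                      # already admitted on this AC
        entry = Entry(mac, src_ip, check_deadline=now + self.check_timeout)
        self.entries[mac] = entry                 # step 201 and start of the check timer
        user = self.portal.query_by_mac(mac)      # step 202: MAC-keyed lookup over the secure channel
        if user is None:
            del self.entries[mac]
            return "redirect_to_portal"           # unknown MAC: ordinary Portal login
        access_info = self.local_access_info(src_ip, mac)
        if not self.aaa.authenticate(user[0], user[1], access_info):  # step 203
            del self.entries[mac]
            return "redirect_to_portal"           # authentication failed
        entry.allowed = True                      # step 204
        self.portal.notify_pass(mac)
        return "forward"

    def on_snooped_binding(self, mac: str, second_ip: str) -> str:
        """Step 310: compare the IP learned from ARP/DHCP with the first IP."""
        entry = self.entries.get(mac)
        if entry is None or not entry.allowed or entry.state is State.FORMAL:
            return "ignore"
        if second_ip == entry.first_ip:
            entry.state, entry.check_deadline = State.FORMAL, None
            return "promoted"
        del self.entries[mac]
        return "re-onboard"                       # mismatch: client must come online again

    def on_tick(self, now: float) -> List[str]:
        """Step 311: expire temporary entries whose check timer has run out."""
        expired = [m for m, e in self.entries.items()
                   if e.state is State.TEMPORARY and e.check_deadline is not None
                   and e.check_deadline <= now]
        for mac in expired:
            del self.entries[mac]                 # and trigger re-onboarding
        return expired

if __name__ == "__main__":
    mac = "0a:1b:2c:3d:4e:5f"
    ac2 = AccessController(PortalServer({mac: ("alice", "s3cret")}), AAAServer({"alice": "s3cret"}), 30)
    ac2.on_associate(mac, "AP2", "corp")
    print(ac2.on_access_request(mac, "10.1.2.50", now=0))
    print(ac2.on_snooped_binding(mac, "10.1.2.50"))
    print(ac2.on_tick(now=60))
```

Note what the verification step does and does not establish. The first IP address and the second IP address both come from the same client, so comparing them catches an IP address conflict, a stale address, or a client that goes silent, which is what the text claims for it; the identity decision itself rests on the MAC-keyed Portal record and the AAA result. That is why the Portal exchange has to travel over the secure channel the text requires, and why the model admits the client only after the AAA stand-in answers.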
Referring to fig. 4, an access authentication apparatus 400 according to an exemplary embodiment of the present invention is shown, where the apparatus 400 is applied to an AC, and a logical structure of the apparatus 400 includes, from a logical level:
an entry creating unit 401, configured to create a temporary entry of a wireless client when receiving an access request packet sent by a wireless client that is accessed for the first time, where the temporary entry includes a first IP address of the wireless client and a MAC address of the wireless client that are carried in the access request packet;
an information obtaining unit 402, configured to obtain user information of the wireless client from a Portal server according to the MAC address, and obtain access information of the wireless client from local according to the first IP address and the MAC address;
an information sending unit 403, configured to send the user information and the access information to an authentication server for authentication;
a message processing unit 404, configured to allow the wireless client to access and process the access request message if receiving a notification that the authentication of the wireless client is passed, where the notification is sent by an authentication server.
As an embodiment, the apparatus further comprises:
a monitoring unit 405, configured to, after allowing the wireless client to access, when an ARP packet or a DHCP packet sent by the wireless client is monitored, determine whether the first IP address in the temporary entry is the same as a second IP address carried in the ARP packet or the DHCP packet, and if the first IP address and the second IP address are the same, change the temporary entry into a formal entry; if they are not the same, delete the temporary table entry and trigger the wireless client to come online again; and when no ARP message or DHCP message sent by the wireless client is monitored, delete the temporary table entry and trigger the wireless client to come online again.
As an embodiment, the apparatus further comprises:
a checking unit 406, configured to start a check timer for the temporary table entry after creating the temporary table entry of the wireless client; if no ARP message or DHCP message sent by the wireless client after the access is allowed has been intercepted when the check timer expires, delete the temporary table entry, trigger the client to come online again, and delete the check timer; and if the first IP address in the temporary table entry and the second IP address are the same, delete the check timer.
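The temporary-entry handling of steps 306 to 311 and of units 401 to 406 can be modelled as a small state machine on the AC. The following Python is an added example written for this page, not the patent's or H3C's implementation: it creates the temporary (first IP, MAC) entry from an access request, starts the check timer, learns the client's actual IP by parsing an ARP frame, and resolves the entry to formal, re-online or timer expiry. The Portal lookup and the AAA exchange are constructed stand-ins, the check timeout and the sample MAC/IP values are constructed, and DHCP snooping is omitted (only ARP is parsed), so the names `AccessController`, `parse_arp`, `build_arp_request` and `demo` are this example's own.

```python
"""Constructed model of the AC-side temporary entry check (not the patent's code)."""
import socket
import struct
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional, Tuple

ARP_FMT = ">HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETH_ARP = 0x0806


def parse_arp(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender MAC, sender IP) from an Ethernet/ARP frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETH_ARP.to_bytes(2, "big"):
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), socket.inet_ntoa(spa)


def build_arp_request(mac: str, ip: str) -> bytes:
    """Constructed test frame: a broadcast ARP request whose sender fields are mac/ip."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = socket.inet_aton(ip)
    eth = b"\xff" * 6 + sha + ETH_ARP.to_bytes(2, "big")
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sha, spa, b"\x00" * 6, spa)


class State(Enum):
    TEMPORARY = auto()  # created from the access request, actual IP not yet confirmed
    FORMAL = auto()     # actual IP confirmed by an ARP packet from the client


@dataclass
class Entry:
    mac: str
    ip: str                           # first IP address, taken from the access request
    state: State = State.TEMPORARY
    deadline: Optional[float] = None  # check-timer expiry; None once the timer is deleted


class AccessController:
    """One entry per client MAC; every event handler returns the action the AC took."""

    def __init__(self, check_timeout: float, portal_users: Dict[str, str]):
        self.check_timeout = check_timeout
        self.portal_users = portal_users  # constructed stand-in for the Portal server's MAC -> user lookup
        self.entries: Dict[str, Entry] = {}

    @staticmethod
    def aaa_authenticate(user: str, ip: str, mac: str) -> bool:
        # Constructed stand-in: the real AC sends user info plus (ip, mac) access info to the AAA server.
        return True

    def on_access_request(self, mac: str, ip: str, now: float) -> str:
        """Units 401-404 and 406: create the temporary entry, start the timer, authenticate."""
        if mac in self.entries:
            return "known"
        self.entries[mac] = Entry(mac, ip, deadline=now + self.check_timeout)
        user = self.portal_users.get(mac)
        if user is None or not self.aaa_authenticate(user, ip, mac):
            del self.entries[mac]  # Portal or AAA rejected the client: nothing is kept
            return "rejected"
        return "allowed-temporary"  # access allowed, but the entry stays temporary until verified

    def on_frame(self, frame: bytes) -> str:
        """Step 310 / unit 405: learn the actual IP from a monitored ARP frame."""
        parsed = parse_arp(frame)
        return "ignored" if parsed is None else self.on_learned_ip(*parsed)

    def on_learned_ip(self, mac: str, learned_ip: str) -> str:
        entry = self.entries.get(mac)
        if entry is None or entry.state is not State.TEMPORARY:
            return "ignored"
        if learned_ip == entry.ip:
            entry.state, entry.deadline = State.FORMAL, None  # confirmed: formal entry, timer deleted
            return "formal"
        del self.entries[mac]  # IP conflict or invalid IP: drop the client and force a fresh onboarding
        return "re-online"

    def on_tick(self, now: float) -> List[str]:
        """Step 311: expire temporary entries whose check timer elapsed without an ARP from the client."""
        expired = [m for m, e in self.entries.items()
                   if e.state is State.TEMPORARY and e.deadline is not None and e.deadline <= now]
        for mac in expired:
            del self.entries[mac]
        return expired


def demo() -> List[str]:
    """Two constructed clients: the first confirms its IP, the second claims an IP it does not use."""
    ac = AccessController(30.0, {"02:00:00:00:00:01": "alice", "02:00:00:00:00:02": "bob"})
    return [
        ac.on_access_request("02:00:00:00:00:01", "10.0.0.11", 0.0),
        ac.on_frame(build_arp_request("02:00:00:00:00:01", "10.0.0.11")),
        ac.on_access_request("02:00:00:00:00:02", "10.0.0.11", 1.0),
        ac.on_frame(build_arp_request("02:00:00:00:00:02", "10.0.0.22")),
    ]


if __name__ == "__main__":
    print(demo())
```

The second client in `demo` is the case the text calls an IP address conflict: it presents an IP already claimed in an access request, is allowed temporarily after authentication, but its own ARP traffic reveals a different address, so the AC discards the entry and forces it to come online again instead of keeping a mapping it never verified.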
Based on the same concept, the present invention also provides a network device, as shown in fig. 5, including a memory 51, a processor 52, a communication interface 53, and a communication bus 54; wherein, the memory 51, the processor 52 and the communication interface 53 communicate with each other through the communication bus 54;
the memory 51 is used for storing computer programs;
the processor 52 is configured to execute the computer program stored in the memory 51, and when the processor 52 executes the computer program, any step of the access authentication method provided in the embodiment of the present disclosure is implemented.
The present invention also provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the computer program implements any step of the access authentication method provided in the embodiments of the present disclosure.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for embodiments of the network device and the computer-readable storage medium, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to the description, reference may be made to some portions of the description of the method embodiments.
In summary, the present invention enables an AC to create a temporary entry of a wireless client when receiving an access request packet sent by a wireless client that is accessed for the first time, where the temporary entry includes a first IP address of the wireless client and a MAC address of the wireless client that are carried in the access request packet. The AC then obtains user information of the wireless client from a Portal server according to the MAC address, obtains access information of the wireless client from the local table according to the first IP address and the MAC address, sends the user information and the access information to an authentication server for authentication, and after the authentication is passed, allows the wireless client to access and processes the access request packet. Therefore, the invention allows the client to move across ACs in a large WLAN network without re-applying for an IP address and to access the network quickly, thereby greatly improving the access experience of the wireless client.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. An access authentication method, applied to an Access Controller (AC), the method comprising:
when an access request message sent by a wireless client which is accessed for the first time is received, a temporary table entry of the wireless client is created, wherein the temporary table entry comprises a first IP address of the wireless client and a MAC address of the wireless client which are carried in the access request message;
when the Portal server confirms that the identity of the wireless client is legal according to the MAC address, acquiring user information of the wireless client from the Portal server, and acquiring access information of the wireless client from the local according to the first IP address and the MAC address;
sending the user information and the access information to an authentication server for authentication;
and if a notification sent by an authentication server that the wireless client has passed the authentication is received, allowing the wireless client to access and processing the access request message.
2. The method of claim 1, wherein after allowing access by the wireless client, the method further comprises:
when an ARP message or a DHCP message sent by the wireless client is intercepted, whether a first IP address in the temporary table entry is the same as a second IP address carried in the ARP message or the DHCP message is judged, and if the first IP address and the second IP address are the same, the temporary table entry is changed into a formal table entry; if they are not the same, deleting the temporary table entry and triggering the wireless client to be on-line again;
and when the ARP message or the DHCP message sent by the wireless client is not monitored, deleting the temporary table entry and triggering the wireless client to be on-line again.
3. The method of claim 2, wherein after creating the temporary entry for the wireless client, the method further comprises:
starting the verification timing of the temporary table entry;
if no ARP message or DHCP message sent by the wireless client after the access is allowed has been intercepted when the check times out, deleting the temporary table entry, triggering the client to be on-line again, and deleting the check timing;
and if the first IP address and the second IP address in the temporary table entry are the same, deleting the verification timing.
4. An access authentication apparatus, the apparatus being applied to an Access Controller (AC), the apparatus comprising:
the table entry creating unit is used for creating a temporary table entry of the wireless client when receiving an access request message sent by a wireless client which is accessed for the first time, wherein the temporary table entry comprises a first IP address of the wireless client and a MAC address of the wireless client, which are carried in the access request message;
the information acquisition unit is used for acquiring the user information of the wireless client from the Portal server when the Portal server confirms that the identity of the wireless client is legal according to the MAC address, and acquiring the access information of the wireless client from the local according to the first IP address and the MAC address;
the information sending unit is used for sending the user information and the access information to an authentication server for authentication;
and the message processing unit is used for allowing the wireless client to access and processing the access request message if a notification sent by an authentication server that the wireless client has passed the authentication is received.
5. The apparatus of claim 4, further comprising:
the monitoring unit is used for judging whether a first IP address in the temporary table entry is the same as a second IP address carried in an ARP message or a DHCP message when monitoring the ARP message or the DHCP message sent by the wireless client after the wireless client is allowed to access, and if the first IP address and the second IP address are the same, the temporary table entry is changed into a formal table entry; if they are not the same, deleting the temporary table entry and triggering the wireless client to be on-line again; and when the ARP message or the DHCP message sent by the wireless client is not monitored, deleting the temporary table entry and triggering the wireless client to be on-line again.
6. The apparatus of claim 5, further comprising:
the checking unit is used for starting the checking timing of the temporary table entry after the temporary table entry of the wireless client is created; if no ARP message or DHCP message sent by the wireless client after the access is allowed has been intercepted when the check times out, deleting the temporary table entry, triggering the client to be on-line again, and deleting the check timing; and if the first IP address and the second IP address in the temporary table entry are the same, deleting the verification timing.
7. A network device, comprising a memory, a processor, a communication interface, and a communication bus;
the memory, the processor and the communication interface are communicated with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to execute the computer program stored in the memory, and the processor implements the steps of the method according to any one of claims 1 to 3 when executing the computer program.
8. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 3.
CN201811314083.6A 2018-11-06 2018-11-06 Access authentication method and device Active CN109413649B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811314083.6A CN109413649B (en) 2018-11-06 2018-11-06 Access authentication method and device
PCT/CN2019/115908 WO2020094039A1 (en) 2018-11-06 2019-11-06 Access authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811314083.6A CN109413649B (en) 2018-11-06 2018-11-06 Access authentication method and device

Publications (2)

Publication Number Publication Date
CN109413649A CN109413649A (en) 2019-03-01
CN109413649B true CN109413649B (en) 2020-10-02

Family

ID=65471888

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811314083.6A Active CN109413649B (en) 2018-11-06 2018-11-06 Access authentication method and device

Country Status (2)

Country Link
CN (1) CN109413649B (en)
WO (1) WO2020094039A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413649B (en) * 2018-11-06 2020-10-02 新华三技术有限公司 Access authentication method and device
CN113453218B (en) * 2021-05-24 2023-12-26 新华三技术有限公司成都分公司 Table entry processing method and apparatus
CN114302393A (en) * 2021-11-17 2022-04-08 锐捷网络股份有限公司 Communication control method, device, equipment and system based on authentication
CN114244695B (en) * 2021-12-31 2024-03-19 普联技术有限公司 Terminal online configuration method and device of isolated network and network management system
CN114531414A (en) * 2022-01-07 2022-05-24 锐捷网络股份有限公司 Terminal migration acceleration method and device
CN114500175B (en) * 2022-02-21 2022-09-16 北京至周科技有限公司 Communication method for reversely dividing home VLAN based on IP address of user equipment
CN114390527A (en) * 2022-02-21 2022-04-22 北京至周科技有限公司 Method for wireless visitor non-perception authentication

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101711031B (en) * 2009-12-23 2012-07-11 杭州华三通信技术有限公司 Portal authenticating method during local forwarding and access controller (AC)
CN102238543A (en) * 2010-04-27 2011-11-09 杭州华三通信技术有限公司 Wireless Portal authentication method and access controller
CN102368857B (en) * 2011-11-03 2012-12-19 广州杰赛科技股份有限公司 Switching method in wireless Mesh network domain
US9445259B2 (en) * 2013-09-24 2016-09-13 Alcatel Lucent Service provider certified device policy management
CN104104516B (en) * 2014-07-30 2018-12-25 新华三技术有限公司 A kind of portal authentication method and equipment
CN107370741A (en) * 2017-07-31 2017-11-21 安徽四创电子股份有限公司 A kind of across AC unaware authentication method based on PORTAL agreements
CN109413649B (en) * 2018-11-06 2020-10-02 新华三技术有限公司 Access authentication method and device

Also Published As

Publication number Publication date
WO2020094039A1 (en) 2020-05-14
CN109413649A (en) 2019-03-01

Similar Documents

Publication Publication Date Title
CN109413649B (en) Access authentication method and device
CN110800331B (en) Network verification method, related equipment and system
US11743728B2 (en) Cross access login controller
US9749320B2 (en) Method and system for wireless local area network user to access fixed broadband network
CN106878135B (en) Connection method and device
CN101379795A (en) address assignment by a DHCP server while client credentials are checked by an authentication server
US20180048633A1 (en) Perception-free authentication method and system, and control method and system based on the same
CN105072613A (en) Wireless network system and wireless network access method
CN105873055B (en) Wireless network access authentication method and device
WO2010000185A1 (en) A method, apparatus, system and server for network authentication
CN106686592B (en) Network access method and system with authentication
EP3855695B1 (en) Access authentication
WO2010000157A1 (en) Configuration method, device and system for access device
CN107257558B (en) Message forwarding method and device
CN104754689B (en) home gateway access management method and system
CN106341374B (en) Method and device for limiting access of unlicensed user equipment to home gateway
US20020042820A1 (en) Method of establishing access from a terminal to a server
CN110856145A (en) IOT device and user binding method, device and medium based on near field authentication
CN108259420B (en) Message processing method and device
CN113556337A (en) Terminal address identification method, network system, electronic device and storage medium
KR101434750B1 (en) Geography-based pre-authentication for wlan data offloading in umts-wlan networks
CN107222856B (en) Method and device for realizing roaming between wireless controllers (AC)

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant