WO2018045798A1 - Network authentication method and related device - Google Patents


Info

Publication number
WO2018045798A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
terminal
access
access controller
server
Application number
PCT/CN2017/090606
Other languages
French (fr)
Chinese (zh)
Inventor
袁静
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2018045798A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a network authentication method, related apparatus, and system.
  • WLAN: wireless local area network
  • WIFI: wireless fidelity
  • Before a terminal accesses the network, the network-side device must authenticate it; only after the authentication passes does the terminal access the network.
  • In the prior art, the terminal is usually authenticated based on a user name and password.
  • The user accesses the portal page provided by the operator through the terminal, enters the terminal user name and password, and the portal web page submits the terminal user name and password to the access controller (AC).
  • The AC does not authenticate the terminal user name and password itself, but forwards them to the authentication server, such as an Authentication, Authorization and Accounting (AAA) server, for authentication.
  • AAA: Authentication, Authorization and Accounting
  • After the authentication server returns a result of successful authentication, the AC passes that result to the Portal server.
  • The Portal server displays the result to the user on the portal page, prompting the user that authentication succeeded.
  • The prior-art network authentication method therefore requires the Portal server to send the terminal user name and password to the AC through the Portal protocol, and the AC to send the authentication server's result back to the Portal server through the Portal protocol.
  • Because the Portal protocol is a private (proprietary) protocol and a carrier network contains a large number of ACs from different vendors, the Portal server must be adapted to the ACs of each vendor.
  • As a result, network authentication efficiency is low, and the development and maintenance costs of the Portal server are high.
  • Embodiments of the present invention provide a network authentication method, related apparatus and system that do not require a Portal server to adapt to the access controllers (ACs) of different vendors.
  • In a first aspect, an embodiment of the present invention provides a network authentication method applied to an authentication server, including the following steps:
  • the authentication server receives an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller;
  • the authentication server authenticates the terminal according to the authentication information;
  • when the authentication passes, the authentication server sends an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the authenticated terminal.
  • Thus the authentication server receives the authentication request message from the portal server, authenticates the terminal according to the authentication information it carries, and sends the authentication result to the access controller after the authentication passes.
  • The access controller then connects the terminal to the network according to the authentication result.
  • Because the authentication server receives the authentication information directly from the portal server, the authentication information does not have to be relayed through the access controller, which avoids the Portal-protocol adaptation problem that arises when the portal server sends the authentication information to the access controller. The portal server no longer needs to be adapted to the access controller, which improves the efficiency of network authentication and reduces the development and maintenance cost of the portal server.
  • In a possible implementation, before receiving the authentication request message sent by the portal server, the authentication server further receives an access request message sent by the access controller carrying the default authentication information of the terminal, obtains the control policy and redirect address corresponding to that default authentication information, and returns them to the access controller in an access response message.
  • The access controller then controls the terminal according to the control policy and redirects the terminal's access request according to the redirect address.
  • In a possible implementation, the authentication result sent by the authentication server carries an updated control policy together with the terminal identifier, and the access controller controls the terminal's internet access according to the updated control policy.
  • In a possible implementation, the authentication information of the terminal includes a terminal user name and a password, and the authentication server authenticates the terminal as follows:
  • the authentication server verifies whether the terminal user name and password in the authentication information are consistent with the locally saved user name and password;
  • if they are consistent, the authentication of the terminal passes; if the terminal user name or password is inconsistent with the locally saved user name and password, the authentication does not pass, that is, the terminal is not allowed to access the network.
  • In a second aspect, an embodiment of the present invention further provides a network authentication method applied to an access controller, including the following steps:
  • the access controller receives a webpage access request sent by the terminal and returns the address information of the access controller to the terminal;
  • the access controller receives the authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the authenticated terminal;
  • the access controller connects the terminal to the network according to the authentication result.
  • After receiving the terminal's webpage access request, the access controller returns its own address information to the terminal; the authentication server subsequently authenticates the user according to the authentication information and sends the authentication result to the access controller corresponding to that address information, and the access controller connects the terminal according to the authentication result.
  • Because the access controller receives the authentication result directly from the authentication server, it does not need to receive the authentication information from the portal server and therefore does not need to be adapted to the portal server. This avoids the Portal-protocol adaptation problem between the access controller and the portal server, improves the efficiency of network authentication, and reduces the development and maintenance costs of both the portal server and the access controller.
  • In a possible implementation, before the access controller receives the webpage access request sent by the terminal, the method further includes:
  • the access controller sends an access request message to the authentication server, where the access request message carries the default authentication information of the terminal, and then receives an access response message sent by the authentication server, where the access response message carries a default control policy according to which the access controller controls the terminal.
  • The default control policy is the control policy corresponding to the default authentication information.
  • In a possible implementation, the access controller may also establish a charging session with the authentication server, where the user name of the session is a default user; charging data is then passed between the authentication server and the access controller over this session.
  • In a possible implementation, the authentication result received by the access controller further carries the terminal user name, and after receiving the authentication result the access controller changes the user name of the charging session to the terminal user name, so that the terminal user name is used to charge the user for internet access.
  • In a possible implementation, the access response message received by the access controller carries a redirect address, and after receiving the webpage access request sent by the terminal, the access controller redirects the request according to the redirect address, so that the terminal's webpage access goes to the portal server corresponding to the redirect address.
  • In a third aspect, an embodiment of the present invention provides an authentication server, which includes the following functional modules:
  • an authentication receiving module, configured to receive an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller;
  • an authentication module, configured to authenticate the terminal according to the authentication information;
  • an authentication notification module, configured to send an authentication result to the access controller corresponding to the address information when the authentication passes, where the authentication result carries the identifier of the authenticated terminal.
  • The authentication result may also carry an updated control policy, the identifier of the terminal, and the like.
  • In a possible implementation, the authentication server further includes:
  • the authentication receiving module, further configured to receive, before receiving the authentication request message sent by the portal server, an access request message sent by the access controller, where the access request message carries the default authentication information of the terminal;
  • an access processing module, configured to obtain a control policy and a redirect address corresponding to the default authentication information, and to send an access response message to the access controller, where the access response message carries the control policy and the redirect address.
  • In a possible implementation, after sending the access response message, the authentication server establishes a charging session with the access controller, and charging data is transmitted between the authentication server and the access controller over the charging session.
  • The authentication server provided by the third aspect corresponds to the network authentication method provided by the first aspect; for its specific implementation process and beneficial effects, refer to the network authentication method of the first aspect above.
  • In a fourth aspect, an embodiment of the present invention provides an access controller, including:
  • a response receiving module, configured to receive a webpage access request sent by the terminal and to return the address information of the access controller to the terminal;
  • the response receiving module, further configured to receive an authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the authenticated terminal;
  • a terminal access module, configured to connect the terminal to the network according to the authentication result.
  • In a possible implementation, the access controller further includes:
  • a request sending module, configured to send an access request message to the authentication server before the webpage access request sent by the terminal is received, where the access request message carries the default authentication information of the terminal;
  • the response receiving module, further configured to receive an access response message sent by the authentication server, where the access response message carries a default control policy.
  • In a possible implementation, the access controller further includes:
  • a session maintenance module, configured to establish a charging session with the authentication server after receiving the access response message sent by the authentication server, where the user name of the session is a default user.
  • In a possible implementation, the authentication result further carries a terminal user name, and the session maintenance module is further configured to change the user name of the charging session to the terminal user name.
  • In a possible implementation, the access response message further carries a redirect address, and the access controller further includes a redirection module, configured to redirect the webpage access request according to the redirect address after receiving the webpage access request sent by the terminal.
  • The access controller provided by the fourth aspect corresponds to the network authentication method provided by the second aspect; for its specific implementation process and beneficial effects, refer to the network authentication method of the second aspect above.
  • In a fifth aspect, an embodiment of the present invention provides a network access system, which includes the authentication server according to the third aspect and the access controller according to the fourth aspect.
  • In the above aspects, the authentication result may be sent to the access controller by using a Change-Of-Authorization (COA) message.
  • COA: Change-Of-Authorization
  • The authentication server may specifically be an AAA server.
  • The network accessed by the terminal may specifically be a wireless local area network.
  • FIG. 1 is a schematic diagram of networking of a network authentication system according to Embodiment 1 of the present invention.
  • FIG. 2 is a flowchart of a network authentication method according to Embodiment 2 of the present invention.
  • FIG. 3 is a flowchart of a network authentication method according to Embodiment 3 of the present invention.
  • FIG. 4 is a flowchart of a network authentication method according to Embodiment 4 of the present invention.
  • FIG. 5 is a flowchart of a network authentication method according to Embodiment 5 of the present invention.
  • FIG. 6 is a hardware structural diagram of an authentication server and an access controller according to Embodiment 6 of the present invention.
  • FIG. 7 is a schematic structural diagram of an authentication server according to Embodiment 7 of the present invention.
  • FIG. 8 is a schematic structural diagram of an access controller according to Embodiment 8 of the present invention.
  • Embodiment 1: as shown in FIG. 1, the network authentication system includes an authentication server, an access controller (AC), a portal server, and an access point (AP).
  • All of the above devices belong to the carrier network.
  • The AP is the physical access point of the WLAN and provides the WIFI network signal.
  • The AC is the device that controls the terminal's access to the network.
  • The authentication server is specifically an AAA server, which is mainly used for the authentication, authorization, and accounting of users.
  • The user equipment (User Equipment, UE) in this embodiment includes a mobile phone, a personal computer (PC), a tablet computer, and the like; user equipment may also be referred to as a terminal.
  • The terminal accesses the network through the WIFI network signal provided by the AP.
  • The terminal accesses the portal webpage provided by the portal server and enters the terminal's authentication information.
  • The user submits the authentication information to the portal server through the portal webpage.
  • The portal server sends an authentication request message to the authentication server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
  • Embodiment 2: as shown in FIG. 2, the network authentication method provided in Embodiment 2 of the present invention includes the following steps:
  • Step 101: The authentication server receives an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
  • The AC assigns an IP address to the terminal, and the identifier of the terminal may be the IP address or the physical address of the terminal.
  • The authentication information may be the terminal user name, that is, the user name of the user who uses the terminal. To enhance security, a password can also be included in the authentication information.
  • The authentication request message can be transmitted between the Portal server and the authentication server through the Simple Object Access Protocol (SOAP).
  • SOAP: Simple Object Access Protocol
  • Step 102: The authentication server authenticates the terminal according to the authentication information.
  • The authentication server can verify whether the terminal user name and password in the authentication information match the previously saved user name and password. If they match, the authentication passes; otherwise the authentication fails.
  • The password entered by the user may come from a short message sent by the operator network, or be a password the user has reserved in the operator network. If the password comes from a short message sent by the carrier network, the authentication server can also verify the validity period of the password, that is, whether the time between when the password was issued and when the user entered it exceeds the validity period, for example 5 minutes. If the validity period has expired, the authentication fails; if it has not, the server further verifies whether the user name and password in the authentication information match the previously saved user name and password.
  • The authentication server can also verify only the terminal user name: if the user name in the authentication information is the same as the locally saved user name, the authentication passes; otherwise it fails.
  • Step 103: The authentication server sends an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the authenticated terminal.
  • The authentication server may send the authentication result to the corresponding AC through the RADIUS protocol.
  • When the authentication result is that the authentication passed, the AC connects the terminal according to the authentication result, and the user can use the terminal to access the Internet.
  • In this embodiment, the authentication server receives the authentication request message sent by the portal server, authenticates the terminal according to the authentication information it carries, and sends the authentication result to the access controller after the authentication passes; the access controller then connects the terminal to the network according to the authentication result.
  • Because the authentication server receives the authentication information directly from the portal server, the authentication information does not need to be relayed through the access controller, which avoids the Portal-protocol adaptation problem caused by the portal server sending the authentication information to the access controller. The Portal server no longer needs to be adapted to the access controller, which improves the efficiency of network authentication and reduces the development and maintenance costs of the Portal server.
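The authentication-server side of Steps 101 to 103, as an added example that is not part of the patent: it checks the 5-minute validity period of a short-message password before matching the credentials, then builds the result that would be carried to the AC in a CoA message. The subscriber store, the message shapes, the list of provisioned ACs and the one-time use of the short-message password are assumptions of this example.

```python
"""Added example (not from the patent): the authentication-server side of
Steps 101-103 modelled in plain Python.

Assumptions (mine, not the page's): the subscriber store, the request and
result shapes, the list of provisioned ACs, and that a short-message password
is single-use. The 5-minute validity period and the terminal identifier being
an IP or physical address follow the description."""
import hmac
import time
from dataclasses import dataclass
from typing import Optional

OTP_VALIDITY_SECONDS = 5 * 60   # the 5-minute validity period named in the description


@dataclass
class Subscriber:
    user_name: str
    password: str                          # password reserved in the operator network
    sms_password: Optional[str] = None     # password sent by short message, if any
    sms_issued_at: Optional[float] = None  # issue time, epoch seconds


@dataclass
class AuthRequest:
    """Authentication request message from the Portal server (Step 101)."""
    terminal_id: str        # IP address or physical address of the terminal
    user_name: str
    password: str
    ac_address: str         # address information of the AC serving the terminal
    password_from_sms: bool = False


class AuthServer:
    def __init__(self, subscribers, known_acs):
        self.subscribers = {s.user_name: s for s in subscribers}
        # Assumption: results are only sent to ACs the operator has provisioned,
        # so the AC address carried by the request is checked, not trusted.
        self.known_acs = set(known_acs)
        self.sent = []   # (ac_address, authentication result) pairs "sent" over RADIUS

    def authenticate(self, req: AuthRequest, now: Optional[float] = None):
        """Step 102: verify the credentials; returns (passed, reason)."""
        now = time.time() if now is None else now
        sub = self.subscribers.get(req.user_name)
        if sub is None:
            return False, "unknown user name"
        if req.password_from_sms:
            if sub.sms_password is None or sub.sms_issued_at is None:
                return False, "no SMS password issued"
            # Validity check: time between issue and entry must not exceed 5 minutes.
            if now - sub.sms_issued_at > OTP_VALIDITY_SECONDS:
                return False, "SMS password expired"
            expected = sub.sms_password
        else:
            expected = sub.password
        # Constant-time comparison so a mismatch leaks nothing about the stored value.
        if not hmac.compare_digest(req.password.encode(), expected.encode()):
            return False, "password mismatch"
        if req.password_from_sms:
            sub.sms_password = None          # assumption: the one-time password is consumed
        return True, "ok"

    def handle_auth_request(self, req: AuthRequest, policy: dict,
                            now: Optional[float] = None):
        """Steps 101-103: authenticate, then send the result to the named AC."""
        passed, reason = self.authenticate(req, now)
        if not passed:
            return {"result": "fail", "reason": reason}
        if req.ac_address not in self.known_acs:
            return {"result": "fail", "reason": "unknown access controller"}
        # Authentication result as carried by a CoA message: terminal identifier,
        # terminal user name and the updated control policy.
        result = {
            "type": "CoA-Request",
            "terminal_id": req.terminal_id,
            "user_name": req.user_name,
            "control_policy": policy,
        }
        self.sent.append((req.ac_address, result))
        return {"result": "pass", "coa": result}
```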
  • Embodiment 3: as shown in FIG. 3, after detecting the wireless network provided by the operator, the terminal starts to access it; after receiving the terminal's network attach request, the access controller sends an access request message to the authentication server, where the access request message carries the default authentication information of the terminal.
  • Step 201: The authentication server receives an access request message sent by the access controller, where the access request message carries the default authentication information of the terminal.
  • The access request message may further carry an identifier of the terminal, such as the physical address of the terminal.
  • The default authentication information of the terminal can be a default user name, for example 000; the default user name can be shared by multiple different terminals.
  • The default authentication information can also include a default password.
  • Step 202: The authentication server obtains a redirect address and a control policy corresponding to the default authentication information, and sends an access response message to the access controller, where the access response message carries the control policy and the redirect address.
  • After receiving the default authentication information of the terminal from the access controller, the authentication server identifies from it that the terminal is authenticating with the default user name, obtains the control policy corresponding to the default user name, and returns an access response message carrying the control policy and a redirect address, where the redirect address is the address of the Portal website.
  • The access controller receives the access response message sent by the authentication server, where the access response message carries the default control policy and the redirect address, so that when it subsequently receives the terminal's webpage access request it can redirect that request according to the redirect address, that is, redirect it to the Portal server.
  • Step 203: A charging session is established between the authentication server and the access controller, and the user name of the session is the default user.
  • After the interaction with the access controller, the authentication server may also establish a charging session with the access controller locally and exchange charging-related data over it.
  • The user name of the charging session is currently the default user, because the terminal has not yet reported the terminal user name.
  • Likewise, the AC may establish the charging session with the authentication server locally and transmit the charging-related data; its user name is the default user because the terminal has not yet reported the terminal user name (the real user name) at this point.
  • The terminal then initiates a webpage access request to the access controller, which redirects it to the portal server; the portal server returns a login page to the terminal, the user enters the terminal user name and password on the page, and the portal server receives authentication information such as the user name and password.
  • The Portal server then sends the authentication information to the authentication server in an authentication request message.
  • Step 204: The authentication server receives an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
  • Step 205: The authentication server authenticates the terminal according to the authentication information.
  • Step 206: The authentication server sends an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the authenticated terminal.
  • The authentication result sent by the authentication server may further include an updated control policy.
  • After receiving the authentication result, the access controller also updates the default control policy according to the updated control policy; the updated control policy may include bandwidth control information.
  • The authentication result may further carry the terminal user name from the authentication information, and the access controller then changes the default user name of the charging session to the terminal user name, so as to facilitate subsequent charging of the user.
  • Embodiment 4: as shown in FIG. 4, after detecting the wireless network provided by the operator, the terminal starts to access it; the access controller allocates an IP address to the terminal, and after receiving the allocated IP address the terminal initiates a webpage access request.
  • The network authentication method provided by this embodiment includes the following steps:
  • Step 301: The access controller receives a webpage access request sent by the terminal and returns the address information of the access controller to the terminal.
  • The address of the Portal server may be pre-configured in the access controller; after receiving the terminal's webpage access request, the access controller redirects the request to the portal server.
  • The access controller also returns its own address information to the terminal, so that the terminal carries the address information of the access controller when it subsequently initiates a login request to the Portal server, and the authentication server can feed the terminal's authentication result back to the access controller according to that address information.
  • Step 302: The access controller receives an authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the authenticated terminal.
  • The authentication server authenticates the terminal according to the terminal's authentication information, and after the authentication passes, sends the authentication result to the access controller through the RADIUS protocol.
  • The authentication result carries the identifier of the authenticated terminal, and may also carry the terminal's control policy, such as bandwidth, maximum online duration, and the like.
  • Step 303: The access controller connects the terminal to the network according to the authentication result.
  • For example, the access controller allows the terminal to access the Internet and applies policy control to the terminal's Internet access.
  • In this embodiment, after receiving the terminal's webpage access request, the access controller returns its own address information to the terminal; the authentication server subsequently authenticates the user according to the authentication information and sends the authentication result to the access controller corresponding to that address information, and the access controller connects the terminal according to the authentication result.
  • Because the access controller receives the authentication result directly from the authentication server, it does not need to receive the authentication information from the Portal server and therefore does not need to be adapted to the Portal server. This avoids the Portal-protocol adaptation problem between the access controller and the Portal server, improves the efficiency of network authentication, and reduces the development and maintenance costs of the Portal server and the access controller.
  • Before receiving the terminal's webpage access request, the access controller may further send an access request message to the authentication server when it receives the terminal's network attach request, where the access request message carries the default authentication information of the terminal.
  • Default authentication information is sent because the terminal has not yet been authenticated by the network.
  • The access controller then receives an access response message sent by the authentication server, where the access response message carries a default control policy and a redirect address, and the access controller controls the terminal according to the default control policy.
  • After receiving the webpage access request sent by the terminal, the access controller redirects the request according to the redirect address, that is, to the portal server.
  • The access controller may also establish a charging session with the authentication server, where the user name of the session is the default user.
  • The access controller may associate the identifier of the terminal, such as its IP address, with the session, so that the session can subsequently be found according to the identifier of the terminal.
  • After the authentication result is received, the user name of the charging session is changed to the terminal user name, so that the terminal user name is used for charging control of the terminal's online session.
  • FIG. 5 is a flowchart of a network authentication method according to Embodiment 5 of the present invention.
  • the user accesses the WLAN provided by the operator through the terminal (for example, the smart device), and the smart device initiates the WLAN connection after detecting the network signal of the WLAN, and the network authentication method provided by the embodiment of the present invention includes the following process. :
  • Step 401 The terminal initiates a DHCP discovery request to the AC.
  • the terminal sends a Dynamic Host Configuration Protocol (DHCP).
  • DHCP Dynamic Host Configuration Protocol
  • the request is now used to request an IP address from the access controller.
  • the physical address of the terminal can be carried in the request.
  • Step 402 The AC sends an access request message to the AAA server, where the message carries the default authentication information of the terminal.
  • the AC needs to request the AAA server for authentication of the terminal, and therefore needs to send an access request message to the AAA server.
  • the default authentication information carried in it includes a default username and a default password.
  • the access request message can be sent based on the RADIUS protocol.
  • Step 403 The AAA server returns an access response message to the AC, where the default control policy and the address of the Portal server are carried.
  • the AAA server also obtains the default control policy (the control policy corresponding to the default user name) and the address of the Portal server, and sends them to the AC in the access response message.
  • the address of the Portal server may be a Uniform Resource Locator (URL) of the Portal server.
  • Step 404 The AC allocates an IP address to the terminal.
  • after the AC allocates the IP address userip to the terminal, the AC sends the IP address to the terminal through a DHCP response.
  • Step 405 Establish a charging session between the AC and the AAA server.
  • the established charging session is used to transfer charging related data between the AC and the AAA server.
  • the user name of the accounting session is the default user name, and the AAA server and the AC associate the session with the IP address of the terminal, so that the associated session can be found according to the IP address of the terminal.
  • Step 406 The terminal initiates a webpage access request to the AC.
  • the user opens a browser on the terminal, enters any web page, and initiates a Hyper Text Transfer Protocol (HTTP) request to the AC.
  • Step 407 The AC redirects the access request and sends its own address information to the terminal.
  • the AC redirects the http request of the terminal to the URL of the Portal server, and adds the AC's own IP address nasipaddr information after the URL.
  • Steps 408-409 The terminal accesses the Portal server according to the redirected address and submits the terminal username and password.
  • the user accesses the home page URL of the Portal server.
  • the page has a user name and password input box.
  • the user enters the terminal user name and password information on the portal, and clicks the login button to submit the terminal user name and password.
  • Step 410 The Portal server initiates an authentication request message to the AAA server.
  • the authentication request message sent by the Portal server to the AAA server carries the terminal user name and password, the terminal IP address userip, and the IP address of the access controller nasipaddr.
  • Step 411 The AAA server authenticates the terminal according to the terminal user name and password.
  • the AAA server performs authentication according to the terminal user name and password information sent by the Portal server and the information in the database. If the terminal user name and password information sent by the Portal server are the same as the user name and password stored in the database, the authentication is passed, otherwise the authentication fails. In this embodiment, the user enters the correct terminal username and password, and the authentication passes.
  • Step 412 The AAA server sends an authentication response message to the Portal server.
  • when the authentication succeeds, the AAA server sends an authentication response message to the Portal server, and the Portal server sends a notification message of the authentication pass to the terminal to notify the user that the authentication is passed.
  • Step 413 The AAA server sends an authentication result to the access controller.
  • the authentication result may be sent to the AC corresponding to the nasipaddr address information by using a Change-Of-Authorization (COA) message.
  • the COA message may further include a terminal IP address userip and a terminal user name, and an updated control policy, such as bandwidth, maximum online duration, maximum available traffic, and the like.
  • the parameters included in the COA message are as follows:
  • the Acct-Session-ID is used to identify the session corresponding to the COA message.
  • the User-Name is used to identify the user name. If the user name in the User-Name is different from the user name corresponding to the session, the user name corresponding to the session is modified to the user name in User-Name.
  • the Framed-IP-Address identifies the IP address of the terminal corresponding to the session, and the Calling-Station-Id identifies the physical address of the terminal corresponding to the session. Both the IP address and the physical address of the terminal can be used to associate the session.
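The following is an added example, not code from the patent or from the project it describes: it encodes, verifies and answers a RADIUS CoA-Request carrying the attributes just listed (Acct-Session-ID, User-Name, Framed-IP-Address, Calling-Station-Id), using the packet layout of RFC 2865 and RFC 5176. The shared secret, the session table and all attribute values are constructed for the example. The point for the AC side is the order of operations: the Request Authenticator is checked against the shared secret before any session is looked up or modified, and a CoA whose attributes match no session (or whose Framed-IP-Address contradicts the session found) is answered with CoA-NAK rather than applied.

```python
# Added example (not the patent's code): RADIUS CoA-Request encoding, verification and
# the AC-side handling of step 414. Secret, session table and values are constructed.
import hashlib
import hmac
import struct
from typing import Optional

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
# RFC 2865/2866 attribute type numbers for the attributes named in the COA message
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 8, 31, 44


def encode_attrs(attrs: dict) -> bytes:
    """Attributes are Type(1) Length(1, header included) Value TLVs."""
    out = b""
    for t, v in attrs.items():
        raw = bytes(int(x) for x in v.split(".")) if t == FRAMED_IP_ADDRESS else v.encode()
        if len(raw) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(raw) + 2) + raw
    return out


def build_coa_request(ident: int, attrs: dict, secret: bytes) -> bytes:
    """AAA side of step 413: Code, Identifier, Length, Request Authenticator, Attributes."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_coa_request(pkt: bytes, secret: bytes) -> Optional[dict]:
    """Returns the attributes, or None for a malformed packet or a bad authenticator
    (RFC 5176 requires such a packet to be silently discarded)."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != COA_REQUEST or length != len(pkt):
        return None
    auth, body = pkt[4:20], pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(auth, expected):   # verify before touching any session state
        return None
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            return None
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return None
        raw = body[pos + 2:pos + l]
        attrs[t] = ".".join(str(b) for b in raw) if t == FRAMED_IP_ADDRESS else raw.decode(errors="replace")
        pos += l
    return attrs


def build_coa_response(code: int, request: bytes, secret: bytes) -> bytes:
    """CoA-ACK / CoA-NAK without attributes, bound to the request it answers."""
    header = struct.pack("!BBH", code, request[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_coa_response(resp: bytes, request: bytes, secret: bytes) -> bool:
    """AAA side: check that the reply was produced by a holder of the shared secret."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return len(resp) >= 20 and hmac.compare_digest(resp[4:20], expected)


def ac_handle_coa(pkt: bytes, secret: bytes, sessions: dict) -> Optional[bytes]:
    """AC side of step 414 over a constructed table {Acct-Session-ID: {"ip", "user"}}:
    locate the session by Acct-Session-ID (falling back to Framed-IP-Address), then rename
    the user. Returns the reply packet, or None when the request is discarded."""
    attrs = parse_coa_request(pkt, secret)
    if attrs is None:
        return None
    sid, ip = attrs.get(ACCT_SESSION_ID), attrs.get(FRAMED_IP_ADDRESS)
    if sid not in sessions and ip is not None:
        sid = next((k for k, s in sessions.items() if s["ip"] == ip), None)
    if sid not in sessions or (ip is not None and sessions[sid]["ip"] != ip):
        return build_coa_response(COA_NAK, pkt, secret)
    if attrs.get(USER_NAME) and attrs[USER_NAME] != sessions[sid]["user"]:
        sessions[sid]["user"] = attrs[USER_NAME]
    return build_coa_response(COA_ACK, pkt, secret)
```

The MD5-based authenticator is what the RADIUS CoA specification defines, not a design choice of this example; a deployment relying on it should keep the shared secret long and random and run CoA over a management network or RadSec, since the authenticator only proves possession of that secret.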
  • Step 414 The AC finds the session (the charging session established in step 405) associated with the terminal IP address in the COA message sent by the AAA server, modifies the default user name in the session to the terminal user name, and modifies the control policy of the session according to the updated control policy.
  • after the session is modified, the AC sends a COA Acknowledge (ACK) message to the AAA server. Subsequent charging by the AAA server uses the real user name.
  • the embodiment of the present invention bypasses the interconnection between the Portal server and the AC, and extends the function of the RADIUS protocol-based COA interface between the AAA server and the AC.
  • the AAA server notifies the AC through the COA message that the authentication of the terminal has passed, and informs the AC of the real user name and the updated control policy, so that policy control of the terminal is implemented, that is, the network authentication of the terminal is completed.
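As an added example that is not part of the patent or of any vendor's implementation, the model below runs the whole of steps 401-414 in memory: the AC admits the terminal under the default user name and default policy, opens a charging session that both sides associate with the terminal IP, redirects the first web request to the portal URL with nasipaddr appended, the portal hands user name, password, userip and nasipaddr to the AAA server, and the AAA server, after a constant-time credential check, pushes the result to the AC named by nasipaddr, which renames the session and swaps in the updated policy. The class names, the portal URL, the credential store and the policies are assumptions made for the example; the CoA is modelled as a dictionary rather than a wire packet.

```python
# Added example (not the patent's code): in-memory model of steps 401-414.
# AccessController, AAAServer, PORTAL_URL, CREDENTIALS and POLICIES are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

DEFAULT_USER = "default"
PORTAL_URL = "https://portal.example.net/login"   # assumed redirect address
SALT = b"constructed-salt"                        # real stores use one random salt per user


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed AAA database: terminal user names -> password hashes, and control policies.
CREDENTIALS = {"alice": hash_password("correct-horse-battery")}
POLICIES = {
    DEFAULT_USER: {"allow": ["portal.example.net"], "bandwidth_kbps": 256},
    "alice": {"allow": ["*"], "bandwidth_kbps": 20_000, "max_online_s": 3600},
}


@dataclass
class Session:               # the charging session of step 405
    acct_session_id: str
    user_name: str
    framed_ip: str           # Framed-IP-Address
    calling_station_id: str  # Calling-Station-Id (terminal MAC)
    policy: dict


class AccessController:
    def __init__(self, nas_ip: str):
        self.nas_ip = nas_ip
        self.sessions = {}        # Acct-Session-ID -> Session
        self.by_ip = {}           # terminal IP -> Acct-Session-ID
        self.redirect_url = None

    def admit_default(self, aaa, mac: str, ip: str) -> str:
        """Steps 402-405: default credentials, default policy, charging session."""
        resp = aaa.access_request(DEFAULT_USER)
        self.redirect_url = resp["redirect"]
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(sid, DEFAULT_USER, ip, mac, resp["policy"])
        self.by_ip[ip] = sid
        aaa.accounting_start(sid, ip, self.nas_ip)
        return sid

    def redirect(self, user_ip: str) -> str:
        """Step 407: send the terminal to the portal with nasipaddr appended to the URL."""
        return self.redirect_url + "?" + urlencode({"nasipaddr": self.nas_ip, "userip": user_ip})

    def handle_coa(self, coa: dict) -> str:
        """Step 414: find the session, rename the user, apply the updated policy."""
        s = self.sessions.get(coa.get("Acct-Session-ID"))
        if s is None:   # associate by terminal IP when the session id is absent
            s = self.sessions.get(self.by_ip.get(coa.get("Framed-IP-Address"), ""))
        if s is None or s.framed_ip != coa.get("Framed-IP-Address"):
            return "CoA-NAK"   # never update a session the attributes do not match
        s.user_name = coa["User-Name"]
        s.policy = coa["policy"]
        return "CoA-ACK"


class AAAServer:
    def __init__(self):
        self.acs = {}        # nasipaddr -> AccessController (stands in for the CoA transport)
        self.sessions = {}   # (nas_ip, user_ip) -> Acct-Session-ID, the AAA-side association

    def access_request(self, user: str) -> dict:        # step 403
        return {"policy": POLICIES[user], "redirect": PORTAL_URL}

    def accounting_start(self, sid: str, user_ip: str, nas_ip: str) -> None:   # step 405
        self.sessions[(nas_ip, user_ip)] = sid

    def authenticate(self, user: str, password: str, user_ip: str, nas_ip: str) -> str:
        """Steps 411-413: verify, then push the result to the AC named by nasipaddr."""
        stored = CREDENTIALS.get(user)
        candidate = hash_password(password)   # hash first so unknown users cost the same
        if stored is None or not hmac.compare_digest(stored, candidate):
            return "Access-Reject"
        ac, sid = self.acs.get(nas_ip), self.sessions.get((nas_ip, user_ip))
        if ac is None or sid is None:
            return "Access-Reject"   # the portal named an AC or terminal with no session
        coa = {"Acct-Session-ID": sid, "User-Name": user,
               "Framed-IP-Address": user_ip, "policy": POLICIES[user]}
        return ac.handle_coa(coa)


def portal_submit(aaa: AAAServer, redirect_url: str, user: str, password: str) -> str:
    """Steps 408-410: the portal reads userip and nasipaddr from the redirect and calls AAA."""
    q = parse_qs(urlparse(redirect_url).query)
    return aaa.authenticate(user, password, q["userip"][0], q["nasipaddr"][0])


def run_flow(user: str = "alice", password: str = "correct-horse-battery") -> dict:
    """Whole exchange for one constructed terminal; returns the AC's final session view."""
    aaa, ac = AAAServer(), AccessController("10.0.0.1")
    aaa.acs[ac.nas_ip] = ac
    sid = ac.admit_default(aaa, "aa:bb:cc:dd:ee:ff", "192.0.2.10")
    result = portal_submit(aaa, ac.redirect("192.0.2.10"), user, password)
    s = ac.sessions[sid]
    return {"result": result, "user": s.user_name, "bandwidth": s.policy["bandwidth_kbps"]}
```

Two details matter for a deployment of this pattern: the AAA server only ever acts on a session it has already associated with the (nasipaddr, userip) pair in step 405, so a portal request naming an unknown terminal cannot open a session, and the AC applies a CoA only when its attributes match the session it finds, so a stale or mis-addressed CoA leaves the default policy in place.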
  • FIG. 6 is a hardware structural diagram of an authentication server and an access controller according to Embodiment 6 of the present invention.
  • the authentication server and the access controller may respectively be the authentication server and the access controller shown in FIG. 1 .
  • the authentication server and the access controller employ general purpose computer hardware including a processor 601, a memory 602, a bus 603, an input device 604, an output device 605, and a network interface 606.
  • memory 602 can include computer storage media in the form of volatile and/or nonvolatile memory, such as read only memory and/or random access memory.
  • Memory 602 can store operating systems, applications, other program modules, executable code, and program data.
  • Input device 604 can be used to input commands and information to the authentication server and the access controller, such as a keyboard or a pointing device such as a mouse, trackball, touch pad, microphone, joystick, game pad, satellite television antenna, scanner or similar device. These input devices can be connected to the processor 601 via the bus 603.
  • the output device 605 can be used by the authentication server and the access controller to output information.
  • the output device 605 can also be configured for other peripheral outputs, such as speakers and/or printing devices, which can likewise be connected to the processor 601 via the bus 603.
  • the authentication server and the access controller can be connected to the network through the network interface 106, for example, to a local area network (LAN).
  • computer execution instructions stored in the authentication server and access controller may be stored in a remote storage device, and are not limited to being stored locally.
  • the authentication server may perform the method steps on the authentication server side in the second, third and fifth embodiments, for example steps 101-103, 201-206, 403, 411, and the like.
  • the access controller may perform the method steps on the access controller side in the fourth and fifth embodiments above, such as performing Steps 301-303, 402, 404-405, and the like.
  • FIG. 7 is a schematic structural diagram of an authentication server according to Embodiment 7 of the present invention.
  • the authentication server provided by the embodiment of the present invention includes:
  • the authentication receiving module 710 is configured to receive an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
  • the authentication module 720 is configured to authenticate the terminal according to the authentication information.
  • the authentication notification module 730 is configured to send an authentication result to the access controller corresponding to the address information when the authentication is passed, where the authentication result carries the identifier of the terminal that is authenticated.
  • the authentication server provided by the embodiment of the present invention may be used in the foregoing method embodiments 2, 3, and 5, and the method steps on the authentication server side in those embodiments are performed through the cooperation of the authentication receiving module 710, the authentication module 720, and the authentication notification module 730.
  • the authentication server provided in this embodiment has the same beneficial effects as the foregoing method embodiment when performing network authentication.
  • the authentication receiving module 710 is further configured to: before receiving the authentication request message sent by the portal server, receive an access request message sent by the access controller, where the access request message carries the default authentication information of the terminal.
  • the default authentication information carries the default username.
  • the authentication server further includes an access processing module 740, configured to acquire a control policy and a redirect address corresponding to the default authentication information, and send an access response message to the access controller, where the access response message carries the control policy and the redirect address, so that the access controller assigns an IP address to the terminal and controls the terminal using the default control policy.
  • the authentication server carries the updated control policy to the authentication result sent by the access controller corresponding to the address information after the authentication is passed, so that the access controller controls the terminal according to the updated control policy, so that the terminal can access the internet.
  • the authentication server is presented in the form of a functional unit.
  • a "unit" herein may refer to an application-specific integrated circuit (ASIC), circuitry, a processor and memory that executes one or more software or firmware programs, integrated logic circuitry, and/or other devices that provide the functionality described above.
  • the authentication server may also take the form shown in FIG.
  • the functions of the authentication receiving module 710, the authentication module 720, the authentication notification module 730, and the access processing module 740 can be implemented by the processor 601 and the memory 602 in FIG.
  • the authentication receiving module 710 receiving the authentication request message sent by the portal server can be implemented by the processor 601 executing the code stored in the memory 602.
  • FIG. 8 is a schematic structural diagram of an access controller according to Embodiment 8 of the present invention.
  • the access controller provided by the embodiment of the present invention mainly includes:
  • the response receiving module 810 is configured to receive a webpage access request sent by the terminal, and return the address information of the access controller to the terminal;
  • the response receiving module is further configured to receive an authentication result that is sent by the authentication server according to the address information of the access controller, where the authentication result carries an identifier of the terminal that is authenticated;
  • the terminal access module 820 is configured to access the terminal to the network according to the authentication result.
  • the access controller provided by the embodiment of the present invention can be used in the foregoing method embodiments 4 and 5, and the method steps on the access controller side in the fourth and fifth embodiments are completed through the cooperation of the response receiving module 810 and the terminal access module 820. Compared with the access controller in the prior art, the access controller provided in this embodiment has the same beneficial effects as the foregoing method embodiments when performing network authentication.
  • the access controller provided by the embodiment of the present invention may further include:
  • the request sending module 830 is configured to send an access request message to the authentication server before the webpage access request sent by the receiving terminal, where the access request message carries the default authentication information of the terminal.
  • the response receiving module 810 is further configured to receive an access response message sent by the authentication server, where the access response message carries a default control policy, so as to perform policy control on the terminal according to a default control policy.
  • the foregoing access response message further includes a redirect address.
  • the access controller may further include:
  • the redirection module 840 is configured to redirect the webpage access request according to the redirected address after receiving the webpage access request sent by the terminal.
  • the redirect address may also be pre-stored in the AC.
  • the access controller provided by the embodiment of the present invention further includes:
  • the session maintenance module 850 is configured to establish a charging session with the authentication server after receiving the access response message sent by the authentication server, where the user name of the session is a default user.
  • the session maintenance module 850 is further configured to modify the user name of the charging session to the terminal user name, so that the terminal user name is used to charge the terminal for accessing the internet.
  • the access controller is presented in the form of a functional unit.
  • a "unit" herein may refer to an application-specific integrated circuit, circuitry, a processor and memory that executes one or more software or firmware programs, integrated logic circuits, and/or other devices that provide the functionality described above.
  • the access controller can also take the form shown in FIG.
  • the functions implemented by the response receiving module 810, the terminal access module 820, the request sending module 830, the redirecting module 840, and the session maintenance module 850 can be implemented by the processor 601 and the memory 602 in FIG.
  • the response receiving module 810 receives the webpage access request sent by the terminal, and returning the address information of the access controller to the terminal may be implemented by the processor 601 executing the code stored in the memory 602.
  • aspects of the present invention, or possible implementations of various aspects may be embodied as a system, method, or computer program product.
  • aspects of the invention, or possible implementations of various aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, etc.), or a combination of software and hardware aspects, which are collectively referred to herein as "circuits," "modules," or "systems."
  • aspects of the invention, or possible implementations of various aspects, may take the form of a computer program product; a computer program product refers to computer readable program code stored on a computer readable medium.

Abstract

In embodiments of the present invention, an authentication server receives an authentication request message sent by a Portal server, authenticates a terminal according to authentication information carried in the authentication request message, and after the authentication is successful, sends the authentication result to an access controller, so that the access controller allows the terminal to access a network according to the authentication result. Compared to the prior art, an authentication server directly receives authentication information sent by a Portal server, that is, authentication information is not required to be transferred by an access controller, thereby avoiding Portal protocol adaptation problems caused during the process when authentication information is required to be sent to the access controller by the Portal server, so that there is no need to add an adaptation step to the Portal server with regard to the access controller, the network authentication efficiency is improved, and development and maintenance costs of the Portal server are reduced.

Description

Network authentication method and related device
The present application claims priority to Chinese Patent Application No. 201610820746.6, filed with the Chinese Patent Office on September 12, 2016 and entitled "Network authentication method and related device", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications technologies, and in particular to a network authentication method, related apparatus, and system.
Background
With the popularization of smart terminals, users can access the wireless local area network (WLAN) provided by a network operator through a smart terminal with a wireless fidelity (WIFI) function.
While a terminal accesses the network, the network side device needs to authenticate the terminal, and only after the authentication passes is the terminal allowed to access the network. In existing network authentication methods, the terminal is usually authenticated based on a user name and password.
The user accesses the portal (Portal) web page provided by the operator through the terminal, enters the terminal user name and password and submits them; the back-end server of the Portal web page sends the received terminal user name and password to the access controller (AC). The access controller does not authenticate the terminal user name and password itself but forwards them to an authentication server, for example an Authentication, Authorization and Accounting (AAA) server, for authentication. After the authentication passes, the authentication server returns the result of successful authentication to the Portal server through the AC, and the Portal server displays the result to the user on the portal page, prompting that the authentication succeeded.
However, the network authentication method provided by the prior art requires the Portal server to send the terminal user name and password to the AC through the Portal protocol, and requires the AC to send the authentication result of the authentication server to the Portal server through the Portal protocol. Because the Portal protocol is a private protocol and a carrier network contains a large number of ACs from different vendors, the Portal server needs to be adapted to the ACs of each vendor; network authentication efficiency is low, and the development and maintenance costs of the Portal server are high.
Summary of the invention
Embodiments of the present invention provide a network authentication method, related apparatus and system that do not require a portal server to be adapted to access controllers (ACs) of different vendors.
In one aspect, an embodiment of the present invention provides a network authentication method applied to an authentication server, which includes the following steps:
receiving an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller;
the authentication server authenticating the terminal according to the authentication information;
when the authentication passes, the authentication server sending an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the terminal that passed authentication.
In this embodiment of the present invention, the authentication server receives the authentication request message sent by the portal server, authenticates the terminal according to the authentication information carried in the authentication request message, and after the authentication passes sends the authentication result to the access controller, which then admits the terminal to the network according to the authentication result. Compared with the prior art, the authentication server receives the authentication information directly from the portal server, that is, the authentication information does not need to be relayed through the access controller. This avoids the Portal protocol adaptation problem that arises when the portal server must send the authentication information to the access controller: the portal server no longer needs to be adapted to the access controller, which improves the efficiency of network authentication and reduces the development and maintenance costs of the portal server.
In a possible solution, before receiving the authentication request message sent by the portal server, the authentication server further performs the following:
receiving an access request message sent by the access controller, where the access request message carries the default authentication information of the terminal;
obtaining the control policy and the redirect address corresponding to the default authentication information, and sending an access response message to the access controller, where the access response message carries the control policy and the redirect address, so that the access controller controls the terminal according to the control policy and redirects the access request of the terminal according to the redirect address.
In a possible solution, the authentication result sent by the authentication server carries an updated control policy and the terminal identifier, and the access controller then controls the terminal's access to the internet according to the updated control policy.
In a possible solution, the authentication information of the terminal includes a terminal user name and password, and the authentication server authenticating the terminal according to the authentication information specifically includes the following steps:
the authentication server verifying whether the terminal user name and password in the authentication information are consistent with the locally stored user name and password;
if both the terminal user name and password in the authentication information are consistent with the locally stored user name and password, the authentication of the terminal passes; if the terminal user name or password is inconsistent with the locally stored user name and password, the authentication fails, that is, the terminal is not allowed to access the network.
In a second aspect, an embodiment of the present invention further provides a network authentication method applied to an access controller, which includes the following steps:
receiving a webpage access request sent by the terminal, and returning the address information of the access controller to the terminal;
the access controller receiving an authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the terminal that passed authentication;
the access controller admitting the terminal to the network according to the authentication result.
In the network authentication method provided by this embodiment of the present invention, after receiving the webpage access request of the terminal, the access controller returns the address information of the access controller to the terminal; when the authentication server subsequently authenticates the user according to the authentication information, it sends the authentication result directly to the access controller corresponding to that address information, and the access controller admits the terminal to the network according to the authentication result. Compared with the prior art, the access controller receives the authentication result directly from the authentication server and does not need to receive authentication information from the portal server, so it does not need to be adapted to the portal server. This avoids the Portal protocol adaptation problem between the access controller and the portal server: the access controller does not need to be adapted to the Portal protocol, which improves the efficiency of network authentication and reduces the development and maintenance costs of the portal server and the access controller.
In a possible solution, before receiving the webpage access request sent by the terminal, the access controller further performs the following:
sending an access request message to the authentication server, where the access request message carries the default authentication information of the terminal, and then receiving an access response message sent by the authentication server, where the access response message carries a default control policy, so that the terminal is controlled according to the default control policy. The default control policy is the control policy corresponding to the default authentication information.
In a possible solution, after receiving the access response message sent by the authentication server, the access controller may also establish a charging session with the authentication server, where the user name of the session is the default user; the charging session can carry charging data between the authentication server and the access controller.
In a possible solution, the authentication result received by the access controller further carries the terminal user name, and after receiving the authentication result the access controller modifies the user name of the charging session to the terminal user name, so that the terminal user name is used to charge the user for accessing the internet.
In a possible solution, the access response message received by the access controller carries a redirect address, and after receiving the webpage access request sent by the terminal, the access controller redirects the webpage access request according to the redirect address, so that the terminal accesses the web page of the portal server corresponding to the redirect address.
In a third aspect, an embodiment of the present invention provides an authentication server, which specifically includes the following functional modules:
an authentication receiving module, configured to receive an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller;
an authentication module, configured to authenticate the terminal according to the authentication information;
an authentication notification module, configured to send an authentication result to the access controller corresponding to the address information when the authentication passes, where the authentication result carries the identifier of the terminal that passed authentication. The authentication result may also carry an updated control policy, the identifier of the terminal, and other information.
In a possible solution, the authentication server further includes:
the authentication receiving module being further configured to receive, before receiving the authentication request message sent by the portal server, an access request message sent by the access controller, where the access request message carries the default authentication information of the terminal;
an access processing module, configured to obtain the control policy and the redirect address corresponding to the default authentication information, and to send an access response message to the access controller, where the access response message carries the control policy and the redirect address.
In a possible solution, after sending the access response message, the authentication server further establishes a charging session with the access controller, through which charging data is exchanged with the access controller.
The authentication server provided in the third aspect corresponds to the network authentication method provided in the first aspect; for the specific process by which it performs network authentication and its beneficial effects, refer to the network authentication method provided in the first aspect above.
In a fourth aspect, an embodiment of the present invention provides an access controller, including:
a response receiving module, configured to receive a webpage access request sent by the terminal, and return the address information of the access controller to the terminal;
the response receiving module being further configured to receive an authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the terminal that passed authentication;
终端接入模块,用于根据所述认证结果将所述终端接入网络。The terminal access module is configured to access the terminal to the network according to the authentication result.
在一个可能的方案中,所述的接入控制器还包括:In a possible solution, the access controller further includes:
请求发送模块,用于在所述接收终端发送的网页访问请求之前向所述认证服务器发送接入请求消息,所述接入请求消息中携带所述终端默认的认证信息;a request sending module, configured to send an access request message to the authentication server before the webpage access request sent by the receiving terminal, where the access request message carries the default authentication information of the terminal;
所述响应接收模块还用于接收所述认证服务器发送的接入响应消息,所述接入响应消息中携带默认的控制策略。The response receiving module is further configured to receive an access response message sent by the authentication server, where the access response message carries a default control policy.
在一个可能的方案中,所述的接入控制器还包括:In a possible solution, the access controller further includes:
会话维护模块,用于在接收认证服务器发送的接入响应消息之后与所述认证服务器之间建立计费会话,所述会话的用户名为默认用户。The session maintenance module is configured to establish a charging session with the authentication server after receiving the access response message sent by the authentication server, where the user name of the session is a default user.
在一个可能的方案中,所述认证结果中还携带终端用户名,所述的接入控制器中的会话维护模块还用于修改所述计费会话的用户名为所述终端用户名。In a possible solution, the authentication result further carries a terminal user name, and the session maintenance module in the access controller is further configured to modify a user name of the charging session as the terminal user name.
在一个可能的方案中,所述接入响应消息中还携带重定向地址,所述接入控制器还包括重定向模块,用于在接收到所述终端发送的网页访问请求后,根据所述重定向地址对所述网页访问请求进行重定向。In a possible solution, the access response message further includes a redirecting address, where the access controller further includes a redirection module, configured to: after receiving the webpage access request sent by the terminal, according to the The redirect address redirects the web access request.
其中,第四方面提供的接入控制器是和第二方面提供的网络认证方法对应的,其具体执 行网络认证方法的过程和有益效果可以参考上述第二方面提供的网络认证方法。The access controller provided by the fourth aspect is corresponding to the network authentication method provided by the second aspect, and the specific implementation For the process and beneficial effects of the network authentication method, reference may be made to the network authentication method provided by the second aspect above.
第五方面,本发明实施例提供一种网络接入系统,其包括如上第三方面所述的认证服务器以及第四方面所述的接入控制器。In a fifth aspect, an embodiment of the present invention provides a network access system, which includes the authentication server according to the third aspect, and the access controller according to the fourth aspect.
在以上所有方面提到的实施例中,认证结果具体可以通过修改授权(Change-Of-Authorization,COA)消息来发送给接入控制器。此外,认证服务器具体可以为AAA服务器。终端接入的网络具体可以为无线局域网。In the embodiments mentioned in all the above aspects, the authentication result may be specifically sent to the access controller by using a Change-Of-Authorization (COA) message. In addition, the authentication server may specifically be an AAA server. The network accessed by the terminal may specifically be a wireless local area network.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Apparently, the accompanying drawings in the following description show merely some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these accompanying drawings without creative effort. In the drawings:
FIG. 1 is a schematic diagram of the networking of a network authentication system according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a network authentication method according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of a network authentication method according to Embodiment 3 of the present invention;
FIG. 4 is a flowchart of a network authentication method according to Embodiment 4 of the present invention;
FIG. 5 is a flowchart of a network authentication method according to Embodiment 5 of the present invention;
FIG. 6 is a hardware structural diagram of an authentication server and an access controller according to Embodiment 6 of the present invention;
FIG. 7 is a schematic structural diagram of an authentication server according to Embodiment 7 of the present invention;
FIG. 8 is a schematic structural diagram of an access controller according to Embodiment 8 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Apparently, the described embodiments are merely some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
The present invention provides a network authentication method, a related device, and a system. Referring to FIG. 1, FIG. 1 is a schematic diagram of the networking of a network authentication system according to Embodiment 1 of the present invention.
As shown in FIG. 1, the network authentication system of the present invention includes an authentication server, an access controller (AC), a portal server, and an access point (AP). All of the above devices are devices in the operator's network.
The AP is the physical access point of the WLAN and provides the WIFI network signal to the outside. The AC is the device that controls terminal access to the network. The authentication server is specifically an AAA server, which is mainly used for authentication, authorization, and accounting of users. The user equipment (UE) in this embodiment includes devices such as mobile phones, personal computers (PCs), and tablet computers. User equipment may also be referred to as a terminal.
The terminal accesses the network through the WIFI network signal provided by the AP. During access, the terminal visits the Portal webpage provided by the Portal server and enters the terminal's authentication information, and the user submits the authentication information to the Portal server through the Portal webpage. The Portal server sends an authentication request message to the authentication server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
As shown in FIG. 2, the network authentication method provided by Embodiment 2 of the present invention specifically includes the following steps:
Step 101: The authentication server receives an authentication request message sent by the Portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
In this embodiment, the AC has assigned an IP address to the terminal, and the identifier of the terminal may be the terminal's IP address or physical address. The authentication information may be a terminal user name, that is, the user name of the user using the terminal. To enhance security, the authentication information may further include a password.
The authentication server receives the authentication request message sent by the Portal server; the request message may be transmitted over the Simple Object Access Protocol (SOAP) between the Portal server and the authentication server.
Step 102: The authentication server authenticates the terminal according to the authentication information.
Specifically, the authentication server may verify whether the terminal user name and password in the authentication information match a previously stored user name and password; if so, authentication passes, otherwise authentication fails. The password entered by the user may come from an SMS message sent by the operator's network or may be a password the user registered in advance with the operator's network. If the password entered by the user comes from an SMS message delivered by the operator's network, the authentication server may also check the validity period of the password, that is, verify whether the time elapsed between the moment the password was delivered and the moment the user entered it exceeds the validity period, for example 5 minutes. If it has expired, authentication likewise fails; if it has not, the server further verifies whether the user name and password in the authentication information match the previously stored user name and password.
In addition, the authentication server may also simply verify the terminal user name: if the user name in the authentication information is the same as the locally stored user name, authentication passes; otherwise authentication fails.
Step 103: When authentication passes, the authentication server sends an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the terminal that passed authentication.
Specifically, the authentication server may send the authentication result to the corresponding AC over the RADIUS protocol. In this embodiment, the authentication result is that authentication passed; the AC connects the terminal to the network according to the authentication result, and the user can then use the terminal to access the Internet.
In this embodiment of the present invention, the authentication server receives the authentication request message sent by the Portal server, authenticates the terminal according to the authentication information carried in the authentication request message, and, after authentication passes, sends the authentication result to the access controller, which then connects the terminal to the network according to the authentication result. Compared with the prior art, the authentication server receives the authentication information directly from the Portal server, that is, the authentication information does not need to be relayed through the access controller. This avoids the Portal protocol adaptation problem that arises when the Portal server must send the authentication information to the access controller: the Portal server does not need to be adapted to the access controller, which improves the efficiency of network authentication and reduces the development and maintenance costs of the Portal server.
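The verification of steps 101 to 103 above, written out as an added Python example that is not part of the patent: the server checks an SMS-delivered password against the 5-minute validity period before comparing credentials, and names the AC from the request in its result. All identifiers, addresses and field names are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Validity period of a password delivered by SMS (the 5-minute figure from the text).
SMS_PASSWORD_VALIDITY = timedelta(minutes=5)


@dataclass
class StoredCredential:
    """Credential record held by the AAA server (constructed for this example)."""
    password: str
    # Moment the password was delivered by SMS; None for a password the user
    # registered with the operator in advance, which is not subject to expiry.
    sms_issued_at: Optional[datetime] = None


@dataclass
class AuthRequest:
    """Authentication request as received from the Portal server (field names are assumptions)."""
    terminal_id: str        # terminal IP or physical address
    username: str
    password: str
    ac_address: str         # address information of the access controller
    submitted_at: datetime  # moment the user entered the password


@dataclass
class AuthResult:
    """Authentication result to be sent to the AC named in the request."""
    ac_address: str
    terminal_id: str
    username: str
    passed: bool
    reason: str


class AuthServer:
    """Verification logic of steps 101-103, including the SMS validity check."""

    def __init__(self, credentials: dict):
        self._credentials = credentials

    def authenticate(self, req: AuthRequest) -> AuthResult:
        def result(passed: bool, reason: str) -> AuthResult:
            return AuthResult(req.ac_address, req.terminal_id, req.username, passed, reason)

        stored = self._credentials.get(req.username)
        if stored is None:
            return result(False, "unknown user")
        # An SMS password is checked for expiry first; only a fresh one is compared.
        if stored.sms_issued_at is not None:
            if req.submitted_at - stored.sms_issued_at > SMS_PASSWORD_VALIDITY:
                return result(False, "sms password expired")
        # Constant-time comparison so a mismatch does not leak where it differs.
        if not hmac.compare_digest(stored.password.encode(), req.password.encode()):
            return result(False, "credential mismatch")
        return result(True, "ok")


def sample_results() -> dict:
    """Run the server over constructed requests; returns AuthResult objects keyed by case."""
    t0 = datetime(2017, 6, 28, 12, 0, 0)
    server = AuthServer({
        "alice": StoredCredential("483920", sms_issued_at=t0),   # SMS-delivered password
        "bob": StoredCredential("pre-registered-secret"),         # password registered in advance
    })

    def req(user: str, pwd: str, delay: timedelta) -> AuthRequest:
        return AuthRequest("10.0.0.7", user, pwd, "192.0.2.1", t0 + delay)

    cases = {
        "fresh_sms": req("alice", "483920", timedelta(minutes=4)),
        "stale_sms": req("alice", "483920", timedelta(minutes=6)),
        "wrong_sms": req("alice", "000000", timedelta(minutes=1)),
        "registered": req("bob", "pre-registered-secret", timedelta(days=30)),
        "unknown": req("carol", "x", timedelta(0)),
    }
    return {name: server.authenticate(r) for name, r in cases.items()}
```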
Referring to FIG. 3, FIG. 3 is a flowchart of a network authentication method according to Embodiment 3 of the present invention.
In this embodiment, after detecting the wireless network provided by the operator, the terminal starts to access that wireless network. After receiving the terminal's network attach request, the access controller sends an access request message to the authentication server, where the access request message carries the terminal's default authentication information. The network authentication method provided by this embodiment of the present invention includes the following steps:
Step 201: The authentication server receives an access request message sent by the access controller, where the access request message carries the terminal's default authentication information.
The access request message may further carry an identifier of the terminal, for example the terminal's physical address. The terminal's default authentication information may be a default user name, for example 000, which multiple different terminals may all use. The default authentication information may further include a default password.
Step 202: The authentication server obtains a redirect address and the control policy corresponding to the default authentication information, and sends an access response message to the access controller, where the access response message carries the control policy and the redirect address.
After receiving the terminal's default authentication information sent by the access controller, the authentication server identifies from that authentication information that the terminal is authenticating with the default user name, obtains the control policy corresponding to the default user name, and returns an access response message for that terminal, where the access response message carries the control policy and the redirect address, and the redirect address is the address of the Portal website.
The access controller receives the access response message sent by the authentication server, which carries the default control policy and the redirect address, so that after subsequently receiving the terminal's webpage access request it can redirect the webpage access request according to the redirect address, that is, redirect it to the Portal server.
Step 203: A charging session is established between the authentication server and the access controller, where the user name of the session is the default user.
After interacting with the access controller, the authentication server may further establish locally a charging session with the access controller for exchanging charging-related data. Because the terminal has not yet reported its terminal user name at this point, the user name of the charging session is currently the default user.
After receiving the access response message, the AC may likewise establish locally a charging session with the authentication server for exchanging charging-related data. Because the terminal has not yet reported its terminal user name (the real user name) at this point, the user name of the charging session is currently the default user.
The terminal initiates a webpage access request to the access controller, and the access controller redirects the webpage access request to the Portal server. The Portal server returns a login page to the terminal, the user enters the terminal user name and password on the page and submits them, and the Portal server receives the authentication information such as the terminal user name and password. The Portal server then sends this authentication information to the authentication server in an authentication request message.
Step 204: The authentication server receives an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
Step 205: The authentication server authenticates the terminal according to the authentication information.
Step 206: When authentication passes, the authentication server sends an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the terminal that passed authentication.
The implementation of steps 204 to 206 is the same as that of steps 101 to 103 in Embodiment 2 above; for details, refer to the description of that embodiment.
In this embodiment of the present invention, the authentication result sent by the authentication server may further include an updated control policy. After receiving the authentication result, the access controller further updates the default control policy according to the updated control policy. The updated control policy may include bandwidth control information.
Further, the authentication result may further carry the terminal user name from the authentication information, and the access controller further changes the default user name of the charging session to the terminal user name, so that the user can subsequently be charged under that name.
For a more detailed understanding of the embodiments of the present invention, the method flow of the access controller in implementing the network authentication process is described below. As shown in the figure, FIG. 4 is a flowchart of a network authentication method according to Embodiment 4 of the present invention.
In this embodiment, after detecting the wireless network provided by the operator, the terminal starts to access that wireless network; the access controller assigns an IP address to the terminal, and after receiving the assigned IP address, the terminal initiates a webpage access request. The network authentication method provided by this embodiment of the present invention includes the following steps:
Step 301: The access controller receives a webpage access request sent by the terminal and returns the address information of the access controller to the terminal.
In this embodiment, the address of the Portal server may be preconfigured in the access controller, so that after receiving the terminal's webpage access request the access controller redirects that access request to the Portal server. The access controller also returns its own address information to the terminal, so that when the terminal subsequently initiates a login request to the Portal server it carries the address information of the access controller.
In addition, the authentication server may further feed back the terminal's authentication result to the access controller according to the address information of the access controller.
Step 302: The access controller receives an authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the terminal that passed authentication.
In this embodiment, the authentication server authenticates the terminal according to the terminal's authentication information and, after authentication passes, sends the authentication result to the access controller over the RADIUS protocol. The authentication result carries the identifier of the terminal that passed authentication. Optionally, the authentication result further carries the terminal's control policy, for example bandwidth and maximum online duration.
Step 303: The access controller connects the terminal to the network according to the authentication result.
The access controller connects the terminal to the network according to the authentication result, for example by allowing the terminal to access the Internet and applying policy control to the terminal's Internet access.
In the network authentication method provided by this embodiment of the present invention, after receiving the terminal's webpage access request, the access controller returns the address information of the access controller to the terminal; when the authentication server subsequently authenticates the user according to the authentication information, it sends the authentication result directly to the access controller corresponding to that address information, and the access controller connects the terminal to the network according to the authentication result. Compared with the prior art, the access controller receives the authentication result directly from the authentication server and does not need to receive authentication information from the Portal server, so it does not need to be adapted to the Portal server. This avoids the Portal protocol adaptation problem between the access controller and the Portal server: the access controller does not need to be adapted to the Portal protocol, which improves the efficiency of network authentication and reduces the development and maintenance costs of the Portal server and the access controller.
Optionally, in the network authentication method provided by this embodiment of the present invention, before receiving the webpage access request sent by the terminal, the access controller may further send an access request message to the authentication server upon receiving the terminal's network attach request, where the access request message carries the terminal's default authentication information. Default authentication information is sent here because the terminal has not yet been authenticated by the network, so default authentication information is provided instead. After the authentication server authenticates the terminal according to the default authentication information, the access controller receives an access response message sent by the authentication server, where the access response message carries a default control policy and a redirect address, so that the access controller can control the terminal according to the default control policy.
In addition, after receiving the webpage access request sent by the terminal, the access controller redirects the webpage access request according to the redirect address, that is, redirects the access request to the Portal server.
After receiving the access response message sent by the authentication server, the access controller may further establish a charging session with the authentication server, where the user name of the session is the default user. The access controller may associate the identifier of the terminal, for example its IP address, with the session so that the session can subsequently be found from the terminal's identifier. When a subsequently received authentication result carries the terminal user name, the access controller further changes the user name of the charging session to the terminal user name, so that charging control of the terminal's Internet access is performed under that terminal user name.
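The access-controller side of steps 301 to 303 and the charging-session handling just described, as an added Python example that is not part of the patent: the AC keeps charging sessions keyed by terminal IP under the default user name, redirects an unauthenticated web request to the Portal with its own address attached, and on the authentication result renames the session, applies the updated policy and admits the terminal. The query-parameter names, message field names, addresses and policy values are assumptions constructed for the example; an authentication result for a terminal with no session is refused rather than acted on.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode

DEFAULT_USERNAME = "000"   # default user name shared by terminals not yet authenticated


@dataclass
class ControlPolicy:
    bandwidth_kbps: int
    max_online_seconds: Optional[int] = None


@dataclass
class AccessResponse:
    """Access response the AAA server returns for the default credentials (constructed)."""
    default_policy: ControlPolicy
    redirect_url: str            # address of the Portal server


@dataclass
class AuthResultMessage:
    """Authentication result delivered to the AC (field names are assumptions)."""
    terminal_ip: str             # identifier of the terminal that passed authentication
    username: str                # terminal user name
    policy: Optional[ControlPolicy] = None   # updated control policy, if any


@dataclass
class ChargingSession:
    terminal_ip: str
    username: str = DEFAULT_USERNAME
    policy: Optional[ControlPolicy] = None
    authenticated: bool = False


class AccessController:
    def __init__(self, ac_ip: str, access_response: AccessResponse):
        self.ac_ip = ac_ip
        self.default_policy = access_response.default_policy
        self.portal_url = access_response.redirect_url
        self.sessions = {}   # charging sessions keyed by terminal IP

    def on_ip_assigned(self, terminal_ip: str) -> ChargingSession:
        """Open the charging session under the default user once the terminal has an IP."""
        session = ChargingSession(terminal_ip, policy=self.default_policy)
        self.sessions[terminal_ip] = session
        return session

    def on_http_request(self, terminal_ip: str, url: str) -> Tuple[int, str]:
        """Return (status, location): pass-through once authenticated, else redirect to the Portal."""
        session = self.sessions.get(terminal_ip)
        if session is None:
            return 403, "no session for terminal"
        if session.authenticated:
            return 200, url
        # Not yet authenticated: redirect to the Portal and attach the AC's own address
        # so the Portal can name this AC in its request to the authentication server.
        query = urlencode({"nasipaddr": self.ac_ip, "userip": terminal_ip, "url": url})
        return 302, f"{self.portal_url}?{query}"

    def on_auth_result(self, msg: AuthResultMessage) -> bool:
        """Apply the authentication result: rename the session, update policy, admit the terminal."""
        session = self.sessions.get(msg.terminal_ip)
        if session is None:
            # No session for that terminal identifier: refuse the change rather than
            # admit a terminal that never attached through this AC.
            return False
        session.username = msg.username
        if msg.policy is not None:
            session.policy = msg.policy
        session.authenticated = True
        return True


def demo() -> dict:
    """Walk one terminal through the AC-side flow with constructed values."""
    ac = AccessController("192.0.2.1",
                          AccessResponse(ControlPolicy(512), "http://portal.example/login"))
    ac.on_ip_assigned("10.0.0.7")
    before = ac.on_http_request("10.0.0.7", "http://example.com/")
    unknown = ac.on_auth_result(AuthResultMessage("10.0.0.99", "someone"))
    accepted = ac.on_auth_result(AuthResultMessage("10.0.0.7", "alice", ControlPolicy(4096, 3600)))
    after = ac.on_http_request("10.0.0.7", "http://example.com/")
    session = ac.sessions["10.0.0.7"]
    return {"before": before, "unknown_accepted": unknown, "accepted": accepted,
            "after": after, "username": session.username,
            "bandwidth": session.policy.bandwidth_kbps}
```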
Referring to FIG. 5, FIG. 5 is a flowchart of a network authentication method according to Embodiment 5 of the present invention.
In this embodiment, the user accesses the WLAN provided by the operator through a terminal (for example, a smart device); after detecting the WLAN's network signal, the smart device initiates a WLAN connection. The network authentication method provided by this embodiment of the present invention includes the following flow:
Step 401: The terminal initiates a DHCP discovery request to the AC.
The Dynamic Host Configuration Protocol (DHCP) discovery request sent by the terminal is used to request an IP address from the access controller. The request may carry the terminal's physical address.
Step 402: The AC sends an access request message to the AAA server, which carries the terminal's default authentication information.
Specifically, the AC needs to request authentication of the terminal from the AAA server, and therefore needs to send an access request message to the AAA server. The default authentication information carried in the message includes a default user name and a default password. The access request message may be sent based on the RADIUS protocol.
Step 403: The AAA server returns an access response message to the AC, which carries the default control policy and the address of the Portal server.
After recognizing the default user name, the AAA server may further obtain the locally stored default control policy (the control policy corresponding to the default user name) and the address of the Portal server, and send them to the AC in the access response message. Specifically, the address of the Portal server may be the Uniform Resource Locator (URL) of the Portal server.
Step 404: The AC assigns an IP address to the terminal.
After assigning the IP address userip to the terminal, the AC sends that IP address to the terminal in a DHCP response.
Step 405: A charging session is established between the AC and the AAA server.
The established charging session is used to exchange charging-related data between the AC and the AAA server. The user name of the charging session is the default user name, and both the AAA server and the AC associate the session with the terminal's IP address, so that the associated session can subsequently be found from the terminal's IP address.
Step 406: The terminal initiates a webpage access request to the AC.
The user opens a browser on the terminal, enters any webpage, and initiates a Hypertext Transfer Protocol (HTTP) request to the AC.
Step 407: The AC redirects the access request and sends its own address information to the terminal.
The AC redirects the terminal's HTTP request to the URL of the Portal server and appends the AC's own IP address, nasipaddr, to that URL.
Steps 408-409: The terminal accesses the Portal server according to the redirect address and submits the terminal user name and password.
The user accesses the home page URL of the Portal server, which has input boxes for the user name and password; the user enters the terminal user name and password on the Portal page and clicks the login button to submit them.
Step 410: The Portal server initiates an authentication request message to the AAA server.
The authentication request message that the Portal server sends to the AAA server carries the terminal user name and password, the terminal IP address userip, and the IP address of the access controller, nasipaddr.
Step 411: The AAA server authenticates the terminal according to the terminal user name and password.
The AAA server authenticates by comparing the terminal user name and password information sent by the Portal server with the information in its database. If the terminal user name and password sent by the Portal server are identical to the user name and password stored in the database, authentication passes; otherwise authentication fails. In this embodiment, the user has entered the correct terminal user name and password, so authentication passes.
Step 412: The AAA server sends an authentication response message to the Portal server.
In this embodiment, since authentication passed, an authentication response message indicating success is sent to the Portal server, and the Portal server sends a notification message to the terminal informing the user that authentication has passed.
步骤413、AAA服务器向接入控制器发送认证结果。Step 413: The AAA server sends an authentication result to the access controller.
在本实施例中,认证结果可以通过修改授权(Change-Of-Authorization,COA)消息向nasipaddr地址信息对应的AC发送。 In this embodiment, the authentication result may be sent to the AC corresponding to the nasipaddr address information by using a Change-Of-Authorization (COA) message.
其中,COA消息中还可以包含终端IP地址userip和终端用户名,以及更新的控制策略,例如带宽,最大在线时长,最大可使用流量等等。The COA message may further include a terminal IP address userip and a terminal user name, and an updated control policy, such as bandwidth, maximum online duration, maximum available traffic, and the like.
具体的,COA消息中包含的参数如下:Specifically, the parameters included in the COA message are as follows:
[Figure PCTCN2017090606-appb-000001: table of COA message parameters (Acct-Session-ID, User-Name, Framed-IP-Address, Calling-Station-Id)]
Acct-Session-ID identifies the session that the COA message applies to. User-Name carries the user name; if the user name in User-Name differs from the user name associated with the session, the session's user name is changed to the one in User-Name. Framed-IP-Address identifies the IP address of the terminal associated with the session, and Calling-Station-Id identifies the physical (MAC) address of that terminal. Either the terminal's IP address or its physical address can be used to associate the session.
Step 414: The AC uses the terminal IP address in the COA message sent by the AAA server to find the associated session (the charging session established in step 405), changes the session's default user name to the terminal user name, and modifies the session's control policy according to the updated control policy.
After the session has been modified, the AC sends a COA Acknowledge (ACK) message to the AAA server. Subsequent charging by the AAA server uses the real user name.
Compared with the prior art, this embodiment of the present invention bypasses the interconnection between the Portal server and the AC and extends the function of the RADIUS-based COA interface between the AAA server and the AC: the AAA server uses a COA message to notify the AC in the reverse direction that the terminal's authentication has passed and to inform the AC of the real user name and the updated control policy, thereby implementing policy control of the terminal, that is, completing the terminal's network authentication.
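The AC-side handling of steps 405 and 413-414, as an added illustration that is not code from the patent or from Huawei: a session table opened under the default user name and then updated by a COA message that is associated by Acct-Session-ID, Framed-IP-Address or Calling-Station-Id. The attribute names are the ones the patent lists; DEFAULT_USER, the POLICY_KEYS names, the source-address check and all addresses are assumptions constructed for the example.

```python
# Added example, not from the patent or Huawei's implementation: an access
# controller (AC) session table driven by the RADIUS Change-of-Authorization
# (COA) message of steps 405 and 413-414. Attribute names are those the patent
# lists; DEFAULT_USER, POLICY_KEYS and the sample addresses are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_USER = "default"  # assumed default user name of the charging session (step 405)
# Assumed attribute names for the updated control policy (bandwidth, maximum
# online duration, maximum usable traffic); all values are integers.
POLICY_KEYS = ("bandwidth_kbps", "max_online_seconds", "max_traffic_mb")


@dataclass
class Session:
    session_id: str          # Acct-Session-ID
    user_name: str           # User-Name, DEFAULT_USER until the COA renames it
    user_ip: str             # Framed-IP-Address (userip)
    user_mac: str            # Calling-Station-Id
    policy: Dict[str, int] = field(default_factory=dict)

    def is_authenticated(self) -> bool:
        """The session counts as authenticated once the AAA server has renamed it."""
        return self.user_name != DEFAULT_USER


class AccessController:
    def __init__(self, aaa_server_ip: str, default_policy: Dict[str, int]) -> None:
        self.aaa_server_ip = aaa_server_ip
        self.default_policy = default_policy
        self.by_session_id: Dict[str, Session] = {}
        self.by_ip: Dict[str, Session] = {}
        self.by_mac: Dict[str, Session] = {}

    def start_accounting_session(self, session_id: str, user_ip: str, user_mac: str) -> Session:
        """Step 405: open the charging session under the default user name and index
        it by session id, terminal IP and terminal MAC so that a COA can find it."""
        session = Session(session_id, DEFAULT_USER, user_ip, user_mac, dict(self.default_policy))
        self.by_session_id[session_id] = session
        self.by_ip[user_ip] = session
        self.by_mac[user_mac] = session
        return session

    def _find_session(self, attrs: Dict[str, str]) -> Optional[Session]:
        """Associate the COA with a session by Acct-Session-ID, then Framed-IP-Address,
        then Calling-Station-Id; the patent allows either address to be used."""
        lookups = (("Acct-Session-ID", self.by_session_id),
                   ("Framed-IP-Address", self.by_ip),
                   ("Calling-Station-Id", self.by_mac))
        for attr, table in lookups:
            value = attrs.get(attr)
            if value is not None and value in table:
                return table[value]
        return None

    def handle_coa(self, src_ip: str, attrs: Dict[str, str]) -> Tuple[str, Optional[Session]]:
        """Step 414: rename the session to the terminal user name, apply the updated
        control policy and answer COA-ACK; otherwise answer COA-NAK."""
        # Only the configured AAA server may change authorization (assumed check).
        # A real RADIUS stack also verifies the shared-secret authenticator, omitted here.
        if src_ip != self.aaa_server_ip:
            return "CoA-NAK", None
        session = self._find_session(attrs)
        if session is None:
            return "CoA-NAK", None          # unknown session: nothing to modify
        new_name = attrs.get("User-Name")
        if new_name and new_name != session.user_name:
            session.user_name = new_name    # later charging records use the real name
        for key in POLICY_KEYS:
            if key in attrs:
                session.policy[key] = int(attrs[key])
        return "CoA-ACK", session


def demo() -> Tuple[str, bool, Dict[str, int]]:
    """Constructed walk-through: a default session, then a COA from the AAA server."""
    ac = AccessController("10.0.0.5", {"bandwidth_kbps": 512})  # constructed addresses
    ac.start_accounting_session("sess-0001", "192.0.2.10", "00-11-22-33-44-55")
    status, session = ac.handle_coa("10.0.0.5", {
        "Acct-Session-ID": "sess-0001",
        "User-Name": "alice",
        "Framed-IP-Address": "192.0.2.10",
        "bandwidth_kbps": "20000",
        "max_online_seconds": "3600",
    })
    return status, session.is_authenticated(), dict(session.policy)


if __name__ == "__main__":
    print(demo())
```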
Referring to FIG. 6, FIG. 6 is a hardware structural diagram of the authentication server and the access controller provided by Embodiment 6 of the present invention.
The authentication server and the access controller may respectively be the authentication server and the access controller shown in FIG. 1. Both use general-purpose computer hardware comprising a processor 601, a memory 602, a bus 603, an input device 604, an output device 605, and a network interface 606.
Specifically, the memory 602 may include computer storage media in the form of volatile and/or non-volatile memory, such as read-only memory and/or random access memory. The memory 602 may store an operating system, application programs, other program modules, executable code, and program data.
The input device 604 may be used to input commands and information to the authentication server and the access controller; it may be a keyboard or a pointing device such as a mouse, trackball, touch pad, microphone, joystick, game pad, satellite dish, scanner, or similar device. These input devices may be connected to the processor 601 through the bus 603.
The output device 605 may be used by the authentication server and the access controller to output information. Besides a monitor, the output device 605 may also be another peripheral output device such as a speaker and/or a printer; these output devices may also be connected to the processor 601 through the bus 603.
The authentication server and the access controller may be connected to a network, for example a Local Area Network (LAN), through the network interface 106. In a networked environment, the computer-executable instructions stored in the authentication server and the access controller may be stored in a remote storage device rather than only locally.
When the processor 601 in the authentication server executes the executable code or application program stored in the memory 602, the authentication server can perform the authentication-server-side method steps of Embodiments 2, 3, and 5 above, for example steps 101-103, 201-206, 403, 411, and so on. For the specific procedure, refer to Embodiments 2 and 3 above; details are not repeated here.
When the processor 601 in the access controller executes the executable code or application program stored in the memory 602, the access controller can perform the access-controller-side method steps of Embodiments 4 and 5 above, for example steps 301-303, 402, 404-405, and so on. For the specific procedure, refer to Embodiments 4 and 5 above; details are not repeated here.
Referring to FIG. 7, FIG. 7 is a schematic structural diagram of an authentication server provided by Embodiment 7 of the present invention.
As shown in the figure, the authentication server provided by this embodiment of the present invention includes:
an authentication receiving module 710, configured to receive an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, authentication information, and address information of the access controller;
an authentication module 720, configured to authenticate the terminal according to the authentication information; and
an authentication notification module 730, configured to send, when the authentication passes, an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the authenticated terminal.
The authentication server provided by this embodiment may be used in method Embodiments 2, 3, and 5 above; through the cooperation of the authentication receiving module 710, the authentication module 720, and the authentication notification module 730 it performs the authentication-server-side method steps of Embodiments 2, 3, and 5. Compared with a prior-art authentication server, the authentication server provided by this embodiment has the same beneficial effects as the foregoing method embodiments when performing network authentication.
In the authentication server provided by this embodiment, the authentication receiving module 710 is further configured to receive, before receiving the authentication request message sent by the portal server, an access request message sent by the access controller, where the access request message carries the terminal's default authentication information. The default authentication information carries a default user name.
The authentication server further includes an access processing module 740, configured to obtain the control policy and the redirect address corresponding to the default authentication information and to send an access response message to the access controller, where the access response message carries the control policy and the redirect address, so that the access controller allocates an IP address to the terminal and controls the terminal using the default control policy.
In addition, after the authentication passes, the authentication result that the authentication server sends to the access controller corresponding to the address information carries an updated control policy, so that the access controller controls the terminal according to the updated control policy and the terminal can access the internet.
In this embodiment the authentication server is presented in the form of functional units. A "unit" here may refer to an application-specific integrated circuit (ASIC), a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the above functions. In a simple embodiment, those skilled in the art will appreciate that the authentication server may also take the form shown in FIG. 6. The functions implemented by the authentication receiving module 710, the authentication module 720, the authentication notification module 730, and the access processing module 740 can all be implemented by the processor 601 and the memory 602 in FIG. 6. For example, the authentication receiving module 710 receiving the authentication request message sent by the portal server may be implemented by the processor 601 executing code stored in the memory 602.
Referring to FIG. 8, FIG. 8 is a schematic structural diagram of an access controller provided by Embodiment 8 of the present invention.
As shown in the figure, the access controller provided by this embodiment of the present invention mainly includes:
a response receiving module 810, configured to receive a web page access request sent by the terminal and return the address information of the access controller to the terminal;
the response receiving module is further configured to receive an authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the authenticated terminal; and
a terminal access module 820, configured to connect the terminal to the network according to the authentication result.
The access controller provided by this embodiment may be used in method Embodiments 4 and 5 above; through the cooperation of the response receiving module 810 and the terminal access module 820 it performs the access-controller-side method steps of Embodiments 4 and 5. Compared with a prior-art access controller, the access controller provided by this embodiment has the same beneficial effects as the foregoing method embodiments when performing network authentication.
Further, the access controller provided by this embodiment of the present invention may also include:
a request sending module 830, configured to send an access request message to the authentication server before the web page access request sent by the terminal is received, where the access request message carries the terminal's default authentication information.
Accordingly, the response receiving module 810 is further configured to receive an access response message sent by the authentication server, where the access response message carries a default control policy, so that the terminal is subjected to policy control according to the default control policy.
Optionally, the access response message further carries a redirect address, and the access controller may further include:
a redirection module 840, configured to redirect the web page access request according to the redirect address after the web page access request sent by the terminal is received. The redirect address may also be stored in the AC in advance.
Further referring to FIG. 8, the access controller provided by this embodiment of the present invention further includes:
a session maintenance module 850, configured to establish a charging session with the authentication server after the access response message sent by the authentication server is received, where the user name of the session is the default user.
In this embodiment, if the authentication result received by the access controller also carries the terminal user name, the session maintenance module 850 is further configured to change the user name of the charging session to the terminal user name, so that the terminal's internet access is charged under the terminal user name.
In this embodiment the access controller is presented in the form of functional units. A "unit" here may refer to an application-specific integrated circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the above functions. In a simple embodiment, those skilled in the art will appreciate that the access controller may also take the form shown in FIG. 6. The functions implemented by the response receiving module 810, the terminal access module 820, the request sending module 830, the redirection module 840, and the session maintenance module 850 can all be implemented by the processor 601 and the memory 602 in FIG. 6. For example, the response receiving module 810 receiving the web page access request sent by the terminal and returning the address information of the access controller to the terminal may be implemented by the processor 601 executing code stored in the memory 602.
Those of ordinary skill in the art will understand that the aspects of the present invention, or possible implementations of those aspects, may be embodied as a system, a method, or a computer program product. Accordingly, the aspects of the present invention, or possible implementations of those aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, and so on), or an embodiment combining software and hardware aspects, all of which are collectively referred to here as a "circuit", a "module", or a "system". Furthermore, the aspects of the present invention, or possible implementations of those aspects, may take the form of a computer program product, which refers to computer-readable program code stored in a computer-readable medium.
The foregoing is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.

Claims (17)

  1. A network authentication method applied to an authentication server, characterized by comprising:
    receiving an authentication request message sent by a portal server, where the authentication request message carries an identifier of a terminal, authentication information, and address information of an access controller;
    authenticating the terminal according to the authentication information; and
    when the authentication passes, sending an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the authenticated terminal.
  2. The method according to claim 1, characterized in that, before the receiving an authentication request message sent by a portal server, the method further comprises:
    receiving an access request message sent by the access controller, where the access request message carries default authentication information of the terminal; and
    obtaining a control policy and a redirect address corresponding to the default authentication information, and sending an access response message to the access controller, where the access response message carries the control policy and the redirect address.
  3. The method according to claim 2, characterized in that the authentication result carries an updated control policy.
  4. The method according to claim 1 or 2, characterized in that the authentication information of the terminal comprises a terminal user name and a password, and the authenticating the terminal according to the authentication information comprises:
    verifying whether the terminal user name and password in the authentication information are consistent with a locally stored user name and password; and
    if both the terminal user name and the password in the authentication information are consistent with the locally stored user name and password, passing the authentication of the terminal.
  5. A network authentication method applied to an access controller, characterized by comprising:
    receiving a web page access request sent by a terminal, and returning address information of the access controller to the terminal;
    receiving an authentication result sent by an authentication server according to the address information of the access controller, where the authentication result carries an identifier of the authenticated terminal; and
    connecting the terminal to the network according to the authentication result.
  6. The method according to claim 5, characterized in that, before the receiving a web page access request sent by a terminal, the method further comprises:
    sending an access request message to the authentication server, where the access request message carries default authentication information of the terminal; and
    receiving an access response message sent by the authentication server, where the access response message carries a control policy corresponding to the default authentication information.
  7. The method according to claim 6, characterized in that, after the receiving an access response message sent by the authentication server, the method further comprises:
    establishing a charging session with the authentication server, where the user name of the session is a default user.
  8. The method according to claim 7, characterized in that the authentication result further carries a terminal user name, and the method further comprises:
    changing the user name of the charging session to the terminal user name.
  9. The method according to any one of claims 6 to 8, characterized in that the access response message carries a redirect address, and the method further comprises:
    after receiving the web page access request sent by the terminal, redirecting the web page access request according to the redirect address.
  10. An authentication server, characterized by comprising:
    an authentication receiving module, configured to receive an authentication request message sent by a portal server, where the authentication request message carries an identifier of a terminal, authentication information, and address information of an access controller;
    an authentication module, configured to authenticate the terminal according to the authentication information; and
    an authentication notification module, configured to send, when the authentication passes, an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the authenticated terminal.
  11. The authentication server according to claim 10, characterized by further comprising:
    the authentication receiving module is further configured to receive, before receiving the authentication request message sent by the portal server, an access request message sent by the access controller, where the access request message carries default authentication information of the terminal; and
    an access processing module, configured to obtain a control policy and a redirect address corresponding to the default authentication information and send an access response message to the access controller, where the access response message carries the control policy and the redirect address.
  12. The authentication server according to claim 10, characterized in that the authentication result carries an updated control policy.
  13. An access controller, characterized by comprising:
    a response receiving module, configured to receive a web page access request sent by a terminal and return address information of the access controller to the terminal;
    the response receiving module is further configured to receive an authentication result sent by an authentication server according to the address information of the access controller, where the authentication result carries an identifier of the authenticated terminal; and
    a terminal access module, configured to connect the terminal to the network according to the authentication result.
  14. The access controller according to claim 13, characterized by further comprising:
    a request sending module, configured to send an access request message to the authentication server before the web page access request sent by the terminal is received, where the access request message carries default authentication information of the terminal; and
    the response receiving module is further configured to receive an access response message sent by the authentication server, where the access response message carries a default control policy.
  15. The access controller according to claim 14, characterized by further comprising:
    a session maintenance module, configured to establish a charging session with the authentication server after the access response message sent by the authentication server is received, where the user name of the session is a default user.
  16. The access controller according to claim 15, characterized in that the authentication result further carries a terminal user name, and the session maintenance module is further configured to change the user name of the charging session to the terminal user name.
  17. The access controller according to any one of claims 14 to 16, characterized in that the access response message further carries a redirect address, and the access controller further comprises:
    a redirection module, configured to redirect the web page access request according to the redirect address after the web page access request sent by the terminal is received.
PCT/CN2017/090606 2016-09-12 2017-06-28 Network authentication method and related device WO2018045798A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610820746.6A CN107819728B (en) 2016-09-12 2016-09-12 Network authentication method and related device
CN201610820746.6 2016-09-12

Publications (1)

Publication Number Publication Date
WO2018045798A1 true WO2018045798A1 (en) 2018-03-15

Family

ID=61561675

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/090606 WO2018045798A1 (en) 2016-09-12 2017-06-28 Network authentication method and related device

Country Status (2)

Country Link
CN (1) CN107819728B (en)
WO (1) WO2018045798A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110808976A (en) * 2019-10-31 2020-02-18 厦门亿联网络技术股份有限公司 WIFI-BT information authentication method, system, readable storage medium and IP phone
CN115022071A (en) * 2022-06-22 2022-09-06 湖北天融信网络安全技术有限公司 Network access control method and system of authentication server

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110505188B (en) * 2018-05-18 2021-10-22 华为技术有限公司 Terminal authentication method, related equipment and authentication system
CN112929188B (en) * 2019-12-05 2022-06-14 中国电信股份有限公司 Device connection method, system, apparatus and computer readable storage medium
CN114071650A (en) * 2021-09-26 2022-02-18 深圳市酷开网络科技股份有限公司 Cross-terminal network distribution method and device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697377A (en) * 2004-05-10 2005-11-16 华为技术有限公司 System and method for realizing door entry authentication service in network
CN103442359A (en) * 2013-09-02 2013-12-11 北京鹏通高科科技有限公司 Sensor node authentication method and system based on short distance wireless access mode
CN104009972A (en) * 2014-05-07 2014-08-27 华南理工大学 Network security access authentication system and authentication method thereof
CN105871853A (en) * 2016-04-11 2016-08-17 上海斐讯数据通信技术有限公司 Portal authenticating method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212297B (en) * 2006-12-28 2012-01-25 中国移动通信集团公司 WEB-based WLAN access authentication method and system
US8495714B2 (en) * 2011-07-20 2013-07-23 Bridgewater Systems Corp. Systems and methods for authenticating users accessing unsecured wifi access points
CN103634792B (en) * 2012-08-27 2016-12-21 中国移动通信集团公司 Method, device, client and the system of WLAN network user state monitoring
CN104427537B (en) * 2013-09-11 2018-02-02 中国电信股份有限公司 Control the method and system of Wifi terminals access internet

Also Published As

Publication number Publication date
CN107819728B (en) 2021-02-12
CN107819728A (en) 2018-03-20

Similar Documents

Publication Publication Date Title
WO2018045798A1 (en) Network authentication method and related device
CN106131079B (en) Authentication method, system and proxy server
US20220060464A1 (en) Server for providing a token
JP4291213B2 (en) Authentication method, authentication system, authentication proxy server, network access authentication server, program, and recording medium
US7194763B2 (en) Method and apparatus for determining authentication capabilities
WO2015101125A1 (en) Network access control method and device
JP2020126602A (en) Method and system for seamless single sign-on (sso) for native mobile-application initiated open-id connect (oidc) flow and security assertion markup language (saml) flow
WO2017113763A1 (en) Identity authentication method and apparatus
CN104158808A (en) Portal authentication method based on APP application and device
US9549318B2 (en) System and method for delayed device registration on a network
WO2014201636A1 (en) Identity login method and device
CN102984173A (en) Network access control method and system
CN104662873A (en) Reducing core network traffic caused by migrant
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
CN105981345B (en) The Lawful intercept of WI-FI/ packet-based core networks access
US9288674B2 (en) Convenient WiFi network access using unique identifier value
CN111049946B (en) Portal authentication method, portal authentication system, electronic equipment and storage medium
WO2017177691A1 (en) Portal authentication method and system
WO2013002886A1 (en) Network identity for software-as-a-service authentication
CN104144163A (en) Identity verification method, device and system
CN110505188A (en) A kind of terminal authentication method, relevant device and Verification System
JP6067005B2 (en) System and method for integrating OpenID into a telecommunications network
CN112311766B (en) Method and device for acquiring user certificate and terminal equipment
KR20070078212A (en) Multimode access authentication method for public wireless lan service
CN109962897B (en) Open platform authentication and access method and system based on two-dimensional code scanning

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17847971

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17847971

Country of ref document: EP

Kind code of ref document: A1