WO2018045798A1 - Network authentication method and related device - Google Patents

Publication number: WO2018045798A1
Authority: WO (WIPO (PCT))
Prior art keywords: authentication, terminal, access, access controller, server
Application number: PCT/CN2017/090606
Other languages: English (en), Chinese (zh)
Inventor: 袁静
Original Assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a network authentication method, related apparatus, and system.
  • WLAN: wireless local area network
  • WIFI: wireless fidelity
  • The network side device needs to authenticate the terminal; after the authentication is passed, the terminal accesses the network.
  • The terminal is usually authenticated based on a username and password.
  • The user accesses the portal page provided by the operator through the terminal and enters the terminal user name and password, and the portal web page submits the terminal user name and password to the access controller (AC).
  • The AC does not authenticate the terminal username and password itself, but forwards them to the authentication server, such as the Authentication, Authorization and Accounting (AAA) server, for authentication.
  • AAA: Authentication, Authorization and Accounting
  • The authentication server returns the result of successful authentication to the AC, and the AC passes the authentication result to the Portal server.
  • The Portal server displays the result to the user on the portal page, prompting the user that authentication succeeded.
  • The network authentication method provided by the prior art therefore requires the Portal server to send the terminal user name and password to the AC through the Portal protocol, and the AC to send the authentication result of the authentication server to the Portal server through the Portal protocol.
  • Because the Portal protocol is a proprietary protocol and there are a large number of ACs from different vendors in the carrier network, the Portal server needs to be adapted to the ACs of each vendor.
  • As a result, network authentication efficiency is low, and the development and maintenance costs of the Portal server are high.
  • Embodiments of the present invention provide a network authentication method, related apparatus and system that do not require a portal server to be adapted to access controllers (ACs) of different vendors.
  • In a first aspect, an embodiment of the present invention provides a network authentication method, which is applied to an authentication server and includes the following steps:
  • receiving an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller;
  • the authentication server authenticates the terminal according to the authentication information;
  • the authentication server sends an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the terminal that is authenticated.
  • In this way, the authentication server receives the authentication request message sent by the portal server, authenticates the terminal according to the authentication information carried in it, and sends the authentication result to the access controller after the authentication is passed.
  • The access controller accesses the terminal to the network according to the authentication result.
  • Because the authentication server receives the authentication information directly from the portal server, the authentication information does not need to be relayed through the access controller, which avoids the Portal protocol adaptation problem that arises when the portal server sends the authentication information to the access controller.
  • The portal server therefore does not need to be adapted to the access controller, which improves the efficiency of network authentication and reduces the development and maintenance cost of the portal server.
  • Optionally, before receiving the authentication request message sent by the portal server, the authentication server further receives an access request message sent by the access controller carrying the default authentication information of the terminal, and returns an access response message carrying a control policy and a redirect address corresponding to the default authentication information.
  • The access controller then controls the terminal according to the control policy and redirects the access request of the terminal according to the redirect address.
  • The authentication result sent by the authentication server carries the updated control policy and the terminal identifier, and the access controller controls the terminal's internet access according to the updated control policy.
  • Optionally, the authentication information of the terminal includes a terminal user name and a password.
  • The authentication server authenticating the terminal according to the authentication information then includes the following steps:
  • the authentication server verifies whether the terminal user name and password in the authentication information are consistent with the locally saved user name and password;
  • if they are consistent, the terminal passes authentication; if the terminal user name or password is inconsistent with the locally saved user name and password, the authentication fails, that is, the terminal is not allowed to access the network.
  • In a second aspect, an embodiment of the present invention further provides a network authentication method, which is applied to an access controller and includes the following steps:
  • the access controller receives a webpage access request sent by the terminal and returns the address information of the access controller to the terminal;
  • the access controller receives the authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the terminal that passes the authentication;
  • the access controller accesses the terminal to the network according to the authentication result.
  • In this way, after receiving the webpage access request of the terminal, the access controller returns its address information to the terminal, and the authentication server subsequently authenticates the user according to the authentication information.
  • The authentication result is sent to the access controller corresponding to the address information, and the access controller accesses the terminal according to the authentication result.
  • The access controller receives the authentication result directly from the authentication server and does not need to receive the authentication information from the portal server, so it does not need to be adapted to the portal server, which avoids the Portal protocol adaptation problem between the access controller and the portal server.
  • The access controller therefore does not need to adapt to the Portal protocol, which improves the efficiency of network authentication and reduces the development and maintenance costs of the portal server and the access controller.
  • Optionally, before the access controller receives the webpage access request sent by the terminal, the method further includes:
  • the access controller sends an access request message to the authentication server, where the access request message carries the default authentication information of the terminal; the access controller then receives an access response message sent by the authentication server, where the access response message carries the default control policy, and the access controller controls the terminal according to the default control policy.
  • The default control policy is the control policy corresponding to the default authentication information.
  • Optionally, the access controller may also establish a charging session with the authentication server, where the user name of the session is a default user, and charging is performed on this session.
  • Billing data is passed between the authentication server and the access controller over the session.
  • Optionally, the authentication result received by the access controller further carries the terminal user name; after receiving the authentication result, the access controller changes the user name of the charging session to the terminal user name, so that the terminal user name is used to charge the user for internet access.
  • Optionally, the access response message received by the access controller carries a redirect address.
  • After receiving the webpage access request sent by the terminal, the access controller redirects the webpage access request according to the redirect address, so that the terminal accesses the webpage of the portal server corresponding to the redirect address.
  • In a third aspect, an embodiment of the present invention provides an authentication server, which specifically includes the following functional modules:
  • an authentication receiving module, configured to receive an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller;
  • an authentication module, configured to authenticate the terminal according to the authentication information;
  • an authentication notification module, configured to send an authentication result to the access controller corresponding to the address information when the authentication is passed, where the authentication result carries the identifier of the terminal that is authenticated.
  • The authentication result may also carry an updated control policy, the identifier of the terminal, and the like.
  • Optionally, the authentication server further includes:
  • the authentication receiving module is further configured to receive, before receiving the authentication request message sent by the portal server, an access request message sent by the access controller, where the access request message carries the default authentication information of the terminal;
  • an access processing module, configured to obtain a control policy and a redirect address corresponding to the default authentication information, and to send an access response message to the access controller, where the access response message carries the control policy and the redirect address.
  • Optionally, after sending the access response message, the authentication server establishes a charging session with the access controller, over which charging data is transmitted between the authentication server and the access controller.
  • The authentication server provided by the third aspect corresponds to the network authentication method provided by the first aspect.
  • For the process and the beneficial effects of the network authentication method, refer to the network authentication method provided by the foregoing first aspect.
  • In a fourth aspect, an embodiment of the present invention provides an access controller, including:
  • a response receiving module, configured to receive a webpage access request sent by the terminal and return the address information of the access controller to the terminal;
  • the response receiving module is further configured to receive an authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries an identifier of the terminal that is authenticated;
  • a terminal access module, configured to access the terminal to the network according to the authentication result.
  • Optionally, the access controller further includes:
  • a request sending module, configured to send an access request message to the authentication server before the webpage access request is received from the terminal, where the access request message carries the default authentication information of the terminal;
  • the response receiving module is further configured to receive an access response message sent by the authentication server, where the access response message carries a default control policy.
  • Optionally, the access controller further includes:
  • a session maintenance module, configured to establish a charging session with the authentication server after receiving the access response message sent by the authentication server, where the user name of the session is a default user.
  • Optionally, the authentication result further carries a terminal user name,
  • and the session maintenance module in the access controller is further configured to change the user name of the charging session to the terminal user name.
  • Optionally, the access response message further includes a redirect address,
  • and the access controller further includes a redirection module, configured to redirect the webpage access request according to the redirect address after receiving the webpage access request sent by the terminal.
  • The access controller provided by the fourth aspect corresponds to the network authentication method provided by the second aspect; for the specific implementation process and beneficial effects, reference may be made to the network authentication method provided by the second aspect above.
  • An embodiment of the present invention further provides a network access system, which includes the authentication server according to the third aspect and the access controller according to the fourth aspect.
  • The authentication result may specifically be sent to the access controller by using a Change-Of-Authorization (COA) message.
  • COA: Change-Of-Authorization
  • The authentication server may specifically be an AAA server.
  • The network accessed by the terminal may specifically be a wireless local area network.
  • FIG. 1 is a schematic diagram of networking of a network authentication system according to Embodiment 1 of the present invention.
  • FIG. 2 is a flowchart of a network authentication method according to Embodiment 2 of the present invention.
  • FIG. 3 is a flowchart of a network authentication method according to Embodiment 3 of the present invention.
  • FIG. 4 is a flowchart of a network authentication method according to Embodiment 4 of the present invention.
  • FIG. 5 is a flowchart of a network authentication method according to Embodiment 5 of the present invention.
  • FIG. 6 is a hardware structural diagram of an authentication server and an access controller according to Embodiment 6 of the present invention.
  • FIG. 7 is a schematic structural diagram of an authentication server according to Embodiment 7 of the present invention.
  • FIG. 8 is a schematic structural diagram of an access controller according to Embodiment 8 of the present invention.
  • FIG. 1 is a schematic diagram of networking of a network authentication system according to Embodiment 1 of the present invention.
  • The network authentication system includes an authentication server, an access controller (AC), a portal server, and an access point (AP).
  • The above devices belong to the carrier network.
  • The AP is a physical access point of the WLAN and is used to provide the WIFI network signal.
  • The AC is a device that controls the terminal's access to the network.
  • The authentication server is specifically an AAA server, which is mainly used for authentication, authorization, and accounting of users.
  • The user equipment (UE) in this embodiment includes a mobile phone, a personal computer (PC), a tablet computer, and the like. User equipment can also be referred to as a terminal.
  • The terminal accesses the network through the WIFI network signal provided by the AP.
  • The terminal accesses the portal webpage provided by the portal server and enters the authentication information of the terminal.
  • The user submits the authentication information to the portal server through the portal webpage.
  • The portal server sends an authentication request message to the authentication server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
  • The network authentication method provided in Embodiment 2 of the present invention specifically includes the following steps:
  • Step 101: The authentication server receives an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
  • The AC assigns an IP address to the terminal, and the identifier of the terminal may be the IP address or the physical address of the terminal.
  • The authentication information may be the terminal user name, that is, the user name of the user who uses the terminal. To enhance security, a password can also be included in the authentication information.
  • The authentication server receives the authentication request message sent by the portal server; the request message can be transmitted between the Portal server and the authentication server through the Simple Object Access Protocol (SOAP).
  • SOAP: Simple Object Access Protocol
  • Step 102: The authentication server authenticates the terminal according to the authentication information.
  • The authentication server can verify whether the terminal user name and password in the authentication information match the previously saved user name and password. If they match, the authentication passes; otherwise the authentication fails.
  • The password input by the user may come from a short message sent by the operator network, or may be a password reserved by the user in the operator network. If the password comes from a short message sent by the carrier network, the authentication server can also verify the validity period of the password, that is, whether the length of time between the time the password was issued and the time the user inputs it exceeds the validity period, for example, 5 minutes. If the validity period has been exceeded, the authentication fails; if not, the server further verifies whether the username and password in the authentication information match the previously saved username and password.
  • The authentication server can also verify only the terminal user name: if the user name in the authentication information is the same as the locally saved user name, the authentication passes; otherwise the authentication fails.
  • Step 103: The authentication server sends an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the terminal that is authenticated.
  • The authentication server may send the authentication result to the corresponding AC through the Remote Authentication Dial-In User Service (RADIUS) protocol.
  • When the authentication result is that the authentication is passed, the AC accesses the terminal according to the authentication result, and the user can use the terminal to access the Internet.
  • In this embodiment, the authentication server receives the authentication request message sent by the portal server, authenticates the terminal according to the authentication information carried in the authentication request message, and sends the authentication result to the access controller after the authentication is passed.
  • The access controller accesses the terminal to the network according to the authentication result.
  • Because the authentication server receives the authentication information directly from the portal server, the authentication information does not need to be relayed through the access controller, which avoids the Portal protocol adaptation problem that arises when the portal server sends the authentication information to the access controller.
  • The Portal server therefore does not need to be adapted to the access controller, which improves the efficiency of network authentication and reduces the development and maintenance costs of the Portal server.
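The authentication server's decision in steps 101 to 103, as an added example that is not code from the patent: it applies the validity-period check for a password delivered by short message, then the comparison against the locally saved credentials, and only on success builds the result addressed to the AC. The message field names, the hashed credential store, the table of known AC addresses and the single-use handling of SMS passwords are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Validity period of a password delivered by SMS; the text gives 5 minutes as an example.
SMS_PASSWORD_VALIDITY_SECONDS = 5 * 60


@dataclass
class SmsPassword:
    value: str        # the password sent to the user by the operator network
    issued_at: float  # time the password was issued, seconds since the epoch


@dataclass
class AuthServer:
    """AAA-side handling of the authentication request message (steps 101-103)."""
    # Locally saved credentials ("a password reserved by the user in the operator network"):
    # username -> (salt, PBKDF2 hash). Storing a hash instead of the plaintext is an assumption.
    users: dict = field(default_factory=dict)
    # SMS passwords that have been issued and not yet used: username -> SmsPassword
    sms_passwords: dict = field(default_factory=dict)
    # Address information of the ACs this server may send results to (added check: a result is
    # only sent to an AC address the server already knows; the patent does not state this).
    known_acs: set = field(default_factory=set)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def issue_sms_password(self, username: str, value: str, issued_at: float) -> None:
        self.sms_passwords[username] = SmsPassword(value, issued_at)

    def _check_sms_password(self, username: str, password: str, now: float) -> Optional[str]:
        """Return None when the SMS password is valid and matches, otherwise a failure reason."""
        sms = self.sms_passwords.get(username)
        if sms is None:
            return "no_sms_password_issued"
        # Validity check from step 102: time between issue and input must not exceed the period.
        if now - sms.issued_at > SMS_PASSWORD_VALIDITY_SECONDS:
            self.sms_passwords.pop(username, None)
            return "password_expired"
        if not hmac.compare_digest(sms.value.encode("utf-8"), password.encode("utf-8")):
            return "credentials_mismatch"
        del self.sms_passwords[username]  # assumption: an SMS password is consumed once used
        return None

    def _check_saved_password(self, username: str, password: str) -> Optional[str]:
        """Compare against the locally saved user name and password (step 102)."""
        record = self.users.get(username)
        if record is None:
            return "credentials_mismatch"
        salt, digest = record
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return "credentials_mismatch"
        return None

    def handle_authentication_request(self, msg: dict, now: float) -> dict:
        """msg is the authentication request from the Portal server (assumed field names):
        terminal_id, username, password, password_source ("sms" or "saved"), ac_address.
        Returns the authentication result; on a pass it also names the AC to send it to."""
        ac_address = msg["ac_address"]
        if ac_address not in self.known_acs:
            return {"result": "fail", "reason": "unknown_access_controller"}
        username, password = msg["username"], msg["password"]
        if msg.get("password_source") == "sms":
            reason = self._check_sms_password(username, password, now)
        else:
            reason = self._check_saved_password(username, password)
        if reason is not None:
            return {"result": "fail", "reason": reason}
        # Step 103: the result carries the identifier of the authenticated terminal and, as in
        # Embodiment 3, the terminal user name and an updated control policy (sample values).
        return {
            "result": "pass",
            "send_to": ac_address,
            "terminal_id": msg["terminal_id"],
            "username": username,
            "control_policy": {"bandwidth_kbps": 20_000, "max_online_seconds": 3600},
        }
```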
  • FIG. 3 is a flowchart of a network authentication method according to Embodiment 3 of the present invention.
  • After detecting the wireless network provided by the operator, the terminal starts to access the wireless network; after receiving the network attach request of the terminal, the access controller sends an access request message to the authentication server.
  • The access request message carries the default authentication information of the terminal.
  • Step 201: The authentication server receives an access request message sent by the access controller, where the access request message carries the default authentication information of the terminal.
  • The access request message may further carry an identifier of the terminal, such as the physical address of the terminal.
  • The default authentication information of the terminal can be a default username, for example, 000.
  • The default username can be used by multiple different terminals.
  • The default authentication information can also include a default password.
  • Step 202: The authentication server obtains a redirect address and a control policy corresponding to the default authentication information, and sends an access response message to the access controller, where the access response message carries the control policy and the redirect address.
  • After receiving the default authentication information of the terminal sent by the access controller, the authentication server identifies from the authentication information that the terminal is using the default user name for authentication, obtains the control policy corresponding to the default user name, and returns an access response message to the access controller; the access response message carries the control policy and a redirect address, where the redirect address is the address of the Portal website.
  • The access controller receives the access response message sent by the authentication server, where the access response message carries the default control policy and the redirect address, so that after subsequently receiving the webpage access request of the terminal it can redirect the request according to the redirect address, that is, redirect it to the Portal server.
  • Step 203: A charging session is established between the authentication server and the access controller, and the user name of the session is a default user.
  • The authentication server may establish the charging session with the access controller locally and exchange billing-related data while interacting with the access controller.
  • The AC may likewise establish the charging session with the authentication server locally and transmit the charging-related data.
  • The current user name of the charging session is the default user because the terminal has not yet reported the terminal user name (the real user name) at this time.
  • The terminal initiates a webpage access request to the access controller; the access controller redirects the webpage access request to the portal server, and the portal server returns a login page to the terminal. The user inputs the terminal username and password on the page, and the portal server receives this authentication information (the terminal user name and password).
  • The Portal server then sends the authentication information to the authentication server in the authentication request message.
  • Step 204: The authentication server receives an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
  • Step 205: The authentication server authenticates the terminal according to the authentication information.
  • Step 206: The authentication server sends an authentication result to the access controller corresponding to the address information, where the authentication result carries the identifier of the terminal that is authenticated.
  • The authentication result sent by the authentication server may further include an updated control policy.
  • After receiving the authentication result, the access controller also replaces the default control policy with the updated control policy. Bandwidth control information may be included in the updated control policy.
  • The authentication result may further carry the terminal user name from the authentication information, and the access controller then changes the default user name of the charging session to the terminal user name, so as to facilitate subsequent charging for the user.
  • FIG. 4 is a flowchart of a network authentication method according to Embodiment 4 of the present invention.
  • After detecting the wireless network provided by the operator, the terminal starts to access the wireless network, the access controller allocates an IP address to the terminal, and after receiving the allocated IP address the terminal initiates a webpage access request.
  • The network authentication method provided by this embodiment of the present invention includes the following steps:
  • Step 301: The access controller receives a webpage access request sent by the terminal, and returns the address information of the access controller to the terminal.
  • The address of the Portal server may be pre-configured in the access controller; after the webpage access request of the terminal is received, the access request is redirected to the portal server.
  • The access controller also returns its own address information to the terminal, so that the terminal carries the address information of the access controller when it subsequently initiates a login request to the Portal server.
  • The authentication server can then feed back the authentication result of the terminal to the access controller according to the address information of the access controller.
  • Step 302: The access controller receives an authentication result sent by the authentication server according to the address information of the access controller, where the authentication result carries the identifier of the terminal that is authenticated.
  • The authentication server authenticates the terminal according to the authentication information of the terminal, and after the authentication is passed, the authentication result is sent to the access controller through the RADIUS protocol.
  • The authentication result carries the identifier of the terminal that is authenticated.
  • The authentication result also carries the control policy of the terminal, such as bandwidth, maximum online duration, and the like.
  • Step 303: The access controller accesses the terminal to the network according to the authentication result.
  • The access controller accesses the terminal to the network according to the authentication result, for example, by allowing the terminal to access the Internet and performing policy control on the terminal's Internet access.
  • In this embodiment, after receiving the webpage access request of the terminal, the access controller returns its address information to the terminal, and the authentication server subsequently authenticates the user according to the authentication information.
  • The authentication result is sent to the access controller corresponding to the address information, and the access controller accesses the terminal according to the authentication result.
  • The access controller receives the authentication result directly from the authentication server and does not need to receive the authentication information from the Portal server, so it does not need to be adapted to the Portal server, which avoids the Portal protocol adaptation problem between the access controller and the Portal server.
  • The access controller therefore does not need to adapt to the Portal protocol, which improves the efficiency of network authentication and reduces the development and maintenance costs of the Portal server and the access controller.
  • Optionally, before receiving the webpage access request sent by the terminal, the access controller may further send an access request message to the authentication server when it receives the network attach request of the terminal,
  • where the access request message carries the default authentication information of the terminal.
  • The reason for sending the default authentication information is that the terminal has not yet been authenticated by the network, so default authentication information is provided instead.
  • The access controller receives an access response message sent by the authentication server, where the access response message carries a default control policy and a redirect address,
  • and the access controller controls the terminal according to the default control policy.
  • After receiving the webpage access request sent by the terminal, the access controller redirects the webpage access request according to the redirect address, that is, to the portal server.
  • The access controller may also establish a charging session with the authentication server, where the user name of the session is a default user.
  • The access controller may associate the identifier of the terminal, such as its IP address, with the session, so that the session can subsequently be found according to the identifier of the terminal.
  • After the authentication result is received, the user name of the charging session is further changed to the terminal user name, so that the terminal user name is used to perform charging control on the online process of the terminal.
  • FIG. 5 is a flowchart of a network authentication method according to Embodiment 5 of the present invention.
  • the user accesses the WLAN provided by the operator through the terminal (for example, the smart device), and the smart device initiates the WLAN connection after detecting the network signal of the WLAN, and the network authentication method provided by the embodiment of the present invention includes the following process. :
  • Step 401 The terminal initiates a DHCP discovery request to the AC.
  • the terminal sends a Dynamic Host Configuration Protocol (DHCP).
  • DHCP Dynamic Host Configuration Protocol
  • the request is now used to request an IP address from the access controller.
  • the physical address of the terminal can be carried in the request.
  • Step 402 The AC sends an access request message to the AAA server, where the message carries the default authentication information of the terminal.
  • the AC needs to request the AAA server for authentication of the terminal, and therefore needs to send an access request message to the AAA server.
  • the default authentication information carried in it includes a default username and a default password.
  • the access request message can be sent based on the RADIUS protocol.
  • Step 403 The AAA server returns an access response message to the AC, where the default control policy and the address of the Portal server are carried.
  • the AAA server obtains the default control policy (the control policy corresponding to the default user name) and the address of the Portal server, and sends them to the AC in the access response message.
  • the address of the Portal server may be a Uniform Resource Locator (URL) of the Portal server.
  • Step 404 The AC allocates an IP address to the terminal.
  • after the AC allocates the IP address userip to the terminal, it sends the IP address to the terminal in a DHCP response.
  • Step 405 Establish a charging session between the AC and the AAA server.
  • the established charging session is used to transfer charging related data between the AC and the AAA server.
  • the user name of the charging session is the default user name, and the AAA server and the AC associate the session with the IP address of the terminal, so that the associated session can be found according to the IP address of the terminal.
  • Step 406 The terminal initiates a webpage access request to the AC.
  • the user opens a browser on the terminal and enters any web page, and the terminal sends a Hyper Text Transfer Protocol (HTTP) request that reaches the AC.
  • Step 407 The AC redirects the access request and sends its own address information to the terminal.
  • the AC redirects the HTTP request of the terminal to the URL of the Portal server and appends the AC's own IP address, nasipaddr, to the URL.
  • Steps 408-409 The terminal accesses the Portal server according to the redirected address and submits the terminal username and password.
  • the user accesses the home page URL of the Portal server.
  • the page has a user name and password input box.
  • the user enters the terminal user name and password information on the portal, and clicks the login button to submit the terminal user name and password.
  • Step 410 The Portal server initiates an authentication request message to the AAA server.
  • the authentication request message sent by the Portal server to the AAA server carries the terminal user name and password, the terminal IP address userip, and the IP address of the access controller nasipaddr.
  • Step 411 The AAA server authenticates the terminal according to the terminal user name and password.
  • the AAA server performs authentication according to the terminal user name and password information sent by the Portal server and the information in the database. If the terminal user name and password information sent by the Portal server are the same as the user name and password stored in the database, the authentication is passed, otherwise the authentication fails. In this embodiment, the user enters the correct terminal username and password, and the authentication passes.
  • Step 412 The AAA server sends an authentication response message to the Portal server.
  • if the authentication succeeds, the AAA server sends an authentication response message to the Portal server, and the Portal server sends a notification message to the terminal to inform the user that the authentication has passed.
  • Step 413 The AAA server sends an authentication result to the access controller.
  • the authentication result may be sent to the AC identified by the nasipaddr address information by using a Change-Of-Authorization (COA) message. The COA message may further include the terminal IP address userip, the terminal user name, and an updated control policy, such as bandwidth, maximum online duration, maximum available traffic, and the like.
  • the parameters included in the COA message are as follows:
  • the Acct-Session-ID identifies the session to which the COA message applies.
  • the User-Name carries the user name. If the user name in User-Name differs from the user name currently associated with the session, the session's user name is changed to the one in User-Name.
  • the Framed-IP-Address carries the IP address of the terminal corresponding to the session, and the Calling-Station-Id carries the physical address of the terminal corresponding to the session. Either the IP address or the physical address of the terminal can be used to associate the session.
  • Step 414 The AC associates the terminal IP address in the COA message sent by the AAA server with the charging session established in step 405, modifies the default user name in the session to the terminal user name, and modifies the control policy of the session according to the updated control policy.
  • after the session is modified, the AC sends a COA Acknowledge (ACK) message to the AAA server. Subsequent charging by the AAA server uses the real user name.
  • this embodiment dispenses with an interconnection between the Portal server and the AC and instead extends the RADIUS-based COA interface between the AAA server and the AC: the AAA server uses the COA message to notify the AC that the terminal has passed authentication, together with the real user name and the updated control policy, so that policy control of the terminal is applied and the network authentication of the terminal is completed.
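The exchange described in steps 405 and 413-414 (and summarised for the access controller in the embodiment 4 notes above), as an added example that is not code from the patent: a AAA server that checks the portal-submitted credentials and pushes the real user name plus an updated policy to the AC in a RADIUS CoA-Request, and an AC that verifies the Request Authenticator of RFC 5176 and the session binding before it touches the charging session. The RADIUS codes and attribute numbers are the standard ones; the shared secret, addresses, session ids, user records and the 3600-second Session-Timeout used as the "updated control policy" are constructed for the demo.

```python
"""Added example (not the patent's code): simulation of the CoA step between a
AAA server and an access controller (AC).  The AC keeps one charging session per
terminal IP under the default user name; after the portal login the AAA server
sends a CoA-Request (RFC 5176) carrying Acct-Session-Id, User-Name,
Framed-IP-Address and a new policy, and the AC accepts it only if the Request
Authenticator verifies and the session binding matches.  All data is made up."""
import hashlib
import hmac
import os
import struct
from urllib.parse import urlencode

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45                        # RADIUS codes
USER_NAME, FRAMED_IP_ADDRESS, SESSION_TIMEOUT, ACCT_SESSION_ID = 1, 8, 27, 44
DEFAULT_USER = "default"

def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS TLVs (length covers the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((t, data[2:length]))
        data = data[length:]
    return out

def build_coa_request(secret, ident, attrs):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def build_coa_response(secret, code, ident, req_auth):
    hdr = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()

def redirect_url(portal_url, nasipaddr, userip):
    """Step 407: send the terminal to the portal with the AC's own address appended."""
    return portal_url + "?" + urlencode({"nasipaddr": nasipaddr, "userip": userip})

class AccessController:
    def __init__(self, secret):
        self.secret = secret
        self.sessions = {}  # userip -> charging session, looked up by terminal IP (step 405)

    def start_session(self, userip, mac):
        sid = os.urandom(4).hex()
        self.sessions[userip] = {"id": sid, "mac": mac, "user": DEFAULT_USER,
                                 "policy": {"portal_only": True}}
        return sid

    def handle_coa(self, packet):
        """Step 414: verify the CoA, bind it to a session, then update user name and policy."""
        if len(packet) < 20:
            return None
        code, ident, length = struct.unpack("!BBH", packet[:4])
        req_auth, body = packet[4:20], packet[20:]
        if code != COA_REQUEST or length != len(packet):
            return None
        expected = hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest()
        if not hmac.compare_digest(expected, req_auth):  # forged or tampered: no state change
            return build_coa_response(self.secret, COA_NAK, ident, req_auth)
        attrs = dict(decode_attrs(body))
        userip = ".".join(str(b) for b in attrs.get(FRAMED_IP_ADDRESS, b""))
        sess = self.sessions.get(userip)
        if (sess is None or USER_NAME not in attrs
                or sess["id"].encode() != attrs.get(ACCT_SESSION_ID)):
            return build_coa_response(self.secret, COA_NAK, ident, req_auth)
        sess["user"] = attrs[USER_NAME].decode()          # default user -> real user name
        timeout = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0] if SESSION_TIMEOUT in attrs else None
        sess["policy"] = {"portal_only": False, "session_timeout": timeout}
        return build_coa_response(self.secret, COA_ACK, ident, req_auth)

class AAAServer:
    def __init__(self, secret):
        self.secret, self.users, self.ident = secret, {}, 0

    def add_user(self, name, password):
        salt = os.urandom(16)  # store a salted PBKDF2 hash, never the password itself
        self.users[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authenticate(self, name, password, userip, session_id):
        """Steps 411-413: check the portal-submitted credentials, then build the CoA for the AC."""
        salt, stored = self.users.get(name, (b"", b""))
        if not stored or not hmac.compare_digest(
                stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            return None
        self.ident = (self.ident + 1) % 256
        attrs = [(ACCT_SESSION_ID, session_id.encode()), (USER_NAME, name.encode()),
                 (FRAMED_IP_ADDRESS, bytes(int(o) for o in userip.split("."))),
                 (SESSION_TIMEOUT, struct.pack("!I", 3600))]   # the updated control policy
        return build_coa_request(self.secret, self.ident, attrs)

    def check_response(self, request, response):
        """Accept the AC's answer only if its Response Authenticator matches our request."""
        expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + self.secret).digest()
        return hmac.compare_digest(expected, response[4:20]) and response[0] == COA_ACK
```

The two checks in `handle_coa` are the ones a practitioner wants here: without the authenticator check, anyone who can reach the AC's CoA port could rename a default session to a paying user and lift its policy; without the Acct-Session-Id/Framed-IP-Address binding, a stale or replayed CoA could be applied to whichever terminal currently holds that IP. The MD5-based authenticator of RFC 5176 only proves knowledge of the shared secret, so in a deployment the AAA-to-AC path should additionally be confined to a management network or carried over RADIUS/TLS.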
  • FIG. 6 is a hardware structural diagram of an authentication server and an access controller according to Embodiment 6 of the present invention.
  • the authentication server and the access controller may respectively be the authentication server and the access controller shown in FIG. 1 .
  • the authentication server and the access controller employ general purpose computer hardware including a processor 601, a memory 602, a bus 603, an input device 604, an output device 605, and a network interface 606.
  • memory 602 can include computer storage media in the form of volatile and/or nonvolatile memory, such as read only memory and/or random access memory.
  • Memory 602 can store operating systems, applications, other program modules, executable code, and program data.
  • Input device 604 can be used to input commands and information to the authentication server and the access controller, and may be a keyboard or a pointing device such as a mouse, trackball, touch pad, microphone, joystick, game pad, satellite television antenna, scanner or similar device. These input devices can be connected to the processor 601 via the bus 603.
  • the output device 605 can be used by the authentication server and the access controller to output information. The output device 605 can also be configured for other peripheral outputs, such as speakers and/or printing devices, which can likewise be connected to the processor 601 through the bus 603.
  • the authentication server and the access controller can be connected to a network, for example a local area network (LAN), through the network interface 606.
  • computer execution instructions stored in the authentication server and access controller may be stored in a remote storage device, and are not limited to being stored locally.
  • the authentication server may perform the method steps on the authentication server side in the second, third and fifth embodiments, for example steps 101-103, 201-206, 403, 411, and the like.
  • the access controller may perform the method steps on the access controller side in the fourth and fifth embodiments above, such as performing Steps 301-303, 402, 404-405, and the like.
  • FIG. 7 is a schematic structural diagram of an authentication server according to Embodiment 7 of the present invention.
  • the authentication server provided by the embodiment of the present invention includes:
  • the authentication receiving module 710 is configured to receive an authentication request message sent by the portal server, where the authentication request message carries the identifier of the terminal, the authentication information, and the address information of the access controller.
  • the authentication module 720 is configured to authenticate the terminal according to the authentication information.
  • the authentication notification module 730 is configured to send an authentication result to the access controller corresponding to the address information when the authentication is passed, where the authentication result carries the identifier of the terminal that is authenticated.
  • the authentication server provided by this embodiment may be used in the foregoing method embodiments 2, 3, and 5; the method steps on the authentication server side are carried out through the cooperation of the authentication receiving module 710, the authentication module 720, and the authentication notification module 730.
  • the authentication server provided in this embodiment has the same beneficial effects as the foregoing method embodiment when performing network authentication.
  • the authentication receiving module 710 is further configured to: before receiving the authentication request message sent by the portal server, receive an access request message sent by the access controller, where the access request message carries the default authentication information of the terminal.
  • the default authentication information carries the default username.
  • the authentication server further includes an access processing module 740, configured to acquire a control policy and a redirect address corresponding to the default authentication information, and to send an access response message to the access controller, where the access response message carries the control policy and the redirect address, so that the access controller assigns an IP address to the terminal and controls the terminal using the default control policy.
  • after the authentication is passed, the authentication server carries the updated control policy in the authentication result sent to the access controller corresponding to the address information, so that the access controller controls the terminal according to the updated control policy and the terminal can access the internet.
  • the authentication server is presented in the form of a functional unit.
  • a "unit" herein may refer to an application-specific integrated circuit (ASIC), circuitry, a processor and memory that executes one or more software or firmware programs, integrated logic circuitry, and/or other devices that provide the functionality described above.
  • the authentication server may also take the form shown in FIG. 6.
  • the functions of the authentication receiving module 710, the authentication module 720, the authentication notification module 730, and the access processing module 740 can be implemented by the processor 601 and the memory 602 in FIG. 6.
  • the authentication receiving module 710 receiving the authentication request message sent by the portal server can be implemented by the processor 601 executing the code stored in the memory 602.
  • FIG. 8 is a schematic structural diagram of an access controller according to Embodiment 8 of the present invention.
  • the access controller provided by the embodiment of the present invention mainly includes:
  • the response receiving module 810 is configured to receive a webpage access request sent by the terminal, and return the address information of the access controller to the terminal;
  • the response receiving module is further configured to receive an authentication result that is sent by the authentication server according to the address information of the access controller, where the authentication result carries an identifier of the terminal that is authenticated;
  • the terminal access module 820 is configured to access the terminal to the network according to the authentication result.
  • the access controller provided by this embodiment can be used in the foregoing method embodiments 4 and 5; the method steps on the access controller side of the fourth and fifth embodiments are carried out through the cooperation of the response receiving module 810 and the terminal access module 820. Compared with the access controller in the prior art, the access controller provided in this embodiment has the same beneficial effects as the foregoing method embodiments when performing network authentication.
  • the access controller provided by the embodiment of the present invention may further include:
  • the request sending module 830 is configured to send an access request message to the authentication server before the webpage access request sent by the receiving terminal, where the access request message carries the default authentication information of the terminal.
  • the response receiving module 810 is further configured to receive an access response message sent by the authentication server, where the access response message carries a default control policy, so as to perform policy control on the terminal according to a default control policy.
  • the foregoing access response message further includes a redirect address.
  • the access controller may further include:
  • the redirection module 840 is configured to redirect the webpage access request according to the redirected address after receiving the webpage access request sent by the terminal.
  • the redirect address may also be pre-stored in the AC.
  • the access controller provided by the embodiment of the present invention further includes:
  • the session maintenance module 850 is configured to establish a charging session with the authentication server after receiving the access response message sent by the authentication server, where the user name of the session is a default user.
  • the session maintenance module 850 is further configured to modify the user name of the charging session to the terminal user name, so that charging for the terminal's internet access is performed under the terminal user name.
  • the access controller is presented in the form of a functional unit.
  • a "unit" herein may refer to an application-specific integrated circuit, a processor and memory that executes one or more software or firmware programs, integrated logic circuits, and/or other devices that provide the functionality described above.
  • the access controller can also take the form shown in FIG. 6.
  • the functions implemented by the response receiving module 810, the terminal access module 820, the request sending module 830, the redirecting module 840, and the session maintenance module 850 can be implemented by the processor 601 and the memory 602 in FIG. 6.
  • the response receiving module 810 receives the webpage access request sent by the terminal, and returning the address information of the access controller to the terminal may be implemented by the processor 601 executing the code stored in the memory 602.
  • aspects of the present invention, or possible implementations of various aspects may be embodied as a system, method, or computer program product.
  • aspects of the invention, or possible implementations of various aspects may be in the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, etc.), or a combination of software and hardware aspects, They are collectively referred to herein as "circuits," “modules,” or “systems.”
  • aspects of the invention, or possible implementations of various aspects, may take the form of a computer program product; a computer program product refers to computer readable program code stored on a computer readable medium.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

In embodiments of the present invention, an authentication server receives an authentication request message sent by a portal server, authenticates a terminal according to the authentication information carried in the authentication request message and, once the authentication has succeeded, sends the authentication result to an access controller, so that the access controller allows the terminal to access a network according to the authentication result. Compared with the prior art, the authentication server receives the authentication information directly from the portal server, that is, the authentication information does not need to be forwarded by an access controller, which avoids the portal protocol adaptation problems that arise when the portal server must send the authentication information to the access controller; thus no adaptation step between the portal server and the access controller needs to be added, the efficiency of network authentication is improved, and the development and maintenance costs of the portal server are reduced.
PCT/CN2017/090606 2016-09-12 2017-06-28 Procédé d'authentification de réseau et dispositif associé WO2018045798A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610820746.6A CN107819728B (zh) 2016-09-12 2016-09-12 网络认证方法、相关装置
CN201610820746.6 2016-09-12

Publications (1)

Publication Number Publication Date
WO2018045798A1 true WO2018045798A1 (fr) 2018-03-15

Family

ID=61561675

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/090606 WO2018045798A1 (fr) 2016-09-12 2017-06-28 Procédé d'authentification de réseau et dispositif associé

Country Status (2)

Country Link
CN (1) CN107819728B (fr)
WO (1) WO2018045798A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110808976A (zh) * 2019-10-31 2020-02-18 厦门亿联网络技术股份有限公司 Wifi-bt信息认证方法、系统、可读存储介质及ip话机
CN115022071A (zh) * 2022-06-22 2022-09-06 湖北天融信网络安全技术有限公司 一种认证服务器的网络接入控制方法及系统

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124452B (zh) * 2018-05-18 2023-03-10 华为技术有限公司 一种终端认证方法、相关设备和认证系统
CN112929188B (zh) * 2019-12-05 2022-06-14 中国电信股份有限公司 设备连接方法、系统、装置及计算机可读存储介质
CN114071650A (zh) * 2021-09-26 2022-02-18 深圳市酷开网络科技股份有限公司 跨端配网方法、装置、计算机设备及存储介质

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697377A (zh) * 2004-05-10 2005-11-16 华为技术有限公司 网络中实现门户认证服务的系统及其方法
CN103442359A (zh) * 2013-09-02 2013-12-11 北京鹏通高科科技有限公司 基于短距离无线接入方式的传感器节点认证方法和系统
CN104009972A (zh) * 2014-05-07 2014-08-27 华南理工大学 网络安全接入的认证系统及其认证方法
CN105871853A (zh) * 2016-04-11 2016-08-17 上海斐讯数据通信技术有限公司 一种入口认证方法和系统

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212297B (zh) * 2006-12-28 2012-01-25 中国移动通信集团公司 基于web的wlan接入认证方法及系统
US8495714B2 (en) * 2011-07-20 2013-07-23 Bridgewater Systems Corp. Systems and methods for authenticating users accessing unsecured wifi access points
CN103634792B (zh) * 2012-08-27 2016-12-21 中国移动通信集团公司 Wlan网络用户状态监测的方法、装置、客户端及系统
CN104427537B (zh) * 2013-09-11 2018-02-02 中国电信股份有限公司 控制Wifi终端接入互联网的方法与系统

Also Published As

Publication number Publication date
CN107819728B (zh) 2021-02-12
CN107819728A (zh) 2018-03-20

Similar Documents

Publication Publication Date Title
WO2018045798A1 (fr) Procédé d'authentification de réseau et dispositif associé
CN106131079B (zh) 一种认证方法、系统及代理服务器
US20220060464A1 (en) Server for providing a token
CN101702717B (zh) 一种Portal认证的方法、系统及设备
JP4291213B2 (ja) 認証方法、認証システム、認証代行サーバ、ネットワークアクセス認証サーバ、プログラム、及び記録媒体
US7194763B2 (en) Method and apparatus for determining authentication capabilities
WO2015101125A1 (fr) Procédé et dispositif de contrôle d'accès au réseau
JP2020126602A (ja) ネイティブモバイルアプリケーション起点のOpenID Connect(OIDC)フロー及びセキュリティアサーションマークアップ言語(SAML)フローのためのシームレスなシングルサインオン(SSO)のための方法及びシステム
WO2017113763A1 (fr) Procédé et appareil d'authentification d'identité
CN104158808A (zh) 基于APP应用的Portal认证方法及其装置
US9549318B2 (en) System and method for delayed device registration on a network
CN102984173A (zh) 网络接入控制方法及系统
CN104662873A (zh) 减少由迁移引起的核心网络流量
CN105981345B (zh) Wi-fi/分组核心网接入的合法侦听
WO2017177691A1 (fr) Procédé et système d'authentification de portail
US9288674B2 (en) Convenient WiFi network access using unique identifier value
CN111049946B (zh) 一种Portal认证方法、系统及电子设备和存储介质
WO2013002886A1 (fr) Identité de réseau pour authentification de logiciel comme service
CN104144163A (zh) 身份验证方法、装置及系统
CN110505188A (zh) 一种终端认证方法、相关设备和认证系统
CN105635148B (zh) 一种Portal认证方法及装置
JP6067005B2 (ja) OpenIDを電気通信ネットワークに統合するシステムおよび方法
CN112311766B (zh) 一种用户证书的获取方法及装置、终端设备
KR20070078212A (ko) 공중 무선랜에서의 다중 모드 접속 인증 방법
CN109962897B (zh) 一种基于二维码扫描的开放平台认证、访问方法及其系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17847971

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17847971

Country of ref document: EP

Kind code of ref document: A1