Background art
In the Web authentication mechanism of present-day WLANs (wireless local area networks), an important authentication mode is Portal authentication, usually also called Web authentication; a website that performs Portal authentication is generally called a portal website. While a user is online but not yet authenticated, the access device forces the user to log in at a particular site, where the user can access services free of charge. Traditional access control schemes such as 802.1x and PPPoE all require the cooperation of a client and can only control user access at the access layer. The Portal authentication technique provides a flexible access control scheme: no client needs to be installed, and access control can be implemented at the access layer or at the entrance to the critical data that needs protection.
When a user needs to obtain information from the Internet, the user must authenticate at the portal website and can use Internet resources only after the authentication has passed. The authentication process during network access of a wireless network user is completed jointly by the access controller (Access Controller, AC), the Portal authentication server and the remote authentication dial-in user server (Remote Access Dial In User Service Server, RADIUS Server). After the user accesses the WLAN, the pushed page confirming authentication success must remain open while the user visits the Internet; once that page is closed, the online session is interrupted, and at that moment the user must perform the WLAN access authentication again to regain the authority to visit the Internet.
The implementation framework of the existing Web-based WLAN authentication mechanism is shown in Figure 1. After the user first passes authentication, the AC keeps a session state table that records the authenticated user sessions and maintains the correspondence between the user IP address and the Mobile Subscriber International ISDN Number.
Based on the authentication mechanism framework shown in Figure 1, the network access authentication flow of a WLAN user comprises the following steps, as shown in Figure 2:
S101, after the terminal and the access point AP establish a physical connection, the AC device allocates an IP address to the terminal via the DHCP protocol;
S102, the terminal initiates an HTTP service request;
S103, the AC intercepts the user's HTTP request; if the user has not authenticated, the request is forcibly redirected to the Portal server, with the relevant parameters added to the forced portal URL;
S104, the Portal server pushes the Web authentication page to the WLAN user terminal;
S105, the user enters information such as the user name and password on the authentication page and submits it to the Portal server;
S106, user authentication is performed among the Portal server, the AC and the RADIUS server using the CHAP flow. Specifically: the Portal server sends a REQ_CHALLENGE[IP] message to the AC requesting the user's IP address; the AC feeds back an ACK[IP, challenge, reqID] message to the Portal server; the Portal server encrypts the user name and password according to the encryption rule and sends the encrypted result to the AC; the AC forwards the encrypted result to the RADIUS authentication server; the RADIUS authentication server applies the same encryption rule to the stored user name and password of the same user and compares the result it generates with the received encrypted result: if the two are identical authentication succeeds, otherwise authentication fails; the RADIUS authentication server sends the authentication result Access-Accept/Access-Reject to the AC;
S107, the AC maintains the mapping table between the user IP address and the Mobile Subscriber International ISDN Number, and returns the authentication result (carrying the user's phone number) and the related service attributes to the Portal server;
S108, the Portal server pushes the authentication result page according to the authentication result: on success it pushes the portal website page to the user; on failure it returns an error message;
S109, the Portal server replies to the AC that the authentication result message has been received, and the charging flow begins.
The shortcomings of the prior art are mainly as follows: after the user accesses the WLAN, the "authentication success" pushed page must remain open while the user visits the Internet; once that page is closed, the online session is interrupted, and when the user visits the Internet again the user name and password must be re-entered to authenticate and log in. Because the login interface may be pushed frequently and the user has to repeatedly enter the user name and password, the actual user authentication efficiency of WLANs in practical use is low.
Embodiments
The WLAN terminal authentication method and device provided by the embodiments of the invention solve the problem, in the Portal authentication process of a WLAN, that the user has to repeatedly enter the user name and password to log in, which results in low authentication efficiency. The invention is mainly based on the following idea. When a WLAN user logs in for the first time, the user enters a user name/password and an authentication-exempt period on the authentication interface pushed by the Portal server and authenticates; after authentication succeeds, the Portal server records the authentication-related information such as the user name/password, login time and authentication-exempt period as user login authentication information and writes that information to the user terminal in encrypted form. Within the authentication-exempt period, when a user terminal that is not in the logged-in state requests Internet access again, the broadband access controller redirects the terminal's Internet access request to the Portal server, and the terminal's Internet access request at this point carries the user login authentication information. The Portal server can securely authenticate the user terminal from the user information carried in the user login authentication information, without pushing the authentication interface again and requiring the user terminal to log in again. In the embodiments of the invention the storage format of the user login authentication information is described using the Cookie format as an example, but it should not be regarded as limited to this kind of storage format.
Embodiment 1 of the invention provides a WLAN terminal authentication method in which the flow of the first login of the user terminal comprises the following steps, as shown in Figure 3:
S301, after the terminal and the access point AP establish a physical connection, the access controller AC device allocates an IP address to the terminal via the DHCP protocol;
S302, the terminal initiates an HTTP service request for Internet access;
S303, the AC intercepts the user's HTTP request; because the user has not passed authentication (the current terminal is not in the logged-in state), the AC forcibly redirects this HTTP request to the Portal server, and an HTTPS secure channel is opened between the Portal server and the terminal;
S304, the Portal server checks whether the HTTP request carries cookie information (user login authentication information), which is normally encrypted; because this HTTP request carries no cookie information, the Portal authentication interface is pushed to the WLAN user terminal;
S305, the user enters information such as the user name and password on the authentication interface and submits it to the Portal server; message transmission between the user terminal UE and the Portal server is carried out over the HTTPS secure channel protocol, which effectively protects the security of the user information;
S306, user authentication is performed among the Portal server, the AC and the RADIUS server using the CHAP flow;
S307, the AC returns the authentication result and the related service attributes to the Portal server;
S308, the Portal server sends an authentication result message according to the authentication result and pushes the authentication result page: on success it pushes the portal page to the user and at the same time generates encrypted cookie information containing the user information and the authentication-exempt period and writes it to the user terminal; at this point the Portal server and the client are connected by the HTTPS secure channel, which protects the security of the Cookie write; on failure it returns an error message;
S309, the AC forwards the page pushed by the Portal server to the user terminal; the Portal server replies an authentication acknowledgement message to the AC, and the AC begins the charging flow.
When the user attempts the login authentication of the local area network (LAN) for the first time, the Portal server must push the authentication interface to the user; the user fills in the user name/password on the authentication interface, the Portal server performs the CHAP authentication flow described above, and after authentication passes the Portal server also generates cookie information (user login authentication information) from the user name, login time, authentication-exempt period and similar information and sends it to the user terminal for storage, so that when the user terminal, having logged off, subsequently issues an HTTP request within the authentication-exempt period, the Portal server can directly use the user information contained in the Cookie to perform the user's login authentication.
The key point of the WLAN terminal authentication method provided by embodiment 1 of the invention is that the user name submitted by the user and the authentication-exempt period and similar information are recorded together in the cookie information, i.e. in the user login authentication information. Correspondingly, after the user goes offline (i.e. is no longer in the logged-in state), when the user issues an HTTP access request again, the login process comprises the following steps, as shown in Figure 4:
S401, after the terminal and the AP establish a physical connection, the AC device allocates an IP address to the terminal via the DHCP protocol;
S402, the terminal initiates an HTTP service request;
S403, the AC intercepts the HTTP request of the user terminal; because the user has not passed authentication (the current terminal is not in the logged-in state), the request is forcibly redirected to the Portal server. At this point the user's access request carries the encrypted cookie information previously written to the terminal by the Portal server, and the HTTPS secure channel between the Portal server and the client protects the security of the Cookie message during transmission;
S404, the Portal server checks whether the HTTP request sent by the user terminal carries encrypted cookie information; if so, the Portal server decrypts the cookie information and obtains the user information, which here comprises the user name with which the user logged in, and then requests a challenge code (Challenge) from the AC according to the CHAP flow;
S405, the AC returns the corresponding information to the Portal server, comprising the challenge code sequence number Challenge ID and the Challenge;
S406, the Portal server uses a predefined fixed password, for example "9999", applies the MD5 algorithm to it together with the Challenge ID and the Challenge to obtain the password Challenge-Password processed with the challenge code, and submits it to the AC together with the user name extracted from the Cookie to initiate authentication.
The predetermined processing here is applying the MD5 algorithm to the password, the challenge code and the challenge code sequence number; in practice it is not limited to this kind of processing, and other kinds of processing methods may also be used.
S407, the AC sends the Challenge ID, Challenge, Challenge-Password and user name together to the user authentication server RADIUS. RADIUS first computes the Challenge-Password with the user's original password; if the value differs from the one submitted by the AC, it replaces the user's password with the predefined fixed password "9999", recomputes the Challenge-Password, and authenticates the user identity by comparing it with the value submitted by the AC;
S408, the RADIUS Server judges whether the user is legitimate according to the corresponding user information it stores, and then responds to the AC with an authentication success/failure message (on success the message carries the negotiated parameters and the user's related service attributes to authorize the user);
S409, the AC returns the authentication result and the related service attributes to the Portal server;
S410, the Portal server sends an authentication success/failure message to the terminal according to the authentication result and pushes the authentication result page: on authentication success it pushes the portal page to the user; on authentication failure it returns an error message to the user terminal;
S411, the AC forwards the page pushed by the Portal server to the user terminal;
S412, the Portal server replies an authentication acknowledgement message to the AC, and the AC begins the charging flow.
The WLAN terminal authentication method provided by embodiment 1 of the invention allows the user, within the authentication-exempt period, to avoid repeatedly submitting the user name and password for login, which greatly saves login time and improves login efficiency. Because in embodiment 1 a fixed password is used for user authentication when the user terminal is not currently in the logged-in state and requests Internet access, authentication always passes as long as the Portal server has determined that the user is within the authentication-exempt period. Embodiment 2 of the invention therefore provides a more simplified user authentication login method, which can effectively improve the efficiency of network-side authentication, further reduce login time and improve login efficiency.
In the WLAN terminal authentication method provided by embodiment 2 of the invention, the first login of the user terminal is fully consistent with the first login process of embodiment 1, with the user name, the authentication-exempt period and similar information recorded in the generated Cookie. After the user goes offline, i.e. after closing the authentication interface pushed by the Portal server, when the user requests Internet resources again the processing flow comprises the following steps, as shown in Figure 5:
S501, after the terminal and the AP establish a physical connection, the AC device allocates an IP address to the terminal via the DHCP protocol;
S502, the terminal initiates an HTTP service request for Internet access;
S503, the AC intercepts the user's HTTP request; because the user has not passed authentication (the current terminal is not in the logged-in state), the request is forcibly redirected to the Portal server; the redirected request at this point may carry the encrypted cookie information, and the HTTPS secure channel between the Portal server and the user terminal protects the security of the cookie information during transmission;
S504, the Portal server checks whether the request carries an encrypted Cookie; if so, the Portal server decrypts the Cookie to obtain the user identity information, trusts the identification result, no longer initiates the CHAP authentication flow, and directly informs the AC of this user's authentication state through a REQ_AUTH request;
S505, the AC recognizes from the [IP, username] parameters passed by the Portal server that this user has already completed authentication, and carries only the username parameter in the Access-Request it initiates, requesting the user's related service attribute information;
S506, the RADIUS Server recognizes from the parameters that this user requires no authentication computation and directly returns the user's service attribute information;
S507, the AC returns the user service attribute information to the Portal server;
S508, the Portal server pushes the portal page to the user;
S509, the AC forwards the portal page pushed by the Portal server to the user terminal;
S510, the Portal server replies an authentication acknowledgement message to the AC, and the AC begins the charging flow.
In the WLAN terminal authentication login methods provided by the above embodiments 1 and 2, the user login authentication information that is retained does not contain the user's login password, so the RADIUS Server cannot authenticate the user against the user password stored in advance, which somewhat reduces security. For this reason, throughout the processing flow the stored user login authentication information (cookie information) is always encrypted, and when the user login information is transmitted the HTTPS secure channel between the Portal server and the user terminal is used, thereby guaranteeing the security of the user login information during transmission.
However, the above methods require large changes to the network-side authentication server and Portal server, which correspondingly increases the cost of technology upgrading. Embodiment 3 of the invention therefore provides a WLAN terminal authentication method that achieves the corresponding function with only simple modification of the network-side equipment, so that within the authentication-exempt period the user need not repeatedly enter the user name and password to log in, which improves login efficiency.
In the WLAN terminal authentication method provided by embodiment 3 of the invention, the flow of the first login of the user terminal is basically consistent with the flow described in embodiment 1; the only difference is that the cookie information generated by the Portal server also contains the password corresponding to the user name. When the user is not in the logged-in state and requests Internet resources, the flow comprises the following steps, as shown in Figure 6:
S601~S603 are identical to steps S401~S403;
S604, the Portal server checks whether the HTTP request sent by the user terminal carries encrypted cookie information; if so, the Portal server decrypts the cookie information and obtains the user information, which here comprises the user name and user password with which the user logged in, and then requests a Challenge from the AC according to the CHAP flow;
S605, the AC returns the Challenge to the Portal server, comprising the Challenge ID and the Challenge;
S606, the Portal server still applies the MD5 algorithm to the user password, the Challenge ID and the Challenge, obtains the Challenge-Password, and submits it to the AC together with the user name extracted from the Cookie to initiate authentication.
S607, the AC sends the Challenge ID, Challenge, Challenge-Password and user name together to the RADIUS server; the RADIUS server (the user authentication server) applies the MD5 algorithm to the user password, the Challenge ID and the Challenge, obtains the Challenge-Password, and authenticates the user identity by comparing it with the value submitted by the AC.
The predetermined processing here is applying the MD5 algorithm to the password, the challenge code and the challenge code sequence number; in practice it is not limited to this kind of processing, and other kinds of processing methods may also be used.
Steps S608~S612 are identical to S408~S412 in embodiment 1.
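The Challenge-Password computation and the two RADIUS-side verification rules of embodiment 1 (S406/S407, with the fixed-password fallback) and embodiment 3 (S606/S607, stored password only), as an added illustration that is not part of the patent or of any vendor's implementation. The MD5 input order (ID, password, challenge) follows CHAP; the page only names the three inputs, so that order, the user table and the sample values are assumptions.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"fmt"
)

// FixedPassword is the predefined password the Portal server substitutes in
// embodiment 1; "9999" is the example value given on the page.
const FixedPassword = "9999"

// userDB stands in for the credentials stored on the RADIUS server
// (constructed sample data, not a real subscriber database).
var userDB = map[string]string{"alice": "s3cret-alice"}

// ChallengePassword is the "predetermined processing" of S406/S606: MD5 over
// the Challenge ID, the password and the Challenge. The input order follows
// CHAP (RFC 1994); the page only names the three inputs, so the order is an
// assumption here, but both sides must use the same one.
func ChallengePassword(challengeID byte, password string, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{challengeID})
	h.Write([]byte(password))
	h.Write(challenge)
	return h.Sum(nil)
}

// RadiusVerifyEmb1 applies the S407 rule: recompute with the stored password;
// on mismatch, retry with FixedPassword. It reports whether authentication
// passed and which password produced the match ("user", "fixed" or "").
func RadiusVerifyEmb1(username string, challengeID byte, challenge, received []byte) (bool, string) {
	stored, ok := userDB[username]
	if !ok {
		return false, ""
	}
	if subtle.ConstantTimeCompare(ChallengePassword(challengeID, stored, challenge), received) == 1 {
		return true, "user"
	}
	if subtle.ConstantTimeCompare(ChallengePassword(challengeID, FixedPassword, challenge), received) == 1 {
		return true, "fixed"
	}
	return false, ""
}

// RadiusVerifyEmb3 applies the S607 rule: only the stored password counts,
// which is why embodiment 3 carries the password inside the encrypted Cookie.
func RadiusVerifyEmb3(username string, challengeID byte, challenge, received []byte) bool {
	stored, ok := userDB[username]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(ChallengePassword(challengeID, stored, challenge), received) == 1
}

func main() {
	challenge := []byte("constructed-16-byte!") // AC-issued Challenge (constructed)
	id := byte(0x2a)                           // Challenge ID (constructed)
	// Portal side of embodiment 1 (S406): it holds no password, so it uses FixedPassword.
	fromPortal := ChallengePassword(id, FixedPassword, challenge)
	ok, how := RadiusVerifyEmb1("alice", id, challenge, fromPortal)
	fmt.Printf("embodiment 1: accepted=%v via %q password\n", ok, how)
	// Under embodiment 3 the same response is rejected: only alice's real password verifies.
	fmt.Printf("embodiment 3: accepted=%v\n", RadiusVerifyEmb3("alice", id, challenge, fromPortal))
}
```

The fallback in RadiusVerifyEmb1 makes the RADIUS check pass for any stored user name whenever the fixed value is used, which is exactly why the page relies on the encrypted Cookie and the HTTPS channel to gate who can reach S406 at all.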
In all of the above embodiments 1~3 an HTTPS secure channel is established between the Portal server and the user terminal. Its establishment flow is illustrated in Fig. 6 and specifically comprises Step1~Step5:
Step1, the WLAN user terminal WLAN UE sends a Client Hello message to the Portal server, containing the protocol version, a random number, the session identifier session_ID, the list of security algorithms it supports and the list of compression algorithms;
Step2, the Portal server selects the security algorithm and compression algorithm and sends a Server Hello message to the WLAN UE; the Portal server sends its own certificate (chain) to the WLAN UE; it provides shared key generation data to the WLAN UE; it finishes the Hello process and waits for the WLAN UE to respond;
Step3, the WLAN UE randomly generates the pre_master_secret, encrypts it with the public key of the Portal server, and then transmits the encrypted result to the Portal server;
the WLAN UE computes the master key from the pre_master_secret, the random numbers and similar information: master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random),
and then uses the master_secret to compute: verify_data = PRF(master_secret, "client finished", MD5(Message) + SHA-1(Message)), which is used to prove to the Portal server that it holds the correct session key master_secret;
Step4, the Portal server decrypts the pre_master_secret with its private key, computes the master_secret and verify_data by the same method, and proves to the WLAN UE that it holds the correct session key;
Step5, the WLAN UE and the Portal server complete the HTTPS (SSL) secure channel negotiation; the WLAN UE initiates the Internet access request to the Portal server over the HTTPS channel, and the request carries the encrypted Cookie.
Correspondingly, the mechanism by which the Portal server encrypts/decrypts the Cookie when generating it can be, but is not limited to, symmetric key encryption. The Portal server is configured with a stored key Ka used for the encryption and decryption of the Cookie. The format of the encrypted Cookie can be defined as, but is not limited to, the following common form:
Eka[username,password,login-time,…]@Realm
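An added example, not the patent's own code, of the Step3/Step4 key derivation above: the TLS 1.0/1.1 PRF (RFC 2246), which is the PRF whose MD5 + SHA-1 form the page quotes, applied to derive master_secret from pre_master_secret and the two randoms and then verify_data for the Finished message. The label "server finished" for Step4 and all sample inputs are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"hash"
)

// pHash is P_hash from RFC 2246 section 5: HMAC(secret, A(i) + seed) with
// A(0) = seed and A(i) = HMAC(secret, A(i-1)), concatenated to the requested length.
func pHash(h func() hash.Hash, secret, seed []byte, length int) []byte {
	out := make([]byte, 0, length)
	a := seed
	for len(out) < length {
		m := hmac.New(h, secret)
		m.Write(a)
		a = m.Sum(nil)
		m = hmac.New(h, secret)
		m.Write(a)
		m.Write(seed)
		out = append(out, m.Sum(nil)...)
	}
	return out[:length]
}

// PRF is the TLS 1.0/1.1 PRF that the page's MD5 + SHA-1 formula refers to:
// the secret is split into halves, P_MD5 runs on the first half and P_SHA1 on
// the second (a middle byte is shared when the length is odd), and the two
// streams are XORed. The label is prepended to the seed.
func PRF(secret []byte, label string, seed []byte, length int) []byte {
	half := (len(secret) + 1) / 2
	ls := append([]byte(label), seed...)
	out := pHash(md5.New, secret[:half], ls, length)
	sha := pHash(sha1.New, secret[len(secret)-half:], ls, length)
	for i := range out {
		out[i] ^= sha[i]
	}
	return out
}

// MasterSecret is Step3: PRF(pre_master_secret, "master secret",
// ClientHello.random + ServerHello.random), always 48 bytes.
func MasterSecret(preMaster, clientRandom, serverRandom []byte) []byte {
	seed := append(append([]byte{}, clientRandom...), serverRandom...)
	return PRF(preMaster, "master secret", seed, 48)
}

// VerifyData is the Finished check of Step3/Step4: PRF(master_secret, label,
// MD5(messages) + SHA-1(messages)) truncated to 12 bytes. The client uses the
// label "client finished" (as on the page); "server finished" for Step4 is the
// RFC 2246 label and is assumed here.
func VerifyData(master []byte, label string, handshakeMessages []byte) []byte {
	m := md5.Sum(handshakeMessages)
	s := sha1.Sum(handshakeMessages)
	return PRF(master, label, append(m[:], s[:]...), 12)
}
```

Both endpoints can only agree on verify_data if they hold the same master_secret and saw the same handshake transcript, which is what lets each side prove possession of the session key in Step3 and Step4.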
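An added example, not from the patent or any product, of the Cookie mechanism just described: the Portal server seals "Eka[username,password,login-time,...]@Realm" under its configured key Ka with AES-GCM, and on the next request (S404/S504/S604) opens it and checks whether the terminal is still inside its authentication-exempt period. AES-GCM as the symmetric mode, JSON as the field encoding, binding the Realm as associated data, and the key and realm values are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// LoginInfo is the user login authentication information the page places in the
// Cookie: user name, password (embodiment 3 only), login time and exempt period.
type LoginInfo struct {
	Username  string        `json:"username"`
	Password  string        `json:"password,omitempty"`
	LoginTime time.Time     `json:"login-time"`
	Exempt    time.Duration `json:"exempt"`
}

// PortalCookie carries the Portal server's configured key Ka and its Realm.
type PortalCookie struct {
	Ka    []byte // AES key (16, 24 or 32 bytes); named Ka on the page
	Realm string
}

func (p PortalCookie) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(p.Ka)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces "Eka[...]@Realm": the bracketed fields are AES-GCM encrypted under
// Ka (base64url), and the Realm is bound as associated data so the cookie cannot
// be presented under another realm without failing authentication.
func (p PortalCookie) Seal(info LoginInfo) (string, error) {
	g, err := p.aead()
	if err != nil {
		return "", err
	}
	plain, _ := json.Marshal(info) // LoginInfo always marshals
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nonce, nonce, plain, []byte(p.Realm)) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(ct) + "@" + p.Realm, nil
}

// Open reverses Seal and performs the exempt-period check: it returns the login
// information and whether "now" lies inside [login-time, login-time + exempt).
// Tampering, a wrong Ka or a wrong Realm yields an error rather than a decision.
func (p PortalCookie) Open(cookie string, now time.Time) (LoginInfo, bool, error) {
	var info LoginInfo
	at := strings.LastIndex(cookie, "@")
	if at < 0 || cookie[at+1:] != p.Realm {
		return info, false, errors.New("realm missing or mismatched")
	}
	ct, err := base64.RawURLEncoding.DecodeString(cookie[:at])
	if err != nil {
		return info, false, err
	}
	g, err := p.aead()
	if err != nil || len(ct) < g.NonceSize() {
		return info, false, errors.New("bad Ka or cookie too short")
	}
	plain, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(p.Realm))
	if err != nil {
		return info, false, errors.New("cookie tampered or encrypted under a different Ka")
	}
	if err := json.Unmarshal(plain, &info); err != nil {
		return info, false, err
	}
	inExempt := !now.Before(info.LoginTime) && now.Before(info.LoginTime.Add(info.Exempt))
	return info, inExempt, nil
}
```

Because the exempt period is inside the authenticated ciphertext, a terminal cannot extend its own exemption by editing the cookie; the Portal server's clock, not the client's, decides when the authentication interface must be pushed again.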
The above embodiments respectively provide three authentication flows in which the network-side equipment authenticates the terminal. Correspondingly, the embodiments of the invention provide a WLAN terminal authentication system that implements the above authentication flows.
Embodiment 4 of the invention provides a WLAN terminal authentication system, as shown in Figure 7, comprising:
a terminal 41, configured to send an Internet access request containing user login authentication information to the network-side equipment; the user login authentication information is stored by the terminal when the terminal last logged in successfully, is generated by the network-side equipment and sent to the terminal, and contains user information and an authentication-exempt period;
network-side equipment 42, configured to receive the Internet access request sent by the terminal 41 and, when it judges from the authentication-exempt period in the user login authentication information that the terminal is currently within the authentication-exempt period, to authenticate the terminal using the user information in the received user login authentication information and, after authentication succeeds, to send an authentication success message to the terminal.
The network-side equipment 42 provided by embodiment 4 of the invention can also be configured to: when it judges from the authentication-exempt period in the received user login authentication information that the terminal has currently exceeded the authentication-exempt period, push the authentication interface to the terminal; receive the login request information sent by the terminal through the authentication interface, the login request information containing user information and an authentication-exempt period; authenticate the terminal using the user information in the login request information; after authentication succeeds, send an authentication success message to the terminal; and generate new user login authentication information from the user information and authentication-exempt period contained in the login request information and send it to the terminal for storage.
In embodiment 4 of the invention a hypertext transfer protocol secure channel is established between the terminal 41 and the network-side equipment 42; the user login authentication information generated by the network-side equipment 42 and the Internet access request message with which the terminal accesses the Internet are transmitted over that hypertext transfer protocol secure channel.
Embodiment 5 of the invention gives a concrete structural illustration of the network-side equipment 42 of embodiment 4, as shown in Figure 8, comprising:
a Portal server 51, configured to extract the user name from the user information, perform the predetermined processing on a preset password, and send the resulting value and the user name to the access controller;
an access controller 52, configured to send the resulting value and the user name received from the Portal server 51 to the remote authentication dial-in user server;
a remote authentication dial-in user server 53, configured, after receiving the resulting value and the user name sent by the access controller 52 and determining that it stores that user name, to perform the predetermined processing on the preset password, compare the value it obtains with the received value and, if the two agree, deem authentication successful.
Embodiment 6 of the invention gives a concrete structural illustration of the network-side equipment 42 of embodiment 4, as shown in Figure 9, comprising:
a Portal server 61, configured to extract the user name from the user information and send the user name to the access controller;
an access controller 62, configured to send the user name received from the Portal server 61 to the remote authentication dial-in user server;
a remote authentication dial-in user server 63, configured, after receiving the user name sent by the access controller 62 and determining that it stores that user name, to deem authentication successful.
Embodiment 7 of the invention gives a concrete structural illustration of the network-side equipment 42 of embodiment 4, as shown in Figure 10, comprising:
a Portal server 71, configured to extract the user name and password from the user information, perform the predetermined processing on the password, and send the resulting value and the user name to the access controller;
an access controller 72, configured to send the resulting value and the user name received from the Portal server 71 to the remote authentication dial-in user server;
a remote authentication dial-in user server 73, configured, after receiving the resulting value and the user name sent by the access controller 72 and determining that it stores that user name, to perform the predetermined processing on the password it stores for that user name, compare the value it generates with the received value and, if the two agree, deem authentication successful.
Embodiment 8 of the invention correspondingly discloses a WLAN terminal, as shown in Figure 11, comprising:
a message receiving and storing unit 81, configured to receive and store the user login authentication information sent by the network-side equipment after a successful login;
a request transmitting unit 82, configured, after the terminal has logged out and while the message receiving and storing unit 81 holds the user login authentication information, to send an Internet access request containing the user login authentication information to the network-side equipment.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include these changes and modifications.