CN104427499B - Access authentication of WLAN method and system based on WWW - Google Patents
- Publication number: CN104427499B (application CN201310411084.3A; earlier publication CN104427499A)
- Authority: CN (China)
- Prior art keywords: wlan terminal, user, authentication, request, wlan
- Legal status: Active (the status shown by Google Patents is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Abstract
The embodiments of the invention disclose a WEB-based WLAN access authentication method and system. In the method, the access controller (AC) intercepts the DNS resolution request sent by the WLAN terminal and judges whether the WLAN terminal has passed user authentication. If it has not, the AC redirects the DNS resolution request to a local DNS that is isolated from the public network; the local DNS constructs a DNS response packet pointing to the IP address of the portal server and returns it to the AC. When an HTTP or HTTPS request sent by the unauthenticated WLAN terminal is received, the access controller redirects it to the portal server. The portal server sends a WEB authentication page to the WLAN terminal, obtains the user name and password entered by the WLAN terminal user through that page, and authenticates the WLAN terminal according to the user name and password. The embodiments of the invention address the prior-art problem of an unauthenticated WLAN terminal bypassing the Portal authentication flow to reach the Internet.
Description
Technical Field
The invention relates to communication technology, in particular to a Wireless Local Area Network (WLAN) access authentication method and system based on the World Wide Web (WEB).
Background
When a user accesses a network through a WLAN, authentication by a WLAN operator is first required. A WLAN operator usually authenticates a user by using a WLAN access authentication method based on WEB, and the specific flow is as follows:
a user terminal supporting WLAN access (hereinafter, a WLAN terminal) establishes a physical connection with an operator Access Point (AP), acquires an Internet Protocol (IP) address through an Access Controller (AC), and then initiates a Hypertext Transfer Protocol (HTTP) request: the user enters any website in the browser address bar and is redirected to the Portal authentication entrance, where the operator authenticates the WLAN terminal's user according to the user name and password entered on the WEB page.
In the WEB-based WLAN access authentication method, in order to let a user enter any website in the browser address bar and be redirected to Portal authentication (also referred to as WEB authentication), the operator must open a Domain Name Server (DNS) port and the WEB ports. The DNS port is currently User Datagram Protocol (UDP) port 53: the user reaches the DNS server through UDP port 53 and sends it the domain name of the WEB site to be visited, and the DNS server returns the IP address corresponding to that domain name through UDP port 53, so that the user reaches the WEB site by its IP address. The WEB ports are Transmission Control Protocol (TCP) port 80 and TCP port 443; unencrypted HTTP and encrypted HTTPS access to a WEB site use TCP port 80 and TCP port 443, respectively.
In the course of implementing the present invention, the inventor found that the prior-art WLAN access authentication method carries the risk that a WLAN client bypasses the Portal authentication process to obtain illegal Internet access:
Because domain name resolution must work, the operator lets the unauthenticated WLAN terminal reach, over UDP port 53, a proxy server on the public network, for example a proxy server implemented with virtual private network proxy software (loopcpvpn); an unauthenticated WLAN terminal that reaches such a proxy through UDP port 53 can get onto the Internet illegally. For example, loopvpn consists of a client and a server, and the loopvpn client can send IP packets to the loopvpn server through a covert tunnel, thereby providing functions such as network acceleration, hiding the real IP address, and getting around IP port restrictions. Therefore, when a loopvpn server opens UDP port 53 as a proxy, the unauthenticated WLAN terminal can surf the Internet for free through that proxy;
The unauthenticated WLAN terminal can also pack Internet data packets inside DNS resolution request packets. Because the DNS does not inspect the content of a user's DNS resolution request packet, when the requested domain name belongs to a second-level domain the DNS delivers the packet to the DNS equipment where a proxy server such as a LoopcVPN server is located. The DNS server can thus be used as a relay to exchange data with a proxy server such as the LoopcVPN server, and the operator's DNS reaches the LoopcVPN server proxy to provide illegal Internet access.
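The second abuse described above leaves a visible trace at the operator's resolver, and a practitioner will want a way to notice it. The following is an added example, not the patent's own code (the patent describes no detection step): a small Python check that reads constructed DNS query log lines and flags clients that send several distinct, long, high-entropy names to one registered domain, the pattern left behind when Internet data is packed into resolution request names. The log format (timestamp, client IP, query name), the thresholds, and the "last two labels" notion of a registered domain are assumptions.

```python
"""Added example (not the patent's code; the patent describes no detection step):
heuristics an operator's resolver could apply to DNS query logs to notice
Internet data packed into resolution request names.

Assumptions: the log format (timestamp, client IP, query name), the thresholds,
and "registered domain" = last two labels. The log lines are constructed.
"""
import math
from collections import defaultdict

MIN_LABEL_LEN = 20   # labels this long rarely occur in ordinary host names
MIN_ENTROPY = 3.5    # bits per character; encoded payload is close to random
MIN_UNIQUE = 3       # distinct payload-like names to one domain before flagging

# Constructed sample log: .20 browses normally (one long CDN-style label included
# on purpose), .31 sends encoded payload as unique subdomains of tunnel.example.net.
SAMPLE_LOG = """\
2013-09-10T10:00:01 192.168.1.20 www.example.com
2013-09-10T10:00:02 192.168.1.20 mail.example.com
2013-09-10T10:00:02 192.168.1.20 static-content-delivery.example.com
2013-09-10T10:00:03 192.168.1.31 www.example.com
2013-09-10T10:00:03 192.168.1.31 a3f9c1e2b7d44e6f8a0c1b2d3e4f5a6b.tunnel.example.net
2013-09-10T10:00:03 192.168.1.31 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel.example.net
2013-09-10T10:00:04 192.168.1.31 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net
2013-09-10T10:00:04 192.168.1.31 c4d3b2a1f0e9d8c7b6a5f4e3d2c1b0a9.tunnel.example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Simplification: the last two labels (a real deployment would use the public suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def looks_like_payload(name: str) -> bool:
    """A long, high-entropy label below the registered domain is the signature of
    data packed into a query name. One such name alone is not conclusive."""
    labels = name.lower().rstrip(".").split(".")[:-2]
    return any(len(l) >= MIN_LABEL_LEN and shannon_entropy(l) >= MIN_ENTROPY for l in labels)


def parse_log(text: str):
    """Yield (timestamp, client_ip, query_name) from the assumed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            yield ts, client, qname


def flag_clients(log_text: str) -> dict:
    """Return {client_ip: registered_domain} for clients that sent MIN_UNIQUE or
    more distinct payload-like names to the same registered domain."""
    seen = defaultdict(set)
    for _ts, client, qname in parse_log(log_text):
        if looks_like_payload(qname):
            seen[(client, registered_domain(qname))].add(qname)
    return {client: dom for (client, dom), names in seen.items() if len(names) >= MIN_UNIQUE}


if __name__ == "__main__":
    for client, dom in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: repeated payload-like queries under {dom}")
```

Requiring several distinct payload-like names to one domain is what keeps a single long CDN host name (the `static-content-delivery` line, which by itself passes the length and entropy test) from being flagged; the thresholds would need tuning against a real resolver's logs.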
Disclosure of Invention
One of the technical problems to be solved by the embodiments of the present invention is to provide a WEB-based WLAN access authentication method and system that address the following defect of prior-art WEB-based WLAN access authentication: an unauthenticated WLAN terminal accesses a public network server through UDP port 53, or packs Internet data into a DNS resolution request packet, and thereby bypasses the Portal authentication flow to obtain illegal Internet access.
The embodiment of the invention provides a wireless local area network access authentication method based on a world wide web, which comprises the following steps:
the access controller allocates an Internet Protocol (IP) address to a Wireless Local Area Network (WLAN) terminal after the WLAN terminal establishes physical connection with an access point;
the access controller intercepts the DNS resolution request sent by the WLAN terminal and, in response, judges whether the WLAN terminal has passed user authentication;
in response to the WLAN terminal not having passed user authentication, the access controller redirects the DNS resolution request to a local DNS isolated from the public network;
the local DNS constructs a DNS response data packet pointing to the IP address of the portal server and returns the DNS response data packet to the access controller;
when a hypertext transfer protocol (HTTP) request or a secure hypertext transfer protocol (HTTPS) request sent by the WLAN terminal which is not authenticated is received, the access controller redirects the HTTP request or the HTTPS request to a portal server;
and the portal server sends a world wide WEB (WEB) authentication page to the WLAN terminal, acquires a user name and a password input by a WLAN terminal user through the WEB authentication page, and performs user authentication on the WLAN terminal according to the user name and the password.
In another embodiment of the WEB-based WLAN access authentication method according to the present invention, authenticating the user of the WLAN terminal according to the user name and the password comprises:
the portal server sends the user name and the password input by the WLAN terminal user to the access controller;
the access controller sends the user name and the password input by the WLAN terminal user to an authentication server;
the authentication server authenticates the user name and the password input by the WLAN terminal user according to the pre-stored user authentication information, and feeds back the user authentication result of the WLAN terminal to the access controller.
In another specific embodiment of the WEB-based WLAN access authentication method according to the present invention, after the user authentication result for the WLAN terminal is fed back to the access controller, the method further includes:
in response to the WLAN terminal passing user authentication, the access controller stores the IP address of the WLAN terminal in an allowed access public network list.
In another embodiment of the WEB-based WLAN access authentication method according to the present invention, judging whether the WLAN terminal has passed user authentication comprises:
inquiring whether an IP address of the WLAN terminal is included in a public network access permission list;
if the IP address of the WLAN terminal is included in the public network access permission list, the WLAN terminal passes the user authentication; otherwise, the WLAN terminal fails to pass the user authentication.
In another specific embodiment of the WEB-based WLAN access authentication method of the present invention, the method further includes:
in response to the WLAN terminal having passed user authentication, the access controller forwards the DNS resolution request normally; and
when receiving an HTTP request or HTTPS request sent by the WLAN terminal, the access controller forwards the request according to the destination address in that request.
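To make the DNS side of the method concrete, here is an added example in Python, not the patent's or any product's code, of operations 120 to 140 and 300 together with the allowed-list check of the later embodiment: the access controller consults its allowed-access public network list and either forwards the query to the real resolver or hands it to the local DNS, which answers every A query, whatever name it carries, with a single record for the portal's address, so nothing packed into the name goes anywhere. The portal address 10.0.0.5, the 30-second TTL, the in-memory set used as the list, and the callback standing in for the upstream resolver are assumptions.

```python
"""Added example (not the patent's code): the AC's DNS path, operations 120-140
and 300, with the local DNS answering at the DNS wire level (RFC 1035 section 4.1).

Assumptions not in the patent: the portal address, the 30 s TTL, an in-memory
set as the "allowed access public network list", and a callback standing in
for the operator's real resolver.
"""
import struct

PORTAL_IP = "10.0.0.5"   # constructed portal server address
LOCAL_TTL = 30           # short TTL so a client re-resolves soon after it authenticates


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Encode a minimal standard query; used here only to construct sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (txid, name, qtype, qclass, raw question bytes) of a one-question message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name not accepted in a question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def local_dns_answer(query: bytes, portal_ip: str = PORTAL_IP) -> bytes:
    """The isolated local DNS (operation 140): every A query gets one answer, the
    portal's address. The query name itself is never forwarded anywhere."""
    txid, _name, qtype, qclass, question = parse_question(query)
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA, NOERROR
    if ancount == 0:
        return header + question               # other record types: empty answer
    rdata = bytes(int(octet) for octet in portal_ip.split("."))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, qclass, LOCAL_TTL, 4) + rdata  # name = pointer to offset 12
    return header + question + rr


def answer_addresses(response: bytes) -> list:
    """IPv4 addresses in the answer section (understands the 0xC00C name pointer)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    question = parse_question(response)[4]
    pos, addrs = 12 + len(question), []
    for _ in range(ancount):
        if response[pos] & 0xC0 == 0xC0:
            pos += 2
        else:
            while response[pos]:
                pos += 1 + response[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return addrs


class AccessController:
    """Operations 120/130 versus 300: allow-listed clients reach the real resolver,
    everyone else is answered by the local DNS."""

    def __init__(self, upstream_resolver):
        self.allowed_public = set()        # the "allowed access public network list"
        self.upstream = upstream_resolver

    def is_authenticated(self, client_ip: str) -> bool:
        return client_ip in self.allowed_public

    def handle_dns(self, client_ip: str, query: bytes) -> bytes:
        if self.is_authenticated(client_ip):
            return self.upstream(query)    # operation 300: forward normally
        return local_dns_answer(query)     # operations 130 and 140


if __name__ == "__main__":
    ac = AccessController(lambda q: b"(forwarded to the real resolver)")
    q = build_query(0x1234, "www.example.com")
    print(answer_addresses(ac.handle_dns("192.168.1.10", q)))   # ['10.0.0.5']
    ac.allowed_public.add("192.168.1.10")
    print(ac.handle_dns("192.168.1.10", q))
```

Keyed on the client IP alone, as the patent's list is, the check trusts whatever source address the terminal presents; in a deployment the AC would bind the entry to the terminal's MAC address or session as well, and the short TTL limits how long a cached portal answer lingers once the user has logged in.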
The embodiment of the invention provides a wireless local area network access authentication system based on a world wide web, which comprises an access point, a portal server, an access controller and a local DNS (domain name system) isolated from a public network;
the access controller is used for allocating an IP address to the WLAN terminal after the WLAN terminal establishes a physical connection with the access point; intercepting the DNS resolution request sent by the WLAN terminal and, in response, judging whether the WLAN terminal has passed user authentication; in response to the WLAN terminal not having passed user authentication, redirecting the DNS resolution request to a local DNS isolated from the public network; and, when an HTTP request or HTTPS request sent by the unauthenticated WLAN terminal according to the DNS response packet returned by the local DNS is received, redirecting that request to the portal server;
the local DNS is used for constructing a DNS response data packet pointing to an IP address of a portal server and returning the DNS response data packet to the access controller when the DNS analysis request is received;
and the portal server is used for sending a WEB authentication page to the WLAN terminal when receiving the HTTP request or the HTTPS request, acquiring a user name and a password input by a WLAN terminal user through the WEB authentication page, and performing user authentication on the WLAN terminal according to the user name and the password.
In another embodiment of the WEB-based WLAN access authentication system of the present invention, the system further comprises an authentication server;
when the portal server authenticates the user of the WLAN terminal according to the user name and the password, the portal server specifically sends the user name and the password input by the WLAN terminal user to the access controller;
the access controller is also used for sending the user name and the password input by the WLAN terminal user to the authentication server;
and the authentication server is used for authenticating the user name and the password input by the WLAN terminal user according to the pre-stored user authentication information and feeding back the user authentication result of the WLAN terminal to the access controller.
In another specific embodiment of the WEB-based WLAN access authentication system according to the present invention, the access controller is further configured to store an allowed-access public network list and to store the IP address of the WLAN terminal in that list in response to the WLAN terminal passing user authentication, the list containing the IP addresses of WLAN terminals that have passed user authentication.
In another embodiment of the WEB-based WLAN access authentication system of the present invention, when the access controller judges whether the WLAN terminal has passed user authentication, it specifically queries whether the IP address of the WLAN terminal is included in the allowed-access public network list; if it is, the WLAN terminal has passed user authentication; otherwise, the WLAN terminal has not.
In another specific embodiment of the WEB-based WLAN access authentication system of the present invention, the access controller is further configured to forward the DNS resolution request normally in response to the WLAN terminal having passed user authentication, and, when receiving an HTTP request or HTTPS request sent by the WLAN terminal, to forward the request over the Internet according to the destination address in that request.
In the WLAN access authentication method and system provided by the above embodiments, the access controller intercepts the DNS resolution request sent by a WLAN terminal and determines whether the WLAN terminal has passed user authentication. If it has not, the DNS resolution request is redirected to a local DNS isolated from the public network, and the local DNS constructs a DNS response packet pointing to the portal server's IP address and returns it to the access controller; when an HTTP or HTTPS request sent by the unauthenticated WLAN terminal is received, the access controller redirects it to the portal server; and the portal server sends a WEB authentication page to the WLAN terminal, obtains the user name and password entered by the user through that page, and authenticates the WLAN terminal accordingly. Compared with the prior art, the embodiments intercept the traffic an unauthenticated WLAN terminal sends through UDP port 53 toward a public network server such as a LoopcVPN server, which solves the problem of the unauthenticated WLAN terminal reaching the public network directly through a server proxy; and because a DNS resolution request packet that an unauthenticated WLAN terminal sends to the operator's DNS address is redirected to the local DNS isolated from the public network, the problem of packing Internet data into the DNS resolution request packet and reaching a proxy server through the operator's public network DNS is solved as well.
The embodiments of the invention thereby eliminate the prior-art security risk of an unauthenticated WLAN terminal bypassing user authentication to reach the Internet, and solve the technical problem that, in the prior-art WEB-based WLAN access authentication method, an unauthenticated WLAN terminal bypasses the user authentication flow by accessing a public network proxy server through UDP port 53 or by packing Internet data into a DNS resolution request packet.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention.
The invention will be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of an embodiment of the WEB-based WLAN access authentication method according to the present invention.
Fig. 2 is a flowchart of another embodiment of the method for authenticating wlan access based on WEB according to the present invention.
Fig. 3 is a schematic structural diagram of an embodiment of a wlan access authentication system based on WEB according to the present invention.
Detailed Description
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a flowchart of an embodiment of the WEB-based WLAN access authentication method according to the present invention. As shown in Fig. 1, the WEB-based WLAN access authentication method of this embodiment includes:
110, after the WLAN terminal establishes a physical connection with the AP, the AC assigns an IP address to the WLAN terminal.
120, the AC intercepts the DNS resolution request sent by the WLAN terminal and, in response, judges whether the WLAN terminal has passed user authentication.
If the WLAN terminal has not passed user authentication, operation 130 is performed. Otherwise, if the WLAN terminal has passed user authentication, it is allowed normal Internet access and the rest of this embodiment is not executed.
130, the AC redirects the DNS resolution request to a local DNS that is isolated from the public network (i.e., the Internet).
140, the local DNS constructs a DNS response packet pointing to the portal server's IP address and returns it to the AC.
150, in response to receiving an HTTP request or Hypertext Transfer Protocol Secure (HTTPS) request sent by the unauthenticated WLAN terminal, the AC redirects the request to the portal server; that is, the WLAN terminal's traffic toward WEB servers on the Internet over TCP port 80 or TCP port 443 is redirected to the portal server.
160, the portal server sends a WEB authentication page to the WLAN terminal, obtains the user name and password entered by the WLAN terminal user through that page, and authenticates the WLAN terminal according to the user name and password.
In the embodiments of the invention, the WLAN terminal is the terminal used by a user and the two correspond: authenticating the WLAN terminal means authenticating its user, and the IP address of the WLAN terminal is the IP address of that user.
Illustratively, once the WLAN terminal has passed user authentication, the AC allows the user to access the Internet and to be billed by an Authentication, Authorization, Accounting (AAA) server. Before the WLAN terminal has passed user authentication, the AC only allows it to reach the DNS server and the portal server, and no other public network resources.
The WEB-based WLAN access authentication method provided by the embodiment of the invention solves the problem of an unauthenticated WLAN terminal reaching the public network directly through a server proxy. When an unauthenticated WLAN terminal accesses the operator's DNS address before passing user authentication, its DNS resolution request packet is redirected to a local DNS address isolated from the public network; this solves the problem of an unauthenticated WLAN terminal packing Internet data into the DNS resolution request packet and reaching a proxy server on the public network through the operator's DNS. The method thus closes the prior-art security hole by which an unauthenticated WLAN terminal bypasses user authentication, and solves the technical problem that, in the prior-art WEB-based WLAN access authentication method, an unauthenticated WLAN terminal bypasses user authentication by accessing a public network proxy server through UDP port 53 or by packing Internet data into a DNS resolution request packet.
Fig. 2 is a flowchart of another embodiment of the WLAN access authentication method based on WEB according to the present invention. As shown in fig. 2, the WLAN access authentication method based on WEB in this embodiment includes:
210, after the WLAN terminal establishes a physical connection with the AP, the AC assigns an IP address to the WLAN terminal.
220, in response to intercepting the DNS resolution request sent by the WLAN terminal, the AC queries whether the IP address of the WLAN terminal is included in the allowed-access public network list.
The allowed-access public network list holds the IP addresses of WLAN terminals that have passed user authentication.
If the list includes the IP address of the WLAN terminal, the WLAN terminal has passed user authentication and operation 300 is performed, allowing the WLAN terminal to access the Internet. Otherwise, the WLAN terminal has not passed user authentication and operation 230 is performed.
230, the AC redirects the DNS resolution request to a local DNS isolated from the public network.
240, the local DNS builds a DNS response packet pointing to the portal server's IP address and returns it to the AC.
250, in response to receiving an HTTP or HTTPS request sent by the unauthenticated WLAN terminal, the AC redirects it to the portal server; that is, the unauthenticated user's request to access the Internet is redirected to the WEB authentication page of the portal server.
260, the portal server sends a WEB authentication page to the WLAN terminal, obtains the user name and password entered by the WLAN terminal user through that page (i.e., the user submits the user name and password entered in the WEB authentication page), and sends them to the AC.
270, the AC sends the user name and password entered by the WLAN terminal user to the authentication server (e.g., a RADIUS server).
280, the authentication server checks the user name and password against the pre-stored user authentication information, i.e., compares whether they match the stored information, and feeds back the user authentication result for the WLAN terminal to the AC.
If they match, the WLAN terminal passes user authentication, operation 290 is performed, and the WLAN terminal is allowed to access the Internet. Otherwise, the WLAN terminal fails user authentication and the rest of this embodiment is not executed; the flow may return to operation 230, or an error message indicating the authentication failure may be returned to the user through the portal server, so that the user is notified of the failure and is not allowed to access the public network.
Illustratively, the authentication server may feed back the user authentication result for the WLAN terminal to the AC through the portal server, which can display the result in the user's browser.
290, the AC stores the IP address of the WLAN terminal in the allowed-access public network list.
300, the AC forwards the DNS resolution request normally.
There is no ordering constraint between operations 290 and 300: operation 300 may be performed before, at the same time as, or after operation 290.
310, when receiving an HTTP or HTTPS request sent by the WLAN terminal, the AC forwards it according to the destination address in the request.
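The credential path of operations 250 to 310 can be shown the same way. The following added example, again not the patent's code, models the portal server, the AC and the authentication server as three Python classes: an unauthenticated client's HTTP request is answered with a 302 to the portal, credentials submitted to the portal travel portal to AC to authentication server, and only a successful comparison adds the client IP to the allowed-access list, after which the same request is forwarded to its destination. The salted PBKDF2 credential storage, the portal URL, the function calls standing in for RADIUS, and the dict-shaped HTTP messages are assumptions; the patent does not say how the authentication server stores its user authentication information.

```python
"""Added example (not the patent's code): the authentication path of Fig. 2,
operations 250-310, with portal, AC and authentication server in one process.

Assumptions not in the patent: salted PBKDF2 password storage, the portal URL,
function calls standing in for RADIUS, and HTTP requests modelled as dicts.
"""
import hashlib
import hmac
import os
from urllib.parse import quote

PORTAL_URL = "https://portal.example.invalid/login"   # constructed address
PBKDF2_ROUNDS = 100_000


class AuthenticationServer:
    """Stands in for the RADIUS server holding the pre-stored user authentication information."""

    def __init__(self):
        self._users = {}   # username -> (salt, derived key)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        """Operation 280: compare the submitted credentials with the stored record."""
        record = self._users.get(username)
        if record is None:
            self._derive(password, bytes(16))   # same cost for unknown users
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))


class AccessController:
    def __init__(self, auth_server: AuthenticationServer):
        self.auth_server = auth_server
        self.allowed_public = set()   # the "allowed access public network list"

    def is_authenticated(self, client_ip: str) -> bool:
        return client_ip in self.allowed_public

    def verify_user(self, client_ip: str, username: str, password: str) -> bool:
        """Operations 270-290: relay the credentials; on success record the client IP."""
        ok = self.auth_server.authenticate(username, password)
        if ok:
            self.allowed_public.add(client_ip)
        return ok

    def handle_http(self, client_ip: str, request: dict) -> dict:
        """Operation 250 (redirect to the portal) or 310 (forward to the destination)."""
        if self.is_authenticated(client_ip):
            return {"action": "forward", "destination": request["host"]}
        original = f"{request['scheme']}://{request['host']}{request['path']}"
        return {"action": "redirect", "status": 302,
                "location": f"{PORTAL_URL}?redirect={quote(original, safe='')}"}


class PortalServer:
    def __init__(self, ac: AccessController):
        self.ac = ac

    def submit_login(self, client_ip: str, username: str, password: str) -> dict:
        """Operation 260: hand the submitted credentials to the AC; show the result to the user."""
        if self.ac.verify_user(client_ip, username, password):
            return {"status": 200, "body": "authentication succeeded"}
        return {"status": 401, "body": "user name or password incorrect"}


if __name__ == "__main__":
    server = AuthenticationServer()
    server.add_user("alice", "correct horse battery staple")
    ac = AccessController(server)
    portal = PortalServer(ac)
    req = {"scheme": "http", "host": "news.example.invalid", "path": "/"}
    print(ac.handle_http("192.168.1.10", req))        # redirect to the portal
    print(portal.submit_login("192.168.1.10", "alice", "correct horse battery staple"))
    print(ac.handle_http("192.168.1.10", req))        # forward
```

The redirect carries the originally requested URL so the portal can send the user back after login; the comparison uses a constant-time digest check and spends the same derivation cost on unknown user names, so a failed login reveals nothing about whether the account exists.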
Fig. 3 is a schematic structural diagram of an embodiment of the WEB-based WLAN access authentication system according to the present invention. The WEB-based WLAN access authentication system of this embodiment can be used to implement the WEB-based WLAN access authentication method embodiments described above. As shown in Fig. 3, it includes an AP, a portal server, an AC and a local DNS isolated from the public network, wherein:
the AC is used for allocating an IP address to the WLAN terminal after the WLAN terminal establishes physical connection with the AP; responding to a DNS analysis request which is intercepted and sent to the WLAN terminal, and judging whether the WLAN terminal passes user authentication; in response to the WLAN terminal failing to pass the user authentication, redirecting the DNS resolution request to a local DNS isolated from the public network; and according to a DNS response data packet returned by the local DNS, when responding to the HTTP request or the HTTPS request sent by the unauthorized WLAN terminal, redirecting the HTTP request or the HTTPS request to the portal server.
The local DNS, which may also be called a local UDP port 53 server, is used to construct a DNS response packet pointing to the IP address of the portal server and return it to the AC when a DNS resolution request is received.
And the portal server is used for sending a WEB authentication page to the WLAN terminal when receiving the HTTP request or the HTTPS request, acquiring a user name and a password input by a WLAN terminal user through the WEB authentication page, and performing user authentication on the WLAN terminal according to the user name and the password.
The WLAN terminal of the embodiment of the invention is provided with the wireless network card and the WEB browser, and the AP is used for wireless access of the WLAN terminal.
The WEB-based WLAN access authentication system provided by the embodiment of the invention solves the problem of an unauthenticated WLAN terminal reaching the public network directly through a server proxy. When an unauthenticated WLAN terminal accesses the operator's DNS address before passing user authentication, its DNS resolution request packet is redirected to a local DNS address isolated from the public network; this solves the problem of an unauthenticated WLAN terminal packing Internet data into the DNS resolution request packet and reaching a proxy server on the public network through the operator's DNS. The system thus closes the prior-art security hole by which an unauthenticated WLAN terminal bypasses user authentication, and solves the technical problem that, in the prior-art WEB-based WLAN access authentication method, an unauthenticated WLAN terminal bypasses user authentication by accessing a public network proxy server through UDP port 53 or by packing Internet data into a DNS resolution request packet.
Referring to fig. 3 again, in another embodiment of the WLAN access authentication system based on WEB according to the present invention, an authentication server is further included. In this embodiment, when the portal server performs user authentication on the WLAN terminal according to the user name and the password, the portal server may specifically send the user name and the password input by the WLAN terminal user to the AC. Accordingly, the AC may also be used to send the username and password entered by the WLAN end user to the authentication server. The authentication server is used for authenticating the user name and the password input by the WLAN terminal user according to the pre-stored user authentication information and feeding back the user authentication result of the WLAN terminal to the AC.
In another embodiment of the WEB-based WLAN access authentication system according to the present invention, the AC may be further configured to store a public network access permission list and, in response to the WLAN terminal passing user authentication, to store the IP address of the WLAN terminal in that list; the public network access permission list therefore contains the IP addresses of the WLAN terminals that have passed user authentication.
In another embodiment of the WEB-based WLAN access authentication system according to the present invention, when the AC determines whether the WLAN terminal has passed user authentication, it specifically queries whether the IP address of the WLAN terminal is included in the public network access permission list: if the list includes the IP address of the WLAN terminal, the WLAN terminal has passed user authentication; otherwise, it has not.
In another embodiment of the WEB-based WLAN access authentication system according to the present invention, the AC may be further configured to forward the DNS resolution request normally in response to the WLAN terminal passing user authentication, and, on receiving an HTTP request or HTTPS request sent by the WLAN terminal, to forward that request over the Internet according to the destination address it carries.
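The following is an added illustration of the access-controller behaviour described in the embodiments above; it is not code from the patent or its applicant. It models the AC as a small policy engine: every DNS query from a terminal that is not on the public network access permission list is sent to the isolated local DNS regardless of the destination address it was addressed to, every HTTP/HTTPS request from such a terminal is redirected to the portal, and the terminal's IP enters the list only when the authentication server reports success. The class and method names, the portal address 10.0.0.1, the local DNS address 10.0.0.53, the operator DNS placeholder 203.0.113.53, the terminal address 192.168.1.10 and the user database are all constructed for the example.

```python
"""Simulated WEB (portal) access controller.  Added example; all addresses,
names and credentials below are constructed and not taken from the patent."""
from dataclasses import dataclass

PORTAL_IP = "10.0.0.1"            # portal server (assumed address)
LOCAL_DNS_IP = "10.0.0.53"        # local DNS isolated from the public network (assumed)
OPERATOR_DNS_IP = "203.0.113.53"  # operator public DNS proxy (documentation-range placeholder)


@dataclass
class Decision:
    action: str   # "forward", "redirect_dns" or "redirect_portal"
    target: str   # where the packet is actually sent


class AccessController:
    def __init__(self, portal_ip=PORTAL_IP, local_dns_ip=LOCAL_DNS_IP):
        self.portal_ip = portal_ip
        self.local_dns_ip = local_dns_ip
        self.allowed = set()   # public network access permission list (IPs that passed auth)
        self.leases = {}       # MAC -> IP allocated after physical association

    def allocate_ip(self, mac, ip):
        """Step 1: the AC hands the terminal an IP once it has associated with the AP."""
        self.leases[mac] = ip
        return ip

    def is_authenticated(self, ip):
        """The authentication check is a lookup in the permission list (claim 4 / 9)."""
        return ip in self.allowed

    def on_dns_request(self, src_ip, dst_ip, qname):
        """Intercepted DNS query.  For an unauthenticated terminal the query is
        redirected to the isolated local DNS no matter which resolver it was
        addressed to, so UDP/53 traffic to the operator's public proxy never
        leaves the WLAN.  Authenticated terminals are forwarded normally."""
        if self.is_authenticated(src_ip):
            return Decision("forward", dst_ip)
        return Decision("redirect_dns", self.local_dns_ip)

    def on_http_request(self, src_ip, url):
        """HTTP/HTTPS from an unauthenticated terminal is redirected to the portal;
        otherwise it is forwarded to the destination it names."""
        if self.is_authenticated(src_ip):
            return Decision("forward", url)
        return Decision("redirect_portal", f"http://{self.portal_ip}/login?orig={url}")

    def on_auth_result(self, ip, ok):
        """Result fed back by the authentication server (via the portal)."""
        if ok:
            self.allowed.add(ip)
        return self.is_authenticated(ip)


class AuthServer:
    """Stand-in for the authentication server: checks a pre-stored user table."""
    def __init__(self, users):
        self.users = users  # username -> password (constructed sample data)

    def verify(self, username, password):
        return self.users.get(username) == password


def run_scenario():
    """Walk one terminal through the flow and return the AC decisions in order."""
    ac = AccessController()
    auth = AuthServer({"alice": "sample-password"})
    ip = ac.allocate_ip("aa:bb:cc:dd:ee:ff", "192.168.1.10")
    trace = []
    # before authentication: DNS goes to the local DNS, HTTP goes to the portal
    trace.append(ac.on_dns_request(ip, OPERATOR_DNS_IP, "www.example.com"))
    trace.append(ac.on_http_request(ip, "http://www.example.com/"))
    # wrong password: the permission list is unchanged
    ac.on_auth_result(ip, auth.verify("alice", "wrong"))
    trace.append(ac.on_dns_request(ip, OPERATOR_DNS_IP, "www.example.com"))
    # correct password: the terminal's IP enters the list and traffic is forwarded
    ac.on_auth_result(ip, auth.verify("alice", "sample-password"))
    trace.append(ac.on_dns_request(ip, OPERATOR_DNS_IP, "www.example.com"))
    trace.append(ac.on_http_request(ip, "http://www.example.com/"))
    return [(d.action, d.target) for d in trace]


if __name__ == "__main__":
    for action, target in run_scenario():
        print(f"{action:16s} -> {target}")
```

The point the example makes concrete is that the decision in `on_dns_request` never consults the destination address for an unauthenticated source: the redirection is keyed on the source IP's absence from the permission list, which is what closes the UDP/53 path to the operator's public proxy.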
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The methods and systems of the present invention may be implemented in a number of ways. For example, they may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order of the method steps is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless otherwise indicated. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the method embodiments may be carried out by hardware controlled by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The aforementioned storage medium includes various media that can store program code, such as ROM, RAM, and magnetic or optical disks.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Claims (10)
1. A wireless local area network access authentication method based on the world wide web, comprising:
the access controller allocates an Internet Protocol (IP) address to a Wireless Local Area Network (WLAN) terminal after the WLAN terminal establishes physical connection with an access point;
the access controller intercepts a domain name server (DNS) resolution request sent by the WLAN terminal and, in response, judges whether the WLAN terminal has passed user authentication;
in response to the WLAN terminal having passed the user authentication, the access controller forwards the DNS resolution request normally;
in response to the WLAN terminal failing to pass user authentication, an access controller redirects the DNS resolution request to a local DNS isolated from a public network;
the local DNS constructs a DNS response data packet pointing to the IP address of the portal server and returns the DNS response data packet to the access controller;
when a hypertext transfer protocol (HTTP) request or a secure hypertext transfer protocol (HTTPS) request sent by the WLAN terminal which is not authenticated is received, the access controller redirects the HTTP request or the HTTPS request to a portal server;
and the portal server sends a world wide web (WEB) authentication page to the WLAN terminal, acquires a user name and a password input by the WLAN terminal user through the WEB authentication page, and performs user authentication on the WLAN terminal according to the user name and the password.
2. The method of claim 1, wherein performing user authentication on the WLAN terminal according to the user name and the password comprises:
the portal server sends the user name and the password input by the WLAN terminal user to the access controller;
the access controller sends the user name and the password input by the WLAN terminal user to an authentication server;
the authentication server authenticates the user name and the password input by the WLAN terminal user according to the pre-stored user authentication information, and feeds back the user authentication result of the WLAN terminal to the access controller.
3. The method of claim 2, wherein after feeding back the user authentication result for the WLAN terminal to the access controller, further comprising:
in response to the WLAN terminal passing user authentication, the access controller stores the IP address of the WLAN terminal in an allowed access public network list.
4. The method of claim 3, wherein determining whether the WLAN terminal has been authenticated by the user comprises:
inquiring whether an IP address of the WLAN terminal is included in a public network access permission list;
if the IP address of the WLAN terminal is included in the public network access permission list, the WLAN terminal passes the user authentication; otherwise, the WLAN terminal fails to pass the user authentication.
5. The method of any one of claims 1 to 4, further comprising:
and when responding to the received HTTP request or HTTPS request sent by the WLAN terminal, the access controller forwards the HTTP request or HTTPS request according to the destination address in the HTTP request or HTTPS request.
6. A wireless local area network access authentication system based on world wide web comprises an access point, and is characterized by also comprising a portal server, an access controller and a local DNS isolated from a public network;
the access controller is used for allocating an IP address to the WLAN terminal after the WLAN terminal establishes physical connection with the access point; intercepting a DNS resolution request sent by the WLAN terminal and, in response, judging whether the WLAN terminal has passed user authentication; in response to the WLAN terminal having passed the user authentication, forwarding the DNS resolution request normally; in response to the WLAN terminal failing to pass user authentication, redirecting the DNS resolution request to a local DNS isolated from a public network; and, on receiving an HTTP request or an HTTPS request sent by the unauthenticated WLAN terminal according to a DNS response data packet returned by the local DNS, redirecting the HTTP request or the HTTPS request to a portal server;
the local DNS is used for constructing, when the DNS resolution request is received, a DNS response data packet pointing to an IP address of the portal server and returning the DNS response data packet to the access controller;
and the portal server is used for sending a WEB authentication page to the WLAN terminal when receiving the HTTP request or the HTTPS request, acquiring a user name and a password input by a WLAN terminal user through the WEB authentication page, and performing user authentication on the WLAN terminal according to the user name and the password.
7. The system of claim 6, further comprising an authentication server;
when the portal server authenticates the user of the WLAN terminal according to the user name and the password, the portal server specifically sends the user name and the password input by the WLAN terminal user to the access controller;
the access controller is also used for sending the user name and the password input by the WLAN terminal user to the authentication server;
and the authentication server is used for authenticating the user name and the password input by the WLAN terminal user according to the pre-stored user authentication information and feeding back the user authentication result of the WLAN terminal to the access controller.
8. The system of claim 7, wherein the access controller is further configured to store a list of allowed access public networks, and in response to the WLAN terminal being authenticated by the user, store the IP address of the WLAN terminal in the list of allowed access public networks, wherein the list of allowed access public networks includes the IP address of the WLAN terminal authenticated by the user.
9. The system according to claim 8, wherein the access controller determines whether the WLAN terminal has been authenticated by the user, and specifically queries whether the IP address of the WLAN terminal is included in the allowed access public network list; if the IP address of the WLAN terminal is included in the public network access permission list, the WLAN terminal passes the user authentication; otherwise, the WLAN terminal fails to pass the user authentication.
10. The system according to any one of claims 6 to 9, wherein the access controller is further configured to, in response to receiving an HTTP request or an HTTPS request sent by the WLAN terminal, forward the HTTP request or the HTTPS request through the internet according to a destination address in the HTTP request or the HTTPS request.
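Claims 1 and 6 have the local DNS "construct a DNS response data packet pointing to the IP address of the portal server". The following added example, which is not code from the patent or its applicant, shows what such a packet looks like on the wire: it parses the question section of an incoming query, echoes the transaction ID and question back, and answers an A query with a single record carrying the portal address. Queries for other record types receive an empty, authoritative answer so the client is not left waiting. The portal address 10.0.0.1, the query name and the transaction ID are constructed for the example; the zero TTL is a design choice of this example (so the terminal does not keep the portal address cached once it is authenticated), not something the patent specifies.

```python
"""Minimal local-DNS responder for a captive portal (added example; the
portal address and sample query are constructed, not taken from the patent)."""
import socket
import struct

PORTAL_IP = "10.0.0.1"   # assumed portal server address

QR, AA, RD = 0x8000, 0x0400, 0x0100   # DNS header flag bits
TYPE_A, CLASS_IN = 1, 1


def build_query(qname, qtype=TYPE_A, txid=0x1234):
    """Build a minimal DNS query with one question (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qn + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(msg):
    """Return (txid, flags, qname, qtype, qclass, raw_question) for a one-question message."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, ".".join(labels), qtype, qclass, msg[12:off + 4]


def build_portal_response(query, portal_ip=PORTAL_IP, ttl=0):
    """Answer every A/IN query with the portal address; other types get NODATA."""
    txid, flags, _, qtype, qclass, question = parse_question(query)
    answers, ancount = b"", 0
    if qtype == TYPE_A and qclass == CLASS_IN:
        # 0xC00C is a compression pointer to offset 12, i.e. the question name
        answers = (struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)
                   + socket.inet_aton(portal_ip))
        ancount = 1
    resp_flags = QR | AA | (flags & RD)      # response, authoritative, copy RD, RCODE 0
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answers


def parse_response(resp):
    """Decode a response built above, returning the fields a client would act on."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    _, _, qname, _, _, question = parse_question(resp)
    off, ips = 12 + len(question), []
    for _ in range(ancount):
        _, rtype, _, ttl, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
        off += 12
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A:
            ips.append(socket.inet_ntoa(rdata))
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "qname": qname, "ips": ips}


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(parse_response(build_portal_response(q)))
```

Because the responder never consults the query name, there is nothing for an unauthenticated terminal to resolve except the portal; that, together with the AC redirecting all port 53 traffic here, is what keeps the isolated local DNS from becoming a path to the public network.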
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310411084.3A CN104427499B (en) | 2013-09-11 | 2013-09-11 | Access authentication of WLAN method and system based on WWW |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310411084.3A CN104427499B (en) | 2013-09-11 | 2013-09-11 | Access authentication of WLAN method and system based on WWW |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104427499A CN104427499A (en) | 2015-03-18 |
CN104427499B true CN104427499B (en) | 2018-11-13 |
Family
ID=52975201
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310411084.3A Active CN104427499B (en) | 2013-09-11 | 2013-09-11 | Access authentication of WLAN method and system based on WWW |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104427499B (en) |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104754376B (en) * | 2015-03-27 | 2017-09-29 | 深圳市九洲电器有限公司 | Advertisement placement method and system based on set top box |
CN105554170B (en) * | 2015-12-09 | 2019-06-14 | 福建星网锐捷网络有限公司 | A kind of processing method of DNS message, apparatus and system |
CN105915561A (en) * | 2016-07-04 | 2016-08-31 | 安徽天达网络科技有限公司 | Double authenticated network security system |
CN106230781A (en) * | 2016-07-18 | 2016-12-14 | 杭州迪普科技有限公司 | The method and device preventing network attack of sing on web authentication techniques |
CN106162641B (en) * | 2016-07-25 | 2019-10-11 | 中电福富信息科技有限公司 | A kind of safe public WiFi authentication method and system |
CN107690140A (en) * | 2016-08-04 | 2018-02-13 | 深圳市信锐网科技术有限公司 | WAP authentication method, apparatus and system |
CN106332083B (en) * | 2016-08-24 | 2019-11-22 | 上海斐讯数据通信技术有限公司 | TCP connection method and device, Intranet authentication method and system |
CN106302513A (en) * | 2016-09-06 | 2017-01-04 | 中国互联网络信息中心 | A kind of network identity validation method and device |
CN106330948A (en) * | 2016-09-09 | 2017-01-11 | 杭州华三通信技术有限公司 | Message control method and message control device |
US11184318B2 (en) | 2016-09-19 | 2021-11-23 | Wangsu Science & Technology Co., Ltd. | 302 redirecting method, URL generating method and system, and domain-name resolving method and system |
CN106453675B (en) | 2016-09-19 | 2022-07-08 | 网宿科技股份有限公司 | 302 jump method, URL (Uniform resource locator) generation method and system and domain name resolution method and system |
CN108282783B (en) * | 2017-09-15 | 2021-03-09 | 阿里巴巴(中国)有限公司 | Public wifi authentication method, device, user terminal and storage medium |
CN109802925B (en) * | 2017-11-17 | 2021-10-29 | 阿里巴巴(中国)有限公司 | Authentication method and system for public WiFi access |
US10708220B2 (en) * | 2017-12-11 | 2020-07-07 | GM Global Technology Operations LLC | System and method for directing a tethered device to an in-vehicle stored landing page based on an available credit or data balance |
CN109982321A (en) * | 2017-12-27 | 2019-07-05 | 中国移动通信集团上海有限公司 | A kind of WLAN access account authentication processing method, apparatus and system |
CN108494761A (en) * | 2018-03-15 | 2018-09-04 | 四川斐讯信息技术有限公司 | A kind of router network address filter method and filtration system |
CN109688127A (en) * | 2018-12-20 | 2019-04-26 | 深圳市吉祥腾达科技有限公司 | A kind of web authentication method for supporting HTTPS page jump |
CN110719263B (en) * | 2019-09-17 | 2023-03-28 | 平安科技(深圳)有限公司 | Multi-tenant DNS security management method, device and storage medium |
CN111064775A (en) * | 2019-12-05 | 2020-04-24 | 深圳市任子行科技开发有限公司 | Method and system for portal authentication aiming at HTTPS (hypertext transfer protocol secure) protocol in bypass deployment mode |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101212297B (en) * | 2006-12-28 | 2012-01-25 | 中国移动通信集团公司 | WEB-based WLAN access authentication method and system |
CN102111406B (en) * | 2010-12-20 | 2014-02-05 | 杭州华三通信技术有限公司 | Authentication method, system and DHCP proxy server |
CN102572830B (en) * | 2012-01-19 | 2015-07-08 | 华为技术有限公司 | Method and customer premise equipment (CPE) for terminal access authentication |
- 2013-09-11 CN CN201310411084.3A patent/CN104427499B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN104427499A (en) | 2015-03-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104427499B (en) | Access authentication of WLAN method and system based on WWW | |
US9344426B2 (en) | Accessing enterprise resources while providing denial-of-service attack protection | |
CN106131079B (en) | Authentication method, system and proxy server | |
EP3095225B1 (en) | Redirect to inspection proxy using single-sign-on bootstrapping | |
US8589675B2 (en) | WLAN authentication method by a subscriber identifier sent by a WLAN terminal | |
CN106685932B (en) | A kind of file access system and method based on cloud service | |
US20180060559A1 (en) | Disposition engine for single sign on (sso) requests | |
US20210168611A1 (en) | Method for securely sharing a url | |
CN104270250B (en) | WiFi internets online connection authentication method based on asymmetric whole encryption | |
CN103179554B (en) | Wireless broadband network connection control method, device and the network equipment | |
CN106789858B (en) | Access control method and device and server | |
CN102710667B (en) | Method for realizing Portal authentication server attack prevention and broadband access server | |
CN109040069B (en) | Cloud application program publishing method, publishing system and access method | |
CN101986598B (en) | Authentication method, server and system | |
US20170070486A1 (en) | Server public key pinning by url | |
CN110557358A (en) | Honeypot server communication method, SSLStrip man-in-the-middle attack perception method and related device | |
CN106357601A (en) | Method for data access, device and system thereof | |
Hossain et al. | Survey of the Protection Mechanisms to the SSL-based Session Hijacking Attacks. | |
WO2016188335A1 (en) | Access control method, apparatus and system for user data | |
CN109218334A (en) | Data processing method, device, access control equipment, certificate server and system | |
GB2555108A (en) | Improvements in and relating to network communications | |
CN108259457A (en) | A kind of WEB authentication methods and device | |
TWI451742B (en) | Secure login method | |
CN110430213B (en) | Service request processing method, device and system | |
CN105119916B (en) | A kind of authentication method and system based on http |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |