CN105007579B - A wireless local area network access authentication method and terminal - Google Patents
Publication number: CN105007579B (application CN201410168868.2A)
Authority: CN (China)
Legal status: Active
Classification: Mobile Radio Communication Systems
Abstract
The present invention provides a wireless local area network (WLAN) access authentication method and a terminal. The method includes: sending an online request message to an authentication server system, so that the authentication server system performs MAC-address-based WLAN access authentication of the terminal according to the terminal MAC address information carried in the online request message; after the WLAN access authentication passes, sending an authentication request message to the authentication server system, so that the authentication server system performs terminal user identity authentication of the terminal according to a previously applied-for security certificate, carried in the authentication request message, that identifies the terminal; and after the terminal user identity authentication passes, accessing the WLAN, and after the terminal user identity authentication fails, disconnecting from the WLAN. The WLAN access authentication method of the invention avoids the very great risk of a terminal relying on the MAC address alone as the identifier that uniquely identifies the user.
Description
Technical field
The present invention relates to the field of communications, and in particular to a wireless local area network (WLAN) access authentication method and terminal.
Background technique
When operating WLAN (wireless local area network) services, a network operator must authenticate a client's access to the WLAN service in order to guarantee that its chargeable service commitment to the client is fulfilled. Common authentication methods include PORTAL authentication, which is based on a web portal interface; authentication methods based on the Extensible Authentication Protocol (EAP) framework, such as EAP-SIM authentication, which identifies a 2G user's SIM card for access to the wireless LAN, EAP-PEAP authentication, which implements user WLAN access authentication based on a certificate plus a user name and password, and EAP-MD5 authentication, which combines the extensible protocol with a hash algorithm; and MAC authentication, which is performed by binding the medium access control (MAC) address of the WLAN network card.
PORTAL authentication is widely used on computer terminals, where the user is accustomed to entering a password manually and uses the WLAN service from a relatively fixed position. On mobile phone terminals, however, entering a password is inconvenient, browser support for page features is inconsistent, and a fairly large number of WLAN applications on mobile phones are not based on a web browser. Moreover, a mobile phone user usually uses the WLAN service while moving, and once the connection is lost the password must be re-entered for authentication, which raises the threshold for using the service and degrades the user experience. PORTAL authentication therefore cannot be applied well on mobile phone terminals.
The PORTAL authentication flow is divided into the following stages:
1. Connection establishment stage
The terminal accesses the service set identifier (SSID) and establishes a physical connection with the access control (AC) server.
2. Dynamic Host Configuration Protocol (DHCP) stage
The AC server detects that the terminal has no IP information; this is the stage at which the terminal is allocated an identity (ID).
3. Forced PORTAL stage
After the connection is established, the terminal attempts to access a public network address; the AC server detects that the user has no network access right and redirects the user's request to a fixed PORTAL page.
4. Authentication flow stage
The user enters a user name and password on the PORTAL page and submits the request; the authentication request reaches the PORTAL server, which triggers the PORTAL authentication flow. After successful authentication, the PORTAL server returns a successful-login page to the terminal.
5. Accounting start stage
After the Remote Authentication Dial-In User Service (RADIUS) system returns an accounting-success message to the AC server, the AC server initiates an accounting-start request to RADIUS, requesting that charging begin.
6. Real-time accounting stage
For a real-time-billed user, RADIUS converts the accounting message into an authentication, authorization and accounting protocol (DIAMETER) message and forwards it to the real-time billing engine, which deducts the fee in real time.
7. Accounting stop
When an accounting-stop request message initiated by the terminal or the AC server reaches RADIUS, RADIUS stops charging.
EAP-class authentication is implemented through network-layer data interaction; it can avoid entering a password, or require the password to be entered only once, with authentication performed automatically on later access. However, EAP-class authentication requires support from the terminal operating system, and a large share of the mobile phone clients on the market do not support EAP-class authentication.
Medium access control (MAC) authentication uses the uniqueness of the mobile phone client's MAC address and is an optimization of PORTAL authentication that frees the user from entering a password. Its principle is that after the terminal user has been authenticated through PORTAL, the server side records the terminal's MAC address together with the authentication information (including user name and password) of the corresponding authenticated user. At the next login, the server side automatically completes authentication for the client according to the previously recorded MAC correspondence. The advantage of this scheme is that authentication is initiated automatically by the server side, which lowers the difficulty of client authentication and improves the user experience.
As shown in Figure 1, the MAC authentication flow is divided into the following stages:
1. The terminal associates with the AC server and obtains an IP address.
2. The terminal initiates a Hypertext Transfer Protocol (HTTP) request; the browser type is carried in the request message header.
3. The AC server redirects the terminal's HTTP request message to the PORTAL server and adds the terminal's MAC address to the message header.
4. The PORTAL server obtains the information in the message header and judges the terminal type; if it is a mobile phone, the MAC address is verified, and if verification succeeds the flow continues to the next step.
5. The PORTAL/MAC server queries the phone number and user password corresponding to the MAC address and sends them to the AC server through the PORTAL protocol.
6 to 8. The AC server sends the user name and password information to the RADIUS server for verification; after verification is complete, the AC server returns the result to the PORTAL server. This process is the same as the PORTAL process.
9. If verification succeeds, the PORTAL/MAC server sends a reminder short message to the user.
10. The business operation support system (BOSS) receives the user's short message refusing to go online.
11. BOSS sends a request to the PORTAL server to remove the MAC binding information.
12. BOSS sends an offline request to the authentication, authorization and accounting (AAA) server.
13. AAA sends a client offline (DM) request to the AC server.
14. The AC server logs the user out.
However, MAC authentication has several problems that it cannot overcome.
MAC address counterfeiting:
In theory a MAC address is uniquely allocated to each terminal, but in actual use it is not complicated for a client to modify its MAC address by hand. Using the MAC address alone as the identifier that uniquely identifies the user therefore carries a very great risk.
Billing problem:
Since MAC authentication is a scheme optimized on the basis of PORTAL authentication, that is, MAC authentication and PORTAL authentication use exactly the same authentication protocol, the RADIUS side cannot distinguish whether the current user was authenticated by the MAC method or by entering a password through PORTAL, and cannot offer differentiated rates.
Summary of the invention
The object of the present invention is to provide a WLAN access authentication method and terminal, which can solve the problem that a current mobile terminal accessing a WLAN using only MAC address authentication is easily usurped by others.
In order to solve the above technical problem, an embodiment of the present invention provides a WLAN access authentication method, applied to a terminal for which medium access control (MAC) address authentication has been enabled, where the method includes:
sending an online request message to an authentication server system, so that the authentication server system performs MAC-address-based WLAN access authentication of the terminal according to the terminal MAC address information carried in the online request message;
after the WLAN access authentication passes, sending an authentication request message to the authentication server system, so that the authentication server system performs terminal user identity authentication of the terminal according to the previously applied-for security certificate, carried in the authentication request message, that identifies the terminal;
after the terminal user identity authentication passes, accessing the WLAN, and after the terminal user identity authentication fails, disconnecting from the WLAN.
Further, the step of sending an online request message to the authentication server system, so that the authentication server system performs MAC-address-based WLAN access authentication of the terminal according to the terminal MAC address information carried in the online request message, includes:
sending an online request message to a portal server, so that the portal server, according to the terminal MAC address information carried in the online request message, sends terminal WLAN user information to an authentication, authorization and accounting (AAA) server, so that the AAA server authenticates the received terminal WLAN user information against the pre-stored terminal WLAN user information, obtains an authentication result, and returns the authentication result to the access control (AC) server; where the terminal WLAN user information includes terminal WLAN account information and/or terminal WLAN password information;
after the AC server receives the authentication-success result, accessing the WLAN.
Further, after the step of accessing the WLAN once the AC server receives the authentication-success result, the method further includes:
sending an accounting request message to the AAA server, so that the AAA server applies differentiated charging to the terminal according to the charging differentiation information, which includes the terminal type, carried in the accounting request message.
Further, the step of sending, after the WLAN access authentication passes, an authentication request message to the authentication server system, so that the authentication server system performs terminal user identity authentication of the terminal according to the previously applied-for security certificate, carried in the authentication request message, that identifies the terminal, includes:
after the WLAN access authentication passes, sending an authentication request message carrying the previously applied-for security certificate identifying the terminal and the terminal WLAN account information to the portal server, so that the portal server queries the user status from the MAC server according to the terminal WLAN account information and, when the status is "waiting for terminal user identity authentication", sends the security certificate to the identity provider (IDP) server, so that the IDP server verifies the legitimacy of the received security certificate against the pre-stored terminal security certificate, obtains a check result, and sends the check result to the portal server, so that the portal server performs WLAN connection control on the terminal that has accessed the WLAN according to the check result; where the user status is modified by the MAC server to "waiting for terminal user identity authentication" after it receives the authentication-success result forwarded by the access control server.
Further, the security certificate can be applied for as follows:
sending encrypted information comprising the international mobile subscriber identity (IMSI), the terminal MAC address and a randomly generated unique sequence number (SID) to a short message service (SMS) gateway, so that the SMS gateway forwards the information to the identity provider (IDP) server, so that the IDP server sends the phone number obtained from the SMS gateway and the IMSI obtained by decrypting the encrypted information to the portal server for verification, so that the portal server looks up and compares the received phone number and IMSI against the pre-stored mapping table of terminal phone numbers with MAC authentication enabled and IMSIs, obtains a lookup comparison result, and sends the lookup comparison result to the IDP server, so that the IDP server generates a security certificate after the lookup comparison result indicates that the correspondence between the IMSI and the phone number is legal; where the security certificate carries the binding information of the MAC address, the IMSI and the phone number;
sending a certificate application request message to the IDP server, so that the IDP server sends the security certificate corresponding to the terminal MAC address to the terminal according to the terminal MAC address information carried in the certificate application request message.
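The certificate application and verification steps above, written out as an added Python example; this is not code from the patent, which specifies neither the certificate format nor the encryption of the SMS payload. The example assumes an HMAC-SHA256-signed JSON binding as the security certificate, an IDP-held signing key, an in-memory certificate store keyed by MAC address, and a constructed phone-to-IMSI mapping table; the SMS payload is passed in already decrypted. The verification step also checks that the MAC address of the terminal presenting the certificate matches the MAC bound in it, which is the check that makes a copied MAC address insufficient on its own.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data, not taken from the patent: the portal server's
# pre-stored mapping table of phone number -> IMSI for terminals that have
# MAC authentication enabled.
PORTAL_PHONE_TO_IMSI = {
    "13800000001": "460001234567890",
    "13800000002": "460009876543210",
}

# Assumed: the IDP signs certificates with an HMAC key it alone holds. The
# patent does not specify the certificate format; this is one concrete choice.
IDP_SIGNING_KEY = b"example-idp-signing-key"

# Assumed: the IDP keeps issued certificates keyed by MAC address so that the
# certificate application request (by MAC) and later verification can find them.
IDP_CERT_STORE = {}


def canonical(binding):
    """Serialize the binding deterministically so signing and checking agree."""
    return json.dumps(binding, sort_keys=True, separators=(",", ":")).encode()


def portal_lookup(phone, imsi):
    """Portal server: compare the received phone number and IMSI against the
    pre-stored mapping table; True means the pair is legal."""
    return PORTAL_PHONE_TO_IMSI.get(phone) == imsi


def terminal_sms_info(imsi, mac):
    """Terminal: the information sent through the SMS gateway (IMSI, MAC and a
    random unique sequence number SID). Encryption of this payload is not
    specified by the patent and is left out here (assumption)."""
    return {"imsi": imsi, "mac": mac.lower(), "sid": secrets.token_hex(8)}


def idp_issue_certificate(phone_from_gateway, info):
    """IDP server: the SMS gateway supplies the sender's phone number; the IMSI
    comes from the forwarded information. Ask the portal whether the pair is
    legal and, if so, generate a certificate binding MAC, IMSI and phone."""
    if not portal_lookup(phone_from_gateway, info["imsi"]):
        return None
    binding = {"mac": info["mac"], "imsi": info["imsi"],
               "phone": phone_from_gateway, "sid": info["sid"]}
    sig = hmac.new(IDP_SIGNING_KEY, canonical(binding), hashlib.sha256).hexdigest()
    cert = {"binding": binding, "sig": sig}
    IDP_CERT_STORE[binding["mac"]] = cert
    return cert


def idp_fetch_certificate(mac):
    """IDP server: answer the terminal's certificate application request with
    the certificate corresponding to the given terminal MAC address."""
    return IDP_CERT_STORE.get(mac.lower())


def idp_verify_certificate(cert, presenting_mac):
    """IDP server: check the certificate presented in the authentication
    request against the pre-stored one. True only if the signature is valid,
    the stored certificate for that MAC is identical, and the MAC the terminal
    is using now matches the bound MAC."""
    if not cert or "binding" not in cert or "sig" not in cert:
        return False
    expected = hmac.new(IDP_SIGNING_KEY, canonical(cert["binding"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False
    stored = IDP_CERT_STORE.get(cert["binding"]["mac"])
    if stored is None or stored["sig"] != cert["sig"]:
        return False
    return cert["binding"]["mac"] == presenting_mac.lower()


if __name__ == "__main__":
    info = terminal_sms_info("460001234567890", "AA:BB:CC:DD:EE:01")
    cert = idp_issue_certificate("13800000001", info)
    print("issued:", cert is not None)
    print("valid from bound MAC:", idp_verify_certificate(cert, "aa:bb:cc:dd:ee:01"))
    print("valid from other MAC:", idp_verify_certificate(cert, "aa:bb:cc:dd:ee:99"))
```

The portal lookup is what ties the certificate to the subscriber rather than to the hardware address: the IDP issues nothing unless the phone number reported by the SMS gateway and the IMSI inside the message match the operator's own table.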
In order to solve the above technical problem, an embodiment of the present invention also provides a terminal, comprising:
a first sending module, configured to send an online request message to an authentication server system, so that the authentication server system performs MAC-address-based WLAN access authentication of the terminal according to the terminal MAC address information carried in the online request message;
a second sending module, configured to send, after the WLAN access authentication passes, an authentication request message to the authentication server system, so that the authentication server system performs terminal user identity authentication of the terminal according to the previously applied-for security certificate, carried in the authentication request message, that identifies the terminal;
a processing module, configured to access the WLAN after the terminal user identity authentication passes, and to disconnect from the WLAN after the terminal user identity authentication fails.
Further, the first sending module includes:
a first sending submodule, configured to send an online request message to a portal server, so that the portal server, according to the terminal MAC address information carried in the online request message, sends terminal WLAN user information to an authentication, authorization and accounting (AAA) server, so that the AAA server authenticates the received terminal WLAN user information against the pre-stored terminal WLAN user information, obtains an authentication result, and returns the authentication result to the access control (AC) server; where the terminal WLAN user information includes terminal WLAN account information and/or terminal WLAN password information;
an access submodule, configured to access the WLAN after the AC server receives the authentication-success result.
Further, the terminal further includes:
a third sending module, configured to send an accounting request message to the AAA server, so that the AAA server applies differentiated charging to the terminal according to the charging differentiation information, which includes the terminal type, carried in the accounting request message.
Further, the second sending module includes:
a second sending submodule, configured to send, after the WLAN access authentication passes, an authentication request message carrying the previously applied-for security certificate identifying the terminal and the terminal WLAN account information to the portal server, so that the portal server queries the user status from the MAC server according to the terminal WLAN account information and, when the status is "waiting for terminal user identity authentication", sends the security certificate to the identity provider (IDP) server, so that the IDP server verifies the legitimacy of the received security certificate against the pre-stored terminal security certificate, obtains a check result, and sends the check result to the portal server, so that the portal server performs WLAN connection control on the terminal that has accessed the WLAN according to the check result; where the user status is modified by the MAC server to "waiting for terminal user identity authentication" after it receives the authentication-success result forwarded by the access control server.
Further, the terminal further includes:
a fourth sending module, configured to send encrypted information comprising the international mobile subscriber identity (IMSI), the terminal MAC address and a randomly generated unique sequence number (SID) to a short message service (SMS) gateway, so that the SMS gateway forwards the information to the identity provider (IDP) server, so that the IDP server sends the phone number obtained from the SMS gateway and the IMSI obtained by decrypting the encrypted information to the portal server for verification, so that the portal server looks up and compares the received phone number and IMSI against the pre-stored mapping table of terminal phone numbers with MAC authentication enabled and IMSIs, obtains a lookup comparison result, and sends the lookup comparison result to the IDP server, so that the IDP server generates a security certificate after the lookup comparison result indicates that the correspondence between the IMSI and the phone number is legal; where the security certificate carries the binding information of the MAC address, the IMSI and the phone number;
a fifth sending module, configured to send a certificate application request message to the IDP server, so that the IDP server sends the security certificate corresponding to the terminal MAC address to the terminal according to the terminal MAC address information carried in the certificate application request message.
The beneficial effects of the present invention are as follows:
A two-step authentication scheme is used: the WLAN access authentication method and terminal of the invention first use a MAC-address-based authentication scheme and then a terminal security certificate authentication scheme. Combining the two schemes effectively avoids the problem that a terminal relying on the MAC address alone as the identifier uniquely identifying the user is easily usurped.
Description of the drawings
Figure 1 shows the MAC authentication flow;
Figure 2 shows the flow of a terminal enabling MAC authentication;
Figure 3 shows the flow of a terminal cancelling MAC authentication;
Figure 4 shows a first schematic flow diagram of the WLAN access authentication method of the invention;
Figure 5 shows a second schematic flow diagram of the WLAN access authentication method of the invention;
Figure 6 shows the flow of a terminal going online for the first time after MAC authentication has been enabled;
Figure 7 shows the flow of a terminal applying for a security certificate;
Figure 8 shows a first schematic structural diagram of the terminal of the invention;
Figure 9 shows a second schematic structural diagram of the terminal of the invention;
Figure 10 shows a second schematic structural diagram of the terminal of the invention.
Specific embodiments
To make the object, technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
To address the problem that a current mobile terminal accessing a WLAN using only MAC address authentication is easily usurped by others, the present invention provides a WLAN access authentication method applied to a terminal for which medium access control (MAC) address authentication has been enabled. The method comprises: sending an online request message to an authentication server system, so that the authentication server system performs MAC-address-based WLAN access authentication of the terminal according to the terminal MAC address information carried in the online request message; after the WLAN access authentication passes, sending an authentication request message to the authentication server system, so that the authentication server system performs terminal user identity authentication of the terminal according to the previously applied-for security certificate, carried in the authentication request message, that identifies the terminal; and after the terminal user identity authentication passes, accessing the WLAN, and after the terminal user identity authentication fails, disconnecting from the WLAN. That is, the WLAN access authentication method of the invention uses a two-step authentication scheme: first a MAC-address-based authentication scheme, then a terminal certificate authentication scheme. Combining the two schemes effectively avoids the problem that a terminal relying on the MAC address alone as the identifier uniquely identifying the user is easily usurped.
First, the flow by which the above terminal enables MAC-address-based authentication is described in detail with reference to the drawings and specific embodiments.
As shown in Figure 2, the flow comprises the following steps:
Step 21: the terminal or client connects to a wireless access point (AP);
Step 22: the access control server (AC server) allocates an IP address to the terminal or client;
Step 23: the terminal or client calls the web service interface of the portal server to initiate a request to the portal server to enable the "MAC + client rapid authentication" function;
Step 24: the portal server calls the web service interface of the business operation support system (BOSS) to initiate a request to enable the "MAC + client rapid authentication" function;
Step 25: BOSS calls the man-machine language (MML) command of the authentication, authorization and accounting (AAA) server to enable the "MAC + client rapid authentication" function on the AAA server;
Step 26: the AAA server saves the user information, including the terminal WLAN user account, password and/or terminal MAC address, and the binding correspondence between the phone number and the international mobile subscriber identity (IMSI) of the terminal enabling MAC authentication;
Step 27: AAA returns an enable-success result to BOSS;
Step 28: BOSS returns a processing-success result to the portal server;
Step 29: the portal server saves the user information, that is, the portal server notifies the MAC server to save the user information;
Step 30: the portal server returns a processing-success result to the terminal.
Of course, if the user intends to use PORTAL authentication or another authentication mode when the terminal accesses the WLAN, the above MAC-address-based authentication service can be cancelled. The cancellation flow, shown in Figure 3, comprises the following steps:
Step 31: the terminal or client connects to a wireless access point (AP);
Step 32: the access control server (AC server) allocates an IP address to the terminal or client;
Step 33: the terminal or client calls the web service interface of the portal server to initiate a request to the portal server to cancel the "MAC + client rapid authentication" function;
Step 34: the portal server calls the web service interface of the business operation support system (BOSS) to initiate a request to cancel the "MAC + client rapid authentication" function;
Step 35: BOSS calls the man-machine language (MML) command of the authentication, authorization and accounting (AAA) server to cancel the "MAC + client rapid authentication" function on the AAA server;
Step 36: the AAA server deletes the user information, including the terminal WLAN user account, password and/or terminal MAC address, and the binding correspondence between the phone number and the international mobile subscriber identity (IMSI) of the terminal that enabled MAC authentication;
Step 37: AAA returns a cancel-success result to BOSS;
Step 38: BOSS returns a cancel-success result to the portal server;
Step 39: the portal server deletes the user information, that is, the portal server notifies the MAC server to delete the binding correspondence between the terminal WLAN account information and the terminal MAC address;
Step 40: the portal server returns a cancel-success result to the terminal.
As shown in Figure 4, in the case where MAC-address-based authentication has been enabled for the terminal or client, the flow of the user going online for the first time comprises the following steps:
First, step 41: sending an online request message to the authentication server system, so that the authentication server system performs MAC-address-based WLAN access authentication of the terminal according to the terminal MAC address information carried in the online request message.
The implementation of step 41 specifically includes step 411 shown in Figure 5: sending an online request message to the portal server, so that the portal server, according to the terminal MAC address information carried in the online request message, sends terminal WLAN user information to the authentication, authorization and accounting (AAA) server, so that the AAA server authenticates the received terminal WLAN user information against the pre-stored terminal WLAN user information, obtains an authentication result, and returns the authentication result to the access control (AC) server; where the terminal WLAN user information includes terminal WLAN account information and/or terminal WLAN password information.
Step 411 corresponds to steps 61 to 70 in Figure 6, specifically:
Step 61: the terminal connects to a wireless access point (AP);
Step 62: the access control server (AC server) allocates an IP address to the terminal;
Step 63: the terminal sends an online request message to the AC server; the online request contains information such as the AC server information, the user MAC address and the user IP address;
Step 64: only when the online request traffic has reached the flow threshold does the AC server trigger a query of the MAC address binding information (the binding information of the MAC address with the terminal WLAN account and password), that is, the AC server sends a MAC address binding information query request message to the MAC server.
The MAC-address-based access authentication has a MAC authentication trigger mechanism: the AC server should by default let all user traffic pass, and only after a user's aggregate traffic within a unit time reaches a certain threshold (for example 10K) does the AC server start to trigger MAC authentication. The advantage of this mechanism is that MAC authentication is not triggered immediately upon WLAN association, which reduces the RADIUS authentication load caused by terminals frequently moving and associating with the WLAN, and avoids the user having to associate with the WLAN again and again to initiate MAC authentication. Since waiting for MAC authentication to complete may affect the operation and experience of terminal applications, this delay is verified and optimized in a pilot.
After the traffic reaches the threshold set by the AC server, the AC server initiates a MAC address binding query to the PORTAL/MAC server. The query request and response are as follows:
1. MAC binding query interface definition
The MAC binding query interface is an interface in the PORTAL protocol. In it, the PORTAL protocol version field Ver=0x01, the message type field Type=0x30, the message sequence field SerialNo is a value randomly generated by the AC server, the terminal user internet address UserIP is the user IP address corresponding to the MAC, and the variable-length field AttrNum=2. The attributes are as listed in the following table:
After receiving the message request, the AAA binding central server queries whether the session ID (that is, the terminal MAC address) is bound, and replies with the result in the following MAC query response message (Type=0x31).
2. MAC binding query response interface
Here Ver=0x01, Type=0x31, SerialNo is the SerialNo of the initiating 0x30 message, UserIP is the user IP corresponding to the MAC, and AttrNum=0.
An error code ErrCode equal to 0 indicates that the MAC has been bound.
An error code ErrCode equal to 1 indicates that the MAC is unbound.
After the AAA binding central server receives the 0x30 request message, it queries the binding state corresponding to the MAC address. If it is bound, it returns a response message with ErrCode equal to 0x00, indicating bound, and at the same time the PORTAL server should be notified to initiate the automatic PORTAL authentication process; if it is unbound, it returns a MAC query response message with ErrCode equal to 0x01, indicating unbound.
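The AC-side flow threshold trigger and the MAC binding query exchange above (Type=0x30 query, Type=0x31 response echoing SerialNo and UserIP with AttrNum=0, ErrCode 0 bound / 1 unbound), together with the rule in step 66 later on the page that a terminal with MAC authentication enabled is reported as bound, as an added Python example that is not code from the patent. The 16-byte header layout (Ver, Type, Method, Rsvd, SerialNo, ReqID, UserIP, UserPort, ErrCode, AttrNum) and the TLV attribute encoding are assumed from the Portal protocol version 1 header; the two query attribute types (MAC address, AC IP) are assumed because the page's attribute table is not reproduced; and the 10K threshold is read as 10 × 1024 bytes within a 60-second window. The parser rejects short, wrong-version and truncated messages rather than reading past the buffer.

```python
import ipaddress
import secrets
import struct

VER = 0x01
TYPE_MAC_QUERY = 0x30       # MAC binding query, AC server -> PORTAL/MAC server
TYPE_MAC_RESPONSE = 0x31    # MAC binding query response
ERR_BOUND = 0x00            # ErrCode 0: the MAC has been bound
ERR_UNBOUND = 0x01          # ErrCode 1: the MAC is unbound

# Assumed header layout (Portal protocol v1), not given on the page:
# Ver, Type, Method, Rsvd, SerialNo, ReqID, UserIP, UserPort, ErrCode, AttrNum
HEADER = "!BBBBHHIHBB"
HEADER_LEN = struct.calcsize(HEADER)   # 16 bytes
ATTR_MAC = 0x01     # assumed attribute type: terminal MAC address
ATTR_AC_IP = 0x02   # assumed attribute type: AC server IP


class FlowTrigger:
    """AC server side: let all user traffic pass by default and report True
    exactly once, when a user's aggregate traffic within the unit time reaches
    the threshold (the page's example value is 10K)."""

    def __init__(self, threshold_bytes=10 * 1024, window_seconds=60):
        self.threshold = threshold_bytes
        self.window = window_seconds
        self.state = {}   # user_ip -> (window_start, bytes_in_window, triggered)

    def record(self, user_ip, nbytes, now):
        start, total, triggered = self.state.get(user_ip, (now, 0, False))
        if now - start >= self.window:          # new unit time: restart the count
            start, total = now, 0
        total += nbytes
        fire = not triggered and total >= self.threshold
        self.state[user_ip] = (start, total, triggered or fire)
        return fire


def _encode_attrs(pairs):
    """TLV attributes: type (1 byte), length including the 2 header bytes, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def build_mac_query(user_ip, mac, ac_ip):
    """AC server: Type=0x30 with a random SerialNo and the user's IP in UserIP."""
    attrs = [(ATTR_MAC, bytes.fromhex(mac.replace(":", ""))),
             (ATTR_AC_IP, ipaddress.IPv4Address(ac_ip).packed)]
    header = struct.pack(HEADER, VER, TYPE_MAC_QUERY, 0, 0, secrets.randbelow(0x10000),
                         0, int(ipaddress.IPv4Address(user_ip)), 0, 0, len(attrs))
    return header + _encode_attrs(attrs)


def parse_message(data):
    """Parse header and attributes; reject short, bad-version or truncated input."""
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than header")
    ver, typ, _, _, serial, _, uip, _, err, attrnum = struct.unpack(HEADER, data[:HEADER_LEN])
    if ver != VER:
        raise ValueError("unsupported Ver %#x" % ver)
    attrs, pos = {}, HEADER_LEN
    for _ in range(attrnum):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return {"type": typ, "serial": serial, "user_ip": str(ipaddress.IPv4Address(uip)),
            "err": err, "attrs": attrs}


class MacServer:
    """PORTAL/MAC server: answers with Type=0x31, echoing SerialNo and UserIP,
    AttrNum=0 and ErrCode 0 (bound) or 1 (unbound)."""

    def __init__(self, bindings, enabled_terminals):
        self.bindings = bindings                 # mac -> (WLAN account, password)
        self.enabled = set(enabled_terminals)    # MACs with MAC authentication enabled
        self.user_state = {}                     # mac -> status (step 67)

    def handle(self, data):
        msg = parse_message(data)
        if msg["type"] != TYPE_MAC_QUERY or ATTR_MAC not in msg["attrs"]:
            raise ValueError("not a MAC binding query")
        mac = msg["attrs"][ATTR_MAC].hex(":")
        # Step 66: a terminal that has enabled MAC authentication is reported as
        # bound even if no binding record exists yet (first-time enabling).
        bound = mac in self.bindings or mac in self.enabled
        if bound:
            self.user_state[mac] = "waiting for MAC authentication"   # step 67
        return struct.pack(HEADER, VER, TYPE_MAC_RESPONSE, 0, 0, msg["serial"], 0,
                           int(ipaddress.IPv4Address(msg["user_ip"])), 0,
                           ERR_BOUND if bound else ERR_UNBOUND, 0)


def ac_check_binding(server, user_ip, mac, ac_ip):
    """AC server: send the query to the MAC server and return the parsed response."""
    return parse_message(server.handle(build_mac_query(user_ip, mac, ac_ip)))


if __name__ == "__main__":
    # Constructed sample data: one bound terminal and one merely enabled.
    server = MacServer({"aa:bb:cc:dd:ee:01": ("wlan-user-01", "secret")}, ["aa:bb:cc:dd:ee:02"])
    trigger = FlowTrigger()
    for t, nbytes in ((0.0, 6000), (1.0, 3000), (2.0, 2000)):   # constructed traffic samples
        if trigger.record("10.0.0.5", nbytes, t):
            print(t, ac_check_binding(server, "10.0.0.5", "aa:bb:cc:dd:ee:01", "192.0.2.1"))
```

Because `FlowTrigger.record` fires only once per user, the AC does not keep re-querying the MAC server for a terminal whose authentication is already in progress, which is the load-reduction the trigger mechanism is meant to give.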
Step 65: after receiving the MAC address binding information query request message sent by the AC server, the media access control (MAC) server processes the request, i.e. according to the MAC address information carried in the request message it queries whether the MAC address is bound, or whether the terminal has enabled MAC address based authentication (once the terminal has enabled MAC address based authentication, the MAC server pre-stores the terminal's wireless LAN account and password);
Step 66: if the MAC server finds that the terminal has enabled MAC address based authentication, it returns a "bound" result to the AC server regardless of whether the MAC address is bound. This is done mainly to be compatible with the case where the user has enabled the service for the first time. After the "bound" result is returned, the following steps are carried out:
Step 67: the user's state is changed to "waiting for MAC authentication"; then
Step 68: after receiving the terminal online request message forwarded by the AC server, the portal server queries, according to the terminal MAC address carried in the online request message, the terminal wireless LAN user information bound to that MAC address (including the terminal wireless LAN account information and/or the terminal wireless LAN password information), and after finding the terminal wireless LAN user information bound to the MAC address, sends an authentication message carrying that terminal wireless LAN user information to the AC server;
Step 69: the AC server forwards this message to the AAA server;
Step 70: after receiving this message, the AAA server obtains the terminal wireless LAN user information, authenticates the received terminal wireless LAN user information against the pre-stored terminal wireless LAN user information, obtains an authentication result, and returns the authentication result to the AC server.
The implementation of step 41 specifically includes step 412 shown in Fig. 5: after the AC server receives a successful authentication result, the wireless LAN is accessed. Referring to Fig. 6, in step 71 the AC server forwards this successful authentication result to the MAC server, so that in step 72 the MAC server changes the user state to "waiting for terminal (mobile phone) authentication".
In summary, step 41 (corresponding to steps 61 to 70 of Fig. 6) describes the wireless LAN access authentication step in detail. It first uses the MAC address based authentication scheme, in which authentication is initiated automatically by the server side to reduce the difficulty of client authentication, simplify the access operation, improve the access success rate, shorten the time it takes the user to access the wireless LAN, and improve the user experience.
However, although MAC address based authentication has the above advantages when a terminal accesses the wireless LAN, MAC authentication is a scheme optimised on the basis of PORTAL authentication, that is, the authentication protocol used by MAC authentication is exactly the same as that used by PORTAL authentication. The RADIUS side therefore cannot distinguish whether the current user was authenticated by the MAC method or by entering a password through the PORTAL, and cannot apply differentiated tariffs. To address this, after the AC server receives the successful authentication result in step 312 and the wireless LAN is accessed, the method further includes the following step:
sending an accounting request message to the AAA server, so that the AAA server applies differentiated charging to the terminal according to the charging distinction information, including the terminal type, carried in the accounting request message.
This corresponds to the following steps in Fig. 6:
Step 73: the terminal's accounting request message Accounting-Request is forwarded via the AC server to the AAA server. The accounting request message carries charging distinction information that includes the terminal type; for example, the NasPortType field of the Accounting-Request is filled with a special value (this example uses 30, meaning that the terminal type is a mobile phone), so that computer terminals and mobile phone terminals using the wireless LAN can be distinguished and charged under different charging policies. This encourages users to use the wireless LAN from a mobile phone, exploits the traffic-offload effect of the wireless LAN, and gives mobile phone users of the wireless LAN a more favourable tariff;
Step 74: according to the received accounting request, the AAA server returns an accounting response to the AC server, and starts charging the terminal that has been fast-connected to the wireless LAN.
Of course, when the terminal sends the authentication request to the server system, it at the same time applies for a security certificate used to identify the terminal, as follows. The application process for the security certificate is shown in Fig. 7 and includes the following steps:
Step 711: sending, to the short message gateway, encrypted information containing the international mobile subscriber identity (IMSI), the terminal MAC address and a randomly generated unique sequence number SID, so that the short message gateway forwards the information to the identity provider (IDP) server; the IDP server sends the mobile phone number obtained from the short message gateway and the IMSI obtained by decrypting the encrypted information to the portal server for verification; the portal server looks up and compares the received mobile phone number and IMSI against its pre-stored mapping table of mobile phone numbers that have enabled MAC authentication and their IMSIs, obtains a lookup result, and sends the lookup result to the IDP server; and the IDP server generates the security certificate after the lookup result indicates that the correspondence between the IMSI and the mobile phone number is legitimate. The security certificate carries the binding information of the MAC address, the IMSI and the mobile phone number.
Step 711 above corresponds to steps 75 to 81 in Fig. 6, specifically:
Step 75: the terminal contains a SIM card. The terminal first generates a unique sequence number SID from the terminal MAC address and the IMSI of the terminal that has enabled MAC address based authentication, and prepares the public key (PKI) of the asymmetric encryption algorithm of the IDP certificate centre;
Step 76: using the public key of the IDP certificate centre's asymmetric encryption algorithm, the terminal encrypts the SID, the terminal MAC address and the IMSI, and sends them by short message to the short message gateway (which may be the short message gateway IOD);
Step 77: the short message gateway forwards the encrypted information to the certificate centre IDP; the certificate centre IDP decrypts the encrypted information, obtains the binding correspondence of the IMSI, the terminal MAC address and the SID, and obtains the terminal's mobile phone number from the short message gateway;
Step 78: the certificate centre IDP sends the mobile phone number and the IMSI obtained after decryption to the portal server for verification;
Step 79: because the terminal has enabled MAC address based authentication, the portal server holds a mapping table of the terminal's mobile phone number and IMSI. After the portal server receives the mobile phone number and IMSI sent by the certificate centre IDP, it queries this table for the correspondence between the received mobile phone number and IMSI, and checks the legitimacy of this correspondence, i.e. whether the mobile phone number has been bound to the corresponding IMSI. If the portal server finds the correspondence between the received mobile phone number and IMSI, and finds that the correspondence is legitimate, step 80 is carried out;
Step 80: the portal server returns to the certificate centre IDP the result of whether the mobile phone number and the corresponding IMSI have been bound;
Step 81: the certificate centre IDP generates the terminal security certificate according to this "bound" result, the security certificate carrying the binding information of the terminal MAC address, the IMSI and the corresponding mobile phone number.
As shown in Fig. 7, the application process for the security certificate further includes step 712: sending a certificate request message to the IDP server, so that the IDP server sends the security certificate corresponding to the terminal MAC address to the terminal according to the terminal MAC address information carried in the certificate request message.
Step 712 above corresponds to steps 82 to 87 in Fig. 6, specifically:
Step 82: the terminal sends a certificate request message to the portal server;
Step 83: the portal server passes this message through to the certificate centre IDP;
Step 84: according to the terminal MAC address information carried in the certificate request message, the certificate centre IDP generates the security certificate corresponding to that terminal MAC address;
Step 85: the certificate centre IDP returns the security certificate to the portal server;
Step 86: the portal server returns this certificate to the terminal;
Step 87: the terminal receives this certificate and saves it.
Secondly, as shown in Fig. 4, the process of the user going online for the first time further includes the following steps:
Step 42: after the wireless LAN access authentication passes, sending an authentication request message to the authentication server system, so that the authentication server system carries out terminal user identity authentication of the terminal according to the previously applied-for security certificate, used to identify the terminal, that is carried in the authentication request message;
Step 43: after the terminal user identity authentication passes, accessing the wireless LAN, and after the terminal user identity authentication fails, disconnecting from the wireless LAN.
The implementation of step 42 specifically includes the following:
after the wireless LAN access authentication passes, an authentication request message carrying the previously applied-for security certificate used to identify the terminal and the terminal wireless LAN account information is sent to the portal server, so that the portal server, after querying the MAC server according to the terminal wireless LAN account information and finding that the user state is "waiting for terminal user identity authentication", sends the security certificate to the identity provider (IDP) server; the IDP server checks the legitimacy of the received security certificate against the pre-stored terminal security certificate, obtains a check result and sends the check result to the portal server; and the portal server performs wireless LAN connection control of the terminal that has accessed the wireless LAN according to the check result. Here the user state is the state that the MAC server changed to "waiting for terminal user identity authentication" after receiving the successful authentication result forwarded by the access control server.
Steps 42 and 43 above correspond to steps 88 to 94 in Fig. 6, specifically:
Step 88: after the wireless LAN access authentication passes, an authentication request message carrying the previously applied-for security certificate used to identify the terminal and the terminal wireless LAN account information is sent to the portal server;
Step 89: after receiving this authentication request message, the portal server sends a request message querying the user state information to the MAC server according to the terminal wireless LAN account information carried in the authentication request message;
Step 90: after receiving this request message, the MAC server queries the user state, obtains the query result and returns it to the portal server;
Step 91-1: if the above result indicates that the user state is "waiting for mobile phone authentication" (the "waiting for terminal user identity authentication" state), the message is passed through to the certificate centre IDP;
Step 91-2: if the above result indicates that the user state is not "waiting for mobile phone authentication", this result is returned to the terminal and step 68 is repeated;
Step 92: following step 91-1, the IDP server checks the legitimacy of the information in the received security certificate against the pre-stored terminal security certificate and obtains a check result;
Step 93: the check result is returned to the portal server, and the portal server performs wireless LAN connection control of the terminal that has accessed the wireless LAN according to the check result;
Step 94: if the portal server receives a result that the security certificate information is legitimate, it returns the successful check result to the terminal and at the same time allows the terminal that has accessed the wireless LAN to continue online; if the portal server receives a result that the security certificate information is not legitimate, it makes the terminal that has accessed the wireless LAN disconnect from the wireless LAN.
This ends the process of the terminal going online for the first time. When the terminal later accesses the wireless LAN, it does not need to apply for the certificate again; of course, if the terminal has changed its SIM card or the mobile phone terminal has been replaced, MAC authentication should be enabled again and a terminal security certificate applied for again.
The wireless LAN access authentication method of the invention uses a two-step authentication scheme: MAC address based authentication is used first, and terminal security certificate authentication is used on top of it. Combining the two schemes effectively avoids the problem that a terminal relying only on the MAC address as the identifier uniquely identifying the user is easily impersonated. For example, a MAC address is easily modified by software. With the two-step authentication of this scheme, if user A enables MAC authentication for the first time, during enabling the terminal submits data to the IDP certificate centre by short message and the IDP certificate centre generates a security certificate which, as described above, contains the terminal MAC address, the mobile phone number that enabled MAC authentication and other information. If another user then forges the MAC address of user A, the first-step MAC authentication may pass, but the second step, terminal user identity authentication of the terminal, i.e. the signature authentication initiated by the terminal, checks not only the MAC address but also the terminal wireless LAN account information and/or terminal wireless LAN password information and the sequence number SID encrypted by a special algorithm. The counterfeit terminal does not have these data, so its authentication necessarily fails and the user is kicked offline.
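The two-step scheme just described, covering both the certificate application of steps 75 to 87 and the terminal user identity authentication of steps 88 to 94 that a MAC-spoofing terminal cannot pass, as an added Python example that is not part of the patent. The certificate is modelled as a JSON payload (MAC, IMSI, phone number, SID) with an HMAC-SHA256 tag under an IDP-only key; the page does not fix a certificate format or signature scheme, so that is an assumption. The SMS leg is shown without the public-key encryption the page describes. The point the code makes explicit is where the trust comes from: the phone number the IDP checks against the portal's table is the one the SMS gateway reports for the sending SIM, not a field the terminal chooses, and the second step requires the certificate and the SID, neither of which a terminal that only cloned the MAC address has. Keys, identifiers and state names are constructed.

```python
import hashlib
import hmac
import json
import secrets


class MacServer:
    """Per-MAC user state as the page describes: waiting MAC auth -> waiting terminal auth -> online."""
    def __init__(self):
        self.state = {}

    def mac_auth_passed(self, mac):          # steps 71/72
        self.state[mac] = "WAIT_TERMINAL_AUTH"

    def status(self, mac):
        return self.state.get(mac, "WAIT_MAC_AUTH")


class PortalServer:
    """Holds the phone-number -> IMSI table recorded when MAC authentication was enabled."""
    def __init__(self, mac_server):
        self.phone_to_imsi = {}
        self.mac_server = mac_server

    def enable_mac_auth(self, phone, imsi):
        self.phone_to_imsi[phone] = imsi

    def binding_is_legal(self, phone, imsi):  # steps 78 to 80
        return self.phone_to_imsi.get(phone) == imsi


class IdpServer:
    """Certificate centre: issues a certificate binding MAC, IMSI and phone, later verifies it."""
    def __init__(self, portal, key):
        self.portal = portal
        self.key = key          # assumed IDP-only secret for the HMAC tag (stand-in for a signature)
        self.certs = {}         # MAC -> pre-stored certificate that step 92 verifies against

    def _tag(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def handle_sms(self, sender_phone, body):  # steps 77 to 81; sender_phone comes from the SMS gateway
        if not self.portal.binding_is_legal(sender_phone, body["imsi"]):
            return False
        payload = json.dumps({"mac": body["mac"], "imsi": body["imsi"],
                              "phone": sender_phone, "sid": body["sid"]}, sort_keys=True)
        self.certs[body["mac"]] = {"payload": payload, "tag": self._tag(payload)}
        return True

    def fetch_certificate(self, mac):         # steps 82 to 86
        return self.certs.get(mac)

    def verify(self, mac, cert, sid):         # step 92
        stored = self.certs.get(mac)
        if stored is None or cert is None:
            return False
        if not hmac.compare_digest(self._tag(cert["payload"]), cert["tag"]):
            return False                       # forged or tampered certificate
        if not hmac.compare_digest(stored["payload"], cert["payload"]):
            return False                       # not the certificate pre-stored for this MAC
        fields = json.loads(cert["payload"])
        return fields["mac"] == mac and hmac.compare_digest(fields["sid"], sid)


class Terminal:
    def __init__(self, mac, imsi, phone):
        self.mac, self.imsi, self.phone = mac, imsi, phone
        self.sid = secrets.token_hex(16)       # step 75: unique SID, known only to terminal and IDP
        self.cert = None

    def apply_for_certificate(self, idp):     # steps 76 to 87 (public-key encryption of the SMS omitted)
        # In deployment the gateway, not this message, tells the IDP which SIM sent the SMS.
        if idp.handle_sms(self.phone, {"mac": self.mac, "imsi": self.imsi, "sid": self.sid}):
            self.cert = idp.fetch_certificate(self.mac)
        return self.cert is not None


def second_step_auth(portal, idp, mac, cert, sid):   # steps 88 to 94
    """Portal-side decision: online, disconnected, or back to step 68 (repeat MAC auth)."""
    if portal.mac_server.status(mac) != "WAIT_TERMINAL_AUTH":
        return "repeat-mac-auth"                            # step 91-2
    if idp.verify(mac, cert, sid):                          # steps 91-1, 92, 93
        portal.mac_server.state[mac] = "ONLINE"
        return "online"                                     # step 94, legitimate
    portal.mac_server.state.pop(mac, None)
    return "disconnected"                                   # step 94, not legitimate
```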
As shown in Fig. 8, an embodiment of the invention also provides a terminal, comprising:
a first sending module 811, for sending an online request message to the authentication server system, so that the authentication server system carries out MAC address based wireless LAN access authentication of the terminal according to the terminal MAC address information carried in the online request message;
a second sending module 812, for sending, after the wireless LAN access authentication passes, an authentication request message to the authentication server system, so that the authentication server system carries out terminal user identity authentication of the terminal according to the previously applied-for security certificate, used to identify the terminal, that is carried in the authentication request message;
a processing module 813, for accessing the wireless LAN after the terminal user identity authentication passes, and disconnecting from the wireless LAN after the terminal user identity authentication fails.
The terminal of the invention uses a two-step authentication scheme: MAC address based authentication first, and terminal certificate authentication in addition. Combining the two schemes effectively avoids the problem that a terminal relying only on the MAC address as the identifier uniquely identifying the user is easily impersonated.
As shown in Fig. 9, the first sending module 811 includes:
a first sending submodule 911, for sending an online request message to the portal server, so that the portal server sends the terminal wireless LAN user information to the authentication, authorisation and accounting (AAA) server according to the terminal MAC address information carried in the online request message, and the AAA server authenticates the received terminal wireless LAN user information against the pre-stored terminal wireless LAN user information, obtains an authentication result, and returns the authentication result to the access control (AC) server; here the terminal wireless LAN user information includes the terminal wireless LAN account information and/or the terminal wireless LAN password information;
an access submodule 912, for accessing the wireless LAN after the AC server receives a successful authentication result.
The above terminal first uses the MAC address based authentication scheme, in which authentication is initiated automatically by the server side to reduce the difficulty of client authentication, simplify the access operation, improve the access success rate, shorten the time it takes the user to access the wireless LAN, and improve the user experience.
The terminal further includes:
a third sending module, for sending an accounting request message to the AAA server, so that the AAA server applies differentiated charging to the terminal according to the charging distinction information, including the terminal type, carried in the accounting request message. With differentiated charging, computer terminals and mobile phone terminals using the wireless LAN are distinguished and charged under different charging policies, which encourages users to use the wireless LAN from a mobile phone, exploits the traffic-offload effect of the wireless LAN, and gives mobile phone users of the wireless LAN a more favourable tariff.
The second sending module includes:
a second sending submodule, for sending, after the wireless LAN access authentication passes, an authentication request message carrying the previously applied-for security certificate used to identify the terminal and the terminal wireless LAN account information to the portal server, so that the portal server, after querying the MAC server according to the terminal wireless LAN account information and finding that the user state is "waiting for terminal user identity authentication", sends the security certificate to the identity provider (IDP) server; the IDP server checks the legitimacy of the received security certificate against the pre-stored terminal security certificate, obtains a check result and sends the check result to the portal server; and the portal server performs wireless LAN connection control of the terminal that has accessed the wireless LAN according to the check result. Here the user state is the state that the MAC server changed to "waiting for terminal user identity authentication" after receiving the successful authentication result forwarded by the access control server.
After the above MAC authentication process, the terminal further uses terminal security certificate authentication, which effectively avoids the problem that a terminal relying only on the MAC address as the identifier uniquely identifying the user is easily impersonated.
As shown in Fig. 10, the terminal further includes:
a fourth sending module 1011, for sending, to the short message gateway, encrypted information containing the IMSI, the terminal MAC address and a randomly generated unique sequence number SID, so that the short message gateway forwards the information to the IDP server; the IDP server sends the mobile phone number obtained from the short message gateway and the IMSI obtained by decrypting the encrypted information to the portal server for verification; the portal server looks up and compares the received mobile phone number and IMSI against its pre-stored mapping table of mobile phone numbers that have enabled MAC authentication and their IMSIs, obtains a lookup result and sends it to the IDP server; and the IDP server generates the security certificate after the lookup result indicates that the correspondence between the IMSI and the mobile phone number is legitimate, the security certificate carrying the binding information of the MAC address, the IMSI and the mobile phone number;
a fifth sending module 1012, for sending a certificate request message to the IDP server, so that the IDP server sends the security certificate corresponding to the terminal MAC address to the terminal according to the terminal MAC address information carried in the certificate request message.
It should be noted that this terminal is the system corresponding to the above method embodiment; all implementations in the above method embodiment are also applicable to the terminal embodiment and achieve the same technical effect.
The above is only a preferred embodiment of the invention. It should be noted that, for those of ordinary skill in the art, various improvements and modifications may be made without departing from the principle of the invention, and these improvements and modifications should also be considered within the protection scope of the invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410168868.2A CN105007579B (en) | 2014-04-24 | 2014-04-24 | A wireless local area network access authentication method and terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410168868.2A CN105007579B (en) | 2014-04-24 | 2014-04-24 | A wireless local area network access authentication method and terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105007579A CN105007579A (en) | 2015-10-28 |
CN105007579B true CN105007579B (en) | 2019-03-15 |
Family
ID=54380058
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410168868.2A Active CN105007579B (en) | 2014-04-24 | 2014-04-24 | A wireless local area network access authentication method and terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105007579B (en) |
Families Citing this family (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105450637A (en) * | 2015-11-09 | 2016-03-30 | 歌尔声学股份有限公司 | Single sign-on method and device for multiple application systems |
CN105657746B (en) * | 2016-01-05 | 2019-09-13 | 上海斐讯数据通信技术有限公司 | A wireless terminal fast roaming system and method based on AP adjacency |
CN105897724A (en) * | 2016-05-05 | 2016-08-24 | 张胜利 | Method for wireless terminal networking based on fat APs and method for wandering among fat APs |
CN106341413A (en) * | 2016-09-29 | 2017-01-18 | 上海斐讯数据通信技术有限公司 | Portal authentication method and device |
CN107968803B (en) * | 2016-10-20 | 2021-06-15 | 中国电信股份有限公司 | Remote evidence obtaining method and device for mobile terminal, mobile terminal and system |
CN106604276A (en) * | 2016-11-30 | 2017-04-26 | 深圳众思科技有限公司 | Wireless local area network access method and wireless local area network access device |
CN106850401A (en) * | 2017-01-11 | 2017-06-13 | 上海斐讯数据通信技术有限公司 | A kind of wireless authentication device, system and its authentication method |
CN106954213A (en) * | 2017-03-07 | 2017-07-14 | 上海斐讯数据通信技术有限公司 | A kind of system of real name wireless authentication cut-in method and system |
CN107342998A (en) * | 2017-07-04 | 2017-11-10 | 四川云物益邦科技有限公司 | The personal information extracting method realized by movable storage device |
CN107864475B (en) * | 2017-12-20 | 2021-05-28 | 中电福富信息科技有限公司 | WiFi (Wireless Fidelity) shortcut authentication method based on Portal + dynamic password |
CN108337651A (en) * | 2018-03-21 | 2018-07-27 | 中国铁路西安局集团有限公司 | The method, apparatus of mobile terminal and the server communication in LAN |
CN110324287B (en) * | 2018-03-31 | 2020-10-23 | 华为技术有限公司 | Access authentication method, device and server |
CN109347841B (en) * | 2018-10-26 | 2021-08-10 | 深圳市元征科技股份有限公司 | MAC address authentication method, device, terminal, server and storage medium |
CN109617895A (en) * | 2018-12-27 | 2019-04-12 | 东莞见达信息技术有限公司 | Access security control method and system |
CN109818936A (en) * | 2018-12-29 | 2019-05-28 | 北京奇安信科技有限公司 | IP address-based server info processing method and processing device |
CN109561431B (en) * | 2019-01-17 | 2021-07-27 | 西安电子科技大学 | WLAN access control system and method based on multi-password identity authentication |
CN109769249B (en) * | 2019-01-30 | 2022-03-01 | 新华三技术有限公司 | Authentication method, system and device |
JP6833906B2 (en) | 2019-05-28 | 2021-02-24 | Necプラットフォームズ株式会社 | Wireless systems, wireless system control methods and wireless system control programs |
CN110247917B (en) * | 2019-06-20 | 2021-09-10 | 北京百度网讯科技有限公司 | Method and apparatus for authenticating identity |
CN111240867B (en) * | 2020-01-21 | 2023-11-03 | 中移(杭州)信息技术有限公司 | Information communication system and method |
CN111953658A (en) * | 2020-07-20 | 2020-11-17 | 广州灏博信息技术有限公司 | Paperless intelligent conference management system and method |
CN112311766B (en) * | 2020-09-29 | 2022-04-01 | 新华三大数据技术有限公司 | Method and device for acquiring user certificate and terminal equipment |
CN113630405B (en) * | 2021-07-30 | 2023-05-02 | 北京达佳互联信息技术有限公司 | Network access authentication method and device, electronic equipment and storage medium |
CN113612780B (en) * | 2021-08-05 | 2023-04-07 | 中国电信股份有限公司 | Certificate request, generation and access methods, devices, communication equipment and medium |
CN114050901B (en) * | 2021-09-28 | 2023-10-27 | 新华三大数据技术有限公司 | Authentication method and device of terminal, electronic equipment and readable storage medium |
CN115118489B (en) * | 2022-06-24 | 2024-04-30 | 广州根链国际网络研究院有限公司 | User, equipment, IPv6 network address binding network access authentication system and method |
CN115175118B (en) * | 2022-07-05 | 2024-02-13 | 中国联合网络通信集团有限公司 | Communication service complementary system and method based on cooperative WiFi |
CN117062075B (en) * | 2023-08-30 | 2024-12-17 | 中移互联网有限公司 | Private network security authentication method, device and system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1842000A (en) * | 2005-03-29 | 2006-10-04 | 华为技术有限公司 | Method for realizing access authentication of WLAN |
CN103079200A (en) * | 2011-10-26 | 2013-05-01 | 国民技术股份有限公司 | Wireless access authentication method, system and wireless router |
CN103501495A (en) * | 2013-10-16 | 2014-01-08 | 苏州汉明科技有限公司 | Perception-free WLAN (Wireless Local Area Network) authentication method fusing Portal/Web authentication and MAC (Media Access Control) authentication |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101212297B (en) * | 2006-12-28 | 2012-01-25 | 中国移动通信集团公司 | WEB-based WLAN access authentication method and system |
CN103079201B (en) * | 2011-10-26 | 2015-06-03 | 中兴通讯股份有限公司 | Fast authentication method, access controller (AC) and system for wireless local area network |
- 2014-04-24 CN CN201410168868.2A patent/CN105007579B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN105007579A (en) | 2015-10-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105007579B (en) | A wireless local area network access authentication method and terminal | |
US9020467B2 (en) | Method of and system for extending the WISPr authentication procedure | |
US11743728B2 (en) | Cross access login controller | |
US9237142B2 (en) | Client and server group SSO with local openID | |
JP4291213B2 (en) | Authentication method, authentication system, authentication proxy server, network access authentication server, program, and recording medium | |
CN103905401B (en) | A kind of identity identifying method and equipment | |
US20070178885A1 (en) | Two-phase SIM authentication | |
CN105024980B (en) | A kind of online near-field payment system and method based on phone number | |
US20050114680A1 (en) | Method and system for providing SIM-based roaming over existing WLAN public access infrastructure | |
WO2011017924A1 (en) | Method, system, server, and terminal for authentication in wireless local area network | |
DK2924944T3 (en) | Presence authentication | |
CA2656919A1 (en) | Method and system for controlling access to networks | |
WO2006125359A1 (en) | A method for implementing the access domain security of an ip multimedia subsystem | |
CN101867476A (en) | 3G virtual private dialing network user safety authentication method and device thereof | |
WO2009074050A1 (en) | A method, system and apparatus for authenticating an access point device | |
CN104936177B (en) | A kind of access authentication method and access authentication system | |
TW200814703A (en) | Method and system of authenticating the identity of the client | |
JP6155237B2 (en) | Network system and terminal registration method | |
WO2015100874A1 (en) | Home gateway access management method and system | |
CN101621505B (en) | Access authentication method, system and terminal | |
CN109361659B (en) | Authentication method and device | |
CN102905258A (en) | Own business authentication method and system | |
CN104683979B (en) | A kind of authentication method and equipment | |
CN108271152B (en) | WLAN authentication method, authentication platform and portal server | |
WO2013127342A2 (en) | Ims single sign on combined authentication method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||