CN107820246B - User authentication method, device and system - Google Patents
- Publication number: CN107820246B (CN201610827230.4A)
- Authority: CN (China)
- Prior art keywords: authentication, user terminal, portal, portal authentication, information
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
A method, apparatus and system for user authentication that can improve authentication efficiency. The method includes: a first AC receives first information sent by a second AC, where the first information includes an identifier of the second AC and indicates that a first user terminal has roamed to the second AC; the first AC receives a Portal authentication packet for the first user terminal sent by an authentication server; and the first AC sends indication information to the authentication server, where the indication information indicates that the first user terminal has roamed to the second AC.
Description
Technical field
The present invention relates to the field of communications, and in particular to a method, apparatus and system for user authentication.
Background
A wireless local area network (WLAN) generally includes an access controller (AC) and an access point (AP). A user terminal accesses the network through an AP, and the AC centrally controls the APs.
In some high-density scenarios, such as stadiums and exhibition halls that can hold large audiences, many access points are deployed so that a large number of users can access the network over the WLAN, and multiple ACs each control a subset of the access points to guarantee network coverage and communication performance across the whole high-density scenario. A user terminal can roam among the ACs. To ensure that the user terminal's service is not interrupted, its network configuration does not change while it roams among the ACs of the same AC roaming group. This network configuration may include the Internet Protocol (IP) address of the user terminal. For example, FIG. 1 shows a schematic diagram of a scenario of a prior-art user authentication method. As shown in FIG. 1, after the user terminal roams from the first AC to the second AC, it still uses the IP address that the first AC allocated to it.
When the user terminal needs Portal authentication, the authentication server still obtains the IP address that the first AC configured for the user terminal. Based on that IP address, the authentication server determines that the address falls within the management scope of the first AC, so it encapsulates the request into a Portal authentication packet and sends it to the first AC, to which the user terminal belonged before roaming. Because the user terminal has by now roamed to the second AC, the first AC finds no matching information for the user terminal in its local user table entries, and it sends the authentication server a Portal authentication response packet indicating that authentication failed. After receiving the Portal authentication response packet indicating failure, the authentication server sends the Portal authentication packet to all ACs in the AC roaming group to which the first AC belongs. Only when some AC in that roaming group (for example, the second AC) returns a Portal authentication response packet indicating success does the authentication server consider the user terminal authenticated; otherwise it considers the authentication failed and refuses to let the user terminal come online.
In the AC roaming scenario, after the first authentication of the user terminal fails, the authentication server sends Portal authentication packets to all ACs in the AC roaming group. High-density venues usually have many users and many devices in an AC roaming group. In this case the number of Portal authentication packets that the authentication server and the AC devices must process becomes very large, which may overwhelm the authentication server and cause authentication packets to be lost. The large volume of Portal authentication packets also consumes considerable network bandwidth and degrades the performance of the whole network.
Summary of the invention
The present application provides a method, apparatus and system for user authentication that can improve authentication efficiency.
In a first aspect, a method for user authentication is provided, including: a first access controller (AC) receives first information sent by a second AC, where the first information includes an identifier of the second AC and indicates that a first user terminal has roamed to the second AC; the first AC receives a Portal authentication packet for the first user terminal sent by an authentication server; and the first AC sends indication information to the authentication server, where the indication information indicates that the first user terminal has roamed to the second AC.
In this way, the first AC can obtain from other ACs information indicating the AC to which the user terminal currently belongs. When the authentication server sends the first AC a Portal authentication packet for the user terminal, the first AC indicates to the authentication server the second AC to which the user terminal currently belongs, so that the authentication server can resend the Portal authentication packet to the second AC. The authentication server therefore only needs to resend the Portal authentication packet to the second AC, which saves signaling overhead and improves authentication performance.
In a possible implementation, the indication information is carried in a Portal authentication response packet. The Portal authentication response packet includes authentication failure type information, which indicates that the authentication failure type for the Portal authentication packet of the first user terminal is authentication failure caused by user terminal roaming.
By carrying the indication information in the Portal authentication response packet, the first AC indicates to the authentication server the second AC to which the first user terminal currently belongs, so that the authentication server resends the Portal authentication packet only to the second AC instead of sending Portal authentication packets to all ACs in the roaming group, which saves signaling overhead and improves authentication performance.
In a possible implementation, the identifier of the second AC includes the IP address of the second AC or the Media Access Control (MAC) address of the second AC, or includes both the IP address and the MAC address of the second AC.
In a possible implementation, the method further includes: the first AC sends second information to ACs other than the first AC, where the second information includes an identifier of the first AC and indicates that a second user terminal has currently roamed to the first AC.
In a second aspect, a method for user authentication is provided, including: an authentication server receives an authentication request from a user terminal, where the authentication request includes an identifier of the user terminal; the authentication server sends a first Portal authentication packet to a first AC according to the authentication request; the authentication server receives indication information from the first AC, where the indication information indicates that the user terminal has currently roamed to a second AC; and the authentication server sends a second Portal authentication packet to the second AC according to the indication information.
In the above authentication method, after sending the first Portal authentication packet to the first AC, the authentication server can receive indication information from the first AC and use it to determine the second AC to which the user terminal currently belongs, so that it can resend the Portal authentication packet to the second AC. After the first Portal authentication fails, the authentication server therefore only needs to resend the Portal authentication packet to the second AC, which saves signaling overhead and improves authentication performance.
In a possible implementation, the indication information is carried in a Portal authentication response packet. The Portal authentication response packet includes authentication failure type information, which indicates that the authentication failure type for the Portal authentication packet of the first user terminal is authentication failure caused by user terminal roaming.
By carrying the indication information in the Portal authentication response packet, the first AC indicates to the authentication server the second AC to which the first user terminal currently belongs, so that the authentication server resends the Portal authentication packet only to the second AC instead of sending Portal authentication packets to all ACs in the roaming group, which saves signaling overhead and improves authentication performance.
In a possible implementation, the indication information includes the identifier of the second AC; the identifier of the second AC may be the IP address of the second AC, the MAC address of the second AC, or the IP address and MAC address of the second AC.
In a possible implementation, the identifier of the user terminal includes the IP address of the user terminal.
In a third aspect, an apparatus is provided that includes modules for performing the method of the first aspect. Based on the same inventive concept, because the principle by which the apparatus solves the problem corresponds to the solution in the method design of the first aspect, the implementation of the apparatus can refer to the implementation of the method, and repeated details are not described again.
In a fourth aspect, an apparatus is provided that includes modules for performing the method of the second aspect. Based on the same inventive concept, because the principle by which the apparatus solves the problem corresponds to the solution in the method design of the second aspect, the implementation of the apparatus can refer to the implementation of the method, and repeated details are not described again.
In a fifth aspect, a communication system is provided that includes the apparatus of the third aspect and the apparatus of the fourth aspect.
In a sixth aspect, an apparatus is provided, including: a memory for storing a program; a transceiver for communicating with other devices; and a processor for executing the program in the memory, where, when the program is executed, the processor is configured to perform the method of the first aspect.
In a seventh aspect, an apparatus is provided, including: a memory for storing a program; a transceiver for communicating with other devices; and a processor for executing the program in the memory, where, when the program is executed, the processor is configured to perform the method of the second aspect.
In an eighth aspect, a communication system is provided that includes the apparatus of the sixth aspect and the apparatus of the seventh aspect.
In a ninth aspect, a computer storage medium is provided for storing a computer program, where the computer program includes instructions for performing the method of the first aspect or of any possible implementation of the first aspect.
In a tenth aspect, a computer storage medium is provided for storing a computer program, where the computer program includes instructions for performing the method of the second aspect or of any possible implementation of the second aspect.
Description of drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings needed in the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic block diagram of a method for user authentication according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of an application scenario of a method for user authentication provided by an embodiment of the present invention.
FIG. 3 is a flowchart of another method for user authentication provided by an embodiment of the present invention.
FIG. 4 is a flowchart of a method for user authentication provided by an embodiment of the present invention.
FIG. 5 is a schematic block diagram of a method for user authentication provided by an embodiment of the present invention.
FIG. 6 is a schematic diagram of the format of a Portal packet provided by an embodiment of the present invention.
FIG. 7 is a schematic structural diagram of an apparatus for user authentication provided by an embodiment of the present invention.
FIG. 8 is a schematic structural diagram of another apparatus for user authentication provided by an embodiment of the present invention.
FIG. 9 is a schematic structural diagram of an apparatus for user authentication provided by an embodiment of the present invention.
FIG. 10 is a schematic structural diagram of another apparatus for user authentication provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The user terminal may be a mobile phone that supports WLAN technology, a laptop computer, a vehicle-mounted mobile device, or the like.
FIG. 2 is a schematic diagram of an application scenario of the user authentication method according to an embodiment of the present invention. As shown in FIG. 2, in a high-density scenario an AC roaming group includes multiple ACs, and each AC may need to manage many APs. The ACs in the AC roaming group can transmit data to one another over a communication link, which may be a tunnel. A user terminal accesses the network through an AP, and it need not change its network configuration information while roaming within the same AC roaming group. That is, the user terminal can keep using the network configuration information allocated to it by the AC in the roaming group to which it first connected. The network configuration information may include the IP address of the user terminal, the access control list (ACL) of the user terminal, the virtual local area network (VLAN) in which the user terminal is located, and so on. For example, the IP address of the user terminal during roaming in FIG. 2 may be the IP address that the first AC configured for the user terminal when the user terminal initially accessed the first AC in the AC roaming group.
FIG. 3 is a schematic block diagram of a user authentication method 300 according to an embodiment of the present invention. As shown in FIG. 3, the method 300 includes:
S301: A first AC receives first information sent by a second AC, where the first information includes an identifier of the second AC and indicates that a first user terminal has roamed to the second AC.
The first AC and the second AC may be ACs that belong to the same AC roaming group. The AC roaming group may include multiple ACs. Communication links exist between the ACs in the AC roaming group, and the ACs can synchronize data and forward packets over these links.
Optionally, the first AC may be the AC to which the first user terminal belonged before roaming. Optionally, the current network configuration of the user terminal may have been configured for the user terminal by the first AC.
Optionally, when the first user terminal roams to a new AC in the AC roaming group, the new AC may indicate to the other ACs in the roaming group the AC to which the first user terminal has currently roamed. For example, when the first user terminal roams to the second AC, the second AC may send first information to each AC in the AC roaming group, where the first information indicates that the first user terminal has currently roamed to the second AC. The second AC may be any AC in the roaming group. Alternatively, the second AC parses the IP address of the first user terminal and determines that the IP address is managed by the first AC. The second AC may then send the first information only to the first AC, to save signaling overhead. After receiving the first information, the other ACs in the roaming group may save or update it locally. In other words, the first AC may store the mapping between the first user terminal and the second AC to which the first user terminal has currently roamed.
The ACs in a roaming group can synchronize information over the communication links between them. The synchronized information may include the network configuration information of the user terminals managed by each AC. For example, the ACs can synchronize the IP addresses, ACL information and VLAN information of user terminals. Optionally, the ACs in the AC roaming group may also synchronize the mapping between a user terminal and the second AC to which the user terminal currently belongs.
Optionally, the identifier of the second AC may include at least one of the following: the IP address of the second AC and the MAC address of the second AC.
Optionally, the AC in this embodiment of the present invention may be a wireless access controller. Optionally, the first user terminal roaming to the first AC may mean that the first user terminal roams into the coverage of an AP managed by the first AC. In other words, the AP to which the first user terminal is currently connected is an AP managed by the first AC.
S302: The first AC receives a Portal authentication packet for the first user terminal sent by an authentication server.
Optionally, the authentication server may be used to control access rights. For example, the authentication server may verify the user's account and password while the user terminal is accessing the network.
Optionally, before the authentication server sends the Portal authentication packet for the first user terminal, the first user terminal may send a Portal authentication request to the authentication server. The Portal authentication request may be used to request that the authentication server authenticate the access rights of the first user terminal.
Optionally, the authentication server may send a Portal authentication packet to the first AC according to the Portal authentication request. A person skilled in the art will understand that the network configuration of the first user terminal is not changed by roaming, that is, it is still the network configuration from before roaming (the network configuration configured by the first AC). After analyzing the network configuration information of the first user terminal, the authentication server therefore determines that the first user terminal is managed by the first AC, and it sends the Portal authentication packet to the first AC according to the Portal authentication request. As an example, the Portal authentication request that the first user terminal sends to the authentication server may contain the IP address of the first user terminal, and the first AC determines from the IP address of the first user terminal that the first user terminal is managed by the first AC. Alternatively, before the first user terminal sends the Portal authentication request to the authentication server, the first user terminal needs to establish a Hypertext Transfer Protocol (HTTP) connection with the authentication server.
Because the IP address that the first user terminal uses when establishing the HTTP connection is an IP address managed by the first AC, the first AC can also obtain the IP address of the first user terminal by querying the HTTP connection and thereby determine that the first user terminal is managed by the first AC. The authentication server therefore sends the Portal authentication packet for the first user terminal to the first AC.
S303: The first AC sends indication information to the authentication server, where the indication information indicates that the first user terminal has roamed to the second AC.
Optionally, after receiving the Portal authentication packet for the first user terminal, the first AC may look up the status of the first user terminal locally. Because the first AC can locally store the mapping between the first user terminal and the second AC according to the first information, it can determine from that mapping, or from the first information, that the first user terminal currently falls within the management scope of the second AC. The first AC can therefore send the indication information to the authentication server, so that the authentication server resends the Portal authentication packet to the second AC according to the indication information.
In this embodiment of the present invention, the first AC can obtain from other ACs information indicating the AC to which the user terminal currently belongs. When the authentication server sends the first AC a Portal authentication packet for the user terminal, the first AC indicates to the authentication server the second AC to which the user terminal currently belongs, so that the authentication server can resend the Portal authentication packet to the second AC. The authentication server therefore only needs to resend the Portal authentication packet to the second AC, which saves signaling overhead and improves authentication performance.
Optionally, in method 300, the indication information may be carried in a Portal authentication response packet. The Portal authentication response packet includes authentication failure type information, which indicates that the authentication failure type of the Portal authentication packet of the first user terminal is authentication failure caused by user terminal roaming.
For example, after receiving the Portal authentication packet of the first user terminal, the first user terminal may query the state of the first user terminal in the local user table. Because the first user terminal has already roamed to the second AC, the first AC finds no matching entry for the first user terminal in the user table. The first AC can therefore send a Portal authentication response packet to the authentication server and carry the indication information in that packet. The Portal authentication response packet may also carry authentication failure type information, indicating that the failure type is authentication failure caused by user terminal roaming.
In this embodiment of the present invention, the first AC carries the indication information in the Portal authentication failure packet to indicate to the authentication server the second AC to which the first user terminal currently belongs, so that the authentication server re-sends the Portal authentication packet only to the second AC rather than to all ACs in the roaming group, which saves signaling overhead and improves authentication performance.
Optionally, in method 300, the indication information includes at least one of the following: the IP address of the second AC and the MAC address of the second AC.
For example, in a scenario where the first user terminal is not authenticated, after the first user terminal roams from the first AC to the second AC, the second AC notifies the first AC over the inter-AC communication link that the first user terminal has connected to the second AC, and reports the IP address or MAC address of the second AC to the first AC. The first AC needs to maintain the mapping between the first user terminal and the second AC so that, after roaming authentication of the first user terminal fails, it can use the indication information to tell the authentication server the IP address or MAC address of the second AC to which the first user terminal has actually roamed, allowing the authentication server to re-send the Portal authentication packet to the second AC.
Optionally, method 300 further includes: the first AC sends second information to ACs other than the first AC, where the second information includes the identifier of the first AC and indicates that a second user terminal has currently roamed to the first AC.
The other ACs may be ACs in the same AC roaming group as the first AC. When the second user terminal roams into the management scope of the first AC, the first AC may send the second information over the communication link to the other ACs in the same AC roaming group to indicate that the second user terminal has currently roamed to the first AC, so that the other ACs in the roaming group can synchronize information. For example, the other ACs may store the mapping between the second user terminal and the first AC.
Optionally, FIG. 4 shows a schematic block diagram of a user authentication method 400 according to an embodiment of the present invention. Method 400 may be performed by an authentication server. For content of the method shown in FIG. 4 that is the same as or similar to FIG. 3, refer to the description related to FIG. 2; details are not repeated here. Method 400 includes:
S401: The authentication server receives an authentication request from a user terminal, where the authentication request includes an identifier of the user terminal.
Optionally, the identifier of the user terminal includes the IP address of the user terminal. The IP address of the user terminal may be allocated to the user terminal by the first AC.
S402: The authentication server sends a first Portal authentication packet to the first AC according to the authentication request.
Optionally, the first AC may be the AC to which the user terminal belonged before roaming.
Optionally, the authentication server determines, by analyzing the authentication request, that the AC corresponding to the user terminal is the first AC. The authentication server may also determine the first AC according to the network configuration information of the user terminal. As an example, the Portal authentication request that the first user terminal sends to the authentication server may contain the IP address of the first user terminal, and the first AC determines, according to the IP address of the first user terminal, that the first user terminal is managed by the first AC. Alternatively, before the first user terminal sends the Portal authentication request to the authentication server, the first user terminal needs to establish an HTTP connection with the authentication server. Because the IP address the first user terminal uses when establishing the HTTP connection is an IP address managed by the first AC, the first AC can also obtain the IP address of the first user terminal by querying the HTTP connection and thereby determine that the first user terminal is managed by the first AC. The authentication server therefore sends the Portal authentication packet of the first user terminal to the first AC.
S403: The authentication server receives indication information from the first AC, where the indication information indicates that the user terminal has currently roamed to the second AC.
Optionally, the indication information may be carried in a Portal authentication response packet, which is sent in response to the first Portal authentication packet. The Portal authentication response packet includes authentication failure type information, which indicates that the authentication failure type of the Portal authentication packet of the first user terminal is authentication failure caused by user terminal roaming.
Optionally, the indication information may include at least one of the following: the IP address of the second AC and the MAC address of the second AC.
S404: The authentication server sends a second Portal authentication packet to the second AC according to the indication information.
Optionally, the authentication server may determine the IP address and/or MAC address of the second AC according to the indication information, and send the second Portal authentication packet to the second AC.
In this embodiment of the present invention, after sending the first Portal authentication packet to the first AC, the authentication server can receive indication information from the first AC and use it to determine the second AC to which the user terminal currently belongs, so that it can re-send the Portal authentication packet to the second AC. After the first Portal authentication fails, the authentication server therefore only needs to re-send the Portal authentication packet to the second AC, which saves signaling overhead and improves authentication performance.
The embodiments of the present invention are described in more detail below with reference to a specific example. Note that the example in FIG. 5 is intended only to help a person skilled in the art understand the embodiments of the present invention, not to limit them to the specific values or scenarios illustrated. A person skilled in the art can obviously make various equivalent modifications or changes based on the example in FIG. 5, and such modifications or changes also fall within the scope of the embodiments of the present invention. As shown in FIG. 5, AP1 is managed by the first AC and AP2 is managed by the second AC. The user authentication method 500 shown in FIG. 5 includes:
S501: After roaming from the area covered by AP1 to the area covered by AP2 (the IP address of the user terminal does not change when it roams between ACs), the user terminal initiates a Portal authentication request to the authentication server.
Optionally, after the user terminal roams into the coverage area of AP2, the second AC may send first information to the first AC over the inter-AC communication link to indicate that the user terminal has currently roamed into the coverage of the second AC. The first information may include the IP address and MAC address of the second AC.
S502: After receiving the Portal authentication request from the user terminal, the authentication server encapsulates the Portal authentication request into a first Portal authentication packet and sends it to the first AC.
For example, the Portal authentication request may include a user name and a password. After receiving the Portal authentication request and verifying the user name and password, the authentication server encapsulates the Portal authentication request into a Portal authentication packet and sends it to the first AC.
S503: The first AC finds, by a local query, that the user terminal has roamed to the second AC, and sends a Portal authentication failure packet to the authentication server.
Optionally, the packet may contain a roaming authentication error code and the IP address and/or MAC address of the second AC. The roaming authentication error code indicates that Portal authentication failed because of roaming.
S504: After receiving the Portal authentication failure packet, the authentication server determines that the AC to which the user terminal has currently roamed is the second AC, and re-initiates a second Portal authentication request to the second AC.
S505: After receiving the second Portal authentication request, the second AC sends an authentication success packet to the authentication server, and the user terminal goes online successfully on the second AC.
In this embodiment of the present invention, for the problem of Portal authentication failing because an unauthenticated user terminal roams, only one re-authentication is needed to find the AC to which the user terminal actually belongs after roaming. This reduces the burden on the authentication server, devices and bandwidth, and improves the authentication performance of the authentication server in roaming scenarios.
Optionally, in the methods described in FIG. 3 to FIG. 5, after roaming authentication fails, the first AC may carry the IP address and MAC address of the AC to which the user terminal currently actually belongs in the authentication failure packet and return it to the authentication server.
A Portal packet consists of packet fields and attribute fields. FIG. 6 shows a schematic diagram of the format of a Portal packet according to an embodiment of the present invention. As shown in FIG. 6, the packet fields may include: version number (Ver), packet type (Type), authentication mode (AuthType), reserved field (Rsvd), packet serial number (SerialNo), packet ID (RequestID), the user's IP address (UserIP) and port number (UserPort), error type (ErrorCode) and number of attributes (AttrNum). The attribute field (Attribute Data) includes: attribute type (AttrType), attribute length (AttrLen) and attribute value (Data). Attribute fields describe user information such as the user name and password, and one packet can contain multiple attribute fields. The packet type indicates the type of the Portal packet; for example, packet types may include the Portal authentication request packet and the Portal authentication response packet.
In this embodiment of the present invention, a roaming authentication error code, for example 99, may be carried in the ErrorCode field of the Portal packet to identify that the type (cause) of the authentication failure is roaming authentication failure. In addition, a type-length-value (TLV) may be added to the Attribute Data field to carry the IP address and/or MAC address of the second AC to which the user terminal has currently roamed. New attribute numbers (Attribute) may be added to identify the IP address and MAC address of the AC to which the user terminal has currently roamed; as an example, the attribute number for the IP address may be 0xE1 and the attribute number for the MAC address may be 0xE2.
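The failure response described above and the server-side handling of S503 and S504, as an added Python example that is not part of the patent text: it builds a Portal authentication failure packet with ErrorCode 99 and the 0xE1/0xE2 attributes, parses it with strict length checks, and returns the second AC to retry. The field widths, the Type value, the AttrLen convention and the check that the indicated AC is a configured roaming-group member are assumptions; the description gives only the field names and the example values 99, 0xE1 and 0xE2.

```python
import ipaddress
import struct

# Header fields in the order the description lists them. The widths are
# assumptions (16 bytes in total); the description names the fields only.
# Ver Type AuthType Rsvd SerialNo RequestID UserIP UserPort ErrorCode AttrNum
HEADER = struct.Struct("!BBBBHH4sHBB")

TYPE_AUTH_RESPONSE = 0x04  # assumed value for "Portal authentication response"
ERR_ROAMING = 99           # example roaming error code from the description
ATTR_AC_IP = 0xE1          # example attribute number: IP of the AC roamed to
ATTR_AC_MAC = 0xE2         # example attribute number: MAC of the AC roamed to


class PortalError(ValueError):
    """Malformed packet, or a redirect hint that fails validation."""


def build_roaming_failure(serial_no, request_id, user_ip, ac_ip, ac_mac):
    """First AC side: failure response naming the AC the terminal roamed to."""
    attrs = [
        (ATTR_AC_IP, ipaddress.IPv4Address(ac_ip).packed),
        (ATTR_AC_MAC, bytes.fromhex(ac_mac.replace(":", ""))),
    ]
    # Assumed TLV convention: AttrLen also counts the type and length bytes.
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = HEADER.pack(1, TYPE_AUTH_RESPONSE, 0, 0, serial_no, request_id,
                         ipaddress.IPv4Address(user_ip).packed, 0,
                         ERR_ROAMING, len(attrs))
    return header + body


def parse_portal(packet):
    """Parse header and TLVs, rejecting any length that leaves the buffer."""
    if len(packet) < HEADER.size:
        raise PortalError("packet shorter than header")
    (_ver, ptype, _auth, _rsvd, serial_no, request_id,
     user_ip, _port, error_code, attr_num) = HEADER.unpack_from(packet)
    attrs, offset = {}, HEADER.size
    for _ in range(attr_num):
        if offset + 2 > len(packet):
            raise PortalError("attribute header truncated")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise PortalError("attribute length out of bounds")
        if attr_type in attrs:
            raise PortalError("duplicate attribute")
        attrs[attr_type] = packet[offset + 2:offset + attr_len]
        offset += attr_len
    if offset != len(packet):
        raise PortalError("trailing bytes after last attribute")
    return {"type": ptype, "serial_no": serial_no, "request_id": request_id,
            "user_ip": str(ipaddress.IPv4Address(user_ip)),
            "error_code": error_code, "attrs": attrs}


def second_ac_for_retry(packet, expected_serial, roaming_group):
    """Authentication server side (S504): choose the AC for the second packet.

    roaming_group maps each configured AC IP to its MAC address (assumed
    server configuration). Returns None for a non-roaming failure.
    """
    msg = parse_portal(packet)
    if msg["type"] != TYPE_AUTH_RESPONSE or msg["serial_no"] != expected_serial:
        raise PortalError("response does not match the outstanding request")
    if msg["error_code"] != ERR_ROAMING:
        return None
    raw_ip = msg["attrs"].get(ATTR_AC_IP)
    raw_mac = msg["attrs"].get(ATTR_AC_MAC)
    if raw_ip is not None and len(raw_ip) != 4:
        raise PortalError("AC IP attribute must be 4 bytes")
    if raw_mac is not None and len(raw_mac) != 6:
        raise PortalError("AC MAC attribute must be 6 bytes")
    mac = ":".join(f"{b:02x}" for b in raw_mac) if raw_mac else None
    if raw_ip is not None:
        ac_ip = str(ipaddress.IPv4Address(raw_ip))
    else:  # MAC-only hint: resolve it through the configured group
        ac_ip = next((ip for ip, m in roaming_group.items() if m == mac), None)
    # The second packet carries the user's Portal request, so it is sent only
    # to an AC the server already knows as a roaming-group member.
    if ac_ip not in roaming_group or (mac and roaming_group[ac_ip] != mac):
        raise PortalError("indicated AC is not a known roaming-group member")
    return ac_ip


# Constructed sample values (documentation address ranges), not from the page.
GROUP = {"192.0.2.1": "00:00:5e:00:53:01", "192.0.2.2": "00:00:5e:00:53:02"}
SAMPLE = build_roaming_failure(7, 0, "198.51.100.23",
                               "192.0.2.2", "00:00:5e:00:53:02")

if __name__ == "__main__":
    print(second_ac_for_retry(SAMPLE, 7, GROUP))
```
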
The user authentication method of the embodiments of the present invention is described above with reference to FIG. 1 to FIG. 6. The apparatus of the embodiments of the present invention is described in detail below with reference to FIG. 7 to FIG. 10.
FIG. 7 shows a schematic block diagram of a user authentication apparatus 700 according to an embodiment of the present invention. The apparatus 700 may be an AC, or it may be a physical module with AC functionality. The apparatus 700 can perform the steps performed by the first AC in the methods of FIG. 1 to FIG. 6. In this embodiment of the present invention, the apparatus 700 may be referred to as the first AC. The apparatus 700 includes:
a receiving module 710, configured to receive first information sent by a second AC, where the first information includes an identifier of the second AC and indicates that a first user terminal has roamed to the second AC;
the receiving module 710 further receives a Portal authentication packet for the first user terminal sent by an authentication server;
a sending module 720, configured to send indication information to the authentication server, where the indication information indicates that the first user terminal has roamed to the second AC.
In this embodiment of the present invention, the first AC can obtain, from other ACs, information indicating the AC to which a user terminal currently belongs. When the authentication server sends the Portal authentication packet of the user terminal to the first AC, the first AC indicates to the authentication server the second AC to which the user terminal currently belongs, so that the authentication server re-sends the Portal authentication packet to the second AC. The authentication server therefore only needs to re-send the Portal authentication packet to the second AC, which saves signaling overhead and improves authentication performance.
FIG. 8 shows a schematic block diagram of an apparatus 800 according to an embodiment of the present invention. The apparatus 800 may be an authentication server, or it may be a physical module with authentication server functionality. The apparatus 800 can perform the steps performed by the authentication server in the methods of FIG. 1 to FIG. 6. In this embodiment of the present invention, the apparatus 800 may be referred to as the authentication server. The apparatus 800 includes:
a receiving module 810, configured to receive an authentication request from a user equipment user terminal, where the authentication request includes an identifier of the user terminal;
a sending module 820, configured to send a first Portal authentication packet to a first access controller (AC) according to the authentication request;
the receiving module 810 is further configured to receive indication information from the first AC, where the indication information indicates that the user terminal has currently roamed to a second AC;
the sending module 820 is further configured to send a second Portal authentication packet to the second AC according to the indication information.
In this embodiment of the present invention, after sending the first Portal authentication packet to the first AC, the authentication server can receive indication information from the first AC and use it to determine the second AC to which the user terminal currently belongs, so that it can re-send the Portal authentication packet to the second AC. After the first Portal authentication fails, the authentication server therefore only needs to re-send the Portal authentication packet to the second AC, which saves signaling overhead and improves authentication performance.
FIG. 9 shows a schematic block diagram of an apparatus 900 according to an embodiment of the present invention. The apparatus 900 may be an AC, or it may be a physical module with AC functionality. The apparatus 900 can perform the steps performed by the first AC in the methods of FIG. 1 to FIG. 6. In this embodiment of the present invention, the apparatus 900 may be referred to as the first AC. The apparatus 900 includes:
a memory 910, configured to store a program;
a transceiver 920, configured to communicate with other devices;
a processor 930, configured to execute the program in the memory 910. When the program is executed, the processor 930 is configured to receive first information sent by a second AC, where the first information includes an identifier of the second AC and indicates that a first user terminal has roamed to the second AC; to receive, through the transceiver 920, a Portal authentication packet for the first user terminal sent by an authentication server; and to send, through the transceiver 920, indication information to the authentication server, where the indication information indicates that the first user terminal has roamed to the second AC.
In this embodiment of the present invention, the first AC can obtain, from other ACs, information indicating the AC to which a user terminal currently belongs. When the authentication server sends the Portal authentication packet of the user terminal to the first AC, the first AC indicates to the authentication server the second AC to which the user terminal currently belongs, so that the authentication server re-sends the Portal authentication packet to the second AC. The authentication server therefore only needs to re-send the Portal authentication packet to the second AC, which saves signaling overhead and improves authentication performance.
FIG. 10 shows a schematic block diagram of an apparatus 1000 according to an embodiment of the present invention. The apparatus 1000 may be an authentication server, or it may be a physical module with authentication server functionality. The apparatus 1000 can perform the steps performed by the authentication server in the methods of FIG. 1 to FIG. 6. In this embodiment of the present invention, the apparatus 1000 may be referred to as the authentication server. The apparatus 1000 includes:
a memory 1010, configured to store a program;
a transceiver 1020, configured to communicate with other devices;
a processor 1030, configured to execute the program in the memory 1010. When the program is executed, the processor 1030 is configured to receive, through the transceiver 1020, an authentication request from a user equipment user terminal, where the authentication request includes an identifier of the user terminal; to send, through the transceiver 1020, a first Portal authentication packet to a first access controller (AC) according to the authentication request; to receive, through the transceiver 1020, indication information from the first AC, where the indication information indicates that the user terminal has currently roamed to a second AC; and to send, through the transceiver 1020, a second Portal authentication packet to the second AC according to the indication information.
In this embodiment of the present invention, after sending the first Portal authentication packet to the first AC, the authentication server can receive indication information from the first AC and use it to determine the second AC to which the user terminal currently belongs, so that it can re-send the Portal authentication packet to the second AC. After the first Portal authentication fails, the authentication server therefore only needs to re-send the Portal authentication packet to the second AC, which saves signaling overhead and improves authentication performance.
In addition, the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the foregoing processes do not imply an order of execution. The execution order of the processes should be determined by their functions and internal logic, and the sequence numbers should not constitute any limitation on the implementation of the embodiments of the present invention.
It can be understood that the processor in the embodiments of the present invention may be an integrated circuit chip with signal processing capability. In implementation, the steps of the foregoing method embodiments may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component, and can implement or perform the methods, steps and logical block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed with reference to the embodiments of the present invention may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the foregoing methods in combination with its hardware.
It can be understood that the memory in the embodiments of the present invention may be a volatile memory or a non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM) or a flash memory. The volatile memory may be a random access memory (Random Access Memory, RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (Synchlink DRAM, SLDRAM) and direct Rambus random access memory (Direct Rambus RAM, DR RAM). Note that the memory of the systems and methods described herein is intended to include, but is not limited to, these and any other suitable types of memory.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments; details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. The division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disc.
The foregoing is merely specific implementations of the present invention, but the protection scope of the present invention is not limited thereto. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. The protection scope of the present invention shall therefore be subject to the protection scope of the claims.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610827230.4A CN107820246B (en) | 2016-09-14 | 2016-09-14 | User authentication method, device and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610827230.4A CN107820246B (en) | 2016-09-14 | 2016-09-14 | User authentication method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107820246A CN107820246A (en) | 2018-03-20 |
CN107820246B CN107820246B (en) | 2020-07-21 |
Family
ID=61601117
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610827230.4A Active CN107820246B (en) | 2016-09-14 | 2016-09-14 | User authentication method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107820246B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109067788B (en) * | 2018-09-21 | 2020-06-09 | 新华三技术有限公司 | Access authentication method and device |
CN109661015B (en) * | 2018-12-10 | 2021-01-19 | 杭州全维技术股份有限公司 | Method for realizing data sharing of wireless controllers of different manufacturers |
CN110493783A (en) * | 2019-08-28 | 2019-11-22 | 上海连尚网络科技有限公司 | Wireless network connecting method, device, electronic equipment and medium |
CN111698747B (en) * | 2020-04-30 | 2023-10-20 | 新华三技术有限公司 | Roaming method and device |
CN114513784B (en) * | 2022-02-10 | 2023-10-31 | 新华三技术有限公司 | Terminal authentication method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1964576A (en) * | 2006-12-11 | 2007-05-16 | 杭州华为三康技术有限公司 | A method for wireless access and access controller |
CN101945388A (en) * | 2010-10-14 | 2011-01-12 | 杭州华三通信技术有限公司 | Wireless roaming authentication method, wireless roaming method and device thereof |
CN102014391A (en) * | 2010-11-29 | 2011-04-13 | 北京星网锐捷网络技术有限公司 | Wireless network safety access method, system and wireless controller |
CN102075904A (en) * | 2010-12-24 | 2011-05-25 | 杭州华三通信技术有限公司 | Method and device for preventing re-authentication of roaming user |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5616917B2 (en) * | 2012-03-14 | 2014-10-29 | 富士フイルム株式会社 | Operation management system, control system, and operation control method thereof |
- 2016-09-14: CN application CN201610827230.4A, patent CN107820246B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN107820246A (en) | 2018-03-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11812496B2 (en) | User group session management method and apparatus | |
KR102478442B1 (en) | Method for setting pdu type, method for setting ue policy, and related entities | |
US9769732B2 (en) | Wireless network connection establishment method and terminal device | |
CN107820246B (en) | User authentication method, device and system | |
US20220240131A1 (en) | Data transmission method, communications device, and communications system | |
CN108574969A (en) | Connection processing method in multiple access scene and device | |
WO2019011203A1 (en) | Device access method, device and system | |
WO2017097023A1 (en) | Perception-free authentication method and system, and control method and system based on method | |
US8031872B2 (en) | Pre-expiration purging of authentication key contexts | |
US9025448B2 (en) | Methods and apparatuses for accessing internet | |
WO2019144719A1 (en) | Remote terminal device dynamic access method and apparatus | |
WO2016192572A1 (en) | Method, device and system for improving concurrent processing ability of wireless local area network | |
CN108738019A (en) | User authen method in converged network and device | |
US20160308824A1 (en) | Method for determining gre tunnel, gateway device, and access site | |
US9356908B2 (en) | Method and system for causing a client device to renew a dynamic IP address | |
WO2022237693A1 (en) | Method for authenticating nswo service, and device and storage medium | |
US8990916B2 (en) | System and method for supporting web authentication | |
EP2945345B1 (en) | Method and apparatus for configuring packet forwarding manner | |
EP3300405A1 (en) | Equipment identifier checking method, system, equipment and storage medium | |
KR102055911B1 (en) | Signaling method for session connection, and apparatus implementing the same method | |
WO2018170703A1 (en) | Connection establishment method and device | |
CN110351721A (en) | Access method and device, the storage medium, electronic device of network slice | |
CN111586691A (en) | Method and device for configuring wireless connection and wireless connectable equipment | |
KR102104844B1 (en) | Data transmission method, first device and second device | |
CN103973570B (en) | A kind of method of message transmissions, AP and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||