CN1152333C - Method for realizing portal authentication based on protocols of authentication, charging and authorization - Google Patents

Info

Publication number: CN1152333C
Authority: CN (China)
Prior art keywords: authentication, server, portal, charging, network access
Legal status: Expired - Fee Related
Application number: CNB021253420A
Other languages: Chinese (zh)
Other versions: CN1416072A (en)
Inventors: 陈国强, 万斌, 胡越明, 宋强
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB021253420A
Publication of CN1416072A
Application granted
Publication of CN1152333C
Anticipated expiration

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method for portal authentication based on authentication, accounting and authorization (AAA) protocols. First, the user browses, via the network access IP address, to the portal website of the access provider and obtains the authentication web page; the user enters security information into that page and sends it to the portal server. On receiving the information, the portal server assembles it into an authentication request packet according to the RADIUS protocol and sends it to the NAS; the NAS, acting as a proxy, forwards the authentication request packet to the RADIUS server, which returns the authentication result. If the result is success, the NAS authorizes the user's access and at the same time sends an authentication response to the portal server, which notifies the client of the result through the authentication web page. The scheme effectively solves the problem of authenticating network access by user-level nodes in a local area network.

Description

Portal authentication method based on authentication, accounting and authorization protocols

Technical field

The invention relates to an access method for a network system, and in particular to an authentication and accounting method for network access based on authentication, accounting and authorization protocols.

Background art

In the development of local area networks, the switched LAN (LAN switch) solved the network performance problem well, and the virtual LAN (VLAN) effectively solved the network security problem. Combining the two into a switched virtual LAN solves both problems and makes the LAN manageable. One basic characteristic of the LAN has not changed, however: there is only link establishment and management, with no access authentication or authorization. Yet access authentication and accounting are basic features of an operable network, and a network that cannot effectively authenticate the nodes connecting to it is hard for a network operator (ISP) to adopt. Therefore, when a LAN is used to build a broadband network, the authentication and accounting problem must be solved. Two kinds of access management are currently in common use in LAN environments (see Figure 1).

1. In a network built with VLAN technology, users can be identified by the VLAN identifier (VLAN ID), so if there is only one terminal node under each VLAN, the VLAN ID can be used to control whether a user is allowed to access. This method maps links and users one to one.

2. Applying the point-to-point protocol (PPP) over Ethernet (PPPoE) solves the authentication and accounting problem of the LAN: PPP is used to establish a point-to-point logical link over the Ethernet and to authenticate the user.

Usually the access-layer devices, together with an AAA (Authentication, Accounting, Authorization) server based on the RADIUS (Remote Authentication Dial In User Service) protocol, provide Internet access users with a rich set of services, as shown in Figure 1. The access-layer devices mainly provide users with the physical path into the network and the various services; the main tasks of the AAA server are authenticating the user's identity, formulating service policies, and managing services and users. For example, the access device is able to allocate a certain bandwidth to a user, while the AAA server defines different bandwidth policies for different users; the access device executes the AAA server's decision, so that different users receive different bandwidths.

The existing RADIUS-based authentication, authorization and accounting method is as follows. When a user goes online, client software on the computer (PPP dial-up, for example) sends the user name, password and other information to the access device. From this information the access device generates a RADIUS packet of type Access-Request, containing attributes such as the user name, the password and the physical location of the access, and sends it to the AAA server over the UDP/IP network. On receiving the Access-Request, the AAA server produces an authentication result from its database records and its decision policy: if authentication fails it returns an Access-Reject packet to the access device; if authentication passes it returns an Access-Accept packet carrying the authorization attributes, such as the user's IP address, the time limit for Internet use and the bandwidth. On receiving that packet the access device notifies the user of the success or failure of authentication. If authentication passed, the access device opens limited network privileges according to the authorization information sent down by the server and at the same time sends the AAA server an Accounting-Request packet in which an attribute marks the accounting status as "start". On receiving the Accounting-Request, the AAA server records the current time in its database as the starting point of accounting and returns an Accounting-Response packet. Thereafter the access device sends an Accounting-Request at fixed intervals with the attribute marking the accounting status as "interim" (real-time accounting); on receiving each one the AAA server records the accounting information in its database and returns an Accounting-Response. The purpose of the interim accounting exchange is to avoid losing all of the accounting information if the access device, the RADIUS service or the network fails while the user is online.

At any time during accounting the user may go offline. After receiving the user's log-off notice, the access device sends the AAA server an Accounting-Request packet in which the attribute marks the accounting status as "stop". On receiving it the AAA server records the current time in the database as the end point of accounting and returns an Accounting-Response packet.
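As an added illustration (not part of the patent), the following Python models the AAA-server side of the Start / Interim-Update / Stop exchange just described, including the fault-detection closing of a session whose interim updates stop arriving. The Acct-Status-Type values are the standard RADIUS accounting ones; the session ids, timestamps, the interim interval and the two-interval timeout are constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Standard RADIUS Acct-Status-Type values (RFC 2866): Start=1, Stop=2, Interim-Update=3.
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3


@dataclass
class Session:
    user: str
    start: int                  # Unix time recorded from the Start request
    last_seen: int              # Unix time of the latest Start/Interim/Stop received
    stop: Optional[int] = None  # set when the session is closed
    closed_by: str = "open"     # "stop" (normal) or "timeout" (fault detection)


@dataclass
class AccountingStore:
    """Minimal AAA-server accounting state (assumed design, not the patent's code)."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    interim_interval: int = 300  # seconds between the interim updates the NAS is expected to send

    def handle(self, msg: dict) -> str:
        """Process one Accounting-Request (modelled as a dict of attributes).
        Returns 'Accounting-Response' when the request was accepted, or
        'Silently-Discard' for a request that matches no open session."""
        sid = msg["Acct-Session-Id"]
        status = msg["Acct-Status-Type"]
        ts = msg["Event-Timestamp"]
        if status == ACCT_START:
            # Start: record the accounting start time for this session.
            self.sessions[sid] = Session(msg["User-Name"], ts, ts)
            return "Accounting-Response"
        sess = self.sessions.get(sid)
        if sess is None or sess.stop is not None:
            return "Silently-Discard"
        if status not in (ACCT_INTERIM, ACCT_STOP):
            return "Silently-Discard"
        # Interim or Stop: the partial record is now safe even if nothing else arrives.
        sess.last_seen = max(sess.last_seen, ts)
        if status == ACCT_STOP:
            sess.stop = ts
            sess.closed_by = "stop"
        return "Accounting-Response"

    def expire(self, now: int) -> List[str]:
        """Fault detection: close sessions whose interim updates stopped arriving.
        Billed time ends at the last update actually received, so a crashed NAS
        or a lost network path costs at most a couple of interim intervals of usage."""
        closed = []
        for sid, sess in self.sessions.items():
            if sess.stop is None and now - sess.last_seen > 2 * self.interim_interval:
                sess.stop = sess.last_seen
                sess.closed_by = "timeout"
                closed.append(sid)
        return closed

    def billed_seconds(self, sid: str) -> int:
        sess = self.sessions[sid]
        end = sess.stop if sess.stop is not None else sess.last_seen
        return end - sess.start


def demo() -> dict:
    """Constructed traffic: 'alice' starts, sends two interim updates and stops;
    'bob' starts, sends one interim update and then his NAS goes silent;
    a Stop for an unknown session is discarded."""
    store = AccountingStore()
    msgs = [
        {"Acct-Session-Id": "A1", "User-Name": "alice", "Acct-Status-Type": ACCT_START,   "Event-Timestamp": 1000},
        {"Acct-Session-Id": "B1", "User-Name": "bob",   "Acct-Status-Type": ACCT_START,   "Event-Timestamp": 1010},
        {"Acct-Session-Id": "A1", "User-Name": "alice", "Acct-Status-Type": ACCT_INTERIM, "Event-Timestamp": 1300},
        {"Acct-Session-Id": "B1", "User-Name": "bob",   "Acct-Status-Type": ACCT_INTERIM, "Event-Timestamp": 1310},
        {"Acct-Session-Id": "A1", "User-Name": "alice", "Acct-Status-Type": ACCT_INTERIM, "Event-Timestamp": 1600},
        {"Acct-Session-Id": "A1", "User-Name": "alice", "Acct-Status-Type": ACCT_STOP,    "Event-Timestamp": 1750},
        {"Acct-Session-Id": "C9", "User-Name": "eve",   "Acct-Status-Type": ACCT_STOP,    "Event-Timestamp": 1760},
    ]
    responses = [store.handle(m) for m in msgs]
    expired = store.expire(now=2000)
    return {"responses": responses, "expired": expired,
            "A1": store.billed_seconds("A1"), "B1": store.billed_seconds("B1"),
            "B1_closed_by": store.sessions["B1"].closed_by}


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is the one the text gives for interim accounting: because `expire` bills up to the last update received rather than discarding the session, a lost Stop or a failed NAS truncates the record instead of erasing it.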

Judged against the above process, the main disadvantages of the authentication solution that identifies users by VLAN ID are: 1. The granularity of authentication only reaches the VLAN level, that is, several nodes going online through the same VLAN port cannot be effectively distinguished, so every node must occupy a separate VLAN ID. 2. The networking lacks flexibility, and managing VLAN IDs is itself a major problem: adding, deleting or moving a user all involve modifying VLAN IDs, which must be maintained on the devices, and as the number of VLAN switches grows this consumes a great deal of manpower and material resources.

The main disadvantages of the PPPoE authentication approach are: 1. The procedure is complex, comprising a PPPoE Discovery stage and a PPP session stage, so connection establishment takes a long time; and building another link layer on top of the LAN's data link layer is inefficient. 2. PPPoE clients must install dedicated PPPoE authentication client software, which increases the user's cost and inconvenience. 3. PPPoE is a point-to-point link and does not support multicast.

Summary of the invention

The object of the invention is to provide a portal authentication method based on authentication, accounting and authorization protocols that effectively solves the problem of authenticating network access by user-level nodes in a local area network.

To achieve this object, the first portal authentication method provided by the invention, based on authentication, accounting and authorization protocols, comprises the following steps:

Step 11: the user browses, via the network access IP address, to the portal (Portal) website of the access provider and obtains the authentication web page;

Step 12: the user enters security information into the authentication web page and sends it to the portal server (Portal Server);

Step 13: on receiving the information, the Portal Server assembles it into an authentication request packet according to the authentication, accounting and authorization protocol (RADIUS protocol) and sends it to the network access server (NAS);

Step 14: the NAS, acting as a proxy, forwards the authentication request packet to the RADIUS server;

Step 15: the RADIUS server returns the authentication result, which is one of two kinds, Accept (authentication passed) or Reject (authentication failed); if the result is Accept, the NAS authorizes the user's connection locally and at the same time sends an authentication response to the Portal Server, which notifies the client of the result through the authentication web page.

The second portal authentication method provided by the invention, based on authentication, accounting and authorization protocols, comprises the following steps:

Step 21: the user browses, via the network access IP address, to the Portal website of the access provider and obtains the authentication web page;

Step 22: the user enters security information into the authentication web page and sends it to the Portal Server;

Step 23: on receiving the information, the Portal Server assembles it into an authentication request packet according to the RADIUS protocol and sends it to the NAS; if the security information in the authentication request packet contains neither the user password (User-Password) nor a user password encrypted with an encryption algorithm, then

Step 24: the NAS sends the Portal Server the challenge code (Challenge) required by the encryption algorithm in an Access-Challenge packet;

Step 25: the Portal Server constructs the authentication request packet again, this time with the user password encrypted by the encryption algorithm, and sends it to the NAS together with the user name and other information;

Step 26: the NAS, acting as a proxy, forwards the authentication request packet to the RADIUS server;

Step 27: the RADIUS server returns the authentication result, which is one of two kinds, Accept (authentication passed) or Reject (authentication failed); if the result is Accept, the NAS authorizes the user's connection locally and at the same time sends an authentication response to the Portal Server, which notifies the client of the result through the authentication web page.

The third portal authentication method provided by the invention, based on authentication, accounting and authorization protocols, comprises the following steps:

Step 31: the user browses, via the network access IP address, to the Portal website of the access provider and obtains the authentication web page;

Step 32: the user enters security information into the authentication web page and sends it to the Portal Server;

Step 33: on receiving the information, the Portal Server assembles it into an authentication request packet according to the RADIUS protocol and sends it to the network access server (NAS);

Step 34: the NAS, acting as a proxy, forwards the authentication request packet to the RADIUS server;

Step 35: the RADIUS server sends an Access-Challenge packet to the NAS, requesting authentication again;

Step 36: the NAS forwards the packet to the Portal Server, which encrypts the user password again, reassembles the authentication request packet and sends it to the NAS;

Step 37: the NAS, acting as a proxy, forwards the authentication request packet to the RADIUS server;

Step 38: the RADIUS server returns the authentication result, which is one of two kinds, Accept (authentication passed) or Reject (authentication failed); if the result is Accept, the NAS authorizes the user's connection locally and at the same time sends an authentication response to the Portal Server, which notifies the client of the result through the authentication web page.

The fourth portal authentication method provided by the invention, based on authentication, accounting and authorization protocols, comprises the following steps:

Step 41: the user browses, via the network access IP address, to the Portal website of the access provider and obtains the authentication web page;

Step 42: the user enters security information into the authentication web page and sends it to the Portal Server;

Step 43: the Portal Server sends an access request (Access-Request) packet to the NAS;

Step 44: the NAS forwards the Extensible Authentication Protocol (EAP) attribute in the received Access-Request packet to the RADIUS Server;

Step 45: the RADIUS Server sends an Access-Challenge (access challenge) response packet to the NAS device;

Step 46: the NAS forwards the EAP attribute in the Access-Challenge packet to the Portal Server;

Step 47: steps 43 to 46 are repeated until the RADIUS server responds to the NAS with an Access-Accept or Access-Reject packet;

Step 48: the authentication result returned by the RADIUS server is one of two kinds, Accept (authentication passed) or Reject (authentication failed); if the result is Accept, the NAS authorizes the user's connection locally and at the same time sends an authentication response to the Portal Server, which notifies the client of the result through the authentication web page.

The fifth portal authentication method provided by the invention, based on authentication, accounting and authorization protocols, comprises the following steps:

Step 51: the user browses, via the network access IP address, to the Portal website of the access provider and obtains the authentication web page;

Step 52: the user enters security information into the authentication web page and sends it to the Portal Server;

Step 53: the Portal Server sends the authentication request directly to the RADIUS Server;

Step 54: the RADIUS Server sends the authentication response to the Portal Server;

Step 55: the Portal Server sends a Trigger Request packet to the NAS. The Trigger packet is a self-defined packet whose attributes include authorization information such as Framed-IP-Address (the user's IP address) and Event-Timestamp (the event time stamp). The NAS compares the Event-Timestamp with its own current time and allows the user access if it falls within a set time range; if access is allowed, it establishes a connection for the user's IP and opens the connection permission;

Step 56: after the NAS has finished setting the permission for the connection, it returns a Trigger-ack (trigger response) message to the Portal Server whose content is whether the permission setting succeeded or failed.
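The direct-mode exchange in steps 55 and 56 puts the authorization decision on the NAS, so the check of Event-Timestamp against the NAS clock is what keeps a captured Trigger Request from being replayed later. The following Python is an added example of that NAS-side check, not code from the patent or from Huawei: Framed-IP-Address and Event-Timestamp are standard RADIUS attribute names and Trigger Request / Trigger-ack are the patent's message names, while the 60-second window, the address-pool check, the idempotent handling of a retransmitted request and all sample values are assumptions made for this example.

```python
import ipaddress
from typing import Dict, Set, Tuple


class TriggerHandler:
    """NAS-side handling of the direct-mode Trigger Request (assumed design)."""

    def __init__(self, window_seconds: int = 60, access_pool: str = "10.0.0.0/24"):
        self.window = window_seconds                    # the patent's "set time range" (assumed value)
        self.pool = ipaddress.ip_network(access_pool)   # addresses the NAS hands out by DHCP (assumed)
        self.authorized: Dict[str, int] = {}            # user IP -> time the connection was opened
        self.seen: Set[Tuple[str, int]] = set()         # (ip, Event-Timestamp) pairs already applied

    def handle_trigger(self, req: dict, now: int) -> dict:
        """Return the Trigger-ack as a dict: result 'success' or 'failure', plus a reason."""
        try:
            ip = ipaddress.ip_address(req["Framed-IP-Address"])
            ts = int(req["Event-Timestamp"])
        except (KeyError, ValueError):
            return {"result": "failure", "reason": "missing or malformed attribute"}
        # Step 55's freshness check: Event-Timestamp must lie within the window
        # around the NAS clock, so an old request cannot be replayed to reopen access.
        if abs(now - ts) > self.window:
            return {"result": "failure", "reason": "Event-Timestamp outside window"}
        # Only addresses from the NAS's own pool can be opened (assumption of this example).
        if ip not in self.pool:
            return {"result": "failure", "reason": "IP not in access pool"}
        key = (str(ip), ts)
        if key in self.seen:
            # A retransmitted request (e.g. after a lost Trigger-ack) is acknowledged
            # again but the permission is not applied a second time.
            return {"result": "success", "reason": "already applied"}
        self.seen.add(key)
        self.authorized[str(ip)] = now
        return {"result": "success", "reason": "connection opened"}

    def is_authorized(self, ip: str) -> bool:
        return ip in self.authorized


def demo() -> list:
    """Constructed requests against a NAS whose clock reads `now`."""
    nas = TriggerHandler(window_seconds=60)
    now = 1_700_000_000
    cases = [
        {"Framed-IP-Address": "10.0.0.25", "Event-Timestamp": now - 5},     # fresh, in pool -> success
        {"Framed-IP-Address": "10.0.0.25", "Event-Timestamp": now - 5},     # retransmission -> success, not re-applied
        {"Framed-IP-Address": "10.0.0.26", "Event-Timestamp": now - 3600},  # an hour old -> failure
        {"Framed-IP-Address": "192.0.2.7", "Event-Timestamp": now},         # outside the pool -> failure
        {"Framed-IP-Address": "10.0.0.27"},                                 # no timestamp -> failure
    ]
    return [nas.handle_trigger(c, now)["result"] for c in cases]


if __name__ == "__main__":
    print(demo())
```

The window only works if the Portal Server and the NAS keep their clocks in step; in a deployment the window should be wider than the expected clock skew plus network delay, and a Trigger-ack failure with reason "Event-Timestamp outside window" is worth logging as a possible clock problem before it is read as an attack.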

Each of the above methods further includes: the user obtaining the IP address for network access from the NAS through the Dynamic Host Configuration Protocol (DHCP).

In each of the above methods, the security information the user enters into the authentication web page is sent to the Portal Server over the secure hypertext transfer protocol (HTTPS).

Each of the above methods further includes: after the user has passed authentication, controlling the accounting operations for the user during the online session by means of fault detection.

The advantages of the invention are: 1. Compared with the authentication solution that identifies users by VLAN ID, whose management granularity only reaches the VLAN ID level and whose VLAN ID management is itself a major problem (adding, deleting or moving a user all involve modifying VLAN IDs, which must be maintained on the devices), the granularity of Portal authentication reaches the user level, and users can choose their ISP themselves. 2. Compared with a dedicated authentication client (such as a PPPoE client), the content of the WEB server and the authentication procedure are controlled by the operator, so upgrades and changes can be made centrally. In the Portal authentication method provided by the invention, the WEB browser is already very common and generally needs no reinstallation; its form is familiar to and accepted by most users, who can operate it almost without training. In addition, Portal authentication makes mandatory Portal authentication easy to implement: in that case the user does not even need to know the WEB server's IP address, since a request to browse any WEB server is enough to start authentication. The Portal authentication method also makes it easy to broadcast community notices or host other content for users to use free of charge. In short, the WEB portal page authentication method provided by the invention solves the problem of authenticating users on a broadband network with only small changes to the access device and no change to the RADIUS server.

Brief description of the drawings

Figure 1 is a schematic diagram of the user and server structure of the current access network;

Figure 2 is a schematic diagram of the user network access structure of the portal authentication method of the invention;

Figure 3 is a logical structure diagram in which the portal server interacts directly only with the access device to authenticate the user;

Figure 4 is a flow chart of the PAP authentication method in proxy mode;

Figure 5 is a flow chart of the first CHAP authentication method in proxy mode;

Figure 6 is a flow chart of the second CHAP authentication method in proxy mode;

Figure 7 is a flow chart of the EAP authentication method in proxy mode;

Figure 8 is a logical structure diagram in which the portal server interacts directly with the RADIUS server to authenticate the user;

Figure 9 is a flow chart of the portal-server-notification authentication method in direct mode.

Detailed description

The invention is described in further detail below with reference to the accompanying drawings.

Control of LAN access can be enforced at several control points. The access structure in Figure 2 consists mainly of an edge access layer, an access layer and an aggregation layer; access authorization can be enforced at the edge access layer, at the access layer or at the aggregation layer. The edge access layer generally uses layer-2 devices such as VLAN switches as the network entry devices, which provide only the physical access link, while the access layer and above consist of layer-3 devices capable of IP forwarding. The access-layer device in Figure 2 is the NAS (network access server). Portal authentication is access control at layer 3 (the IP layer), so it must be implemented on a device able to identify IP packets.

First, the client obtains an IP address through DHCP (the Dynamic Host Configuration Protocol); a static IP address may also be used. With this address the client cannot yet reach the Internet: before authentication passes it can only reach a specific IP address, usually that of the Portal Server. An access device that uses Portal authentication must have this capability, which is generally implemented with an access control list (ACL).

After logging in to the Portal Server the user can browse its content, such as advertisements, news and other free information; the user can also enter a user name and password on the web page, which the WEB client application passes to the Portal Server, and the Portal Server then interacts with the NAS or the RADIUS server (RADIUS Server) to authenticate the user. The invention distinguishes two modes according to whether the Portal Server interacts with the RADIUS Server directly: the mode in which the Portal Server authenticates only through the NAS is called the proxy mode, and the mode in which the Portal Server interacts with the RADIUS Server directly is called the direct mode. The packets exchanged between them all follow the format specified by the RADIUS protocol, with extensions in packet types and attributes.

The Portal authentication provided by the invention is of two kinds: active Portal authentication and mandatory Portal authentication. The method described above, in which the user actively visits the Portal server to authenticate, is active Portal authentication.

For mandatory Portal authentication, before the user passes authentication the access device (sometimes called the access server, NAS) discards all of the user's other packets, except those that are TCP packets whose port number is the well-known port of the HTTP protocol. Those the NAS redirects to a specific IP address (usually that of the Portal server). That is, whatever IP address the user enters to browse the WEB, the user is redirected to the operator's WEB home page (the authentication page).

In a specific application of the invention, mandatory Portal authentication can be an optional service, and the access device need not have this capability. In that case, before the user passes authentication, every IP packet other than an explicit visit to the operator's WEB site is discarded by the access device, so the user must explicitly enter the Portal Server's IP address in the browser.
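The pre-authentication ACL and the HTTP redirect described in the last three paragraphs are the enforcement point of the whole scheme: every method above ends with the NAS "opening the connection" for one IP, and until then only the portal is reachable. The Python below is an added example of that per-user policy, not code from the patent or from Huawei; the portal and user addresses, the packet representation and the decision names are constructed for the example, and the flag distinguishing a NAS that supports the redirect (mandatory Portal) from one that does not (active Portal only) is an assumption.

```python
from dataclasses import dataclass
from typing import Set

HTTP_PORT = 80  # the "well-known port of the HTTP protocol" the text refers to


@dataclass(frozen=True)
class Packet:
    """One upstream IP packet from a user, reduced to the fields the policy needs."""
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


class PortalFilter:
    """Per-user access policy enforced by the NAS before and after Portal authentication (assumed design)."""

    def __init__(self, portal_ip: str, forced_portal: bool):
        self.portal_ip = portal_ip
        self.forced_portal = forced_portal   # True: NAS supports the HTTP redirect (mandatory Portal)
        self.authenticated: Set[str] = set()

    def authorize(self, ip: str) -> None:
        """Called when the NAS receives Access-Accept (proxy mode) or applies a Trigger Request (direct mode)."""
        self.authenticated.add(ip)

    def deauthorize(self, ip: str) -> None:
        """Called when the user logs off or the accounting session is closed."""
        self.authenticated.discard(ip)

    def decide(self, pkt: Packet) -> str:
        """Return FORWARD, REDIRECT(<portal ip>) or DROP for one packet."""
        if pkt.src_ip in self.authenticated:
            return "FORWARD"
        # Before authentication only the Portal Server is reachable (the ACL in the text);
        # the free portal content and the HTTPS login form both sit behind this rule.
        if pkt.dst_ip == self.portal_ip:
            return "FORWARD"
        # Mandatory Portal: any other HTTP request is redirected to the portal login page.
        if self.forced_portal and pkt.proto == "tcp" and pkt.dst_port == HTTP_PORT:
            return f"REDIRECT({self.portal_ip})"
        # Everything else the user sends before authentication is discarded.
        return "DROP"


def demo() -> dict:
    """Constructed packets from one user against a forced-portal NAS and an active-portal NAS."""
    portal = "198.51.100.10"   # constructed Portal Server address
    user = "10.0.0.25"         # constructed user address handed out by DHCP
    forced = PortalFilter(portal, forced_portal=True)
    active = PortalFilter(portal, forced_portal=False)
    web_elsewhere = Packet(user, "203.0.113.5", "tcp", 80)
    https_elsewhere = Packet(user, "203.0.113.5", "tcp", 443)
    to_portal = Packet(user, portal, "tcp", 443)
    before = {
        "forced_http": forced.decide(web_elsewhere),
        "forced_https": forced.decide(https_elsewhere),
        "forced_portal": forced.decide(to_portal),
        "active_http": active.decide(web_elsewhere),
    }
    forced.authorize(user)
    after = {
        "forced_http": forced.decide(web_elsewhere),
        "forced_https": forced.decide(https_elsewhere),
    }
    forced.deauthorize(user)
    return {"before": before, "after": after, "after_logoff": forced.decide(https_elsewhere)}


if __name__ == "__main__":
    print(demo())
```

Two things the model shows that the prose leaves implicit: the redirect applies only to plain HTTP, so an HTTPS request to an arbitrary site is simply dropped rather than redirected, and the authorized set is keyed by the user's IP address, which is why the methods above carry Framed-IP-Address and why the NAS must be the device that assigned that address.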

实现代理方式认证结构的组网图与各结点间的通信关系参考图3。PortalServer在获得用户的用户名和密码外,还会得到用户的IP地址。然后它与NAS之间用RADIUS协议直接通信,而NAS又与RADIUS直接通信完成用户的认证过程。Refer to Figure 3 for the network diagram for implementing the proxy authentication structure and the communication relationship between each node. In addition to obtaining the user's username and password, PortalServer will also obtain the user's IP address. Then it communicates directly with the NAS using the RADIUS protocol, and the NAS communicates directly with the RADIUS to complete the user authentication process.

Figure 4 is the flowchart of the PAP (PPP Authentication Protocol) authentication method in proxy mode; the specific authentication process is as follows:

1. When powered on, each user machine connected to the access device automatically obtains a unique IP address from the NAS through the Dynamic Host Configuration Protocol (DHCP) process; for a user with a static IP address this step is omitted;

2. The user browses the access provider's Portal website and obtains the authentication webpage; at the same time the user can browse community advertisements, notices and other content;

3. The user enters security information such as the account name and password in the authentication page, and the WEB client sends it to the Portal Server. The confidentiality of the user name and password can be guaranteed by HTTPS (secure HTTP; HTTP: Hypertext Transfer Protocol);

4. After receiving this information, the Portal Server assembles it according to the RADIUS protocol into an authentication request packet encrypted in the PAP (PPP Authentication Protocol) manner and sends it to the NAS. The Portal Server and the NAS must share a secret key used by the MD5 encryption algorithm;

5. The NAS, acting as a RADIUS proxy, forwards the authentication request to the RADIUS server; in practice the NAS device may also modify the RADIUS message as needed, adding certain attributes;

6. The RADIUS server returns the authentication result, which is one of two kinds: Accept (authentication passed) or Reject (authentication failed);

7. If successful, the NAS authorizes the user's connection locally;

8. The NAS sends an authentication response to the Portal Server;

9. The Portal Server notifies the client of the authentication result through the WEB page.
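As an added example that is not the patent's own code, the Portal Server side of step 4 and the response check of step 8 in Python: hiding the User-Password with the shared secret and Request Authenticator as RFC 2865 specifies for PAP, and verifying the Response Authenticator on the NAS's reply. The shared secret, user name, password and IP address are constructed values.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value may not exceed 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret || previous block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the NAS or RADIUS server. The padding is
    stripped on the assumption that real passwords do not end in NUL bytes."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(h ^ k for h, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def access_request_attrs(username, password, user_ip, secret, authenticator):
    """Attributes the Portal Server puts in the PAP Access-Request: the user name, the hidden
    password and the user's IP address (Framed-IP-Address) that the Portal Server also learned."""
    return [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (FRAMED_IP_ADDRESS, bytes(int(octet) for octet in user_ip.split("."))),
    ]


def build_access_request(ident, username, password, user_ip, secret, authenticator=None):
    """Step 4: assemble the Access-Request. The 16-byte Request Authenticator must be
    unpredictable, because it keys the password hiding above."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = encode_attrs(access_request_attrs(username, password, user_ip, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request_pkt, secret, attrs=b""):
    """Step 8, NAS side: Response Authenticator = MD5(Code || ID || Length || RequestAuth ||
    Attributes || Secret) (RFC 2865 section 3)."""
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response_pkt, request_pkt, secret):
    """Step 8, Portal Server side: accept the response only if its identifier matches the
    outstanding request and its authenticator was computed with the shared secret."""
    if len(response_pkt) < 20 or struct.unpack("!H", response_pkt[2:4])[0] != len(response_pkt):
        return False
    if response_pkt[1] != request_pkt[1]:
        return False
    header, response_auth, attrs = response_pkt[:4], response_pkt[4:20], response_pkt[20:]
    expected = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def response_code(response_pkt):
    """Code field of a verified response: ACCESS_ACCEPT or ACCESS_REJECT."""
    return response_pkt[0]
```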

Figure 5 is the flowchart of the CHAP (Challenge Handshake Authentication Protocol) authentication method in proxy mode; the specific authentication process is as follows:

1. When powered on, each user machine connected to the access device automatically obtains a unique IP address from the NAS through the Dynamic Host Configuration Protocol (DHCP) process; for a user with a static IP address this step is omitted;

2. The user browses the access provider's Portal website and obtains the authentication webpage; at the same time the user can browse community advertisements, notices and other content;

3. The user enters security information such as the account name and password in the authentication page, and the WEB client sends it to the Portal Server. The confidentiality of the user name and password can be guaranteed by HTTPS (secure HTTP; HTTP: Hypertext Transfer Protocol);

4. The Portal Server assembles the above security information into an authentication request packet according to the RADIUS protocol and sends it to the NAS. If the packet carries neither a User-Password nor a CHAP-Password (the user password encrypted with the MD5 algorithm), this indicates that it needs a Challenge for CHAP; then

5. The NAS sends the CHAP Challenge to the Portal Server in an Access-Challenge message;

6. The Portal Server constructs the authentication request packet again, this time encrypting the user password with MD5-CHAP using that Challenge, and sends it to the NAS together with the user name and other information;

7. The NAS, acting as a RADIUS proxy, forwards the authentication request to the RADIUS server; in practice the NAS device may also modify the RADIUS message as needed, adding certain attributes;

8. The RADIUS server returns the authentication result, which is one of two kinds: Accept (authentication passed) or Reject (authentication failed);

9. If successful, the NAS authorizes the user's connection locally;

10. The NAS sends an authentication response to the Portal Server;

11. The Portal Server notifies the client of the authentication result through the WEB page.

Since the Challenge used for the above encryption can also be obtained from the RADIUS server, there is a further CHAP authentication method in proxy mode, shown in Figure 6; the specific authentication process is as follows:

1. When powered on, each user machine connected to the access device automatically obtains a unique IP address from the NAS through the Dynamic Host Configuration Protocol (DHCP) process; for a user with a static IP address this step is omitted;

2. The user browses the access provider's Portal website and obtains the authentication webpage; at the same time the user can browse community advertisements, notices and other content;

3. The user enters security information such as the account name and password in the authentication page, and the WEB client sends it to the Portal Server. The confidentiality of the user name and password can be guaranteed by HTTPS (secure HTTP; HTTP: Hypertext Transfer Protocol);

4. After receiving this information, the Portal Server assembles it according to the RADIUS protocol into an authentication request packet encrypted in the PAP (PPP Authentication Protocol) manner and sends it to the NAS. The Portal Server and the NAS must share a secret key used by the MD5 encryption algorithm;

5. The NAS, acting as a RADIUS proxy, forwards the authentication request to the RADIUS server; in practice the NAS device may also modify the RADIUS message as needed, adding certain attributes;

6. The RADIUS server may send an Access-Challenge message to the NAS, requiring authentication once more;

7. The NAS forwards this message to the Portal Server. In this process the NAS works only as an intermediate proxy;

8. The Portal Server encrypts the user password again, reassembles the authentication request message and sends it to the NAS;

9. The NAS, acting as a RADIUS proxy, forwards the authentication request to the RADIUS server; in practice the NAS device may also modify the RADIUS message as needed, adding certain attributes;

10. The RADIUS server returns the authentication result, which is one of two kinds: Accept (authentication passed) or Reject (authentication failed);

11. If successful, the NAS authorizes the user's connection locally;

12. The NAS sends an authentication response to the Portal Server;

13. The Portal Server notifies the client of the authentication result through the WEB page.
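An added example (not the patent's code) covering the CHAP exchange of Figure 5 and, as far as the password hashing is concerned, Figure 6: the NAS deciding when to return an Access-Challenge, the Portal Server computing the CHAP-Password under the received challenge, and the RADIUS server verifying it. A dict of attribute type to value stands in for the packet framing, and the user database is constructed.

```python
import hashlib
import hmac
import secrets

# RADIUS attribute types (RFC 2865): User-Name, User-Password, CHAP-Password, CHAP-Challenge
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
# A plain dict {attribute type: value bytes} stands in for the wire packet in this example
# (constructed model; the RADIUS packet framing is not shown here).


def needs_chap_challenge(attrs):
    """Step 4 of Figure 5: a request carrying neither User-Password nor CHAP-Password asks for a challenge."""
    return USER_PASSWORD not in attrs and CHAP_PASSWORD not in attrs


def chap_password(ident, password, challenge):
    """RFC 2865 section 5.3 / RFC 1994: CHAP-Password = CHAP Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_handle_request(attrs, pending):
    """NAS side of steps 4 to 7. `pending` maps user name -> challenge issued and not yet answered."""
    user = attrs.get(USER_NAME)
    if user is None:
        return "Access-Reject", {}
    if needs_chap_challenge(attrs):
        # Step 5: answer with Access-Challenge carrying a fresh, unpredictable challenge.
        challenge = secrets.token_bytes(16)
        pending[user] = challenge
        return "Access-Challenge", {CHAP_CHALLENGE: challenge}
    if CHAP_PASSWORD in attrs:
        # Step 7: only proxy a CHAP answer to a challenge this NAS issued for this user, and
        # consume the challenge so a captured answer cannot be submitted a second time.
        issued = pending.pop(user, None)
        if issued is None or not hmac.compare_digest(issued, attrs.get(CHAP_CHALLENGE, b"")):
            return "Access-Reject", {}
    return "Proxy-to-RADIUS", attrs


def portal_second_request(username, password, ident, challenge):
    """Step 6: the Portal Server rebuilds the request with the password hashed under the challenge.
    The challenge is echoed in CHAP-Challenge so the RADIUS server can recompute the digest."""
    return {
        USER_NAME: username,
        CHAP_PASSWORD: chap_password(ident, password.encode(), challenge),
        CHAP_CHALLENGE: challenge,
    }


def radius_verify_chap(attrs, user_db):
    """RADIUS server side of step 8. CHAP requires the server to hold the cleartext password
    (user_db maps user name -> password bytes), a known limitation of the method."""
    user = attrs.get(USER_NAME)
    response = attrs.get(CHAP_PASSWORD)
    challenge = attrs.get(CHAP_CHALLENGE)
    if user not in user_db or response is None or len(response) != 17 or challenge is None:
        return "Access-Reject"
    expected = chap_password(response[0], user_db[user], challenge)
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


def run_exchange(username, password, user_db, ident=1):
    """Drive the whole Figure 5 exchange for one user and return the RADIUS verdict."""
    pending = {}
    kind, reply = nas_handle_request({USER_NAME: username}, pending)
    if kind != "Access-Challenge":
        return "Access-Reject"
    second = portal_second_request(username, password, ident, reply[CHAP_CHALLENGE])
    kind, forwarded = nas_handle_request(second, pending)
    if kind != "Proxy-to-RADIUS":
        return "Access-Reject"
    return radius_verify_chap(forwarded, user_db)
```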

In all of the above methods the NAS acts as an intermediary, so it must implement part of the functionality of both the RADIUS client and the RADIUS server.

Figure 7 is the flowchart of the EAP authentication method in proxy mode. In the present invention EAP serves as an extensible access authentication protocol; its most notable feature is that the device does not need to intervene in the specific authentication process and only has to pass the messages through transparently. The specific authentication process is as follows:

1. When powered on, each user machine connected to the access device automatically obtains a unique IP address from the NAS through the Dynamic Host Configuration Protocol (DHCP) process; for a user with a static IP address this step is omitted;

2. The user browses the access provider's Portal website and obtains the authentication webpage; at the same time the user can browse community advertisements, notices and other content;

3. The user enters security information such as the account name and password in the authentication page, and the WEB client sends it to the Portal Server. The confidentiality of the user name and password can be guaranteed by HTTPS (secure HTTP; HTTP: Hypertext Transfer Protocol);

4. The Portal server sends an Access-Request message whose format conforms to the description of EAP in RFC2869.

5. The NAS device forwards the EAP attributes in the Portal server's Access-Request message to the RADIUS server; the message format conforms to the description of EAP in RFC2869.

6. The RADIUS server sends an Access-Challenge response message to the NAS device; the message format conforms to the description of EAP in RFC2869.

7. The NAS device forwards the EAP attributes in the RADIUS server's Access-Challenge message to the Portal server.

8. Steps 4 to 7 are repeated until the RADIUS server responds with an Access-Accept or Access-Reject message, or until the negotiation is interrupted for some reason.

9. If successful (the NAS receives an Access-Accept message), the NAS authorizes the user's connection locally;

10. The NAS sends an authentication response to the Portal Server;

11. The Portal Server notifies the client of the authentication result through the WEB page.

As can be seen from the above flow, in the EAP method the NAS merely acts as an intermediary that relays EAP attributes; the user's authentication information, such as the user name and password, is encapsulated in the EAP attributes, and the NAS device does not need to know it. The EAP negotiation can be repeated many times until the RADIUS server responds with an Access-Accept or Access-Reject message. After the RADIUS server responds with Access-Accept, the NAS device must perform the operation that opens the user's access permission, meaning that the user has passed authentication and can access the Internet.
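An added example, not the patent's code, of the pass-through behaviour in Python: a NAS relay that copies only the EAP-Message and State attributes between a stand-in Portal Server (the EAP peer) and a stand-in RADIUS server running EAP-MD5, looping until Access-Accept or Access-Reject. The EAP-MD5 method, the user database and the attribute-dict model of the packets are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# RADIUS attribute types: EAP-Message (RFC 2869 section 5.13) and State (RFC 2865 section 5.24)
EAP_MESSAGE, STATE = 79, 24
# EAP codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5_CHALLENGE = 1, 4


def eap_pack(code, ident, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) Data."""
    return bytes([code, ident]) + (len(data) + 4).to_bytes(2, "big") + data


def eap_unpack(pkt):
    if len(pkt) < 4 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("malformed EAP packet")
    return pkt[0], pkt[1], pkt[4:]


def md5_challenge_digest(ident, password, challenge):
    """EAP-MD5 response value (RFC 3748 section 5.4): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class RadiusEapMd5Server:
    """Constructed stand-in for the RADIUS server: runs EAP-MD5 and binds rounds together with State."""

    def __init__(self, user_db):
        self.users = user_db   # user name -> password bytes (EAP-MD5 needs the cleartext)
        self.sessions = {}     # State value -> (user, expected identifier, challenge)

    def handle(self, attrs):
        try:
            code, ident, data = eap_unpack(attrs.get(EAP_MESSAGE, b""))
        except ValueError:
            return "Access-Reject", {}
        if code != EAP_RESPONSE or not data:
            return "Access-Reject", {}
        if data[0] == EAP_IDENTITY:
            user = data[1:].decode(errors="replace")
            if user not in self.users:
                return "Access-Reject", {EAP_MESSAGE: eap_pack(EAP_FAILURE, ident)}
            state, challenge = secrets.token_bytes(8), secrets.token_bytes(16)
            next_ident = (ident + 1) % 256
            self.sessions[state] = (user, next_ident, challenge)
            request = eap_pack(EAP_REQUEST, next_ident, bytes([EAP_MD5_CHALLENGE, 16]) + challenge)
            return "Access-Challenge", {EAP_MESSAGE: request, STATE: state}
        if data[0] == EAP_MD5_CHALLENGE and attrs.get(STATE) in self.sessions:
            user, expected_ident, challenge = self.sessions.pop(attrs[STATE])  # one-shot State
            value = data[2:2 + data[1]] if len(data) >= 2 else b""
            expected = md5_challenge_digest(ident, self.users[user], challenge)
            if ident == expected_ident and hmac.compare_digest(value, expected):
                return "Access-Accept", {EAP_MESSAGE: eap_pack(EAP_SUCCESS, ident)}
        return "Access-Reject", {EAP_MESSAGE: eap_pack(EAP_FAILURE, ident)}


class PortalEapPeer:
    """Constructed stand-in for the Portal Server acting as the EAP peer on the user's behalf."""

    def __init__(self, username, password):
        self.username, self.password = username.encode(), password.encode()

    def first_request(self):
        """Step 4: the Access-Request opens with an EAP-Response/Identity."""
        return {EAP_MESSAGE: eap_pack(EAP_RESPONSE, 1, bytes([EAP_IDENTITY]) + self.username)}

    def answer(self, attrs):
        """Steps 7 and 4 again: answer the MD5-Challenge, echoing State unchanged."""
        code, ident, data = eap_unpack(attrs[EAP_MESSAGE])
        if code != EAP_REQUEST or not data or data[0] != EAP_MD5_CHALLENGE:
            return None
        challenge = data[2:2 + data[1]]
        digest = md5_challenge_digest(ident, self.password, challenge)
        response = eap_pack(EAP_RESPONSE, ident, bytes([EAP_MD5_CHALLENGE, 16]) + digest)
        return {EAP_MESSAGE: response, STATE: attrs.get(STATE, b"")}


def nas_relay(portal, radius, max_rounds=10):
    """Steps 4 to 9 from the NAS's point of view: copy only EAP-Message and State between the two
    ends without looking inside them, stopping at Access-Accept/Reject or when the negotiation breaks off."""
    attrs = portal.first_request()
    for _ in range(max_rounds):
        reply_code, reply = radius.handle({k: v for k, v in attrs.items() if k in (EAP_MESSAGE, STATE)})
        if reply_code == "Access-Accept":
            return "authorized"  # step 9: open the user's access permission
        if reply_code == "Access-Reject":
            return "rejected"
        attrs = portal.answer({k: v for k, v in reply.items() if k in (EAP_MESSAGE, STATE)})
        if attrs is None:
            return "aborted"     # step 8: negotiation interrupted
    return "aborted"
```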

Another authentication method has the Portal Server act as a RADIUS client and interact directly with the RADIUS server to authenticate the user; see Figure 8. In this method, after the Portal Server obtains the user name and password it does not authenticate through the NAS but goes directly to the RADIUS Server. A representative case is the RADIUS Server and the Portal Server running on the same machine. After authentication passes, the NAS is notified in some manner. The specific authentication process is shown in Figure 9:

1. When powered on, each user machine connected to the access device automatically obtains a unique IP address from the NAS through the Dynamic Host Configuration Protocol (DHCP) process; for a user with a static IP address this step is omitted;

2. The user browses the access provider's Portal website and obtains the authentication webpage; at the same time the user can browse community advertisements, notices and other content;

3. The user enters security information such as the account name and password in the authentication page, and the WEB client sends it to the Portal Server. The confidentiality of the user name and password can be guaranteed by HTTPS (secure HTTP; HTTP: Hypertext Transfer Protocol);

4. The Portal Server sends the authentication request directly to the RADIUS Server;

5. The RADIUS Server sends the authentication response to the Portal Server;

6. The Portal Server sends a Triger-Request message to the NAS. This message type is self-defined, with a type code different from the RADIUS message types already defined in the standards RFC2865 and RFC2866 (RFC: Request for Comments). Its attributes include Framed-IP-Address, Event-Timestamp and other authorization information. To prevent a third party from replaying captured messages in order to spoof the system, the Event-Timestamp is compared with the current time on the device, and the user is allowed access only if the difference is within a certain range. If access is allowed, a connection is established for that user's IP address and the permission is opened.

7. After the NAS finishes setting the permission on the connection, it returns a Triger-Ack message to the Portal Server, whose content is whether the permission setting succeeded or failed.

8. The user is configured.

9. The user accesses the network.

Since the RADIUS protocol does not provide for the RADIUS server actively sending protocol messages to the NAS device, the RADIUS protocol needs to be extended: the RADIUS+1.1 protocol adds two newly numbered message types (Triger-Request and Triger-Ack).

After the RADIUS server has authenticated the user, it needs to notify the NAS device to open the user's permission to access the Internet; the RADIUS server does this by sending a Triger-Request message to the NAS device. After receiving the Triger-Request message, the NAS device opens the corresponding permission and at the same time sends a Triger-Ack to the RADIUS server stating that the user's permission has been opened successfully; of course, the Triger-Ack can also carry information that opening the permission failed, together with the reason for the failure.

In the present invention, the Triger-Request/Triger-Ack messages use the same security mechanism as the Accounting-Request/Accounting-Response messages of the RADIUS protocol, and the shared secret is the shared secret used between the RADIUS server and the NAS to encrypt authentication messages.
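As an added example that is not the patent's code: the Triger-Request/Triger-Ack exchange of steps 6 and 7 with the Accounting-Request style authenticator described above, plus the NAS's Event-Timestamp window check. The type codes, the acceptance window and the use of Reply-Message to carry the success/failure result are assumptions for this example; as an addition beyond the page's check, the NAS also remembers authenticators it accepted inside the window so an identical message cannot be replayed within it.

```python
import hashlib
import hmac
import struct
import time

# Triger-Request/Triger-Ack are the patent's own message types; RFC 2865/2866 assign them no code,
# so these two values are placeholders for this example.
TRIGER_REQUEST, TRIGER_ACK = 250, 251
FRAMED_IP_ADDRESS, REPLY_MESSAGE, EVENT_TIMESTAMP = 8, 18, 55  # RFC 2865 / RFC 2869 types
MAX_CLOCK_SKEW = 60  # seconds; the acceptance window is a deployment choice (assumed value)
ZERO_AUTH = b"\x00" * 16


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Decode type-length-value attributes; reject truncated or zero-length entries."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return attrs


def build_triger_request(ident, user_ip, secret, now=None):
    """Sender side of step 6. Authenticator as for Accounting-Request (RFC 2866 section 3):
    MD5 over the packet with the authenticator field zeroed, followed by the shared secret."""
    ts = int(time.time() if now is None else now)
    attrs = encode_attrs([
        (FRAMED_IP_ADDRESS, bytes(int(o) for o in user_ip.split("."))),
        (EVENT_TIMESTAMP, struct.pack("!I", ts)),
    ])
    header = struct.pack("!BBH", TRIGER_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return header + auth + attrs


def nas_check_triger_request(pkt, secret, seen, now=None):
    """NAS side of step 6: returns (status, user_ip); only status "ok" opens the permission.
    `seen` maps accepted authenticators -> timestamp (the added replay cache)."""
    if len(pkt) < 20:
        return "malformed", None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != TRIGER_REQUEST or length != len(pkt):
        return "malformed", None
    header, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + ZERO_AUTH + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return "bad-authenticator", None  # not from a holder of the shared secret, or modified
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return "malformed", None
    if len(attrs.get(FRAMED_IP_ADDRESS, b"")) != 4 or len(attrs.get(EVENT_TIMESTAMP, b"")) != 4:
        return "missing-attribute", None
    ts = struct.unpack("!I", attrs[EVENT_TIMESTAMP])[0]
    now = int(time.time() if now is None else now)
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return "stale-timestamp", None  # the replay defence described in the text
    # Prune expired entries, then refuse an authenticator already accepted inside the window.
    for old in [a for a, t in seen.items() if abs(now - t) > MAX_CLOCK_SKEW]:
        del seen[old]
    if auth in seen:
        return "replay", None
    seen[auth] = ts
    return "ok", ".".join(str(b) for b in attrs[FRAMED_IP_ADDRESS])


def build_triger_ack(request_pkt, secret, success):
    """Step 7, NAS side. Authenticator as for Accounting-Response: MD5(header || RequestAuth || attrs || secret)."""
    attrs = encode_attrs([(REPLY_MESSAGE, b"success" if success else b"failure")])
    header = struct.pack("!BBH", TRIGER_ACK, request_pkt[1], 20 + len(attrs))
    auth = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return header + auth + attrs


def portal_read_triger_ack(ack_pkt, request_pkt, secret):
    """Step 7, sender side: True/False for the permission result, or None if the ack is not authentic."""
    if len(ack_pkt) < 20 or ack_pkt[0] != TRIGER_ACK or ack_pkt[1] != request_pkt[1]:
        return None
    header, auth, body = ack_pkt[:4], ack_pkt[4:20], ack_pkt[20:]
    expected = hashlib.md5(header + request_pkt[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return None
    return parse_attrs(body).get(REPLY_MESSAGE) == b"success"
```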

After passing authentication the user is entitled to log on to the Internet, but while online, failures or various abnormal situations may arise at any time, such as:

1. The client's browser fails and cannot browse web pages;

2. The client machine stops or the network is interrupted, so it cannot communicate with the NAS device;

3. The NAS device fails and cannot provide access service to the customer.

When a failure occurs the user cannot go on occupying network resources, so the above failures should be detected promptly and accounting stopped. For these abnormal situations, the present invention adopts the following anomaly detection mechanisms:

1. ARP probing: ARP probing can detect failures at the network layer (the IP layer), for instance when the client machine crashes, its network card fails, or its network cable is disconnected. If the NAS device finds that the client's IP address fails to respond to ARP messages several times in a row, the client can be considered to have failed;

2. After the user passes authentication, the user keeps a small WEB window open throughout the online session for handshaking with the Portal server. The handshake messages can be standard HTTP GET/POST requests or IP packets customized through a Java Applet. While performing the handshake, the small WEB window can also obtain from the Portal server information such as the traffic used so far and the remaining balance. If the Portal server receives no handshake message from the client's small WEB window for a set period of time, it can consider the client to have failed, notify the NAS device to stop accounting, and bar the user from accessing the Internet.

The above two anomaly detection mechanisms can normally be used in combination, or each can be used alone.
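An added example (not the patent's code) of both detection mechanisms as session-monitor logic in Python: consecutive unanswered ARP probes reported by the NAS, and a silence timeout on the handshake from the user's small WEB window, either of which ends the session and stops accounting. The probe count, the timeout and the event model are assumptions for this example.

```python
from dataclasses import dataclass

ARP_MAX_MISSES = 3       # consecutive unanswered ARP probes before the client is declared down (assumed value)
HANDSHAKE_TIMEOUT = 120  # seconds without a handshake from the WEB window (assumed value)


@dataclass
class Session:
    user_ip: str
    last_handshake: float  # time of the last handshake the Portal server accepted
    arp_misses: int = 0    # consecutive ARP probes the client failed to answer
    active: bool = True    # False once accounting has been stopped and access revoked


class SessionMonitor:
    """Tracks authenticated users and decides when the NAS must stop accounting and revoke access.
    Both mechanisms from the text are applied; either one can be left unused by not feeding it events."""

    def __init__(self, arp_max_misses=ARP_MAX_MISSES, handshake_timeout=HANDSHAKE_TIMEOUT):
        self.sessions = {}
        self.arp_max_misses = arp_max_misses
        self.handshake_timeout = handshake_timeout
        self.terminated = []  # (user_ip, reason) pairs; stands in for the notification to the NAS

    def start(self, user_ip, now):
        """Called when authentication succeeds and the user's access is opened."""
        self.sessions[user_ip] = Session(user_ip, last_handshake=now)

    def on_handshake(self, user_ip, now):
        """Mechanism 2: a GET/POST from the user's small WEB window. Returns False for unknown or ended sessions."""
        s = self.sessions.get(user_ip)
        if s is None or not s.active:
            return False
        s.last_handshake = now
        return True

    def on_arp_probe(self, user_ip, answered):
        """Mechanism 1: result of one ARP probe sent by the NAS. Returns True if the session was ended."""
        s = self.sessions.get(user_ip)
        if s is None or not s.active:
            return False
        s.arp_misses = 0 if answered else s.arp_misses + 1  # one answer resets the run of misses
        if s.arp_misses >= self.arp_max_misses:
            self._terminate(s, "arp-probe-failure")
            return True
        return False

    def check_timeouts(self, now):
        """Run periodically on the Portal server; ends sessions whose WEB window has gone silent."""
        ended = []
        for s in self.sessions.values():
            if s.active and now - s.last_handshake > self.handshake_timeout:
                self._terminate(s, "handshake-timeout")
                ended.append(s.user_ip)
        return ended

    def _terminate(self, session, reason):
        session.active = False
        self.terminated.append((session.user_ip, reason))  # NAS: stop accounting, close the permission

    def is_active(self, user_ip):
        s = self.sessions.get(user_ip)
        return bool(s and s.active)
```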

Claims (9)

1. A portal authentication implementation method based on the authentication, charging and authorization protocol, comprising the steps of:
Step 11: the client obtains the authentication webpage by visiting the access provider's portal website at the IP address of the portal server;
Step 12: the portal server receives the security information entered by the client in the authentication webpage;
Step 13: after receiving this information, the portal server assembles it into an authentication request packet according to the authentication, charging and authorization protocol and sends it to the network access server;
Step 14: the network access server, acting as a proxy, forwards the above authentication request packet to the authentication, charging and authorization server;
Step 15: the authentication, charging and authorization server returns the authentication result, which is one of two kinds, accept and reject; if the authentication result is accept, the network access server authorizes the user's connection locally and at the same time sends an authentication response to the portal server, and the portal server notifies the client of the authentication result through the authentication webpage.
2. A portal authentication implementation method based on the authentication, charging and authorization protocol, comprising the steps of:
Step 21: the client obtains the authentication webpage by visiting the access provider's portal website at the IP address of the portal server;
Step 22: the portal server receives the security information entered by the client in the authentication webpage;
Step 23: after receiving this information, the portal server assembles it into an authentication request packet according to the authentication, charging and authorization protocol and sends it to the network access server; if the security information in the authentication request packet contains neither the user password nor the user password encrypted with the encryption algorithm, then
Step 24: the network access server sends the challenge code required by the encryption algorithm to the portal server in a challenge message;
Step 25: the portal server constructs the authentication request packet again, encrypting the user password in the packet with the encryption algorithm and sending it to the network access server together with the user name and other information;
Step 26: the network access server, acting as a proxy, forwards the above authentication request packet to the authentication, charging and authorization server;
Step 27: the authentication, charging and authorization server returns the authentication result, which is one of two kinds, accept and reject; if the authentication result is accept, the network access server authorizes the user's connection locally and at the same time sends an authentication response to the portal server, and the portal server notifies the client of the authentication result through the authentication webpage.
3. A portal authentication implementation method based on the authentication, charging and authorization protocol, comprising the steps of:
Step 31: the client obtains the authentication webpage by visiting the access provider's portal website at the IP address of the portal server;
Step 32: the portal server receives the security information entered by the client in the authentication webpage;
Step 33: after receiving this information, the portal server assembles it into an authentication request packet according to the authentication, charging and authorization protocol and sends it to the network access server;
Step 34: the network access server, acting as a proxy, forwards the above authentication request packet to the authentication, charging and authorization server;
Step 35: the authentication, charging and authorization server sends an access challenge message to the network access server, requiring authentication once more;
Step 36: the network access server forwards this message to the portal server; the portal server encrypts the user password once more, reassembles the authentication request packet and sends it to the network access server;
Step 37: the network access server, acting as a proxy, forwards the above authentication request packet to the authentication, charging and authorization server;
Step 38: the authentication, charging and authorization server returns the authentication result, which is one of two kinds, accept and reject; if the authentication result is accept, the network access server authorizes the user's connection locally and at the same time sends an authentication response to the portal server, and the portal server notifies the client of the authentication result through the authentication webpage.
4. A portal authentication implementation method based on the authentication, charging and authorization protocol, comprising the steps of:
Step 41: the client obtains the authentication webpage by visiting the access provider's portal website at the IP address of the portal server;
Step 42: the portal server receives the security information entered by the client in the authentication webpage;
Step 43: the portal server sends an access request message to the network access server;
Step 44: the network access server forwards the extensible authentication protocol attribute in the received access request message to the authentication, charging and authorization server;
Step 45: the authentication, charging and authorization server sends an access challenge message to the network access server device;
Step 46: the network access server forwards the extensible authentication protocol attribute in the access challenge message to the portal server;
Step 47: steps 43 to 46 are repeated until the authentication, charging and authorization server responds to the network access server with an access accept message or an access reject message;
Step 48: the authentication result returned by the authentication, charging and authorization server is one of two kinds, accept and reject; if the authentication result is accept, the network access server authorizes the user's connection locally and at the same time sends an authentication response to the portal server, and the portal server notifies the client of the authentication result through the authentication webpage.
5. A portal authentication implementation method based on the authentication, charging and authorization protocol, comprising the steps of:
Step 51: the client browses the access provider's portal website via the IP address of the portal server and obtains the authentication webpage;
Step 52: the portal server receives the security information entered by the client in the authentication webpage;
Step 53: the portal server sends the authentication request directly to the authentication, charging and authorization server;
Step 54: the authentication, charging and authorization server sends the authentication response to the portal server;
Step 55: the portal server sends a trigger request message to the network access server; the trigger request message is a self-defined message whose attributes include the IP address and an Event Timestamp; the Event Timestamp is compared with the current time on the network access server, and the user is allowed access only within a set time range; if the user is allowed access, a connection is established for the user's IP address and the connection permission is opened;
Step 56: after finishing setting the permission on the connection, the network access server returns a trigger response message to the portal server, the content of which is whether the permission setting succeeded or failed.
6. The portal authentication implementation method based on the authentication, charging and authorization protocol according to claim 1, 2, 3, 4 or 5, characterized in that the method further comprises: the client obtains the IP address for network access from the network access server through DHCP.
7. The portal authentication implementation method based on the authentication, charging and authorization protocol according to claim 6, characterized in that the portal server receives the security information entered by the client in the authentication webpage over the secure Hypertext Transfer Protocol (HTTPS).
8. The portal authentication implementation method based on the authentication, charging and authorization protocol according to claim 7, characterized in that the method further comprises: after the client passes authentication, a fault detection method is used to control the charging operation for the client during network access.
9. The portal authentication implementation method based on the authentication, charging and authorization protocol according to claim 2, characterized in that the encryption algorithm is the Message Digest algorithm, version 5 (MD5).
Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021253420A CN1152333C (en) 2002-07-31 2002-07-31 Method for realizing portal authentication based on protocols of authentication, charging and authorization

Publications (2)

Publication Number Publication Date
CN1416072A CN1416072A (en) 2003-05-07
CN1152333C true CN1152333C (en) 2004-06-02

Family

ID=4745529

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB021253420A Expired - Fee Related CN1152333C (en) 2002-07-31 2002-07-31 Method for realizing portal authentication based on protocols of authentication, charging and authorization

Country Status (1)

Country Link
CN (1) CN1152333C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056179B (en) * 2007-06-13 2010-06-09 中兴通讯股份有限公司 Method and system for controlling the user to visit the network at the specific area

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100337229C (en) * 2003-06-02 2007-09-12 华为技术有限公司 Network verifying, authorizing and accounting system and method
CN100386999C (en) * 2003-07-23 2008-05-07 华为技术有限公司 Method for monitoring user connection state
CN100456766C (en) * 2003-08-06 2009-01-28 华为技术有限公司 Method for realizing network-visit control
CN1298145C (en) * 2003-12-24 2007-01-31 中兴通讯股份有限公司 Control device and method for realizing broad band connecting server multiple business united interface
CN1652535B (en) * 2004-02-03 2010-06-23 华为技术有限公司 Method for managing network layer address
CN100505625C (en) * 2004-03-19 2009-06-24 华为技术有限公司 A method for implementing charging in communication system based on Web agent
CN100344099C (en) * 2004-03-24 2007-10-17 华为技术有限公司 Method for realizing small window of customer end in wideband data intelligent network
CN1697386B (en) * 2004-05-14 2010-04-07 华为技术有限公司 Method of charging base on infrastructure architecture of authentication and security in WLAN
CN1783780B (en) * 2004-12-04 2010-09-08 华为技术有限公司 Implementation method and device for domain authentication and network authority authentication
US8775586B2 (en) * 2005-09-29 2014-07-08 Avaya Inc. Granting privileges and sharing resources in a telecommunications system
CN100370733C (en) * 2006-02-21 2008-02-20 华为技术有限公司 System and method for realizing NSP and ISP simultaneously charging
CN101094226B (en) * 2006-06-19 2011-11-09 华为技术有限公司 Security framework of managing network, and information processing method
CN100433625C (en) * 2006-07-12 2008-11-12 华为技术有限公司 Multi-service selective network and implementation method for service supporting same
CN1917427B (en) * 2006-08-28 2010-08-11 杭州华三通信技术有限公司 Method and equipment for quick recovering environment of portal authentication
CN101163000B (en) * 2006-10-13 2011-03-02 中兴通讯股份有限公司 Secondary authentication method and system
CN101127603B (en) * 2007-08-16 2010-08-04 中兴通讯股份有限公司 A method for single point login of portal website and IMS client
CN101651682B (en) * 2009-09-15 2012-08-29 杭州华三通信技术有限公司 Method, system and device of security certificate
CN102437946B (en) * 2010-09-29 2014-08-20 杭州华三通信技术有限公司 Access control method, network access server (NAS) equipment and authentication server
CN102387083B (en) * 2011-11-28 2014-11-26 中国联合网络通信集团有限公司 Network access control method and system
CN102378178B (en) * 2011-12-09 2015-01-28 武汉虹旭信息技术有限责任公司 WLAN (Wireless Local Area Network) user comprehensive authentication system and method
CN102802275B (en) * 2012-08-22 2015-11-25 汉柏科技有限公司 A kind of wireless encryption cut-in method
CN103997479B (en) * 2013-02-17 2018-06-15 新华三技术有限公司 A kind of asymmetric services IP Proxy Methods and equipment
CN104852919B (en) * 2015-05-14 2018-05-08 新华三技术有限公司 Realize the method and device of door Portal certifications
CN108616490B (en) * 2016-12-13 2020-11-03 腾讯科技(深圳)有限公司 Network access control method, device and system
CN109005154A (en) * 2018-07-01 2018-12-14 甘肃万维信息技术有限责任公司 Telecom broadband AAA network access authentication decryption method based on the 3DES algorithm
CN111193647A (en) * 2020-02-25 2020-05-22 北京数立通科技有限责任公司 PPPoE-based device for user-selected egress and network access method
CN112688923A (en) * 2020-12-14 2021-04-20 杭州迪普科技股份有限公司 User login processing method and system
CN113660201B (en) * 2021-07-08 2023-05-30 上海二三四五网络科技有限公司 Control method and control device for high concurrency primary key conflict

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056179B (en) * 2007-06-13 2010-06-09 中兴通讯股份有限公司 Method and system for controlling user access to the network in a specific area

Also Published As

Publication number Publication date
CN1416072A (en) 2003-05-07

Similar Documents

Publication Publication Date Title
CN1152333C (en) Method for realizing portal authentication based on protocols of authentication, charging and authorization
US7194763B2 (en) Method and apparatus for determining authentication capabilities
EP2051432B1 (en) An authentication method, system, supplicant and authenticator
CN101651682B (en) Method, system and device of security certificate
CN1781099B (en) Automatic configuration of client terminal in public hot spot
CN1753364A (en) Method and system for controlling network access
US20050132229A1 (en) Virtual private network based on root-trust module computing platforms
CN1553368A (en) Network authentication, authorization and accounting system and method
CN101061454A (en) Systems and methods for managing a network
JP2009538478A5 (en)
WO2004034645A1 (en) Identification information protection method in wlan interconnection
CN101212374A (en) Method and system for realizing remote access to campus network resources
JP2008518533A (en) Method and system for transparently authenticating mobile users and accessing web services
CN1553741A (en) Method and system for providing users with network roaming
CN114995214A (en) Method, system, device, equipment and storage medium for remotely accessing application
CN1874226A (en) Terminal access method and system
CN103200159B (en) Network access method and equipment
CN1403952A (en) Ethernet authenticated access method
CN1243434C (en) Method for implementing EAP authentication in a remote-authentication-based network
CN1809072A (en) Network architecture of backward compatible authentication, authorization and accounting system and implementation method
WO2013056619A1 (en) Method, idp, sp and system for identity federation
CN1756155A (en) Mobile authentication for web access
CN1142662C (en) Authentication method supporting network switching based on different devices at the same time
US20080155678A1 (en) Computer system for controlling communication to/from terminal
WO2003081839A1 (en) Method for implementing handshaking between the network access device and the user based on the 802.1x protocol

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20040602

Termination date: 20150731

EXPY Termination of patent right or utility model