
CN1416241A - Authentication method for supporting network switching in based on different devices at same time - Google Patents


Info

Publication number: CN1416241A
Authority: CN (China)
Prior art keywords: user, authentication, access, access point, point apparatus
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN 02145637
Other languages: Chinese (zh)
Other versions: CN1142662C (en)
Inventor: 金涛
Current assignee: Huawei Technologies Co Ltd (as listed by Google Patents)
Original assignee: Huawei Technologies Co Ltd

Events: application filed by Huawei Technologies Co Ltd; priority to CNB021456372A; publication of CN1416241A; application granted; publication of CN1142662C; anticipated expiration; current status Expired - Fee Related.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for simultaneously supporting network access authentication based on different devices. In a network that uses the authentication method based on the access point device, the authentication messages of the authentication method based on the access control device are carried between the user and the access control device through the uncontrolled port of the access point device, so that the user is authenticated for network access; and after the user passes authentication, the controlled port of the access point device is opened. The invention thus lets the user, during network access, choose either the authentication method based on the access point device, such as 802.1x authentication, or the authentication method based on the access control device, such as WEB authentication. The user can freely and dynamically select an authentication method as needed, which makes network access in many public places more convenient.


Description

Method for simultaneously supporting network access authentication based on different devices

Technical field

The invention relates to the field of network communication technology, and in particular to a method for simultaneously supporting network access authentication based on different devices.

Background

The Ethernet networking arrangement in common use today is shown in Figure 1. One LAN switch (Ethernet switch) can serve several PCs (computers), and the LAN switch is connected to the access control device over an Ethernet link. For wireless LAN technology, the PC's wireless network adapter associates with a wireless access point, one access point can serve several PCs, and the wireless access point is connected to the access control device over an Ethernet link. The access control device may be a LAN switch or router with user-management functions, or an Ethernet user access management device with similar functions.

In a real deployment a PC may be connected directly to the access point device, or may reach it through a hub (network hub), LAN switch or similar device placed below the access point device; a PC may also be connected over VDSL to a VDSL switch, in which case the VDSL line carries Ethernet-format frames. In a wireless LAN the PC and the access point may be connected with wireless Ethernet protocols such as, but not limited to, 802.11, 802.11a, 802.11b and 802.11g. The network also needs a RADIUS authentication server, which verifies that a user's identity is legitimate, enforces network access control, and lets the network operator manage the users who access the network.

The network access control methods used by network operators today include several widely deployed authentication methods, among them WEB authentication and 802.1x authentication. 802.1x, that is IEEE 802.1x, is a port-based access control protocol and an Ethernet-based authentication protocol. Because the protocol is secure and simple to implement, 802.1x, alongside other authentication protocols, provides a new way of authenticating users of broadband access technologies such as ADSL (Asymmetric Digital Subscriber Line), VDSL (Very-high-speed Digital Subscriber Line) and LAN (Local Area Network). 802.1x authentication is normally implemented on the device closest to the user, so the 802.1x access authentication process runs on the access point device, for example a LAN switch (Ethernet switch) or a wireless access point. WEB authentication, another widely used method, is normally implemented on the Ethernet access control device: when a user performs WEB authentication, the authentication messages must be sent through the access point device to the access control device for authentication.

The 802.1x protocol specifies, however, that on the access point device only the uncontrolled port, which is used mainly to carry EAPOL (EAP over LAN) authentication frames, is always bidirectionally connected, so that the client can always send and receive authentication frames. All other frames are carried over the controlled port of the access point device, and while that port is unauthorized it is blocked and cannot forward frames. Only after 802.1x authentication succeeds and the controlled port is authorized and opened can service traffic be forwarded.

Therefore, when a user needs to use WEB authentication, either the user must first authenticate with the 802.1x method so that the controlled port of the access point is opened, or the access point must be configured to open the port for that user, so that the user can perform WEB authentication. Otherwise the user cannot choose an authentication method dynamically and can only use one particular method to access the network, which limits the user's choice of authentication.

In many public places, moreover, even if a given user uses only one authentication method, the network cannot obtain any information about the user before the user accesses the network, so it cannot configure the matching authentication method for that user in advance. This inevitably prevents some users who do not use the network's default authentication method from accessing the network normally, and is inconvenient for users.

The existing technology therefore cannot meet the need of users who wish to freely select one of several authentication methods for network access authentication.

Summary of the invention

The purpose of the invention is to provide a method that simultaneously supports network access authentication based on different devices, so that while accessing the network the user can choose, as needed, either the authentication method based on the access point device or the authentication method based on the access control device.

The purpose is achieved as follows. A method for simultaneously supporting network access authentication based on different devices is characterized in that, in a network that uses the authentication method based on the access point device, the authentication messages of the authentication method based on the access control device are carried between the user and the access control device through the uncontrolled port of the access point device, so that the user is authenticated for network access; and after the user passes authentication, the controlled port of the access point device is opened.

Before the user authenticates, the method further includes assigning the user an IP address through the DHCP process.

When the authentication method based on the access control device is WEB (World Wide Web) authentication, the authentication messages include DHCP (Dynamic Host Configuration Protocol) messages, HTTP (Hypertext Transfer Protocol) messages and DNS (Domain Name Service) messages.
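The pass-list that the uncontrolled port has to enforce is the security-relevant part of this arrangement: before a user is authenticated only DHCP, DNS, the HTTP/HTTPS of WEB authentication and EAPOL may traverse the access point, and the controlled port is opened per user afterwards. The Python model below is an added example, not code from the patent or from Huawei. It implements that filter for the two variants step 2 of the detailed description distinguishes, forced Portal (any pre-authentication HTTP/HTTPS passes so the access control device can redirect it) and no forced Portal (only traffic to the designated Portal server passes); the Frame fields, the Portal server address and the client MAC are assumptions made for the example.

```python
"""Model of the per-client uncontrolled/controlled port filter on the access
point device. Added example; the frame representation and addresses are
assumptions, not values taken from the patent."""
from dataclasses import dataclass, field

PORTAL_SERVER = "10.0.0.5"   # assumed address of the designated Portal server
DHCP_PORTS = {67, 68}
DNS_PORTS = {53}
WEB_PORTS = {80, 443}


@dataclass
class Frame:
    """Simplified view of one frame from a client (an assumption; real code
    would decode EtherType, IP protocol and ports from the packet)."""
    src_mac: str
    proto: str            # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    eapol: bool = False   # EAPOL frame (EtherType 0x888E), the 802.1x path


@dataclass
class AccessPointFilter:
    """Per-client port pair: the uncontrolled port passes only authentication
    traffic; the controlled port passes everything once opened for that MAC."""
    allow_forced_portal: bool = False             # let any pre-auth HTTP/HTTPS through
    authorized: set = field(default_factory=set)  # MACs whose controlled port is open

    def open_controlled_port(self, mac: str) -> None:
        self.authorized.add(mac)

    def close_controlled_port(self, mac: str) -> None:
        self.authorized.discard(mac)

    def uncontrolled_port_permits(self, f: Frame) -> bool:
        if f.eapol:
            return True                      # 802.1x: EAPOL always passes
        if f.proto == "udp" and f.dst_port in DHCP_PORTS:
            return True                      # step 1: DHCP before authentication
        if f.proto == "udp" and f.dst_port in DNS_PORTS:
            return True                      # DNS lookup preceding the HTTP request
        if f.proto == "tcp" and f.dst_port in WEB_PORTS:
            # WEB authentication. With forced Portal the first request may go to
            # any site (the access control device redirects it); without it only
            # traffic to the Portal server itself may pass.
            return self.allow_forced_portal or f.dst_ip == PORTAL_SERVER
        return False

    def forward(self, f: Frame) -> str:
        """Name the port that carries the frame, or 'drop'."""
        if f.src_mac in self.authorized:
            return "controlled"
        if self.uncontrolled_port_permits(f):
            return "uncontrolled"
        return "drop"


def demo(allow_forced_portal: bool = False):
    """Run a constructed frame sequence through the filter before and after
    the user's controlled port is opened (step 14). Returns (before, after)."""
    ap = AccessPointFilter(allow_forced_portal=allow_forced_portal)
    mac = "00:11:22:33:44:55"                       # constructed client MAC
    frames = [
        Frame(mac, "udp", "255.255.255.255", 67),   # DHCP Discover
        Frame(mac, "udp", "10.0.0.2", 53),          # DNS query
        Frame(mac, "tcp", "203.0.113.10", 80),      # HTTP to an arbitrary site
        Frame(mac, "tcp", PORTAL_SERVER, 443),      # HTTPS POST to the Portal
        Frame(mac, "tcp", "203.0.113.10", 22),      # SSH: never authentication traffic
    ]
    before = [ap.forward(f) for f in frames]
    ap.open_controlled_port(mac)
    after = [ap.forward(f) for f in frames]
    return before, after


if __name__ == "__main__":
    print(demo())
    print(demo(allow_forced_portal=True))
```

Two points a deployment has to get right follow directly from the model: in forced-Portal mode the access point passes any pre-authentication HTTP/HTTPS, so the access control device must itself intercept and redirect or drop unauthenticated web traffic, otherwise the uncontrolled port is an open web path; and passing DNS to arbitrary resolvers before authentication permits DNS tunnelling unless the access control device restricts which resolvers unauthenticated users may reach.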

When the authentication method based on the access point device is 802.1x authentication, the authentication process specifically includes:

a. the user sends an authentication start message to the access point device, and in reply to the user identity request message sent by the access point device, sends the user's identity information to the access point device;

b. the access point device sends the user's identity information to the authentication server, and the authentication server generates a CHALLENGE (challenge code) for the user and returns it to the access point device;

c. the access point device sends the CHALLENGE to the user, the user hashes it with the MD5 algorithm, and the hashed CHALLENGE is sent to the authentication server through the access point device;

d. the authentication server receives the hashed CHALLENGE and verifies it;

e. the authentication result is sent to the user through the access point device.

For a user who was assigned an IP address through the DHCP process before authentication, step e further includes: for a user who passes authentication, if the IP address needs to be changed, a new IP address is assigned through the DHCP process again.

The authentication process based on the access control device includes:

f. the user sends an HTTP request message through the uncontrolled port of the access point device to the access control device, which forces the request to the Portal server;

g. the Portal server obtains the user's identity authentication information and a CHALLENGE generated for that user by the access control device;

h. the Portal server hashes the CHALLENGE with the MD5 algorithm and sends the result together with the user identity to the access control device;

i. the access control device sends the above information to the RADIUS authentication server for user authentication;

j. the authentication result is passed by the access control device to the Portal server, and for a user who passes authentication the access point device is told to open the controlled port corresponding to that user.

Step f further includes: the user exchanges DHCP messages with the access control device through the uncontrolled port of the access point device so that the user is assigned an IP address.

Step j further includes: for a user who passes authentication, if a new IP address needs to be assigned, the IP address is reassigned through the DHCP process.

From the above technical solution it can be seen that the invention lets the user, during network access, choose either the authentication method based on the access point device, such as 802.1x authentication, or the authentication method based on the access control device, such as WEB authentication. Because several authentication methods based on different devices are supported at the same time, the user can freely and dynamically select an authentication method as needed, and when accessing the network in many public places no matching authentication method has to be configured for the user in advance. This makes network access more convenient for users and improves the network operator's quality of service.

Brief description of the drawings

Figure 1 is a schematic diagram of the network environment in which the invention is applied;

Figure 2 is a flow chart of the specific implementation of WEB authentication according to the invention;

Figure 3 is a flow chart of the specific implementation of 802.1x authentication according to the invention.

Detailed description

The current LAN networking structure is shown in Figure 1: a PC (personal computer) accesses the network through an access point (AP) device, and the access point device is connected to the access control device. The invention lets the user authenticate either with the authentication process based on the access point device, such as 802.1x authentication, or with the authentication process based on the access control device, such as WEB authentication.

The specific implementation of the invention is shown in Figures 2 and 3:

Step 1: the user obtains an IP address from the access control device through the standard DHCP (Dynamic Host Configuration Protocol) process. The access point device allows DHCP traffic to pass through the uncontrolled port, so the DHCP exchange can traverse the access point device;

for a user with a manually configured IP address, step 1 is omitted;

once the user has an IP address, the user can select the authentication method as needed, that is either the method based on the access point device or the method based on the access control device. If the user selects WEB authentication based on the access control device, the user is authenticated for network access by performing steps 2 to 14, as shown in Figure 2:

Step 2: the user selects WEB authentication, opens IE and visits some website; the user initiates an HTTP (Hypertext Transfer Protocol) request by sending an "HTTP Request user-url" message towards the access control device;

The access point device allows the HTTP/HTTPS traffic of WEB authentication to pass through the uncontrolled port, so the HTTP/HTTPS flow can traverse the access point device. If forced Portal (redirection to the portal) is allowed, the website the user visits may be at any IP address, so all HTTP/HTTPS flows must be allowed through at this point. If forced Portal is not allowed, only HTTP/HTTPS flows to the designated Portal server used for WEB authentication are allowed through the access point device. In particular, a DNS (Domain Name Service) exchange may precede the HTTP request, so DNS requests for the designated URL (Uniform Resource Locator, the usual WWW address) or for any URL must be allowed through as well;

Step 3: the access control device intercepts the user's HTTP request; because the user has not been authenticated, it forces the request to the Portal server, that is it sends an "HTTP Request portal-url" message to the forced Portal server requesting the corresponding authentication WEB page;

Step 4: according to the message received, the Portal server pushes the WEB authentication page to the user terminal by sending an "HTTP Response portal-url" message;

Step 5: the user fills in the user name, password and other information on the WEB authentication page and submits it to the Portal server, that is the user sends an "HTTPs POST portal-url" message to the Portal server carrying the user name (username) and password (pwd);

Step 6: on receiving the user information, the Portal server must follow the CHAP (Challenge Handshake Authentication Protocol) procedure and request a Challenge from the access control device;

Step 7: the access control device generates a Challenge for the user, consisting of a Challenge ID (challenge code identifier) and the Challenge itself, and returns it in reply;

Step 8: the Portal server computes the Challenge-Password (challenge code password) as the MD5 of the password, Challenge ID and Challenge, and submits it together with the user name to the access control device in a "REQAUTH" message, which initiates the authentication process;

Step 9: the access control device sends the user information, namely the Challenge ID (chaID), the Challenge, the Challenge-Password (Pwd) and the user name (username), to the RADIUS (remote) authentication server in an "Access-Request" message, and the RADIUS authentication server performs the authentication;

Step 10: the RADIUS authentication server judges from the above user information whether the user is legitimate, then sends an "Access-Accept" or "Access-Reject" message (authentication success or failure) to the access control device; on success the message carries the negotiated parameters and the user's service attributes, which authorize the user;

Step 11: the access control device sends the authentication result to the Portal server in an "ACK AUTH" message, which also carries the relevant service attributes, such as the services the user has subscribed to and the user's billing status;

Step 12: according to the authentication result, the Portal server sends an "HTTP Response portal-url" message to the user, pushing the authentication result page;

Step 13: at the same time the Portal server sends an "AFF ACK AUTH" message to acknowledge to the access control device that it received the authentication result message;

Step 14: after the user is authenticated successfully, the access point device is told to open that user's controlled port, and the user accesses the network through the opened controlled port; if authentication fails, the procedure ends here and the user is told that network access is not possible.

For a successfully authenticated user the access control device still has to carry out the subsequent authorization, accounting and other procedures. Since an IP address has already been assigned, the user can go on using the original IP address for network access; if, after successful authentication, the ISP (Internet service provider) requires the user to change IP address, the user obtains a new IP address through the DHCP process again.

If the user selects 802.1x authentication based on the access point device, the user is authenticated for network access by performing steps 15 to 25, as shown in Figure 3:

Step 15: the user selects 802.1x authentication; taking EAP-MD5 (MD5-based Extensible Authentication Protocol) as the example, the user sends an "EAPoL-Start" frame to the access point device to begin the 802.1x access authentication process;

Step 16: the access point device sends an "EAP-Request/Identity" (identity request) frame to the user, asking the user to send the user name;

Step 17: on receiving the identity request, the user replies to the access point device with an "EAP-Response/Identity" frame carrying the user name;

Step 18: the access point device sends an "Access-Request" (access request) message to the RADIUS authentication server in EAP over RADIUS format; the message carries, in an EAP-Message (EAP authentication information) attribute, the "EAP-Response/Identity" (EAP identity response) frame that the user sent to the access point device, and thus submits the user name to the RADIUS authentication server;

Step 19: the RADIUS authentication server generates a 128-bit Challenge for the user and replies to the access point device with an "Access-Challenge" (access challenge) message; it contains an EAP-Message attribute carrying an "EAP-Request/MD5-Challenge" frame, which holds the Challenge that the access point device is to deliver to the corresponding user;

Step 20: the access point device sends the "EAP-Request/MD5-Challenge" frame to the user, asking the user to process the Challenge with the MD5 algorithm;

Step 21: on receiving the "EAP-Request/MD5-Challenge" frame, the user computes the MD5 hash over the Challenge to produce the Challenge-Password (challenge code password) and sends it to the access point device in an "EAP-Response/MD5-Challenge" frame;

Step 22: the access point device forwards the Challenge-Password, as the EAP-Response carried in an EAP-Message attribute, to the RADIUS authentication server in an "Access-Request" message; the RADIUS authentication server authenticates the user, deciding from the user information whether the user passes authentication;

Step 23: the RADIUS authentication server sends an authentication success or authentication failure message to the access point device; on success the message carries negotiated parameters such as authorization information, and the user's service attributes such as prepaid information and subscribed services;

if authentication succeeds, the access point device is also told to open the controlled port, and the user can access the network through the opened controlled port;

Step 24: according to the authentication result, the access point device sends an "EAP-Success" or "EAP-Failure" frame (authentication success or failure) to the user, notifying the user of the result; if authentication fails, the procedure ends;

Step 25: since an IP address has already been assigned, the user can go on using the original IP address for network access;

if, after successful authentication, the ISP (Internet service provider) requires the user to change IP address, the user obtains a new IP address through the DHCP process again;

after the user has obtained the IP address and accessed the network, the subsequent authorization, accounting and other procedures still have to be carried out.
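The challenge/response at the heart of both procedures, the Portal CHAP exchange of steps 6 to 9 and the EAP-MD5 exchange of steps 19 to 22, is the same computation: the response value is MD5(Identifier || password || Challenge) as defined for CHAP (RFC 1994) and for the EAP MD5-Challenge method (RFC 3748), with the Challenge ID or the EAP packet Identifier as the first byte. The Python below is an added example, not code from the patent or from Huawei. It frames the EAP-Request/MD5-Challenge and EAP-Response/MD5-Challenge packets, computes the response on the supplicant side and verifies it on the server side, rejecting a wrong password, an unknown user, a response to a different request identifier and a response replayed against a fresh challenge. The user database, password and EAP identifier are constructed for the example; the same chap_hash function gives the Challenge-Password the Portal server submits in step 8.

```python
"""EAP-MD5 challenge/response (steps 19 to 22) with the Portal CHAP variant
(steps 6 to 9). Added example; the user database is constructed."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# Constructed RADIUS user database. MD5-Challenge, like CHAP, needs the
# cleartext password on the server side to recompute the hash.
USER_DB = {"alice": b"s3cret-pw"}


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || Secret || Challenge), RFC 1994 section 4.1 and
    RFC 3748 section 5.4. This is the Challenge-Password of step 8 (with the
    Challenge ID) and the EAP-Response/MD5-Challenge value of step 21 (with
    the EAP Identifier)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet: bytes) -> dict:
    """Decode an MD5-Challenge request or response, checking the length fields."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated Value field")
    return {"code": code, "id": identifier, "value": value, "name": packet[6 + value_size:]}


# Server side, step 19: a fresh 128-bit challenge carried in EAP-Request/MD5-Challenge
# (which the RADIUS server wraps in an EAP-Message attribute of Access-Challenge).
def server_issue_challenge(identifier: int):
    challenge = os.urandom(16)
    return challenge, build_eap_md5(EAP_REQUEST, identifier, challenge)


# Supplicant side, step 21: hash the challenge and answer with the same Identifier.
def client_answer(request: bytes, username: str, password: bytes) -> bytes:
    req = parse_eap_md5(request)
    response_value = chap_hash(req["id"], password, req["value"])
    return build_eap_md5(EAP_RESPONSE, req["id"], response_value, username.encode())


# Server side, step 22: verify the relayed EAP-Response against the challenge it issued.
def server_verify(response: bytes, expected_id: int, challenge: bytes) -> bool:
    resp = parse_eap_md5(response)
    if resp["code"] != EAP_RESPONSE or resp["id"] != expected_id:
        return False                       # answer to some other request
    password = USER_DB.get(resp["name"].decode(errors="replace"))
    if password is None:
        return False                       # unknown user
    expected = chap_hash(expected_id, password, challenge)
    return hmac.compare_digest(expected, resp["value"])


def run_exchange(username: str, password: bytes, identifier: int = 7) -> bool:
    """Full request/response round trip; True when the server accepts the user."""
    challenge, request = server_issue_challenge(identifier)
    response = client_answer(request, username, password)
    return server_verify(response, identifier, challenge)


if __name__ == "__main__":
    print("alice, correct password:", run_exchange("alice", b"s3cret-pw"))
    print("alice, wrong password:  ", run_exchange("alice", b"wrong-pw"))
```

What the server side makes visible: verification needs the cleartext password on the RADIUS server, the exchange authenticates only the client and derives no keying material, and the response is bound to nothing but the Identifier and the challenge. Those properties are why EAP-MD5 is not used for wireless access today, and why in this design the controlled port is the only thing keeping an unauthenticated station off the network.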

Because all 802.1x authentication traffic from the access point device passes through the access control device, the access control device can listen to the authentication exchange the access point device initiates, for example the RADIUS protocol packets, and extract the user's authentication information from it, which makes it convenient to manage and control the user on the access control device.

Claims (8)

1, a kind of method of supporting simultaneously based on the distinct device network access authentication, it is characterized in that: in the network of employing based on the authentication mode of access point apparatus, to transmit between user and access control equipment through the uncontrolled port of access point apparatus based on the message identifying of the authentication mode of access control equipment, carry out the authentication of user access network; And the user opens the controlled ports of access point apparatus by after authenticating.
2, the method for supporting simultaneously based on the distinct device network access authentication according to claim 1 is characterized in that the user also comprises before authenticating: be user's distributing IP (the Internet) address by dhcp process.
3, the method for supporting simultaneously based on the distinct device network access authentication according to claim 1, when it is characterized in that described authentication mode based on access control equipment is WEB (World Wide Web) authentication mode, described message identifying comprises: based on the message of DHCP (DHCP) with based on the message of HTTP (HTML (Hypertext Markup Language)), and DNS (domain name service) message.
4, the method for supporting simultaneously based on the distinct device network access authentication according to claim 1 and 2, when it is characterized in that described authentication mode based on access point apparatus is the 802.1x authentication mode, concrete verification process comprises:
A, user send authentication beginning message to access point apparatus, and the user identity request message of sending according to access point apparatus, and user's identity information is sent to access point apparatus;
B, access point apparatus send to certificate server with user's identity information, and return to access point apparatus by certificate server for it generates a CHALLENGE (challenge code);
C, access point apparatus send to the user with this CHALLENGE, adopt the md5 encryption algorithm that it is encrypted by the user, and the CHALLENGE after the encryption sends to certificate server by access point apparatus;
D, certificate server receive the CHALLENGE after encrypting, and it is authenticated;
E, authentication result is sent to the user by access point apparatus.
5, the method for supporting simultaneously based on the distinct device network access authentication according to claim 4, it is characterized in that for having distributed the IP address user by dhcp process before the authentication, described step e also comprises: the user who passes through for authentication, change the IP address if desired, then distribute new IP address by dhcp process for it again.
6. The method for simultaneously supporting network access authentication based on different devices according to claim 1 or 2, characterized in that the authentication process in the access control device comprises:
F. the user sends an HTTP request message to the access control device through the uncontrolled port of the access point device and is redirected to the Portal server;
G. the Portal server obtains the user's authentication information and, through the access control device, the CHALLENGE generated for this user;
H. the Portal server encrypts the CHALLENGE with the MD5 encryption algorithm and sends it together with the user identity to the access control device;
I. the access control device sends the above information to the RADIUS authentication server for user authentication;
J. the access control device sends the authentication result to the Portal server and, for a user who has passed authentication, notifies the access point device to open the controlled port corresponding to this user.
7. The method for simultaneously supporting network access authentication based on different devices according to claim 6, characterized in that step F further comprises: the user exchanges DHCP messages with the access control device through the uncontrolled port of the access point device, so that an IP address is allocated to the user.
8. The method for simultaneously supporting network access authentication based on different devices according to claim 7, characterized in that step J further comprises: if a new IP address needs to be allocated to a user who has passed authentication, an IP address is allocated to the user again by the DHCP process.
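The challenge-response core shared by the 802.1x path (steps A to E) and the Portal path (steps F to J), together with the controlled/uncontrolled port split of claim 3, as an added Python example that is not part of the patent: the input layout MD5(password || CHALLENGE), the in-memory credential store, the message-type names and the class names are assumptions of this example.

```python
import hashlib
import secrets
# Constructed credential store for the authentication (RADIUS-like) server; example data only.
USER_DB = {"alice": b"correct-horse-battery"}

def md5_response(challenge: bytes, password: bytes) -> str:
    """User-side step C / H: the CHALLENGE is 'encrypted' with MD5.
    The patent does not fix the input layout; MD5(password || CHALLENGE) is an assumption."""
    return hashlib.md5(password + challenge).hexdigest()

class AuthServer:
    """Issues a fresh CHALLENGE per attempt (step B / G) and verifies the response (step D / I)."""
    def __init__(self, db):
        self.db = db
        self.pending = {}  # user -> outstanding CHALLENGE, consumed on verification

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)  # 128-bit random nonce, never reused
        self.pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)  # one-shot: a replayed response meets no CHALLENGE
        pw = self.db.get(user)
        if c is None or pw is None:
            return False
        return secrets.compare_digest(md5_response(c, pw), response)

class AccessPoint:
    """Per-user controlled port, plus an uncontrolled port limited to the claim 3 message types."""
    UNCONTROLLED_OK = {"EAPOL", "DHCP", "DNS", "HTTP"}

    def __init__(self, server: AuthServer):
        self.server = server
        self.controlled_open = set()  # users whose controlled port is open (step E / J)

    def forward(self, user: str, msg_type: str) -> bool:
        # Before authentication only the uncontrolled-port message types pass.
        if user in self.controlled_open:
            return True
        return msg_type in self.UNCONTROLLED_OK

    def authenticate(self, user: str, password: bytes) -> bool:
        # Challenge-response exchange; the controlled port opens only on success.
        challenge = self.server.challenge(user)
        response = md5_response(challenge, password)  # computed on the user side
        if self.server.verify(user, response):
            self.controlled_open.add(user)
            return True
        return False
```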

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021456372A CN1142662C (en) 2002-10-16 2002-10-16 Authentication method for supporting network switching in based on different devices at same time

Publications (2)

Publication Number Publication Date
CN1416241A true CN1416241A (en) 2003-05-07
CN1142662C CN1142662C (en) 2004-03-17

Family

ID=4750952

Country Status (1)

Country Link
CN (1) CN1142662C (en)

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1551576B (en) * 2003-05-08 2011-06-15 日本电气株式会社 Accessing control device and accessing control method
WO2005076532A1 (en) * 2004-02-02 2005-08-18 Huawei Technologies Co., Ltd. The interactive method for re-selecting the operation network by the wireless area network wlan user terminal
US7904087B2 (en) 2004-02-02 2011-03-08 Huawei Technologies Co., Ltd. Method and system for WLAN user equipment accessing new operation network
CN1652535B (en) * 2004-02-03 2010-06-23 华为技术有限公司 Method for managing network layer address
CN1957561B (en) * 2004-03-03 2012-03-21 法国电讯公司 Method and system for authenticating a user requesting access to a virtual network to allow use of a service item
CN1655504B (en) * 2005-02-21 2010-05-05 西安西电捷通无线网络通信有限公司 Port-based homologue access controlling method
US8176325B2 (en) 2005-02-21 2012-05-08 China Iwncomm Co., Ltd. Peer-to-peer access control method based on ports
US8335487B2 (en) 2005-04-30 2012-12-18 Huawei Technologies Co., Ltd. Method for authenticating user terminal in IP multimedia sub-system
CN100461942C (en) * 2005-05-27 2009-02-11 华为技术有限公司 Selection Method of Security Mechanism in Access Domain of IP Multimedia Subsystem
WO2006125359A1 (en) * 2005-05-27 2006-11-30 Huawei Technologies Co., Ltd. A method for implementing the access domain security of an ip multimedia subsystem
CN100438446C (en) * 2006-07-25 2008-11-26 杭州华三通信技术有限公司 Switch-in control equipment, Switch-in control system and switch-in control method
CN101299694B (en) * 2007-04-30 2012-04-25 华为技术有限公司 Method and system for visitor management in home network, and home gateway
CN102065067A (en) * 2009-11-11 2011-05-18 杭州华三通信技术有限公司 Method and device for preventing replay attack between portal server and client
CN102065067B (en) * 2009-11-11 2014-06-25 杭州华三通信技术有限公司 Method and device for preventing replay attack between portal server and client
CN101925065A (en) * 2010-08-05 2010-12-22 北京星网锐捷网络技术有限公司 Authentication method, device, system and wireless access point
CN102917354A (en) * 2011-08-03 2013-02-06 中兴通讯股份有限公司 Access method and system as well as mobile intelligent access point
CN102917354B (en) * 2011-08-03 2018-04-13 中兴通讯股份有限公司 A kind of cut-in method, system and intelligent movable access point
CN103297968A (en) * 2012-03-02 2013-09-11 华为技术有限公司 Wireless terminal identifying method, wireless terminal identifying device and wireless terminal identifying system
CN103297968B (en) * 2012-03-02 2017-12-29 华为技术有限公司 A kind of method, equipment and the system of wireless terminal certification
CN102740298A (en) * 2012-07-20 2012-10-17 北京傲天动联技术有限公司 Hybrid authentication method and wireless access controller
CN102740298B (en) * 2012-07-20 2016-02-24 北京华信傲天网络技术有限公司 Hybrid authentication method and Radio Access Controller
CN104113418A (en) * 2014-07-15 2014-10-22 浪潮通用软件有限公司 Rule-configuration-based compound identity authentication method in ERP (enterprise resource planning) system
CN107690140A (en) * 2016-08-04 2018-02-13 深圳市信锐网科技术有限公司 WAP authentication method, apparatus and system
CN107483456A (en) * 2017-08-25 2017-12-15 北京元心科技有限公司 Identity identifying method and device
CN115278660A (en) * 2021-04-29 2022-11-01 华为技术有限公司 Access authentication method, device and system
CN115278660B (en) * 2021-04-29 2025-08-01 华为技术有限公司 Access authentication method, device and system

Similar Documents

Publication Publication Date Title
CN1152333C (en) Method for realizing portal authentication based on protocols of authentication, charging and authorization
CN1293720C (en) Method and apparatus for initiating secure communication between wireless devices and dedicated pairing thereto
CN1416241A (en) Authentication method for supporting network switching in based on different devices at same time
JP4782139B2 (en) Method and system for transparently authenticating mobile users and accessing web services
EP2051432B1 (en) An authentication method, system, supplicant and authenticator
CN1265676C (en) Method for realizing roaming user to visit network inner service
US20080222714A1 (en) System and method for authentication upon network attachment
CN1756156A (en) Be used for coming at access to netwoks the equipment and the method for authenticated user in communication system
JP2009538478A5 (en)
CN1756148A (en) Mobile authentication for web access
CN1977514A (en) Authenticating users
CN1523811A (en) Method and system for authenticating a user for network access when the user is connected to the internet
EP1969761A1 (en) Wireless device authentication between different networks
CN105007579A (en) Wireless local area network access authentication method and terminal
CN103200159B (en) A kind of Network Access Method and equipment
EP3182672B1 (en) Result reporting for authentication, authorization and accounting protocols
CN1243434C (en) Method for implementing EAP authentication in remote authentication based network
CN1874226A (en) Terminal access method and system
US20090113522A1 (en) Method for Translating an Authentication Protocol
CN1756155A (en) Mobile authentication for web access
CN1595894A (en) A method for implementing access authentication of wireless local area network
CN1266910C (en) A method choosing 802.1X authentication mode
CN1309213C (en) Network access anthentication method for improving network management performance
CN103685201A (en) Method and system for WLAN user fixed network access
CN1790985A (en) Method for realizing synchronous identification between different identification control equipments

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20040317

Termination date: 20201016