CN103152332A - Method and equipment for authenticating extensible authentication protocol (EAP) with WEB service assistance - Google Patents

Publication number
CN103152332A
Authority
CN
China
Prior art keywords
eap
authentication
user terminal
web server
bng
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013100518302A
Other languages
Chinese (zh)
Other versions
CN103152332B (en)
Inventor
梁乾灯
石磊
王姝懿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201310051830.2A
Publication of CN103152332A
Application granted
Publication of CN103152332B

Abstract

The invention provides a method and equipment for Extensible Authentication Protocol (EAP) authentication with WEB service assistance. The method by which a broadband network gateway (BNG) performs EAP authentication comprises: learning from an authentication, authorization and accounting (AAA) server that EAP authentication of a user terminal has failed; judging whether the user terminal needs to be pushed to a WEB server; if so, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, redirecting the HTTP request to a WEB server that can eliminate the reason for the EAP authentication failure; and, after receiving from the WEB server a notification to continue EAP authentication, sending the EAP authentication request for the user terminal to the AAA server again. With the method and the equipment, existing online self-service is combined with EAP authentication.

Description

EAP authentication method and equipment with WEB service assistance
Technical field
The present invention relates to the field of Extensible Authentication Protocol (EAP) authentication, and in particular to an EAP authentication method and equipment with WEB service assistance.
Background
Extensible Authentication Protocol (EAP) is a widely used authentication mechanism, often used in wireless network or point-to-point connections. EAP can be used not only for wireless local area networks but also for wired local area networks. When invoked by network access equipment based on IEEE 802.1X (such as 802.11a/b/g wireless access points), modern EAP methods can provide a secure authentication mechanism. The IEEE 802.1X + EAP authentication methods mainly include EAP-SIM, EAP-AKA, EAP-PEAP, EAP-TLS and EAP-TTLS. When a user terminal is authenticated by EAP-SIM/EAP-AKA, whether the authentication, authorization and accounting (AAA) server finally authenticates it successfully also depends on the subscription information between the user terminal and the operator (for example, a contract user's contract period, or a prepaid user's service rental period and remaining traffic); factors such as an expired service contract or arrears cause the AAA server to fail authentication of the user terminal, and the user terminal cannot access the network. When a user terminal is authenticated by EAP-TLS/EAP-TTLS, the authentication method depends on the validity period of the digital certificate; if the user terminal's digital certificate is no longer valid, the AAA server fails authentication of the user terminal, and the user terminal cannot access the network normally. In this case, to continue AAA authentication, the user currently usually has to update the digital certificate or re-rent the service at the operator's agency, which is inefficient and degrades the user's service experience.
With the emergence of online self-service, users can handle many kinds of business over the network, such as online recharging and updating a digital certificate. If existing online self-service could be combined with EAP authentication, the efficiency of existing EAP authentication would improve, and so would the user's service experience.
Summary of the invention
The invention provides an EAP authentication method and equipment with WEB service assistance, to solve the technical problem of how to combine existing online self-service with EAP authentication.
To solve the above technical problem, the invention provides a method by which a broadband network gateway (BNG) performs Extensible Authentication Protocol (EAP) authentication, the method comprising:
Learning from the AAA server that EAP authentication of a user terminal has failed, and judging whether the user terminal needs to be pushed to the WEB server; if the user terminal needs to be pushed to the WEB server, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, redirecting the HTTP request to a WEB server that can eliminate the EAP authentication failure reason;
After receiving from the WEB server a notification to continue EAP authentication, sending the EAP authentication request for the user terminal to the AAA server again.
Further, judging whether the user terminal needs to be pushed to the WEB server comprises:
Judging whether the authentication failure reason belongs to the preset authentication failure reasons for which the user terminal needs to be pushed to the WEB server;
Or,
Judging whether an indication to push the user terminal to the WEB server has been received from the AAA server.
Further,
When the HTTP request is redirected to the WEB server that can eliminate the EAP authentication failure reason, the failure reason from the EAP authentication failure message is also carried.
To solve the above technical problem, the present invention also provides a method by which a WEB server assists Extensible Authentication Protocol (EAP) authentication, the method comprising:
Receiving the Hypertext Transfer Protocol (HTTP) request of the user terminal forwarded by the broadband network gateway (BNG);
Establishing a connection with the user terminal, and receiving the user terminal's self-service operation for eliminating the EAP authentication failure reason;
After the user terminal completes the operation that eliminates the EAP authentication failure reason, sending the BNG a notification indicating that EAP authentication should continue.
Further:
After receiving the HTTP request of the user terminal forwarded by the BNG, also judging whether the request carries an EAP authentication failure reason;
If the request carries an EAP authentication failure reason, pushing to the user, through the BNG, the web page used to eliminate that EAP authentication failure reason, and receiving the user terminal's self-service operation for eliminating the EAP authentication failure reason;
After the user terminal completes the operation that eliminates the EAP authentication failure reason, sending the BNG a notification indicating that EAP authentication should continue comprises: judging whether the operation completed by the user terminal is the operation that eliminates the EAP authentication failure reason carried in the HTTP request, and if so, sending the BNG the notification indicating that EAP authentication should continue.
To solve the above technical problem, the present invention also provides an Extensible Authentication Protocol (EAP) authentication method with WEB service assistance, the method comprising:
The broadband network gateway (BNG) performs EAP authentication using any one of the methods described above;
The WEB server assists EAP authentication using any one of the methods described above.
To solve the above technical problem, the present invention also provides a broadband network gateway (BNG) that performs Extensible Authentication Protocol (EAP) authentication, the BNG comprising an EAP authentication module and a WEB redirection module, wherein:
The EAP authentication module is used to send the EAP authentication request for the user terminal to the AAA server, to receive the user terminal's EAP authentication result from the AAA server, and to notify the WEB redirection module of the authentication result;
The WEB redirection module is used, after learning that the authentication result is a user terminal EAP authentication failure message, to judge whether the user terminal needs to be pushed to the WEB server; if the user terminal needs to be pushed to the WEB server, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, to redirect the HTTP request to a WEB server that can eliminate the EAP authentication failure reason; and, after receiving from the WEB server a notification to continue EAP authentication, to notify the EAP authentication module to send the EAP authentication request for the user terminal to the AAA server again.
Further,
The WEB redirection module being used to judge whether the user terminal needs to be pushed to the WEB server comprises:
The WEB redirection module judges whether the authentication failure reason belongs to the preset authentication failure reasons for which the user terminal needs to be pushed to the WEB server; or judges whether an indication to push the user terminal to the WEB server has been received from the AAA server.
Further,
The WEB redirection module is also used, when redirecting the HTTP request to the WEB server that can eliminate the EAP authentication failure reason, to carry the failure reason from the EAP authentication failure message.
To solve the above technical problem, the present invention also provides a WEB server that assists Extensible Authentication Protocol (EAP) authentication, the WEB server comprising an authentication indication module and a network connection establishment module, wherein:
The network connection establishment module is used to receive the Hypertext Transfer Protocol (HTTP) request of the user terminal forwarded by the broadband network gateway (BNG), and to establish a connection with the user terminal;
The authentication indication module is used to receive, over the established connection, the user terminal's self-service operation for eliminating the EAP authentication failure reason, and, after the user terminal completes the operation that eliminates the EAP authentication failure reason, to send the BNG a notification indicating that EAP authentication should continue.
Further,
The network connection establishment module is also used, after receiving the HTTP request of the user terminal forwarded by the BNG, to judge whether the request carries an EAP authentication failure reason, and if it does, to push to the user, through the BNG, the web page used to eliminate that EAP authentication failure reason;
The authentication indication module is used to receive the self-service operation for eliminating the EAP authentication failure reason that the user terminal performs through the web page. After the user terminal completes the operation that eliminates the EAP authentication failure reason, sending the BNG a notification indicating that EAP authentication should continue comprises: judging whether the operation completed by the user terminal is the operation that eliminates the EAP authentication failure reason carried in the HTTP request, and if so, sending the BNG the notification indicating that EAP authentication should continue.
To solve the above technical problem, the present invention also provides an Extensible Authentication Protocol (EAP) authentication system with WEB service assistance, the system comprising a broadband network gateway (BNG) and a WEB server, wherein:
The BNG is any one of the BNGs described above;
The WEB server is any one of the WEB servers described above.
With the above technical scheme, after the AAA server's authentication of the user terminal fails, the user does not need to go in person to the operator's agency to eliminate the authentication failure reason. The BNG can push the user directly to the relevant WEB server, and online self-service helps the user eliminate the authentication failure reason over the network, which effectively improves the efficiency of existing EAP authentication and the user's service experience.
Description of drawings
Fig. 1 is a flow chart of the method by which the BNG of the present embodiment performs EAP authentication;
Fig. 2 is a flow chart of the method by which the WEB server of the present embodiment assists EAP authentication;
Fig. 3 is the network topology diagram for the first and second application examples;
Fig. 4 is a module composition diagram of the BNG of the present embodiment;
Fig. 5 is a module composition diagram of the WEB server of the present embodiment.
Embodiments
To make the purpose, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments can be combined with one another arbitrarily.
Fig. 1 is a flow chart of the method by which the BNG of the present embodiment performs EAP authentication.
S101: send the EAP authentication request for the user terminal to the AAA server;
S102: receive the user terminal EAP authentication failure message from the AAA server;
S103: judge whether the user terminal needs to be pushed to the WEB server; if so, execute step S104; otherwise, execute step S107;
The BNG can judge whether the authentication failure reason belongs to the preset authentication failure reasons for which the user terminal needs to be pushed to the WEB server; if it does, the user terminal needs to be pushed to the WEB server;
Or,
The BNG judges whether an indication to push the user terminal to the WEB server has been received from the AAA server; if the indication from the AAA server has been received, the user terminal needs to be pushed to the WEB server;
The authentication failure reasons for which the user terminal needs to be pushed to the WEB server generally include: authentication failure caused by arrears, authentication failure caused by expiry of the service rental period, authentication failure caused by expiry of the user terminal's digital certificate, and so on; besides these enumerated reasons, any authentication failure reason that the user can eliminate through online self-service is also included;
S104: judge whether an HTTP request has been received from the user terminal; if an HTTP request has been received, execute step S105; otherwise, execute step S107;
S105: redirect the HTTP request to the WEB server that can eliminate the EAP authentication failure reason;
The WEB server that can eliminate the EAP authentication failure reason can be the server hosting the portal website of the service in use; this server can include a web page explaining the authentication failure reason and a web page prompting the user terminal to perform the self-service operation that eliminates the failure reason;
S106: receive from the WEB server the notification to continue EAP authentication, and send the EAP authentication request for the user terminal to the AAA server again;
S107: the flow ends.
In the above embodiment, after receiving the user terminal EAP authentication failure message from the AAA server, the BNG can also first judge whether the authentication failure message carries a failure reason. If it does, then when the HTTP request sent by the user terminal is redirected to the WEB server that can eliminate the EAP authentication failure reason, the failure reason can be carried in the HTTP request sent to the WEB server. This helps the WEB server quickly locate the web page that prompts the user terminal to perform the self-service operation for this failure reason, improving the WEB server's response speed and the user experience.
Fig. 2 is a flow chart of the method by which the WEB server of the present embodiment assists EAP authentication.
S201: receive the Hypertext Transfer Protocol (HTTP) request of the user terminal forwarded by the BNG;
After receiving the HTTP request of the user terminal forwarded by the BNG, the WEB server can also first judge whether the request carries an EAP authentication failure reason; if it does, the WEB server can locate the web page used to eliminate that failure reason according to the authentication failure reason;
S202: establish a connection with the user terminal, and receive the user terminal's self-service operation for eliminating the EAP authentication failure reason;
S203: after the user terminal completes the operation that eliminates the EAP authentication failure reason, send the BNG a notification indicating that EAP authentication should continue.
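The Fig. 1 and Fig. 2 flows (S101 to S107 and S201 to S203) as a small simulation, added here as an illustration and not part of the patent text. It shows the BNG carrying the failure reason in the redirect and the WEB server notifying the BNG only when the completed self-service operation removes the carried reason. The reason codes, portal URL, query parameter names, class and operation names, and the rule that the BNG ignores a continue notification for a terminal it never pushed, are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

class Reason(Enum):
    """Hypothetical reason codes; the page names the reasons, not codes."""
    ARREARS = "arrears"
    CONTRACT_EXPIRED = "contract_expired"
    CERT_EXPIRED = "cert_expired"
    BAD_CREDENTIALS = "bad_credentials"  # not removable by self-service

# S103, first alternative: preset reasons for which the terminal is pushed.
PUSH_REASONS = {Reason.ARREARS, Reason.CONTRACT_EXPIRED, Reason.CERT_EXPIRED}
PORTAL = "https://portal.example.net/selfservice"  # placeholder URL
# Self-service operation -> failure reason it removes (hypothetical names).
REMEDY = {"recharge": Reason.ARREARS, "renew_contract": Reason.CONTRACT_EXPIRED,
          "renew_cert": Reason.CERT_EXPIRED}
PAGE = {reason: f"/selfservice/{op}" for op, reason in REMEDY.items()}

@dataclass
class AAAResult:
    success: bool
    reason: Optional[Reason] = None
    push_indication: bool = False  # S103, second alternative

class AAA:
    """Toy AAA server: rejects a terminal while a blocking reason is recorded."""
    def __init__(self) -> None:
        self.blocked: Dict[str, Reason] = {}

    def authenticate(self, terminal: str) -> AAAResult:
        reason = self.blocked.get(terminal)
        return AAAResult(success=reason is None, reason=reason)

class BNG:
    def __init__(self, aaa: AAA) -> None:
        self.aaa = aaa
        self.pending: Dict[str, Optional[Reason]] = {}  # awaiting self-service

    def eap_authenticate(self, terminal: str) -> str:
        result = self.aaa.authenticate(terminal)             # S101, S102
        if result.success:
            self.pending.pop(terminal, None)
            return "success"
        if result.push_indication or result.reason in PUSH_REASONS:  # S103
            self.pending[terminal] = result.reason
            return "fail-push"
        return "fail"

    def on_http_request(self, terminal: str) -> Optional[str]:
        if terminal not in self.pending:                     # not pushed: S107
            return None
        query = {"terminal": terminal}
        if self.pending[terminal] is not None:               # carry the reason
            query["reason"] = self.pending[terminal].value
        return f"{PORTAL}?{urlencode(query)}"                # S105

    def on_continue_notice(self, terminal: str) -> str:
        # Assumption: a notice for a terminal that was never pushed is ignored.
        if terminal not in self.pending:
            return "ignored"
        return self.eap_authenticate(terminal)               # S106

class WebServer:
    def __init__(self, bng: BNG, aaa: AAA) -> None:
        self.bng, self.aaa = bng, aaa
        self.carried: Dict[str, Optional[Reason]] = {}

    def on_redirected_request(self, url: str) -> str:
        query = parse_qs(urlparse(url).query)                # S201
        terminal = query["terminal"][0]
        try:
            reason = Reason(query["reason"][0])
        except (KeyError, ValueError):                       # absent or unknown
            reason = None
        self.carried[terminal] = reason
        return PAGE.get(reason, "/selfservice/index")        # page to push

    def on_self_service(self, terminal: str, operation: str) -> str:
        removed = REMEDY[operation]                          # S202
        if self.aaa.blocked.get(terminal) is removed:
            del self.aaa.blocked[terminal]  # stands in for the billing back end
        carried = self.carried.get(terminal)
        if carried is not None and removed is not carried:
            return "no-notice"              # operation does not match the reason
        return self.bng.on_continue_notice(terminal)         # S203

def run_demo() -> list:
    """Constructed scenario: terminal 'ue-1' fails EAP because of arrears."""
    aaa = AAA()
    bng = BNG(aaa)
    web = WebServer(bng, aaa)
    aaa.blocked["ue-1"] = Reason.ARREARS
    steps = [bng.eap_authenticate("ue-1")]
    url = bng.on_http_request("ue-1")
    steps += [url, web.on_redirected_request(url),
              web.on_self_service("ue-1", "renew_contract"),
              web.on_self_service("ue-1", "recharge")]
    return steps

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```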
The present invention also provides an embodiment of an Extensible Authentication Protocol (EAP) authentication method with WEB service assistance. This embodiment involves a broadband network gateway (BNG) and a WEB server, wherein the BNG performs EAP authentication using the method described above and the WEB server likewise performs EAP authentication using the method described above; the details are not repeated here.
Two application examples are used below to further explain the embodiment of the EAP authentication method with WEB service assistance.
Application example 1: common radio access scenario; the network topology is shown in Fig. 3.
In this application example, the AN can be a front-end access network formed by DSLAM+SW, but is not limited to DSLAM+SW.
In this application example, EAP authentication fails because the end user is in arrears.
Step 1: the BNG receives, via the AN network, the EAPoL-Start message initiated by the user terminal;
If the user terminal supports EAPoL v3 or later, it can use the extended TLV options in the EAPoL-Start-Announcement message to notify the BNG of service capabilities such as whether it supports the forced WEB push service on authentication failure, whether the BNG is allowed to obtain an IP address through DHCP, and whether its own address is a static IP address, so that the BNG can apply the relevant policy;
The BNG can also by default apply the forced WEB push service to the user terminal on authentication failure; or, after receiving the authentication failure result from the AAA server, judge whether the result carries an indication to apply the forced WEB push service to the user terminal, and if the indication is received, apply the forced WEB push service to the user terminal;
Step 2: on receiving the EAPoL-Start message, the BNG begins to create the EAPoL user session; the BNG sends an EAPoL-EAP-Request-Identity message to the user terminal via the AN network to obtain its identity information;
Step 3: the BNG obtains, via the AN network, the EAPoL-EAP-Response-Identity sent by the user terminal;
Step 4: the BNG encapsulates the EAPoL-EAP-Response-Identity message in an authentication request message (such as the Access-Request message of the RADIUS protocol) and sends this authentication request message to the authentication server AAA;
Step 5: the AAA server and the user terminal negotiate the concrete authentication method (such as EAP-PEAP, EAP-SIM, EAP-AKA, EAP-TLS or EAP-TTLS), and the client is authenticated according to the negotiated method; at the same time, the AAA server also works with the HLR to check the user's subscription information and service characteristics and judges whether this user terminal is legitimate; if the AAA server judges the user terminal to be legitimate and EAP authentication of the user terminal succeeds, go to step 14; otherwise, go to step 6;
Step 6: the AAA server returns to the BNG an authentication failure message indicating that the user is in arrears, and the BNG returns this failure message to the user terminal; at the same time, the BNG determines that the forced WEB push service needs to be applied to the user terminal;
Step 7: the BNG and the user terminal exchange DHCP messages to obtain the IP address of the user terminal; the correspondence between the IP address and the operator's portal website is set;
Step 8: the BNG receives an HTTP request from that IP address (this HTTP request includes information indicating that the user is in arrears) and, according to the correspondence that was set, redirects this HTTP request to the WEB server hosting the operator's portal website;
Step 9: the WEB server locates the user recharge web page according to the user's arrears information;
Step 10: the BNG establishes a TCP connection between the user terminal and this WEB server; the WEB server pushes the user recharge web page to the user terminal through the BNG, interacts with the user terminal through that web page, and receives the user terminal's self-service recharge operation;
Step 11: after the user terminal performs the recharge operation, the WEB server informs the BNG, by means of an extended portal protocol authentication request packet, to continue the EAP authentication session for the user;
Step 12: the BNG sends an EAPoL-EAP-Request-Identity message to the user terminal, again triggering the EAP authentication exchange between the user terminal and the AAA server;
Step 13: the AAA server sends the user terminal EAP authentication success message to the BNG;
Step 14: the flow ends.
Application example 2: wireless access scenario.
In this application example, the AN can be a front-end access network formed by AP-FAT, or a front-end access network with AP-FIT+AC networking.
In this application example, user authentication fails because the end user's service contract has expired.
Step 1: the BNG receives, via the AP, the EAPoL-Start message initiated by the user terminal;
Step 2: on receiving the EAPoL-Start message forwarded by the AP, the BNG creates the EAP session and sends an EAPoL-EAP-Request-Identity message to the user terminal to obtain its identity information;
Step 3: the BNG obtains, via the AP, the EAPoL-EAP-Response-Identity sent by the user terminal;
Step 4: the BNG encapsulates the EAPoL-EAP-Response-Identity message in an authentication request message (such as the Access-Request message of the RADIUS protocol) and sends this authentication request message to the authentication server AAA;
Step 5: the AAA server and the user terminal negotiate the concrete authentication method (EAP-PEAP, EAP-SIM, EAP-AKA, EAP-TLS or EAP-TTLS), and the client is authenticated according to the negotiated method; at the same time, the AAA server also works with the HLR to check the user's subscription information and service characteristics, judges whether this user terminal is legitimate, and obtains the PMK; if the AAA server judges the user terminal to be legitimate and EAP authentication of the user terminal succeeds, go to step 14; otherwise, go to step 6;
Step 6: the AAA server returns to the BNG an authentication failure message indicating that the user's service contract has expired, and the BNG returns this failure message to the user terminal; at the same time, the BNG determines that the forced WEB push service needs to be applied to the user terminal;
The indication that the user's service contract has expired is carried in the EAPoL-Announcement message, or directly in an extended TLV option of the EAPoL-EAP-Fail message;
After receiving the EAPoL-Announcement or EAPoL-EAP-Fail message, if the user terminal needs to continue interacting with the AP, it keeps the PMK learned during the EAP authentication phase and continues key negotiation with the AP, so that in a WPA/WPA2 air-interface encryption environment the AP can normally forward the user terminal's DHCP messages and other service messages, ensuring the security of packets forwarded over the air interface;
Step 7: the BNG and the user terminal exchange DHCP messages to obtain the IP address of the user terminal; the correspondence between the IP address and the operator's portal website is set;
Step 8: the BNG receives an HTTP request from that IP address (this HTTP request includes information indicating that the user is in arrears) and, according to the correspondence that was set, redirects this HTTP request to the WEB server hosting the operator's portal website;
Step 9: the WEB server locates the service re-rental web page according to the indication that the user's service contract has expired;
Step 10: the BNG establishes a TCP connection between the user terminal and this WEB server; the WEB server pushes the service re-rental web page to the user terminal through the BNG, interacts with the user terminal through that web page, and receives the user terminal's self-service re-rental operation;
Step 11: after the user terminal performs the re-rental operation, the WEB server informs the BNG, by means of an extended portal protocol authentication request packet, to perform the EAP authentication session for the user again;
Step 12: the BNG sends an EAPoL-EAP-Request-Identity message to the user terminal, again triggering the EAP authentication exchange between the user terminal and the AAA server;
Step 13: the AAA server sends the user terminal EAP authentication success message to the BNG;
Step 14: the flow ends.
Fig. 4 is a module composition diagram of the BNG of the present embodiment.
This BNG comprises an EAP authentication module and a WEB redirection module, wherein:
The EAP authentication module is used to send the EAP authentication request for the user terminal to the AAA server, to receive the user terminal's EAP authentication result from the AAA server, and to notify the WEB redirection module of the authentication result;
The WEB redirection module is used, after learning that the authentication result is a user terminal EAP authentication failure message, to judge whether the user terminal needs to be pushed to the WEB server; if the user terminal needs to be pushed to the WEB server, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, to redirect the HTTP request to a WEB server that can eliminate the EAP authentication failure reason; and, after receiving from the WEB server a notification to continue EAP authentication, to notify the EAP authentication module to send the EAP authentication request for the user terminal to the AAA server again;
The WEB redirection module being used to judge whether the user terminal needs to be pushed to the WEB server comprises: judging whether the authentication failure reason belongs to the preset authentication failure reasons for which the user terminal needs to be pushed to the WEB server, and if it does, the user terminal needs to be pushed to the WEB server; or judging whether an indication to push the user terminal to the WEB server has been received from the AAA server, and if the indication from the AAA server has been received, the user terminal needs to be pushed to the WEB server;
The WEB redirection module is also used, when redirecting the HTTP request to the WEB server that can eliminate the EAP authentication failure reason, to carry the failure reason from the EAP authentication failure message. This helps the WEB server quickly locate the web page that prompts the user terminal to perform the self-service operation for this failure reason, improving the WEB server's response speed and the user experience.
Fig. 5 is a module composition diagram of the WEB server of the present embodiment.
This WEB server comprises an authentication indication module and a network connection establishment module, wherein:
The network connection establishment module is used to receive the Hypertext Transfer Protocol (HTTP) request of the user terminal forwarded by the broadband network gateway (BNG), and to establish a connection with the user terminal;
The authentication indication module is used to receive, over the established connection, the user terminal's self-service operation for eliminating the EAP authentication failure reason, and, after the user terminal completes the operation that eliminates the EAP authentication failure reason, to send the BNG a notification indicating that EAP authentication should continue.
The network connection establishment module can also, after receiving the HTTP request of the user terminal forwarded by the BNG, judge whether the request carries an EAP authentication failure reason, and if it does, push to the user, through the BNG, the web page used to eliminate that EAP authentication failure reason;
The authentication indication module is used to receive the self-service operation for eliminating the EAP authentication failure reason that the user terminal performs through the web page. After the user terminal completes the operation that eliminates the EAP authentication failure reason, sending the BNG a notification indicating that EAP authentication should continue comprises: judging whether the operation completed by the user terminal is the operation that eliminates the EAP authentication failure reason carried in the HTTP request, and if so, sending the BNG the notification indicating that EAP authentication should continue.
The present invention also provides an embodiment of an Extensible Authentication Protocol (EAP) authentication system with WEB service assistance. This embodiment involves a broadband network gateway (BNG) and a WEB server, wherein the BNG is a BNG composed of the modules described above and the WEB server is a WEB server composed of the modules described above; the details are not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps in the above method can be completed by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or part of the steps of the above embodiments can also be implemented with one or more integrated circuits; correspondingly, each module or unit in the above embodiments can be implemented in the form of hardware or in the form of a software function module. The present invention is not restricted to any particular combination of hardware and software.
It should be noted that the present invention can also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art can make various corresponding changes and variations according to the present invention, but all such changes and variations fall within the protection scope of the appended claims of the present invention.

Claims (12)

1. A method for a broadband network gateway (BNG) to perform Extensible Authentication Protocol (EAP) authentication, characterized in that the method comprises:
learning from an AAA server that EAP authentication of a user terminal has failed, and determining whether the user terminal needs to be pushed to a WEB server; if the user terminal needs to be pushed to the WEB server, then after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, redirecting the HTTP request to a WEB server that can eliminate the EAP authentication failure reason;
after receiving from the WEB server a notification that EAP authentication is to continue, sending the EAP authentication request for the user terminal to the AAA server again.
2. The method of claim 1, characterized in that:
determining whether the user terminal needs to be pushed to the WEB server further comprises:
determining whether the authentication failure reason is one of the preset authentication failure reasons for which the user terminal needs to be pushed to the WEB server;
or,
determining whether an indication, sent by the AAA server, to push the user terminal to the WEB server has been received.
3. The method of claim 1, characterized in that:
when the HTTP request is redirected to the WEB server that can eliminate the EAP authentication failure reason, the failure reason in the EAP authentication failure message is also carried.
4. A method for a WEB server to assist Extensible Authentication Protocol (EAP) authentication, characterized in that the method comprises:
receiving a Hypertext Transfer Protocol (HTTP) request of a user terminal forwarded by a broadband network gateway (BNG);
establishing a connection with the user terminal, and receiving the self-service operation by which the user terminal eliminates the EAP authentication failure reason;
after the user terminal completes the operation eliminating the EAP authentication failure reason, sending the BNG a notification indicating that EAP authentication is to continue.
5. The method of claim 4, characterized in that:
after receiving the HTTP request of the user terminal forwarded by the BNG, it is also determined whether the request carries an EAP authentication failure reason;
if the request carries an EAP authentication failure reason, a web page for eliminating that EAP authentication failure reason is pushed to the user through the BNG, and the self-service operation by which the user terminal eliminates the EAP authentication failure reason is received;
after the user terminal completes the operation eliminating the EAP authentication failure reason, sending the BNG the notification indicating that EAP authentication is to continue comprises: determining whether the operation completed by the user terminal is the one that eliminates the EAP authentication failure reason carried in the HTTP request and, if so, sending the BNG the notification indicating that EAP authentication is to continue.
6. A method for Extensible Authentication Protocol (EAP) authentication with WEB service assistance, characterized in that the method comprises:
a broadband network gateway (BNG) performing EAP authentication using the method of any one of claims 1 to 3;
a WEB server assisting EAP authentication using the method of claim 4 or 5.
7. A broadband network gateway (BNG) that performs Extensible Authentication Protocol (EAP) authentication, characterized in that the BNG comprises an EAP authentication module and a WEB redirection module, wherein:
the EAP authentication module is configured to send an EAP authentication request for a user terminal to an AAA server, to receive the EAP authentication result for the user terminal from the AAA server, and to notify the WEB redirection module of the authentication result;
the WEB redirection module is configured, after learning that the authentication result is an EAP authentication failure message for the user terminal, to determine whether the user terminal needs to be pushed to a WEB server and, if the user terminal needs to be pushed to the WEB server, then after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, to redirect the HTTP request to a WEB server that can eliminate the EAP authentication failure reason; and, after receiving from the WEB server a notification that EAP authentication is to continue, to notify the EAP authentication module to send the EAP authentication request for the user terminal to the AAA server again.
8. The BNG of claim 7, characterized in that:
the WEB redirection module being configured to determine whether the user terminal needs to be pushed to the WEB server comprises:
the WEB redirection module determining whether the authentication failure reason is one of the preset authentication failure reasons for which the user terminal needs to be pushed to the WEB server; or determining whether an indication, sent by the AAA server, to push the user terminal to the WEB server has been received.
9. The BNG of claim 7 or 8, characterized in that:
the WEB redirection module is further configured, when redirecting the HTTP request to the WEB server that can eliminate the EAP authentication failure reason, to carry the failure reason in the EAP authentication failure message.
10. A WEB server that assists Extensible Authentication Protocol (EAP) authentication, characterized in that the WEB server comprises an authentication indication module and a network connection establishment module, wherein:
the network connection establishment module is configured to receive a Hypertext Transfer Protocol (HTTP) request of a user terminal forwarded by a broadband network gateway (BNG), and to establish a connection with the user terminal;
the authentication indication module is configured to receive, over the established connection, the self-service operation by which the user terminal eliminates the EAP authentication failure reason; and, after the user terminal completes the operation eliminating the EAP authentication failure reason, to send the BNG a notification indicating that EAP authentication is to continue.
11. The WEB server of claim 10, characterized in that:
the network connection establishment module is further configured, after receiving the HTTP request of the user terminal forwarded by the BNG, to determine whether the request carries an EAP authentication failure reason and, if the request carries an EAP authentication failure reason, to push a web page for eliminating that EAP authentication failure reason to the user through the BNG;
the authentication indication module is configured to receive the self-service operation, performed by the user terminal through the web page, that eliminates the EAP authentication failure reason; and, after the user terminal completes the operation eliminating the EAP authentication failure reason, to send the BNG a notification indicating that EAP authentication is to continue, which comprises: determining whether the operation completed by the user terminal is the one that eliminates the EAP authentication failure reason carried in the HTTP request and, if so, sending the BNG the notification indicating that EAP authentication is to continue.
12. A system for Extensible Authentication Protocol (EAP) authentication with WEB service assistance, characterized in that the system comprises a broadband network gateway (BNG) and a WEB server, wherein:
the BNG is the BNG of any one of claims 7 to 9;
the WEB server is the WEB server of any one of claims 10 to 11.
CN201310051830.2A 2013-02-17 2013-02-17 A kind of EAP authentication method and apparatus under WEB service assistance Active CN103152332B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310051830.2A CN103152332B (en) 2013-02-17 2013-02-17 A kind of EAP authentication method and apparatus under WEB service assistance

Publications (2)

Publication Number Publication Date
CN103152332A true CN103152332A (en) 2013-06-12
CN103152332B CN103152332B (en) 2018-02-16

Family

ID=48550195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310051830.2A Active CN103152332B (en) 2013-02-17 2013-02-17 A kind of EAP authentication method and apparatus under WEB service assistance

Country Status (1)

Country Link
CN (1) CN103152332B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant