CN103152332B - EAP authentication method and device assisted by a WEB service - Google Patents


Info

Publication number
CN103152332B
Authority
CN
China
Prior art keywords
eap
authentication
user terminal
bng
web server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310051830.2A
Other languages
Chinese (zh)
Other versions
CN103152332A (en)
Inventor
梁乾灯
石磊
王姝懿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201310051830.2A
Publication of CN103152332A
Application granted
Publication of CN103152332B
Legal status: Active
Anticipated expiration

Landscapes

  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides an EAP authentication method and device assisted by a WEB service. The method by which a BNG performs EAP authentication includes: learning from the AAA server that EAP authentication of a user terminal has failed; judging whether the user terminal needs to be pushed to a WEB server; if it does, after receiving an HTTP request from the user terminal, redirecting the HTTP request to a WEB server that can eliminate the cause of the EAP authentication failure; and, after receiving from the WEB server a notification to continue EAP authentication, sending the EAP authentication request for the user terminal to the AAA server again. The invention combines existing online self-service with EAP authentication.

Description

EAP authentication method and device assisted by a WEB service
Technical field
The present invention relates to the field of Extensible Authentication Protocol (EAP) authentication, and in particular to an EAP authentication method and device assisted by a WEB service.
Background
The Extensible Authentication Protocol (EAP) is a widely used authentication mechanism, commonly used on wireless networks and point-to-point connections. EAP can be used on wired LANs as well as wireless LANs. When EAP is invoked by a network access device based on IEEE 802.1X (such as an 802.11a/b/g wireless access point), modern EAP methods can provide a secure authentication mechanism. The IEEE 802.1X + EAP authentication methods mainly include EAP-SIM, EAP-AKA, EAP-PEAP, EAP-TLS and EAP-TTLS. When a user terminal is authenticated with EAP-SIM/EAP-AKA, whether the Authentication, Authorization and Accounting (AAA) server finally authenticates it successfully also depends on the subscription information between the user terminal and the operator (such as the contract period of a contract user, or the rental period and remaining traffic of a prepaid user); factors such as an expired service contract or a user in arrears can cause the AAA server to fail the authentication of the user terminal, so that the user terminal cannot access the network. When a user terminal is authenticated with EAP-TLS/EAP-TTLS, the authentication method depends on the validity period of the digital certificate: if the user terminal's digital certificate is no longer valid, the AAA server fails the authentication of the user terminal, and the user terminal cannot access the network normally. In these cases, for AAA authentication to continue, the user currently usually has to go to an agent of the operator to update the digital certificate or renew the service; this is inefficient and harms the user's service experience.
With the emergence of online self-service, users can handle many kinds of business over the network, such as recharging online or updating a digital certificate. If existing online self-service could be combined with EAP authentication, the efficiency of existing EAP authentication would improve, and so would the user's service experience.
Summary of the invention
The invention provides an EAP authentication method and device assisted by a WEB service, to solve the technical problem of how to combine existing online self-service with EAP authentication.
To solve the above technical problem, the invention provides a method by which a Broadband Network Gateway (BNG) performs Extensible Authentication Protocol (EAP) authentication, the method including:
learning from the AAA server that EAP authentication of a user terminal has failed, and judging whether the user terminal needs to be pushed to a WEB server; if it does, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, redirecting the HTTP request to a WEB server that can eliminate the cause of the EAP authentication failure;
after receiving from the WEB server a notification to continue EAP authentication, sending the EAP authentication request for the user terminal to the AAA server again.
Further, judging whether the user terminal needs to be pushed to a WEB server includes:
judging whether the cause of the authentication failure belongs to the preset authentication failure causes for which the user terminal needs to be pushed to a WEB server;
or,
judging whether an instruction to push the user terminal to a WEB server has been received from the AAA server.
Further,
when the HTTP request is redirected to the WEB server that can eliminate the cause of the EAP authentication failure, the failure cause from the EAP authentication failure message is also carried.
To solve the above technical problem, the invention also provides a method by which a WEB server assists Extensible Authentication Protocol (EAP) authentication, the method including:
receiving the Hypertext Transfer Protocol (HTTP) request of a user terminal forwarded by a Broadband Network Gateway (BNG);
establishing a connection with the user terminal, and receiving the self-service operation by which the user terminal eliminates the cause of the EAP authentication failure;
after the user terminal completes the operation that eliminates the cause of the EAP authentication failure, sending the BNG a notification instructing it to continue EAP authentication.
Further:
after receiving the HTTP request of the user terminal forwarded by the BNG, also judging whether the request carries an EAP authentication failure cause;
if the request carries an EAP authentication failure cause, pushing to the user, through the BNG, the web page for eliminating that EAP authentication failure cause, and receiving the self-service operation by which the user terminal eliminates the cause of the EAP authentication failure;
after the user terminal completes the operation that eliminates the cause of the EAP authentication failure, sending the BNG a notification instructing it to continue EAP authentication, including: judging whether the operation completed by the user terminal is the operation that eliminates the EAP authentication failure cause carried in the HTTP request, and if it is, sending the BNG the notification instructing it to continue EAP authentication.
To solve the above technical problem, the invention also provides an Extensible Authentication Protocol (EAP) authentication method assisted by a WEB service, the method including:
the Broadband Network Gateway (BNG) performing EAP authentication using any one of the methods described above;
the WEB server assisting EAP authentication using any one of the methods described above.
To solve the above technical problem, the invention also provides a Broadband Network Gateway (BNG) that performs Extensible Authentication Protocol (EAP) authentication. The BNG includes an EAP authentication module and a WEB redirection module, wherein:
the EAP authentication module is configured to send the EAP authentication request for the user terminal to the AAA server, receive the EAP authentication result for the user terminal from the AAA server, and notify the WEB redirection module of the authentication result;
the WEB redirection module is configured to, after learning that the authentication result is an EAP authentication failure message for the user terminal, judge whether the user terminal needs to be pushed to a WEB server; if it does, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, redirect the HTTP request to a WEB server that can eliminate the cause of the EAP authentication failure; and, after receiving from the WEB server the notification to continue EAP authentication, notify the EAP authentication module to send the EAP authentication request for the user terminal to the AAA server again.
Further,
the WEB redirection module being configured to judge whether the user terminal needs to be pushed to a WEB server includes:
the WEB redirection module judging whether the cause of the authentication failure belongs to the preset authentication failure causes for which the user terminal needs to be pushed to a WEB server; or judging whether an instruction to push the user terminal to a WEB server has been received from the AAA server.
Further,
the WEB redirection module is also configured to carry the failure cause from the EAP authentication failure message when redirecting the HTTP request to the WEB server that can eliminate the cause of the EAP authentication failure.
To solve the above technical problem, the invention also provides a WEB server that assists Extensible Authentication Protocol (EAP) authentication. The WEB server includes an authentication indication module and a network connection establishment module, wherein:
the network connection establishment module is configured to receive the Hypertext Transfer Protocol (HTTP) request of a user terminal forwarded by a Broadband Network Gateway (BNG), and to establish a connection with the user terminal;
the authentication indication module is configured to receive, over the established connection, the self-service operation by which the user terminal eliminates the cause of the EAP authentication failure, and, after the user terminal completes that operation, to send the BNG a notification instructing it to continue EAP authentication.
Further,
the network connection establishment module is also configured to judge, after receiving the HTTP request of the user terminal forwarded by the BNG, whether the request carries an EAP authentication failure cause, and, if it does, to push to the user, through the BNG, the web page for eliminating that EAP authentication failure cause;
the authentication indication module is configured to receive the self-service operation, carried out by the user terminal through the web page, that eliminates the cause of the EAP authentication failure; and, after the user terminal completes that operation, to send the BNG a notification instructing it to continue EAP authentication, including: judging whether the operation completed by the user terminal is the operation that eliminates the EAP authentication failure cause carried in the HTTP request, and if it is, sending the BNG the notification instructing it to continue EAP authentication.
To solve the above technical problem, the invention also provides a system for Extensible Authentication Protocol (EAP) authentication assisted by a WEB service. The system includes a Broadband Network Gateway (BNG) and a WEB server, wherein:
the BNG is any one of the BNGs described above;
the WEB server is any one of the WEB servers described above.
With the above technical solution, after the AAA server's authentication of a user terminal fails, the user does not need to go in person to an agent of the operator to eliminate the cause of the authentication failure. The BNG can push the user directly to the relevant WEB server, and online self-service helps the user eliminate the cause of the authentication failure over the network. This effectively improves the efficiency of existing EAP authentication and improves the user's service experience.
Brief description of the drawings
Fig. 1 is a flowchart of the method by which the BNG of this embodiment performs EAP authentication;
Fig. 2 is a flowchart of the method by which the WEB server of this embodiment assists EAP authentication;
Fig. 3 is the network topology diagram of the first application example and the second application example;
Fig. 4 is a module composition diagram of the BNG of this embodiment;
Fig. 5 is a module composition diagram of the WEB server of this embodiment.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the invention clearer, embodiments of the invention are described in detail below with reference to the drawings. Note that, where they do not conflict, the embodiments in this application and the features in the embodiments may be combined with one another.
Fig. 1 is a flowchart of the method by which the BNG of this embodiment performs EAP authentication.
S101: The BNG sends the EAP authentication request for the user terminal to the AAA server;
S102: The BNG receives the EAP authentication failure message for the user terminal from the AAA server;
S103: The BNG judges whether the user terminal needs to be pushed to a WEB server; if it does, step S104 is performed; otherwise, step S107 is performed;
The BNG can judge whether the cause of the authentication failure belongs to the preset authentication failure causes for which the user terminal needs to be pushed to a WEB server; if it does, the user terminal needs to be pushed to a WEB server;
or,
the BNG judges whether an instruction to push the user terminal to a WEB server has been received from the AAA server; if the instruction from the AAA server has been received, the user terminal needs to be pushed to a WEB server;
The authentication failure causes for which the user terminal needs to be pushed to a WEB server may typically include: authentication failure caused by arrears, authentication failure caused by an expired service rental period, authentication failure caused by an expired user terminal digital certificate, and so on; besides the causes listed here, the cause may be any authentication failure cause that the user can eliminate through online self-service;
S104: The BNG judges whether an HTTP request from the user terminal has been received; if an HTTP request has been received, step S105 is performed; otherwise, step S107 is performed;
S105: The BNG redirects the HTTP request to the WEB server that can eliminate the cause of the EAP authentication failure;
The WEB server that can eliminate the cause of the EAP authentication failure may be the server hosting the service portal website; the server may include a web page that explains the cause of the authentication failure and a web page that prompts the user terminal to carry out the self-service that eliminates the failure cause;
S106: The BNG receives from the WEB server the notification to continue EAP authentication, and sends the EAP authentication request for the user terminal to the AAA server again;
S107: The flow ends.
In the above embodiment, after receiving the EAP authentication failure message for the user terminal from the AAA server, the BNG may also first judge whether the message carries a failure cause. If it does, then when the HTTP request sent by the user terminal is redirected to the WEB server that can eliminate the cause of the EAP authentication failure, the failure cause can be carried in the HTTP request sent to the WEB server. This helps the WEB server quickly locate the web page that prompts the user terminal to carry out the self-service eliminating that failure cause, which improves the response speed of the WEB server and the user experience.
Fig. 2 is a flowchart of the method by which the WEB server of this embodiment assists EAP authentication.
S201: The WEB server receives the Hypertext Transfer Protocol (HTTP) request of the user terminal forwarded by the BNG;
After receiving the HTTP request of the user terminal forwarded by the BNG, the WEB server may also first judge whether the request carries an EAP authentication failure cause; if it does, the WEB server can use that cause to locate the web page for eliminating it;
S202: The WEB server establishes a connection with the user terminal and receives the self-service operation by which the user terminal eliminates the cause of the EAP authentication failure;
S203: After the user terminal completes the operation that eliminates the cause of the EAP authentication failure, the WEB server sends the BNG a notification instructing it to continue EAP authentication.
The invention also provides an embodiment of the Extensible Authentication Protocol (EAP) authentication method assisted by a WEB service. This embodiment involves a Broadband Network Gateway (BNG) and a WEB server, where the BNG performs EAP authentication using the method described above and the WEB server also uses the method described above; the details are not repeated here.
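The exchange of Fig. 1 (S101-S107) and Fig. 2 (S201-S203), simulated in Python as an added example; it is not code from the patent. The class and method names, the reason strings, the `REMEDY` mapping, the `portal.example` URL and its query parameters are assumptions, as is the BNG ignoring continue notifications for terminals it has not pushed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


class Reason(Enum):  # reason names are assumptions of this example
    ARREARS = "arrears"
    CONTRACT_EXPIRED = "contract_expired"
    BAD_CREDENTIALS = "bad_credentials"  # cannot be cleared by self-service


# Assumed mapping: the self-service operation that clears each failure reason.
REMEDY = {Reason.ARREARS: "recharge", Reason.CONTRACT_EXPIRED: "renew_contract"}


@dataclass
class AuthResult:
    success: bool
    reason: Optional[Reason] = None
    push_to_web: bool = False  # explicit "push to WEB server" instruction from AAA


class FakeAaa:  # stand-in AAA server: fails a terminal while a reason is on record
    def __init__(self):
        self.blocked = {}  # terminal id -> Reason (constructed state)

    def authenticate(self, terminal):
        reason = self.blocked.get(terminal)
        return AuthResult(reason is None, reason)


class Bng:
    def __init__(self, aaa, portal_url, push_reasons=frozenset(REMEDY)):
        self.aaa = aaa
        self.portal_url = portal_url
        self.push_reasons = push_reasons  # preset reasons checked in S103
        self.pushed = {}  # terminal id -> reason to carry in the redirect

    def eap_authenticate(self, terminal):
        result = self.aaa.authenticate(terminal)  # S101 / S102
        self.pushed.pop(terminal, None)
        push = result.push_to_web or result.reason in self.push_reasons  # S103
        if not result.success and push:
            self.pushed[terminal] = result.reason
        return result

    def on_http_request(self, terminal):  # S104 / S105
        if terminal not in self.pushed:
            return None  # terminal is not being pushed: no redirect
        params = {"terminal": terminal}
        if self.pushed[terminal] is not None:
            params["reason"] = self.pushed[terminal].value  # carry the reason
        return f"{self.portal_url}?{urlencode(params)}"

    def on_continue_notice(self, terminal):  # S106
        if terminal not in self.pushed:
            return None  # assumption: notices for unpushed terminals are ignored
        return self.eap_authenticate(terminal)


class Portal:
    def __init__(self, bng, aaa):
        self.bng = bng
        self.aaa = aaa
        self.sessions = {}  # terminal id -> reason carried in the redirect

    def on_redirected_request(self, url):  # S201
        query = parse_qs(urlsplit(url).query)
        terminal = query["terminal"][0]
        reason = Reason(query["reason"][0]) if "reason" in query else None
        self.sessions[terminal] = reason
        return "/selfservice/" + REMEDY.get(reason, "index")  # page to show

    def on_operation_done(self, terminal, operation):  # S202 / S203
        if terminal not in self.sessions:
            return None
        reason = self.sessions[terminal]
        if reason is not None and REMEDY.get(reason) != operation:
            return None  # operation does not clear the carried reason: no notice
        del self.sessions[terminal]
        if REMEDY.get(self.aaa.blocked.get(terminal)) == operation:
            del self.aaa.blocked[terminal]  # stands in for the billing update
        return self.bng.on_continue_notice(terminal)


def run_demo():
    aaa = FakeAaa()
    bng = Bng(aaa, "https://portal.example/selfservice")
    portal = Portal(bng, aaa)
    aaa.blocked["ue-1"] = Reason.ARREARS  # constructed sample subscriber
    first = bng.eap_authenticate("ue-1")
    url = bng.on_http_request("ue-1")
    page = portal.on_redirected_request(url)
    wrong = portal.on_operation_done("ue-1", "renew_contract")
    final = portal.on_operation_done("ue-1", "recharge")
    return first.success, url, page, wrong, final.success
```

`run_demo()` walks one terminal in arrears through failure, redirect, a mismatched operation that produces no notification, and the matching recharge that triggers re-authentication.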
The embodiment of the EAP authentication method assisted by a WEB service is described in further detail below using two application examples.
Application example one: ordinary wired access scenario; the network topology is shown in Fig. 3.
In this application example the AN may be a front-end access network composed of DSLAM+SW, but is not limited to DSLAM+SW.
In this application example EAP authentication fails because the terminal user is in arrears.
Step 1: The BNG receives the EAPoL-Start message that the user terminal initiates via the AN network;
If the user terminal supports EAPoL v3 or later, it can use the TLV extension options in the EAPoL-Start-Announcement message to tell the BNG service conditions such as whether it supports the WEB forced-push service on authentication failure, whether it allows the BNG to obtain an IP address through DHCP, and whether its own address is a static IP address, so that the BNG can apply the relevant policy;
The BNG may also default to using the WEB forced-push service for the user terminal on authentication failure; or, after receiving the authentication failure result from the AAA server, it may judge whether the result carries an instruction to use the WEB forced-push service for the user terminal, and if the instruction is received, use the WEB forced-push service for the user terminal;
Step 2: Having received the EAPoL-Start message, the BNG starts to create the EAPoL user session; the BNG sends an EAPoL-EAP-Request-Identity message to the user terminal via the AN network to obtain identity information;
Step 3: The BNG obtains the EAPoL-EAP-Response-Identity message that the user terminal sends via the AN network;
Step 4: The BNG encapsulates the EAPoL-EAP-Response-Identity message in an authentication request message (such as the Access-Request message of the RADIUS protocol) and sends the authentication request message to the AAA authentication server;
Step 5: The AAA server negotiates a specific authentication method with the user terminal (such as EAP-PEAP, EAP-SIM, EAP-AKA, EAP-TLS or EAP-TTLS) and authenticates the client using the negotiated method; at the same time, the AAA server works with the HLR to check the user's subscription information and service characteristics, and judges whether the user terminal is legitimate; if the AAA server judges that the user terminal is legitimate and the EAP authentication of the user terminal succeeds, step 14 is performed; otherwise, step 6 is performed;
Step 6: The AAA server returns to the BNG an authentication failure message indicating that the user is in arrears, and the BNG returns the failure message to the user terminal; at the same time, the BNG determines that the WEB forced-push service needs to be used for the user terminal;
Step 7: The BNG exchanges DHCP messages with the user terminal and obtains the IP address of the user terminal; it sets the correspondence between the IP address and the operator's portal website;
Step 8: The BNG receives an HTTP request from that IP address (the HTTP request contains information indicating that the user is in arrears) and, according to the correspondence that was set, redirects the HTTP request to the WEB server hosting the operator's portal website;
Step 9: The WEB server locates the user recharge web page according to the user arrears information;
Step 10: The BNG establishes the TCP connection between the user terminal and the WEB server; the WEB server pushes the user recharge web page to the user terminal through the BNG, interacts with the user terminal through that web page, and receives the recharge self-service operation from the user terminal;
Step 11: After the user terminal has performed the recharge operation, the WEB server uses an authentication request message of the extended Portal protocol to tell the BNG to continue the EAP authentication session for the user;
Step 12: The BNG sends an EAPoL-EAP-Request-Identity message to the user terminal, triggering the user terminal and the AAA server to carry out the EAP authentication exchange again;
Step 13: The AAA server sends the EAP authentication success message for the user terminal to the BNG;
Step 14: The flow ends.
Application example two: wireless access scenario.
In this application example the AN may be a front-end access network composed of AP-FAT devices, or a front-end access network built as AP-FIT+AC.
In this application example user authentication fails because the terminal user's service contract has expired.
Step 1: The BNG receives the EAPoL-Start message that the user terminal initiates via the AP;
Step 2: The BNG receives the EAPoL-Start message forwarded by the AP, creates the EAP session, and sends an EAPoL-EAP-Request-Identity message to the user terminal to obtain identity information;
Step 3: The BNG obtains the EAPoL-EAP-Response-Identity message that the user terminal sends via the AP;
Step 4: The BNG encapsulates the EAPoL-EAP-Response-Identity message in an authentication request message (such as the Access-Request message of the RADIUS protocol) and sends the authentication request message to the AAA authentication server;
Step 5: The AAA server negotiates a specific authentication method with the user terminal (EAP-PEAP, EAP-SIM, EAP-AKA, EAP-TLS or EAP-TTLS) and authenticates the client using the negotiated method; at the same time, the AAA server works with the HLR to check the user's subscription information and service characteristics in order to judge whether the user terminal is legitimate, and obtains the PMK; if the AAA server judges that the user terminal is legitimate and the EAP authentication of the user terminal succeeds, step 14 is performed; otherwise, step 6 is performed;
Step 6: The AAA server returns to the BNG an authentication failure message indicating that the user's service contract has expired, and the BNG returns the failure message to the user terminal; at the same time, the BNG determines that the WEB forced-push service needs to be used for the user terminal;
The indication that the user's service contract has expired is carried in an EAPoL-Announcement message, or directly in the extension TLV options of the EAPoL-EAP-Fail message;
After receiving the EAPoL-Announcement or EAPoL-EAP-Fail message, if the user terminal needs to continue interacting with the AP, it keeps the PMK learned in the EAP authentication stage and continues key negotiation with the AP, so that the AP can encrypt and forward the user terminal's DHCP messages and other service messages normally in the WPA/WPA2 air-interface environment, ensuring the security of messages forwarded over the air interface;
Step 7: The BNG exchanges DHCP messages with the user terminal and obtains the IP address of the user terminal; it sets the correspondence between the IP address and the operator's portal website;
Step 8: The BNG receives an HTTP request from that IP address (the HTTP request contains information indicating that the user is in arrears) and, according to the correspondence that was set, redirects the HTTP request to the WEB server hosting the operator's portal website;
Step 9: The WEB server locates the service renewal web page according to the indication that the user's service contract has expired;
Step 10: The BNG establishes the TCP connection between the user terminal and the WEB server; the WEB server pushes the service renewal web page to the user terminal through the BNG, interacts with the user terminal through that web page, and receives the renewal self-service operation from the user terminal;
Step 11: After the user terminal has performed the renewal operation, the WEB server uses an authentication request message of the extended Portal protocol to tell the BNG to carry out the EAP authentication session for the user again;
Step 12: The BNG sends an EAPoL-EAP-Request-Identity message to the user terminal, triggering the user terminal and the AAA server to carry out the EAP authentication exchange again;
Step 13: The AAA server sends the EAP authentication success message for the user terminal to the BNG;
Step 14: The flow ends.
Fig. 4 is a module composition diagram of the BNG of this embodiment.
The BNG includes an EAP authentication module and a WEB redirection module, wherein:
the EAP authentication module is configured to send the EAP authentication request for the user terminal to the AAA server, receive the EAP authentication result for the user terminal from the AAA server, and notify the WEB redirection module of the authentication result;
the WEB redirection module is configured to, after learning that the authentication result is an EAP authentication failure message for the user terminal, judge whether the user terminal needs to be pushed to a WEB server; if it does, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, redirect the HTTP request to a WEB server that can eliminate the cause of the EAP authentication failure; and, after receiving from the WEB server the notification to continue EAP authentication, notify the EAP authentication module to send the EAP authentication request for the user terminal to the AAA server again;
The WEB redirection module being configured to judge whether the user terminal needs to be pushed to a WEB server includes: judging whether the cause of the authentication failure belongs to the preset authentication failure causes for which the user terminal needs to be pushed to a WEB server, and if it does, the user terminal needs to be pushed to a WEB server; or judging whether an instruction to push the user terminal to a WEB server has been received from the AAA server, and if the instruction from the AAA server has been received, the user terminal needs to be pushed to a WEB server;
The WEB redirection module is also configured to carry the failure cause from the EAP authentication failure message when redirecting the HTTP request to the WEB server that can eliminate the cause of the EAP authentication failure. This helps the WEB server quickly locate the web page that prompts the user terminal to carry out the self-service eliminating that failure cause, which improves the response speed of the WEB server and the user experience.
Fig. 5 is a module composition diagram of the WEB server of this embodiment.
The WEB server includes an authentication indication module and a network connection establishment module, wherein:
the network connection establishment module is configured to receive the Hypertext Transfer Protocol (HTTP) request of a user terminal forwarded by a Broadband Network Gateway (BNG), and to establish a connection with the user terminal;
the authentication indication module is configured to receive, over the established connection, the self-service operation by which the user terminal eliminates the cause of the EAP authentication failure, and, after the user terminal completes that operation, to send the BNG a notification instructing it to continue EAP authentication.
The network connection establishment module may also, after receiving the HTTP request of the user terminal forwarded by the BNG, judge whether the request carries an EAP authentication failure cause, and, if it does, push to the user, through the BNG, the web page for eliminating that EAP authentication failure cause;
the authentication indication module is configured to receive the self-service operation, carried out by the user terminal through the web page, that eliminates the cause of the EAP authentication failure; and, after the user terminal completes that operation, to send the BNG a notification instructing it to continue EAP authentication, including: judging whether the operation completed by the user terminal is the operation that eliminates the EAP authentication failure cause carried in the HTTP request, and if it is, sending the BNG the notification instructing it to continue EAP authentication.
The invention also provides an embodiment of the Extensible Authentication Protocol (EAP) authentication system assisted by a WEB service. This embodiment involves a Broadband Network Gateway (BNG) and a WEB server, where the BNG is a BNG with the module composition described above and the WEB server is a WEB server with the module composition described above; the details are not repeated here.
A person of ordinary skill in the art will understand that all or some of the steps of the above method can be completed by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or some of the steps of the above embodiments can be implemented with one or more integrated circuits. Accordingly, each module/unit in the above embodiments can be implemented in hardware or as a software function module. The invention is not limited to any particular combination of hardware and software.
It should be noted that the invention may have various other embodiments. Without departing from the spirit and essence of the invention, those skilled in the art can make corresponding changes and variations according to the invention, but all such changes and variations fall within the scope of protection of the appended claims.

Claims (8)

1. A method for a broadband network gateway (BNG) to perform Extensible Authentication Protocol (EAP) authentication, characterized in that the method comprises:
learning from an AAA server that EAP authentication of a user terminal has failed, and judging whether the user terminal needs to be pushed to a WEB server; if the user terminal needs to be pushed to the WEB server, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, redirecting the HTTP request to a WEB server capable of eliminating the cause of the EAP authentication failure;
after receiving from the WEB server a notice that EAP authentication is to continue, sending the EAP authentication request for the user terminal to the AAA server again;
wherein judging whether the user terminal needs to be pushed to the WEB server further comprises:
judging whether the authentication failure cause belongs to the preset authentication failure causes for which the user terminal needs to be pushed to the WEB server;
or,
judging whether an instruction, sent by the AAA server, to push the user terminal to the WEB server has been received.
2. The method as claimed in claim 1, characterized in that:
when the HTTP request is redirected to the WEB server capable of eliminating the cause of the EAP authentication failure, the failure cause contained in the EAP authentication failure message is also carried.
3. A method for a WEB server to assist Extensible Authentication Protocol (EAP) authentication, characterized in that the method comprises:
receiving an HTTP request of a user terminal forwarded by a broadband network gateway (BNG);
establishing a connection with the user terminal, and receiving a self-service operation by which the user terminal eliminates the cause of the EAP authentication failure;
after the user terminal completes the operation of eliminating the cause of the EAP authentication failure, sending to the BNG a notice indicating that EAP authentication is to continue;
wherein, after the HTTP request of the user terminal forwarded by the BNG is received, it is also judged whether the request carries an EAP authentication failure cause;
if the request carries an EAP authentication failure cause, a web page for eliminating that EAP authentication failure cause is pushed to the user through the BNG, and the self-service operation by which the user terminal eliminates the cause of the EAP authentication failure is received;
and wherein sending to the BNG the notice indicating that EAP authentication is to continue, after the user terminal completes the operation of eliminating the cause of the EAP authentication failure, comprises: judging whether the operation completed by the user terminal is an operation that eliminates the EAP authentication failure cause carried in the HTTP request, and if so, sending to the BNG the notice indicating that EAP authentication is to continue.
4. An Extensible Authentication Protocol (EAP) authentication method assisted by a WEB service, characterized in that the method comprises:
a broadband network gateway (BNG) performing EAP authentication using the method as claimed in any one of claims 1 to 2;
a WEB server assisting the EAP authentication using the method as claimed in claim 3.
5. A broadband network gateway (BNG) for performing Extensible Authentication Protocol (EAP) authentication, characterized in that the BNG comprises an EAP authentication module and a WEB redirection module, wherein:
the EAP authentication module is configured to send an EAP authentication request for a user terminal to an AAA server, to receive the EAP authentication result of the user terminal from the AAA server, and to notify the WEB redirection module of the authentication result;
the WEB redirection module is configured to, after learning that the authentication result is an EAP authentication failure message for the user terminal, judge whether the user terminal needs to be pushed to a WEB server; if the user terminal needs to be pushed to the WEB server, after receiving a Hypertext Transfer Protocol (HTTP) request from the user terminal, redirect the HTTP request to a WEB server capable of eliminating the cause of the EAP authentication failure; and, after receiving from the WEB server a notice that EAP authentication is to continue, notify the EAP authentication module to send the EAP authentication request for the user terminal to the AAA server again;
the WEB redirection module being configured to judge whether the user terminal needs to be pushed to the WEB server comprises:
the WEB redirection module judging whether the authentication failure cause belongs to the preset authentication failure causes for which the user terminal needs to be pushed to the WEB server; or judging whether an instruction, sent by the AAA server, to push the user terminal to the WEB server has been received.
6. The BNG as claimed in claim 5, characterized in that:
the WEB redirection module is further configured to carry the failure cause contained in the EAP authentication failure message when redirecting the HTTP request to the WEB server capable of eliminating the cause of the EAP authentication failure.
7. A WEB server for assisting Extensible Authentication Protocol (EAP) authentication, characterized in that the WEB server comprises an authentication indication module and a network connection establishment module, wherein:
the network connection establishment module is configured to receive a Hypertext Transfer Protocol (HTTP) request of a user terminal forwarded by a broadband network gateway (BNG), and to establish a connection with the user terminal;
the authentication indication module is configured to receive, over the established connection, a self-service operation by which the user terminal eliminates the cause of the EAP authentication failure, and, after the user terminal completes the operation of eliminating the cause of the EAP authentication failure, to send to the BNG a notice indicating that EAP authentication is to continue;
the network connection establishment module is further configured to, after receiving the HTTP request of the user terminal forwarded by the BNG, judge whether the request carries an EAP authentication failure cause, and, if the request carries an EAP authentication failure cause, push to the user through the BNG a web page for eliminating that EAP authentication failure cause;
the authentication indication module is configured to receive the self-service operation, performed by the user terminal through the web page, of eliminating the cause of the EAP authentication failure; sending to the BNG the notice indicating that EAP authentication is to continue, after the user terminal completes the operation of eliminating the cause of the EAP authentication failure, comprises: judging whether the operation completed by the user terminal is an operation that eliminates the EAP authentication failure cause carried in the HTTP request, and if so, sending to the BNG the notice indicating that EAP authentication is to continue.
8. A system for Extensible Authentication Protocol (EAP) authentication assisted by a WEB service, characterized in that the system comprises a broadband network gateway (BNG) and a WEB server, wherein:
the BNG is the BNG as claimed in any one of claims 5 to 6;
the WEB server is the WEB server as claimed in claim 7.
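The control flow of claims 1 to 3, modeled as an added example (not code from the patent): the BNG's push decision, the redirect carrying the failure cause, and the WEB server's check that the completed self-service operation matches the carried cause before it tells the BNG to continue. The portal URL, cause strings, query keys and the use of a terminal identifier in the query string are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values: portal URL, cause names and query keys are constructed for illustration.
PORTAL = "https://portal.example.net/selfservice"
PRESET_PUSH_CAUSES = {"password_expired", "account_in_arrears"}

@dataclass
class BNG:
    pending: dict = field(default_factory=dict)       # terminal -> failure cause
    aaa_requests: list = field(default_factory=list)  # EAP requests re-sent to the AAA server

    def on_eap_failure(self, terminal, cause, aaa_push_instruction=False):
        # Claim 1: push if the cause is in the preset list OR the AAA server instructs it.
        if cause in PRESET_PUSH_CAUSES or aaa_push_instruction:
            self.pending[terminal] = cause
            return True
        return False

    def on_http_request(self, terminal):
        # Claims 1-2: redirect only terminals marked for push, carrying the failure cause.
        cause = self.pending.get(terminal)
        if cause is None:
            return None
        query = urlencode({"eap_fail_cause": cause, "terminal": terminal})
        return 302, f"{PORTAL}?{query}"

    def on_continue_notice(self, terminal):
        # Claim 1: re-send the EAP request only for a terminal that is awaiting remediation.
        if self.pending.pop(terminal, None) is None:
            return False
        self.aaa_requests.append(terminal)
        return True

class WebServer:
    def __init__(self, bng):
        self.bng, self.sessions = bng, {}

    def on_redirected_request(self, location):
        q = parse_qs(urlparse(location).query)
        cause = q.get("eap_fail_cause", [None])[0]
        terminal = q["terminal"][0]
        self.sessions[terminal] = cause  # the cause this terminal has to clear
        return f"remediation page for {cause}" if cause else "generic self-service page"

    def on_self_service_done(self, terminal, operation_clears):
        # Claim 3: notify the BNG only if the completed operation clears the carried cause.
        carried = self.sessions.get(terminal)
        return carried is not None and carried == operation_clears and self.bng.on_continue_notice(terminal)
```

A continue notice for a terminal the BNG did not push is rejected in `on_continue_notice`, so a repeated or unsolicited notice does not trigger a new request to the AAA server.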
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310051830.2A CN103152332B (en) 2013-02-17 2013-02-17 A kind of EAP authentication method and apparatus under WEB service assistance

Publications (2)

Publication Number Publication Date
CN103152332A CN103152332A (en) 2013-06-12
CN103152332B true CN103152332B (en) 2018-02-16

Family

ID=48550195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310051830.2A Active CN103152332B (en) 2013-02-17 2013-02-17 A kind of EAP authentication method and apparatus under WEB service assistance

Country Status (1)

Country Link
CN (1) CN103152332B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant