CN1801703A - Method for broadband network access authentication - Google Patents

Publication number: CN1801703A
Authority: CN (China)
Prior art keywords: authentication, user, software, page, authentication software
Legal status: Granted; currently Expired - Fee Related
Application number: CN 200410103248
Other languages: Chinese (zh)
Other versions: CN1801703B (en)
Inventors: 金晓静, 程琼
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN 200410103248
Publication of CN1801703A
Publication of CN1801703B
Landscapes: Information Transfer Between Computers (AREA)
Abstract

The broadband access authentication method comprises: installing the user authentication software via the Web, where the AC redirects the user's browser to the software installation page of the Web server and the authentication software is installed automatically or manually; starting the software, either by the user or automatically, and entering the information needed for authentication; sending the authentication information from the software to the AC; and returning the result from the AC, which opens access rights if authentication passes. The invention avoids the browser window that cannot be closed.

Description

Method for broadband network access authentication
Technical field
The present invention relates to the field of broadband network access in telecom operations and, more specifically, to broadband network access authentication.
Background
One current method of broadband user access authentication is the DHCP+Web authentication mode (DHCP: Dynamic Host Configuration Protocol; Web: World Wide Web). Its process is as follows: the user first uses a browser to access the web authentication server (WAS) of the network access service provider and obtains the authentication web page. The user enters security information (usually a user name and password) in the authentication web page and submits it to the WAS. After receiving this information, the WAS encapsulates it with the RADIUS protocol into an authentication request packet and sends it to the access controller (AC: Access Controller). The AC, acting as a proxy, processes the authentication request packet and sends it on to the RADIUS server, and then receives the authentication result that the RADIUS server returns. If the result is success, the AC authorizes the user's connection locally and at the same time sends an authentication response to the WAS, which notifies the client of the result through the authentication web page. This scheme effectively solves the authentication problem for network access by LAN user-level nodes.
In this mode, so that the user can see their network login state and is provided with a logoff function, a browser window that cannot be closed must remain on the user's computer; otherwise the user cannot know their own network state and has no way to log off. Users often find this browser window that cannot be closed annoying.
Summary of the invention
The technical problem to be solved by the present invention is to provide an access authentication method that overcomes the above shortcoming of the prior art.
The access user authentication method proposed by the present invention comprises the following steps:
1. Web installation of the authentication software, which can comprise:
The user's browser is redirected by the AC to the software installation page of the Web server;
The software installation page installs the authentication software for the user automatically, or the user downloads and installs the authentication software manually;
2. The user starts the authentication software, or it starts automatically, and the user enters the information needed for authentication;
3. The authentication software sends the authentication information to the AC;
4. The AC returns the authentication result and, if authentication passes, opens access rights.
The present invention avoids the defect of the Web authentication mode, in which a browser window that cannot be closed must remain on the user's computer in order to provide the user with a logoff function.
Description of drawings
Fig. 1 is a schematic diagram of the system networking used by the present invention;
Fig. 2 is the authentication flow chart of the present invention.
Embodiment
Fig. 1 is a schematic diagram of the system networking used by the present invention. The access network in the figure is normally a layer 2 switch, but it can also be other access equipment, such as DSL (Digital Subscriber Line).
Fig. 2 is the flow chart of the present invention. The implementation of the present invention is described in detail below with reference to Fig. 2.
One. Web installation of the authentication software
1. The user's browser is redirected by the access controller (AC) to the software installation page of the Web server;
1) After the user's computer starts up, the AC assigns it an IP address via the DHCP protocol; see steps 1 and 2 in Fig. 2;
2) The AC sets the user's access rights so that the user can only access the Web server;
3) When the user starts a browser and opens any website or web page, the AC redirects the page to the authentication software (AuthClient) installation page of the Web server; see steps 3, 4, 5 and 6 in Fig. 2.
The redirection method can be as follows: the AC inspects all packets sent by user computers that have not been authenticated and drops any packet that is not an HTTP message. If it finds an HTTP message, it analyzes the message and forges an HTTP response message that appears to come from the destination server. The content of the message is an HTTP redirect whose redirect address points to the AuthClient software installation page of the Web server. When the user's browser receives this response, it opens the AuthClient software installation page of the Web server.
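The AC's per-packet decision described above can be sketched as follows. This is an added example, not code from the patent; the `Packet` type, the Web server address and the installation-page URL are assumptions, and the payload is treated as an already reassembled TCP payload.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

WEB_SERVER_IP = "192.0.2.10"                          # assumed Web server address
INSTALL_URL = "http://192.0.2.10/authclient/install"  # assumed install-page URL

# An HTTP/1.x request line; anything else counts as "not an HTTP message".
_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes  # simplification: reassembled TCP payload


def forged_redirect() -> bytes:
    """HTTP redirect sent in the name of the destination server."""
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: " + INSTALL_URL.encode() + b"\r\n"
            b"Cache-Control: no-store\r\n"  # keep browsers from caching it
            b"Content-Length: 0\r\n"
            b"Connection: close\r\n\r\n")


def ac_decide(pkt: Packet, authenticated: Set[str]) -> Tuple[str, Optional[bytes]]:
    """Return (action, response) for one packet arriving at the AC."""
    if pkt.src_ip in authenticated:
        return "forward", None
    # Step 2): an unauthenticated user may reach the Web server only;
    # without this exemption the install page would redirect to itself.
    if pkt.dst_ip == WEB_SERVER_IP:
        return "forward", None
    if _REQUEST_LINE.match(pkt.payload):
        return "redirect", forged_redirect()
    # Non-HTTP traffic is dropped. That includes TLS, so an HTTPS request
    # from an unauthenticated user times out instead of being redirected.
    return "drop", None
```
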
2. The software installation page installs the authentication software for the user automatically, or the user downloads and installs the authentication software manually
The AuthClient software installation page uses dynamic web page technology, such as ASP (Active Server Pages), JSP (Java Server Pages) or PHP (Hypertext Preprocessor), to detect the operating system and browser type of the user's computer.
If it finds that the operating system is Windows and the browser is IE (Internet Explorer), the Web server forwards the user's page to the IE-specific AuthClient software installation page. This installation page embeds an ActiveX control (the user must agree to run this control), and the control checks whether the user has already installed AuthClient.
If AuthClient is not installed, the ActiveX control automatically downloads AuthClient, installs it on the user's computer and starts it. After startup finishes, the ActiveX control uses inter-process communication to pass information such as the address of the AC and the authentication port number to AuthClient, and AuthClient records this information in the registry. See steps 7 and 8 in Fig. 2.
If AuthClient is already installed, the ActiveX control starts AuthClient directly and passes the relevant parameters to AuthClient in the same way. See step 8 in Fig. 2.
If it finds that the user is using another operating system, the user is redirected to the installation page for a Java version of AuthClient, and the user manually downloads and runs the Java version of AuthClient.
The Java version of AuthClient can be installed and run using the Web Start technology of Sun Microsystems of the United States.
Two. The user starts the authentication software, or it starts automatically, and the user enters the information needed for authentication
If the user has already installed AuthClient, AuthClient does not have to be started through the steps above; instead, AuthClient can be set to run at startup, or the user can start the AuthClient software directly.
The user enters authentication information such as the user name and password in the AuthClient login interface and clicks the "login" button.
Three. The authentication software sends the authentication information to the AC
AuthClient encrypts authentication information such as the IP address, user name and password and sends it to the AC in IP packets. See step 9 in Fig. 2.
The encryption between AuthClient and the AC can use a challenge-response mode: AuthClient first requests a Challenge from the AC; when the AC receives the Challenge request message, it generates a random number 16 bytes long and returns it to AuthClient. This random number is the Challenge.
AuthClient uses the Challenge it obtained to apply CHAP (Challenge Handshake Authentication Protocol) encryption to the user's password and sends the result to the AC. The AC sends authentication information such as the user name and password to the RADIUS server for authentication, or performs local authentication;
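The challenge-response exchange between AuthClient and the AC, with local authentication on the AC, as an added example that is not part of the patent. The response is computed as in RFC 1994 CHAP (MD5 over identifier, secret and Challenge), which is an assumption because the patent names CHAP but gives no message layout; the class and function names and the in-memory user table are hypothetical.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 16  # the description specifies a 16-byte random Challenge


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AccessController:
    """Toy AC doing local authentication against an in-memory user table."""

    def __init__(self, users):
        self._users = users        # user name -> password (bytes)
        self._pending = {}         # client IP -> (identifier, challenge)
        self._next_id = 0
        self.authorized = set()    # client IPs whose access rights are open

    def issue_challenge(self, client_ip: str):
        """Answer a Challenge request with a fresh random Challenge."""
        self._next_id = (self._next_id + 1) & 0xFF
        challenge = os.urandom(CHALLENGE_LEN)
        self._pending[client_ip] = (self._next_id, challenge)
        return self._next_id, challenge

    def verify(self, client_ip, username, identifier, response) -> bool:
        # pop(): each Challenge is single-use, so a captured response
        # cannot be replayed against the AC later.
        pending = self._pending.pop(client_ip, None)
        if pending is None or pending[0] != identifier:
            return False
        secret = self._users.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, pending[1])
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(expected, response):
            self.authorized.add(client_ip)
            return True
        return False


def login(ac: AccessController, client_ip: str, username: str,
          password: bytes) -> bool:
    """AuthClient side: request a Challenge, answer it, return the result."""
    identifier, challenge = ac.issue_challenge(client_ip)
    response = chap_response(identifier, password, challenge)
    return ac.verify(client_ip, username, identifier, response)
```

The password itself never crosses the network, but the Challenge and response do, so the strength of the exchange still rests on the strength of the password.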
Four. The AC returns the authentication result and, if authentication passes, opens access rights
The AC notifies AuthClient of the authentication result. If authentication passes, the AC modifies the user's rights so that the user can access external networks (such as the Internet). See step 10 in Fig. 2.
After authentication passes, AuthClient can be minimized to the tray area (the right part of the taskbar on the user's computer, where the time is usually displayed). When the user needs to go offline, the user opens the AuthClient logoff interface and the logoff request is sent to the AC. After receiving it, the AC notifies RADIUS to stop billing and closes the user's rights.
AuthClient can open a port (such as 1814) to listen for messages sent by the AC, and the AC likewise opens a port (such as 2000) to listen for messages from AuthClient. AuthClient and the AC learn each other's state through regular message exchange, which makes timing more accurate.

Claims (6)

1. A method for broadband network access authentication, comprising the following steps:
1.1 Web installation of the authentication software;
1.2 The user starts the authentication software, or it starts automatically, and the user enters the information needed for authentication;
1.3 The authentication software sends the authentication information to the access controller;
1.4 The access controller returns the authentication result and, if authentication passes, opens access rights.
2. The method for broadband network access authentication of claim 1, characterized in that the Web installation of the authentication software comprises:
2.1 The user's browser is redirected by the access controller to the software installation page of the Web server;
2.2 The software installation page installs the authentication software for the user automatically, or the user downloads and installs the authentication software manually.
3. The method for broadband network access authentication of claim 2, characterized in that step 2.1 comprises:
3.1 After the user's computer starts up, the access controller assigns it an IP address via DHCP;
3.2 The access controller sets the user's access rights so that the user can only access the Web server;
3.3 When the user starts a browser and opens any website or web page, the access controller redirects the page to the authentication software installation page of the Web server.
4. The method for broadband network access authentication of claim 2 or 3, characterized in that the redirection method is: the access controller inspects all packets sent by user computers that have not been authenticated and drops any packet that is not an HTTP message; if a packet is an HTTP message, the access controller analyzes the message and forges an HTTP response message that appears to come from the destination server, the content of which is an HTTP redirect whose redirect address points to the authentication software installation page of the Web server; when the user's browser receives this response, it opens the authentication software installation page of the Web server.
5. The method for broadband network access authentication of claim 2, characterized in that step 2.2 comprises:
5.1 The authentication software installation page uses dynamic web page technology to detect the operating system and browser type of the user's computer;
5.2 If it finds that the operating system is Windows and the browser is IE, the Web server forwards the user's page to the IE-specific authentication software installation page, which embeds an ActiveX control that checks whether the user has already installed the authentication software; if the authentication software is not installed, the ActiveX control automatically downloads the authentication software, installs it on the user's computer and starts it, and after startup finishes the ActiveX control uses inter-process communication to pass information such as the address of the access controller and the authentication port number to the authentication software, which records this information in the registry; if the authentication software is already installed, the ActiveX control starts the authentication software directly and passes the relevant parameters to it in the same way; if it finds that the user is using another operating system, the user is redirected to the installation page for a Java version of the authentication software, and the user manually downloads and runs the Java version of the authentication software.
6. The method for broadband network access authentication of claim 1, characterized in that the authentication software sending the authentication information to the access controller means that authentication information such as the IP address, user name and password is encrypted and then sent to the access controller in IP packets.
Priority Applications (1)

Application number: CN 200410103248; priority date: 2004-12-31; filing date: 2004-12-31; title: Method for broadband network access authentication; status: Expired - Fee Related; publication: CN1801703B (en)

Publications (2)

CN1801703A, published 2006-07-12
CN1801703B, published 2011-04-06

Family ID: 36811488

Country status: CN (1), CN1801703B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895526A (en) * 2009-05-20 2010-11-24 中国电信股份有限公司 Dial-up authentication method and system
CN101895526B (en) * 2009-05-20 2013-04-03 中国电信股份有限公司 Dial-up authentication method and system
CN106161580A (en) * 2015-04-28 2016-11-23 中兴通讯股份有限公司 A kind of connection status control method, Apparatus and system
CN106803822A (en) * 2015-11-26 2017-06-06 北京网御星云信息技术有限公司 The safety access method and device of network application
CN112714123A (en) * 2020-12-27 2021-04-27 杭州迪普科技股份有限公司 Internet surfing method and device and electronic equipment

Also Published As

Publication number Publication date
CN1801703B (en) 2011-04-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110406

Termination date: 20171231
