Content of the invention
The present invention provides a portal authentication method and device, in order to solve the prior-art problem of tampering with the authentication request message and spoofing the MAC address to obtain access authority.
The method of the invention comprises the following steps:
S100: obtain the online request message of the terminal, and parse the MAC address of the terminal from the online request message;
S200: respond to the online request message of the terminal by returning a redirection message, the redirection message carrying a redirection address and the MAC address of the terminal parsed from the online request message, so that the terminal opens the portal authentication interface according to the redirection message and sends an authentication request message;
S300: obtain the authentication request message of the terminal, and parse the MAC address of the terminal from the authentication request message;
S400: judge whether the MAC address in the authentication request message is consistent with the MAC address in the online request message; if so, execute step S500, otherwise execute step S600;
S500: authentication succeeds; open the access authority of the terminal;
S600: authentication fails; discard the authentication request message of the terminal.
When a terminal device opens a web page or another application, an online request message is triggered. This online request message carries the MAC address of the terminal, and because the triggered online request message is usually difficult to tamper with, the MAC address it carries can be regarded as the actual MAC address of the terminal device. After the authentication device receives the online request of the terminal, it parses the MAC address of the terminal (regarded as the actual MAC address) from the request message, then responds to the online request by returning a redirection message to the terminal, which carries the redirection address and the parsed MAC address of the terminal. The terminal opens the portal authentication interface at the redirection address according to this redirection message and sends an authentication request message. The authentication request message is relatively easy to tamper with: if the terminal MAC address carried in the authentication request message sent by the terminal is a spoofed MAC address, the authentication device finds that the MAC address parsed from the authentication request message is inconsistent with the MAC address parsed from the online request, judges that the MAC address in the authentication request is spoofed, and the authentication of the terminal fails; the accessing terminal cannot pass authentication and therefore cannot obtain access authority.
By comparing the MAC address in the terminal's authentication message with the MAC address in the online request message, the present invention identifies whether the MAC address in the authentication message is spoofed, thereby rejecting access authentication with an illegal MAC address and greatly reducing the security risk of the wireless network.
Further preferably, the method further comprises the following step:
S050: when the terminal establishes a communication connection with the wireless network, obtain the MAC address of the terminal.
Before triggering the online request, the terminal must first establish a communication connection with the wireless network. Although a connection is established at this point, the terminal cannot yet access the network; access authority is obtained only after the subsequent online request and authentication request pass. This communication connection generally refers to the physical-layer communication connection, and the MAC address of the terminal can be recorded when the connection is established. Subsequently, by comparing whether the MAC address at connection establishment, the MAC address in the online request message and the MAC address in the authentication request are consistent, it can be judged whether the terminal obtained access authority with a spoofed MAC address.
Further preferably, the method further comprises the following step:
S150: judge whether the MAC address parsed from the online request message is consistent with the MAC address obtained when the terminal connected to the wireless network; if so, continue with the subsequent operations, otherwise refuse the online request of the terminal.
Although the judgement treats the MAC address in the online request as the real one because the online request message is difficult to tamper with, it cannot be ruled out that a user is able to tamper with both the online request and the authentication request and thus passes authentication. After adding the step of comparing the MAC address parsed from the online request message with the MAC address of the terminal obtained when the terminal established the communication connection with the wireless network, a spoofed MAC address in the online request message can be discovered in time.
Further preferably, the method further comprises the following step:
S350: judge whether the MAC address parsed from the authentication request message is consistent with the MAC address obtained when the terminal connected to the wireless network; if so, execute step S500, otherwise execute step S600.
In this scheme the MAC address in the authentication request message is compared directly with the MAC address of the terminal obtained when the terminal established the communication connection with the wireless network; if the two addresses are consistent, authentication passes, otherwise authentication fails.
Further preferably, the method further comprises the following step:
S180: when the online request of the terminal is obtained, record the acquisition time, and judge whether the interval between the acquisition time and the time of the last successful authentication request reaches a preset duration; if so, execute step S200, otherwise execute step S500;
Setting an authentication validity period avoids frequent authentication of the user, which would degrade the user experience; on the other hand, once the preset duration has elapsed, re-authentication pushes the authentication advertisement page again, which also promotes commercial value.
Further preferably, the method further comprises the following step:
S700: when the authentication of the terminal fails, record the number of authentication failures of the terminal; when the number of authentication failures of the terminal reaches a preset number, put the terminal on a blacklist and release the communication connection between the terminal and the wireless network.
To prevent malicious users from making frequent requests with software, which increases the burden on the authentication device and affects its service performance, this scheme adds a blacklist: when the number of authentication failures of a terminal reaches a certain number, the terminal is put on the blacklist and its communication connection with the wireless network is released. Subsequently, after the terminal connects to the wireless network, or after receiving its online request or its authentication request, the authentication device can judge whether the terminal is on the blacklist and take different measures to prevent it from obtaining access authority.
Further preferably, the method further comprises the following step after step S050:
S080: judge whether the terminal is in the blacklist; if so, release the communication connection between the terminal and the wireless network, otherwise execute step S100.
The present invention also provides a portal authentication device, including an acquisition module, a parsing module and a judgement operation module; the acquisition module is connected with the parsing module, and the judgement operation module is connected with the parsing module, wherein:
the acquisition module obtains the online request message of the terminal, and the parsing module parses the MAC address of the terminal from the online request message;
the judgement operation module responds to the first online request message of the terminal by returning a redirection message, the redirection message carrying the redirection address and the MAC address of the terminal, so that the terminal opens the portal authentication interface according to the redirection message and sends an authentication request message;
the acquisition module obtains the authentication request message of the terminal, and the parsing module parses the MAC address of the terminal from the authentication request message;
the judgement operation module judges whether the MAC address in the authentication request message is identical to the MAC address in the online request message; if so, authentication succeeds and the access authority of the terminal is opened; otherwise, authentication fails and the authentication request message of the terminal is discarded.
The authentication device of the present invention judges whether the terminal has spoofed its MAC address to obtain access authority by comparing whether the MAC address parsed from the online request message and the MAC address parsed from the authentication request message are consistent. Adding this detection mechanism greatly strengthens the safety of authentication and improves security performance.
Further preferably, the device also includes a memory module connected with the acquisition module and the judgement operation module, wherein:
when the terminal establishes a communication connection with the wireless network, the acquisition module obtains the MAC address of the terminal and stores it in the memory module;
when the acquisition module obtains the online request message of the terminal and the parsing module has parsed the MAC address of the terminal, the judgement operation module judges whether the MAC address of the terminal in the online request message is consistent with the MAC address obtained when the terminal connected to the wireless network; if so, the subsequent operations continue, otherwise the online request of the terminal is refused. Or, when the acquisition module obtains the authentication request message of the terminal and the parsing module has parsed the MAC address of the terminal from the authentication request message, the judgement operation module judges whether the MAC address in the authentication request message, the MAC address in the online request message and the MAC address obtained when the terminal connected to the wireless network are all three consistent; if so, authentication succeeds and the terminal obtains access authority, otherwise authentication fails and the judgement operation module discards the authentication request message of the terminal.
Compared with the scheme above, this scheme adds one more layer of protection: the MAC address of the terminal is obtained when the terminal establishes the physical-layer communication connection with the wireless network, and this address is then compared with the addresses in the subsequent messages, so that tampering with the online request message and/or the authentication request can be discovered in time. Safety is greatly enhanced.
Further preferably, the device also includes a timing module and a counting module; the timing module is connected with the judgement operation module and the acquisition module, and the counting module is connected with the judgement operation module and the memory module, wherein:
the timing module records the time of the last successful authentication request of the terminal, and the judgement operation module judges whether the interval between the online request message and the last successful authentication request reaches the preset duration; if so, the subsequent authentication operations are performed, otherwise the access authority of the terminal is opened;
when the authentication of the terminal fails, the counting module records the number of authentication failures of the terminal and stores it in the memory module; when the number of authentication failures of the terminal reaches the preset number, the judgement operation module puts the terminal on the blacklist, and the blacklist is stored in the memory module;
after the terminal establishes the communication connection with the wireless network, the judgement operation module judges whether the terminal is in the blacklist; if so, the communication connection between the terminal and the wireless network is released; if not, the subsequent operations proceed.
The present invention has the following beneficial effects:
By introducing a MAC address detection mechanism, the present invention identifies whether the MAC address in the authentication message is spoofed, thereby rejecting access authentication with an illegal MAC address and greatly reducing the security risk of the wireless network.
In addition, the present invention also introduces an authentication validity period and a blacklist scheme: the validity period after successful authentication avoids frequent authentication and improves the user experience, while the blacklist reduces the workload of the authentication device and discovers and blocks malicious authentication in time.
Specific embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
On the one hand, the invention provides a portal authentication method. The first embodiment, as shown in Figure 1, includes the steps:
S100: obtain the online request message of the terminal, and parse the MAC address of the terminal from the online request message;
S200: respond to the online request message of the terminal by returning a redirection message, the redirection message carrying the redirection address and the MAC address of the terminal parsed from the online request message, so that the terminal opens the portal authentication interface according to the redirection message and sends an authentication request message;
S300: obtain the authentication request message of the terminal, and parse the MAC address of the terminal from the authentication request message;
S400: judge whether the MAC address in the authentication request message is consistent with the MAC address in the online request message; if so, execute step S500, otherwise execute step S600;
S500: authentication succeeds; open the access authority of the terminal;
S600: authentication fails; discard the authentication request message of the terminal.
The terminal triggers an online request message before sending an authentication request message. Generally, the online request message is not easy to tamper with, so the MAC address it carries can serve as the reference for the judgement, whereas the authentication request message is relatively easy to tamper with. Therefore we parse the MAC address in the authentication request message and compare it with the MAC address in the online request to see whether the two addresses are consistent. If they are consistent, the authentication of the terminal is judged successful and the terminal obtains access authority. If they are inconsistent, the MAC address in the authentication request message has been tampered with and is a spoofed MAC address, so the authentication of the terminal is judged failed, the authentication message of the terminal is discarded, and the terminal cannot obtain access authority.
On the basis of the above embodiment, the method further comprises the step:
S050: when the terminal establishes a communication connection with the wireless network, obtain the MAC address of the terminal.
The terminal establishes a physical-layer communication connection with the wireless network, and at this point the physical MAC address of the terminal can also be obtained. Since the connection is based on physical-layer communication, the terminal MAC address obtained at this time is likewise difficult to tamper with and can also be regarded as the actual MAC address of the terminal. Subsequently, we can judge whether the terminal has tampered with its MAC address, and thus whether it may obtain access authority, by checking whether this MAC address, the MAC address parsed from the online request message and the MAC address parsed from the authentication request message are all three consistent. Specifically, the second embodiment of the present invention, as shown in Figure 2, includes the steps:
S050: the terminal establishes a communication connection with the wireless network; obtain the MAC address of the terminal;
S100: obtain the online request message of the terminal, and parse the MAC address of the terminal from the online request message;
S150: judge whether the MAC address parsed from the online request message is consistent with the MAC address obtained when the terminal connected to the wireless network; if so, execute step S200, otherwise refuse the online request of the terminal;
S200: respond to the online request message of the terminal by returning a redirection message, the redirection message carrying the redirection address and the MAC address of the terminal parsed from the online request message, so that the terminal opens the portal authentication interface according to the redirection message and sends an authentication request message;
S300: obtain the authentication request message of the terminal, and parse the MAC address of the terminal from the authentication request message;
S380: judge whether the MAC address in the authentication request message, the MAC address in the online request message and the MAC address obtained when the terminal established the communication connection with the wireless network are all three consistent; if so, execute step S500, otherwise execute step S600;
S500: authentication succeeds; open the access authority of the terminal;
S600: authentication fails; discard the authentication request message of the terminal.
This embodiment adds a further layer of assurance on the basis of embodiment 1. If the terminal does not spoof its MAC address, the MAC addresses obtained in the three phases should be consistent.
Of course, on the basis of embodiment 1 we can also add only the MAC address obtained when the terminal establishes the connection with the wireless network, and then compare this MAC address with the MAC address parsed from the online request message of the terminal, thereby judging whether the address in the online request message is spoofed. If they are inconsistent, the address in the online request is spoofed and the online request of the terminal is refused; if they are consistent, the subsequent authentication proceeds, and afterwards it is only necessary to compare the MAC address in the authentication request message with the MAC address in the online request message (at this point the MAC address in the online request message is identical to the MAC address at terminal connection).
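The two-stage comparison of embodiment 1 and the three-stage comparison of embodiment 2, written out as an added Python model of the authentication device; this is example code, not part of the patent text. It assumes a simple representation of the messages (not given in the text): the online request exposes the terminal MAC as the frame's source address (`src_mac`), and the authentication request is the redirected portal URL in which the MAC travels as a `mac` query parameter. The class name, method names and the portal URL are hypothetical.

```python
"""Added example: the MAC-consistency checks of steps S050, S100/S150, S200,
S300 and S380 on a constructed message representation (assumption: the
online request carries the MAC as `src_mac`, the authentication request
carries it as the `mac` query parameter of the redirected portal URL)."""
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL_URL = "http://portal.example/login"  # constructed placeholder address


def normalise_mac(mac: str) -> str:
    """Canonicalise a MAC so that case and separator differences
    (AA-BB-CC-DD-EE-FF vs aa:bb:cc:dd:ee:ff) are not mistaken for a mismatch."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class PortalAuthenticator:
    """Hypothetical model of the authentication device."""

    def __init__(self):
        self.assoc_mac = {}      # S050: MAC recorded at connection, per terminal
        self.online_mac = {}     # S100: MAC parsed from the online request
        self.authorised = set()  # terminals whose access authority is open (S500)

    def associate(self, terminal_id: str, physical_mac: str) -> None:
        """S050: the terminal establishes the physical-layer connection and the
        device records the MAC seen at that point."""
        self.assoc_mac[terminal_id] = normalise_mac(physical_mac)

    def handle_online_request(self, terminal_id: str, online_request: dict):
        """S100, S150, S200. Returns the redirection message, or None when the
        online request is refused."""
        try:
            mac = normalise_mac(online_request["src_mac"])
        except (KeyError, ValueError):
            return None                          # nothing usable to compare
        if self.assoc_mac.get(terminal_id) != mac:
            return None                          # S150: refuse the online request
        self.online_mac[terminal_id] = mac
        # S200: the MAC parsed here is echoed back inside the redirection address
        return {"status": 302, "location": PORTAL_URL + "?" + urlencode({"mac": mac})}

    def handle_auth_request(self, terminal_id: str, auth_request: dict) -> bool:
        """S300, S380. The MAC carried in the authentication request must equal
        both the online-request MAC and the connection MAC. Returns True for
        S500 (access opened) and False for S600 (request discarded)."""
        query = parse_qs(urlsplit(auth_request["url"]).query)
        try:
            auth_mac = normalise_mac(query.get("mac", [""])[0])
        except ValueError:
            return False                         # S600: unparsable MAC
        expected = (self.assoc_mac.get(terminal_id), self.online_mac.get(terminal_id))
        if None in expected or any(m != auth_mac for m in expected):
            return False                         # S600: three addresses differ
        self.authorised.add(terminal_id)         # S500: open access authority
        return True


if __name__ == "__main__":
    dev = PortalAuthenticator()
    dev.associate("sta-1", "AA-BB-CC-DD-EE-01")                       # constructed
    redirect = dev.handle_online_request("sta-1", {"src_mac": "aa:bb:cc:dd:ee:01"})
    print("honest terminal:", dev.handle_auth_request("sta-1", {"url": redirect["location"]}))
    forged = {"url": PORTAL_URL + "?mac=aa:bb:cc:dd:ee:ff"}            # constructed
    print("tampered auth request:", dev.handle_auth_request("sta-1", forged))
```

Dropping the comparison in `handle_online_request` and keeping only the final check gives embodiment 1; keeping both gives the alternative described in the last paragraph, in which the final check can equally compare against the online-request MAC alone.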
The third embodiment of the method of the invention, as shown in Figure 3, includes the steps:
S100: obtain the online request message of the terminal, and parse the MAC address of the terminal from the online request message;
S180: judge whether the interval between the online request message and the last successful authentication request reaches the preset duration; if so, execute step S200, otherwise execute step S500;
S200: respond to the online request message of the terminal by returning a redirection message, the redirection message carrying the redirection address and the MAC address of the terminal parsed from the online request message, so that the terminal opens the portal authentication interface according to the redirection message and sends an authentication request message;
S300: obtain the authentication request message of the terminal, and parse the MAC address of the terminal from the authentication request message;
S400: judge whether the MAC address in the authentication request message is consistent with the MAC address in the online request message; if so, execute step S500, otherwise execute step S600;
S500: authentication succeeds; open the access authority of the terminal;
S600: authentication fails; discard the authentication request message of the terminal.
On the basis of embodiment 1, this embodiment is equivalent to adding a validity period for network access after a successful authentication; that is, within the preset time period after a successful authentication, the user is not repeatedly shown the portal authentication interface (advertisement page, etc.), which improves the user experience. For example, we can set that access authority is granted for 24 hours after a successful authentication; after we leave this network and enter it again, as long as we are still within the authentication validity period we are not pushed the advertisement page again, and only once the preset time has elapsed (the validity period has expired) is authentication required again. Of course, the method of this embodiment is equally applicable to the second embodiment.
The fourth embodiment of the present invention, as shown in Figure 4, includes the steps:
S050: the terminal establishes a communication connection with the wireless network;
S080: judge whether the terminal is in the blacklist; if so, release the communication connection between the terminal and the wireless network, otherwise execute step S100;
S100: obtain the online request message of the terminal, and parse the MAC address of the terminal from the online request message;
S130: judge whether a MAC address identical to the one parsed from the online request message exists in the stored user profiles; if so, continue with the subsequent operations; if not, store the MAC address as a new user profile and enter step S200;
S180: judge whether the interval between the online request message and the last successful authentication request reaches the preset duration; if so, execute step S200, otherwise execute step S500;
S200: respond to the online request message of the terminal by returning a redirection message, the redirection message carrying the redirection address and the MAC address of the terminal parsed from the online request message, so that the terminal opens the portal authentication interface according to the redirection message and sends an authentication request message;
S300: obtain the authentication request message of the terminal, and parse the MAC address of the terminal from the authentication request message;
S400: judge whether the MAC address in the authentication request message is consistent with the MAC address in the online request message; if so, execute step S500, otherwise execute step S600;
S500: authentication succeeds; open the access authority of the terminal;
S600: authentication fails; discard the authentication request message of the terminal;
S700: when the authentication of the terminal fails, record the number of authentication failures of the terminal; when the number of authentication failures of the terminal reaches the preset number, put the terminal on the blacklist.
On the basis of combining the above embodiments, this embodiment also adds steps S130, S700 and S080. The newly added S130 is mainly used to judge whether the user is new; if so, the user profile is registered and authentication is then performed. Steps S700 and S080 work together: after an authentication failure, the number of failures is recorded, and once the preset number is reached the terminal is put on the blacklist and its communication connection with the wireless network is released. The next time the terminal re-enters the area of this wireless network and establishes a communication connection with it, the authentication device judges whether the terminal is on the blacklist and, if so, releases its communication connection with the wireless network; the terminal thus cycles between having its connection established and released.
Of course, we can also place the blacklist judgement step after step S100; that is, after obtaining the online request message of the terminal, judge whether the terminal is in the blacklist; if so, discard the online request message of the terminal without responding, otherwise continue with the subsequent steps.
Likewise, the blacklist judgement step can also be placed after step S300; that is, after obtaining the authentication request message of the terminal, judge whether the terminal is in the blacklist; if so, discard the authentication request message of the terminal and authentication fails; otherwise, continue with the subsequent steps.
The fifth embodiment of the method of the invention specifically includes the following steps:
a. The AP requires the STA to perform portal authentication and intercepts the user's first HTTP request (the online request);
b. The AP queries, through the wireless driver module, the physical MAC address the STA had when it associated with the SSID;
c. The AP parses the authentication MAC address in the HTTP request message of the STA and judges whether the authentication MAC address is identical to the physical MAC address;
d. If the authentication MAC address is identical to the physical MAC address, the AP responds to the user's HTTP request with an HTTP 302 redirection to the portal server URL address, carrying the MAC of the STA;
e. If the authentication MAC address differs from the physical MAC address, the AP refuses the authentication request of the STA;
f. The STA obtains the redirection URL of the AP and the MAC of the STA, and initiates an HTTP request to the portal server with this URL and MAC (or a tampered MAC);
g. The AP intercepts the user's HTTP request carrying the STA MAC and the portal URL, parses the authentication MAC address in this HTTP request message, and judges whether the authentication MAC address is identical to the physical MAC address;
h. If the authentication MAC address is identical to the physical MAC address, the AP forwards this HTTP request message to the portal server;
i. If the authentication MAC address differs from the physical MAC address, the AP discards this HTTP request message.
The sixth embodiment of the method of the invention specifically includes the following steps:
(1) The user first associates with an SSID of the AP using the STA;
(2) The AP requires the STA to perform portal authentication and intercepts the user's first HTTP request (the online request);
(3) The AP queries, through the wireless driver module, the physical MAC address the STA had when it associated with the SSID;
(4) The AP judges whether the mismatch count n of this STA satisfies n > N (n has a default initial value, and N defaults to 10); if so, the association of this STA is released and this MAC is added to a 24-hour blacklist; otherwise execute step (5);
(5) The AP parses the authentication MAC1 address in the HTTP request message of the STA and judges whether the authentication MAC1 address is identical to the physical MAC address;
(6) If the authentication MAC1 address is identical to the physical MAC address, the AP responds to the user's HTTP request with an HTTP 302 redirection to the portal server URL address, carrying the MAC1 of the STA, and executes step (7);
(7) If the authentication MAC1 address differs from the physical MAC address, the AP refuses the authentication request of the STA, increments the mismatch count of this STA (n = n + 1), continues to monitor the HTTP request messages of the STA, and executes step (2);
(8) The STA obtains the redirection URL of the AP and the MAC1 of the STA, and initiates an HTTP request to the portal server again with this URL and MAC1 (or a tampered MAC);
(9) The AP intercepts the user's HTTP request carrying the STA MAC1 and the portal URL, and parses the authentication MAC2 address in this HTTP request message;
(10) The AP judges whether the authentication MAC1 address, the MAC2 address and the physical MAC address are identical;
(11) If the authentication MAC1 address, the MAC2 address and the physical MAC address are all three identical, the AP forwards this HTTP request message to the portal server and executes step (12);
(12) If any two of the authentication MAC1 address, the MAC2 address and the physical MAC address differ, it is judged that the STA's authentication message has been tampered with; this HTTP request message is discarded, the mismatch count of this STA is incremented (n = n + 1), the AP continues to monitor the HTTP request messages of the STA, and executes step (2);
(13) After the portal server receives the HTTP request carrying the STA MAC and the portal URL, it records this MAC address and responds to the HTTP request of the STA with the portal advertisement authentication page.
In the above embodiments, the portal server may be a separate device or may be integrated into a device such as a cloud AC or an AC, without affecting the inventive content of this patent.
The various schemes of this embodiment may equally be applied to the other embodiments and are not described one by one here.
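The bookkeeping that surrounds the MAC comparison in the fourth and sixth embodiments (the authentication validity period of S180, the new-user registration of S130, the failure counter and blacklist of S700 and of steps (4), (7) and (12), and the blacklist check at connection time of S080), as an added Python model that is not part of the patent text. The current time is passed in explicitly as seconds so the example runs deterministically; the 24-hour validity period follows the example in the third embodiment, and the threshold N = 10 and 24-hour blacklist follow the sixth embodiment. The class and method names are hypothetical, and the initial value of n is taken to be 0 since the text gives none.

```python
"""Added example: validity period, mismatch counter and blacklist of the
fourth and sixth embodiments. Time is injected as a float of seconds
(assumption, for determinism); names are hypothetical."""


class AccessPolicy:
    VALIDITY = 24 * 3600        # validity period after success (24 h example in the text)
    MAX_MISMATCH = 10           # N, default value from the sixth embodiment
    BLACKLIST_TTL = 24 * 3600   # 24-hour blacklist from the sixth embodiment

    def __init__(self):
        self.last_success = {}   # mac -> time of last successful authentication (timing module)
        self.mismatches = {}     # mac -> n, number of failed comparisons (counting module)
        self.blacklist = {}      # mac -> time at which the blacklist entry expires
        self.known_users = set() # S130: stored user profiles, keyed by MAC

    def is_blacklisted(self, mac: str, now: float) -> bool:
        """Blacklist lookup with expiry of the 24-hour entries."""
        expiry = self.blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[mac]      # entry has aged out
            return False
        return True

    def on_associate(self, mac: str, now: float) -> str:
        """S080 / step (4): decide what to do when the terminal connects.
        Returns 'release' (drop the connection) or 'continue' (go on to S100)."""
        return "release" if self.is_blacklisted(mac, now) else "continue"

    def on_online_request(self, mac: str, now: float) -> str:
        """S130 + S180: returns 'grant' when the terminal is still inside its
        validity period (go to S500) or 'redirect' when it must authenticate (S200)."""
        if mac not in self.known_users:
            self.known_users.add(mac)    # S130: register a new user profile
        last = self.last_success.get(mac)
        if last is not None and now - last < self.VALIDITY:
            return "grant"
        return "redirect"

    def on_auth_result(self, mac: str, success: bool, now: float) -> str:
        """S700 / steps (7) and (12): bookkeeping after the MAC comparison.
        Returns 'ok', 'failed', or 'blacklisted' once n exceeds N."""
        if success:
            self.last_success[mac] = now   # timing module records the success time
            return "ok"
        n = self.mismatches.get(mac, 0) + 1   # n = n + 1 (assumed to start at 0)
        self.mismatches[mac] = n
        if n > self.MAX_MISMATCH:
            self.blacklist[mac] = now + self.BLACKLIST_TTL
            return "blacklisted"
        return "failed"


if __name__ == "__main__":
    policy = AccessPolicy()
    t0 = 1_000_000.0                         # constructed clock value
    mac = "aa:bb:cc:dd:ee:01"                # constructed terminal MAC
    print(policy.on_online_request(mac, t0))            # redirect: never authenticated
    print(policy.on_auth_result(mac, True, t0))         # ok
    print(policy.on_online_request(mac, t0 + 3600))     # grant: inside the 24 h period
    print(policy.on_online_request(mac, t0 + 25 * 3600))  # redirect: period expired
```

The counter is not reset on success because the text does not say that it is; a deployment would decide that separately. The MAC comparison itself is the same check as in the earlier embodiments and is deliberately left outside this class, which only consumes its result.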
Based on the same technical idea, the present invention also provides an embodiment of a portal authentication device, which can execute the above method embodiments. As shown in Figure 5, the authentication device provided by the first embodiment of the device of the present invention includes an acquisition module 10, a parsing module 20 and a judgement operation module 30; the acquisition module 10 is connected with the parsing module 20, and the judgement operation module 30 is connected with the parsing module 20, wherein:
the acquisition module 10 obtains the online request message of the terminal, and the parsing module 20 parses the MAC address of the terminal from the online request message;
the judgement operation module 30 responds to the first online request message of the terminal by returning a redirection message, the redirection message carrying the redirection address and the MAC address of the terminal, so that the terminal opens the portal authentication interface according to the redirection message and sends an authentication request message;
the acquisition module 10 obtains the authentication request message of the terminal, and the parsing module 20 parses the MAC address of the terminal from the authentication request message;
the judgement operation module 30 judges whether the MAC address in the authentication request message is identical to the MAC address in the online request message; if so, authentication succeeds and the access authority of the terminal is opened; otherwise, authentication fails and the authentication request message of the terminal is discarded.
The second embodiment of the authentication device of the present invention, on the basis of the first embodiment of the above authentication device, also includes a memory module 40 connected with the acquisition module 10 and the judgement operation module 30; preferably, it also includes a timing module 60 connected with the judgement operation module 30 and the acquisition module 10; preferably, it also includes a counting module 50 connected with the judgement operation module 30 and the memory module 40, wherein:
when the terminal establishes a communication connection with the wireless network, the acquisition module 10 obtains the MAC address of the terminal and stores it in the memory module 40;
when the acquisition module 10 obtains the online request message of the terminal and the parsing module 20 has parsed the MAC address of the terminal, the judgement operation module 30 judges whether the MAC address of the terminal in the online request message is consistent with the MAC address obtained when the terminal connected to the wireless network; if so, the subsequent operations continue, otherwise the online request of the terminal is refused. Or, when the acquisition module 10 obtains the authentication request message of the terminal and the parsing module 20 has parsed the MAC address of the terminal from the authentication request message, the judgement operation module 30 judges whether the MAC address parsed from the authentication request message is consistent with the MAC address obtained when the terminal connected to the wireless network; if so, authentication succeeds and the terminal obtains access authority, otherwise authentication fails and the judgement operation module 30 discards the authentication request message of the terminal;
the timing module 60 records the time of the last successful authentication request of the terminal, and the judgement operation module 30 judges whether the interval between the online request message and the last successful authentication request reaches the preset duration; if so, the subsequent authentication operations are performed, otherwise the access authority of the terminal is opened;
when the authentication of the terminal fails, the counting module 50 records the number of authentication failures of the terminal and stores it in the memory module 40; when the number of authentication failures of the terminal reaches the preset number, the judgement operation module 30 puts the terminal on the blacklist, and the blacklist is stored in the memory module 40;
after the terminal establishes the communication connection with the wireless network, the judgement operation module 30 judges whether the terminal is in the blacklist; if so, the communication connection between the terminal and the wireless network is released; if not, the subsequent operations proceed.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.