
CN113079512B - Method, device and storage medium for supporting terminal roaming - Google Patents

Info

Publication number: CN113079512B
Authority: CN (China)
Prior art keywords: terminal, user, authentication, roaming, authenticated
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110267456.4A
Other languages: Chinese (zh)
Other versions: CN113079512A (en
Inventor: 梁世颍
Current Assignee: Wuhan Sipuling Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuhan Sipuling Technology Co Ltd
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202110267456.4A
Publication of CN113079512A
Application granted
Publication of CN113079512B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/06 Reselecting a communication resource in the serving access point
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/659 Internet protocol version 6 [IPv6] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/686 Types of network addresses using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a method, a device and a storage medium for supporting terminal roaming. The method includes: acquiring a first instruction and, according to the first instruction, enabling a secondary-authentication exemption function; acquiring a traffic packet sent by a terminal after it switches wireless access points or switches roaming networks, and determining from the traffic packet the user MAC information and the ingress interface on which the traffic packet was received; and determining, according to the user MAC information and the ingress interface, whether the terminal has already been authenticated and is online, and if so, passing the traffic packet and adding the new IP address formed after the terminal switches wireless access points to the authenticated user table. The invention is applied to an online behavior management device. When multiple APs are connected beneath the device, a terminal that goes online through the same AP can roam without a second authentication when its network switches from IPv4 to IPv6, while the same terminal must re-authenticate when it goes online through a different AP, which meets the requirement of SSID isolation.

Description

A method, device and storage medium for supporting terminal roaming

Technical field

The present invention relates to the technical field of network management, and in particular to a method, a device and a storage medium for supporting terminal roaming.

Background

At present, online behavior management products perform Portal authentication to bring online the end users whose traffic passes through the device, and thereby control online behavior. Portal authentication is controlled in two main ways: in one, Portal authentication is performed on the basis of the end user's IP address; in the other, the user is brought online through Portal transparently, without perceiving it, on the basis of the end user's MAC address.

However, with Portal authentication based on the user's IP address, when the end user's network switches from IPv4 to IPv6 the IP address changes, so a second authentication is required when the end user's traffic passes through the device, which seriously degrades the user experience. With transparent onboarding based on the end user's MAC address, when the terminal switches APs and traffic from the terminal with the same MAC but a different IP passes through the device, the device must first send a request message to the NAS device, based on the terminal's MAC, to confirm whether the terminal has already been authenticated through Portal and is online. If it has, the terminal's traffic is passed directly through the device with no second authentication, so the requirement of SSID isolation cannot be met. In summary, how to authenticate efficiently when a terminal switches networks or APs is a problem that urgently needs to be solved.

Summary of the invention

In view of this, it is necessary to provide a method for supporting terminal roaming that solves the problem of how to authenticate efficiently when a terminal switches networks or APs.

The present invention provides a method for supporting terminal roaming, applied to an online behavior management device that is communicatively connected to wireless access points. The method includes:

acquiring a first instruction and, according to the first instruction, enabling the secondary-authentication exemption function; acquiring a traffic packet sent by the terminal after it switches wireless access points or switches roaming networks, and determining from the traffic packet the user MAC information and the ingress interface on which the traffic packet was received;

determining, according to the user MAC information and the ingress interface, whether to enable the secondary-authentication exemption function, and if so, passing the traffic packet and adding the new IP address formed after the terminal switches wireless access points, or the new wireless access point, to the authenticated user table.

Further, determining whether to enable the secondary-authentication exemption function according to the user MAC information and the ingress interface includes:

determining, according to the user MAC information and the ingress interface, whether the terminal has already been authenticated and is online, and if it has, enabling the secondary-authentication exemption function.

Further, determining whether the terminal has already been authenticated and is online according to the user MAC information and the ingress interface includes:

using the user MAC information and the ingress interface as the key, querying a pre-stored hash table to determine whether a corresponding authentication record exists;

if one exists, the terminal has already been authenticated and is online.

Further, acquiring the traffic packet sent by the terminal after it switches wireless access points or switches roaming networks includes:

acquiring an IPv6 traffic packet, where the IPv6 traffic packet is a packet sent by the terminal's user, using the same AP, after switching from an IPv4 network to an IPv6 network.

Further, acquiring the traffic packet sent by the terminal after it switches wireless access points or switches roaming networks includes:

acquiring a post-AP-switch packet, where the post-AP-switch packet is a traffic packet with the same MAC address but a different IP address that is received for the first time on a different interface of the online behavior management device.

Further, the method for supporting terminal roaming also includes:

if the terminal has not been authenticated and is not online, pushing a Portal authentication page to the terminal so that the terminal performs Portal authentication.

Further, the authenticated user table takes the form of a hash table.

The present invention also provides an apparatus for supporting terminal roaming, including:

an acquisition unit, configured to acquire a first instruction and, according to the first instruction, enable the secondary-authentication exemption function; and to acquire a traffic packet sent by the terminal after it switches wireless access points or switches roaming networks, and determine from the traffic packet the user MAC information and the ingress interface on which the traffic packet was received;

a processing unit, configured to determine, according to the user MAC information and the ingress interface, whether to enable the secondary-authentication exemption function, and if so, to pass the traffic packet and add the new IP address formed after the terminal switches wireless access points, or the new wireless access point, to the authenticated user table.

The present invention also provides an apparatus for supporting terminal roaming, including a processor and a memory, where the memory stores a computer program that, when executed by the processor, implements the method for supporting terminal roaming described above.

The present invention also provides a computer-readable storage medium; when the computer program is executed by a processor, the method for supporting terminal roaming described above is implemented.

Compared with the prior art, the beneficial effects of the present invention are as follows. First, the secondary-authentication exemption function is enabled on the online behavior management device; issuing the first instruction controls whether the function is on or off, which keeps its use flexible. Then, the traffic packets sent after the terminal switches wireless access points (APs) or roaming networks (IPv4, IPv6) while roaming are acquired and parsed to determine the corresponding user MAC information and the ingress interface on which the online behavior management device received the packet. Finally, the user MAC information and the ingress interface are used together to determine whether the terminal has already been authenticated and is online. This takes several kinds of information into account and checks on the device itself whether the terminal is already authenticated, which avoids sending the end user's MAC and IP information to the NAS device every time to query whether the user is online, reduces the number of data messages sent, and lowers the load on the online behavior management device and the NAS device for processing data packets. If the terminal is already authenticated and online, the user's traffic is passed directly: the user can go online and access network resources without authenticating. At the same time, the user's new IP address is added to the authenticated user table, so the next traffic packet received from that IPv6 address does not trigger another query of whether the user is already online through Portal authentication. In summary, the invention is applied to an online behavior management device. When multiple APs are connected beneath the device, a terminal that goes online through the same AP can roam without a second authentication when its network switches from IPv4 to IPv6, while the same terminal must re-authenticate when it goes online through a different AP, which meets the requirement of SSID isolation.

Description of the drawings

FIG. 1 is a schematic flowchart of the method for supporting terminal roaming provided by the present invention;

FIG. 2 is a schematic flowchart of determining whether a terminal has already been authenticated and is online, provided by the present invention;

FIG. 3 is a schematic block diagram of the apparatus for supporting terminal roaming provided by the present invention.

Detailed description

Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, which form part of this application and, together with the embodiments of the invention, serve to explain the principles of the invention and not to limit its scope.

Embodiment 1

This embodiment of the present invention provides a method for supporting terminal roaming. Referring to FIG. 1, a schematic flowchart of the method for supporting terminal roaming provided by the present invention, the method includes steps S1 to S3:

In step S1, a first instruction is acquired and, according to the first instruction, the secondary-authentication exemption function is enabled;

In step S2, a traffic packet sent by the terminal after it switches wireless access points or switches roaming networks is acquired, and the user MAC information and the ingress interface on which the traffic packet was received are determined from the traffic packet;

In step S3, it is determined, according to the user MAC information and the ingress interface, whether to enable the secondary-authentication exemption function; if so, the traffic packet is passed, and the new IP address formed after the terminal switches wireless access points, or the new wireless access point, is added to the authenticated user table.

In this embodiment of the present invention, first, the secondary-authentication exemption function is enabled on the online behavior management device; issuing the first instruction controls whether the function is on or off, which keeps its use flexible. Then, the traffic packets sent after the terminal switches wireless access points (APs) or roaming networks (IPv4, IPv6) while roaming are acquired and parsed to determine the corresponding user MAC information and the ingress interface on which the online behavior management device received the packet. Finally, the user MAC information and the ingress interface are used together to determine whether the terminal has already been authenticated and is online. This takes several kinds of information into account and checks on the device itself whether the terminal is already authenticated, which avoids sending the end user's MAC and IP information to the NAS device every time to query whether the user is online, reduces the number of data messages sent, and lowers the load on the online behavior management device and the NAS device for processing data packets. If the terminal is already authenticated and online, the user's traffic is passed directly: the user can go online and access network resources without authenticating. At the same time, the user's new IP address is added to the authenticated user table, so the next traffic packet received from that IPv6 address does not trigger another query of whether the user is already online through Portal authentication.

It should be noted that online behavior management products are products that help Internet users control and manage their use of the Internet. Their main functions include web access filtering, network application control, bandwidth and traffic management, auditing of sent and received information, and user behavior analysis.

Preferably, determining whether to enable the secondary-authentication exemption function according to the user MAC information and the ingress interface includes: determining, according to the user MAC information and the ingress interface, whether the terminal has already been authenticated and is online, and if it has, enabling the secondary-authentication exemption function. As a specific embodiment, this embodiment of the invention enables the secondary-authentication exemption function on the basis of the terminal's user MAC information and the ingress interface on which the online behavior management device receives the user's traffic.

Preferably, referring to FIG. 2, a schematic flowchart of determining whether the terminal has already been authenticated and is online, provided by the present invention, step S3 includes steps S31 to S32:

In step S31, the user MAC information and the ingress interface are used as the key to query a pre-stored hash table and determine whether a corresponding authentication record exists;

In step S32, if one exists, the terminal has already been authenticated and is online.

As a specific embodiment, this embodiment of the invention uses the terminal's user MAC information and the ingress interface on which the online behavior management device receives the user's traffic as the key, and stores the data on the online behavior management device in the form of a hash linked list, which makes storage and lookup efficient. Combining the user MAC information with the ingress interface means the lookup draws on more than one attribute, and it effectively identifies when a terminal has switched wireless access points or switched roaming networks.

Preferably, acquiring the traffic packet sent by the terminal after it switches wireless access points or switches roaming networks includes:

acquiring an IPv6 traffic packet, where the IPv6 traffic packet is a packet sent by the terminal's user, using the same AP, after switching from an IPv4 network to an IPv6 network.

As a specific embodiment, this embodiment of the invention identifies the case in which the terminal uses the same AP but has switched to a different network, so that in this case the terminal can roam and go online without authenticating.

Preferably, acquiring the traffic packet sent by the terminal after it switches wireless access points or switches roaming networks includes:

acquiring a post-AP-switch packet, where the post-AP-switch packet is a traffic packet with the same MAC address but a different IP address that is received for the first time on a different interface of the online behavior management device.

As a specific embodiment, this embodiment of the invention identifies the case in which the terminal switches APs; re-authentication is then required to ensure the security of the network.

Preferably, the method for supporting terminal roaming further includes:

if the terminal has not been authenticated and is not online, pushing a Portal authentication page to the terminal so that the terminal performs Portal authentication.

As a specific embodiment, in this embodiment of the invention re-authentication is required when the terminal is not authenticated, which meets the requirement of SSID isolation.

Preferably, the authenticated user table takes the form of a hash table. As a specific embodiment, this embodiment of the invention builds the authenticated user table as a hash table, which facilitates the next authentication query.
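The decision in steps S1 to S3 and S31 to S32, written out as an added Python example (not code from the patent). The class and method names, the interface names `ge0/1` and `ge0/2`, the assumption that each AP hangs off its own ingress interface, and the choice to bind every learned IP to the (MAC, ingress interface) pair it was learned on are assumptions of this example; the addresses are constructed sample values.

```python
import ipaddress
import re
from enum import Enum

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


class Verdict(Enum):
    PASS = "pass"      # forward the traffic packet
    PORTAL = "portal"  # push the Portal authentication page


def normalize_mac(mac):
    """Canonical lower-case, colon-separated MAC; malformed input is rejected."""
    canon = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(canon):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return canon


class RoamingGate:
    """Authenticated user table keyed by (MAC, ingress interface)."""

    def __init__(self, exemption_enabled=False):
        # S1: the "first instruction" switches the exemption on or off.
        self.exemption_enabled = exemption_enabled
        self._sessions = {}  # (mac, ingress_if) -> set of IPs (S31 hash table)
        self._by_ip = {}     # ip -> (mac, ingress_if), the per-IP fast path

    def set_exemption(self, enabled):
        self.exemption_enabled = bool(enabled)

    def _learn(self, key, ip):
        self._sessions.setdefault(key, set()).add(ip)
        self._by_ip[ip] = key

    def portal_login(self, mac, ingress_if, src_ip):
        """Record a successful Portal authentication for this terminal."""
        self._learn((normalize_mac(mac), ingress_if),
                    ipaddress.ip_address(src_ip))

    def handle_packet(self, mac, ingress_if, src_ip):
        # S2: extract the user MAC and the ingress interface of the packet.
        key = (normalize_mac(mac), ingress_if)
        ip = ipaddress.ip_address(src_ip)
        # Known IP: pass only if it arrives with the MAC and interface it was
        # learned on (assumption of this example, see lead-in).
        if self._by_ip.get(ip) == key:
            return Verdict.PASS
        # S3/S31/S32: same MAC on the same interface with a new IP, for
        # example after an IPv4 to IPv6 switch: pass and learn the new IP.
        if self.exemption_enabled and key in self._sessions:
            self._learn(key, ip)
            return Verdict.PASS
        # Different interface (different AP), unknown MAC, or exemption off.
        return Verdict.PORTAL

    def known_ips(self, mac, ingress_if):
        key = (normalize_mac(mac), ingress_if)
        return sorted(str(ip) for ip in self._sessions.get(key, ()))


def demo():
    """Run a constructed packet sequence; return the verdicts and the table."""
    gate = RoamingGate(exemption_enabled=True)
    mac = "AA-BB-CC-DD-EE-01"  # constructed sample terminal
    out = []
    out.append(gate.handle_packet(mac, "ge0/1", "192.0.2.10"))    # not yet authenticated
    gate.portal_login(mac, "ge0/1", "192.0.2.10")
    out.append(gate.handle_packet(mac, "ge0/1", "192.0.2.10"))    # authenticated IP
    out.append(gate.handle_packet(mac, "ge0/1", "2001:db8::10"))  # IPv4 -> IPv6, same AP
    out.append(gate.handle_packet(mac, "ge0/2", "198.51.100.7"))  # same MAC, other AP
    gate.set_exemption(False)
    out.append(gate.handle_packet(mac, "ge0/1", "2001:db8::99"))  # exemption switched off
    return [v.value for v in out], gate.known_ips(mac, "ge0/1")


if __name__ == "__main__":
    print(demo())
```

The fourth packet is the SSID-isolation case: the MAC is already authenticated, but only on `ge0/1`, so its appearance on `ge0/2` goes back to the Portal page.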

Embodiment 2

This embodiment of the present invention provides an apparatus for supporting terminal roaming. Referring to FIG. 3, a schematic structural diagram of the apparatus for supporting terminal roaming provided by the present invention, the apparatus 300 for supporting terminal roaming includes:

an acquisition unit 301, configured to acquire a first instruction and, according to the first instruction, enable the secondary-authentication exemption function; and to acquire a traffic packet sent by the terminal after it switches wireless access points or switches roaming networks, and determine from the traffic packet the user MAC information and the ingress interface on which the traffic packet was received;

a processing unit 302, configured to determine, according to the user MAC information and the ingress interface, whether to enable the secondary-authentication exemption function, and if so, to pass the traffic packet and add the new IP address formed after the terminal switches wireless access points, or the new wireless access point, to the authenticated user table.

Embodiment 3

This embodiment of the present invention provides an apparatus for supporting terminal roaming, including a processor and a memory, where the memory stores a computer program that, when executed by the processor, implements the method for supporting terminal roaming described above.

Embodiment 4

This embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the method for supporting terminal roaming described above is implemented.

The present invention discloses a method, an apparatus and a storage medium for supporting terminal roaming. First, the secondary-authentication exemption function is enabled on the online behavior management device; issuing the first instruction controls whether the function is on or off, which keeps its use flexible. Then, the traffic packets sent after the terminal switches wireless access points (APs) or roaming networks (IPv4, IPv6) while roaming are acquired and parsed to determine the corresponding user MAC information and the ingress interface on which the online behavior management device received the packet. Finally, the user MAC information and the ingress interface are used together to determine whether the terminal has already been authenticated and is online. This takes several kinds of information into account and checks on the device itself whether the terminal is already authenticated, which avoids sending the end user's MAC and IP information to the NAS device every time to query whether the user is online, reduces the number of data messages sent, and lowers the load on the online behavior management device and the NAS device for processing data packets. If the terminal is already authenticated and online, the user's traffic is passed directly: the user can go online and access network resources without authenticating. At the same time, the user's new IP address is added to the authenticated user table, so the next traffic packet received from that IPv6 address does not trigger another query of whether the user is already online through Portal authentication.

The technical solution of the present invention is applied to an online behavior management device. When multiple APs are connected beneath the device, a terminal that goes online through the same AP can roam without a second authentication when its network switches from IPv4 to IPv6, while the same terminal must re-authenticate when it goes online through a different AP, which meets the requirement of SSID isolation.

The above is only a preferred specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention.

Claims (8)

1. A method for supporting terminal roaming, characterized in that it is applied to an online behavior management device that is communicatively connected to a wireless access point, the method comprising: obtaining a first instruction and, according to the first instruction, controlling the enabling of a secondary-authentication exemption function; obtaining a traffic packet, the traffic packet comprising an IPv6 traffic packet sent after a user of a terminal, using the same wireless access point, switches from an IPv4 network to an IPv6 network, or a packet sent after a wireless access point switch, with the same MAC address and a different IP address, that a different interface of the online behavior management device receives for the first time, and determining, from the traffic packet, the user MAC information and the ingress interface on which the traffic packet was received; determining, according to the user MAC information and the ingress interface, whether secondary authentication is to be exempted; if so, passing the traffic packet and adding the new IPv6 address formed after the terminal switches IP to the authenticated user table; if not, re-authentication is required, and the new IPv6 address or new wireless access point formed after the terminal switches wireless access points is added to the authenticated user table.

2. The method for supporting terminal roaming according to claim 1, characterized in that determining, according to the user MAC information and the ingress interface, whether secondary authentication is to be exempted comprises: determining, according to the user MAC information and the ingress interface, whether the terminal has already been authenticated and brought online, and, if it has been authenticated, exempting it from secondary authentication.

3. The method for supporting terminal roaming according to claim 2, characterized in that determining, according to the user MAC information and the ingress interface, whether the terminal has already been authenticated and brought online comprises: using the user MAC information and the ingress interface as the key to query a pre-stored hash table and determining whether a corresponding authentication record exists; if it exists, the terminal has already been authenticated and brought online.

4. The method for supporting terminal roaming according to claim 1, characterized in that the method further comprises: if the terminal has not been authenticated and brought online, pushing a Portal authentication page to the terminal so that the terminal performs Portal authentication.

5. The method for supporting terminal roaming according to claim 1, characterized in that the authenticated user table takes the form of a hash table.

6. A device for supporting terminal roaming, comprising: an obtaining unit, configured to obtain a first instruction and, according to the first instruction, control the enabling of a secondary-authentication exemption function, and further configured to obtain a traffic packet, the traffic packet comprising an IPv6 traffic packet sent after a user of a terminal, using the same wireless access point, switches from an IPv4 network to an IPv6 network, or a packet sent after a wireless access point switch, with the same MAC address and a different IP address, that a different interface of an online behavior management device receives for the first time, and to determine, from the traffic packet, the user MAC information and the ingress interface on which the traffic packet was received; and a processing unit, configured to determine, according to the user MAC information and the ingress interface, whether secondary authentication is to be exempted; if so, to pass the traffic packet and add the new IPv6 address formed after the terminal switches IP to the authenticated user table; if not, re-authentication is required, and the new IPv6 address or new wireless access point formed after the terminal switches wireless access points is added to the authenticated user table.

7. A device for supporting terminal roaming, characterized in that it comprises a processor and a memory, the memory storing a computer program which, when executed by the processor, implements the method for supporting terminal roaming according to any one of claims 1-5.

8. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method for supporting terminal roaming according to any one of claims 1-5.
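The decision flow of claims 1 to 5, sketched as an added example that is not part of the patent text: the authenticated user table is a hash table keyed on (MAC, ingress interface), and the class, method and return-value names as well as the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AuthRecord:
    user: str
    addresses: set = field(default_factory=set)


class AuthUserTable:
    """Authenticated user table: hash table keyed on (MAC, ingress interface)."""

    def __init__(self, exempt_enabled=False):
        # Set by the "first instruction" that turns the exemption on or off.
        self.exempt_enabled = exempt_enabled
        self.records = {}

    @staticmethod
    def _key(mac, iface):
        return (mac.lower().replace("-", ":"), iface)

    def portal_login(self, mac, iface, ip, user):
        """Record a successful Portal authentication (claim 4)."""
        rec = self.records.setdefault(self._key(mac, iface), AuthRecord(user))
        rec.addresses.add(ipaddress.ip_address(ip))

    def handle_packet(self, mac, iface, src_ip):
        """Return 'pass', 'pass-exempt' or 'portal' for one traffic packet."""
        addr = ipaddress.ip_address(src_ip)
        rec = self.records.get(self._key(mac, iface))
        if rec and addr in rec.addresses:
            return "pass"                 # address already authenticated
        if rec and self.exempt_enabled:
            rec.addresses.add(addr)       # learn the new address, no second login
            return "pass-exempt"
        return "portal"                   # no record for this key: re-authenticate


def demo():
    # Constructed sample values (documentation address ranges, made-up MAC).
    table = AuthUserTable(exempt_enabled=True)
    table.portal_login("AA-BB-CC-00-11-22", "ge0/1", "192.0.2.10", "alice")
    return [
        table.handle_packet("aa:bb:cc:00:11:22", "ge0/1", "2001:db8::10"),  # IPv4 -> IPv6, same AP
        table.handle_packet("aa:bb:cc:00:11:22", "ge0/2", "2001:db8::20"),  # other interface after AP switch
    ]


if __name__ == "__main__":
    print(demo())
```

The separate 'pass-exempt' result lets each exempted address be logged apart from traffic that matched an address recorded at Portal login.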
CN202110267456.4A 2021-03-11 2021-03-11 Method, device and storage medium for supporting terminal roaming Active CN113079512B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110267456.4A CN113079512B (en) 2021-03-11 2021-03-11 Method, device and storage medium for supporting terminal roaming

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110267456.4A CN113079512B (en) 2021-03-11 2021-03-11 Method, device and storage medium for supporting terminal roaming

Publications (2)

Publication Number Publication Date
CN113079512A CN113079512A (en) 2021-07-06
CN113079512B true CN113079512B (en) 2022-06-28

Family

ID=76612423

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110267456.4A Active CN113079512B (en) 2021-03-11 2021-03-11 Method, device and storage medium for supporting terminal roaming

Country Status (1)

Country Link
CN (1) CN113079512B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501495A (en) * 2013-10-16 2014-01-08 苏州汉明科技有限公司 Perception-free WLAN (Wireless Local Area Network) authentication method fusing Portal/Web authentication and MAC (Media Access Control) authentication
CN105376829A (en) * 2015-10-27 2016-03-02 上海斐讯数据通信技术有限公司 System and method for WIFI roaming of mobile terminal in local area network (LAN)
CN105376739A (en) * 2015-12-04 2016-03-02 上海斐讯数据通信技术有限公司 Network authentication method and system
CN108718280A (en) * 2018-08-30 2018-10-30 新华三技术有限公司 A kind of message forwarding method and device
CN108881308A (en) * 2018-08-09 2018-11-23 下代互联网重大应用技术(北京)工程研究中心有限公司 A kind of user terminal and its authentication method, system, medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8102813B2 (en) * 2006-04-28 2012-01-24 Microsoft Corporation Coordinating a transition of a roaming client between wireless access points using another client in physical proximity
US9392494B2 (en) * 2013-07-15 2016-07-12 Qualcomm Incorporated Systems and methods for reduced latency during initial link setup

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501495A (en) * 2013-10-16 2014-01-08 苏州汉明科技有限公司 Perception-free WLAN (Wireless Local Area Network) authentication method fusing Portal/Web authentication and MAC (Media Access Control) authentication
CN105376829A (en) * 2015-10-27 2016-03-02 上海斐讯数据通信技术有限公司 System and method for WIFI roaming of mobile terminal in local area network (LAN)
CN105376739A (en) * 2015-12-04 2016-03-02 上海斐讯数据通信技术有限公司 Network authentication method and system
WO2017092501A1 (en) * 2015-12-04 2017-06-08 上海斐讯数据通信技术有限公司 Method and system for network certification
CN108881308A (en) * 2018-08-09 2018-11-23 下代互联网重大应用技术(北京)工程研究中心有限公司 A kind of user terminal and its authentication method, system, medium
CN108718280A (en) * 2018-08-30 2018-10-30 新华三技术有限公司 A kind of message forwarding method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
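Design and implementation of a minimalist network based on SAM+; 姜建秋 et al.; Journal of Qingdao University (Natural Science Edition); 20180815 (No. 03); full text *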

Also Published As

Publication number Publication date
CN113079512A (en) 2021-07-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant