CN-121792239-B - Mobile network equipment forced authentication system and method based on multi-protocol perception
Abstract
The invention discloses a mobile network equipment forced authentication system and method based on multi-protocol perception, belonging to the technical field of wireless network portal authentication. It addresses three problems of existing Captive Portal technology: authentication cannot be triggered by a non-HTTP protocol, the system popup window can only be triggered once, and authentication is interrupted by unstable Wi-Fi connections. The authentication popup window is triggered multiple times by assigning short leases to unauthenticated equipment and using lease expiry or an IP address change to make the system re-detect the network; when the user first connects, a normal network response is returned to keep the network score high, so that the user equipment does not automatically switch networks.
Inventors
- ZHANG LIFENG
- YANG HONGBIN
Assignees
- 深圳市中兴视通科技有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260225
Claims (7)
- 1. A multi-protocol awareness based mobile network device mandatory authentication system, comprising: a connection tracking and state management module for monitoring the network connection between the user equipment and the mobile network equipment, acquiring the MAC address and IP address of the user equipment, identifying the user equipment type and operating system type, and maintaining an authentication state table that records at least the authentication state and the delay authentication mark of the user equipment; a multi-protocol sensing and delay authentication module for identifying the protocol type of each request and, when an unauthenticated user equipment is detected initiating a non-HTTP protocol request, setting the delay authentication mark of that user equipment to the activated state, recording the blocked request information and blocking the request; a dynamic DHCP lease management module for allocating different lease times according to the authentication state of the user and whether a delay authentication mark is present, and triggering the system to perform network detection again when a short lease expires; a multi-operating-system network detection adapting module for identifying and adapting the forced authentication network detection request of each operating system and triggering the authentication popup window of the corresponding network detection according to the authentication state of the user equipment; and an authentication Portal service module for providing an authentication page, updating the authentication state of the user equipment to authenticated after the user equipment is authenticated successfully, and clearing the delay authentication mark; wherein the dynamic DHCP lease management module allocates an hour-level lease time to authenticated user equipment, a first second-level lease time to newly connected but unauthenticated user equipment, and a second-level lease time to unauthenticated user equipment with a delay authentication mark, the second-level lease time being shorter than the first second-level lease time; and when the second-level lease time of unauthenticated user equipment with the delay authentication mark expires, the DHCP request is restarted and, if the user equipment is found to be in the unauthenticated state, the dynamic DHCP lease management module allocates a new IP address, the change of IP address triggering the operating system to perform network detection again.
- 2. The multi-protocol awareness based mobile network device mandatory authentication system of claim 1, wherein the multi-protocol sensing and delay authentication module comprises: a protocol identification unit for identifying the HTTP, HTTPS, QUIC and UDP protocols; a delay authentication flag unit for setting the delay authentication flag when a non-HTTP protocol request is detected; and a request blocking unit for returning a connection reset to TCP requests and silently discarding UDP requests.
- 3. The system of claim 1, further comprising an intelligent network score protection module for returning a response indicating that the network is normal to the network probe request of the operating system, so as to maintain the network score, when it is determined that the user equipment has not yet had actual network activity in the initial stage after connecting to the network, and for determining the response to the network probe request according to the authentication state and delay authentication flag of the user equipment once it is determined that the user equipment has had actual network activity, thereby preventing the user equipment from automatically switching to other networks.
- 4. A forced authentication method for mobile network equipment based on multi-protocol awareness, characterized by comprising the following steps: S1, the user equipment connects to a network access point; the user equipment MAC address is obtained, the user equipment type and operating system type are identified, an IP address and an initial lease are allocated to the user equipment, a record is created in the authentication state table, and the delay authentication mark is initialized to not activated; S2, system network detection processing, comprising: S201, the system automatically initiates network detection; when an HTTP protocol request initiated by unauthenticated user equipment is detected, the authentication page is triggered; after authentication is completed, the authenticated state is recorded for the user equipment, an hour-level lease is allocated, a normal response is returned, and the system judges that the network is available; S202, the system automatically initiates network detection; when it is detected that the user equipment is unauthenticated and has not initiated a non-HTTP protocol request, a first second-level lease is allocated; S203, the system automatically initiates network detection; when the unauthenticated user equipment initiates a non-HTTP protocol request, the request is blocked, a second-level lease is allocated, and the delay authentication mark is activated in the authentication state record of the request, the second-level lease being shorter than the first second-level lease; S204, after the user equipment of step S203 has remained in the second-level lease period longer than the third second-level lease period, the system allocates a new IP address to trigger the operating system to initiate network detection again; S3, when the authentication page re-triggered by the system under the first second-level lease is ignored or closed on the unauthenticated user equipment, and the unauthenticated user equipment then initiates a first non-HTTP protocol request, it is determined whether the user equipment has performed the authentication operation; if not, the first second-level lease is changed to the second-level lease and the delay authentication mark is activated; S4, when user equipment carrying the delay authentication mark is detected initiating an HTTP request, a redirection response is returned to the user equipment to trigger the authentication page; and S5, after the user completes authentication through the authentication page, the delay authentication mark is cleared and the equipment DHCP lease is updated to an hour-level lease.
- 5. The forced authentication method of mobile network equipment based on multi-protocol awareness according to claim 4, wherein the hour-level lease time in step S2 is 1-2 hours, the first second-level lease time is 30-60 seconds, and the second-level lease time is 15-30 seconds.
- 6. The method according to claim 4, wherein in step S202, if the user equipment initiates an HTTP protocol request, the step S201 is executed, and if the user equipment initiates a non-HTTP protocol request, the step S203 is executed.
- 7. The method for forced authentication of mobile network equipment based on multi-protocol awareness according to claim 4, further comprising a network score protection stage after the user equipment first connects to the network access point in step S1, wherein, while the user equipment has just connected and has not performed any actual network operation, the system probe request is answered with a normal response so that the system determines that the network is available and the normal network score is maintained, thereby avoiding triggering the user equipment to automatically switch to the mobile data network or another Wi-Fi network.
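The lease and delay-flag state machine of claims 1 to 5, modelled as an added illustration that is not part of the patent text. The lease values are one choice within the ranges of claim 5; the device record, action names and probe handling are assumptions made here.

```python
from dataclasses import dataclass
HOUR_LEASE = 3600         # hour-level lease (claim 5: 1-2 h); exact value is an assumption
FIRST_SHORT_LEASE = 60    # first second-level lease (30-60 s): unauthenticated, no flag
SECOND_SHORT_LEASE = 20   # second-level lease (15-30 s): unauthenticated, delay flag set

@dataclass
class DeviceRecord:
    """One row of the authentication state table (claim 1)."""
    mac: str
    ip: str
    authenticated: bool = False
    delay_flag: bool = False
    has_activity: bool = False    # "actual network activity" seen yet (claim 3)

def lease_for(rec):
    """Dynamic DHCP lease selection by auth state and delay flag (claims 1, 5)."""
    if rec.authenticated:
        return HOUR_LEASE
    return SECOND_SHORT_LEASE if rec.delay_flag else FIRST_SHORT_LEASE

def handle_request(rec, protocol, transport):
    """Multi-protocol sensing (claim 2); steps S201, S203 and S4 of claim 4."""
    rec.has_activity = True
    if rec.authenticated:
        return "allow"
    if protocol == "http":
        return "redirect_to_portal"   # 302 + Location to the authentication page
    # First non-HTTP request (HTTPS, QUIC, DNS...) while unauthenticated: block it
    # and activate the delay authentication flag, which shortens the next lease.
    rec.delay_flag = True
    return "tcp_reset" if transport == "tcp" else "udp_drop"

def handle_probe(rec):
    """OS network-detection probe (claims 3, 7): say 'normal' until real activity is seen."""
    if rec.authenticated or not rec.has_activity:
        return "network_ok"           # keeps the network score from dropping
    return "redirect_to_portal"       # re-triggers the system popup window

def on_lease_expiry(rec, next_ip):
    """Short lease expired (claim 1, step S204): flagged unauthenticated device gets a new IP."""
    if rec.authenticated or not rec.delay_flag:
        return False
    rec.ip = next_ip                  # IP change makes the OS run network detection again
    return True

def on_auth_success(rec):
    """Portal service (step S5): mark authenticated, clear the flag, hour-level lease."""
    rec.authenticated = True
    rec.delay_flag = False
    return lease_for(rec)
```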
Description
Technical Field
The disclosure relates to the technical field of mandatory network portal authentication, in particular to a mobile network equipment mandatory authentication system and method based on multi-protocol awareness.
Background
Captive authentication portal (Captive Portal) technology is widely used in Wi-Fi networks that require user authentication. In the traditional workflow, when a user connects to a Wi-Fi network, unauthorized access is intercepted and redirected to an authentication page. The process relies on the HTTP redirection status code (e.g. 302) and Location header field: after the server returns a redirection response, the browser automatically requests the new URL and displays the authentication page. DNS redirection is often combined with HTTP redirection: the user's domain name request is first directed to the gateway IP, the page jump is then completed over HTTP, and after the user completes authentication the traffic is released. However, the prior art has significant drawbacks:
- Non-HTTP protocols cannot trigger authentication. A large number of applications now use encrypted or non-HTTP protocols such as HTTPS, QUIC (UDP based) and DNS over UDP. The traditional Captive Portal relies on HTTP redirection, so a first request over a non-HTTP protocol can only be rejected or discarded; the user perceives "connected but not online" and does not know that authentication is required.
- The system popup window can only be triggered once. An operating system (such as iOS, Android or Windows) performs network detection and shows the popup window once, when the network is first connected. If the user ignores or closes the popup window, the system marks the network state and does not show the popup window again, so the user can neither surf the internet nor trigger authentication again, and has to forget the network and reconnect.
- Wi-Fi connection instability causes authentication interruption. The operating system (especially Android and its customized systems such as MIUI and EMUI) scores network quality. An unauthenticated network may be marked as "restricted" and its score reduced; when other networks are available (e.g. an already saved Wi-Fi network or mobile data), the system may automatically switch networks, unexpectedly interrupting the authentication flow and degrading the user experience.
Therefore, a solution that comprehensively solves the above problems is needed.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a forced authentication system and method for mobile network equipment based on multi-protocol perception, in which authentication triggering by non-HTTP protocols and multiple triggering of the authentication popup window are achieved through the cooperation of three mechanisms, the "delay authentication mark", "dynamic DHCP lease management" and "intelligent network scoring protection", while network connection stability is maintained during the authentication process.
In a first aspect, the present application provides a mobile network device mandatory authentication system based on multi-protocol awareness, comprising: a connection tracking and state management module for monitoring the network connection between the user equipment and the mobile network equipment, acquiring the MAC address and IP address of the user equipment, identifying the user equipment type and operating system type, and maintaining an authentication state table that records at least the authentication state and the delay authentication mark of the user equipment; a multi-protocol sensing and delay authentication module for identifying the protocol type of each request and, when an unauthenticated user equipment is detected initiating a non-HTTP protocol request, setting the delay authentication mark of that user equipment to the activated state, recording the blocked request information and blocking the request; a dynamic DHCP lease management module for allocating different lease times according to the authentication state of the user and whether a delay authentication mark is present, and triggering the system to perform network detection again when a short lease expires; a multi-operating-system network detection adapting module for identifying and adapting the forced authentication network detection request of each operating system and triggering the authentication popup window of the corresponding network detection according to the authentication state of the user equipment; and an authentication Portal service module for providin