[TL-AC1000] implementation process and specification of Portal authentication and billing

In the wireless networking environment, the access terminal needs to be authenticated, billing, in order to meet this demand, the TL-AC1000 in the Portal authentication provides the corresponding authentication, billing interface. Users can access third-party authentication servers as needed, or use the built-in AC authentication server for authentication and billing.

TL-AC1000 uses Portal for authentication billing settings see [TL-AC1000] typical Portal features configuration case

This article describes the authentication and billing procedures and specifications for using Radius and local authentication servers.

Note:The TL-AC1000 is billed only when it is upgraded to version 1.2.0 Build 20151125 Rel.51471.

Radius authentication billing type supported by TL-AC1000: Only billing by time is supported. After a wireless terminal is connected to the wireless network, the process of normal authentication and billing is as follows:

Portal authentication flowchart

Authentication and billing process:

1 , Wireless terminal connection WiFi To access any Internet

After the Authentication Policy is configured and the network is connected, connect the wireless client to the Wi-Fi signal sent by the AP, open the browser to access any Internet, and trigger portal authentication.

2 , AP Intercept wireless clients to access the Internet GET And redirect WEB Server

The GET packet sent from an unauthenticated wireless client to the Internet will be intercepted by the AP, and the AP will return a redirection entry to the client: http://www.abc.com /? Pagetype = xxx & vlan = xxx & staMac = xxx & staIp = xxx & apMac = xxx & apIp = xxx

This entry contains the following valid information:

Parameters	Description
Www.abc.com	WEB server address
Pagetype	Mark different authentication methods
Vlan	VLAN to which the client belongs
StaMac	MAC address of the client
StaIp	Client IP address
ApMac	MAC address of the AP device connected to the client
ApIp	IP address of the AP device connected to the client

3 Wireless terminal access WEB Server

The wireless terminal establishes a connection with the WEB server based on the redirection entry returned in step 2.

4 , WEB The server returns the authentication page to the wireless terminal.

The WEB server returns the authentication logon page to the wireless terminal.

5 , Wireless terminal direction TL-AC1000 Submit user name and password

Enter the user name and password on the authentication login page pushed by the WEB server. Click LoginTo GET the username, password, vlan, staMac, staIp, APMac, apIp and other parameters to the TL-AC1000, AC to record this information.

6 , TL-AC1000 Direction Radius The authentication server submits authentication information

After obtaining the information submitted by the client, the TL-AC1000 determines the device to be authenticated from the vlan, staMac, staIp, APMac, apIp parameters, and then submits all the parameters to the authentication server for authentication, parameters include:

Parameters	Description
User-name	User name
NAS-Identifier	NAS device ID
Calling-station-Id	MAC address of the device requiring authentication
Called-station-Id	MAC and the corresponding SSID of the AP
Framed-IP-Address	IP address of the device requiring authentication
NAS-IP-Address	IP address of the NAS device
NAS-port	User access port number
NAS-port-type	NAS device port type
User-password	Encrypted password

7 , Radius Authentication Server TL-AC1000 Return authentication result

The authentication server checks whether the user passes the authentication based on the information submitted by the TL-AC1000. If the user does not pass the authentication, the Radius reports the illegal information of the NAS user. If the user passes the authentication, the related information of the device is recorded, and return the authentication result to the TL-AC1000, which includes the following parameters:

Parameters	Description
Connect-Info	Radius server information
Framed-IP-Address	IP address provided for the user
Framed-Routing	Routing Method set for the router user
Framed-MTU	Maximum transmission unit configured for the user
Session-timeout	User-available session duration
Idle-timeout	Maximum time allowed for idle online users
Acct-interim-interval	Real-time billing time (AC1000 currently does not support real-time billing at intervals, but is billed only by the total connection time at the time of the last disconnection)

8 , TL-AC1000 Returns the authentication result to the wireless terminal.

The TL-AC1000 returns the corresponding authentication results to the wireless terminal based on the results returned by the authentication server. If the authentication succeeds, the AC will allow the access data of the corresponding device based on the previous vlan, staMac, staIp, APMac, and apIp parameter information.

9 , TL-AC1000 Direction Radius The authentication server sends a billing start request

The TL-AC1000 will be the corresponding device IP, MAC and other information submitted to the Radius authentication server, the request starts billing, submit information includes:

Parameters	Description
Acct-Session-Id	Indicates the unique identifier of the billing.
User-name	User name
NAS-Port-Id	User Access Port ID
Service-type	Service type
Framed-Protocol	Protocol Type
Acct-Authentic	Access authentication protocol
NAS-Identifier	NAS device ID
Acct-status-type	Billing request message type
Calling-station-Id	MAC address of the device requiring authentication
Called-station-Id	MAC and the corresponding SSID of the AP
Framed-IP-Address	IP address of the device requiring authentication
NAS-IP-Address	IP address of the NAS device
NAS-port	User access port number
NAS-port-type	NAS device port type

10 , Radius The authentication server responds to the billing start request.

After receiving the billing request, the Radius authentication server sends a response to the TL-AC1000 and agrees to start billing.

11 Wireless device disconnection AP Wireless connection

The wireless device disconnects the AP.

12 , AP Disconnect the device AC

After the wireless connection is disconnected, the AP uploads the information to the AC.

13 , TL-AC1000 Direction Radius The authentication server sends a stop billing request

The AC sends a stop billing request to the Radius authentication server, including the IP address, MAC address, and total online duration of the corresponding device, as follows:

Parameters	Description
Acct-Session-Id	Indicates the unique identifier of the billing.
User-name	User name
NAS-Port-Id	User Access Port ID
Service-type	Service type
Framed-Protocol	Protocol Type
Acct-Authentic	Access authentication protocol
NAS-Identifier	NAS device ID
Acct-status-type	Billing request message type
Acct-Session-Time	Device online duration
Calling-station-Id	MAC address of the device requiring authentication
Called-station-Id	MAC and the corresponding SSID of the AP
Framed-IP-Address	IP address of the device requiring authentication
NAS-IP-Address	IP address of the NAS device
NAS-port	User access port number
NAS-port-type	NAS device port type

14 , Radius Authentication Server TL-AC1000 Response to billing end request

After receiving the billing end request sent by the AC, the Radius authentication server calculates and stops billing based on the device's online duration.

 

Note:

In addition to the client's active request disconnection, if the user account expires, the server will ActiveInitiate a disconnection request. The process is as follows:

1. When the user's account expires, the server will initiate a disconnection Request Disconnect-Request, which contains information:

Parameters	Description
User-name	Username for disconnection
Framed-IP-Address	User IP address to be disconnected

Note:If the Radius authentication server is on the Internet, Port ING must be performed on the front-end router to open the UDP3799 port of the AC.

2. When the AC1000 receives the disconnection request, it returns the response to the Radius server and disconnects the relevant device.

3. Disconnect related devices from AC1000.

 

With the TL-AC1000 built-in local authentication server, you can set free users and formal users two types:

Free users:Set the free Internet access duration as the billing standard.

Official users:Set the expiration time of your account as the billing standard.

You can use the official user's account expiration time to pay for monthly or yearly subscription. The process is as follows:

Steps 1 to 2 are the same as the process when using Radius to authenticate the server.

6 , Return the authentication result

TL-AC1000 according to the user name and password provided by the client, determine whether the user passes the authentication, if the user records, according to the user's IP address, MAC to the corresponding data access, and return the corresponding results. The free user returns the free duration, and the formal user returns the account validity period and other information.

7 Wireless device disconnection

The wireless device actively disconnects the wireless connection.

8 Wireless device disconnection

After the wireless device is disconnected, the AP uploads the message to the AC, and the AC records the related device information.

9 , TL-AC1000 Disconnect a wireless device.

If the user's account expires or the free duration is consumed during the wireless device's internet access period, the AC will automatically disconnect the wireless device, and the device needs to access the Internet for further authentication.