In a wireless networking environment, access terminals need to be authenticated and billed. To meet this demand, Portal authentication on the TL-AC1000 provides the corresponding authentication and billing interfaces. Users can connect to a third-party authentication server as needed, or use the AC's built-in authentication server for authentication and billing.
For the Portal authentication and billing settings on the TL-AC1000, see "[TL-AC1000] Typical Portal features configuration case".
This article describes the authentication and billing procedures and specifications for using Radius and local authentication servers.
Note: Billing is available on the TL-AC1000 only after it has been upgraded to version 1.2.0 Build 20151125 Rel.51471.
Radius authentication billing type supported by TL-AC1000:
Only billing by time is supported. After a wireless terminal is connected to the wireless network, the process of normal authentication and billing is as follows:
Portal authentication flowchart
Authentication and billing process:
1. The wireless terminal connects to Wi-Fi and accesses any Internet site
After the authentication policy is configured and the network is connected, connect the wireless client to the Wi-Fi signal broadcast by the AP and open a browser to access any Internet site. This triggers Portal authentication.
2. The AP intercepts the wireless client's Internet GET request and redirects it to the WEB server
A GET packet sent to the Internet by an unauthenticated wireless client is intercepted by the AP, and the AP returns a redirection entry to the client: http://www.abc.com/?Pagetype=xxx&vlan=xxx&staMac=xxx&staIp=xxx&apMac=xxx&apIp=xxx
This entry contains the following valid information:
| Parameter | Description |
|---|---|
| www.abc.com | WEB server address |
| Pagetype | Marks the different authentication methods |
| vlan | VLAN to which the client belongs |
| staMac | MAC address of the client |
| staIp | IP address of the client |
| apMac | MAC address of the AP device connected to the client |
| apIp | IP address of the AP device connected to the client |
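
The redirection parameters above reach the WEB server through the client's browser, so a third-party WEB server should validate them before using or forwarding them. The following is an added example, not TP-Link code: `parse_redirect`, the accepted MAC notation, the VLAN range and every sample value are assumptions, since the page gives all values only as "xxx".

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names exactly as they appear in the redirection entry above.
REQUIRED = ("Pagetype", "vlan", "staMac", "staIp", "apMac", "apIp")
# Assumption: MAC addresses are six hex pairs joined by ':' or by '-'.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")


def parse_redirect(url):
    """Return the validated, normalized parameters or raise ValueError."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for name in REQUIRED:
        values = query.get(name, [])
        # A repeated parameter is ambiguous: the WEB server and the AC
        # could each pick a different copy, so reject it outright.
        if len(values) != 1 or not values[0]:
            raise ValueError(f"{name}: expected exactly one non-empty value")
        params[name] = values[0]
    # Pagetype values are not documented on the page, so only presence is checked.
    if not re.fullmatch(r"[0-9]{1,4}", params["vlan"]) or int(params["vlan"]) > 4094:
        raise ValueError("vlan: not a valid VLAN ID")
    params["vlan"] = int(params["vlan"])
    for name in ("staMac", "apMac"):
        if not MAC_RE.fullmatch(params[name]):
            raise ValueError(f"{name}: not a MAC address")
        params[name] = params[name].replace("-", ":").lower()
    for name in ("staIp", "apIp"):
        # IPv4Address raises a ValueError subclass on malformed input.
        params[name] = str(ipaddress.IPv4Address(params[name]))
    return params


# Constructed sample URL with made-up values.
SAMPLE = ("http://www.abc.com/?Pagetype=1&vlan=10&staMac=00-00-5E-00-53-AA"
          "&staIp=192.168.1.50&apMac=00-00-5E-00-53-01&apIp=192.168.1.2")

if __name__ == "__main__":
    print(parse_redirect(SAMPLE))
```
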
3. The wireless terminal accesses the WEB server
The wireless terminal establishes a connection with the WEB server based on the redirection entry returned in step 2.
4. The WEB server returns the authentication page to the wireless terminal
The WEB server returns the authentication logon page to the wireless terminal.
5. The wireless terminal submits the user name and password to the TL-AC1000
Enter the user name and password on the authentication login page pushed by the WEB server and click Login. The user name, password, vlan, staMac, staIp, apMac, apIp and other parameters are submitted to the TL-AC1000 with a GET request, and the AC records this information.
6. The TL-AC1000 submits the authentication information to the Radius authentication server
After obtaining the information submitted by the client, the TL-AC1000 determines the device to be authenticated from the vlan, staMac, staIp, apMac and apIp parameters, and then submits all the parameters to the authentication server for authentication. The parameters include:
| Parameter | Description |
|---|---|
| User-Name | User name |
| NAS-Identifier | NAS device ID |
| Calling-Station-Id | MAC address of the device requiring authentication |
| Called-Station-Id | MAC address of the AP and the corresponding SSID |
| Framed-IP-Address | IP address of the device requiring authentication |
| NAS-IP-Address | IP address of the NAS device |
| NAS-Port | User access port number |
| NAS-Port-Type | NAS device port type |
| User-Password | Encrypted password |
7. The Radius authentication server returns the authentication result to the TL-AC1000
The authentication server checks whether the user passes authentication based on the information submitted by the TL-AC1000. If the user does not pass authentication, the Radius server notifies the NAS that the user is invalid. If the user passes authentication, the server records the related information of the device and returns the authentication result to the TL-AC1000. The result includes the following parameters:
| Parameter | Description |
|---|---|
| Connect-Info | Radius server information |
| Framed-IP-Address | IP address provided for the user |
| Framed-Routing | Routing method set for a router user |
| Framed-MTU | Maximum transmission unit configured for the user |
| Session-Timeout | Session duration available to the user |
| Idle-Timeout | Maximum time an online user is allowed to stay idle |
| Acct-Interim-Interval | Real-time billing interval (the AC1000 currently does not support real-time billing at intervals; it bills only by the total connection time at the time of the last disconnection) |
8. The TL-AC1000 returns the authentication result to the wireless terminal
The TL-AC1000 returns the corresponding authentication result to the wireless terminal based on the result returned by the authentication server. If the authentication succeeds, the AC allows the data traffic of the corresponding device based on the previously recorded vlan, staMac, staIp, apMac and apIp parameters.
9. The TL-AC1000 sends a billing start request to the Radius authentication server
The TL-AC1000 submits the IP address, MAC address and other information of the corresponding device to the Radius authentication server and requests that billing start. The submitted information includes:
| Parameter | Description |
|---|---|
| Acct-Session-Id | Unique identifier of the billing session |
| User-Name | User name |
| NAS-Port-Id | User access port ID |
| Service-Type | Service type |
| Framed-Protocol | Protocol type |
| Acct-Authentic | Access authentication protocol |
| NAS-Identifier | NAS device ID |
| Acct-Status-Type | Billing request message type |
| Calling-Station-Id | MAC address of the device requiring authentication |
| Called-Station-Id | MAC address of the AP and the corresponding SSID |
| Framed-IP-Address | IP address of the device requiring authentication |
| NAS-IP-Address | IP address of the NAS device |
| NAS-Port | User access port number |
| NAS-Port-Type | NAS device port type |
10. The Radius authentication server responds to the billing start request
After receiving the billing request, the Radius authentication server sends a response to the TL-AC1000 and agrees to start billing.
11. The wireless device disconnects its wireless connection to the AP
The wireless device disconnects from the AP.
12. The AP reports the device disconnection to the AC
After the wireless connection is disconnected, the AP uploads the information to the AC.
13. The TL-AC1000 sends a stop billing request to the Radius authentication server
The AC sends a stop billing request to the Radius authentication server, including the IP address, MAC address and total online duration of the corresponding device, as follows:
| Parameter | Description |
|---|---|
| Acct-Session-Id | Unique identifier of the billing session |
| User-Name | User name |
| NAS-Port-Id | User access port ID |
| Service-Type | Service type |
| Framed-Protocol | Protocol type |
| Acct-Authentic | Access authentication protocol |
| NAS-Identifier | NAS device ID |
| Acct-Status-Type | Billing request message type |
| Acct-Session-Time | Device online duration |
| Calling-Station-Id | MAC address of the device requiring authentication |
| Called-Station-Id | MAC address of the AP and the corresponding SSID |
| Framed-IP-Address | IP address of the device requiring authentication |
| NAS-IP-Address | IP address of the NAS device |
| NAS-Port | User access port number |
| NAS-Port-Type | NAS device port type |
14. The Radius authentication server responds to the TL-AC1000's billing end request
After receiving the billing end request sent by the AC, the Radius authentication server calculates and stops billing based on the device's online duration.
Note:
In addition to disconnection actively requested by the client, if the user account expires, the server will actively initiate a disconnection request. The process is as follows:
1. When the user's account expires, the server initiates a disconnection request (Disconnect-Request), which contains the following information:
| Parameter | Description |
|---|---|
| User-Name | User name to be disconnected |
| Framed-IP-Address | IP address of the user to be disconnected |
Note: If the Radius authentication server is on the Internet, port mapping must be configured on the front-end router to open UDP port 3799 of the AC.
2. When the AC1000 receives the disconnection request, it returns a response to the Radius server and disconnects the relevant device.
3. The AC1000 disconnects the related devices.
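
Because UDP port 3799 of the AC is reachable from the Internet in that setup, the only proof that a Disconnect-Request is genuine is its Request Authenticator, computed with the shared secret as defined in RFC 5176; the Accounting-Request packets of steps 9 and 13 use the same rule (RFC 2866). The following is an added example of that standard check, not TL-AC1000 code; the function names and sample values are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST = 40              # packet code, RFC 5176
USER_NAME, FRAMED_IP_ADDRESS = 1, 8  # attribute types, RFC 2865


def request_authenticator(header, attrs, secret):
    # Same rule as Accounting-Request (RFC 2866): MD5 over the header,
    # sixteen zero octets, the attributes and the shared secret.
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_disconnect_request(ident, user, ip, secret):
    """Server side: used here only to construct a sample packet."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(ip).packed
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs


def check_disconnect_request(packet, secret):
    """AC side: return (user, ip) for an authentic request, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(packet):
        return None
    packet = packet[:length]          # octets beyond Length are padding
    attrs = packet[20:]
    expected = request_authenticator(packet[:4], attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                   # wrong secret or modified in transit
    fields, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return None               # malformed attribute
        fields[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    if USER_NAME not in fields or len(fields.get(FRAMED_IP_ADDRESS, b"")) != 4:
        return None
    ip = str(ipaddress.IPv4Address(fields[FRAMED_IP_ADDRESS]))
    return fields[USER_NAME].decode("utf-8", "replace"), ip


# Constructed sample values.
SECRET = b"example-shared-secret"
SAMPLE = build_disconnect_request(7, b"alice", "192.168.1.50", SECRET)
```

The check proves only that the sender knows the shared secret; limiting the port mapping on the front-end router to the Radius server's source address narrows who can reach UDP 3799 at all.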
With the TL-AC1000's built-in local authentication server, you can set up two types of users: free users and formal users.
Free users: The free Internet access duration is the billing standard.
Formal users: The expiration time of the account is the billing standard.
You can use a formal user's account expiration time to implement monthly or yearly subscription billing. The process is as follows:
Steps 1 to 2 are the same as in the process that uses a Radius authentication server.
6. Return the authentication result
Based on the user name and password provided by the client, the TL-AC1000 determines whether the user passes authentication. If so, it records the user, allows the corresponding data traffic based on the user's IP address and MAC address, and returns the corresponding result. A free user is returned the free duration, and a formal user is returned the account validity period and other information.
7. Wireless device disconnection
The wireless device actively disconnects the wireless connection.
8. Wireless device disconnection
After the wireless device is disconnected, the AP uploads the message to the AC, and the AC records the related device information.
9. The TL-AC1000 disconnects a wireless device
If the user's account expires or the free duration is used up while the wireless device is accessing the Internet, the AC automatically disconnects the wireless device, and the device must authenticate again before it can continue to access the Internet.