Method for restricting terminal access in a WLAN based on the 802.11 protocol
Technical field
The present invention relates to a method by which a WLAN access device restricts client access, and in particular to a method that extends the 802.11 link-layer protocol so that authentication information is added to the terminal's access request in order to restrict terminal access.
Background technology
WLAN, as an important supplement to and extension of wired networking, is developing in the direction of broadband, intelligence, multimedia and personalization. New technologies, systems and services continue to emerge, converge and diverge, greatly promoting the development of wireless network technology and rapidly expanding the fields in which networks are applied.
A WLAN (wireless local area network) based on the 802.11 protocol comprises elements such as the station (Station, STA), the distribution system (DistributionSystem, DS), the access point (AccessPoint, AP), the portal (Portal) and the wireless access controller (AC). The crucial part is the wireless access and control system, which comprises the access point (AP) and the wireless access controller (AC).
By restricting station access, the access point can reserve network resources for authorized stations and prevent attacks on the access point by unauthorized stations. At present, access points restrict station access in the following two ways:
1. The AP restricts access by MAC address, allowing or denying a configured set of MAC addresses. The scope of this method is limited: it can only cover a finite number of MAC addresses.
2. The AP enables encryption, so that a station needs a password to connect. The encryption modes are WEP, WPA and WAPI. WEP uses a static password and is relatively easy to crack; WPA and WAPI are comparatively secure but require a third-party authentication server.
Summary of the invention
The object of the present invention is to provide a reliable method by which a WLAN access device restricts terminal access. The 802.11 link-layer protocol is extended so that authentication information is added to the access request sent by the terminal equipment; the access device verifies this authentication information and permits access only when it is satisfactory.
The technical scheme of the present invention provides a method for restricting terminal access in a WLAN based on the 802.11 protocol:
The AssociationRequest protocol of the 802.11 link-layer terminal is extended by adding an extended-protocol part to the AssociationRequest. The extended-protocol part comprises an element identifier, the content obtained by encrypting the terminal MAC address, and the string length of that encrypted content. The terminal generates an AssociationRequest according to the extended AssociationRequest protocol and sends it to the access device.
After the access device receives the terminal's AssociationRequest, it takes out the content of the extended-protocol part and verifies it; access is allowed only if verification succeeds. Verification is implemented as follows:
The access device searches the AssociationRequest for the element identifier and, using the string length of the encrypted terminal MAC address, takes out the encrypted content. It then encrypts the terminal MAC address locally with the same cryptographic algorithm the terminal uses, and compares the locally encrypted result with the encrypted terminal MAC address taken from the AssociationRequest; if they match, verification passes.
Compared with the prior art, the present invention has the following advantages:
1. The access device authenticates the terminal's access request directly in the driver, so the access request of an unauthorized terminal needs no further parsing.
2. Because the 802.11 link-layer protocol is extended, only terminals with a modified driver can pass authentication, which improves reliability.
3. Compared with restricting terminals by matching their MAC addresses, this method can restrict terminals in batches and can prevent access by an unauthorized terminal that forges its MAC address.
Description of the drawings
Fig. 1 is a schematic diagram of the protocol format of an 802.11 terminal access request frame in the prior art.
Fig. 2 is a schematic diagram of the protocol format extended in the embodiment of the present invention.
Embodiment
The technical solution of the present invention is described in detail below with reference to the drawings and embodiments.
The present invention proposes extending the AssociationRequest protocol of the 802.11 link-layer terminal by adding an authentication part to the protocol. The terminal places the encrypted authentication information in the extended-protocol part and sends it to the AP; after receiving the STA's AssociationRequest, the AP takes out the content of the extended protocol, verifies the authentication information, and allows access only if verification succeeds. In the art, AssociationRequest denotes the association request. In a concrete implementation, the present invention is realized by modifying the drivers of the terminal and of the access point apparatus.
The embodiment is realized as follows:
A WLAN access device is adopted as the access point (AP). The driver of the WLAN terminal equipment is extended. Fig. 1 shows the protocol format of the terminal access request frame; the implementation is based on the standard 802.11 protocol format, and an extended protocol, provided by the structure shown in Fig. 2, is added to the FrameBody.
As shown in Fig. 1, the protocol format of the terminal access request frame comprises:
FrameControl is the frame control field and occupies 2 bytes.
Duration/ID is the duration/ID field and occupies 2 bytes.
Address1 is address 1 and occupies 6 bytes.
Address2 is address 2 and occupies 6 bytes.
Address3 is address 3 and occupies 6 bytes.
SequenceControl is the sequence control field and occupies 2 bytes.
Address4 is address 4 and occupies 6 bytes.
QOSControl is the quality-of-service control field and occupies 2 bytes.
FrameBody is the frame body; by the standard protocol it occupies 0 to 23124 bytes. In the prior art the FrameBody can contain multiple structures of the form shown in Fig. 2; the present invention adds one more such structure to provide the extended protocol.
FCS is the frame check sequence and occupies 4 bytes.
As shown in Fig. 2, the added extended-protocol part is the authentication part and comprises:
ElementID is the element identifier and occupies 1 byte. In a concrete implementation, ElementID may be chosen from the reserved values not taken by the 802.11 standard protocol in the prior art, for example from 17 to 31, 45, or 51 to 126. In the embodiment, 70, an unused reserved value of the 802.11 protocol, is chosen as the ElementID corresponding to a given terminal. The access device extracts the corresponding authentication part according to the same element identifier value.
Length is the string length of the content obtained by encrypting the terminal MAC address and occupies 1 byte.
Information is the content obtained by encrypting the terminal MAC address (that is, the encrypted content of Address1); its byte length equals the value of the Length field.
The terminal equipment adds the data with the content of Fig. 2 to the access request frame of Fig. 1 and sends it to the designated access device.
The driver of the WLAN access device is extended. After receiving the terminal's access request frame, the access device parses the content of the FrameBody, in which the data is a concatenation of multiple structures of the form shown in Fig. 2. The access device finds the structure whose ElementID is 70 and, according to the Length, takes out the content of Information. It then encrypts Address1 of Fig. 1 with the cryptographic algorithm agreed with the terminal (that is, it encrypts locally on the access device with the same algorithm as the terminal) and compares the encrypted result with the content of Information; if they match, the terminal is one that is allowed access. If no structure with ElementID 70 is found in the FrameBody, or the content of Information does not pass authentication, the terminal is not allowed access.
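As an added worked example, not code from the patent, the following Python builds a FrameBody containing the Fig. 2 element on the terminal side and performs the access device's check described above, covering both the element layout and the verification step. The patent leaves the "cryptographic algorithm agreed with the terminal" unspecified; the example assumes an HMAC-SHA256 over the MAC address under a pre-shared key as a stand-in, and the SSID, rate set and MAC values are constructed.

```python
import hashlib
import hmac
import struct

EXT_ELEMENT_ID = 70                      # reserved ElementID used in the embodiment
SHARED_KEY = b"constructed-demo-key"     # assumption: key pre-shared by terminal and AP
TOKEN_LEN = 16                           # assumption: value carried in the Length field

def mac_token(mac: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Stand-in for 'encrypting the terminal MAC address': HMAC-SHA256, truncated."""
    return hmac.new(key, mac, hashlib.sha256).digest()[:TOKEN_LEN]

def build_frame_body(mac: bytes, ssid: bytes) -> bytes:
    """Terminal side: standard SSID (ID 0) and Supported Rates (ID 1) elements,
    followed by the Fig. 2 element {ElementID, Length, Information}."""
    elements = [
        (0, ssid),
        (1, bytes([0x82, 0x84, 0x8B, 0x96])),   # constructed rate set
        (EXT_ELEMENT_ID, mac_token(mac)),
    ]
    return b"".join(struct.pack("BB", eid, len(val)) + val for eid, val in elements)

def parse_elements(body: bytes) -> dict:
    """Walk the FrameBody as a sequence of {ID, Length, value} structures."""
    elements, pos = {}, 0
    while pos + 2 <= len(body):
        eid, length = struct.unpack_from("BB", body, pos)
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:             # truncated element: stop parsing
            break
        elements[eid] = value
        pos += 2 + length
    return elements

def ap_accepts(mac: bytes, body: bytes) -> bool:
    """Access device side: find ElementID 70, recompute the token for the MAC
    carried in the frame header, and compare. A missing element means reject."""
    info = parse_elements(body).get(EXT_ELEMENT_ID)
    if info is None:
        return False
    return hmac.compare_digest(info, mac_token(mac))

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")      # constructed terminal MAC
    body = build_frame_body(mac, b"demo-ssid")
    print("genuine terminal:", ap_accepts(mac, body))
    print("forged MAC, same body:", ap_accepts(bytes.fromhex("665544332211"), body))
```

Note that the Information field travels unencrypted inside the management frame, so the check only establishes that the sender presented a value bound to the MAC in the header; it restricts access but is not a substitute for WPA-class authentication.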
The above example is a preferred embodiment of the present invention, but the embodiments of the present invention are not restricted to it; any change, modification, substitution, combination or simplification made without departing from the spirit and principles of the present invention is an equivalent substitute and is included within the protection scope of the present invention.