CN103402202B - Terminal access restriction method based on the 802.11 protocol in a WLAN - Google Patents

Terminal access restriction method based on the 802.11 protocol in a WLAN

Info

Publication number
CN103402202B
Authority
CN
China
Prior art keywords
terminal
request
content
associationrequest
mac address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310363562.8A
Other languages
Chinese (zh)
Other versions
CN103402202A (en)
Inventor
饶志恒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CICT Mobile Communication Technology Co Ltd
Original Assignee
Wuhan Hongxin Telecommunication Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Hongxin Telecommunication Technologies Co Ltd
Priority to CN201310363562.8A
Publication of CN103402202A
Application granted
Publication of CN103402202B

Landscapes

  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a terminal access restriction method based on the 802.11 protocol in a WLAN. The method extends the AssociationRequest protocol of the 802.11 link-layer terminal by adding an extended protocol part to the AssociationRequest; the extended protocol part comprises an element identifier, the encrypted terminal MAC address, and the string length of the encrypted terminal MAC address content. The terminal generates an AssociationRequest according to the extended protocol and sends it to the access device. After receiving the terminal's AssociationRequest, the access device takes out the content of the extended protocol part and verifies it, and allows access only if verification passes.

Description

Terminal access restriction method based on the 802.11 protocol in a WLAN
Technical field
The present invention relates to a method by which a WLAN access device restricts clients, and in particular to a method that extends the 802.11 link-layer protocol and adds authentication information to the terminal's access request in order to restrict terminal access.
Background
As an important supplement to and extension of wired networking, WLAN is advancing toward broadband, intelligent, multimedia and personalized services. New technologies, new systems and new services continue to emerge, gradually merging and differentiating; this has greatly promoted the development of wireless network technology and rapidly expanded its fields of application.
A wireless local area network based on the 802.11 protocol comprises elements such as the station (Station), distribution system (Distribution System, DS), access point (Access Point, AP), portal (Portal) and wireless access controller (AC). The key part is the wireless access and control system, comprising the access point (AP) and the wireless access controller (AC).
By restricting station access, an access point can protect network resources for authorized stations and avoid attacks on the access point by illegitimate stations. Access points currently restrict station access in the following two ways:
1. The AP restricts certain MAC addresses, allowing or refusing access by those MACs. The scope of this method is limited: it can only cover a finite number of MAC addresses.
2. The AP uses encryption, and a station needs a password to access. The encryption modes are WEP, WPA and WAPI. WEP uses a static password and is relatively easy to crack; WPA and WAPI encryption are relatively secure but need a third-party authentication server.
Summary of the invention
The object of the present invention is to provide a reliable method by which a WLAN access device restricts terminal access. The 802.11 link-layer protocol is extended so that the access request sent by the terminal device carries authentication information; the access device verifies this information and allows access only to terminals that satisfy the check.
The technical solution of the present invention provides a terminal access restriction method based on the 802.11 protocol in a WLAN:
The AssociationRequest protocol of the 802.11 link-layer terminal is extended by adding an extended protocol part to the AssociationRequest. The extended protocol part comprises an element identifier, the encrypted terminal MAC address, and the string length of the encrypted terminal MAC address content. The terminal generates an AssociationRequest according to the extended protocol and sends it to the access device.
After the access device receives the terminal's AssociationRequest, it takes out the content of the extended protocol part and verifies it, and allows access only if verification passes. Verification is implemented as follows:
The access device searches the AssociationRequest for the element identifier and, according to the string length of the encrypted terminal MAC address content, takes out the encrypted terminal MAC address. It then encrypts the terminal MAC address locally with the same encryption algorithm as the terminal and compares the locally encrypted result with the encrypted terminal MAC address extracted from the AssociationRequest. If they are identical, verification passes.
Compared with the prior art, the present invention has the following advantages:
1. The access device authenticates the terminal access request in the driver, so the access request of an illegitimate terminal needs no further parsing or authentication.
2. The 802.11 link-layer protocol is extended, and only a terminal whose driver has been modified can pass authentication, which improves reliability.
3. Compared with the method of restricting terminals by checking their MAC addresses, this method can restrict terminals in batches and can prevent access by illegitimate terminals that forge a MAC address.
Brief description of the drawings
Fig. 1 is a schematic diagram of the protocol format of the 802.11 terminal access request frame in the prior art.
Fig. 2 is a schematic diagram of the protocol format of the extension in the embodiment of the present invention.
Embodiment
The technical solution of the present invention is described in detail below with reference to the drawings and the embodiment.
The present invention extends the AssociationRequest protocol of the 802.11 link-layer terminal by adding an authentication part to the protocol. The terminal places the encrypted authentication information in the extended protocol part and sends it to the AP. After receiving the AssociationRequest of the STA, the AP takes out the content of the extended protocol and verifies the authentication information, and allows access only if verification passes. In the art, AssociationRequest denotes an association request. In a concrete implementation, the present invention is realized by modifying the drivers of the terminal and of the access point device.
The embodiment is implemented as follows:
A WLAN access device is used as the access point (AP). The driver of the WLAN terminal device is extended. Fig. 1 is the protocol format of the terminal access request frame, implemented on the basis of the standard 802.11 protocol format; an extended protocol given by the structure shown in Fig. 2 is added in the FrameBody.
As shown in Fig. 1, the protocol format of the terminal access request frame comprises:
FrameControl: frame control, 2 bytes.
Duration/ID: duration/ID, 2 bytes.
Address1: address 1, 6 bytes.
Address2: address 2, 6 bytes.
Address3: address 3, 6 bytes.
SequenceControl: sequence control, 2 bytes.
Address4: address 4, 6 bytes.
QOSControl: quality-of-service control, 2 bytes.
FrameBody: the frame body, 0 ~ 23124 bytes as specified by the standard protocol. In the prior art the FrameBody can contain multiple structures of the form shown in Fig. 2; the present invention adds one such structure to provide the extended protocol.
FCS: frame check sequence, 4 bytes.
As shown in Fig. 2, the added extended protocol part is the authentication part, comprising:
ElementID: the element identifier, 1 byte. In a concrete implementation, ElementID can be any reserved value not already used by the 802.11 standard protocol in the prior art, for example a value from 17 ~ 31, 45, or 51 ~ 126. In the embodiment, 70, one of the unused reserved values of the 802.11 protocol, is chosen as the ElementID for a given terminal. The access device extracts the corresponding authentication part using the same element identifier value.
Length: the string length of the encrypted terminal MAC address content, 1 byte.
Information: the encrypted terminal MAC address (that is, Address1 after encryption); its length in bytes equals the value of the Length field.
The terminal device adds data with the content of Fig. 2 to the access request frame of Fig. 1 and sends it to the designated access device.
The driver of the WLAN access device is extended. After receiving the access request frame of a terminal, the access device parses the content of the FrameBody, whose data is a sequence of structures of the form shown in Fig. 2. The access device finds the structure whose ElementID is 70 and, according to the value of Length, takes out the content of Information. It then encrypts Address1 of Fig. 1 with the encryption algorithm agreed with the terminal (that is, it encrypts locally with the same algorithm as the terminal) and compares the encrypted result with the content of Information. If they are identical, the terminal is one that is allowed to access. If the FrameBody contains no structure with ElementID 70, or the content of Information fails authentication, the terminal is not allowed to access.
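The access-device check described above, as an added example (not code from the patent): it walks the ElementID/Length/Information structures, extracts element 70 and compares it with a locally computed value. The patent does not name the agreed algorithm, so HMAC-SHA256 truncated to 16 bytes, the key, the MAC addresses and all function names are assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac

AUTH_ELEMENT_ID = 70  # ElementID chosen in the patent's embodiment


def mac_token(mac: bytes, key: bytes) -> bytes:
    """Assumed stand-in for the agreed algorithm: HMAC-SHA256, first 16 bytes."""
    return hmac.new(key, mac, hashlib.sha256).digest()[:16]


def build_auth_element(mac: bytes, key: bytes) -> bytes:
    """Terminal side: ElementID (1 byte) | Length (1 byte) | Information."""
    info = mac_token(mac, key)
    return bytes([AUTH_ELEMENT_ID, len(info)]) + info


def iter_elements(body: bytes):
    """Yield (element_id, information); reject a structure that overruns the body."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("dangling element header")
        eid, length = body[pos], body[pos + 1]
        end = pos + 2 + length
        if end > len(body):
            raise ValueError("Length field exceeds frame body")
        yield eid, body[pos + 2:end]
        pos = end


def allow_association(elements: bytes, mac: bytes, key: bytes) -> bool:
    """Access-device side: True only if exactly one valid element 70 is present."""
    try:
        found = [info for eid, info in iter_elements(elements)
                 if eid == AUTH_ELEMENT_ID]
    except ValueError:
        return False  # malformed body: refuse rather than guess
    if len(found) != 1:
        return False  # missing (or, as an added rule here, duplicated) element
    # Constant-time comparison of received and locally computed content
    return hmac.compare_digest(found[0], mac_token(mac, key))


# Constructed sample data (not from the patent)
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_MAC = bytes.fromhex("020000aabbcc")
OTHER_MAC = bytes.fromhex("020000ddeeff")
SAMPLE_ELEMENTS = (b"\x00\x03lab"                  # SSID element
                   + b"\x01\x04\x82\x84\x8b\x96"   # supported rates element
                   + build_auth_element(SAMPLE_MAC, SAMPLE_KEY))

if __name__ == "__main__":
    print(allow_association(SAMPLE_ELEMENTS, SAMPLE_MAC, SAMPLE_KEY))
    print(allow_association(SAMPLE_ELEMENTS, OTHER_MAC, SAMPLE_KEY))
```

The expected value is a fixed function of the MAC address and the shared secret, so it is identical in every request from a given terminal and carries no per-association freshness.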
The above example is a preferred embodiment of the present invention, but embodiments of the present invention are not limited to it. Any other change, modification, substitution, combination or simplification that does not depart from the spirit and principle of the present invention is an equivalent replacement and falls within the scope of protection of the present invention.

Claims (1)

1. A terminal access restriction method based on the 802.11 protocol in a WLAN, characterized in that:
The AssociationRequest protocol of the 802.11 link-layer terminal is extended by adding an extended protocol part to the AssociationRequest; the extended protocol part comprises an element identifier, the encrypted terminal MAC address, and the string length of the encrypted terminal MAC address content. The terminal generates an AssociationRequest according to the extended protocol and sends it to the access device;
After the access device receives the terminal's AssociationRequest, it takes out the content of the extended protocol part and verifies it, and allows access only if verification passes. Verification is implemented as follows:
The access device searches the AssociationRequest for the element identifier and, according to the string length of the encrypted terminal MAC address content, takes out the encrypted terminal MAC address. It then encrypts the terminal MAC address locally with the same encryption algorithm as the terminal and compares the locally encrypted result with the encrypted terminal MAC address extracted from the AssociationRequest. If they are identical, verification passes.
CN201310363562.8A 2013-08-20 2013-08-20 Terminal access restriction method based on the 802.11 protocol in a WLAN Active CN103402202B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310363562.8A CN103402202B (en) 2013-08-20 2013-08-20 Based on the terminal access restriction method of 802.11 agreements in WLAN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310363562.8A CN103402202B (en) 2013-08-20 2013-08-20 Based on the terminal access restriction method of 802.11 agreements in WLAN

Publications (2)

Publication Number Publication Date
CN103402202A CN103402202A (en) 2013-11-20
CN103402202B CN103402202B (en) 2016-03-16

Family

ID=49565701

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310363562.8A Active CN103402202B (en) 2013-08-20 2013-08-20 Terminal access restriction method based on the 802.11 protocol in a WLAN

Country Status (1)

Country Link
CN (1) CN103402202B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105263141A (en) * 2015-10-30 2016-01-20 广东美的制冷设备有限公司 Household electrical appliance and control method thereof
CN109714761A (en) * 2019-02-25 2019-05-03 成都瑞小博科技有限公司 A kind of method and system preventing MAC sniff

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805441A (en) * 2005-11-23 2006-07-19 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
US20100161959A1 (en) * 2008-12-23 2010-06-24 Kapil Sood Method and apparatus for extending transport layer security protocol for power-efficient wireless security processing

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805441A (en) * 2005-11-23 2006-07-19 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
US20100161959A1 (en) * 2008-12-23 2010-06-24 Kapil Sood Method and apparatus for extending transport layer security protocol for power-efficient wireless security processing

Also Published As

Publication number Publication date
CN103402202A (en) 2013-11-20

Similar Documents

Publication Publication Date Title
US10243954B2 (en) Access network assisted bootstrapping
US8503358B2 (en) Wireless device registration, such as automatic registration of a Wi-Fi enabled device
CN105027529B (en) Method and apparatus for verifying user's access to Internet resources
US10477397B2 (en) Method and apparatus for passpoint EAP session tracking
CN106211152A (en) A kind of wireless access authentication method and device
CN108738019B (en) User authentication method and device in converged network
US20110055569A1 (en) Roaming authentication method based on wapi
CN101599967B (en) Authorization control method and system based on 802.1x authentication system
CN110383762A (en) A kind of methods, devices and systems of implementation strategy control
CN101785343B (en) Method, system and device for fast transitioning resource negotiation
CN105409249A (en) Machine-to-machine bootstrapping
KR20160122992A (en) Integrative Network Management Method and Apparatus for Supplying Connection between Networks Based on Policy
CN102547701A (en) Authentication method and wireless access point as well as authentication server
CN102957678B (en) Certification IP telephone machine and consult the method for voice domain, system and equipment
EP4057658A1 (en) Machine-card verification method applied to minimalist network, and related device
WO2017012204A1 (en) Wireless connection method, terminal, wireless access point and computer storage medium
CN106790086A (en) A kind of safety access method and device of electric power VoLTE business
KR20190014719A (en) System for controlling admission and the method thereof
CN102761940B (en) A kind of 802.1X authentication method and equipment
CN103442359A (en) Sensor node authentication method and system based on short distance wireless access mode
CN109391937A (en) Acquisition methods, equipment and the system of public key
Shamshad et al. Comments on “a multi-factor user authentication and key agreement protocol based on bilinear pairing for the internet of things”
CN102215515B (en) Data processing method, communication system and related equipment
CN103402202B (en) Based on the terminal access restriction method of 802.11 agreements in WLAN
CN102624692A (en) User identity authentication avoiding method based on hypertext transport protocol (HTTP)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 430205 Hubei city of Wuhan province Jiangxia Hidden Dragon Island Tan lake two Road No. 1

Patentee after: CITIC Mobile Communication Technology Co., Ltd

Address before: 430073 Hubei province Wuhan Dongxin East Lake high tech Development Zone, Road No. 5

Patentee before: Wuhan Hongxin Telecommunication Technologies Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 430205 No.1 tanhu 2nd Road, Canglong Island, Jiangxia District, Wuhan City, Hubei Province

Patentee after: CITIC Mobile Communication Technology Co.,Ltd.

Address before: 430205 No.1 tanhu 2nd Road, Canglong Island, Jiangxia District, Wuhan City, Hubei Province

Patentee before: CITIC Mobile Communication Technology Co., Ltd
