CN104837136A - Wireless access authentication method and device - Google Patents

Publication number: CN104837136A
Application number: CN201510176094.2A
Authority: CN (China)
Legal status: Granted
Other versions: CN104837136B
Other languages: Chinese (zh)
Inventor: 曾旭明
Current Assignee: Technology Co Ltd Of Xin Ruiwang Section Of Shenzhen
Original Assignee: Technology Co Ltd Of Xin Ruiwang Section Of Shenzhen
Prior art keywords: authentication, authentication mode, access point, terminal, user

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security

Abstract

The invention provides a wireless access authentication method and device. The method comprises: receiving an access point detecting request from a terminal, wherein the access point detecting request carries a service set identifier (SSID) and user characteristic information; according to the access point detecting request, querying a user authentication table for the authentication mode identifier corresponding to the user characteristic information; after the authentication mode identifier corresponding to the user characteristic information is found, allocating a virtual basic service set identifier (BSSID) and returning detection response information carrying the authentication mode identifier and the virtual BSSID to the terminal, so that the terminal performs authentication according to the virtual BSSID using the authentication mode that matches the authentication mode identifier. The wireless access authentication method and device do not leak information about the access point provider and provide good security.

Description

Wireless access authentication method and device
Technical field
The present invention relates to the field of wireless communication technology, and in particular to a wireless access authentication method and device.
Background art
At present, most enterprises, shopping malls, hotels and entertainment venues offer wireless Internet service. Current wireless access authentication methods usually apply different authentication modes to different groups of users by setting up access points (Access Point, abbreviated AP) with multiple SSIDs (service set identifiers); the user selects one of them to access, so that different users are authenticated in different ways.
However, because current wireless access authentication methods apply different authentication modes to different users, they need to use different service set identifiers. For the access point provider, to make it easy for users to find the access point, the SSID of an access point is usually related to the provider's organizational structure; for example, it may be set to the pinyin abbreviation of a department name. This reveals the organizational structure of the access point provider and causes a security problem.
Summary of the invention
In view of this, and to address the security problem of current wireless access authentication methods that apply different authentication modes to different users, it is necessary to provide a wireless access authentication method and device.
A wireless access authentication method, the method comprising:
receiving an access point probe request from a terminal, the access point probe request carrying a service set identifier and user characteristic information;
according to the access point probe request, querying a user authentication table for the authentication mode identifier corresponding to the user characteristic information;
after the authentication mode identifier corresponding to the user characteristic information is found, allocating a virtual basic service set identifier, and
returning to the terminal probe response information carrying the authentication mode identifier and the virtual basic service set identifier, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
A wireless access authentication method, the method comprising:
sending an access point probe request to an access point, the access point probe request carrying a service set identifier and user characteristic information;
receiving the probe response information that the access point sends after finding, in a user authentication table, the authentication mode identifier corresponding to the user characteristic information, the probe response information carrying the authentication mode identifier and the virtual basic service set identifier allocated after the authentication mode identifier corresponding to the user characteristic information was found;
performing authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
A wireless access authentication device, the device comprising:
an access point probe request receiving module, configured to receive an access point probe request from a terminal, the access point probe request carrying a service set identifier and user characteristic information;
a query module, configured to query, according to the access point probe request, a user authentication table for the authentication mode identifier corresponding to the user characteristic information;
an authentication service module, configured to allocate a virtual basic service set identifier after the authentication mode identifier corresponding to the user characteristic information is found, and to return to the terminal probe response information carrying the authentication mode identifier and the virtual basic service set identifier, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
A wireless access authentication device, the device comprising:
an access point probe request sending module, configured to send an access point probe request to an access point, the access point probe request carrying a service set identifier and user characteristic information;
a probe response information receiving module, configured to receive the probe response information that the access point sends after finding, in a user authentication table, the authentication mode identifier corresponding to the user characteristic information, the probe response information carrying the authentication mode identifier and the virtual basic service set identifier allocated after the authentication mode identifier corresponding to the user characteristic information was found;
an authentication execution module, configured to perform authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
With the above wireless access authentication method and device, the terminal sends a probe request carrying the service set identifier to the access point, the access point finds the authentication mode identifier corresponding to the user characteristic information in the user authentication table and allocates a virtual basic service set identifier, and the terminal can then perform authentication according to this virtual basic service set identifier using the authentication mode that matches the authentication mode identifier. In this way, different users all use one unified service set identifier to request access to the wireless access point, and the different authentication modes are distinguished by the virtual basic service set identifier, so no information about the access point provider is revealed and security is high.
Brief description of the drawings
Fig. 1 is a diagram of the application environment of the wireless access authentication system in one embodiment;
Fig. 2 is a flow diagram of the wireless access authentication method in one embodiment;
Fig. 3 is a flow diagram of the step, in one embodiment, of returning to the terminal the probe response information carrying the authentication mode identifier and the virtual basic service set identifier, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier;
Fig. 4 is a flow diagram of the step, in one embodiment, of returning authentication response information to the terminal, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier;
Fig. 5 is a flow diagram of the wireless access authentication method in another embodiment;
Fig. 6 is a flow diagram of the wireless access authentication method in yet another embodiment;
Fig. 7 is a flow diagram of the step of requesting authentication from the access point in one embodiment;
Fig. 8 is a flow diagram of the step of requesting association with the access point in one embodiment;
Fig. 9 is a structural block diagram of the wireless access authentication device in one embodiment;
Fig. 10 is a structural block diagram of the authentication service module of Fig. 9 in one embodiment;
Fig. 11 is a structural block diagram of the authentication response module of Fig. 10 in one embodiment;
Fig. 12 is a structural block diagram of the wireless access authentication device in another embodiment;
Fig. 13 is a structural block diagram of the wireless access authentication device in yet another embodiment;
Fig. 14 is a structural block diagram of the wireless access authentication device in one embodiment.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and are not intended to limit it.
As shown in Fig. 1, in one embodiment a wireless access authentication system 100 is provided, comprising an access point 102 and a terminal 104. The access point 102 is currently the most commonly used device for setting up a small wireless local area network. The access point 102 is a bridge connecting the wired network and the wireless network; its main function is to connect the terminal 104 wirelessly to the Ethernet. The access point 102 may specifically be a wireless router, a wireless gateway, a wireless bridge or the like. The terminal 104 may be a desktop computer, a portable computer or a mobile terminal; mobile terminals include but are not limited to smartphones, tablet computers and e-readers.
As shown in Fig. 2, in one embodiment a wireless access authentication method is provided; this embodiment is described with the method applied to the access point 102 of the wireless access authentication system 100 above. The method specifically comprises the following steps:
Step 202: receive an access point probe request from a terminal, the access point probe request carrying a service set identifier and user characteristic information.
The service set identifier (Service Set Identifier) is abbreviated SSID. An SSID can be used to divide a wireless local area network into several sub-networks that require different identity verification; each sub-network requires independent authentication, and only users who pass authentication can enter the corresponding sub-network, which prevents unauthorized users from entering it.
User characteristic information is information that uniquely distinguishes a user; it may be the MAC (Media Access Control) address of the terminal or the serial number of the terminal. In one embodiment, the user characteristic information may also be a user account. A user account can be represented by a character string that includes at least one of digits, symbols and letters.
The access point may broadcast Beacon information; this beacon information contains the service set identifier and is used to let terminals discover the access point. After detecting the beacon information, the terminal sends an access point probe request carrying the service set identifier and the user characteristic information, which the access point receives. Alternatively, in one embodiment, the access point may not broadcast beacon information; instead the terminal broadcasts the access point probe request, and the access point detects it.
Step 204: according to the access point probe request, query the user authentication table for the authentication mode identifier corresponding to the user characteristic information.
The user authentication table is edited and generated by an administrator. It may be stored locally on the access point or on a designated server and fetched when needed, and it may be encrypted. The user authentication table contains preset correspondences between user characteristic information and authentication mode identifiers. If the table contains a correspondence between the user characteristic information carried in the access point probe request and an authentication mode identifier, the authentication mode identifier corresponding to the user characteristic information is found. If the user characteristic information carried in the access point probe request is not in the table, or is in the table but has no corresponding authentication mode identifier, the authentication mode identifier corresponding to the user characteristic information is not found.
For example, the user authentication table can take the form of Table 1:
Table 1:
User characteristic information (MAC address)    Authentication mode identifier
-------------------------------------------    ------------------------------
00:11:22:33:44:55                              OPEN-WEB
00:11:22:33:44:56                              WPA2-PSK
00:11:22:33:44:57                              RADIUS
In Table 1, the authentication mode identifier corresponding to the MAC address "00:11:22:33:44:55" is "OPEN-WEB", meaning that the OPEN-WEB authentication mode is used for the user of the terminal whose MAC address is "00:11:22:33:44:55". The authentication mode identifier may be WEP, WPA, WPA2, WPA-PSK, WPA2-PSK, RADIUS, Portal or the like, indicating respectively that the WEP, WPA, WPA2, WPA-PSK, WPA2-PSK, RADIUS or Portal authentication mode is used for the corresponding terminal user.
The OPEN-WEB authentication mode is a Web authentication mode: when the user goes online through the terminal, any web page the terminal accesses is redirected to a specific website for authentication. WEP stands for Wired Equivalent Privacy; the WEP protocol encrypts the data transmitted wirelessly between two devices, to prevent unauthorized users from eavesdropping on or intruding into the wireless network.
WPA stands for Wi-Fi Protected Access. Wi-Fi is a technology for connecting to a network by radio waves. WPA is a way of protecting the network security of wireless devices, and WPA2 is an improved version based on WPA. WPA-PSK is the pre-shared-key Wi-Fi Protected Access protocol, and WPA2-PSK is the pre-shared-key Wi-Fi Protected Access protocol based on WPA2. The Portal authentication mode is also a Web authentication mode, and RADIUS (Remote Authentication Dial In User Service) is an authentication mode with a C/S (client/server) structure.
Step 206: after the authentication mode identifier corresponding to the user characteristic information is found, allocate a virtual basic service set identifier, and return to the terminal probe response information carrying the authentication mode identifier and the virtual basic service set identifier, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
The basic service set identifier (Basic Service Set Identifier), abbreviated BSSID, is the unique identifier of a BSS. BSS is the abbreviation of Basic Service Set, the basic building block of an 802.11 wireless network, formed by a group of stations that communicate with each other. In a traditional infrastructure network, the BSSID is the MAC address of the access point.
After the authentication mode identifier corresponding to the user characteristic information is found in the user authentication table, a virtual BSSID corresponding to the SSID is allocated. The access point may allocate the virtual BSSID by directly creating a new one.
In one embodiment, step 206 comprises: allocating the virtual BSSID according to the authentication mode identifier. In this embodiment, each authentication mode identifier is allocated its own virtual BSSID, and identical authentication mode identifiers are allocated the same virtual BSSID, which makes it easy to manage and control terminals that use different authentication modes separately.
The access point generates probe response information containing the authentication mode identifier that was found and the virtual BSSID that was allocated, and returns it to the terminal. The probe response information indicates that the corresponding authentication mode identifier was found and notifies the terminal of it. In one embodiment, if the authentication mode identifier corresponding to the user characteristic information is not found in the user authentication table, the access point probe request is rejected and no probe response information is returned to the terminal.
After receiving the probe response information, the terminal may, directly or after further steps, perform authentication according to the virtual BSSID using the authentication mode that matches the authentication mode identifier. Depending on the authentication mode used, authentication may be carried out directly between the access point and the terminal, or the terminal's request to access the network through the access point may be authenticated with the help of an authentication server.
With the above wireless access authentication method, the terminal sends a probe request carrying the SSID to the access point, the access point finds the authentication mode identifier corresponding to the user characteristic information in the user authentication table and allocates a virtual BSSID, and the terminal can then perform authentication according to this virtual BSSID using the authentication mode that matches the authentication mode identifier. In this way, different users all use one unified SSID to request access to the wireless access point, and the different authentication modes are distinguished by the virtual BSSID, so no information about the access point provider is revealed and security is high. In addition, the terminals under the same virtual BSSID can be managed together, which makes it convenient to control the traffic behavior of each terminal.
As shown in Fig. 3, in one embodiment, the step in step 206 of returning to the terminal the probe response information carrying the authentication mode identifier and the virtual BSSID, so that the terminal performs authentication according to the virtual BSSID using the authentication mode that matches the authentication mode identifier, specifically comprises the following steps:
Step 302: return to the terminal the probe response information carrying the authentication mode identifier and the virtual BSSID.
The access point generates probe response information containing the authentication mode identifier that was found and the virtual BSSID that was allocated, and returns it to the terminal. The probe response information indicates that the corresponding authentication mode identifier was found and notifies the terminal of it. In one embodiment, if the authentication mode identifier corresponding to the user characteristic information is not found in the user authentication table, the access point probe request is rejected and no probe response information is returned to the terminal.
Step 304: receive the authentication request that the terminal initiates according to the virtual BSSID, the authentication request carrying the user characteristic information and the authentication mode identifier.
The authentication request is a request, initiated by the terminal, to authenticate its access to the network through the access point. The user characteristic information and the authentication mode identifier carried in the authentication request are used for the check.
Step 306: check the user characteristic information and the authentication mode identifier carried in the authentication request. If the check passes, perform step 308; if the check fails, perform step 310.
The access point can determine, according to the user authentication table described above, whether the user characteristic information carried in the authentication request is associated with the authentication mode identifier, that is, whether a binding relationship exists between them, and thereby perform the check. Because malicious users may tamper with or forge terminal messages, it is necessary for security reasons to perform this check after the authentication request is received.
Step 308: return authentication response information to the terminal, so that the terminal performs authentication according to the virtual BSSID using the authentication mode that matches the authentication mode identifier.
The authentication response information indicates that the authentication request passed the check, and triggers the terminal to proceed with further operations. After receiving the authentication response information, the terminal may, directly or after further steps, perform authentication according to the virtual BSSID using the authentication mode that matches the authentication mode identifier. Depending on the authentication mode used, authentication may be carried out directly between the access point and the terminal, or the terminal's request to access the network through the access point may be authenticated with the help of an authentication server.
Step 310: reject the authentication request.
Specifically, if the check of the user characteristic information and the authentication mode identifier carried in the authentication request fails, the authentication request is rejected. The access point may refrain from returning authentication response information to the terminal, and/or may return a notification of authentication failure to the terminal.
In this embodiment, the access point checks the authentication request sent by the terminal and returns authentication response information only after the check passes, after which the terminal performs authentication using the corresponding authentication mode; this further ensures the security of wireless access authentication.
As shown in Fig. 4, in one embodiment, step 308 specifically comprises the following steps:
Step 402: return authentication response information to the terminal.
Step 404: receive the association request, carrying a terminal identifier, that the terminal initiates according to the virtual BSSID.
Specifically, the access point receives an association request carrying the virtual BSSID and the terminal identifier. The virtual BSSID can identify a terminal group, and the terminals in that group use the same authentication mode. The terminal identifier is identification information that uniquely locates the terminal; the MAC address of the terminal may be used.
Step 406: associate the terminal identifier with the local access point identifier.
Specifically, once the terminal identifier is associated with the local access point identifier, the terminal can send and receive data packets through this access point.
Step 408: return association response information to the terminal, so that the terminal performs authentication according to the virtual BSSID using the authentication mode that matches the authentication mode identifier.
The association response information indicates that the terminal identifier has been successfully associated with the local access point identifier, so that the terminal can subsequently perform authentication through the local access point, according to the virtual BSSID, using the authentication mode that matches the authentication mode identifier.
In this embodiment, the association between the terminal and the access point is established, so that the terminal can perform authentication through the access point.
As shown in Fig. 5, in a specific embodiment a wireless access authentication method is provided, which specifically comprises the following steps:
Step 502: the access point receives an access point probe request from the terminal, the access point probe request carrying a service set identifier and user characteristic information.
Step 504: according to the access point probe request, the access point queries the user authentication table for the authentication mode identifier corresponding to the user characteristic information; after the authentication mode identifier corresponding to the user characteristic information is found, it allocates a virtual BSSID according to the authentication mode identifier.
Step 506: the access point returns to the terminal the probe response information carrying the authentication mode identifier and the virtual BSSID.
Step 508: the access point receives the authentication request that the terminal initiates according to the virtual BSSID, the authentication request carrying the user characteristic information and the authentication mode identifier.
Step 510: the access point checks the user characteristic information and the authentication mode identifier carried in the authentication request.
Step 512: if the check passes, the access point returns authentication response information to the terminal.
Step 514: the access point receives the association request, carrying a terminal identifier, that the terminal initiates according to the virtual BSSID.
Step 516: the access point associates the terminal identifier with the local access point identifier.
Step 518: the access point returns association response information to the terminal, so that the terminal performs authentication according to the virtual BSSID using the authentication mode that matches the authentication mode identifier.
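The access-point side of steps 502 to 518, modelled in Python as an added example (not code from the patent); the table data is constructed from Table 1. Assumptions of this sketch: the SSID "GUEST", the AP base address, the hash-based derivation of the virtual BSSID, the BSSID consistency check, and the rule that association requires a passed check.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data mirroring Table 1 (user characteristic information = MAC address).
USER_AUTH_TABLE = {
    "00:11:22:33:44:55": "OPEN-WEB",
    "00:11:22:33:44:56": "WPA2-PSK",
    "00:11:22:33:44:57": "RADIUS",
}


def normalize(mac: str) -> str:
    """Canonical form for table lookups: lower case, colon separated."""
    return mac.strip().lower().replace("-", ":")


def derive_virtual_bssid(base_mac: str, auth_mode: str) -> str:
    """Assumption: the description says the AP creates a virtual BSSID per
    authentication mode but not how. Here it is derived from a hash and forced
    to be a locally administered, unicast MAC address."""
    digest = hashlib.sha256(f"{normalize(base_mac)}|{auth_mode}".encode()).digest()
    first = (digest[0] | 0x02) & 0xFE  # set the local bit, clear the multicast bit
    return ":".join(f"{b:02x}" for b in bytes([first]) + digest[1:6])


@dataclass
class AccessPoint:
    ssid: str          # the single, unified SSID (constructed value in the demo)
    base_mac: str      # hypothetical AP hardware address
    auth_table: dict   # user characteristic information -> authentication mode identifier
    bssid_by_mode: dict = field(default_factory=dict)
    verified: dict = field(default_factory=dict)    # user info -> virtual BSSID
    associated: dict = field(default_factory=dict)  # terminal id -> virtual BSSID

    def handle_probe(self, ssid: str, user_info: str):
        """Steps 502-506: look up the mode, allocate the virtual BSSID, answer.
        Returns None (no probe response) when the lookup fails."""
        if ssid != self.ssid:
            return None
        mode = self.auth_table.get(normalize(user_info))
        if not mode:  # user absent, or present with no mode assigned
            return None
        # Same mode -> same virtual BSSID, so terminals can be managed per group.
        bssid = self.bssid_by_mode.setdefault(
            mode, derive_virtual_bssid(self.base_mac, mode))
        return {"ssid": self.ssid, "auth_mode": mode, "bssid": bssid}

    def handle_auth_request(self, bssid: str, user_info: str, auth_mode: str) -> bool:
        """Steps 508-512: re-check the binding carried in the authentication
        request, because terminal messages may be tampered with or forged."""
        user = normalize(user_info)
        bound_mode = self.auth_table.get(user)
        if not bound_mode or bound_mode != auth_mode:
            return False  # step 310: reject
        # Extra consistency check (assumption): the request must target the
        # virtual BSSID that was allocated for this mode.
        if self.bssid_by_mode.get(auth_mode) != bssid:
            return False
        self.verified[user] = bssid
        return True

    def handle_assoc_request(self, bssid: str, terminal_id: str) -> bool:
        """Steps 514-518: associate the terminal identifier with this AP.
        Assumption: terminal identifier and user characteristic information are
        both the MAC address, and association requires a passed check."""
        term = normalize(terminal_id)
        if self.verified.get(term) != bssid:
            return False
        self.associated[term] = bssid
        return True


def run_flow(ap: AccessPoint, mac: str, claimed_mode=None) -> str:
    """Drive one terminal through probe, authentication request and association.
    claimed_mode models a request whose mode differs from the probe response."""
    resp = ap.handle_probe(ap.ssid, mac)
    if resp is None:
        return "no-probe-response"
    mode = claimed_mode or resp["auth_mode"]
    if not ap.handle_auth_request(resp["bssid"], mac, mode):
        return "auth-request-rejected"
    if not ap.handle_assoc_request(resp["bssid"], mac):
        return "association-rejected"
    return f"associated:{resp['auth_mode']}"


if __name__ == "__main__":
    ap = AccessPoint("GUEST", "02:00:00:00:00:01", dict(USER_AUTH_TABLE))
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:57", "00:11:22:33:44:99"):
        print(mac, run_flow(ap, mac))
    print("mismatched mode:", run_flow(ap, "00:11:22:33:44:56", claimed_mode="OPEN-WEB"))
```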
As shown in Fig. 6, in one embodiment a wireless access authentication method is provided; this embodiment is described with the method applied to the terminal 104 of the wireless access authentication system 100 above. The method specifically comprises the following steps:
Step 602: send an access point probe request to the access point, the access point probe request carrying a service set identifier and user characteristic information.
An SSID can be used to divide a wireless local area network into several sub-networks that require different identity verification; each sub-network requires independent authentication, and only users who pass authentication can enter the corresponding sub-network, which prevents unauthorized users from entering it.
User characteristic information is information that uniquely distinguishes a user; it may be the MAC address of the terminal or the serial number of the terminal. In one embodiment, the user characteristic information may also be a user account. A user account can be represented by a character string that includes at least one of digits, symbols and letters.
The access point may broadcast beacon information; this beacon information contains the service set identifier and is used to let terminals discover the access point. After detecting the beacon information, the terminal sends an access point probe request carrying the service set identifier and the user characteristic information, which the access point receives. Alternatively, in one embodiment, the access point may not broadcast beacon information; instead the terminal broadcasts the access point probe request, and the access point detects it.
Step 604: receive the probe response information that the access point sends after finding, in the user authentication table, the authentication mode identifier corresponding to the user characteristic information; the probe response information carries the authentication mode identifier and the virtual BSSID allocated after the authentication mode identifier corresponding to the user characteristic information was found.
The user authentication table is edited and generated by an administrator. It may be stored locally on the access point or on a designated server and fetched when needed, and it may be encrypted. The user authentication table contains preset correspondences between user characteristic information and authentication mode identifiers. If the table contains a correspondence between the user characteristic information carried in the access point probe request and an authentication mode identifier, the authentication mode identifier corresponding to the user characteristic information is found. If the user characteristic information carried in the access point probe request is not in the table, or is in the table but has no corresponding authentication mode identifier, the authentication mode identifier corresponding to the user characteristic information is not found.
After the authentication mode identifier corresponding to the user characteristic information is found in the user authentication table, a virtual BSSID corresponding to the SSID is allocated. The access point may allocate the virtual BSSID by directly creating a new one.
In one embodiment, the virtual BSSID is allocated according to the authentication mode identifier. In this embodiment, each authentication mode identifier is allocated its own virtual BSSID, and identical authentication mode identifiers are allocated the same virtual BSSID, which makes it easy to manage and control terminals that use different authentication modes separately.
The access point generates probe response information containing the authentication mode identifier that was found and the virtual BSSID that was allocated, and returns it to the terminal. The probe response information indicates that the corresponding authentication mode identifier was found and notifies the terminal of it. In one embodiment, if the authentication mode identifier corresponding to the user characteristic information is not found in the user authentication table, the access point probe request is rejected and no probe response information is returned to the terminal.
Step 606, adopts the authentication mode marking matched with described authentication mode to carry out certification according to described virtual basic service sets identifier.
Terminal is after receiving response detected information, can directly or after other step follow-up, the authentication mode marking matched with described authentication mode is adopted to carry out certification according to described virtual basic service sets identifier, specifically because of the difference of the authentication mode of employing, directly can carry out certification between access point and terminal, also under the assistance of certificate server, can realize the certification of terminal by the request of access point access network.
Above-mentioned wireless access authentication method, terminal sends the probe requests thereby carrying service set to access point, the authentication mode that access point is inquired corresponding to user's characteristic information from user authentication table identifies, and distribute virtual basic service sets identifier, terminal just can adopt the authentication mode marking matched with authentication mode to carry out certification according to this virtual basic service sets identifier.Use different like this adopts unified service set to ask access WAP (wireless access point) per family, and distinguish different authentication modes by virtual basic service identifier, can not reveal the information of access point provider, fail safe is high.And the terminal under identical virtual basic service sets identifier can unified management, the conveniently traffic behavior of each terminal of control.
As shown in Figure 7, in one embodiment, the method further comprises, before step 606, a step of requesting authentication from the access point, which specifically comprises the following steps:
Step 702: initiate an authentication request to the access point according to the virtual basic service set identifier, the authentication request carrying the user characteristic information and the authentication mode identifier.
The access point generates a probe response containing the authentication mode identifier found and the virtual basic service set identifier allocated, and returns it to the terminal. The probe response indicates that a corresponding authentication mode identifier was found and notifies the terminal of it. In one embodiment, if the access point does not find an authentication mode identifier corresponding to the user characteristic information in the user authentication table, the access point probe request is rejected and no probe response is returned to the terminal.
The authentication request is a request, initiated by the terminal, to authenticate the terminal's access to the network through the access point. The user characteristic information and the authentication mode identifier carried in the authentication request are used for the check.
Step 704: receive the authentication response that the access point returns after its check of the user characteristic information and the authentication mode identifier carried in the authentication request has passed.
The access point may judge, according to the user authentication table described above, whether the user characteristic information and the authentication mode identifier carried in the authentication request are associated, that is, whether a binding relationship exists between them, and thereby perform the check. Because a malicious user may tamper with or forge terminal messages, for security reasons it is necessary to perform this check after the authentication request is received.
The authentication response indicates that the authentication request has passed the check, and it triggers the terminal's further operations. After receiving the authentication response, the terminal may, either directly or after other subsequent steps, perform authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier. Depending on the authentication mode used, authentication may be carried out directly between the access point and the terminal, or the terminal's request to access the network through the access point may be authenticated with the assistance of an authentication server.
If the access point's check of the user characteristic information and the authentication mode identifier carried in the authentication request fails, the authentication request is rejected. The access point may return no authentication response to the terminal, and/or may return an authentication failure notification to the terminal.
In this embodiment, the access point checks the authentication request sent by the terminal and returns the authentication response only after the check passes, whereupon the terminal performs authentication using the corresponding authentication mode. This further ensures the security of wireless access authentication.
As shown in Figure 8, in one embodiment, after step 704 and before step 606 the method further comprises a step of requesting association with the access point, which specifically comprises the following steps:
Step 802: initiate to the access point, according to the virtual basic service set identifier, an association request carrying a terminal identifier.
Specifically, the access point receives an association request carrying the virtual basic service set identifier and the terminal identifier. The virtual basic service set identifier can identify a terminal group, and the terminals in this group use the same authentication mode. The terminal identifier is identification information that uniquely locates the terminal; the MAC address of the terminal may be used. The access point associates the terminal identifier with the local access point identifier, after which the terminal can send and receive data packets through this access point.
Step 804: receive the association response that the access point returns after associating the terminal identifier with the local access point identifier.
The association response indicates that the terminal identifier and the local access point identifier have been successfully associated, so that the terminal can subsequently perform authentication through the local access point, according to the virtual basic service set identifier, using the authentication mode that matches the authentication mode identifier.
In this embodiment, the association between the terminal and the access point is established, so that the terminal can perform authentication through the access point.
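The probe, authentication-request and association exchange described in the embodiments above can be modelled from the access point's side as follows. This is an added example, not code from the patent: the SSID, addresses, table entries, mode labels (psk, dot1x, portal), the scheme for deriving a virtual basic service set identifier (virtual BSSID) from the access point identifier, and the checks that tie a request to an allocated virtual BSSID and to a previously passed check are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample data; none of these values come from the patent.
SSID = "campus-net"                  # the single SSID every user probes for
AP_ID = "00:11:22:33:44:50"          # local access point identifier
USER_AUTH_TABLE = {                  # user characteristic info -> authentication mode identifier
    "aa:bb:cc:00:00:01": "psk",      # keyed by terminal MAC address
    "aa:bb:cc:00:00:02": "dot1x",
    "aa:bb:cc:00:00:03": "psk",
    "guest-0042": "portal",          # keyed by user account
    "aa:bb:cc:00:00:04": None,       # listed, but no authentication mode bound
}


@dataclass(frozen=True)
class ProbeResponse:
    auth_mode_id: str
    virtual_bssid: str


class AccessPoint:
    def __init__(self, ssid: str, ap_id: str, table: Dict[str, Optional[str]]):
        self.ssid, self.ap_id, self.table = ssid, ap_id, dict(table)
        self.vbssid_by_mode: Dict[str, str] = {}   # one virtual BSSID per mode
        self.verified: Set[str] = set()            # terminals whose auth request passed
        self.associated: Dict[str, str] = {}       # terminal id -> virtual BSSID

    def _allocate_vbssid(self, mode: str) -> str:
        """Same mode -> same virtual BSSID; a new mode gets a newly created one."""
        if mode not in self.vbssid_by_mode:
            octets = bytearray.fromhex(self.ap_id.replace(":", ""))
            octets[0] |= 0x02                      # locally administered bit (assumed scheme)
            octets[5] = (octets[5] + len(self.vbssid_by_mode) + 1) & 0xFF
            self.vbssid_by_mode[mode] = ":".join(f"{b:02x}" for b in octets)
        return self.vbssid_by_mode[mode]

    def on_probe_request(self, ssid: str, user_info: str) -> Optional[ProbeResponse]:
        """Unknown user, or user without a bound mode: reject by staying silent."""
        mode = self.table.get(user_info) if ssid == self.ssid else None
        if mode is None:
            return None
        return ProbeResponse(mode, self._allocate_vbssid(mode))

    def on_auth_request(self, terminal_id: str, vbssid: str,
                        user_info: str, auth_mode_id: str) -> bool:
        """Check the binding between user info and mode identifier in the table."""
        bound = self.table.get(user_info)
        ok = (bound is not None and bound == auth_mode_id
              # Extra consistency check added in this example, not stated in the text:
              and self.vbssid_by_mode.get(bound) == vbssid)
        if ok:
            self.verified.add(terminal_id)
        return ok

    def on_assoc_request(self, terminal_id: str, vbssid: str) -> bool:
        """Associate terminal id with this access point, only after a passed check."""
        if terminal_id not in self.verified or vbssid not in self.vbssid_by_mode.values():
            return False
        self.associated[terminal_id] = vbssid
        return True


def join(ap: AccessPoint, terminal_id: str, user_info: str,
         claimed_mode: Optional[str] = None) -> str:
    """Terminal side: probe, request authentication, associate; returns the outcome.
    claimed_mode models a message whose mode identifier was altered in transit."""
    resp = ap.on_probe_request(SSID, user_info)
    if resp is None:
        return "no-probe-response"
    mode = claimed_mode or resp.auth_mode_id
    if not ap.on_auth_request(terminal_id, resp.virtual_bssid, user_info, mode):
        return "auth-request-rejected"
    if not ap.on_assoc_request(terminal_id, resp.virtual_bssid):
        return "association-rejected"
    return f"ready:{resp.auth_mode_id}@{resp.virtual_bssid}"


if __name__ == "__main__":
    ap = AccessPoint(SSID, AP_ID, USER_AUTH_TABLE)
    for user in USER_AUTH_TABLE:
        print(user, "->", join(ap, user, user))
    print("altered mode ->", join(ap, "aa:bb:cc:00:00:05", "guest-0042", "psk"))
```

A terminal that reaches the "ready" state then runs the actual authentication (step 606) in the mode named in the result; that step is outside this model.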
As shown in Figure 9, in one embodiment, a wireless access authentication device 900 is provided, which has the functions for implementing the wireless access authentication method of each of the above embodiments applicable to the access point 102. The wireless access authentication device 900 specifically comprises an access point probe request receiving module 902, a query module 904 and an authentication service module 906.
The access point probe request receiving module 902 is configured to receive an access point probe request from a terminal, the access point probe request carrying a service set identifier and user characteristic information.
The query module 904 is configured to look up, according to the access point probe request, the authentication mode identifier corresponding to the user characteristic information in the user authentication table.
The authentication service module 906 is configured to allocate a virtual basic service set identifier after the authentication mode identifier corresponding to the user characteristic information has been found, and to return to the terminal a probe response carrying the authentication mode identifier and the virtual basic service set identifier, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
As shown in Figure 10, in one embodiment, the authentication service module 906 comprises a probe response feedback module 906a, an authentication request receiving module 906b, a check module 906c and an authentication response module 906d.
The probe response feedback module 906a is configured to return to the terminal a probe response carrying the authentication mode identifier and the virtual basic service set identifier.
The authentication request receiving module 906b is configured to receive the authentication request that the terminal initiates according to the virtual basic service set identifier, the authentication request carrying the user characteristic information and the authentication mode identifier.
The check module 906c is configured to check the user characteristic information and the authentication mode identifier carried in the authentication request.
The authentication response module 906d is configured to return an authentication response to the terminal when the check by the check module passes, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
As shown in Figure 11, in one embodiment, the authentication response module 906d comprises an authentication response feedback module 906d1, an association request receiving module 906d2, an association execution module 906d3 and an association response feedback module 906d4.
The authentication response feedback module 906d1 is configured to return an authentication response to the terminal.
The association request receiving module 906d2 is configured to receive the association request carrying a terminal identifier that the terminal initiates according to the virtual basic service set identifier.
The association execution module 906d3 is configured to associate the terminal identifier with the local access point identifier.
The association response feedback module 906d4 is configured to return an association response to the terminal, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
In one embodiment, the authentication service module 906 is further configured to allocate the virtual basic service set identifier according to the authentication mode identifier.
The above wireless access authentication device 900 receives the probe request carrying the service set identifier sent by the terminal, so that the authentication mode identifier corresponding to the user characteristic information can be found in the user authentication table and a virtual basic service set identifier allocated; the terminal can then perform authentication according to that virtual basic service set identifier using the authentication mode that matches the authentication mode identifier. In this way, different users all request access to the wireless access point with a unified service set identifier, and the different authentication modes are distinguished by the virtual basic service set identifier, so information about the access point provider is not revealed and security is high. In addition, terminals under the same virtual basic service set identifier can be managed uniformly, which makes it convenient to control the traffic behavior of each terminal.
As shown in Figure 12, in one embodiment, a wireless access authentication device 1200 is provided, which has the functions for implementing the wireless access authentication method of each of the above embodiments applicable to the terminal 104. The wireless access authentication device 1200 specifically comprises an access point probe request sending module 1202, a probe response receiving module 1204 and an authentication execution module 1206.
The access point probe request sending module 1202 is configured to send an access point probe request to the access point, the access point probe request carrying a service set identifier and user characteristic information.
The probe response receiving module 1204 is configured to receive the probe response that the access point sends after it has found, in the user authentication table, the authentication mode identifier corresponding to the user characteristic information. The probe response carries the authentication mode identifier and the virtual basic service set identifier allocated after the authentication mode identifier corresponding to the user characteristic information was found.
The authentication execution module 1206 is configured to perform authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
As shown in Figure 13, in one embodiment, the wireless access authentication device 1200 further comprises an authentication request initiating module 1208 and an authentication response receiving module 1210.
The authentication request initiating module 1208 is configured to initiate an authentication request to the access point according to the virtual basic service set identifier, the authentication request carrying the user characteristic information and the authentication mode identifier.
The authentication response receiving module 1210 is configured to receive the authentication response that the access point returns after its check of the user characteristic information and the authentication mode identifier carried in the authentication request has passed.
As shown in Figure 14, in one embodiment, the wireless access authentication device 1200 further comprises an association request sending module 1212 and an association response receiving module 1214.
The association request sending module 1212 is configured to initiate to the access point, according to the virtual basic service set identifier, an association request carrying a terminal identifier.
The association response receiving module 1214 is configured to receive the association response that the access point returns after associating the terminal identifier with the local access point identifier.
In one embodiment, the virtual basic service set identifier is allocated according to the authentication mode identifier.
With the above wireless access authentication device 1200, the probe request carrying the service set identifier sent by the terminal is received, so that the authentication mode identifier corresponding to the user characteristic information can be found in the user authentication table and a virtual basic service set identifier allocated; the terminal can then perform authentication according to that virtual basic service set identifier using the authentication mode that matches the authentication mode identifier. In this way, different users all request access to the wireless access point with a unified service set identifier, and the different authentication modes are distinguished by the virtual basic service set identifier, so information about the access point provider is not revealed and security is high. In addition, terminals under the same virtual basic service set identifier can be managed uniformly, which makes it convenient to control the traffic behavior of each terminal.
The above embodiments express only several implementations of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be noted that those of ordinary skill in the art can make several variations and improvements without departing from the concept of the invention, all of which fall within the protection scope of the invention. Therefore, the protection scope of this patent shall be determined by the appended claims.

Claims (10)

1. A wireless access authentication method, the method comprising:
receiving an access point probe request from a terminal, the access point probe request carrying a service set identifier and user characteristic information;
looking up, according to the access point probe request, the authentication mode identifier corresponding to the user characteristic information in a user authentication table;
after the authentication mode identifier corresponding to the user characteristic information has been found, allocating a virtual basic service set identifier, and
returning to the terminal a probe response carrying the authentication mode identifier and the virtual basic service set identifier, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
2. The method according to claim 1, characterized in that said returning to the terminal a probe response carrying the authentication mode identifier and the virtual basic service set identifier, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier, comprises:
returning to the terminal a probe response carrying the authentication mode identifier and the virtual basic service set identifier;
receiving the authentication request that the terminal initiates according to the virtual basic service set identifier, the authentication request carrying the user characteristic information and the authentication mode identifier;
checking the user characteristic information and the authentication mode identifier carried in the authentication request, and, if the check passes,
returning an authentication response to the terminal, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
3. The method according to claim 2, characterized in that said returning an authentication response to the terminal, so that the terminal performs authentication using the authentication mode that matches the authentication mode identifier, comprises:
returning an authentication response to the terminal;
receiving the association request carrying a terminal identifier that the terminal initiates according to the virtual basic service set identifier;
associating the terminal identifier with the local access point identifier;
returning an association response to the terminal, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
4. The method according to claim 1, characterized in that said allocating a virtual basic service set identifier comprises:
allocating the virtual basic service set identifier according to the authentication mode identifier.
5. A wireless access authentication method, the method comprising:
sending an access point probe request to an access point, the access point probe request carrying a service set identifier and user characteristic information;
receiving the probe response that the access point sends after it has found, in a user authentication table, the authentication mode identifier corresponding to the user characteristic information, the probe response carrying the authentication mode identifier and the virtual basic service set identifier allocated after the authentication mode identifier corresponding to the user characteristic information was found;
performing authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
6. A wireless access authentication device, characterized in that the device comprises:
an access point probe request receiving module, configured to receive an access point probe request from a terminal, the access point probe request carrying a service set identifier and user characteristic information;
a query module, configured to look up, according to the access point probe request, the authentication mode identifier corresponding to the user characteristic information in a user authentication table;
an authentication service module, configured to allocate a virtual basic service set identifier after the authentication mode identifier corresponding to the user characteristic information has been found, and to return to the terminal a probe response carrying the authentication mode identifier and the virtual basic service set identifier, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
7. The device according to claim 6, characterized in that the authentication service module comprises:
a probe response feedback module, configured to return to the terminal a probe response carrying the authentication mode identifier and the virtual basic service set identifier;
an authentication request receiving module, configured to receive the authentication request that the terminal initiates according to the virtual basic service set identifier, the authentication request carrying the user characteristic information and the authentication mode identifier;
a check module, configured to check the user characteristic information and the authentication mode identifier carried in the authentication request;
an authentication response module, configured to return an authentication response to the terminal when the check by the check module passes, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
8. The device according to claim 7, characterized in that the authentication response module comprises:
an authentication response feedback module, configured to return an authentication response to the terminal;
an association request receiving module, configured to receive the association request carrying a terminal identifier that the terminal initiates according to the virtual basic service set identifier;
an association execution module, configured to associate the terminal identifier with the local access point identifier;
an association response feedback module, configured to return an association response to the terminal, so that the terminal performs authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
9. The device according to claim 6, characterized in that the authentication service module is further configured to allocate the virtual basic service set identifier according to the authentication mode identifier.
10. A wireless access authentication device, characterized in that the device comprises:
an access point probe request sending module, configured to send an access point probe request to an access point, the access point probe request carrying a service set identifier and user characteristic information;
a probe response receiving module, configured to receive the probe response that the access point sends after it has found, in a user authentication table, the authentication mode identifier corresponding to the user characteristic information, the probe response carrying the authentication mode identifier and the virtual basic service set identifier allocated after the authentication mode identifier corresponding to the user characteristic information was found;
an authentication execution module, configured to perform authentication according to the virtual basic service set identifier using the authentication mode that matches the authentication mode identifier.
CN201510176094.2A 2015-04-14 2015-04-14 Wireless access authentication method and device Active CN104837136B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510176094.2A CN104837136B (en) 2015-04-14 2015-04-14 Wireless access authentication method and device


Publications (2)

Publication Number Publication Date
CN104837136A true CN104837136A (en) 2015-08-12
CN104837136B CN104837136B (en) 2019-06-21
