CN117596590A - Network access method, device, controller, wireless access equipment and system - Google Patents


Info

Publication number
CN117596590A
Authority
CN
China
Prior art keywords
access
sdp
service
wireless access
equipment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311436110.8A
Other languages
Chinese (zh)
Inventor
商威
杨勇
张政洁
卢慧芳
陈天一
陈亚凯
刘淑贤
闫璐
邹毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guoneng Hebei Dingzhou Power Generation Co ltd
Original Assignee
Guoneng Hebei Dingzhou Power Generation Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 40/00 IoT characterised by the purpose of the information processing
    • G16Y 40/50 Safety; Security of things, users, data or systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/40 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/71 Hardware identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup

Abstract

The disclosure relates to a network access method, a device, a controller, a wireless access device and a system, wherein the method comprises the following steps: receiving a network access request of terminal equipment sent by wireless access equipment; authenticating the terminal equipment according to the network access request; after the authentication is passed, receiving a service access authorization request sent by the wireless access equipment, wherein the service access authorization request is used for indicating a target service to be accessed by the terminal equipment; and sending an authorization response for the service access authorization request to the wireless access equipment, and when the authorization response is used for indicating the service access authorization request to pass, enabling the wireless access equipment to send an SPA packet to the SDP gateway, wherein the SPA packet is used for establishing communication connection between the wireless access equipment and the SDP gateway and between the wireless access equipment and the target service, and the communication connection is used for enabling the terminal equipment to access the target service. The communication connection between the terminal device and the target service can be established through the wireless access device, so that the terminal device can access the SDP-based target service.

Description

Network access method, device, controller, wireless access equipment and system
Technical Field
The disclosure relates to the field of the industrial internet of things, and in particular to a network access method, a device, a controller, wireless access equipment and a system.
Background
With the industrial internet of things (IIoT) becoming an important driver of global economic growth, software defined perimeter (SDP) technology, built on the concept of zero trust, is increasingly applied to cope with the security threats it faces. SDP implements its protection through service hiding, which allows access only to specially authenticated requesters. However, many traditional industrial internet of things devices without extensible functions cannot deploy an SDP client application, so as more and more important services are hidden, these devices can no longer reach those services and complete their normal operation.
Disclosure of Invention
The disclosure aims to provide a network access method, a device, a controller, wireless access equipment and a system, to solve the problem in the prior art that an internet of things device without extensible functions cannot deploy an SDP client and therefore cannot access a hidden service to complete its normal operation.
To achieve the above object, a first aspect of embodiments of the present disclosure provides a network access method, applied to an SDP controller, the method including:
receiving a network access request of terminal equipment sent by wireless access equipment;
authenticating the terminal equipment according to the network access request;
after the authentication is passed, receiving a service access authorization request sent by the wireless access equipment, wherein the service access authorization request is used for indicating a target service to be accessed by the terminal equipment;
and sending an authorization response for the service access authorization request to the wireless access equipment, and when the authorization response is used for indicating that the service access authorization request passes, enabling the wireless access equipment to send an SPA packet to an SDP gateway, wherein the SPA packet is used for establishing communication connection between the wireless access equipment and the SDP gateway as well as the target service, and the communication connection is used for enabling the terminal equipment to access the target service.
Optionally, after the authentication is passed, before receiving the service access authorization request sent by the wireless access device, the method further includes:
sending an authentication passing message to the wireless access equipment, wherein the authentication passing message is used for indicating the wireless access equipment to establish a MAC-IP mapping relation for the terminal equipment;
receiving information comprising the MAC-IP mapping relation sent by the wireless access equipment;
and recording the MAC-IP mapping relation into an SDP user table, wherein the SDP user table is used for generating the authorization response of the service access authorization request.
A second aspect of an embodiment of the present disclosure provides a network access method, applied to a wireless access device, the method including:
sending a network access request of terminal equipment to an SDP controller, wherein the network access request is used for authenticating the terminal equipment by the SDP controller;
after the authentication is passed, sending a service access authorization request to the SDP controller;
and receiving an authorization response of the service access authorization request sent by the SDP controller, and sending an SPA packet to the SDP gateway when the authorization response is used for indicating that the service access authorization request passes, so as to establish communication connection between the wireless access equipment and the SDP gateway and between the wireless access equipment and a target service, wherein the communication connection is used for the terminal equipment to access the target service.
Optionally, after the authentication is passed, before sending a service access authorization request to the SDP controller, the method further comprises:
distributing an IP address to the terminal equipment through the wireless access equipment;
and determining a MAC-IP mapping relation of the terminal equipment according to the IP address and the MAC address of the terminal equipment, and sending information comprising the MAC-IP mapping relation to the SDP controller for the SDP controller to record the MAC-IP mapping relation into an SDP user table, wherein the SDP user table is used for the SDP controller to generate the authorization response of the service access authorization request.
Optionally, after the authentication is passed, sending a service access authorization request to the SDP controller, including:
acquiring an authentication result of the network access request from the SDP controller;
after the authentication is passed, receiving a service connection request sent by the terminal equipment;
redirecting the service connection request to the wireless access device, so that the wireless access device establishes a connection with the terminal device in place of the target service;
and after the wireless access device has established the connection with the terminal device in place of the target service, sending a service access authorization request to the SDP controller.
Optionally, when the authorization response indicates that the service access authorization request passes, sending an SPA packet to the SDP gateway to establish a communication connection between the wireless access device and the SDP gateway and a target service, where the communication connection is used for the terminal device to access the target service, and the method includes:
when the authorization response indicates that the service access authorization request passes, determining an SPA packet according to the authorization response;
the SPA packet is sent to the SDP gateway and is used for establishing a first connection between the SDP gateway and the target service;
when the SPA packet is successfully sent, establishing a second connection between the wireless access device and the SDP gateway;
and establishing connection between the wireless access equipment and the target service through the first connection and the second connection so as to enable the terminal equipment to access the target service.
Optionally, the method further comprises:
and establishing a connection mapping between the terminal equipment and the SDP gateway so that the terminal equipment accesses the target service through the SDP gateway.
Optionally, the method further comprises:
and monitoring the connection state between the terminal equipment and the target service, and disconnecting the connection between the wireless access equipment and the mobile terminal and/or the connection between the wireless access equipment and the SDP gateway once the terminal equipment has finished accessing the target service.
A third aspect of the embodiments of the present disclosure provides a network access device applied to an SDP controller, the device comprising:
the receiving module is used for receiving a network access request of the terminal equipment, which is sent by the wireless access equipment;
the authentication module is used for authenticating the terminal equipment according to the network access request;
the receiving module is further configured to receive a service access authorization request sent by the wireless access device after the authentication is passed, where the service access authorization request is used to indicate a target service to be accessed by the terminal device;
and the response module is used for sending an authorization response for the service access authorization request to the wireless access equipment, and when the authorization response is used for indicating that the service access authorization request passes, the wireless access equipment sends an SPA packet to an SDP gateway, wherein the SPA packet is used for establishing communication connection between the wireless access equipment and the SDP gateway and the target service, and the communication connection is used for the terminal equipment to access the target service.
A fourth aspect of embodiments of the present disclosure provides a network access apparatus applied to a wireless access device, the apparatus comprising:
the communication module is used for sending a network access request of the terminal equipment to the SDP controller, wherein the network access request is used for authenticating the terminal equipment by the SDP controller;
the communication module is further configured to send a service access authorization request to the SDP controller after the authentication is passed;
and the connection establishment module is used for receiving an authorization response of the service access authorization request sent by the SDP controller, and sending an SPA packet to the SDP gateway when the authorization response is used for indicating that the service access authorization request passes so as to establish communication connection between the wireless access equipment and the SDP gateway and between the wireless access equipment and the target service, wherein the communication connection is used for the terminal equipment to access the target service.
A fifth aspect of the present disclosure provides an SDP controller comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the network access method provided in the first aspect of the present disclosure.
A sixth aspect of the present disclosure provides a wireless access device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the network access method provided in the second aspect of the present disclosure.
A seventh aspect of the present disclosure provides a network access system, the system including the SDP controller provided in the fifth aspect, the wireless access device provided in the sixth aspect, the SDP gateway, and the terminal device;
the wireless access device is used for sending a network access request of the terminal device to the SDP controller;
the SDP controller is used for authenticating the terminal equipment according to the network access request;
the wireless access device is further configured to send a service access authorization request to the SDP controller after the authentication is passed;
the SDP controller is further configured to receive a service access authorization request sent by the wireless access device and send an authorization response to the service access authorization request to the wireless access device;
the wireless access device is further configured to receive an authorization response of the service access authorization request sent by the SDP controller, and send an SPA packet to the SDP gateway when the authorization response is used to indicate that the service access authorization request passes, so as to establish a communication connection between the wireless access device and the SDP gateway and between the wireless access device and a target service, where the communication connection is used for the terminal device to access the target service.
Through the technical scheme, the SDP controller receives the network access request of the terminal equipment sent by the wireless access equipment; authenticates the terminal equipment according to the network access request; after the authentication is passed, receives a service access authorization request sent by the wireless access equipment, where the service access authorization request indicates the target service to be accessed by the terminal equipment; and sends an authorization response for the service access authorization request to the wireless access equipment, and when the authorization response indicates that the service access authorization request passes, makes the wireless access equipment send an SPA packet to the SDP gateway, where the SPA packet is used for establishing communication connections between the wireless access equipment and the SDP gateway and between the wireless access equipment and the target service, and the communication connection is used for the terminal equipment to access the target service. With this scheme, the connection between the terminal equipment and the SDP controller is established through the wireless access equipment, and after the authentication of the terminal equipment and the access authorization for the target service are completed, the wireless access equipment provides the means to reach the SDP gateway. The terminal equipment therefore needs no SDP modification, can access the business services in the industrial network protected by SDP, and the problem that terminal equipment without an SDP access function cannot access an SDP-based target service is avoided.
Additional features and advantages of the present disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosure, and are incorporated in and constitute a part of this specification, illustrate the disclosure and together with the description serve to explain, but do not limit the disclosure. In the drawings:
Fig. 1 is a flow chart illustrating a network access method according to an exemplary embodiment.
Fig. 2 is a flow chart illustrating another network access method according to an example embodiment.
Fig. 3 is a flow chart illustrating another network access method according to an example embodiment.
Fig. 4 is a flow chart illustrating another network access method according to an example embodiment.
Fig. 5 is a flow chart illustrating another network access method according to an example embodiment.
Fig. 6 is a flow chart illustrating another network access method according to an example embodiment.
Fig. 7 is a flow chart illustrating another network access method according to an example embodiment.
Fig. 8 is a flow chart illustrating another network access method according to an example embodiment.
Fig. 9 is a flow chart illustrating another network access method according to an example embodiment.
Fig. 10 is a block diagram of a network access device, according to an example embodiment.
Fig. 11 is a block diagram of another network access device, according to an example embodiment.
Fig. 12 is a block diagram of a network access system, according to an example embodiment.
Fig. 13 is a block diagram of an electronic device, according to an example embodiment.
Fig. 14 is a block diagram of another electronic device, according to an exemplary embodiment.
Detailed Description
Specific embodiments of the present disclosure are described in detail below with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the disclosure, are not intended to limit the disclosure.
It should be noted that, all actions for acquiring signals, information or data in the present disclosure are performed under the condition of conforming to the corresponding data protection rule policy of the country of the location and obtaining the authorization given by the owner of the corresponding device.
In a network built on SDP, a client must be authenticated and authorized before accessing a protected service; a real-time encrypted connection is then established as the access path between the endpoint and the application infrastructure. The application owner can deploy a security perimeter when required to isolate the service from an unsafe network, which gives better security protection in network service scenarios where the boundary is unclear.
Fig. 1 is a flowchart of a network access method according to an exemplary embodiment, as shown in fig. 1, applied to an SDP controller, including the steps of:
in step S11, a network access request of a terminal device transmitted by a wireless access device is received.
The wireless access device is a device that provides wireless access to other devices: it converts a wired network signal into a wireless signal, so that the terminal device can connect to the wired network over a wireless network such as WiFi and access the target service in that network. The terminal device is a client device in the network with a wireless access function, which connects to the wireless access device through its WiFi function.
The network access request is the request initiated when the terminal device accesses the industrial network where the target service is located. It may carry the user name of the terminal device, and may also carry the user name and password of the wireless access device. When the network access request is sent to the wireless access device, the user name and password of the wireless access device are verified first; the wireless access device then allows the terminal device to access only if the user name of the terminal device carried in the network access request exists in the WiFi user table.
In step S12, the terminal device is authenticated according to the network access request.
For example, after the terminal device establishes a wireless connection with the wireless access device, it can communicate with the wireless router over that wireless connection channel. The network access request sent by the terminal device is forwarded to the SDP controller through the wireless connection channel; the SDP controller looks up whether the user name of the terminal device carried in the network access request is included in the SDP user table, and determines that the identity authentication of the terminal device passes when that user name exists in the SDP user table.
In step S13, after the authentication is passed, a service access authorization request sent by the wireless access device is received, where the service access authorization request is used to indicate a target service to be accessed by the terminal device.
For example, after the identity authentication of the terminal device passes, the terminal device may request access rights to a target service and send, to the SDP controller through the wireless access device, a service access authorization request for that target service. The target service is a service located in a server of the SDP-based network and accessible to users; it may also be a protected industrial application service in the wireless industrial control network.
In step S14, an authorization response for the service access authorization request is sent to the wireless access device, and when the authorization response is used for indicating that the service access authorization request passes, the wireless access device is made to send an SPA packet to the SDP gateway, where the SPA packet is used for establishing a communication connection between the wireless access device and the SDP gateway and between the wireless access device and the target service, and the communication connection is used for the terminal device to access the target service.
The SDP controller processes the service access authorization request and generates a corresponding authorization response, which may indicate that the service access authorization request for the target service is passed or not passed. The SDP controller sends the authorization response to the wireless access device. When the authorization response indicates that the service access authorization request for the target service is passed, the wireless access device sends an SPA (Single Packet Authorization) packet to the SDP gateway; after the SPA packet has been used to establish communication connections between the wireless access device and the SDP gateway and between the wireless access device and the target service, the terminal device can access the target service through those connections.
As shown in fig. 2, a WiFi user table, an SDP user table, a service authorization table, and a service information table may be configured;
The WiFi user table may include a user name and attribute information, and records the user names of users allowed to access the wireless access device; only a terminal device whose user name exists in the WiFi user table may be authorized to access the wireless access device.
The SDP user table may include a user name, a MAC address and an IP address, and records the user names of users allowed to access the SDP-based industrial control network. The user name may be defined to be the same as the user name in the WiFi user table, or the two may be put in one-to-one correspondence according to a certain mapping relation, so that the identity of a terminal device is unified between the WiFi network of the wireless access device and the SDP-based industrial network. Only a terminal device whose user name exists in the SDP user table may be authorized to access the SDP-based industrial control network. The MAC address in the SDP user table is the hardware address of the terminal device and records the MAC address of the login device; the IP address is the address allocated by the network after the terminal device has accessed the SDP-based wireless network.
The service authorization table may include a service ID and a user ID, indicating which protected services the user may access in the SDP-based wireless network. The user IDs have a one-to-one correspondence with the user names in the SDP user table and/or the WiFi user table, so the terminal device corresponding to a user name can be found through the user ID. Through this correspondence, the user ID can be found from the user name in the SDP user table, and the service authorization information related to that user ID can be found in the service authorization table, which realizes authority management and service authorization for users.
The service information table may include a service description, an SDP gateway address and a service IP address. According to the IP address of the target service in the service access authorization request, the corresponding SDP gateway address, service description and other contents can be found in the service information table. The service IP address has a one-to-one correspondence with the service ID in the service authorization table, so the authorization information of the service IDs related to any user ID can also be found in the service authorization table through this correspondence, and service access is provided to the user corresponding to the service.
Through the scheme, the SDP controller receives the network access request of the terminal equipment sent by the wireless access equipment; authenticates the terminal equipment according to the network access request; after the authentication is passed, receives a service access authorization request sent by the wireless access equipment, where the service access authorization request indicates the target service to be accessed by the terminal equipment; and sends an authorization response for the service access authorization request to the wireless access equipment, and when the authorization response indicates that the service access authorization request passes, makes the wireless access equipment send an SPA packet to the SDP gateway, where the SPA packet is used for establishing communication connections between the wireless access equipment and the SDP gateway and between the wireless access equipment and the target service, and the communication connection is used for the terminal equipment to access the target service. With this scheme, the connection between the terminal equipment and the SDP controller is established through the wireless access equipment, and after the authentication of the terminal equipment and the access authorization for the target service are completed, the wireless access equipment provides the means to reach the SDP gateway. The terminal equipment therefore needs no SDP modification, can access the services in the industrial network protected by SDP, and the problem that terminal equipment without an SDP access function cannot access an SDP-based target service is avoided.
Fig. 3 is a flowchart of a network access method according to an exemplary embodiment, as shown in fig. 3, after the authentication result in step S12 is that the authentication is passed, before receiving a service access authorization request sent by the wireless access device, the method may further include the following steps:
in step S15, after the authentication is passed, an authentication pass message is sent to the wireless access device, where the authentication pass message is used to instruct the wireless access device to establish a MAC-IP mapping relationship for the terminal device.
For example, once authentication passes, the terminal device is allowed to access the SDP-based network. After receiving the authentication passing message from the SDP controller, the wireless access device requests an IP address from the DHCP server, allocates that IP address to the terminal device through its embedded DHCP service, and binds the IP address to the MAC address of the terminal device, so that each terminal device corresponds to exactly one IP address.
In one implementation, the wireless access device may enable a DHCP snooping (DHCP listening) service to block rogue DHCP servers in the access network, so that the access procedure is more secure.
In step S16, information including a MAC-IP mapping relationship transmitted by the wireless access device is received.
In step S17, the MAC-IP mapping relationship is recorded in an SDP user table for generating an authorization response for the service access authorization request.
For example, the SDP controller records the MAC-IP mapping relationship in the SDP user table under a user name corresponding to the user who initiates the IP address request, establishes a correspondence between the user name, the MAC, and the IP address, and generates an authorization response of the service access authorization request in step S14 according to the SDP user table.
Illustratively, obtaining an IP address means that the terminal device to which the user name corresponds has a wireless link to access the network.
In one implementation, generating the authorization response for the service access authorization request in step S14 may include the following steps: find, in the SDP user table, the IP address obtained in step S15; from it, find the user name of the corresponding user; obtain the user ID of that user according to the preset correspondence between user names and user IDs; then check whether that user ID exists in the service authorization table. If the user ID is absent from the service authorization table, service access authorization for the user fails; if it is present, service access authorization succeeds and the user is allowed to access the corresponding target service.
In another implementation, generating the authorization response in step S14 may include the following steps: the SDP controller takes the target service IP address carried in the service access authorization request and checks whether it exists among the service IP addresses in the service information table; according to the preset correspondence between service IP addresses and service IDs, it checks whether a service ID corresponding to that service IP address exists in the service authorization table, so as to determine through the service authorization table which user IDs may be authorized for the service; it then checks whether a user name corresponding to such a user ID exists in the SDP user table. If no such user name is present in the SDP user table, the user initiating the service access authorization request is determined to have no authority to access the service and this authorization fails; if it is present, this authorization succeeds and a message indicating success is returned to the wireless router, so that the corresponding user is allowed to access the service.
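The two lookup orders described for step S14, as an added example that is not text or code from the patent: the patent names the tables (SDP user table, service authorization table, service information table) and the order in which they are consulted, but not their layout, so the field names and every sample entry below are assumptions constructed for this example. The second path is written so that it ties the decision back to the requesting terminal's own binding; the patent does not say how that tie-back is done, and without it any online user would be approved as soon as some authorized user had a binding.

```python
"""
Added example, not the patent's code: the two authorization lookups of step S14
run over small in-memory tables. Table layouts and sample entries are assumptions.
"""

# SDP user table (step S17): user name -> MAC-IP binding recorded after DHCP.
SDP_USER_TABLE = {
    "robot-07": {"mac": "aa:bb:cc:00:00:07", "ip": "10.20.0.7"},
    "cam-12": {"mac": "aa:bb:cc:00:00:12", "ip": "10.20.0.12"},
}
# Preset correspondence between user name and user ID.
USER_IDS = {"robot-07": 1007, "cam-12": 1012}
# Service information table: target service IP -> service ID.
SERVICE_INFO_TABLE = {"10.30.1.5": 501, "10.30.1.6": 502}
# Service authorization table: service ID -> user IDs allowed to access it.
SERVICE_AUTH_TABLE = {501: {1007}, 502: {1007, 1012}}


def user_name_for_ip(terminal_ip):
    """Look the requesting terminal up in the SDP user table by the IP it was leased."""
    for name, binding in SDP_USER_TABLE.items():
        if binding["ip"] == terminal_ip:
            return name
    return None


def authorize_by_user(terminal_ip, service_ip):
    """First implementation: terminal IP -> user name -> user ID, then check the
    service authorization table. Returns (allowed, reason)."""
    user_name = user_name_for_ip(terminal_ip)
    if user_name is None:
        return False, "terminal IP has no MAC-IP binding in the SDP user table"
    user_id = USER_IDS.get(user_name)
    service_id = SERVICE_INFO_TABLE.get(service_ip)
    if user_id is None or service_id is None:
        return False, "unknown user ID or unknown target service"
    if user_id not in SERVICE_AUTH_TABLE.get(service_id, set()):
        return False, f"user {user_name} is not in the authorization table for service {service_id}"
    return True, f"user {user_name} ({user_id}) may access service {service_id}"


def authorize_by_service(terminal_ip, service_ip):
    """Second implementation: target service IP -> service ID -> authorized user
    IDs, then check that the requesting terminal's user is one of them (assumed
    tie-back via the terminal's entry in the SDP user table)."""
    service_id = SERVICE_INFO_TABLE.get(service_ip)
    if service_id is None:
        return False, "target service IP not in the service information table"
    allowed_ids = SERVICE_AUTH_TABLE.get(service_id)
    if not allowed_ids:
        return False, f"service {service_id} has no authorized users"
    user_name = user_name_for_ip(terminal_ip)
    if user_name is None or USER_IDS.get(user_name) not in allowed_ids:
        return False, "requesting user is not among the users authorized for the service"
    return True, f"user {user_name} may access service {service_id}"
```

Both functions deny by default: a terminal that never completed DHCP through the wireless access device has no binding in the SDP user table and is refused before any service table is consulted.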
Fig. 3 is a flowchart illustrating a network access method, as shown in fig. 3, applied to a wireless access device, according to an exemplary embodiment, including the steps of:
In step S21, a network access request of the terminal device is sent to the SDP controller, where the network access request is used for authenticating the terminal device by the SDP controller.
In step S22, after the authentication is passed, a service access authorization request is sent to the SDP controller.
In step S23, an authorization response of the service access authorization request sent by the SDP controller is received, and when the authorization response is used to indicate that the service access authorization request passes, an SPA packet is sent to the SDP gateway, so as to establish a communication connection between the wireless access device and the SDP gateway and between the wireless access device and the target service, where the communication connection is used for the terminal device to access the target service.
The above methods in steps S21 to S23 have been described above, and specific reference may be made to the methods in steps S11 to S14, which are not described in detail.
Through the scheme, the wireless access device sends a network access request of the terminal device to the SDP controller, which authenticates the terminal device from it; after the authentication passes, the wireless access device sends a service access authorization request to the SDP controller; it then receives the SDP controller's authorization response and, when the response indicates that the service access authorization request passes, sends an SPA packet to the SDP gateway so as to establish communication connections between the wireless access device and the SDP gateway and between the wireless access device and the target service, which the terminal device uses to access the target service. In this way the connection between the terminal device and the SDP controller is established through the wireless access device, and once authentication of the terminal device and access authorization for the target service are complete, the wireless access device supplies the conditions for reaching the SDP gateway on the terminal's behalf. The terminal device therefore needs no SDP-specific modification to access a service in an industrial network protected by SDP, which avoids the problem that a terminal device without an SDP access function cannot access the target service based on SDP.
Fig. 4 is a flowchart of a network access method according to an exemplary embodiment, as shown in fig. 4, before sending a service access authorization request to the SDP controller after the authentication result in step S21 is that the authentication is passed, the method may further include the following steps:
in step S24, an IP address is assigned to the terminal device by the wireless access device.
In step S25, the MAC-IP mapping relationship of the terminal device is determined according to the IP address and the MAC address of the terminal device, and the information including the MAC-IP mapping relationship is sent to the SDP controller, where the SDP controller records the MAC-IP mapping relationship in an SDP user table, where the SDP user table is used by the SDP controller to generate an authorization response for the service access authorization request.
The above methods in steps S24 to S25 have been described above, and specific reference may be made to the methods in steps S15 to S17, which are not described in detail.
Fig. 5 is a flowchart of a network access method according to an exemplary embodiment, and as shown in fig. 5, after the authentication is passed, the step S22 sends a service access authorization request to the SDP controller, including the following steps:
in step S221, an authentication result of the network access request is acquired from the SDP controller.
In step S222, after the authentication is passed, a service connection request transmitted by the terminal device is received.
For example, after the authentication of the network access request is passed, the SDP controller may notify the wireless access device, and after the wireless access device obtains a message that the authentication is passed, notify the terminal device that the authentication is passed through a wireless access channel with the terminal device, at this time, the terminal device may initiate a request to a target service to be accessed, and the wireless access device may receive a service connection request sent by the terminal device to the target service, where the service connection request may include information of the target service to be accessed by the terminal device, such as a target service IP address.
Optionally, the target service IP address may be obtained by a DNS request and/or by preconfiguration.
In step S223, the service connection request is redirected to the wireless access device to cause the wireless access device to establish a connection with the terminal device instead of the target service.
For example, when the service connection request is sent to the wireless access device, the wireless access device may redirect the target service IP address in the service connection request flowing through the wireless access device to the IP address of the wireless access device according to a rule configured in advance, so as to establish a connection with the terminal device instead of the target service.
In one implementation, the wireless access device may redirect, according to a preconfigured rule, the flow flowing through the wireless access device to a listening port of the forwarding module thereof, and the forwarding module processes the flow, where the forwarding module establishes a connection with the terminal device after receiving the data packet.
In step S224, after the wireless access device establishes a connection with the terminal device instead of the target service, a service access authorization request is sent to the SDP controller.
For example, after the wireless access device establishes a connection with the terminal device instead of the target service, a service access authorization request carrying the IP address of the target service is sent to the SDP controller.
Fig. 6 is a flowchart of a network access method according to an exemplary embodiment, where, as shown in fig. 6, when the authorization response is used to indicate that the service access authorization request passes, an SPA packet is sent to the SDP gateway in the foregoing step S23, so as to establish a communication connection between the wireless access device and the SDP gateway and between the wireless access device and the target service, where the communication connection is used for the terminal device to access the target service, and the method includes the following steps:
in step S231, when the authorization response indicates that the service access authorization request passes, the SPA packet is determined according to the authorization response.
For example, the method of generating the authorization response has been described above; step S17 may be referred to specifically, and it is not repeated here.
In one implementation, the message indicating successful authorization may carry the target service IP or service ID that the terminal device requests to access (as found in the SDP controller), the authority with which the target service may be accessed, and the address of the SDP gateway to which the target service belongs; the wireless router then determines the SPA packet from that target service IP or service ID, the terminal device's authority to access the target service, and the SDP gateway address.
In another implementation, the SDP controller may first issue the response indicating successful authorization and then separately issue to the wireless access device the target service IP or service ID that the terminal device requested, the authority to access the target service, and the address of the SDP gateway to which the target service belongs, all looked up in the SDP controller; the wireless router determines the SPA packet from these in the same way.
In step S232, a SPA packet is sent to the SDP gateway, where the SPA packet is used to establish a first connection between the SDP gateway and the target service.
For example, after receiving the SPA packet, the SDP gateway may establish a first connection between the corresponding SDP gateway and the corresponding target service according to the target service IP or service ID included in the SPA packet, the authority of the terminal device to access the target service, and the SDP gateway address affiliated to the target service.
Optionally, after receiving the SPA packet, the SDP gateway may open its forwarding port so as to receive the service access packets sent by the terminal device and forward them to the server module or device that hosts the service.
In one implementation, after receiving the SPA packet, the SDP gateway may perform a check on the SPA packet including integrity verification, anti-replay check, and user authority check, and notify a forwarding module of the SDP gateway to open a corresponding port after passing the check, and may also establish a first connection between the SDP gateway and the target service after passing the check.
In step S233, when the SPA packet is successfully sent, a second connection between the wireless access device and the SDP gateway is established.
In one implementation, the wireless router establishes a second connection between its forwarding module and a forwarding module in the SDP gateway after determining that the SPA packet was successfully sent.
In step S234, a connection between the wireless access device and the target service is established through the first connection and the second connection, so that the terminal device accesses the target service.
Illustratively, based on the first connection and the second connection established in step S232 and step S233, the wireless access device may establish a connection with the target service, and the service request of the wireless terminal may be sent to the target industrial application service through the wireless router and the SDP gateway.
Optionally, the method further includes establishing a connection mapping between the terminal device and the SDP gateway, so that the terminal device accesses the target service through the SDP gateway.
For example, the wireless access device may serve one or more terminal devices. If it has two terminal devices A and B attached at the same time, it acts as proxy for both; on receiving terminal device A's access to target service 1, it establishes a mapping between terminal device A and the SDP gateway to which target service 1 belongs, so that terminal device A's service requests are sent to the corresponding SDP gateway.
Optionally, the method further includes monitoring the connection state between the terminal device and the target service and, once the terminal device has finished accessing the target service, disconnecting the connection between the wireless access device and the terminal device and/or the connection between the wireless access device and the SDP gateway.
For example, in one implementation, the forwarding module of the wireless router may track the connection state of the terminal device and, after the terminal device has finished accessing the target service, tear down the connection between the terminal device and the wireless access device and/or the connection between the wireless router and the SDP gateway.
Before a service is accessed, a network connection between the terminal device and the SDP-based industrial network in which the protected service is located may first be established. The wireless access device may be a wireless router that includes a wireless security access module, a DHCP snooping (interception) module, and a DHCP/DNS service; when the SDP controller includes a RADIUS (Remote Authentication Dial In User Service) server and a network access control module, fig. 8 is a flowchart of a network access method which, as shown in fig. 8, includes the following steps:
in step S81, the wireless terminal device transmits a network access request to the wireless security access module of the wireless router.
For example, after the network access request is sent to the wireless router, the wireless security access module performs identity verification, and the identity verification method for the terminal device has been described above, and the method described in step S11 may be specifically referred to, which is not repeated.
In step S82, the wireless security access module forwards the network access request to the RADIUS server of the SDP controller.
In step S83, after receiving the network access request from the wireless security access module, the RADIUS server forwards the information carried in the request to the network access control module of the SDP controller.
For example, the network access control module may search the SDP user table for user information according to information carried in the request, such as a user name.
In step S84, the RADIUS server determines whether to allow the user who initiates the request to access the network according to the return message of the network access control module, and returns the authentication result to the wireless router, and may also return the authentication result to the wireless terminal device through the wireless router.
In one implementation, the network access request of the wireless terminal device is sent to the RADIUS server through the wireless security access module, and the RADIUS server performs authentication on the user according to the returned user information of the network access control module, and then determines whether the user is allowed to access the SDP-based network according to the policy and the authorization rule.
In step S85, when the determination returned in step S84 is that access is permitted, the wireless terminal device requests an IP address from the wireless access device.
In step S86, the wireless terminal device is assigned an IP address by the wireless router DHCP service.
The method for requesting to allocate the IP address has been described above, and the method described in step S15 may be referred to specifically, and will not be described in detail.
In step S87, the wireless security access module obtains the MAC-IP mapping from the DHCP snooping (interception) service, sends it to the RADIUS server in a RADIUS interim accounting packet, and the mapping is recorded into the SDP user table through the network access control module.
For example, the network resources a user has consumed, sampled at regular intervals (the IP address in use, traffic volume, duration, and so on), can be reported to the RADIUS server in interim accounting packets as the server's basis for accounting, and the same packet carries the MAC-IP mapping here. The method of recording the MAC-IP mapping into the SDP user table has been described above; steps S16-S17 may be referred to specifically, and it is not repeated.
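The interim accounting exchange of step S87, as an added example that is not the patent's own code: the wireless router builds a RADIUS Accounting-Request of type Interim-Update (RFC 2866) carrying the terminal's MAC and IP, and the RADIUS server of the SDP controller verifies the Request Authenticator before handing the mapping to the network access control module. RFC 2866 fixes the packet layout and the authenticator computation; the choice of attributes used to carry the mapping (Calling-Station-Id for the MAC, Framed-IP-Address for the IP), the shared secret and all sample values are assumptions made for this example.

```python
"""
Added example, not code from the patent: RADIUS Accounting-Request / Interim-Update
carrying a MAC-IP mapping (router side) and its verification and recording
(controller side). Attribute choice, secret and sample values are assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4          # RFC 2866 packet code
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31    # carries the terminal MAC (assumed convention)
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_INTERIM_UPDATE = 3


def _avp(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_interim_update(identifier, secret, user_name, mac, ip, nas_ip, session_id):
    """Wireless router (NAS) side: Accounting-Request (Interim-Update) with the mapping."""
    attrs = b"".join([
        _avp(ATTR_USER_NAME, user_name.encode()),
        _avp(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        _avp(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        _avp(ATTR_CALLING_STATION_ID, mac.encode()),
        _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE)),
        _avp(ATTR_ACCT_SESSION_ID, session_id.encode()),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_interim_update(packet, secret):
    """RADIUS server (SDP controller) side: verify the authenticator, then extract
    user name, MAC and IP. Raises ValueError on any malformed or unauthentic packet."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch (wrong secret or tampered packet)")
    fields, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 3 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        fields[attr_type] = attrs[pos + 2:pos + attr_len]
        pos += attr_len
    for required in (ATTR_USER_NAME, ATTR_CALLING_STATION_ID,
                     ATTR_FRAMED_IP_ADDRESS, ATTR_ACCT_SESSION_ID):
        if required not in fields:
            raise ValueError(f"missing attribute {required}")
    if fields.get(ATTR_ACCT_STATUS_TYPE) != struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE):
        raise ValueError("not an Interim-Update")
    return {
        "user": fields[ATTR_USER_NAME].decode(),
        "mac": fields[ATTR_CALLING_STATION_ID].decode(),
        "ip": str(ipaddress.IPv4Address(fields[ATTR_FRAMED_IP_ADDRESS])),
        "session": fields[ATTR_ACCT_SESSION_ID].decode(),
    }


def record_mapping(sdp_user_table, packet, secret):
    """Network access control module: record the MAC-IP binding under the user name
    (step S17). The table is only touched after the packet has verified."""
    mapping = parse_interim_update(packet, secret)
    sdp_user_table.setdefault(mapping["user"], {}).update(mac=mapping["mac"], ip=mapping["ip"])
    return mapping
```

The MD5 Request Authenticator only proves that the sender knows the shared secret; it encrypts nothing and is weak by current standards. Because a forged interim packet would plant a MAC-IP binding that every later authorization decision relies on, the router-to-controller RADIUS path should be carried over RADIUS/TLS (RadSec, RFC 6614) or an IPsec tunnel rather than bare UDP.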
After the wireless terminal device completes access authentication and obtains an IP address, an SDP transparent proxy module in the wireless router and the SDP gateway establish a data channel through which the wireless terminal device accesses the target service. Here the wireless router further includes a transparent proxy module consisting of a forwarding module and an SPA sending module, the SDP gateway further includes a forwarding module and an SPA verification module, and the SDP controller further includes a service access control module. Fig. 9 is a flowchart illustrating a process for establishing the data channel according to an exemplary embodiment; as shown in fig. 9, it includes the following steps:
In step S91, a connection between the forwarding module of the wireless router and the wireless terminal device is established.
For example, the wireless terminal device first needs to obtain the target service IP address corresponding to the target service, which may be done by a DNS request or by preconfiguration. After obtaining the IP address of the target service, the wireless terminal device initiates a connection request to it; the wireless router redirects the service connection request passing through it to a listening port of its forwarding module according to the configured rules, the forwarding module processes the request, and after receiving the data packet containing the service connection request the forwarding module establishes the connection with the wireless terminal device in place of the target service.
In one implementation, upon receiving a service connection request that includes the target service IP address, the forwarding module rewrites the request so that the IP address of the wireless router becomes its target address, and establishes the connection with the wireless terminal device in place of the target service.
In step S92, after the forwarding module of the wireless router establishes a connection with the wireless terminal device, the forwarding module sends a message for requesting to send an SPA packet to the SPA sending module, so as to trigger the SPA sending module to start an SDP security access procedure.
In step S93, the SPA sending module in the wireless router sends a service access authorization request to the service access control module in the SDP controller.
In step S94, the service access control module of the SDP controller generates an authorization response according to the user table and the user service table and returns it to the wireless router. When the authorization response permits access, the SPA sending module obtains the information and permissions needed to construct and send the SPA packet, which may include the gateway to which the protected service belongs, the target service the wireless terminal device is to access, and the authority with which the wireless terminal device may access that target service.
The method of the authorization response of the SDP controller has been described above, and the method described in step S17 may be referred to specifically, and will not be described again.
In step S95, after obtaining the permission of the service access control module, the SPA sending module in the wireless router sends a SPA packet to the SDP gateway for requesting to open the forwarding port.
In step S96, after receiving the SPA packet, the SDP gateway checks the SPA packet with a SPA verification module, which may include integrity verification, anti-replay check, and user authority examination, and notifies the forwarding module of the SDP gateway to open a corresponding forwarding port after the verification is passed.
The forwarding port is used for receiving a service access message sent by a terminal equipment user by the SDP gateway and forwarding the message to a server needing to access the service.
In step S97, the SPA sending module of the wireless router sends a message that the SPA packet has been sent to the forwarding module of the wireless router, for instructing the forwarding module of the wireless router to establish a connection with the forwarding module of the SDP gateway.
In step S98, the forwarding module of the wireless router establishes a connection with the forwarding module of the SDP gateway.
In step S99, the forwarding module of the SDP gateway establishes a connection with the protected service according to the information in the SPA packet.
The foregoing description has been given by way of example of establishing a communication connection between a wireless router and a target service through an SPA packet, and the method described in the embodiment of fig. 6 may be specifically referred to, which will not be repeated.
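The SPA exchange of steps S95-S96 (and of steps S231-S232 in the fig. 6 embodiment), as an added example that is not code from the patent: the wireless router's SPA sending module builds one packet from the user it proxies for, the target service and the granted authority, and the gateway's SPA verification module performs the three checks the text names, integrity, anti-replay and user authority, in that order, before opening the forwarding port. The patent does not fix a packet format, so the layout, the HMAC-SHA256 tag, the timestamp-plus-nonce replay defence, the per-user key and every sample value below are assumptions made for this example.

```python
"""
Added example, not the patent's code: single packet authorization (SPA) from the
wireless router's SPA sending module to the SDP gateway's SPA verification module.
Packet format, keys and sample values are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time

SPA_VERSION = 1
# version, user_id, service_id, permission, timestamp, nonce
HDR = "!BIIBQ16s"
HDR_LEN = struct.calcsize(HDR)  # 34 bytes
TAG_LEN = 32                    # HMAC-SHA256 over the header


def build_spa(user_id, service_id, permission, key, now=None, nonce=None):
    """SPA sending module (wireless router): one authenticated knock for the gateway."""
    ts = int(time.time()) if now is None else int(now)
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    body = struct.pack(HDR, SPA_VERSION, user_id, service_id, permission, ts, nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaVerifier:
    """SPA verification module (SDP gateway)."""

    def __init__(self, user_keys, service_auth, service_ports, window=30):
        self.user_keys = user_keys          # user_id -> per-user SPA key (issued by the controller)
        self.service_auth = service_auth    # service_id -> {user_id: maximum permission}
        self.service_ports = service_ports  # service_id -> forwarding port to open
        self.window = window                # accepted clock skew in seconds
        self.seen = {}                      # nonce -> time after which it may be forgotten
        self.open_ports = set()

    def verify(self, packet, now=None):
        """Returns (accepted, reason). The forwarding port is opened only on success."""
        now = int(time.time()) if now is None else int(now)
        if len(packet) != HDR_LEN + TAG_LEN:
            return False, "bad length"
        body, tag = packet[:HDR_LEN], packet[HDR_LEN:]
        version, user_id, service_id, permission, ts, nonce = struct.unpack(HDR, body)
        if version != SPA_VERSION:
            return False, "unsupported version"
        key = self.user_keys.get(user_id)
        if key is None:
            return False, "unknown user"
        # 1. integrity: constant-time comparison of the HMAC tag
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return False, "integrity check failed"
        # 2. anti-replay: timestamp inside the window and a nonce never seen before
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = now + 2 * self.window  # outlives any timestamp still acceptable
        # 3. user authority: requested permission must not exceed what the controller granted
        granted = self.service_auth.get(service_id, {}).get(user_id)
        if granted is None or permission > granted:
            return False, "user not authorized for service at that permission"
        port = self.service_ports.get(service_id)
        if port is None:
            return False, "no forwarding port configured for service"
        self.open_ports.add(port)
        return True, f"forwarding port {port} opened for user {user_id} -> service {service_id}"
```

Because the router sends the SPA packet on behalf of the terminals it proxies, the key it holds is effectively the key of every terminal behind it: a compromised router can knock for all of them, which is why the MAC-IP binding and the per-user authority are also enforced at the SDP controller rather than at the gateway alone.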
Fig. 10 is a network access device according to an exemplary embodiment, which is applied to an SDP controller, and as shown in fig. 10, the network access device 1000 includes: a receiving module 1001, an authenticating module 1002, and a responding module 1003.
The receiving module 1001 is configured to receive a network access request of a terminal device sent by a wireless access device;
The authentication module 1002 is configured to authenticate a terminal device according to a network access request;
the receiving module 1001 is further configured to receive, after the authentication is passed, a service access authorization request sent by the wireless access device, where the service access authorization request is used to indicate a target service to be accessed by the terminal device;
the response module 1003 is configured to send an authorization response for the service access authorization request to the wireless access device, and when the authorization response is used to indicate that the service access authorization request passes, cause the wireless access device to send an SPA packet to the SDP gateway, where the SPA packet is used to establish a communication connection between the wireless access device and the SDP gateway and between the wireless access device and the target service, and the communication connection is used for the terminal device to access the target service.
Optionally, the network access device 1000 further includes:
the sending module is used for sending an authentication passing message to the wireless access equipment after the authentication is passed, wherein the authentication passing message is used for indicating the wireless access equipment to establish the MAC-IP mapping relation for the terminal equipment;
the receiving module is used for receiving information comprising the MAC-IP mapping relation sent by the wireless access equipment;
and the recording module is used for recording the MAC-IP mapping relation into an SDP user table, and the SDP user table is used for generating an authorization response of the service access authorization request.
By this scheme, the connection between the terminal device and the SDP controller is established through the wireless access device, and once authentication of the terminal device and access authorization for the target service are complete, the wireless access device supplies the conditions for reaching the SDP gateway on the terminal's behalf. The terminal device therefore needs no SDP-specific modification to access business services in the industrial network protected by SDP, which avoids the problem that a terminal device without an SDP access function cannot access the target service based on SDP.
Fig. 11 is a network access apparatus according to an exemplary embodiment, which is applied to a wireless access device, and as shown in fig. 11, the network access apparatus 1100 includes: a communication module 1101 and a connection establishment module 1102.
The communication module 1101 is configured to send a network access request of the terminal device to the SDP controller, where the network access request is used for authenticating the terminal device by the SDP controller;
the communication module 1101 is further configured to send a service access authorization request to the SDP controller after the authentication is passed;
the connection establishment module 1102 is configured to receive an authorization response of the service access authorization request sent by the SDP controller, and send an SPA packet to the SDP gateway when the authorization response is used to indicate that the service access authorization request passes, so as to establish a communication connection between the wireless access device and the SDP gateway and between the wireless access device and the target service, where the communication connection is used for the terminal device to access the target service.
Optionally, the network access device 1100 further includes:
the distribution module is used for distributing IP addresses to the terminal equipment through the wireless access equipment;
the mapping module is used for determining the MAC-IP mapping relation of the terminal equipment according to the IP address and the MAC address of the terminal equipment, sending the information comprising the MAC-IP mapping relation to the SDP controller, recording the MAC-IP mapping relation into an SDP user table by the SDP controller, and generating an authorization response of the service access authorization request by the SDP controller.
Optionally, the communication module 1101 is configured to:
acquiring an authentication result of the network access request from the SDP controller;
after passing the authentication, receiving a service connection request sent by the terminal equipment;
redirecting the service connection request to the wireless access device to enable the wireless access device to establish connection with the terminal device instead of the target service;
after the wireless access device establishes connection with the terminal device instead of the target service, a service access authorization request is sent to the SDP controller.
The connection establishment module 1102 is configured to:
when the authorization response indicates that the service access authorization request passes, determining an SPA packet according to the authorization response;
the SPA packet is sent to the SDP gateway and used for establishing a first connection between the SDP gateway and the target service;
When the SPA packet is successfully sent, establishing a second connection between the wireless access equipment and the SDP gateway;
and establishing connection between the wireless access equipment and the target service through the first connection and the second connection so as to enable the terminal equipment to access the target service.
Optionally, the connection establishment module 1102 is further configured to:
and establishing a connection mapping between the terminal equipment and the SDP gateway so that the terminal equipment accesses the target service through the SDP gateway.
Optionally, the network access device 1100 further includes:
the monitoring module is used for monitoring the connection state between the terminal device and the target service, and for disconnecting the connection between the wireless access device and the terminal device and/or the connection between the wireless access device and the SDP gateway after the terminal device has finished accessing the target service.
By this scheme, the connection between the terminal device and the SDP controller is established through the wireless access device, and once authentication of the terminal device and access authorization for the target service are complete, the wireless access device supplies the conditions for reaching the SDP gateway on the terminal's behalf. The terminal device therefore needs no SDP-specific modification to access business services in the industrial network protected by SDP, which avoids the problem that a terminal device without an SDP access function cannot access the target service based on SDP.
The specific manner in which the various modules perform the operations in the apparatus of the above embodiments have been described in detail in connection with the embodiments of the method, and will not be described in detail herein.
Fig. 12 is a block diagram of a network access system according to an exemplary embodiment. A network access system is further provided which, as shown in fig. 12, includes a wireless terminal 01, a wireless router 02, an SDP controller 03, an SDP gateway 04, and an industrial application service 05 on a server. There may be one or more wireless terminals (wireless terminals 1-n as shown in fig. 12), which may be intelligent robots, intelligent sensors (temperature, humidity), intelligent cameras and the like in the industrial internet of things; there may likewise be one or more industrial application services 05 (application services 1-n as shown in fig. 12).
The wireless router 02 is configured to receive a network access request of the wireless terminal 01, and send the network access request to the SDP controller 03;
the SDP controller 03 is configured to authenticate the terminal device 01 according to a network access request;
the wireless router 02 is further configured to send a service access authorization request of the terminal device 01 to the SDP controller 03;
The SDP controller 03 is further configured to perform an authorization response for a service access authorization request sent by the wireless router 02;
the wireless router 02 is further configured to send an SPA packet to the SDP gateway 04 when the authorization response is used to indicate that the service access authorization request is passed, and establish a communication connection with the SDP gateway 04 and the industrial application service 05 according to the SPA packet, where the communication connection is used for the terminal device 01 to access the industrial application service 05.
The specific methods executed by the wireless terminal 01, the wireless router 02, the SDP controller 03, the SDP gateway 04, and the industrial application service 05 may refer to the network access methods shown in the foregoing embodiments, and will not be described herein.
By this scheme, the connection between the terminal device and the SDP controller is established through the wireless access device, and once the terminal device has been authenticated and access to the target service has been authorized, the wireless access device provides the means of reaching the SDP gateway. The terminal device therefore needs no SDP modification of its own, can access the industrial network business service protected by the SDP, and the problem that a terminal device without an SDP access function cannot access an SDP-based target service is avoided.
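The exchange described in the system embodiment above, together with the MAC-IP user table of claims 2 and 4, the SPA step of claim 6 and the teardown of claim 8, written out as an added Python example. This is illustrative code prepared for this page, not the patent's or the applicant's own implementation. The patent does not specify message formats, how the controller authenticates a terminal, or what an SPA packet contains, so the HMAC-based credential check, the JSON-encoded messages, the HMAC-tagged SPA packet with a 30-second freshness window, the pre-shared keys, and the MAC addresses, IP addresses and service names are all constructed assumptions of this example. It walks one sensor and one rogue terminal through the steps: the controller refuses a terminal that never authenticated or whose reported IP does not match the recorded MAC-IP mapping, and the gateway opens a flow only for a verified, fresh SPA packet.

```python
"""Proxied SDP exchange from the patent, as an added example (not the patent's code): the
wireless access device performs the SDP steps for a terminal that has no SDP client.
Message fields, credential store, policy table and SPA layout are assumptions here."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field


def _tag(key, body):  # HMAC over canonical JSON: the assumed SPA authentication tag
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


@dataclass
class SdpController:
    credentials: dict  # constructed: terminal MAC -> pre-shared secret
    policy: dict  # constructed: terminal MAC -> services it may reach
    spa_key: bytes  # key shared with the SDP gateway (assumed)
    user_table: dict = field(default_factory=dict)  # "SDP user table": MAC -> IP

    def authenticate(self, request):
        """Authenticate the terminal from the network access request the router forwarded."""
        secret = self.credentials.get(request["mac"], b"")  # unknown MAC -> empty key -> mismatch
        expected = hmac.new(secret, request["nonce"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, request["proof"])

    def record_mapping(self, mac, ip):
        """Claim 2: record the MAC-IP mapping reported by the access device."""
        self.user_table[mac] = ip

    def authorize(self, request):
        """Answer a service access authorization request against the user table and policy."""
        mac, ip, service = request["mac"], request["ip"], request["service"]
        # Refuse if the terminal never authenticated, its IP differs from the recorded
        # mapping, or the service is outside its policy; no SPA material is issued.
        if self.user_table.get(mac) != ip or service not in self.policy.get(mac, ()):
            return {"passed": False}
        spa = {"client_ip": request["router_ip"], "service": service, "ts": int(time.time())}
        spa["tag"] = _tag(self.spa_key, spa)  # the router sends this on as the SPA packet (claim 6)
        return {"passed": True, "spa": spa}


@dataclass
class SdpGateway:
    spa_key: bytes
    services: set
    open_flows: set = field(default_factory=set)  # (source IP, service) pairs admitted

    def receive_spa(self, spa):
        """Open the service for the sender only if the SPA packet verifies and is fresh."""
        body = {k: v for k, v in spa.items() if k != "tag"}
        if (not hmac.compare_digest(_tag(self.spa_key, body), spa["tag"])
                or spa["service"] not in self.services or abs(time.time() - spa["ts"]) > 30):
            return False
        self.open_flows.add((spa["client_ip"], spa["service"]))
        return True


@dataclass
class WirelessAccessDevice:
    ip: str
    controller: SdpController
    gateway: SdpGateway
    next_host: int = 10
    sessions: dict = field(default_factory=dict)  # terminal MAC -> (IP, service)

    def onboard(self, mac, proof, nonce):
        """Forward the access request; on success assign an IP and report the mapping (claims 3, 4)."""
        if not self.controller.authenticate({"mac": mac, "proof": proof, "nonce": nonce}):
            return None
        ip, self.next_host = f"10.0.0.{self.next_host}", self.next_host + 1
        self.controller.record_mapping(mac, ip)
        return ip

    def connect(self, mac, ip, service):
        """Request authorization, send the SPA packet, open the proxied connection (claims 3, 6)."""
        resp = self.controller.authorize({"mac": mac, "ip": ip, "service": service, "router_ip": self.ip})
        if not resp["passed"] or not self.gateway.receive_spa(resp["spa"]):
            return False
        self.sessions[mac] = (ip, service)
        return True

    def finish(self, mac):
        """Claim 8: tear down the gateway flow once the terminal is done with the service."""
        _, service = self.sessions.pop(mac)
        self.gateway.open_flows.discard((self.ip, service))


def run_exchange():
    # Walk a constructed sensor (and one unknown terminal) through the exchange.
    key, secret, mac = b"constructed-spa-key", b"constructed-sensor-secret", "aa:bb:cc:00:00:01"
    controller = SdpController({mac: secret}, {mac: {"scada-historian"}}, key)
    gateway = SdpGateway(key, {"scada-historian", "plc-engineering"})
    router = WirelessAccessDevice("192.0.2.1", controller, gateway)
    proof = hmac.new(secret, b"n-001", hashlib.sha256).hexdigest()
    out = {"rogue_ip": router.onboard("de:ad:be:ef:00:01", proof, "n-001")}  # unknown MAC
    ip = out["sensor_ip"] = router.onboard(mac, proof, "n-001")
    out["mapping_recorded"] = controller.user_table.get(mac) == ip
    out["plc_allowed"] = router.connect(mac, ip, "plc-engineering")  # outside policy
    out["spoof_allowed"] = router.connect(mac, "10.0.0.99", "scada-historian")  # wrong IP
    out["historian_allowed"] = router.connect(mac, ip, "scada-historian")
    out["flow_open"] = ("192.0.2.1", "scada-historian") in gateway.open_flows
    router.finish(mac)
    out["flow_closed"] = not gateway.open_flows
    return out
```

One point the simulation makes visible is that the SPA packet authenticates the wireless access device, not the terminal behind it: the gateway sees only the router's address, so the controller's user table is the single place where a terminal's identity is tied to the IP it was given. That is why `authorize` re-checks the recorded MAC-IP mapping instead of trusting the router's request alone, and why a practitioner reviewing such a design would look at how the access device binds a terminal's MAC to its assigned IP and how that binding is protected on the wireless segment.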
Fig. 13 is a block diagram of an electronic device 1300, according to an example embodiment. As shown in fig. 13, the electronic device 1300 may include: processor 1301, memory 1302. The electronic device 1300 may also include one or more of a multimedia component 1303, an input/output (I/O) interface 1304, and a communication component 1305.
The processor 1301 is configured to control the overall operation of the electronic device 1300 to perform all or part of the steps in the network access method described above. The memory 1302 is used to store various types of data to support operations at the electronic device 1300, which may include, for example, instructions for any application or method operating on the electronic device 1300, as well as application-related data, such as contact data, transceived messages, pictures, audio, video, and the like. The memory 1302 may be implemented by any type or combination of volatile or non-volatile memory devices such as static random access memory (Static Random Access Memory, SRAM for short), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM for short), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM for short), programmable read-only memory (Programmable Read-Only Memory, PROM for short), read-only memory (Read-Only Memory, ROM for short), magnetic memory, flash memory, magnetic disk, or optical disk. The multimedia component 1303 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signals may be further stored in the memory 1302 or transmitted through the communication component 1305. The audio component further comprises at least one speaker for outputting audio signals. The I/O interface 1304 provides an interface between the processor 1301 and other interface modules, which may be a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 1305 is used for wired or wireless communication between the electronic device 1300 and other devices.
The wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (Near Field Communication, NFC for short), 2G, 3G, 4G, NB-IoT, eMTC, 5G, or a combination of two or more of these, and is not limited herein. The corresponding communication component 1305 may therefore comprise a Wi-Fi module, a Bluetooth module, an NFC module, etc.
In an exemplary embodiment, the electronic device 1300 may be implemented by one or more application specific integrated circuits (Application Specific Integrated Circuit, abbreviated as ASIC), digital signal processors (Digital Signal Processor, abbreviated as DSP), digital signal processing devices (Digital Signal Processing Device, abbreviated as DSPD), programmable logic devices (Programmable Logic Device, abbreviated as PLD), field programmable gate arrays (Field Programmable Gate Array, abbreviated as FPGA), controllers, microcontrollers, microprocessors, or other electronic components for performing the network access methods described above.
In another exemplary embodiment, a computer readable storage medium is also provided, comprising program instructions which, when executed by a processor, implement the steps of the network access method described above. For example, the computer readable storage medium may be the memory 1302 including program instructions described above that are executable by the processor 1301 of the electronic apparatus 1300 to perform the network access method described above.
Fig. 14 is a block diagram of an electronic device 1400, shown in accordance with an exemplary embodiment. For example, electronic device 1400 may be provided as a server. Referring to fig. 14, the electronic device 1400 includes a processor 1422, which may be one or more in number, and a memory 1432 for storing computer programs executable by the processor 1422. The computer program stored in memory 1432 may include one or more modules each corresponding to a set of instructions. Further, the processor 1422 may be used to execute the computer program to perform the network access methods described above.
In addition, the electronic device 1400 may also include a power component 1426 and a communication component 1450, the power component 1426 may be used to perform power management of the electronic device 1400, and the communication component 1450 may be used to enable communication of the electronic device 1400, such as wired or wireless communication. In addition, the electronic device 1400 may also include an input/output (I/O) interface 1458. The electronic device 1400 may operate based on an operating system stored in the memory 1432.
In another exemplary embodiment, a computer readable storage medium is also provided, comprising program instructions which, when executed by a processor, implement the steps of the network access method described above. For example, the non-transitory computer readable storage medium may be the memory 1432 including program instructions described above that are executable by the processor 1422 of the electronic device 1400 to perform the network access method described above.
In another exemplary embodiment, a computer program product is also provided, comprising a computer program executable by a programmable apparatus, the computer program having code portions for performing the above-described network access method when executed by the programmable apparatus.
The preferred embodiments of the present disclosure have been described in detail above with reference to the accompanying drawings, but the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solutions of the present disclosure within the scope of the technical concept of the present disclosure, and all the simple modifications belong to the protection scope of the present disclosure.
In addition, the specific features described in the foregoing embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, the present disclosure does not further describe various possible combinations.
Moreover, any combination between the various embodiments of the present disclosure is possible as long as it does not depart from the spirit of the present disclosure, which should also be construed as the disclosure of the present disclosure.

Claims (13)

1. A network access method, applied to an SDP controller, the method comprising:
receiving a network access request of terminal equipment sent by wireless access equipment;
authenticating the terminal equipment according to the network access request;
after the authentication is passed, receiving a service access authorization request sent by the wireless access equipment, wherein the service access authorization request is used for indicating a target service to be accessed by the terminal equipment;
And sending an authorization response for the service access authorization request to the wireless access equipment, and when the authorization response is used for indicating that the service access authorization request passes, enabling the wireless access equipment to send an SPA packet to an SDP gateway, wherein the SPA packet is used for establishing communication connection between the wireless access equipment and the SDP gateway as well as the target service, and the communication connection is used for enabling the terminal equipment to access the target service.
2. The method of claim 1, wherein after the authentication is passed, prior to receiving a service access authorization request sent by the wireless access device, the method further comprises:
sending an authentication passing message to the wireless access equipment, wherein the authentication passing message is used for indicating the wireless access equipment to establish a MAC-IP mapping relation for the terminal equipment;
receiving information comprising the MAC-IP mapping relation sent by the wireless access equipment;
and recording the MAC-IP mapping relation into an SDP user table, wherein the SDP user table is used for generating the authorization response of the service access authorization request.
3. A network access method for a wireless access device, the method comprising:
Sending a network access request of terminal equipment to an SDP controller, wherein the network access request is used for authenticating the terminal equipment by the SDP controller;
after the authentication is passed, sending a service access authorization request to the SDP controller;
and receiving an authorization response of the service access authorization request sent by the SDP controller, and sending an SPA packet to the SDP gateway when the authorization response is used for indicating that the service access authorization request passes, so as to establish communication connection between the wireless access equipment and the SDP gateway and between the wireless access equipment and a target service, wherein the communication connection is used for the terminal equipment to access the target service.
4. The method of claim 3, wherein after the authentication is passed, before sending a service access authorization request to the SDP controller, the method further comprises:
distributing an IP address to the terminal equipment through the wireless access equipment;
and determining a MAC-IP mapping relation of the terminal equipment according to the IP address and the MAC address of the terminal equipment, and sending information comprising the MAC-IP mapping relation to the SDP controller for the SDP controller to record the MAC-IP mapping relation into an SDP user table, wherein the SDP user table is used for the SDP controller to generate the authorization response of the service access authorization request.
5. The method of claim 3, wherein said sending a service access authorization request to the SDP controller after the authentication passes comprises:
acquiring an authentication result of the network access request from the SDP controller;
after the authentication is passed, receiving a service connection request sent by the terminal equipment;
redirecting the service connection request to the wireless access device to enable the wireless access device to establish a connection with the terminal device instead of the target service;
and after the wireless access equipment establishes connection with the terminal equipment instead of the target service, sending a service access authorization request to the SDP controller.
6. The method of claim 3, wherein sending an SPA packet to the SDP gateway when the authorization response indicates that the service access authorization request passed, to establish a communication connection between the wireless access device and the SDP gateway and a target service, the communication connection being for the terminal device to access the target service, comprises:
when the authorization response indicates that the service access authorization request passes, determining an SPA packet according to the authorization response;
The SPA packet is sent to the SDP gateway and is used for establishing a first connection between the SDP gateway and the target service;
when the SPA packet is successfully sent, establishing a second connection between the wireless access device and the SDP gateway;
and establishing connection between the wireless access equipment and the target service through the first connection and the second connection so as to enable the terminal equipment to access the target service.
7. A method according to claim 3, characterized in that the method further comprises:
and establishing a connection mapping between the terminal equipment and the SDP gateway so that the terminal equipment accesses the target service through the SDP gateway.
8. A method according to claim 3, characterized in that the method further comprises:
and monitoring the connection state of the terminal equipment and the target service, and disconnecting the connection of the wireless access equipment and the mobile terminal and/or the connection of the wireless access equipment and the SDP gateway under the condition that the terminal equipment finishes accessing the target service.
9. A network access device for use in an SDP controller, said device comprising:
the receiving module is used for receiving a network access request of the terminal equipment, which is sent by the wireless access equipment;
The authentication module is used for authenticating the terminal equipment according to the network access request;
the receiving module is further configured to receive a service access authorization request sent by the wireless access device after the authentication is passed, where the service access authorization request is used to indicate a target service to be accessed by the terminal device;
and the response module is used for sending an authorization response for the service access authorization request to the wireless access equipment, and when the authorization response is used for indicating that the service access authorization request passes, the wireless access equipment sends an SPA packet to an SDP gateway, wherein the SPA packet is used for establishing communication connection between the wireless access equipment and the SDP gateway and the target service, and the communication connection is used for the terminal equipment to access the target service.
10. A network access apparatus for use with a wireless access device, the apparatus comprising:
the communication module is used for sending a network access request of the terminal equipment to the SDP controller, wherein the network access request is used for authenticating the terminal equipment by the SDP controller;
the communication module is further configured to send a service access authorization request to the SDP controller after the authentication is passed;
And the connection establishment module is used for receiving an authorization response of the service access authorization request sent by the SDP controller, and sending an SPA packet to the SDP gateway when the authorization response is used for indicating that the service access authorization request passes so as to establish communication connection between the wireless access equipment and the SDP gateway and between the wireless access equipment and the target service, wherein the communication connection is used for the terminal equipment to access the target service.
11. An SDP controller, comprising:
a memory having a computer program stored thereon;
a processor for executing said computer program in said memory to carry out the steps of the method of claim 1 or 2.
12. A wireless access device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the method of any of claims 3-8.
13. A network access system comprising the SDP controller of claim 11, the wireless access device of claim 12, an SDP gateway, and a terminal device;
the wireless access device is used for sending a network access request of the terminal device to the SDP controller;
The SDP controller is used for authenticating the terminal equipment according to the network access request;
the wireless access device is further configured to send a service access authorization request to the SDP controller after the authentication is passed;
the SDP controller is further configured to receive a service access authorization request sent by the wireless access device and send an authorization response to the service access authorization request to the wireless access device;
the wireless access device is further configured to receive an authorization response of the service access authorization request sent by the SDP controller, and send an SPA packet to the SDP gateway when the authorization response is used to indicate that the service access authorization request passes, so as to establish a communication connection between the wireless access device and the SDP gateway and between the wireless access device and a target service, where the communication connection is used for the terminal device to access the target service.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311436110.8A CN117596590A (en) 2023-10-31 2023-10-31 Network access method, device, controller, wireless access equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311436110.8A CN117596590A (en) 2023-10-31 2023-10-31 Network access method, device, controller, wireless access equipment and system

Publications (1)

Publication Number Publication Date
CN117596590A true CN117596590A (en) 2024-02-23

Family

ID=89909008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311436110.8A Pending CN117596590A (en) 2023-10-31 2023-10-31 Network access method, device, controller, wireless access equipment and system

Country Status (1)

Country Link
CN (1) CN117596590A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination