WO2013107136A1 - Terminal access authentication method and customer premise equipment - Google Patents

Terminal access authentication method and customer premise equipment

Info

Publication number
WO2013107136A1
Authority
WO
WIPO (PCT)
Prior art keywords
cpe
terminal
message
tunnel
dhcp
Application number
PCT/CN2012/075783
Inventor
黄保庆
孔涛
朱莉
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to RU2013106254/08A (patent RU2556468C2)
Publication of WO2013107136A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Definitions

  • The embodiments of the present invention relate to communication technologies, and in particular, to a terminal access authentication method and a user equipment.
  • CPE: Customer Premise Equipment
  • AP: access point
  • The current wireless local area network (WLAN) needs to be deployed on the resources of the Long Term Evolution-Evolved Packet Core (LTE-EPC) network. For this reason, an existing terminal can directly access the LTE-EPC network. However, when the terminal accesses the WLAN network, it needs to pass through the LTE-EPC network; that is, the LTE-EPC network transparently transmits the information exchanged between the terminal and the WLAN network.
  • The LTE CPE in the prior art has a built-in WiFi AP and an Ethernet port, and lets a smartphone or a personal computer (PC) access the LTE-EPC network through the WiFi interface, or a PC through the Ethernet port. The LTE-EPC network can only perceive the LTE CPE and charges with the LTE CPE as the unit; it cannot perceive the WiFi terminals that access the LTE CPE, so a WiFi terminal cannot be separately authenticated before it accesses the LTE-EPC network. As a result, the WLAN network cannot perform separate authentication, accounting, or Quality of Service (QoS) management for WiFi terminals.
  • Summary of the invention
  • The embodiments of the invention provide a terminal access authentication method and a client device, to solve the prior-art problem that a WLAN network relying on the LTE-EPC network cannot separately authenticate a terminal connected to the CPE.
  • The present invention provides a method for terminal access authentication, including: the client device (CPE) sends a discovery request to each access controller (AC) in the server of the wireless local area network (WLAN) network, according to the Internet Protocol (IP) address of each AC;
  • if the CPE receives a discovery response corresponding to the discovery request returned by any of the ACs, the CPE establishes a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with that AC;
  • the CPE connects the terminal attached to the CPE to the WLAN network by using the CAPWAP tunnel, so that the server of the WLAN network authenticates, through the CAPWAP tunnel, the terminal accessing the WLAN network.
  • The present invention provides a client device, including:
  • a sending unit configured to send a discovery request to each access controller (AC) in a server of the WLAN network according to the IP address of each AC;
  • a receiving unit configured to receive a discovery response corresponding to the discovery request returned by any one of the ACs;
  • an establishing unit configured to establish a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with any of the ACs after the receiving unit receives the discovery response corresponding to the discovery request returned by that AC;
  • an access unit configured to connect a terminal attached to the user equipment to the WLAN network by using the CAPWAP tunnel, so that the server of the WLAN network authenticates the terminal accessing the WLAN network through the CAPWAP tunnel.
  • In the terminal access authentication method and the user equipment of the embodiments of the present invention, the CPE establishes a CAPWAP tunnel, based on the CAPWAP protocol, with an AC in the server of the WLAN network. The CAPWAP tunnel lets a terminal connected to the CPE access the WLAN network and lets the server in the WLAN network authenticate that terminal through the tunnel, which solves the prior-art problem that a WLAN network accessing the LTE-EPC network cannot separately authenticate a terminal connected to the CPE.
  • Drawings
  • To illustrate the technical solution of the present invention more clearly, the drawings used in the embodiments are briefly described below. The following drawings show only some embodiments of the present invention; a person of ordinary skill in the art can obtain, from these drawings and without creative effort, other drawings that also realize the technical solution of the present invention.
  • FIG. 1 is a scenario diagram of a terminal connected to a WLAN network according to the present invention.
  • FIG. 2 is a scenario diagram of a terminal connected to a WLAN network according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method for access authentication of a terminal according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for access authentication of a terminal according to another embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a method for terminal access authentication according to another embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a terminal access authentication method according to another embodiment of the present invention.
  • FIG. 8 is a schematic flowchart of a method for access authentication of a terminal according to another embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a user equipment according to another embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a user equipment according to another embodiment of the present invention.
  • Detailed description
  • In a prior-art solution, the LTE CPE 11 has a built-in AP and is also provided with an Ethernet port, so various terminals can connect directly to the LTE CPE 11; for example, a personal computer (PC) 10 accesses the network through WiFi, or the PC 10 accesses the network through the Ethernet port.
  • The embodiment of the invention provides a method for terminal access authentication, so that a WLAN network accessing an LTE-EPC network can separately authenticate a terminal connected to a CPE.
  • FIG. 2 is a schematic diagram of a scenario in which a terminal is connected to a WLAN network according to an embodiment of the present invention.
  • In the embodiment of the present invention, a thin AP may be integrated into the CPE 21, or a fat AP may be directly connected to it;
  • the LTE-EPC network 22 can be connected to the LTE-EPC network 22 or connected to the WLAN network 23.
  • The terminal 20 can access the LTE-EPC network 22 or connect to the WLAN network 23 through the Ethernet interface.
  • The CPE 21 in the embodiment of the present invention establishes a CAPWAP tunnel between the CPE 21 and the WLAN network accessing the LTE-EPC network, and forwards the information of the terminal connected to the CPE to the WLAN network server through the CAPWAP tunnel, so that the terminal 20 connected to the CPE can access the WLAN network and, through the CAPWAP tunnel, the server of the WLAN network can perform authentication, charging, and QoS management on the terminal connected to the CPE.
  • The CPE 21 shown in FIG. 2 may have a built-in thin AP, or the CPE may be externally connected to a fat AP.
  • The terminal can also connect to the CPE through the Ethernet port.
  • The thin AP described in this embodiment only carries the bridge forwarding function; the functions of terminal access, AP uplink, authentication, routing, AP management, security protocol, and QoS are all completed by the AC and/or the Broadband Remote Access Server (BRAS).
  • The fat AP carries the complete 802.11 function; that is, messages based on the 802.11 protocol can be terminated directly at the fat AP. Each fat AP can be managed independently as a separate network entity on the network, including terminal access, authentication, data forwarding, AP management, security protocols, routing, and QoS.
  • The terminal access method in this embodiment is as follows.
  • The CPE connects the terminal attached to the CPE to the WLAN network of the LTE-EPC network through the CAPWAP tunnel, so that the server of the WLAN network authenticates the terminal accessing the WLAN network through the CAPWAP tunnel.
  • The foregoing CAPWAP tunnel may be a CAPWAP tunnel that the CPE establishes with the server of the WLAN network after the LTE-EPC network attach procedure is completed.
  • The CAPWAP tunnel that the CPE establishes based on the CAPWAP protocol lets the terminal connected to the CPE access the WLAN network, so that the server of the WLAN network can authenticate the terminal through the CAPWAP tunnel, which solves the prior-art problem that the WLAN network cannot separately authenticate a terminal connected to the CPE.
  • FIG. 3 is a schematic flowchart of a method for access authentication of a terminal according to an embodiment of the present invention. As shown in FIG. 3, a method for accessing authentication of a terminal in this embodiment is as follows.
  • The CPE sends a discovery request to each access controller (AC) according to the IP address of each AC.
  • There are multiple ways to obtain the IP address of the AC, such as domain name system (DNS) resolution, a dynamic host configuration protocol (DHCP) option, a statically configured IP address, broadcasting, etc.
  • The manner in which the IP address list information is obtained includes:
  • The CPE obtains the IP address of each AC in the server of the WLAN network from the Packet Data Network (PDN) gateway of the LTE-EPC network, where the LTE-EPC network is the network connected to the WLAN network (the WLAN network accesses the LTE-EPC network, or the WLAN network depends on the LTE-EPC network).
  • The CPE obtains the domain name information of each AC in the server of the WLAN network from the PDN gateway of the LTE-EPC network, sends a domain name resolution request containing the domain name information of each AC to the DNS of the LTE-EPC network, and receives the IP address list that the DNS returns for the domain name resolution request.
  • The IP address list contains the IP addresses of the respective ACs.
  • When there are multiple ACs, the IP address list also includes multiple IP addresses, and each IP address corresponds to one AC.
  • If the CPE receives the discovery response corresponding to the discovery request returned by any of the ACs, the CPE establishes a CAPWAP tunnel with that AC.
  • The CAPWAP tunnel established with the AC in step 302 may include a CAPWAP control plane channel and a CAPWAP data plane channel.
  • When a terminal connects to the CPE, the CPE interacts with the AC through the CAPWAP control plane channel to establish an association between the CPE and the AC for the terminal.
  • The CAPWAP data plane channel is used to enable the terminal to interact with the WLAN network.
  • The CPE connects the terminal attached to the CPE to the WLAN network through the CAPWAP tunnel, so that the server of the WLAN network authenticates the terminal accessing the WLAN network through the CAPWAP tunnel.
  • If the CPE does not receive, from one or more of the ACs, the discovery response corresponding to the discovery request, then after a preset interval (for example, 10s, 5s, 15s, etc.) it re-sends the discovery request to the ACs that did not return a discovery response.
  • the interval preset time in this embodiment may be an interval of 2s, 3s, l is, 20s, 30s, or the like.
  • The terminal connected to the CPE may be a PC connected to the CPE through an external fat AP, a terminal connected to the CPE through an Ethernet port on the CPE, or a WiFi terminal connected over WiFi.
  • The terminal access authentication method further includes step 304, not shown in FIG. 3, as follows.
  • The CPE receives AP version information over the CAPWAP tunnel, compares it with the version information of the AP set in the CPE, and sends the AC a request to update the version information of the AP, so that the AC that established the tunnel updates the version of the AP.
  • The CPE in this embodiment stores version information of the AP, such as a built-in thin AP or an external fat AP.
  • The AC that established the tunnel sends the AP version information that it requires to the CPE through the CAPWAP control plane channel established above, and the AP built into the CPE or the external AP determines whether an upgrade is needed.
  • While receiving the foregoing AP version information in step 304, the CPE also receives configuration information corresponding to the AP version information, so that the CPE can check whether the version information and configuration information of the internally set AP are consistent with the received version information and configuration information.
  • The configuration information here carries the service set identifier (Service Set Identifier, SSID).
  • For the information exchanged, refer to the relevant provisions of the CAPWAP protocol, which are not described in detail in this embodiment.
  • The CAPWAP tunnel between the CPE and the AC is initiated by the CPE: the CPE actively sends a discovery request to the AC by using the IP address of the AC in the process of attaching to the LTE-EPC network.
  • Through the CAPWAP tunnel, the CPE can interact with the AC that established the tunnel, so that the WLAN network can separately authenticate a terminal connected over WiFi or through the Ethernet interface, which solves the prior-art problems that the WLAN network cannot perform separate authentication, separate charging, and QoS management for a terminal connected to the CPE.
  • The following are examples of how to obtain the IP address list information in the terminal access authentication method.
  • The IP address list of the ACs in the server of the WLAN network is preset in the CPE, and the IP address list includes the IP addresses of the ACs.
  • The domain name information of the AC in the server of the WLAN network is preset in the CPE, and the CPE obtains the IP address list according to the domain name information as follows:
  • The CPE sends a domain name resolution request including the domain name information to the DNS of the LTE-EPC network according to the preset domain name information of the AC.
  • The DNS resolves the domain name information according to the domain name resolution request, and returns an IP address list formed from the IP addresses corresponding to the domain name information of the AC.
  • The DNS in the foregoing step S01 can be a network element in the LTE-EPC network.
  • The DNS can also exist as a separate resolution server, according to the deployment requirements of operators.
  • The CPE sends a domain name resolution request including the domain name information to the DNS according to the preset domain name information of the AC, to obtain an IP address list composed of the IP addresses corresponding to the domain name information of the AC.
  • The CPE obtains an AC IP address list from the PDN gateway by using a protocol configuration option (PCO) in the process of attaching to the LTE-EPC network.
  • The CPE sends a request for obtaining the IP addresses of all ACs to the PDN gateway, and receives the IP address list, including the IP addresses of all ACs, that the PDN gateway returns for the request.
  • The CPE obtains an IP address list consisting of AC IP addresses from the PDN gateway of the LTE-EPC network.
  • The CPE sends a request for obtaining the domain name information of the AC to the PDN gateway, and receives the domain name information of the AC that the PDN gateway returns for the request.
  • The CPE uses the extended protocol configuration option (Protocol Configuration Option, PCO) in the process of attaching to the LTE-EPC network.
  • The CPE sends a domain name resolution request including the domain name information to the DNS of the LTE-EPC network according to the domain name information of the AC, and receives the IP address list that the DNS returns for the domain name resolution request.
  • The IP addresses in the IP address list are the IP addresses corresponding to the domain name information of the AC.
  • The method for obtaining the IP address list of the AC is as follows: when the CPE attaches to the LTE-EPC network, the PDN gateway of the LTE-EPC network does not allocate an IP address, and the default bearer of the CPE is established. Through the Dynamic Host Configuration Protocol (DHCP) process, the CPE obtains its IP address, default gateway, and DNS parameters from the PDN gateway of the LTE-EPC network, and obtains the IP address list of the AC through option 43.
  • The method of obtaining the IP address list information of the AC is as follows: if the DHCP process in the first mode supports option 15, and option 15 is carried in the packet that carries the IP address of the CPE, the CPE uses the AC host name list carried in option 15 to obtain the IP address of each AC in the list from the DNS, and so obtains a list of the IP addresses of all ACs.
  • Allocating the IP address and the default gateway to the CPE follows the standard flow of existing DHCP allocation; option 43 and option 15 are information carried in the response message sent by the DHCP server to the CPE.
  • FIG. 4 is a schematic flowchart of a method for access authentication of a terminal according to another embodiment of the present invention. As shown in FIG. 4, the method for accessing authentication of a terminal in this embodiment is as follows.
  • The CPE sends a discovery request to each AC according to the IP address of each AC in the server of the WLAN network.
  • If the CPE receives the discovery response corresponding to the discovery request returned by any of the ACs, the CPE establishes a CAPWAP tunnel with that AC.
  • The CPE receives a DHCP Discovery message (Dynamic Host Configuration Protocol discovery message) and sends it through the CAPWAP tunnel to the AC that has established a tunnel with the CPE.
  • The DHCP Discovery message is sent by the terminal connected to the CPE to request access to the WLAN network.
  • The DHCP Discovery message contains the Media Access Control (MAC) information of the terminal.
  • The CPE encapsulates the DHCP Discovery message by using the CAPWAP protocol and sends it to the AC through the CAPWAP tunnel.
  • The CPE receives, through the CAPWAP tunnel, the DHCP offer message corresponding to the DHCP Discovery message from the AC that established the tunnel; the DHCP offer message carries the IP address that this AC allocated for the MAC information.
  • The CPE forwards the DHCP offer message to the terminal, so that the terminal connects to the WLAN network using the IP address allocated by the AC that established the tunnel, and the server of the WLAN network authenticates the terminal accessing the WLAN network through the CAPWAP tunnel.
  • The terminal access authentication method further includes steps 406 and 407, not shown in FIG. 4, as follows.
  • The CPE obtains the MAC information of the terminal from the DHCP Discovery message sent by the terminal connected to the CPE, and sends an Association message (association message) through the CAPWAP tunnel to the AC that established the tunnel; the Association message includes the MAC information of the terminal.
  • This step indicates that the CPE has received a new terminal and initiates an association step with the AC for the new terminal, so that the AC adds information related to the terminal.
  • After receiving, through the CAPWAP tunnel, the Association response message corresponding to the Association message from the AC that established the tunnel, the CPE establishes an association with that AC according to the MAC information of the terminal.
  • After receiving the Association response message sent by the AC, the CPE also receives the configuration information of the add terminal message element sent by the AC, and configures itself according to that configuration information. For example, the CPE receives the station configuration request message (terminal configuration request message) sent by the AC, and sends a station configuration response message (terminal configuration response message) to the AC in reply.
  • The station configuration request message, the station configuration response message, the Association message, and the Association response message are all specified in the CAPWAP protocol.
  • This embodiment is only an example; for the content of the information exchanged when the association between the CPE and the AC is established, refer to the provisions of the CAPWAP protocol.
  • If the CPE receives multiple DHCP Discovery messages containing the same MAC information from a terminal connected to the CPE, the CPE sends any one of them through the CAPWAP tunnel to the AC that established the tunnel and discards the others.
  • The CPE uses the Media Access Control (MAC) address of the first of the DHCP Discovery messages containing the same MAC information to initiate the foregoing association process; the other DHCP Discovery messages are discarded and do not trigger the association process.
  • If any port of the CPE receives multiple DHCP Discovery messages within a pre-configured detection time (such as 5s, 10s, 15s, 20s, 30s, etc.), and the MAC information in each of those DHCP Discovery messages is different, the DHCP Discovery messages received from that port are discarded.
  • For example, a specific port of the CPE continuously receives 50 DHCP Discovery messages within 10s, or 30 DHCP Discovery messages within 5s, and the MAC information in the DHCP Discovery messages is all different.
  • The CPE can then consider that a network attacker is attacking the network; it discards the DHCP Discovery messages that the specific port receives during the detection time and does not initiate the foregoing association process.
  • In this way the CPE suppresses the abnormal behavior and prevents a terminal from attacking the network by cycling through different MAC information.
  • The specific port here is any port on the CPE that is set to connect to the WLAN network, such as an Ethernet port or a port connected to a fat AP.
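The two screening rules above (trigger association only for the first DHCP Discovery per MAC, and drop everything from a port that shows too many distinct MACs inside the detection time) can be sketched as follows. This is an added example, not code from the patent: the function and class names, the sliding-window bookkeeping, and keeping a port suppressed for one further detection window are assumptions, while the 50-in-10s threshold is the page's own example figure.

```python
"""CPE-side screening of DHCP Discovery messages before CAPWAP association (illustrative)."""
from collections import deque

DHCP_MAGIC = b"\x63\x82\x53\x63"        # RFC 2131 magic cookie at offset 236
OPT_MSG_TYPE, DHCPDISCOVER = 53, 1


def discover_mac(payload: bytes):
    """Return the client MAC if payload is a DHCPDISCOVER from an Ethernet client, else None."""
    if len(payload) < 240 or payload[0] != 1 or payload[236:240] != DHCP_MAGIC:
        return None                      # too short, not a BOOTREQUEST, or not DHCP
    if payload[1] != 1 or payload[2] != 6:
        return None                      # htype/hlen must describe a 6-byte Ethernet MAC
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:    # 255 = End option
        if payload[i] == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                  # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                  # option runs past the end of the packet
        if payload[i] == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    return payload[28:34].hex(":") if msg_type == DHCPDISCOVER else None


class DiscoverGuard:
    """Decides, per received DHCP Discovery, whether the CPE should start an association."""

    def __init__(self, window=10.0, max_distinct=50):
        self.window = window              # detection time in seconds
        self.max_distinct = max_distinct  # distinct MACs per port that count as an attack
        self.recent = {}                  # port -> deque of (timestamp, mac)
        self.suppressed = {}              # port -> time until which Discoveries are dropped
        self.pending = set()              # MACs whose association was already triggered

    def handle(self, port, payload, now):
        """Return 'associate', 'duplicate', 'drop' or 'ignore' for one received payload."""
        mac = discover_mac(payload)
        if mac is None:
            return "ignore"
        if now < self.suppressed.get(port, 0.0):
            return "drop"                 # port is still being suppressed
        seen = self.recent.setdefault(port, deque())
        seen.append((now, mac))
        while seen and now - seen[0][0] > self.window:
            seen.popleft()                # forget messages older than the detection time
        if len({m for _, m in seen}) >= self.max_distinct:
            # Assumption: keep dropping on this port for one more detection window.
            self.suppressed[port] = now + self.window
            seen.clear()
            return "drop"
        if mac in self.pending:
            return "duplicate"            # same MAC again: discard, no second association
        self.pending.add(mac)
        return "associate"

    def forget(self, mac):
        """Call after de-association so the terminal can join again later."""
        self.pending.discard(mac)


def sample_discover(mac: bytes) -> bytes:
    """Constructed test input: a minimal DHCPDISCOVER for the given 6-byte MAC."""
    header = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(20)   # op..giaddr (28 bytes)
    return header + mac + bytes(10) + bytes(64 + 128) + DHCP_MAGIC + bytes([53, 1, 1, 255])


if __name__ == "__main__":
    guard = DiscoverGuard()
    pkt = sample_discover(bytes.fromhex("020000000001"))
    print(guard.handle("wifi0", pkt, 0.0), guard.handle("wifi0", pkt, 0.5))
```

Discoveries that arrive before the threshold is crossed have already triggered associations, so a deployment would also want to log the suppression event with the port and the window contents for follow-up.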
  • The CPE can identify, from the working mode of the preset port, the network to which a terminal accessing the CPE needs to connect.
  • When the same terminal connects to the WLAN network through different CPEs, the WLAN network processes the terminal as follows.
  • If the AC that established the tunnel receives an Association message sent by another CPE through a CAPWAP tunnel and determines, from the MAC information in the Association message, that the terminal connected to the other CPE and the terminal connected to this CPE are the same terminal, the CPE receives a station configuration update message sent by that AC through the CAPWAP tunnel; the message carries the delete station information element, and the CPE deletes the information related to the terminal according to that element.
  • FIG. 5 is a schematic diagram of a process for a terminal to disconnect a WLAN network in a method for access authentication of a terminal according to another embodiment of the present invention. As shown in FIG. 5, the process for a terminal to disconnect a WLAN network in this embodiment is as follows.
  • After the connection between the terminal and the WLAN network is disconnected, the CPE sends a Disassociation message (de-association message) through the CAPWAP tunnel to the AC that established the tunnel; the Disassociation message is used to remove the association between that AC and the CPE.
  • The Disassociation message includes the MAC information of the terminal.
  • The CPE receives, through the CAPWAP tunnel, the response message corresponding to the Disassociation message sent by the AC, together with the configuration information of the delete terminal message element sent by the AC, and deletes the information related to the terminal according to that configuration information.
  • The configuration information of the delete terminal message element may be the configuration information carried in the station configuration request message that the CPE receives from the AC.
  • The terminal access authentication method further includes:
  • if the CPE does not receive, within a set time (such as 1min, 5min, 10min, 50min), a message containing service data from the terminal connected to the CPE, the CPE determines that the connection between the terminal and the WLAN network is disconnected;
  • if the CPE detects that the state of the terminal connected to a specific port of the CPE is disconnected, it determines that the connection between the terminal and the WLAN network is disconnected, and then performs the foregoing process for disconnecting the terminal from the WLAN network.
  • The CPE can set a time (such as 8 min, 15 min, etc.) for judging service data or service data flow; if no service data from the terminal is received, or the service data flow is zero, within that time, the terminal is considered offline or disconnected, and the CPE needs to initiate a de-association process for the terminal to the AC.
  • If the terminal actively disconnects from the WLAN network and initiates the release process of the DHCP process of the WLAN network, the CPE also needs to initiate a de-association process for the terminal to the AC.
  • When a PC is directly connected to the Ethernet port of the CPE, the CPE can sense the port status, including the disconnected state.
  • If the CPE senses that the port is disconnected and does not recover within one minute, it initiates a de-association process for the PC.
  • The CAPWAP tunnel includes a CAPWAP control plane channel and a CAPWAP data plane channel. The CPE sends the DHCP Discovery message to the AC through the CAPWAP data plane channel, and receives the DHCP offer message sent by the AC through the CAPWAP data plane channel.
  • The aforementioned Association message, Association response message, station configuration request message, station configuration response message, etc. are all sent through the CAPWAP control plane channel. That is, the information exchanged when the CPE associates with the AC is transmitted through the CAPWAP control plane channel, and the information that the terminal exchanges with the WLAN network after the CPE is associated with the AC is transmitted through the CAPWAP data plane channel.
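The sequence described above (Association on the control plane channel, DHCP Discovery and offer on the data plane channel, a delete station update when the same MAC associates through another CPE, and Disassociation after an idle period) is modelled below. This is an added example, not code from the patent and not a CAPWAP encoder: the class and method names, the in-memory message passing, the 192.0.2.0/24 address pool and the 300-second idle timeout are assumptions.

```python
"""Model of the CPE/AC exchange for one terminal (illustrative, no real CAPWAP encoding)."""
import ipaddress


class AccessController:
    """Stand-in for the AC: records which CPE each terminal MAC is associated through."""

    def __init__(self, pool="192.0.2.0/24"):        # documentation range, constructed
        self.stations = {}                           # mac -> Cpe holding the association
        self.leases = {}                             # mac -> IP address offered
        self._free = ipaddress.ip_network(pool).hosts()

    def control(self, cpe, message, mac):
        """Control plane channel: association management only."""
        if message == "Association":
            previous = self.stations.get(mac)
            if previous is not None and previous is not cpe:
                # Same terminal now behind another CPE: have the old CPE delete it.
                previous.on_station_configuration_update("delete station", mac)
            self.stations[mac] = cpe
            return "Association response"
        if message == "Disassociation":
            if self.stations.get(mac) is cpe:
                del self.stations[mac]
            return "Disassociation response"
        return None

    def data(self, cpe, message, mac):
        """Data plane channel: served only for a terminal associated through this CPE."""
        if self.stations.get(mac) is not cpe or message != "DHCP Discovery":
            return None
        if mac not in self.leases:
            self.leases[mac] = str(next(self._free))
        return ("DHCP offer", self.leases[mac])


class Cpe:
    def __init__(self, name, ac, idle_timeout=300.0):
        self.name, self.ac, self.idle_timeout = name, ac, idle_timeout
        self.terminals = {}          # mac -> time service data was last seen
        self.sent = []               # (channel, message, mac) in the order sent to the AC

    def _send(self, channel, message, mac):
        self.sent.append((channel, message, mac))
        handler = self.ac.control if channel == "control" else self.ac.data
        return handler(self, message, mac)

    def on_dhcp_discovery(self, mac, now):
        """New terminal: associate on the control channel, then tunnel the Discovery."""
        if mac not in self.terminals:
            if self._send("control", "Association", mac) != "Association response":
                return None
            self.terminals[mac] = now
        return self._send("data", "DHCP Discovery", mac)

    def on_service_data(self, mac, now):
        if mac in self.terminals:
            self.terminals[mac] = now

    def on_station_configuration_update(self, element, mac):
        if element == "delete station":
            self.terminals.pop(mac, None)

    def expire_idle(self, now):
        """De-associate terminals that sent no service data for idle_timeout seconds."""
        gone = [m for m, seen in self.terminals.items() if now - seen >= self.idle_timeout]
        for mac in gone:
            self._send("control", "Disassociation", mac)
            del self.terminals[mac]
        return gone


def demo():
    ac = AccessController()
    first, second = Cpe("cpe-a", ac), Cpe("cpe-b", ac)
    mac = "02:00:00:00:00:01"                        # constructed MAC
    offer = first.on_dhcp_discovery(mac, now=0.0)
    second.on_dhcp_discovery(mac, now=60.0)          # same terminal behind another CPE
    expired = second.expire_idle(now=360.0)
    return offer, first, second, expired, ac


if __name__ == "__main__":
    offer, first, second, expired, ac = demo()
    print(offer, first.sent, second.sent, expired, sep="\n")
```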
  • The AC can thus manage and operate terminals at fine granularity, performing separate authentication, charging, and QoS management for each terminal.
  • The above CPE can reduce the operator's investment cost.
  • The LTE-EPC network is used for backhaul transmission, which helps operators in areas with underdeveloped fixed networks to run services and reduce investment costs, with low dependence on terminals.
  • FIG. 6 is a schematic flowchart of a method for access authentication of a terminal according to an embodiment of the present invention. As shown in FIG. 6, the method for access authentication of a terminal in this embodiment is as follows.
  • The CPE in this embodiment is integrated with a CAPWAP protocol stack, and the CPE is connected to a home AP.
  • The home AP is a fat AP, and 802.11 messages on the 802.11 air interface are terminated on the fat AP side.
  • The RJ45 port of the CPE is the port that connects to an ordinary AP in the home.
  • The WiFi terminal connects to the CPE through an ordinary AP in the home.
  • After the CPE establishes a CAPWAP tunnel with the AC, the CPE receives the DHCP Discovery message sent by the WiFi terminal through the AP. The DHCP Discovery message includes the MAC information of the WiFi terminal and indicates that a new WiFi terminal is about to access the WLAN network.
  • The CPE obtains the MAC information of the WiFi terminal from the DHCP Discovery message, encapsulates the MAC information of the WiFi terminal, and sends an Association message to the AC that establishes the tunnel through the control plane channel of the CAPWAP tunnel. The Association message includes the encapsulated MAC information of the WiFi terminal and informs the AC that a new WiFi terminal is accessing; at the same time, the CPE establishes an association with the established tunnel for the WiFi terminal.
  • The CPE receives, through the control plane channel of the CAPWAP tunnel, the Association response message corresponding to the Association message returned by the AC that establishes the tunnel, and establishes an association with that AC according to the MAC information of the WiFi terminal.
  • After the CPE and the AC establish an association, the CPE sends the foregoing DHCP Discovery message, including the MAC information of the WiFi terminal, to the AC through the data plane channel of the CAPWAP tunnel.
  • The CPE receives the DHCP offer message sent by the AC through the data plane channel of the CAPWAP tunnel.
  • The CPE forwards the DHCP offer message to the terminal, so that the terminal accesses the WLAN network based on the IP address allocated by the AC that establishes the tunnel, thereby implementing authentication of the WiFi terminal by the server of the WLAN network.
  • In the terminal access authentication method of this embodiment, a CAPWAP tunnel is established between the CPE and the AC, and the CPE enables the terminal connected to the CPE to access the WLAN network through the CAPWAP tunnel, so that the server of the WLAN network authenticates the terminal through the CAPWAP tunnel. This solves the problem that the WLAN network in the prior art cannot separately authenticate the terminal connected to the CPE.
  • The present invention further provides a method for terminal access authentication, the method comprising: connecting a terminal of a CPE through a CAPWAP channel established between the CPE and an AC, so as to implement authentication of the terminal in the WLAN network that relies on the LTE-EPC network.
  • FIG. 7 is a schematic flowchart of a method for access authentication of a terminal according to an embodiment of the present invention. As shown in FIG. 7, the method for access authentication of a terminal in this embodiment is as follows.
  • WEB authentication is the most common authentication method for WiFi terminals.
  • Username/Password is used for authentication, authorization, and accounting.
  • FIG. 7 illustrates the WEB authentication process for the WiFi terminal.
  • The following AC, Broadband Remote Access Server (BRAS), Portal Server, and Authentication, Authorization, and Accounting server (AAA Server) are all servers in the WLAN network.
  • After the WiFi terminal accesses the WLAN network, the WiFi terminal sends an HTTP packet for access authentication to the CPE.
  • After receiving the HTTP packet sent by the WiFi terminal, the CPE re-encapsulates the HTTP packet according to the CAPWAP protocol, and sends the re-encapsulated HTTP packet to the AC through the CAPWAP data plane channel.
  • The AC decapsulates the encapsulated HTTP packet, and forwards the decapsulated HTTP packet to the BRAS.
  • The BRAS redirects the HTTP packet to the Portal Server.
  • After receiving the HTTP packet, the Portal Server pushes the WEB authentication interface to the CPE through the CAPWAP data plane channel.
  • After receiving the WEB authentication interface sent by the Portal Server, the CPE forwards the WEB authentication interface to the WiFi terminal, so that the WiFi terminal presents the WEB authentication interface and then receives the Username and Password entered by the user.
  • The CPE receives the user name, password, and the like sent by the WiFi terminal, and sends the information to the Portal Server through the CAPWAP data plane channel.
  • The CPE sends the encapsulated user name and password to the Portal Server through the CAPWAP data plane channel.
  • After receiving the information such as the user name and password, the Portal Server decapsulates it and submits an authentication request to the BRAS.
  • After receiving the authentication request sent by the Portal Server, the BRAS initiates an Access Request authentication message to the AAA server according to the authentication request.
  • After receiving the Access Request authentication message, the AAA server authenticates the user name and password of the WiFi terminal. If the authentication passes, the AAA server sends an Access Accept message to the BRAS.
  • The BRAS receives the Access Accept message sent by the AAA server, returns a response message corresponding to the Access Accept message to the AAA server, and returns an authentication response message to the Portal Server according to the Access Accept message.
  • After receiving the response message, the Portal Server sends an authentication success interface to the CPE through the CAPWAP data plane channel.
  • The CPE forwards the authentication success interface to the WiFi terminal, so that the WiFi terminal triggers the heartbeat handshake message; the WiFi terminal then carries out the normal services of the WLAN network, and the WLAN network initiates charging for the WiFi terminal.
  • FIG. 8 is a schematic flowchart of a method for access authentication of a terminal according to an embodiment of the present invention. As shown in FIG. 8, the method for access authentication of a terminal in this embodiment is as follows.
  • FIG. 8 illustrates the charging process for the WiFi terminal.
  • After the WiFi terminal completes the WEB authentication of the WLAN network, the BRAS initiates an Account Request Start message (accounting request start message) for the WiFi terminal to the AAA server, prompting the AAA server to start charging for the WiFi terminal. The AAA server returns a charging start response message to the BRAS.
  • The uplink traffic of the WiFi terminal accessing the WLAN network service is sent by the CPE to the BRAS through the CAPWAP data plane channel;
  • The downlink traffic sent by the BRAS is sent to the CPE through the CAPWAP data plane channel, so that the CPE forwards the downlink traffic to the WiFi terminal.
  • The BRAS monitors the user's use of the network, and sends an Account Request interim message (accounting request intermediate message) to the AAA server in real time.
  • The AAA server updates the CDR record according to the charging policy, and returns an Account Response interim message to confirm that the charging is normal. If the partial billing condition is met, the AAA generates an intermediate bill and provides the bill to the CBS system, and the CBS system completes the accounting of the user's expenses.
  • The foregoing CDR is generated by the cooperation of BRAS+AAA+CBS, and the bill for the WiFi terminal is output by the operator's charging system.
  • After the WiFi terminal actively goes offline or the access side (that is, the WLAN network side) detects that the WiFi terminal has timed out, the AAA initiates an Account Request Stop message (accounting stop request message).
  • The AAA closes the CDR file and returns an Account Response Stop message (charging stop response message).
  • The CPE performs WLAN network access authentication and accounting for services (such as Internet services) for each IP address of the accessing terminals.
  • The CPE uses the CAPWAP tunnel encapsulation, and the EPC routes to the AC/BRAS for WEB authentication.
  • The AAA Server performs IP layer authentication and accounting, and implements corresponding QoS management.
  • The present invention further provides a client device.
  • The client device includes a sending unit 91, a receiving unit 92, an establishing unit 93, and an access unit 94.
  • The sending unit 91 is configured to send a discovery request to each AC according to the IP address of each AC in the server of the WLAN network;
  • The receiving unit 92 is configured to receive a discovery response corresponding to the discovery request returned by any one of the ACs;
  • The establishing unit 93 is configured to establish a CAPWAP tunnel with that AC after the receiving unit 92 receives the discovery response corresponding to the discovery request returned by any one of the ACs;
  • The access unit 94 is configured to connect the terminal connected to the user equipment to the WLAN network through the CAPWAP tunnel, and to enable the server of the WLAN network to authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
  • The user equipment in this embodiment can solve the problem of separate authentication, by the WLAN network relying on the LTE-EPC network, of the terminals connected to the CPE.
  • The foregoing sending unit 91 is further configured to: when the receiving unit 92 does not receive the discovery response corresponding to the discovery request from one or more of the ACs, send a discovery request, after a preset time interval, to the AC that did not return a discovery response.
  • The foregoing user equipment further includes an address obtaining unit, where the address obtaining unit is used to obtain a WLAN network server from a Packet Data Network (PDN) gateway of the LTE-EPC network.
  • The address obtaining unit is configured to obtain the domain name information of each AC in the server of the WLAN network from the PDN gateway of the LTE-EPC network, send a domain name resolution request including the domain name information of each AC to the DNS of the LTE-EPC network, and receive a list of IP addresses returned by the DNS according to the domain name resolution request, where the IP address list contains the IP addresses of the respective ACs.
  • The foregoing IP address list may also be preset in the CPE.
  • A thin AP is built into the CPE, or a fat AP is externally connected to it, and the version information of the AP is stored in the CPE.
  • The receiving unit 92 is further configured to receive the AP version information that is sent by the AC over the CAPWAP tunnel.
  • The sending unit 91 is further configured to: when the AP version information received by the receiving unit 92 is inconsistent with the version information of the AP set in the user equipment, initiate a request to the AC to update the version information of the AP, so that the AC that establishes the tunnel updates the version of the AP.
  • The foregoing access unit 94 specifically includes a message forwarding unit 941, a message receiving unit 942, and a message sending unit 943. The message forwarding unit 941 is configured to receive a DHCP Discovery message and send the DHCP Discovery message to the AC that establishes the tunnel through the CAPWAP tunnel.
  • The DHCP Discovery message is sent by the terminal connected to the user equipment, and is used to request access to the WLAN network.
  • The DHCP Discovery message includes the MAC information of the terminal.
  • The message receiving unit 942 is configured to receive, through the CAPWAP tunnel, a DHCP offer message corresponding to the DHCP Discovery message sent by the AC that establishes the tunnel, where the DHCP offer message carries an IP address, corresponding to the MAC information, allocated by the AC that establishes the tunnel;
  • The message sending unit 943 is configured to forward the DHCP offer message to the terminal, so that the terminal accesses the WLAN network based on the IP address allocated by the AC that establishes the tunnel.
  • The access unit 94 further includes an association message sending unit 944 and an association unit 945. The association message sending unit 944 is configured to obtain the MAC information of the terminal from the DHCP Discovery message sent by the terminal connected to the user equipment, and to send an Association message to the AC that establishes the tunnel through the CAPWAP tunnel.
  • The Association message includes the MAC information of the terminal.
  • The association unit 945 is configured to establish, for the terminal, an association with the AC that establishes the tunnel according to the MAC information of the terminal, after receiving through the CAPWAP tunnel the Association response message corresponding to the Association message returned by that AC.
  • The foregoing message forwarding unit 941 is further configured to: when receiving a plurality of DHCP Discovery messages that include the same MAC information from the terminal connected to the user equipment, send any one of those DHCP Discovery messages to the AC that established the tunnel through the CAPWAP tunnel, and discard the other DHCP Discovery messages.
  • The message forwarding unit 941 is further configured to: when it detects that any port of the user equipment receives multiple DHCP Discovery messages within a pre-configured detection time and each of those messages includes different MAC information, discard those DHCP Discovery messages.
  • The foregoing message forwarding unit 941 is further configured to: when the AC that establishes the tunnel receives the Association message sent by another client device through the CAPWAP tunnel and identifies, according to the MAC information in the Association message, the terminal connected to the other client device, receive the station configuration update message sent by that AC through the CAPWAP tunnel. The station configuration update message carries the delete station information element, and the information of the terminal is deleted according to the delete station information element.
  • The client device further includes an association removal unit (not shown), where the association removal unit is configured to send a Disassociation message to the AC that established the tunnel through the CAPWAP tunnel after the connection between the terminal and the WLAN network is disconnected. The Disassociation message is used to remove the association between the AC that establishes the tunnel and the CPE.
  • The association removal unit is configured to receive, through the CAPWAP tunnel, the response message corresponding to the Disassociation message sent by the AC and the configuration information of the delete terminal message element sent by the AC, and to delete the information related to the terminal according to the configuration information of the delete terminal message element.
  • the terminal that sends the service data includes the service data, it determines that the connection between the terminal and the WLAN network is disconnected; or, if the status of the terminal connected to the specific port of the user equipment is disconnected, it determines that the connection between the terminal and the WLAN network is disconnected.
  • The client device in this embodiment uses the sending unit, the receiving unit, and the establishing unit to enable the CPE to establish a CAPWAP tunnel with the AC in the server of the WLAN network based on the CAPWAP protocol, and uses the access unit to enable the terminal connected to the CPE to access the WLAN network through the CAPWAP tunnel, so that the server in the WLAN network that relies on the LTE-EPC network authenticates the terminal accessing the WLAN network by using the CAPWAP tunnel, thereby solving the problem in the prior art that the WLAN network cannot separately authenticate the terminal connected to the CPE.
  • The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of the embodiment.
  • Each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • The part of the technical solution of the present invention that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes a number of instructions to cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
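The DHCP Discovery handling described above for message forwarding unit 941 (forward one Discovery per MAC, and discard a burst of Discoveries carrying different MACs that arrives on one port within the detection time) is shown below as an added example; it is not code from the patent. The function names, the `max_macs_per_port` threshold, the choice to keep the first-seen message, and the constructed sample frames are assumptions; the field offsets are those of the standard BOOTP/DHCP message format.

```python
"""CPE-side DHCP Discovery admission for one detection window (added example)."""
import struct
from collections import OrderedDict, defaultdict

BOOTP_FIXED_LEN = 236                 # op..file fields of a BOOTP/DHCP message
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of the DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
DHCPDISCOVER = 1
CHADDR_OFFSET = 28                    # client hardware address follows giaddr


def parse_discover_mac(payload: bytes):
    """Return the client MAC if payload is a well-formed DHCPDISCOVER, else None."""
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        return None                                   # truncated fixed header
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if op != 1 or htype != 1 or hlen != 6:            # BOOTREQUEST over Ethernet only
        return None
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        return None
    i, msg_type = BOOTP_FIXED_LEN + 4, None
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                               # option header cut off
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                               # option runs past the packet
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    if msg_type != DHCPDISCOVER:
        return None
    return payload[CHADDR_OFFSET:CHADDR_OFFSET + 6].hex(":")


def filter_window(frames, max_macs_per_port=1):
    """Decide what to forward to the AC for one detection window.

    frames: (port, payload) tuples in arrival order, all received within the
    pre-configured detection time. Returns (forward, dropped_ports), where
    forward holds (port, mac, payload) for the data plane channel.
    max_macs_per_port is an assumed tunable: the page only says "multiple"
    Discoveries with different MACs on one port are discarded.
    """
    per_port = defaultdict(OrderedDict)               # port -> {mac: first payload}
    for port, payload in frames:
        mac = parse_discover_mac(payload)
        if mac is None:
            continue                                  # not a valid Discovery: ignored here
        per_port[port].setdefault(mac, payload)       # repeats of the same MAC are discarded
    forward, dropped_ports = [], []
    for port, by_mac in per_port.items():
        if len(by_mac) > max_macs_per_port:
            dropped_ports.append(port)                # burst of different MACs: discard all
            continue
        forward.extend((port, mac, pkt) for mac, pkt in by_mac.items())
    return forward, dropped_ports


def build_discover(mac: str, xid: int) -> bytes:
    """Build a minimal DHCPDISCOVER for the constructed sample below."""
    fixed = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, xid, 0, 0x8000, 0, 0, 0, 0)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed += chaddr + bytes(64) + bytes(128)          # sname and file left empty
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


# Constructed sample window: port names and MAC addresses are made up.
SAMPLE_WINDOW = [
    ("eth1", build_discover("02:00:00:00:00:01", 1)),
    ("eth1", build_discover("02:00:00:00:00:01", 1)),        # retransmission
    ("wlan0", build_discover("02:00:00:00:00:02", 2)),
    ("wlan0", build_discover("02:00:00:00:00:03", 3)),
    ("eth1", build_discover("02:00:00:00:00:01", 1)[:100]),  # truncated frame
] + [("eth2", build_discover("02:00:00:00:01:%02x" % n, 100 + n)) for n in range(4)]

if __name__ == "__main__":
    forward, dropped = filter_window(SAMPLE_WINDOW, max_macs_per_port=2)
    for port, mac, _ in forward:
        print("forward to AC over CAPWAP data plane:", port, mac)
    print("ports with discarded Discovery bursts:", dropped)
```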

Abstract

Embodiments of the present invention provide a terminal access authentication method and customer premise equipment (CPE). The method comprises: a CPE sending a discovery request to each access controller (AC) in a server of a WLAN according to the IP address of each AC; if the CPE receives a discovery response that corresponds to the discovery request and is returned by any one of the ACs, the CPE establishing a CAPWAP tunnel with that AC; and the CPE enabling a terminal connected to the CPE to access the WLAN through the CAPWAP tunnel and enabling the server of the WLAN to authenticate the terminal accessing the WLAN through the CAPWAP tunnel. This method solves the problem of separately authenticating, in a WLAN based on an LTE-EPC network, a terminal that accesses through WiFi or an Ethernet port.

Description

Terminal access authentication method and customer premise equipment
Technical field
Embodiments of the present invention relate to communication technologies, and in particular to a terminal access authentication method and customer premise equipment.
Background
In a communication system, customer premise equipment (CPE) includes home gateways, access points (APs), modems, routers, data cards, and the like. With the development of home broadband services, CPEs are used more and more widely in home networks.
A current wireless local area network (WLAN) needs to be deployed on the resources of a Long Term Evolution-Evolved Packet Core network (LTE-EPC network). An existing terminal can therefore access the LTE-EPC network directly; however, when the terminal accesses the WLAN network it has to pass through the LTE-EPC network, that is, the LTE-EPC network transparently transmits the information exchanged between the terminal and the WLAN network.
However, an LTE CPE in the prior art has a built-in WiFi AP and an Ethernet port, and supports smartphones and personal computers (PCs) accessing the LTE-EPC network over WiFi, or PCs accessing it through the Ethernet port. According to the 3GPP standards, the LTE-EPC network can perceive only the LTE CPE and charges per LTE CPE; it cannot perceive the WiFi terminals connected to the LTE CPE, and so cannot authenticate WiFi terminals separately. Consequently, the WLAN network that accesses the LTE-EPC network cannot perform separate authentication, charging, or Quality of Service (QoS) management for WiFi terminals either.
Summary of the invention
Embodiments of the present invention provide a terminal access authentication method and customer premise equipment, to solve the prior-art problem that a WLAN network relying on an LTE-EPC network cannot separately authenticate a terminal connected to a CPE.
The present invention provides a terminal access authentication method, including:
the customer premise equipment (CPE) sends a discovery request to each access controller (AC) in the server of a wireless local area network (WLAN) according to the Internet Protocol (IP) address of each AC;
if the CPE receives a discovery response corresponding to the discovery request returned by any one of the ACs, the CPE establishes a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with that AC;
the CPE connects the terminal connected to the CPE to the WLAN network through the CAPWAP tunnel, and enables the server of the WLAN network to authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
The present invention provides customer premise equipment, including:
a sending unit, configured to send a discovery request to each access controller (AC) in the server of a wireless local area network (WLAN) according to the IP address of each AC;
a receiving unit, configured to receive a discovery response corresponding to the discovery request returned by any one of the ACs;
an establishing unit, configured to establish a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with that AC after the receiving unit receives the discovery response corresponding to the discovery request returned by any one of the ACs;
an access unit, configured to connect the terminal connected to the customer premise equipment to the WLAN network through the CAPWAP tunnel, and to enable the server of the WLAN network to authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
It can be seen from the foregoing technical solutions that, in the terminal access authentication method and customer premise equipment of the embodiments of the present invention, the CPE establishes a CAPWAP tunnel with an AC in the server of the WLAN network based on the CAPWAP protocol. The CAPWAP tunnel enables a terminal connected to the CPE to access the WLAN network, so that the server in the WLAN network authenticates the terminal accessing the WLAN network by means of the CAPWAP tunnel, which solves the prior-art problem that a WLAN network accessing the LTE-EPC network cannot separately authenticate a terminal connected to the CPE.
Brief description of the drawings
To describe the technical solutions of the present invention more clearly, the accompanying drawings used in the embodiments are briefly introduced below. Obviously, the following drawings show only some embodiments of the present invention, and a person of ordinary skill in the art can derive from them, without creative effort, other drawings that also implement the technical solutions of the present invention.
FIG. 1 is a scenario diagram of a terminal connecting to a WLAN network provided by the present invention;
FIG. 2 is a scenario diagram of a terminal connecting to a WLAN network according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a terminal access authentication method according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a terminal access authentication method according to another embodiment of the present invention;
FIG. 5 is a schematic flowchart of a terminal access authentication method according to another embodiment of the present invention;
FIG. 6 is a schematic flowchart of a terminal access authentication method according to another embodiment of the present invention;
FIG. 7 is a schematic flowchart of a terminal access authentication method according to another embodiment of the present invention;
FIG. 8 is a schematic flowchart of a terminal access authentication method according to another embodiment of the present invention;
FIG. 9 is a schematic structural diagram of customer premise equipment according to another embodiment of the present invention;
FIG. 10 is a schematic structural diagram of customer premise equipment according to another embodiment of the present invention.
Detailed description
To make the objectives, technical solutions, and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the embodiments described below are only some of the embodiments of the present invention. Based on these embodiments, a person of ordinary skill in the art can, even without creative effort, obtain other embodiments that solve the technical problem of the present invention and achieve its technical effect by equivalently transforming some or all of the technical features, and the embodiments obtained by such transformation clearly do not depart from the scope disclosed by the present invention.
To help a person of ordinary skill in the art better understand the technical solutions provided by the embodiments of the present invention, the prior art is briefly introduced. As shown in FIG. 1, in one prior-art solution, the LTE CPE 11 has a built-in AP and is also provided with an Ethernet port, so that various terminals can connect directly to the LTE CPE 11; for example, the personal computer (PC) 10 in the figure accesses the network over WiFi, or the PC 10 accesses the network through the Ethernet port.
In this case the LTE-EPC network 12 perceives only the LTE CPE and can charge only per LTE CPE; it cannot perceive the terminals connected behind the LTE CPE. Therefore the WLAN network relying on the LTE-EPC network cannot perform separate authentication, charging, and QoS management for the terminals connected to the LTE CPE 11. In view of this, the embodiments of the present invention provide a terminal access authentication method, so that a WLAN network accessing the LTE-EPC network can separately authenticate a terminal connected to a CPE.
FIG. 2 shows a scenario diagram of a terminal connecting to a WLAN network according to an embodiment of the present invention. As shown in FIG. 2, the CPE 21 in this embodiment may have a thin AP integrated in it or may be connected directly to a fat AP. The terminal 20 may access the LTE-EPC network 22 or connect to the WLAN network 23 over WiFi, or the terminal 20 may access the LTE-EPC network 22 or connect to the WLAN network 23 through an Ethernet port.
In particular, a CAPWAP tunnel is established between the CPE 21 in this embodiment and the server of the WLAN network that accesses the LTE-EPC network. The CPE 21 forwards, through the CAPWAP tunnel, the information that the terminal connected to the CPE sends to the WLAN network server, so that the terminal 20 connected to the CPE can access the WLAN network; and through the CAPWAP tunnel the server of the WLAN network can perform authentication, charging, and QoS management for the terminal connected to the CPE.
It should be noted that the CPE 21 shown in FIG. 2 may have a built-in thin AP, or the CPE may be externally connected to a fat AP.
In other application scenarios, the terminal may also connect to the CPE directly through the Ethernet port.
It can be understood that the thin AP described in this embodiment carries only the bridging and forwarding function, while functions such as terminal access, AP going online, authentication, routing, AP management, security protocols, and QoS are all carried out by the AC and/or the Broadband Remote Access Server (BRAS).
A fat AP carries the full 802.11 functionality, that is, messages based on the 802.11 protocol can be terminated directly at the fat AP. It can be understood that each fat AP can be managed independently as a separate network entity on the network, covering functions such as terminal access, authentication, data forwarding, AP management, security protocols, routing, and QoS.
In an embodiment of the present invention, the terminal access authentication method is as follows.
The CPE connects the terminal connected to the CPE, through the CAPWAP tunnel, to the WLAN network relying on the LTE-EPC network, and enables the server of the WLAN network to authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
For example, the foregoing CAPWAP tunnel may be a CAPWAP tunnel that the CPE establishes with the server of the WLAN network after the CPE completes the attach procedure to the LTE-EPC network.
It can be seen from the above that, in the terminal access authentication method of this embodiment, the CAPWAP tunnel established by the CPE based on the CAPWAP protocol enables a terminal connected to the CPE to access the WLAN network, so that the server in the WLAN network authenticates the terminal accessing the WLAN network by means of the CAPWAP tunnel, which solves the prior-art problem that the WLAN network cannot separately authenticate a terminal connected to a CPE.
图 3示出了本发明一实施例提供的终端接入认证的方法的流程示意图, 如 图 3所示, 本实施例中的终端接入认证的方法如下文所述。  FIG. 3 is a schematic flowchart of a method for access authentication of a terminal according to an embodiment of the present invention. As shown in FIG. 3, a method for accessing authentication of a terminal in this embodiment is as follows.
301. The CPE sends a discovery request to each access controller (Access Controller, AC for short) in the server of the WLAN network, according to the IP address of each AC.
It should be noted that the IP address of an AC can be obtained in several ways, for example: Domain Name System (DNS) resolution, an option of the Dynamic Host Configuration Protocol (DHCP), a statically configured IP address, broadcast, and so on.
For example, the ways of obtaining the IP address list information include:
The CPE obtains the IP address of each AC in the server of the WLAN network from the Packet Data Network (PDN) gateway of the LTE-EPC network, where the LTE-EPC network is the network connected to the WLAN network (the WLAN network accesses the LTE-EPC network, or the WLAN network relies on the LTE-EPC network); or
The CPE obtains the domain name information of each AC in the server of the WLAN network from the PDN gateway of the LTE-EPC network, sends the DNS of the LTE-EPC network a domain name resolution request that includes the domain name information of each AC, and receives the IP address list that the DNS returns in response to the request. The IP address list contains the IP address of each AC.
There are multiple ACs in this embodiment. Correspondingly, the IP address list includes multiple IP addresses, each corresponding to one AC.
302. If the CPE receives a discovery response corresponding to the discovery request from any one of the ACs, the CPE establishes a CAPWAP tunnel with that AC.
In this embodiment, the CAPWAP tunnel established with the AC in step 302 may include a CAPWAP control plane channel and a CAPWAP data plane channel. When a terminal connects to the CPE, the CPE interacts with the AC over the CAPWAP control plane channel so that the CPE and the AC establish an association for that terminal; the CAPWAP data plane channel is used for the interaction between the terminal and the WLAN network.
303. The CPE connects the terminal connected to the CPE to the WLAN network through the CAPWAP tunnel, and enables the server of the WLAN network to authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
In particular, corresponding to the foregoing step 302, if the CPE does not receive a discovery response corresponding to the discovery request from one or more of the ACs, then after a preset interval (for example 10s, 5s, 15s) it resends the discovery request to the ACs that did not return a discovery response.
For example, the preset interval in this embodiment may be 2s, 3s, 11s, 20s, 30s, and so on. The terminal connected to the CPE may be a PC connected to the CPE through an external fat AP, a terminal connected to the CPE through an Ethernet port on the CPE, a WiFi terminal that accesses over WiFi, and so on.
In actual use, after the foregoing step 302 and before the foregoing step 303, the terminal access authentication method further includes the following step 304, which is not shown in FIG. 3.
304. The CPE receives the AP version information that the tunnel-establishing AC sends over the CAPWAP tunnel. If the AP version information received by the CPE is inconsistent with the version information of the AP set in the CPE, the CPE sends the AC a request to update the AP version information, so that the tunnel-establishing AC updates the version of the AP.
The CPE in this embodiment stores the version information of the AP, for example of the built-in thin AP or the externally connected fat AP.
For example, the tunnel-establishing AC sends the CPE, over the CAPWAP control plane channel established above, the version information of the AP that this AC expects, and the AP built into the CPE or the external AP decides whether an upgrade is needed.
Of course, in other embodiments, while receiving the foregoing AP version information in step 304, the CPE also receives the configuration information corresponding to the AP version information that the tunnel-establishing AC sends, so that the CPE checks whether the version information and configuration information of the AP set internally are consistent with the received AP version information and configuration information.
It should be noted that the configuration information here carries the configuration information of the Service Set Identifier (SSID), so that the WLAN network can better authenticate the accessing terminal.
It should be understood that, for the information exchanged after the CPE and the AC establish the CAPWAP tunnel, such as the AP version information and the configuration information, reference may be made to the relevant provisions of the CAPWAP protocol; this embodiment does not describe it in detail.
As can be seen from the foregoing embodiment, in the terminal access authentication method the CPE obtains the IP address of the AC while attaching to the LTE-EPC network and then actively sends a discovery request to the AC, so that a CAPWAP tunnel is established between the CPE and the AC. When a terminal accesses the WLAN network, it can interact with the tunnel-establishing AC through the CAPWAP tunnel. This achieves separate authentication in the WLAN network of terminals that access over WiFi or through an Ethernet port, and solves the problem in the prior art that the WLAN network cannot perform separate authentication, separate charging, and QoS management for terminals connected to a CPE.
The following examples describe how the IP address list information is obtained in the terminal access authentication method.
In one application scenario, the IP address list of the ACs in the server of the WLAN network is preset in the CPE; the IP address list contains the IP address of each AC.
In another application scenario, the domain name information of the ACs in the server of the WLAN network is preset in the CPE, and the CPE obtains the IP address list from the domain name information as follows:
501. According to the preset domain name information of the AC, the CPE sends the DNS of the LTE-EPC network a domain name resolution request that includes the domain name information.
502. The DNS resolves the domain name information according to the domain name resolution request and returns an IP address list made up of the IP addresses corresponding to the AC's domain name information.
In one case, the DNS in the foregoing step 501 may be a network element in the LTE-EPC network. In other cases, when the LTE-EPC network and the WLAN network are deployed, the DNS may also exist as a standalone resolution server, depending on the operator's deployment requirements. In that case, in step 501 the CPE sends the DNS a domain name resolution request that includes the domain name information, according to the preset domain name information of the AC, to obtain the IP address list made up of the IP addresses corresponding to the AC's domain name information.
In a third application scenario, while attaching to the LTE-EPC network, the CPE uses an extended protocol configuration option (PCO) to obtain the AC IP address list from the PDN gateway.
Specifically, the CPE sends the PDN gateway a request for the IP addresses of all ACs, and receives the IP address list, containing the IP addresses of all ACs, that the PDN gateway returns in response to that request.
That is, the CPE obtains the IP address list made up of the AC IP addresses from the PDN gateway of the LTE-EPC network.
In a fourth application scenario, the CPE sends the PDN gateway a request for the domain name information of the AC, and receives the AC domain name information that the PDN gateway returns in response to that request.
In this case, while attaching to the LTE-EPC network, the CPE uses the extended Protocol Configuration Option (PCO) to obtain the AC's domain name information from the PDN gateway;
According to the AC's domain name information, the CPE sends the DNS of the LTE-EPC network a domain name resolution request that includes the domain name information, and receives the IP address list that the DNS returns in response to the request. The IP addresses in the IP address list are the IP addresses corresponding to the AC's domain name information.
In a fifth application scenario, the first way of obtaining the AC IP address list is as follows: when the CPE attaches to the LTE-EPC network, the PDN gateway of the LTE-EPC network does not allocate an IP address. After the CPE's default bearer is established, the CPE obtains its IP address, default gateway, DNS, and other parameters from the PDN gateway of the LTE-EPC network through the Dynamic Host Configuration Protocol (DHCP) procedure, and then obtains the AC IP address list through option 43.
The second way of obtaining the AC IP address list information: if the DHCP procedure in the first way supports option 15, and the message that answers with the CPE's allocated IP address carries option 15, the CPE obtains from the DNS the IP addresses of the ACs in the AC host name list carried in option 15, and thereby obtains the IP address list of all ACs.
It should be noted that allocating the IP address, default gateway, and so on to the CPE in the foregoing LTE-EPC network is the existing standard DHCP allocation procedure; option 43 and option 15 may be information carried in the response message that the DHCP server sends to the CPE.
FIG. 4 is a schematic flowchart of a terminal access authentication method according to another embodiment of the present invention. As shown in FIG. 4, the terminal access authentication method in this embodiment is as follows.
401. The CPE sends a discovery request to each AC in the server of the WLAN network, according to the IP address of each AC.
402. If the CPE receives a discovery response corresponding to the discovery request from any one of the ACs, the CPE establishes a CAPWAP tunnel with that AC.
403. The CPE receives a DHCP Discovery message (Dynamic Host Configuration Protocol discovery message) and sends the DHCP Discovery message through the CAPWAP tunnel to the AC that has established the tunnel with the CPE. The DHCP Discovery message is sent by a terminal connected to the CPE to request access to the WLAN network, and contains the terminal's Media Access Control (MAC) information.
For example, the CPE encapsulates the DHCP Discovery message using the CAPWAP protocol and sends it to the AC through the CAPWAP tunnel.
404. The CPE receives the DHCP offer message (Dynamic Host Configuration Protocol offer message) corresponding to the DHCP Discovery message, sent by the tunnel-establishing AC through the CAPWAP tunnel. The DHCP offer message carries the IP address that the tunnel-establishing AC allocated for the MAC information.
405. The CPE forwards the DHCP offer message to the terminal, so that the terminal accesses the WLAN network using the IP address allocated by the tunnel-establishing AC, and the server of the WLAN network authenticates, through the CAPWAP tunnel, the terminal accessing the WLAN network.
In actual applications, before the CPE in step 403 sends the DHCP Discovery message through the CAPWAP tunnel to the tunnel-establishing AC, the terminal access authentication method further includes the following steps 406 and 407, which are not shown in FIG. 4.
406. The CPE obtains the terminal's MAC information from the DHCP Discovery message sent by the terminal connected to the CPE, and sends an Association message (association message) through the CAPWAP tunnel to the tunnel-establishing AC. The Association message includes the terminal's MAC information.
Specifically, the above step describes the CPE receiving a new terminal and starting the association step for the new terminal with the AC, so that the AC adds the information related to that terminal.
407. After receiving the Association response message corresponding to the Association message, returned by the tunnel-establishing AC through the CAPWAP tunnel, the CPE establishes an association for the terminal with the tunnel-establishing AC according to the terminal's MAC information.
In particular, in actual applications, after receiving the Association response message sent by the AC, the CPE also receives configuration information of an add-terminal message element sent by the AC, so that the CPE configures itself according to that configuration information. For example, the CPE receives a station configuration Request message (terminal configuration request message) sent by the AC and, according to the station configuration Request message, sends a station configuration response message (terminal configuration response message) to the AC.
The station configuration Request message, station configuration response message, Association message, and Association response message here are all content specified in the CAPWAP protocol. This embodiment is only an illustration; for the content of the information exchanged when the CPE and the AC establish an association, refer to the provisions of the CAPWAP protocol.
In other embodiments, if the CPE receives multiple DHCP Discovery messages that include the same MAC information from a terminal connected to the CPE, the CPE sends any one of those DHCP Discovery messages through the CAPWAP tunnel to the tunnel-establishing AC and discards the others.
Preferably, the CPE uses the Media Access Control (MAC) address of the first of the DHCP Discovery messages that include the same MAC information to start the foregoing association procedure; the other DHCP Discovery messages are discarded and do not trigger the association procedure.
In addition, if any port of the CPE receives multiple DHCP Discovery messages within a preconfigured detection time (such as 5s, 10s, 15s, 20s, 30s) and the MAC information in each of those DHCP Discovery messages is different, the multiple DHCP Discovery messages received from that port are discarded.
For example, if a specific port of the CPE receives 50 DHCP Discovery messages in succession within 10s, or receives 30 DHCP Discovery messages within 5s, and the MAC information in those DHCP Discovery messages is all different, the CPE may conclude that a network attacker is attacking the network. It then discards the DHCP Discovery messages received on that specific port within the detection time and does not start the foregoing association procedure. The CPE suppresses this abnormal situation to prevent a terminal from attacking the network by changing to different MAC information. The specific port here is any port set in the CPE for connecting to the WLAN network, such as an Ethernet port or a port connected to a fat AP.
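The two checks described above (one association per MAC, and per-port suppression when many different MACs appear within the detection time) can be sketched as follows. This is an added example, not code from the patent; the class and constant names, the `release` hook, and the rollback list of MACs admitted just before the threshold tripped are assumptions.

```python
"""CPE-side admission check for DHCP Discovery messages (added illustration)."""
from collections import defaultdict, deque

FORWARD = "forward"                # first Discovery for a MAC: start association
DROP_DUPLICATE = "drop-duplicate"  # same MAC seen again: no second association
DROP_FLOOD = "drop-flood"          # port presents too many different MACs


class DiscoveryGuard:
    """Hypothetical helper; names and API are assumptions, not CAPWAP terms."""

    def __init__(self, window_s=10.0, max_distinct_macs=50):
        self.window_s = window_s                    # detection time from the text
        self.max_distinct_macs = max_distinct_macs  # e.g. 50 messages within 10s
        self._owner = {}                   # mac -> port whose Discovery was forwarded
        self._recent = defaultdict(deque)  # port -> (timestamp, mac) of new MACs
        self.rolled_back = []              # MACs admitted shortly before a flood

    def _macs_in_window(self, port, now):
        """Expire old entries and return the distinct MACs still in the window."""
        q = self._recent[port]
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return {mac for _, mac in q}

    def handle(self, port, mac, now):
        """Decide what the CPE does with one DHCP Discovery seen on `port`."""
        mac = mac.lower()
        if mac in self._owner:
            return DROP_DUPLICATE
        self._recent[port].append((now, mac))
        recent = self._macs_in_window(port, now)
        if len(recent) >= self.max_distinct_macs:
            # Assumption: associations started for this port inside the window
            # are undone, since the text discards everything received in it.
            for m in sorted(recent):
                if self._owner.get(m) == port:
                    del self._owner[m]
                    self.rolled_back.append(m)
            return DROP_FLOOD
        self._owner[mac] = port
        return FORWARD

    def release(self, mac):
        """Call after de-association so the terminal may associate again."""
        self._owner.pop(mac.lower(), None)


def replay(guard, events):
    """Feed (timestamp, port, mac) tuples to the guard and collect decisions."""
    return [guard.handle(port, mac, t) for t, port, mac in events]


# Constructed sample traffic (not captured data): a terminal that repeats its
# Discovery on eth1, then six different MACs on eth2 within one second.
SAMPLE_EVENTS = (
    [(0.0, "eth1", "AA:BB:CC:00:00:01"), (0.4, "eth1", "aa:bb:cc:00:00:01")]
    + [(1.0 + 0.1 * i, "eth2", "02:00:00:00:00:%02x" % i) for i in range(6)]
    + [(30.0, "eth2", "02:00:00:00:01:00")]
)


def demo():
    """Run the sample with a small threshold (5 MACs in 10s) for readability."""
    guard = DiscoveryGuard(window_s=10.0, max_distinct_macs=5)
    return replay(guard, SAMPLE_EVENTS), guard.rolled_back


if __name__ == "__main__":
    for action in demo()[0]:
        print(action)
```

MACs in `rolled_back` are candidates for the de-association procedure the page describes, so that no state is kept for terminals admitted just before the flood was recognized.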
In an actual operating scenario, the CPE can identify, from the preset working mode of a port, the network to which a terminal accessing the CPE needs to connect.
Of course, another situation that may arise is that the same terminal connects to the WLAN network through different CPEs. In this case, the WLAN network handles the terminal as described below.
When the tunnel-establishing AC receives an Association message sent by another CPE through the CAPWAP tunnel and determines, from the MAC information in the Association message, that the terminal connected to the other CPE and the terminal connected to the CPE are the same terminal, the CPE receives a station configuration update message (status configuration update message) sent by the tunnel-establishing AC through the CAPWAP tunnel. The station configuration update message carries a delete station information element (delete status information element), and the CPE deletes the information related to the terminal according to the delete station information element.
the problem of separately authenticating terminals connected to the CPE, and in turn enables the WLAN network to perform separate charging and QoS management for terminals connected to the CPE.
FIG. 5 is a schematic flowchart of a terminal disconnecting from the WLAN network in a terminal access authentication method according to another embodiment of the present invention. As shown in FIG. 5, the procedure by which the terminal disconnects from the WLAN network in this embodiment is as follows.
501. After the connection between the terminal and the WLAN network is broken, the CPE sends a Disassociation message (de-association message) through the CAPWAP tunnel to the tunnel-establishing AC. The Disassociation message causes the tunnel-establishing AC to remove the association for this terminal established with the CPE.
Usually, the Disassociation message includes the terminal's MAC information.
502. The CPE receives the response message corresponding to the Disassociation message, sent by the AC through the CAPWAP tunnel, and the configuration information of a delete-terminal message element sent by the AC, and deletes the information related to the terminal according to the configuration information of the delete-terminal message element.
For example, the configuration information of the delete-terminal message element may be the configuration information carried in a station configuration Request message that the CPE receives from the AC.
In particular, before step 501, the terminal access authentication method further includes:
If the CPE does not receive, within a set time (such as 1min, 5min, 10min, 50min), a message that includes service data from the terminal connected to the CPE, it determines that the connection between the terminal and the WLAN network is broken; or
If the CPE sees that the state of the terminal connected to a specific port of the CPE is disconnected, it determines that the connection between the terminal and the WLAN network is broken, and the CPE then performs the foregoing procedure for disconnecting the terminal from the WLAN network.
Typically, a set time (such as 8min, 15min) can be configured in the CPE for judging service-data messages or service-data traffic. If no service-data message from the terminal is received within the set time, or the detected service-data traffic is zero, the terminal is considered to have gone offline or to be disconnected, and the CPE needs to start the de-association procedure for that terminal with the AC.
In other embodiments, if the terminal actively disconnects from the WLAN network and initiates the release procedure of the WLAN network's DHCP procedure, the CPE also needs to start the de-association procedure for that terminal with the AC.
In addition, after a PC is shut down, the CPE Ethernet port to which the PC is directly connected goes to the disconnected state, and the CPE can sense the port state. When the CPE senses that the port's state is disconnected and it has not recovered within one minute, it starts the de-association procedure for that PC.
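The three triggers for de-association described above (no service data within the set time, a port that stays down for one minute, and a DHCP release by the terminal) can be tracked as in this added sketch. It is not code from the patent; the class, method names, and reason strings are assumptions, and the association time is assumed to count as the terminal's first activity.

```python
"""Deciding when the CPE sends a Disassociation for a terminal (added illustration)."""


class StationMonitor:
    """Hypothetical tracker; the API is an assumption, not part of CAPWAP."""

    def __init__(self, idle_timeout_s=8 * 60, port_down_grace_s=60):
        self.idle_timeout_s = idle_timeout_s        # set time, e.g. 8min
        self.port_down_grace_s = port_down_grace_s  # "not recovered within one minute"
        self._stations = {}    # mac -> {"port", "last_data", "released"}
        self._down_since = {}  # port -> time the link was first seen down

    def associate(self, mac, port, now):
        """Record a terminal once its association with the AC exists."""
        self._stations[mac] = {"port": port, "last_data": now, "released": False}

    def on_service_data(self, mac, now):
        """A message carrying service data arrived from the terminal."""
        if mac in self._stations:
            self._stations[mac]["last_data"] = now

    def on_port_state(self, port, up, now):
        """Link state change on a CPE port; recovery clears the down timer."""
        if up:
            self._down_since.pop(port, None)
        else:
            self._down_since.setdefault(port, now)

    def on_dhcp_release(self, mac):
        """The terminal started the DHCP release procedure itself."""
        if mac in self._stations:
            self._stations[mac]["released"] = True

    def _reason(self, st, now):
        if st["released"]:
            return "dhcp-release"
        down = self._down_since.get(st["port"])
        if down is not None and now - down >= self.port_down_grace_s:
            return "port-down"
        if now - st["last_data"] >= self.idle_timeout_s:
            return "idle"
        return None

    def due(self, now):
        """Return [(mac, reason)] needing a Disassociation and forget them."""
        out = []
        for mac in sorted(self._stations):
            reason = self._reason(self._stations[mac], now)
            if reason:
                out.append((mac, reason))
        for mac, _ in out:
            del self._stations[mac]
        return out


def demo():
    """Constructed timeline (seconds) for three terminals; not captured data."""
    mon = StationMonitor()
    mon.associate("02:00:00:00:00:01", "eth1", 0)   # PC that is shut down
    mon.associate("02:00:00:00:00:02", "wifi0", 0)  # terminal that releases DHCP
    mon.associate("02:00:00:00:00:03", "eth2", 0)   # terminal that goes idle
    mon.on_port_state("eth1", False, 100)
    mon.on_port_state("eth2", False, 100)
    mon.on_port_state("eth2", True, 130)            # recovered within a minute
    mon.on_service_data("02:00:00:00:00:03", 150)
    mon.on_service_data("02:00:00:00:00:02", 200)
    results = [mon.due(159), mon.due(160)]
    mon.on_dhcp_release("02:00:00:00:00:02")
    results += [mon.due(161), mon.due(629), mon.due(630)]
    return results


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```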
需要说明的是, 前述的 CAPWAP 隧道包括: CAPWAP 控制面信道和 It should be noted that the foregoing CAPWAP tunnel includes: CAPWAP control plane channel and
CAPWAP数据面信道; CPE将 DHCP Discovery消息通过 CAPWAP数据面信 道发送至 AC; CPE接收 AC通过 CAPWAP数据面信道发送的 DHCP offer消 息。 The CAPWAP data plane channel; the CPE sends the DHCP Discovery message to the AC through the CAPWAP data plane channel; the CPE receives the DHCP offer message sent by the AC through the CAPWAP data plane channel.
前述的 Association消息、 Association响应消息、 station configuration Request 消息、 station configuration response 消息等均通过 CAPWAP控制面信道发送。 可以理解的是, CPE与 AC建立关联的交互信息通过 CAPWAP控制面信道传 输; 在 CPE 与 AC 建立关联之后的终端与 WLAN 网络交互的信息通过 CAPWAP数据面信道进行传输。 The aforementioned Association message, Association response message, station configuration Request The message, station configuration response message, etc. are all sent through the CAPWAP control plane channel. It can be understood that the interaction information that the CPE associates with the AC is transmitted through the CAPWAP control plane channel. The information that the terminal interacts with the WLAN network after the CPE is associated with the AC is transmitted through the CAPWAP data plane channel.
由上述实施例可知, 前述连接在 CPE上的终端接入 WLAN网络时, 可以使 It can be seen from the foregoing embodiment that when the terminal connected to the CPE accesses the WLAN network,
AC精细化管理和运营相对应的终端 ,如可以对终端进行单独认证、计费和 QoS 管理; 另外, 上述的 CPE可以降低运营商投资成本; 进一步地, 利用 LTE-EPC 网络做 Backhaul传输即回传, 有利于固网不发达地区运营商开展业务和减少投 资成本, 且对终端的依赖性较低。 The terminal corresponding to the AC refined management and operation can perform separate authentication, charging, and QoS management for the terminal. In addition, the above CPE can reduce the operator's investment cost. Further, the LTE-EPC network is used for Backhaul transmission. It is conducive to operators in the underdeveloped areas of the fixed network to conduct business and reduce investment costs, and has low dependence on terminals.
图 6为本发明一实施例提供的终端接入认证的方法的流程示意图, 如图 6 所示, 本实施例的终端接入认证的方法如下文所述。  FIG. 6 is a schematic flowchart of a method for access authentication of a terminal according to an embodiment of the present invention. As shown in FIG. 6, the method for access authentication of a terminal in this embodiment is as follows.
本实施例中的 CPE集成有 CAPWAP协议栈,该 CPE连接有家庭普通 AP。通 常, 家庭普通 AP是胖 AP, 802.11空口报文在胖 AP侧就会终结 802.11报文。  The CPE in this embodiment is integrated with a CAPWAP protocol stack, and the CPE is connected to a home AP. Generally, the home AP is a fat AP, and the 802.11 air interface will terminate the 802.11 message on the fat AP side.
例如, CPE的 RJ45端口为连接家庭普通 AP的端口 , 此时 WiFi终端通过家 庭普通 AP连接 CPE。  For example, the RJ45 port of the CPE is a port that connects to a normal AP in the home. At this time, the WiFi terminal connects to the CPE through a normal AP at home.
601. After the CPE establishes the CAPWAP tunnel with the AC, the CPE receives a DHCP Discovery message sent by the WiFi terminal through the AP. The DHCP Discovery message includes the MAC information of the WiFi terminal and indicates that a new WiFi terminal intends to access the WLAN network.
602. The CPE obtains the MAC information of the WiFi terminal from the DHCP Discovery message, encapsulates it, and sends an Association message to the AC with which the tunnel is established, over the control-plane channel of the CAPWAP tunnel. The Association message includes the encapsulated MAC information of the WiFi terminal. It informs the AC that a new WiFi terminal is accessing, and causes the CPE and that AC to establish an association for the WiFi terminal.
603. After the CPE receives the Association response message corresponding to the Association message, returned by the AC over the control-plane channel of the CAPWAP tunnel, it establishes the association for the new WiFi terminal with the AC according to the MAC information of the WiFi terminal.
604. After the CPE and the AC establish the association, the CPE sends the aforementioned DHCP Discovery message, which includes the MAC information of the WiFi terminal, to the AC over the data-plane channel of the CAPWAP tunnel.
605. The CPE receives the DHCP offer message corresponding to the DHCP Discovery message, sent by the AC over the data-plane channel of the CAPWAP tunnel. The DHCP offer message carries the IP address that the AC with which the tunnel is established has allocated for the MAC information.
606. The CPE forwards the DHCP offer message to the terminal, so that the terminal accesses the WLAN network using the IP address allocated by the AC, which in turn allows the servers of the WLAN network to authenticate the WiFi terminal.
As the foregoing embodiment shows, in this terminal access authentication method a CAPWAP tunnel is established between the CPE and the AC, and the CPE lets the terminals attached to it access the WLAN network through the CAPWAP tunnel. The servers of the WLAN network can then authenticate each terminal through the CAPWAP tunnel, which solves the prior-art problem that the WLAN network cannot separately authenticate terminals connected to a CPE.
According to another aspect of the present invention, the present invention further provides a terminal access authentication method, comprising: a terminal connected to a CPE is authenticated, through the CAPWAP tunnel established between the CPE and the AC, in a WLAN network that relies on an LTE-EPC network.
For example, FIG. 7 is a schematic flowchart of a terminal access authentication method according to an embodiment of the present invention. As shown in FIG. 7, the terminal access authentication method of this embodiment is as follows.
The authentication used as the example in this embodiment is WEB authentication. WEB authentication is currently the most common authentication method for WiFi terminals and uses a Username/Password for authentication, authorization, and accounting.
Continuing from FIG. 6, after the WiFi terminal has accessed the WLAN network, FIG. 7 illustrates the WEB authentication process for the WiFi terminal.
The AC, broadband remote access server (BRAS), Portal Server, and authentication, authorization, and accounting server (AAA server) mentioned below are all servers in the WLAN network.
701. After the WiFi terminal accesses the WLAN network, the WiFi terminal sends an HTTP packet for access authentication to the CPE.
702. After receiving the HTTP packet sent by the WiFi terminal, the CPE re-encapsulates the HTTP packet according to the CAPWAP protocol and sends the re-encapsulated HTTP packet to the AC over the CAPWAP data-plane channel.
703. After receiving the HTTP packet sent by the CPE, the AC decapsulates it and forwards the decapsulated HTTP packet to the BRAS. The BRAS redirects the HTTP packet to the Portal Server.
704. After receiving the HTTP packet, the Portal Server pushes the WEB authentication page to the CPE over the CAPWAP data-plane channel.
705. After receiving the WEB authentication page sent by the Portal Server, the CPE forwards it to the WiFi terminal, so that the WiFi terminal displays the WEB authentication page and receives the Username and Password entered by the user.
706. The CPE receives the user name, password, and other information sent by the WiFi terminal and sends it to the Portal Server over the CAPWAP data-plane channel.
Specifically, the CPE sends the encapsulated user name, password, and other information to the Portal Server over the CAPWAP data-plane channel.
707. After receiving the user name, password, and other information, the Portal Server decapsulates it and submits an authentication request to the BRAS.
708. After receiving the authentication request sent by the Portal Server, the BRAS sends an Access Request authentication message to the AAA server according to the authentication request.
709. After receiving the Access Request authentication message, the AAA server authenticates the user name, password, and other information of the WiFi terminal. If the authentication succeeds, the AAA server sends an Access accept message to the BRAS; otherwise, it returns an error message.
710. The BRAS receives the Access accept message sent by the AAA server and returns the response message corresponding to the Access accept message to the AAA server. According to the Access accept message, it also returns an authentication-passed response message to the Portal Server.
711. After receiving the authentication-passed response message, the Portal Server sends an authentication-success page to the CPE over the CAPWAP data-plane channel. The CPE forwards the authentication-success page to the WiFi terminal, so that the WiFi terminal triggers heartbeat handshake messages. The WiFi terminal then uses the normal services of the WLAN network, and the WLAN network starts charging for the WiFi terminal.
FIG. 8 is a schematic flowchart of a terminal access authentication method according to an embodiment of the present invention. As shown in FIG. 8, the terminal access authentication method of this embodiment is as follows.
Continuing from FIG. 7, after the WiFi terminal has completed WEB authentication, FIG. 8 illustrates the charging procedure for the WiFi terminal.
801. After the WiFi terminal completes WEB authentication on the WLAN network, the BRAS sends an Account Request Start message (accounting request start message) for the WiFi terminal to the AAA server, prompting the AAA server to start charging for the WiFi terminal.
802. The AAA server returns an accounting start response message to the BRAS.
803. Uplink traffic from the WiFi terminal to WLAN network services is sent by the CPE to the BRAS over the CAPWAP data-plane channel; downlink traffic sent by the BRAS is delivered to the CPE over the CAPWAP data-plane channel, and the CPE forwards it to the WiFi terminal.
804. The BRAS monitors the user's network usage and sends Account Request interim messages (accounting request interim messages) to the AAA server in real time.
805. The AAA server updates the CDR record according to the charging policy and returns an Account Response interim response message to confirm that charging is normal. If the condition for producing a partial bill is met, the AAA generates an intermediate bill and provides it to the CBS system, which completes the user's cost accounting.
The aforementioned CDR is generated by the BRAS, AAA, and CBS working together, and the operator's billing system outputs the bill for the WiFi terminal.
806. When the WiFi terminal goes offline on its own initiative, or the access side (that is, the WLAN network side) detects that the WiFi terminal has timed out and gone offline, an Account Request Stop message (accounting stop request message) is sent to the AAA.
807. The AAA closes the CDR file and returns an Account Response Stop message (accounting stop response message).
In summary, for services (such as Internet services) that require WLAN network access authentication and charging at the IP layer for each terminal attached to the CPE, the CPE encapsulates the traffic in the CAPWAP tunnel, the EPC routes it to the AC/BRAS for WEB authentication and for access to the Internet and the service domain, and the AAA Server performs IP-layer authentication and charging and implements the corresponding QoS management.
According to another aspect of the present invention, the present invention further provides a customer premise equipment. As shown in FIG. 9, the customer premise equipment includes a sending unit 91, a receiving unit 92, an establishing unit 93, and an access unit 94. The sending unit 91 is configured to send a discovery request to each AC according to the IP address of each AC among the servers of the WLAN network. The receiving unit 92 is configured to receive a discovery response, corresponding to the discovery request, returned by any one of the ACs. The establishing unit 93 is configured to establish a CAPWAP tunnel with that AC after the receiving unit 92 has received the discovery response returned by it. The access unit 94 is configured to connect a terminal attached to the customer premise equipment to the WLAN network through the CAPWAP tunnel, and to enable the servers of the WLAN network to authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
It follows that the customer premise equipment in this embodiment enables a WLAN network that relies on an LTE-EPC network to separately authenticate the terminals connected to the CPE.
In practical applications, the sending unit 91 is further configured to: when the receiving unit 92 has not received the discovery response corresponding to the discovery request from one or more of the ACs, resend the discovery request, after a preset interval, to the ACs that did not return a discovery response.
In one scenario, the customer premise equipment further includes an address obtaining unit. The address obtaining unit is configured to obtain the IP address of each AC among the servers of the WLAN network from the packet data network (PDN) gateway of the LTE-EPC network, where the LTE-EPC network is the network connected to the WLAN network (the WLAN network is attached to the LTE-EPC network, or the WLAN network relies on the LTE-EPC network); or
the address obtaining unit is configured to obtain the domain name information of each AC among the servers of the WLAN network from the PDN gateway of the LTE-EPC network, send to the DNS of the LTE-EPC network a domain name resolution request that includes the domain name information of each AC, and receive the IP address list that the DNS returns in response to the domain name resolution request, where the IP address list contains the IP address of each AC.
Of course, in other embodiments, the aforementioned IP address list may also be preconfigured in the CPE.
Typically, the CPE has a built-in thin AP or an externally attached fat AP, and therefore the CPE stores the version information of the AP. In this case, after the CPE and the AC establish the tunnel, the receiving unit 92 is further configured to receive the AP version information sent over the CAPWAP tunnel by the AC with which the tunnel is established;
correspondingly, the sending unit 91 is further configured to: when the AP version information received by the receiving unit 92 is inconsistent with the version information of the AP set in the customer premise equipment, send the AC a request to update the version information of the AP, so that the AC with which the tunnel is established updates the version of the AP.
In actual use, as shown in FIG. 10, the access unit 94 specifically includes a message forwarding unit 941, a message receiving unit 942, and a message sending unit 943. The message forwarding unit 941 is configured to receive a DHCP Discovery message and send the DHCP Discovery message through the CAPWAP tunnel to the AC with which the tunnel is established. The DHCP Discovery message is sent by the terminal connected to the customer premise equipment to request access to the WLAN network, and contains the MAC information of the terminal;
the message receiving unit 942 is configured to receive the DHCP offer message corresponding to the DHCP Discovery message, sent through the CAPWAP tunnel by the AC with which the tunnel is established, where the DHCP offer message carries the IP address that the AC has allocated for the MAC information;
the message sending unit 943 is configured to forward the DHCP offer message to the terminal, so that the terminal accesses the WLAN network using the IP address allocated by the AC with which the tunnel is established.
Further, the access unit 94 also includes an association message sending unit 944 and an association unit 945. The association message sending unit 944 is configured to obtain the MAC information of the terminal from the DHCP Discovery message sent by the terminal connected to the customer premise equipment, and to send an Association message through the CAPWAP tunnel to the AC with which the tunnel is established, where the Association message includes the MAC information of the terminal;
the association unit 945 is configured to establish an association for the terminal with the AC with which the tunnel is established, according to the MAC information of the terminal, after receiving the Association response message corresponding to the Association message that the AC returns through the CAPWAP tunnel.
In particular, the message forwarding unit 941 is further configured to: on receiving multiple DHCP Discovery messages containing the same MAC information from a terminal connected to the customer premise equipment, send any one of those DHCP Discovery messages (for example, the first one) through the CAPWAP tunnel to the AC with which the tunnel is established, and discard the other DHCP Discovery messages.
In addition, the message forwarding unit 941 is further configured to: on detecting that any port of the customer premise equipment has received multiple DHCP Discovery messages within a preconfigured detection time, each containing different MAC information, discard those DHCP Discovery messages.
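The two discard rules above (one DHCP Discovery per MAC, and dropping a burst of different MACs on one port within the detection time) can be sketched as follows. This is an added example, not code from the patent: the class and function names are hypothetical, and the threshold of distinct MACs and the retry timeout are assumptions, since the text gives no numbers.

```python
import struct
from collections import defaultdict, deque

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2131 magic cookie
OPT_MSG_TYPE, OPT_PAD, OPT_END = 53, 0, 255
DHCPDISCOVER = 1


def parse_discover_mac(payload: bytes):
    """Return the client MAC (chaddr) if payload is a DHCPDISCOVER, else None."""
    if len(payload) < 240 or payload[0] != 1:            # op 1 = BOOTREQUEST
        return None
    if payload[1] != 1 or payload[2] != 6:               # Ethernet, 6-byte address
        return None
    if payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                                  # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                                  # truncated option body
        if code == OPT_MSG_TYPE:
            return payload[28:34].hex(":") if value == bytes([DHCPDISCOVER]) else None
        i += 2 + length
    return None


class DiscoverFilter:
    """Decides, per DHCP Discovery arriving on a CPE port, whether to forward it."""

    def __init__(self, window=5.0, max_distinct_macs=3, pending_ttl=10.0):
        self.window = window                   # "preconfigured detection time", seconds
        self.max_distinct = max_distinct_macs  # assumption: the text gives no number
        self.pending_ttl = pending_ttl         # assumption: lets a terminal retry later
        self.recent = defaultdict(deque)       # port -> (arrival time, mac)
        self.pending = {}                      # mac -> time its Discovery was forwarded

    def on_discover(self, port, payload, now):
        mac = parse_discover_mac(payload)
        if mac is None:
            return ("DROP_INVALID", None)
        seen = self.recent[port]
        seen.append((now, mac))
        while now - seen[0][0] > self.window:  # slide the detection window
            seen.popleft()
        distinct = {m for _, m in seen}
        if len(distinct) > self.max_distinct:
            # Many different MACs on one port inside the window: discard, and
            # forget the window's MACs so no half-built state is left behind.
            for m in distinct:
                self.pending.pop(m, None)
            return ("DROP_FLOOD", mac)
        sent = self.pending.get(mac)
        if sent is not None and now - sent <= self.pending_ttl:
            return ("DROP_DUPLICATE", mac)     # one Discovery per MAC is enough
        self.pending[mac] = now
        # The caller sends the Association (control channel) and, after the
        # Association response, this Discovery (data channel).
        return ("ASSOCIATE_THEN_FORWARD", mac)

    def on_offer(self, mac):
        """DHCP offer relayed to the terminal: the exchange for this MAC is done."""
        self.pending.pop(mac, None)


def build_discover(mac: str, msg_type: int = DHCPDISCOVER) -> bytes:
    """Constructed sample packet (BOOTP header plus option 53), for the demo only."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                         b"", b"", b"", b"", chaddr, b"", b"")
    return header + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def demo():
    f = DiscoverFilter()
    one = build_discover("02:00:00:00:00:01")
    out = [f.on_discover(1, one, 0.0)[0],      # new terminal on port 1
           f.on_discover(1, one, 0.5)[0]]      # retransmission, same MAC
    for n in range(4):                         # four different MACs on port 2
        pkt = build_discover(f"02:00:00:00:01:{n:02x}")
        out.append(f.on_discover(2, pkt, 1.0 + n / 10)[0])
    return out


if __name__ == "__main__":
    print(demo())
```

Messages are judged as they arrive, so the Discovery messages forwarded before the per-port limit is crossed have already gone to the AC; a CPE that must discard the whole burst would have to hold messages for the detection time before forwarding.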
Of course, the message forwarding unit 941 is further configured to: when the AC with which the tunnel is established receives an Association message sent by another customer premise equipment through a CAPWAP tunnel, and determines from the MAC information in that Association message that the terminal connected to the other customer premise equipment and the terminal connected to this customer premise equipment are the same terminal, receive the station configuration update message that the AC sends through the CAPWAP tunnel, where the station configuration update message carries a delete station information element, and delete the information related to the terminal according to the delete station information element.
In actual operation, the customer premise equipment further includes an association removal unit (not shown in the figures). The association removal unit is configured to send a Disassociation message through the CAPWAP tunnel to the AC with which the tunnel is established after the connection between the terminal and the WLAN network is disconnected, where the Disassociation message causes that AC to remove the association for the terminal established between it and the CPE;
further, the association removal unit is configured to receive the response message corresponding to the Disassociation message, sent by the AC through the CAPWAP tunnel, together with the configuration information of the delete-terminal message element sent by the AC, and to delete the information related to the terminal according to that configuration information.
… a message including service data sent by the terminal of the … equipment, it is determined that the connection between the terminal and the WLAN network is disconnected; or, if the state of the terminal connected to a specific port of the customer premise equipment is found to be disconnected, it is determined that the connection between the terminal and the WLAN network is disconnected.
As the foregoing embodiment shows, in the customer premise equipment of this embodiment, the sending unit, the receiving unit, and the establishing unit let the CPE establish a CAPWAP tunnel, based on the CAPWAP protocol, with an AC among the servers of the WLAN network. The access unit then connects the terminals attached to the CPE to the WLAN network through the CAPWAP tunnel, so that the servers in a WLAN network relying on an LTE-EPC network can use the CAPWAP tunnel to authenticate the terminals accessing the WLAN network. This solves the prior-art problem that the WLAN network cannot separately authenticate terminals connected to a CPE.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as a standalone product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A terminal access authentication method, characterized by comprising:
a customer premise equipment (CPE) sending a discovery request to each access controller (AC) among the servers of a wireless local area network (WLAN) network, according to the IP address of each AC;
if the CPE receives a discovery response corresponding to the discovery request returned by any one of the ACs, the CPE establishing a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with that AC;
the CPE connecting a terminal attached to the CPE to the WLAN network through the CAPWAP tunnel, and enabling the servers of the WLAN network to authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
2. The method according to claim 1, characterized by further comprising: if the CPE does not receive the discovery response corresponding to the discovery request from one or more of the ACs, resending the discovery request, after a preset interval, to the ACs that did not return a discovery response.
3. The method according to claim 1, characterized in that, before the CPE sends the discovery request to each AC according to the IP address of each AC among the servers of the WLAN network, the method further comprises:
the CPE obtaining the IP address of each AC among the servers of the WLAN network from the packet data network (PDN) gateway of a Long Term Evolution evolved packet core (LTE-EPC) network, the LTE-EPC network being a network connected to the WLAN network; or
the CPE obtaining the domain name information of each AC among the servers of the WLAN network from the PDN gateway of the LTE-EPC network, sending to the domain name system (DNS) of the LTE-EPC network a domain name resolution request that includes the domain name information of each AC, and receiving the IP address list that the DNS returns in response to the domain name resolution request, the IP address list containing the IP address of each AC.
4. The method according to any one of claims 1 to 3, characterized in that, after the CPE establishes the CAPWAP tunnel with the AC, and before the CPE connects the terminal attached to the CPE to the WLAN network through the CAPWAP tunnel, the method further comprises:
the CPE receiving wireless access point (AP) version information sent over the CAPWAP tunnel by the AC with which the tunnel is established;
if the AP version information received by the CPE is inconsistent with the version information of the AP set in the CPE, the CPE sending the AC a request to update the version information of the AP, so that the AC with which the tunnel is established updates the version of the AP.
5. The method according to claim 1, characterized in that the CPE connecting the terminal attached to the CPE to the WLAN network through the CAPWAP tunnel specifically comprises:
the CPE receiving a Dynamic Host Configuration Protocol discovery (DHCP Discovery) message and sending the DHCP Discovery message through the CAPWAP tunnel to the AC with which the tunnel is established, the DHCP Discovery message being sent by the terminal connected to the CPE to request access to the WLAN network and containing the media access control (MAC) information of the terminal;
the CPE receiving the DHCP offer message corresponding to the DHCP Discovery message, sent through the CAPWAP tunnel by the AC with which the tunnel is established, the DHCP offer message carrying the IP address that the AC has allocated for the MAC information;
the CPE forwarding the DHCP offer message to the terminal, so that the terminal accesses the WLAN network using the IP address allocated by the AC with which the tunnel is established.
6. The method according to claim 5, wherein before the CPE sends the DHCP Discovery message through the CAPWAP tunnel to the AC with which the tunnel is established, the method further comprises:
the CPE obtaining the MAC information of the terminal from the DHCP Discovery message sent by the terminal connected to the CPE, and sending an Association message through the CAPWAP tunnel to the AC with which the tunnel is established, wherein the Association message includes the MAC information of the terminal;
the CPE, after receiving an Association response message that corresponds to the Association message and is returned through the CAPWAP tunnel by the AC with which the tunnel is established, establishing an association for the terminal with the AC with which the tunnel is established according to the MAC information of the terminal.
7. The method according to claim 5 or 6, further comprising:
if the CPE receives a plurality of DHCP Discovery messages that include the same MAC information and are sent by the terminal connected to the CPE, the CPE sending any one of the plurality of DHCP Discovery messages through the CAPWAP tunnel to the AC with which the tunnel is established, and discarding the other messages of the plurality of DHCP Discovery messages.
8. The method according to claim 5 or 6, further comprising:
if any port of the CPE receives a plurality of DHCP Discovery messages within a preconfigured detection time, and the MAC information included in each of the plurality of DHCP Discovery messages is different, discarding the plurality of DHCP Discovery messages.
9. The method according to claim 6, further comprising:
after the connection between the terminal and the WLAN network is disconnected, the CPE sending a Disassociation message through the CAPWAP tunnel to the AC with which the tunnel is established, wherein the Disassociation message is used to cause the AC with which the tunnel is established to remove the association for the terminal established with the CPE;
the CPE receiving a response message that corresponds to the Disassociation message and is sent by the AC through the CAPWAP tunnel, together with configuration information of a delete-terminal message element sent by the AC, and deleting information related to the terminal according to the configuration information of the delete-terminal message element.
10. A customer premise equipment, comprising:
a sending unit, configured to send a discovery request to each access controller (AC) in a server of a wireless local area network (WLAN) network according to the IP address of each AC;
a receiving unit, configured to receive a discovery response that corresponds to the discovery request and is returned by any one of the ACs;
an establishing unit, configured to establish a Control And Provisioning of Wireless Access Points (CAPWAP) tunnel with the any one AC after the receiving unit receives the discovery response that corresponds to the discovery request and is returned by the any one of the ACs;
an access unit, configured to connect a terminal connected to the customer premise equipment to the WLAN network through the CAPWAP tunnel, and to enable the server of the WLAN network to authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
11. The customer premise equipment according to claim 10, wherein
the sending unit is further configured to, when the receiving unit does not receive a discovery response corresponding to the discovery request from one or more of the ACs, resend the discovery request, after a preset interval, to the ACs that did not return a discovery response.
12. The customer premise equipment according to claim 10, further comprising:
an address obtaining unit, configured to obtain the IP address of each AC in the server of the WLAN network from a packet data network (PDN) gateway of a Long Term Evolution packet core (LTE-EPC) network, wherein the LTE-EPC network is a network connected to the WLAN network; or
configured to obtain domain name information of each AC in the server of the WLAN network from the PDN gateway of the LTE-EPC network, send, according to the domain name information of each AC, a domain name resolution request including the domain name information of each AC to a domain name system (DNS) of the LTE-EPC network, and receive an IP address list returned by the DNS according to the domain name resolution request, wherein the IP address list contains the IP address of each AC.
13. The customer premise equipment according to any one of claims 10 to 12, wherein
the receiving unit is further configured to receive wireless access point (AP) version information sent over the CAPWAP tunnel by the AC with which the tunnel is established;
the sending unit is further configured to, when the AP version information received by the receiving unit is inconsistent with the AP version information set in the customer premise equipment, initiate, to the AC, a request to update the AP version information, so that the AC with which the tunnel is established updates the version of the AP.
14. The customer premise equipment according to claim 10, wherein the access unit specifically comprises:
a message forwarding unit, configured to receive a Dynamic Host Configuration Protocol discovery (DHCP Discovery) message and send the DHCP Discovery message through the CAPWAP tunnel to the AC with which the tunnel is established, wherein the DHCP Discovery message is sent by the terminal connected to the customer premise equipment to request access to the WLAN network, and the DHCP Discovery message contains media access control (MAC) information of the terminal;
a message receiving unit, configured to receive a DHCP offer message that corresponds to the DHCP Discovery message and is sent through the CAPWAP tunnel by the AC with which the tunnel is established, wherein the DHCP offer message carries an IP address that corresponds to the MAC information and is allocated by the AC with which the tunnel is established;
a message sending unit, configured to forward the DHCP offer message to the terminal, so that the terminal accesses the WLAN network based on the IP address allocated by the AC with which the tunnel is established.
15. The customer premise equipment according to claim 14, wherein the access unit further comprises:
an association message sending unit, configured to obtain the MAC information of the terminal from the DHCP Discovery message sent by the terminal connected to the customer premise equipment, and send an Association message through the CAPWAP tunnel to the AC with which the tunnel is established, wherein the Association message includes the MAC information of the terminal;
an association unit, configured to, after receiving an Association response message that corresponds to the Association message and is returned through the CAPWAP tunnel by the AC with which the tunnel is established, establish an association for the terminal with the AC with which the tunnel is established according to the MAC information of the terminal.
16. The customer premise equipment according to claim 14 or 15, wherein
the message forwarding unit is further configured to, on receiving a plurality of DHCP Discovery messages that include the same MAC information and are sent by the terminal connected to the customer premise equipment, send any one of the plurality of DHCP Discovery messages through the CAPWAP tunnel to the AC with which the tunnel is established, and discard the other messages of the plurality of DHCP Discovery messages.
17. The customer premise equipment according to claim 14 or 15, wherein
the message forwarding unit is further configured to discard a plurality of DHCP Discovery messages when any port of the customer premise equipment receives the plurality of DHCP Discovery messages within a preconfigured detection time and the MAC information included in each of the plurality of DHCP Discovery messages is different.
18. The customer premise equipment according to claim 15, further comprising:
an association removal unit, configured to, after the connection between the terminal and the WLAN network is disconnected, send a Disassociation message through the CAPWAP tunnel to the AC with which the tunnel is established, wherein the Disassociation message is used to cause the AC with which the tunnel is established to remove the association for the terminal established with the CPE; and configured to receive a response message that corresponds to the Disassociation message and is sent by the AC through the CAPWAP tunnel, together with configuration information of a delete-terminal message element sent by the AC, and delete information related to the terminal according to the configuration information of the delete-terminal message element.
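Claims 7 and 8 (and device claims 16 and 17) describe how the CPE filters DHCP Discovery messages before tunnelling them to the AC. The following Python sketch is an added illustration, not code from the patent: it assumes Discovers are held per port for one detection window before a decision is made, and the names `DiscoverFilter`, `window`, `max_macs`, `build_discover`, the port labels and the sample packets are all hypothetical.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
DHCPDISCOVER = 1                     # option 53 value for a Discover


def discover_mac(payload: bytes):
    """Return the client MAC if payload is a DHCP Discover, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    if payload[0] != 1 or payload[1] != 1 or payload[2] != 6:
        return None                  # not a BOOTREQUEST from an Ethernet client
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:          # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None              # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None              # truncated option body
        if payload[i] == 53:
            is_discover = value == bytes([DHCPDISCOVER])
            return payload[28:34].hex(":") if is_discover else None
        i += 2 + length
    return None


class DiscoverFilter:
    """Hold Discovers per port for one detection window, then decide."""

    def __init__(self, window=1.0, max_macs=1):
        self.window = window         # assumed detection time in seconds
        self.max_macs = max_macs     # assumed: distinct MACs tolerated per port
        self._ports = {}             # port -> (window start, {mac: payload})
        self.dropped = 0

    def on_packet(self, port, payload, now):
        mac = discover_mac(payload)
        if mac is None:
            return "pass"            # not a Discover, outside this filter
        _, seen = self._ports.setdefault(port, (now, {}))
        if mac in seen:
            self.dropped += 1        # claim 7: one Discover per MAC is kept
            return "drop-duplicate"
        seen[mac] = payload
        return "held"

    def flush(self, now):
        """Return [(port, payload)] to tunnel for each expired window."""
        forward = []
        for port, (start, seen) in list(self._ports.items()):
            if now - start < self.window:
                continue
            del self._ports[port]
            if len(seen) > self.max_macs:
                self.dropped += len(seen)   # claim 8: many MACs on one port
            else:
                forward.extend((port, p) for p in seen.values())
        return forward


def build_discover(mac: str, xid: int) -> bytes:
    """Constructed sample input: a minimal DHCP Discover payload."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    zero = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0,
                         0x8000, zero, zero, zero, zero, chaddr, b"", b"")
    return header + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])
```

With `max_macs=1` the filter follows claim 8 literally; a port that legitimately aggregates several terminals would need a higher value, and holding messages for the window delays address assignment by up to `window` seconds.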
PCT/CN2012/075783 2012-01-19 2012-05-19 Terminal access authentication method and customer premise equipment WO2013107136A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
RU2013106254/08A RU2556468C2 (en) 2012-01-19 2012-05-19 Terminal access authentication method and customer premise equipment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210018120.5A CN102572830B (en) 2012-01-19 2012-01-19 Method and customer premise equipment (CPE) for terminal access authentication
CN201210018120.5 2012-01-19

Publications (1)

Publication Number Publication Date
WO2013107136A1 (en) 2013-07-25

Family

ID=46417038

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/075783 WO2013107136A1 (en) 2012-01-19 2012-05-19 Terminal access authentication method and customer premise equipment

Country Status (3)

Country Link
CN (1) CN102572830B (en)
RU (1) RU2556468C2 (en)
WO (1) WO2013107136A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410980A (en) * 2014-11-06 2015-03-11 福建三元达通讯股份有限公司 Thin AP-based user information management method and system
CN104427499A (en) * 2013-09-11 2015-03-18 中国电信股份有限公司 Wireless local area network (WLAN) access authentication method and system based on World Wide Web
CN107409326A (en) * 2015-03-30 2017-11-28 英国电讯有限公司 Communication network
WO2019201175A1 (en) * 2018-04-17 2019-10-24 江苏必得科技股份有限公司 Train-ground lte communication system for damage data transmission of train components
CN112671829A (en) * 2020-11-26 2021-04-16 新华三技术有限公司 Equipment online method and device
CN114115940B (en) * 2021-11-11 2024-04-12 新华三大数据技术有限公司 Version upgrading method and device

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821413A (en) * 2012-07-31 2012-12-12 华为技术有限公司 Data transmission method and network side equipment
CN103929726B (en) * 2013-01-14 2019-06-14 中兴通讯股份有限公司 Wireless LAN accesses control correlation technique and system in interacting with fixed network
CN104283858B (en) * 2013-07-09 2018-02-13 华为技术有限公司 Control the method, apparatus and system of user terminal access
CN103346919A (en) * 2013-07-19 2013-10-09 北京傲天动联技术股份有限公司 Method and system for uniformly managing wireless terminals to access CPE of equipment
CN103532842B (en) * 2013-10-14 2017-10-13 广州供电局有限公司 The high reliability LTE transmission system of distribution network
CN103648124A (en) * 2013-12-18 2014-03-19 南京智微亚通信科技有限公司 Wireless client terminal access management control method
CN105101195B (en) * 2014-04-30 2018-11-30 华为技术有限公司 The control method and device of network admittance
CN105991786A (en) * 2015-02-15 2016-10-05 中国移动通信集团江苏有限公司 Wi-Fi access configuration method, Wi-Fi terminal and access equipment
CN105120505B (en) * 2015-07-28 2019-04-16 小米科技有限责任公司 The method, apparatus and system of smart machine couple in router
CN105791267A (en) * 2016-01-14 2016-07-20 李小林 New wireless WIFI networking identity identification and authentication method
CN106131066B (en) * 2016-08-26 2019-09-17 新华三技术有限公司 A kind of authentication method and device
CN106789534B (en) * 2016-12-27 2019-09-17 京信通信系统(中国)有限公司 A kind of data transmission method and device based on wireless network
CN107071082A (en) * 2017-03-22 2017-08-18 上海斐讯数据通信技术有限公司 The acquisition methods and system of a kind of IP address of access control equipment
CN109391940B (en) * 2017-08-02 2021-02-12 华为技术有限公司 Method, equipment and system for accessing network
CN107454090B (en) * 2017-08-17 2019-12-27 京信通信系统(中国)有限公司 Wired data identification and authentication method and system
RU180801U1 (en) * 2018-03-07 2018-06-22 Общество с ограниченной ответственностью "БУЛАТ" Subscriber network device with virtualized network functions
CN110582085B (en) * 2018-06-11 2022-12-16 成都鼎桥通信技术有限公司 Communication method, device and system
RU186109U1 (en) * 2018-10-31 2019-01-09 Общество с ограниченной ответственностью "БУЛАТ" Subscriber network device with virtualized network functions
RU190103U1 (en) * 2018-11-28 2019-06-18 Общество с ограниченной ответственностью "БУЛАТ" Ethernet switch
RU190237U1 (en) * 2018-12-12 2019-06-24 Общество с ограниченной ответственностью "БУЛАТ" Subscriber Network Device with Virtualized Network Functions
CN113473493B (en) * 2020-03-31 2023-06-30 华为技术有限公司 Communication method and device
CN114500094B (en) * 2022-02-24 2024-03-12 新华三技术有限公司合肥分公司 Access method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217440A (en) * 2008-01-15 2008-07-09 杭州华三通信技术有限公司 An access method and access device of AP to AC in wireless LAN
CN101578828A (en) * 2007-08-24 2009-11-11 华为技术有限公司 Roaming Wi-Fi access in fixed network architectures
WO2010145882A1 (en) * 2009-06-18 2010-12-23 Venatech Ab An access point, a server and a system for distributing an unlimited number of virtual ieee 802.11 wireless networks through a heterogeneous infrastructure

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340340B (en) * 2007-07-31 2012-07-11 杭州华三通信技术有限公司 Access point configuring management method and access controller


Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104427499A (en) * 2013-09-11 2015-03-18 中国电信股份有限公司 Wireless local area network (WLAN) access authentication method and system based on World Wide Web
CN104410980A (en) * 2014-11-06 2015-03-11 福建三元达通讯股份有限公司 Thin AP-based user information management method and system
CN104410980B (en) * 2014-11-06 2018-04-17 福建三元达科技有限公司 A kind of user information management method and system based on thin AP
CN107409326A (en) * 2015-03-30 2017-11-28 英国电讯有限公司 Communication network
CN107409326B (en) * 2015-03-30 2021-01-26 英国电讯有限公司 Customer premises equipment, method of controlling the same, and computer-readable storage medium
WO2019201175A1 (en) * 2018-04-17 2019-10-24 江苏必得科技股份有限公司 Train-ground lte communication system for damage data transmission of train components
CN112671829A (en) * 2020-11-26 2021-04-16 新华三技术有限公司 Equipment online method and device
CN112671829B (en) * 2020-11-26 2022-07-12 新华三技术有限公司 Equipment online method and device
CN114115940B (en) * 2021-11-11 2024-04-12 新华三大数据技术有限公司 Version upgrading method and device

Also Published As

Publication number Publication date
RU2013106254A (en) 2014-08-20
CN102572830B (en) 2015-07-08
CN102572830A (en) 2012-07-11
RU2556468C2 (en) 2015-07-10

Similar Documents

Publication Publication Date Title
WO2013107136A1 (en) Terminal access authentication method and customer premise equipment
US10972917B2 (en) Signaling attack prevention method and apparatus
KR101814969B1 (en) Systems and methods for accessing a network
US10432632B2 (en) Method for establishing network connection, gateway, and terminal
TWI713614B (en) Methods and apparatus for wireless communication using a security model to support multiple connectivity and service contexts
US9736157B2 (en) Method and trusted gateway for WiFi terminal accessing to packet data PS service domain
US9113436B2 (en) Method and system for information transmission
JP5982690B2 (en) Network convergence method, device, and communication system
WO2012130085A1 (en) Method and device for establishing connection with network management system, and communication system
US9271318B2 (en) Internet protocol address registration
WO2014176964A1 (en) Communication managing method and communication system
US9544832B2 (en) Method, apparatus and system for policy control
EP2572491B1 (en) Systems and methods for host authentication
JP6063564B2 (en) Method, apparatus and system for accessing a mobile network
US11871223B2 (en) Authentication method and apparatus and device
WO2014071685A1 (en) Mobile network-based tenant network service implementation method, system, and network element
WO2014067420A1 (en) Packet data network type management method, device, and system
WO2012130133A1 (en) Access point and terminal access method
WO2009082910A1 (en) Method and device for network configuration to user terminal
US8458773B2 (en) Method, device, and system for authentication
US10367658B2 (en) Wireless network session establishment method and apparatus utilizing a virtual local area network label
JP2014036384A (en) Flow distribution system, flow distribution device, flow distribution method, and program
US20190200234A1 (en) Signaling Attack Prevention Method and Apparatus
WO2013143366A1 (en) Policy session establishment method and system

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase Ref document number: 4136/KOLNP/2012; Country of ref document: IN
ENP Entry into the national phase Ref document number: 2013106254; Country of ref document: RU; Kind code of ref document: A
121 Ep: the epo has been informed by wipo that ep was designated in this application Ref document number: 12866089; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase Ref country code: DE
122 Ep: pct application non-entry in european phase Ref document number: 12866089; Country of ref document: EP; Kind code of ref document: A1