WO2017092501A1 - Method and system for network certification - Google Patents


Info

Publication number
WO2017092501A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
site
roaming group
layer
authentication information
Prior art date
Application number
PCT/CN2016/101386
Other languages
French (fr)
Chinese (zh)
Inventor
乐毅
Original Assignee
上海斐讯数据通信技术有限公司
Priority date
Filing date
Publication date
Application filed by 上海斐讯数据通信技术有限公司
Publication of WO2017092501A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a network authentication method and system.
  • the coverage of current wireless networks is getting larger and larger, and mobile terminal devices such as mobile phones are becoming more and more popular.
  • Internet access through WiFi has become the mainstream method.
  • in the traditional wireless network management mode, the AC (Access Controller) and the APs (Wireless Access Points) are deployed locally and managed centrally within the same LAN (Local Area Network); the data services of the APs are all controlled and forwarded by the AC, so when a terminal roams, all terminals are still authenticated by the Radius server in the same LAN.
  • when a Portal authentication request is initiated, the user has to enter a username and password or perform SMS authentication, which seriously affects the user experience.
  • the existing wireless roaming non-aware authentication is established in the same LAN network management mode.
  • the terminal MAC address is previously bound to the username and password.
  • the AP, the AC and the Radius server automatically participate in and complete the Portal authentication, so that the user experiences non-aware authentication (i.e., roaming-free authentication), greatly improving the user experience.
  • the forwarding delay of authentication packets is very small and the forwarding efficiency is high, because the AP and the AC are in the same LAN.
  • when the WLAN is deployed on the cloud, the AC is deployed on a public cloud server.
  • the cloud AC is not in the same LAN as the AP.
  • the cloud AC does not manage the AP locally.
  • the data service of the AP is not controlled or forwarded by the cloud AC.
  • the cloud AC also integrates the authentication service function, which enables remote authentication across the Internet.
  • an object of the present invention is to provide a network authentication method and system for solving the problems of long delay in network authentication, packet loss and low authentication efficiency in the prior art.
  • the present invention provides a network authentication method, where the network authentication method includes the following steps: a cloud AC establishes a roaming group, and the APs in the same roaming group are divided into the same layer 2 multicast domain.
  • the roaming group includes two or more APs, and the AP includes a local authentication list of the roaming group in which the AP is located.
  • when the site sends an authentication request to the target AP, it is determined whether the local authentication list of the target AP includes the associated authentication information of an AP in the roaming group where the target AP is located and the site.
  • when the site sends an authentication request to the target AP, if the local authentication list of the target AP does not include the associated authentication information of an AP in the roaming group where the target AP is located and the site, the site sends a Portal authentication request to the cloud AC.
  • when the site sends a Portal authentication request to the cloud AC and the authentication is passed, the associated authentication information of the target AP and the site is formed and stored in the local authentication list of the target AP.
  • the network authentication method further includes: the cloud AC notifies all APs in the roaming group of the roaming group ID of the roaming group and the broadcast domain local area network ID of the layer 2 multicast domain, where the roaming group ID is in one-to-one correspondence with the broadcast domain local area network ID.
  • the association authentication information includes an association relationship between a feature code of the AP and a MAC address of the site.
  • the association authentication information further includes a site status corresponding to the MAC address of the site, where the site status includes an active state, an intermediate state and an invalid state; when the AP receives an association request of the site, the site status of the associated authentication information corresponding to that site is modified to the active state.
  • when the AP receives a disassociation request of the site, the site status of the associated authentication information corresponding to that site is modified to the intermediate state; when the time the site status has been in the intermediate state exceeds the first time threshold, the site status of the site in the associated authentication information is modified to the invalid state.
  • the network authentication method further includes updating the local authentication list of the AP every second time threshold, which includes:
  • every second time threshold, the AP sends a Layer 2 multicast packet to all APs in the roaming group where it is located.
  • the Layer 2 multicast packet includes the associated authentication information of the AP sending the packet and the sites whose site status is the active state or the intermediate state, and the roaming group ID of the roaming group where the AP is located.
  • each AP in the roaming group that receives the Layer 2 multicast packet confirms, according to the roaming group ID in the packet, whether it is in the same roaming group as the AP that sent the packet; if yes, the associated authentication information in the packet is added to its local authentication list, and the broadcast domain local area network ID corresponding to the added associated authentication information is recorded.
  • the network authentication method further includes: if an AP does not send Layer 2 multicast packets to all APs in its roaming group within the third time threshold, the other APs in the roaming group delete the associated authentication information of that AP from their local authentication lists.
  • the present invention further provides a network authentication system, where the network authentication system includes: a cloud AC, which is used to establish a roaming group, and divides the APs in the same roaming group into the same layer 2 multicast domain.
  • the roaming group includes two or more APs; each AP includes a local authentication list of the roaming group where it is located, and the AP is configured to receive an authentication request sent by the station, determine whether the local authentication list includes the associated authentication information of an AP in the roaming group and the site, and authenticate the site when it does; the site is configured to send an authentication request to the target AP and, when the local authentication list of the target AP does not include the association authentication information of an AP in the roaming group where the target AP is located and the site, to send a Portal authentication request to the cloud AC; the target AP is further configured to form the association authentication information of the target AP and the site when the site passes the Portal authentication, and to store it in its local authentication list.
  • the cloud AC further includes: a roaming group establishing unit, configured to establish a roaming group and divide the APs in the same roaming group into the same layer 2 multicast domain; and an authentication unit, configured to receive the Portal authentication request of the site and verify the user authentication information of the site.
  • the AP further includes: a storage unit, configured to store the local authentication list of the roaming group where the AP is located; an authentication request receiving unit, configured to receive an authentication request sent by the station; and an authentication verification unit, connected to the authentication request receiving unit and the storage unit, configured to determine whether the local authentication list includes the associated authentication information of an AP in the roaming group and the site, and to authenticate the site when the local authentication list includes that associated authentication information.
  • the cloud AC further includes a group information sending unit, configured to notify the roaming group ID of the roaming group and the broadcast domain local area network ID of the layer 2 multicast domain to all APs in the roaming group.
  • the roaming group ID is in one-to-one correspondence with the broadcast domain local area network ID.
  • the AP further includes a group information receiving unit, configured to receive the roaming group ID of the roaming group where the AP is located and the broadcast domain local area network ID of the layer 2 multicast domain.
  • the storage unit is connected to the group information receiving unit, and the storage unit is further configured to store a roaming group ID of the roaming group where the AP is located and a broadcast domain local area network ID of the layer 2 multicast domain.
  • the association authentication information includes an association relationship between a feature code of the AP and a MAC address of the site, and a site status corresponding to the MAC address of the site; the site status includes a valid state, an intermediate state and an invalid state; the AP further includes a multicast packet sending unit, connected to the storage unit and configured to send, every second time threshold, a Layer 2 multicast packet to all APs in the roaming group where the AP is located, where the Layer 2 multicast packet includes the associated authentication information of the sending AP and the sites whose site status is the active state or the intermediate state.
  • the list updating unit is further configured to: when the roaming group ID in the Layer 2 multicast packet confirms that the AP and the AP that sent the packet are in the same roaming group, add the associated authentication information in the Layer 2 multicast packet to the local authentication list of the AP, and record the broadcast domain local area network ID corresponding to the added associated authentication information.
  • the list updating unit is further configured to delete the associated authentication information of an AP in the roaming group from the local authentication list when no Layer 2 multicast packet sent by that AP is received within the third time threshold.
  • the network authentication method and system of the present invention have the following beneficial effects:
  • the cloud AC establishes a roaming group and divides the APs in the same roaming group into the same layer 2 multicast domain, so that when the site sends an authentication request to the target AP, it is first determined whether the local authentication list of the target AP includes the association authentication information of an AP in the roaming group where the target AP is located and the site; when the local authentication list of the target AP includes that association authentication information, the site passes authentication.
  • when the site passes the authentication of one AP in the roaming group, the successful authentication result is notified to the other APs in the roaming group in the form of associated authentication information, so that when the site roams to other APs in the roaming group it is authenticated from their local authentication lists and does not need to take part in a second Portal authentication. This avoids obtaining authentication information from the remote cloud AC, reduces the cross-public-network authentication request process, improves authentication efficiency and achieves non-aware authentication of the site.
  • FIG. 1 is a schematic flowchart showing an embodiment of a network authentication method according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of an embodiment of a network authentication system according to the present invention.
  • FIG. 3 is a schematic structural diagram of a cloud AC in an embodiment of a network authentication system according to the present invention.
  • FIG. 4 is a schematic structural diagram of an AP in an embodiment of a network authentication system according to the present invention.
  • when the cloud AC and the AP are in different LANs, the cloud AC establishes a roaming group and divides the APs in the same roaming group into the same Layer 2 multicast domain. After the site passes authentication at one AP in the roaming group, the association authentication information of that AP and the site is formed and sent to all APs in the roaming group by Layer 2 multicast; thereby, when the site roams to other APs in the roaming group, it is authenticated according to the association authentication information in the local authentication lists of those APs, without a second Portal authentication at the cloud AC. This avoids obtaining authentication information from the remote cloud AC, reduces the cross-public-network authentication process, improves authentication efficiency and achieves non-aware authentication of the site.
  • the network authentication method in Figure 1 includes:
  • step S11 the cloud AC establishes a roaming group, and divides the APs in the same roaming group into the same layer 2 multicast domain. At this time, the cloud AC establishes a TCP management channel with each AP, thereby implementing management on the AP.
  • the roaming group includes two or more APs, and the AP includes a local authentication list of the roaming group in which the AP is located.
  • the number of APs included in each roaming group should not be too large, and 32 APs can be defaulted.
  • only one roaming group is included in a Layer 2 multicast domain, and each roaming group has only one group owner.
  • An AP may be in two Layer 2 multicast domains, that is, the AP may be in two roaming groups.
  • step S12 the station sends an authentication request to the target AP.
  • step S13 it is determined whether the local authentication list of the target AP includes the associated authentication information of the AP and the site in the roaming group where the target AP is located.
  • if the local authentication list of the target AP includes the associated authentication information of an AP in the roaming group where the target AP is located and the site, step S14 is performed: the site is authenticated. If the local authentication list of the target AP does not include it, step S15 is performed: the site sends a Portal authentication request to the cloud AC; then step S16 is performed: when the Portal authentication is passed, the association authentication information of the target AP and the site is formed and stored in the local authentication list of the target AP.
  • the cloud AC establishes a roaming group and divides the APs in the same roaming group into the same layer 2 multicast domain, so that when the station sends an authentication request to the target AP it is determined whether the local authentication list of the target AP includes the association authentication information of an AP in the roaming group where the target AP is located and the site; when the local authentication list of the target AP includes that association authentication information, the site is authenticated.
  • when the site passes the authentication of one AP in the roaming group, the successful authentication result is notified to the other APs in the roaming group in the form of associated authentication information, so that when the site roams to other APs in the roaming group it is directly authenticated according to the associated authentication information in their local authentication lists, without the cloud AC taking part in a second Portal authentication. This avoids obtaining authentication information from the remote cloud AC, reduces the cross-public-network authentication request process, improves authentication efficiency and achieves non-aware authentication of the site.
  • the network authentication method further includes: the cloud AC notifies all APs in the roaming group of the roaming group ID of the roaming group and the broadcast domain local area network ID of the layer 2 multicast domain, where the roaming group ID is in one-to-one correspondence with the broadcast domain local area network ID.
  • after the cloud AC notifies the roaming group ID and the broadcast domain local area network ID to all APs in the roaming group, the APs in the roaming group synchronously switch to the roaming authentication mode.
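Steps S11 to S16 as a small simulation: a cloud AC, one roaming group of three APs, and a station that authenticates once through the Portal and is then recognised from the local authentication lists. This is an added example written for this page, not the patent's own implementation; the class names, the MAC-to-credential table, the AP serial numbers and the `share_within_group` helper (a stand-in for the Layer 2 multicast distribution described further down) are all constructed assumptions.

```python
"""Local-list lookup versus cloud Portal fallback for one roaming group.
Added example, not the patent's code; all names and values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssocAuth:
    """Association authentication information: <AP SN, STA MAC>."""
    ap_sn: str
    sta_mac: str


class CloudAC:
    """Cloud AC: establishes roaming groups and answers Portal authentication."""

    def __init__(self, credentials):
        # constructed binding STA MAC -> (username, password); the page states
        # that the terminal MAC is bound to the account beforehand
        self._credentials = credentials
        self.groups = {}            # roaming group ID -> list of APs
        self.portal_requests = 0    # cross-public-network Portal requests seen

    def establish_roaming_group(self, group_id, aps):          # S11
        self.groups[group_id] = list(aps)
        for ap in aps:
            ap.roaming_group_id = group_id
            ap.group_sns = {a.sn for a in aps}

    def portal_authenticate(self, sta_mac, username, password):
        self.portal_requests += 1
        return self._credentials.get(sta_mac) == (username, password)


class AP:
    def __init__(self, sn):
        self.sn = sn                     # feature code (SN) of the AP
        self.roaming_group_id = None
        self.group_sns = set()
        self.local_auth_list = set()     # AssocAuth entries of this roaming group

    def has_group_association(self, sta_mac):
        """S13: does the local list hold <AP SN, STA MAC> for this station and
        any AP of this roaming group?"""
        return any(e.sta_mac == sta_mac and e.ap_sn in self.group_sns
                   for e in self.local_auth_list)

    def authenticate(self, sta_mac, cloud_ac, username=None, password=None):
        """S12 to S16 from the target AP's point of view; returns the path taken."""
        if self.has_group_association(sta_mac):
            return "local"                                              # S14
        if not cloud_ac.portal_authenticate(sta_mac, username, password):  # S15
            return "rejected"
        self.local_auth_list.add(AssocAuth(self.sn, sta_mac))             # S16
        return "portal"


def share_within_group(aps):
    """Stand-in for the Layer 2 multicast distribution: every AP of the group
    learns the others' association authentication information."""
    union = set().union(*(ap.local_auth_list for ap in aps))
    for ap in aps:
        ap.local_auth_list |= union


def roaming_demo():
    """Station authenticates once via the Portal, then roams inside the group."""
    sta = "aa:bb:cc:00:00:01"                                   # constructed STA MAC
    ac = CloudAC({sta: ("alice", "s3cret")})                    # constructed table
    ap1, ap2, ap3 = AP("SN-AP1"), AP("SN-AP2"), AP("SN-AP3")
    ac.establish_roaming_group("RG-1", [ap1, ap2, ap3])
    first = ap1.authenticate(sta, ac, "alice", "s3cret")        # "portal"
    share_within_group([ap1, ap2, ap3])
    second = ap2.authenticate(sta, ac)                          # "local"
    third = ap3.authenticate(sta, ac)                           # "local"
    stranger = ap3.authenticate("aa:bb:cc:00:00:99", ac, "bob", "x")  # "rejected"
    return first, second, third, stranger, ac.portal_requests


if __name__ == "__main__":
    print(roaming_demo())
```

The returned tuple shows the point of the method: the authenticated station generates one Portal request across the public network, and every later AP in the group answers from its own list; only the unknown station produces a second Portal request.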
  • the association authentication information includes an association relationship between a feature code (SN) of the AP and a MAC address (STA MAC) of the station. For example, it can be recorded as <AP SN, STA MAC>.
  • the association authentication information further includes a site status corresponding to a MAC address of the site, and the site state includes an active state, an intermediate state, and an invalid state.
  • when the AP receives an association request of the site, the AP modifies the site status of the associated authentication information corresponding to that site to the valid state; when the AP receives a disassociation request of the site, the AP modifies the site status of the associated authentication information corresponding to that site to the intermediate state; when the time the site status has been in the intermediate state exceeds the first time threshold, the site status of the site in the associated authentication information is modified to the invalid state.
  • the site may be disassociated from the AP according to the IEEE 802.11 standard protocol.
  • the network authentication method further includes updating the local authentication list of the AP every second time threshold. Updating the local authentication list of the AP every second time threshold specifically includes:
  • every second time threshold, the AP sends a Layer 2 multicast packet to all APs in the roaming group where it is located.
  • the Layer 2 multicast packet includes the associated authentication information of the AP sending the packet and the sites whose site status is the active state or the intermediate state, and the roaming group ID of the roaming group where the AP is located.
  • each AP in the roaming group that receives the Layer 2 multicast packet confirms, according to the roaming group ID in the packet, whether it is in the same roaming group as the AP that sent the packet; if yes, the associated authentication information in the packet is added to its local authentication list, and the broadcast domain local area network ID corresponding to the added associated authentication information is recorded.
  • because the broadcast domain local area network ID corresponding to the added associated authentication information is also recorded, an AP that is in more than one roaming group can easily distinguish the associated authentication information of the different roaming groups.
  • the second time threshold may be an integer multiple of the first time threshold, so that the site status of the site in the associated authentication information has already been updated when the local authentication list is updated.
  • in this embodiment only the associated authentication information whose site status is the active state or the intermediate state is multicast to all APs in the roaming group in the form of Layer 2 multicast packets; the associated authentication information whose site status is the invalid state is filtered out, which reduces unnecessary Layer 2 multicast packet transmission, improves the packet transmission rate and improves authentication efficiency.
  • the network authentication method further includes: if an AP does not send Layer 2 multicast packets to all APs in its roaming group within the third time threshold, the other APs in the roaming group delete the associated authentication information of that AP from their local authentication lists.
  • the third time threshold may be an integer multiple of the first time threshold, so that the associated authentication information in the local authentication list is filtered when the local authentication list is updated; the local authentication list of the AP thereby implements an aging mechanism, the amount of information to be screened is reduced, and authentication efficiency is improved.
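The site status transitions, the periodic Layer 2 multicast of the local authentication list and the aging of silent APs, run as one simulated timeline. This is an added example and not the patent's code; the threshold values T1, T2 and T3, the packet fields, the AP serial numbers and MAC address, the rule that a received packet replaces the sender's earlier entries, and the rule that an intermediate-state entry still authenticates locally are all assumptions made here.

```python
"""Site status tracking, periodic Layer 2 multicast of the local authentication
list, and aging of entries from silent APs. Added example, not the patent's
own code; thresholds, packet fields and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

ACTIVE, INTERMEDIATE, INVALID = "active", "intermediate", "invalid"

T1 = 10   # first time threshold: intermediate -> invalid (constructed value)
T2 = 20   # second time threshold: multicast period, an integer multiple of T1
T3 = 60   # third time threshold: silent-AP aging, also a multiple of T1


@dataclass
class Entry:
    """Association authentication information <AP SN, STA MAC> plus site status."""
    ap_sn: str
    sta_mac: str
    status: str = ACTIVE
    intermediate_since: Optional[int] = None   # time of the disassociation
    bd_lan_id: Optional[str] = None            # recorded by the receiving AP


class AP:
    def __init__(self, sn, group_id, bd_lan_id):
        self.sn, self.group_id, self.bd_lan_id = sn, group_id, bd_lan_id
        self.entries = {}        # (ap_sn, sta_mac) -> Entry: the local authentication list
        self.last_heard = {}     # peer AP SN -> time its last multicast arrived

    # --- site status, driven by 802.11 association and disassociation ---
    def on_associate(self, sta_mac, now):
        e = self.entries.setdefault((self.sn, sta_mac), Entry(self.sn, sta_mac))
        e.status, e.intermediate_since = ACTIVE, None

    def on_disassociate(self, sta_mac, now):
        e = self.entries.get((self.sn, sta_mac))
        if e is not None:
            e.status, e.intermediate_since = INTERMEDIATE, now

    def expire_intermediate(self, now):
        """Intermediate for longer than T1 becomes invalid."""
        for e in self.entries.values():
            if e.status == INTERMEDIATE and now - e.intermediate_since > T1:
                e.status, e.intermediate_since = INVALID, None

    # --- Layer 2 multicast, sent every T2 ---
    def build_multicast(self, now):
        """Carry only this AP's active/intermediate entries; invalid ones are filtered."""
        self.expire_intermediate(now)
        payload = [(e.ap_sn, e.sta_mac, e.status) for e in self.entries.values()
                   if e.ap_sn == self.sn and e.status != INVALID]
        return {"group_id": self.group_id, "bd_lan_id": self.bd_lan_id,
                "from": self.sn, "entries": payload}

    def receive_multicast(self, pkt, now):
        """Accept only a matching roaming group ID; the packet replaces the
        sender's earlier entries (assumption) and its BD-LAN ID is recorded."""
        if pkt["group_id"] != self.group_id:
            return False
        self.last_heard[pkt["from"]] = now
        for key in [k for k in self.entries if k[0] == pkt["from"]]:
            del self.entries[key]
        for ap_sn, sta_mac, status in pkt["entries"]:
            self.entries[(ap_sn, sta_mac)] = Entry(ap_sn, sta_mac, status,
                                                   bd_lan_id=pkt["bd_lan_id"])
        return True

    def age_out(self, now):
        """Delete every entry of a group peer that has been silent for more than T3."""
        silent = {sn for sn, t in self.last_heard.items() if now - t > T3}
        for key in [k for k in self.entries if k[0] in silent]:
            del self.entries[key]
        return silent

    def can_authenticate_locally(self, sta_mac):
        # assumption: active and intermediate entries both count, invalid ones do not
        return any(e.sta_mac == sta_mac and e.status != INVALID
                   for e in self.entries.values())


def sync_demo():
    """Timeline: associate, multicast, disassociate, expire, relearn, age out."""
    ap1 = AP("SN-AP1", "RG-1", "BD-LAN-1")
    ap2 = AP("SN-AP2", "RG-1", "BD-LAN-1")
    other = AP("SN-AP9", "RG-2", "BD-LAN-2")          # a different roaming group
    sta = "aa:bb:cc:00:00:01"                         # constructed STA MAC
    ap1.on_associate(sta, now=0)
    pkt = ap1.build_multicast(now=T2)
    accepted = ap2.receive_multicast(pkt, now=T2)     # True: same roaming group ID
    ignored = other.receive_multicast(pkt, now=T2)    # False: other group ignores it
    learned = ap2.entries[("SN-AP1", sta)]
    status_after_assoc, lan = learned.status, learned.bd_lan_id
    ap1.on_disassociate(sta, now=25)
    ap2.receive_multicast(ap1.build_multicast(now=30), now=30)   # still intermediate
    status_after_disassoc = ap2.entries[("SN-AP1", sta)].status
    ap2.receive_multicast(ap1.build_multicast(now=40), now=40)   # > T1: invalid, dropped
    local_after_expiry = ap2.can_authenticate_locally(sta)
    ap1.on_associate(sta, now=45)
    ap2.receive_multicast(ap1.build_multicast(now=60), now=60)
    relearned = ap2.can_authenticate_locally(sta)
    aged = ap2.age_out(now=60 + T3 + 1)               # AP1 silent longer than T3
    return (accepted, ignored, status_after_assoc, lan, status_after_disassoc,
            local_after_expiry, relearned, aged, ap2.can_authenticate_locally(sta))


if __name__ == "__main__":
    print(sync_demo())
```

Keeping T2 and T3 as multiples of T1 mirrors the page's remark that the status timer and the list update should line up: an entry is expired before it is multicast, and a peer's entries are removed only after several missed multicast periods.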
  • FIG. 2 is a schematic structural diagram of a network authentication system according to an embodiment of the present invention.
  • the network authentication system 2 in Figure 2 includes:
  • the cloud AC 21 is configured to establish the roaming group 22 and divide the AP 221 and the AP 222 in the same roaming group 22 into the same layer 2 multicast domain, where the roaming group 22 includes two APs;
  • both the AP 221 and the AP 222 include a local authentication list of the roaming group 22 in which they are located; the AP 221 (or the AP 222) is configured to receive the authentication request sent by the station, determine whether its local authentication list includes the associated authentication information of the AP 222 (or the AP 221) in the roaming group and the station, and authenticate the station when it does;
  • a site (not shown), configured to send an authentication request to the target AP (AP 221 or AP 222), and to send a Portal authentication request to the cloud AC 21 when the local authentication list of the target AP (AP 221 or AP 222) does not include the associated authentication information of the other AP in the roaming group of the target AP (AP 222 or AP 221) and the site;
  • the target AP (AP 221 or AP 222) is further configured to form the association authentication information of the target AP (AP 221 or AP 222) and the site when the site passes the Portal authentication, and to store the formed association authentication information in the local authentication list of the target AP (AP 221 or AP 222).
  • the roaming group 22 includes two APs (AP221 and AP222), and both the AP221 and the AP222 include a local authentication list of the roaming group 22 in which they are located.
  • the roaming group 22 may further include two or more APs, such as three, four, and ten APs, but is not limited thereto.
  • the number of APs included in each roaming group should not be too large, and 32 APs can be defaulted.
  • only one roaming group is included in a Layer 2 multicast domain, and each roaming group has only one group owner.
  • An AP may be in two Layer 2 multicast domains, that is, the AP may be in two roaming groups.
  • All APs in the same roaming group communicate through Layer 2 multicast.
  • for example, when the cloud AC manages three APs (AP221, AP222 and AP223), an AP of the roaming group 22 may also be in another Layer 2 multicast domain together with AP223, forming another roaming group.
  • the site is a mobile terminal (such as a mobile phone or a tablet) that connects to an AP.
  • when the cloud AC and the AP are in different local area networks and the site passes the authentication of one AP in the roaming group, the result of the successful authentication is notified to the other APs in the roaming group in the form of associated authentication information, so that when the site roams to other APs in the roaming group it is directly authenticated according to the associated authentication information in the local authentication list; the cloud AC does not need to participate in a second Portal authentication, and the authentication information does not need to be obtained from the remote cloud AC. This reduces the cross-public-network authentication request process, improves authentication efficiency and realizes non-aware authentication of the site.
  • FIG. 3 is a schematic structural diagram of a cloud AC in an embodiment of the network authentication system of the present invention.
  • the cloud AC3 in Figure 3 includes:
  • the roaming group establishing unit 31 is configured to establish a roaming group, and divide the APs in the same roaming group into the same layer 2 multicast domain;
  • the authentication unit 32 is configured to receive a Portal authentication request of the site and verify the user information of the site;
  • the group information sending unit 33 is connected to the roaming group establishing unit 31 and is configured to notify the roaming group ID of the roaming group and the broadcast domain local area network ID of the layer 2 multicast domain to all APs in the roaming group, where the roaming group ID is in one-to-one correspondence with the broadcast domain local area network ID.
  • the cloud AC3 may not include the group information sending unit 33.
  • FIG. 4 is a schematic structural diagram of an AP in an embodiment of a network authentication system according to the present invention.
  • the association authentication information includes an association between a feature code of the AP and a MAC address of the site (recordable as <AP SN, STA MAC>), and a site status corresponding to the MAC address of the site;
  • the site status includes a valid state, an intermediate state, and an invalid state;
  • AP4 includes:
  • the storage unit 41 is configured to store a local authentication list of the roaming group where the AP is located;
  • the authentication request receiving unit 42 is configured to receive an authentication request sent by the station;
  • the authentication verification unit 43 is connected to the authentication request receiving unit 42 and the storage unit 41, and is configured to determine whether the local authentication list includes the associated authentication information of an AP in the roaming group and the site, and to authenticate the site when the local authentication list includes that associated authentication information;
  • the group information receiving unit 44 is connected to the storage unit 41, and configured to receive the roaming group ID of the roaming group where the AP is located and the broadcast domain local area network ID of the layer 2 multicast domain; the storage unit 41 is further configured to store the The roaming group ID of the roaming group where the AP is located and the broadcast domain local area network ID of the layer 2 multicast domain;
  • the multicast packet sending unit 45 is connected to the storage unit 41, and is configured to send a Layer 2 multicast packet to all APs in the roaming group where the AP is located every second time threshold, where the Layer 2 multicast packet includes The association authentication information of the AP that sends the Layer 2 multicast packet and the site whose site status is the intermediate state and the active state, and the roaming group ID of the roaming group where the AP is located;
  • the multicast packet receiving unit 46 is configured to receive a Layer 2 multicast packet sent by the AP in the roaming group of the AP.
  • the association request receiving unit 47 is configured to receive an association request and a disassociation request of the site;
  • the list updating unit 48 is connected to the storage unit 41, the multicast packet receiving unit 46 and the association request receiving unit 47, and is configured to: when the association request receiving unit 47 receives an association request of the site, modify the site status of the corresponding station in the associated authentication information to the active state; when the association request receiving unit 47 receives a disassociation request of the site, modify the site status of the corresponding station in the associated authentication information to the intermediate state; and when the time the site status has been in the intermediate state exceeds the first time threshold, modify the site status of the site in the associated authentication information to the invalid state; the list updating unit 48 is further configured to, when the roaming group ID in the Layer 2 multicast packet confirms that the AP is in the same roaming group as the AP that sent the Layer 2 multicast packet, add the associated authentication information in the Layer 2 multicast packet to the local authentication list of the AP, and record the broadcast domain local area network ID corresponding to the added associated authentication information.
  • because the list updating unit 48 also records the broadcast domain local area network ID corresponding to the associated authentication information added from a Layer 2 multicast packet, an AP that is in more than one roaming group can easily distinguish the associated authentication information of the different roaming groups.
  • the network authentication system multicasts only the associated authentication information whose site status is the active state or the intermediate state to all APs in the roaming group in the form of Layer 2 multicast packets; filtering out the associated authentication information in the invalid state reduces unnecessary Layer 2 multicast packet transmission, improves the packet transmission rate and improves authentication efficiency.
  • the list updating unit 48 is further configured to delete the associated authentication information of an AP in the roaming group from the local authentication list when no Layer 2 multicast packet sent by that AP is received within the third time threshold. This implements an aging mechanism for the local authentication list of the AP, so that when the local authentication list includes the associated authentication information of other APs in the roaming group and the site, the amount of information to be screened during network authentication is reduced and authentication efficiency is improved.
  • in summary, in the network authentication method and system of the present invention, when the cloud AC and the AP are in different local area networks and the site passes the authentication of one AP in the roaming group, the successful authentication result is notified to the other APs in the roaming group in the form of associated authentication information, so that when the site roams to other APs in the roaming group it is directly authenticated according to the associated authentication information in the local authentication list; the cloud AC is not required to participate in a second Portal authentication and the authentication information need not be obtained from the remote cloud AC, which reduces the cross-public-network authentication request process, improves authentication efficiency and realizes non-aware authentication of the site. Therefore, the present invention effectively overcomes various shortcomings in the prior art and has high industrial utilization value.


Abstract

The present invention provides a network authentication method and system, the method comprising: establishing a roaming group at a cloud AC and assigning the APs of the same roaming group to the same Layer 2 multicast domain, so that when a station sends an authentication request to a target AP, it is determined whether the local authentication list of the target AP includes associated authentication information between the station and an AP of the roaming group the target AP belongs to; if the local authentication list of the target AP includes such associated authentication information, the station passes authentication. When the cloud AC and the APs are located in different local area networks, the network authentication method reduces the number of cross-public-network authentication requests and increases authentication efficiency, thereby achieving imperceptible authentication for the station.

Description

Network authentication method and system
This application claims priority to Chinese Patent Application No. 201510891807.3, entitled "Network Authentication Method and System", filed on December 4, 2015, the entire contents of which are incorporated herein.
Technical field
The present invention relates to the field of communication technology, and in particular to a network authentication method and system.
Background
The coverage of wireless networks keeps growing and mobile terminals such as mobile phones are increasingly common, so Internet access over WiFi (Wireless Fidelity) has become the mainstream. In the traditional wireless network management model, the AC (Access Controller, or Wireless Access Point Controller) and the APs (Wireless Access Points) are deployed locally under centralized management within the same LAN (Local Area Network), and all AP data traffic is controlled and forwarded by the AC, so when a terminal roams, every terminal is still authenticated by the Radius server in the same LAN. However, each time an end user roams and switches APs, a Portal authentication request is initiated and the user has to enter a username and password or complete SMS authentication, which seriously degrades the user experience.
For this reason, existing imperceptible authentication for wireless roaming is built on the same-LAN management model: during the first Portal authentication, the Radius server binds the terminal's MAC address to the username and password in advance. When the user terminal requires a second Portal authentication because of a roaming handover, the AP, the AC and the Radius server automatically take part in and complete the Portal authentication through the pre-bound authentication relationship of the terminal, so the user experiences imperceptible authentication (that is, roaming without re-authentication), which greatly improves the user experience. Moreover, because the AP and the AC are in the same LAN in the traditional model, the forwarding delay of authentication packets is very small and forwarding efficiency is high.
When the WLAN is deployed with a cloud AC, the AC is deployed on a public cloud server and is not in the same LAN as the APs; the cloud AC only has a management function for the APs, and AP data traffic is not controlled or forwarded by the cloud AC. At the same time, the cloud AC also integrates an authentication service and can perform remote authentication across the Internet.
Under a cloud AC, if the imperceptible roaming authentication of the traditional model is still used, the frequent authentication interactions between the APs and the cloud AC seriously affect the user's roaming experience. This is because, in cloud AC mode, traffic between the AP and the cloud AC crosses the public network; when network conditions are poor, the forwarding delay of authentication packets multiplies and packets may even be lost, so that handover during roaming is very slow or roaming fails outright, seriously affecting the user's roaming experience.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a network authentication method and system that solve the problems of long delay, susceptibility to packet loss and low authentication efficiency in network authentication in the prior art.
To achieve the above and other related objects, the present invention provides a network authentication method comprising the following steps: a cloud AC establishes a roaming group and assigns the APs of the same roaming group to the same Layer 2 multicast domain, the roaming group comprising two or more APs and each AP holding a local authentication list for the roaming group it belongs to; when a station sends an authentication request to a target AP, it is determined whether the local authentication list of the target AP includes associated authentication information between the station and an AP of the roaming group the target AP belongs to; if so, the station passes authentication.
In an embodiment of the present invention, when a station sends an authentication request to a target AP, if the local authentication list of the target AP does not include associated authentication information between the station and an AP of the roaming group the target AP belongs to, the station sends a Portal authentication request to the cloud AC.
In an embodiment of the present invention, when the station sends a Portal authentication request to the cloud AC and the authentication passes, associated authentication information between the target AP and the station is formed and stored in the local authentication list of the target AP.
In an embodiment of the present invention, after the cloud AC establishes the roaming group and assigns the APs of the same roaming group to the same Layer 2 multicast domain, the network authentication method further comprises: the cloud AC notifies all APs in the roaming group of the roaming group ID of the roaming group and the broadcast domain LAN ID of the Layer 2 multicast domain, the roaming group ID and the broadcast domain LAN ID corresponding one to one.
In an embodiment of the present invention, the associated authentication information comprises an association between a feature code of the AP and the MAC address of the station.
In an embodiment of the present invention, the associated authentication information further comprises a station state corresponding to the MAC address of the station, the station state being one of a valid state, an intermediate state and an invalid state; when an AP receives an association request from a station, the station state in the associated authentication information corresponding to the station sending the association request is changed to the valid state; when an AP receives a disassociation request from a station, the station state in the associated authentication information corresponding to that station is changed to the intermediate state; and when the station state in the associated authentication information has remained in the intermediate state for longer than a first time threshold, the station state of that station in the associated authentication information is changed to the invalid state.
In an embodiment of the present invention, the network authentication method further comprises updating the local authentication list of the AP every second time threshold, which comprises: every second time threshold, the AP sends a Layer 2 multicast packet to all APs in its roaming group, the Layer 2 multicast packet comprising the associated authentication information between the sending AP and the stations whose station state is the intermediate state or the valid state, together with the roaming group ID of the roaming group the sending AP belongs to; each AP in the roaming group receives the Layer 2 multicast packet and confirms, from the roaming group ID in the packet, whether it is in the same roaming group as the sending AP; if so, it adds the associated authentication information in the Layer 2 multicast packet to its local authentication list and records the broadcast domain LAN ID corresponding to the added associated authentication information.
In an embodiment of the present invention, the network authentication method further comprises: if an AP has not sent a Layer 2 multicast packet to all APs in its roaming group within a third time threshold, the other APs in the roaming group delete the associated authentication information of that AP from their local authentication lists.
Correspondingly, the present invention further provides a network authentication system comprising: a cloud AC, configured to establish a roaming group and assign the APs of the same roaming group to the same Layer 2 multicast domain, the roaming group comprising two or more APs; APs, each holding a local authentication list for the roaming group it belongs to, the AP being configured to receive an authentication request sent by a station, to determine whether its local authentication list includes associated authentication information between the station and an AP of its roaming group, and, when it does, to let the station pass authentication; and a station, configured to send an authentication request to a target AP and, when the local authentication list of the target AP does not include associated authentication information between the station and an AP of the roaming group the target AP belongs to, to send a Portal authentication request to the cloud AC; the target AP being further configured, when the station passes the Portal authentication, to form associated authentication information between the target AP and the station and to store the formed associated authentication information in the local authentication list of the target AP.
In an embodiment of the present invention, the cloud AC further comprises: a roaming group establishing unit, configured to establish the roaming group and assign the APs of the same roaming group to the same Layer 2 multicast domain; and an authentication unit, configured to receive the Portal authentication request of the station and verify the user information of the station.
In an embodiment of the present invention, the AP further comprises: a storage unit, configured to store the local authentication list of the roaming group the AP belongs to; an authentication request receiving unit, configured to receive the authentication request sent by the station; and an authentication verification unit, connected to the authentication request receiving unit and the storage unit, configured to determine whether the local authentication list includes associated authentication information between the station and an AP of the roaming group the AP belongs to and, when it does, to let the station pass authentication.
In an embodiment of the present invention, the cloud AC further comprises a group information sending unit, configured to notify all APs in the roaming group of the roaming group ID of the roaming group and the broadcast domain LAN ID of the Layer 2 multicast domain, the roaming group ID and the broadcast domain LAN ID corresponding one to one; the AP further comprises a group information receiving unit, configured to receive the roaming group ID of the roaming group the AP belongs to and the broadcast domain LAN ID of the Layer 2 multicast domain; and the storage unit is connected to the group information receiving unit and is further configured to store the roaming group ID of the roaming group the AP belongs to and the broadcast domain LAN ID of the Layer 2 multicast domain.
In an embodiment of the present invention, the associated authentication information comprises an association between the feature code of the AP and the MAC address of the station, and a station state corresponding to the MAC address of the station, the station state being one of a valid state, an intermediate state and an invalid state; the AP further comprises: a multicast packet sending unit, connected to the storage unit, configured to send, every second time threshold, a Layer 2 multicast packet to all APs in the roaming group the AP belongs to, the Layer 2 multicast packet comprising the associated authentication information between the sending AP and the stations whose station state is the intermediate state or the valid state, together with the roaming group ID of the roaming group the AP belongs to; a multicast packet receiving unit, configured to receive Layer 2 multicast packets sent by APs in the roaming group the AP belongs to; an association request receiving unit, configured to receive association requests and disassociation requests from stations; and a list updating unit, connected to the storage unit, the multicast packet receiving unit and the association request receiving unit, configured to change the station state of the corresponding station in the associated authentication information to the valid state when the association request receiving unit receives an association request from a station, to change the station state of the corresponding station in the associated authentication information to the intermediate state when the association request receiving unit receives a disassociation request from the station, and to change the station state of the station in the associated authentication information to the invalid state when the station state has remained in the intermediate state for longer than the first time threshold; the list updating unit being further configured, when it confirms from the roaming group ID in a Layer 2 multicast packet that the AP is in the same roaming group as the AP that sent the packet, to add the associated authentication information in the Layer 2 multicast packet to the local authentication list of the AP and to record the broadcast domain LAN ID corresponding to the added associated authentication information.
In an embodiment of the present invention, the list updating unit is further configured to delete the associated authentication information of an AP from the local authentication list when no Layer 2 multicast packet sent by that AP in the roaming group has been received within the third time threshold.
As described above, the network authentication method and system of the present invention have the following beneficial effects:
The cloud AC establishes a roaming group and assigns the APs of the same roaming group to the same Layer 2 multicast domain, so that when a station sends an authentication request to a target AP, it is first determined whether the local authentication list of the target AP includes associated authentication information between the station and an AP of the roaming group the target AP belongs to, and when the local authentication list of the target AP includes such associated authentication information, the station passes authentication. When the cloud AC and the APs are in different local area networks and a station passes authentication at one AP of the roaming group, the successful authentication result is notified to the other APs of the roaming group in the form of associated authentication information, so that when the station roams to another AP in the roaming group it passes authentication directly according to the associated authentication information in that AP's local authentication list, without the cloud AC taking part in a second Portal authentication. This avoids fetching authentication information from the remote cloud AC, reduces cross-public-network authentication requests, improves authentication efficiency and achieves imperceptible authentication for the station.
Brief description of the drawings
FIG. 1 is a schematic flowchart of an embodiment of the network authentication method of the present invention.
FIG. 2 is a schematic structural diagram of an embodiment of the network authentication system of the present invention.
FIG. 3 is a schematic structural diagram of the cloud AC in an embodiment of the network authentication system of the present invention.
FIG. 4 is a schematic structural diagram of the AP in an embodiment of the network authentication system of the present invention.
Description of reference numerals
1              Network authentication system
21             Cloud AC
22             Roaming group
221, 222, 223  AP
3              Cloud AC
31             Roaming group establishing unit
32             Authentication unit
33             Group information sending unit
4              AP
41             Storage unit
42             Authentication request receiving unit
43             Authentication verification unit
44             Group information receiving unit
45             Multicast packet sending unit
46             Multicast packet receiving unit
47             Association request receiving unit
48             List updating unit
S11~S16        Steps S11 to S16
Detailed description
The embodiments of the present invention are described below by way of specific examples; those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other different specific embodiments, and the details in this specification may be modified or changed in various ways based on different viewpoints and applications without departing from the spirit of the present invention. It should be noted that, where there is no conflict, the following embodiments and the features in the embodiments may be combined with each other.
It should be noted that the figures provided in the following embodiments only illustrate the basic concept of the present invention in a schematic manner; the figures show only the components related to the present invention and are not drawn according to the number, shape and size of the components in actual implementation. In actual implementation the type, number and proportion of each component may be changed arbitrarily, and the component layout may also be more complex.
When the cloud AC and the APs are in different local area networks, the cloud AC establishes a roaming group and assigns the APs of the same roaming group to the same Layer 2 multicast domain; after a station passes authentication at one AP of the roaming group, associated authentication information between that AP and the station is formed and sent to all APs in the roaming group by Layer 2 multicast; thus, when the station roams to another AP in the roaming group, the associated authentication information in that AP's local authentication list lets the station pass authentication directly, which avoids a second Portal authentication of the station with the cloud AC and avoids fetching authentication information from the remote cloud AC, reduces cross-public-network authentication requests, improves authentication efficiency and achieves imperceptible authentication for the station.
Referring to FIG. 1, the present invention provides a schematic flowchart of a network authentication method. The network authentication method in FIG. 1 comprises:
Step S11: the cloud AC establishes a roaming group and assigns the APs of the same roaming group to the same Layer 2 multicast domain. At this point the cloud AC establishes a TCP management channel with each AP, through which it manages the AP.
In this embodiment, the roaming group comprises two or more APs, and each AP holds a local authentication list for the roaming group it belongs to.
Specifically, the number of APs in each roaming group should not be too large; a default of 32 APs may be used. Generally, a Layer 2 multicast domain contains only one roaming group, and each roaming group has only one group owner. A given AP may be in two Layer 2 multicast domains, that is, the AP may be in two roaming groups; but the same Layer 2 multicast domain cannot contain two roaming groups. All APs in the same roaming group communicate by Layer 2 multicast.
Step S12: a station sends an authentication request to a target AP.
Step S13: determine whether the local authentication list of the target AP includes associated authentication information between the station and an AP of the roaming group the target AP belongs to.
In step S13, if the local authentication list of the target AP includes associated authentication information between the station and an AP of the roaming group the target AP belongs to, step S14 is performed; if the local authentication list of the target AP does not include such associated authentication information, step S15 is performed, in which the station sends a Portal authentication request to the cloud AC; then step S16 is performed, in which, when the Portal authentication passes, associated authentication information between the target AP and the station is formed and stored in the local authentication list of the target AP.
In this embodiment, the cloud AC establishes a roaming group and assigns the APs of the same roaming group to the same Layer 2 multicast domain, so that when a station sends an authentication request to a target AP, it is first determined whether the local authentication list of the target AP includes associated authentication information between the station and an AP of the roaming group the target AP belongs to, and when the local authentication list of the target AP includes such associated authentication information, the station passes authentication. When the cloud AC and the APs are in different local area networks and a station passes authentication at one AP of the roaming group, the successful authentication result is notified to the other APs of the roaming group in the form of associated authentication information, so that when the station roams to another AP in the roaming group it passes authentication directly according to the associated authentication information in that AP's local authentication list, without the cloud AC taking part in a second Portal authentication. This avoids fetching authentication information from the remote cloud AC, reduces cross-public-network authentication requests, improves authentication efficiency and achieves imperceptible authentication for the station.
在一个实施例中,在云端AC建立漫游群,并将同一个漫游群中AP划分到同一个二层组播域中之后,所述网络认证方法还包括:所述云端AC将所述漫游群的漫游群ID以及所述二层组播域的广播域局域网ID通知所述漫游群中所有AP,所述漫游群ID与所述广播域局域网ID一一对应。云端AC将漫游群ID和广播域局域网ID通知漫游群内所有AP的同时,漫游群内AP同步切换到漫游认证模式。In an embodiment, after the roaming group is established in the cloud AC, and the APs in the same roaming group are divided into the same layer 2 multicast domain, the network authentication method further includes: the cloud AC to the roaming group The roaming group ID and the broadcast domain local area network ID of the layer 2 multicast domain notify all APs in the roaming group, and the roaming group ID is in one-to-one correspondence with the broadcast domain local area network ID. While the cloud AC notifies the roaming group ID and the broadcast domain local area network ID to all APs in the roaming group, the roaming group AP synchronously switches to the roaming authentication mode.
在另一个实施例中,所述关联认证信息包括AP的特征码(SN)与站点的MAC地址(STA MAC)的关联关系。例如可记录为<AP SN,STA MAC>。所述关联认证信息还包括与所述站点的MAC地址对应的站点状态,所述站点状态包括有效状态、中间状态和无效状态。In another embodiment, the association authentication information includes an association relationship between a feature code (SN) of the AP and a MAC address (STA MAC) of the station. For example, it can be recorded as <AP SN, STA MAC>. The association authentication information further includes a site status corresponding to a MAC address of the site, and the site state includes an active state, an intermediate state, and an invalid state.
具体的,在AP收到站点的关联请求时,将与发送关联请求的站点对应的关联认证信息中站点状态修改为有效状态;在AP收到站点的解关联请求时,将与发送关联请求的站点对应的关联认证信息中站点状态修改为中间状态;在关联认证信息中站点状态处于中间状态的时间超过第一时间阈值时,将关联认证信息中站点的站点状态修改为无效状态。Specifically, when the AP receives the association request of the site, the AP changes the site status of the associated authentication information corresponding to the site that sends the association request to a valid state; when the AP receives the association request of the site, the AP sends an association request with the association request. The site status of the associated authentication information in the site is modified to an intermediate state. When the time when the site state is in the intermediate state exceeds the first time threshold in the associated authentication information, the site state of the site in the associated authentication information is modified to an invalid state.
具体的,所述站点可按IEEE802.11标准协议与所述AP解除关联。Specifically, the site may be disassociated from the AP according to an IEEE 802.11 standard protocol.
In this embodiment, the network authentication method further includes updating the local authentication list of the AP every second time threshold. Updating the local authentication list of the AP every second time threshold specifically includes:
every second time threshold, the AP sends a layer 2 multicast packet to all APs in its roaming group; the layer 2 multicast packet carries the association authentication information of the sending AP for stations whose station state is intermediate or valid, together with the roaming group ID of the roaming group to which the sending AP belongs;
each AP in the roaming group receives the layer 2 multicast packet and, from the roaming group ID carried in it, checks whether it is in the same roaming group as the sending AP; if so, it adds the association authentication information from the packet to its local authentication list and records the broadcast domain LAN ID corresponding to the added association authentication information.
In this embodiment, when the association authentication information from the layer 2 multicast packet is added to the local authentication list, the broadcast domain LAN ID corresponding to the added information is also recorded, so that an AP that belongs to more than one roaming group can tell apart the association authentication information of different roaming groups.
Specifically, the second time threshold may be an integer multiple of the first time threshold, so that the station states in the association authentication information are updated at the same time as the local authentication list.
Compared with the first embodiment, this embodiment multicasts to all APs of the roaming group, in layer 2 multicast packets, only the association authentication information whose station state is valid or intermediate, filtering out the entries whose station state is invalid. This reduces unnecessary layer 2 multicast traffic, raises the packet transmission rate and improves authentication efficiency.
In another embodiment, the network authentication method further includes: if an AP has not sent a layer 2 multicast packet to all APs in its roaming group within a third time threshold, the other APs in the roaming group delete the association authentication information of that AP from their local authentication lists.
Specifically, the third time threshold may be an integer multiple of the first time threshold, so that the association authentication information in the local authentication list is filtered when the list is updated, giving the AP's local authentication list an aging mechanism. During network authentication, this reduces the amount of information to be searched when determining whether the local authentication list contains association authentication information between the station and other APs of the roaming group, and improves authentication efficiency.
Referring to FIG. 2, a schematic structural diagram of an embodiment of the network authentication system of the present invention. The network authentication system 2 in FIG. 2 includes:
a cloud AC 21, configured to establish a roaming group 22 and to place AP 221 and AP 222 of the same roaming group 22 into the same layer 2 multicast domain, the roaming group 22 including two APs;
AP 221 and AP 222, each holding a local authentication list of the roaming group 22 to which it belongs; AP 221 (or AP 222) is configured to receive an authentication request sent by a station, to determine whether its local authentication list includes association authentication information between the station and AP 222 (or AP 221) of its roaming group, and to pass the station when the local authentication list does include association authentication information between the station and AP 222 (or AP 221) of its roaming group;
a station (not shown), configured to send an authentication request to a target AP (AP 221 or AP 222), and to send a Portal authentication request to the cloud AC 21 when the local authentication list of the target AP (AP 221 or AP 222) does not include association authentication information between the station and an AP (AP 222 or AP 221) of the roaming group to which the target AP belongs;
the target AP (AP 221 or AP 222) is further configured, when the station passes the Portal authentication, to form association authentication information between the target AP (AP 221 or AP 222) and the station and to store the formed association authentication information in the local authentication list of the target AP (AP 221 or AP 222).
In this embodiment, the roaming group 22 includes two APs (AP 221 and AP 222), each of which holds a local authentication list of the roaming group 22 to which it belongs.
In other embodiments, the roaming group 22 may include more than two APs, for example three, four or ten APs, without being limited thereto.
Specifically, the number of APs in each roaming group should not be too large; a default of 32 APs may be used. In general, a layer 2 multicast domain contains only one roaming group, and each roaming group has only one group owner. A given AP may belong to two layer 2 multicast domains, that is, to two roaming groups, but a single layer 2 multicast domain cannot contain two roaming groups. All APs in the same roaming group communicate by layer 2 multicast. Taking FIG. 2 as an example, with the cloud AC managing the three APs AP 221, AP 222 and AP 223, AP 222 or AP 221 may also be in another layer 2 multicast domain together with AP 223, forming another roaming group.
In this embodiment, the station serves for a mobile terminal (such as a mobile phone or tablet) to connect to an AP.
In this embodiment, when the cloud AC and the APs are on different local area networks, once a station passes authentication at one AP of the roaming group, the successful result is notified to the other APs of that roaming group in the form of association authentication information. When the station roams to another AP of the group, that AP passes the station directly on the basis of the association authentication information in its local authentication list: the cloud AC does not take part in a second Portal authentication, no authentication information has to be fetched from the remote cloud AC, cross-public-network authentication requests are reduced, authentication efficiency is improved, and seamless authentication of the station is achieved.
Referring to FIG. 3, a schematic structural diagram of the cloud AC in an embodiment of the network authentication system of the present invention. The cloud AC 3 in FIG. 3 includes:
a roaming group establishing unit 31, configured to establish a roaming group and to place the APs of the same roaming group into the same layer 2 multicast domain;
an authentication unit 32, configured to receive a Portal authentication request from a station and to verify the user information of the station;
a group information sending unit 33, connected to the roaming group establishing unit 31 and configured to notify all APs in the roaming group of the roaming group ID of the roaming group and the broadcast domain LAN ID of the layer 2 multicast domain, the roaming group ID corresponding one-to-one with the broadcast domain LAN ID.
In another embodiment, the cloud AC 3 may omit the group information sending unit 33.
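The cloud AC duties described above (establishing a roaming group, keeping the roaming group ID and the broadcast domain LAN ID in one-to-one correspondence, notifying the group's APs, and verifying Portal credentials), as an added example; this is not code from the patent or its applicant. The 32-AP default, the one-roaming-group-per-layer-2-multicast-domain rule and the fact that one AP may belong to two groups come from the description; the class and method names, the choice of the first member as group owner, the PBKDF2-based credential check, and the SNs, VLAN names and credentials are assumptions made for this illustration.

```python
"""Cloud-AC side of the roaming-group scheme (added example, assumptions noted)."""
import hashlib
import hmac

DEFAULT_MAX_APS = 32        # default roaming group size named in the description


class RoamingGroupError(ValueError):
    """Raised when a requested roaming group would break an invariant."""


def _pbkdf2(password, salt):
    # Assumed credential format for the Portal check: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class CloudAC:
    def __init__(self, max_aps=DEFAULT_MAX_APS, credentials=None):
        self.max_aps = max_aps
        self.groups = {}            # group ID -> {"lan_id", "owner", "members"}
        self.lan_to_group = {}      # broadcast-domain LAN ID -> group ID (one-to-one)
        self.ap_groups = {}         # AP SN -> set of group IDs (an AP may be in two)
        self.credentials = credentials or {}   # username -> (salt, pbkdf2 hash)
        self.notifications = []     # (ap_sn, group_id, lan_id) messages "sent"

    def establish_group(self, group_id, lan_id, ap_sns):
        """Roaming group establishing unit: create the group and assign its
        layer 2 multicast domain, enforcing the invariants in the description."""
        if group_id in self.groups:
            raise RoamingGroupError(f"roaming group {group_id} already exists")
        if lan_id in self.lan_to_group:
            # a single layer 2 multicast domain cannot host two roaming groups
            raise RoamingGroupError(f"domain {lan_id} already hosts {self.lan_to_group[lan_id]}")
        members = list(dict.fromkeys(ap_sns))          # de-duplicate, keep order
        if not 2 <= len(members) <= self.max_aps:
            raise RoamingGroupError("a roaming group needs between 2 and max_aps APs")
        # assumption: the first listed AP acts as the group's single owner
        self.groups[group_id] = {"lan_id": lan_id, "owner": members[0], "members": members}
        self.lan_to_group[lan_id] = group_id
        for sn in members:
            self.ap_groups.setdefault(sn, set()).add(group_id)
        return self.notify_group(group_id)

    def notify_group(self, group_id):
        """Group information sending unit: tell every member its group ID and
        the LAN ID of the group's layer 2 multicast domain."""
        g = self.groups[group_id]
        msgs = [(sn, group_id, g["lan_id"]) for sn in g["members"]]
        self.notifications.extend(msgs)
        return msgs

    def groups_of(self, ap_sn):
        return sorted(self.ap_groups.get(ap_sn, ()))

    def portal_authenticate(self, username, password):
        """Authentication unit: verify the station's user information.
        Returns True only for a known user with a matching password."""
        record = self.credentials.get(username)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(_pbkdf2(password, salt), expected)


def demo():
    """Constructed scenario with made-up SNs, VLAN names and credentials."""
    salt = b"constructed-salt"
    ac = CloudAC(credentials={"alice": (salt, _pbkdf2("s3cret", salt))})
    rg1_msgs = ac.establish_group("RG-1", "VLAN-10", ["SN-A", "SN-B"])
    ac.establish_group("RG-2", "VLAN-20", ["SN-B", "SN-X"])   # SN-B sits in two groups
    try:
        ac.establish_group("RG-3", "VLAN-10", ["SN-C", "SN-D"])  # second group in VLAN-10
        second_group_in_domain = True
    except RoamingGroupError:
        second_group_in_domain = False
    return {
        "rg1_notifications": rg1_msgs,
        "sn_b_groups": ac.groups_of("SN-B"),
        "second_group_in_domain": second_group_in_domain,
        "alice_ok": ac.portal_authenticate("alice", "s3cret"),
        "alice_bad": ac.portal_authenticate("alice", "wrong"),
        "unknown_user": ac.portal_authenticate("bob", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

The notification messages returned by `establish_group` are the (AP SN, roaming group ID, broadcast domain LAN ID) triples the description says the cloud AC pushes to every member; the AP-side example later on this page consumes exactly that pairing as its `groups` mapping.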
Referring to FIG. 4, a schematic structural diagram of an AP in an embodiment of the network authentication system of the present invention. In this embodiment, the association authentication information includes the association between the feature code (SN) of the AP and the MAC address of the station (which may be recorded as <AP SN, STA MAC>) together with the station state corresponding to the MAC address of the station; the station state is one of valid, intermediate and invalid. The AP 4 in FIG. 4 includes:
a storage unit 41, configured to store the local authentication list of the roaming group to which the AP belongs;
an authentication request receiving unit 42, configured to receive an authentication request sent by a station;
an authentication verification unit 43, connected to the authentication request receiving unit 42 and the storage unit 41, configured to determine whether the local authentication list includes association authentication information between the station and an AP of the roaming group to which the AP belongs, and to pass the station when it does;
a group information receiving unit 44, connected to the storage unit 41, configured to receive the roaming group ID of the roaming group to which the AP belongs and the broadcast domain LAN ID of the layer 2 multicast domain; the storage unit 41 is further configured to store the roaming group ID of the roaming group to which the AP belongs and the broadcast domain LAN ID of the layer 2 multicast domain;
a multicast packet sending unit 45, connected to the storage unit 41, configured to send, every second time threshold, a layer 2 multicast packet to all APs in the roaming group to which the AP belongs, the layer 2 multicast packet carrying the association authentication information of the sending AP for stations whose station state is intermediate or valid, together with the roaming group ID of the roaming group to which the AP belongs;
a multicast packet receiving unit 46, configured to receive layer 2 multicast packets sent by APs in the roaming group to which the AP belongs;
an association request receiving unit 47, configured to receive association requests and disassociation requests from stations;
a list updating unit 48, connected to the storage unit 41, the multicast packet receiving unit 46 and the association request receiving unit 47, configured to set the station state of the corresponding station in the association authentication information to valid when the association request receiving unit 47 receives an association request from a station; to set the station state of the corresponding station in the association authentication information to intermediate when the association request receiving unit 47 receives a disassociation request from a station; and to set the station state in the association authentication information to invalid when a station state has remained intermediate for longer than the first time threshold. The list updating unit 48 is further configured, when the roaming group ID in a layer 2 multicast packet confirms that the AP is in the same roaming group as the sending AP, to add the association authentication information from the layer 2 multicast packet to the local authentication list of the AP and to record the broadcast domain LAN ID corresponding to the added association authentication information.
In this embodiment, when the list updating unit 48 adds the association authentication information from a layer 2 multicast packet to the local authentication list, it also records the broadcast domain LAN ID corresponding to the added information, so that an AP that belongs to more than one roaming group can tell apart the association authentication information of different roaming groups.
In this embodiment the network authentication system multicasts to all APs of the roaming group, in layer 2 multicast packets, only the association authentication information whose station state is valid or intermediate, filtering out the entries whose station state is invalid. This reduces unnecessary layer 2 multicast traffic, raises the packet transmission rate and improves authentication efficiency.
In yet another embodiment, the list updating unit 48 is further configured to delete from the local authentication list the association authentication information of any AP of the roaming group from which no layer 2 multicast packet has been received within a third time threshold. This gives the AP's local authentication list an aging mechanism, so that during network authentication the amount of information to be searched when determining whether the local authentication list contains association authentication information between the station and other APs of the roaming group is reduced, and authentication efficiency is improved.
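The AP-side behaviour described for the method (association authentication records, the valid/intermediate/invalid state changes on association and disassociation, the periodic layer 2 multicast update with its roaming group ID check, and the aging by the first and third time thresholds) and restated above for the units of the AP of FIG. 4, as an added example; this is not code from the patent or its applicant. The record layout <AP SN, STA MAC> plus state, the three states, the filtering of invalid entries from the multicast and the LAN ID recorded on learned entries come from the description; the class and function names, the integer tick clock shared by all APs, the numeric threshold values, and the SNs, MACs and VLAN names are assumptions made for this illustration.

```python
"""AP-side local authentication list of the roaming-group scheme (added example)."""
from dataclasses import dataclass, field

VALID, INTERMEDIATE, INVALID = "valid", "intermediate", "invalid"

# Assumed tick values (the patent names the thresholds but gives no numbers):
# T1 intermediate->invalid, T2 multicast period, T3 silent-peer aging,
# with T2 and T3 integer multiples of T1 as the description suggests.
T1, T2, T3 = 10, 20, 60


@dataclass
class Entry:
    """One association authentication record <AP SN, STA MAC> plus its state."""
    ap_sn: str          # feature code (SN) of the AP that Portal-authenticated the STA
    sta_mac: str
    state: str = VALID
    since: int = 0      # tick at which the current state was entered
    lan_id: str = ""    # broadcast-domain LAN ID under which a learned entry arrived


@dataclass
class MulticastPacket:
    """Layer 2 multicast update: sender SN, roaming group ID, non-invalid entries."""
    ap_sn: str
    group_id: str
    entries: list


@dataclass
class AccessPoint:
    sn: str
    groups: dict                                     # roaming group ID -> LAN ID (one-to-one)
    local_list: dict = field(default_factory=dict)   # (ap_sn, sta_mac) -> Entry
    last_heard: dict = field(default_factory=dict)   # peer SN -> tick of its last multicast

    def portal_authenticated(self, sta_mac, now):
        """Cloud AC Portal authentication succeeded: store own <AP SN, STA MAC>."""
        self.local_list[(self.sn, sta_mac)] = Entry(self.sn, sta_mac, VALID, now)

    def _set_state(self, sta_mac, state, now):
        e = self.local_list.get((self.sn, sta_mac))
        if e is not None:
            e.state, e.since = state, now

    def on_associate(self, sta_mac, now):        # 802.11 association request
        self._set_state(sta_mac, VALID, now)

    def on_disassociate(self, sta_mac, now):     # 802.11 disassociation request
        self._set_state(sta_mac, INTERMEDIATE, now)

    def authenticate(self, sta_mac):
        """Target-AP decision: pass if any AP of the roaming group holds a
        non-invalid record for this STA MAC; otherwise Portal auth is needed."""
        return any(e.sta_mac == sta_mac and e.state != INVALID
                   for e in self.local_list.values())

    def tick(self, now):
        """Periodic maintenance: age intermediate entries older than T1 to invalid
        and drop every entry learned from a peer that has been silent longer than T3."""
        for e in self.local_list.values():
            if e.state == INTERMEDIATE and now - e.since > T1:
                e.state, e.since = INVALID, now
        for peer in [p for p, t in self.last_heard.items() if now - t > T3]:
            self.local_list = {k: e for k, e in self.local_list.items() if e.ap_sn != peer}
            del self.last_heard[peer]

    def build_multicast(self, group_id):
        """Only the AP's own entries in valid or intermediate state are multicast."""
        own = [Entry(e.ap_sn, e.sta_mac, e.state, e.since)
               for e in self.local_list.values()
               if e.ap_sn == self.sn and e.state != INVALID]
        return MulticastPacket(self.sn, group_id, own)

    def receive_multicast(self, pkt, now):
        """Accept only packets whose roaming group ID is one this AP belongs to,
        and tag each learned entry with that group's broadcast-domain LAN ID."""
        if pkt.group_id not in self.groups or pkt.ap_sn == self.sn:
            return False
        self.last_heard[pkt.ap_sn] = now
        lan_id = self.groups[pkt.group_id]
        for e in pkt.entries:
            self.local_list[(e.ap_sn, e.sta_mac)] = Entry(e.ap_sn, e.sta_mac, e.state, e.since, lan_id)
        return True


def demo():
    """Constructed scenario (SNs, MACs and VLAN names are made up): a STA Portal-
    authenticates at AP-A, roams to AP-B with no second Portal round trip, ages out."""
    ap_a = AccessPoint("SN-A", {"RG-1": "VLAN-10"})
    ap_b = AccessPoint("SN-B", {"RG-1": "VLAN-10"})
    ap_x = AccessPoint("SN-X", {"RG-2": "VLAN-20"})   # a different roaming group
    sta = "aa:bb:cc:dd:ee:01"
    r = {"before_portal": ap_b.authenticate(sta)}     # False: no AP knows the STA yet
    ap_a.portal_authenticated(sta, now=0)
    pkt = ap_a.build_multicast("RG-1")
    r["peer_accepts"] = ap_b.receive_multicast(pkt, now=T2)
    r["other_group_rejects"] = ap_x.receive_multicast(pkt, now=T2)
    ap_a.on_disassociate(sta, now=35)                 # STA leaves AP-A: intermediate
    r["roam_to_b"] = ap_b.authenticate(sta)           # True, cloud AC not involved
    ap_a.tick(2 * T2)                                 # 40 - 35 <= T1: still intermediate
    ap_b.receive_multicast(ap_a.build_multicast("RG-1"), now=2 * T2)
    ap_b.tick(3 * T2)                                 # 60 - 35 > T1: invalid on AP-B too
    r["after_aging"] = ap_b.authenticate(sta)         # False: Portal auth needed again
    ap_b.tick(2 * T2 + T3 + 1)                        # AP-A silent for longer than T3
    r["peer_entries_dropped"] = not any(e.ap_sn == "SN-A" for e in ap_b.local_list.values())
    return r


if __name__ == "__main__":
    print(demo())
```

The scenario makes the security-relevant point of the scheme explicit: once the record has propagated, AP-B admits the station on the strength of the <AP SN, STA MAC> entry alone, so the first and third thresholds are what bound how long a stale entry can keep granting access after the station has left or the originating AP has gone quiet.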
In summary, in the network authentication method and system of the present invention, when the cloud AC and the APs are on different local area networks, once a station passes authentication at one AP of the roaming group, the successful result is notified to the other APs of that roaming group in the form of association authentication information. When the station roams to another AP of the group, that AP passes the station directly on the basis of the association authentication information in its local authentication list: the cloud AC does not take part in a second Portal authentication, no authentication information has to be fetched from the remote cloud AC, cross-public-network authentication requests are reduced, authentication efficiency is improved, and seamless authentication of the station is achieved. The present invention therefore effectively overcomes various shortcomings of the prior art and has high industrial utility value.
The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Anyone familiar with the art may modify or alter the above embodiments without departing from the spirit and scope of the present invention. Accordingly, all equivalent modifications or alterations made by persons of ordinary skill in the art without departing from the spirit and technical ideas disclosed by the present invention shall still be covered by the claims of the present invention.

Claims (14)

  1. A network authentication method, characterized in that the network authentication method comprises the following steps:
    a cloud AC establishes a roaming group and places the APs of the same roaming group into the same layer 2 multicast domain, the roaming group comprising two or more APs, each AP holding a local authentication list of the roaming group to which it belongs;
    when a station sends an authentication request to a target AP, determining whether the local authentication list of the target AP includes association authentication information between the station and an AP of the roaming group to which the target AP belongs;
    if so, the station passes authentication.
  2. The network authentication method according to claim 1, characterized in that: when the station sends an authentication request to the target AP, if the local authentication list of the target AP does not include association authentication information between the station and an AP of the roaming group to which the target AP belongs, the station sends a Portal authentication request to the cloud AC.
  3. The network authentication method according to claim 2, characterized in that: when the station sends a Portal authentication request to the cloud AC and the authentication passes, association authentication information between the target AP and the station is formed and stored in the local authentication list of the target AP.
  4. The network authentication method according to claim 1, characterized in that: after the cloud AC establishes the roaming group and places the APs of the same roaming group into the same layer 2 multicast domain, the network authentication method further comprises: the cloud AC notifying all APs in the roaming group of the roaming group ID of the roaming group and the broadcast domain LAN ID of the layer 2 multicast domain, the roaming group ID corresponding one-to-one with the broadcast domain LAN ID.
  5. The network authentication method according to claim 4, characterized in that: the association authentication information comprises the association between the feature code of the AP and the MAC address of the station.
  6. The network authentication method according to claim 5, characterized in that: the association authentication information further comprises a station state corresponding to the MAC address of the station, the station state being one of valid, intermediate and invalid;
    when an AP receives an association request from a station, the station state in the association authentication information of that station is set to valid; when the AP receives a disassociation request from a station, the station state in the association authentication information of that station is set to intermediate; when a station state has remained intermediate for longer than a first time threshold, the station state in the association authentication information is set to invalid.
  7. The network authentication method according to claim 6, characterized in that: the network authentication method further comprises updating the local authentication list of the AP every second time threshold; updating the local authentication list of the AP every second time threshold comprises:
    every second time threshold, the AP sends a layer 2 multicast packet to all APs in its roaming group, the layer 2 multicast packet carrying the association authentication information of the sending AP for stations whose station state is intermediate or valid, together with the roaming group ID of the roaming group to which the sending AP belongs;
    each AP in the roaming group receives the layer 2 multicast packet and, from the roaming group ID carried in it, checks whether it is in the same roaming group as the sending AP; if so, it adds the association authentication information from the packet to its local authentication list and records the broadcast domain LAN ID corresponding to the added association authentication information.
  8. The network authentication method according to claim 7, characterized in that: the network authentication method further comprises: if an AP has not sent a layer 2 multicast packet to all APs in its roaming group within a third time threshold, the other APs in the roaming group delete the association authentication information of that AP from their local authentication lists.
  9. 一种网络认证系统,其特征在于,所述网络认证系统包括:A network authentication system, characterized in that the network authentication system comprises:
    云端AC,用于建立漫游群,并将同一个漫游群中AP划分到同一个二层组播域中,所述漫游群包括两个以上AP;The cloud AC is used to establish a roaming group, and divides the APs in the same roaming group into the same layer 2 multicast domain, where the roaming group includes more than two APs;
    AP,包括其所在漫游群的本地认证列表,所述AP用于接收站点发送的认证请求,并判断本地认证列表中是否包括其所在漫游群中AP与所述站点的关联认证信息;以及在本地认证列表中包括其所在漫游群中AP与所述站点的关联认证信息时,使所述站点通过认证;The AP includes a local authentication list of the roaming group in which the AP is located, and the AP is configured to receive an authentication request sent by the station, and determine whether the local authentication list includes the associated authentication information of the AP in the roaming group and the site; and locally When the authentication list includes the associated authentication information of the AP in the roaming group and the site, the site is authenticated;
    站点,用于向目标AP发送认证请求,以及在所述目标AP的本地认证列表中不包括所述目标AP所在漫游群中AP与所述站点的关联认证信息时,向所述云端AC发送Portal认证请求;a site, configured to send an authentication request to the target AP, and send a Portal to the cloud AC when the local authentication list of the target AP does not include the associated authentication information of the AP and the site in the roaming group where the target AP is located. Authentication request;
    所述目标AP还用于在所述站点通过所述Portal认证时,形成所述目标AP与所述站点的关联认证信息,并将所形成的关联认证信息存储于所述目标AP的本地认证列表中。The target AP is further configured to: when the site passes the portal authentication, form association authentication information of the target AP and the site, and store the formed association authentication information in a local authentication list of the target AP. in.
  10. 根据权利要求9所述的网络认证系统,其特征在于:所述云端AC进一步包括:The network authentication system according to claim 9, wherein the cloud AC further comprises:
    漫游群建立单元,用于建立漫游群,并将同一个漫游群中AP划分到同一个二层组播域中;a roaming group establishing unit, configured to establish a roaming group, and divide the APs in the same roaming group into the same layer 2 multicast domain;
    认证单元,用于接收站点的Portal认证请求,对站点的用户信息进行验证。The authentication unit is configured to receive a Portal authentication request of the site, and verify the user information of the site.
  11. 根据权利要求10所述的网络认证系统,其特征在于:所述AP进一步包括: The network authentication system according to claim 10, wherein the AP further comprises:
    存储单元,用于存储所述AP所在漫游群的本地认证列表;a storage unit, configured to store a local authentication list of the roaming group where the AP is located;
    认证请求接收单元,用于接收站点发送的认证请求;An authentication request receiving unit, configured to receive an authentication request sent by the station;
    认证验证单元,与所述认证请求接收单元和存储单元连接,用于判断本地认证列表中是否包括其所在漫游群中AP与所述站点的关联认证信息,以及用于在本地认证列表中包括其所在漫游群中AP与所述站点的关联认证信息时,使所述站点通过认证。The authentication verification unit is connected to the authentication request receiving unit and the storage unit, and is configured to determine whether the local authentication list includes the associated authentication information of the AP in the roaming group and the site, and is used to include the local authentication list in the local authentication list. When the AP in the roaming group associates the authentication information with the site, the site is authenticated.
  12. 根据权利要求11所述的网络认证系统,其特征在于:The network authentication system according to claim 11, wherein:
    所述云端AC还包括群信息发送单元,用于将所述漫游群的漫游群ID以及二层组播域的广播域局域网ID通知所述漫游群中所有AP,所述漫游群ID与所述广播域局域网ID一一对应;The cloud AC further includes a group information sending unit, configured to notify the roaming group ID of the roaming group and the broadcast domain local area network ID of the layer 2 multicast domain to all APs in the roaming group, the roaming group ID and the Broadcast domain LAN ID one-to-one correspondence;
    所述AP还包括群信息接收单元,用于接收所述AP所在漫游群的漫游群ID以及二层组播域的广播域局域网ID;The AP further includes a group information receiving unit, configured to receive a roaming group ID of the roaming group where the AP is located, and a broadcast domain local area network ID of the layer 2 multicast domain;
    所述存储单元与所述群信息接收单元连接,所述存储单元还用于存储所述AP所在漫游群的漫游群ID以及二层组播域的广播域局域网ID。The storage unit is connected to the group information receiving unit, and the storage unit is further configured to store a roaming group ID of the roaming group where the AP is located and a broadcast domain local area network ID of the layer 2 multicast domain.
  13. 根据权利要求12所述的网络认证系统,其特征在于:所述关联认证信息包括AP的特征码与站点的MAC地址的关联关系以及与所述站点的MAC地址对应的站点状态;所述站点状态包括有效状态、中间状态和无效状态;所述AP还包括:The network authentication system according to claim 12, wherein the associated authentication information includes an association relationship between a feature code of the AP and a MAC address of the site, and a site state corresponding to a MAC address of the site; The active state, the intermediate state, and the invalid state are included; the AP further includes:
    a multicast packet sending unit, connected to the storage unit and configured to send, once every second time threshold, a Layer 2 multicast packet to all APs in the roaming group where this AP is located, the Layer 2 multicast packet including the association authentication information of the AP sending the Layer 2 multicast packet with the sites whose site state is the intermediate state or the valid state, and the roaming group ID of the roaming group where this AP is located;
    a multicast packet receiving unit, configured to receive Layer 2 multicast packets sent by APs in the roaming group where this AP is located;
    an association request receiving unit, configured to receive association requests and disassociation requests from sites;
    a list updating unit, connected to the storage unit, the multicast packet receiving unit and the association request receiving unit, and configured to: when the association request receiving unit receives an association request from a site, change the site state of the corresponding site in the association authentication information to the valid state; when the association request receiving unit receives a disassociation request from a site, change the site state of the corresponding site in the association authentication information to the intermediate state; and when the site state of a site in the association authentication information has remained in the intermediate state for longer than the first time threshold, change the site state of that site in the association authentication information to the invalid state; the list updating unit is further configured to, when it confirms from the roaming group ID in the Layer 2 multicast packet that this AP and the AP that sent the Layer 2 multicast packet belong to the same roaming group, add the association authentication information in the Layer 2 multicast packet to the local authentication list of this AP, and record the broadcast-domain LAN ID corresponding to the added association authentication information.
  14. The network authentication system according to claim 13, characterized in that the list updating unit is further configured to, when no Layer 2 multicast packet sent by an AP in the roaming group has been received within the third time threshold, delete the association authentication information that includes that AP from the local authentication list.
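As an added example that is not the patent's own code, this Python model follows one AP's local authentication list through the transitions claims 13 and 14 describe: association marks a site valid, disassociation moves it to the intermediate state, the intermediate state ages to invalid after the first time threshold, a Layer 2 multicast is merged only when its roaming group ID matches, and entries learned from an AP that has been silent longer than the third time threshold are dropped. The threshold values, the VLAN tag, the packet layout and the class and method names are assumptions; the clock is an integer passed in explicitly so the behaviour can be checked deterministically.

```python
"""Added example (not code from the patent): a minimal model of one AP's local
authentication list as claims 13-14 describe it. Names/thresholds are assumed."""
from dataclasses import dataclass, field

VALID, INTERMEDIATE, INVALID = "valid", "intermediate", "invalid"
T1, T3 = 30, 90  # assumed first and third time thresholds (seconds)

@dataclass
class Entry:
    state: str
    since: int          # clock value of the last state change
    src_ap: str         # AP that authenticated the site
    vlan_id: str = ""   # broadcast-domain LAN ID recorded on merge

@dataclass
class AccessPoint:
    ap_id: str
    group_id: str
    auth_list: dict = field(default_factory=dict)   # site MAC -> Entry
    last_heard: dict = field(default_factory=dict)  # AP id -> clock

    def on_associate(self, mac, now):
        self.auth_list[mac] = Entry(VALID, now, self.ap_id)

    def on_disassociate(self, mac, now):
        e = self.auth_list.get(mac)
        if e:
            e.state, e.since = INTERMEDIATE, now

    def multicast(self):
        # Advertise only valid and intermediate sites, tagged with our group ID
        return {"ap": self.ap_id, "group": self.group_id, "vlan": "vlan10",
                "entries": {m: e.state for m, e in self.auth_list.items()
                            if e.state in (VALID, INTERMEDIATE)}}

    def on_multicast(self, pkt, now):
        if pkt["group"] != self.group_id:   # other roaming group: not merged
            return False
        self.last_heard[pkt["ap"]] = now
        for mac, state in pkt["entries"].items():
            self.auth_list[mac] = Entry(state, now, pkt["ap"], pkt["vlan"])
        return True

    def age(self, now):
        # Intermediate -> invalid after T1; drop entries from APs silent > T3
        for e in self.auth_list.values():
            if e.state == INTERMEDIATE and now - e.since > T1:
                e.state, e.since = INVALID, now
        silent = {ap for ap, t in self.last_heard.items() if now - t > T3}
        self.auth_list = {m: e for m, e in self.auth_list.items()
                          if e.src_ap not in silent}
```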
PCT/CN2016/101386 2015-12-04 2016-09-30 Method and system for network certification WO2017092501A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510891807.3 2015-12-04
CN201510891807.3A CN105376739B (en) 2015-12-04 2015-12-04 Method for network authorization and system

Publications (1)

Publication Number Publication Date
WO2017092501A1 true WO2017092501A1 (en) 2017-06-08

Family

ID=55378453

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/101386 WO2017092501A1 (en) 2015-12-04 2016-09-30 Method and system for network certification

Country Status (2)

Country Link
CN (1) CN105376739B (en)
WO (1) WO2017092501A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111225376A (en) * 2018-11-26 2020-06-02 中国电信股份有限公司 Authentication method, system, wireless access point AP and computer readable storage medium
CN113079512A (en) * 2021-03-11 2021-07-06 武汉思普崚技术有限公司 Method, device and storage medium for supporting terminal roaming
CN115348574A (en) * 2022-10-18 2022-11-15 浙江大华技术股份有限公司 Roaming method of wireless terminal, electronic device, and storage medium

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105376739B (en) * 2015-12-04 2019-10-11 上海斐讯数据通信技术有限公司 Method for network authorization and system
CN105813078A (en) * 2016-05-05 2016-07-27 杭州树熊网络有限公司 Network authentication method, device and system and AP (ACCESS POINT) with authentication function
CN105848131A (en) * 2016-05-09 2016-08-10 厦门四信通信科技有限公司 Method for realizing STA cross-domain roaming through cloud AC
CN106358174A (en) * 2016-09-23 2017-01-25 上海众人网络安全技术有限公司 Wireless roaming hotspot access method, system and wireless terminal
CN108811043B (en) * 2017-04-27 2022-06-10 中兴通讯股份有限公司 Access device, authentication server, terminal device access control method and system
CN107786977A (en) * 2017-10-09 2018-03-09 杭州迪普科技股份有限公司 A kind of method and device of terminal access wireless network
CN107613497B (en) * 2017-10-25 2020-11-13 迈普通信技术股份有限公司 Network authentication method and wireless access equipment
CN107566418B (en) * 2017-10-26 2020-03-27 锐捷网络股份有限公司 Security management method and access device
CN107864508A (en) * 2017-12-26 2018-03-30 杭州迪普科技股份有限公司 A kind of pre-synchronization method and device of radio roaming authentication state
CN110493886A (en) * 2019-08-28 2019-11-22 上海连尚网络科技有限公司 Wireless network connecting method, device, electronic equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102340775A (en) * 2011-10-28 2012-02-01 杭州华三通信技术有限公司 Method for quickly roaming wireless client in AP (Assembly Program) and AP
WO2013166934A1 (en) * 2012-05-07 2013-11-14 中兴通讯股份有限公司 Method and apparatus for performing roaming handover
CN105376739A (en) * 2015-12-04 2016-03-02 上海斐讯数据通信技术有限公司 Network authentication method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103220817A (en) * 2012-01-20 2013-07-24 中兴通讯股份有限公司 Session establishing method and device
CN103281692B (en) * 2013-05-08 2016-06-08 杭州华三通信技术有限公司 Method for fast roaming between a kind of AC and equipment

Also Published As

Publication number Publication date
CN105376739A (en) 2016-03-02
CN105376739B (en) 2019-10-11

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16869812; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16869812; Country of ref document: EP; Kind code of ref document: A1)