CN101453409B - Information broadcast method for supporting terminal combined access, apparatus and system thereof - Google Patents


Publication number: CN101453409B
Authority: CN (China)
Prior art keywords: security, access, terminal, access point, mechanism
Application number: CN 200710178990
Other languages: Chinese (zh)
Other versions: CN101453409A (en)
Inventors: 叶续茂, 周文辉, 曹军, 邵春菊, 黄振海
Original assignee: 中国移动通信集团公司
Application filed by 中国移动通信集团公司
Priority to CN 200710178990
Publication of CN101453409A
Application granted
Publication of CN101453409B

Abstract

The invention discloses an information broadcast method, apparatus and system supporting hybrid access of terminals. The method comprises: configuring, in a network access point entity, different secure access mechanisms corresponding to the different security capabilities of terminals, together with the security mechanism identifiers corresponding to those mechanisms; and, when the network access point entity transmits broadcast messages to the terminals, transmitting different broadcast messages according to the different secure access mechanisms, the different broadcast messages carrying the security mechanism identifiers corresponding to the different secure access mechanisms. The method, apparatus and system support hybrid access of terminals with different security capabilities through a single network access point, thereby reducing network investment and operation and maintenance costs.

Description

Information broadcast method supporting hybrid terminal access, and apparatus and system thereof

Technical field

[0001] The present invention relates to the field of wireless communications, and in particular to an information broadcast method supporting hybrid terminal access and to an apparatus and system therefor.

Background art

[0002] In a WLAN (Wireless Local Area Network), terminals with different security capabilities all need to access the WLAN, and the security mechanisms used by terminals with different security capabilities when accessing the network differ. For example, a terminal that supports a secure authentication mechanism must be admitted using the corresponding security mechanism, whereas a terminal that cannot support a secure authentication mechanism must be admitted using an open mechanism. Normally, access control for terminals is implemented by an Access Point (AP) entity; the identity of the AP is indicated by an SSID (Service Set Identifier), which is the service number used when a wireless device connects to the WLAN.

[0003] At present, the technical solution adopted so that terminals with different security capabilities can access a WLAN in a mixed fashion is to deploy multiple APs, with different APs enabling different secure access mechanisms, each AP performing access control and processing for the terminals that support one particular secure access mechanism. When the network side pages terminals with different security capabilities, the AP corresponding to a terminal's security capability sends a broadcast message carrying the SSID of that AP. On receiving the broadcast message, the terminal uses the security capability it supports and initiates an access request to the corresponding AP according to the SSID in the broadcast message; after receiving the terminal's request, that AP processes the access request using the secure access mechanism it supports.

[0004] This prior-art scheme, which provides multiple secure access mechanisms through different SSIDs and uses different APs to support hybrid access by terminals of different security capabilities, has the drawback that if a single area contains both secure users and open users, at least two APs must be deployed: one enabling a secure authentication mechanism for the secure users and another enabling an open mechanism for the open users, so that terminals with different security capabilities can access the network at the same time. As can be seen, this solution requires deploying multiple APs, which increases network investment and operation and maintenance costs.

Summary of the invention

[0005] Embodiments of the present invention disclose an information broadcast method supporting hybrid terminal access, and an apparatus and system therefor, so that hybrid access of terminals with different security capabilities is achieved through a single network access point entity.

[0006] The information broadcast method supporting hybrid terminal access disclosed by an embodiment of the present invention comprises the following steps:

[0007] configuring, on a network access point entity, different virtual network access point entities corresponding respectively to the different security capabilities of terminals, and configuring for each virtual network access point entity a corresponding secure access mechanism and an address identifier, the address identifier being the security mechanism identifier corresponding to that secure access mechanism;

[0008] when the network access point entity sends broadcast messages to terminals, sending different broadcast messages according to the different secure access mechanisms respectively, the different broadcast messages carrying the security mechanism identifiers corresponding to the different secure access mechanisms.

[0009] The network access point apparatus disclosed by an embodiment of the present invention comprises:

[0010] a configuration module, for configuring on the network access point apparatus different virtual network access point entities corresponding respectively to the different security capabilities of terminals, and configuring for each virtual network access point entity a corresponding secure access mechanism and an address identifier, the address identifier being the security mechanism identifier corresponding to that secure access mechanism; and further for generating different broadcast messages according to the different security mechanisms, each carrying the security mechanism identifier corresponding to its security mechanism;

[0011] a communication interface module, for sending the generated broadcast messages respectively.

[0012] The terminal disclosed by an embodiment of the present invention comprises:

[0013] a broadcast message receiving module, for receiving and parsing broadcast messages sent by a network access point apparatus, the broadcast messages carrying the security mechanism identifier corresponding to the security capability of the terminal;

[0014] an access request initiating module, for initiating an access request, the access request carrying the security mechanism identifier corresponding to the security capability of the terminal.

[0015] The information broadcast system supporting hybrid terminal access disclosed by an embodiment of the present invention comprises a network access point apparatus and a terminal, wherein

[0016] the network access point apparatus is configured to configure different virtual network access point entities corresponding respectively to the different security capabilities of terminals, to configure for each virtual network access point entity a corresponding secure access mechanism and an address identifier, the address identifier being the security mechanism identifier corresponding to that secure access mechanism, and to send different broadcast messages according to the different secure access mechanisms respectively, the different broadcast messages carrying the security mechanism identifiers corresponding to the different secure access mechanisms;

[0017] the terminal is configured to receive and parse the broadcast messages and to initiate an access request according to a correctly parsed broadcast message, the access request carrying the security mechanism identifier corresponding to the security capability of the terminal.

[0018] In the above embodiments of the present invention, multiple security mechanisms and the corresponding security mechanism identifiers are configured on a network access point entity for terminals of multiple security capabilities, so that when the network access point entity sends broadcast messages it can send a corresponding broadcast message for each configured secure access mechanism, carrying the corresponding security mechanism identifier. Broadcasting to terminals of different security capabilities through a single network access point entity is thereby achieved, and in turn terminals of different security capabilities can access the network through a single network access point entity, which reduces network investment and operation and maintenance costs.

[0019] Brief description of the drawings

[0020] Figure 1 is a schematic flow chart of information broadcast supporting hybrid access of terminals with different security capabilities in an embodiment of the present invention;

[0021] Figure 2 is a schematic diagram of the physical-layer implementation of the network access point entity in an embodiment of the present invention;

[0022] Figure 3 is a schematic flow chart of hybrid access of terminals with different security capabilities in an embodiment of the present invention;

[0023] Figure 4 is a schematic diagram of a terminal initiating an access request according to a preset security policy in an embodiment of the present invention;

[0024] Figure 5 is a schematic diagram of classifying the users on the network access point entity in an embodiment of the present invention;

[0025] Figure 6 is a schematic structural diagram of the network access point apparatus of an embodiment of the present invention;

[0026] Figure 7 is a first schematic structural diagram of the terminal of an embodiment of the present invention;

[0027] Figure 8 is a second schematic structural diagram of the terminal of an embodiment of the present invention.

[0028] Detailed description

[0029] Embodiments of the present invention configure, on a network access point entity, secure access mechanisms corresponding to terminals of different security capabilities together with the security mechanism identifiers corresponding to those mechanisms, and, when the network access point entity sends broadcast messages to terminals, send broadcast messages carrying different security mechanism identifiers according to the different secure access mechanisms, so that a terminal of a given security capability can initiate an access request matching its security capability according to a broadcast message it has received and correctly parsed. Hybrid access of terminals with different security capabilities through a single network access point entity is thereby achieved.

[0030] Embodiments of the present invention are described in detail below with reference to the drawings.

[0031] In an embodiment of the present invention, a single physical network access point entity (AP) is deployed for the WLAN in a given area; the physical AP is uniquely identified by its physical address, i.e. its MAC (Media Access Control) address. At least two secure access mechanisms are configured on this physical AP according to the security capabilities of the terminals, together with the security mechanism identifiers corresponding to the configured secure access mechanisms. A security mechanism identifier is obtained by mapping from the unique identifier of the physical AP; in a specific implementation, a reversible masking technique may be used to derive several different BSSIDs (Basic Service Set Identifiers) from the MAC address of the physical AP to serve as the security mechanism identifiers. The MAC address of the physical AP can be uniquely recovered from each derived BSSID by the corresponding inverse operation, so each derived BSSID uniquely identifies the physical AP.

[0032] On the physical AP, a virtual AP is created for each BSSID, the BSSID is used as the address of the corresponding virtual AP, and each virtual AP is given a different security policy, comprising a broadcast message sending policy and an access request processing policy, so that each virtual AP can handle access for terminals of a different security capability.

[0033] When the network side needs to send broadcast messages to terminals of different security capabilities, the physical AP sends the broadcast messages through the corresponding virtual APs respectively, and the broadcast message sent by each virtual AP carries the BSSID corresponding to that virtual AP.

[0034] The above process may be as shown in Figure 1. In Figure 1, a reversible masking technique is applied on a single physical AP to derive three addresses (MAC 1, MAC 2 and MAC 3) from the MAC address of the physical AP as security mechanism identifiers. Three virtual APs (VAP1, VAP2 and VAP3) are configured on the physical AP. VAP1 is configured with security policy 1, which implements security mechanism 1 (e.g. WAPI+SMS4, i.e. WAPI (WLAN Authentication and Privacy Infrastructure) certificate authentication with SMS4 encryption), and uses MAC 1 as the MAC address of VAP1; VAP2 is configured with security policy 2, which implements security mechanism 2 (e.g. OPEN, i.e. the open mechanism), and uses MAC 2 as the MAC address of VAP2; VAP3 is configured with security policy 3, which implements security mechanism 3 (e.g. WPA2+AES, i.e. WPA2 authentication with AES encryption), and uses MAC 3 as the MAC address of VAP3. When the AP sends broadcast messages to terminals of different security capabilities, VAP1, VAP2 and VAP3 each send a broadcast message: the broadcast message sent by VAP1 carries MAC 1 and other information (such as the SSID); the broadcast message sent by VAP2 carries MAC 2 and other information (such as the SSID); and the broadcast message sent by VAP3 carries MAC 3 and other information (such as the SSID). In a time-division multiplexing system, the AP sends the broadcast messages using a time-division multiplexing mechanism, i.e. the different virtual APs send their broadcast messages in different time slots; as shown in Figure 1, the physical AP divides 100 ms into 16 time slots and, according to the mask, allocates slot 1 to VAP1, slot 2 to VAP2 and slot 3 to VAP3. In a frequency-division multiplexing system, the AP sends the broadcast messages using a frequency-division multiplexing mechanism, i.e. the different virtual APs send their broadcast messages simultaneously on different frequencies.

[0035] The physical AP sends broadcast information by sending Beacon frames. A Beacon frame normally has a BSSID field; in the process above, MAC 1, MAC 2 and MAC 3, derived from the MAC address, are used as the values of the BSSID field of the Beacon frames to identify the physical AP and the corresponding secure access mechanism.

[0036] The process shown in Figure 1 can be achieved by modifying the physical layer of the physical AP; an implementation may be as shown in Figure 2. Normally the network card driver of the physical AP is divided into two layers: a hardware description layer (HAL layer) and an 802.11 management layer. The HAL layer is an abstraction of the network card hardware and mainly defines hardware-related parameters, while the 802.11 management layer mainly handles the 802.11 protocol.

[0037] In an embodiment of the present invention, three addresses are derived from the MAC address of the physical AP as BSSIDs. As shown in Figure 2, three virtual AP objects (VAP1, VAP2 and VAP3) are defined in the 802.11 management layer. Each virtual AP object has its own MAC address (identified by its BSSID) and its own security policy (comprising security rules and Beacon frame broadcast rules), and may also include a terminal table that stores information about the end users connected to that AP. To the network layer each virtual AP object is an independent network device with its own data transmit and receive channel. It can be seen that, because the MAC addresses of the virtual AP objects are derived from the MAC address of the AP, only one MAC address needs to be stored on the network card of the physical AP, which reduces storage space and also makes it easy to change the address of the physical network card.

[0038] For the architecture shown in Figure 2, the process of hybrid access of terminals with different security capabilities may be as shown in Figure 3, where terminal 1 supports the WAPI+SMS4 security mechanism, terminal 2 supports the OPEN security mechanism and terminal 3 supports the WPA2+AES security mechanism. When the network side needs to send broadcast messages to terminals of different security capabilities, VAP1, VAP2 and VAP3 each send their own Beacon frame through the MAC + radio frequency layer according to their respective Beacon frame broadcast rules, in different time slots (in a time-division multiplexing system) or on different frequencies (in a frequency-division multiplexing system); the Beacon frame sent by VAP1 carries BSSID1 and other information, the Beacon frame sent by VAP2 carries BSSID2 and other information, and the Beacon frame sent by VAP3 carries BSSID3 and other information.

[0039] Terminal 1, terminal 2 and terminal 3 may receive and parse the Beacon frames in the usual way and initiate an access request according to a correctly parsed Beacon frame. Normally terminals 1, 2 and 3 can receive all the Beacon frames; if a terminal can correctly parse a Beacon frame, it initiates an access request according to its security capability, carrying the BSSID parsed from that Beacon frame.

[0040] The physical AP applies the inverse of the algorithm used to generate the BSSIDs to the BSSID carried in the access request to compute a MAC address; if the computed MAC address matches its own MAC address, it accepts the access request. Because BSSID1, BSSID2 and BSSID3 are all derived from the MAC address of a single physical AP, that physical AP can accept access requests carrying any of these BSSIDs. After receiving an access request, the physical AP forwards it, according to the BSSID it carries, to the corresponding virtual AP for processing. In Figure 3, the access requests of terminal 1, terminal 2 and terminal 3 are forwarded to VAP1, VAP2 and VAP3 respectively. After each terminal completes security authentication with the corresponding VAP and negotiates an encryption key, the AP writes the key and the terminal's security policy into the storage unit of the AP MAC, associated with the terminal's MAC address. When a terminal's encrypted data passes through the AP, the AP uses the terminal MAC address in the data header to look up the key and security policy in the AP MAC storage unit, calls a different algorithm according to the security policy (for example the SMS4 or AES algorithm in the algorithm storage unit) to decrypt the data, and hands the data to the corresponding VAP in the 802.11 management layer for processing. The encryption process when the AP sends data is the same as the decryption process when it receives data. If, on receiving data, the AP finds that the corresponding key is empty, it does not decrypt the data but hands it directly to the VAP in the 802.11 management layer whose security mechanism is OPEN (VAP2 in Figure 3) for processing.
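The following is an added example, not code from the patent or its assignee, showing one way the reversible mask of paragraph [0031], the 100 ms / 16-slot beacon schedule of paragraph [0034] and the inverse check of paragraph [0040] fit together: a physical AP stores one MAC address, derives a BSSID per virtual AP (VAP) from it, and accepts an access request only if some VAP index maps the carried BSSID back to its own MAC. The XOR mask, the sample MAC address and the mechanism labels are assumptions; the patent only requires the mask to be reversible.

```python
"""Added example (not from the patent): reversible BSSID derivation, TDM beacon
slots, and the physical AP's inverse check before forwarding to a VAP."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SLOT_COUNT = 16            # the patent splits a 100 ms beacon period into 16 slots
BEACON_PERIOD_MS = 100.0


def parse_mac(text: str) -> bytes:
    octets = text.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(o, 16) for o in octets)


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def derive_bssid(phys_mac: bytes, vap_index: int) -> bytes:
    """Assumed mask: XOR the VAP index into the low nibble of the last octet.
    Index 0 is reserved for the physical MAC itself, so every VAP BSSID differs
    from it and from each other; indices 1..15 also name the beacon slot."""
    if not 1 <= vap_index < SLOT_COUNT:
        raise ValueError("vap_index must be in 1..15")
    return phys_mac[:5] + bytes([phys_mac[5] ^ vap_index])


def recover_phys_mac(bssid: bytes, vap_index: int) -> bytes:
    """Inverse operation: XOR with the same index undoes the mask."""
    return bssid[:5] + bytes([bssid[5] ^ vap_index])


def beacon_slot_offset_ms(vap_index: int) -> float:
    """Slot i (1-based) starts at (i-1) * 100/16 ms within the beacon period."""
    return (vap_index - 1) * (BEACON_PERIOD_MS / SLOT_COUNT)


@dataclass(frozen=True)
class VirtualAP:
    index: int
    mechanism: str     # e.g. "WAPI+SMS4", "OPEN", "WPA2+AES" as in Figure 1
    bssid: bytes


class PhysicalAP:
    """One physical AP, one stored MAC; VAP addresses are derived from it."""

    def __init__(self, mac: str, mechanisms: list[str]) -> None:
        self.mac = parse_mac(mac)
        self.vaps: dict[bytes, VirtualAP] = {}
        for index, mechanism in enumerate(mechanisms, start=1):
            bssid = derive_bssid(self.mac, index)
            self.vaps[bssid] = VirtualAP(index, mechanism, bssid)

    def beacons(self) -> list[tuple[str, str, float]]:
        """One Beacon per VAP: (BSSID field, mechanism, TDM slot offset in ms)."""
        return [
            (format_mac(v.bssid), v.mechanism, beacon_slot_offset_ms(v.index))
            for v in self.vaps.values()
        ]

    def dispatch_access_request(self, bssid_text: str) -> Optional[VirtualAP]:
        """Apply the inverse mask for every configured VAP; accept the request
        only if some VAP index maps the BSSID back to our own MAC, and hand it
        to that VAP. None means the BSSID belongs to some other AP (or is the
        physical MAC itself, which is not a VAP address)."""
        bssid = parse_mac(bssid_text)
        for vap in self.vaps.values():
            if recover_phys_mac(bssid, vap.index) == self.mac:
                return vap
        return None


if __name__ == "__main__":
    # constructed sample AP with the three mechanisms of Figure 1
    ap = PhysicalAP("00:1a:2b:3c:4d:50", ["WAPI+SMS4", "OPEN", "WPA2+AES"])
    for bssid, mechanism, offset in ap.beacons():
        print(f"beacon {bssid} ({mechanism}) in slot starting at {offset} ms")
    vap = ap.dispatch_access_request("00:1a:2b:3c:4d:52")
    print("request for ...52 goes to", vap and vap.mechanism)
```

Because XOR with a fixed index is a bijection, a BSSID derived for VAP j maps back to the physical MAC under index j only, so the loop in dispatch_access_request cannot route a request to the wrong VAP.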

[0041] After the AP sends the broadcast messages, a terminal may receive and parse the broadcast messages and initiate an access request in the existing way. When the security capability of a terminal supports multiple access mechanisms, the terminal may correctly parse several broadcast messages carrying different security mechanism identifiers; for this case, embodiments of the present invention improve the terminal to increase its access flexibility.

[0042] In an embodiment of the present invention, for the above case, the terminal may initiate an access request in the following ways:

[0043] Method 1: a security policy is preset on the terminal; this selection policy defines which secure access mechanism the terminal uses to initiate an access request when it receives several different broadcast messages (Beacon frames carrying different BSSIDs). In an embodiment of the present invention, the security policy may be set in the form of a profile on the terminal side. When the terminal receives several different broadcast messages, it selects the secure access mechanism to use according to the preset security policy and initiates an access request. Figure 4 shows one implementation of initiating an access request according to the security policy.

[0044] In Figure 4, after receiving Beacon frames carrying different BSSIDs (Beacon1, Beacon2 and Beacon3), the terminal compares them against its local preset security policy and, according to the result, selects the corresponding secure access mechanism and initiates an access request. For example, when the security policy preset on the terminal is to initiate the access request according to the first Beacon frame received and correctly parsed, the terminal, after receiving and correctly parsing the first Beacon frame, looks up the local security policy to associate the BSSID in that Beacon frame with the corresponding secure access mechanism and uses that mechanism to initiate the access request; when the security policy preset on the terminal is selection according to the priority of the secure access mechanisms, the terminal takes the secure access mechanisms corresponding to the BSSIDs in the Beacon frames it has received and correctly parsed, looks up the priority of each secure access mechanism in the local preset security policy, and selects the highest-priority secure access mechanism to initiate the access request.

[0045] Method 2: on the basis of Method 1, the terminal displays to the user the information on all the secure access mechanisms corresponding to the broadcast messages it has received, the user selects a suitable secure access mechanism, and the terminal initiates the access request using the secure access mechanism selected by the user.
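The following is an added example, not code from the patent or its assignee, of the terminal-side selection in paragraphs [0044] and [0045]: a terminal that supports several mechanisms has correctly parsed several Beacon frames from one physical AP and must pick a single access request under the "first correctly parsed frame" policy, the "highest-priority mechanism" policy, or user choice. The profile layout, the mechanism labels and the sample beacons are constructed for illustration.

```python
"""Added example (not from the patent): terminal chooses which VAP to join when
several Beacon frames with different BSSIDs parse correctly."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    mechanism: str      # mechanism the beacon's BSSID stands for, as parsed


@dataclass(frozen=True)
class Profile:
    policy: str                  # "first" or "priority" (Method 1)
    supported: tuple[str, ...]   # mechanisms this terminal can complete
    priority: dict[str, int]     # lower number = preferred, for "priority"


# constructed beacons, in reception order: one physical AP beaconing three
# BSSIDs, one per VAP, as in Figure 1 of the patent (open beacon arrives first)
RECEIVED = [
    Beacon("00:1a:2b:3c:4d:52", "campus", "OPEN"),
    Beacon("00:1a:2b:3c:4d:51", "campus", "WAPI+SMS4"),
    Beacon("00:1a:2b:3c:4d:53", "campus", "WPA2+AES"),
]


def correctly_parsed(received: list[Beacon], profile: Profile) -> list[Beacon]:
    """Paragraph [0039]: a terminal only acts on beacons it can parse, which
    here means beacons whose mechanism the terminal supports."""
    return [b for b in received if b.mechanism in profile.supported]


def choose_beacon(received: list[Beacon], profile: Profile) -> Optional[Beacon]:
    """Method 1, preset policy: 'first' keeps reception order; 'priority'
    ranks by the profile and breaks ties by reception order (min is stable)."""
    candidates = correctly_parsed(received, profile)
    if not candidates:
        return None
    if profile.policy == "first":
        return candidates[0]
    if profile.policy == "priority":
        return min(candidates, key=lambda b: profile.priority.get(b.mechanism, 99))
    raise ValueError(f"unknown policy {profile.policy!r}")


def choices_for_user(received: list[Beacon], profile: Profile) -> list[tuple[str, str]]:
    """Method 2: the (BSSID, mechanism) pairs the terminal shows the user."""
    return [(b.bssid, b.mechanism) for b in correctly_parsed(received, profile)]


def access_request(beacon: Beacon) -> dict[str, str]:
    """The request carries the BSSID parsed from the chosen beacon, which is
    what lets the physical AP map it back to the right VAP."""
    return {"bssid": beacon.bssid, "mechanism": beacon.mechanism}


if __name__ == "__main__":
    profile = Profile("priority", ("WAPI+SMS4", "WPA2+AES", "OPEN"),
                      {"WAPI+SMS4": 0, "WPA2+AES": 1, "OPEN": 2})
    chosen = choose_beacon(RECEIVED, profile)
    print("menu:", choices_for_user(RECEIVED, profile))
    print("request:", access_request(chosen) if chosen else None)
```

With the "first" policy the OPEN beacon wins simply because it arrived first, so a terminal that can do better should carry a priority profile rather than rely on reception order.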

[0046] In an embodiment of the present invention, the architecture described above for hybrid access of terminals with different security capabilities can also be used to classify the users on an AP so that different types of users are placed in different VLANs (Virtual Local Area Networks), enabling flexible management and control of end users. Figure 5 shows one implementation of classifying the users on an AP.

[0047] In Figure 5, three VAPs (VAP1, VAP2 and VAP3) are set up on the AP, and three BSSIDs (BSSID1, BSSID2 and BSSID3) identify three virtual LANs (VLAN1, VLAN2 and VLAN3) respectively, so that three different VLANs are defined for the three BSSIDs. Data processed by VAP1 is tagged with BSSID1, data processed by VAP2 is tagged with BSSID2, and data processed by VAP3 is tagged with BSSID3, so that terminals accessing VAP1 belong to VLAN1, terminals accessing VAP2 belong to VLAN2 and terminals accessing VAP3 belong to VLAN3. In this implementation the VLANs are identified by BSSID, and the data passing through each VAP is tagged with the corresponding BSSID, so that terminals accessing different VAPs belong to different VLANs. Alternatively, the VLANs may be identified by SSID, and the data passing through each VAP tagged with the corresponding SSID, so that terminals accessing different VAPs belong to different VLANs.

[0048] Embodiments of the present invention also provide a network access point apparatus supporting hybrid access of terminals with different security capabilities, a terminal, and a communication system supporting hybrid access of terminals with different security capabilities.

[0049] Referring to Figure 6, the network access point apparatus supporting hybrid terminal access provided by an embodiment of the present invention comprises a configuration module and a communication interface module, wherein

[0050] the configuration module is configured to configure, on the network access point apparatus, the different secure access mechanisms corresponding to the different security capabilities of terminals and the security mechanism identifiers corresponding to those secure access mechanisms, and is further configured to generate different broadcast messages according to these different security mechanisms, each carrying the security mechanism identifier corresponding to its security mechanism. The configuration module may be located in the wireless network card driver layer of the network access point apparatus;

[0051] the communication interface module is configured to send the broadcast messages generated by the configuration module respectively, and may also receive access requests initiated by terminals. The communication interface module may be located in the MAC and radio frequency (MAC + RF) layer of the network access point apparatus.

[0052] The configuration module of the network access point apparatus comprises a configuration sub-module and at least two virtual network access point apparatuses, wherein:

[0053] the configuration sub-module is configured to configure on the network access point apparatus different virtual network access point apparatuses corresponding respectively to the different security capabilities of terminals, and to configure for each virtual network access point apparatus a corresponding secure access mechanism and an address identifier; that is, each virtual access point apparatus has its own address identifier and security policy, where the security policy comprises security rules and Beacon frame broadcast rules, and the address identifier is the security mechanism identifier corresponding to the secure access mechanism. The security mechanism identifier may be obtained by mapping from the unique identifier (such as the MAC address) of the network access point apparatus, specifically by deriving a BSSID from the MAC address of the network access point apparatus with a reversible algorithm and using it as the security mechanism identifier. The virtual access point apparatus is configured to generate the broadcast message corresponding to its secure access mechanism, carrying its secure access identifier, and is further configured to process terminal access requests using its corresponding secure access mechanism.

[0054] The virtual access point apparatus comprises a broadcast message processing unit and an access request processing unit, wherein: [0055] the broadcast message processing unit is configured to generate the broadcast message corresponding to the secure access mechanism of the virtual access point apparatus, carrying the security mechanism identifier of the virtual access point apparatus, and to send the broadcast message through the communication interface module; and the access request processing unit is configured to receive an access request sent by a terminal, the security mechanism identifier carried in the access request matching the security mechanism identifier of the virtual access point apparatus that sent the broadcast message, and to process it using the secure access mechanism corresponding to the virtual access point apparatus.

[0056] 上述通信接口模块为时分复用模块或频分复用模块。 [0056] The communication interface module for time division multiplex or frequency division multiplexing module module. 时分复用模块用于通过不同的时隙分别发送与终端的安全能力相对应的广播消息;频分复用模块用于通过不同的频率分别发送与终端的安全能力相对应的广播消息。 Time division multiplexing means for transmitting the broadcast message by different time slots, respectively, and security capabilities of the terminal corresponding; frequency division multiplexing means for transmitting the broadcast message and the security capabilities of the terminal corresponding to the different frequencies, respectively.

[0057] 通信接口模块在接收接入请求时,若根据终端发送的接入请求中携带的安全机制标识映射得到与自身的唯一标识(MAC地址)相匹配的标识时接收该接入请求,并发送到与该安全机制标识对应的虚拟接入点装置进行处理。 Receiving the access request [0057] The communication interface module upon receiving the access request, identity mapping if the security mechanism according to the access request sent by the terminal to obtain identifying carried own unique identifier (MAC address) matches, and the access point to the virtual device and the security processing corresponding to the identifier.

[0058] 参见图7和图8,分别为本发明实施例提供的终端结构示意图,该终端包括广播消息接收模块和接入请求发起模块,其中: [0058] Referring to FIGS. 7 and 8, respectively, a schematic diagram of the structure of a terminal provided in an embodiment the invention, the terminal includes a broadcast receiving module and an access request message initiating module, wherein:

[0059] 广播消息接收模块,用于接收并解析网络接入点装置发送的广播消息,其中携带与该终端的安全能力相应的安全机制标识; [0059] a broadcast message receiving module, configured to receive and parse the broadcast message transmitted from the network access point, which carries the security capability corresponding to the security mechanism of the terminal identifier;

[0060] 接入请求发起模块,用于发起接入请求,其中携带与该终端的安全能力相应的安全机制标识。 [0060] access request initiating module, for initiating an access request, which carries the security capability corresponding to the security mechanism of the terminal identifier. 该安全机制标识由网络接入点装置的唯一标识映射得到,具体为:采用可逆的算法由所述网络接入点装置的物理地址(MAC地址)衍生得到所述安全机制标识。 The resulting safety mechanism for identifying uniquely identified by mapping the network access point device, in particular: the use of a reversible algorithm the security mechanism is identified by a physical address (MAC address) derived from the network access point device.

[0061] 当终端的安全能力支持多种安全接入机制时,即能够正确解析出携带不同安全机制标识的广播消息,则该终端接收并正确解析出多个广播消息后,可从多个广播消息分别携带的安全机制标识所对应的安全接入机制中进行选择,并采用选择出的安全接入机制发起接入请求;或者,可显示对应的安全接入机制信息供用户选择,并根据用户的选择发起接入请求。 After [0061] When the security capabilities of the terminal support multiple security access mechanisms, i.e. correctly resolve a broadcast message carrying the identification of different security mechanisms, the terminal receives and correctly parsing the plurality of broadcast messages, a broadcast from a plurality of secure access security mechanisms are carried in the message identifier corresponding to the selected, using the selected security and access mechanism to initiate an access request; or secure access mechanisms may be displayed for the user information corresponding to the selection, and the user selection of an access request.

[0062] 当终端从多个安全机制标识所对应的安全接入机制中进行选择时,该终端还可包括配置模块和选择模块,如图7所示,其中: [0062] When the terminal to select from the plurality of secure access mechanisms corresponding security identifier, the terminal may further include a configuration module and a selection module, shown in Figure 7, wherein:

[0063] 配置模块用于配置安全机制选择策略;选择模块用于根据安全机制选择策略从接收并正确解析出的多个广播消息分别携带的安全机制标识所对应的安全接入机制中进行选择,并采用选择出的安全接入机制通过接入请求发起模块发起接入请求。 [0063] The configuration module for configuring the security policy mechanism selection; selecting means for selecting security policies based on security access mechanism to select from a security mechanism for identifying and receiving a plurality of broadcast correctly parsed messages are carried in the corresponding, and using the selected security mechanism through the access module initiates the access request to initiate an access request.

[0064] 当终端根据用户的选择发起接入请求时,该终端还可包括显示模块和选择模块, 如图8所示,其中: [0064] When the terminal initiates the access request according to a user's selection, the terminal may further include a display module and a selection module, shown in Figure 8, wherein:

[0065] 显示模块用于显示接收并正确解析出的多个广播消息分别携带的安全机制标识所对应的安全接入机制信息供用户选择;选择模块用于接收用户所选择的安全接入机制, 并采用该安全接入机制通过所述接入请求发起模块发起接入请求。 [0065] The display module for displaying a security mechanism for identifying and receiving a plurality of broadcast correctly parsed messages are carried in corresponding security information for the user to select the access mechanism; selecting means for receiving a user selected security access mechanism, and using the secure access mechanism through the access module initiates a request to initiate an access request.

[0066] 本发明实施例提供的支持终端混合接入的通信系统,包括网络接入点装置和终端,网络接入点装置的结构可如图6所示,终端的结构可如图7或图8所示,其中: [0066] communication system supporting hybrid access terminal provided by the embodiment of the present invention, the structure comprises a network access point and a terminal device, a network device may be an access point shown in Figure 6, the terminal structure may be 7 or FIG. 8, wherein:

[0067] 网络接入点装置,用于配置与终端的不同安全能力对应的不同安全接入机制以及与安全接入机制对应的安全机制标识,并分别根据不同的安全接入机制发送不同的广播消息,这些广播消息中分别携带与上述配置的安全接入机制对应安全机制标识,上述安全机制标识由网络接入点装置的唯一标识映射得到。 [0067] The network access point means for a terminal with the ability to configure different security corresponding to different security access and security mechanisms and security identifier corresponding to the access mechanism, and are transmitted according to different broadcast different security access mechanisms message, the broadcast message carries security access mechanism are arranged corresponding to the above-described safety mechanism for identifying the security mechanisms identified by a unique identity mapping obtained network access point device. 网络接入点装置还用于在根据接入请求中携带的安全机制标识映射得到与自身的所述唯一标识相匹配的标识时接收所述接入请求, 并采用与所述安全机制标识对应的安全接入机制对所述接入请求进行处理。 Network access point device is further configured to obtain identity mapping identifier when the unique identifier itself matches the security mechanism according to the access request carries the access request is received, and use the corresponding security identifier secure access mechanism for the access request is processed.

[0068] The terminal is configured to receive and parse broadcast messages and to initiate an access request according to a correctly parsed broadcast message, the access request carrying the security mechanism identifier corresponding to the security capability of the terminal. When the terminal receives and correctly parses multiple broadcast messages carrying different security mechanism identifiers, it selects among the secure access mechanisms corresponding to the security mechanism identifiers carried in those broadcast messages and initiates an access request using the selected secure access mechanism; alternatively, it displays the secure access mechanism information corresponding to the security mechanism identifiers carried in those broadcast messages for the user to choose from, and initiates an access request according to the user's choice.
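The exchange described in [0053] through [0068], with the VLAN tagging of [0047], as an added Python example that is not code from the patent or from its assignee: a physical AP hosts one virtual AP per secure access mechanism, each with a BSSID derived reversibly from the physical MAC; the AP accepts an access request only if the carried BSSID maps back to its own MAC and then hands the request to the owning VAP; a terminal keeps the beacons it can parse and applies a selection policy before requesting access. The specific reversible derivation (locally-administered bit plus VAP index in the last octet, which assumes the physical MAC has those bits clear), the mechanism labels, the dictionary shapes used in place of Beacon and access request frames, and all MAC addresses are constructed assumptions for illustration.

```python
"""Added example, not the patent's own code: a physical AP with one virtual AP
(VAP) per secure access mechanism, BSSIDs derived reversibly from the physical
MAC, and a terminal that picks a mechanism by policy from parsable beacons."""
from dataclasses import dataclass, field

# Constructed "reversible algorithm" (an assumption, not the patent's): set the
# locally-administered bit of the first octet and store the VAP index in the low
# nibble of the last octet.  It assumes the physical MAC has both fields clear.
LAA_BIT = 0x02
INDEX_MASK = 0x0F

def mac_to_bytes(mac: str) -> bytearray:
    return bytearray(int(x, 16) for x in mac.split(":"))

def bytes_to_mac(b: bytearray) -> str:
    return ":".join(f"{x:02x}" for x in b)

def derive_bssid(phys_mac: str, index: int) -> str:
    """Security mechanism identifier (BSSID) for VAP number `index`."""
    if not 0 <= index <= INDEX_MASK:
        raise ValueError("VAP index out of range")
    b = mac_to_bytes(phys_mac)
    b[0] |= LAA_BIT
    b[5] = (b[5] & 0xF0) | index
    return bytes_to_mac(b)

def bssid_to_phys_mac(bssid: str) -> str:
    """Inverse mapping: recover the physical MAC the BSSID was derived from."""
    b = mac_to_bytes(bssid)
    b[0] &= 0xFF ^ LAA_BIT
    b[5] &= 0xFF ^ INDEX_MASK
    return bytes_to_mac(b)

@dataclass
class VirtualAP:
    mechanism: str   # constructed label for a secure access mechanism
    bssid: str       # its security mechanism identifier
    vlan_id: int     # VLAN that terminals joining this VAP belong to

@dataclass
class PhysicalAP:
    phys_mac: str
    vaps: dict = field(default_factory=dict)        # bssid -> VirtualAP
    associated: dict = field(default_factory=dict)  # terminal MAC -> bssid

    def add_vap(self, mechanism: str, vlan_id: int) -> str:
        bssid = derive_bssid(self.phys_mac, len(self.vaps))
        self.vaps[bssid] = VirtualAP(mechanism, bssid, vlan_id)
        return bssid

    def beacons(self) -> list:
        """One beacon per VAP, each carrying that VAP's BSSID and mechanism."""
        return [{"bssid": v.bssid, "mechanism": v.mechanism} for v in self.vaps.values()]

    def handle_access_request(self, request: dict):
        """Accept only if the carried BSSID maps back to our own MAC, then hand
        the request to the VAP owning that BSSID; returns the mechanism used."""
        bssid = request["bssid"]
        if bssid_to_phys_mac(bssid) != self.phys_mac:
            return None                      # identifier issued by some other AP
        vap = self.vaps.get(bssid)
        if vap is None or request.get("mechanism") != vap.mechanism:
            return None                      # unknown VAP or inconsistent request
        self.associated[request["terminal"]] = bssid
        return vap.mechanism

    def tag_uplink(self, terminal_mac: str, payload: bytes) -> dict:
        """Tag data from an associated terminal with the VLAN of its VAP."""
        vap = self.vaps[self.associated[terminal_mac]]
        return {"vlan": vap.vlan_id, "payload": payload}

@dataclass
class Terminal:
    mac: str
    supported: set   # mechanisms whose beacons this terminal can parse
    policy: tuple    # selection policy: every supported mechanism, best first

    def choose(self, beacons: list):
        """Keep the beacons we can parse, then apply the selection policy."""
        parsed = [b for b in beacons if b["mechanism"] in self.supported]
        if not parsed:
            return None
        return min(parsed, key=lambda b: self.policy.index(b["mechanism"]))

    def access_request(self, beacons: list):
        best = self.choose(beacons)
        if best is None:
            return None
        return {"terminal": self.mac, "bssid": best["bssid"], "mechanism": best["mechanism"]}

def demo():
    # Sample run with constructed MACs and mechanism labels.
    ap = PhysicalAP("00:1d:0f:00:00:00")
    for mech, vlan in (("WAPI", 10), ("WPA2", 20), ("WEP", 30)):
        ap.add_vap(mech, vlan)
    terminals = [Terminal("02:aa:bb:cc:dd:01", {"WAPI", "WPA2"}, ("WAPI", "WPA2")),
                 Terminal("02:aa:bb:cc:dd:02", {"WEP"}, ("WEP",))]
    results = {}
    for t in terminals:
        req = t.access_request(ap.beacons())
        mech = ap.handle_access_request(req)
        results[t.mac] = (req["bssid"], mech, ap.tag_uplink(t.mac, b"data")["vlan"])
    return ap, results
```

The reverse-mapping check in `handle_access_request` is the point of [0057]: because the derivation is invertible, the AP can reject a request carrying a BSSID that was never issued from its own MAC before consulting the VAP table, and a request whose mechanism does not match the VAP that owns the BSSID is likewise refused rather than processed under the wrong policy.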

[0069] In summary, the above embodiments of the present invention configure multiple virtual APs on a physical AP for terminals of different security capabilities, configure different security mechanisms and MAC addresses on the different virtual APs, and have each virtual AP broadcast Beacon frames carrying its own MAC address (identified by the BSSID). A terminal with a given security capability receives and parses the corresponding Beacon frame and can initiate an access request based on it, carrying the MAC address of the corresponding virtual AP, so that the corresponding virtual AP obtains the access request and processes it with the corresponding security mechanism. Hybrid access of terminals with multiple security capabilities is thereby achieved with a single physical AP, reducing network investment and operation and maintenance costs.

[0070] Obviously, those skilled in the art can make various modifications and variations to the present invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the invention and their equivalents, the present invention is intended to include these modifications and variations as well.

Claims (20)

  1. An information broadcast method supporting hybrid terminal access, characterized in that it comprises: configuring, on a network access point entity, different virtual network access point entities corresponding to the different security capabilities of terminals, and configuring for each virtual network access point entity a corresponding secure access mechanism and an address identifier, the address identifier being the security mechanism identifier corresponding to the secure access mechanism; and, when the network access point entity sends broadcast messages to terminals, sending different broadcast messages according to the different secure access mechanisms, the different broadcast messages carrying the security mechanism identifiers corresponding to the different secure access mechanisms.
  2. The method of claim 1, characterized in that the security mechanism identifier is obtained by mapping from a unique identifier of the network access point entity; and the network access point entity accepts an access request initiated by a terminal when mapping the security mechanism identifier carried in the access request yields an identifier that matches its own unique identifier.
  3. The method of claim 2, characterized in that the security mechanism identifier is obtained by mapping from the unique identifier of the network access point entity, specifically: a reversible algorithm derives the security mechanism identifier from the physical address of the network access point entity.
  4. The method of claim 1, characterized in that, when the network access point entity sends broadcast messages, different virtual access point entities send different broadcast messages, each carrying the security mechanism identifier corresponding to the respective virtual access point entity.
  5. The method of claim 4, characterized in that different virtual access point entities sending different broadcast messages specifically means: the different virtual access point entities send their different broadcast messages in different time slots or on different frequencies.
  6. The method of claim 1, characterized in that, after the network access point entity sends the broadcast messages, the method further comprises: a terminal receiving and parsing the broadcast messages and initiating an access request according to a correctly parsed broadcast message, the access request carrying a security mechanism identifier; and the network access point entity receiving the access request initiated by the terminal and processing it with the security mechanism corresponding to the security mechanism identifier carried therein.
  7. The method of claim 6, characterized in that, when the terminal receives and correctly parses multiple broadcast messages, the method further comprises: selecting among the secure access mechanisms corresponding to the security mechanism identifiers carried in the multiple broadcast messages and initiating the access request using the selected secure access mechanism; or displaying the secure access mechanism information corresponding to the security mechanism identifiers carried in the multiple broadcast messages for the user to choose from, and initiating the access request according to the user's choice.
  8. The method of claim 1, characterized in that it further comprises: the network access point entity storing the identifier of a terminal that has accessed the network together with the secure access mechanism information of that terminal; and, when the terminal that has accessed the network sends data to the network access point entity, the network access point entity adding to the data of the user terminal identification information corresponding to the secure access mechanism information of the terminal, the identification information identifying the virtual local area network to which the terminal belongs.
  9. A network access point apparatus supporting hybrid terminal access, characterized in that it comprises: a configuration module, configured to configure, on the network access point apparatus, different virtual network access point entities corresponding to the different security capabilities of terminals, and to configure for each virtual network access point entity a corresponding secure access mechanism and address identifier, the address identifier being the security mechanism identifier corresponding to the secure access mechanism, and further configured to generate different broadcast messages according to the different security mechanisms, carrying the security mechanism identifiers corresponding to the different security mechanisms; and a communication interface module, configured to send the multiple generated broadcast messages respectively.
  10. The network access point apparatus of claim 9, characterized in that the configuration module comprises a configuration sub-module and at least two virtual network access point apparatuses, wherein the configuration sub-module is configured to configure, on the network access point apparatus, different virtual network access point apparatuses corresponding to the different security capabilities of terminals, and to configure for each virtual network access point apparatus a corresponding secure access mechanism and address identifier, the address identifier being the security mechanism identifier corresponding to the secure access mechanism; and each virtual access point apparatus is configured to generate a broadcast message corresponding to its secure access mechanism, carrying the security mechanism identifier of that virtual access point apparatus, and is further configured to process terminal access requests using the secure access mechanism corresponding to that virtual access point apparatus.
  11. The network access point apparatus of claim 10, characterized in that the virtual access point apparatus comprises: a broadcast message processing unit, configured to generate the broadcast message carrying the security mechanism identifier of the virtual access point apparatus; and an access request processing unit, configured to process received access requests using the secure access mechanism corresponding to the virtual access point apparatus, the security mechanism identifier carried in the access request being the same as the security mechanism identifier of the virtual access point apparatus.
  12. The network access point apparatus of claim 10, characterized in that the security mechanism identifier is obtained by mapping from a unique identifier of the network access point apparatus; and the communication interface module is further configured to accept an access request sent by a terminal when mapping the security mechanism identifier carried in the access request yields an identifier that matches its own unique identifier, and to forward it to the virtual access point apparatus corresponding to that security mechanism identifier for processing.
  13. The network access point apparatus of claim 9, characterized in that the communication interface module is a time division multiplexing module or a frequency division multiplexing module; the time division multiplexing module is configured to send the broadcast messages corresponding to the terminals' security capabilities in different time slots; and the frequency division multiplexing module is configured to send the broadcast messages corresponding to the terminals' security capabilities on different frequencies.
  14. A terminal, characterized in that it comprises: a broadcast message receiving module, configured to receive and parse broadcast messages sent by a network access point apparatus, the broadcast messages carrying the security mechanism identifier corresponding to the security capability of the terminal; and an access request initiating module, configured to initiate an access request carrying the security mechanism identifier corresponding to the security capability of the terminal.
  15. The terminal of claim 14, characterized in that the security mechanism identifier is obtained by mapping from a unique identifier of the network access point apparatus, specifically: a reversible algorithm derives the security mechanism identifier from the physical address of the network access point apparatus.
  16. The terminal of claim 14, characterized in that it further comprises: a configuration module, configured to configure a security mechanism selection policy; and a selection module, configured to select, according to the security mechanism selection policy, among the secure access mechanisms corresponding to the security mechanism identifiers carried in multiple received and correctly parsed broadcast messages, and to initiate an access request through the access request initiating module using the selected secure access mechanism.
  17. The terminal of claim 14, characterized in that it further comprises: a display module, configured to display, for the user to choose from, the secure access mechanism information corresponding to the security mechanism identifiers carried in multiple received and correctly parsed broadcast messages; and a selection module, configured to receive the secure access mechanism selected by the user and to initiate an access request through the access request initiating module using that secure access mechanism.
  18. A communication system supporting hybrid terminal access, characterized in that it comprises a network access point apparatus and a terminal; the network access point apparatus is configured to configure different virtual network access point entities corresponding to the different security capabilities of terminals, to configure for each virtual network access point entity a corresponding secure access mechanism and address identifier, the address identifier being the security mechanism identifier corresponding to the secure access mechanism, and to send different broadcast messages according to the different secure access mechanisms, the different broadcast messages carrying the security mechanism identifiers corresponding to the different secure access mechanisms; and the terminal is configured to receive and parse the broadcast messages and to initiate an access request according to a correctly parsed broadcast message, the access request carrying the security mechanism identifier corresponding to the security capability of the terminal.
  19. The communication system of claim 18, characterized in that the security mechanism identifier is obtained by mapping from a unique identifier of the network access point apparatus; and the network access point apparatus is further configured to accept the access request when mapping the security mechanism identifier carried in the access request yields an identifier that matches its own unique identifier, and to process the access request using the secure access mechanism corresponding to that security mechanism identifier.
  20. The communication system of claim 18, characterized in that the terminal is further configured, when it receives and correctly parses multiple broadcast messages, to select among the secure access mechanisms corresponding to the security mechanism identifiers carried in the multiple broadcast messages and to initiate an access request using the selected secure access mechanism; or to display the secure access mechanism information corresponding to the security mechanism identifiers carried in the multiple broadcast messages for the user to choose from, and to initiate an access request according to the user's choice.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200710178990 CN101453409B (en) 2007-12-07 2007-12-07 Information broadcast method for supporting terminal combined access, apparatus and system thereof

Publications (2)

Publication Number Publication Date
CN101453409A CN101453409A (en) 2009-06-10
CN101453409B true CN101453409B (en) 2011-01-26

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted