CN102014391B - Wireless network safety access method, system and wireless controller - Google Patents


Info

Publication number
CN102014391B
Authority
CN (China)
Prior art keywords
wireless
client
controller
wireless client
message
Legal status
Active
Application number
CN201010571646.7A
Other languages
Chinese (zh)
Other versions
CN102014391A
Inventors
吴梦非
杨红飞
茅新民
Assignee (current and original)
Beijing Star Net Ruijie Networks Co Ltd

Classification

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a wireless network security access method, system and wireless controller. In the method, a wireless controller determines, from the wireless local area network (WLAN) identifier and the wireless client information carried in a received encapsulated packet, that the wireless client has roamed between wireless controllers; the encapsulated packet is generated by a wireless access point from a packet sent by the wireless client. The wireless controller then sends probe packets, which carry the wireless client information, to the other wireless controllers in order to find the roaming-out wireless controller, and forwards the encapsulated packet to that roaming-out wireless controller so that it can apply security control to the wireless client's access. The scheme solves the problem that a wireless client's access policy changes when it roams between ACs, and ensures that the same access policy governs the wireless client's access before and after roaming.

Description

Wireless network safety access method, system and wireless controller
Technical field
The present invention relates to network communication technology, and in particular to a wireless network security access method, system and wireless controller.
Background technology
A wireless local area network (Wireless Local Area Network, WLAN) interconnects computer equipment using wireless communication technology so that clients can access a broadband network and share information anywhere and at any time. A wireless client (for example a notebook computer, a personal digital assistant, or a wireless network card supporting WLAN access) accesses the WLAN through a wireless access point (Access Point, AP). The AP is the bridge between the wired network and the WLAN: its main function is to connect the wireless clients together and then attach the wireless network to the Ethernet-based wired network.
Usually an AP implements only the 802.11 physical layer, i.e. it can only transmit and receive radio frequency signals, so it must be connected to a wireless controller (Access Controller, AC) and be centrally controlled and managed by the AC in order to reach the wired network. The AC is responsible for data exchange and route selection, and also performs user authentication, security policy management, radio channel selection, transmit power adjustment and so on. As shown in Fig. 1, one WLAN topology comprises AC1, AC2, AP1, AP2, PC1 and PC2, where PC1 accesses AP1 and AP1 is connected to AC1 over the wired network, while PC2 accesses AP2 and AP2 is connected to AC2 over the wired network. A wireless client usually roams when it moves: roaming is the process by which a wireless client re-associates from its original AP to another AP in the same WLAN; during this process the client's Internet Protocol (IP) address and other client information do not change, and the roaming is transparent to the user. When the APs associated before and after the roaming are connected to different ACs, the roaming is called inter-AC roaming. Taking the network of Fig. 1 as an example, when PC1 moves so that its associated AP changes from AP1 to AP2, inter-AC roaming is said to have occurred, because AP1 and AP2 are connected to AC1 and AC2 respectively. AC1, to which the pre-roaming AP1 is connected, is the roaming-out AC, and AC2, to which the post-roaming AP2 is connected, is the roaming-in AC.
After inter-AC roaming occurs, in order to guarantee the security of the wireless client's access to the wired network, the roaming-out AC usually synchronizes the access policy it stores for the roaming client to the roaming-in AC, and the roaming-in AC then performs access control of the wireless client. However, the access policy on the roaming-in AC and the access policy on the roaming-out AC cannot both be kept without affecting each other, so the client's access scope cannot be guaranteed to be the same before and after roaming. For example, suppose the access policy on the roaming-in AC permits access to the 2.2.2.2 network segment, while the access policy on the roaming-out AC permits access to the 1.1.1.1 network segment. If the roaming-out AC's access policy is migrated to the roaming-in AC, the security policy on the roaming-in AC is changed; if it is not migrated, the client's access scope changes from the original 1.1.1.1 segment to the 2.2.2.2 segment. Neither outcome is desirable for a WLAN, so an access control mechanism is needed that performs access control better when inter-AC roaming occurs.
Summary of the invention
The invention provides a wireless network security access method, system and wireless controller, to solve the problem that a wireless client's access policy changes when inter-AC roaming occurs, and to ensure that the same access policy is used for access control of the wireless client before and after roaming.
The invention provides a wireless network security access method, comprising:
a wireless controller determining, from the wireless local area network identifier and the wireless client information in a received encapsulated packet, that the wireless client has roamed between wireless controllers, the encapsulated packet being generated by a wireless access point from a packet sent by the wireless client;
the wireless controller sending probe packets, which carry the wireless client information, to other wireless controllers in order to obtain the roaming-out wireless controller;
the wireless controller sending the encapsulated packet to the obtained roaming-out wireless controller, so that the roaming-out wireless controller performs security control on the wireless client's access.
The invention provides a wireless controller, comprising:
a determination module for determining, from the wireless local area network identifier and the wireless client information in a received encapsulated packet, that the wireless client has roamed between wireless controllers, the encapsulated packet being generated by a wireless access point from a packet sent by the wireless client;
an acquisition module for sending probe packets, which carry the wireless client information, to other wireless controllers in order to obtain the roaming-out wireless controller;
a first sending module for sending the encapsulated packet to the obtained roaming-out wireless controller, so that the roaming-out wireless controller performs security control on the wireless client's access.
The invention provides a wireless network security access system, comprising any wireless controller provided by the invention, a wireless access point and a wireless client;
the wireless client is connected to the wireless access point and sends packets to it;
the wireless access point is connected to the wireless controller, generates an encapsulated packet from the packet sent by the wireless client, and sends the encapsulated packet to the wireless controller.
In the method, system and wireless controller provided by the invention, it is first determined that the wireless client has roamed between ACs; the roaming-out AC of the client is then obtained by sending probe packets; and the client's packets are forwarded to the roaming-out AC, which performs access control on the client's access according to the access policy stored on it. The scheme thus hands access control over to the roaming-out AC. Because the access policy on the roaming-out AC is normally established when the client joins, before roaming, and remains unchanged while the client roams, having the roaming-out AC control the client's access with its stored policy both before and after roaming guarantees that the client has the same access scope before and after roaming. This solves the problem of the client's access policy changing when inter-AC roaming occurs, and ensures that the same access policy controls the client's access before and after roaming.
Description of drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for their description are introduced briefly below. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a prior-art WLAN;
Fig. 2 is a flow chart of the wireless network security access method provided by Embodiment one;
Fig. 3A is a schematic structural diagram of the wireless controller provided by Embodiment two;
Fig. 3B is another schematic structural diagram of the wireless controller provided by Embodiment two;
Fig. 4 is a schematic structural diagram of the wireless network security access system provided by Embodiment three.
Embodiment
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the embodiments are described below clearly and completely with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the invention.
In a WLAN, when a wireless client roams, it sends packets to its associated AP; the AP encapsulates each packet and adds the identifier of the WLAN the client belongs to in the capsule header, then sends the encapsulated packet to the AC it is connected to. The AC decapsulates the received encapsulated packet and filters it according to the access policy selected by the WLAN identifier obtained. The access policy may be a static policy pre-configured on the AC, or a dynamic policy obtained through various protocols from a server that provides access policies (mainly authentication servers such as an 802.1x authentication server or a web authentication server).
Usually, when no roaming occurs, the wireless client's access scope is limited by the access policy for the client's WLAN on the AC connected to the client's currently associated AP. When the client roams, in order to keep its access scope unchanged, the invention proposes a scheme in which the client is controlled by the same access policy before and after roaming. The following embodiments describe the implementation of this scheme in detail.
Embodiment one
Fig. 2 is a flow chart of the wireless network security access method provided by Embodiment one. As shown in Fig. 2, the method of this embodiment comprises:
Step 201: the AC determines, from the WLAN identifier and the wireless client information in the received encapsulated packet, that the wireless client has roamed between ACs; the encapsulated packet is generated by the AP from a packet sent by the wireless client.
Specifically, when a wireless client roams between ACs, it sends packets to the AP it is associated with after roaming. That AP encapsulates each packet to form an encapsulated packet that contains the WLAN identifier (such as the WLAN ID) of the client's WLAN and information about the client (such as the client's identifier, name, IP address, etc.), and sends the encapsulated packet to the AC it is connected to.
The AC decapsulates the received encapsulated packet and obtains the WLAN identifier and the client information. Since roaming can only occur within the same WLAN, to decide whether the client has roamed between ACs the AC need only check whether the client is among the clients associated through this AC in that WLAN: if it is, the client has not roamed between ACs; otherwise, the client has roamed between ACs.
Because the scheme of this embodiment addresses the case in which inter-AC roaming occurs (the case without inter-AC roaming can be handled by prior-art schemes), this embodiment directly assumes that the AC determines that the client has roamed between ACs, and on that basis proceeds to step 202. In what follows, the AC that executes this embodiment, i.e. the AC that determines that the client has roamed between ACs, is called the roaming-in AC.
Step 202: the AC sends probe packets, which carry the wireless client information, to the other ACs in order to obtain the roaming-out AC.
After the roaming-in AC determines that the client has roamed between ACs, in order to ensure that the client is controlled by the same access policy before and after roaming, it sends probe packets containing the client information to the other ACs adjacent to it in the WLAN. On receiving a probe packet, each other AC judges from the client information in it whether the client was previously associated with it, i.e. whether it is the roaming-out AC, and makes the roaming-in AC aware which of its neighbours is the roaming-out AC.
One arrangement that can be agreed in advance between the ACs is: on receiving a probe packet, reply by sending a probe response packet to the AC that sent the probe (i.e. the roaming-in AC), carrying in the response the information of whether the responder is the roaming-out AC. For example, one bit of the probe response can serve as a roaming-out AC flag: when the bit is "1" the responding AC is the roaming-out AC, and when it is "0" the responding AC is not the roaming-out AC.
Alternatively, the ACs can agree in advance that a probe response packet is sent to the roaming-in AC only when an AC receives a probe packet and determines that it is the roaming-out AC; an AC that receives a probe packet but is not the roaming-out AC does not need to send a probe response.
In either arrangement, the roaming-in AC executing this embodiment learns the client's roaming-out AC from the probe responses it receives, and then executes step 203. Concretely, with the first arrangement the roaming-in AC may receive several probe responses and must identify the roaming-out AC from the roaming-out AC flag in them; with the second arrangement the roaming-in AC receives only one probe response, the one sent by the roaming-out AC, and can identify the roaming-out AC directly from it.
It should be noted that having the roaming-in AC send probe packets to the other ACs only when it receives the first encapsulated packet is a preferred way of obtaining the roaming-out AC, since it avoids the waste of resources caused by sending probes repeatedly: once the roaming-in AC learns the roaming-out AC, it stores that information, and subsequent encapsulated packets are forwarded directly to the roaming-out AC according to the stored information rather than by probing again. The scheme is not limited to this, however.
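To make the probe exchange of step 202 concrete, here is a small Python model, added as an example and not taken from the patent or from Ruijie's products. It simulates the two pre-agreed response rules described above (every neighbour answers with a roaming-out flag, or only the roaming-out AC answers), the handling of several responses on the roaming-in side, and the caching of the roaming-out AC after the first encapsulated packet so that later packets are not probed again. The message field names, the neighbour list, the per-AC client tables and the third controller AC3 are assumptions made for the illustration.

```python
"""Step 202 probe exchange between ACs, modelled in Python.

Added example; this is not code from the patent or from Ruijie. The
message field names, the neighbour list and the per-AC client table are
assumptions made for the illustration; the two response rules ('flag'
and 'silent') follow the two arrangements described in the text.
"""
from dataclasses import dataclass, field


@dataclass
class AC:
    name: str
    # WLAN ID -> set of client identifiers associated through this AC's APs
    # (constructed sample state; a real AC keeps this in its client table)
    associated: dict
    # roaming-in side: (wlan_id, client) -> name of the roaming-out AC,
    # filled after the first probe so later packets are not probed again
    roaming_out_cache: dict = field(default_factory=dict)
    probes_sent: int = 0

    def handle_probe(self, probe, rule):
        """Roaming-out side: build the probe response under the agreed rule.

        'flag'   - always answer, carrying a one-bit roaming-out AC flag
        'silent' - answer only if this AC is the roaming-out AC
        """
        clients = self.associated.get(probe["wlan_id"], set())
        is_roaming_out = probe["client"] in clients
        if rule == "flag":
            return {"type": "probe_resp", "from": self.name,
                    "roaming_out_flag": 1 if is_roaming_out else 0}
        if rule == "silent":
            if is_roaming_out:
                return {"type": "probe_resp", "from": self.name}
            return None
        raise ValueError("unknown response rule: %r" % rule)

    def locate_roaming_out(self, wlan_id, client, neighbours, rule):
        """Roaming-in side: return the roaming-out AC's name, probing the
        neighbours only for the first packet of this client."""
        key = (wlan_id, client)
        if key in self.roaming_out_cache:
            return self.roaming_out_cache[key]
        probe = {"type": "probe", "from": self.name,
                 "wlan_id": wlan_id, "client": client}
        self.probes_sent += 1
        responses = [r for r in (n.handle_probe(probe, rule) for n in neighbours)
                     if r is not None]
        if rule == "flag":
            hits = [r["from"] for r in responses if r["roaming_out_flag"] == 1]
        else:
            hits = [r["from"] for r in responses]
        # Caveat: zero or several claimants means the client's packets cannot
        # be forwarded safely; the cache stays empty so the next packet re-probes.
        if len(hits) != 1:
            return None
        self.roaming_out_cache[key] = hits[0]
        return hits[0]


def demo(rule):
    """Fig. 1 topology plus a constructed neighbour AC3: PC1 joined through
    AC1 and roams to AC2.  Returns (first lookup, second lookup, probes sent)."""
    pc1 = "pc1"                      # constructed client identifier
    ac1 = AC("AC1", {1: {pc1}})      # roaming-out AC: PC1 associated here
    ac3 = AC("AC3", {1: set()})      # neighbour that never saw PC1
    ac2 = AC("AC2", {1: set()})      # roaming-in AC
    first = ac2.locate_roaming_out(1, pc1, [ac1, ac3], rule)
    second = ac2.locate_roaming_out(1, pc1, [ac1, ac3], rule)
    return first, second, ac2.probes_sent


if __name__ == "__main__":
    print(demo("flag"))    # ('AC1', 'AC1', 1)
    print(demo("silent"))  # ('AC1', 'AC1', 1)
```

Under both rules the second lookup is served from the cache, so only one probe is sent for the client, which is the resource saving the note above describes. The `len(hits) != 1` check is an addition the text does not spell out: an unanswered probe or two controllers both claiming the client leaves the roaming-in AC without a safe place to forward to, and the model refuses rather than guessing.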
Step 203: the AC sends the encapsulated packet to the obtained roaming-out AC, so that the roaming-out AC performs security control on the wireless client's access.
The access policy on the roaming-out AC is normally established and stored when the client joins, and remains unchanged while the client roams. Therefore, by having the roaming-in AC forward the client's packets to the roaming-out AC, and the roaming-out AC control the client's access according to the access policy stored on it, the client is guaranteed to be controlled by the same access policy before and after roaming.
Specifically, in step 203 the roaming-in AC may re-encapsulate the decapsulated packet, placing the WLAN identifier of the client's WLAN (the WLAN identifier obtained during decapsulation) in the new encapsulation header, and send the re-encapsulated packet to the roaming-out AC. Alternatively, since the roaming-in AC may store the encapsulated packet when it receives it, in step 203 it may forward the stored encapsulated packet directly to the roaming-out AC. These are only two specific ways for the roaming-in AC to deliver the encapsulated packet to the roaming-out AC; the embodiment is not limited to them.
The roaming-out AC decapsulates the received encapsulated packet, obtains the WLAN identifier, selects the corresponding access policy by the WLAN identifier, and filters the client's packet obtained by decapsulation, thereby controlling the client's access.
Different WLANs may apply different access policies to client access, which is why this embodiment distinguishes the access policies of different WLANs by the WLAN identifier.
In the wireless network security access method of this embodiment, when the roaming-in AC determines from the WLAN identifier and the client information that the client has roamed between ACs, it obtains the roaming-out AC through probe packets and forwards the client's packets to it, and the roaming-out AC controls the client's post-roaming access with the pre-roaming access policy. This guarantees that the client is controlled by the same access policy, and has the same access scope, before and after roaming, and solves the prior-art problem of the client's access scope changing when inter-AC roaming occurs.
Further, compared with the prior art, this embodiment does not need to synchronize or migrate access policies between the roaming-in AC and the roaming-out AC, so it avoids the prolonged service interruption caused by policy migration and greatly improves the roaming efficiency and speed of clients that have access policies.
On the basis of the above, this embodiment provides one way of determining that a client has roamed between ACs. Each AC stores the clients associated through it and their related information, i.e. client information is stored on the AC. The AC can therefore use the WLAN identifier obtained by decapsulating the encapsulated packet to retrieve the locally stored client information of the clients associated through it that belong to that WLAN, and compare the client information obtained from the encapsulated packet with it. If the locally stored client information for the same WLAN does not contain this client's information, the AC determines that the client has roamed between ACs; otherwise, the client has not roamed between ACs.
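As an added example (not the patent's or Ruijie's code), the following Python runs steps 201 and 203 together with the local-client-table determination just described, on the 1.1.1.1 / 2.2.2.2 scenario from the background section: PC1 joins WLAN 1 through AC1, whose policy permits the 1.1.1.1 segment, and roams to AC2, whose policy permits the 2.2.2.2 segment. The capsule header layout, the policy representation and the client addresses are assumptions, the two segments are widened to /24 networks, and the probing of step 202 is left out (the roaming-out AC is passed in directly).

```python
"""Steps 201 and 203 end to end, plus the local-client-table roaming check.

Added example; this is not code from the patent or from Ruijie. The
capsule header layout, the dict-based policy representation and the
sample addresses are assumptions; the 1.1.1.1 and 2.2.2.2 segments are
the ones used in the background section, widened here to /24 networks.
Step 202 (locating the roaming-out AC by probing) is left out: the
roaming-out AC is passed in directly.
"""
import ipaddress


def ap_encapsulate(wlan_id, client, inner):
    """AP side: wrap the client's packet in a capsule header carrying the
    WLAN identifier and the client information (assumed layout)."""
    return {"hdr": {"wlan_id": wlan_id, "client": dict(client)}, "inner": inner}


def decapsulate(enc):
    """Strip the capsule header; returns (wlan_id, client info, inner packet)."""
    return enc["hdr"]["wlan_id"], enc["hdr"]["client"], enc["inner"]


class AC:
    def __init__(self, name, clients, policies):
        self.name = name
        # WLAN ID -> {client MAC: info}: clients associated through this AC
        self.clients = clients
        # WLAN ID -> list of networks the clients of that WLAN may reach
        self.policies = policies

    def roamed_between_acs(self, wlan_id, client):
        """Step 201 check: roaming stays within one WLAN, so a client absent
        from this AC's table for that WLAN arrived by inter-AC roaming."""
        return client["mac"] not in self.clients.get(wlan_id, {})

    def filter_packet(self, enc):
        """Policy enforcement: decapsulate, select the policy by WLAN ID, and
        permit the packet only if its destination lies in a permitted network."""
        wlan_id, _client, inner = decapsulate(enc)
        dst = ipaddress.ip_address(inner["dst"])
        permitted = any(dst in net for net in self.policies.get(wlan_id, []))
        return {"permit": permitted, "decided_by": self.name}

    def handle_from_ap(self, enc, roaming_out_ac=None):
        """Roaming-in side. A client that has not roamed is filtered locally
        (the prior-art path); a roamed client's packet is re-encapsulated with
        the same WLAN ID and handed to the roaming-out AC (step 203)."""
        wlan_id, client, inner = decapsulate(enc)
        if not self.roamed_between_acs(wlan_id, client):
            return self.filter_packet(enc)
        if roaming_out_ac is None:
            raise RuntimeError("roamed client but roaming-out AC unknown")
        re_enc = ap_encapsulate(wlan_id, client, inner)
        return roaming_out_ac.filter_packet(re_enc)


def demo():
    """PC1 joins WLAN 1 through AC1 (policy: 1.1.1.0/24), then roams to AC2
    (policy: 2.2.2.0/24). Compares the scheme with the prior-art behaviour
    of applying the roaming-in AC's own policy."""
    pc1 = {"mac": "00:11:22:33:44:55", "ip": "192.0.2.10"}   # constructed values
    ac1 = AC("AC1", {1: {pc1["mac"]: pc1}}, {1: [ipaddress.ip_network("1.1.1.0/24")]})
    ac2 = AC("AC2", {1: {}}, {1: [ipaddress.ip_network("2.2.2.0/24")]})
    to_old_segment = ap_encapsulate(1, pc1, {"dst": "1.1.1.1"})
    to_new_segment = ap_encapsulate(1, pc1, {"dst": "2.2.2.2"})
    return {
        "before_roaming_1.1.1.1": ac1.handle_from_ap(to_old_segment),
        "after_roaming_1.1.1.1": ac2.handle_from_ap(to_old_segment, roaming_out_ac=ac1),
        "after_roaming_2.2.2.2": ac2.handle_from_ap(to_new_segment, roaming_out_ac=ac1),
        "prior_art_local_policy_2.2.2.2": ac2.filter_packet(to_new_segment),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The four verdicts show the point of the scheme: after roaming, AC1 still decides and the client keeps its 1.1.1.x-only access scope, whereas letting AC2 apply its own policy (the last case) would permit 2.2.2.2 and silently widen the client's access scope, which is exactly the drift the background section warns about.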
Because this way of determining whether a client has roamed between ACs relies on client information stored locally on the AC, the required information is easy to obtain, so the scheme is simple to implement and efficient in its judgement.
It should be noted that in the technical scheme of the invention, no matter how many times inter-AC roaming occurs, the roaming-out AC is the AC connected to the AP the client was associated with when it normally accessed the network. For example, if the AC connected to the client's associated AP when it joined the WLAN is the first AC, then when the client roams from the first AC to a second AC, the first AC is the roaming-out AC and the second AC is the roaming-in AC. If the client then roams from the second AC to a third AC, the second AC has no security policy configured for the client (it used the first AC's security policy), and in order for the second roaming to be controlled by the same security policy as the first, the roaming-out AC for the second roaming is still the first AC, while the roaming-in AC is the third AC. Throughout this roaming process the security policy always resides on the first AC.
Embodiment two
A kind of structural representation of the wireless controller that Fig. 3 A provides for the embodiment of the invention two.As shown in Figure 3A, the AC of present embodiment comprises: determination module 31, acquisition module 32 and the first sending module 33.
Wherein, determination module 31 is used for determining that according to the WLAN sign of the encapsulated message that receives and the information of wireless client the AC internetwork roaming has occured wireless client that wherein encapsulated message is to be generated according to the message that wireless client sends by AP; Acquisition module 32 is connected with determination module 31, be used for when determination module 31 determines that the AC internetwork roaming occurs wireless clients, sending probe messages to other AC, with obtain wireless client corresponding diffuse out AC, wherein comprise the information of wireless client in the probe messages; The first sending module 33 is connected with acquisition module with determination module 31 and is connected, and is used for encapsulated message is sent to the AC that diffuses out that obtains the security control when diffusing out AC wireless client is accessed.
Concrete, acquisition module 32 sends probe messages to other AC, other AC receive after the probe messages and can judge that whether it is for diffusing out AC according to the information of wherein wireless client, and send detection response message to the acquisition module 32 of local AC (namely diffusing in AC) according to the rule of making an appointment, obtain according to this detection response message for acquisition module 32 and diffuse out AC.
The AC of present embodiment can be used for carrying out the flow process of the wireless network safety access method that the embodiment of the invention provides, determine that by determination module the AC internetwork roaming occurs wireless client, by acquisition module obtain wireless client corresponding diffuse out AC, and by the first sending module with the message repeating of wireless client to diffusing out AC, the access control when diffusing out AC wireless client is accessed.Because the access strategy that diffuses out on the AC normally adds fashionable foundation at wireless client, and constant in the roam procedure of wireless client, therefore, because the access control when diffusing out AC and according to the access strategy of storing it on wireless client being accessed, guaranteed that the wireless client terminal roam front and back are subject to the control of identical access strategy, overcome in the prior art and may occur the different defective of access profile before and after the wireless client terminal roam when AC internetwork roaming occurs, guaranteed that wireless client has identical access profile before and after roaming.
Further, shown in Fig. 3 B, the determination module 31 of present embodiment comprises: the first receiving element 311, the first acquiring unit 312, comparing unit 313 and determining unit 314.Wherein, the first receiving element 311 is for the encapsulated message that receives the AP transmission that is connected with local AC; This AP receives the message of wireless client, and the message that receives is encapsulated, and the WLAN sign in that capsule header is added wireless client place WLAN forms encapsulated message, and encapsulated message is sent to the first receiving element 311.The first acquiring unit 312 is connected with the first receiving element 311, be used for to resolve the encapsulated message that the first receiving element 311 receives, obtain wherein the WLAN sign and the information of wireless client; Comparing unit 313 is connected with the first acquiring unit 312, is used for the sign according to WLAN, and the client-side information that information and the local AC of wireless client stored compares; Determining unit 314 is connected with comparing unit 313, is used for relatively drawing at comparing unit 3 13: when there is not the information of wireless client in the client-side information of local AC storage, determine that the AC internetwork roaming has occured wireless client.
Further, the determining unit 314 in the present embodiment also is used for relatively drawing at comparing unit 313: when there is the information of wireless client in the client-side information of local AC storage, determine that the AC internetwork roaming does not occur wireless client.Wherein, when determining wireless client the AC internetwork roaming does not occur, can determine that result offer existing capability module among the AC, such as the access control module of wireless client being carried out access control etc.Because wireless client does not occur in the situation of AC internetwork roaming, the subsequent treatment that AC carries out is same as the prior art, and therefore, present embodiment does not describe the AC structure that realizes this function, can be referring to prior art.
Wherein, the specific implementation structure of the determination module that above-described embodiment provides only is not limited to this for example for a kind of, also can adopt other structures or functional module to realize.
Further, on the basis of technique scheme, present embodiment provides a kind of specific implementation structure of acquisition module 32, but is not limited to this.Comprise such as this acquisition module 32 of Fig. 3 B: transmitting element 321, the second receiving element 322 and second acquisition unit 323.Wherein, transmitting element 321 is connected with determination module 31 or determining unit 314, is used for sending probe messages to other AC; The second receiving element 322 is connected with transmitting element 321, is used for receiving the detection response message that other AC send after transmitting element 321 sends probe messages; Wherein this detection response message is the rule of being made an appointment by other AC bases, returns after receiving probe messages, and comprises the information that diffuses out AC in this detection response message.Second acquisition unit 323 is connected with the second receiving element 322, is used for according to detection response message, obtains and diffuses out AC.For example can by resolving detection response message, determine to diffuse out AC according to the AC flag that diffuses out of wherein carrying, but be not limited to this.Wherein, transmitting element 321 can preferably only send probe messages according to first encapsulated message, diffuses out AC to obtain.
On the basis of the above technical solution, the AC of the present embodiment further comprises a receiver module and a second sending module. Specifically, the AC of the present embodiment acts as a neighbour of other ACs; when another AC sends probe messages to obtain its corresponding roamed-out AC, the AC of the present embodiment may receive, through the receiver module, the probe message that the other AC sends to obtain the roamed-out AC, and send a probe response message to the other AC through the second sending module according to a pre-agreed rule, so that the other AC obtains the roamed-out AC it needs from this probe response message. The second sending module sends the probe response message according to a rule agreed in advance between the ACs. For example, the ACs may agree that, upon receiving a probe message, an AC sends a probe response message to the AC that sent the probe, and indicates by a flag in the probe response message whether it is the roamed-out AC; under this rule, the second sending module of the present embodiment sends a probe response message carrying the flag to the other AC whenever a probe message is received. As another example, the ACs may agree that an AC sends a probe response message to the AC that sent the probe only when it receives the probe message and is itself the roamed-out AC, and sends none if it is not the roamed-out AC; under this rule, the second sending module of the present embodiment sends a probe response message to the other AC only when the AC of the present embodiment is the roamed-out AC corresponding to that other AC, and otherwise sends none. In that case the other AC receives a probe response message only from the roamed-out AC, and can determine the roamed-out AC from the probe response message it receives.
Through the above technical solution, the AC of the present embodiment, when it is the roamed-out AC for another AC, can announce to that other AC that it is the roamed-out AC.
In summary, the AC provided by the present embodiment can be used to carry out the flow of the wireless network secure access method provided by the embodiments of the invention. It likewise ensures that the wireless client is subject to the same access policy before and after roaming, overcoming the prior-art defect that the access policy of a wireless client may differ before and after roaming when inter-AC roaming occurs, and ensuring that the wireless client has the same access policy before and after roaming.
Embodiment three
Fig. 4 is a schematic structural diagram of the wireless network secure access system provided by embodiment three of the invention. The system of the present embodiment comprises ACs, APs and wireless clients. The system comprises a plurality of ACs, which are interconnected and belong to the same WLAN; likewise, the system may comprise a plurality of APs or a plurality of wireless clients. Only 2 ACs, 2 APs and 1 wireless client are shown in the system of Fig. 4, namely AC41 and AC42, AP43 and AP44, and wireless client 45.
AC41 and AC42 in the present embodiment may be the AC provided by the above embodiments of the invention; their specific structure and functions are described in the above embodiments and are not repeated here.
Wireless client 45 is connected with AP43 or AP44, specifically over a wireless connection, and is used to send messages to AP43 or AP44. AP43 and AP44 are connected with AC41 and AC42, and are used to generate encapsulated messages according to the messages sent by wireless client 45 and to send the encapsulated messages to AC41 and AC42.
In the system of the present embodiment, when wireless client 45 moves and inter-AC roaming occurs, for example when it changes from being associated with AP43 to being associated with AP44, inter-AC roaming has taken place. At this point, AC42 in the present embodiment decapsulates the encapsulated message sent by AP44 and determines, from the WLAN identifier and the information of wireless client 45 carried in it together with the locally stored client information, that wireless client 45 has undergone inter-AC roaming. AC42 then sends a probe message to AC41, receives the probe response message returned by AC41 and learns from it that AC41 is the roamed-out AC, and sends the encapsulated message received from AP44 to AC41, so that AC41 performs access control when wireless client 45 accesses the network. It should be noted that the probe message used to obtain AC41 is preferably sent only when the first encapsulated message is received; once the roamed-out AC has been identified as AC41 and the information of AC41 has been stored, subsequently received encapsulated messages can be forwarded directly to AC41 for access control.
Further, AP44 in the present embodiment may comprise a third receiving unit and an encapsulation unit. The third receiving unit is used to receive the message sent by wireless client 45; the encapsulation unit is used to encapsulate the WLAN ID of the WLAN to which AP44, wireless client 45 and AC41 belong together with the received message, specifically by writing the WLAN ID into the header of the received message, to form the encapsulated message sent to AC42. AP43 may also comprise the above functional units.
The wireless network secure access system of the present embodiment can likewise carry out the flow of the wireless network secure access method provided by the embodiments of the invention. Specifically, the roamed-in AC forwards the messages of the wireless client to the roamed-out AC, and the roamed-out AC performs access control when the wireless client accesses the network. This ensures that the wireless client is subject to the same access policy before and after roaming, so that it has the same access policy throughout, and solves the prior-art problem that the access policy of a wireless client changes when inter-AC roaming occurs.
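The roaming-detection, probe and forwarding flow described above (determination by local client lookup, probe only on the first encapsulated message, probe response under the "reply only if roamed-out AC" rule, forwarding to the roamed-out AC) as an added simulation; this is example code, not the patent's or the assignee's implementation. The class and method names, the use of a MAC address as the "wireless client information", the policy strings and the deny-when-unknown fallback are assumptions made for the example.

```python
# Added example, not the patent's own code: a simulation of the inter-AC roaming flow
# above. Names, MAC-as-client-info and the deny-when-unknown fallback are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ClientKey = Tuple[str, str]  # (WLAN identifier, client MAC)

@dataclass(frozen=True)
class EncapsulatedMessage:  # WLAN ID and client info written by the AP into the header
    wlan_id: str
    client_mac: str
    payload: bytes

class WirelessController:
    def __init__(self, name: str) -> None:
        self.name = name
        self.peers: List["WirelessController"] = []  # other ACs in the same WLAN
        self.clients: Dict[ClientKey, str] = {}      # locally stored client info -> access policy
        self.roamed_out: Dict[ClientKey, "WirelessController"] = {}  # cached roamed-out AC
        self.probes_sent = 0

    def register_client(self, wlan_id: str, mac: str, policy: str) -> None:
        self.clients[(wlan_id, mac)] = policy

    def handle_probe(self, wlan_id: str, mac: str) -> Optional[str]:
        # Pre-agreed rule (second variant in the text): reply only if this AC is the
        # roamed-out AC for the probed client; otherwise send nothing.
        return self.name if (wlan_id, mac) in self.clients else None

    def handle_encapsulated(self, msg: EncapsulatedMessage) -> str:
        key = (msg.wlan_id, msg.client_mac)
        if key in self.clients:
            return self.access_control(msg)  # known locally: no inter-AC roaming
        home = self.roamed_out.get(key)
        if home is None:
            # First encapsulated message of a roamed client: probe the other ACs.
            home = self.probe_peers(key)
            if home is None:
                return "deny: client unknown to all controllers"  # assumed fallback
            self.roamed_out[key] = home  # later messages are forwarded without probing
        # Forward to the roamed-out AC so the pre-roaming access policy still applies.
        return home.access_control(msg)

    def probe_peers(self, key: ClientKey) -> Optional["WirelessController"]:
        self.probes_sent += 1
        for peer in self.peers:
            if peer.handle_probe(*key) == peer.name:
                return peer
        return None

    def access_control(self, msg: EncapsulatedMessage) -> str:
        policy = self.clients[(msg.wlan_id, msg.client_mac)]
        return f"{self.name} applies policy '{policy}' to {msg.client_mac}"

class AccessPoint:
    def __init__(self, name: str, wlan_id: str, controller: WirelessController) -> None:
        self.name, self.wlan_id, self.controller = name, wlan_id, controller

    def forward(self, client_mac: str, payload: bytes) -> str:
        # Encapsulation unit: write the WLAN ID and client info into the header, send to the AC.
        return self.controller.handle_encapsulated(EncapsulatedMessage(self.wlan_id, client_mac, payload))

def build_topology():
    """Fig. 4 topology: AC41 and AC42 as peers, AP43 on AC41, AP44 on AC42, client 45 on AC41."""
    ac41, ac42 = WirelessController("AC41"), WirelessController("AC42")
    ac41.peers.append(ac42)
    ac42.peers.append(ac41)
    ac41.register_client("wlan-staff", "00:11:22:33:44:55", "staff-vlan")  # constructed sample data
    return ac41, ac42, AccessPoint("AP43", "wlan-staff", ac41), AccessPoint("AP44", "wlan-staff", ac42)
```

Sending the same client's traffic through AP43 and then AP44 shows AC41's policy applied both times, with AC42 probing exactly once and forwarding later messages from its cache.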
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (9)

1. A wireless network secure access method, characterized by comprising:
a wireless controller determining, according to a wireless local area network (WLAN) identifier and wireless client information in a received encapsulated message, that inter-wireless-controller roaming has occurred for the wireless client, the encapsulated message being generated by a wireless access point according to a message sent by the wireless client;
the wireless controller sending a probe message to other wireless controllers in order to obtain the roamed-out wireless controller, the probe message comprising the information of the wireless client;
the wireless controller sending the encapsulated message to the obtained roamed-out wireless controller, so that the roamed-out wireless controller performs security control when the wireless client accesses the network.
2. The wireless network secure access method according to claim 1, characterized in that the wireless controller determining, according to the WLAN identifier and wireless client information in the received encapsulated message, that inter-wireless-controller roaming has occurred for the wireless client comprises:
the wireless controller receiving the encapsulated message sent by the wireless access point;
the wireless controller parsing the encapsulated message to obtain the WLAN identifier and the wireless client information;
the wireless controller comparing, according to the WLAN identifier, the wireless client information with the client information stored locally on the wireless controller;
when the wireless client information is not present in the client information stored locally on the wireless controller, the wireless controller determining that inter-wireless-controller roaming has occurred for the wireless client.
3. The wireless network secure access method according to claim 1 or 2, characterized in that the wireless controller sending a probe message to other wireless controllers in order to obtain the roamed-out wireless controller comprises:
the wireless controller sending the probe message to the other wireless controllers;
the wireless controller receiving the probe response messages that the other wireless controllers send according to a pre-agreed rule;
the wireless controller obtaining the roamed-out wireless controller according to the probe response messages.
4. A wireless controller, characterized by comprising:
a determination module, used to determine, according to the WLAN identifier and wireless client information in a received encapsulated message, that inter-wireless-controller roaming has occurred for the wireless client, the encapsulated message being generated by a wireless access point according to a message sent by the wireless client;
an acquisition module, used to send a probe message to other wireless controllers in order to obtain the roamed-out wireless controller, the probe message comprising the information of the wireless client;
a first sending module, used to send the encapsulated message to the obtained roamed-out wireless controller, so that the roamed-out wireless controller performs security control when the wireless client accesses the network.
5. The wireless controller according to claim 4, characterized in that the determination module comprises:
a first receiving unit, used to receive the encapsulated message sent by the wireless access point;
a first acquiring unit, used to parse the encapsulated message and obtain the WLAN identifier and the wireless client information;
a comparing unit, used to compare, according to the WLAN identifier, the wireless client information with the client information stored locally on the wireless controller;
a determining unit, used to determine that inter-wireless-controller roaming has occurred for the wireless client when the comparison by the comparing unit shows that the wireless client information is not present in the client information stored locally on the wireless controller.
6. The wireless controller according to claim 4 or 5, characterized in that the acquisition module comprises:
a transmitting unit, used to send the probe message to the other wireless controllers;
a second receiving unit, used to receive the probe response messages that the other wireless controllers send according to a pre-agreed rule;
a second acquiring unit, used to obtain the roamed-out wireless controller according to the probe response messages.
7. The wireless controller according to claim 4 or 5, characterized by further comprising:
a receiver module, used to receive probe messages sent by the other wireless controllers;
a second sending module, used to send a probe response message to the other wireless controllers according to a pre-agreed rule, so that the other wireless controllers obtain the roamed-out wireless controller according to the probe response message.
8. A wireless network secure access system comprising the wireless controller according to any one of claims 4 to 7, characterized by further comprising a wireless access point and a wireless client;
the wireless client being connected with the wireless access point and used to send messages to the wireless access point;
the wireless access point being connected with the wireless controller and used to generate an encapsulated message according to the message sent by the wireless client and to send the encapsulated message to the wireless controller.
9. The wireless network secure access system according to claim 8, characterized in that the wireless access point comprises:
a third receiving unit, used to receive the message sent by the wireless client;
an encapsulation unit, used to encapsulate the WLAN identifier of the WLAN to which it belongs together with the message, forming the encapsulated message.
CN201010571646.7A 2010-11-29 2010-11-29 Wireless network safety access method, system and wireless controller Active CN102014391B (en)

Publications (2)

Publication Number Publication Date
CN102014391A CN102014391A (en) 2011-04-13
CN102014391B true CN102014391B (en) 2013-05-29
