CN103188662B - Method and device for verifying a wireless access point - Google Patents

Publication number
CN103188662B
Authority
CN
China
Legal status
Active
Application number
CN201110454941.9A
Other versions
CN103188662A (en)
Inventor
宁建创
李悦
莫晓斌
袁兵
陈励锋
何秋萍
Current Assignee
China Mobile Group Guangxi Co Ltd
Original Assignee
China Mobile Group Guangxi Co Ltd

Abstract

The invention discloses a method and a device for verifying a wireless access point (AP), comprising: obtaining a negotiation packet sent by the AP; obtaining first-type address information from the negotiation packet; sending to the AP a request for the second-type address information corresponding to the first-type address information; if the second-type address information fed back by the AP is received, determining that the AP passes verification; if the second-type address information fed back by the AP is not received, determining that the AP fails verification, and refusing to process the negotiation packet sent by the AP that failed verification. With this technical solution, once an AP is determined to have failed verification, the negotiation packets it sends can be refused, that is, information about an AP that failed verification is not saved in the AC. This prevents the AC from saving information about a large number of unverified false APs, and thereby improves the AC's capacity to process AP registration requests and wireless network user service requests.

Description

Method and device for verifying a wireless access point
Technical field
The present invention relates to the field of communication technology, and in particular to a method and a device for verifying a wireless access point.
Background art
With the development of network technology, wireless local area networks (Wireless Local Area Networks, WLAN) are used more and more widely.
Fig. 1 shows a schematic structural diagram of an existing wireless local area network. The network comprises a terminal 101 of a wireless network user, a wireless access point (Access Point, AP) 102 (in practice there may be multiple APs; AP 102 is only an example) and a wireless access controller (Access Controller, AC) 103 (in practice there may be multiple ACs; AC 103 is only an example), wherein:
In the WLAN, the AC 103 mainly aggregates the data sent by the AP 102 and connects it to the Internet. In addition, the AC 103 can configure and manage the AP 102, authenticate and manage wireless network users, and control the bandwidth used for data transmission.
When a wireless network user requests a service provided over the Internet, the user's terminal 101 needs to send a service request to the AC 103 through the AP 102, and the AC 103 then forwards the service request to the corresponding receiving entity on the Internet. In practice, before the AP 102 sends a service request to the AC 103, the AP 102 must first register with the AC 103.
Fig. 2 shows a schematic flow chart, based on Fig. 1, of an AP registering with an AC. As shown in Fig. 2, the registration process mainly comprises the following steps:
Step 201: the AP sends a discovery request (Discovery Request) to the AC.
Step 202: after receiving the Discovery Request sent by the AP, the AC sends the AP a response message indicating that the Discovery Request was successfully received.
Step 203: after receiving the response message sent by the AC, the AP confirms that the AC exists and sends the AC a registration request to join this AC.
In step 203, the registration request that the AP sends to the AC generally contains information about the AP, for example the AP's address information and device information.
Step 204: after receiving the AP's registration request, the AC saves the AP information contained in the registration request in a locally established AP information table.
At this point, the registration of the AP with the AC is complete.
Through the flow of Fig. 2, an AP can register with an AC, and the AC saves the AP's information so that it can subsequently authenticate the AP. In practice, the format of the messages exchanged between the AC and the AP can be negotiated by the two, and the messages subsequently exchanged between the AC and the AP are called negotiation packets.
After an AP has registered with the AC, a data transmission channel can be established between the AP and the AC. Over this channel the AP can send the service requests of wireless network users to the AC for subsequent processing. However, the channel also gives a malicious user a way to attack the AC: over it, the malicious user sends a large number of negotiation packets, and the AP information carried in each negotiation packet is generally false. On receiving such a negotiation packet, the AC assumes that an AP matching the carried information is registering and saves that information. The storage space of the AP information table in the AC is thus taken up by a large amount of false information, which may prevent normal APs from registering with the AC and may further leave the AC unable to process the service requests of wireless network users, seriously affecting the normal operation of the AC.
In summary, in the prior art, after receiving an AP's registration request the AC directly saves the AP information contained in the request in the locally established AP information table; that is, the AC performs no security verification of the AP. As a result, when a malicious user exploits the AP registration process to send the AC a large number of messages carrying false AP information, the AC may save information about a large number of false APs, which reduces its capacity to process AP registration requests and wireless network user service requests.
Summary of the invention
In view of this, embodiments of the present invention provide a method and a device for verifying a wireless access point. With this technical solution, the AC can be prevented from saving information about false APs, which improves the AC's capacity to process AP registration requests and wireless network user service requests.
The embodiments of the present invention are implemented through the following technical solutions:
According to one aspect of the embodiments of the present invention, a method for verifying a wireless access point is provided, comprising:
obtaining a negotiation packet sent by a wireless access point (AP), and obtaining first-type address information from the negotiation packet;
sending to the AP a request for the second-type address information corresponding to the first-type address information;
if the second-type address information fed back by the AP is received, determining that the AP passes verification;
if the second-type address information fed back by the AP is not received, determining that the AP fails verification, and refusing to process the negotiation packet sent by the AP that failed verification.
According to another aspect of the embodiments of the present invention, a device for verifying a wireless access point is also provided, comprising:
an address information acquiring unit, configured to obtain a negotiation packet sent by a wireless access point (AP) and to obtain first-type address information from the negotiation packet;
a request sending unit, configured to send to the AP a request for the second-type address information corresponding to the first-type address information obtained by the address information acquiring unit;
an address information verification unit, configured to determine that the AP passes verification when the second-type address information fed back by the AP in response to the request sent by the request sending unit is received; and, when the second-type address information fed back by the AP in response to the request sent by the request sending unit is not received, to determine that the AP fails verification and to refuse to process the negotiation packet sent by the AP that failed verification.
With at least one of the above technical solutions provided by the embodiments of the present invention, first-type address information can be obtained from the negotiation packet sent by an AP, and a request for the second-type address information corresponding to that first-type address information is sent to the AP. If the second-type address information fed back by the AP is received, the AP is determined to pass verification; if it is not received, the AP is determined to fail verification, and the negotiation packet sent by the AP that failed verification is refused. With this technical solution, APs can be verified and the APs that fail verification identified. Further, once an AP is determined to have failed verification, the negotiation packets it sends can be refused, that is, information about an AP that failed verification is not saved in the AC. Compared with the prior art, this avoids the problem of the AC saving information about a large number of unverified false APs, and thereby improves the AC's capacity to process AP registration requests and wireless network user service requests.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the specification or be understood by practicing the invention. The objects and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the written specification, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings provide a further understanding of the present invention and form part of the specification. Together with the embodiments of the present invention they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a schematic structural diagram of a wireless local area network provided by the prior art;
Fig. 2 is a schematic flow chart, provided by the prior art, of an AP registering with an AC;
Fig. 3 is a schematic structural diagram of a wireless network system provided by embodiment one of the present invention;
Fig. 4 is a schematic flow chart of verifying a wireless access point provided by embodiment one of the present invention;
Fig. 5 is a schematic flow chart of verifying the AP that sent a negotiation packet, provided by embodiment one of the present invention;
Fig. 6 is another schematic flow chart of verifying the AP that sent a negotiation packet, provided by embodiment one of the present invention;
Fig. 7 is a further schematic flow chart of verifying the AP that sent a negotiation packet, provided by embodiment one of the present invention;
Fig. 8 is a schematic structural diagram of a wireless network system applying the method for verifying a wireless access point, provided by embodiment two of the present invention;
Fig. 9 is a schematic flow chart of verifying a wireless access point in a wireless network system, provided by embodiment two of the present invention;
Fig. 10 is a schematic flow chart of data interaction in a wireless network system, provided by embodiment two of the present invention;
Fig. 11 is a schematic structural diagram of a device for verifying a wireless access point provided by embodiment three of the present invention.
Detailed description of the embodiments
In order to provide an implementation that improves the AC's capacity to process AP registration requests and wireless network user service requests, embodiments of the present invention provide a method and a device for verifying a wireless access point. The preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and do not limit it. Where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with one another.
The technical solution provided by the invention can be applied in the wireless network system shown schematically in Fig. 3. Specifically, the system comprises a user terminal 301, an AP 302 (in practice there may be multiple APs; AP 302 is only an example), a safeguard 303 and an AC 304, wherein:
When applying for authentication by the AC 304, the AP 302 sends a negotiation packet to the AC 304. Before the AC 304 receives the negotiation packet, however, the safeguard 303 of the AC 304 can verify the AP 302 that sent it, and once the AP 302 has passed verification, the data that the user terminal 301 forwards through the AP 302 can be received.
In the wireless network system shown in Fig. 3 the safeguard 303 is independent of the AC 304. In practice the safeguard 303 can also be placed inside the AC 304, as a module of the AC 304 that implements the corresponding AP authentication function.
Embodiment one
Embodiment one provides a method for verifying a wireless access point. The method can be applied in the wireless network system shown in Fig. 3. Applying this technical solution in the system prevents the AC from saving information about a large number of false APs, and thereby improves the AC's capacity to process AP registration requests and wireless network user service requests.
Fig. 4 shows a schematic flow chart of verifying a wireless access point provided by embodiment one. As shown in Fig. 4, the process of verifying the wireless access point mainly comprises the following steps:
Step 401: obtain the negotiation packet sent by the AP, and obtain first-type address information from the obtained negotiation packet.
In step 401, the negotiation packet may be a broadcast message sent by the AP in broadcast mode, a unicast message sent by the AP in unicast mode, or a multicast message sent by the AP in multicast mode. Further, the negotiation packet may be a single message containing the first-type address information, or the multiple messages the AC needs in order to verify the AP; a negotiation packet comprising multiple messages includes a message carrying the first-type address information. For example, the first-type address information can be carried in the discovery request (Discovery Request) message contained in the control messages of the wireless access point control and configuration protocol (Control And Provisioning of Wireless Access Points Protocol Specification, CAPWAP) that the AP sends to the AC.
Step 402: send to the AP a request for the second-type address information corresponding to the first-type address information.
In step 402, the first-type address information and the second-type address information correspond to each other: if the first-type address information is MAC address information, the second-type address information is Internet Protocol (IP) address information; or, if the first-type address information is IP address information, the second-type address information is MAC address information. In practice, the request for the second-type address information corresponding to the first-type address information can be sent to the AP according to the Address Resolution Protocol (ARP) and inverse ARP. For example, a request for the MAC address information corresponding to IP address information is sent to the AP according to ARP, and a request for the IP address information corresponding to MAC address information is sent to the AP according to inverse ARP.
Step 403: determine whether the second-type address information returned by the AP has been received. If so, perform step 404; if not, perform step 405.
Step 404: determine that the AP passes verification.
Step 405: determine that the AP fails verification, and refuse to process the negotiation packet sent by the AP that failed verification.
In step 405, when the AP is determined to have failed verification, the negotiation packet it sent can be considered to carry unsafe data, or the information carried in the negotiation packet may be forged. The negotiation packet is therefore treated as an invalid message and is not processed. For example, after the AP is determined to have failed verification, its information is not saved in the AC; further, the negotiation packet sent by the AP that failed verification can be deleted, or an alert can be sent.
At this point, the flow of verifying the wireless access point ends.
The verification flow of Fig. 4 can be performed by the safeguard shown in Fig. 3, or by the AC. If it is performed by the AC, no safeguard need be deployed in the wireless network system.
In the flow of Fig. 4, the AP that sent a negotiation packet can be verified and the APs that fail verification identified. Once an AP is determined to have failed verification, the negotiation packets it sends can be refused, that is, information about an AP that failed verification is not saved in the AC. Compared with the prior art, this avoids the problem of the AC saving information about a large number of unverified false APs, and thereby improves the AC's capacity to process AP registration requests and wireless network user service requests.
In the flow of Fig. 4, if second-type address information is obtained from the negotiation packet sent by the AP in step 401 in addition to the first-type address information, then after step 403 determines that the second-type address information fed back by the AP has been received, and before step 404 is performed (that is, before the AP is confirmed to pass verification), the following can additionally be performed:
determine whether the second-type address information fed back by the AP matches the second-type address information obtained from the negotiation packet;
if they match, perform step 404 above; otherwise, determine that the AP fails verification.
The way of judging whether the second-type address information fed back by the AP matches the second-type address information obtained from the negotiation packet can be set flexibly according to the circumstances. For example, the match can be determined from the identification information in a set field of the second-type address information; or it can be judged whether the second-type address information fed back by the AP is identical to the second-type address information obtained from the negotiation packet, in which case the two match if they are identical and do not match otherwise. Other matching methods can also be used in practice and are not listed one by one here.
In the flow of Fig. 4, after step 403 determines that the second-type address information returned by the AP has been received, and before step 404 is performed (that is, before the AP is confirmed to pass verification), the following can also be performed:
determine whether the address information that a Dynamic Host Configuration Protocol (DHCP) server has saved for the first-type address information matches the received second-type address information;
if they match, perform step 404; otherwise, determine that the AP fails verification.
This solution provides several preferred implementations for determining whether the address information saved in the DHCP server for the first-type address information matches the second-type address information fed back by the AP, so as to further determine whether the AP that sent the negotiation packet passes verification, as follows:
Preferred implementation one
In preferred implementation one, the correspondences between first-type address information and second-type address information saved locally by the DHCP server are obtained, and it is determined whether they include a correspondence between the first-type address information obtained from the negotiation packet and the second-type address information fed back by the AP, thereby determining whether the AP that sent the negotiation packet passes verification. As shown in Fig. 5, the process of verifying the AP that sent the negotiation packet mainly comprises the following steps:
Step 501: obtain the correspondences between first-type address information and second-type address information saved by the DHCP server.
In step 501, in practice the DHCP server usually generates an information list locally in which the correspondences between first-type address information and second-type address information are saved.
Step 502: determine whether the obtained correspondences include a correspondence between the first-type address information obtained from the negotiation packet and the second-type address information fed back by the AP. If so, perform step 503; if not, perform step 504.
Step 503: determine that the AP that sent the negotiation packet passes verification.
Step 504: determine that the AP that sent the negotiation packet fails verification, and refuse to process the negotiation packet.
At this point, the flow of verifying the AP that sent the negotiation packet ends.
Preferred implementation two
In preferred implementation two, the DHCP server is instructed to feed back the second-type address information it has saved for the first-type address information obtained from the negotiation packet, and it is determined whether the second-type address information fed back by the DHCP server matches the second-type address information fed back by the AP. If they match, the AP that sent the negotiation packet is determined to pass verification. As shown in Fig. 6, the process of verifying the AP that sent the negotiation packet mainly comprises the following steps:
Step 601: send the DHCP server an instruction to feed back the second-type address information saved for the first-type address information obtained from the negotiation packet.
Step 602: determine whether the second-type address information fed back by the DHCP server matches the second-type address information fed back by the AP. If so, perform step 603; otherwise, perform step 604.
Step 603: determine that the AP that sent the negotiation packet passes verification.
Step 604: determine that the AP that sent the negotiation packet fails verification, and refuse to process the negotiation packet.
At this point, the flow of verifying the AP that sent the negotiation packet ends.
With reference to the flow of Fig. 6, the DHCP server can alternatively be instructed to feed back the first-type address information it has saved for the second-type address information fed back by the AP, and it is then determined whether the first-type address information fed back by the DHCP server matches the first-type address information obtained from the negotiation packet. The details are not repeated here.
Preferred implementation three
In preferred implementation three, the correspondence between the first-type address information obtained from the negotiation packet and the second-type address information fed back by the AP is sent to the DHCP server. After the DHCP server determines that this correspondence exists among the correspondences between first-type address information and second-type address information that it has saved locally, the AP that sent the negotiation packet is determined to pass verification. As shown in Fig. 7, the process of verifying the AP that sent the negotiation packet mainly comprises the following steps:
Step 701: send the DHCP server the correspondence between the first-type address information obtained from the negotiation packet and the second-type address information fed back by the AP.
Step 702: the DHCP server determines whether the locally saved correspondences between first-type address information and second-type address information include the correspondence between the first-type address information obtained from the negotiation packet and the second-type address information fed back by the AP. If so, perform step 703; if not, perform step 704.
Step 703: receive from the DHCP server the result that the correspondence between the first-type address information obtained from the negotiation packet and the second-type address information fed back by the AP exists locally, and determine that the AP that sent the negotiation packet passes verification.
Step 704: receive from the DHCP server the result that the correspondence between the first-type address information obtained from the negotiation packet and the second-type address information fed back by the AP does not exist locally, and determine that the AP that sent the negotiation packet fails verification.
In step 704, the correspondences saved by the DHCP server may contain a correspondence between the first-type address information obtained from the negotiation packet and some other second-type address information, different from that fed back by the AP; or a correspondence between the second-type address information fed back by the AP and some other first-type address information, different from that obtained from the negotiation packet; or no information at all about either the first-type address information obtained from the negotiation packet or the second-type address information fed back by the AP.
At this point, the flow of verifying the AP that sent the negotiation packet ends.
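The flow of Fig. 4, together with the optional packet-consistency check and the DHCP correspondence check, can be sketched as follows, next to the unverified registration of Fig. 2 for comparison. This is an added example, not code from the patent: the class and function names, the `resolve` callback that stands in for the ARP request to the AP, the reason codes (which follow the three cases listed for step 704) and all addresses are constructed for illustration, and the first-type address is taken to be the IP address.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class Verdict(Enum):
    PASS = "verified"
    NO_REPLY = "AP returned no second-type address"            # step 405
    PACKET_MISMATCH = "reply differs from address in the packet"
    DHCP_OTHER_MAC = "DHCP binds this IP to a different MAC"    # step 704, case 1
    DHCP_OTHER_IP = "DHCP binds this MAC to a different IP"     # step 704, case 2
    DHCP_UNKNOWN = "DHCP has no record of this IP or MAC"       # step 704, case 3


@dataclass(frozen=True)
class NegotiationPacket:
    ip: str                     # first-type address (assumed to be the IP here)
    mac: Optional[str] = None   # second-type address, if the packet carries one
    device_info: str = ""


# Hypothetical stand-in for the ARP request: returns the MAC that answers, or None.
Resolver = Callable[[str], Optional[str]]


def norm(mac: str) -> str:
    """Normalise MAC notation so 02-00-.. and 02:00:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def verify_ap(pkt: NegotiationPacket, resolve: Resolver,
              dhcp: Optional[Dict[str, str]] = None) -> Verdict:
    reply = resolve(pkt.ip)                      # steps 402 and 403
    if reply is None:
        return Verdict.NO_REPLY
    reply = norm(reply)
    # Optional check: the packet itself carried a second-type address.
    if pkt.mac is not None and norm(pkt.mac) != reply:
        return Verdict.PACKET_MISMATCH
    if dhcp is None:                             # DHCP check not deployed
        return Verdict.PASS
    bindings = {ip: norm(mac) for ip, mac in dhcp.items()}
    bound = bindings.get(pkt.ip)
    if bound == reply:
        return Verdict.PASS
    if bound is not None:
        return Verdict.DHCP_OTHER_MAC
    if reply in bindings.values():
        return Verdict.DHCP_OTHER_IP
    return Verdict.DHCP_UNKNOWN


class AccessController:
    """AC (or the safeguard in front of it) holding the AP information table."""

    def __init__(self, resolve: Optional[Resolver] = None,
                 dhcp: Optional[Dict[str, str]] = None):
        self.resolve, self.dhcp = resolve, dhcp
        self.ap_table: Dict[str, NegotiationPacket] = {}
        self.alerts: Counter = Counter()

    def handle(self, pkt: NegotiationPacket) -> Verdict:
        if self.resolve is None:                 # Fig. 2 behaviour: no verification
            verdict = Verdict.PASS
        else:
            verdict = verify_ap(pkt, self.resolve, self.dhcp)
        if verdict is Verdict.PASS:
            self.ap_table[pkt.ip] = pkt          # only verified APs are saved
        else:
            self.alerts[verdict] += 1            # packet dropped, alert counted
        return verdict


def run_demo():
    # Constructed sample data: hosts that answer ARP, and the DHCP correspondences.
    live = {"192.0.2.10": "02:00:00:00:00:10", "192.0.2.11": "02:00:00:00:00:11",
            "192.0.2.99": "02:00:00:00:00:99"}
    dhcp = {"192.0.2.10": "02-00-00-00-00-10", "192.0.2.11": "02:00:00:00:00:11"}
    packets = [NegotiationPacket("192.0.2.10", "02:00:00:00:00:10", "AP-lobby"),
               NegotiationPacket("192.0.2.11", device_info="AP-floor2")]
    # 200 registrations carrying false AP information that nothing answers for.
    packets += [NegotiationPacket(f"198.51.100.{i}", f"02:aa:00:00:00:{i:02x}")
                for i in range(1, 201)]
    packets.append(NegotiationPacket("192.0.2.10", "02:bb:00:00:00:01"))  # real IP, false MAC
    packets.append(NegotiationPacket("192.0.2.99"))  # answers ARP, unknown to DHCP
    legacy, guarded = AccessController(), AccessController(live.get, dhcp)
    for pkt in packets:
        legacy.handle(pkt)
        guarded.handle(pkt)
    return legacy, guarded


if __name__ == "__main__":
    legacy, guarded = run_demo()
    print("unverified AP table size:", len(legacy.ap_table))
    print("verified AP table:", sorted(guarded.ap_table))
    for verdict, count in guarded.alerts.items():
        print(f"rejected {count}: {verdict.value}")
```
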
Embodiment two
The preferred embodiment two provides a kind of application scenarios verifying the method for WAP (wireless access point) that a kind of embodiment one provides.
Fig. 8 shows a kind of structural representation of Radio Network System of method of application verification WAP (wireless access point), what embodiment one provided a kind ofly verifies that the method for WAP (wireless access point) can be applied in this Radio Network System, particularly, this Radio Network System comprises user terminal 801, and (in practical application, this user terminal may for multiple, user terminal 801 is only example herein), (in practical application, this AP may be multiple to AP 802, AP 802 is only example herein), switch 803, safeguard 804, AC 805, remote customer dialing authentication service (Remote Authentication Dial In user Service, Radius) server 806, entrance (Portal) server 807 and DynamicHost arrange agreement (Dynamic Host Configuration Protocol, DHCP) server 808, wherein:
Access request from AP 802 can carry out converging and entering the Internet by AC 805, before the access request receiving AP 802, AP 802 can send access request to Dynamic Host Configuration Protocol server 808, and receive the information of the AC that Dynamic Host Configuration Protocol server 808 sends according to access request, the information of this AC comprises the IP address information and configuration information etc. of AC, then AP 802 can go out the AC that will set up data channel according to the Information Selection of the AC received, to set up data channel with this AC (the technical program with the AC selected for AC 805 describes accordingly), the access request of user terminal 801 is forwarded to AC 805, in addition, this Dynamic Host Configuration Protocol server 808 can also operate accordingly according to the instruction of safeguard 804, and the mac address information such as preserved this locality according to the instruction of safeguard 804 and the corresponding relation of IP address information are sent to safeguard 804,
After AP 802 and AC 805 set up data channel, the access request of user terminal 801 can be forwarded to AC 805 by switch 803 by AP 802;
Portal server 807 provides the network authentication page for user terminal 801, and the authentication information that user submits to is submitted to Radius server 806 carries out certification.
The Radio Network System corresponding according to Fig. 8, Fig. 9 provides a kind of schematic flow sheet verifying WAP (wireless access point) in this Radio Network System, namely sets up the flow process of AP 802 and AC 805 data channel, particularly, the process of checking WAP (wireless access point), as shown in Figure 9, mainly comprises the following steps:
Step 901: AP 802 sends an access request to DHCP server 808 to obtain the AC information stored by DHCP server 808.
Step 902: from the obtained AC information, AP 802 determines that the AC with which the data channel is to be established is AC 805, and sends a negotiation packet to switch 803 according to the IP address information of AC 805.
In step 902, the AC information obtained by AP 802 includes the IP address information and other configuration information of each AC.
Step 903: switch 803 sends the received negotiation packet to safeguard 804.
In step 903, in practice, switch 803 sends the negotiation packet toward AC 805 according to the address information carried in the negotiation packet; however, because AC 805 is configured with safeguard 804, the safeguard can verify each piece of data sent to AC 805 in order to ensure the security of AC 805.
Step 904: safeguard 804 obtains the discovery request message from the received negotiation packet, and further obtains the IP address information carried in the discovery request message.
In step 904, in practice, the discovery request message can carry MAC address information in addition to IP address information; for example, it may carry only MAC address information, or carry both IP address information and MAC address information. This description takes the case in which the discovery request message carries IP address information.
Step 905: safeguard 804 sends AP 802, through switch 803, a request for the MAC address information stored in correspondence with the IP address information.
In step 905, in practice, the request for the MAC address information stored in correspondence with the IP address information can also be sent to a device that stores the correspondence between the AP's IP address information and MAC address information; this description takes, as the preferred case, sending that request to AP 802.
Step 906: safeguard 804 receives, forwarded by switch 803, the execution result that AP 802 feeds back in response to the received request.
Step 907: safeguard 804 determines whether the received execution result contains the MAC address information corresponding to the IP address information; if not, step 908 is performed; if so, step 909 is performed.
Step 908: safeguard 804 confirms that AP 802 has not passed verification, and refuses to save the information of AP 802 in AC 805.
Step 909: safeguard 804 sends DHCP server 808 an instruction to obtain the correspondence between MAC address information and IP address information stored by DHCP server 808.
Step 910: safeguard 804 determines whether the correspondence sent by the DHCP server in response to the instruction contains the pairing of the IP address information obtained from the negotiation packet with the MAC address information returned by AP 802; if so, step 911 is performed; if not, step 912 is performed.
Step 911: safeguard 804 determines that AP 802 has passed verification.
Step 912: safeguard 804 determines that AP 802 has not passed verification, and refuses to save the information of AP 802 in AC 805.
This ends the flow of verifying the wireless access point.
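The decision logic of steps 904 to 912, as an added Python example that is not part of the patent. It goes slightly beyond Fig. 9 by also applying the optional comparison against a MAC carried in the discovery request itself. The `DiscoveryRequest` layout, the `query_ap_mac` callback, the dictionary form of the DHCP correspondence and all sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(Enum):
    VERIFIED = "verified"                        # step 911
    NO_MAC_RETURNED = "no MAC returned"          # step 908
    PACKET_MAC_MISMATCH = "packet MAC mismatch"  # optional check when the packet carries a MAC
    DHCP_MISMATCH = "not in DHCP bindings"       # step 912


@dataclass(frozen=True)
class DiscoveryRequest:
    """Fields the safeguard reads from a negotiation packet (hypothetical layout)."""
    src_ip: str
    src_mac: Optional[str] = None  # present only if the sender included it


def normalize_mac(mac: str) -> Optional[str]:
    """Return aa:bb:cc:dd:ee:ff form, or None if the value is not a 48-bit MAC."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def verify_ap(req: DiscoveryRequest,
              query_ap_mac: Callable[[str], Optional[str]],
              dhcp_bindings: Dict[str, str]) -> Verdict:
    # Steps 905-907: ask the claimed IP for its MAC; None models "no feedback".
    answer = query_ap_mac(req.src_ip)
    reported = normalize_mac(answer) if answer else None
    if reported is None:
        return Verdict.NO_MAC_RETURNED
    # Optional: a MAC carried in the packet must equal the MAC the AP fed back.
    if req.src_mac is not None and normalize_mac(req.src_mac) != reported:
        return Verdict.PACKET_MAC_MISMATCH
    # Steps 909-910: the (IP, MAC) pairing must exist in the DHCP server's records.
    bound = dhcp_bindings.get(req.src_ip)
    if bound is None or normalize_mac(bound) != reported:
        return Verdict.DHCP_MISMATCH
    return Verdict.VERIFIED


def filter_for_ac(requests: List[DiscoveryRequest],
                  query_ap_mac: Callable[[str], Optional[str]],
                  dhcp_bindings: Dict[str, str]
                  ) -> Tuple[List[DiscoveryRequest], List[Tuple[str, Verdict]]]:
    """Forward only verified requests, so the AC never stores unverified APs."""
    forwarded, rejected = [], []
    for req in requests:
        verdict = verify_ap(req, query_ap_mac, dhcp_bindings)
        if verdict is Verdict.VERIFIED:
            forwarded.append(req)
        else:
            rejected.append((req.src_ip, verdict))
    return forwarded, rejected


# Constructed sample data: DHCP correspondence as the server would report it.
DHCP_BINDINGS = {"192.0.2.11": "00:00:5E:00:53:0A", "192.0.2.12": "00-00-5e-00-53-0b"}
# Constructed stand-in for the network: which IPs answer the MAC request, and with what.
LIVE_HOSTS = {"192.0.2.11": "00:00:5e:00:53:0a",
              "192.0.2.12": "00:00:5e:00:53:0b",
              "192.0.2.50": "00:00:5e:00:53:ff"}
SAMPLE_REQUESTS = [
    DiscoveryRequest("192.0.2.11"),                       # genuine AP, IP only
    DiscoveryRequest("192.0.2.12", "00:00:5e:00:53:0b"),  # genuine AP, IP and MAC
    DiscoveryRequest("192.0.2.99"),                       # forged source: nobody answers
    DiscoveryRequest("192.0.2.50"),                       # answers, but unknown to DHCP
    DiscoveryRequest("192.0.2.11", "00:00:5e:00:53:77"),  # packet MAC contradicts the AP's answer
]

if __name__ == "__main__":
    ok, bad = filter_for_ac(SAMPLE_REQUESTS, LIVE_HOSTS.get, DHCP_BINDINGS)
    print("forwarded to AC:", [r.src_ip for r in ok])
    for ip, verdict in bad:
        print("rejected:", ip, "-", verdict.value)
```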
Before step 904 of the flow of Fig. 9, that is, before the safeguard obtains the discovery request message from the received negotiation packet and further obtains the IP address information it carries, the safeguard can pick out, from the many messages it receives, the negotiation packets that apply for establishing a data channel, based on a preset identifier in the negotiation packet. It can further determine whether the identified negotiation packet is a data message sent over a wired data channel or a control message sent over a wireless data channel, so that the data message or control message is parsed in the configured manner to obtain the discovery request message.
After the flow of Fig. 9, if AP 802 passes verification by safeguard 804, safeguard 804 can send the negotiation packet to AC 805; AC 805 can save the information carried in the negotiation packet locally and send AP 802 a notification that verification succeeded, so that the data channel between AP 802 and AC 805 is successfully established. Once the data channel between AP 802 and AC 805 is established, AP 802 can forward the access requests of user terminals to AC 805.
Fig. 10 shows a schematic flowchart of data interaction in the wireless network system of Fig. 8 provided by the invention. Specifically, as shown in Fig. 10, the process of data interaction in the wireless network system mainly comprises the following steps:
Step 1001: AP 802 forwards, through switch 803, the access request sent by user terminal 801 to AC 805;
Step 1002: AC 805 determines from the received access request whether the access request needs verification; if not, step 1003 is performed; if so, step 1004 is performed;
Step 1003: the received access request is sent to the Internet;
Step 1004: an instruction is sent to Portal server 807 directing Portal server 807 to provide the network authentication page to user terminal 801;
Step 1005: Portal server 807 sends the authentication information submitted by user terminal 801 through the network authentication page to Radius server 806;
Step 1006: Radius server 806 determines from the authentication information whether user terminal 801 passes authentication; if so, step 1007 is performed; if not, step 1008 is performed;
Step 1007: user terminal 801 passes authentication and can use the Internet normally;
Step 1008: user terminal 801 is notified that authentication failed.
This ends the flow of data interaction in the wireless network system.
Embodiment four
Embodiment four provides a device for verifying a wireless access point. The device can be applied in the wireless network system shown in Fig. 3; applying this technical solution in that system prevents the AC from saving the information of a large number of false APs, thereby improving the AC's capacity to process AP registration requests and wireless network user service requests.
Fig. 11 shows a schematic structural diagram of a device for verifying a wireless access point provided by the invention. Specifically, as shown in Fig. 11, the device for verifying a wireless access point comprises:
An address information acquiring unit 1101, a request transmitting unit 1102 and an address information authentication unit 1103; wherein:
The address information acquiring unit 1101 is configured to obtain the negotiation packet sent by a wireless access point AP and to obtain address information of a first type from the negotiation packet;
The request transmitting unit 1102 is configured to send the AP a request for the address information of a second type corresponding to the first-type address information obtained by the address information acquiring unit 1101;
The address information authentication unit 1103 is configured to determine that the AP passes verification when the second-type address information fed back by the AP in response to the request sent by the request transmitting unit 1102 is received; and, when that second-type address information is not received, to determine that the AP does not pass verification and to refuse to process the negotiation packet sent by the AP that did not pass verification.
In a preferred implementation provided by embodiment three of the invention, the address information authentication unit 1103 of the device shown in Fig. 11 is further configured to:
If the address information acquiring unit 1101 obtains from the negotiation packet second-type address information in addition to the first-type address information, then, after receiving the second-type address information fed back by the AP and before determining that the AP passes verification, determine that the second-type address information fed back by the AP matches the second-type address information obtained from the negotiation packet.
In a preferred implementation provided by embodiment three of the invention, the address information authentication unit 1103 of the device shown in Fig. 11 is further configured to:
After receiving the second-type address information fed back by the AP and before determining that the AP passes verification, determine that the address information stored in the Dynamic Host Configuration Protocol (DHCP) server in correspondence with the first-type address information matches the received second-type address information.
In a preferred implementation provided by embodiment three of the invention, the address information authentication unit 1103 of the device shown in Fig. 11 is specifically configured to:
Obtain the correspondence between first-type address information and second-type address information stored by the DHCP server, and determine that the obtained correspondence contains the pairing of the first-type address information obtained from the negotiation packet with the second-type address information fed back by the AP; or
Send the DHCP server an instruction directing it to feed back the second-type address information stored in correspondence with the first-type address information obtained from the negotiation packet, and determine that the second-type address information fed back by the DHCP server matches the second-type address information fed back by the AP; or
Send the DHCP server an instruction directing it to feed back the first-type address information stored in correspondence with the second-type address information fed back by the AP, and determine that the first-type address information fed back by the DHCP server is the first-type address information obtained from the negotiation packet; or
Send the DHCP server the pairing of the first-type address information obtained from the negotiation packet with the second-type address information fed back by the AP, and receive the result that the DHCP server sends after determining that its locally stored correspondence between first-type address information and second-type address information contains that pairing.
It should be understood that the units of the above device are only a logical division according to the functions the device implements; in practice, these units can be combined or split. The functions implemented by the device of this embodiment correspond one-to-one to the method flow for verifying a wireless access point provided in the above embodiments; the more specific processing flow implemented by the device has been described in detail in the method embodiments and is not repeated here.
Further, the device for verifying a wireless access point in this embodiment three also has functional modules that can implement the solutions of embodiment one and embodiment two, which are not described again here.
Although preferred embodiments of the application have been described, those skilled in the art, once they grasp the basic inventive concept, can make other changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the application.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these changes and modifications fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to cover them.

Claims (7)

1. A method for verifying a wireless access point, characterized by comprising:
Obtaining the negotiation packet sent by a wireless access point AP, and obtaining address information of a first type from the negotiation packet;
Sending the AP a request for the address information of a second type corresponding to the first-type address information;
If the second-type address information fed back by the AP is received, determining that the AP passes verification;
If the second-type address information fed back by the AP is not received, determining that the AP does not pass verification, and refusing to process the negotiation packet sent by the AP that did not pass verification.
2. The method of claim 1, characterized in that, if second-type address information is obtained from the negotiation packet in addition to the first-type address information, then after receiving the second-type address information fed back by the AP and before determining that the AP passes verification, the method further comprises:
Determining that the second-type address information fed back by the AP matches the second-type address information obtained from the negotiation packet.
3. The method of claim 1, characterized in that, after receiving the second-type address information fed back by the AP and before determining that the AP passes verification, the method further comprises:
Determining that the address information stored in the Dynamic Host Configuration Protocol (DHCP) server in correspondence with the first-type address information matches the received second-type address information;
Wherein determining that the address information stored in the DHCP server in correspondence with the first-type address information matches the received second-type address information comprises:
Obtaining the correspondence between first-type address information and second-type address information stored by the DHCP server, and determining that the obtained correspondence contains the pairing of the first-type address information obtained from the negotiation packet with the second-type address information fed back by the AP; or
Sending the DHCP server an instruction directing it to feed back the second-type address information stored in correspondence with the first-type address information obtained from the negotiation packet, and determining that the second-type address information fed back by the DHCP server matches the second-type address information fed back by the AP; or
Sending the DHCP server an instruction directing it to feed back the first-type address information stored in correspondence with the second-type address information fed back by the AP, and determining that the first-type address information fed back by the DHCP server matches the first-type address information obtained from the negotiation packet; or
Sending the DHCP server the pairing of the first-type address information obtained from the negotiation packet with the second-type address information fed back by the AP, and receiving the result that the DHCP server sends after determining that its locally stored correspondence between first-type address information and second-type address information contains that pairing.
4. The method of any one of claims 1 to 3, characterized in that the first-type address information is media access control (MAC) address information and the second-type address information is Internet Protocol (IP) address information; or
The first-type address information is IP address information and the second-type address information is MAC address information.
5. A device for verifying a wireless access point, characterized by comprising:
An address information acquiring unit, configured to obtain the negotiation packet sent by a wireless access point AP and to obtain address information of a first type from the negotiation packet;
A request transmitting unit, configured to send the AP a request for the address information of a second type corresponding to the first-type address information obtained by the address information acquiring unit;
An address information authentication unit, configured to determine that the AP passes verification when the second-type address information fed back by the AP in response to the request sent by the request transmitting unit is received; and, when that second-type address information is not received, to determine that the AP does not pass verification and to refuse to process the negotiation packet sent by the AP that did not pass verification.
6. The device of claim 5, characterized in that the address information authentication unit is further configured to:
If the address information acquiring unit obtains from the negotiation packet second-type address information in addition to the first-type address information, then, after receiving the second-type address information fed back by the AP and before determining that the AP passes verification, determine that the second-type address information fed back by the AP matches the second-type address information obtained from the negotiation packet.
7. The device of claim 5, characterized in that the address information authentication unit is further configured to:
After receiving the second-type address information fed back by the AP and before determining that the AP passes verification, determine that the address information stored in the Dynamic Host Configuration Protocol (DHCP) server in correspondence with the first-type address information matches the received second-type address information;
Wherein the address information authentication unit is specifically configured to:
Obtain the correspondence between first-type address information and second-type address information stored by the DHCP server, and determine that the obtained correspondence contains the pairing of the first-type address information obtained from the negotiation packet with the second-type address information fed back by the AP; or
Send the DHCP server an instruction directing it to feed back the second-type address information stored in correspondence with the first-type address information obtained from the negotiation packet, and determine that the second-type address information fed back by the DHCP server matches the second-type address information fed back by the AP; or
Send the DHCP server an instruction directing it to feed back the first-type address information stored in correspondence with the second-type address information fed back by the AP, and determine that the first-type address information fed back by the DHCP server matches the first-type address information obtained from the negotiation packet; or
Send the DHCP server the pairing of the first-type address information obtained from the negotiation packet with the second-type address information fed back by the AP, and receive the result that the DHCP server sends after determining that its locally stored correspondence between first-type address information and second-type address information contains that pairing.
CN201110454941.9A 2011-12-30 2011-12-30 A kind of method and device verifying WAP (wireless access point) Active CN103188662B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110454941.9A CN103188662B (en) 2011-12-30 2011-12-30 A kind of method and device verifying WAP (wireless access point)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110454941.9A CN103188662B (en) 2011-12-30 2011-12-30 A kind of method and device verifying WAP (wireless access point)

Publications (2)

Publication Number Publication Date
CN103188662A CN103188662A (en) 2013-07-03
CN103188662B true CN103188662B (en) 2015-07-29

Family

ID=48679549

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110454941.9A Active CN103188662B (en) 2011-12-30 2011-12-30 A kind of method and device verifying WAP (wireless access point)

Country Status (1)

Country Link
CN (1) CN103188662B (en)

Also Published As

Publication number Publication date
CN103188662A (en) 2013-07-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant