CN104640111B - Network insertion processing method, apparatus and system - Google Patents
- Publication number: CN104640111B (CN201310556561.5A)
- Authority: CN (China)
- Prior art keywords: terminal, network, wireless broadband, access, broadband router
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06—Authentication
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W48/00—Access restriction; Network selection; Access point selection > H04W48/08—Access restriction or access information delivery, e.g. discovery data delivery
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W48/00—Access restriction; Network selection; Access point selection > H04W48/16—Discovering, processing access restriction or access information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention provides a network access processing method, apparatus and system. The method comprises: a wireless broadband router receives an access request from a terminal requesting access to a network; the wireless broadband router performs authentication processing on the terminal's network access according to the access request, wherein the authentication processing comprises authenticating the terminal's access to the subnet covered by the wireless broadband router and authenticating the terminal's access to the external network to which the wireless broadband router is connected. The invention solves the problem in the related art that terminals that are not under an operator's network are also allowed to access that network and use its resources, which consumes network resources. It thereby achieves the effect that the wireless broadband router authenticates the terminal's network access, so that terminal access to the network can be better managed and controlled.
Description
Technical field
The present invention relates to the field of communications, and in particular to a network access processing method, apparatus and system.
Background
A wireless broadband router is an extended product that combines a wireless LAN access point and a broadband router in one device. It not only has all the functions of a pure wireless access point (Access Point, AP), for example support for a Dynamic Host Configuration Protocol (DHCP) client, support for virtual private networks (Virtual Private Network, VPN), a firewall, and support for Wired Equivalent Privacy (WEP) encryption, but also includes a network address translation (Network Address Translation, NAT) function, which lets LAN users share a network connection. It can share the Internet connection in a home wireless network and provide shared wireless access over Long Term Evolution (LTE) or third-generation mobile communication technology (3rd-generation, 3G). A wireless broadband router is portable and can be moved at any time. It lets all kinds of WLAN devices access the Internet, which extends the coverage of the mobile network and the forms of terminal that can access it, such as tablet computers and other mobile devices without a Subscriber Identity Module (SIM) / Universal Subscriber Identity Module (USIM) card, or any terminal that supports WLAN access.
For domestic operators, a very important part of market competition is developing more users and selling more mobile phones that use the operator's network standard. The emergence of wireless broadband routers with LTE/3G access capability means that terminals that are not under the operator's network are also allowed to access that network and use its resources.
Therefore, the related art has the problem that terminals that are not under the operator's network are also allowed to access that network and use its resources, which consumes network resources.
Summary of the invention
The present invention provides a network access processing method and apparatus, to at least solve the problem in the related art that terminals that are not under the operator's network are also allowed to access that network and use its resources, which consumes network resources.
According to one aspect of the invention, a network access processing method is provided. The method comprises: a wireless broadband router receives an access request from a terminal requesting access to a network; the wireless broadband router performs authentication processing on the terminal's network access according to the access request, wherein the authentication processing on the terminal's network access comprises: authenticating the terminal's access to the subnet covered by the wireless broadband router, and authenticating the terminal's access to the external network to which the wireless broadband router is connected.
Preferably, before the wireless broadband router receives the access request from the terminal requesting access to the network, the method further comprises: the wireless broadband router publishes service set identifiers (SSID), wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network.
Preferably, the wireless broadband router performing authentication processing on the terminal's network access according to the access request comprises: obtaining the password with which the terminal accesses the subnet; performing Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password; and, if the WPA/WPA2 authentication passes, performing Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information.
Preferably, the terminal information includes at least one of: operator information of the terminal, class information of the terminal, and identification information of the terminal.
Preferably, performing the EAP-AKA authentication on the terminal's access to the external network according to the preset terminal information comprises: obtaining the public identity with which the terminal accesses the external network and the key parameter used for the EAP-AKA authentication; and performing the EAP-AKA authentication according to the obtained public identity and key parameter.
According to another aspect of the present invention, a network access processing apparatus is provided, applied to a wireless broadband router and comprising: a receiving module, configured to receive an access request from a terminal requesting access to a network; and a processing module, configured to perform authentication processing on the terminal's network access according to the access request, wherein the authentication processing on the terminal's network access comprises: authenticating the terminal's access to the subnet covered by the wireless broadband router, and authenticating the terminal's access to the external network to which the wireless broadband router is connected.
Preferably, the apparatus further comprises: a publishing module, configured to publish service set identifiers (SSID), wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network.
Preferably, the processing module comprises: an obtaining unit, configured to obtain the password with which the terminal accesses the subnet; a first authentication unit, configured to perform Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password; and a second authentication unit, configured to perform, if the WPA/WPA2 authentication passes, Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information.
Preferably, the second authentication unit comprises: an obtaining subunit, configured to obtain the public identity with which the terminal accesses the external network and the key parameter used for the EAP-AKA authentication; and an authentication subunit, configured to perform the EAP-AKA authentication according to the obtained public identity and key parameter.
According to yet another aspect of the present invention, a network access processing system is provided. The system comprises: a terminal, a core network, and the wireless broadband router of any of the above, wherein the terminal is configured to interact with the wireless broadband router to complete the WPA/WPA2 authentication of the terminal's access to the subnet, and the core network is configured to interact with the wireless broadband router to complete the EAP-AKA authentication of the terminal's access to the external network.
With the present invention, a wireless broadband router receives an access request from a terminal requesting access to a network, and the wireless broadband router performs authentication processing on the terminal's network access according to the access request, wherein the authentication processing comprises authenticating the terminal's access to the subnet covered by the wireless broadband router and authenticating the terminal's access to the external network to which the wireless broadband router is connected. This solves the problem in the related art that terminals that are not under the operator's network are also allowed to access that network and use its resources, which consumes network resources. It thereby achieves the effect that the wireless broadband router authenticates the terminal's network access, so that terminal access to the network can be better managed and controlled.
Brief description of the drawings
The drawings described here provide a further understanding of the present invention and form part of this application. The illustrative embodiments of the invention and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of the network access processing method according to an embodiment of the present invention;
Fig. 2 is a structural block diagram of the network access processing apparatus according to an embodiment of the present invention;
Fig. 3 is a preferred structural block diagram of the network access processing apparatus according to an embodiment of the present invention;
Fig. 4 is a structural block diagram of the processing module 24 in the network access processing apparatus according to an embodiment of the present invention;
Fig. 5 is a structural block diagram of the second authentication unit 46 in the processing module 24 in the network access processing apparatus according to an embodiment of the present invention;
Fig. 6 is a structural block diagram of the network access processing system according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the network architecture of the preferred embodiment of the present invention;
Fig. 8 is a structural schematic diagram of the wireless broadband router of the preferred embodiment of the present invention;
Fig. 9 is an architecture diagram of the WLAN terminal according to the preferred embodiment of the present invention;
Fig. 10 is a flow chart of WLAN terminal access with IMS network authentication according to the preferred embodiment of the present invention.
Detailed description of the embodiments
The present invention is described in detail below with reference to the drawings and in combination with the embodiments. Note that, where they do not conflict, the embodiments of this application and the features in the embodiments may be combined with each other.
This embodiment provides a network access processing method. Fig. 1 is a flow chart of the network access processing method according to an embodiment of the present invention. As shown in Fig. 1, the flow includes the following steps:
Step S102: the wireless broadband router receives an access request from a terminal requesting access to a network;
Step S104: the wireless broadband router performs authentication processing on the terminal's network access according to the access request, wherein the authentication processing on the terminal's network access comprises: authenticating the terminal's access to the subnet covered by the wireless broadband router, and authenticating the terminal's access to the external network to which the wireless broadband router is connected.
Through the above steps, the wireless broadband router authenticates the terminal's access to the subnet covered by the wireless broadband router and authenticates the terminal's access to the external network to which the wireless broadband router is connected. In the related art, a terminal accesses a network to which it does not belong directly through the wireless broadband router, which consumes network resources. Compared with that, the above steps not only solve the problem of operator network resource consumption but also allow a terminal's access to a network to which it does not belong to be managed and controlled accordingly, which improves the user experience.
Preferably, before the wireless broadband router receives the access request from the terminal requesting access to the network, the method further comprises: the wireless broadband router publishes service set identifiers (SSID), wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network. With this processing, the terminal can request the corresponding authentication by carrying a service set identifier in the access request. Authentication processing on the terminal's network access is performed separately according to which service set identifier is carried, as illustrated below.
The wireless broadband router performing authentication processing on the terminal's network access according to the access request may include the following processing. For example, the password with which the terminal accesses the subnet is obtained, and Wi-Fi Protected Access (WPA/WPA2) authentication is performed on the terminal's access to the subnet using the MD5 authentication method according to the password. If the authentication passes, the wireless broadband router allocates a first IP address to the terminal, wherein the first IP address is the address allocated to the terminal for accessing the WLAN intranet to which the wireless broadband router belongs, in the case where WPA/WPA2 authentication is performed on the terminal's access request carrying the first SSID. And/or, if the WPA/WPA2 authentication passes, Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) authentication is performed on the terminal's access to the external network according to preset terminal information. The terminal information can be of several kinds, for example at least one of: operator information of the terminal, class information of the terminal, and identification information of the terminal. If the EAP-AKA authentication passes, the wireless broadband router allocates a second IP address to the terminal, wherein the second IP address is the address allocated to the terminal for accessing the external packet link network of the wireless broadband router, in the case where the terminal's access request carrying the second SSID passes EAP-AKA authentication.
In addition, depending on the terminal information, the way in which the terminal's access to the external network is authenticated may also differ. For example, where the terminal information is the terminal's public identity and the key parameter for EAP-AKA authentication: first, the public identity with which the terminal accesses the external network and the key parameter used for EAP-AKA authentication are obtained; then EAP-AKA authentication is performed according to the obtained public identity and key parameter. Note that the public identity may be stored in the wireless broadband router when WPA/WPA2 authentication succeeds, or may be carried in a message returned by the core network to the wireless broadband router. The key parameter may be a parameter pre-stored in the wireless broadband router, agreed earlier, when the user information was subscribed with the core network, as the key parameter shared for the public identity corresponding to the terminal.
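The router-side processing described in the two paragraphs above, as an added Python sketch that is not code from the patent: a request on the first SSID gets an intranet-only address after the password check, and a request on the second SSID gets an externally routable address only after the WPA/WPA2 stage, the preset terminal-information check and an AKA-style challenge all pass. Assumptions: the SSID names, address pools, IMSIs, public identity, keys and all class and function names are constructed; a password comparison stands in for the WPA/WPA2 handshake and HMAC-SHA-256 stands in for the AKA functions.

```python
import hashlib
import hmac
import ipaddress
import os
from collections import namedtuple
from dataclasses import dataclass

# All SSIDs, identities, address pools and keys here are constructed for this sketch.
SSID_SUBNET = "wbr-subnet"      # first SSID: the subnet covered by the router
SSID_EXTERNAL = "wbr-external"  # second SSID: the external network
Result = namedtuple("Result", "status ip external_access")


def prf(key, label, rand):
    # Stand-in for the AKA f1/f2 functions (a real deployment uses e.g. Milenage).
    return hmac.new(key, label + rand, hashlib.sha256).digest()


@dataclass
class Terminal:
    identity: str          # IMSI, or an offline-configured user name
    terminal_class: str
    password: str          # password for the router's subnet (WPA/WPA2 stage)
    public_identity: str = ""
    key: bytes = b""       # key parameter shared with the core network

    def aka_response(self, rand, autn):
        # Authenticate the network first; answer only if its AUTN is valid.
        ok = bool(self.key) and hmac.compare_digest(autn, prf(self.key, b"autn", rand))
        return prf(self.key, b"res", rand) if ok else None


class CoreNetwork:
    def __init__(self, subscriptions):
        self._subscriptions = subscriptions   # public identity -> shared key

    def challenge(self, public_identity):
        key = self._subscriptions.get(public_identity)
        rand = os.urandom(16)
        return (rand, prf(key, b"autn", rand), prf(key, b"res", rand)) if key else None


class Router:
    def __init__(self, subnet_password, operator_prefixes, terminal_classes, core):
        self._password = subnet_password
        self._operator_prefixes = tuple(operator_prefixes)  # allowed MCC+MNC
        self._terminal_classes = set(terminal_classes)
        self._core = core
        self._wpa_passed = set()
        nets = {False: "192.168.1.0/24", True: "10.0.0.0/24"}  # keyed by external access
        self._pools = {ext: iter(ipaddress.ip_network(n).hosts()) for ext, n in nets.items()}

    def _lease(self, external):
        return Result("accepted", str(next(self._pools[external])), external)

    def _terminal_info_ok(self, t):
        # Preset terminal information: operator (IMSI prefix) and terminal class.
        return (t.identity.startswith(self._operator_prefixes)
                and t.terminal_class in self._terminal_classes)

    def access_request(self, t, ssid):
        if ssid == SSID_SUBNET:
            if not hmac.compare_digest(t.password.encode(), self._password.encode()):
                return Result("rejected: WPA/WPA2", None, False)
            self._wpa_passed.add(t.identity)
            return self._lease(external=False)
        if ssid != SSID_EXTERNAL:
            return Result("rejected: unknown SSID", None, False)
        if t.identity not in self._wpa_passed:
            return Result("rejected: WPA/WPA2 not passed", None, False)
        if not self._terminal_info_ok(t):
            return Result("rejected: terminal information", None, False)
        challenge = self._core.challenge(t.public_identity)
        if challenge is None:
            return Result("rejected: unknown public identity", None, False)
        rand, autn, xres = challenge
        res = t.aka_response(rand, autn)
        if res is None or not hmac.compare_digest(res, xres):
            return Result("rejected: EAP-AKA", None, False)
        return self._lease(external=True)


def demo():
    key, impu = bytes(range(16)), "sip:user1@ims.example"
    router = Router("subnet-pass", ["00101"], {"phone", "tablet"}, CoreNetwork({impu: key}))
    terminals = {
        "home": Terminal("001010000000001", "phone", "subnet-pass", impu, key),
        "foreign": Terminal("999990000000002", "phone", "subnet-pass", impu, key),
        "bad_key": Terminal("001010000000003", "tablet", "subnet-pass", impu, b"\x00" * 16),
    }
    out = {"skip_stage_1": router.access_request(terminals["home"], SSID_EXTERNAL)}
    for name, t in terminals.items():
        out[name] = tuple(router.access_request(t, s) for s in (SSID_SUBNET, SSID_EXTERNAL))
    return out


if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

A terminal that knows the subnet password but fails the operator check or the key check keeps only its intranet address, which is the separation between the two address classes that the description relies on.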
On the terminal side, the terminal sends to the wireless broadband router an access request requesting access to the network; the terminal receives the response result of the wireless broadband router's processing of the terminal's network access according to the access request; and the terminal performs network access authentication processing according to the response result. Through these steps, the wireless broadband router authenticates the terminal's access to the subnet covered by the wireless broadband router and authenticates the terminal's access to the external network to which the wireless broadband router is connected. In the related art, a terminal accesses a network to which it does not belong directly through the wireless broadband router, which consumes network resources. Compared with that, these steps not only solve the problem of operator network resource consumption but also allow a terminal's access to a network to which it does not belong to be managed and controlled accordingly, which improves the user experience.
Corresponding to the above processing in the wireless broadband router, the terminal side performs the corresponding operations. Before the terminal sends to the wireless broadband router the access request requesting access to the network, the method further comprises: receiving the service set identifiers (SSID) published by the wireless broadband router, wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network.
Likewise, after the terminal sends to the wireless broadband router access requests carrying different service set identifiers, the response results that the terminal receives from the wireless broadband router's processing of the terminal's network access according to the access request may include the following. The terminal receives the first IP address allocated by the wireless broadband router, wherein the first IP address is the address allocated to the terminal for accessing the WLAN intranet to which the wireless broadband router belongs, in the case where the terminal's access request carrying the first SSID passes WPA/WPA2 authentication. And/or the terminal receives the second IP address allocated by the wireless broadband router, wherein the second IP address is the address allocated to the terminal for accessing the external packet link network of the wireless broadband router, in the case where the terminal's access request carrying the second SSID passes EAP-AKA authentication.
This embodiment also provides a network access processing apparatus, which implements the above embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a structural block diagram of the network access processing apparatus according to an embodiment of the present invention. As shown in Fig. 2, the apparatus is applied to a wireless broadband router and includes a receiving module 22 and a processing module 24. The apparatus is described below.
The receiving module 22 is configured to receive an access request from a terminal requesting access to a network. The processing module 24 is connected to the receiving module 22 and is configured to perform authentication processing on the terminal's network access according to the access request, wherein the authentication processing on the terminal's network access comprises: authenticating the terminal's access to the subnet covered by the wireless broadband router, and authenticating the terminal's access to the external network to which the wireless broadband router is connected.
Fig. 3 is a preferred structural block diagram of the network access processing apparatus according to an embodiment of the present invention. As shown in Fig. 3, in addition to all the modules shown in Fig. 2, the apparatus includes a publishing module 32, which is described below.
The publishing module 32 is connected to the receiving module 22 and is configured to publish service set identifiers (SSID), wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network.
Fig. 4 is a structural block diagram of the processing module 24 in the network access processing apparatus according to an embodiment of the present invention. As shown in Fig. 4, the processing module 24 includes an obtaining unit 42, a first authentication unit 44 and a second authentication unit 46. The processing module 24 is described below.
The obtaining unit 42 is configured to obtain the password with which the terminal accesses the subnet. The first authentication unit 44 is connected to the obtaining unit 42 and is configured to perform Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password. The second authentication unit 46 is connected to the first authentication unit 44 and is configured to perform, if the WPA/WPA2 authentication passes, Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information.
Fig. 5 is a structural block diagram of the second authentication unit 46 in the processing module 24 in the network access processing apparatus according to an embodiment of the present invention. As shown in Fig. 5, the second authentication unit 46 includes an obtaining subunit 52 and an authentication subunit 54. The second authentication unit 46 is described below.
The obtaining subunit 52 is configured to obtain the public identity with which the terminal accesses the external network and the key parameter used for EAP-AKA authentication. The authentication subunit 54 is connected to the obtaining subunit 52 and is configured to perform EAP-AKA authentication according to the obtained public identity and key parameter.
This embodiment also provides a network access processing system. Fig. 6 is a structural block diagram of the network access processing system according to an embodiment of the present invention. As shown in Fig. 6, the network access processing system 60 includes a terminal 62, a core network 64 and the wireless broadband router 66 of any of the above. The system is described below.
The terminal 62 is configured to interact with the wireless broadband router 66 to complete the WPA/WPA2 authentication of the terminal's access to the subnet. The core network 64 is configured to interact with the wireless broadband router 66 to complete the EAP-AKA authentication of the terminal's access to the external network.
In view of the above problems in the related art, this embodiment provides a system architecture and method for the case where a terminal accesses, through a wireless broadband device, a network to which it does not itself belong: the IP multimedia subsystem (IP Multi Media System, IMS) core network completes the access authentication of the WLAN terminals under the wireless broadband router, and the wireless broadband router accesses the mobile network using LTE or 3G. The terminal can access and use the operator's network through the wireless broadband router, which makes using network resources more convenient.
The above embodiments and preferred embodiments provide an implementation method on the wireless broadband router, an implementation method on the WLAN terminal, a network system architecture, and a method by which the wireless broadband router and the WLAN terminal interact with the network. Together these let the operator control, in the network, the WLAN coverage provided by LTE/3G wireless broadband routers and the terminals that access it. Access authentication of WLAN terminals uses an authentication mode with the same security level as that of terminals under the LTE/3G network. The number and classes of terminals that are allowed to access can be configured by the network side, or whether to allow access can be decided from other parameters that can be obtained on ordinary terminals.
Note that the wireless broadband router of the embodiment of the present invention and the IMS core network can use normal IMS signalling interaction, and the interaction with the WLAN terminal can use the Session Initiation Protocol (SIP) and the Extensible Authentication Protocol (EAP). A customized procedure can be used for the interaction between the WLAN terminal and the wireless broadband router, and the network-side equipment needs no change.
The embodiments of the present invention are described below with reference to the drawings.
Fig. 7 is a schematic diagram of the network architecture of the preferred embodiment of the present invention. As shown in Fig. 7, the external network access of the wireless broadband router includes wireless network access such as 3G or LTE (Fig. 7 shows LTE access), and the internal network access uses wireless LAN technology, so terminals on the internal network can interact with the gateway over the WLAN. The evolved packet system (Evolved Packet System, EPC) interfaces with the network elements of the IMS core network, and the wireless broadband router can access the IMS network over the packet link provided by the LTE network.
Fig. 8 is a structural schematic diagram of the wireless broadband router of the preferred embodiment of the present invention. As shown in Fig. 8, the structure includes the following parts. The Wi-Fi Driver provides the Wi-Fi device driver and data link layer encapsulation in the WLAN. The Wi-Fi Protected Access (WPA)/WPA2 Authenticator provides the wireless broadband router's WPA/WPA2 authentication function during WLAN terminal access. The EAP Server provides the wireless broadband router's support for the EAP-AKA authentication function during WLAN terminal access. The TCP/IP protocol stack provides IP-layer and transport-layer data encapsulation and parsing, and provides an IP data send/receive interface for applications. The IMS Proxy provides two functions: one is the client function by which the wireless broadband router registers with the IMS core network as an IMS terminal; the other is to encapsulate the WLAN terminal's EAP-AKA request in IMS signalling and hand the authentication request to the IMS core network for processing. The DHCP Server decides, according to the access authentication result, whether to allocate a legitimate IP address to the WLAN terminal. When terminals access through the two different authentication modes, WPA/WPA2 and EAP-AKA, the DHCP Server allocates two different classes of IP address: a terminal that accessed through WPA/WPA2 authentication is assigned an IP address that cannot access the external packet network through the wireless broadband router, whereas a WLAN terminal that accessed through EAP-AKA authentication is, after successful authentication, assigned an IP address with which it can access the external packet network through the wireless broadband router. The Access Controller implements the upper-layer access control logic and combines the two different authentication accesses with the authentication procedure of the external IMS network. The Wi-Fi driver supports the wireless broadband router publishing two different WLAN service set identifiers (Service Set Identifier, SSID).
Corresponding to the functional structure on the wireless broadband router, the functional structure on the WLAN terminal has corresponding modules. Fig. 9 is an architecture diagram of the WLAN terminal according to the preferred embodiment of the present invention. As shown in Fig. 9, the WLAN terminal includes: a WPA/WPA2 client, which performs the client function when the terminal accesses the WLAN with the WPA/WPA2 authentication mode; an EAP-AKA client, which implements the client function when the terminal accesses the WLAN with the EAP-AKA authentication mode; an IMS client, which performs the IMS registration and subscription procedures; and a DHCP client, which supports dynamic allocation of the IP address after authentication passes.
Figure 10 is the WLAN terminal access process figure of IMS network authentication according to the preferred embodiment of the invention, such as
Shown in Figure 10, which includes the following steps:
Step S1002, wireless broadband router attachment are registered to EPC network, i.e., wireless broadband router is in starting Wi-
After the access point function of Fi, the different SSID mark of publication two.
Step S1004, wireless broadband router are initiated immediately after being attached to LTE network and establishing default IP connection
To the register flow path of IMS core net, authentication uses AKA method, uses what is stored in USIM/ISIM card in wireless broadband router
Publicly-owned identity.
Step S1006: after registration succeeds, the IMS Proxy on the wireless broadband router, acting as an IMS client, initiates a subscription request for the current registration status of the other public identities associated with the user of the USIM/ISIM card. The IMS core accepts the request and notifies the wireless broadband router of the registration status of the other public identities in a Notify message.
Step S1008: under the control of the Access Client application, the terminal first accesses the SSID that corresponds to WPA/WPA2 authentication. After the terminal completes WPA/WPA2 authentication, the wireless broadband router assigns the terminal an intranet address IP1 through the DHCP procedure; this IP is restricted from accessing the external network.
Step S1010: after obtaining IP1, the Access Client on the terminal uses IP1 to initiate the SIP registration procedure. The registration request is handled by the IMS Proxy on the wireless broadband router, and the registration uses the MD5 Digest authentication method. For a terminal with a USIM/ISIM card, the user name required for MD5 Digest authentication is the IMSI number; for a terminal without a USIM/ISIM card, such as an iPad, the user name is configured offline and managed by the Access Client on the terminal and the Access Controller on the wireless broadband router. The password is the password used for WPA/WPA2 access authentication. After receiving the terminal's SIP registration request, the wireless broadband router makes a decision on the IMSI or custom user name carried in the Request-URI header field of the registration request. The decision logic includes identifying the terminal's operator or the terminal category, and deciding on that basis whether to reject the terminal's registration request. If the request is accepted, an MD5 authentication challenge is returned; on receiving it, the IMS Client on the terminal calculates the authentication result, rebuilds the message and sends the SIP registration request again. After verification succeeds, the wireless broadband router returns a SIP 200 OK message to indicate successful registration. Because the terminal user name required for MD5 authentication is carried in the registration request, the wireless broadband router does not need the terminal user name to be configured in advance; it only needs to obtain the terminal's access password from the WPA/WPA2 authenticator.
The terminal then has the Access Client notify the IMS client to initiate a SIP subscription (Subscribe) procedure. This subscription requests the identity stored in the wireless broadband router and the key parameter Ki required in the AKA authentication procedure. This identity is a public identity (IMPU) associated with the IMS private identity (IMPI) in the USIM/ISIM card of the wireless broadband router; these IMPUs may be stored in the USIM/ISIM, or carried by the IMS core network in the registration success message returned during the wireless broadband router's IMS registration. The Ki parameter is the Ki parameter pre-stored in the USIM/ISIM card on the wireless broadband router, and it is specified as shared by this group of public identities when the user subscription information (IMS Subscription) is registered in the HSS of the IMS core network. The Authorization header field of the terminal's Subscribe request contains the authentication information from the earlier registration procedure, which ensures that only a terminal that has passed the registration procedure can initiate the procedure for subscribing to the identity and the Ki parameter. After the wireless broadband router receives the subscription request, it registers the subscription request and replies with success; the Access Controller allocates a stored public identity, which is distributed in a SIP Notify message. After obtaining the public identity and the Ki parameter, the terminal has the Access Client notify the EAP client to initiate the EAP-AKA procedure; at this point the terminal selects the other SSID published by the wireless broadband router and initiates the association operation.
Step S1012: the EAP Server on the wireless broadband router triggers the EAP-AKA authentication and authorization procedure, first requesting the terminal's identity; the terminal immediately replies with the public identity obtained earlier.
Step S1014: after deciding to accept the terminal's access request with EAP-AKA authentication, the IMS Proxy on the wireless broadband router builds a new SIP registration request, whose identity is the public identity reported by the terminal in the EAP message. The message is sent to the IMS core network, and the network side returns an AKA authentication challenge.
Step S1016: the IMS Proxy parses this authentication challenge from the SIP signaling, encapsulates it in an EAP-Request message and sends it to the WLAN terminal. The terminal calculates the authentication result using the Ki parameter obtained in the subscription procedure and the challenge parameters, and sends it to the wireless broadband router in an EAP-Response message.
Step S1018: the IMS Proxy then parses the AKA authentication result parameters, packs them into a SIP registration request and sends it to the IMS network. After authentication passes, the network side replies with SIP 200 OK to indicate success.
Step S1020: on receiving the success message, the IMS Proxy on the wireless broadband router notifies the Access Controller, which notifies the EAP Server to reply EAP-Success to the terminal; the access procedure with EAP-AKA authentication is then complete. The terminal then initiates the DHCP procedure to request an IP again. This time the Access Controller notifies the DHCP Server on the wireless broadband router to assign IP address IP2, and IP2 can access the external packet network.
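The router-side decision and MD5 Digest check from step S1010, as an added Python example that is not part of the patent text. It assumes RFC 2617 Digest without qop and 401/403 as the challenge and rejection codes; the realm, PLMN prefix, user names and the `RouterRegistrar` class with its methods are hypothetical or constructed.

```python
import hashlib
import hmac
import secrets

REALM = "router.example"              # assumed realm
ALLOWED_PLMNS = {"00101"}             # constructed MCC+MNC prefixes (test PLMN 001/01)
ALLOWED_CUSTOM_USERS = {"tablet-01"}  # constructed offline-configured name, card-less terminal


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, realm=REALM):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class RouterRegistrar:
    """Hypothetical router-side handler for the terminal's SIP REGISTER (step S1010)."""

    def __init__(self, wpa_passwords):
        self.wpa_passwords = wpa_passwords  # stands in for the WPA/WPA2 authenticator
        self.nonces = {}                    # user name -> outstanding challenge nonce
        self.registered = set()

    def admit(self, user):
        """Operator / terminal-class decision on the IMSI or custom user name."""
        if user.isdigit() and len(user) == 15:   # IMSI: compare the MCC+MNC prefix
            return any(user.startswith(p) for p in ALLOWED_PLMNS)
        return user in ALLOWED_CUSTOM_USERS

    def register(self, user, uri, response=None):
        """Return (status, nonce): 401 with a challenge, 200 on success, 403 on refusal."""
        password = self.wpa_passwords.get(user)
        if not self.admit(user) or password is None:
            return 403, None
        if response is None or user not in self.nonces:
            self.nonces[user] = secrets.token_hex(16)
            return 401, self.nonces[user]
        nonce = self.nonces.pop(user)            # each challenge is single-use
        expected = digest_response(user, password, "REGISTER", uri, nonce)
        if hmac.compare_digest(expected.encode(), response.encode()):
            self.registered.add(user)
            return 200, None
        return 403, None

    def subscribe(self, user):
        """The identity/Ki subscription is accepted only after a successful REGISTER."""
        return 200 if user in self.registered else 403
```

Because the Digest password is the WPA/WPA2 password, every terminal that knows the first SSID's password can pass this check; the per-terminal distinction comes only from the user name decision in `admit`.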
Obviously, those skilled in the art should understand that each module or step of the invention described above can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device. In some cases, the steps shown or described can be performed in an order different from the one given here, or they can each be made into individual integrated circuit modules, or multiple modules or steps among them can be made into a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the invention and are not intended to limit it; for those skilled in the art, the invention may have various modifications and changes. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
Claims (8)
1. A network access processing method, characterized by comprising:
a wireless broadband router receiving an access request from a terminal for requesting access to a network;
the wireless broadband router performing authentication processing on the terminal's access to the network according to the access request, wherein performing authentication processing on the terminal's access to the network comprises: performing authentication processing on the terminal's access to the subnet covered by the wireless broadband router, and performing authentication processing on the terminal's access to the external network to which the wireless broadband router is connected;
before the wireless broadband router receives the access request from the terminal for requesting access to the network, the method further comprises:
the wireless broadband router publishing service set identifiers (SSIDs), wherein the SSIDs comprise a first SSID for identifying the subnet covered by the wireless broadband router and a second SSID for identifying the external network.
2. The method according to claim 1, characterized in that the wireless broadband router performing authentication processing on the terminal's access to the network according to the access request comprises:
obtaining the password with which the terminal accesses the subnet;
performing Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password;
in the case where the WPA/WPA2 authentication passes, performing Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information.
3. The method according to claim 2, characterized in that the terminal information comprises at least one of:
operator information of the terminal, category information of the terminal, identification information of the terminal.
4. The method according to claim 2, characterized in that performing the EAP-AKA authentication on the terminal's access to the external network according to the preset terminal information comprises:
obtaining the public identity with which the terminal accesses the external network and the key parameter for performing the EAP-AKA authentication;
performing the EAP-AKA authentication according to the obtained public identity and key parameter.
5. A network access processing apparatus, characterized in that it is applied to a wireless broadband router and comprises:
a receiving module, configured to receive an access request from a terminal for requesting access to a network;
a processing module, configured to perform authentication processing on the terminal's access to the network according to the access request, wherein performing authentication processing on the terminal's access to the network comprises: performing authentication processing on the terminal's access to the subnet covered by the wireless broadband router, and performing authentication processing on the terminal's access to the external network to which the wireless broadband router is connected;
and further comprises: a publishing module, configured to publish service set identifiers (SSIDs), wherein the SSIDs comprise a first SSID for identifying the subnet covered by the wireless broadband router and a second SSID for identifying the external network.
6. The apparatus according to claim 5, characterized in that the processing module comprises:
an obtaining unit, configured to obtain the password with which the terminal accesses the subnet;
a first authentication unit, configured to perform Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password;
a second authentication unit, configured to perform, in the case where the WPA/WPA2 authentication passes, Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information.
7. The apparatus according to claim 6, characterized in that the second authentication unit comprises:
an obtaining subunit, configured to obtain the public identity with which the terminal accesses the external network and the key parameter for performing the EAP-AKA authentication;
an authentication subunit, configured to perform the EAP-AKA authentication according to the obtained public identity and key parameter.
8. A network access processing system, characterized by comprising: a terminal, a core network and the wireless broadband router according to any one of claims 5 to 7, wherein the terminal is configured to interact with the wireless broadband router to complete the WPA/WPA2 authentication of the terminal's access to the subnet; and the core network is configured to interact with the wireless broadband router to complete the EAP-AKA authentication of the terminal's access to the external network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310556561.5A CN104640111B (en) | 2013-11-11 | 2013-11-11 | Network insertion processing method, apparatus and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104640111A CN104640111A (en) | 2015-05-20 |
CN104640111B CN104640111B (en) | 2019-06-11 |
Family
ID=53218317
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310556561.5A Active CN104640111B (en) | 2013-11-11 | 2013-11-11 | Network insertion processing method, apparatus and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104640111B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110583036B (en) * | 2017-05-29 | 2022-11-25 | 华为国际有限公司 | Network authentication method, network equipment and core network equipment |
US11202339B2 (en) * | 2019-04-10 | 2021-12-14 | Mediatek Inc. | Apparatuses and methods for packet distribution on multiple subscriber identities |
CN110769482B (en) * | 2019-09-16 | 2022-03-01 | 浙江大华技术股份有限公司 | Method and device for network connection of wireless equipment and wireless router equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1578487A (en) * | 2003-07-28 | 2005-02-09 | 华为技术有限公司 | Method for mobile terminal switching in packet network |
WO2006075616A1 (en) * | 2005-01-13 | 2006-07-20 | Matsushita Electric Industrial Co., Ltd. | Communication system, terminal device and communication device |
CN103052064A (en) * | 2011-10-13 | 2013-04-17 | 中国移动通信集团公司 | Method, equipment and system for accessing private services of operator |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005051473A (en) * | 2003-07-28 | 2005-02-24 | Sony Corp | Network interconnection device, network interconnection method, name solving device, and computer program |
CN101562814A (en) * | 2009-05-15 | 2009-10-21 | 中兴通讯股份有限公司 | Access method and system for a third-generation network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||