CN104640111B - Network insertion processing method, apparatus and system - Google Patents


Info

Publication number
CN104640111B
Authority
CN
China
Prior art keywords
terminal
network
wireless broadband
access
broadband router
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310556561.5A
Other languages
Chinese (zh)
Other versions
CN104640111A (en
Inventor
薛明星
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W48/16 Discovering, processing access restriction or access information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides a network access processing method, apparatus and system. The method comprises: a wireless broadband router receives an access request from a terminal requesting access to a network; the wireless broadband router performs authentication processing on the terminal's network access according to the access request, wherein this authentication processing comprises authenticating the terminal's access to the subnet covered by the wireless broadband router and authenticating the terminal's access to the external network to which the wireless broadband router is connected. The invention solves the problem in the related art that terminals not under the operator's network are also allowed to access the network of that standard and use its resources, which consumes network resources, and thereby achieves the effect that the wireless broadband router authenticates terminal network access so that terminal access can be better managed and controlled.

Description

Network insertion processing method, apparatus and system
Technical field
The present invention relates to the communications field, and in particular to a network access processing method, apparatus and system.
Background art
A wireless broadband router is an extended product that combines a wireless LAN access point and a broadband router in one device. It not only has all the functions of a pure wireless access point (Access Point, AP), for example support for a Dynamic Host Configuration Protocol (DHCP) client, support for Virtual Private Networks (VPN), a firewall, and support for Wired Equivalent Privacy (WEP) encryption, but also includes a Network Address Translation (NAT) function that lets LAN users share a network connection. It can share the Internet connection in a home wireless network and provide wireless shared access over Long Term Evolution (LTE) or third-generation mobile communication technology (3G). A wireless broadband router is portable and can be moved at any time; it supports Internet access for all kinds of WLAN devices and extends the coverage of the mobile network and the range of terminal types that can access it, for example tablet computers and other mobile devices without a Subscriber Identity Module (SIM) / Universal Subscriber Identity Module (USIM) card, or any terminal that supports WLAN access.
For domestic operators, a very important part of market competition is to develop more users and sell more mobile phones that use the operator's network standard. With the appearance of wireless broadband routers with LTE/3G access capability, terminals that are not under the operator's network are also allowed to access the network of that standard and use its resources.
Therefore, the related art has the problem that terminals not under the operator's network are also allowed to access the network of that standard and use its resources, which consumes network resources.
Summary of the invention
The present invention provides a network access processing method and apparatus, to at least solve the problem in the related art that terminals not under the operator's network are also allowed to access the network of that standard and use its resources, which consumes network resources.
According to one aspect of the invention, a network access processing method is provided, comprising: a wireless broadband router receives an access request from a terminal requesting access to a network; the wireless broadband router performs authentication processing on the terminal's network access according to the access request, wherein this authentication processing comprises: authenticating the terminal's access to the subnet covered by the wireless broadband router, and authenticating the terminal's access to the external network to which the wireless broadband router is connected.
Preferably, before the wireless broadband router receives the access request from the terminal requesting access to the network, the method further comprises: the wireless broadband router publishes service set identifiers (SSIDs), wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network.
Preferably, the wireless broadband router performing authentication processing on the terminal's network access according to the access request comprises: obtaining the password with which the terminal accesses the subnet; performing Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password; and, when the WPA/WPA2 authentication passes, performing Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information.
Preferably, the terminal information includes at least one of: the operator information of the terminal, the category information of the terminal, and the identification information of the terminal.
Preferably, performing the EAP-AKA authentication on the terminal's access to the external network according to the preset terminal information comprises: obtaining the public identity with which the terminal accesses the external network and the key parameter used for the EAP-AKA authentication; and performing the EAP-AKA authentication according to the obtained public identity and key parameter.
According to another aspect of the invention, a network access processing apparatus applied to a wireless broadband router is provided, comprising: a receiving module, configured to receive an access request from a terminal requesting access to a network; and a processing module, configured to perform authentication processing on the terminal's network access according to the access request, wherein this authentication processing comprises: authenticating the terminal's access to the subnet covered by the wireless broadband router, and authenticating the terminal's access to the external network to which the wireless broadband router is connected.
Preferably, the apparatus further comprises: a publishing module, configured to publish service set identifiers (SSIDs), wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network.
Preferably, the processing module comprises: an obtaining unit, configured to obtain the password with which the terminal accesses the subnet; a first authentication unit, configured to perform Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password; and a second authentication unit, configured to perform, when the WPA/WPA2 authentication passes, EAP-AKA authentication on the terminal's access to the external network according to preset terminal information.
Preferably, the second authentication unit comprises: an obtaining subunit, configured to obtain the public identity with which the terminal accesses the external network and the key parameter used for the EAP-AKA authentication; and an authentication subunit, configured to perform the EAP-AKA authentication according to the obtained public identity and key parameter.
According to yet another aspect of the invention, a network access processing system is provided, comprising: a terminal, a core network and the wireless broadband router of any of the above, wherein the terminal is configured to interact with the wireless broadband router to complete the WPA/WPA2 authentication of the terminal's access to the subnet, and the core network is configured to interact with the wireless broadband router to complete the EAP-AKA authentication of the terminal's access to the external network.
With the invention, a wireless broadband router receives an access request from a terminal requesting access to a network, and the wireless broadband router performs authentication processing on the terminal's network access according to the access request, wherein this authentication processing comprises authenticating the terminal's access to the subnet covered by the wireless broadband router and authenticating the terminal's access to the external network to which the wireless broadband router is connected. This solves the problem in the related art that terminals not under the operator's network are also allowed to access the network of that standard and use its resources, which consumes network resources, and thereby achieves the effect that the wireless broadband router authenticates terminal network access so that terminal access can be better managed and controlled.
Brief description of the drawings
The drawings described here provide a further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of the network access processing method according to an embodiment of the invention;
Fig. 2 is a structural block diagram of the network access processing apparatus according to an embodiment of the invention;
Fig. 3 is a preferred structural block diagram of the network access processing apparatus according to an embodiment of the invention;
Fig. 4 is a structural block diagram of the processing module 24 in the network access processing apparatus according to an embodiment of the invention;
Fig. 5 is a structural block diagram of the second authentication unit 46 in the processing module 24 of the network access processing apparatus according to an embodiment of the invention;
Fig. 6 is a structural block diagram of the network access processing system according to an embodiment of the invention;
Fig. 7 is a schematic diagram of the network architecture of the preferred embodiment of the invention;
Fig. 8 is a schematic structural diagram of the wireless broadband router of the preferred embodiment of the invention;
Fig. 9 is a schematic architecture diagram of the WLAN terminal according to the preferred embodiment of the invention;
Fig. 10 is a flowchart of WLAN terminal access with IMS network authentication according to the preferred embodiment of the invention.
Detailed description of the embodiments
The invention is described in detail below with reference to the drawings and in combination with the embodiments. It should be noted that, where they do not conflict, the embodiments of this application and the features in the embodiments can be combined with each other.
This embodiment provides a network access processing method. Fig. 1 is a flowchart of the network access processing method according to an embodiment of the invention. As shown in Fig. 1, the procedure includes the following steps:
Step S102: the wireless broadband router receives an access request from a terminal requesting access to a network;
Step S104: the wireless broadband router performs authentication processing on the terminal's network access according to the access request, wherein this authentication processing comprises: authenticating the terminal's access to the subnet covered by the wireless broadband router, and authenticating the terminal's access to the external network to which the wireless broadband router is connected.
Through the above steps, the wireless broadband router authenticates the terminal's access to the subnet covered by the wireless broadband router and authenticates the terminal's access to the external network to which the wireless broadband router is connected. Compared with the related art, in which a terminal directly accesses, through a wireless broadband router, a network to which it does not belong and thereby consumes network resources, this not only solves the problem of operator network resource consumption but also allows corresponding management and control of a terminal's access to a network it does not belong to, correspondingly improving user experience.
Preferably, before the wireless broadband router receives the access request from the terminal requesting access to the network, the method further comprises: the wireless broadband router publishes service set identifiers (SSIDs), wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network. Processed in this way, the terminal can request the corresponding authentication by carrying a service set identifier in the access request. Authentication processing of the terminal's network access is performed separately according to which service set identifier is carried, as illustrated below.
The wireless broadband router performing authentication processing on the terminal's network access according to the access request may include the following processing. For example: obtain the password with which the terminal accesses the subnet, and perform Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password; when the authentication passes, the wireless broadband router assigns the terminal a first IP address, where the first IP address is the address assigned to the terminal for accessing the WLAN intranet of the wireless broadband router when WPA/WPA2 authentication of the terminal's access request carrying the first SSID passes; and/or, when the WPA/WPA2 authentication passes, perform Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information, where the terminal information can be of several kinds, for example at least one of: the operator information of the terminal, the category information of the terminal, and the identification information of the terminal; when the EAP-AKA authentication passes, the wireless broadband router assigns the terminal a second IP address, where the second IP address is the address assigned to the terminal for accessing the external packet link network of the wireless broadband router when EAP-AKA authentication of the terminal's access request carrying the second SSID passes.
In addition, depending on the terminal information, the way the terminal's access to the external network is authenticated may also differ. For example, when the terminal information is the terminal's public identity and the key parameter for EAP-AKA authentication: first, obtain the public identity with which the terminal accesses the external network and the key parameter used for EAP-AKA authentication; then perform EAP-AKA authentication according to the obtained public identity and key parameter. It should be noted that the public identity may be stored in the wireless broadband router when WPA/WPA2 authentication succeeds, or may be carried in a message returned by the core network to the wireless broadband router. The key parameter may be a parameter pre-stored in the wireless broadband router, agreed earlier, when the user information was subscribed in the core network, as the key parameter shared by the public identities corresponding to the terminal.
On the terminal side, the terminal sends the wireless broadband router an access request requesting access to the network; the terminal receives the response result of the wireless broadband router's processing of the terminal's network access according to the access request; and the terminal performs network access authentication processing according to the response result. Through the above steps, the wireless broadband router authenticates the terminal's access to the subnet covered by the wireless broadband router and authenticates the terminal's access to the external network to which the wireless broadband router is connected. Compared with the related art, in which a terminal directly accesses, through a wireless broadband router, a network to which it does not belong and thereby consumes network resources, this not only solves the problem of operator network resource consumption but also allows corresponding management and control of a terminal's access to a network it does not belong to, correspondingly improving user experience.
Corresponding to the above processing on the wireless broadband router, the terminal side performs corresponding operations: before the terminal sends the wireless broadband router the access request requesting access to the network, the method further comprises: receiving the service set identifiers (SSIDs) published by the wireless broadband router, wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network.
Likewise, after sending the wireless broadband router access requests carrying different service set identifiers, the response results that the terminal receives from the wireless broadband router's processing of its network access may include the following: the terminal receives a first IP address assigned by the wireless broadband router, where the first IP address is the address assigned to the terminal for accessing the WLAN intranet of the wireless broadband router when WPA/WPA2 authentication of the terminal's access request carrying the first SSID passes; and/or the terminal receives a second IP address assigned by the wireless broadband router, where the second IP address is the address assigned to the terminal for accessing the external packet link network of the wireless broadband router when EAP-AKA authentication of the terminal's access request carrying the second SSID passes.
This embodiment also provides a network access processing apparatus, which implements the above embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a structural block diagram of the network access processing apparatus according to an embodiment of the invention. As shown in Fig. 2, the apparatus is applied to a wireless broadband router and includes a receiving module 22 and a processing module 24. The apparatus is described below.
The receiving module 22 is configured to receive an access request from a terminal requesting access to a network. The processing module 24 is connected to the receiving module 22 and is configured to perform authentication processing on the terminal's network access according to the access request, wherein this authentication processing comprises: authenticating the terminal's access to the subnet covered by the wireless broadband router, and authenticating the terminal's access to the external network to which the wireless broadband router is connected.
Fig. 3 is a preferred structural block diagram of the network access processing apparatus according to an embodiment of the invention. As shown in Fig. 3, in addition to all the modules shown in Fig. 2, the apparatus includes a publishing module 32, which is described below.
The publishing module 32 is connected to the receiving module 22 and is configured to publish service set identifiers (SSIDs), wherein the SSIDs include a first SSID identifying the subnet covered by the wireless broadband router and a second SSID identifying the external network.
Fig. 4 is a structural block diagram of the processing module 24 in the network access processing apparatus according to an embodiment of the invention. As shown in Fig. 4, the processing module 24 includes an obtaining unit 42, a first authentication unit 44 and a second authentication unit 46. The processing module 24 is described below.
The obtaining unit 42 is configured to obtain the password with which the terminal accesses the subnet. The first authentication unit 44 is connected to the obtaining unit 42 and is configured to perform Wi-Fi Protected Access (WPA/WPA2) authentication on the terminal's access to the subnet using the MD5 authentication method according to the password. The second authentication unit 46 is connected to the first authentication unit 44 and is configured to perform, when the WPA/WPA2 authentication passes, EAP-AKA authentication on the terminal's access to the external network according to preset terminal information.
Fig. 5 is a structural block diagram of the second authentication unit 46 in the processing module 24 of the network access processing apparatus according to an embodiment of the invention. As shown in Fig. 5, the second authentication unit 46 includes an obtaining subunit 52 and an authentication subunit 54. The second authentication unit 46 is described below.
The obtaining subunit 52 is configured to obtain the public identity with which the terminal accesses the external network and the key parameter used for EAP-AKA authentication. The authentication subunit 54 is connected to the obtaining subunit 52 and is configured to perform EAP-AKA authentication according to the obtained public identity and key parameter.
This embodiment also provides a network access processing system. Fig. 6 is a structural block diagram of the network access processing system according to an embodiment of the invention. As shown in Fig. 6, the network access processing system 60 includes a terminal 62, a core network 64 and the wireless broadband router 66 of any of the above. The system is described below.
The terminal 62 is configured to interact with the wireless broadband router 66 to complete the WPA/WPA2 authentication of the terminal's access to the subnet. The core network 64 is configured to interact with the wireless broadband router 66 to complete the EAP-AKA authentication of the terminal's access to the external network.
In view of the above problems in the related art, this embodiment provides a system architecture and method for the case where a terminal accesses, through a wireless broadband device, a network to which it does not itself belong: the IP Multimedia Subsystem (IMS) core network completes access authentication of the WLAN terminal under the wireless broadband router, and the wireless broadband router accesses the mobile network using LTE or 3G. The operator's network can be accessed and used through the wireless broadband router, which makes using network resources more convenient.
The implementation method on the wireless broadband router, the implementation method on the WLAN terminal, the network system architecture, and the method of interaction among the wireless broadband router, the WLAN terminal and the network, as provided by the above embodiments and preferred embodiments, enable the operator to control the terminals that access through the WLAN coverage provided by LTE/3G wireless broadband routers in its network. Access authentication of the WLAN terminal uses an authentication method of the same security level as that of terminals under the LTE/3G network, and the number and category of terminals that may access can be configured on the network side, or whether to allow access can be decided according to other parameters obtainable from ordinary terminals.
It should be noted that the wireless broadband router of the embodiments of the invention and the IMS core network can interact using normal IMS signalling, and interaction with the WLAN terminal can use the Session Initiation Protocol (SIP) and the Extensible Authentication Protocol (EAP). A custom procedure can be used for interaction between the WLAN terminal and the wireless broadband router, and network-side equipment needs no changes.
The embodiments of the invention are described below with reference to the drawings.
Fig. 7 is a schematic diagram of the network architecture of the preferred embodiment of the invention. As shown in Fig. 7, external network access of the wireless broadband router includes wireless network access such as 3G or LTE (Fig. 7 shows LTE access); internal network access uses WLAN technology, and terminals on the internal network can interact with the gateway over the WLAN. The Evolved Packet System (EPC) interfaces with the network elements of the IMS core network, and the wireless broadband router can access the IMS network through the packet link provided by the LTE network.
Fig. 8 is a schematic structural diagram of the wireless broadband router of the preferred embodiment of the invention. As shown in Fig. 8, the structure includes the following parts. The Wi-Fi Driver provides the Wi-Fi device driver and data link layer encapsulation in the WLAN. The Wi-Fi Protected Access (WPA)/WPA2 Authenticator provides the wireless broadband router's WPA/WPA2 authentication function during WLAN terminal access. The EAP Server provides the wireless broadband router's support for the EAP-AKA authentication function during WLAN terminal access. The TCP/IP protocol stack provides encapsulation and parsing of IP-layer and transport-layer data and provides an IP data send/receive interface to applications. The IMS Proxy provides two functions: one is the client function by which the wireless broadband router registers with the IMS core network as an IMS terminal; the other is encapsulating the WLAN terminal's EAP-AKA requests in IMS signalling and passing the authentication request to the IMS core network for processing. The DHCP Server decides, according to the access authentication result, whether to assign a legitimate IP address to the WLAN terminal. For terminals accessing by the two different authentication modes, WPA/WPA2 and EAP-AKA, the DHCP Server assigns two different classes of IP address: a terminal that accesses via WPA/WPA2 authentication is assigned an IP address that cannot access the external packet network through the wireless broadband router, whereas a terminal that accesses via EAP-AKA authentication is, after authentication succeeds, assigned an IP address with which it can access the external packet network through the wireless broadband router. The Access Controller implements the upper-layer access control logic, combining the two different authentication access modes with the authentication procedure of the external IMS network. The Wi-Fi driver supports the wireless broadband router publishing two different WLAN Service Set Identifiers (SSIDs).
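The two address classes handed out by the DHCP Server can be modelled as follows. This is an added example, not code from the patent; the pool ranges, MAC addresses, class name and method names are constructed for illustration, and tying the forwarding decision to the lease table rather than to the source address alone is an assumption about how a router would enforce the restriction.

```python
import ipaddress

# Constructed address plan (not from the patent): one pool per authentication mode.
INTRANET_POOL = ipaddress.ip_network("192.168.10.0/24")  # "IP1" class: WPA/WPA2 passed
EXTERNAL_POOL = ipaddress.ip_network("192.168.20.0/24")  # "IP2" class: EAP-AKA passed
POOLS = {"wpa": INTRANET_POOL, "eap-aka": EXTERNAL_POOL}


class AccessController:
    """Hypothetical model of the DHCP Server and Access Controller roles in Fig. 8."""

    def __init__(self):
        # Skip the first host address of each pool; it is kept for the router itself.
        self._free = {m: list(net.hosts())[1:] for m, net in POOLS.items()}
        self._leases = {}  # terminal MAC -> (authentication method, leased address)

    def lease(self, mac, method, auth_passed):
        """Assign an address whose class matches the authentication that passed."""
        if not auth_passed or method not in POOLS:
            return None  # no legitimate address without a successful authentication
        if not self._free[method]:
            return None  # pool exhausted
        previous = self._leases.pop(mac, None)
        if previous is not None:
            # The terminal moved from one SSID to the other: give the old address back.
            self._free[previous[0]].insert(0, previous[1])
        address = self._free[method].pop(0)
        self._leases[mac] = (method, address)
        return address

    def may_forward(self, mac, src, dst):
        """Decide whether a packet from this terminal may be forwarded to dst."""
        src = ipaddress.ip_address(src)
        dst = ipaddress.ip_address(dst)
        lease = self._leases.get(mac)
        # A source address that is not this terminal's current lease is dropped, so a
        # statically configured address from the external pool gains nothing.
        if lease is None or lease[1] != src:
            return False
        # Traffic that stays inside the router's own WLAN is allowed for both classes.
        if any(dst in net for net in POOLS.values()):
            return True
        # Only the EAP-AKA class may leave through the LTE/3G uplink.
        return lease[0] == "eap-aka"


if __name__ == "__main__":
    ac = AccessController()
    mac = "aa:bb:cc:00:00:01"          # constructed terminal MAC
    ip1 = ac.lease(mac, "wpa", True)
    print(ip1, ac.may_forward(mac, ip1, "203.0.113.7"))
    ip2 = ac.lease(mac, "eap-aka", True)
    print(ip2, ac.may_forward(mac, ip2, "203.0.113.7"))
```
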
Corresponding with function structure on wireless broadband router to be, there is also correspondences for function structure on WLAN terminal Modules, Fig. 9 is the configuration diagram of WLAN terminal according to the preferred embodiment of the invention, as shown in figure 9, should WLAN terminal includes: WPA/WPA2client(client), it is connect to execute terminal with WPA/WPA2 authentication mode The function of client when entering WLAN;EAP-AKA client realizes terminal and is accessing nothing with EAP-AKA authentication mode Client functionality when line local area network;IMS client is to carry out IMS registration and subscribe to process;DHCP client is to prop up Hold the IP address dynamic allocation procedure after the authentication is passed.
Figure 10 is a flowchart of WLAN terminal access with IMS network authentication according to the preferred embodiment of the invention. As shown in Figure 10, the flow includes the following steps:
Step S1002: the wireless broadband router attaches and registers to the EPC network; that is, after starting its Wi-Fi access point function, the wireless broadband router publishes two different SSIDs.
Step S1004: immediately after attaching to the LTE network and establishing the default IP connection, the wireless broadband router initiates the registration procedure to the IMS core network. Authentication uses the AKA method, with the public identity stored in the USIM/ISIM card in the wireless broadband router.
Step S1006: after registration succeeds, the IMS Proxy on the wireless broadband router, acting as an IMS client, initiates a subscription request for the current registration status of the other public identities associated with the user corresponding to the USIM/ISIM card. The IMS core accepts the request and notifies the wireless broadband router of the registration status of the other public identities through a Notify message.
Step S1008: under the control of the Access Client application, the terminal first accesses the SSID corresponding to WPA/WPA2 authentication. After the terminal completes WPA/WPA2 authentication, the wireless broadband router allocates an intranet address IP1 to the terminal through the DHCP procedure, and this IP address is restricted from accessing the external network.
Step S1010: after obtaining IP1, the terminal's Access Client initiates a SIP registration procedure using IP1. The registration request is handled by the IMS Proxy on the wireless broadband router, and the registration procedure uses the MD5 Digest authentication method. For a terminal that uses a USIM/ISIM card, the user name required for MD5 Digest authentication is the IMSI number. For a terminal without a USIM/ISIM card, such as an iPad, the user name is configured offline and managed by the Access Client on the terminal and the Access Controller on the wireless broadband router. The password is the password used in WPA/WPA2 access authentication. After receiving the terminal's SIP registration request, the wireless broadband router makes a decision based on the IMSI or customized user name carried in the Request-URI header field of the registration request initiated by the terminal; the decision logic includes identifying the terminal's operator or terminal category, and deciding on that basis whether to reject the terminal's registration request. If the request is accepted, an MD5 authentication challenge is returned. After receiving it, the IMS client on the terminal calculates the authentication result, rebuilds the packet and sends the SIP registration request again; after successful verification, the wireless broadband router returns a SIP 200 OK message indicating successful registration. Because the terminal user name required for MD5 authentication is carried in the registration request, the wireless broadband router does not need the terminal user name to be configured in advance; it only needs to obtain the terminal access password from the WPA/WPA2 authenticator.
Immediately afterwards, the terminal's Access Client notifies the IMS client to initiate a SIP subscription (Subscribe) request procedure. In this subscription procedure the terminal requests the identity stored in the wireless broadband router and the key parameter Ki required in the AKA authentication process. This identity is a public identity (IMPU) associated with the IMS private identity (IMPI) in the wireless broadband router's USIM/ISIM card; these IMPUs may be stored in the USIM/ISIM, or may be carried by the IMS core network in the registration success message returned during the wireless broadband router's IMS registration. The Ki parameter is the Ki parameter prestored in the USIM/ISIM card on the wireless broadband router, and it is specified as shared by this group of public identities when the user subscription information (IMS Subscription) is registered in the HSS of the IMS core network. The Authorization header field in the terminal's Subscribe request contains the authentication information from the preceding registration procedure, which ensures that only a terminal that has passed the registration procedure can initiate the procedure of subscribing to the identity and the Ki parameter. After the wireless broadband router receives the subscription request, it registers the subscription request and replies with success; the Access Controller allocates a stored public identity, which is distributed through a SIP Notify message. After the terminal obtains the public identity and the Ki parameter, the Access Client notifies the EAP client to initiate the EAP-AKA procedure; at this point the terminal selects the other SSID published by the wireless broadband router and initiates the association operation.
Step S1012: the EAP Server on the wireless broadband router triggers the EAP-AKA authentication and authorization procedure, first requesting the terminal's identity; the terminal immediately replies with the public identity obtained earlier.
Step S1014: after determining to accept the terminal's access request for EAP-AKA authentication, the IMS Proxy on the wireless broadband router builds a new SIP registration request whose identity is the public identity reported by the terminal in the EAP message. The message is sent to the IMS core network, and the network side returns an AKA authentication challenge.
Step S1016: the IMS Proxy parses this authentication challenge out of the SIP signaling, encapsulates it into an EAP-Request message and sends it to the WLAN terminal. The terminal calculates the authentication result using the Ki parameter obtained in the subscription procedure and the challenge parameters, and sends it to the wireless broadband router in an EAP-Response message.
Step S1018: the IMS Proxy then parses the AKA authentication result parameters, packs them into a SIP registration request and sends it to the IMS network; after authentication passes, the network side replies with SIP 200 OK to indicate success.
Step S1020: on receiving the success message, the IMS Proxy on the wireless broadband router notifies the Access Controller, which notifies the EAP Server to reply EAP-Success to the terminal; the EAP-AKA authenticated access procedure is then complete. The terminal then initiates the DHCP procedure to request an IP address again; this time the Access Controller notifies the DHCP Server on the wireless broadband router to allocate IP address IP2, and IP2 can access the external packet network.
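The gating that steps S1008 to S1020 describe can be modelled on the router side as follows. This is an added example, not code from the patent: the class and method names, SSID labels, realm and sample identities are constructed, the digest is the RFC 2617 form without qop, and the AKA computation is represented only by the IMS core's accept/reject verdict. WPA/WPA2 association is assumed to have completed before any of these calls.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class AccessController:
    """Hypothetical router-side gate tracking each terminal's progress."""

    REALM = "router.example"  # constructed realm

    def __init__(self, wpa_password, allowed_prefixes, impu, ki):
        self.wpa_password = wpa_password  # same secret as WPA/WPA2 access
        self.allowed_prefixes = tuple(allowed_prefixes)
        self.impu, self.ki = impu, ki
        self.nonces = {}  # user -> outstanding challenge
        self.state = {}   # user -> "registered" or "eap_ok"

    def register(self, user, uri, response=None):
        # S1010: decide on the user name carried in the Request-URI.
        if not user.startswith(self.allowed_prefixes):
            return 403, None
        nonce = self.nonces.pop(user, None)
        if response is None or nonce is None:
            self.nonces[user] = secrets.token_hex(16)
            return 401, self.nonces[user]
        expected = digest_response(user, self.REALM, self.wpa_password,
                                   "REGISTER", uri, nonce)
        if not hmac.compare_digest(expected, response):
            return 403, None
        self.state[user] = "registered"
        return 200, None

    def subscribe(self, user):
        # Only a terminal that passed registration may fetch IMPU and Ki.
        if self.state.get(user) not in ("registered", "eap_ok"):
            return 403, None
        return 200, (self.impu, self.ki)

    def eap_aka_result(self, user, core_accepted):
        # S1018-S1020: the IMS core's verdict on the AKA response.
        if self.state.get(user) == "registered" and core_accepted:
            self.state[user] = "eap_ok"
            return "EAP-Success"
        return "EAP-Failure"

    def dhcp_lease(self, user, ssid):
        # IP1 (first SSID) is restricted; IP2 requires EAP-AKA success.
        if ssid == "ssid-eap" and self.state.get(user) == "eap_ok":
            return {"pool": "IP2", "external": True}
        if ssid == "ssid-wpa":
            return {"pool": "IP1", "external": False}
        return None
```

Each nonce is consumed on use, so a captured digest response cannot be replayed against a later challenge.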
Obviously, those skilled in the art should understand that each module or step of the present invention described above can be implemented with a general-purpose computing device. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described can be performed in an order different from the one given here, or they can each be made into an individual integrated circuit module, or multiple modules or steps among them can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above are only the preferred embodiments of the present invention and are not intended to limit the invention; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (8)

1. A network access processing method, characterized by comprising:
a wireless broadband router receiving an access request from a terminal for requesting access to a network;
the wireless broadband router performing authentication processing on the terminal's access to the network according to the access request, wherein performing authentication processing on the terminal's access to the network comprises: performing authentication processing on the terminal's access to the subnet covered by the wireless broadband router, and performing authentication processing on the terminal's access to the external network to which the wireless broadband router is connected;
before the wireless broadband router receives the access request from the terminal for requesting access to the network, the method further comprises:
the wireless broadband router publishing service set identifiers (SSIDs), wherein the SSIDs include a first SSID for identifying the subnet covered by the wireless broadband router and a second SSID for identifying the external network.
2. The method according to claim 1, characterized in that the wireless broadband router performing authentication processing on the terminal's access to the network according to the access request comprises:
obtaining the password with which the terminal accesses the subnet;
performing Wi-Fi Protected Access WPA/WPA2 authentication on the terminal's access to the subnet using the MD5 authentication method according to the password;
in the case where the WPA/WPA2 authentication passes, performing Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information.
3. The method according to claim 2, characterized in that the terminal information includes at least one of:
operator information of the terminal, category information of the terminal, identification information of the terminal.
4. The method according to claim 2, characterized in that performing the EAP-AKA authentication on the terminal's access to the external network according to the preset terminal information comprises:
obtaining the public identity with which the terminal accesses the external network and the key parameter for performing the EAP-AKA authentication;
performing the EAP-AKA authentication according to the obtained public identity and key parameter.
5. A network access processing apparatus, characterized in that it is applied to a wireless broadband router and comprises:
a receiving module, for receiving an access request from a terminal for requesting access to a network;
a processing module, for performing authentication processing on the terminal's access to the network according to the access request, wherein performing authentication processing on the terminal's access to the network comprises: performing authentication processing on the terminal's access to the subnet covered by the wireless broadband router, and performing authentication processing on the terminal's access to the external network to which the wireless broadband router is connected;
and further comprises: a publishing module, for publishing service set identifiers (SSIDs), wherein the SSIDs include a first SSID for identifying the subnet covered by the wireless broadband router and a second SSID for identifying the external network.
6. The apparatus according to claim 5, characterized in that the processing module comprises:
an obtaining unit, for obtaining the password with which the terminal accesses the subnet;
a first authentication unit, for performing Wi-Fi Protected Access WPA/WPA2 authentication on the terminal's access to the subnet using the MD5 authentication method according to the password;
a second authentication unit, for performing, in the case where the WPA/WPA2 authentication passes, Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) authentication on the terminal's access to the external network according to preset terminal information.
7. The apparatus according to claim 6, characterized in that the second authentication unit comprises:
an obtaining subunit, for obtaining the public identity with which the terminal accesses the external network and the key parameter for performing the EAP-AKA authentication;
an authentication subunit, for performing the EAP-AKA authentication according to the obtained public identity and key parameter.
8. A network access processing system, characterized by comprising: a terminal, a core network and the wireless broadband router according to any one of claims 5 to 7, wherein the terminal is used to interact with the wireless broadband router to complete the WPA/WPA2 authentication performed on the terminal's access to the subnet; and the core network is used to interact with the wireless broadband router to complete the EAP-AKA authentication performed on the terminal's access to the external network.
CN201310556561.5A 2013-11-11 2013-11-11 Network insertion processing method, apparatus and system Active CN104640111B (en)

Publications (2)

Publication Number Publication Date
CN104640111A CN104640111A (en) 2015-05-20
CN104640111B true CN104640111B (en) 2019-06-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant