CN105530687A - Wireless network access control method and access device - Google Patents

Wireless network access control method and access device

Info

Publication number: CN105530687A
Authority: CN (China)
Prior art keywords: user terminal, access, access device, message, described user
Legal status: Granted
Application number: CN201610078502.5A
Other languages: Chinese (zh)
Other versions: CN105530687B
Inventors: 熊微, 徐雷
Assignee (current and original): China United Network Communications Group Co Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 48/00: Access restriction; network selection; access point selection
    • H04W 48/16: Discovering, processing access restriction or access information

Abstract

The invention provides a wireless network access control method and an access device, in the field of communication technology. The method assigns a split point (an offload access device) to a user terminal that requests access through the access device, which markedly improves traffic offloading, raises the transmission efficiency of the wireless network and relieves its load. The method comprises: the access device receives an access request sent by the user terminal and sends a response message to the user terminal according to that request; it receives the authentication information sent by the user terminal and forwards it to an authenticating device, which judges whether the authentication information is correct; and it receives the verification-success messages sent by the authenticating device. If the access device receives at least two verification-success messages, it sets a split point for the user terminal so that the user terminal accesses the network through the split point set by the access device. At least two verification-success messages indicate that at least two user terminals are requesting network access through the same access device.

Description

A wireless network access control method and access device
Technical field
The present invention relates to the field of communication technology, and in particular to a wireless network access control method and an access device.
Background technology
Wireless networks offer mobility, portability and immediacy, and they are used in more and more places. At the same time, as wireless access technology develops, higher data rates, growing numbers of users and higher per-user transmission speeds all place higher demands on the performance of core-network elements.
At present, multiple user terminals may request access to the same access device and reach the network through it. This places a heavy load on the wireless network and seriously hinders the growth of its transmission rate.
Summary of the invention
Embodiments of the present invention provide a wireless network access control method and an access device that assign a split point to a user terminal requesting access through the access device. This markedly improves traffic offloading, raises the transmission efficiency of the wireless network and relieves its load.
To achieve the above object, the embodiments of the present invention adopt the following technical scheme.
In a first aspect, a wireless network access control method is disclosed, comprising:
the access device receives an access request sent by a user terminal and sends a response message to the user terminal according to the access request, the response message instructing the user terminal to provide its own authentication information;
the access device receives the authentication information sent by the user terminal and sends it to an authenticating device, so that the authenticating device judges whether the authentication information is correct;
the access device receives a verification-success message sent by the authenticating device, the verification-success message indicating that the user terminal's authentication information is correct;
if the access device receives at least two verification-success messages, it sets a split point for the user terminal so that the user terminal accesses the network through the split point set for it by the access device. The split point is an access device able to offload traffic from this access device; at least two verification-success messages indicate that at least two user terminals are requesting network access through this access device.
In a first possible implementation of the first aspect, setting a split point for the user terminal so that it accesses the network through the split point specifically comprises:
the access device obtains the gateway address of the user terminal;
the access device sets a split point for the user terminal according to the user terminal's gateway address;
the access device sends the gateway address of the split point set for the user terminal to the user terminal, so that the user terminal accesses the network through the split point.
In a second possible implementation of the first aspect, the authentication information comprises a user name, an access password and the public key of the user terminal.
In a third possible implementation of the first aspect, building on the second, the verification-success message is the response message that the user terminal generates from the challenge message of the authenticating device;
before the access device receives the verification-success message sent by the authenticating device, the method further comprises:
the access device receives an encrypted challenge message sent by the authenticating device, the encrypted challenge message being obtained by the authenticating device encrypting a challenge message with the user terminal's public key;
the access device forwards the encrypted challenge message to the user terminal;
the access device receives the response message from the user terminal, forwarded by the authenticating device; the response message is generated by the user terminal from the challenge message after it has decrypted the encrypted challenge message with its own private key.
In a fourth possible implementation of the first aspect, if the access device receives only one verification-success message, it opens wireless network access and allows the user terminal to access the network through the access device.
In a fifth possible implementation of the first aspect, building on the fourth, after the access device opens wireless network access and allows the user terminal to access the network through it, the method further comprises:
the access device establishes a control channel with the user terminal;
the access device receives an initial session key sent by the authenticating device;
the access device generates a current session key from the initial session key and encrypts the current session key with the initial session key to obtain a session ciphertext;
the access device sends the session ciphertext to the user terminal, so that the user terminal decrypts it to obtain the current session key;
the access device establishes a session channel with the user terminal.
In a second aspect, an access device is disclosed, comprising:
a receiving unit for receiving an access request sent by a user terminal;
a transmitting unit for sending a response message to the user terminal according to the access request received by the receiving unit, the response message instructing the user terminal to provide its own authentication information;
the receiving unit is further configured to receive the authentication information sent by the user terminal;
the transmitting unit is configured to send the authentication information to an authenticating device, so that the authenticating device judges whether the authentication information is correct;
the receiving unit is further configured to receive a verification-success message sent by the authenticating device, the verification-success message indicating that the user terminal's authentication information is correct;
a setting unit for, if the receiving unit receives at least two verification-success messages, setting a split point for the user terminal so that the user terminal accesses the network through the split point set for it by the access device; the split point is an access device able to offload traffic from this access device, and at least two verification-success messages indicate that at least two user terminals are requesting network access through this access device.
In a first possible implementation of the second aspect, the setting unit is specifically configured to obtain the gateway address of the user terminal and to set a split point for the user terminal according to that gateway address;
the transmitting unit is further configured to send the gateway address of the split point set for the user terminal to the user terminal, so that the user terminal accesses the network through the split point.
In a second possible implementation of the second aspect, the authentication information comprises a user name, an access password and the public key of the user terminal.
In a third possible implementation of the second aspect, building on the second, the verification-success message is the response message that the user terminal generates from the challenge message of the authenticating device;
the receiving unit is further configured to receive an encrypted challenge message sent by the authenticating device, the encrypted challenge message being obtained by the authenticating device encrypting a challenge message with the user terminal's public key;
the transmitting unit is further configured to forward the encrypted challenge message to the user terminal;
the receiving unit is further configured to receive the response message from the user terminal, forwarded by the authenticating device; the response message is generated by the user terminal from the challenge message after it has decrypted the encrypted challenge message with its own private key.
In a fourth possible implementation of the second aspect, the access device further comprises an access unit,
the access unit being configured to open wireless network access and allow the user terminal to access the network through the access device if the receiving unit receives only one verification-success message.
In a fifth possible implementation of the second aspect, building on the fourth, the access device further comprises an establishing unit and an encrypting unit,
the establishing unit being configured to establish a control channel with the user terminal after the access unit has opened wireless network access and allowed the user terminal to access the network through the access device;
the receiving unit being further configured to receive an initial session key sent by the authenticating device;
the encrypting unit being configured to generate a current session key from the initial session key received by the receiving unit, and to encrypt the current session key with the initial session key to obtain a session ciphertext;
the transmitting unit being further configured to send the session ciphertext to the user terminal, so that the user terminal decrypts it to obtain the current session key;
the establishing unit being further configured to establish a session channel with the user terminal.
In the wireless network access control method and access device provided by the embodiments of the present invention, the access device receives an access request sent by a user terminal and instructs the user terminal to provide its own authentication information; it receives that authentication information and sends it to an authenticating device, which judges whether the information is correct. If the user terminal's authentication information is verified successfully, the access device either sets a split point for the user terminal so that it accesses the network through the split point, or allows the user terminal to access the network through the access device itself. At present the load and transmission cost of the core network are high, which seriously hinders the growth of wireless transmission rates. With the method of the invention, when at least two user terminals request network access through the same access device, a split point can be set for a user terminal so that it accesses the network through that split point; offloading in this way relieves the access load of the access device, raises the transmission efficiency of the wireless network and relieves its load.
Brief description of the drawings
To explain the embodiments of the present invention or the prior art more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without inventive effort.
Fig. 1 is an architecture diagram of the network access system provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of the wireless network access control method provided by Embodiment 1;
Fig. 3 is a diagram of split-point setting provided by Embodiment 1;
Fig. 4 is another flow diagram of the wireless network access control method provided by Embodiment 1;
Fig. 5 is a structural block diagram of the access device provided by Embodiment 2;
Fig. 6 is a structural block diagram of the access device provided by Embodiment 3.
Detailed description of the embodiments
The principle of the invention is as follows: during wireless network access, a user terminal that requests access to a given access device can be assigned to a split point of that access device, so that the user terminal accesses the network through the split point. This markedly improves offloading, raises the transmission efficiency of the wireless network and relieves its load.
As shown in Fig. 1, the network access system comprises a user terminal, an access device and an authenticating device. The network provides the medium for the communication links between the three and may consist of wired links, wireless links, optical fibre and so on.
The user terminal may be a mobile phone, a pad (tablet computer) or the like. When it needs to access the network it sends authentication information to the access device; the authentication information here may be the password or key required by the authentication protocol.
The access device is the equipment responsible for network access; it may be a service terminal of the local wireless network such as a switch or a router. Its main role is, during authentication, to receive the authentication information sent by the user terminal and to communicate with the authenticating device in a RADIUS (Remote Authentication Dial In User Service) message exchange that verifies the authentication information and completes user authentication. Once authentication passes, the user is allowed onto the Internet. The authenticating device may be a security certificate management server.
In wireless network access, an access device may receive access requests from multiple user terminals, all asking to reach the network through it. This places a heavy load on that access device and seriously hinders the growth of the wireless transmission rate.
Embodiment 1:
An embodiment of the present invention provides a wireless network access control method applied to the network access system. As shown in Fig. 2, the method comprises the following steps:
101. The access device receives an access request sent by the user terminal.
In a specific implementation, when the user terminal wants to access the network through the access device, it sends an access request to the access device, attempting to obtain the access device's ID information.
102. The access device sends a response message to the user terminal.
Specifically, the access device sends the response message to the user terminal according to the access request it received, and the response message instructs the user terminal to provide its own authentication information. For example, the access device obtains the identification information of the user terminal carried in the access request and sends the response message to the user terminal according to that identification information.
103. The access device receives the authentication information sent by the user terminal.
Specifically, the authentication information may be the ID information of the user terminal, which comprises the user name and password needed for network access and the user terminal's public key.
104. The access device sends the authentication information to the authenticating device.
Alternatively, the access device may encrypt the user terminal's authentication information and send the encrypted information to the authenticating device, which decrypts it to recover the user terminal's authentication information.
105. The authenticating device judges whether the authentication information is correct.
In particular, it first verifies whether the user name and password contained in the authentication information are correct. It then obtains the user terminal's public key from its local authentication certificate directory and judges whether that public key is identical to the user terminal's public key contained in the authentication information sent by the access device.
If the user name and password are correct and the locally obtained public key is identical to the public key in the authentication information sent by the access device, the authentication information is judged correct, that is, the user terminal has passed authentication.
If the user name or the password is wrong, or the locally obtained public key differs from the one in the authentication information sent by the access device, the authentication information is judged wrong, that is, the user terminal has failed verification.
If the authentication information is correct, proceed to step 106.
106. The authenticating device sends a verification-success message to the access device.
107. The access device receives the verification-success message sent by the authenticating device.
The verification-success message indicates that the user terminal's authentication information is correct.
108. If the access device receives at least two verification-success messages, it sets a split point for the user terminal.
The split point is set for the user terminal so that the user terminal accesses the network through the split point set for it by the access device. At least two verification-success messages indicate that at least two user terminals are requesting network access through this access device, that is, the access device's load is heavier, and offloading can relieve it.
The split point is an access device able to offload traffic from this access device. It may be a split point predetermined for the access device, or it may be determined dynamically after at least two verification-success messages have been received. The split point is reported to the access device by an access controller. Specifically, as shown in Fig. 3, the access controller provisions several split points for each access device in advance; each split point corresponds to one access device, and each split point has a different gateway address. When the access device needs to offload, the access controller takes the relevant information of the user terminal and of the access device into account, chooses a suitable split point among those provisioned for the access device according to a preset split algorithm, and sends the gateway address of the chosen split point to the access device.
The access device receives the gateway address of the split point sent by the access controller and sends that gateway address to the user terminal, so that the user terminal accesses the network through the split point.
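The decision of steps 105 to 108, together with the controller-side selection of Fig. 3, as an added worked example. This is editor-supplied Python, not code from the patent or from the assignee. The authenticating device checks the user name and password against a salted PBKDF2 hash and compares the presented public key with the enrolled one (the patent's directory comparison is an equality check only; proof of possession of the private key comes later, in the challenge-response of the preferred embodiment). The access device counts verification-success messages and, from the second one on, asks a hypothetical access controller for a split point and hands its gateway address to the terminal. The directory entries, the split-point table, the "least-loaded" split algorithm, the addresses and all names are constructed assumptions; the patent does not specify the split algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the authenticating device never stores clear passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class AuthenticatingDevice:
    # username -> (salt, password hash, enrolled public key). Stands in for the
    # "local authentication certificate directory" of step 105 (constructed data).
    directory: dict

    def verify(self, auth_info: dict) -> bool:
        rec = self.directory.get(auth_info["username"])
        if rec is None:
            return False
        salt, stored, enrolled_pubkey = rec
        pw_ok = hmac.compare_digest(pw_hash(auth_info["password"], salt), stored)
        key_ok = hmac.compare_digest(auth_info["public_key"], enrolled_pubkey)
        return pw_ok and key_ok  # both must hold, as in step 105


@dataclass
class AccessController:
    # access device id -> split points pre-provisioned for it (Fig. 3), each with
    # its own gateway address and a load counter used by the split algorithm.
    split_points: dict

    def choose_split_point(self, access_device_id: str) -> str:
        # Assumed split algorithm: the least-loaded of the provisioned split points.
        candidates = self.split_points[access_device_id]
        chosen = min(candidates, key=lambda sp: sp["load"])
        chosen["load"] += 1
        return chosen["gateway"]


@dataclass
class AccessDevice:
    dev_id: str
    auth: AuthenticatingDevice
    controller: AccessController
    success_count: int = 0  # verification-success messages received (step 107)

    def handle_access(self, terminal_id: str, auth_info: dict) -> dict:
        # Steps 101-104 (request, response, credentials, forwarding) collapsed
        # into the verify call; a failure does not count towards offloading.
        if not self.auth.verify(auth_info):
            return {"terminal": terminal_id, "result": "rejected"}
        self.success_count += 1
        if self.success_count >= 2:  # step 108: at least two successes -> split point
            gw = self.controller.choose_split_point(self.dev_id)
            return {"terminal": terminal_id, "result": "split", "gateway": gw}
        return {"terminal": terminal_id, "result": "direct"}  # only one success


def demo() -> list:
    """Four constructed access attempts against one access device."""
    salt = b"constructed-salt"
    auth = AuthenticatingDevice({
        "alice": (salt, pw_hash("alice-pass", salt), b"PUBKEY-A"),
        "bob": (salt, pw_hash("bob-pass", salt), b"PUBKEY-B"),
        "carol": (salt, pw_hash("carol-pass", salt), b"PUBKEY-C"),
    })
    ctrl = AccessController({"AP-1": [
        {"id": "SP-1", "gateway": "10.0.1.1", "load": 3},
        {"id": "SP-2", "gateway": "10.0.2.1", "load": 1},
    ]})
    ap = AccessDevice("AP-1", auth, ctrl)
    return [
        ap.handle_access("T1", {"username": "alice", "password": "alice-pass", "public_key": b"PUBKEY-A"}),
        ap.handle_access("T2", {"username": "bob", "password": "wrong", "public_key": b"PUBKEY-B"}),
        ap.handle_access("T3", {"username": "carol", "password": "carol-pass", "public_key": b"PUBKEY-X"}),
        ap.handle_access("T4", {"username": "bob", "password": "bob-pass", "public_key": b"PUBKEY-B"}),
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The first verified terminal is admitted directly, the two failed attempts (wrong password, public key not matching the directory) are rejected without raising the success count, and the second verified terminal is handed the gateway of the less-loaded split point. Counting success messages is the patent's own threshold; a real controller would feed the split algorithm an actual load measure rather than a counter.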
In a preferred embodiment of the invention, the verification-success message is the response message that the user terminal generates from the challenge message of the authenticating device.
The access device receiving the verification-success message sent by the authenticating device and allowing the user terminal to access the network through the access device specifically comprises the following. The authenticating device encrypts a challenge message with the user terminal's public key to obtain an encrypted challenge message and sends it to the access device. Here the challenge message asks the user terminal for the password of its private key, the password that protects access to the private key.
The access device receives the encrypted challenge message sent by the authenticating device and forwards it to the user terminal.
The user terminal receives the encrypted challenge message and decrypts it with its own private key to obtain the challenge message. It generates a response message from the challenge message and sends the response message to the authenticating device. Here the response message carries the private-key password entered on the user terminal. In a specific implementation, if the user terminal can successfully decrypt the received encrypted challenge message with its own private key, this shows that its authentication information is correct and that it may access the network; the private-key password is then carried in the response message sent to the authenticating device.
The authenticating device receives the response message sent by the user terminal and forwards it to the access device.
In addition, if the access device receives only one verification-success message, it allows the user terminal to access the network through the access device; that is, the access load of the access device is light and no offloading is needed.
It should be noted that, for a user terminal that has been verified successfully (that is, the authentication information it provided is correct), whether it is allowed to access the network through this access device (the one that received its access request) or through a split point of this access device is decided according to the access device's current load. When access requests from two or more user terminals have been received, the load of the access device is relieved by setting a split point.
If the access device receives only one verification-success message and allows the user terminal to access the network through it, the access device can continue to interact with the user terminal and the authenticating device, establishing a control channel, arranging keys and so on, so that network access is defined by a series of verification steps; this improves the reliability and security of device network access. Specifically, as shown in Fig. 4, the wireless network access method provided by the invention comprises:
201. The access device receives an access request sent by the user terminal.
202. The access device sends a response message to the user terminal.
203. The access device receives the authentication information sent by the user terminal.
204. The access device sends the authentication information to the authenticating device.
205. The authenticating device judges whether the authentication information is correct.
If the authentication information is correct, proceed to step 206.
206. The authenticating device encrypts a challenge message with the user terminal's public key to obtain an encrypted challenge message.
207. The authenticating device sends the encrypted challenge message to the access device.
208. The access device receives the encrypted challenge message sent by the authenticating device and forwards it to the user terminal.
209. The user terminal receives the encrypted challenge message, decrypts it with its own private key to obtain the challenge message, and generates a response message from the challenge message.
210. The user terminal sends the response message to the authenticating device.
211. The authenticating device receives the response message sent by the user terminal and forwards it to the access device.
212. The access device receives the response message and opens wireless network access, allowing the user terminal to access the network.
213. The access device establishes a control channel with the user terminal.
In particular, the user terminal and the access gateway of the access device shake hands to establish the control channel. During this handshake the two communicating parties (the user terminal and the access device) exchange the protocol version and the type of encryption algorithm; if the control channel is established successfully, authentication parameters are then exchanged over it. If establishing the control channel fails, a handshake-failure error is returned and the user terminal reconnects or exits. Afterwards the session key used for data encryption is exchanged over the control channel and the data channel is established.
214. The authenticating device sends the session key to the access device and to the user terminal respectively.
215. The access device generates a current session key and encrypts it with the session key to produce the session ciphertext.
216. The access device sends the session ciphertext to the user terminal.
217. The user terminal receives the session ciphertext and decrypts it to obtain the current session key.
In particular, the user terminal decrypts the session ciphertext with the session key received in step 214 to obtain the current session key.
218. The access device establishes a session channel with the user terminal.
The session channel may be a data channel. Because the user terminal and the access device hold the same session key (the current session key), a session channel can be established between them.
It should be noted that if the user terminal is to access the network through the access device, the network is opened to it once the response message has been received. If it is to access through a split point, then in step 212 above the access device only receives the response message; it does not open wireless network access or admit the user terminal, and steps 213 to 218 are not carried out. Instead, the user terminal restarts the access request procedure and sends an access request to the access device corresponding to the split point in order to access the network. That access procedure may be identical to steps 201 to 218, with the access device replaced by the access device corresponding to the split point; it is not repeated here.
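Steps 206 to 218, and the preferred embodiment described before Fig. 4, as one added end-to-end example. This is editor-supplied Python, not code from the patent. It uses a toy, unpadded textbook RSA on two Mersenne primes so that it runs on the standard library alone; a real deployment would use a vetted library with OAEP padding. Two deliberate substitutions are marked in the comments: the terminal answers with a keyed digest of the decrypted challenge rather than with the private-key password the text describes, so no secret leaves the terminal, and the authenticating device checks the response itself, with the result standing in for the forwarded response of steps 211 and 212. The key wrap of steps 215 to 217 is an encrypt-then-MAC construction over an HMAC-SHA256 keystream, an assumption since the patent names no cipher. The example also exercises two failure modes a practitioner would check: a replayed response against an already-consumed challenge is rejected, and a tampered session ciphertext is rejected before anything is decrypted.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA on two Mersenne primes (constructed; far too small and
# unpadded for real use). It stands in for the terminal's key pair so the
# exchange runs on the standard library. Needs Python 3.8+ for pow(e, -1, m).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
CHAL_LEN = 16  # a 16-byte challenge is always numerically smaller than N


def rsa_encrypt(pub_n: int, m: bytes) -> int:
    return pow(int.from_bytes(m, "big"), E, pub_n)


def rsa_decrypt(priv_d: int, c: int) -> bytes:
    return pow(c, priv_d, N).to_bytes(CHAL_LEN, "big")


def response_for(challenge: bytes) -> bytes:
    # Assumed response format: a keyed digest of the decrypted challenge. The
    # patent text carries the private-key password instead; the digest proves
    # the same possession of the private key without disclosing any secret.
    return hmac.new(challenge, b"wireless-access-response", hashlib.sha256).digest()


class AuthenticatingDevice:
    def __init__(self):
        self.pending = {}  # terminal id -> outstanding challenge (single use)

    def issue_challenge(self, terminal_id: str, pub_n: int) -> int:
        chal = secrets.token_bytes(CHAL_LEN)
        self.pending[terminal_id] = chal
        return rsa_encrypt(pub_n, chal)  # step 206

    def check_response(self, terminal_id: str, resp: bytes) -> bool:
        chal = self.pending.pop(terminal_id, None)  # consumed: a replay finds nothing
        return chal is not None and hmac.compare_digest(response_for(chal), resp)


class UserTerminal:
    pub_n, priv_d = N, D

    def answer(self, enc_chal: int) -> bytes:
        return response_for(rsa_decrypt(self.priv_d, enc_chal))  # step 209


def negotiate(versions_a, versions_b, ciphers_a, ciphers_b):
    """Step 213 handshake: highest common protocol version and the first common
    cipher in the terminal's preference order; None means handshake failure."""
    common_v = sorted(set(versions_a) & set(versions_b))  # string order suffices here
    common_c = [c for c in ciphers_a if c in ciphers_b]
    return (common_v[-1], common_c[0]) if common_v and common_c else None


def wrap_key(initial_key: bytes, session_key: bytes) -> bytes:
    """Steps 215-216: session ciphertext = nonce || E(initial_key, session_key) || tag.
    Encrypt-then-MAC over an HMAC-SHA256 keystream (assumed construction)."""
    nonce = secrets.token_bytes(16)
    ks = hmac.new(initial_key, b"wrap" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(session_key, ks))
    tag = hmac.new(initial_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(initial_key: bytes, blob: bytes) -> bytes:
    """Step 217: check the tag before decrypting anything."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(initial_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("session ciphertext tampered")
    ks = hmac.new(initial_key, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))


def run_access(tamper: bool = False) -> dict:
    """Steps 206-218 end to end; the access device's forwarding in steps
    207, 208 and 211 is collapsed into direct calls."""
    auth, term = AuthenticatingDevice(), UserTerminal()
    enc = auth.issue_challenge("T1", term.pub_n)
    resp = term.answer(enc)
    out = {"granted": auth.check_response("T1", resp)}        # stands in for 211-212
    out["replay_accepted"] = auth.check_response("T1", resp)  # same response again
    if not out["granted"]:
        return out
    out["channel"] = negotiate(["1.0", "1.1"], ["1.1", "1.2"],
                               ["aes-gcm", "chacha20"], ["chacha20", "aes-gcm"])
    initial_key = secrets.token_bytes(32)  # 214: delivered by the authenticating device
    current_key = secrets.token_bytes(32)  # 215: generated by the access device
    blob = wrap_key(initial_key, current_key)
    if tamper:  # flip one ciphertext bit in transit
        blob = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    try:
        out["keys_match"] = unwrap_key(initial_key, blob) == current_key  # 217-218
    except ValueError:
        out["keys_match"] = False
    return out


if __name__ == "__main__":
    print(run_access())
    print(run_access(tamper=True))
```

The challenge is deleted as soon as it is checked, which is what makes the second `check_response` call with the same response fail; the patent does not say whether challenges are single-use, so this is the editor's hardening, not the claimed method. The wrap verifies the tag before touching the ciphertext, so a modified session ciphertext never yields a key that the two sides disagree on.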
In the wireless network access control method provided by the embodiments of the present invention, the access device receives an access request sent by a user terminal and instructs the user terminal to provide its own authentication information; it receives that authentication information and sends it to an authenticating device, which judges whether the information is correct. If the user terminal's authentication information is verified successfully, the access device either sets a split point for the user terminal so that it accesses the network through the split point, or allows the user terminal to access the network through the access device itself. At present the load and transmission cost of the core network are high, which seriously hinders the growth of wireless transmission rates. The method of the invention markedly improves offloading, raises the transmission efficiency of the wireless network and relieves its load.
Embodiment 2:
This embodiment of the invention provides an access device. As shown in Figure 5, the access device comprises a receiving unit 301, a transmitting unit 302 and a setting unit 303.
The receiving unit 301 is configured to receive the access request sent by the user terminal.
The transmitting unit 302 is configured to send a response message to the user terminal according to the access request received by the receiving unit 301; the response message instructs the user terminal to provide its authentication information.
The receiving unit 301 is further configured to receive the authentication information sent by the user terminal.
The transmitting unit 302 is configured to send the authentication information to the authenticating device, so that the authenticating device determines whether the authentication information is correct.
The receiving unit 301 is further configured to receive the verification-success message sent by the authenticating device; the verification-success message indicates that the authentication information of the user terminal is correct.
The setting unit 303 is configured to set a split point for the user terminal if the receiving unit receives at least two verification-success messages, so that the user terminal accesses the network through the split point that the access device sets for it. The split point is an access device that can offload traffic from this access device, and the at least two verification-success messages indicate that at least two user terminals are requesting access to the network through this access device.
The setting unit 303 is specifically configured to obtain the gateway address of the user terminal and to set a split point for the user terminal according to that gateway address.
The transmitting unit 302 is further configured to send the gateway address of the split point set for the user terminal to the user terminal, so that the user terminal accesses the network through the split point.
It should be noted that the authentication information comprises a user name, an access password and the public key of the user terminal.
The verification-success message is the response message that the user terminal generates according to the challenge message of the authenticating device.
The receiving unit is further configured to receive the encrypted challenge message sent by the authenticating device; the encrypted challenge message is obtained by the authenticating device encrypting a challenge message with the public key of the user terminal.
The transmitting unit is further configured to forward the encrypted challenge message to the user terminal.
The receiving unit is further configured to receive the response message from the user terminal that the authenticating device forwards; the response message is generated by the user terminal according to the challenge message after the user terminal decrypts the encrypted challenge message with its own private key to obtain the challenge message.
The access device further comprises an access unit.
The access unit is configured to open wireless network access authority and allow the user terminal to access the network through the access device if the receiving unit receives only one verification-success message.
The access device further comprises an establishing unit and an encrypting unit.
The establishing unit is configured to establish a control channel between the access device and the user terminal.
The receiving unit 301 is further configured to receive the initial session key sent by the authenticating device after the access unit has opened wireless network access authority and allowed the user terminal to access the network through the access device.
The encrypting unit is configured to generate a current session key according to the initial session key received by the receiving unit, and to encrypt the current session key with the initial session key to obtain a session ciphertext.
The transmitting unit 302 is further configured to send the session ciphertext to the user terminal, so that the user terminal decrypts the session ciphertext to obtain the current session key.
The establishing unit is further configured to establish a session channel between the access device and the user terminal.
It should be noted that the receiving unit in this embodiment may be the receiver of the access device and the transmitting unit may be its transmitter; the receiving unit and the transmitting unit may also be integrated to form the transceiver of the access device. The setting unit and the access unit may be separately provided processors, or may be implemented in one of the processors of the access device; they may also be stored as program code in the memory of the client terminal and called and executed by a processor of the client terminal to perform the function of the encrypting unit described above. The processor referred to here may be a central processing unit (CPU) or an application-specific integrated circuit (ASIC).
The access device provided by this embodiment of the invention receives the access request sent by the user terminal and instructs the user terminal to provide its authentication information; it then receives the authentication information sent by the user terminal and sends it to the authenticating device, so that the authenticating device determines whether the authentication information is correct. If the user terminal's authentication information is verified successfully, the access device either sets a split point for the user terminal so that the user terminal accesses the network through the split point, or allows the user terminal to access the network through the access device itself. At present the load and transmission cost of the core network are high, which seriously hinders the development of wireless networks and the improvement of their transmission rate. The access device provided by the invention can significantly improve traffic offloading (splitting), improve the transmission efficiency of the wireless network and reduce its load.
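As an added illustration (not code from the patent or its assignee), the following Python models the two decisions the access device makes in Embodiments 1 and 2: whether to admit a verified terminal itself or hand it a split point chosen from its gateway address, and how the current session key is wrapped under the initial session key before it is sent to the terminal, which then only establishes the session channel once both ends hold the same key. The split-point table, the address values and the HMAC-based key-wrap construction are assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed provisioning table (assumed, not from the patent): gateway
# address of a user terminal -> gateway address of the split point that can
# offload traffic for terminals behind that gateway.
SPLIT_POINT_TABLE: Dict[str, str] = {
    "10.0.1.1": "10.0.1.254",
    "10.0.2.1": "10.0.2.254",
}


@dataclass
class AccessDevice:
    """Minimal model of the setting unit / access unit decision of Embodiment 2."""
    split_points: Dict[str, str]
    verified: List[str] = field(default_factory=list)  # terminals with a verify-success in hand

    def on_verify_success(self, terminal_id: str, gateway_addr: str) -> Tuple[str, Optional[str]]:
        """Handle one verification-success message for terminal_id.

        With a single verified terminal the access device opens wireless
        access itself ("admit").  Once at least two verification-success
        messages are in hand, i.e. two or more terminals want to attach
        through this device, the newest terminal is given a split point
        chosen by its gateway address ("split") and must rerun the access
        request against that split point (Embodiment 1, steps 201-218).
        """
        self.verified.append(terminal_id)
        if len(self.verified) >= 2:
            split_gw = self.split_points.get(gateway_addr)
            if split_gw is None:
                raise LookupError(f"no split point provisioned for gateway {gateway_addr}")
            self.verified.remove(terminal_id)  # it re-authenticates at the split point
            return ("split", split_gw)
        return ("admit", None)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_session_key(initial_key: bytes, current_key: bytes,
                     nonce: Optional[bytes] = None) -> bytes:
    """Access device side: encrypt the freshly generated current session key
    under the initial session key handed down by the authenticating device.
    The patent names no cipher, so this uses an HMAC-derived keystream plus an
    encrypt-then-MAC tag; the layout is nonce(16) || body || tag(32)."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(current_key, _keystream(initial_key, nonce, len(current_key))))
    tag = hmac.new(initial_key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap_session_key(initial_key: bytes, session_ciphertext: bytes) -> bytes:
    """User terminal side: check the tag first, then recover the current
    session key; a tampered ciphertext is rejected instead of yielding a
    wrong key, so the session channel is only set up when both ends agree."""
    if len(session_ciphertext) < 16 + 32:
        raise ValueError("session ciphertext too short")
    nonce, body, tag = session_ciphertext[:16], session_ciphertext[16:-32], session_ciphertext[-32:]
    expected = hmac.new(initial_key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(body, _keystream(initial_key, nonce, len(body))))


def session_channel_ready(device_key: bytes, terminal_key: bytes) -> bool:
    """Embodiment 1: a session channel is usable only when both sides hold
    the same current session key."""
    return hmac.compare_digest(device_key, terminal_key)


if __name__ == "__main__":
    dev = AccessDevice(SPLIT_POINT_TABLE)
    print(dev.on_verify_success("ue-1", "10.0.1.1"))   # ('admit', None)
    print(dev.on_verify_success("ue-2", "10.0.2.1"))   # ('split', '10.0.2.254')
    k_init = secrets.token_bytes(32)                   # from the authenticating device
    k_cur = secrets.token_bytes(32)                    # generated by the access device
    ct = wrap_session_key(k_init, k_cur)
    print(session_channel_ready(k_cur, unwrap_session_key(k_init, ct)))  # True
```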
Embodiment 3:
This embodiment of the invention provides an access device. As shown in Figure 6, the access device comprises a processor 401, a system bus 402, a transceiver 403 and a memory 404.
The processor 401 may be a central processing unit (CPU).
The memory 404 is configured to store program code and to transfer the program code to the processor 401, which executes the following instructions according to the program code. The memory 404 may comprise volatile memory, such as random-access memory (RAM); it may also comprise non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD). The memory 404 may also comprise a combination of the above kinds of memory. The processor 401, the memory 404 and the transceiver 403 are connected by the system bus 402 and communicate with one another over it.
The transceiver 403 may be implemented by an optical transceiver, an electrical transceiver, a wireless transceiver or any combination of these. For example, the optical transceiver may be a small form-factor pluggable (SFP) transceiver, an enhanced small form-factor pluggable (SFP+) transceiver or a 10 Gigabit small form-factor pluggable (XFP) transceiver. The electrical transceiver may be an Ethernet network interface controller (NIC). The wireless transceiver may be a wireless network interface controller (WNIC).
The transceiver 403 is configured to receive the access request sent by the user terminal, and to send a response message to the user terminal according to the received access request; the response message instructs the user terminal to provide its authentication information.
The transceiver 403 is further configured to receive the authentication information sent by the user terminal;
The transceiver 403 is configured to send the authentication information to the authenticating device, so that the authenticating device determines whether the authentication information is correct.
The processor 401 is configured to set a split point for the user terminal if the verification-success message sent by the authenticating device is received, so that the user terminal accesses the network through the split point; the verification-success message indicates that the authentication information of the user terminal is correct, and the split point is a predetermined access device that can offload traffic from this access device.
Alternatively, if the verification-success message sent by the authenticating device is received, the processor 401 allows the user terminal to access the network through the access device.
The processor 401 is specifically configured to obtain the gateway address of the split point.
The processor 401 is further configured to send the gateway address of the split point to the user terminal, so that the user terminal accesses the network through the split point.
It should be noted that the authentication information comprises a user name, an access password and the public key of the user terminal.
The verification-success message is the response message that the user terminal generates according to the challenge message of the authenticating device.
The processor 401 is specifically configured to: receive the encrypted challenge message sent by the authenticating device, the encrypted challenge message being obtained by the authenticating device encrypting a challenge message with the public key of the user terminal; forward the encrypted challenge message to the user terminal; receive the response message from the user terminal that the authenticating device forwards; and open wireless network access authority to allow the user terminal to access the network. The response message is generated by the user terminal according to the challenge message after the user terminal decrypts the encrypted challenge message with its own private key to obtain the challenge message.
The processor 401 is further configured to receive the initial session key sent by the authenticating device.
The encrypting unit is configured to generate a current session key according to the initial session key received by the receiving unit, and to encrypt the current session key with the initial session key to obtain a session ciphertext.
The transceiver 403 is further configured to send the session ciphertext to the user terminal, so that the user terminal decrypts the session ciphertext to obtain the current session key.
The processor 401 is further configured to establish a session channel between the access device and the user terminal.
The access device provided by this embodiment of the invention receives the access request sent by the user terminal and instructs the user terminal to provide its authentication information; it then receives the authentication information sent by the user terminal and sends it to the authenticating device, so that the authenticating device determines whether the authentication information is correct. If the user terminal's authentication information is verified successfully, the access device either sets a split point for the user terminal so that the user terminal accesses the network through the split point, or allows the user terminal to access the network through the access device itself. At present the load and transmission cost of the core network are high, which seriously hinders the development of wireless networks and the improvement of their transmission rate. The access device provided by the invention can significantly improve traffic offloading (splitting), improve the transmission efficiency of the wireless network and reduce its load.

Claims (12)

1. A wireless network access control method, characterized in that it comprises:
receiving, by an access device, an access request sent by a user terminal, and sending a response message to the user terminal according to the access request, the response message instructing the user terminal to provide its authentication information;
receiving, by the access device, the authentication information sent by the user terminal, and sending the authentication information to an authenticating device, so that the authenticating device determines whether the authentication information is correct;
receiving, by the access device, a verification-success message sent by the authenticating device, the verification-success message indicating that the authentication information of the user terminal is correct;
if the access device receives at least two of the verification-success messages, setting a split point for the user terminal, so that the user terminal accesses the network through the split point that the access device sets for it; wherein the split point is an access device that can offload traffic from the access device, and the at least two verification-success messages indicate that at least two user terminals are requesting access to the network through the access device.
2. The method according to claim 1, characterized in that setting the split point for the user terminal so that the user terminal accesses the network through the split point specifically comprises:
obtaining, by the access device, the gateway address of the user terminal;
setting, by the access device, the split point for the user terminal according to the gateway address of the user terminal;
sending, by the access device, the gateway address of the split point set for the user terminal to the user terminal, so that the user terminal accesses the network through the split point.
3. The method according to claim 1, characterized in that the authentication information comprises a user name, an access password and a public key of the user terminal.
4. The method according to claim 3, characterized in that the verification-success message is a response message generated by the user terminal according to a challenge message of the authenticating device;
and in that, before the access device receives the verification-success message sent by the authenticating device, the method further comprises:
receiving, by the access device, an encrypted challenge message sent by the authenticating device, the encrypted challenge message being obtained by the authenticating device encrypting the challenge message with the public key of the user terminal;
forwarding, by the access device, the encrypted challenge message to the user terminal;
receiving, by the access device, the response message from the user terminal that the authenticating device forwards, the response message being generated by the user terminal according to the challenge message after the user terminal decrypts the encrypted challenge message with its own private key to obtain the challenge message.
5. The method according to claim 1, characterized in that, if the access device receives only one of the verification-success messages, the access device opens wireless network access authority and allows the user terminal to access the network through the access device.
6. The method according to claim 5, characterized in that, after the access device opens wireless network access authority and allows the user terminal to access the network through the access device, the method further comprises:
establishing, by the access device, a control channel between the access device and the user terminal;
receiving, by the access device, an initial session key sent by the authenticating device;
generating, by the access device, a current session key according to the initial session key, and encrypting the current session key with the initial session key to obtain a session ciphertext;
sending, by the access device, the session ciphertext to the user terminal, so that the user terminal decrypts the session ciphertext to obtain the current session key;
establishing, by the access device, a session channel between the access device and the user terminal.
7. An access device, characterized in that it comprises:
a receiving unit, configured to receive an access request sent by a user terminal;
a transmitting unit, configured to send a response message to the user terminal according to the access request received by the receiving unit, the response message instructing the user terminal to provide its authentication information;
the receiving unit being further configured to receive the authentication information sent by the user terminal;
the transmitting unit being configured to send the authentication information to an authenticating device, so that the authenticating device determines whether the authentication information is correct;
the receiving unit being further configured to receive a verification-success message sent by the authenticating device, the verification-success message indicating that the authentication information of the user terminal is correct;
a setting unit, configured to set a split point for the user terminal if the receiving unit receives at least two of the verification-success messages, so that the user terminal accesses the network through the split point that the access device sets for it; wherein the split point is an access device that can offload traffic from the access device, and the at least two verification-success messages indicate that at least two user terminals are requesting access to the network through the access device.
8. The access device according to claim 7, characterized in that
the setting unit is specifically configured to obtain the gateway address of the user terminal and to set the split point for the user terminal according to the gateway address of the user terminal;
the transmitting unit is further configured to send the gateway address of the split point set for the user terminal to the user terminal, so that the user terminal accesses the network through the split point.
9. The access device according to claim 7, characterized in that the authentication information comprises a user name, an access password and a public key of the user terminal.
10. The access device according to claim 9, characterized in that the verification-success message is a response message generated by the user terminal according to a challenge message of the authenticating device,
the receiving unit being further configured to receive an encrypted challenge message sent by the authenticating device, the encrypted challenge message being obtained by the authenticating device encrypting the challenge message with the public key of the user terminal;
the transmitting unit being further configured to forward the encrypted challenge message to the user terminal;
the receiving unit being further configured to receive the response message from the user terminal that the authenticating device forwards, the response message being generated by the user terminal according to the challenge message after the user terminal decrypts the encrypted challenge message with its own private key to obtain the challenge message.
11. The access device according to claim 7, characterized in that it further comprises an access unit,
the access unit being configured to open wireless network access authority and allow the user terminal to access the network through the access device if the receiving unit receives only one of the verification-success messages.
12. The access device according to claim 11, characterized in that it further comprises an establishing unit and an encrypting unit,
the establishing unit being configured to establish a control channel between the access device and the user terminal after the access unit opens wireless network access authority and allows the user terminal to access the network through the access device;
the receiving unit being further configured to receive an initial session key sent by the authenticating device;
the encrypting unit being configured to generate a current session key according to the initial session key received by the receiving unit, and to encrypt the current session key with the initial session key to obtain a session ciphertext;
the transmitting unit being further configured to send the session ciphertext to the user terminal, so that the user terminal decrypts the session ciphertext to obtain the current session key;
the establishing unit being further configured to establish a session channel between the access device and the user terminal.
CN201610078502.5A 2016-02-04 2016-02-04 A kind of wireless network access controlling method and access device Active CN105530687B (en)


Publications (2)

Publication Number Publication Date
CN105530687A true CN105530687A (en) 2016-04-27
CN105530687B CN105530687B (en) 2019-04-26
