CN106162639A - SDN wireless network management platform based on Floodlight and authentication method - Google Patents

Info

Publication number: CN106162639A
Application number: CN201610457253.0A
Authority: CN (China)
Other versions: CN106162639B (granted publication)
Legal status: Granted; Active
Prior art keywords: user, network, management, data, controller
Inventors: 陈昕, 路兆铭, 温向明, 张彪, 雷涛, 王鲁晗
Original assignee: Beijing University of Posts and Telecommunications
Current assignee: Beijing University of Posts and Telecommunications
Other languages: Chinese (zh)

Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 24/00 Supervisory, monitoring or testing arrangements
    • H04W 24/02 Arrangements for optimising operational condition

Abstract

The invention is a Floodlight-based SDN wireless network management platform and authentication method, belonging to the field of wireless network management. The wireless network management platform of the invention is implemented on an Apache server and comprises a system management module, a topology management module, a configuration management module, a user management module, an AP management module and a data statistics module. A thread that periodically monitors changes in user information is added to the controller. The AP management module acts as a wireless AP and at the same time implements the functions of an OpenFlow switch. The data statistics module periodically acquires network data and predicts the network state from a data analysis model. User information that is added or modified is synchronized between distributed databases so that users remain consistent across the whole network. The invention can handle frequent user changes in real time, meets the management needs of a wireless network, adds data storage and feedback capability to the SDN controller, and unifies network user authentication.

Description

Floodlight-based SDN wireless network management platform and authentication method

Technical field

The invention belongs to the field of wireless network management and relates to SDN-based network management, specifically to a network management and user authentication method for a centralized WLAN system built on an SDN controller.

Background

Because it is inexpensive and efficient, wireless local area network technology is used ever more widely, and the 802.11-based wireless access point (AP) has become an indispensable component of today's wireless communication networks. The rapid growth of wireless traffic and rising user demands have led many enterprises and venues to deploy their own WLANs; a single access point has long been unable to cover medium and large scenarios, and WLANs built on the 802.11 protocol family, being easy to deploy and cost-effective, are now the preferred option for most customers. Most WLAN architectures in use today are distributed, autonomously managed architectures, that is, fat-AP architectures. The AP directly controls the access and authentication of WLAN users and can perform user data encryption, user authentication, QoS and similar functions. Because each AP is an independent node with its own configuration, channel and power, installation is very simple.
However, limited spectrum, the MAC contention mechanism and the rapid growth in the number of access points mean that distributed APs interfere with each other severely and are hard to manage. Many enterprise WLAN systems have therefore adopted a thin-AP architecture based on Access Control (AC): wireless access functions are shared between AP and AC, with the AC providing advanced network functions such as QoS, mobility management, resource allocation and load balancing while the AP concentrates on the radio. AC and AP communicate over the international standard CAPWAP and LWAPP protocols. This centrally managed thin-AP structure offers unified authentication and security settings, efficient network management, and user handover and roaming within an area, and suits larger deployments. However, these thin-AP solutions are usually closed-source, proprietary, expensive and largely implemented in hardware, which limits the flexibility and scalability of the whole network.

An enterprise SDN-WLAN system based on the Floodlight controller is one effective way to change this situation. Software Defined Networking (SDN) is a new network architecture and one way of realizing network virtualization. Its core technology, OpenFlow, separates the control plane of network devices from the data plane, allowing flexible control of traffic and making the network a smarter pipe. In general an SDN network has three layers: the data layer, the control layer and the application layer. Devices in the data layer are responsible only for forwarding and can be built from commodity hardware that concentrates on forwarding performance; the operating system that used to handle control is distilled into an independent network operating system that forms the control layer and adapts the network to the characteristics of different services, and the communication between the network operating system, the services and the hardware is all programmable. Floodlight is a modular OpenFlow controller written in Java: the modules loaded when Floodlight starts can be chosen, and modules implementing your own functions can be added.
The application layer at the top collects the underlying resources and information gathered by the control layer and performs global, high-level control, management and optimization of the network, realizing demand-driven network applications. Networking built on commodity hardware and programmable software in this way is more scalable, cheaper to build, easier to upgrade and more flexible to manage.

In a WLAN based on software-defined networking the AP is only a unit for radio reception and data forwarding and has no network intelligence; upper-layer functions, including user access, security authentication, forwarding paths, mobility management and power control, must be implemented by the controller. The controller itself only provides a resource-abstraction layer similar to an operating system; more advanced wireless network management is implemented by software written in the application layer. The present invention implements network management and user authentication and access on the basis of the Floodlight controller. References [1][2][3] have already proposed specific SDN-based WLAN network designs. The whole WLAN is under the unified management of the controller, and the network manager can change the management scheme dynamically to follow changes in the network state. Because large-scale WLAN systems place stricter requirements on access management, a platform under unified management can conveniently provide more varied management services and multi-level privilege management.
This greatly reduces the losses the network suffers from misconfiguration and operator error. The focus of those designs, however, is on implementing SDN in a wireless system to centralize control and simplify the access side; they do not actually implement a system for managing the wireless network. At the same time, in simplifying the access side they ignore many management functions the AP itself already offers, wasting the AP's inherent management capability. SDN was conceived for traditional wired networks that change little, whereas in a wireless network users join and leave randomly and frequently. Although an SDN network can use load balancing and traffic management to cope well with fluctuations in traffic, its management of changes in the user population itself nearly fails. In references [1][2] the controller even has to be restarted to read changes to the user list, and each restart takes several seconds, which is unacceptable both for the WLAN's QoS and for the user experience. In addition, current SDN controllers mainly fetch data in real time, and requests for data often cause a sharp rise in controller overhead; network performance then degrades noticeably, seen as longer response times, more transmission jitter and fluctuating server CPU and memory usage. The resulting network stability problem also urgently needs solving.

The references are as follows:

[1] Vestin J, Dely P, Kassler A, et al. CloudMAC: towards software defined WLANs[J]. ACM SIGMOBILE Mobile Computing & Communications Review, 2013, 16(4): 42-45.

[2] Suresh L, Schulz-Zander J, Merz R, et al. Towards programmable enterprise WLANs with Odin[C]//Proceedings of the first workshop on Hot topics in software defined networks. ACM, 2012: 115-120.

[3] Lei T, Lu Z, Wen X, et al. SWAN: An SDN based campus WLAN framework[C]//Wireless Communications, Vehicular Technology, Information Theory and Aerospace & Electronic Systems (VITAE), 2014 4th International Conference on. IEEE, 2014: 1-5.

Summary of the invention

In view of the lack of effective management measures in SDN-based wireless networks, the present invention proposes a Floodlight-based SDN wireless network management platform and authentication method. It changes the management architecture of the SDN controller on the wireless side: using the REST API, the control functions of Floodlight are improved and the REST API is extended to the AP side; the controller's statistics are stored with database technology, which lowers controller load and allows the data to be analyzed and used for prediction; and a user-management thread is added so that user management and authentication can be performed in real time.

The invention provides a Floodlight-based SDN wireless network management platform implemented on an Apache server; the SDN controller in the network it applies to is Floodlight. The controller's programming interfaces comprise a Java interface and a REST API. The management platform comprises a system management module, a topology management module, a configuration management module, a user management module, an AP management module and a data statistics module.

The system management module obtains information about the Apache server and the Floodlight controller itself.

The topology management module draws the logical topology of the network from the connections between switches and the attachment of users, and draws the physical topology from the positions at which the APs are placed.

The configuration management module covers two kinds of configuration management: first, SDN configuration management, which includes configuring the controller through the REST API and configuring applications through the Java interface; second, AP configuration management, which uses the URIs (Uniform Resource Identifiers) provided by OpenWRT to emulate a REST flow so that APs are managed in a unified way.

The user management module adds to the controller a thread that periodically monitors changes in user information. User information is configured through the management platform's web UI (user interface), and changes to it are propagated through database triggers. User information is stored in a distributed database; when the database of one SDN controller in the network changes, synchronization of the databases of the SDN controllers in the network is triggered, keeping user information consistent across the whole network.

The AP management module manages wireless switch data and performs two functions. First, as a wireless AP: all AP operating instructions are stored on the management platform, and the platform invokes the AP's wireless management functions through unified remote operations. Second, as a data-plane switch in the network: using Floodlight's switch-control capability it implements flow-table configuration and firewall settings, that is, the functions of a generic OpenFlow switch.

The data statistics module periodically obtains the number of users, switch load and user usage data, stores each separately and updates the statistics; the stored data can be kept on each controller or centrally in a data center. Using the data analysis model it builds, the module predicts the state of the network from the data obtained and feeds back the network parameters for the next period to the configuration management module.

The invention also proposes a user authentication method based on the management platform. The method comprises:

Step 1: the administrator adds or modifies user information on one SDN controller in the network through the web UI, which connects to the database through a PHP interface;

Step 2: the database checks the validity of the user information added or modified by the administrator, rejects invalid modifications and applies valid modification requests;

Step 3: the distributed databases synchronize the added or modified user information with each other to keep user information consistent across the whole network; while synchronization is incomplete, an authentication request that arrives for that user is treated as an authentication failure;

Step 4: the AP receives the user's authentication request and passes it up to the Floodlight controller, which converts the user's authentication packet into an authentication event and activates the user management thread;

Step 5: using the MAC address or another unified identifier of the user being authenticated, the controller queries the database for the user's information. A user with no user information is not admitted to the network. If user information exists but the user attributes or user privileges are abnormal, the association proceeds, access rights after admission are restricted, and an abnormality notice is raised. If user information exists and both attributes and privileges are normal, association and authentication proceed, MAC-layer access is completed, and the corresponding flow table is pushed to the AP;

Step 6: after the user's state changes, the controller modifies the user information in the corresponding database, and the user management module picks up that user information;

Step 7: the distributed databases synchronize user information with each other, keeping it consistent across the whole network so that a user switching between different APs or controllers is neither re-authenticated nor disconnected; this completes the user authentication process.
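The seven steps above are a decision procedure, and the security-relevant branches (a user whose record has not yet synchronized to the receiving controller is failed; an unknown user is denied; an abnormal record is admitted with restricted rights; a synchronized "online" record lets a second controller skip re-authentication) are easiest to check in code. The following is an added simulation written for this page, not the patent's implementation: the cluster, the role set, the `pending`/`unsynced` bookkeeping and the shape of the flow entry (modelled on a Floodlight Static Flow Pusher rule) are all assumptions.

```python
"""Constructed simulation of the seven-step authentication flow; not the patent's code."""
import re
from dataclasses import dataclass, replace

ROLES = {"staff", "guest"}                       # hypothetical role set
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

DENY, RESTRICTED, ADMIT, SYNC_PENDING = "deny", "restricted", "admit", "sync_pending"


@dataclass(frozen=True)
class UserRecord:
    mac: str                 # unified identifier used for the lookup in step 5
    role: str
    enabled: bool = True     # False models an "abnormal" privilege state
    status: str = "offline"  # rewritten by the controller in step 6


class ControllerNode:
    """One SDN controller together with its local copy of the distributed user table."""

    def __init__(self, name):
        self.name = name
        self.users = {}       # mac -> UserRecord
        self.pending = set()  # MACs whose latest change has not reached this node yet


class Cluster:
    def __init__(self, names):
        self.nodes = {n: ControllerNode(n) for n in names}
        self.unsynced = {}    # mac -> newest record still to be propagated

    def _write(self, origin, rec):
        origin.users[rec.mac] = rec
        self.unsynced[rec.mac] = rec
        for node in self.nodes.values():
            if node is not origin:
                node.pending.add(rec.mac)

    def admin_update(self, node_name, rec):
        """Steps 1-2: the web UI writes to one controller's database, which rejects malformed records."""
        if not MAC_RE.fullmatch(rec.mac) or rec.role not in ROLES:
            return False
        self._write(self.nodes[node_name], rec)
        return True

    def sync(self):
        """Steps 3 and 7: propagate every outstanding change to all nodes (the distributed-DB sync)."""
        for rec in self.unsynced.values():
            for node in self.nodes.values():
                node.users[rec.mac] = rec
                node.pending.discard(rec.mac)
        self.unsynced.clear()

    def authenticate(self, node_name, mac, ap_dpid):
        """Steps 4-6 on the controller that received the AP's authentication event."""
        node = self.nodes[node_name]
        if mac in node.pending:                 # step 3: local copy not yet consistent -> fail
            return {"decision": SYNC_PENDING, "flow": None, "notice": "sync incomplete"}
        rec = node.users.get(mac)
        if rec is None:                         # step 5: no user information -> no access
            return {"decision": DENY, "flow": None, "notice": "unknown user"}
        if rec.enabled:
            decision, notice = ADMIT, None
        else:                                   # step 5: abnormal privileges -> controlled access
            decision, notice = RESTRICTED, "user disabled: access restricted"
        # Entry shaped like a Floodlight Static Flow Pusher rule (field names are an assumption).
        flow = {"switch": ap_dpid, "name": f"user-{mac}", "eth_src": mac, "active": "true",
                "priority": 100 if decision == ADMIT else 10,
                "actions": "output=normal" if decision == ADMIT else "output=controller"}
        self._write(node, replace(rec, status="online"))   # step 6: controller records the new state
        return {"decision": decision, "flow": flow, "notice": notice}

    def handover(self, node_name, mac):
        """Step 7: a second controller admits a synchronised 'online' user without re-authentication."""
        node = self.nodes[node_name]
        rec = node.users.get(mac)
        return rec is not None and rec.status == "online" and mac not in node.pending


if __name__ == "__main__":
    cluster = Cluster(["ctrl-a", "ctrl-b"])
    cluster.admin_update("ctrl-a", UserRecord("02:00:00:00:00:01", "staff"))
    dpid = "00:00:00:00:00:00:00:01"
    print(cluster.authenticate("ctrl-b", "02:00:00:00:00:01", dpid)["decision"])  # sync_pending
    cluster.sync()
    print(cluster.authenticate("ctrl-b", "02:00:00:00:00:01", dpid)["decision"])  # admit
```

The point worth noticing is that the failure in step 3 is deliberate: a controller whose copy of the record is stale refuses rather than guessing, so an administrator's revocation cannot be raced by a login on a controller that has not yet heard about it. The restricted branch keeps the flow entry but sends the user's traffic to the controller instead of the normal pipeline, which is one way of expressing "access rights controlled" in OpenFlow terms.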

Compared with the prior art, the advantages and positive effects of the invention are:

(1) Wireless management functions are added to the SDN network. The core function of SDN is routing, forwarding and flow control; it has almost no management functions on the wireless side. The invention therefore integrates the AP's inherent wireless management instructions into the control platform and divides AP management into SDN switch management and wireless AP management, handled respectively through the OF-Config protocol and through out-of-band signalling. At the same time it modifies the structure of the SDN controller by adding a thread for handling wireless users and a thread for database operations, moving user data from file-based to database-based management, so that frequent user changes are handled in real time and the needs of wireless network management, such as seamless handover, are better met.

(2) The SDN controller gains data storage and feedback capability. To avoid fluctuations in network performance, large-scale data operations can be carried out when the network load is light, and the administrator can first request the most recent historical data rather than add to the controller's burden under heavy load. Normally an SDN controller manages the network only on the basis of its current state; in this platform the network management application combines analysis of historical data with the current network conditions and feeds the result back to the configuration management module, producing more reasonable predictions of network application parameters.

(3) Network user authentication is unified. The combination of Floodlight with a distributed database system used in the invention makes up for the lack of an east-west interface in most current SDN controllers. Controller scalability has always been a weak point of SDN networks. Because authentication relies on user data, unified user authentication across multiple controllers can be achieved by synchronizing that data, without changing the controllers themselves: a user's state change under one controller is transparent to the others, and the user does not need to authenticate again while moving.

Brief description of the drawings

Fig. 1 is the architecture diagram of the Floodlight-based WLAN management and authentication platform of the invention;

Fig. 2 shows the collaboration and feedback relationships between the modules of the management platform of the invention;

Fig. 3 is a flow chart of unified user access authentication in the invention.

Detailed description

The invention is described in further detail below with reference to the drawings and embodiments.

The invention proposes a Floodlight-based SDN wireless network management platform and authentication method, implemented on an improved version of the modular OpenFlow controller Floodlight, a distributed database system, upper-layer management applications and a web-based visual user interface. The improved Floodlight controller is the core: it connects downward to the physical network, completing the SDN-based WLAN system, and the various management applications run on top of it. The management platform is implemented on an Apache server; through the controller and programming it abstracts network parameters, AP parameters, user parameters and management parameters, giving the administrator convenient and fast management, and it implements wireless user authentication and privilege management through the distributed database system. This makes up for the lack of WLAN management capability in ordinary SDN controllers and improves the overall performance and controllability of the network.

Fig. 1 is the architecture diagram of the Floodlight-based WLAN management and authentication platform of the invention. The basic principle of the management and authentication architecture proposed here is to collect network information and configure network parameters through data interfaces, thereby providing management capability for a wireless SDN network. A specific embodiment of the invention is as follows.

The network management platform runs on a ThinkServer RD640S2620v2 4/300A2HROD;

its main parameters are:

CPU model: Xeon E5-2620v2; number of CPUs as standard: 1;

Memory type: DDR3; memory capacity: 4GB;

Hard disk interface: SAS; standard hard disk capacity: 300GB;

Operating system: Ubuntu 14.04;

SDN controller: Floodlight V1.0 (the wireless functions were added afterwards);

Web environment: Apache 2.0 + PHP 5.5 + MySQL 5.5.44

AP environment: OpenWRT 12.09 + OVS 2.3

For the method of network deployment see references [2][3]; here we mainly describe the architecture and flow of the management platform. The Floodlight controller is the control center of the whole OpenFlow network architecture and has a global view of it. The controller formulates the logical rules for data flows and realizes their transmission along specified paths by pushing flow tables. The management platform interacts with the WLAN controller mainly through the Representational State Transfer Application Programming Interface (REST API). REST builds lightweight web services from plain HTTP, URI standards and XML; under the REST framework every piece of information the control layer can provide is abstracted as a REST resource, and each resource is assigned a unique Uniform Resource Identifier (URI). Floodlight provides a REST server module that exposes the REST API of the operable modules to users, and developers interoperate with the network through URI-based operations; for how to operate it see reference [4]: Lu Zhaoming, Wang Luhan, Wen Xiangming, 软件定义的无线接入网络架构与关键技术 (Software-Defined Wireless Access Network Architecture and Key Technologies), Beijing University of Posts and Telecommunications Press, 2015: 170-174.

Most of the information used by the system management, topology management, configuration management, AP management and data statistics modules of the management platform is obtained through the SDN controller's programming interfaces, which comprise a Java interface and a REST API. The REST API registers services on the server and retrieves the controller's network information through them. The management platform must filter the data Floodlight provides, discarding network information that cannot be used, selecting what is useful to administrators, and outputting it in a formatted form to build a user-friendly web UI. The Java interface is tied directly to the application/control layer and retrieves network data there.

The system management module obtains information about the server and the Floodlight controller itself: the server's current CPU, memory and I/O usage; the controller's overall status, working mode, uptime and module information; an overview of network components, connected switches and flow statistics; and the firewall configuration. Server information is obtained with Linux shell commands, controller information through the REST API.

The topology management module collects the connections between OpenFlow switches and the attachment of users through the REST API and draws the logical topology; the topology data comes from the stored statistics or from real-time queries. It also draws the physical topology of the network from the recorded AP positions, which serves as a rough reference for locating users.
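The filtering step the description mentions (keep only usable records, then turn switch links and device attachment points into a drawable graph) is shown below as an added example for this page; it is not the patent's code. The two JSON samples are constructed, and their field names follow what the author recalls of Floodlight v1.0's `/wm/topology/links/json` and `/wm/device/` responses, so treat those names as an assumption to be checked against the deployed controller.

```python
"""Constructed parser turning Floodlight REST responses into a logical topology; not the patent's code."""
import json

# Constructed sample responses (field names are an assumption, see lead-in).
LINKS_JSON = json.dumps([
    {"src-switch": "00:00:00:00:00:00:00:01", "src-port": 2,
     "dst-switch": "00:00:00:00:00:00:00:02", "dst-port": 1, "type": "internal"},
    # Floodlight reports each link once per direction; this is the reverse record of the same link.
    {"src-switch": "00:00:00:00:00:00:00:02", "src-port": 1,
     "dst-switch": "00:00:00:00:00:00:00:01", "dst-port": 2, "type": "internal"},
])
DEVICES_JSON = json.dumps([
    {"mac": ["02:00:00:00:00:01"], "ipv4": ["10.0.0.11"], "lastSeen": 1466000000000,
     "attachmentPoint": [{"switchDPID": "00:00:00:00:00:00:00:02", "port": 3}]},
    # Known to the controller but no longer attached anywhere: unusable for the topology.
    {"mac": ["02:00:00:00:00:02"], "ipv4": [], "lastSeen": 1466000001000,
     "attachmentPoint": []},
    # No MAC at all: cannot be mapped to a user record, so it is dropped too.
    {"mac": [], "ipv4": ["10.0.0.13"], "lastSeen": 1466000002000,
     "attachmentPoint": [{"switchDPID": "00:00:00:00:00:00:00:01", "port": 4}]},
])


def parse_links(links_json):
    """Collapse the two directed records reported per link into one undirected edge."""
    edges = set()
    for link in json.loads(links_json):
        a = (link["src-switch"], link["src-port"])
        b = (link["dst-switch"], link["dst-port"])
        edges.add(tuple(sorted((a, b))))   # canonical order makes both directions identical
    return sorted(edges)


def parse_attachments(devices_json):
    """Map each usable device (has a MAC and an attachment point) to the switch port it hangs off."""
    attachments = {}
    for dev in json.loads(devices_json):
        if not dev.get("mac") or not dev.get("attachmentPoint"):
            continue                          # the "unusable information" the module discards
        ap = dev["attachmentPoint"][0]
        attachments[dev["mac"][0]] = (ap["switchDPID"], ap["port"])
    return attachments


def logical_topology(links_json, devices_json):
    """Switch-to-switch edges plus user-to-switch edges, as the topology module would draw them."""
    edges = parse_links(links_json)
    attachments = parse_attachments(devices_json)
    switches = {dpid for edge in edges for dpid, _ in edge}
    switches |= {dpid for dpid, _ in attachments.values()}
    return {"switches": sorted(switches), "links": edges, "users": attachments}


if __name__ == "__main__":
    print(json.dumps(logical_topology(LINKS_JSON, DEVICES_JSON), indent=2))
```

In a live deployment the two constants would be replaced by the bodies of the corresponding REST calls; the parsing and filtering logic stays the same. Dropping records without an attachment point also matters for the user-positioning use the description mentions: a stale device entry would otherwise place a user on a port they have already left.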

The configuration management module covers two kinds of configuration. The first is SDN configuration: operating the controller through the REST API and configuring applications through the Java interface. Following the Floodlight developer documentation, the invention uses the subset of REST configuration interfaces that are relevant to a WLAN, such as device management, switch information retrieval and flow table configuration; the Java interface mainly supplies code-level parameter input for the application-layer management applications written by the administrator. The second is AP configuration: the invention extends the REST API from the controller side to the AP side, using the URIs provided by OpenWRT to emulate a REST workflow, so that APs are managed in a uniform way. From the point of view of an upper-layer user there is no need to distinguish whether a REST call is served by Floodlight or by an AP.

The collection function of the data statistics module on the right of Figure 1 is independent of the Floodlight controller and is implemented with the Linux crontab facility. crond is the Linux daemon that runs tasks periodically or waits for events to handle; once a minute it checks whether a task is due and, if so, runs it. At the same time, the management platform decides on the basis of the network load whether a collection is actually carried out. In a large WLAN a single controller may have a dozen or even several dozen APs under it, and obtaining network-wide information, for example the topology or the state of every switch, becomes an operation that consumes a great deal of CPU and memory. When the controller load is already high (typical thresholds: CPU utilisation above 70 %, memory utilisation above 65 %), the collection function of the data statistics module is suppressed, and an administrator request for a large data set is preferably served from existing data, because once server resource usage is too high a burst of WLAN operations can make network performance drop sharply and response times grow too long. Data statistics therefore run as a low-priority thread whose work can be deferred. The data are stored in a data warehouse, on top of which data analysis models, such as situational awareness or data mining models, can be built to predict the state of the network; through a decision algorithm these models drive the configuration management module, which sets the network parameters for the next period.
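The load-gated collection described above, written out as an added example; this is not code from the patent or from Floodlight. It models a cron-driven collector that skips network-wide REST queries when the controller host is busy and serves the last stored snapshot instead. The thresholds (CPU above 70 %, memory above 65 %) are the ones the text gives; the REST paths are Floodlight's documented switch, link and device endpoints; the HTTP transport is injected as a callable so the gating logic can be exercised offline, and the /proc sampler is Linux-only and is an assumption about how the "server information by shell command" part would be done.

```python
"""Load-gated, cached collection of Floodlight REST data (added example)."""
import json
import time
import urllib.request

CPU_LIMIT = 70.0   # percent, from the text
MEM_LIMIT = 65.0   # percent, from the text

# Floodlight REST endpoints used by the topology / system management modules.
ENDPOINTS = {
    "switches": "/wm/core/controller/switches/json",
    "links": "/wm/topology/links/json",
    "devices": "/wm/device/",
}


def read_cpu_mem_percent():
    """Linux-only: sample /proc/stat twice for CPU busy %, /proc/meminfo for memory %."""
    def cpu_counters():
        with open("/proc/stat") as fh:
            values = [int(v) for v in fh.readline().split()[1:]]
        idle = values[3] + (values[4] if len(values) > 4 else 0)   # idle + iowait
        return idle, sum(values)

    idle0, total0 = cpu_counters()
    time.sleep(0.5)
    idle1, total1 = cpu_counters()
    busy = 100.0 * (1 - (idle1 - idle0) / max(total1 - total0, 1))
    mem = {}
    with open("/proc/meminfo") as fh:
        for line in fh:
            key, val = line.split(":", 1)
            mem[key] = int(val.split()[0])
    used = 100.0 * (1 - mem["MemAvailable"] / mem["MemTotal"])
    return busy, used


def http_get_json(base_url, path, timeout=5):
    """Real transport for a Floodlight controller, e.g. base_url='http://127.0.0.1:8080'."""
    with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


class GatedCollector:
    def __init__(self, fetch, load_sampler, cpu_limit=CPU_LIMIT, mem_limit=MEM_LIMIT):
        self.fetch = fetch                # callable(path) -> parsed JSON
        self.load_sampler = load_sampler  # callable() -> (cpu_percent, mem_percent)
        self.cpu_limit = cpu_limit
        self.mem_limit = mem_limit
        self.cache = {}                   # name -> (timestamp, data)

    def overloaded(self):
        cpu, mem = self.load_sampler()
        return cpu > self.cpu_limit or mem > self.mem_limit

    def collect(self, name, now=None):
        """Return (data, fresh). Under load, hand back the cached snapshot (fresh=False), or None."""
        now = time.time() if now is None else now
        if self.overloaded():
            cached = self.cache.get(name)
            return (cached[1], False) if cached else (None, False)
        data = self.fetch(ENDPOINTS[name])
        self.cache[name] = (now, data)
        return data, True

    def cron_tick(self, now=None):
        """Body of the periodic job: refresh each snapshot the load gate allows; map name -> refreshed?"""
        return {name: self.collect(name, now)[1] for name in ENDPOINTS}
```

For a real deployment the collector would be built as `GatedCollector(lambda p: http_get_json("http://127.0.0.1:8080", p), read_cpu_mem_percent)` and `cron_tick()` invoked from a crontab line such as `*/5 * * * * /usr/bin/python3 /opt/mgmt/collect.py`; the administrator-facing request path calls `collect()` and shows the `fresh` flag so stale data is visibly stale.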

To remedy Floodlight's lack of user management, the invention modifies the Floodlight architecture and provides a user management module: a thread that monitors the user database in real time is added to the controller and periodically watches for changes in user data. Administrators modify user information through the web UI of the management platform, and changes to user information are propagated by database triggers. A trigger is a special kind of stored procedure: an ordinary stored procedure is called explicitly by name, whereas a trigger is fired by an event (insert, delete or update) and runs automatically whenever the data in a table change. As shown in Figure 1, when the user information table changes, the trigger records the changed items in a table USER_CHANGE in the user database; as soon as the Floodlight user management thread finds new rows in USER_CHANGE it updates the user information held in the controller. Each time the thread has finished reading USER_CHANGE it clears the table, marking the update as complete.
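The trigger-and-poll mechanism above, as an added example that is not the patent's or Floodlight's code. SQLite (the standard sqlite3 module) stands in for the MySQL user database so the example runs offline; the trigger syntax is SQLite's (MySQL would write `CREATE TRIGGER ... AFTER INSERT ON users FOR EACH ROW INSERT INTO USER_CHANGE ...`), and the user table columns are assumptions. One deliberate difference from the description: the poller deletes only the change rows it has actually applied, by id, rather than clearing the whole table, so a change written between the read and the clear is not silently lost.

```python
"""USER_CHANGE trigger and the controller-side polling thread (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    mac   TEXT PRIMARY KEY,
    attrs TEXT NOT NULL DEFAULT '',
    perm  TEXT NOT NULL DEFAULT 'normal'
);
CREATE TABLE USER_CHANGE (
    id  INTEGER PRIMARY KEY AUTOINCREMENT,
    mac TEXT NOT NULL,
    op  TEXT NOT NULL      -- 'INSERT' | 'UPDATE' | 'DELETE'
);
CREATE TRIGGER users_ai AFTER INSERT ON users BEGIN
    INSERT INTO USER_CHANGE(mac, op) VALUES (NEW.mac, 'INSERT');
END;
CREATE TRIGGER users_au AFTER UPDATE ON users BEGIN
    INSERT INTO USER_CHANGE(mac, op) VALUES (NEW.mac, 'UPDATE');
END;
CREATE TRIGGER users_ad AFTER DELETE ON users BEGIN
    INSERT INTO USER_CHANGE(mac, op) VALUES (OLD.mac, 'DELETE');
END;
"""


def open_user_db():
    """In-memory stand-in for the per-controller MySQL user database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


class ControllerUserCache:
    """In-memory user records held by the (hypothetical) Floodlight user-management thread."""

    def __init__(self):
        self.users = {}

    def poll(self, db):
        """One iteration of the monitoring thread. Returns the number of change rows applied."""
        rows = db.execute("SELECT id, mac, op FROM USER_CHANGE ORDER BY id").fetchall()
        for _id, mac, op in rows:
            if op == "DELETE":
                self.users.pop(mac, None)
                continue
            rec = db.execute("SELECT attrs, perm FROM users WHERE mac = ?", (mac,)).fetchone()
            if rec is not None:   # row may already be gone again; its DELETE change follows
                self.users[mac] = {"attrs": rec[0], "perm": rec[1]}
        if rows:
            # Clear only what was processed: rows inserted after the SELECT keep their ids
            # above last_id and are picked up by the next poll.
            last_id = rows[-1][0]
            db.execute("DELETE FROM USER_CHANGE WHERE id <= ?", (last_id,))
            db.commit()
        return len(rows)
```

The poll runs inside a loop with a sleep in the real thread; the per-id delete is the whole point of the example, since a `TRUNCATE USER_CHANGE` after the read has a window in which an administrator edit lands in the table and is thrown away.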

A change to the database of one SDN controller must also trigger a synchronisation of all associated databases in the network, so the user databases of the controllers have to be kept in sync. MySQL supports a mutual master-slave relationship between two databases. The database in which the change occurs is called the master and the database that synchronises to it the slave. The I/O thread on the slave connects to the master and requests the log contents following a given position in a given log file; on receiving that request, the master's replication I/O thread reads the log from the requested position onwards and returns it. The slave's I/O thread appends the received log contents to the end of its relay log; when the slave's SQL thread detects new content in the relay log it replays the same operations as on the master, and the databases are thereby synchronised. This keeps user information consistent across the whole WLAN.

Referring to Figure 1, the management platform not only manages the Floodlight controller directly but is also logically connected directly to the APs. This is mainly to complete the wireless management functions of the platform: the core of an SDN network is a simplified routing and forwarding fabric, which is essentially route management and flow management, so Floodlight has almost no wireless-side management. The APs used in an SDN-based WLAN are, however, usually based on OpenWRT, which has wireless management functions of its own to support operation in fat-AP mode. The invention therefore provides an AP management module that makes sensible use of the existing AP functions to extend the management capability of the WLAN. Towards the AP as a wireless access point, the AP management module concentrates on the AP's own management functions: it stores the operating instructions of all APs on the management platform, and the platform invokes the AP-specific management functions through uniform remote operations; these operations lie outside the SDN architecture and are out-of-band signalling. Towards the AP as a data-plane switch in the SDN, the module concentrates on route/forwarding management and flow management on the wired side: it uses Floodlight's switch control capability to implement flow table configuration and firewall settings, treating the AP as a generic OpenFlow switch. These two functions of the AP management module are logically two separate paths. In a WLAN the IP address of an AP does not normally change, so the management platform uses the IP address as the AP identifier and integrates the LuCI user interface provided by OpenWRT to manage all APs uniformly. Because each AP requires its own login and every login produces a new session, the management platform must know the management password of every AP in the network when the network is configured; after logging in it captures the session information, and when operating the same AP again it communicates with it using the corresponding session id. As with the REST API, AP control commands are encapsulated as URI + parameters, and the AP management module uses HTTP GET to read AP data and change AP configuration parameters. The platform integrates these commands into the module and, together with the IP address and the captured session id, assembles the complete request URI, which gives uniform management of different APs. Routing and forwarding on the AP is the responsibility of the Floodlight forwarding module, which pushes flow entries automatically according to the OpenFlow protocol so that the AP functions as an OpenFlow switch; switch-level management of the AP is done through the flow pushing interface provided by the Floodlight controller.
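The per-AP login, session capture and URI + parameter request path described above, as an added example; this is not code from the patent or from OpenWrt. It keeps one session per AP IP, logs in once with that AP's management password, and attaches the captured session id to every later GET. The LuCI login form fields (luci_username, luci_password) and the sysauth session cookie are what LuCI uses in the versions I have worked with, but treat them as assumptions for your build; the command path in wireless_status() is a placeholder. The transport is injected so the logic runs offline.

```python
"""Per-AP session handling for the AP management module (added example)."""
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


class UrllibTransport:
    """Real transport: its own cookie jar, so one instance per AP and sessions never mix."""

    def __init__(self):
        self.jar = CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))

    def post(self, url, form):
        data = urllib.parse.urlencode(form).encode()
        with self.opener.open(url, data=data, timeout=5) as resp:
            resp.read()
        return {c.name: c.value for c in self.jar}   # cookies set by the login response

    def get(self, url, headers):
        req = urllib.request.Request(url, headers=headers)
        with self.opener.open(req, timeout=5) as resp:
            return resp.read().decode()


class APSession:
    SESSION_COOKIE = "sysauth"   # assumption: LuCI's session cookie name

    def __init__(self, ip, password, transport, scheme="https", user="root"):
        self.ip = ip
        self.base = f"{scheme}://{ip}"
        self.user = user
        self.password = password
        self.transport = transport
        self.session_id = None

    def login(self):
        cookies = self.transport.post(
            self.base + "/cgi-bin/luci",
            {"luci_username": self.user, "luci_password": self.password})
        self.session_id = cookies.get(self.SESSION_COOKIE)
        if not self.session_id:
            raise PermissionError(f"login to AP {self.ip} failed")
        return self.session_id

    def build_uri(self, path, params):
        """URI + parameters, the form the page describes for AP control commands."""
        return self.base + path + "?" + urllib.parse.urlencode(sorted(params.items()))

    def get(self, path, params=None):
        if self.session_id is None:
            self.login()
        uri = self.build_uri(path, params or {})
        headers = {"Cookie": f"{self.SESSION_COOKIE}={self.session_id}"}
        return self.transport.get(uri, headers)


class APManager:
    """Unified entry point: one APSession per AP IP; credentials are supplied by the caller."""

    def __init__(self, transport_factory, credentials):
        self.sessions = {}
        self.transport_factory = transport_factory
        self.credentials = credentials   # {ip: management password}; load from a secrets store, not code

    def session(self, ip):
        if ip not in self.sessions:
            self.sessions[ip] = APSession(ip, self.credentials[ip], self.transport_factory())
        return self.sessions[ip]

    def wireless_status(self, ip):
        # placeholder command path; substitute the LuCI/uhttpd URI your AP image exposes
        return self.session(ip).get("/cgi-bin/luci/admin/network/wireless_status", {})
```

Because the platform holds every AP's management password and reuses captured session ids, the design choice worth making explicit is that the transport defaults to HTTPS and that the credential map is loaded from a secrets store at start-up and confined to the out-of-band management network the text describes.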

Figure 2 is a schematic of how the modules of the proposed management and authentication platform cooperate at run time. The cooperation falls into three parts: data collection, analysis and decision, and feedback execution. In the hierarchy of Figure 2 the lowest layer is the data collection layer, whose job is to gather network data and supply the layer above with material for analysis. It comprises the system management, topology management, AP management and user management modules, which collect, respectively, data about the Floodlight controller and server, the description of the network structure, wireless switch data, and wireless user information. Data are collected in two ways, by real-time user request and periodically through the Linux crontab facility; the collected data can be partitioned along three dimensions, time, user and resource usage. Once a data request completes, the result is stored in the data warehouse of the data statistics module.

The analysis and decision layer shown in Figure 2 consists of the data statistics module. It links the data collection layer with the feedback execution layer: it builds mathematical models from the collected statistics and finally decides, through a decision algorithm, how the WLAN parameters are to be adjusted next. The statistical results are plotted as charts with the FusionCharts tool so that operators can read them directly.

The top layer of Figure 2 consists mainly of the configuration management module, together with the AP management module, the user management module and the WLAN applications. The AP management and user management modules belong both to the data collection layer and to the feedback execution layer, because they can not only read information from the underlying network but also change it. The configuration management module takes the network parameters produced by the analysis and decision layer and configures the WLAN applications to obtain better network performance. For example, when one AP is heavily loaded, the analysis and decision layer adjusts the parameters of the load balancing application so that the heavily loaded AP shrinks its coverage while the neighbouring APs extend theirs, diverting some users to other APs; this closes the feedback loop. As another example, when users are very sparse across the whole network, the analysis and decision layer enables the energy saving application, queries the attachment status of every user in the database and puts AP nodes with no attached users to sleep, reducing the overall power consumption of the network. The configuration management module can also configure the system management and data statistics modules, deciding according to server resource utilisation whether data collection is carried out. The feedback execution layer is also the space in which administrators manage the network, so its functional modules must offer administrators a friendly interface and must be able to recognise dangerous operations and warn the administrator about them.

The modular management platform proposed here makes management more flexible and extensible; each module performs its own task while cooperating with the others, which gives the network a degree of intelligence and improves its manageability and stability. The introduction of the analysis and decision layer removes the complexity of judging the network state by hand and reduces the negative impact of wrong decisions.

Figure 3 shows the Floodlight-based WLAN user authentication procedure proposed by the invention; its steps are described below.

Step 301: the administrator adds or modifies user information on one of the controllers in the network through the web UI. This is the initialisation step for a user joining the WLAN; it must be performed by an administrator, and ordinary users have no permission for it. The data structure of a WLAN user comprises the user identifier, user attributes and user permissions. The web UI connects to the database through a PHP (Hypertext Preprocessor) interface.

Step 302: the database checks whether the user information added or modified by the administrator is valid, rejects invalid modifications and applies valid modification requests. This step requires administrator privileges.

Step 303: the distributed databases synchronise the added or modified user information with one another so that user information is consistent across the whole network. While synchronisation is incomplete, an incoming authentication request from the affected user is treated as an authentication failure; users whose records have not been modified are not affected by the synchronisation. Refusing access to unsynchronised users is a precaution against controller faults caused by inconsistent user information: if an unsynchronised user were admitted and changed their own attributes at the same time, then on re-attaching to an AP under another controller all the previously stored user information, such as billing or top-up records, would be lost.

Step 304: the AP receives the user's authentication request and passes it up to the Floodlight controller, which converts the user's authentication packet into an authentication event and activates the user management thread. This is done by the FloodlightProvider core module, which is responsible for turning received OpenFlow packets into events; the controller's forwarding, link discovery, device manager and statistics modules register with FloodlightProvider, become services after registration, and can then handle the corresponding events.

Step 305: using the MAC address or another uniform identifier of the authenticating user, the controller queries the user database for the user's information and permissions and responds according to the user's attributes and permissions. Users without a record are not admitted to the network; users with a record but abnormal access permissions continue the association, are given controlled access after joining, and are shown a notice of the anomaly.

Step 305 comprises the following three sub-steps:

Step 305-1: when a user attaches to the WLAN for the first time, the OpenFlow switch has no flow entry for that user, so it sends the packet to the Floodlight controller as a packet-in message. The controller parses the packet-in, extracts the user identifier, and triggers the user management thread to look up the user data for that identifier in the user database and check the user's attributes and permissions.

Step 305-2: if the user does not exist, authentication ends immediately. If the user exists but the user attributes or permissions are abnormal, the authentication procedure still runs to completion and the AP allows the user's subsequent association. Once the user is fully attached, the controller restricts the user's access scope according to the user's permissions; if the user attributes are abnormal, the controller pushes an error message as a web page.

Step 305-3: if the user's attributes and permissions are both normal, the controller tells the AP to complete the association, finishing MAC-layer access, and pushes the required flow entries to the AP. If the AP is connected directly to the aggregation switch, the subsequent packets need no packet-in procedure and are forwarded directly by the OpenFlow switch; if there are further switches between the AP and the aggregation router, the packet-in procedure is triggered again, but the Floodlight controller finds that the user is already marked as attached and does not authenticate again.

Step 306: after the user's state changes, the controller updates the user information in its own database, and the user management module of the management platform fetches the updated information.

Step 307: the distributed databases of the controllers synchronise the user information with one another, keeping users consistent across the whole network so that a user is neither re-authenticated nor disconnected when moving between APs or controllers. This completes the user authentication procedure.
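The controller-side decision of steps 303 through 306, written out as one added example; this is not code from the patent or from Floodlight. The user table columns, the sync_pending flag (the "synchronisation not complete" state of step 303), the attached flag (the user state of step 306) and the flow entry shape (modelled on Floodlight's static flow pusher JSON, with the exact keys an assumption) are all assumptions made to model the text. SQLite stands in for the MySQL user database, and the sample Ethernet frame is constructed. The MAC address is used as the user identifier because the page says so; note that a MAC address is chosen by the client, so nothing in this lookup proves who sent the frame.

```python
"""Controller-side user authentication decision for the WLAN flow (added example)."""
import sqlite3
from dataclasses import dataclass
from typing import Optional

DENY, FAIL_SYNCING, RESTRICTED, ALLOW, ALREADY_ATTACHED = (
    "deny", "fail_syncing", "restricted", "allow", "already_attached")

SCHEMA = """
CREATE TABLE users (
    mac          TEXT PRIMARY KEY,
    attr_ok      INTEGER NOT NULL DEFAULT 1,   -- user attributes valid?
    perm         TEXT NOT NULL DEFAULT 'normal',
    sync_pending INTEGER NOT NULL DEFAULT 0,   -- step 303: edit not yet replicated
    attached     INTEGER NOT NULL DEFAULT 0    -- step 306: user state
);
"""


def open_user_db():
    """In-memory stand-in for a controller's MySQL user database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


@dataclass
class Decision:
    verdict: str
    flow_entry: Optional[dict] = None
    notice: Optional[str] = None


def parse_packet_in_src_mac(frame: bytes) -> str:
    """Extract the Ethernet source MAC (bytes 6..12) from a packet-in payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    return ":".join(f"{b:02x}" for b in frame[6:12])


def authenticate(db, frame: bytes, switch_dpid: str) -> Decision:
    mac = parse_packet_in_src_mac(frame)
    row = db.execute(
        "SELECT attr_ok, perm, sync_pending, attached FROM users WHERE mac = ?", (mac,)).fetchone()
    if row is None:                    # step 305-2: no record, authentication ends
        return Decision(DENY)
    attr_ok, perm, sync_pending, attached = row
    if attached:                       # step 305-3: packet-in from a further switch, no re-auth
        return Decision(ALREADY_ATTACHED)
    if sync_pending:                   # step 303: record still replicating, treat as failure
        return Decision(FAIL_SYNCING, notice="user record is being synchronised, retry later")
    # Step 305-2 / 305-3: associate, then scope the pushed flow entry to the user's permission.
    flow = {"switch": switch_dpid, "name": f"user-{mac}", "priority": "100",
            "eth_src": mac, "active": "true", "actions": "output=normal"}
    verdict, notice = ALLOW, None
    if not attr_ok or perm != "normal":
        verdict = RESTRICTED
        flow["actions"] = "output=controller"   # assumed restricted-access policy: keep traffic under control
        notice = "account attributes or permission abnormal; access restricted"
    db.execute("UPDATE users SET attached = 1 WHERE mac = ?", (mac,))   # step 306
    db.commit()
    return Decision(verdict, flow_entry=flow, notice=notice)


def make_frame(src_mac: str) -> bytes:
    """Constructed sample frame: broadcast dst, given src, EtherType 0x0800, zero payload."""
    src = bytes(int(x, 16) for x in src_mac.split(":"))
    return b"\xff" * 6 + src + b"\x08\x00" + b"\x00" * 46
```

In a Floodlight module the same logic would sit in the packet-in listener, with `attached` reset by the device manager's move/timeout events and the row written back through the user database so step 307's replication carries the state to the other controllers.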

The user authentication method proposed here is an SDN authentication scheme for attaching mobile users. It avoids the conventional SDN controller's reading of user configuration files, making user management more flexible and improving the user experience. The introduction of data synchronisation makes user information consistent across the whole network, makes up for the lack of an east-west interface in most current SDN controllers, prevents data conflicts caused by user mobility, and provides a workable solution for the practical management of a Floodlight-based SDN WLAN.

The specific embodiments described above explain the purpose, technical solution and benefits of the invention in further detail. It should be understood that they are only specific embodiments of the invention and do not limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (4)

1. An SDN wireless network management platform based on Floodlight, implemented on an Apache server, the SDN controller of the network to which it is applied being Floodlight and the programming interfaces of the SDN controller comprising a Java interface and a REST API interface, characterised in that the management platform comprises a system management module, a topology management module, a configuration management module, a user management module, an AP management module and a data statistics module, where AP denotes a wireless access point;
the system management module obtains information about the Apache server and about the Floodlight controller itself;
the topology management module draws the logical topology of the network from the connections between switches and the attachment points of users, and draws the physical topology of the network from the positions of the deployed APs;
the configuration management module covers two kinds of configuration management: SDN configuration management, comprising configuration of the controller through the REST API and configuration of applications through the Java interface; and AP configuration management, which uses the URIs provided by OpenWRT to emulate a REST workflow and manage APs in a uniform way, where URI denotes a Uniform Resource Identifier;
the user management module adds to the controller a thread that periodically monitors changes in user information; user information is configured through the web UI of the management platform and changes to it are propagated by database triggers; user information is stored in a distributed database, and when the database of one SDN controller in the network changes, a synchronisation of the databases of the SDN controllers in the network is triggered so that user information stays consistent across the whole network, where UI denotes a user interface;
the AP management module manages wireless switch data and fulfils two functions: first, towards the AP as a wireless access point, it stores the operating instructions of all APs on the management platform so that the platform invokes the AP management functions through uniform remote operations; second, it implements flow table configuration and firewall settings, providing the OpenFlow switch function;
the data statistics module periodically obtains the number of users, switch load and user usage data and stores them separately, either on each SDN controller in the network or centrally in a data centre; through a data analysis model it builds, the data statistics module predicts the state of the network from the obtained data and feeds back the network parameters for the next period to the configuration management module.

2. The SDN wireless network management platform based on Floodlight according to claim 1, characterised in that the data statistics module performs data collection through the Linux crontab facility, the management platform decides according to the network load whether data collection is carried out, and data statistics run as a low-priority thread.

3. The SDN wireless network management platform based on Floodlight according to claim 1, characterised in that the AP management module uses the IP address as the AP identifier and integrates the LuCI user interface provided by OpenWRT to manage APs uniformly; when the network is configured, the management password of every AP in the network is obtained; after login, the session information produced by the AP login is captured, and when operating the same AP the corresponding session id is used to communicate with that AP; AP control commands are encapsulated as URI + parameters, and the AP management module uses the GET method to obtain AP data and change AP configuration parameters; routing and forwarding on the AP is the responsibility of the forwarding module of the Floodlight controller, which pushes flow entries automatically according to the OpenFlow protocol to provide the OpenFlow switch function of the AP.

4. A user authentication method based on the management platform of claim 1, characterised in that it is implemented by the following steps:
Step 1: the administrator edits or adds user information on one of the controllers through the web UI, which connects to the database through a PHP interface;
Step 2: the database checks the validity of the information modified or added by the administrator, rejects invalid modifications and applies valid modification requests;
Step 3: the distributed databases synchronise the added or modified user information with one another to keep users consistent across the whole network; while synchronisation is incomplete, an incoming authentication request from that user is treated as an authentication failure;
Step 4: the AP receives the user's authentication request and passes it to the Floodlight controller, which converts the user's authentication packet into an authentication event and activates the user management thread;
Step 5: using the MAC address or uniform identifier of the authenticating user, the controller checks whether the user's information exists in the database; a user without a record is not admitted to the network; if the record exists but the user attributes or permissions are abnormal, the association continues, controlled access is granted after joining and a notice of the anomaly is shown; if the record exists and the attributes and permissions are normal, the association continues, MAC-layer access is completed and the corresponding flow entries are pushed to the AP;
Step 6: after the user's state changes, the controller updates the user information in the corresponding database, and the user management module obtains that user information;
Step 7: the distributed databases synchronise the user information with one another, keeping user information consistent across the whole network, and the user authentication procedure is complete.
CN201610457253.0A 2015-11-25 2016-06-22 SDN wireless network management platform and authentication method based on Floodlight Active CN106162639B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510828065 2015-11-25
CN201510828065X 2015-11-25

Publications (2)

Publication Number Publication Date
CN106162639A true CN106162639A (en) 2016-11-23
CN106162639B CN106162639B (en) 2019-04-12

Family

ID=57352987

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610457253.0A Active CN106162639B (en) 2015-11-25 2016-06-22 SDN wireless network management platform and authentication method based on Floodlight

Country Status (1)

Country Link
CN (1) CN106162639B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104023335A (en) * 2014-05-28 2014-09-03 北京邮电大学 SDN (Software Defined Network)-based heterogeneous network convergence framework
CN104540144A (en) * 2014-12-24 2015-04-22 西安交通大学 User-centered network architecture based on software definition
CN105025487A (en) * 2015-07-28 2015-11-04 北京邮电大学 An SDN-based carrier-level WLAN system and unified authentication method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Tao Lei et al.: "SWAN: An SDN Based Campus WLAN Framework", 2014 4th International Conference on Wireless Communications, Vehicular Technology, Information Theory and Aerospace & Electronic Systems (VITAE) *
Zuhran Khan Khattak et al.: "Performance evaluation of OpenDaylight SDN controller", 2014 20th IEEE International Conference on Parallel and Distributed Systems (ICPADS) *
张朝昆 et al.: "Research Progress on Software-Defined Networking (SDN)", Journal of Software (软件学报) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10805241B2 (en) 2017-01-17 2020-10-13 Futurewei Technologies, Inc. Database functions-defined network switch and database system
US11080274B2 (en) 2017-01-17 2021-08-03 Futurewei Technologies, Inc. Best-efforts database functions
CN110169019B (en) * 2017-01-17 2021-01-12 华为技术有限公司 Network switch and database system with database function definition
CN110169019A (en) * 2017-01-17 2019-08-23 华为技术有限公司 Database-function-defined network switch and database system
CN107241422A (en) * 2017-06-23 2017-10-10 郑州云海信息技术有限公司 Method for synchronizing external user and user group information into Apache Ranger in real time
CN107241422B (en) * 2017-06-23 2020-08-11 浪潮云信息技术股份公司 Method for synchronizing external user and user group information into Apache Ranger in real time
CN107368363A (en) * 2017-07-20 2017-11-21 郑州云海信息技术有限公司 Cycle management method and device
CN107919982A (en) * 2017-10-31 2018-04-17 江苏省未来网络创新研究院 DCI management platform and management method therefor
CN108541019A (en) * 2018-03-26 2018-09-14 杨鲲 Upstream bandwidth control method and system for a software-defined wireless network
CN109327506A (en) * 2018-09-06 2019-02-12 网宿科技股份有限公司 Resource allocation method, device and readable storage medium
CN110138622A (en) * 2019-06-04 2019-08-16 江苏创通电子股份有限公司 Wireless local area network management system based on cloud
CN110138622B (en) * 2019-06-04 2022-05-27 江苏创通电子股份有限公司 Wireless local area network management system based on cloud technology
CN111918340A (en) * 2020-07-08 2020-11-10 河北百亚信息科技有限公司 A WiFi wireless network bandwidth allocation method
CN112367389A (en) * 2020-10-30 2021-02-12 杭州安恒信息技术股份有限公司 Agent-based software defined network method and device

Also Published As

Publication number Publication date
CN106162639B (en) 2019-04-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant