Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
One of the core concepts of the embodiments of the present invention is to provide a wireless roaming method and apparatus, so as to improve a fast roaming success rate and user experience.
Referring to fig. 1, a flowchart of an embodiment of a wireless roaming method according to the present invention is shown, where the method is applied to an AP, and specifically includes the following steps:
Step 101, receiving an association request sent by an STA.
In this step, the association request may be sent when the STA roams to the AP from another AP (i.e., an AP belonging to the same AC as the AP), when the STA goes online again after going offline, or when the STA first accesses the AP (without having associated with any AP before).
Step 102, if the association request carries an association key identifier, determining that the STA is a roaming STA, and matching the association key identifier with the locally stored association keys, where the association key identifier is generated by the STA according to at least an association key distributed when the STA associated with a previously associated AP.
Specifically, after receiving an association request from the STA, the AP detects the association request. If the association request is detected to carry an association key identifier (PMKID), the STA may be determined to be a roaming STA. Then, the AP matches the association key identifier carried in the association request with the locally stored association key. Here, the association key locally stored by the AP is an association key (PMK) distributed when a terminal accessing the AP successfully completes wireless authentication on the AP side.
The association key identifier is generated from an association key distributed when the STA, before accessing the AP, associated with any AP managed by the AC to which the AP belongs. That is, if the association request carries the association key identifier, the STA has previously associated with an AP managed by the AC to which the AP belongs. If the association request does not carry the association key identifier, the STA has not associated with any AP managed by the AC to which the AP belongs; this is the above-mentioned case in which the STA accesses the AP for the first time.
Step 103, if the matching is successful, allowing the STA to perform fast roaming.
Specifically, if the association key identifier carried in the association request is successfully matched with at least one association key stored in the AP, the AP allows the STA to perform fast roaming. That is, the AP performs the four-way handshake of the fast roaming process with the STA by using the successfully matched association key, so that the STA completes the fast roaming.
Step 104, if the matching fails, sending a matching request carrying the association key identifier to the other APs managed by the AC to which the AP belongs, so that the other APs match the association key identifier with the association keys they store locally.
Specifically, if the association key identifier carried in the association request fails to match the association keys stored in the AP, the AP sends a matching request to the other APs managed by the AC to which the AP belongs, where the matching request may include the association key identifier, address information (for example, the MAC address) of the STA, and a Basic Service Set Identifier (BSSID). Here, the BSSID is the BSSID of the AP that the STA was accessing when it generated the association key identifier.
After receiving the matching request, the other APs extract the association key identifier from it, match the association key identifier with the association key identifier stored locally, and then feed back the matching result as indicated by the matching request. For example, the matching request may indicate that all APs receiving the matching request need to feed back the matching result (regardless of whether the matching succeeded or failed), or may indicate that only APs whose matching succeeded feed back a result, in which case an AP that receives the matching request and fails to match does not need to feed back the matching result.
Step 105, if a matching success response sent by another AP is received within the preset time, allowing the STA to perform fast roaming.
Specifically, the matching success response may carry the association key that was successfully matched with the association key identifier in the association request. In this way, the AP may perform the four-way handshake of fast roaming with the STA by using the successfully matched association key, so that the STA completes the fast roaming.
Further, in the embodiment of the present invention, the wireless roaming method may further include:
If the AP does not receive a matching success response sent by another AP within the preset time, it determines that the STA has not associated with any AP managed by the AC to which the AP belongs, and notifies the STA to perform wireless authentication again.
In a preferred embodiment of the present invention, the process of the AP matching the association key identifier with the locally stored association key identifier in step 102 may include the following.
The AP generates a corresponding association key identifier from each locally stored association key. The AP generates each association key identifier in the same way as the STA generates its association key identifier.
Then, the AP determines whether an association key identifier identical to the one carried in the association request exists among the generated association key identifiers.
If so, the matching is determined to be successful; otherwise, the matching is determined to have failed.
In another preferred embodiment of the present invention, the association request further carries address information (e.g., a MAC address) of the STA and a BSSID. In this case, the association key identifier is generated by the STA according to an association key distributed when the STA associated with a previously associated AP, the address information of the STA, and the BSSID; for example, the STA generates the association key identifier by using a hash algorithm. Accordingly, the process of the AP matching the association key identifier with the locally stored association key identifier may include the following.
The AP generates a corresponding association key identifier from each locally stored association key together with the address information and BSSID carried in the association request. The AP generates each association key identifier in the same way as the STA generates its association key identifier.
Then, the AP determines whether an association key identifier identical to the one carried in the association request exists among the generated association key identifiers.
If so, the matching is determined to be successful; otherwise, the matching is determined to have failed.
In another preferred embodiment of the present invention, the association request also carries address information (for example, a MAC address) of the STA and the BSSID, and the association key identifier is generated by the STA according to an association key distributed when the STA associated with a previously associated AP, the address information of the STA, and the BSSID. The difference from the above embodiment is that the AP locally stores the address information and BSSID corresponding to each association key. In the matching process, the AP generates a corresponding association key identifier from each locally stored association key and the address information and BSSID corresponding to that association key. The AP generates the association key identifier in the same way as the STA generates its association key identifier. The AP then compares the generated association key identifiers one by one with the association key identifier carried in the association request; if none of the generated association key identifiers is the same as the one carried in the association request, the matching is directly determined to have failed.
If one of the generated association key identifiers is the same as the association key identifier corresponding to the STA, the AP further compares the locally stored address information and BSSID corresponding to that association key identifier with the address information and BSSID carried in the association request. If both are the same, the matching is determined to be successful; if either the address information or the BSSID differs, the matching is determined to have failed.
It should be noted that, in the embodiment of the present invention, the matching process that another AP performs after receiving the matching request, in which it matches the association key identifier with the association keys it stores locally, is the same as the matching process performed by the AP.
In addition, in step 104, the AP may send the matching request carrying the association key identifier directly to another AP through a communication channel pre-established with that AP. The matching request carrying the association key identifier may also be sent to the other APs via the AC; that is, the AP first sends the matching request carrying the association key identifier to the AC to which the AP belongs, and the AC then forwards the matching request to the other APs.
The wireless roaming method of the invention can be applied to the scenario in which the STA roams from one AP to another AP and also to the scenario in which the STA accesses the AP again. In order to better understand the wireless roaming method of the present invention, an embodiment in which an STA roams from one AP to another AP is described in detail below. It should be noted that the steps in the embodiment in which the STA disconnects from the AP and then accesses the AP again are the same as those in the present embodiment, and are not described herein again.
Referring to fig. 2, a network connection diagram of an embodiment of the present invention is shown. In fig. 2:
The AC is communicatively coupled to AP1-AP4, and the AC manages AP1-AP4.
In one embodiment of the invention, a communication channel is established between each pair of AP1-AP4 to exchange messages. Specifically, the channel establishment process between APs requires mutual identity authentication, and a communication channel can be established between the APs only if the identity authentication succeeds. Taking the channel establishment process between AP1 and AP2 as an example, the communication channel is established as follows: AP1 sends an identity authentication request to AP2; AP2 responds to the identity authentication request and returns an identity authentication response to AP1; AP1 receives the authentication response and determines that the identity authentication with AP2 is successful; AP1 then establishes a communication channel with AP2.
In another embodiment of the present invention, the AP1-AP4 may also communicate messages through the AC, such as: when the AP1 needs to send a message to other APs, the message to be sent may be sent to the AC and then forwarded to other APs through the AC.
In addition, in the invention, passwords can be negotiated among AP1-AP4 and used for encrypting and decrypting the information transmitted among AP1-AP4. AP1-AP4 may negotiate a password over the channels established with each other, or may relay the password negotiation through the AC.
Assume that the STA performs wireless authentication (e.g., 802.1X authentication) on the AP1 side for the first time, obtains an association key (PMK1) distributed by the authentication server after the authentication succeeds, and associates with AP1 using PMK1.
In the present invention, both the STA side and the AP1 side store PMK1.
The STA may calculate an association key identifier (PMK1ID) by a hash algorithm based on PMK1, or based on PMK1, the MAC address of the STA, and the BSSID of AP1, and store PMK1ID locally for subsequent use in roaming. AP1 may store only PMK1, or may store, in addition to PMK1, PMK1ID (calculated by AP1 based on PMK1, the MAC address of the STA and the BSSID of AP1, using the same algorithm as the STA side), the MAC address of the STA and the BSSID of AP1. In the latter case the stored contents may be kept in list form so that AP1 can subsequently assist the STA in fast roaming.
Assume that the STA moves for some reason from the wireless signal coverage of AP1 to the wireless signal coverage of AP2 and wants to roam quickly from AP1 to AP2; the STA then sends an association request carrying PMK1ID to AP2.
After receiving the association request, the AP2 detects the association request, finds that the association request carries PMK1ID, that is, carries an association key identifier, and determines that the STA is a roaming STA, in which case the AP2 matches the PMK1ID with an association key stored locally.
In one matching mode, the association request carries only PMK1ID. After detecting that the association request carries the association key identifier, AP2 may generate a corresponding association key identifier through a hash algorithm from each of the locally stored association keys; it then determines whether PMK1ID is present among the generated association key identifiers. If yes, the matching is determined to be successful; if no, the matching is determined to have failed. In this matching mode, if the STA has only associated with AP1, the matching result at AP2 is a matching failure; if the STA went offline at AP1 and has gone offline and online at AP2 using PMK1, the matching result is a successful match.
In another matching mode, the association request carries the MAC address of the STA and the BSSID of AP1 in addition to PMK1ID. After AP2 detects that the association request carries an association key identifier, AP2 generates a corresponding association key identifier through a hash algorithm from each locally stored association key together with the MAC address and BSSID carried in the association request; it then determines whether PMK1ID is present among the generated association key identifiers. If yes, the matching is determined to be successful; if no, the matching is determined to have failed. In this matching mode, if the STA has only associated with AP1, the matching result at AP2 is a matching failure; if the STA went offline at AP1 and has gone offline and online at AP2 using PMK1, the matching result is a successful match.
In yet another matching mode, the association request carries the MAC address of the STA and the BSSID of AP1 in addition to PMK1ID. After detecting that the association request carries an association key identifier, AP2 determines whether PMK1ID exists among the association key identifiers corresponding to the locally stored association keys, where the association key identifier corresponding to each association key is generated by AP2 through a hash algorithm from that association key, the MAC address of the STA corresponding to that association key, and the corresponding BSSID. AP2 may generate these identifiers in advance and store them locally, or may generate them after receiving the association request.
If the determination is no, the matching is determined to have failed; taking the case where the STA has only associated with AP1 as an example, the matching result at AP2 is a matching failure. If the determination is yes, AP2 goes on to compare the locally stored MAC address and BSSID corresponding to PMK1ID with the MAC address and BSSID carried in the association request, one by one. If they are all the same, the matching is determined to be successful; taking the case where the STA went offline at AP1 and has gone offline and online at AP2 using PMK1 as an example, the matching result is a successful match. If at least one of them differs, the matching is determined to have failed, which may occur if the STA is attacked. This matching mode can improve the security of wireless access.
Regardless of the matching mode, when the matching result is a successful match, the STA is allowed to perform fast roaming. That is, the STA achieves fast association with AP2 using PMK1.
When the matching result is a matching failure, AP2 sends matching requests carrying PMK1ID to AP1, AP3 and AP4, respectively. The matching request is encrypted by AP2 using the negotiated password, and AP2 may transmit the matching request over a communication channel established in advance, or relay the matching request through the AC.
After AP1, AP3 and AP4 receive the matching request, each of them matches PMK1ID against its locally stored association keys in the same matching mode as AP2.
Taking the case where the STA has only associated with AP1 as an example, AP2 subsequently receives the matching success response sent by AP1 within a certain time period. In this case, AP2 may decrypt the matching success response to obtain PMK1 and allow the STA to perform fast roaming; that is, the STA may use PMK1 to quickly associate with AP2.
If for some reason (e.g., failure of AP1) AP2 does not receive a matching success response within a certain period of time (which may be set according to practical or empirical values), it rejects the association request of the STA and notifies the STA to perform wireless authentication again.
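The AP-side decision flow of steps 101 to 105, using the third matching mode (identifier comparison followed by comparison of the stored MAC address and BSSID), can be sketched as follows. This is an added example, not code from the original description. It assumes the identifier is derived as HMAC-SHA1-128(PMK, "PMK Name" || BSSID || STA MAC), the PMKID construction of IEEE 802.11, whereas the text only specifies "a hash algorithm"; the class and function names, the simulated peer latency, and all sample values are hypothetical, and the encryption of inter-AP messages is omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def pmkid(pmk: bytes, bssid: bytes, sta_mac: bytes) -> bytes:
    # Assumed derivation (the description only says "a hash algorithm"):
    # HMAC-SHA1-128(PMK, "PMK Name" || BSSID || STA MAC), as in IEEE 802.11.
    return hmac.new(pmk, b"PMK Name" + bssid + sta_mac, hashlib.sha1).digest()[:16]


@dataclass(frozen=True)
class CacheEntry:
    pmk: bytes
    sta_mac: bytes
    bssid: bytes  # BSSID of the AP on which the PMK was distributed


@dataclass(frozen=True)
class AssocRequest:
    sta_mac: bytes
    bssid: Optional[bytes] = None   # BSSID used when the identifier was generated
    key_id: Optional[bytes] = None  # association key identifier (PMKID), if any


class AccessPoint:
    def __init__(self, name: str, bssid: bytes, latency: float = 0.01):
        self.name, self.bssid = name, bssid
        self.latency = latency  # simulated time to answer a matching request
        self.cache = []         # CacheEntry items: keys distributed on this AP
        self.peers = []         # other APs managed by the same AC

    def store(self, pmk: bytes, sta_mac: bytes) -> None:
        """Record a PMK after the STA completes wireless authentication here."""
        self.cache.append(CacheEntry(pmk, sta_mac, self.bssid))

    def match_local(self, req: AssocRequest) -> Optional[bytes]:
        """Compare identifiers first, then stored vs. carried MAC and BSSID."""
        for entry in self.cache:
            candidate = pmkid(entry.pmk, entry.bssid, entry.sta_mac)
            if not hmac.compare_digest(candidate, req.key_id):
                continue
            if entry.sta_mac == req.sta_mac and entry.bssid == req.bssid:
                return entry.pmk
            return None  # identifier matched, but MAC or BSSID did not
        return None

    def query_peers(self, req: AssocRequest, timeout: float) -> Optional[bytes]:
        """Steps 104/105: ask the other APs; drop answers later than timeout."""
        for peer in self.peers:
            if peer.latency > timeout:
                continue  # no matching success response within the preset time
            pmk = peer.match_local(req)
            if pmk is not None:
                return pmk
        return None

    def handle_association(self, req: AssocRequest, timeout: float = 0.5):
        if req.key_id is None:
            return ("full-authentication", None)  # first access, not roaming
        pmk = self.match_local(req)               # step 102
        if pmk is None:
            pmk = self.query_peers(req, timeout)  # steps 104 and 105
        if pmk is None:
            return ("re-authenticate", None)      # notify STA to authenticate again
        return ("fast-roaming", pmk)              # PMK for the four-way handshake


def build_network():
    """Constructed sample data: AP1-AP4 under one AC, one STA known to AP1."""
    aps = [AccessPoint(f"AP{i}", bytes([0x02, 0, 0, 0, 0, i])) for i in range(1, 5)]
    for ap in aps:
        ap.peers = [p for p in aps if p is not ap]
    sta_mac = bytes.fromhex("021122334455")
    pmk1 = hashlib.sha256(b"constructed PMK1").digest()
    aps[0].store(pmk1, sta_mac)  # STA authenticated on AP1 and received PMK1
    return aps, sta_mac, pmk1
```

With this data, an association request sent to AP2 that carries PMK1ID, the STA's MAC address and AP1's BSSID is resolved through AP1, while the same identifier presented with a different MAC address, or with AP1 answering later than the preset time, ends in re-authentication.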
In summary, in the technical solution of the embodiment of the present invention, the association keys are stored in a distributed manner across the APs managed by the same AC, so that when an AP detects that it has no local association key matching the association key identifier carried in the association request sent by the STA, it can obtain the association key from an AP with which the STA has associated, thereby greatly improving resource utilization and the fast roaming success rate, and effectively improving user experience.
On the basis of the above embodiment, the present invention further provides a wireless roaming device, which is applied to the AP.
Referring to fig. 3, a block diagram of a wireless roaming device according to an embodiment of the present invention is shown, which may specifically include the following modules:
A receiving module 31, configured to receive an association request sent by a terminal STA.
A matching module 32, configured to determine that the STA is a roaming STA when the association request carries an association key identifier, and match the association key identifier with the locally stored association keys, where the association key identifier is generated by the STA according to at least an association key distributed when the STA associated with a previously associated AP.
A first permission module 33, configured to allow the STA to perform fast roaming when the matching result of the matching module 32 is a successful match.
A sending module 34, configured to send a matching request carrying the association key identifier to the other APs managed by the access controller AC to which the AP belongs when the matching result of the matching module 32 is a matching failure, so that the other APs match the association key identifier with the association keys they store locally.
Optionally, in a preferred embodiment of the present invention, the sending module 34 may be further configured to:
send the matching request carrying the association key identifier to the other APs managed by the AC to which the AP belongs through communication channels established with the other APs; or
send the matching request carrying the association key identifier to the other APs managed by the AC to which the AP belongs through the AC.
With continued reference to fig. 3, the wireless roaming apparatus further includes a second permission module 35, configured to allow the STA to perform fast roaming when receiving a matching success response sent by another AP within a preset time.
Referring to fig. 4, in a preferred embodiment of the present invention, the wireless roaming apparatus further includes, on the basis of fig. 3:
A notifying module 36, configured to notify the STA to perform wireless authentication again when no matching success response sent by another AP is received within the preset time.
Referring to fig. 5, in a preferred embodiment of the present invention, the matching module 32 specifically includes, on the basis of fig. 3:
A first generating sub-module 51, configured to generate a corresponding association key identifier from each locally stored association key, where the AP generates each association key identifier in the same way as the STA generates its association key identifier.
A first determining sub-module 52, configured to determine whether the association key identifier carried in the association request exists among the generated association key identifiers; if so, the matching is determined to be successful, and if not, the matching is determined to have failed.
Referring to fig. 6, in a preferred embodiment of the present invention, the matching module 32 may further include, on the basis of fig. 3:
A second generating sub-module 61, configured to generate a corresponding association key identifier from each locally stored association key together with the address information of the STA and the BSSID carried in the association request, where the AP generates each association key identifier in the same way as the STA generates its association key identifier.
A second determining sub-module 62, configured to determine whether the generated association key identifiers include the association key identifier carried in the association request; if so, the matching is determined to be successful, and if not, the matching is determined to have failed.
Referring to fig. 7, in a preferred embodiment of the present invention, the matching module 32 may further include, on the basis of fig. 3:
A third determining sub-module 71, configured to determine whether the association key identifier carried in the association request exists among the association key identifiers corresponding to the locally stored association keys, and to determine that the matching fails when it does not, where the association key identifier corresponding to each association key is generated by the AP from that association key, the address information of the STA corresponding to that association key, and the BSSID, and the AP generates each association key identifier in the same way as the STA generates its association key identifier.
A comparison sub-module 74, configured to, when the determination result of the third determining sub-module 73 is yes, compare the locally stored association key, address information, and BSSID corresponding to the association key identifier with the address information and BSSID carried in the association request one by one. When all the comparison results are the same, the matching is determined to be successful; when at least one comparison result differs, the matching is determined to have failed.
In summary, the wireless roaming device in the embodiment of the present invention stores the association keys in a distributed manner across the APs managed by the same AC, so that when an AP detects that it has no local association key matching the association key identifier carried in the association request sent by the STA, it can obtain the association key from an AP with which the STA has associated, thereby greatly improving the resource utilization rate and the fast roaming success rate, and effectively improving the user experience.
Since the device embodiment is basically similar to the method embodiment, it is described relatively briefly; for the relevant points, refer to the corresponding description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The wireless roaming method and apparatus provided by the present invention have been described in detail above. Specific examples are used herein to illustrate the principles and embodiments of the present invention, and the above description of the embodiments is only intended to help in understanding the method and the core idea of the present invention. Meanwhile, for a person skilled in the art, there may be variations in the specific embodiments and the application scope according to the idea of the present invention. In summary, the content of the present specification should not be construed as a limitation on the present invention.