CN107295514A - A kind of data forwarding method, WAP and communication system - Google Patents

Info

Publication number: CN107295514A
Authority: CN (China)
Prior art keywords: forwarding, message, wireless terminal, wireless, certification
Legal status: Pending
Application number: CN201610225336.7A
Other languages: Chinese (zh)
Inventor: 王玲
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Application filed by ZTE Corp; priority to CN201610225336.7A; publication of CN107295514A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/02 Traffic management, e.g. flow control or congestion control
    • H04W 28/0268 Traffic management, e.g. flow control or congestion control, using specific QoS parameters for wireless networks, e.g. QoS class identifier [QCI] or guaranteed bit rate [GBR]
    • H04W 28/10 Flow control between communication endpoints
    • H04W 28/14 Flow control between communication endpoints using intermediate storage

Abstract

The invention discloses a data forwarding method, a wireless access point and a communication system. The access point first confirms whether a wireless terminal has been authenticated. If it has not, the management data packets sent by the terminal are reported to the wireless controller by centralized forwarding so that the terminal can be authenticated. If it has, the service data packets sent by the terminal are forwarded to the network by local forwarding. Access-user data is thus forwarded intelligently: management data packets are centrally forwarded before authentication, and service data packets are locally forwarded after it. This compensates for the weaknesses of the two forwarding modes and combines their strengths: system performance improves, the volume of data packets exchanged between the wireless controller and the access point drops sharply, the controller's load and performance requirements fall, forwarding efficiency rises, and network quality and user experience improve.

Description

Data forwarding method, wireless access point and communication system
Technical field
The present invention relates to the field of communication technology, and in particular to a data forwarding method, a wireless access point and a communication system.
Background technology
Since 2002, when the thin AP (Wireless Access Point) architecture became the new trend in the WLAN (Wireless Local Area Network) industry, AC (Wireless Access Point Controller, wireless controller) + AP networking has been the mainstream networking pattern in WLAN systems. The AC configures and manages all APs in the system uniformly and enforces policies such as user authentication, traffic statistics and forced log-off. In the thin AP architecture, packets between AP and AC are exchanged using the CAPWAP (Control and Provisioning of Wireless Access Points) protocol.
CAPWAP is a framework-type application-layer protocol that defines how control packets and data packets are exchanged between AC and AP; it specifies that AC and AP interact over UDP (User Datagram Protocol) in a C/S (client/server) model. CAPWAP packets are of two kinds, control packets and data packets. Control packets are mainly used for the procedures between AC and AP, such as link establishment, configuration delivery, keep-alive between AC and AP, terminal log-off and reporting of statistics. Data packets are mainly used to carry user data; the two most common modes in which an AP forwards user data are centralized forwarding and local forwarding.
The basic idea of local forwarding is to forward data through the bridge's MAC (Media Access Control) table. When the bridge receives a packet, it obtains the receiving port and the source MAC address and adds that mapping to the MAC table; it then looks up the MAC table with the packet's destination MAC address as the key, finds the forwarding entry for that MAC, obtains the packet's outgoing interface and sends the packet through that interface.
The basic idea of centralized forwarding is to wrap every user packet in an outer CAPWAP tunnel layer. Because the tunnel's destination IP (Internet Protocol) address is the AC's IP address, all packets are processed centrally by the AC: when a tunnel packet reaches the AC, the AC strips the outer tunnel encapsulation and then forwards the packet locally. The CAPWAP tunnel encapsulation order, from inner to outer, is: CAPWAP tunnel header, UDP header, IP header, Ethernet header.
Both forwarding modes have their own shortcomings. Local forwarding mainly has the following deficiencies:
1) Local forwarding has limited applicability. It is only suitable for authentication-free access or for modes in which the AP acts as the authentication point, such as WEP (Wired Equivalent Privacy), WPA/WPA2-PSK (Wi-Fi Protected Access) and 802.1X authentication; it does not apply to the currently widespread AC-centralized authentication modes such as portal (Internet portal) authentication and 802.1X;
2) Because all user data is forwarded locally through the AP, the AC finds it difficult to count user traffic accurately, which affects user charging.
Centralized forwarding mainly has the following deficiencies:
1) Both the AC side and the AP side must add a processing flow that encapsulates and decapsulates every data packet with the CAPWAP tunnel, which reduces packet forwarding efficiency to some extent;
2) The outer CAPWAP tunnel encapsulation enlarges each data packet, lowering the data transmission rate; and the packet length after tunnel encapsulation may exceed the MTU (Maximum Transmission Unit) of the transmission interface, causing packet fragmentation, which likewise reduces forwarding efficiency and affects system performance;
3) Because the AC must decapsulate the tunnel on every packet it receives and encapsulate the tunnel on every packet it sends to the AP, the AC's load grows as the number of associated users and the data volume increase. The AC must therefore be able to process large volumes of data quickly, otherwise problems such as packet loss easily occur and network quality suffers.
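As an added example that is not part of the patent, the following Python builds the centralized-forwarding encapsulation described above in the stated order (CAPWAP header, then UDP, IP and Ethernet) and makes the per-packet overhead and the MTU problem of deficiency 2) concrete: a full-size 1514-byte Ethernet frame no longer fits a 1500-byte uplink MTU once tunnelled and must be split into CAPWAP fragments. The AP/AC addresses and MACs are constructed values; 5247 is the CAPWAP data-channel UDP port and the header layout follows RFC 5415.

```python
import struct

# Header lengths of the layers the patent lists for a CAPWAP data tunnel (inner to outer):
CAPWAP_HDR_LEN = 8        # minimum CAPWAP header, RFC 5415 section 4.3 (no optional fields)
UDP_HDR_LEN = 8
IPV4_HDR_LEN = 20
ETH_HDR_LEN = 14
TUNNEL_OVERHEAD = CAPWAP_HDR_LEN + UDP_HDR_LEN + IPV4_HDR_LEN + ETH_HDR_LEN   # 50 bytes per packet
CAPWAP_DATA_PORT = 5247   # UDP port of the CAPWAP data channel (RFC 5415)

# Constructed sample addresses for the AP-to-AC hop (not from the patent).
AP_IP = bytes([10, 0, 0, 2])
AC_IP = bytes([10, 0, 0, 1])
AP_MAC = bytes.fromhex("02aabbccdd01")
NEXT_HOP_MAC = bytes.fromhex("02aabbccdd02")


def capwap_header(frag_id=0, frag_offset=0, is_fragment=False, last_frag=True, wbid=1):
    """Build the 8-byte CAPWAP header:
       preamble | HLEN(5) RID(5) WBID(5) T F L W M K flags(3) | Frag ID(16) | Frag Offset(13) Rsvd(3).
       T=0 marks the payload as a native IEEE 802.3 frame; WBID=1 is IEEE 802.11."""
    preamble = 0x00                 # version 0, type 0: plain CAPWAP header (no DTLS)
    hlen = CAPWAP_HDR_LEN // 4      # header length in 4-byte words
    rid = 1                         # radio ID
    f_bit = 1 if is_fragment else 0
    l_bit = 1 if (is_fragment and last_frag) else 0
    bits24 = (hlen << 19) | (rid << 14) | (wbid << 9) | (f_bit << 7) | (l_bit << 6)
    return bytes([preamble]) + bits24.to_bytes(3, "big") + struct.pack("!HH", frag_id, frag_offset << 3)


def parse_capwap_header(buf):
    """Decode the fields the fragmentation logic cares about."""
    bits24 = int.from_bytes(buf[1:4], "big")
    frag_id, off_rsvd = struct.unpack("!HH", buf[4:8])
    return {"hlen": bits24 >> 19, "wbid": (bits24 >> 9) & 0x1F,
            "F": (bits24 >> 7) & 1, "L": (bits24 >> 6) & 1,
            "frag_id": frag_id, "frag_offset": off_rsvd >> 3}


def ipv4_checksum(hdr):
    """One's-complement sum over the IPv4 header; yields 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def wrap_outer(capwap_packet):
    """Add UDP, IPv4 and Ethernet headers around one CAPWAP packet, giving the
       Ethernet / IP / UDP / CAPWAP / payload layout that the AC decapsulates."""
    udp_len = UDP_HDR_LEN + len(capwap_packet)
    udp = struct.pack("!HHHH", CAPWAP_DATA_PORT, CAPWAP_DATA_PORT, udp_len, 0)  # checksum 0 = none (IPv4 allows it)
    total_len = IPV4_HDR_LEN + udp_len
    # DF set (0x4000): an oversized datagram is fragmented at the CAPWAP layer, not by IP on the path.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 17, 0, AP_IP, AC_IP)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = NEXT_HOP_MAC + AP_MAC + b"\x08\x00"
    return eth + ip + udp + capwap_packet


def tunnel_to_ac(frame, mtu=1500, frag_id=1):
    """Centralized forwarding of one 802.3 frame: returns the outer Ethernet frames sent to the AC.
       When the outer IPv4 datagram would exceed the uplink MTU, the inner frame is split into
       CAPWAP fragments (F bit set, L bit on the last one, Frag Offset counted in 8-byte blocks)."""
    room = mtu - IPV4_HDR_LEN - UDP_HDR_LEN - CAPWAP_HDR_LEN      # inner bytes that fit one datagram
    if len(frame) <= room:
        return [wrap_outer(capwap_header() + frame)]
    chunk = room // 8 * 8
    outer = []
    for off in range(0, len(frame), chunk):
        piece = frame[off:off + chunk]
        hdr = capwap_header(frag_id=frag_id, frag_offset=off // 8,
                            is_fragment=True, last_frag=off + chunk >= len(frame))
        outer.append(wrap_outer(hdr + piece))
    return outer


def ip_total_length(outer_frame):
    """Total Length field of the outer IPv4 header (the value compared against the MTU)."""
    return struct.unpack("!H", outer_frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]


def inner_capwap(outer_frame):
    """Parsed CAPWAP header of an outer frame (the AC-side decapsulation view)."""
    start = ETH_HDR_LEN + IPV4_HDR_LEN + UDP_HDR_LEN
    return parse_capwap_header(outer_frame[start:start + CAPWAP_HDR_LEN])


if __name__ == "__main__":
    # Constructed inner frames: a short one and a full-size 1514-byte Ethernet frame.
    for inner in (bytes(100), bytes(1514)):
        pkts = tunnel_to_ac(inner)
        print(len(inner), "byte frame ->", len(pkts), "tunnel packet(s), outer IP lengths",
              [ip_total_length(p) for p in pkts])
```

On a 1500-byte MTU, 1464 bytes of inner frame fit per datagram, so every full-size user frame costs the AC two decapsulations plus reassembly, which is the load the background text describes.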
Summary of the invention
The main technical problem the present invention solves is to provide a data forwarding method, a wireless access point and a communication system that address the following problems of user data forwarding: the load on the wireless controller is excessive, which reduces data forwarding efficiency and network quality, and it is also inconvenient to manage and control user data centrally, so that user traffic cannot be counted accurately.
To solve the above technical problems, the present invention provides a data forwarding method, comprising:
confirming whether a wireless terminal has been authenticated; if the wireless terminal has not been authenticated, reporting the management data packets sent by the wireless terminal to a wireless controller by centralized forwarding for authentication; and if the wireless terminal has been authenticated, forwarding the service data packets sent by the wireless terminal to the network by local forwarding.
In an embodiment of the present invention, after confirming whether the wireless terminal has been authenticated, the method further comprises: if the wireless terminal has not been authenticated, forwarding the preset service data packets sent by the wireless terminal to the network by local forwarding.
In an embodiment of the present invention, after reporting the management data packets sent by the wireless terminal to the wireless controller by centralized forwarding for authentication, the method further comprises: if the wireless terminal has been authenticated, counting parameter information of the wireless terminal and reporting it to the wireless controller.
In an embodiment of the present invention, after reporting the management data packets sent by the wireless terminal to the wireless controller by centralized forwarding for authentication, the method further comprises: if the wireless terminal has been authenticated, obtaining the Internet Protocol address of the wireless terminal from a local DHCP (Dynamic Host Configuration Protocol) server and sending that Internet Protocol address to the wireless controller.
In an embodiment of the present invention, the management data packets include at least one of: Hypertext Transfer Protocol data packets, Hypertext Transfer Protocol over Secure Socket Layer data packets, and Extensible Authentication Protocol data packets.
In an embodiment of the present invention, the authentication modes of the wireless terminal include at least portal authentication and EAP authentication.
Further, the present invention provides a wireless access point, comprising: a processing module for confirming whether a wireless terminal has been authenticated; an authentication module for reporting, if the wireless terminal has not been authenticated, the management data packets sent by the wireless terminal to a wireless controller by centralized forwarding for authentication; and a second forwarding module for forwarding, if the wireless terminal has been authenticated, the service data packets sent by the wireless terminal to the network by local forwarding.
In an embodiment of the present invention, the access point further comprises a first forwarding module for forwarding, after the processing module has confirmed whether the wireless terminal is authenticated and if it is not, the preset service data packets sent by the wireless terminal to the network by local forwarding.
In an embodiment of the present invention, the management data packets include at least one of: Hypertext Transfer Protocol data packets, Hypertext Transfer Protocol over Secure Socket Layer data packets, and Extensible Authentication Protocol data packets.
Further, the present invention provides a communication system comprising a wireless controller, an authentication server and a wireless access point as described above. The wireless access point registers with the wireless controller and goes online; the wireless controller delivers configuration information to the wireless access point; the wireless access point starts a wireless service according to the configuration information and allows a wireless terminal to associate with the wireless service; the wireless access point receives the management data packets sent by the wireless terminal and forwards them to the wireless controller; and the wireless controller authenticates the management data packets through the authentication server and delivers the authentication result to the wireless access point.
The beneficial effects of the invention are as follows:
The invention provides a data forwarding method comprising: confirming whether a wireless terminal has been authenticated; if it has not, reporting the management data packets it sends to the wireless controller by centralized forwarding for authentication; and if it has, forwarding the service data packets it sends to the network by local forwarding. Access-user data is thus forwarded intelligently: management data packets are centrally forwarded before authentication and service data packets are locally forwarded after it. This compensates for the weaknesses of the two forwarding modes and combines their strengths: system performance improves, the volume of data packets exchanged between the wireless controller and the wireless access point drops sharply, the controller's load and performance requirements fall, forwarding efficiency rises, and network quality and user experience improve.
In addition, the present invention provides a wireless access point that decides which data forwarding mode to use based on the authentication state of the wireless terminal. Its development cycle is short and its implementation simple: forwarding rules need only be set on the access point side, namely that management data packets are centrally forwarded to the wireless controller before the wireless terminal is authenticated, and service data packets are locally forwarded to the network after it is authenticated.
Brief description of the drawings
Fig. 1 is a flow chart of the data forwarding method provided by embodiment one of the present invention;
Fig. 2 is a flow chart of a STA associating with an AP wireless service, provided by embodiment one;
Fig. 3 is a schematic diagram of the wireless access point provided by embodiment two;
Fig. 4 is a schematic diagram of the communication system provided by embodiment two;
Fig. 5 is a schematic diagram of data interaction in the intelligent forwarding mode under the thin AP architecture, provided by embodiment two;
Fig. 6 is a flow chart of portal authentication under the thin AP architecture, provided by embodiment three;
Fig. 7 is a flow chart of PEAP authentication under the thin AP architecture, provided by embodiment four.
Embodiments
The present invention is described in further detail below through embodiments with reference to the accompanying drawings.
Embodiment one
This embodiment provides a data forwarding method; referring to Fig. 1, its specific process steps are as follows:
S101: confirm whether the STA (station, wireless terminal) has been authenticated; if not, perform step S102; if so, perform step S103;
S102: report the management data packets sent by the STA to the AC by centralized forwarding for authentication;
S103: forward the service data packets sent by the STA to the network by local forwarding.
Through these steps, whether the STA has been authenticated becomes the criterion for choosing centralized or local forwarding, so data packets are forwarded intelligently; this effectively relieves the AC's load, lowers the performance requirements on the AC, and thereby improves data forwarding efficiency and network quality. It also reduces the restrictions on applicability, so more authentication modes can be used. Meanwhile, the AP packages statistics (such as user traffic) into CAPWAP control packets and reports them to the AC, so the AC can still count parameter information accurately and user charging is not affected. Parameter information includes but is not limited to time-based charging, traffic-based charging and user online/offline statistics.
It should be understood that after step S102 has been performed, if the STA passes authentication, step S103 is performed directly; if the STA does not pass, S102 continues to be executed until authentication passes and S103 is performed, or until the STA terminates authentication.
The data packets mentioned above include but are not limited to management data packets and service data packets, which are explained in turn below. Management data packets include at least one of: HTTP (Hypertext Transfer Protocol) data packets, HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) data packets and EAP (Extensible Authentication Protocol) data packets. They are mainly used to authenticate the STA's identity. After the STA has passed authentication, the AP may still centrally forward management data packets: if the STA is knocked offline after authentication because of poor network conditions, a network fault or a similar cause, the AP again centrally forwards its management data packets to the AC for re-authentication, so that the STA can access the network normally or can conveniently reach local information provided by the authentication server (such as local video or advertisements). Service data packets are mainly used to carry the STA's data; through this data transmission the STA accesses the network, which can be understood as going online. Some service data packets serve to help users remember IP (Internet Protocol) addresses or to assign IP addresses dynamically, such as ARP (Address Resolution Protocol) data packets, DNS (Domain Name Service) data packets and DHCP (Dynamic Host Configuration Protocol) data packets. The management and service data packets above serve only to explain this embodiment and do not limit the invention; other management and service data packets based on the scheme of the invention also fall within its scope of protection.
Before step S101, that is, before confirming whether the STA has been authenticated, there is also the process of the STA associating with the AP's wireless service, which determines whether the STA can access the AP normally. Referring to Fig. 2, the detailed process is as follows:
S201: the AP registers with the AC and goes online following the CAPWAP protocol;
Specifically, the AP first obtains an IP address, which may be static or dynamic; it then discovers the required AC and establishes a CAPWAP tunnel with it. The AP sends a join request to the AC; the AC decides from the request whether to admit the AP and delivers the decision to the AP. After the AP is admitted, keepalive (keep-alive) packets and echo packets check the connectivity of the data tunnel and the control tunnel between AC and AP: keepalive packets indicate that the data tunnel has been established, and the appearance of echo packets indicates that the control tunnel has been established. At this point the AP has successfully registered with the AC and gone online in accordance with the CAPWAP protocol.
S202: the AC delivers configuration information to the AP;
Specifically, once the CAPWAP tunnel between AC and AP has been established, configuration information is delivered to the AP, and the AP runs the WLAN service according to it. The configuration information comprises global configuration, radio-frequency configuration, service configuration and user access control configuration. The global configuration includes the periodic traffic statistics switch and the reporting period. The service configuration is used to add a wireless service whose forwarding mode is intelligent local forwarding, and also sets IP ACL (Access Control List) rules in the service configuration; these rules specify that packets whose destination IP is the portal server's IP address are centrally forwarded to the AC, so that data sent to the portal server is also centrally processed by the AC. The user access control configuration controls the STA's access to the wireless service; see the detailed description under S204 below.
S203: the AP starts the wireless service according to the configuration information delivered by the AC;
Specifically, the rules set in the service configuration, that is the IP ACL rules, are applied on the AP, and packets sent to the portal server are centrally forwarded to the AC for centralized processing.
S204: the STA associates with the wireless service;
Specifically, the STA may be a laptop, a mobile phone or any other STA able to associate with a wireless service, and the scheme protected by the present invention applies to all of them. When the STA associates with the wireless service, the AP confirms, according to the user access control configuration delivered by the AC, whether the STA may associate. If it may, network access proceeds; if it may not, network access is refused. Besides the original system configuration, the user access control configuration adds the configuration information that intelligent forwarding needs, such as the user's authentication state (configured as unauthenticated at the moment of association) and the user's virtual IP address (allocated by the AC for the user and delivered in the portal authentication mode). For the portal authentication mode, refer to the analysis in embodiment three; this embodiment does not elaborate on it.
Further, after the STA has associated with the AP's wireless service but has not yet been authenticated, the AP, according to the user access control configuration delivered by the AC, rewrites the source IP address of the STA's management data packets to the virtual IP address the AC allocated for it, so as to establish communication between AC and AP. Meanwhile, the AP configures ebtables forwarding rules for management data packets and service data packets: management data packets are centrally forwarded to the AC, preset service data packets are locally forwarded to the network, and other, non-preset service data packets are dropped, that is, not forwarded. Preset service data packets are the data packets configured in advance as locally forwardable for the STA, including but not limited to ARP (Address Resolution Protocol) packets, DNS (Domain Name Service) packets and DHCP (Dynamic Host Configuration Protocol) packets; other service data packets based on the inventive concept are equally applicable to this embodiment and also fall within the scope of protection of the invention. Through the ebtables forwarding rules, the default management data packets sent by an unauthenticated user are reported to the AC by centralized forwarding for authentication, and the non-preset service data packets of an unauthenticated user are dropped; such non-preset service data packets can be regarded as invalid data packets without the right to access the network, so they are discarded directly. These ebtables forwarding rules reduce the AC's data processing load and improve forwarding efficiency, and also prevent unauthenticated users from reaching the Internet in a way that would leave the AC unable to count user traffic. The ebtables forwarding rules can be understood as a data forwarding rule set on the AP: data that matches the rule is forwarded normally and data that does not is refused, which improves data forwarding efficiency and realizes intelligent forwarding of data.
Further, in step S101 the AP reports the STA's online information to the AC in a CAPWAP control packet and interacts with the AC to determine whether the STA has been authenticated.
Further, in step S102 the overall authentication process for the STA is as follows:
The STA sends authentication information to the AP, and the AP reports it to the AC; the AC verifies from the authentication information whether the STA passes authentication and delivers the result to the AP, which forwards it to the STA. If the STA passes, it accesses the Internet normally; if it does not, it authenticates again, repeating the process above. The authentication information is carried in management data packets, which are reported by centralized forwarding.
The STA's authentication modes include but are not limited to portal authentication and PEAP authentication; other authentication modes based on the scheme of the invention apply equally. The difference between the two is that portal authentication first obtains an IP address and then authenticates, whereas PEAP authentication first authenticates and then obtains an IP address. The overall portal and PEAP authentication processes are as follows:
In portal authentication, the STA first obtains an IP address from the local DHCP server and then sends an HTTP request to the Internet; the AC forces a portal authentication page to pop up on the STA; the STA fills in authentication information such as user name and password on the portal page, which sends it to the AC; the AC forwards the authentication information to the RADIUS server, which authenticates it and sends the result to the AC; the AC notifies the portal server and the AP of the result; finally the portal server pushes the result to the STA so that the STA can confirm whether authentication succeeded.
In PEAP authentication, the STA sends an EAP packet (containing the user name, password and similar information) to the AP; the AP encapsulates the EAP packet in a tunnel packet and sends it to the AC; the AC parses the tunnel packet to obtain the EAP packet, converts it into a RADIUS packet and sends it to the RADIUS server for authentication; the RADIUS server sends the result to the AC; the AC converts the RADIUS packet containing the result back into an EAP packet, encapsulates it in a tunnel packet and delivers it to the AP; the AP parses the tunnel packet to obtain the EAP packet and sends it to the STA so that the STA can confirm whether it passed authentication.
Note that this embodiment explains the invention with the two authentication modes portal and PEAP, which do not limit the invention. For these two modes refer to embodiments three and four, which are not detailed here; embodiment three concerns portal authentication and embodiment four concerns PEAP authentication.
Further, in step S103, after the STA has passed authentication, the AP sets ebtables/iptables forwarding rules for the authenticated STA's management and service data packets: the STA's service data packets are forwarded to the Internet by local forwarding, management data packets are reported to the AC by centralized forwarding, and iptables rules on the forwarding chain start counting user traffic. This can be understood as another data forwarding rule set on the AP: only when the rule is satisfied does forwarding proceed normally, otherwise forwarding is refused, so that intelligent forwarding of data is realized.
Specifically, ebtables rules are Ethernet bridge firewall rules; the Ethernet bridge works at the data link layer, and ebtables filters and forwards data link layer packets. Iptables rules work at the network layer and are mainly used to count user traffic. Service data packets whose source MAC address is the STA's MAC address are forwarded to the Internet by local forwarding. The management data packets referred to above are EAP management data packets and management data packets matching the IP ACL rules; the purpose of continuing to centrally forward them to the AC after authentication is to make it easy to reach local information provided by the authentication server (such as local video and advertisements).
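As an added example that is not the patent's own code, the following Python models the AP-side rule set from both stages described above: the pre-authentication ebtables rules (management packets tunnelled to the AC with the virtual IP substituted as source, ARP/DNS/DHCP bridged locally, everything else dropped) and the post-authentication rules (service traffic bridged locally and counted iptables-style, EAP and IP ACL matches still tunnelled), together with the online, IP-address and traffic reports the AP sends to the AC. The portal server address, port sets, MACs and IPs are constructed values.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    LOCAL = "local forwarding via the bridge MAC table"
    TUNNEL = "centralized forwarding through the CAPWAP data tunnel to the AC"
    DROP = "drop"


# Constructed sample values; a real AP receives these in the AC's service / access-control configuration.
PORTAL_SERVER_IP = "192.0.2.10"      # IP ACL rule: destination = portal server -> centralized forwarding
HTTP_PORTS = {80, 443}               # HTTP / HTTPS management packets
PRESET_UDP_PORTS = {53, 67, 68}      # DNS and DHCP: preset service packets allowed locally before auth


@dataclass
class Packet:
    src_mac: str
    ethertype: str          # "ipv4", "arp" or "eapol"
    proto: str = ""         # "tcp" / "udp" when ethertype is "ipv4"
    dport: int = 0
    dst_ip: str = ""
    length: int = 0


@dataclass
class StaState:
    authenticated: bool = False
    virtual_ip: str = ""    # AC-assigned address written into pre-auth management packets as source IP
    real_ip: str = ""       # address obtained from the local DHCP server after authentication
    tx_bytes: int = 0       # iptables-style counter on the local forwarding chain


def is_management(pkt):
    """HTTP, HTTPS and EAP carry the authentication exchange."""
    return pkt.ethertype == "eapol" or (
        pkt.ethertype == "ipv4" and pkt.proto == "tcp" and pkt.dport in HTTP_PORTS)


def is_preset_service(pkt):
    """ARP, DNS and DHCP must work before authentication so the STA can obtain and resolve addresses."""
    return pkt.ethertype == "arp" or (
        pkt.ethertype == "ipv4" and pkt.proto == "udp" and pkt.dport in PRESET_UDP_PORTS)


def matches_ip_acl(pkt):
    return pkt.ethertype == "ipv4" and pkt.dst_ip == PORTAL_SERVER_IP


class AccessPoint:
    def __init__(self):
        self.stas = {}
        self.control_msgs = []   # CAPWAP control messages the AP would send to the AC (simulated)

    def associate(self, mac, virtual_ip):
        """STA associated with the wireless service: its state starts as unauthenticated."""
        self.stas[mac] = StaState(virtual_ip=virtual_ip)
        self.control_msgs.append(("sta_online", mac))

    def auth_result(self, mac, passed, real_ip=""):
        """Result delivered by the AC. On success the STA's real (DHCP) address is reported
           so the AC can hand it to the next AP when the STA roams."""
        sta = self.stas[mac]
        sta.authenticated = passed
        if passed:
            sta.real_ip = real_ip
            self.control_msgs.append(("sta_ip", mac, real_ip))

    def decide(self, pkt):
        """Forwarding decision for one frame from a STA, returned as (Action, reason)."""
        sta = self.stas.get(pkt.src_mac)
        if sta is None:
            return Action.DROP, "unknown source MAC: STA not associated"
        if not sta.authenticated:                      # pre-authentication ebtables rule set
            if is_management(pkt):
                return Action.TUNNEL, "pre-auth management packet, source IP rewritten to " + sta.virtual_ip
            if is_preset_service(pkt):
                return Action.LOCAL, "preset service packet (ARP/DNS/DHCP)"
            return Action.DROP, "non-preset service packet from an unauthenticated STA"
        if pkt.ethertype == "eapol" or matches_ip_acl(pkt):   # post-auth: EAP and IP ACL hits still go to the AC
            return Action.TUNNEL, "post-auth management packet (EAP or IP ACL match)"
        sta.tx_bytes += pkt.length                     # iptables counting on the local forwarding chain
        return Action.LOCAL, "service packet bridged locally and counted for charging"

    def report_traffic(self):
        """Periodic traffic statistics, packaged as CAPWAP control messages for the AC."""
        reports = [("traffic", mac, sta.tx_bytes) for mac, sta in self.stas.items() if sta.authenticated]
        self.control_msgs.extend(reports)
        return reports


if __name__ == "__main__":
    ap = AccessPoint()
    ap.associate("02:00:00:00:00:01", "10.255.0.1")
    for p in (Packet("02:00:00:00:00:01", "ipv4", "udp", 53, "10.0.0.1", 80),
              Packet("02:00:00:00:00:01", "ipv4", "tcp", 80, "203.0.113.5", 500),
              Packet("02:00:00:00:00:01", "ipv4", "tcp", 8080, "203.0.113.5", 500)):
        print("pre-auth", p.proto, p.dport, "->", ap.decide(p))
    ap.auth_result("02:00:00:00:00:01", True, "10.0.0.23")
    print("post-auth tcp 8080 ->", ap.decide(Packet("02:00:00:00:00:01", "ipv4", "tcp", 8080, "203.0.113.5", 500)))
    print(ap.report_traffic())
```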
Further, after the STA is authenticated it obtains an IP address from the local DHCP server, and only then can it access the Internet. At the same time, the AP reports the STA's IP address to the AC, so that when the STA roams between APs the AC can deliver the STA's real IP address to the AP it roams to, allowing the STA to associate with that AP's wireless service.
Further, the AP can count the traffic of an authenticated STA and report it to the AC in the form of CAPWAP control packets to complete traffic-based charging. The AP may count the STA's traffic periodically and report it periodically, count it periodically and report it directly, or count and report it irregularly; any scheme in which the STA's traffic is counted and reported to the AC falls within the scope of protection of the invention.
Other STAs entering the WLAN system have their data forwarded intelligently in the same way as the STA above; a STA need only associate with the AP's wireless service and authenticate as described to access the Internet. Compared with existing WLAN systems, the invention introduces a new packet forwarding mode that resolves the shortcomings of both the local and the centralized forwarding mode and realizes intelligent forwarding of STA data: management data packets are centrally forwarded before authentication and service data packets are locally forwarded after it. The method provided by the invention reduces the number of packets that must be tunnel-encapsulated, relieves the load on AC and AP, lowers their performance pressure and improves data forwarding efficiency, thereby improving network quality and user experience; at the same time, the intelligent forwarding mode is not subject to significant restrictions in its scope of application.
Embodiment two
Referring to Fig. 3, a schematic diagram of the wireless access point provided by this embodiment, the wireless access point includes:
Processing module 301, configured to confirm whether the STA has been authenticated;
Authentication module 302, configured to, if the STA has not been authenticated, report the management data messages sent by the STA to the AC by centralized forwarding for authentication;
Second forwarding module 304, configured to, if the STA has been authenticated, forward the business data messages sent by the STA to the network by local forwarding.
Through the above steps, whether the STA is authenticated is taken as the criterion for choosing centralized or local forwarding, so that data messages are forwarded intelligently. This effectively lightens the AC load, reduces the performance requirements on the AC, and in turn improves data forwarding efficiency and network quality; in addition, it reduces the limitations on application and makes more authentication modes applicable. Meanwhile, the AP packages statistics (such as user traffic) into CAPWAP control messages and reports them to the AC, so that the AC can still collect parameter information accurately without affecting user charging. The parameter information includes, but is not limited to, time-based charging, traffic-based charging, and user online/offline statistics.
It should be understood that after the authentication module 302 reports the management data messages sent by the STA to the AC by centralized forwarding for authentication, if the STA passes authentication, the business data messages sent by the STA are forwarded directly to the network by local forwarding through the second forwarding module 304; if the STA fails authentication, the authentication module 302 continues to authenticate the STA until either authentication passes and the second forwarding module 304 forwards the business data messages locally, or the STA terminates authentication.
In addition, the above data messages include, but are not limited to, management data messages and business data messages, which are explained in turn below. A management data message includes at least one of the following: an HTTP (Hyper Text Transfer Protocol) data message, an HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) data message, or an EAP (Extensible Authentication Protocol) data message. Management data messages are mainly used to authenticate the identity of the STA. After the STA has passed authentication, the AP may still forward management data messages centrally. The reason is that poor network conditions, network failures and similar causes may make the STA go offline after it has been authenticated; the AP then forwards the management data messages centrally to the AC so that authentication is performed again, ensuring that the STA accesses the network normally, or so that the STA can easily reach local information provided by the authentication server (such as local video and advertisements). Business data messages are mainly used to transmit the STA's data; through the transmission of data, network access is carried out, which can be understood as surfing the Internet. Of course, some business data messages are used to help the user resolve IP (Internet Protocol) addresses or to allocate IP addresses dynamically, such as ARP (Address Resolution Protocol) data messages, DNS (Domain Name Service) data messages and DHCP (Dynamic Host Configuration Protocol) data messages. The above management data messages and business data messages are only used to explain this embodiment and are not used to limit the present invention; other management data messages and business data messages based on the scheme of the present invention also fall within the scope of protection of the present invention.
Further, the wireless access point also includes a first forwarding module 303, configured to, after the processing module 301 confirms whether the wireless terminal has been authenticated, forward the preset business data messages sent by the wireless terminal to the network by local forwarding if the wireless terminal has not been authenticated.
It should be noted that the order of the first forwarding module 303 and the authentication module 302 is not limited in this embodiment; the two may operate simultaneously or one after the other. In addition, the method in embodiment one above can be applied to the wireless access point provided in this embodiment, so some modules of the wireless access point are not described in detail in this embodiment; for details refer to the related description in embodiment one.
Further, referring to Fig. 4, this embodiment also provides a communication system, including an authentication server 41, a wireless controller 42 and the wireless access point 43 described above. The wireless access point 43 registers with and comes online on the wireless controller 42; the wireless controller 42 issues configuration information to the wireless access point 43; the wireless access point 43 starts a wireless service according to the configuration information and allows a wireless terminal to associate with the wireless service; the wireless access point 43 receives the management data messages sent by the wireless terminal and forwards them centrally to the wireless controller 42; the wireless controller 42 authenticates the management data messages through the authentication server 41 and issues the authentication result to the wireless access point 43. The wireless access point 43 includes a processing module 431, an authentication module 432 and a second forwarding module 433. In addition, the wireless access point 43 in this embodiment is equally applicable to the wireless access point of Fig. 3 described above (not shown in the figures), so this embodiment does not describe each module of the wireless access point 43 in detail.
Specifically, referring to Fig. 5, this embodiment takes the data interaction between two STAs under the same AC as an example to illustrate the data exchange process of the intelligent forwarding mode under a thin AP architecture.
Portal server: a portal website that pushes portal authentication pages to the associated users STA1 and STA2 that require portal authentication, and collects user authentication information. It reports the user authentication information to the AC through portal protocol interaction with the AC. After user authentication ends, the AC feeds the user authentication result back to it, and according to the result it pushes a corresponding authentication success or failure page to the users STA1 and STA2.
AC (wireless controller): responsible for the unified management of AP1 and AP2, including configuration issuing, user management, information statistics and so on. The AC configures the data forwarding mode of the AP1 and AP2 wireless services as intelligent local forwarding. During portal authentication it implements the forced portal for users, receives the authentication request initiated by the portal server, interacts with the authentication server, and completes the user authentication function. During PEAP authentication, it interacts with STA1 and STA2 through EAP messages, obtains user authentication information, interacts with the authentication server (AAA server), and completes the user authentication function. After authentication passes, the AC periodically reports the traffic statistics of terminals STA1 and STA2 to the AAA server to realize charging.
AAA server (3A authentication server): responsible for user authentication and charging. It interacts with the AC through the RADIUS protocol to complete the authentication and charging functions for the user: after authentication ends, it notifies the AC of the STA1/STA2 authentication results; the AC periodically reports the traffic statistics of terminals STA1 and STA2 to it, and it realizes charging for the two terminals. Meanwhile, it also receives the user online/offline requests from the AC, which trigger the start or end of the authentication and charging flows.
Router: operates at the network layer and has the function of connecting different types of networks; it connects the wide area network where the AC is located with the local area network where AP1/AP2 are located. According to the destination IP address it queries the routing cache and the routing table, selects a suitable forwarding path, and forwards the messages received on each port of the device. The device enables the DHCP Relay function and, through the VLAN (Virtual Local Area Network) division on the switch, ensures that the IP addresses of AP1 and AP2 are allocated by the AC. The CAPWAP control messages between the AC and AP1/AP2, and the tunnel messages of STA1 and STA2, are all routed and forwarded through this device.
Switch: connects AP1, AP2 and the local DHCP server in the local area network to form a LAN. It looks up the MAC table, finds the exit port corresponding to the destination MAC of the message, and sends the message out of that port, so as to forward messages between ports. Under the intelligent forwarding mode, this device mainly forwards the CAPWAP control messages between the AC and AP1/AP2 and the data messages between STA1 and STA2.
Local DHCP server: responsible for allocating IP addresses to local DHCP clients. When the DHCP messages of STA1 and STA2 are locally forwarded by AP1 and AP2 respectively and broadcast in the LAN, this device responds to the DHCP requests and allocates IP addresses to STA1 and STA2 respectively.
AP1 (wireless access point 1): the device registers with the AC, and the AC issues configuration (global configuration, radio frequency configuration and service configuration) and user access control to it; the terminal device STA1 can associate with the wireless service of this AP. The device reports STA1's online/offline information to the AC. It should be noted that AP2 (wireless access point 2) is similar to AP1 and is therefore not repeated here.
STA1 (wireless terminal 1): associates with the wireless service of AP1. Before authentication, all of the terminal's HTTP/HTTPS/EAP messages (management messages) are encapsulated by AP1 in an outer tunnel message and routed to the AC, which decapsulates them and then forwards them; before authentication, all of the terminal's ARP/DHCP/DNS messages (data messages) are locally forwarded by AP1, and the local DHCP server allocates an IP address to STA1. After authentication passes, messages sent to specific IP addresses (specified by the ACL configuration issued by the AC), such as the portal server address, and STA1's EAP messages are still forwarded centrally; all other messages are locally forwarded by AP1. Specifically, data sent to STA2 is locally forwarded by AP1, then forwarded through the switch to AP2, and finally AP2 locally forwards the data to STA2. It should be noted that STA2 (wireless terminal 2) is similar to STA1 and is therefore not repeated here.
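The forwarding decision that the ebtables/iptables description at the start of this section and the STA1 description just above attribute to the AP can be written down as a small classifier. The following Python is an added example written for this page; it is not code from the patent or from ZTE. It assumes that EAP arrives on the wire as EAPOL (EtherType 0x888E), that HTTP/HTTPS are recognised by TCP ports 80/443 and DHCP/DNS by UDP ports 67/68/53, that the portal server address is the ACL-specified IP issued by the AC, and that other pre-authentication business traffic is dropped as the Fig. 5 description states. The sample frames are constructed inline, not captured.

```python
import struct
from enum import Enum
from ipaddress import IPv4Address

ETH_IPV4, ETH_ARP, ETH_EAPOL = 0x0800, 0x0806, 0x888E  # EAP frames travel as EAPOL (802.1X)
IPPROTO_TCP, IPPROTO_UDP = 6, 17
HTTP_PORTS = {80, 443}            # HTTP/HTTPS: management messages before authentication
PRESET_UDP_PORTS = {53, 67, 68}   # DNS, DHCP: preset business messages, always local

class Verdict(Enum):
    CENTRAL = "tunnel to AC"   # centralized forwarding through the CAPWAP tunnel
    LOCAL = "forward locally"  # local forwarding by the AP
    DROP = "drop"

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet/IPv4/L4 header fields the forwarding decision needs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[0:6], "src_mac": frame[6:12], "ethertype": ethertype,
            "proto": None, "dst_ip": None, "dport": None}
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        info["proto"] = frame[23]                    # IPv4 protocol field
        info["dst_ip"] = IPv4Address(frame[30:34])   # IPv4 destination address
        l4 = 14 + ihl
        if info["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
            info["dport"] = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return info

def classify(frame: bytes, authenticated: bool, acl_central_ips: set) -> Verdict:
    """Intelligent forwarding policy: before authentication HTTP/HTTPS/EAP go to the AC,
    ARP/DHCP/DNS are forwarded locally and everything else is dropped; after authentication
    only EAP and traffic to the ACL-listed addresses (portal server) still go to the AC."""
    p = parse_frame(frame)
    if p["ethertype"] == ETH_EAPOL:
        return Verdict.CENTRAL
    if p["ethertype"] == ETH_ARP:
        return Verdict.LOCAL
    if p["ethertype"] != ETH_IPV4:
        return Verdict.LOCAL if authenticated else Verdict.DROP
    if p["proto"] == IPPROTO_UDP and p["dport"] in PRESET_UDP_PORTS:
        return Verdict.LOCAL
    if p["dst_ip"] in acl_central_ips:
        return Verdict.CENTRAL
    if authenticated:
        return Verdict.LOCAL
    if p["proto"] == IPPROTO_TCP and p["dport"] in HTTP_PORTS:
        return Verdict.CENTRAL   # the AC answers with the portal redirect
    return Verdict.DROP

def rewrite_eapol_dst(frame: bytes, ac_mac: bytes) -> bytes:
    """PEAP path: the AP rewrites the destination MAC of an EAPOL frame to the AC's MAC
    before tunnelling it; the rest of the frame is left untouched."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_EAPOL:
        raise ValueError("not an EAPOL frame")
    return ac_mac + frame[6:]

# --- constructed sample frames (not captured traffic); addresses are assumptions ---
STA_MAC = bytes.fromhex("021122334455")
GW_MAC = bytes.fromhex("02aabbccddee")
AC_MAC = bytes.fromhex("02ac0000ac00")
PORTAL_IP = IPv4Address("10.0.0.80")   # stands in for the ACL entry issued by the AC

def ipv4_frame(proto: int, dst_ip: IPv4Address, dport: int) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         IPv4Address("192.168.1.23").packed, dst_ip.packed)
    l4_hdr = struct.pack("!HH", 40000, dport) + b"\x00" * 4   # sport, dport, padding
    return GW_MAC + STA_MAC + struct.pack("!H", ETH_IPV4) + ip_hdr + l4_hdr

def eapol_frame() -> bytes:
    # EAPOL version 1, type 1 (EAPOL-Start), empty body, sent to the PAE group address
    return bytes.fromhex("0180c2000003") + STA_MAC + struct.pack("!H", ETH_EAPOL) + b"\x01\x01\x00\x00"

def arp_frame() -> bytes:
    return b"\xff" * 6 + STA_MAC + struct.pack("!H", ETH_ARP) + b"\x00" * 28

if __name__ == "__main__":
    ACL = {PORTAL_IP}
    samples = [("EAPOL", eapol_frame()), ("ARP", arp_frame()),
               ("DHCP", ipv4_frame(IPPROTO_UDP, IPv4Address("255.255.255.255"), 67)),
               ("HTTP to portal", ipv4_frame(IPPROTO_TCP, PORTAL_IP, 80)),
               ("HTTP elsewhere", ipv4_frame(IPPROTO_TCP, IPv4Address("93.184.216.34"), 80)),
               ("SSH", ipv4_frame(IPPROTO_TCP, IPv4Address("93.184.216.34"), 22))]
    for name, f in samples:
        pre, post = classify(f, False, ACL).name, classify(f, True, ACL).name
        print(f"{name:15} pre-auth={pre:8} post-auth={post}")
```

The point the table of verdicts makes is the one the patent argues: only the EAPOL frames and the portal-bound packets ever pay the tunnel cost after authentication, and a pre-authentication STA gets no path to anything but the AC and the local address-assignment services.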
In Fig. 5, CAPWAP control messages are exchanged between the AC and AP1, AP2. Among these management messages, request messages with the AC's IP address as source IP and AP1/AP2's IP address as destination IP are mainly used by the AC to issue a series of configuration information to AP1 and AP2, including global configuration, radio frequency configuration and service configuration; request messages with AP1/AP2's IP address as source IP and the AC's IP address as destination IP are mainly related to the AP1/AP2 registration flow and to the reporting of statistical information.
Before STA1 and STA2 carry out service communication, management messages are forwarded centrally to the AC via AP1/AP2, the switch and the router in turn. Specifically, taking STA1 as an example, before authentication all of STA1's management messages such as HTTP/HTTPS/EAP are encapsulated by AP1 into tunnel messages and routed to the AC. Under the portal authentication mode, the AC pushes the authentication page to STA1; after STA1 submits the user name and password, the message first reaches the AC, which decapsulates the tunnel message and forwards the message to the portal server. Messages exchanged between STA1 and the portal server need tunnel encapsulation and decapsulation on the AC and the AP. Under the PEAP authentication mode, AP1 rewrites the destination MAC of STA1's EAP messages to the AC's MAC, encapsulates them into tunnel messages and routes them to the AC; the AC decapsulates the tunnel messages, encapsulates the information in them into RADIUS messages and completes the interaction with the AAA server. The EAP messages exchanged between STA1 and the AC need tunnel encapsulation and decapsulation on the AC and AP1.
During service communication between STA1 and STA2, data messages are exchanged. Communication between terminals STA1 and STA2 does not pass through the AC; the messages between them are forwarded at the data link layer within the local area network. Specifically, before authentication passes, data sent by STA1 to STA2 and data sent by STA2 to STA1 are dropped; after authentication passes, data sent by STA1 to STA2 is locally forwarded by AP1, then forwarded through the switch to AP2, and finally AP2 locally forwards the data to STA2. Data forwarded from STA2 to STA1 is handled in the same way.
Embodiment three
As shown in Fig. 6, taking a single STA as an example, the message forwarding process of the intelligent forwarding mode under a thin AP architecture is illustrated for a terminal in the portal authentication mode.
The devices involved in the flow are first described briefly:
STA: wireless terminal device; after associating with the AP's wireless service it first performs portal authentication, and only after authentication passes can it access the Internet.
AP: receives the AC's configuration information and provides service for the STA.
Local DHCP server: the STA's DHCP messages are locally forwarded through the AP and reach the local DHCP server, which allocates an IP address to the STA.
AC: issues configuration information to the AP, forces the STA onto the pushed portal page, and interacts with the RADIUS and portal servers to complete user authentication.
Internet: wide area network, which the user can access only after authentication succeeds.
RADIUS: authentication server with authentication and charging functions; by interacting with the AC it completes authentication and charging for the user.
Portal server: portal website, which obtains the user's authentication information and reports it to the AC; after the AC notifies it that user authentication succeeded, it pushes the authentication success page.
The specific flow of STA portal authentication is as follows:
S601, the STA associates with the AP's wireless service;
S602, the AP reports the STA's online information to the AC, and the AC issues access control configuration information allowing this terminal to join;
The access control configuration information includes, besides the configuration allowing the user to join, information such as the user's authentication state and virtual IP address.
S603, the STA interacts with the local DHCP server and obtains an IP address;
S604, the STA accesses an arbitrary network address; the AP encapsulates the HTTP request message into a tunnel message and routes it to the AC;
S605, the AC responds with a redirection message, requiring the STA to access the portal authentication page;
S606, the STA accesses the authentication page and submits authentication information such as user name and password to the portal server;
S607, the portal server reports the STA's authentication information to the AC and requests the AC to authenticate the terminal;
S608, the AC interacts with RADIUS, and the RADIUS server authenticates the STA's identity;
S609, after authentication is completed, RADIUS notifies the AC of the authentication result;
S610, the AC notifies the portal server of the authentication result;
S611, the portal server pushes the authentication result page to the STA;
S612, if authentication succeeds, the STA sends data messages for accessing the Internet to the AP;
S613, the AP directly forwards the STA's data messages for accessing the Internet locally to the Internet, and locally forwards the received Internet response messages to the STA;
The purpose of the following two steps is to help RADIUS realize charging for the STA:
S614, the AP periodically reports the traffic of the authenticated user to the AC;
S615, the AC periodically reports the traffic of the authenticated user to RADIUS.
Embodiment four
As shown in Fig. 7, taking a single STA as an example, the message processing flow of the intelligent forwarding mode under a thin AP architecture is briefly described for a terminal in the PEAP authentication mode. Because the PEAP authentication flow follows the standard PEAP authentication protocol, this flow focuses only on the handling of message forwarding and does not describe the PEAP authentication flow in detail.
The devices involved in the flow are first described briefly:
STA: wireless terminal device; after associating with the AP's wireless service it first performs PEAP authentication; after authentication passes, it obtains an IP address from the local DHCP server and then accesses the Internet.
AP: receives the AC's configuration information, reports statistical information (traffic statistics, user online/offline statistics and so on) to the AC, and provides the wireless service for the STA.
DHCP server: the STA's DHCP messages are locally forwarded through the AP and reach the local DHCP server, which allocates an IP address to the STA.
AC: issues configuration information to the AP, acts as the authentication point for PEAP authentication, and interacts with RADIUS to complete user authentication.
Internet: wide area network, which the user can access only after authentication succeeds.
RADIUS: the device has authentication and charging functions; by interacting with the AC it completes authentication and charging for the user.
The specific flow of STA PEAP authentication is as follows:
S701, the STA associates with the AP's wireless service;
S702, the STA sends EAP-Start to the AC, requesting to start 802.1X authentication;
Specifically, the STA first sends the message to the AP; the AP encapsulates it into a tunnel message and sends it to the AC, which decapsulates the tunnel message.
S703, the STA exchanges data with the AC through the AP;
Specifically, the flows between the STA and the AC concerning user authentication information, encryption algorithm negotiation, certificate legitimacy verification, key agreement and so on use prior-art interaction flows and are therefore not described in detail in this embodiment. All EAP messages in the flow are encapsulated into tunnel messages: EAP messages sent by the STA to the AC are first encapsulated by the AP into tunnel messages and then sent to the AC; for EAP messages sent by the AC to the STA, the AC first converts the RADIUS message received from RADIUS into an EAP message, encapsulates it into a tunnel message and sends it to the AP, which decapsulates the tunnel message and finally delivers the EAP message to the STA.
S704, the AC exchanges data with RADIUS;
Specifically, the exchange of RADIUS messages between the AC and RADIUS concerning user authentication information, encryption algorithm negotiation, certificate legitimacy verification, key agreement and so on uses prior-art interaction flows and is therefore not described in detail in this embodiment. The AC decapsulates the EAP tunnel messages received from the STA, encapsulates them into RADIUS messages and sends them to RADIUS; at the same time it parses the RADIUS messages received from RADIUS, converts them into EAP messages, encapsulates them into tunnel messages and sends them to the AP.
S705, the AC sends the authentication result to the AP both as a tunnel message and as a CAPWAP control message; the AP decapsulates the tunnel message and sends it to the STA;
Specifically, when the AC sends the authentication result to the AP as a tunnel message, the AP simply forwards these tunnel messages without parsing their content, so the AP does not learn the STA's authentication result from them. Therefore, while sending the authentication result to the AP as a tunnel message, the AC also sends the STA's authentication result to the AP as a CAPWAP control message, to ensure that the AP knows the STA's authentication result.
S706, after authentication succeeds, the STA performs a DHCP exchange with the DHCP server and obtains an IP address;
Specifically, the STA sends DHCP messages to the AP, which locally forwards them directly to the DHCP server; the DHCP server's response to the STA's DHCP messages is sent to the AP, which locally forwards it to the STA.
S707, after authentication succeeds, the STA can carry out Internet services;
Messages sent by the STA to the Internet are locally forwarded directly to the Internet by the AP; messages sent from the Internet to the STA are likewise locally forwarded to the STA by the AP.
S708, the AP counts the STA's traffic;
Specifically, the AP periodically reports the STA's traffic statistics to the AC;
S709, the AC reports the traffic statistics of the authenticated user to RADIUS;
Specifically, the AC periodically reports the traffic statistics of the authenticated user to RADIUS, to realize charging for the STA.
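Steps S708/S709 above, S614/S615 in embodiment three and the AAA server description in embodiment two all end at the same point: the AC turns the AP's per-STA traffic counters into charging records for RADIUS. The page does not spell out the RADIUS side, so the following Python is an added example, not the patent's or ZTE's code. It builds an RFC 2866 Accounting-Request (Interim-Update) from a traffic report as the AC might hold it after receiving the AP's CAPWAP control message (the report is modelled as a plain dict; the real CAPWAP payload is not specified on the page), splits large counters into the Gigawords attributes, and checks the Request Authenticator the way a RADIUS server would. The shared secret, session identifier and counter values are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types used here (RFC 2865, RFC 2866, RFC 2869)
ACCOUNTING_REQUEST = 4
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Calling-Station-Id": 31,
        "Acct-Status-Type": 40, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
        "Acct-Session-Id": 44, "Acct-Session-Time": 46,
        "Acct-Input-Gigawords": 52, "Acct-Output-Gigawords": 53}
INT_ATTRS = {"Acct-Status-Type", "Acct-Input-Octets", "Acct-Output-Octets",
             "Acct-Session-Time", "Acct-Input-Gigawords", "Acct-Output-Gigawords"}
STATUS_INTERIM_UPDATE = 3

def _avp(name: str, value) -> bytes:
    """Encode one attribute-value pair: type, length, value (RFC 2865 section 5)."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)
    elif isinstance(value, str):
        payload = value.encode()
    else:
        payload = bytes(value)
    if len(payload) > 253:
        raise ValueError(f"{name} too long")
    return struct.pack("!BB", ATTR[name], len(payload) + 2) + payload

def split_octets(total: int) -> tuple:
    """RADIUS octet counters are 32-bit; the overflow goes into the Gigawords attribute."""
    return total >> 32, total & 0xFFFFFFFF

def build_interim_update(ap_report: dict, nas_ip: str, identifier: int, secret: bytes) -> bytes:
    """Turn the AP's per-STA traffic report (relayed by the AC) into an Accounting-Request
    Interim-Update.  rx_bytes = bytes the AP received from the STA (Acct-Input-*),
    tx_bytes = bytes the AP sent to the STA (Acct-Output-*)."""
    in_gw, in_oct = split_octets(ap_report["rx_bytes"])
    out_gw, out_oct = split_octets(ap_report["tx_bytes"])
    attrs = (_avp("User-Name", ap_report["user"])
             + _avp("NAS-IP-Address", bytes(int(o) for o in nas_ip.split(".")))
             + _avp("Calling-Station-Id", ap_report["sta_mac"])
             + _avp("Acct-Status-Type", STATUS_INTERIM_UPDATE)
             + _avp("Acct-Session-Id", ap_report["session_id"])
             + _avp("Acct-Session-Time", ap_report["session_seconds"])
             + _avp("Acct-Input-Octets", in_oct) + _avp("Acct-Input-Gigawords", in_gw)
             + _avp("Acct-Output-Octets", out_oct) + _avp("Acct-Output-Gigawords", out_gw))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the authenticator over the received packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def decode_attributes(packet: bytes) -> dict:
    """Walk the attribute list; counter attributes come back as int, the rest as bytes."""
    by_type = {v: k for k, v in ATTR.items()}
    out, pos = {}, 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + l]
        name = by_type.get(t, f"Attr-{t}")
        out[name] = struct.unpack("!I", value)[0] if name in INT_ATTRS else value
        pos += l
    return out

# Constructed sample report; the AP-to-AC report format is an assumption of this example
SAMPLE_REPORT = {"user": "sta1@example.org", "sta_mac": "02-11-22-33-44-55",
                 "session_id": "ap1-0001", "session_seconds": 600,
                 "rx_bytes": 5_000_000_000, "tx_bytes": 123_456_789}
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    pkt = build_interim_update(SAMPLE_REPORT, "10.0.0.2", 7, SECRET)
    print(len(pkt), verify_request(pkt, SECRET))
    print(decode_attributes(pkt))
```

Two details matter for charging correctness: the 5 GB receive counter only survives because it is split into Acct-Input-Gigawords and Acct-Input-Octets, and the authenticator is the only thing binding the counters to the shared secret, so a server that skips `verify_request` accepts any forged Interim-Update for the session.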
Obviously, those skilled in the art should understand that each module or step of the present invention described above can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented by program code executable by a computing device, and thus can be stored in a storage medium (ROM/RAM, magnetic disk, optical disc) and executed by a computing device; in some cases the steps shown or described may be performed in an order different from that given here; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above content is a further detailed description of the present invention in combination with specific embodiments, and the specific implementation of the present invention cannot be considered limited to these descriptions. For those of ordinary skill in the technical field of the present invention, some simple deductions or substitutions can also be made without departing from the inventive concept, and all of them should be regarded as belonging to the protection scope of the present invention.

Claims (10)

1. A data forwarding method, characterized by comprising:
confirming whether a wireless terminal has been authenticated;
if the wireless terminal has not been authenticated, reporting the management data messages sent by the wireless terminal to a wireless controller by centralized forwarding for authentication;
if the wireless terminal has been authenticated, forwarding the business data messages sent by the wireless terminal to the network by local forwarding.
2. The data forwarding method according to claim 1, characterized in that, after confirming whether the wireless terminal has been authenticated, it further comprises:
if the wireless terminal has not been authenticated, forwarding preset business data messages sent by the wireless terminal to the network by local forwarding.
3. The data forwarding method according to claim 1 or 2, characterized in that, after reporting the management data messages sent by the wireless terminal to the wireless controller by centralized forwarding for authentication, it further comprises:
if the wireless terminal has been authenticated, counting parameter information of the wireless terminal and reporting it to the wireless controller.
4. The data forwarding method according to claim 1 or 2, characterized in that, after reporting the management data messages sent by the wireless terminal to the wireless controller by centralized forwarding for authentication, it further comprises:
if the wireless terminal has been authenticated, obtaining the Internet Protocol address of the wireless terminal from a local Dynamic Host Configuration Protocol server;
sending the Internet Protocol address to the wireless controller.
5. The data forwarding method according to claim 1 or 2, characterized in that the management data messages include at least one of the following: Hyper Text Transfer Protocol data messages, Hyper Text Transfer Protocol over Secure Socket Layer data messages, Extensible Authentication Protocol data messages.
6. The data forwarding method according to claim 1 or 2, characterized in that the authentication mode for the wireless terminal includes at least: portal authentication and Extensible Authentication Protocol authentication.
7. A wireless access point, characterized by comprising:
a processing module, configured to confirm whether a wireless terminal has been authenticated;
an authentication module, configured to, if the wireless terminal has not been authenticated, report the management data messages sent by the wireless terminal to a wireless controller by centralized forwarding for authentication;
a second forwarding module, configured to, if the wireless terminal has been authenticated, forward the business data messages sent by the wireless terminal to the network by local forwarding.
8. The wireless access point according to claim 7, characterized by further comprising: a first forwarding module, configured to, after the processing module confirms whether the wireless terminal has been authenticated, forward preset business data messages sent by the wireless terminal to the network by local forwarding if the wireless terminal has not been authenticated.
9. The wireless access point according to claim 7 or 8, characterized in that the management data messages include at least one of the following: Hyper Text Transfer Protocol data messages, Hyper Text Transfer Protocol over Secure Socket Layer data messages, Extensible Authentication Protocol data messages.
10. A communication system, characterized by comprising a wireless controller, an authentication server, and the wireless access point according to any one of claims 7 to 9;
the wireless access point registers with and comes online on the wireless controller;
the wireless controller issues configuration information to the wireless access point;
the wireless access point starts a wireless service according to the configuration information and allows a wireless terminal to associate with the wireless service;
the wireless access point receives the management data messages sent by the wireless terminal and forwards them centrally to the wireless controller;
the wireless controller authenticates the management data messages through the authentication server and issues the authentication result to the wireless access point.
CN201610225336.7A 2016-04-12 2016-04-12 A data forwarding method, wireless access point and communication system Pending CN107295514A (en)


Publications (1)

Publication Number Publication Date
CN107295514A true CN107295514A (en) 2017-10-24

Family

ID=60093735

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108848198A * 2018-05-07 2018-11-20 上海中兴易联通讯股份有限公司 A Portal differentiated pushing method for a multi-service forwarding mode AP
CN108848198B * 2018-05-07 2021-06-29 上海中兴易联通讯股份有限公司 Portal differential pushing method of multi-service forwarding mode AP
CN108924953A * 2018-07-05 2018-11-30 新华三技术有限公司 An AP management method and device
CN108924953B * 2018-07-05 2020-06-26 新华三技术有限公司 AP management method and device
CN109088955A * 2018-07-23 2018-12-25 成都西加云杉科技有限公司 Message processing method and device
CN109088955B * 2018-07-23 2021-07-09 成都西加云杉科技有限公司 Message processing method and device
CN109982388A * 2019-04-29 2019-07-05 武汉澳易通电信科技有限公司 An informatized WLAN wireless networking framework
CN115085963A * 2021-03-16 2022-09-20 西门子股份公司 Authenticating a node in a communication network of an automation system
US11863544B2 2021-03-16 2024-01-02 Siemens Aktiengesellschaft Authenticating a node in a communication network of an automation installation
CN115085963B * 2021-03-16 2024-04-19 西门子股份公司 Authenticating nodes in a communication network of an automation system
CN114158036A * 2021-12-06 2022-03-08 成都飞鱼星科技股份有限公司 Method, device, system and medium for configuring and managing an AP
CN114158036B * 2021-12-06 2024-01-23 成都飞鱼星科技股份有限公司 Method, equipment, system and medium for configuration management of AP


Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20171024