CN107734505A - Wireless access authentication method and system - Google Patents
- Publication number: CN107734505A (application CN201711132481.1A)
- Authority: CN (China)
- Prior art keywords: authentication information, matching, equipment, authentication, verification system
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H04W12/06—Authentication (H—Electricity; H04—Electric communication technique; H04W—Wireless communication networks; H04W12/00—Security arrangements; authentication; protecting privacy or anonymity)
- H04W12/08—Access security (same H04W12/00 group)
- H04W48/16—Discovering, processing access restriction or access information (H04W—Wireless communication networks; H04W48/00—Access restriction; network selection; access point selection)
Abstract
The present invention relates to the field of wireless communication technology and provides a wireless access authentication method and system. The method is applied to an authentication system. It obtains the authentication information, which characterizes an authentication password, sent by a wireless terminal; determines whether that authentication information matches the preset authentication information, which characterizes a preset password, of any one of the multiple user groups associated with the authentication system; if so, obtains the matching preset network permission of the matching user group to which the matching preset authentication information belongs; and finally brings the wireless terminal's matching preset network permission into effect. The method determines the user group of the wireless terminal's user solely from the authentication information that characterizes the authentication password, and allocates the corresponding preset network permission accordingly. The authentication mode is simple and effective, and achieves permission management that distinguishes between different users.
Description
Technical field
The present invention relates to the field of wireless communication, and in particular to a wireless access authentication method and system.
Background technology
At present Wi-Fi networks are increasingly widespread, and accessing a Wi-Fi network has become one of the main ways wireless terminals go online. The commonly used access methods for Wi-Fi networks defined by the Wi-Fi Protected Access (WPA) standards include OPEN authentication, pre-shared key (PSK) authentication, 802.1X authentication, WLAN Authentication and Privacy Infrastructure (WAPI) authentication, MAC authentication and Portal authentication.
Among these, OPEN authentication is the default authentication mode of the IEEE 802.11 standard and performs essentially no authentication. 802.1X, WAPI, MAC and Portal authentication can manage permissions per individual user, but they require dedicated AAA servers and Portal servers, so deployment is cumbersome and the cost is high. PSK authentication needs no additional server, but typically cannot manage permissions in a way that distinguishes between users. In short, the prior art lacks an authentication mode that is simple and effective and at the same time manages permissions in a way that distinguishes between users.
The content of the invention
In view of this, embodiments of the present invention provide a wireless access authentication method and system.
To achieve the above object, the present invention provides the following technical solutions:
In a first aspect, an embodiment of the present invention provides a wireless access authentication method applied to an authentication system. The authentication system is associated with multiple user groups, and each user group is associated with preset authentication information, which characterizes a preset password, and a preset network access permission. The method includes:
obtaining the authentication information, characterizing an authentication password, sent by a wireless terminal;
determining whether the authentication information matches the preset authentication information of any one of the multiple user groups associated with the authentication system;
if so, obtaining the matching preset network permission of the matching user group to which the matching preset authentication information (the one matching the authentication information) belongs;
bringing the wireless terminal's matching preset network permission into effect.
In a second aspect, an embodiment of the present invention provides a wireless access authentication system. The wireless access authentication system is associated with multiple user groups, and each user group is associated with preset authentication information, which characterizes a preset password, and a preset network access permission. The wireless access authentication system includes:
an authentication information acquisition module, for obtaining the authentication information, characterizing an authentication password, sent by a wireless terminal;
an authentication information judgment module, for determining whether the authentication information matches the preset authentication information of any one of the multiple user groups associated with the wireless access authentication system;
a permission acquisition module, for obtaining, if so, the matching preset network permission of the matching user group to which the matching preset authentication information (the one matching the authentication information) belongs;
a permission activation module, for bringing the wireless terminal's matching preset network permission into effect.
Beneficial effects achieved by the present invention: the wireless access authentication method and system provided in embodiments of the present invention obtain the authentication information, characterizing an authentication password, sent by a wireless terminal, and determine whether it matches the preset authentication information, characterizing a preset password, of any one of the multiple user groups associated with the authentication system. If matching preset authentication information exists, the matching preset network permission of the matching user group to which it belongs is obtained, and finally the wireless terminal's matching preset network permission is brought into effect. The user group of the wireless terminal's user is thus determined solely from the authentication information that characterizes the authentication password, and the corresponding preset network permission is allocated accordingly, which solves the prior-art problems that the authentication mode is complex and that permissions cannot be managed in a way that distinguishes between users.
To make the above objects, technical solutions and beneficial effects of the present invention clearer, embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required for the embodiments are briefly described below. It should be understood that the following drawings show only some embodiments of the present invention and are therefore not to be regarded as limiting its scope; those of ordinary skill in the art can derive other related drawings from these drawings without creative effort.
Fig. 1 shows the flow chart of the wireless access authentication method provided in an embodiment of the present invention;
Fig. 2 shows the schematic diagram of the 4-way handshake of PSK authentication;
Fig. 3 shows the flow chart of step S11 of the wireless access authentication method provided in an embodiment of the present invention;
Fig. 4 shows the flow chart of step S111 of the wireless access authentication method provided in an embodiment of the present invention;
Fig. 5 shows the functional block diagram of the wireless access authentication system provided in an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, rather than all, of the embodiments of the present invention. The components of the embodiments described and illustrated in the drawings may generally be arranged and designed in a variety of configurations. Therefore, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be further defined and explained in subsequent drawings. In the description of the present invention, the terms "first", "second" and so on are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
A wireless access authentication process is generally completed through data exchange between a wireless terminal and an authentication system. The wireless terminal may be a mobile phone, tablet computer, smart wearable device and the like; the authentication system may include access point (AP) devices, access controller (AC) devices and the like. The authentication process on the one hand verifies the authentication information of the wireless terminal, for example whether the user name and password are correct, and on the other hand manages the network permissions of authenticated users. Network permission management means allocating different network access resources to different users or user groups; network permissions include, but are not limited to, access control lists (ACL), bandwidth, rate limits, virtual LAN (VLAN) and quality of service (QoS).
Some wireless access authentication modes that are relatively simple to deploy, such as PSK authentication, authenticate solely by the authentication password supplied by the wireless terminal. In the prior art, an authentication system using such a mode can set only a single preset password for each service set identifier (SSID) it defines, and this kind of authentication system runs into certain problems when managing users' network permissions.
Specifically, when the authentication system defines only one SSID, all users who can access that SSID use the same authentication password, which matches the preset password. Clearly the authentication system cannot distinguish between different users on the basis of the same authentication password, and therefore cannot manage their permissions in a way that distinguishes between them. To distinguish users, the prior art requires the authentication system to define multiple SSIDs, set a different preset password for each SSID, and configure different preset network permissions for each SSID. The user first selects the SSID to join on the wireless terminal and then enters an authentication password; if the authentication password matches the preset password of that SSID, the wireless terminal's wireless access authentication succeeds and the authentication system allocates to that user the preset network permission corresponding to the SSID.
For example, in a shopping mall where customers and staff are to be given different network permissions, two SSIDs can be defined in the authentication system, named "SSID-customer" and "SSID-employee". "SSID-customer" is given a first password and "SSID-employee" a second password; the first password is told to customers and the second to staff. A customer selects "SSID-customer" on the wireless terminal and enters the first password to access the Wi-Fi network with customer permissions; an employee selects "SSID-employee" on the wireless terminal and enters the second password to access the Wi-Fi network with employee permissions.
However, the inventor has found through long study that managing network permissions by defining multiple SSIDs in the authentication system has many drawbacks:
First, it is inconvenient for users: multiple SSIDs appear when a wireless terminal searches for Wi-Fi networks, and the user finds it hard to decide which SSID to join.
Second, each SSID has to be configured and managed in the authentication system, so management costs are high.
Third, each SSID continuously broadcasts beacon frames to announce its presence to wireless terminals, usually at an interval of 100ms; beacon frames are sent at a relatively low rate and occupy a large amount of air-interface transmission time. In special settings such as large concerts, where a great many AP devices are deployed and every SSID of every AP device broadcasts beacon frames, this problem is especially pronounced.
The wireless access authentication method and system provided in embodiments of the present invention achieve permission management that distinguishes between users even when only one SSID is defined in the authentication system, thereby solving the above problems of the prior art.
First embodiment:
The wireless access authentication method provided in this embodiment is applied to an authentication system, which can take various architectures. In this embodiment the authentication system consists of an AP device and an AC device communicatively connected to it; depending on the actual application environment, the AC device may be replaced by a network management system (NMS).
When the Wi-Fi network is deployed, only one SSID is configured on the AC device, and a user configuration file is configured on the AC device. The user configuration file includes multiple user groups, and each user group can include a group name, a preset password, a preset network access permission and similar contents. For example, in a shopping mall where customers and staff are to be given different network permissions, the configuration file could contain:
It should be understood that the table above is illustrative only; it does not mean that the user configuration file can only use the form of the table or only include the contents of the table.
After the user configuration file has been configured on the AC device, the AC device delivers it to the AP device, and the AC device may retain a copy of the user configuration file.
Fig. 1 shows the flow chart of the wireless access authentication method provided in an embodiment of the present invention. Referring to Fig. 1, the method includes:
Step S10: The AP device obtains the authentication information, characterizing an authentication password, sent by the wireless terminal.
For security reasons, the authentication information is generally some information suitable for transmission over the network that is generated from the original authentication password. It corresponds uniquely to the authentication password, that is, it characterizes the authentication password, so authenticating with the authentication information is equivalent to authenticating with the authentication password. The authentication password may be entered by the user when accessing the Wi-Fi network this time, or may have been saved on the wireless terminal when the user last accessed the Wi-Fi network. After the wireless terminal generates the authentication information from the authentication password, it sends the authentication information to the AP device, where it is obtained.
Step S11: The AP device determines whether the authentication information matches the preset authentication information of any one of the multiple user groups associated with the authentication system.
For security reasons, the preset authentication information is likewise some information suitable for transmission over the network that is generated from the original preset password. It corresponds uniquely to the preset password, that is, it characterizes the preset password, so authenticating with the preset authentication information is equivalent to authenticating with the preset password. The preset authentication information can be generated before step S11, either on the AP device or on the AC device; in the latter case, the preset password in the user configuration file delivered by the AC device to the AP device has already been replaced by the preset authentication information. The user configuration file includes multiple user groups, each corresponding to one preset password; given the correspondence between preset passwords and preset authentication information, each user group can also be regarded as corresponding to one item of preset authentication information. Each user group in the user configuration file is traversed, its preset authentication information is taken out and compared with the authentication information. If one item of preset authentication information matches, authentication succeeds and the subsequent steps are executed; if no preset authentication information matches, authentication fails. Here "matching" can mean being equal or satisfying some preset relation.
Step S12: If so, the AP device obtains the matching preset network permission of the matching user group to which the matching preset authentication information (the one matching the authentication information) belongs.
If authentication succeeds, the preset authentication information that matches the authentication information is called the matching preset authentication information, the user group in the user configuration file to which it belongs is called the matching user group, and the preset network permission of the matching user group is called the matching preset network permission. The matching preset network permission is allocated to the user of the wireless terminal; allocation means recording on the AP device the correspondence between that user and the matching preset network permission.
Step S13: The AP device and/or the AC device bring the wireless terminal's matching preset network permission into effect.
Although step S12 allocates the matching preset network permission to the authenticated user, the permission does not necessarily take effect immediately: under existing wireless communication standards some further data exchange takes place between the wireless terminal and the authentication system, and the matching preset network permission can take effect only after that exchange completes. Taking effect means that the user actually obtains the matching preset network permission. Depending on the content of the matching preset network permission, activation can be completed on the AP device, on the AC device, or partly on each. Where part or all of the matching preset network permission needs to be activated on the AC device, step S13 may also include the AP device sending the matching preset authentication information to the AC device, and the AC device, according to the copy of the user configuration file it retains, activating the part or all of the matching preset network permission corresponding to that matching preset authentication information.
In summary, in the wireless access authentication method provided in this embodiment, by configuring in the user configuration file multiple user groups with different preset authentication information, users can be distinguished solely by the authentication information provided by the wireless terminal, and network permission management of the distinguished users can then be carried out. Given the unique correspondence between authentication information and authentication password, different users joining the Wi-Fi network need only enter different authentication passwords to obtain different network permissions. For example, with the user configuration file in the table above, a customer of the mall selects the mall's single SSID on their wireless terminal and enters Guest123 to obtain the customer permission: VLAN 20, an ACL permitting access to the Internet only, and a bandwidth of 1Mbps. An employee of the mall selects the same single SSID on their wireless terminal and enters Employee123 to obtain the employee permission: VLAN 10, an ACL permitting access to the internal network and the Internet, and a bandwidth of 5Mbps. The whole process is very simple and requires selecting only one SSID, thus avoiding the various problems caused by defining multiple SSIDs in the authentication system.
Second embodiment:
The authentication system in this embodiment consists of an AP device and an AC device communicatively connected to it; depending on the actual application environment, the AC device may be replaced by an NMS. In this embodiment, when the Wi-Fi network is deployed, the user configuration file configured on the AC device is not delivered to the AP device but is kept on the AC device. The wireless access authentication method provided in this embodiment is:
The AP device obtains the authentication information, characterizing an authentication password, sent by the wireless terminal, and sends the authentication information to the AC device.
The AC device determines whether the authentication information matches the preset authentication information of any one of the multiple user groups associated with the authentication system.
If so, the AC device obtains the matching preset network permission of the matching user group to which the matching preset authentication information (the one matching the authentication information) belongs.
The AP device and/or the AC device bring the wireless terminal's matching preset network permission into effect. Where part or all of the matching preset network permission needs to be activated on the AP device, this step includes the AC device sending the matching preset network permission to the AP device, and the AP device activating the part or all of the matching preset network permission for the authenticated user.
This embodiment provides a deployment of the wireless access authentication method in the authentication system that differs from the first embodiment; in practice the deployment can be chosen according to actual needs and the functions of the specific devices.
Third embodiment:
The authentication system in this embodiment consists of an AP device and an AC device communicatively connected to it; depending on the actual application environment, the AC device may be replaced by an NMS. In this embodiment, when the Wi-Fi network is deployed, the user configuration file configured on the AC device is not delivered to the AP device but is kept on the AC device; only the preset passwords in the user configuration file, or the preset authentication information characterizing them, are delivered to the AP device. The wireless access authentication method provided in this embodiment is:
The AP device obtains the authentication information, characterizing an authentication password, sent by the wireless terminal.
The AP device determines whether the authentication information matches the preset authentication information of any one of the multiple user groups associated with the authentication system.
If so, the AP device obtains the matching preset authentication information that matches the authentication information.
The AP device sends the matching preset authentication information to the AC device. As explained above, the AP device in this embodiment holds only the preset authentication information and no user group information, so it must send the matching preset authentication information to the AC device for processing.
The AC device obtains the matching preset network permission of the matching user group to which the matching preset authentication information belongs.
The AP device and/or the AC device bring the wireless terminal's matching preset network permission into effect. Where part or all of the matching preset network permission needs to be activated on the AP device, this step includes the AC device sending the matching preset network permission to the AP device, and the AP device activating the part or all of the matching preset network permission for the authenticated user.
This embodiment provides a deployment of the wireless access authentication method in the authentication system that differs from the first embodiment; in practice the deployment can be chosen according to actual needs and the functions of the specific devices.
Fourth embodiment:
The authentication system in this embodiment is an AP device, generally a fat AP such as a home wireless router. In this embodiment, when the Wi-Fi network is deployed, the user configuration file is configured on the AP device. The wireless access authentication method provided in this embodiment is:
The AP device obtains the authentication information, characterizing an authentication password, sent by the wireless terminal.
The AP device determines whether the authentication information matches the preset authentication information of any one of the multiple user groups associated with the authentication system.
If so, the AP device obtains the matching preset authentication information that matches the authentication information.
The AP device brings the wireless terminal's matching preset network permission into effect.
This embodiment provides a deployment of the wireless access authentication method in the authentication system that differs from the first embodiment; in practice the deployment can be chosen according to actual needs and the functions of the specific devices.
Fifth embodiment:
The wireless access authentication method provided in the first embodiment can be applied to PSK authentication. PSK authentication, specifically including WPA-PSK, WPA2-PSK and the like, authenticates using only the password entered by the user; its deployment is also relatively simple and requires no additional authentication server, making it a currently popular wireless access authentication mode.
PSK authentication is a 4-way handshake, and Fig. 2 shows the schematic diagram of the 4-way handshake of PSK authentication. Referring to Fig. 2, the handshake takes place between a supplicant and an authenticator; the supplicant is usually the wireless terminal and the authenticator is usually the authentication system.
The handshake is in fact a process in which the wireless terminal and the authentication system negotiate and confirm a transmission key. This key is the pairwise transient key (PTK); after the 4-way handshake completes, all data transmitted between the wireless terminal and the authentication system is encrypted with the PTK to ensure security.
As shown in Fig. 2, before the handshake starts, the wireless terminal and the authentication system each generate a pairwise master key (PMK). For the authentication system, a preset password for accessing the Wi-Fi network was set when the Wi-Fi network was built; the PSK of the authentication system can be generated from that preset password, and the PMK of the authentication system can in turn be generated from that PSK, so the PMK of the authentication system can be regarded as corresponding uniquely to the preset password. For the wireless terminal, the authentication password may be entered by the user when accessing the Wi-Fi network this time, or may have been saved on the wireless terminal when the user last accessed the Wi-Fi network; the PSK of the wireless terminal can be generated from the authentication password, and the PMK of the wireless terminal can in turn be generated from that PSK, so the PMK of the wireless terminal can be regarded as corresponding uniquely to the authentication password.
The PTK is computed from the PMK, the MAC address of the authentication system, the random number ANonce of the authentication system, the MAC address of the wireless terminal and the random number SNonce of the wireless terminal. Before the handshake starts, the wireless terminal and the authentication system have already learned each other's MAC addresses through other messages.
First handshake message: The authentication system generates the random number ANonce and sends it to the wireless terminal. The wireless terminal generates the random number SNonce and, as set out above, can now generate the PTK of the wireless terminal. From this PTK and an 802.1X data frame, the message integrity code (MIC) of the wireless terminal is generated; the MIC of the wireless terminal can be regarded as a digest corresponding uniquely to the PMK of the wireless terminal.
Second handshake message: The wireless terminal sends the SNonce it generated, the MIC of the wireless terminal and the 802.1X data frame to the authentication system. As set out above, the authentication system can now generate the PTK of the authentication system and, from this PTK and the received 802.1X data frame, generate the MIC of the authentication system; the MIC of the authentication system can be regarded as a digest corresponding uniquely to the PMK of the authentication system. The MIC of the wireless terminal is compared with the MIC of the authentication system. If they are equal, the PMK of the wireless terminal is identical to the PMK of the authentication system, and by the correspondence between the PMK and the original password, the authentication password of the wireless terminal is considered verified successfully; the authentication system then generates the group temporal key (GTK). If they are not equal, the PMK of the wireless terminal differs from the PMK of the authentication system, and by the same correspondence the authentication password of the wireless terminal is considered to have failed verification, and the handshake fails.
Third handshake message: The authentication system sends the GTK and the MIC of the authentication system to the wireless terminal.
Fourth handshake message: The wireless terminal sends an ACK to the authentication system as confirmation.
From the above it can be seen that the core of the authentication process is the second handshake message, in which the PMK of the wireless terminal is verified.
The wireless access authentication method provided in the first embodiment can be applied to the second handshake message of PSK authentication. The wireless access authentication method provided in this embodiment is one specific implementation of the method of the first embodiment when applied to PSK authentication; it should be understood that the method of the first embodiment can also have other specific implementations when applied to PSK authentication.
Fig. 3 is a flow chart of step S11 of the wireless access authentication method provided by an embodiment of the present invention. Referring to Fig. 3, step S11 includes:
S110: the AP device judges whether the message carrying the authentication information is the second handshake message of PSK authentication.
The second handshake step in PSK authentication is the step in which the authentication information is verified, and the method of this embodiment modifies that verification step so that different users can be distinguished by their authentication information. Because PSK authentication is part of the 802.11i standard, this modification has minimal impact on the original authentication process and does not introduce incompatibility with the existing standard. Therefore, for the message containing the authentication information obtained in step S10, the AP device first judges whether it is the second handshake message; if so, the subsequent steps continue; if not, the handshake fails.
S111: if so, the AP device judges whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system.
Fig. 4 is a flow chart of step S111 of the wireless access authentication method provided by an embodiment of the present invention. Referring to Fig. 4, step S111 includes:
S111a: the AP device judges whether the terminal MIC corresponding to the terminal PMK is equal to the system-side MIC corresponding to the system-side PMK of any user group among the multiple user groups.
Here the terminal PMK is the PMK of the wireless terminal, the terminal MIC is the MIC of the wireless terminal, the system-side PMK is the PMK of the authentication system, and the system-side MIC is the MIC of the authentication system.
In PSK authentication, the authentication information is the MIC of the wireless terminal, generated exactly as in existing PSK authentication. The preset authentication information is the PMK of the authentication system; there are multiple such PMKs, one per user group, each generated from the preset password of that user group in the user configuration table, again exactly as in existing PSK authentication. From each user group's system-side PMK (together with the MAC addresses and nonces of the current handshake) the system then generates the system-side MIC for that user group, once more as in existing PSK authentication. The system-side MICs of all user groups are traversed and compared with the MIC of the wireless terminal, to determine whether the system-side MIC of some user group is equal to the terminal's MIC.
S111b: if so, the authentication information matches the preset authentication information corresponding to that user group among the multiple user groups.
If the system-side MIC of some user group is equal to the terminal's MIC, the terminal's MIC matches that user group's system-side PMK, hence the terminal's PMK equals that user group's system-side PMK; authentication succeeds, the matched preset authentication information is the system-side PMK that matched, and the subsequent steps continue. If no user group's system-side MIC is equal to the terminal's MIC, authentication fails and the handshake ends.
In addition, for PSK authentication, the matched preset network right can only take effect after the four-way handshake has completed.
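The handshake description around Fig. 2 and the checks of steps S110, S111a and S111b, carried through for WPA2-Personal in working code. This is an added example, not code from the patent or its applicant. It assumes an RSN (WPA2) network using CCMP with AKM 00-0F-AC:2, so the PMK is PBKDF2-HMAC-SHA1 of passphrase and SSID, the PTK is PRF-384 over the two MAC addresses and the two nonces, and the message-2 MIC is HMAC-SHA1 truncated to 16 bytes (EAPOL-Key descriptor version 2). The SSID, MAC addresses, nonces, RSN IE, group names, passphrases and rights table are constructed sample data; `GROUP_PMKS` plays the role of the patent's user configuration table, and `authenticate` returns the matched user group and its preset network right.

```python
"""Multi-PSK check of 4-way-handshake message 2 (added example, not the patent's code)."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# EAPOL-Key field offsets (IEEE 802.11 RSN key descriptor) inside the EAPOL frame
KEY_INFO_OFF = 5            # after EAPOL header (4) and descriptor type (1)
NONCE_OFF = 17              # + key info (2) + key length (2) + replay counter (8)
MIC_OFF = 81                # + nonce (32) + key IV (16) + key RSC (8) + key ID (8)
MIC_LEN = 16
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200
KI_VERSION_HMAC_SHA1 = 2    # descriptor version 2: HMAC-SHA1-128 MIC (CCMP with AKM PSK)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces).
    Byte-wise min/max on equal-length byte strings equals the unsigned ordering the standard uses."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)   # KCK(16) || KEK(16) || TK(16)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Message-2 MIC: HMAC-SHA1 over the whole EAPOL frame with the MIC field zeroed, first 16 bytes."""
    zeroed = frame[:MIC_OFF] + b"\x00" * MIC_LEN + frame[MIC_OFF + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(snonce: bytes, key_data: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Minimal EAPOL-Key message 2: Key Info = MIC | Pairwise | version 2, key length 0, RSN IE as key data."""
    key_info = (KI_MIC | KI_PAIRWISE | KI_VERSION_HMAC_SHA1).to_bytes(2, "big")
    body = (b"\x02" + key_info + (0).to_bytes(2, "big") + (1).to_bytes(8, "big")  # RSN descriptor, replay ctr 1
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8                    # key IV, key RSC, key ID
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body                         # EAPOL v2, type Key


def is_msg2(frame: bytes) -> bool:
    """Step S110: an RSN EAPOL-Key frame with MIC and Pairwise set, Ack/Install/Secure clear and a
    non-zero nonce (message 4 also carries a MIC but has Secure set and an all-zero nonce)."""
    if len(frame) < MIC_OFF + MIC_LEN + 2 or frame[1] != 3 or frame[4] != 2:
        return False
    ki = int.from_bytes(frame[KEY_INFO_OFF:KEY_INFO_OFF + 2], "big")
    return ((ki & (KI_MIC | KI_PAIRWISE)) == (KI_MIC | KI_PAIRWISE)
            and not ki & (KI_ACK | KI_INSTALL | KI_SECURE)
            and any(frame[NONCE_OFF:NONCE_OFF + 32]))


def station_sign_msg2(passphrase, ssid, aa, spa, anonce, snonce, rsn_ie) -> bytes:
    """Unmodified WPA2 client behaviour: derive the PTK from the entered passphrase and MIC message 2."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return build_msg2(snonce, rsn_ie, eapol_mic(kck, build_msg2(snonce, rsn_ie)))


def ap_match_user_group(frame, group_pmks: Dict[str, bytes], aa, spa, anonce) -> Optional[str]:
    """Steps S110, S111a, S111b: try every user group's system-side PMK against the received MIC."""
    if not is_msg2(frame):
        return None
    snonce = frame[NONCE_OFF:NONCE_OFF + 32]
    received_mic = frame[MIC_OFF:MIC_OFF + MIC_LEN]
    for group, pmk in group_pmks.items():
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), received_mic):
            return group
    return None


# Constructed sample data (not from the patent): one SSID, three user groups, one rights table.
SSID = "corp-wifi"
AA = bytes.fromhex("020000000001")           # AP (authenticator) MAC
SPA = bytes.fromhex("020000000002")          # station (supplicant) MAC
ANONCE = hashlib.sha256(b"sample-anonce").digest()
SNONCE = hashlib.sha256(b"sample-snonce").digest()
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / CCMP / AKM PSK
GROUP_PASSPHRASES = {"staff": "StaffOnly-2017!", "guests": "welcome-guest", "iot": "sensor-net-key"}
GROUP_PMKS = {g: pmk_from_passphrase(p, SSID) for g, p in GROUP_PASSPHRASES.items()}  # user config table
GROUP_RIGHTS = {"staff": "vlan10-full", "guests": "vlan30-internet-only", "iot": "vlan40-restricted"}


def authenticate(frame: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched user group, matched preset network right), or (None, None) on failure."""
    group = ap_match_user_group(frame, GROUP_PMKS, AA, SPA, ANONCE)
    return (group, GROUP_RIGHTS[group]) if group else (None, None)


if __name__ == "__main__":
    msg2 = station_sign_msg2("welcome-guest", SSID, AA, SPA, ANONCE, SNONCE, RSN_IE)
    print(authenticate(msg2))
    print(authenticate(station_sign_msg2("not-a-group-password", SSID, AA, SPA, ANONCE, SNONCE, RSN_IE)))
```

The station side builds message 2 exactly as an unmodified WPA2 client would; only `ap_match_user_group` differs from a single-PSK AP, which is the patent's point that the terminal needs no change. Two practical caveats the patent does not address: the verification cost grows linearly with the number of user groups (one PRF-384 and one HMAC per candidate PMK per handshake), so the PMKs should be precomputed and cached as `GROUP_PMKS` does rather than re-running PBKDF2 on every handshake; and the GTK delivered in message 3 is shared by every station in the BSS unless the AP issues a separate GTK per group, so separating the groups at layer 2 needs per-group GTKs or VLANs in addition to the rights table. Each group's passphrase also remains exposed to the usual offline dictionary attack on a captured handshake, as in ordinary WPA2-PSK.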
In summary, the wireless access authentication method of this embodiment modifies the second handshake step of PSK authentication. It retains the deployment simplicity of PSK authentication while distinguishing users solely by the wireless terminal's PMK, so that network rights can be managed per distinguished user. Given the one-to-one relationship between the terminal's PMK and the authentication password entered by the user, different users need only enter different authentication passwords when connecting to the Wi-Fi network in order to obtain different network rights. Moreover, the method involves only the authentication system side: the wireless terminal needs no change and operates exactly as in existing PSK authentication. Obviously, the wireless access authentication methods of the second, third and fourth embodiments can also be applied to PSK authentication.
Sixth embodiment:
Fig. 5 is a functional block diagram of the wireless access authentication system provided by an embodiment of the present invention. Referring to Fig. 5, the wireless access authentication system 100 of this embodiment comprises an authentication information acquisition module 110, an authentication information judging module 120, a right acquisition module 130 and a right activation module 140. The wireless access authentication system 100 corresponds to multiple user groups, and each user group among the multiple user groups corresponds to preset authentication information characterizing a preset password and to a preset network access right.
The authentication information acquisition module 110 obtains the authentication information, characterizing an authentication password, sent by a wireless terminal. The authentication information judging module 120 judges whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the wireless access authentication system 100. If so, the right acquisition module 130 obtains the matched preset network right of the matched user group to which the matched preset authentication information that matches the authentication information belongs. The right activation module 140 controls the matched preset network right of the wireless terminal to be in effect.
In summary, the wireless access authentication system of this embodiment has a simple authentication mode and can manage rights differently for different users.
It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. The device embodiments are described more briefly because they are substantially similar to the method embodiments; for related details refer to the description of the method embodiments.
In the embodiments provided herein, it should be understood that the disclosed apparatus and method may also be implemented in other ways. The device embodiments described above are merely illustrative. For example, the flow charts and block diagrams in the drawings show the architecture, functions and operations that may be implemented by the devices, methods and computer program products of the embodiments of the present invention. Each block in a flow chart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the blocks may occur in an order different from that marked in the drawings: two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flow charts, and combinations of blocks in the block diagrams and/or flow charts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated to form one independent part, each module may exist separately, or two or more modules may be integrated to form one independent part.
If the functions are implemented in the form of software functional modules and are sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and containing instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk. It should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included in its scope of protection. It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings.
The foregoing are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the scope of the claims.
Claims (10)
1. A wireless access authentication method, applied to an authentication system, characterized in that the authentication system corresponds to multiple user groups, and each user group among the multiple user groups corresponds to preset authentication information characterizing a preset password and to a preset network access right, the method comprising:
obtaining authentication information, characterizing an authentication password, sent by a wireless terminal;
judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system;
if so, obtaining the matched preset network right of the matched user group to which the matched preset authentication information that matches the authentication information belongs;
controlling the matched preset network right of the wireless terminal to be in effect.
2. The wireless access authentication method according to claim 1, characterized in that judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system comprises:
judging whether the message carrying the authentication information is the second handshake message of pre-shared-key authentication;
if so, judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system.
3. The wireless access authentication method according to claim 2, characterized in that the authentication information is the terminal message integrity code corresponding to the terminal pairwise master key generated by the wireless terminal from the authentication password, the preset authentication information is the system-side pairwise master key generated by the authentication system from the preset password, and judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system comprises:
judging whether the terminal message integrity code corresponding to the terminal pairwise master key is equal to the system-side message integrity code corresponding to the system-side pairwise master key of any user group among the multiple user groups;
if so, the authentication information matches the preset authentication information corresponding to that user group among the multiple user groups.
4. The wireless access authentication method according to any one of claims 1 to 3, characterized in that the authentication system comprises an AP device, and obtaining the authentication information, characterizing an authentication password, sent by the wireless terminal comprises:
the AP device obtaining the authentication information, characterizing the authentication password, sent by the wireless terminal.
5. The wireless access authentication method according to claim 4, characterized in that the authentication system further comprises an AC device communicatively connected to the AP device, and judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system comprises:
the AP device or the AC device judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system.
6. The wireless access authentication method according to claim 5, characterized in that obtaining the matched preset network right of the matched user group to which the matched preset authentication information that matches the authentication information belongs comprises:
the AP device or the AC device obtaining the matched preset network right of the matched user group to which the matched preset authentication information belongs.
7. The wireless access authentication method according to claim 6, characterized in that, after the AP device or the AC device judges that the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system, and before the AP device or the AC device obtains the matched preset network right of the matched user group to which the matched preset authentication information belongs, the method further comprises:
if so, the AP device obtaining the matched preset authentication information that matches the authentication information;
the AP device sending the matched preset authentication information to the AC device.
8. The wireless access authentication method according to claim 6, characterized in that controlling the matched preset network right of the wireless terminal to be in effect comprises:
the AP device and/or the AC device controlling the matched preset network right of the wireless terminal to be in effect.
9. The wireless access authentication method according to claim 8, characterized in that, before the AP device and/or the AC device controls the matched preset network right of the wireless terminal to be in effect, the method further comprises:
the AC device sending the matched preset network right to the AP device.
10. A wireless access authentication system, characterized in that the wireless access authentication system corresponds to multiple user groups, and each user group among the multiple user groups corresponds to preset authentication information characterizing a preset password and to a preset network access right, the wireless access authentication system comprising:
an authentication information acquisition module, for obtaining authentication information, characterizing an authentication password, sent by a wireless terminal;
an authentication information judging module, for judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the wireless access authentication system;
a right acquisition module, for obtaining, if so, the matched preset network right of the matched user group to which the matched preset authentication information that matches the authentication information belongs;
a right activation module, for controlling the matched preset network right of the wireless terminal to be in effect.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711132481.1A CN107734505A (en) | 2017-11-15 | 2017-11-15 | Wireless access authentication method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107734505A true CN107734505A (en) | 2018-02-23 |
Family
ID=61216678
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711132481.1A Pending CN107734505A (en) | 2017-11-15 | 2017-11-15 | Wireless access authentication method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107734505A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110856174A (en) * | 2019-12-13 | 2020-02-28 | 上海兴容信息技术有限公司 | Access authentication system, method, device, computer equipment and storage medium |
CN111885561A (en) * | 2020-06-30 | 2020-11-03 | 北京小米移动软件有限公司 | Wireless network connection, NFC information writing method, device and storage medium |
CN111885561B (en) * | 2020-06-30 | 2024-02-13 | 北京小米移动软件有限公司 | Wireless network connection, NFC information writing method, device and storage medium |
CN111935717B (en) * | 2020-10-09 | 2021-01-08 | 中科开创(广州)智能科技发展有限公司 | Authentication method and device of WAPI system and computer equipment |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101247336A (en) * | 2008-03-07 | 2008-08-20 | 中兴通讯股份有限公司 | Method and server for controlling multilevel access authority of access user |
CN102348209A (en) * | 2011-09-23 | 2012-02-08 | 福建星网锐捷网络有限公司 | Method and device for wireless network access and authentication |
CN102726080A (en) * | 2009-12-23 | 2012-10-10 | 马维尔国际贸易有限公司 | Station-to-station security associations in personal basic service sets |
CN102843687A (en) * | 2012-09-18 | 2012-12-26 | 惠州Tcl移动通信有限公司 | Smartphone portable point safe access system and method |
CN105141629A (en) * | 2015-09-18 | 2015-12-09 | 于博涵 | Method for improving network security of public Wi-Fi based on WPA/WPA2 PSK multiple passwords |
CN105991613A (en) * | 2015-03-03 | 2016-10-05 | 北京神州泰岳信息安全技术有限公司 | Resource remote login method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20180223