CN107734505A - Wireless access authentication method and system - Google Patents


Info

Publication number
CN107734505A
Authority
CN
China
Prior art keywords
authentication information
matching
equipment
authentication
verification system
Prior art date
Legal status
Pending
Application number
CN201711132481.1A
Other languages
Chinese (zh)
Inventor
王红雷
Current Assignee
CHENGDU SKSPRUCE TECHNOLOGY Inc
Original Assignee
CHENGDU SKSPRUCE TECHNOLOGY Inc
Events
Application filed by CHENGDU SKSPRUCE TECHNOLOGY Inc
Priority to CN201711132481.1A
Publication of CN107734505A
Legal status: Pending

Classifications

    • H04W 12/06 Authentication (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity)
    • H04W 12/08 Access security (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity)
    • H04W 48/16 Discovering, processing access restriction or access information (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 48/00 Access restriction; network selection; access point selection)

Abstract

The present invention relates to the field of wireless communication technology and provides a wireless access authentication method and system. The method is applied to an authentication system: authentication information sent by a wireless terminal and characterizing an authentication password is obtained; it is determined whether the authentication information matches the preset authentication information, characterizing a preset password, that corresponds to any one of the multiple user groups associated with the authentication system; if so, the matching preset network permission of the matching user group to which the matching preset authentication information belongs is obtained; and finally the matching preset network permission is made to take effect for the wireless terminal. The method identifies the user group of the wireless terminal's user solely from the authentication information characterizing the authentication password and assigns the corresponding preset network permission accordingly. The authentication procedure is simple and effective, and permission management that distinguishes between different users is achieved.

Description

Wireless access authentication method and system
Technical field
The present invention relates to the field of wireless communication, and in particular to a wireless access authentication method and system.
Background technology
At present, Wi-Fi networks are increasingly widespread, and accessing a Wi-Fi network has become one of the main ways for wireless terminals to get online. The access methods commonly used in Wi-Fi networks, as defined by the Wi-Fi Protected Access (WPA) standard and related standards, include open authentication, pre-shared key (PSK) authentication, 802.1X authentication, WLAN Authentication and Privacy Infrastructure (WAPI) authentication, MAC authentication and Portal authentication.
Open authentication is the default authentication mode of the IEEE 802.11 standard and performs essentially no authentication at all. 802.1X, WAPI, MAC and Portal authentication can perform permission management per individual user, but they require dedicated AAA servers and Portal servers, are cumbersome to deploy and comparatively costly. PSK authentication requires no additional server, but usually cannot perform permission management that distinguishes between users. In short, the prior art lacks an authentication mode that is simple and effective and at the same time allows user-differentiated permission management.
The content of the invention
In view of this, embodiments of the present invention provide a wireless access authentication method and system.
To achieve the above object, the present invention provides the following technical solutions:
In a first aspect, an embodiment of the present invention provides a wireless access authentication method applied to an authentication system. The authentication system is associated with multiple user groups, and each user group is associated with preset authentication information characterizing a preset password and with a preset network access permission. The method includes:
obtaining authentication information, sent by a wireless terminal, that characterizes an authentication password;
determining whether the authentication information matches the preset authentication information corresponding to any one of the multiple user groups associated with the authentication system;
if so, obtaining the matching preset network permission of the matching user group to which the matching preset authentication information (the preset authentication information that matches the authentication information) belongs;
causing the matching preset network permission of the wireless terminal to take effect.
In a second aspect, an embodiment of the present invention provides a wireless access authentication system. The wireless access authentication system is associated with multiple user groups, and each user group is associated with preset authentication information characterizing a preset password and with a preset network access permission. The wireless access authentication system includes:
an authentication information acquisition module, for obtaining authentication information, sent by a wireless terminal, that characterizes an authentication password;
an authentication information judging module, for determining whether the authentication information matches the preset authentication information corresponding to any one of the multiple user groups associated with the wireless access authentication system;
a permission acquisition module, for obtaining, if so, the matching preset network permission of the matching user group to which the matching preset authentication information (the preset authentication information that matches the authentication information) belongs;
a permission activation module, for causing the matching preset network permission of the wireless terminal to take effect.
Beneficial effects achieved by the present invention: the wireless access authentication method and system provided by embodiments of the present invention obtain authentication information sent by a wireless terminal that characterizes an authentication password, determine whether it matches the preset authentication information characterizing a preset password that corresponds to any one of the multiple user groups associated with the authentication system, and, if matching preset authentication information exists, obtain the matching preset network permission of the matching user group to which that matching preset authentication information belongs and finally cause the matching preset network permission to take effect for the wireless terminal. The user group of the wireless terminal's user is thus determined solely from the authentication information characterizing the authentication password, and the corresponding preset network permission is assigned to it. This solves the problem in the prior art that the authentication procedure is complicated, or that permission management cannot distinguish between users.
In order to make the above objects, technical solutions and beneficial effects of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required for the embodiments are briefly introduced below. It should be understood that the following drawings show only certain embodiments of the present invention and therefore should not be regarded as limiting its scope; those of ordinary skill in the art can derive other related drawings from these drawings without creative effort.
Fig. 1 shows a flow chart of the wireless access authentication method provided by an embodiment of the present invention;
Fig. 2 shows a schematic diagram of the 4-way handshake process of PSK authentication;
Fig. 3 shows a flow chart of step S11 of the wireless access authentication method provided by an embodiment of the present invention;
Fig. 4 shows a flow chart of step S111 of the wireless access authentication method provided by an embodiment of the present invention;
Fig. 5 shows a functional block diagram of the wireless access authentication system provided by an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. The components of the embodiments of the present invention, as generally described and illustrated in the drawings here, may be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments of the present invention provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings. Also, in the description of the present invention, the terms "first", "second" and the like are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
The wireless access authentication process is generally completed through data interaction between a wireless terminal and an authentication system. The wireless terminal may be a mobile phone, a tablet computer, a smart wearable device and so on; the authentication system may include AP devices, AC devices and so on. One side of the authentication process is verifying the authentication information of the wireless terminal, for example whether the user name and password are correct; the other side is managing the network permissions of users who have passed authentication. Network permission management means assigning different network access resources to different users or user groups. Network permissions include, but are not limited to, access control lists (ACL), bandwidth, rate limits, virtual LANs (VLAN) and quality of service (QoS).
Some wireless access authentication modes that are comparatively simple to deploy, such as the PSK authentication mode, authenticate solely by the authentication password provided by the wireless terminal. In the prior art, an authentication system using such a mode can set only a single preset password for each service set identifier (SSID) it defines, and such an authentication system has certain problems when performing network permission management for users.
Specifically, when the authentication system defines only one SSID, all users who can access that SSID use the same authentication password, which matches the preset password. Clearly, the authentication system cannot distinguish between different users on the basis of one and the same authentication password, and therefore cannot perform user-differentiated permission management either. To distinguish between users, the prior art has to define multiple SSIDs in the authentication system, set a different preset password for each SSID and at the same time configure a different preset network permission for each SSID. The user first selects the SSID to access on the wireless terminal and then enters the authentication password; if the authentication password matches the preset password corresponding to that SSID, wireless access authentication of the wireless terminal succeeds and the authentication system assigns the user the preset network permission corresponding to that SSID.
For example, inside a shopping mall where customers and employees are to be given different network permissions, two SSIDs can be defined in the authentication system, named "SSID-customer" and "SSID-employee". "SSID-customer" is given a first password and "SSID-employee" a second password; the first password is told to customers and the second password to employees. A customer selects "SSID-customer" on his wireless terminal and enters the first password to access the Wi-Fi network and obtain customer permissions; an employee selects "SSID-employee" on his wireless terminal and enters the second password to access the Wi-Fi network and obtain employee permissions.
However, the inventor has found through long study that performing network permission management by defining multiple SSIDs in the authentication system has many drawbacks:
First, it is inconvenient for users: multiple SSIDs appear when searching for Wi-Fi networks on the wireless terminal, and users find it hard to decide which SSID to select.
Second, each SSID has to be configured and managed in the authentication system, and the management cost is high.
Third, each SSID continually broadcasts beacon frames to inform wireless terminals of its existence, typically at an interval of 100 ms, and beacon frames are sent at a relatively low rate, so they consume a large amount of air time. In some special settings, such as a large concert where a large number of AP devices are deployed and every SSID of every AP device broadcasts beacon frames, this problem is especially pronounced.
The wireless access authentication method and system provided by embodiments of the present invention achieve user-differentiated permission management even when only one SSID is defined in the authentication system, and thereby solve the above problems of the prior art.
First embodiment:
The wireless access authentication method provided by this embodiment is applied to an authentication system. The authentication system may have various architectures; in this embodiment it consists of an AP device and an AC device communicatively connected to the AP device, where, depending on the actual application environment, the AC device may be replaced by a network management system (NMS).
When the Wi-Fi network is deployed, only one SSID is configured on the AC device, and a user configuration file is configured on the AC device. The user configuration file contains multiple user groups, and each user group may contain a group name, a preset password, a preset network access permission and similar contents. For example, inside a shopping mall where customers and employees are to be given different network permissions, the contents of the configuration file can be:
Group name   Preset password   VLAN   ACL                              Bandwidth
customer     Guest123          20     Internet only                    1 Mbps
employee     Employee123       10     internal network and Internet    5 Mbps
It should be understood that the contents of the table above are only illustrative; they do not imply that the user configuration file can only use the form of the table above, or only contain the contents of the table above.
After the user configuration file has been configured on the AC device, the AC device delivers it to the AP device; a copy of the user configuration file may be kept on the AC device.
Fig. 1 shows a flow chart of the wireless access authentication method provided by an embodiment of the present invention. Referring to Fig. 1, the method includes:
Step S10: the AP device obtains authentication information, sent by the wireless terminal, that characterizes an authentication password.
For security reasons, the authentication information is generally a piece of information, suitable for transmission over the network, that is generated from the original authentication password; it has a unique correspondence with the authentication password, i.e. it characterizes the authentication password, so that authenticating with the authentication information is equivalent to authenticating with the authentication password. The authentication password may be entered by the user when accessing the Wi-Fi network this time, or may have been saved on the wireless terminal when the user last accessed the Wi-Fi network. After the wireless terminal has generated the authentication information from the authentication password, it sends the authentication information to the AP device, where it is obtained by the AP device.
Step S11: the AP device determines whether the authentication information matches the preset authentication information corresponding to any one of the multiple user groups associated with the authentication system.
For security reasons, the preset authentication information is generally a piece of information, suitable for transmission over the network, that is generated from the original preset password; it has a unique correspondence with the preset password, i.e. it characterizes the preset password, so that authenticating with the preset authentication information is equivalent to authenticating with the preset password. The preset authentication information may be generated before step S11, either on the AP device or on the AC device; in the latter case the preset passwords in the user configuration file delivered from the AC device to the AP device have already been replaced by preset authentication information. The user configuration file contains multiple user groups, each corresponding to one preset password; given the correspondence between preset password and preset authentication information, each user group can equally be regarded as corresponding to one piece of preset authentication information. Each user group in the user configuration file is traversed, its preset authentication information is taken out and compared with the authentication information. If some preset authentication information matches, authentication succeeds and the subsequent steps are performed; if no preset authentication information matches, authentication fails. Here "matching" may mean being equal, or satisfying some preset relation.
Step S12: if so, the AP device obtains the matching preset network permission of the matching user group to which the matching preset authentication information, which matches the authentication information, belongs.
If authentication succeeds, the preset authentication information that matches the authentication information is called the matching preset authentication information, the user group in the user configuration file to which the matching preset authentication information belongs is called the matching user group, and the preset network permission in the matching user group is called the matching preset network permission. The matching preset network permission is assigned to the user of the wireless terminal; assigning means recording on the AP device the correspondence between that user and the matching preset network permission.
Step S13: the AP device and/or the AC device cause the matching preset network permission of the wireless terminal to take effect.
Although the matching preset network permission has been assigned to the authenticated user in step S12, the permission does not necessarily take effect yet. According to existing wireless communication standards, some further data interaction takes place between the wireless terminal and the authentication system, and the matching preset network permission takes effect only after that interaction is complete; taking effect means that the user actually obtains the matching preset network permission. Depending on the contents of the matching preset network permission, the activation process may be completed on the AP device, on the AC device, or partly on the AP device and partly on the AC device. Where part or all of the matching preset network permission needs to take effect on the AC device, step S13 may also include the AP device sending the matching preset authentication information to the AC device, and the AC device, using its stored copy of the user configuration file, activating the part or all of the matching preset network permission corresponding to that matching preset authentication information.
In summary, the wireless access authentication method provided by this embodiment configures multiple user groups with different preset authentication information in the user configuration file, so that users can be distinguished solely by the authentication information provided by the wireless terminal, and network permission management of the distinguished users can then be completed. Given the unique correspondence between authentication information and authentication password, different users only need to enter different authentication passwords when accessing the Wi-Fi network to obtain different network permissions. For example, with the user configuration file in the table above, a customer in the mall selects the mall's only SSID on his wireless terminal and enters Guest123 to obtain the customer permissions: VLAN 20, an ACL allowing access to the Internet only, and 1 Mbps of bandwidth; an employee in the mall selects the same SSID on his wireless terminal and enters Employee123 to obtain the employee permissions: VLAN 10, an ACL allowing access to the internal network and the Internet, and 5 Mbps of bandwidth. The whole process is very simple, only one SSID has to be selected, and the various problems caused by defining multiple SSIDs in the authentication system are avoided.
Second embodiment:
The authentication system in this embodiment consists of an AP device and an AC device communicatively connected to the AP device, where, depending on the actual application environment, the AC device may be replaced by an NMS. In this embodiment, when the Wi-Fi network is deployed, the user configuration file is configured on the AC device and is not delivered to the AP device but stored on the AC device. The wireless access authentication method provided by this embodiment is:
the AP device obtains authentication information, sent by the wireless terminal, that characterizes an authentication password, and sends the authentication information to the AC device;
the AC device determines whether the authentication information matches the preset authentication information corresponding to any one of the multiple user groups associated with the authentication system;
if so, the AC device obtains the matching preset network permission of the matching user group to which the matching preset authentication information, which matches the authentication information, belongs;
the AP device and/or the AC device cause the matching preset network permission of the wireless terminal to take effect. Where part or all of the matching preset network permission needs to take effect on the AP device, this step includes the AC device sending the matching preset network permission to the AP device, and the AP device activating that part or all of the matching preset network permission for the authenticated user.
This embodiment provides a deployment of the wireless access authentication method in the authentication system that differs from the first embodiment; in practice the deployment can be chosen according to actual needs and the capabilities of the specific devices.
3rd embodiment:
The authentication system in this embodiment consists of an AP device and an AC device communicatively connected to the AP device, where, depending on the actual application environment, the AC device may be replaced by an NMS. In this embodiment, when the Wi-Fi network is deployed, the user configuration file is configured on the AC device and is not delivered to the AP device but stored on the AC device; only the preset passwords in the user configuration file, or the preset authentication information characterizing those preset passwords, are delivered to the AP device. The wireless access authentication method provided by this embodiment is:
the AP device obtains authentication information, sent by the wireless terminal, that characterizes an authentication password;
the AP device determines whether the authentication information matches the preset authentication information corresponding to any one of the multiple user groups associated with the authentication system;
if so, the AP device obtains the matching preset authentication information that matches the authentication information;
the AP device sends the matching preset authentication information to the AC device. As explained above, the AP device in this embodiment holds only the preset authentication information and no user group information, so it must send the matching preset authentication information to the AC device for processing;
the AC device obtains the matching preset network permission of the matching user group to which the matching preset authentication information, which matches the authentication information, belongs;
the AP device and/or the AC device cause the matching preset network permission of the wireless terminal to take effect. Where part or all of the matching preset network permission needs to take effect on the AP device, this step includes the AC device sending the matching preset network permission to the AP device, and the AP device activating that part or all of the matching preset network permission for the authenticated user.
This embodiment provides a deployment of the wireless access authentication method in the authentication system that differs from the first embodiment; in practice the deployment can be chosen according to actual needs and the capabilities of the specific devices.
Fourth embodiment:
The authentication system in this embodiment is an AP device, generally a fat AP such as a home wireless router. In this embodiment, when the Wi-Fi network is deployed, the user configuration file is configured on the AP device. The wireless access authentication method provided by this embodiment is:
the AP device obtains authentication information, sent by the wireless terminal, that characterizes an authentication password;
the AP device determines whether the authentication information matches the preset authentication information corresponding to any one of the multiple user groups associated with the authentication system;
if so, the AP device obtains the matching preset authentication information that matches the authentication information, and from the user configuration file the matching preset network permission of the matching user group to which it belongs;
the AP device causes the matching preset network permission of the wireless terminal to take effect.
This embodiment provides a deployment of the wireless access authentication method in the authentication system that differs from the first embodiment; in practice the deployment can be chosen according to actual needs and the capabilities of the specific devices.
5th embodiment:
The wireless access authentication method provided by the first embodiment can be applied to the PSK authentication mode. The PSK authentication mode, which specifically includes WPA-PSK, WPA2-PSK and the like, authenticates using only the password entered by the user; its deployment is also quite simple, since no additional authentication server has to be built, and it is currently a popular wireless access authentication mode.
PSK authentication is a 4-way handshake process, and Fig. 2 shows a schematic diagram of the 4-way handshake of PSK authentication. Referring to Fig. 2, the handshake takes place between a supplicant and an authenticator; the supplicant is usually the wireless terminal and the authenticator is usually the authentication system.
The handshake is in fact a process in which the wireless terminal and the authentication system negotiate and confirm a transmission key. This key is the pairwise transient key (PTK); after the 4-way handshake is completed, all data transmitted between the wireless terminal and the authentication system is encrypted with the PTK (more precisely, with the temporal key it contains) to ensure security.
As shown in Fig. 2, before the handshake starts, the wireless terminal and the authentication system each generate a pairwise master key (PMK). For the authentication system, the preset password for accessing the Wi-Fi network was set when the Wi-Fi network was built; the PSK of the authentication system can be generated from the preset password, and the PMK of the authentication system can in turn be generated from that PSK (in WPA/WPA2-PSK the PMK is the PSK itself, derived from the passphrase and the SSID), so the PMK of the authentication system can be regarded as uniquely corresponding to the preset password. For the wireless terminal, the authentication password may be entered by the user when accessing the Wi-Fi network this time, or may have been saved on the wireless terminal when the user last accessed the Wi-Fi network; the PSK of the wireless terminal can be generated from the authentication password, and the PMK of the wireless terminal in turn from that PSK, so the PMK of the wireless terminal can be regarded as uniquely corresponding to the authentication password.
The PTK is computed from the PMK, the MAC address of the authentication system, the random number ANonce of the authentication system, the MAC address of the wireless terminal and the random number SNonce of the wireless terminal. Before the handshake begins, the wireless terminal and the authentication system have already learned each other's MAC addresses through other messages.
First handshake message: the authentication system generates the random number ANonce and sends it to the wireless terminal; the wireless terminal generates the random number SNonce. As set out above, the wireless terminal can now generate its PTK. From this PTK and an 802.1X data frame (the EAPOL-Key frame), the wireless terminal generates a message integrity code (MIC). The MIC of the wireless terminal can be regarded as a digest uniquely corresponding to the PMK of the wireless terminal.
Second handshake message: the wireless terminal sends the random number SNonce it generated, its MIC and the 802.1X data frame to the authentication system. As set out above, the authentication system can now generate its PTK and, from this PTK and the received 802.1X data frame, its own MIC, which can be regarded as a digest uniquely corresponding to the PMK of the authentication system. The MIC of the wireless terminal and the MIC of the authentication system are compared. If they are equal, the PMK of the wireless terminal is identical to the PMK of the authentication system, and by the correspondence between PMK and original password the authentication password of the wireless terminal is considered successfully verified; the authentication system then generates the group temporal key (GTK). If they are not equal, the PMK of the wireless terminal differs from the PMK of the authentication system, the authentication password of the wireless terminal is considered to have failed verification, and the handshake fails.
Third time is shaken hands:The MIC of GTK and Verification System is sent to wireless terminal by Verification System.
4-Way Handshake:Wireless terminal sends ACK to Verification System and confirmed.
Understood according to being set forth above, the core of verification process is second handshake process above, in second handshake mistake Cheng Zhong, the PMK of wireless terminal is verified.
The wireless access authentication method that first embodiment provides can apply to the second handshake mistake of PSK authentication mode Journey.And the wireless access authentication method that the present embodiment provides, it is that the wireless access authentication method provided for first embodiment exists Using a kind of specific implementation during PSK authentication mode, it will be understood that the wireless access authentication method that first embodiment provides There can also be other concrete methods of realizing using PSK authentication mode.
Fig. 3 shows a flow chart of step S11 of the wireless access authentication method provided by an embodiment of the present invention. Referring to Fig. 3, step S11 includes:
S110: the AP device judges whether the message carrying the authentication information is the second handshake message of PSK authentication.
The second handshake in the PSK authentication mode is the process in which the authentication information is verified, and the wireless access authentication method of the present embodiment improves this verification step so that different users can be distinguished by their authentication information. Because the PSK authentication mode is part of the 802.11i standard, this improvement has minimal impact on the original verification process and does not introduce incompatibility with the existing standard. Therefore, for the message containing the authentication information obtained in step S10, the AP device first judges whether it is the second handshake message; if so, the subsequent steps continue, and if not, the handshake fails.
S111: if so, the AP device judges whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system.
Fig. 4 shows a flow chart of step S111 of the wireless access authentication method provided by an embodiment of the present invention. Referring to Fig. 4, step S111 includes:
S111a: the AP device judges whether the terminal MIC corresponding to the terminal PMK is equal to the system-side MIC corresponding to the system-side PMK of any user group among the multiple user groups.
Here, the terminal PMK is the PMK of the wireless terminal, the terminal MIC is the MIC of the wireless terminal, the system-side PMK is the PMK of the authentication system, and the system-side MIC is the MIC of the authentication system.
In the PSK authentication mode, the authentication information is the MIC of the wireless terminal, generated in the same way as in the existing PSK authentication mode. The preset authentication information is the PMK of the authentication system; there are multiple such PMKs, each generated from the preset password corresponding to one user group in the user configuration table, again in the same way as in the existing PSK authentication mode. Further, from the PMK of the authentication system corresponding to each user group, the MIC of the authentication system corresponding to that user group is generated, again by the existing method. The MICs of the authentication system corresponding to the user groups are traversed and compared with the MIC of the wireless terminal, to judge whether there exists a user group whose authentication-system MIC is equal to the MIC of the wireless terminal.
S111b: if so, the authentication information matches the preset authentication information corresponding to that user group among the multiple user groups.
If there is a user group whose authentication-system MIC equals the MIC of the wireless terminal, the MIC of the wireless terminal matches the PMK of the authentication system for that user group, and therefore the PMK of the wireless terminal equals the PMK of the authentication system for that user group: authentication succeeds, the matching preset authentication information is the PMK of the authentication system that matched, and the subsequent steps continue. If no user group's authentication-system MIC equals the MIC of the wireless terminal, authentication fails and the handshake ends.
In addition, for the PSK authentication mode, the matching preset network permission needs to take effect only after the 4-way handshake has completed.
In summary, the wireless access authentication method of the present embodiment improves the second handshake of the PSK authentication mode, retains the deployment simplicity of PSK authentication, and at the same time distinguishes users solely by the PMK of the wireless terminal, so that network permission management for the distinguished users can be completed. Given the unique correspondence between the PMK of the wireless terminal and the authentication password entered by the user, different users only need to enter different authentication passwords when accessing the Wi-Fi network to obtain different network permissions. Moreover, the method of the present embodiment involves only the authentication system side; no change is needed on the wireless terminal side, which simply operates according to the existing PSK authentication mode. Obviously, the wireless access authentication methods provided in the second, third and fourth embodiments can also be applied to the PSK authentication mode.
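The following Python program is an added example, not code from the patent or from the applicant: it works through the handshake computations described above and the matching procedure of steps S110 to S111b end to end. The key derivations are the standard WPA2-PSK ones (PBKDF2-HMAC-SHA1 for the PMK, PRF-384 for the PTK, and the 16-byte HMAC-SHA1 MIC of key descriptor version 2); the EAPOL-Key frame layout is a constructed simplification (key information, nonce, MIC), and the SSID, group configuration, MAC addresses and nonces are constructed sample values. The class and function names are hypothetical.

```python
"""Multi-PSK matching at message 2 of the WPA2 4-way handshake (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# ---- standard 802.11i / WPA2-PSK derivations (unchanged by the scheme) ----
def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf384(key: bytes, label: bytes, data: bytes) -> bytes:
    """PRF-384: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, 2, cut to 48 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(3))
    return b"".join(blocks)[:48]

def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MAC addresses and both nonces; the KCK is its first 16 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf384(pmk, b"Pairwise key expansion", data)[:16]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 MIC: HMAC-SHA1 over the frame with its MIC field zeroed, 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

# ---- constructed, simplified EAPOL-Key layout: key_info(2) | nonce(32) | mic(16) ----
KEY_INFO_MIC, KEY_INFO_ACK, KEY_INFO_SECURE = 0x0100, 0x0080, 0x0200
MSG2_KEY_INFO = 0x010A   # pairwise + MIC, descriptor version 2
MSG4_KEY_INFO = 0x030A   # pairwise + MIC + secure

def build_frame(key_info: int, nonce: bytes, mic: bytes) -> bytes:
    return key_info.to_bytes(2, "big") + nonce + mic

def is_second_handshake(frame: bytes) -> bool:
    """S110: message 2 carries a MIC but has neither the Ack nor the Secure bit set."""
    ki = int.from_bytes(frame[:2], "big")
    return bool(ki & KEY_INFO_MIC) and not (ki & KEY_INFO_ACK) and not (ki & KEY_INFO_SECURE)

def terminal_message2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Wireless terminal side: ordinary WPA2-PSK behaviour, nothing changes for the client."""
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    unsigned = build_frame(MSG2_KEY_INFO, snonce, bytes(16))
    return build_frame(MSG2_KEY_INFO, snonce, eapol_mic(kck, unsigned))

@dataclass
class UserGroup:
    name: str
    pmk: bytes        # system-side PMK, derived once from the group's preset password
    permission: str   # preset network permission (constructed label)

@dataclass
class Authenticator:
    mac: bytes
    groups: list
    sessions: dict = field(default_factory=dict)   # sta_mac -> {"group", "permission", "active"}

    @classmethod
    def from_config(cls, mac, ssid, config):
        """config: {group name: (preset password, permission)}; PBKDF2 runs once per group here."""
        return cls(mac, [UserGroup(n, pmk_from_passphrase(pw, ssid), p) for n, (pw, p) in config.items()])

    def handle_message2(self, sta_mac, anonce, frame):
        """S110 + S111: return the matching group's name, or None (handshake fails)."""
        if not is_second_handshake(frame):
            return None
        snonce, terminal_mic = frame[2:34], frame[34:50]
        zeroed = frame[:34] + bytes(16) + frame[50:]
        for g in self.groups:                               # S111a: traverse the per-group PMKs
            kck = derive_kck(g.pmk, self.mac, sta_mac, anonce, snonce)
            if hmac.compare_digest(eapol_mic(kck, zeroed), terminal_mic):
                # S111b: equal MICs mean the terminal PMK equals this group's system-side PMK
                self.sessions[sta_mac] = {"group": g.name, "permission": g.permission, "active": False}
                return g.name
        return None

    def handle_message4(self, sta_mac, frame):
        """The matched permission comes into force only once the 4-way handshake completed."""
        s = self.sessions.get(sta_mac)
        if s is None or int.from_bytes(frame[:2], "big") != MSG4_KEY_INFO:
            return None
        s["active"] = True
        return s["permission"]

    def active_permission(self, sta_mac):
        s = self.sessions.get(sta_mac)
        return s["permission"] if s and s["active"] else None

# ---- constructed sample data for a stand-alone run ----
SSID = "example-office"
CONFIG = {"staff": ("staff-preset-pw", "intranet+internet"), "guest": ("guest-preset-pw", "internet-only")}
AP_MAC, STA_MAC = bytes.fromhex("0242ac110002"), bytes.fromhex("0242ac110033")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def demo():
    ap = Authenticator.from_config(AP_MAC, SSID, CONFIG)
    matched = ap.handle_message2(STA_MAC, ANONCE,
                                 terminal_message2("guest-preset-pw", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE))
    before = ap.active_permission(STA_MAC)          # nothing in force yet after message 2
    granted = ap.handle_message4(STA_MAC, build_frame(MSG4_KEY_INFO, bytes(32), bytes(16)))
    wrong = ap.handle_message2(STA_MAC, ANONCE,
                               terminal_message2("not-a-configured-pw", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE))
    return matched, before, granted, wrong

if __name__ == "__main__":
    print(demo())   # ('guest', None, 'internet-only', None)
```

Two design points matter for an authenticator implementing this scheme. The per-group PMKs are computed once at configuration time, because PBKDF2 with 4096 iterations is deliberately slow, so the cost of each message 2 is one PRF-384 and one HMAC per configured group, which grows linearly with the number of groups; and the MIC comparison uses a constant-time compare, since the terminal MIC is attacker-controlled input.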
Sixth embodiment:
Fig. 5 shows a functional block diagram of the wireless access authentication system provided by an embodiment of the present invention. Referring to Fig. 5, the wireless access authentication system 100 provided by the present embodiment includes an authentication information acquisition module 110, an authentication information judging module 120, a permission acquisition module 130 and a permission activation module 140. The wireless access authentication system 100 corresponds to multiple user groups, and each user group among the multiple user groups corresponds to preset authentication information characterizing a preset password and to a preset network access permission.
The authentication information acquisition module 110 is configured to obtain the authentication information characterizing the authentication password sent by the wireless terminal. The authentication information judging module 120 is configured to judge whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the wireless access authentication system 100. The permission acquisition module 130 is configured, if so, to obtain the matching preset network permission of the matching user group to which the matching preset authentication information belongs. The permission activation module 140 is configured to control the matching preset network permission of the wireless terminal to be in the active state.
In summary, the wireless access authentication system provided by the present embodiment has a simple authentication mode and allows differentiated permission management for different users.
It should be noted that the embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus embodiments are substantially similar to the method embodiments, they are described fairly briefly, and the relevant parts may be found in the description of the method embodiments.
In the embodiments provided herein, it should be understood that the disclosed apparatus and method may also be realized in other ways. The apparatus embodiments described above are merely illustrative. For example, the flow charts and block diagrams in the accompanying drawings show the architecture, functions and operations that may be realized by the apparatus, methods and computer program products of multiple embodiments of the present invention. In this regard, each block in a flow chart or block diagram may represent a module, a program segment or a part of code, which includes one or more executable instructions for realizing the specified logic function. It should also be noted that in some alternative implementations the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in a block diagram and/or flow chart, and any combination of such blocks, may be realized by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated to form an independent part, may each exist separately, or two or more modules may be integrated to form an independent part.
If the functions are realized in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code. It should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relation or order between these entities or operations. Moreover, the terms "comprise", "include" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included in its scope of protection. It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings.
The foregoing is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or replacement that those skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be covered by its scope of protection. Therefore, the scope of protection of the present invention shall be defined by the scope of the claims.

Claims (10)

1. A wireless access authentication method, applied to an authentication system, characterized in that the authentication system corresponds to multiple user groups, each user group among the multiple user groups corresponding to preset authentication information characterizing a preset password and to a preset network access permission, the method comprising:
obtaining authentication information characterizing an authentication password sent by a wireless terminal;
judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system;
if so, obtaining the matching preset network permission of the matching user group to which the matching preset authentication information matching the authentication information belongs;
controlling the matching preset network permission of the wireless terminal to be in an active state.
2. The wireless access authentication method according to claim 1, characterized in that judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system comprises:
judging whether the message carrying the authentication information is the second handshake message of pre-shared-key authentication;
if so, judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system.
3. The wireless access authentication method according to claim 2, characterized in that the authentication information is the terminal message integrity code corresponding to the terminal pairwise master key generated by the wireless terminal from the authentication password, the preset authentication information is the system-side pairwise master key generated by the authentication system from the preset password, and judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system comprises:
judging whether the terminal message integrity code corresponding to the terminal pairwise master key is equal to the system-side message integrity code corresponding to the system-side pairwise master key of any user group among the multiple user groups;
if so, the authentication information matches the preset authentication information corresponding to that user group among the multiple user groups.
4. The wireless access authentication method according to any one of claims 1 to 3, characterized in that the authentication system comprises an AP device, and obtaining the authentication information characterizing the authentication password sent by the wireless terminal comprises:
the AP device obtaining the authentication information characterizing the authentication password sent by the wireless terminal.
5. The wireless access authentication method according to claim 4, characterized in that the authentication system further comprises an AC device communicatively connected to the AP device, and judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system comprises:
the AP device or the AC device judging whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system.
6. The wireless access authentication method according to claim 5, characterized in that obtaining the matching preset network permission of the matching user group to which the matching preset authentication information matching the authentication information belongs comprises:
the AP device or the AC device obtaining the matching preset network permission of the matching user group to which the matching preset authentication information belongs.
7. The wireless access authentication method according to claim 6, characterized in that, after the AP device or the AC device judges whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the authentication system, and before the AP device or the AC device obtains the matching preset network permission of the matching user group to which the matching preset authentication information belongs, the method further comprises:
if so, the AP device obtaining the matching preset authentication information matching the authentication information;
the AP device sending the matching preset authentication information to the AC device.
8. The wireless access authentication method according to claim 6, characterized in that controlling the matching preset network permission of the wireless terminal to be in the active state comprises:
the AP device and/or the AC device controlling the matching preset network permission of the wireless terminal to be in the active state.
9. The wireless access authentication method according to claim 8, characterized in that, before the AP device and/or the AC device controls the matching preset network permission of the wireless terminal to be in the active state, the method further comprises:
the AC device sending the matching preset network permission to the AP device.
10. A wireless access authentication system, characterized in that the wireless access authentication system corresponds to multiple user groups, each user group among the multiple user groups corresponding to preset authentication information characterizing a preset password and to a preset network access permission, the wireless access authentication system comprising:
an authentication information acquisition module, configured to obtain authentication information characterizing an authentication password sent by a wireless terminal;
an authentication information judging module, configured to judge whether the authentication information matches the preset authentication information corresponding to any user group among the multiple user groups corresponding to the wireless access authentication system;
a permission acquisition module, configured, if so, to obtain the matching preset network permission of the matching user group to which the matching preset authentication information matching the authentication information belongs;
a permission activation module, configured to control the matching preset network permission of the wireless terminal to be in an active state.
CN201711132481.1A 2017-11-15 2017-11-15 Wireless access authentication method and system Pending CN107734505A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711132481.1A CN107734505A (en) 2017-11-15 2017-11-15 Wireless access authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711132481.1A CN107734505A (en) 2017-11-15 2017-11-15 Wireless access authentication method and system

Publications (1)

Publication Number Publication Date
CN107734505A true CN107734505A (en) 2018-02-23

Family

ID=61216678

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711132481.1A Pending CN107734505A (en) 2017-11-15 2017-11-15 Wireless access authentication method and system

Country Status (1)

Country Link
CN (1) CN107734505A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247336A (en) * 2008-03-07 2008-08-20 中兴通讯股份有限公司 Method and server for controlling multilevel access authority of access user
CN102348209A (en) * 2011-09-23 2012-02-08 福建星网锐捷网络有限公司 Method and device for wireless network access and authentication
CN102726080A (en) * 2009-12-23 2012-10-10 马维尔国际贸易有限公司 Station-to-station security associations in personal basic service sets
CN102843687A (en) * 2012-09-18 2012-12-26 惠州Tcl移动通信有限公司 Smartphone portable point safe access system and method
CN105141629A (en) * 2015-09-18 2015-12-09 于博涵 Method for improving network security of public Wi-Fi based on WPA/WPA2 PSK multiple passwords
CN105991613A (en) * 2015-03-03 2016-10-05 北京神州泰岳信息安全技术有限公司 Resource remote login method and system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110856174A (en) * 2019-12-13 2020-02-28 上海兴容信息技术有限公司 Access authentication system, method, device, computer equipment and storage medium
CN111885561A (en) * 2020-06-30 2020-11-03 北京小米移动软件有限公司 Wireless network connection, NFC information writing method, device and storage medium
CN111885561B (en) * 2020-06-30 2024-02-13 北京小米移动软件有限公司 Wireless network connection, NFC information writing method, device and storage medium
CN111935717B (en) * 2020-10-09 2021-01-08 中科开创(广州)智能科技发展有限公司 Authentication method and device of WAPI system and computer equipment

Similar Documents

Publication Publication Date Title
CN105306464B (en) Wireless network authentication apparatus and method
RU2333607C2 (en) Key generation in communication system
US20230328516A1 (en) Device based credentials
US20200162913A1 (en) Terminal authenticating method, apparatus, and system
CN104994118A (en) WiFi authentication system and method based on dynamic password
CN104168561B (en) Hot spot configuration method, cut-in method and equipment in a kind of WLAN
CN106921963A (en) A kind of smart machine accesses the method and device of WLAN
WO2017219673A1 (en) Vowifi network access method and system, and terminal
CN105898743B (en) A kind of method for connecting network, apparatus and system
US20170099137A1 (en) Secure connection method for network device, related apparatus, and system
US20070269048A1 (en) Key generation in a communication system
CN102843687A (en) Smartphone portable point safe access system and method
CN103596173A (en) Wireless network authentication method, client wireless network authentication device, and server wireless network authentication device
CN101500229A (en) Method for establishing security association and communication network system
CN104010297B (en) Wireless terminal configuration method and device and wireless terminal
CN102111766A (en) Network accessing method, device and system
CN107734505A (en) Wireless access authentication method and system
CN107359991A (en) A kind of router, the method for generating cipher code of router guest network and system
WO2007021094A1 (en) Method for performing multiple pre-shared key based authentication at once and system for executing the method
CN106658488A (en) Intelligent household electric appliance, method and apparatus for safely accessing the intelligent household electric appliance
WO2015117514A1 (en) Method for accessing lte network, electronic device, and computing storage medium
CN103096317A (en) Two-way authentication method and system based on sharing enciphered data
CN110831000B (en) Secure access method, device and system
CN104902473A (en) Wireless network access authentication method and device based on CPK (Combined Public Key Cryptosystem) identity authentication
WO2016026429A1 (en) Method, device, and equipment for wireless network configuration, access, and visit

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180223