CN110784872B - Campus network WLAN roaming access authentication system and method based on SDN - Google Patents


Info

Publication number
CN110784872B
Authority
CN
China
Prior art keywords
authentication
terminal
frame
access point
sdn controller
Legal status
Active
Application number
CN201911046793.XA
Other languages
Chinese (zh)
Other versions
CN110784872A
Inventor
陆以勤
王君君
覃健诚
程喆
Current Assignee
South China University of Technology SCUT
Original Assignee
South China University of Technology SCUT
Events
Application filed by South China University of Technology SCUT
Priority to CN201911046793.XA
Publication of CN110784872A
Application granted
Publication of CN110784872B
Current legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04W 36/00: Hand-off or reselection arrangements
    • H04W 36/08: Reselecting an access point

Abstract

The invention discloses a campus network WLAN roaming access authentication system and method based on SDN. The system comprises an access and data forwarding device and a control authentication device. The access and data forwarding device comprises an access point AP, an OpenFlow switch and a wireless access gateway; the control authentication device comprises an SDN controller and an AAA authentication server. In the method, the authentication request frame of a terminal is sent to the OpenFlow switch, which forwards it to the SDN controller for authentication. If authentication at the SDN controller fails (no cached authentication frame matches the terminal), the SDN controller interacts with the AAA authentication server: the authentication request frame is forwarded to the AAA authentication server for authentication, and the authentication result information is returned to the access point AP through the SDN controller and the OpenFlow switch. This authentication access mode shortens the roaming access time and improves the roaming service quality.

Description

Campus network WLAN roaming access authentication system and method based on SDN
Technical Field
The invention relates to a campus network WLAN roaming access authentication technology, in particular to a campus network WLAN roaming access authentication system and method based on an SDN.
Background
With the rapid development of mobile intelligent terminals, users rely on mobile devices more and more widely, and wireless network access has become the most common way of reaching the Internet. Today the deployment of wireless local area networks (WLANs) based on the IEEE 802.11 standard is ubiquitous. A mobile terminal that wants to reach the Internet through a WLAN must first complete access authentication, which therefore occupies an important position in the WLAN. The basic principle of WLAN access authentication is as follows: the network management server maintains basic information on registered users (user account, user password, user age, user gender, etc.). When a user requests access to the WLAN, the network management server authenticates the user's identity, generally by checking the user account and password; if the check passes, the user may access the WLAN, otherwise access is refused. This mode is suitable for the user's initial authentication and its security is relatively high. However, when a mobile terminal that has completed initial authentication at one access point AP moves (roams) within a short time, for example several hours, into the coverage of another access point AP, the user must again enter the information manually and repeat the same procedure as the initial authentication, which degrades the user's Internet experience over that short period and is inconvenient. The traditional WLAN roaming access authentication methods therefore have long authentication delay, lack a whole-network view and lack flexibility.
With the advent of software defined networking (SDN), how to make networks flexible and controllable has become a focus of attention. SDN adopts centralized control with distributed forwarding, achieving global optimization of the control plane together with high-performance forwarding; it has a global network view, can follow the network's operating state in real time, and makes the whole network easier to manage. Given these advantages, the SDN idea of separating control from forwarding has been introduced into WLANs to address their problems, giving rise to software defined wireless networks (SDWN). SDWN inherits the centralized control, programmability, virtualization and flexibility of SDN and provides a new approach to many problems of traditional WLANs.
The authentication technology of the traditional WLAN is divided by level into link-level authentication and network-level authentication. Network-level authentication is commonly adopted in small and medium-sized networks such as campus and enterprise networks, and the authentication modes currently in common use for WLAN access during roaming are: 1. MAC address authentication; 2. Portal authentication; 3. 802.1X authentication. They are briefly introduced as follows.
Prior art 1: MAC address authentication.
Principle: in a WLAN, the authenticating side maintains a list of MAC addresses of registered users; when a user requests access, the authenticating side checks the user's MAC address, and only a user whose address is on the list is admitted.
Disadvantages: since only the MAC address is verified, the authentication time is short and the process simple, but the security is low.
Prior art 2: Portal authentication.
Principle: in a WLAN, when a user tries to access the network, the user side receives a web authentication page served by the Portal authentication server. When the user enters information and submits the page, the Portal authentication server obtains the user information and matches it against a back-end database; a successful match means successful authentication, a failed match means failed authentication. Portal authentication is therefore also called web authentication.
Disadvantages: although Portal authentication improves the security of access verification, the process is more complex than MAC address authentication and the authentication time is longer; when a user moves from one network to another within the WLAN, the user must re-enter the information, which is troublesome.
Prior art 3: 802.1X authentication.
Principle: 802.1X authenticates an accessing terminal against a RADIUS server through a series of connection and authentication protocols. The most important of these is EAP, which strictly speaking is not a single authentication protocol but a framework for exchanging authentication information between the terminal and the authentication server. EAP is necessarily used in 802.1X authentication because an 802.1X-based authentication system transmits authentication information between the terminal and the authentication system as EAP packets encapsulated in EAPOL frames.
Disadvantages: when 802.1X is used for roaming authentication, the authentication time is prolonged, the requirements of real-time voice and video services cannot be met, traffic congestion may occur at the access point reached after roaming, and roaming access is not flexible enough.
In summary, the existing conventional campus network WLAN roaming access authentication techniques are either low in security, or improved in security but prolonged in authentication time.
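The EAPOL encapsulation described under prior art 3 is also the form in which the authentication request frame of this invention travels from the terminal through the access point AP and the OpenFlow switch to the SDN controller. The following parser is an added example, not code from the patent: it decodes an Ethernet frame carrying EAPOL (EtherType 0x888E) and the EAP packet inside it, and extracts the terminal's MAC address and EAP identity, which is the kind of terminal information a controller would pull out of such a frame. Field layouts follow IEEE 802.1X and RFC 3748; the sample frames are constructed here, and the identity string and MAC addresses are made up.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


@dataclass
class EapolFrame:
    """Decoded fields; the EAP fields stay None for EAPOL-Start/Logoff/Key."""
    src_mac: str
    dst_mac: str
    eapol_type: str
    eap_code: Optional[str] = None
    eap_identifier: Optional[int] = None
    eap_type: Optional[int] = None
    identity: Optional[str] = None


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode Ethernet + EAPOL + EAP headers; raise ValueError on malformed input."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (EtherType 0x{ethertype:04x})")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = frame[18:18 + body_len]
    if len(body) != body_len:  # the length field claims more than is present: never trust it
        raise ValueError("EAPOL body length exceeds frame")
    result = EapolFrame(mac_str(src), mac_str(dst), EAPOL_TYPES[ptype])
    if ptype != 0:
        return result
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[0:4])
    if code not in EAP_CODES or eap_len < 4 or eap_len > len(body):
        raise ValueError("malformed EAP header")
    result.eap_code, result.eap_identifier = EAP_CODES[code], ident
    if code in (1, 2):  # Request/Response carry a Type byte followed by Type-Data
        if eap_len < 5:
            raise ValueError("EAP Request/Response without Type field")
        result.eap_type = body[4]
        if result.eap_type == EAP_TYPE_IDENTITY:
            result.identity = body[5:eap_len].decode("utf-8", errors="replace")
    return result


def build_eapol(src_mac: bytes, dst_mac: bytes, ptype: int, eap: bytes = b"") -> bytes:
    """Assemble Ethernet + EAPOL (+ optional EAP body); used to construct the sample frames."""
    eapol = struct.pack("!BBH", 2, ptype, len(eap)) + eap
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def build_identity_response(src_mac: bytes, ident: int, identity: str) -> bytes:
    """EAP-Response/Identity (RFC 3748 section 5.1) from a supplicant to the PAE group address."""
    type_data = bytes([EAP_TYPE_IDENTITY]) + identity.encode("utf-8")
    eap = struct.pack("!BBH", 2, ident, 4 + len(type_data)) + type_data
    return build_eapol(src_mac, PAE_GROUP_ADDR, 0, eap)


# Constructed sample input: a made-up supplicant answering Identity request number 7
SUPPLICANT_MAC = bytes.fromhex("020000000001")
SAMPLE_IDENTITY_FRAME = build_identity_response(SUPPLICANT_MAC, 7, "alice@campus.example")
SAMPLE_START_FRAME = build_eapol(SUPPLICANT_MAC, PAE_GROUP_ADDR, 1)

if __name__ == "__main__":
    print(parse_eapol(SAMPLE_IDENTITY_FRAME))
    print(parse_eapol(SAMPLE_START_FRAME))
```

The length checks are the part worth keeping: an authenticator or controller that parses frames from unauthenticated terminals must bound every slice by the bytes actually received, not by the length fields the sender wrote.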
Disclosure of Invention
The invention provides a campus network WLAN roaming access authentication system and method based on SDN (software defined networking), aimed at the problems of the existing campus network WLAN roaming access authentication techniques, which are either low in security or improved in security at the cost of longer authentication time.
The invention is realized by at least one of the following technical schemes.
The system comprises an access and data forwarding device and a control authentication device, wherein the access and data forwarding device comprises an Access Point (AP), an OpenFlow switch and a wireless access gateway; the control authentication device comprises an SDN controller and an AAA authentication server;
the OpenFlow switch is used for sending the authentication request frame to the SDN controller and forwarding data to the wireless access gateway;
the wireless access gateway is used for receiving data sent by the OpenFlow switch and accessing the data to the Internet through the wireless access gateway;
the access point AP is connected with the terminal, and the authentication request frame of the terminal is sent to the OpenFlow switch, which forwards it to the SDN controller for authentication; if the authentication succeeds, the terminal is allowed to access. If the authentication does not succeed, the SDN controller interacts with the AAA authentication server: the authentication request frame is sent to the AAA authentication server for authentication, and the authentication result information is forwarded to the access point AP through the SDN controller and the OpenFlow switch; if that authentication succeeds the terminal access is allowed, otherwise the terminal access is rejected.
When the terminal accesses a network and then roams from one access point to another access point, the authentication information cache of the SDN controller can quickly authenticate the roaming terminal without an AAA authentication server, so that the roaming access time is shortened, and the roaming service quality is improved.
Further, when the terminal requests the AP, the communication between the AP and the terminal is accessed in an 802.1x authentication manner. And after the terminal successfully accesses the AP, the OpenFlow switch forwards the data packet to the wireless access gateway to access the Internet resource.
Further, if the authentication is successful, the communication between the AP and the terminal is accessed in an 802.1x authentication manner.
Further, the AAA authentication server authenticates the terminal using an 802.1X authentication method.
Further, the SDN controller is capable of caching authentication frames.
Further, the working process of the access and data forwarding device is specifically as follows. The terminal sends a Probe Request frame to the access point AP, and the access point AP answers with a Probe Response frame. The terminal then sends a GAS Request frame to the access point AP to request network information, and the access point AP replies with the corresponding GAS Response frame. The terminal then sends an Association Request frame to the access point AP to request a connection, and the access point AP replies with an Association Response frame, establishing the connection. Finally the terminal sends an authentication request frame to the access point AP; the access point AP sends it to the OpenFlow switch, and the OpenFlow switch forwards it to the SDN controller. If authentication succeeds, the access point AP allows the terminal to access; if it fails, the terminal is denied access.
Further, the working process of the control authentication device is specifically as follows. When the SDN controller receives an authentication request frame forwarded by the OpenFlow switch, it extracts the terminal information from the frame and matches it against its local authentication frame cache. If a match is found, the SDN controller sends the cached terminal authentication frame directly to the OpenFlow switch, the OpenFlow switch forwards it to the access point AP, and the access point AP admits the terminal. If no match is found, the SDN controller interacts with the AAA authentication server and forwards the authentication request frame to it. The AAA authentication server authenticates the request; if authentication passes, it sends the terminal authentication frame to the SDN controller, which forwards it to the access point AP through the OpenFlow switch, the access point AP admits the terminal, and the SDN controller stores the terminal authentication frame in the authentication frame cache. If the AAA authentication server rejects the request, it sends access-denied information to the SDN controller, which forwards it to the access point AP through the OpenFlow switch, and the access point AP denies the terminal access.
Further, if no terminal authentication frame for the terminal is cached in the SDN controller, the SDN controller interacts with the AAA authentication server once: it forwards the authentication request frame to the AAA authentication server; after the AAA authentication server has authenticated the request, it sends the authentication result to the SDN controller, which forwards it to the access point AP via the OpenFlow switch to admit the terminal, and at the same time the SDN controller stores the terminal's authentication frame in the authentication frame cache.
When the terminal roams after having accessed the network, the authentication frame cache of the SDN controller can rapidly authenticate the roaming terminal without involving the AAA authentication server. Compared with the existing WLAN roaming access modes, this authentication access mode gives faster access, shortens the roaming access time and improves the roaming service quality, which addresses the problems stated above.
An information caching function is built into the SDN controller so that it can cache authentication frames.
In the invention, after receiving an authentication request frame the SDN controller compares it with the cached authentication frame information. If the comparison succeeds, the SDN controller directly sends the successful authentication result to the OpenFlow switch, which forwards it to the access point AP. If the comparison fails, the SDN controller sends the authentication request frame to the AAA authentication server for authentication and receives the authentication result information from the AAA server; if the result is a terminal authentication frame (authentication passed), the SDN controller stores the terminal authentication frame in the authentication frame cache. Finally the SDN controller sends the authentication result information to the OpenFlow switch, which forwards it to the access point AP.
The authentication method for the SDN-based campus network WLAN roaming access authentication system comprises the following steps:
step 1, the terminal sends a Probe Request frame to the access point AP;
step 2, the access point AP sends a Probe Response frame to the terminal;
step 3, the terminal sends a GAS Request frame to the access point AP to request network information;
step 4, the access point AP replies with the corresponding GAS Response frame;
step 5, the terminal sends an Association Request frame to request a connection with the access point AP;
step 6, the access point AP replies with an Association Response frame, establishing the connection with the terminal;
step 7, the terminal sends an authentication request frame to the access point AP, the access point AP sends the authentication request frame to the OpenFlow switch, and the OpenFlow switch forwards it to the SDN controller;
step 8, if the SDN controller has the terminal authentication frame cached, go to step 12; otherwise continue with step 9;
step 9, the SDN controller forwards the authentication request frame to the AAA server for authentication;
step 10, if the AAA server passes the authentication it sends a terminal authentication frame to the SDN controller, otherwise it sends authentication failure information to the SDN controller;
step 11, if the SDN controller receives a terminal authentication frame, it stores the terminal authentication frame in the authentication frame cache;
step 12, the SDN controller issues the terminal authentication frame or the authentication failure information to the OpenFlow switch;
step 13, the OpenFlow switch issues the authentication result from the SDN controller to the corresponding access point AP;
step 14, when the access point AP receives the authentication information forwarded by the OpenFlow switch, it allows the terminal to access if the received frame is a terminal authentication frame, and refuses access if it is authentication failure information.
Compared with the prior art, the invention has the beneficial effects that: the system utilizes the flexibility of the SDN network to complete the roaming switching authentication of the user through the authentication frame buffer function on the SDN controller. In the system, when a terminal authentication frame of the access terminal is cached in an authentication frame cache of the SDN controller, the SDN controller directly issues the terminal authentication frame of the terminal to the OpenFlow switch, and forwards the terminal authentication frame to the access point AP for accessing the terminal. When the terminal has access to the network and then roams, the roaming terminal can be quickly authenticated by the authentication information cache of the SDN controller without an AAA authentication server, and compared with the existing WLAN roaming access mode, the authentication access mode has higher access speed, so that the roaming access time is shortened, and the roaming service quality is improved.
Drawings
Fig. 1 is a schematic structural diagram of a system for WLAN roaming access authentication based on SDN according to this embodiment;
fig. 2 is an authentication flowchart of the SDN-based campus network WLAN roaming access authentication method provided in this embodiment.
Detailed Description
The present invention is further described with reference to the accompanying drawings and specific embodiments, wherein the following processes or symbols, such as codes, etc., which are not described in detail below, are understood or implemented by those skilled in the art with reference to the prior art.
The system for accessing and authenticating the WLAN roaming based on the SDN campus network shown in fig. 1 comprises an accessing and data forwarding device and a control authentication device, wherein the accessing and data forwarding device comprises: an Access Point (AP) (wireless access point), an OpenFlow switch and a wireless access gateway; the control authentication device includes: an SDN controller, an AAA authentication server;
the access point AP is used for the terminal to access and send an authentication request frame of the terminal to the OpenFlow switch;
the OpenFlow switch is used for sending the authentication request frame to the SDN controller and forwarding data to the wireless access gateway;
the SDN controller directly issues a terminal authentication frame to a roaming Access Point (AP) through authentication frame cache to realize the rapid roaming access authentication of the terminal; the SDN controller has an authentication frame buffer function.
The AAA authentication server performs initialization authentication on the terminal by using a traditional 802.1X authentication mode and sends authentication result information to the SDN controller;
the wireless access gateway is used for receiving data sent by the OpenFlow switch and accessing the Internet through the wireless access gateway.
The access point AP is connected with the terminal, and the authentication request frame of the terminal is sent to the OpenFlow switch, which forwards it to the SDN controller for authentication; if the authentication succeeds, the terminal is allowed to access. If the authentication does not succeed, the SDN controller interacts with the AAA authentication server: the authentication request frame is sent to the AAA authentication server for authentication, and the authentication result information is forwarded to the access point AP through the SDN controller and the OpenFlow switch; if that authentication succeeds the terminal access is allowed, otherwise the terminal access is rejected. After successful authentication, communication between the access point AP and the terminal proceeds under the 802.1X access mode.
The AAA authentication server authenticates the terminal by using an 802.1X authentication mode.
The working process of the access and data forwarding device is specifically as follows. The terminal sends a Probe Request frame to the access point AP, and the access point AP answers with a Probe Response frame. The terminal then sends a GAS Request frame to the access point AP to request network information, and the access point AP replies with the corresponding GAS Response frame. The terminal then sends an Association Request frame to the access point AP to request a connection, and the access point AP replies with an Association Response frame, establishing the connection. Finally the terminal sends an authentication request frame to the access point AP; the access point AP sends it to the OpenFlow switch, and the OpenFlow switch forwards it to the SDN controller. If authentication succeeds, the access point AP allows the terminal to access; if it fails, the terminal is denied access.
The working process of the control authentication device is specifically as follows. When the SDN controller receives an authentication request frame forwarded by the OpenFlow switch, it extracts the terminal information from the frame and matches it against its local authentication frame cache. If a match is found, the SDN controller sends the cached terminal authentication frame directly to the OpenFlow switch, the OpenFlow switch forwards it to the access point AP, and the access point AP admits the terminal. If no match is found, the SDN controller interacts with the AAA authentication server and forwards the authentication request frame to it. The AAA authentication server authenticates the request; if authentication passes, it sends the terminal authentication frame to the SDN controller, which forwards it to the access point AP through the OpenFlow switch, the access point AP admits the terminal, and the SDN controller stores the terminal authentication frame in the authentication frame cache. If the AAA authentication server rejects the request, it sends access-denied information to the SDN controller, which forwards it to the access point AP through the OpenFlow switch, and the access point AP denies the terminal access.
A mainstream SDN controller, OpenDaylight, is selected as the controller, and an information caching function is developed in it to store the authentication frame cache, as follows (as an example only):
(Code listing, shown in the original as two image figures, not reproduced on this page.)
A class named AuthenticationCache stores and retrieves authentication frames; its member attribute authenticationCacheMap serves as the cache space for the frames. The function addAuthenticationMessage adds terminal information together with the corresponding authentication frame: its first parameter userInformation is the terminal information and its second parameter authenticationMessage is the corresponding authentication frame, and it is called as AuthenticationCache.addAuthenticationMessage(terminalInformation, authenticationFrame). The function getAuthenticationMessage retrieves the authentication frame corresponding to given terminal information, its parameter userInformation being the terminal information; it is called as String authenticationFrame = AuthenticationCache.getAuthenticationMessage(terminalInformation).
When terminal 4 in fig. 1 roams from extended set 1 to extended set 2, the roaming access point AP of extended set 2 sends the authentication request frame of terminal 4 to the OpenFlow switch, which forwards it to the SDN controller. Since terminal 4 had already accessed the wireless network before roaming, its terminal authentication frame is stored in the SDN controller's authentication frame cache, so the SDN controller directly issues the terminal authentication frame of terminal 4 to the OpenFlow switch, which forwards it to the roaming access point AP of extended set 2; terminal 4 is admitted by that access point AP and has thus roamed from extended set 1 to extended set 2. Extended set 1 and extended set 2 each comprise a plurality of terminals.
As shown in fig. 2, the authentication method for the SDN-based campus network WLAN roaming access authentication system includes the following steps:
step 201, a terminal tries to access an AP and sends an authentication request frame to carry out an authentication request;
step 202, the access point AP sends an authentication request frame to the OpenFlow switch;
step 203, the OpenFlow switch forwards the authentication request frame to the SDN controller;
step 204, if the SDN controller caches the terminal authentication frame, turning to step 209, otherwise, following step 205;
step 205, the SDN controller forwards the authentication request frame to the AAA server for authentication;
step 206, if the AAA server passes the authentication, sending a terminal authentication frame to the SDN controller, otherwise, sending authentication failure information to the SDN controller;
step 207, if the SDN controller receives the terminal authentication frame, go to step 208, otherwise go to step 209;
step 208, the SDN controller updates the terminal authentication frame to an authentication frame buffer;
step 209, the SDN controller issues a terminal authentication frame or authentication failure information to the OpenFlow switch;
step 210, the OpenFlow switch issues the authentication result information from the SDN controller to the corresponding access point AP;
step 211, when the access point AP receives the authentication result information forwarded by the OpenFlow switch, if the received frame is a terminal authentication frame it allows the terminal to access and the authentication flow ends, otherwise go to step 212;
step 212, rejecting the terminal access, and ending the authentication process.
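The following is an added example, not the patent's OpenDaylight code: it models the control authentication device of steps 201 to 212 together with the caching function described above (class AuthenticationCache with addAuthenticationMessage and getAuthenticationMessage, names reconstructed from the description), in Python rather than Java. The AAA server is a stand-in that checks a constructed user table in place of a full 802.1X exchange; the cache key (terminal MAC plus EAP identity) and the entry lifetime of four hours are assumptions made here, since the page does not say which terminal information is extracted or how long a cached frame stays valid. Because the cached path skips the AAA server, what the fast path actually verifies is the cache key, so the example keys on more than the MAC address and expires entries, forcing a full AAA round after the lifetime the page describes as "several hours".

```python
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CACHE_LIFETIME_SECONDS = 4 * 3600  # assumption: fast roaming for "several hours", then a full AAA round

# assumption: the page only says "terminal information"; MAC alone would reduce the fast path to
# MAC-address authentication, so the key also carries the EAP identity
CacheKey = Tuple[str, str]


@dataclass
class AuthRequest:
    """Terminal information the controller extracts from the authentication request frame."""
    terminal_mac: str
    identity: str
    credential: str  # stands in for the EAP method exchange the AAA server would run
    ap_id: str       # which AP forwarded the frame (AP-1 before roaming, AP-2 after)


class AaaServer:
    """Stand-in for the AAA authentication server: the slow, full credential check."""

    def __init__(self, users: Dict[str, str]):
        self._users = users
        self.calls = 0  # counts full authentications, i.e. what the cache is meant to avoid

    def authenticate(self, req: AuthRequest) -> Optional[bytes]:
        """Return the terminal authentication frame on success, None on failure."""
        self.calls += 1
        expected = self._users.get(req.identity)
        if expected is None or not hmac.compare_digest(expected.encode(), req.credential.encode()):
            return None
        # illustrative content; a real frame would carry the EAP-Success/keying result for the AP
        return f"AUTH-OK {req.identity} {req.terminal_mac}".encode()


class AuthenticationCache:
    """Controller-side cache: terminal information -> (authentication frame, expiry time)."""

    def __init__(self, lifetime: float = CACHE_LIFETIME_SECONDS):
        self.authenticationCacheMap: Dict[CacheKey, Tuple[bytes, float]] = {}
        self.lifetime = lifetime

    def addAuthenticationMessage(self, userInformation: CacheKey, authenticationMessage: bytes,
                                 now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self.authenticationCacheMap[userInformation] = (authenticationMessage, now + self.lifetime)

    def getAuthenticationMessage(self, userInformation: CacheKey,
                                 now: Optional[float] = None) -> Optional[bytes]:
        now = time.time() if now is None else now
        entry = self.authenticationCacheMap.get(userInformation)
        if entry is None:
            return None
        frame, expires = entry
        if now >= expires:  # stale entry: drop it and force a full AAA round
            del self.authenticationCacheMap[userInformation]
            return None
        return frame


class SdnController:
    def __init__(self, aaa: AaaServer, cache: AuthenticationCache):
        self.aaa, self.cache = aaa, cache

    def handle_auth_request(self, req: AuthRequest, now: Optional[float] = None) -> Tuple[str, bytes]:
        """Steps 204 to 209. Returns (path, frame for the AP); path is 'cache' or 'aaa'."""
        key: CacheKey = (req.terminal_mac, req.identity)
        frame = self.cache.getAuthenticationMessage(key, now)
        if frame is not None:
            return "cache", frame  # step 204 -> 209: roaming fast path, AAA not involved
        frame = self.aaa.authenticate(req)  # steps 205-206
        if frame is None:
            return "aaa", b"AUTH-FAIL"  # step 207 -> 209: failures are never cached
        self.cache.addAuthenticationMessage(key, frame, now)  # step 208
        return "aaa", frame


def roaming_demo() -> Tuple[str, str, int]:
    """Initial access at AP-1, then roaming to AP-2; returns both paths and the AAA call count."""
    aaa = AaaServer({"alice@campus.example": "constructed-secret"})  # constructed user table
    ctl = SdnController(aaa, AuthenticationCache())
    first = AuthRequest("02:00:00:00:00:01", "alice@campus.example", "constructed-secret", "AP-1")
    roam = AuthRequest("02:00:00:00:00:01", "alice@campus.example", "constructed-secret", "AP-2")
    p1, _ = ctl.handle_auth_request(first, now=1000.0)
    p2, _ = ctl.handle_auth_request(roam, now=1300.0)
    return p1, p2, aaa.calls


if __name__ == "__main__":
    print(roaming_demo())  # ('aaa', 'cache', 1)
```

The AAA call counter is the measurable claim of the page: the first access costs one full authentication, the roam to the second AP costs none. Failed authentications are deliberately never written to the cache, and an expired entry is evicted on lookup rather than served.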
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by a hardware platform as necessary. It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (7)

1. The system is characterized by comprising an access and data forwarding device and a control authentication device, wherein the access and data forwarding device comprises an Access Point (AP), an OpenFlow switch and a wireless access gateway; the control authentication device comprises an SDN controller and an AAA authentication server;
the OpenFlow switch is used for sending the authentication result frame to the SDN controller and forwarding data to the wireless access gateway;
the wireless access gateway is used for receiving data sent by the OpenFlow switch and connecting that data to the Internet;
the access point AP is connected with the terminal and sends the terminal's authentication request frame to the OpenFlow switch, and the OpenFlow switch forwards the authentication request frame to the SDN controller for authentication; if the authentication is unsuccessful, the SDN controller interacts with the AAA authentication server and sends the authentication request frame to the AAA authentication server for authentication, and the authentication result information is forwarded to the access point (AP) through the SDN controller and the OpenFlow switch; if the authentication is successful, the terminal is allowed access, and if the authentication is unsuccessful, the terminal is refused access;
the working process of the control authentication device specifically comprises the following steps: when the SDN controller receives an authentication request frame forwarded by the OpenFlow switch, it extracts the terminal information from the frame and authenticates it by matching it against the authentication frames cached locally; if the authentication match succeeds, the SDN controller directly sends the terminal authentication frame to the OpenFlow switch, the OpenFlow switch forwards the terminal authentication frame to the access point AP, and the access point AP allows the terminal to access; if the authentication match is unsuccessful, the SDN controller interacts with the AAA authentication server and forwards the authentication request frame to the AAA authentication server, the AAA authentication server authenticates the authentication request frame and, after the authentication passes, sends a terminal authentication frame to the SDN controller, the terminal authentication frame is forwarded to the access point AP through the OpenFlow switch so that the access point AP admits the terminal, and the SDN controller updates the terminal authentication frame into the authentication frame cache; if the AAA authentication is unsuccessful, the AAA authentication server sends access-denied information to the SDN controller, which forwards it to the access point AP through the OpenFlow switch, and the access point AP denies the terminal access.
2. The authentication system of claim 1, wherein, if the authentication is successful, the communication between the AP and the terminal is accessed by means of 802.1X authentication.
3. The authentication system of claim 1, wherein the AAA authentication server authenticates the terminal using 802.1X authentication.
4. The authentication system of claim 1, wherein the SDN controller is capable of buffering authentication frames.
5. The authentication system of claim 1, wherein the access and data forwarding device specifically operates as follows: the terminal sends a request detection frame to the access point AP, and the access point AP sends a detection reply frame to the terminal; the terminal sends a network information request frame to the access point AP to request network information, and the access point AP replies to the terminal with the corresponding network information reply frame; the terminal sends a connection request frame to the access point AP to request a connection with the access point AP, and the access point AP replies with a connection reply frame to establish the connection with the terminal; the terminal sends an authentication request frame to the access point AP to make an authentication request, the access point AP sends the authentication request frame to the OpenFlow switch, and the OpenFlow switch forwards the authentication request frame to the SDN controller; the access point AP then receives the authentication result information from the OpenFlow switch, and if the authentication is successful the terminal is allowed to access, while if the authentication is unsuccessful the terminal is refused access.
6. The SDN-based campus network WLAN roaming access authentication system recited in claim 1, wherein if the SDN controller does not cache a terminal authentication frame of the terminal, the SDN controller interacts with the AAA authentication server once, the SDN controller forwards the terminal authentication request frame to the AAA authentication server, the AAA authentication server authenticates the authentication request frame, sends an authentication result to the SDN controller, and forwards the authentication result to the access point AP via the OpenFlow switch to access the terminal, and the SDN controller updates the authentication frame of the terminal to the authentication frame cache.
7. The authentication method for the SDN-based campus network WLAN roaming access authentication system of claim 1, comprising the steps of:
step 1, a request detection frame sent by a terminal is sent to an access point AP;
step 2, the access point AP sends a detection reply frame to the terminal;
step 3, the terminal sends a network information request frame to the access point AP to request network information;
step 4, the access point AP sends the corresponding network information reply frame to the terminal;
step 5, the terminal sends a connection request frame to request establishing a connection with the access point AP;
step 6, the access point AP sends a connection reply frame to establish connection with the terminal;
step 7, the terminal sends an authentication request frame to the access point AP to carry out an authentication request, the access point AP sends the authentication request frame to the OpenFlow switch, and the OpenFlow switch forwards the authentication request frame to the SDN controller;
step 8, if the SDN controller caches the terminal authentication frame, turning to step 12, and if not, continuing to step 9;
step 9, the SDN controller forwards the authentication request frame to an AAA server for authentication;
step 10, if the AAA server passes the authentication, sending a terminal authentication frame to the SDN controller, otherwise, sending authentication failure information to the SDN controller; the SDN controller issues authentication failure information to the OpenFlow switch;
step 11, if the SDN controller receives the terminal authentication frame, updating the terminal authentication frame to an authentication frame cache;
step 12, the SDN controller issues the terminal authentication frame information to the OpenFlow switch;
step 13, the OpenFlow switch issues the authentication result from the SDN controller to the corresponding access point AP;
step 14, when the access point AP receives the authentication information forwarded by the OpenFlow switch, if the received authentication frame is a terminal authentication frame, allowing the terminal to access, and if it is authentication failure information, refusing the terminal access.
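As an added illustration (not code from the patent), the following Python simulates the control-authentication logic of embodiment steps 205-212 and claim 7 steps 8-14: the SDN controller's lookup of a cached terminal authentication frame, the fallback to the AAA server, the cache update, and the access point's admit-or-refuse decision. The names AuthRequest, AAAServer and SDNController, the credential digest used to match a cached frame against a new request, and the cache TTL are assumptions of this example; the patent specifies none of them.

```python
import hashlib
from dataclasses import dataclass
@dataclass
class AuthRequest:
    terminal_mac: str  # terminal information the controller extracts from the frame
    ap_id: str         # access point the terminal is currently associated with
    credential: str    # opaque 802.1X credential (constructed sample value)

def _digest(credential):
    return hashlib.sha256(credential.encode()).hexdigest()

class AAAServer:
    """Stand-in for the AAA server: checks credentials against a constructed user table."""
    def __init__(self, users):
        self.users, self.requests = users, 0
    def authenticate(self, req):
        self.requests += 1
        if self.users.get(req.terminal_mac) != req.credential:
            return None                       # authentication failure information (step 10)
        # terminal authentication frame: terminal identity plus a digest of the credential
        return {"mac": req.terminal_mac, "cred": _digest(req.credential)}

class SDNController:
    def __init__(self, aaa, ttl=3600):
        self.aaa, self.cache, self.ttl = aaa, {}, ttl  # ttl: assumption, not in the patent
    def handle_request(self, req, now):
        entry = self.cache.get(req.terminal_mac)       # step 8: look up the cached frame
        if entry and entry["expires"] > now and entry["frame"]["cred"] == _digest(req.credential):
            return ("auth_frame", entry["frame"], "cache")   # step 12: no AAA round trip
        frame = self.aaa.authenticate(req)             # steps 9-10: fall back to the AAA server
        if frame is None:
            return ("auth_failure", None, "aaa")
        self.cache[req.terminal_mac] = {"frame": frame, "expires": now + self.ttl}  # step 11
        return ("auth_frame", frame, "aaa")

def access_point_decision(result):
    """Step 14: the AP admits the terminal only when it receives a terminal authentication frame."""
    return result[0] == "auth_frame"

def roaming_demo():
    # terminal authenticates at AP-1, roams to AP-2 (cache hit), presents a wrong credential, then returns after TTL expiry
    aaa = AAAServer({"aa:bb:cc:00:00:01": "student-secret"})  # constructed user table
    ctrl = SDNController(aaa)
    mac = "aa:bb:cc:00:00:01"
    first = ctrl.handle_request(AuthRequest(mac, "AP-1", "student-secret"), now=1000)
    roam = ctrl.handle_request(AuthRequest(mac, "AP-2", "student-secret"), now=1500)
    bad = ctrl.handle_request(AuthRequest(mac, "AP-2", "wrong-secret"), now=1600)
    expired = ctrl.handle_request(AuthRequest(mac, "AP-3", "student-secret"), now=5000)
    return first[2], roam[2], access_point_decision(bad), expired[2], aaa.requests
```

The roaming step reaches the AP without an AAA round trip, which is the latency saving the patent claims; the wrong-credential and expired-entry cases show why the cache entry should be bound to the presented credential and to a lifetime rather than to the terminal MAC alone.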
CN201911046793.XA 2019-10-30 2019-10-30 Campus network WLAN roaming access authentication system and method based on SDN Active CN110784872B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911046793.XA CN110784872B (en) 2019-10-30 2019-10-30 Campus network WLAN roaming access authentication system and method based on SDN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911046793.XA CN110784872B (en) 2019-10-30 2019-10-30 Campus network WLAN roaming access authentication system and method based on SDN

Publications (2)

Publication Number Publication Date
CN110784872A CN110784872A (en) 2020-02-11
CN110784872B true CN110784872B (en) 2021-08-10

Family

ID=69387836

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911046793.XA Active CN110784872B (en) 2019-10-30 2019-10-30 Campus network WLAN roaming access authentication system and method based on SDN

Country Status (1)

Country Link
CN (1) CN110784872B (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105025487B (en) * 2015-07-28 2018-07-27 北京邮电大学 A method of the Working level wlan system based on SDN and unified certification
CN105915550B (en) * 2015-11-25 2018-12-21 北京邮电大学 A kind of Portal/Radius authentication method based on SDN
KR102063819B1 (en) * 2018-02-01 2020-01-08 충북대학교 산학협력단 System for controlling connectivity for wireless lan device based on software defined networks
CN108738098B (en) * 2018-08-14 2020-11-24 重庆邮电大学 Method for seamless switching among multiple access points of WLAN (Wireless local area network)

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Multicasting in Next-Generation Software-Defined"; Janfizza Bukhari; IEEE; 2018-05-22; full text *
"Design and Implementation of a WiFi-based Ultra-dense Software-Defined Network"; 殷攀; China Master's Theses Full-text Database; 2019-02-15; full text *
"Research on a Flash P2P-based Logistics Monitoring Video Transmission Protocol and Its Application"; 孙延鹏; China Master's Theses Full-text Database; 2019-02-15; full text *

Also Published As

Publication number Publication date
CN110784872A (en) 2020-02-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
OL01 Intention to license declared