CN114302393A - Communication control method, device, equipment and system based on authentication - Google Patents

Info

Publication number
CN114302393A
Authority
CN
China
Prior art keywords
authentication
wireless terminal
state
mac address
wireless
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111362375.9A
Other languages
Chinese (zh)
Inventor
郑远鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruijie Networks Co Ltd filed Critical Ruijie Networks Co Ltd
Priority to CN202111362375.9A priority Critical patent/CN114302393A/en
Publication of CN114302393A publication Critical patent/CN114302393A/en
Pending legal-status Critical Current

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the application provide an authentication-based communication control method, apparatus, device and system. The method comprises: receiving entry information issued by the AC, in which the MAC address of a wireless terminal and its corresponding authentication state are recorded, to obtain an AP-side identity state table; after associating with any wireless terminal, looking up the authentication state corresponding to that terminal's MAC address in the AP-side identity state table; and, if the corresponding authentication state is found and it is successful authentication, releasing the service data messages of that wireless terminal. The method reduces the cases in which normal service communication is delayed after a wireless terminal associates because of delay, packet loss, jitter and the like on the wide area network link.

Description

Communication control method, device, equipment and system based on authentication
Technical Field
The present application relates to the field of wireless local area networks, and in particular, to a communication control method, apparatus, device, and system based on authentication.
Background
A Wireless Local Area Network (WLAN) is a network system that uses wireless communication technology to interconnect computer devices so that they can communicate with each other and share resources. A wireless terminal (STA) can access the WLAN through an Access Point (AP).
In the prior art, after a wireless terminal associates, the wireless controller (AC) may initiate an authentication request to the authentication server using the Media Access Control (MAC) address of the wireless terminal to obtain an authentication result for the terminal. Once the authentication result is successful, the AC may control the AP to release the service data packets of the STA. In some scenarios the AC and the authentication server, or the AP and the AC, are separated by a wide area network. The wide area network link may suffer delay, packet loss and the like, which often leaves the wireless terminal unable to carry out normal service communication after it associates.
Disclosure of Invention
The embodiments of the application provide an authentication-based communication control method, apparatus, device and system, to solve the prior-art problem that, because the wide area network link suffers delay, packet loss, jitter and the like, normal service communication is often delayed after a wireless terminal associates.
In a first aspect, an embodiment of the present application provides an authentication-based communication control method, which is applied to a wireless access point AP, and includes:
receiving table entry information issued by a wireless controller AC, wherein the table entry information records a Media Access Control (MAC) address of a wireless terminal and a corresponding authentication state thereof so as to obtain an AP side identity state table, and the authentication state comprises successful authentication or unsuccessful authentication;
after being associated with any wireless terminal, searching an authentication state corresponding to the MAC address of any wireless terminal in the AP side identity state table;
and if the corresponding authentication state is found and the authentication state is successful, releasing the service data message of any wireless terminal.
In a second aspect, an embodiment of the present application provides an authentication-based communication control method, which is applied to a wireless controller AC, and includes:
according to an authentication result obtained by initiating an authentication request by using a Media Access Control (MAC) address of a wireless terminal, recording the MAC address and an authentication state corresponding to the MAC address to obtain an AC side identity state table, wherein the authentication state comprises successful authentication or unsuccessful authentication;
and issuing table entry information to the wireless access point AP according to the AC side identity state table, wherein the table entry information records the MAC address of the wireless terminal and the authentication state corresponding to the MAC address so that the AP can obtain the AP side identity state table.
In a third aspect, an embodiment of the present application provides an authentication-based communication control apparatus, which is applied to a wireless access point AP, and includes:
the receiving module is used for receiving the table entry information issued by the wireless controller AC, wherein the table entry information records the Media Access Control (MAC) address of the wireless terminal and the corresponding authentication state thereof so as to obtain an AP side identity state table, and the authentication state comprises successful authentication or unsuccessful authentication;
the searching module is used for searching the authentication state corresponding to the MAC address of any wireless terminal in the AP side identity state table after being associated with the wireless terminal;
and the control module is used for releasing the service data message of any wireless terminal if the corresponding authentication state is found and the authentication state is successful.
In a fourth aspect, an embodiment of the present application provides an authentication-based communication control apparatus, which is applied to a wireless controller AC, and includes:
the system comprises a recording module, a receiving module and a processing module, wherein the recording module is used for recording a Media Access Control (MAC) address of a wireless terminal and a corresponding authentication state thereof according to an authentication result obtained by initiating an authentication request by using the MAC address of the wireless terminal so as to obtain an AC side identity state table, and the authentication state comprises successful authentication or unsuccessful authentication;
and the sending module is used for sending table item information to the wireless access point AP according to the AC side identity state table, and the table item information records the MAC address of the wireless terminal and the corresponding authentication state thereof so that the AP can obtain the AP side identity state table.
In a fifth aspect, an embodiment of the present application provides a wireless access point, including: a memory and a processor;
the memory for storing a computer program;
the processor, coupled with the memory, to execute the computer program to:
receiving table entry information issued by a wireless controller AC, wherein the table entry information records a Media Access Control (MAC) address of a wireless terminal and a corresponding authentication state thereof so as to obtain an AP side identity state table, and the authentication state comprises successful authentication or unsuccessful authentication;
after being associated with any wireless terminal, using the MAC address of the wireless terminal to search the authentication state corresponding to the MAC address of the wireless terminal in the AP side identity state table;
and if the corresponding authentication state is found and the authentication state is successful, releasing the service data message of any wireless terminal.
In a sixth aspect, an embodiment of the present application provides a wireless controller, including: a memory and a processor;
the memory for storing a computer program;
the processor, coupled with the memory, to execute the computer program to:
recording a Media Access Control (MAC) address of a wireless terminal and a corresponding authentication state thereof according to an authentication result obtained by initiating an authentication request by using the MAC address of the wireless terminal so as to obtain an AC side identity state table, wherein the authentication state comprises successful authentication or unsuccessful authentication;
and issuing the table entry information in the AC side identity state table to a wireless Access Point (AP), wherein the table entry information records the MAC address of the wireless terminal and the authentication state corresponding to the MAC address so that the AP can obtain the AP side identity state table.
In a seventh aspect, an embodiment of the present application provides a wireless access system, including: a wireless access point, AP, for performing the method of any of the first aspects and a wireless controller, AC, for controlling the AP, for performing the method of any of the second aspects.
In addition, the present application also provides a computer readable storage medium storing a computer program, which, when executed by a processor, causes the processor to implement the steps in the method according to any one of the first aspect.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program, which, when executed by a processor, causes the processor to implement the steps in the method according to any one of the second aspect.
In the embodiments of the application, access authentication of the wireless terminal is identified and decided quickly by the AP. After the wireless terminal associates, the AP can immediately decide whether to release the terminal's service communication, without waiting for the AC and the authentication server to complete their interaction and for the release entry to be notified. This reduces the cases in which normal service communication is delayed after a wireless terminal associates because of delay, packet loss, jitter and the like on the wide area network link.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1A to Fig. 1C are schematic views of application scenarios according to embodiments of the present application;
Fig. 2 is a schematic flow chart, in the prior art, from association of a wireless terminal to release of the wireless terminal's service data packets;
Fig. 3 is a flowchart illustrating an authentication-based communication control method according to an embodiment of the present application;
Fig. 4 is a flowchart illustrating an authentication-based communication control method according to another embodiment of the present application;
Fig. 5 is a flowchart illustrating an authentication-based communication control method according to another embodiment of the present application;
Fig. 6 is a flowchart illustrating an authentication-based communication control method according to another embodiment of the present application;
Fig. 7 is a schematic structural diagram of an authentication-based communication control apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a wireless access point according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an authentication-based communication control apparatus according to another embodiment of the present application;
Fig. 10 is a schematic structural diagram of a wireless controller according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
For the convenience of those skilled in the art to understand the technical solutions provided in the embodiments of the present application, a technical environment for implementing the technical solutions is described below.
Fig. 1A to fig. 1C are schematic diagrams of application scenarios of a communication control method based on authentication according to an embodiment of the present application, and as shown in fig. 1A and fig. 1B, the application scenarios may include: a wireless terminal 11, a wireless access point 12, a wireless controller 13 and an authentication server 14.
The wireless terminal 11 may be, for example, a mobile phone, a tablet computer, etc., and the wireless terminal 11 may access the wireless lan by associating with the wireless access point 12. The wireless controller 13 may be used to control the wireless access point 12. The wireless controller 13 may also initiate an authentication request to the authentication server 14 using the MAC address of the wireless terminal 11 as authentication information, and the authentication server 14 may be, for example, a Radius authentication server. The authentication server 14 may perform identity authentication according to the request of the wireless controller 13 to obtain an authentication result, and return the authentication result to the wireless controller 13.
In practical application scenarios, the authentication server 14 and the wireless access point 12 are typically across a wide area network, i.e., the wireless access point 12 and the authentication server 14 are in different local area networks. Specifically, as shown in fig. 1A, the wireless controller 13 and the authentication server 14 may cross a wide area network, or, as shown in fig. 1B, the wireless access point 12 and the wireless controller 13 may cross a wide area network.
When the wireless controller 13 and the authentication server 14 span a wide area network, as shown in fig. 1A, the wireless controller 13 and the authentication server 14 may be connected to a wide area network 15, and the wireless controller 13 and the authentication server 14 may interact with each other through the wide area network 15, and the wide area network 15 may be, for example, the internet. It should be noted that fig. 1A schematically shows that the wireless controller 13 and the authentication server 14 are connected to the wide area network 15, and it should be understood that in practical applications, the wireless controller 13 may be connected to the wide area network 15 through a router or a switch with a routing function, and similarly, the authentication server 14 may be connected to the wide area network 15 through a router or a switch with a routing function.
When the wireless access point 12 and the wireless controller 13 cross a wide area network, as shown in fig. 1B, the wireless access point 12 and the wireless controller 13 may be connected to a wide area network 15, the wireless access point 12 and the wireless controller 13 may interact with each other through the wide area network 15, and the wireless controller 13 and the authentication server 14 may be in the same local area network. It should be noted that fig. 1B schematically shows the wireless access point 12 and the wireless controller 13 connected to the wide area network 15, and it should be understood that in practical applications, the wireless access point 12 may be connected to the wide area network 15 through a router or a switch with a routing function, and similarly, the wireless controller 13 may be connected to the wide area network 15 through a router or a switch with a routing function.
It should be noted that the application scenarios shown in fig. 1A and 1B may be combined, that is, in the same application scenario, there may be a case of crossing a wide area network between the wireless controller and the authentication server, or a case of crossing a wide area network between the wireless access point and the wireless controller. Taking the example of connection to the wide area network 15 through the router 16, a combined application scenario may be as shown in fig. 1C.
Generally, as shown in Fig. 2, after the wireless terminal 11 associates, the wireless controller 13 may exchange messages with the authentication server 14 using the MAC address of the wireless terminal 11 as authentication information. For example, taking the authentication server 14 to be a Radius authentication server, as shown in Fig. 2, the wireless controller 13 may first send a Radius access request (Radius Access-Request) message to the authentication server 14. The Radius Access-Request message may carry identity authentication information that uses the MAC address of the wireless terminal 11 as both user name and password, and the authentication server 14 may authenticate the identity authentication information carried in the Radius Access-Request. This manner of authentication is MAB authentication. Assuming the authentication result is successful, the authentication server 14 may return a Radius access accept (Radius Access-Accept) message to the wireless controller 13. The wireless controller 13 may then send a Radius accounting request (Radius Accounting-Request) message to the authentication server 14, where the Radius Accounting-Request message may carry the related accounting information to notify that accounting has started, and the authentication server may return a Radius accounting response (Radius Accounting-Response) message indicating that accounting has started.
With continued reference to fig. 2, after the interaction between the wireless controller 13 and the authentication server 14 is finished and the authentication is successful, the wireless controller 13 may notify the wireless access point 12 of a release entry for controlling the release of the service data packet of the wireless terminal. Then, the wireless access point 12 may add the release entry notified by the wireless controller 13 to the ACL table, so that the service data packet of the wireless terminal 11 may be released, so that the wireless terminal 11 can perform service communication normally.
As can be seen from Fig. 1A and Fig. 2, when the wireless controller 13 and the authentication server 14 are separated by a wide area network, delay, packet loss, jitter and the like on the wide area network link may affect the interaction between the wireless controller 13 and the authentication server 14, resulting in slow authentication or authentication failure, so that normal service communication is often delayed after the wireless terminal 11 associates.
As can be seen from Fig. 1B and Fig. 2, when the wireless access point 12 and the wireless controller 13 are separated by a wide area network, delay, packet loss, jitter and the like on the wide area network link may affect the notification of the release entry from the wireless controller 13 to the wireless access point 12, resulting in slow notification or failed notification of the release entry, so that normal service communication is often delayed after the wireless terminal 11 associates.
To solve the technical problem that normal service communication is delayed after a wireless terminal associates because of delay, packet loss, jitter and the like on the wide area network link, in the embodiments of the application access authentication of the wireless terminal is identified and decided quickly by the AP. After the wireless terminal associates, the AP can immediately decide whether to release the terminal's service communication, without waiting for the AC and the authentication server to complete their interaction and for the release entry to be notified. This reduces the cases in which normal service communication is delayed after a wireless terminal associates because of delay, packet loss, jitter and the like on the wide area network link.
It should be noted that any type of scenario that spans a wide area network between the wireless controller 13 and the authentication server 14, or spans a wide area network between the wireless access point 12 and the wireless controller 13, can apply the authentication-based communication control method provided in the embodiments of the present application, and the scenario relates to fields including, but not limited to, commerce, transportation, production, manufacturing, logistics, and the like.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 3 is a flowchart illustrating a communication control method based on authentication according to an embodiment of the present application, where the method provided in this embodiment may be executed by the wireless access point 12 in fig. 1A to 1C, and as shown in fig. 3, the method of this embodiment may include:
Step 31: receive entry information issued by the AC, where the entry information records the MAC address of the wireless terminal and the authentication state corresponding to the MAC address, so as to obtain an AP-side identity state table, where the authentication state includes successful authentication or unsuccessful authentication.
In this step, after the AP establishes a connection with the AC, the AP may receive the entry information issued by the AC over that connection. The connection established between the AP and the AC may be a tunnel connection, and the tunneling protocol on which the tunnel connection is based may be, for example, the CAPWAP protocol. The AP-side identity state table may be, for example, as shown in Table 1 below.
TABLE 1

| Sta-MAC        | Auth-State |
|----------------|------------|
| xxxx.xxxx.xxxx | Yes/No     |
| xxxx.xxxx.xxxx | Yes/No     |

Here, Sta-MAC is the MAC address of the wireless terminal and Auth-State is the authentication state. An Auth-State value of Yes can indicate successful authentication, and a value of No can indicate unsuccessful authentication. It should be understood that successful authentication and unsuccessful authentication may also be represented by other values in other embodiments.
It should be noted that the MAC address of the wireless terminal and the corresponding authentication status relate to an authentication result obtained by the AC initiating an authentication request using the MAC address of the wireless terminal, and when the authentication result is successful, the authentication status may be successful authentication, and when the authentication result is authentication failure, the authentication status may be unsuccessful authentication.
Step 32: after associating with any wireless terminal, look up the authentication state corresponding to the MAC address of that wireless terminal in the AP-side identity state table.
In this step, to improve lookup efficiency, the AP-side identity state table may be stored as Key-Value (K-V) pairs, and the AP may perform a hash-matching lookup using the MAC address of the wireless terminal; that is, the AP may use the result of hashing the terminal's MAC address as the key for the lookup.
It should be understood that, when the MAC address of a wireless terminal and its corresponding authentication state are recorded in the AP-side identity state table, the authentication state corresponding to that MAC address can be found in the table; when they are not recorded in the AP-side identity state table, the authentication state corresponding to that MAC address cannot be found in the table.
It should be understood that the authentication state found in the AP-side identity state table for the MAC address of a wireless terminal may be successful authentication or unsuccessful authentication.
It should be noted that, in the embodiments of the present application, association of the wireless terminal may be pushed down to the AP side and handled there; for the specific association process, refer to the descriptions in the related art, which are not repeated here.
Step 33: if the corresponding authentication state is found and the authentication state is successful authentication, release the service data messages of that wireless terminal.
In this step, when the authentication state found for the MAC address of the wireless terminal is successful authentication, the service data messages of the wireless terminal may be released. When the authentication state found for the MAC address of the wireless terminal is unsuccessful authentication, the service data messages of the wireless terminal are not released.
In practical applications, whether the service data messages of a wireless terminal are released may be controlled through an Access Control List (ACL). For example, the AP's ACL may contain a default entry that by default rejects forwarding of messages from other MAC addresses. If the authentication state is successful authentication, a corresponding release entry can be generated for the terminal's MAC address and added to the ACL, so that the terminal's service data messages are released. If the authentication state is unsuccessful authentication, no release entry for the terminal's MAC address is added to the ACL, and the terminal's service data messages are not released (that is, they are intercepted).
The service data message refers to a data message which is required to be transmitted by the wireless terminal for normal service communication, and it should be understood that if the service data message of any wireless terminal is released, the any wireless terminal can perform normal service communication, and if the service data message of any wireless terminal is intercepted, the any wireless terminal cannot perform normal service communication.
In the method provided by this embodiment, the AP receives the entry information issued by the AC, which records the MAC address of the wireless terminal and its corresponding authentication state, to obtain the AP-side identity state table. After associating with any wireless terminal, the AP looks up the authentication state corresponding to that terminal's MAC address in the AP-side identity state table and, if the corresponding authentication state is found and is successful authentication, releases the terminal's service data messages. Access authentication of the wireless terminal is thus identified and decided quickly by the AP: when the AP-side identity state table records the authentication state for the terminal's MAC address and that state is successful authentication, the AP can release the terminal's service data messages immediately, without waiting for the AC and the authentication server to interact and for the release entry to be notified. This reduces the cases in which normal service communication is delayed after a wireless terminal associates because of delay, packet loss, jitter and the like on the wide area network link.
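The AP-side behaviour of steps 31 to 33, as an added Python sketch that is not code from the patent: entry information from the AC fills a hash-keyed table, and association adds an ACL release entry only on a Yes state. The class and method names, the "unknown" result for a MAC address that is not in the table, and the revocation on a later No entry are assumptions of this example.

```python
import re


def normalize_mac(mac):
    """Canonicalise aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class AccessPoint:
    """Hypothetical AP model: identity state table plus a default-deny ACL."""

    def __init__(self):
        # Key-value store keyed by MAC; a dict gives the hash lookup of step 32.
        self.identity_table = {}
        # Release entries. Any MAC not listed here falls through to the
        # default ACL entry, which rejects forwarding.
        self.acl_release = set()

    def receive_entries(self, entries):
        """Step 31: merge (Sta-MAC, Auth-State) pairs issued by the AC."""
        accepted = 0
        for sta_mac, auth_state in entries:
            if auth_state not in ("Yes", "No"):
                continue  # malformed state: skip instead of guessing
            try:
                mac = normalize_mac(sta_mac)
            except ValueError:
                continue  # malformed MAC: skip
            self.identity_table[mac] = auth_state == "Yes"
            if auth_state == "No":
                # Assumption of this example: a later "No" withdraws
                # a release entry added earlier for the same MAC.
                self.acl_release.discard(mac)
            accepted += 1
        return accepted

    def on_associate(self, sta_mac):
        """Steps 32-33: look up the state, release only on successful authentication."""
        mac = normalize_mac(sta_mac)
        state = self.identity_table.get(mac)
        if state is True:
            self.acl_release.add(mac)
            return "released"
        if state is False:
            return "blocked"
        # Not recorded in the table: no release entry is added, so the
        # default ACL entry keeps the terminal's traffic blocked.
        return "unknown"

    def forward(self, src_mac):
        """ACL decision for one service data message."""
        return normalize_mac(src_mac) in self.acl_release


if __name__ == "__main__":
    ap = AccessPoint()
    # Constructed sample entry information, in the notation of Table 1.
    ap.receive_entries([("0011.2233.4455", "Yes"), ("6677.8899.aabb", "No")])
    for mac in ("00:11:22:33:44:55", "66:77:88:99:AA:BB", "de:ad:be:ef:00:01"):
        print(mac, ap.on_associate(mac), ap.forward(mac))
```

Normalising the MAC address before it is used as the key matters here because the same address can arrive in different notations from the AC and from the association event.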
Fig. 4 is a flowchart illustrating a communication control method based on authentication according to another embodiment of the present application, where the method provided in this embodiment may be executed by the wireless controller 13 in fig. 1A to 1C, and as shown in fig. 4, the method of this embodiment may include:
Step 41: according to the authentication result obtained by initiating an authentication request using the MAC address of the wireless terminal, record the MAC address of the wireless terminal and its corresponding authentication state to obtain an AC-side identity state table, where the authentication state includes successful authentication or unsuccessful authentication.
In this step, the authentication result according to which the AC records is an authentication result obtained by the AC initiating authentication to the authentication server using the MAC address of the wireless terminal as the user name and the password. It should be noted that, after a wireless terminal associates with an AP, the AP may notify association information for the wireless terminal to an AC, where the association information may include a MAC address of the wireless terminal, so that the AC may initiate an authentication Request to an authentication server using the MAC address of the wireless terminal, and a message used by the AC to initiate the authentication Request may be, for example, a Radius Access-Request message.
When the authentication result obtained by initiating the authentication request by using the MAC address of the wireless terminal is successful, the AC can record the authentication state corresponding to the MAC address of the wireless terminal as successful authentication; when the authentication result obtained by initiating the authentication request by using the MAC address of a wireless terminal is authentication failure, the AC may record the authentication state corresponding to the MAC address of the wireless terminal as unsuccessful authentication. The AC-side identity status table obtained can be shown in table 2 below, for example.
Table 2

Sta-MAC          Auth-State   Age-Time
xxxx.xxxx.xxxx   Yes/No       xxxx
xxxx.xxxx.xxxx   Yes/No       xxxx
Here, Sta-MAC is the MAC address of the wireless terminal, and Auth-State is the authentication state: a value of Yes can indicate successful authentication, and a value of No can indicate unsuccessful authentication. It should be understood that successful authentication and unsuccessful authentication may also be represented by other values in other embodiments.
As shown in Table 2, an aging time (i.e., Age-Time) may also be set for each entry in the AC-side identity state table. With an aging time set, entries in the AC-side identity state table age out automatically, which prevents old, unused terminals from occupying entry resources indefinitely and exhausting them.
In practical application, the entries in the AC-side identity state table may be stored in an external storage device (e.g., Flash) instead of in memory space. This avoids losing the data in the AC memory space in situations such as an AC upgrade or restart, which would require the entries in the AC-side identity state table to be learned again.
In practical application, the AC-side identity state table can support import from an external file, so that when an AC is newly brought online, or when data is lost in some abnormal situation, the data can be recovered quickly without relearning.
Step 42, issue entry information to the AP according to the AC-side identity state table, where the entry information records the MAC address of the wireless terminal and its corresponding authentication state, so that the AP can obtain the AP-side identity state table.
In this step, after the AP establishes a connection with the AC, the AC may issue the entry information to the AP through the connection established with the AP. The entry information sent by the AC side may be information of a part of fields in the AC side identity status table, and taking table 2 as an example, the entry information may include information of Sta-MAC and Auth-State, and may not include information of an Age-Time field.
In the method provided by this embodiment, the AC records the MAC address of each wireless terminal and its corresponding authentication state according to the authentication result obtained by initiating an authentication request using that MAC address, thereby obtaining the AC-side identity state table. The AC then issues entry information, which records the MAC addresses and their corresponding authentication states, to the AP according to the AC-side identity state table, so that the AP obtains the AP-side identity state table. After the AP associates with any wireless terminal, it can therefore quickly identify and determine the access authentication of that terminal from the AP-side identity state table: when the authentication state corresponding to the terminal's MAC address is recorded in the AP-side identity state table and that state is successful authentication, the AP can immediately release the service data messages of that terminal.
Fig. 5 is a schematic flowchart of a communication control method based on authentication according to another embodiment of the present application, where this embodiment mainly describes a specific implementation manner of updating an identity state table by an AP and an AC on the basis of the foregoing embodiment, and as shown in fig. 5, the method provided in this embodiment may include:
step 51, after any wireless terminal is associated, the AC initiates an authentication request to the authentication server using the MAC address of the any wireless terminal.
The wireless terminal may associate with the AP, and after any wireless terminal associates with the AP, the AP may notify the AC of association information for the any wireless terminal, where the association information may include a MAC address of the any wireless terminal, so that the AC may initiate an authentication request to the authentication server using the MAC address of the any wireless terminal.
Step 52, the AC receives the authentication result returned by the authentication server.
The authentication result returned by the authentication server may be authentication success or authentication failure. When the returned authentication result is authentication success, it may indicate that the wireless terminal passed the MAB authentication of the authentication server, so the wireless terminal can be considered a successfully authenticated terminal; when the returned authentication result is authentication failure, it may indicate that the wireless terminal failed the MAB authentication of the authentication server, so the wireless terminal can be considered an unsuccessfully authenticated terminal.
Step 53, the AC determines whether the MAC address of the wireless terminal is already in the AC-side identity state table.
If yes, step 54 is performed, if no, step 55 is performed.
Step 54, the AC updates the authentication state corresponding to the MAC address of the wireless terminal in the AC-side identity state table according to the authentication result of the wireless terminal.
For example, the update process may specifically include: determining whether the authentication state corresponding to the MAC address of the wireless terminal in the AC-side identity state table is consistent with the authentication result of the wireless terminal obtained in step 52, and if not, modifying that authentication state in the AC-side identity state table to be consistent with the authentication result.
Therefore, the corresponding authentication state can be updated again after the authentication server authenticates the wireless terminal every time, and the latest state recorded in the current table entry is ensured. In addition, after the authentication server authenticates the wireless terminal each time, the aging timing can be performed again on the corresponding entry in the AC-side identity state table.
It should be understood that, assuming that the authentication result of the wireless terminal is successful, if the authentication state corresponding to the MAC address of the wireless terminal in the AC-side identity state table is successful authentication, the two may be considered to be identical, and if the authentication state corresponding to the MAC address of the wireless terminal in the AC-side identity state table is unsuccessful authentication, the two may be considered to be not identical. Assuming that the authentication result of the wireless terminal is authentication failure, if the authentication state corresponding to the MAC address of the wireless terminal in the AC-side identity state table is successful authentication, the two may be considered to be inconsistent, and if the authentication state corresponding to the MAC address of the wireless terminal in the AC-side identity state table is unsuccessful authentication, the two may be considered to be consistent.
It should be noted that after step 54 is executed, step 56 may be executed continuously.
Step 55, the AC adds an entry to the AC-side identity state table according to the authentication result of the wireless terminal.
The adding process may specifically include: generating a corresponding entry according to the MAC address of the wireless terminal and the authentication result, and adding the generated entry to the AC-side identity state table. It should be understood that, when the authentication result of the wireless terminal is authentication success, the authentication state recorded in the generated entry for the MAC address of the wireless terminal is successful authentication; when the authentication result of the wireless terminal is authentication failure, the authentication state recorded in the generated entry for the MAC address of the wireless terminal is unsuccessful authentication. In addition, the aging time can be recorded in the generated entry.
Step 56, when the AC-side identity state table is updated, the AC sends a corresponding update notification to the AP, so that the AP updates the AP-side identity state table accordingly.
An update of the AC-side identity state table may be: one or more authentication states in the AC-side identity state table are modified, or one or more entries are added to the AC-side identity state table. By issuing the update notification to the AP, the AP-side identity state table can be updated.
In addition, when the aging of the entries in the AP-side identity state table is controlled by the AC side, an update of the AC-side identity state table may also be: one or more entries are deleted from the AC-side identity state table. Because the aging of the AP-side identity state table is controlled by the AC side, the AP side does not need to implement any aging logic, which simplifies the AP-side implementation and saves AP-side processing resources.
Step 57, the AP receives the update notification sent by the AC for updating the AP-side identity state table, and updates the AP-side identity state table according to the update notification.
Through steps 51 to 57 above, the identity state table in the AC (i.e., the AC-side identity state table) and the identity state table in the AP (i.e., the AP-side identity state table) can be updated and maintained.
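The table maintenance of steps 53 to 57, together with AC-controlled aging and the initial entry download of step 42, can be sketched as follows. This is an added example, not code from the patent; the class names, the notification tuples and the MAC normalization are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


def normalize_mac(mac):
    """Reduce any common MAC notation (xxxx.xxxx.xxxx, aa:bb:..., aa-bb-...) to 12 hex digits.

    Assumption of this sketch: without one canonical key form, the AC and AP
    tables could hold the same terminal under two different spellings.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Entry:
    authenticated: bool   # Auth-State (Yes/No in Table 2)
    expires_at: float     # Age-Time, kept here as an absolute deadline


class AcIdentityTable:
    """AC-side identity state table."""

    def __init__(self, age_time):
        self.age_time = age_time
        self.entries = {}

    def record_result(self, mac, success, now):
        """Steps 53 to 55: add or update an entry; return a notification or None."""
        mac = normalize_mac(mac)
        deadline = now + self.age_time
        entry = self.entries.get(mac)
        if entry is None:                       # step 55: MAC not yet in the table
            self.entries[mac] = Entry(success, deadline)
            return ("add", mac, success)
        entry.expires_at = deadline             # aging restarts after every authentication
        if entry.authenticated != success:      # step 54: modify only when inconsistent
            entry.authenticated = success
            return ("modify", mac, success)
        return None                             # table unchanged, nothing to send

    def age_out(self, now):
        """AC-controlled aging: delete expired entries, return delete notifications."""
        expired = [m for m, e in self.entries.items() if e.expires_at <= now]
        for mac in expired:
            del self.entries[mac]
        return [("delete", mac, None) for mac in expired]

    def snapshot(self):
        """Step 42: entry information for an AP, without the Age-Time field."""
        return {m: e.authenticated for m, e in self.entries.items()}


class ApIdentityTable:
    """AP-side replica: Sta-MAC -> Auth-State only, no aging logic of its own."""

    def __init__(self, snapshot):
        self.states = dict(snapshot)

    def apply(self, notification):
        """Step 57: apply one update notification received from the AC."""
        if notification is None:
            return
        op, mac, state = notification
        if op == "delete":
            self.states.pop(mac, None)
        else:                                   # "add" and "modify" both set the state
            self.states[mac] = state
```

Because the AP holds no deadlines of its own, an entry stays usable on the AP until the AC's delete notification arrives.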
Fig. 6 is a schematic flowchart of a communication control method based on authentication according to another embodiment of the present application, where this embodiment mainly describes an interaction process between an AP and an AC on the basis of the foregoing embodiment, and as shown in fig. 6, the method provided by this embodiment may include:
Step 61, after associating with any wireless terminal, the AP notifies the AC of the association information for that wireless terminal.
The association information may include a MAC address of the wireless terminal.
Step 62, after the AC receives the association information for the wireless terminal notified by the AP, the AC may initiate an authentication request to the authentication server using the MAC address of the wireless terminal.
The AC may initiate the authentication request to the authentication server using the MAC address of the wireless terminal as the identity authentication information, and the message the AC uses to initiate the authentication request may be, for example, a RADIUS Access-Request message.
Optionally, after receiving the association information, advertised by the AP, for any wireless terminal, the AC may directly use the MAC address of any wireless terminal to initiate an authentication request to the authentication server.
Or, optionally, after receiving the association information for the wireless terminal advertised by the AP, the AC may first determine whether the time elapsed since it last used the MAC address of the wireless terminal to initiate an authentication request to the authentication server is greater than or equal to a duration threshold. If so, the AC uses the MAC address of the wireless terminal to initiate an authentication request to the authentication server; otherwise, the AC may return to the AP the authentication result obtained the last time it sent an authentication request to the authentication server using that MAC address.
In a wireless scenario, roaming and migration make association and disassociation of a wireless terminal frequent; they may occur once every 1 to 2 seconds. Initiating an authentication request with the terminal's MAC address only when the time elapsed since the last such request is greater than or equal to the duration threshold provides an authentication anti-jitter mechanism and reduces the performance overhead of the AC and the authentication server.
It should be noted that the message interaction flow between the AC and the authentication server for a wireless terminal is prior art; in the example of fig. 6, the messages exchanged between the AC and the authentication server (messages a to d) are the same as those in fig. 2.
Step 63, after associating with any wireless terminal, the AP further searches the authentication state corresponding to the MAC address of any wireless terminal in the AP side identity state table.
It should be noted that step 63 is similar to step 32, and is not described herein again.
Step 64, if the corresponding authentication state is found and the authentication state is successful authentication, the AP releases the service data messages of the wireless terminal.
It should be noted that step 64 is similar to step 33, and is not described herein again.
As shown in fig. 6, if the corresponding authentication status is found to be successfully authenticated, then after step 64, the wireless terminal can perform normal service communication.
Step 65, after the AC completes the interaction with the authentication server, the AC returns the authentication result of any wireless terminal to the AP.
After the AP receives the authentication result of any wireless terminal, if the result of executing step 63 is that the corresponding authentication status is found, step 66 may be further executed after steps 64 and 65; if the corresponding authentication status is not found as a result of performing step 63, step 66 may be further performed after step 65.
Step 66, the AP receives the authentication result returned by the AC and performs further control processing on the wireless terminal according to the authentication result.
Case one
When the result of step 63 is that the authentication state of the wireless terminal is found, it should be understood that the authentication state corresponding to the MAC address of the wireless terminal in the AP-side identity state table may or may not be consistent with the authentication result of the wireless terminal returned by the AC. It should be noted that inconsistency between the authentication state and the authentication result rarely occurs; it may occur after the terminal's MAC entry on the authentication server has been added or deleted.
If the authentication state is consistent with the authentication result and the authentication result is authentication success, the service data messages of the wireless terminal have already been released by executing step 64, and the released state may be maintained; if the authentication result is authentication failure, the wireless terminal may be further disassociated.
If the authentication state is not consistent with the authentication result, there are two possibilities. If the authentication state is unsuccessful authentication and the authentication result is authentication success, the service data messages of the wireless terminal can be further released. If the authentication state is successful authentication and the authentication result is authentication failure, the wireless terminal may be further disassociated after its service data messages have been released by executing step 64.
On the basis of finding out the authentication state of any wireless terminal, the AP performs further control processing on any wireless terminal according to the authentication result, so that the communication control of any wireless terminal by the AP can be consistent with the real-time authentication result of any wireless terminal by the authentication server, and the reliability of a wireless access system is improved.
Based on this, step 66 may specifically include: if the authentication result is authentication failure, disassociating any wireless terminal; and if the authentication result is that the authentication is successful but the authentication state is unsuccessful, releasing the service data message of any wireless terminal.
Optionally, a corresponding passing state may be set for the wireless terminal. Before the authentication result returned by the AC is received, when the authentication state corresponding to the MAC address of the wireless terminal is found to be successful authentication, the passing state of the wireless terminal may be set to temporarily allowed to pass.
Further, after the authentication result returned by the AC is received, if the authentication result is authentication success, the passing state of the wireless terminal may be set to formally allowed to pass. The AP can therefore tell from the passing state set for a wireless terminal whether the current release of that terminal's service data messages is temporary or formal.
Based on this, in an embodiment, the method provided in this embodiment may further include: and if the found corresponding authentication state is successful authentication, setting the passing state of any wireless terminal as temporary permission to pass. Step 66 may also include: and if the authentication result is that the authentication is successful, modifying the passing state of any wireless terminal from temporary permission to formal permission.
Optionally, the method provided in this embodiment may further include: when the passing state of the wireless terminal is temporarily allowed to pass and the passing time of the wireless terminal reaches a temporary passing time threshold, intercepting the service data messages of the wireless terminal. The AP can thus limit how long the service data messages of a wireless terminal are temporarily released.
Case two
If the result of step 63 is that the authentication state of the wireless terminal is not found, then after receiving the authentication result of the wireless terminal returned by the AC, the AP may also determine whether to release the service data messages of the wireless terminal according to that authentication result. Based on this, step 66 may specifically include: step 66A, if the corresponding authentication state is not found, releasing the service data messages of the wireless terminal according to the authentication result when the authentication result is authentication success.
In the method provided by this embodiment, after the AP associates with any wireless terminal, it notifies the AC of the association information for that terminal, which includes the terminal's MAC address, and looks up the authentication state corresponding to that MAC address in the AP-side identity state table. If the corresponding authentication state is found and it is successful authentication, the AP releases the service data messages of the wireless terminal. After the AC uses the terminal's MAC address to initiate an authentication request to the authentication server and returns the authentication result to the AP, the AP performs further control processing on the wireless terminal, so that the AP's communication control of the wireless terminal is consistent with the authentication server's real-time authentication result for that terminal, which improves the reliability of the wireless access system.
In addition, if the corresponding authentication state is not found, the AP releases the service data messages of the wireless terminal according to the authentication result returned by the AC when that result is authentication success. For a wireless terminal that has no corresponding entry in the AP-side identity state table, whether its service data messages are released can therefore be controlled by the authentication result, which makes the control more reasonable.
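The Fig. 6 flow on both sides, as an added example that is not code from the patent: the AP's table lookup, the temporary and formal passing states with the temporary passing time threshold, and the AC's duration threshold that reuses the last authentication result. The class names, the `Pass` values and the `authenticate` callable standing in for the exchange with the authentication server are assumptions.

```python
from enum import Enum


class Pass(Enum):
    BLOCKED = "blocked"              # service data messages are intercepted
    TEMPORARY = "temporary"          # released from the AP-side table only
    FORMAL = "formal"                # released after the AC confirmed success
    DISASSOCIATED = "disassociated"  # authentication failed


class AcAuthDebouncer:
    """AC side of step 62 with the duration threshold (anti-jitter mechanism)."""

    def __init__(self, authenticate, duration_threshold):
        self.authenticate = authenticate    # callable(mac) -> bool, hypothetical stand-in
        self.duration_threshold = duration_threshold
        self.last = {}                      # mac -> (time of last request, its result)

    def handle_association(self, mac, now):
        previous = self.last.get(mac)
        if previous is not None and now - previous[0] < self.duration_threshold:
            return previous[1]              # too soon: return the last result to the AP
        result = self.authenticate(mac)
        self.last[mac] = (now, result)
        return result


class ApController:
    """AP side of steps 63 to 66."""

    def __init__(self, identity_table, temp_pass_threshold):
        self.identity_table = identity_table    # AP-side table: MAC -> bool
        self.temp_pass_threshold = temp_pass_threshold
        self.stations = {}                      # mac -> (Pass, time passing began)

    def on_associate(self, mac, now):
        """Steps 63 and 64: release at once only if the table says successful."""
        if self.identity_table.get(mac) is True:
            self.stations[mac] = (Pass.TEMPORARY, now)
        else:                                   # not found, or recorded as unsuccessful
            self.stations[mac] = (Pass.BLOCKED, None)
        return self.stations[mac][0]

    def on_auth_result(self, mac, success, now):
        """Step 66: the real-time result from the AC overrides the table state."""
        if mac not in self.stations:
            return None                         # terminal left before the result arrived
        state = Pass.FORMAL if success else Pass.DISASSOCIATED
        self.stations[mac] = (state, now if success else None)
        return state

    def may_forward(self, mac, now):
        """Per-message check, enforcing the temporary passing time threshold."""
        state, since = self.stations.get(mac, (Pass.BLOCKED, None))
        if state is Pass.TEMPORARY and now - since >= self.temp_pass_threshold:
            self.stations[mac] = (Pass.BLOCKED, None)   # intercept until the AC answers
            return False
        return state in (Pass.TEMPORARY, Pass.FORMAL)
```

The temporary passing time threshold is what bounds how long a stale AP-side entry can keep traffic flowing when the AC's answer is delayed or lost on the wide area link.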
It should be noted that in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that these operations may be executed out of the order presented herein or in parallel, and the order of the operations, such as step 61, step 63, etc., is merely used for distinguishing different operations, and the order itself does not represent any execution order. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
Fig. 7 is a schematic structural diagram of an authentication-based communication control apparatus according to an embodiment of the present application. As shown in fig. 7, the apparatus may include: a receiving module 71, a look-up module 72 and a control module 73.
A receiving module 71, configured to receive entry information issued by a wireless controller AC, where the entry information records a media access control MAC address of a wireless terminal and an authentication state corresponding to the MAC address, so as to obtain an AP-side identity state table, where the authentication state includes successful authentication or unsuccessful authentication;
the searching module 72 is configured to search, after associating with any wireless terminal, an authentication state corresponding to the MAC address of the any wireless terminal in the AP side identity state table;
and the control module 73 is configured to release the service data packet of any wireless terminal if the corresponding authentication state is found and the authentication state is successful authentication.
Optionally, the apparatus further includes a sending module, configured to notify the AC of association information for the any wireless terminal, where the association information includes a MAC address of the any wireless terminal, so that the AC initiates an authentication request to an authentication server using the MAC address of the any wireless terminal;
the receiving module 71 is further configured to: receiving an authentication result of any wireless terminal returned by the AC;
the control module 73 is further configured to: and according to the authentication result, further controlling and processing aiming at any wireless terminal.
Optionally, the control module 73 is configured to perform further control processing on the any wireless terminal according to the authentication result, and specifically may include:
if the authentication result is authentication failure, disassociating any wireless terminal;
and if the authentication result is that the authentication is successful but the authentication state is that the authentication is not successful, releasing the service data message of any wireless terminal.
Optionally, the control module 73 is further configured to: if the corresponding authentication state is found and the authentication state is successful, setting the passing state of any wireless terminal as temporary permission to pass;
the further control processing that the control module 73 performs for the any wireless terminal according to the authentication result further includes: if the authentication result is that the authentication is successful, modifying the passing state of the any wireless terminal from temporarily allowed to pass to formally allowed to pass.
Optionally, the control module 73 is further configured to: and when the passing state of any wireless terminal is temporarily allowed to pass and the passing time of any wireless terminal reaches a temporary passing time threshold, intercepting the service data message of any wireless terminal.
Optionally, the control module 73 is configured to perform further control processing on the any wireless terminal according to the authentication result, and specifically includes: and if the corresponding authentication state is not found, releasing the service data message of any wireless terminal according to the authentication result of any wireless terminal when the authentication result is successful.
Optionally, the receiving module 71 is further configured to: receiving an update notification sent by the AC for updating the AP side identity state table;
the lookup module 72 is further configured to: and updating the AP side identity state table according to the updating notice.
The apparatus shown in fig. 7 may perform the AP-side method provided by the foregoing method embodiment, and reference may be made to the related description of the foregoing method embodiment for a part not described in detail in this embodiment. The implementation process and technical effect of the technical solution refer to the description in the foregoing method embodiments, and are not described herein again.
Fig. 8 is a schematic structural diagram of a wireless access point according to an embodiment of the present application. As shown in fig. 8, the wireless access point may include: a memory 81 and a processor 82.
The memory 81 is used to store computer programs and may be configured to store other various data to support operations on the wireless access point. Examples of such data include instructions for any application or method operating on the wireless access point.
The memory 81 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The processor 82 is coupled to the memory 81 and executes the computer program in the memory 81 to: receive entry information issued by a wireless controller AC, where the entry information records a media access control (MAC) address of a wireless terminal and its corresponding authentication state, so as to obtain an AP-side identity state table, and the authentication state includes successful authentication or unsuccessful authentication; after associating with any wireless terminal, look up the authentication state corresponding to the MAC address of the any wireless terminal in the AP-side identity state table; and if the corresponding authentication state is found and the authentication state is successful authentication, release the service data message of the any wireless terminal.
Optionally, the processor 82 is further configured to: notifying the AC of association information for the any wireless terminal, wherein the association information comprises the MAC address of the any wireless terminal, so that the AC can initiate an authentication request to an authentication server by using the MAC address of the any wireless terminal; receiving an authentication result of any wireless terminal returned by the AC; and performing further control processing for the any wireless terminal according to the authentication result.
Optionally, the processor 82 is configured to perform further control processing for any wireless terminal according to the authentication result, and specifically includes: if the authentication result is authentication failure, disassociating any wireless terminal; and if the authentication result is that the authentication is successful but the authentication state is that the authentication is not successful, releasing the service data message of any wireless terminal.
Optionally, the processor 82 is further configured to: if the corresponding authentication state is found and the authentication state is successful, setting the passing state of any wireless terminal as temporary permission to pass;
the further control processing that the processor 82 performs for the any wireless terminal according to the authentication result further includes: if the authentication result is that the authentication is successful, modifying the passing state of the any wireless terminal from temporarily allowed to pass to formally allowed to pass.
Optionally, the processor 82 is further configured to: and when the passing state of any wireless terminal is temporarily allowed to pass and the passing time of any wireless terminal reaches a temporary passing time threshold, intercepting the service data message of any wireless terminal.
Optionally, the processor 82 is configured to perform further control processing for any wireless terminal according to the authentication result, and specifically includes: and if the corresponding authentication state is not found, releasing the service data message of any wireless terminal according to the authentication result of any wireless terminal when the authentication result is successful.
Optionally, the processor 82 is further configured to: receiving an update notification sent by the AC for updating the AP side identity state table; and updating the AP side identity state table according to the updating notice.
Further, as shown in fig. 8, the wireless access point may further include: communication components 83, power components 84, and the like. Only some of the components are schematically shown in fig. 8, and it is not meant that the wireless access point includes only the components shown in fig. 8.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program is capable of implementing the steps that can be executed by the wireless access point in the foregoing method embodiments when executed.
Fig. 9 is a schematic structural diagram of an authentication-based communication control apparatus according to another embodiment of the present application. As shown in fig. 9, the apparatus may include: a recording module 91 and a sending module 92.
A recording module 91, configured to record, according to an authentication result obtained by initiating an authentication request using a media access control MAC address of a wireless terminal, the MAC address and an authentication state corresponding to the MAC address, so as to obtain an AC side identity state table, where the authentication state includes successful authentication or unsuccessful authentication;
a sending module 92, configured to issue entry information to the AP according to the AC side identity state table, where the entry information records an MAC address of the wireless terminal and an authentication state corresponding to the MAC address, so that the AP obtains the AP side identity state table.
Optionally, the apparatus may further include a receiving module, configured to receive association information, advertised by the AP, for any wireless terminal, where the association information includes the MAC address of the wireless terminal;
the sending module 92 is further configured to: initiate an authentication request to an authentication server using the MAC address of the wireless terminal to obtain an authentication result for the wireless terminal; and return the authentication result to the AP.
Optionally, the sending module 92 is further configured to: determine whether the time interval since an authentication request was most recently initiated to the authentication server using the MAC address of the wireless terminal is greater than or equal to a time length threshold; if so, perform the step of initiating an authentication request to the authentication server using the MAC address of the wireless terminal; if not, return to the AP the authentication result obtained by that most recent authentication request.
Optionally, the sending module 92 is further configured to: when an entry in the AC side identity state table is updated, send a corresponding update notification to the AP, so that the AP updates the AP side identity state table according to the update notification.
The apparatus shown in fig. 9 can perform the AC-side method provided by the foregoing method embodiments. For parts of this embodiment that are not described in detail, and for the implementation process and technical effect of the technical solution, refer to the description of the foregoing method embodiments; they are not repeated here.
Fig. 10 is a schematic structural diagram of a wireless controller according to an embodiment of the present application. As shown in fig. 10, the wireless controller may include: a memory 101 and a processor 102.
The memory 101 is used to store computer programs and may be configured to store other various data to support operations on the wireless controller. Examples of such data include instructions for any application or method operating on the wireless controller.
The memory 101 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A processor 102, coupled to the memory 101, for executing the computer program in the memory 101 to: according to an authentication result obtained by initiating an authentication request by using a Media Access Control (MAC) address of a wireless terminal, recording the MAC address and an authentication state corresponding to the MAC address to obtain an AC side identity state table, wherein the authentication state comprises successful authentication or unsuccessful authentication; and issuing table entry information to the wireless access point AP according to the AC side identity state table, wherein the table entry information records the MAC address of the wireless terminal and the corresponding authentication state thereof, so that the AP can obtain the AP side identity state table.
Optionally, the processor 102 is further configured to: receive association information, advertised by the AP, for any wireless terminal, where the association information includes the MAC address of the wireless terminal; initiate an authentication request to an authentication server using that MAC address to obtain an authentication result for the wireless terminal; and return the authentication result to the AP.
Optionally, the processor 102 is further configured to: determine whether the time interval since an authentication request was most recently initiated to the authentication server using the MAC address of the wireless terminal is greater than or equal to a time length threshold; if so, perform the step of initiating an authentication request to the authentication server using the MAC address of the wireless terminal; if not, return to the AP the authentication result obtained by that most recent authentication request.
Optionally, the processor 102 is further configured to: when an entry in the AC side identity state table is updated, send a corresponding update notification to the AP, so that the AP updates the AP side identity state table according to the update notification.
Further, as shown in fig. 10, the wireless controller may further include: communication component 103, power component 104, and the like. Only some of the components are shown schematically in fig. 10, and the wireless controller is not meant to include only the components shown in fig. 10.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program is capable of implementing the steps that can be executed by the wireless controller in the foregoing method embodiments when executed.
In addition, an embodiment of the present application may further provide a wireless access system, including an AP and an AC for controlling the AP, where the AP may be configured to execute the AP-side method provided in the foregoing method embodiment, and the AC is configured to execute the AC-side method provided in the foregoing method embodiment.
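The AP-side and AC-side methods that this system combines can be traced end to end in the following added example, which is not code from the patent or the applicant. The class names, the `auth_server` callable, the sample MAC address and the 5 s and 60 s thresholds are assumptions, and the wide area network delay is simulated by advancing a fake clock.

```python
import time
from enum import Enum

class Pass(Enum):
    BLOCKED = "blocked"      # frames intercepted until the AC answers
    TEMPORARY = "temporary"  # released on the cached table entry alone
    FORMAL = "formal"        # released after the AC confirmed authentication

class AccessController:
    """AC side (illustrative names): MAC authentication and the AC-side table."""
    def __init__(self, auth_server, reauth_interval, clock=time.monotonic):
        self.auth_server = auth_server          # callable(mac) -> bool, a stand-in
        self.reauth_interval = reauth_interval  # the "time length threshold"
        self.clock = clock
        self.table, self.last_request, self.aps = {}, {}, []

    def register(self, ap):
        self.aps.append(ap)
        for mac, ok in self.table.items():      # issue entry information
            ap.apply_update(mac, ok)

    def on_association(self, mac):
        now, last = self.clock(), self.last_request.get(mac)
        if last is not None and now - last < self.reauth_interval:
            return self.table[mac]              # reuse the most recent result
        result = self.auth_server(mac)
        self.last_request[mac] = now
        if self.table.get(mac) != result:       # entry changed: notify every AP
            self.table[mac] = result
            for ap in self.aps:
                ap.apply_update(mac, result)
        return result

class AccessPoint:
    """AP side (illustrative names): forwarding driven by the AP-side table."""
    def __init__(self, temp_pass_limit, clock=time.monotonic):
        self.temp_pass_limit = temp_pass_limit  # temporary passing time threshold
        self.clock = clock
        self.table = {}                         # mac -> authenticated?
        self.stations = {}                      # mac -> (Pass, time of association)

    def apply_update(self, mac, authenticated):
        self.table[mac] = authenticated

    def associate(self, mac):
        mode = Pass.TEMPORARY if self.table.get(mac) is True else Pass.BLOCKED
        self.stations[mac] = (mode, self.clock())
        return mode

    def on_auth_result(self, mac, success):
        if mac in self.stations and success:
            self.stations[mac] = (Pass.FORMAL, self.clock())
        else:
            self.stations.pop(mac, None)        # authentication failed: disassociate

    def forwards(self, mac):
        mode, since = self.stations.get(mac, (Pass.BLOCKED, 0))
        if mode is Pass.TEMPORARY and self.clock() - since >= self.temp_pass_limit:
            return False                        # temporary window used up: intercept
        return mode is not Pass.BLOCKED         # True = service frame released

def run_scenario():
    """Constructed walk-through; the MAC and every timing are sample values."""
    mac = "02:00:00:00:00:01"
    allowed, calls, now, seen = {mac}, [], [0.0], {}
    def auth_server(m):
        calls.append(m)
        return m in allowed
    ac = AccessController(auth_server, reauth_interval=60, clock=lambda: now[0])
    ap = AccessPoint(temp_pass_limit=5, clock=lambda: now[0])
    ac.register(ap)
    def ac_reply():                              # AC result arriving at the AP
        ap.on_auth_result(mac, ac.on_association(mac))

    seen["first"] = (ap.associate(mac), ap.forwards(mac))    # no table entry yet
    ac_reply()
    seen["confirmed"] = ap.forwards(mac)
    now[0] = 100                                 # re-association over a slow WAN link
    seen["fast_path"] = (ap.associate(mac), ap.forwards(mac))
    now[0] = 106                                 # still no reply after 5 s
    seen["window_expired"] = ap.forwards(mac)
    ac_reply()
    seen["late_reply"] = ap.forwards(mac)
    now[0] = 120                                 # only 14 s since the last request
    ap.associate(mac)
    ac_reply()                                   # answered from the AC table
    seen["server_calls"] = len(calls)
    allowed.clear()                              # access revoked at the auth server
    now[0] = 200
    seen["stale"] = (ap.associate(mac), ap.forwards(mac))    # cached entry still True
    ac_reply()                                   # failure: disassociate, table updated
    seen["revoked"] = (ap.forwards(mac), ap.associate(mac))
    return seen
```

The `stale` step is the case to watch when sizing the temporary pass threshold: a terminal whose access was revoked but whose cached entry still reads successful has traffic released until the AC's failure result arrives or the threshold runs out, whichever comes first.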
The communication components of fig. 8 and 10 described above are configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. The device in which the communication component is located can access a wireless network based on a communication standard, such as WiFi, a mobile communication network such as 2G, 3G, 4G/LTE or 5G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The power supply components of fig. 8 and 10 described above provide power to the various components of the device in which the power supply components are located. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power component is located.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (16)

1. A communication control method based on authentication is applied to a wireless Access Point (AP), and is characterized by comprising the following steps:
receiving table entry information issued by a wireless controller AC, wherein the table entry information records a Media Access Control (MAC) address of a wireless terminal and a corresponding authentication state thereof so as to obtain an AP side identity state table, and the authentication state comprises successful authentication or unsuccessful authentication;
after being associated with any wireless terminal, searching an authentication state corresponding to the MAC address of any wireless terminal in the AP side identity state table;
and if the corresponding authentication state is found and the authentication state is successful, releasing the service data message of any wireless terminal.
2. The method of claim 1, further comprising:
notifying the AC of association information for the any wireless terminal, wherein the association information comprises the MAC address of the any wireless terminal, so that the AC can initiate an authentication request to an authentication server by using the MAC address of the any wireless terminal;
receiving an authentication result of any wireless terminal returned by the AC;
and according to the authentication result, further controlling and processing aiming at any wireless terminal.
3. The method of claim 2, wherein the performing further control processing for the any wireless terminal according to the authentication result comprises:
if the authentication result is authentication failure, disassociating any wireless terminal;
and if the authentication result is that the authentication is successful but the authentication state is unsuccessful, releasing the service data message of any wireless terminal.
4. The method of claim 3, further comprising: if the corresponding authentication state is found and the authentication state is successful, setting the passing state of any wireless terminal as temporary permission to pass;
the further control processing is performed for any wireless terminal according to the authentication result, and the method further includes: and if the authentication result is that the authentication is successful, modifying the passing state of any wireless terminal from temporary permission to formal permission.
5. The method of claim 4, further comprising:
and when the passing state of any wireless terminal is temporarily allowed to pass and the passing time of any wireless terminal reaches a temporary passing time threshold, intercepting the service data message of any wireless terminal.
6. The method of claim 2, wherein the performing further control processing for the any wireless terminal according to the authentication result comprises:
and if the corresponding authentication state is not found, releasing the service data message of any wireless terminal according to the authentication result when the authentication result is successful.
7. The method of claim 1, further comprising:
receiving an update notification sent by the AC for updating the AP side identity state table;
and updating the AP side identity state table according to the updating notice.
8. An authentication-based communication control method applied to a wireless controller (AC), the method comprising:
according to an authentication result obtained by initiating an authentication request by using a Media Access Control (MAC) address of a wireless terminal, recording the MAC address and an authentication state corresponding to the MAC address to obtain an AC side identity state table, wherein the authentication state comprises successful authentication or unsuccessful authentication;
and issuing table entry information to the wireless access point AP according to the AC side identity state table, wherein the table entry information records the MAC address of the wireless terminal and the authentication state corresponding to the MAC address so that the AP can obtain the AP side identity state table.
9. The method of claim 8, further comprising:
receiving association information, which is advertised by the AP and aims at any wireless terminal, wherein the association information comprises the MAC address of the any wireless terminal;
initiating an authentication request to an authentication server by using the MAC address of any wireless terminal to obtain an authentication result of any wireless terminal;
and returning the authentication result of any wireless terminal to the AP.
10. The method of claim 9, wherein before initiating an authentication request to an authentication server using the MAC address of the wireless terminal, further comprising:
judging whether the time interval of initiating the authentication request to the authentication server by using the MAC address of any wireless terminal at the latest time is greater than or equal to a time length threshold value or not;
if yes, executing the step of initiating an authentication request to an authentication server by using the MAC address of any wireless terminal;
the method further comprises the following steps: if not, the authentication result obtained by sending the authentication request to the authentication server by using the MAC address of any wireless terminal for the last time is returned to the AP.
11. The method of claim 8, further comprising:
and when the table entry in the AC side identity state table is updated, sending a corresponding update notification to the AP so that the AP can correspondingly update the AP side identity state table according to the update notification.
12. An authentication-based communication control device applied to a wireless Access Point (AP), the authentication-based communication control device comprising:
the receiving module is used for receiving the table entry information issued by the wireless controller AC, wherein the table entry information records the Media Access Control (MAC) address of the wireless terminal and the corresponding authentication state thereof so as to obtain an AP side identity state table, and the authentication state comprises successful authentication or unsuccessful authentication;
the searching module is used for searching the authentication state corresponding to the MAC address of any wireless terminal in the AP side identity state table after being associated with the wireless terminal;
and the control module is used for releasing the service data message of any wireless terminal if the corresponding authentication state is found and the authentication state is successful.
13. An authentication-based communication control device applied to a wireless controller (AC), the authentication-based communication control device comprising:
the system comprises a recording module, a receiving module and a processing module, wherein the recording module is used for recording a Media Access Control (MAC) address of a wireless terminal and a corresponding authentication state thereof according to an authentication result obtained by initiating an authentication request by using the MAC address of the wireless terminal so as to obtain an AC side identity state table, and the authentication state comprises successful authentication or unsuccessful authentication;
and the sending module is used for sending table item information to the wireless access point AP according to the AC side identity state table, and the table item information records the MAC address of the wireless terminal and the corresponding authentication state thereof so that the AP can obtain the AP side identity state table.
14. A wireless access point, comprising: a memory and a processor;
the memory for storing a computer program;
the processor, coupled with the memory, to execute the computer program to:
receiving table entry information issued by a wireless controller AC, wherein the table entry information records a Media Access Control (MAC) address of a wireless terminal and a corresponding authentication state thereof so as to obtain an AP side identity state table, and the authentication state comprises successful authentication or unsuccessful authentication;
after being associated with any wireless terminal, using the MAC address of the wireless terminal to search the authentication state corresponding to the MAC address of the wireless terminal in the AP side identity state table;
and if the corresponding authentication state is found and the authentication state is successful, releasing the service data message of any wireless terminal.
15. A wireless controller, comprising: a memory and a processor;
the memory for storing a computer program;
the processor, coupled with the memory, to execute the computer program to:
recording a Media Access Control (MAC) address of a wireless terminal and a corresponding authentication state thereof according to an authentication result obtained by initiating an authentication request by using the MAC address of the wireless terminal so as to obtain an AC side identity state table, wherein the authentication state comprises successful authentication or unsuccessful authentication;
and issuing the table entry information in the AC side identity state table to a wireless Access Point (AP), wherein the table entry information records the MAC address of the wireless terminal and the authentication state corresponding to the MAC address so that the AP can obtain the AP side identity state table.
16. A wireless access system, comprising: a wireless access point, AP, for performing the method of any of claims 1-7 and a wireless controller, AC, for controlling the AP, for performing the method of any of claims 8-11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111362375.9A CN114302393A (en) 2021-11-17 2021-11-17 Communication control method, device, equipment and system based on authentication

Publications (1)

Publication Number Publication Date
CN114302393A true CN114302393A (en) 2022-04-08

Family

ID=80965554

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111362375.9A Pending CN114302393A (en) 2021-11-17 2021-11-17 Communication control method, device, equipment and system based on authentication

Country Status (1)

Country Link
CN (1) CN114302393A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination