CN117134931A - Network access method and related equipment - Google Patents

Publication number: CN117134931A
Authority: CN (China)
Prior art keywords: network access, network, gateway, terminal, access
Legal status: Pending
Application number: CN202211193959.2A
Other languages: Chinese (zh)
Inventor: 韩志冲
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Classifications

    • G06F3/061 Improving I/O performance
    • G06F3/0616 Improving the reliability of storage systems in relation to life time, e.g. increasing Mean Time Between Failures [MTBF]
    • G06F3/0644 Management of space entities, e.g. partitions, extents, pools
    • G06F3/0652 Erasing, e.g. deleting, data cleaning, moving of data to a wastebasket
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Telephonic Communication Services (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

An embodiment of the application provides a network access method and related equipment. The method comprises: a network access device receives a first message sent by a terminal, where the first message includes an automatic network access identifier indicating that the network access device supports automatic network access configuration, and also includes identity information of the terminal; the network access device reports the identity information to a network controller for a network access audit; after the terminal passes the network access audit and obtains a network access credential from the network controller, the network access device admits the terminal to the network according to the network access credential. The method allows the terminal to be connected to the network quickly and securely.

Description

Network access method and related equipment
The present application claims priority from China patent office, application No. 202210577854.0, application name "Internet of things end network collaboration System", filed 25 months 2022, the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to computer networks, and in particular, to a network access method and related devices.
Background
The Internet of Things (IoT) refers to collecting, in real time, information about any object or process that needs to be monitored, connected or interacted with, by means of devices and technologies such as information sensors, radio frequency identification, global positioning systems, infrared sensors and laser sensors; gathering the required information such as sound, light, heat, electricity, mechanics, chemistry, biology and position; and, through various forms of network access, realizing ubiquitous connection of objects and people as well as intelligent sensing, identification and management of objects and processes. The Internet of Things is an information carrier based on the Internet, traditional telecommunication networks and the like, which allows all ordinary physical objects that can be independently addressed to form an interconnected network.
In an Internet of Things system, a terminal (such as a boundary manager or an ultra-wideband locator) often needs to be connected to a network and then, through the network, to a gateway device. Typically, the terminal joins the network with no security protection or only weak security protection, so the security of this access mode is low. Alternatively, an installer configures the network settings on the terminal and the terminal joins the network according to that configuration; this access mode places higher demands on the installer and is less efficient. Current network access methods therefore cannot connect a terminal to the network both quickly and securely.
Disclosure of Invention
The embodiments of the application provide a network access method and related equipment that can connect a terminal to a network quickly and securely.
A first aspect of the application discloses a network access method applied to a network access device. The method comprises: receiving a first message sent by a terminal, where the first message includes an automatic network access identifier indicating that the network access device supports automatic network access configuration, and includes identity information of the terminal; reporting the identity information to a network controller for a network access audit; and, after the terminal passes the network access audit and obtains a network access credential from the network controller, admitting the terminal to the network according to the network access credential.
In the network access method provided by the embodiments of the application, the first message sent by the terminal to the network access device is extended to carry the automatic network access identifier, and the terminal is connected to the network quickly and securely on the basis of that identifier. Compared with network access with no security protection or weak security protection, the method is more secure. Compared with network access in which an installer configures the network settings on the terminal, the method lowers the skill required of installers and improves network access efficiency: the installer only needs to install and power up the terminal, and no network configuration is needed.
In some optional embodiments, the automatic network access identifier is included in a data segment of the first message.
The data segment is highly extensible, and carrying the automatic network access identifier in the data segment of the first message allows the terminal to be connected to the network conveniently and quickly.
In some optional embodiments, the first message comprises an 802.1x Identity message.
802.1x is an access control and authentication protocol based on a client/server (C/S) architecture and is widely used in networks. Using an 802.1x Identity message as the first message allows the terminal to be connected to the network conveniently, quickly and securely.
In some optional embodiments, while the terminal obtains the network access credential from the network controller, the method further includes: receiving a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) access request sent by the terminal; and, in response to the HTTP or HTTPS access request, returning a network access credential application address to the terminal, where the network access credential application address is used to apply to the network controller for the network access credential.
Returning the network access credential application address to the terminal after receiving the terminal's HTTP or HTTPS access request improves the security with which the terminal obtains the network access credential.
In some optional embodiments, before receiving the first message sent by the terminal, the method further includes: sending a second message to the terminal, where the second message includes the automatic network access identifier and the terminal sends the first message after receiving the second message.
The network access device can send the terminal a second message that includes the automatic network access identifier, so that the terminal sends the first message in response to the second message. This lets the terminal easily identify whether the network access device supports automatic network access and improves the efficiency of automatic network access.
A second aspect of the application discloses a network access method applied to a terminal. The method comprises: sending a first message to a network access device, where the first message includes identity information of the terminal and the network access device reports the identity information to a network controller for a network access audit; if the network access audit is passed, obtaining a network access credential from the network controller; and accessing the network according to the network access credential.
In the network access method provided by the embodiments of the application, the first message sent by the terminal to the network access device is extended to carry the automatic network access identifier, and the terminal can be connected to the network quickly and securely on the basis of that identifier. Compared with network access with no security protection or weak security protection, the method is more secure. Compared with network access in which an installer configures the network settings on the terminal, the method lowers the skill required of installers and improves network access efficiency: the installer only needs to install and power up the terminal, and no network configuration is needed.
In some optional embodiments, obtaining the network access credential from the network controller includes: sending a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) access request to the network access device; receiving the network access credential application address returned by the network access device in response to the HTTP or HTTPS access request; sending a network access credential request to the network controller according to the network access credential application address; and receiving the network access credential returned by the network controller in response to the network access credential request.
The terminal sends an HTTP or HTTPS access request to the network access device, and the network access device returns the network access credential application address to the terminal after receiving that request; this improves the security with which the terminal obtains the network access credential.
In some optional embodiments, the method further comprises: broadcasting a gateway discovery request in the network; receiving a gateway discovery response returned by at least one gateway device in the network in response to the gateway discovery request; determining a target gateway device from the at least one gateway device; sending a gateway registration request to the target gateway device, where the target gateway device reports the gateway registration request to a gateway controller for a gateway access audit; receiving a gateway access credential returned by the gateway controller through the target gateway device, where the gateway controller returns the gateway access credential through the target gateway device when the terminal passes the gateway access audit; and accessing the target gateway device according to the gateway access credential.
The gateway discovery request is broadcast in the network, the target gateway device is determined from the gateway discovery responses returned by the gateway devices, and the gateway registration request is sent to the target gateway device, which reports it to the gateway controller for the gateway access audit. In this way the terminal can access the gateway device securely and conveniently.
In some optional embodiments, the gateway discovery response includes gateway load information, and determining the target gateway device from the at least one gateway device includes: determining the target gateway device from the at least one gateway device according to the gateway load information.
With this technical solution, the terminal can determine a suitable target gateway device from the at least one gateway device according to the gateway load information, thereby achieving load balancing across the gateway devices.
In some optional embodiments, the method further comprises: performing data transmission with the target gateway device according to the gateway access credential.
After accessing the gateway device, the terminal can perform secure data transmission with the target gateway device according to the gateway access credential.
In some optional embodiments, before sending the first message to the network access device, the method further includes: detecting whether a second message sent by the network access device has been received; and, if the second message has been received, sending the first message to the network access device.
By detecting whether the second message sent by the network access device has been received, and sending the first message to the network access device if it has, the terminal can quickly identify whether the network access device supports automatic network access, which improves the efficiency of automatic network access.
A third aspect of the application discloses a network access device, applied to a network access apparatus, that has the function of implementing the first aspect or any optional implementation of the first aspect. The network access device comprises at least one unit/module for implementing the method provided in the first aspect or any optional implementation of the first aspect. In some embodiments, the units/modules in the network access device are implemented in software and are program modules. In other embodiments, the units/modules in the network access device are implemented in hardware or firmware. For specific details of the network access device provided in the third aspect, refer to the first aspect or any optional implementation of the first aspect; they are not repeated here.
A fourth aspect of the application discloses a network access device, for use in a terminal, that has the function of implementing the second aspect or any optional implementation of the second aspect. The network access device comprises at least one unit/module for implementing the method of the second aspect or any optional implementation of the second aspect. In some embodiments, the units/modules in the network access device are implemented in software and are program modules. In other embodiments, the units/modules in the network access device are implemented in hardware or firmware. For details of the network access device provided in the fourth aspect, refer to the second aspect or any optional implementation of the second aspect; they are not repeated here.
A fifth aspect of the application discloses a computer readable storage medium comprising computer instructions which, when run on a computing device, cause the computing device to perform the network access method of the first or second aspect.
A sixth aspect of the application discloses a computing device comprising a processor and a memory, the memory being used to store instructions and the processor being used to invoke the instructions in the memory so that the computing device performs the network access method of the first or second aspect.
A seventh aspect of the application discloses a computer program product which, when run on a computing device, causes the computing device to perform the network access method of the first or second aspect.
An eighth aspect of the application discloses a network system including a network access device and a terminal, where the network access device performs the network access method of the first aspect and the terminal performs the network access method of the second aspect.
It should be understood that the network access devices of the third and fourth aspects, the computer readable storage medium of the fifth aspect, the computing device of the sixth aspect, the computer program product of the seventh aspect, and the network system of the eighth aspect all correspond to the methods of the first and second aspects. For the advantages they achieve, refer to the advantages of the corresponding methods above; they are not repeated here.
Drawings
Fig. 1 is a schematic diagram of an application scenario of a network access method provided by an embodiment of the present application.
Fig. 2 is a flowchart of a network access method according to an embodiment of the present application.
Fig. 3 is a schematic diagram of a message format of an 802.1x Identity message according to an embodiment of the present application.
Fig. 4 is a flowchart of a network access method according to another embodiment of the present application.
Fig. 5 is a flowchart of a network access method according to another embodiment of the present application.
Fig. 6 is a flowchart of a network access method according to another embodiment of the present application.
Fig. 7 is a schematic diagram of a message format of a CoAP-based gateway discovery request according to an embodiment of the present application.
Fig. 8 is a schematic structural diagram of a network access device according to an embodiment of the present application.
Fig. 9 is a schematic structural diagram of a network access device according to another embodiment of the present application.
Fig. 10 is a schematic diagram of a computing device according to an embodiment of the present application.
Detailed Description
In the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between associated objects and covers three relationships; for example, "A and/or B" may represent: A alone, both A and B, or B alone, where A and B may each be singular or plural. The terms "first", "second", "third", "fourth" and the like in the description, the claims and the drawings, if any, are used to distinguish between similar objects and not necessarily to describe a particular sequential or chronological order.
In embodiments of the application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In order to better understand the network access method and the related devices provided by the embodiments of the present application, an application scenario of the network access method provided by the embodiments of the present application is first described below.
Fig. 1 is a schematic diagram of an application scenario of a network access method provided by an embodiment of the present application.
The network access method provided by the embodiments of the application is applied to an Internet of Things system. As shown in Fig. 1, the Internet of Things system 10 includes at least one terminal 101, a network access device 102, a network controller 103, at least one gateway device 104, and a gateway controller 105. The terminal 101 and the network access device 102, and the network access device 102 and the gateway device 104, may be connected in a wired or wireless manner. For example, they may be connected wirelessly by Bluetooth, wireless fidelity (Wi-Fi), Z-Wave, long range radio (LoRa), Zigbee, narrowband Internet of Things (NB-IoT), a cellular network, and the like. They may also be connected by wired means such as Ethernet, RS232, RS485 and universal serial bus (USB).
Communication between the network access device 102 and the network controller 103, and between the gateway device 104 and the gateway controller 105, may take place over a communication network, which may be a wired network or a wireless network. For example, the communication network may be a local area network (LAN) or a wide area network (WAN), such as the Internet. When the communication network is a local area network, it may be, for example, a Wi-Fi network, a Wi-Fi P2P network, a Bluetooth network, a Zigbee network, or a near field communication (NFC) network. When the communication network is a wide area network, it may be, for example, a third generation mobile communication technology (3G) network, a fourth generation mobile communication technology (4G) network, a fifth generation mobile communication technology (5G) network, a future evolved public land mobile network (PLMN), or the Internet.
There are a number of possible product forms for the terminal 101. For example, the terminal 101 includes, but is not limited to, a boundary manager, an ultra-wideband locator, a smart light, a smart curtain, a smart refrigerator, a smart television, a smart washing machine, and the like.
The network controller 103 and the gateway controller 105 may be virtual control devices. For example, the network controller 103 and the gateway controller 105 are, respectively, a network control system and a gateway control system deployed on computing devices. The network controller 103 and the gateway controller 105 may be deployed on the same computing device or on different computing devices. The network controller 103 and the gateway controller 105 may also be physical control devices. A computing device may be a server, a computer, or the like.
Fig. 2 is a flowchart of a network access method according to an embodiment of the present application. The network access method is applied to an internet of things system (for example, the internet of things system 10 in fig. 1).
201. The terminal sends the first message to the network access device.
The first message includes an automatic network access identifier indicating that the network access device supports automatic network access configuration. In one embodiment of the application, the automatic network access identifier may be denoted as "iConnect".
In one embodiment of the application, the automatic network access identifier is included in a data segment of the first message. For example, the first message is an 802.1x Identity message, and the automatic network access identifier is included in the data segment of the 802.1x Identity message. The data segment is highly extensible, and carrying the automatic network access identifier in the data segment of the first message allows the terminal to be connected to the network conveniently and quickly.
The 802.1x protocol is an access control and authentication protocol based on a client/server (C/S) architecture. The 802.1x protocol authenticates user devices in order to restrict unauthorized devices from accessing the network. 802.1x is widely used in networks, and using an 802.1x Identity message as the first message allows the terminal to be connected to the network conveniently, quickly and securely.
Fig. 3 is a schematic diagram of the message format of an 802.1x Identity message. As shown in Fig. 3, the 802.1x Identity message has four parts: Protocol Version, Packet Type, Packet Body Length, and Packet Body. The Packet Body contains four fields: Code, Identifier, Length, and Data. Code occupies the first byte and identifies the message type, which may be Request or Response. Identifier occupies byte 2 and is used to match a Request with its Response. Length occupies bytes 3-4 and describes the length of the message body. Data occupies bytes 5 to (4+Length) and carries the data to be transferred.
The first message also includes identity information of the terminal. In the embodiments of the application, the identity information of the terminal may also be included in the data segment of the first message.
The identity information of the terminal is used to identify the terminal. It may be a character string composed of manufacturer, product, model and serial number; for example, the identity information of the terminal may be expressed as "manufacturer-product-model-serial number". The identity information of the terminal may also take other forms, such as an industrial internet identifier.
In one embodiment of the application, the automatic network access identifier and the identity information may be represented in the form "automatic network access identifier: identity information" (that is, the automatic network access identifier and the identity information are concatenated). For example, the automatic network access identifier and the identity information may be represented in the data segment of the first message in the form "iConnect: manufacturer-product-model-serial number".
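The first message as the network access device would have to parse it, shown as an added example that is not code from the patent. It reads the Fig. 3 description as byte positions (Code byte 1, Identifier byte 2, Length bytes 3-4, Data bytes 5 to 4+Length, so Length counts only Data; standard EAP per RFC 3748 instead counts the four header bytes and places a Type octet before the identity). The field sizes of the outer header, the Response code, the character policy, the length cap and all function names are assumptions.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

AUTO_ONBOARD_MARKER = "iConnect"   # marker string given on the page
EAPOL_TYPE_EAP_PACKET = 0          # IEEE 802.1X packet type for an EAP packet
EAP_CODE_RESPONSE = 2              # RFC 3748: 1 = Request, 2 = Response
MAX_DATA_LEN = 253                 # assumed local cap on the Data field
# Assumed character policy: the identity is later shown on the audit page,
# so only a conservative token alphabet is accepted.
FIELD_RE = re.compile(r"[A-Za-z0-9._]+")
SERIAL_RE = re.compile(r"[A-Za-z0-9._-]+")


class FrameError(ValueError):
    """The first message is malformed or not what the access device expects."""


@dataclass(frozen=True)
class TerminalIdentity:
    manufacturer: str
    product: str
    model: str
    serial: str


@dataclass(frozen=True)
class FirstMessage:
    identifier: int
    auto_onboard: bool
    identity: Optional[TerminalIdentity]  # None for an ordinary 802.1x identity
    raw: str


def build_frame(data: bytes, identifier: int = 1, length: Optional[int] = None) -> bytes:
    """Terminal side: wrap Data in the Fig. 3 layout (length override is for testing)."""
    body = struct.pack("!BBH", EAP_CODE_RESPONSE, identifier,
                       len(data) if length is None else length) + data
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(body)) + body


def build_first_message(identity: str, identifier: int = 1) -> bytes:
    return build_frame(f"{AUTO_ONBOARD_MARKER}:{identity}".encode("ascii"), identifier)


def parse_identity(text: str) -> TerminalIdentity:
    parts = text.split("-", 3)  # assumption: only the serial number may contain '-'
    if len(parts) != 4:
        raise FrameError("identity must be manufacturer-product-model-serial")
    if not all(FIELD_RE.fullmatch(p) for p in parts[:3]) or not SERIAL_RE.fullmatch(parts[3]):
        raise FrameError("identity field is empty or has disallowed characters")
    return TerminalIdentity(*parts)


def parse_first_message(frame: bytes) -> FirstMessage:
    """Access-device side: validate every length before trusting the payload."""
    if len(frame) < 8:
        raise FrameError("frame shorter than the two fixed headers")
    _version, ptype, body_len = struct.unpack_from("!BBH", frame, 0)
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise FrameError("not an EAP packet")
    if body_len < 4 or body_len > len(frame) - 4:
        raise FrameError("Packet Body Length disagrees with the frame size")
    body = frame[4:4 + body_len]  # drops link-layer padding, if any
    code, identifier, length = struct.unpack_from("!BBH", body, 0)
    if code != EAP_CODE_RESPONSE:
        raise FrameError("terminal identity must arrive in a Response")
    # Page layout: Data occupies bytes 5..(4+Length), so Length == len(Data).
    if length != len(body) - 4 or not 0 < length <= MAX_DATA_LEN:
        raise FrameError("Length field disagrees with the body size")
    data = body[4:]
    if not all(0x20 <= b <= 0x7E for b in data):
        raise FrameError("Data contains non-printable bytes")
    raw = data.decode("ascii")
    marker, sep, rest = raw.partition(":")
    if not sep or marker != AUTO_ONBOARD_MARKER:
        return FirstMessage(identifier, False, None, raw)  # normal 802.1x path
    return FirstMessage(identifier, True, parse_identity(rest.strip()), raw)
```

The parsed identity is only a claim made by the terminal; it is the input to the network access audit, not a result of it.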
In one embodiment of the present application, before the terminal sends the first message to the network access device, it detects whether a second message sent by the network access device is received, where the second message includes an automatic network access identifier, and is used to instruct the network access device to support automatic network access. If the second message sent by the network access equipment is received, the terminal sends the first message to the network access equipment. The network access device may trigger network access authentication and send the second message to the terminal. Or the terminal can trigger network access authentication, send an authentication start message, and send a second message to the terminal after the network access equipment receives the authentication start message. The terminal determines whether the network access equipment supports automatic network access by detecting whether the second message is received or not, so that the automatic network access efficiency is improved.
202, the network access device reports the identity information of the terminal to the network controller for network access verification.
In one embodiment of the present application, after receiving the identity information reported by the network access device, the network controller may notify the network administrator to perform a network access audit. The network controller can provide a network access audit interface; the network administrator can open this interface and audit the terminal according to the identity information of the terminal shown there. The network access audit interface can display a network access audit list, and the network administrator can add the identity information of the terminal to the list of terminals to be audited. The network administrator reads the identity information of the terminal from the network access audit list, audits the terminal according to that identity information, and returns the network access audit result to the network controller: a passed result if the audit passes, and a failed result if it does not.
In other embodiments of the present application, the network controller may perform network access auditing on the terminal according to a preset network access rule. The network access rule is related to the identity information of the terminal, and can be preset by a network administrator. And after receiving the identity information reported by the network access equipment, the network controller performs network access verification on the terminal according to the network access rule.
203, the network controller returns the network access audit result to the terminal through the network access device.
If the network access verification passes, the network controller returns the network access verification result passing the network access verification to the terminal through the network access equipment. If the network access audit fails, the network controller returns a network access audit result of the network access audit failure to the terminal through the network access equipment.
204, if the network access verification passes, the terminal acquires the network access credential from the network controller through the network access device.
In one embodiment of the application, the terminal may send a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) access request to the network access device. In response to the HTTP or HTTPS access request, the network access device returns a network access credential application address to the terminal. The terminal applies to the network controller for the network access credential according to this address. Returning the network access credential application address to the terminal after receiving its HTTP or HTTPS access request can improve the security with which the terminal obtains the network access credential.
205, the network access device connects the terminal to the network according to the network access credential.
That is, the network access device authenticates the terminal according to the network access credential and, after the authentication succeeds, connects the terminal to the network.
In the embodiment shown in fig. 2, the terminal sends a first message to the network access device, where the first message includes an automatic network access identifier and identity information of the terminal, and the network access device reports the identity information of the terminal to the network controller for network access audit, so as to ensure validity of access of the terminal. The terminal passing the verification is issued with the network access certificate, the terminal is accessed to the network based on the network access certificate, and the terminal not passing the verification cannot be accessed to the network. The network access method provided by the embodiment of the application can be used for rapidly and safely accessing the terminal into the network. Compared with the network access mode without safety protection or with weak safety protection, the network access method provided by the embodiment of the application has higher safety. Compared with a network access mode of network configuration of a terminal by constructors, the network access method provided by the embodiment of the application reduces the skill requirements on constructors and improves the network access efficiency. The constructor only needs to install and power up the terminal, and network configuration is not needed.
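The rule-based network access audit described for step 202 can be sketched as follows. This is an added example, not code from the patent: the rule structure, the allowed character set for identity fields, the first-match-wins ordering with default deny, and all sample identities are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Sequence, Tuple

AUTO_ID = "iConnect"  # automatic network access identifier used on the page

# Assumption: identity fields use only these characters, which keeps the
# "-" separators unambiguous. The page does not define a character set.
FIELD_RE = re.compile(r"[A-Za-z0-9_.]{1,32}")


@dataclass(frozen=True)
class TerminalIdentity:
    manufacturer: str
    product: str
    model: str
    serial: str


@dataclass(frozen=True)
class AccessRule:
    """Hypothetical preset rule: exact device type, glob on the serial number."""
    manufacturer: str
    product: str
    model: str
    serial_glob: str
    allow: bool


def parse_first_message(data_segment: str) -> TerminalIdentity:
    """Parse 'iConnect:manufacturer-product-model-serial'; raise ValueError if malformed."""
    marker, sep, identity = data_segment.partition(":")
    if not sep or marker != AUTO_ID:
        raise ValueError("automatic network access identifier missing")
    fields = identity.strip().split("-")
    if len(fields) != 4:
        raise ValueError("expected manufacturer-product-model-serial")
    for field in fields:
        # Rejects empty fields and glob metacharacters such as "*" that would
        # otherwise interact with the serial_glob comparison below.
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"illegal identity field {field!r}")
    return TerminalIdentity(*fields)


def audit(data_segment: str, rules: Sequence[AccessRule]) -> Tuple[bool, str]:
    """Return (passed, reason). First matching rule wins; no match means fail."""
    try:
        ident = parse_first_message(data_segment)
    except ValueError as exc:
        return False, f"malformed first message: {exc}"
    device_type = (ident.manufacturer, ident.product, ident.model)
    for rule in rules:
        same_type = device_type == (rule.manufacturer, rule.product, rule.model)
        if same_type and fnmatchcase(ident.serial, rule.serial_glob):
            verdict = "allowed" if rule.allow else "denied"
            return rule.allow, f"{verdict} by rule for serial {rule.serial_glob}"
    return False, "no preset rule matches"


# Constructed sample rules: one blocked unit listed before the general allow rule.
RULES = [
    AccessRule("acme", "tempsensor", "t100", "SN20239999", allow=False),
    AccessRule("acme", "tempsensor", "t100", "SN2023*", allow=True),
]

if __name__ == "__main__":
    for sample in ("iConnect:acme-tempsensor-t100-SN20230001",
                   "iConnect:acme-tempsensor-t100-SN20239999",
                   "iConnect:acme-temp-sensor-t100-SN20230001"):
        print(sample, "->", audit(sample, RULES))
```

The identity string is reported by the terminal itself, so a passed audit only decides whether a network access credential may be issued; admission to the network still depends on the credential-based authentication in step 205.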
Fig. 4 is a flowchart of a network access method according to another embodiment of the present application. In the flow chart shown in fig. 4, a terminal accesses a network through an 802.1x protocol.
401, the network controller brings the network access device under its management.
402, the network controller turns on 802.1x network authentication of the network access device.
403, the network controller configures the pre-authorization domain and the authorized domain.
The pre-authorization domain and the authorized domain are used for controlling the access rights of the terminal. The pre-authorization domain defines the range accessible to users that have not been authenticated, and the authorized domain defines the range accessible to users that have been authenticated. The pre-authorization domain may include a Dynamic Host Configuration Protocol (DHCP) server and a certificate server. The network controller may redirect HTTP or HTTPS access requests for destinations outside the pre-authorization domain to the HTTP or HTTPS link address corresponding to the certificate issue request.
404, the terminal sends an 802.1x start message (802.1x Start) to the network access device. The 802.1x start message is used to trigger 802.1x authentication.
405, after receiving the 802.1x start message, the network access device sends an 802.1x Identity request message to the terminal. The 802.1x Identity request message includes the automatic network access identifier, which indicates that the network access device supports automatic network access configuration.
406, after receiving the 802.1x Identity request message, the terminal returns an 802.1x Identity response message to the network access device. The 802.1x Identity response message includes the automatic network access identifier and the Identity information of the terminal.
407, the network access device reports the identity information of the terminal to the network controller.
408, the network controller sends the identity information of the terminal to the network administrator.
409, the network administrator performs network access checking on the terminal according to the identity information of the terminal, and returns the network access checking result to the network controller.
410, if the network access audit passes, the network access device performs 802.1-CHAPv2 authentication on the terminal. The network access device interacts with the network controller, receives the network access audit result of the terminal from the network controller, and returns the 802.1-CHAPv2 authentication result to the network controller.
411, if the 802.1-CHAPv2 authentication of the terminal succeeds, the network controller sets the pre-authorization domain for the terminal.
412, the terminal applies to the network controller for a pre-authorization domain IP address.
413, the terminal sends an HTTP or HTTPS access request to the network access device based on the pre-authorization domain IP address.
414, after receiving the HTTP or HTTPS access request of the terminal, the network access device returns the network access credential application address to the terminal.
415, the terminal applies to the network controller for the network access credential according to the network access credential application address.
After receiving the network access credential sent by the network controller, the terminal stores it locally.
416, the network access device performs 802.1x EAP-TLS authentication on the terminal based on the network access credential. The network access device interacts with the network controller and returns the result of the 802.1x EAP-TLS authentication to the network controller.
417, if the 802.1x EAP-TLS authentication of the terminal succeeds, the network controller authorizes the service domain for the terminal.
After the service domain is authorized for the terminal, the terminal is connected to the network and can access network data normally.
Fig. 5 is a flowchart of a network access method according to another embodiment of the present application. The network access method is applied to an internet of things system (for example, the internet of things system 10 in fig. 1). In the network access method shown in fig. 5, after the terminal accesses the network, the terminal accesses the gateway device through the network.
501, the terminal sends a first message to the network access device.
The specific process of the terminal sending the first message to the network access device may be referred to above in connection with 201.
502, the network access device reports the identity information of the terminal to the network controller for network access audit.
The specific process of the network access device reporting the identity information of the terminal to the network controller for network access auditing may be described above with reference to 202.
503, the network controller returns the network access audit result to the terminal through the network access device.
The specific process of the network controller returning the network access auditing result to the terminal through the network access device may be described above with reference to 203.
504, if the network access verification passes, the terminal acquires the network access credential from the network controller through the network access device.
For the specific process by which the terminal obtains the network access credential from the network controller through the network access device when the network access audit passes, see the description of 204 above.
505, the network access device accesses the terminal to the network according to the access credentials.
For the specific process by which the network access device connects the terminal to the network according to the network access credential, see the description of 205 above.
506, the terminal broadcasts a gateway discovery request in the network.
507, the gateway device returns a gateway discovery reply in response to the gateway discovery request.
One or more gateway devices may return a gateway discovery response.
508, the terminal determines the target gateway device from the gateway devices that returned a gateway discovery response.
If the gateway device returning the gateway discovery response is one, the terminal takes the gateway device returning the gateway discovery response as the target gateway device. If the number of gateway devices returning the gateway discovery response is plural, the terminal determines one gateway device from the plural gateway devices returning the gateway discovery response as the target gateway device.
In one embodiment of the present application, the gateway discovery reply includes gateway load information, and the terminal determines the target gateway device from the plurality of gateway devices that returned gateway discovery replies according to the gateway load information. The gateway load information may include the number of devices accessed, CPU occupancy, memory occupancy, etc. The gateway device with the lowest load may be selected as the target gateway device. Because the terminal chooses a suitable target gateway device from the at least one gateway device according to the gateway load information, the load of the gateway devices can be balanced.
509, the terminal sends a gateway registration request to the target gateway device.
510, the target gateway device reports the gateway registration request to the gateway controller for gateway access audit.
After receiving the gateway registration request, the gateway controller may send the gateway registration request to a network administrator, so that the network administrator performs gateway access audit on the terminal.
511, if the terminal passes the gateway access audit, the gateway controller returns the gateway access credential to the terminal through the target gateway device.
512, the terminal accesses the target gateway device according to the gateway access credentials.
The terminal accesses the target gateway equipment to establish communication connection with the target gateway equipment. After the terminal is accessed to the target gateway equipment, data transmission can be carried out with the target gateway equipment according to the gateway access certificate.
In the network access method shown in fig. 5, the terminal can access the network quickly and safely. After the network is accessed, the terminal broadcasts a gateway discovery request in the network, determines target gateway equipment based on a gateway discovery response returned by the gateway equipment, and sends a gateway registration request to the target gateway equipment, so that the target gateway equipment reports the gateway registration request to a gateway controller for gateway access audit, and the terminal can safely and conveniently access the gateway equipment.
Fig. 6 is a flowchart of a terminal accessing a gateway device in a network access method according to an embodiment of the present application. In the flowchart shown in fig. 6, the terminal accesses the gateway device via the Constrained Application Protocol (CoAP). In other embodiments of the application, the terminal may access the gateway device via other protocols.
601, the terminal sends a CoAP-based gateway discovery request to the gateway device.
The terminal may send a CoAP-based gateway discovery request to the gateway device according to the multicast address. The multicast address includes a plurality of addresses in the network, and the multicast address can be customized. The uniform resource identifier (URI) of the CoAP-based gateway discovery request may be defined as gateway_discover, and the entire URI may be expressed as coap://multicast_ip/gateway_discover.
Fig. 7 is a schematic diagram of a message format of a CoAP-based gateway discovery request according to an embodiment of the present application. The CoAP-based gateway discovery request may be encoded in JSON format. As shown in fig. 7, the CoAP-based gateway discovery request may include fields for identity information, device name, IP address, load information, discovery mode, message type, gateway access credentials, etc.
602, the gateway device returns a CoAP-based gateway discovery reply.
In the network, when a gateway device receives a CoAP-based gateway discovery request whose URI is gateway_discover, it sends a CoAP unicast response to the terminal, returning the CoAP-based gateway discovery reply. The CoAP-based gateway discovery reply carries the IP address and load information of the gateway device. Like the CoAP-based gateway discovery request, the CoAP-based gateway discovery reply may be encoded in JSON format.
603, the terminal determines the target gateway device from the gateway devices that return the gateway discovery response.
The gateway discovery reply may include gateway load information from which the terminal determines a target gateway device from among the gateway devices that returned the gateway discovery reply.
604, the terminal sends a CoAP-based gateway registration request to the target gateway device.
The terminal sends the gateway registration request to the URI corresponding to the IP address of the target gateway device it has determined, where the gateway registration request may be expressed as: coap://ip/gateway_discover. The gateway registration request carries the identity information of the terminal, such as the manufacturer-product-model-serial number.
605, the target gateway device reports the gateway registration request to the gateway controller for gateway access audit.
The target gateway device may report the gateway registration request to the gateway controller via the Message Queuing Telemetry Transport (MQTT) protocol.
After receiving the gateway registration request, the gateway controller may send the gateway registration request to a network administrator, and notify the network administrator to perform gateway access audit on the terminal.
606, if the terminal passes the gateway access audit, the gateway controller returns the gateway access credential to the terminal through the target gateway device.
If the terminal passes the gateway access audit, the gateway controller can allocate a unique communication handle deviceID to the terminal and issue a device certificate and a root certificate. The deviceID and certificate information may be returned by the gateway controller to the target gateway device via the MQTT protocol.
The target gateway device may return a CoAP-based gateway registration reply to the terminal, with the gateway access credentials (e.g., deviceID, device certificate, and root certificate) carried in the CoAP-based gateway registration reply.
607, the target gateway device authenticates the terminal according to the gateway access credentials.
The target gateway device may authenticate the terminal based on the Datagram Transport Layer Security (DTLS) protocol.
After the target gateway equipment successfully authenticates the terminal, the terminal establishes communication connection with the target gateway equipment (namely accesses the target gateway equipment).
608, the terminal performs data transmission with the target gateway device.
The terminal and the target gateway device can perform data transmission based on CoAP and DTLS.
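The load-based choice of the target gateway device in steps 508 and 603 can be sketched as follows, with validation of each JSON-encoded discovery reply before it is considered. This is an added example, not code from the patent: the JSON key names, the load-score weights, the device capacity, the check that the claimed IP address equals the address the unicast reply arrived from, and the sample replies are all assumptions.

```python
import ipaddress
import json
from typing import Iterable, Optional, Tuple

# Assumptions (not from the patent): the JSON key names used below, the
# device capacity used for normalisation, and the weights of the load score.
DEVICE_CAPACITY = 200
WEIGHTS = {"cpu": 0.5, "mem": 0.3, "devices": 0.2}


def _percent(value) -> Optional[float]:
    """Accept a number in 0..100; reject bools, strings, NaN and out-of-range values."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return float(value) if 0 <= value <= 100 else None


def parse_reply(raw: bytes, source_ip: str):
    """Return (score, ip) for a well-formed reply, or None if it must be ignored."""
    try:
        msg = json.loads(raw)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("ip"), str):
        return None
    load = msg.get("load")
    if not isinstance(load, dict):
        return None
    try:
        claimed = ipaddress.ip_address(msg["ip"])
    except ValueError:
        return None
    # The reply is unicast, so the address it carries should be the one it
    # arrived from; a mismatch is treated as an invalid reply.
    if claimed != ipaddress.ip_address(source_ip):
        return None
    cpu, mem = _percent(load.get("cpu")), _percent(load.get("mem"))
    devices = load.get("devices")
    if cpu is None or mem is None:
        return None
    if isinstance(devices, bool) or not isinstance(devices, int) or devices < 0:
        return None
    fill = min(devices / DEVICE_CAPACITY, 1.0) * 100
    score = WEIGHTS["cpu"] * cpu + WEIGHTS["mem"] * mem + WEIGHTS["devices"] * fill
    return score, claimed


def select_target_gateway(replies: Iterable[Tuple[bytes, str]]) -> Optional[str]:
    """Pick the lowest-load gateway; ties go to the numerically lowest address."""
    candidates = [r for r in (parse_reply(raw, src) for raw, src in replies) if r]
    if not candidates:
        return None
    _, best = min(candidates, key=lambda c: (c[0], c[1].version, int(c[1])))
    return str(best)


# Constructed sample replies as (payload, source address of the datagram).
SAMPLE_REPLIES = [
    (b'{"ip": "192.0.2.10", "load": {"devices": 40, "cpu": 35, "mem": 50}}', "192.0.2.10"),
    (b'{"ip": "192.0.2.11", "load": {"devices": 5, "cpu": 20, "mem": 30}}', "192.0.2.11"),
    (b'{"ip": "192.0.2.12", "load": {"devices": 0, "cpu": -5, "mem": 0}}', "192.0.2.12"),
    (b'{"ip": "192.0.2.11", "load": {"devices": 0, "cpu": 0, "mem": 0}}', "192.0.2.13"),
    (b'{not json', "192.0.2.14"),
]

if __name__ == "__main__":
    print(select_target_gateway(SAMPLE_REPLIES))
```

The terminal only trusts the chosen gateway after the registration, audit and DTLS authentication in steps 604 to 607; the load score decides where to register, not whom to trust.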
Fig. 8 is a schematic structural diagram of a network access apparatus according to an embodiment of the present application.
With reference to the application scenario shown in fig. 1, the network access apparatus 80 shown in fig. 8 may be provided in the network access device 102 in fig. 1. The network access apparatus 80 may include: a first receiving module 801, configured to receive a first message sent by a terminal, where the first message includes an automatic network access identifier, the automatic network access identifier indicates that a network access device supports automatic network access configuration, and the first message includes identity information of the terminal; a reporting module 802, configured to report the identity information to the network controller for network access audit; and a first access module 803, configured to connect the terminal to the network according to the network access credential after the terminal passes the network access audit and obtains the network access credential from the network controller.
In some embodiments of the application, the automatic network entry identification is included in a data segment of the first message.
In some embodiments of the present application, the first message comprises an 802.1x Identity message.
In some embodiments of the present application, the first access module 803 is configured to: receive a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) access request sent by a terminal; and, in response to the HTTP or HTTPS access request, return the network access credential application address to the terminal, where the network access credential application address is used for applying to the network controller for the network access credential.
In some embodiments of the present application, the network access apparatus 80 further comprises: a second sending module, configured to send a second message to the terminal, where the second message includes an automatic network access identifier and the terminal sends the first message after receiving the second message.
Fig. 9 is a schematic structural diagram of a network access apparatus according to another embodiment of the present application.
With reference to the application scenario shown in fig. 1, the network access apparatus 90 shown in fig. 9 may be provided in the terminal 101 in fig. 1. The network access apparatus 90 may include: a first sending module 901, configured to send a first message to a network access device, where the first message includes identity information of a terminal, and the identity information is reported by the network access device to a network controller for network access audit; an obtaining module 902, configured to obtain a network access credential from the network controller if the network access audit is passed; and a second access module 903, configured to access the network according to the network access credential.
In some embodiments of the application, the obtaining module 902 is configured to: send a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) access request to a network access device; receive a network access credential application address returned by the network access device in response to the HTTP or HTTPS access request; send a network access credential request to a network controller according to the network access credential application address; and receive the network access credential returned by the network controller in response to the network access credential request.
In some embodiments of the application, the second access module 903 is further configured to: broadcasting a gateway discovery request in a network; receiving a gateway discovery response returned by at least one gateway device in the network in response to the gateway discovery request; determining a target gateway device from the at least one gateway device; a gateway registration request is sent to target gateway equipment, and the gateway registration request is reported to a gateway controller by the target gateway equipment for gateway access audit; receiving gateway access credentials returned by the gateway controller through the target gateway equipment, and returning the gateway access credentials by the gateway controller through the target gateway equipment when the terminal passes the gateway access audit; and accessing the target gateway equipment according to the gateway access certificate.
In some embodiments of the present application, the gateway discovery reply includes gateway load information, and the second access module 903 is configured to: and determining the target gateway device from the at least one gateway device according to the gateway load information.
In some embodiments of the present application, the network access apparatus 90 further comprises: a transmission module, configured to perform data transmission with the target gateway device according to the gateway access credentials.
In some embodiments of the present application, the first sending module 901 is configured to: detecting whether a second message sent by the network access equipment is received or not; and if the second message is received, sending the first message to the network access equipment.
The apparatus embodiments depicted in fig. 8 and 9 are merely illustrative, e.g., the division of the above units/modules is merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple units/modules or components may be combined or integrated into another system, or some features may be omitted, or not performed. The functional units/modules in the embodiments of the present application may be integrated into one processing unit/module, or each unit/module may exist alone physically, or two or more units/modules may be integrated into one unit/module.
The various units/modules in the network access apparatuses 80, 90 are implemented in whole or in part by software, hardware, firmware, or any combination thereof.
In the case of a software implementation, for example, the first receiving module 801, the reporting module 802 and the access module 803 are implemented by software functional units/modules generated after the program codes stored in the memory 1102 are read by the at least one processor 1001 in fig. 10.
In the case of a hardware implementation, for example, each of the units/modules described above in fig. 8 is implemented by different hardware in the computing device, respectively, for example, the first receiving module 801 is implemented by a portion of the processing resources (e.g., one core or two cores in the multi-core processor) in at least one processor 1001 in fig. 10, while the reporting module 802 and the accessing module 803 are implemented by the remaining portion of the processing resources (e.g., other cores in the multi-core processor) in at least one processor 1001 in fig. 10, or by a programmable device such as a field-programmable gate array (field-programmable gate array, FPGA), or a coprocessor.
In the case of a combination of software and hardware, for example, the reporting module 802 is implemented by a hardware programmable device, and the reporting module 802 and the access module 803 are software functional units/modules that are generated after the CPU reads the program codes stored in the memory.
The basic hardware structure associated with a computing device is illustrated below.
Fig. 10 is a schematic structural diagram of a computing device according to an embodiment of the present application.
The computing device 100 shown in fig. 10 may be the terminal 101 in fig. 1 or the network access device 102 in fig. 1.
Computing device 100 includes a processor 1001, memory 1002, bus 1003, input-output interface 1004, and communication interface 1005. The bus 1003 is used to connect the processor 1001, the memory 1002, the input-output interface 1004, and the communication interface 1005, and to realize data transfer among the processor 1001, the memory 1002, the input-output interface 1004, and the communication interface 1005. For example, the processor 1001 receives a command from the input-output interface 1004 through the bus 1003, decrypts the received command, and performs calculation or data processing according to the decrypted command. Memory 1002 may include program modules, which may be comprised of software, firmware, hardware, or at least two of them. The input-output interface 1004 forwards commands or data entered by a user through an input device (e.g., sensor, keyboard, touch screen). The communication interface 1005 connects the computing device 100 with other devices (e.g., the internet of things controller 101, the terminal 103, etc.), networks. The communication interface 1005 may also be connected to a network by wire or wirelessly to connect to other devices outside.
In some embodiments, the processor 1001 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), or a digital signal processor (DSP).
The memory 1002 includes volatile memory, such as random access memory (RAM). The memory 1002 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD), or a solid state drive (SSD).
Bus 1003 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one line is shown in fig. 10, but this does not mean that there is only one bus or one type of bus. Bus 1003 may include a path to transfer information between various components of computing device 100 (e.g., memory 1002, processor 1001, communication interface 1005).
Communication interface 1005 enables communication between computing device 100 and other devices or communication networks using a transceiver module such as, but not limited to, a network interface card, transceiver, or the like.
In some embodiments, the memory 1002 stores executable program codes, for example, the processor 1001 executes the executable program codes to implement the functions of the first receiving module 801, the reporting module 802, and the first accessing module 803 shown in fig. 8, respectively, so as to implement the network access method in the embodiment of the present application. That is, the memory 1002 has instructions stored thereon for performing the network access method according to the embodiment of the present application.
The present embodiment also provides a computer storage medium having stored therein computer instructions that, when executed on a physical gateway, cause the physical gateway to perform the above-described related method steps to implement the network access method in the above-described embodiments.
The present embodiment also provides a computer program product which, when run on a physical gateway, causes the physical gateway to perform the above-described related steps to implement the network access method in the above-described embodiments.
In addition, embodiments of the present application also provide an apparatus, which may be embodied as a chip, component or module, which may include a processor and a memory coupled to each other; the memory is configured to store computer-executable instructions, and when the device is running, the processor may execute the computer-executable instructions stored in the memory, so that the chip executes the network access method in the above method embodiments.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are illustrative: the division into modules or units is merely a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units/modules or components may be combined or integrated into another apparatus, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units/modules, and may be in electrical, mechanical or other forms.
The units/modules illustrated as separate components may or may not be physically separate, and the components shown as units/modules may be one physical unit or multiple physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units/modules may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, each functional unit/module in the embodiments of the present application may be integrated in one processing unit/module, or each unit/module may exist alone physically, or two or more units/modules may be integrated in one unit/module. The integrated units/modules described above may be implemented either in hardware or in software functional units/modules.
If the integrated units/modules are implemented in the form of software functional units/modules and sold or used as a stand-alone product, they may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application in essence, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely illustrative of specific embodiments of the present application, and the scope of the present application is not limited thereto; any changes or substitutions within the technical scope of the present application shall be covered by the scope of the present application.

Claims (15)

1. A network access method applied to a network access device, the method comprising:
receiving a first message sent by a terminal, wherein the first message comprises an automatic network access identifier, the automatic network access identifier indicates that the network access equipment supports automatic network access configuration, and the first message comprises identity information of the terminal;
reporting the identity information to a network controller for network access verification;
and after the terminal passes the network access audit and acquires the network access certificate from the network controller, accessing the terminal into a network according to the network access certificate.
2. The network access method of claim 1, wherein the automatic network access identifier is included in a data segment of the first message.
3. The network access method according to claim 1 or 2, wherein the first message comprises an 802.1x Identity message.
4. The network access method according to any one of claims 1 to 3, wherein during the process of the terminal obtaining network access credentials from the network controller, the method further comprises:
receiving a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) access request sent by the terminal;
and responding to the HTTP or HTTPS access request, returning an access certificate application address to the terminal, wherein the access certificate application address is used for applying to the network controller for the access certificate.
5. The network access method according to any one of claims 1 to 4, wherein before the receiving the first message sent by the terminal, the method further comprises:
and sending a second message to the terminal, wherein the second message comprises the automatic network access identifier, and the terminal sends the first message after receiving the second message.
6. A network access method applied to a terminal, the method comprising:
sending a first message to the network access equipment, wherein the first message comprises the identity information of the terminal, and the identity information is reported to a network controller by the network access equipment for network access verification;
if the network access verification is passed, acquiring a network access certificate from the network controller;
and accessing a network according to the network access certificate.
7. The network access method of claim 6, wherein the obtaining network access credentials from the network controller comprises:
sending a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) access request to the network access equipment;
receiving an access certificate application address returned by the network access equipment in response to the HTTP or HTTPS access request;
sending a network access credential request to the network controller according to the network access credential application address;
and receiving the network access credential returned by the network controller in response to the network access credential request.
8. The network access method of claim 6 or 7, wherein the method further comprises:
broadcasting a gateway discovery request in the network;
receiving a gateway discovery response returned by at least one gateway device in the network in response to the gateway discovery request;
determining a target gateway device from the at least one gateway device;
sending a gateway registration request to the target gateway equipment, wherein the gateway registration request is reported to a gateway controller by the target gateway equipment for gateway access audit;
receiving gateway access credentials returned by the gateway controller through the target gateway device, wherein the gateway controller returns the gateway access credentials by using the target gateway device when the terminal passes gateway access audit;
and accessing the target gateway equipment according to the gateway access certificate.
9. The network access method of any of claims 6 to 8, wherein the gateway discovery response includes gateway load information, and wherein determining a target gateway device from the at least one gateway device comprises:
and determining the target gateway equipment from the at least one gateway equipment according to the gateway load information.
10. The network access method according to any one of claims 6 to 9, wherein the method further comprises:
and carrying out data transmission with the target gateway equipment according to the gateway access certificate.
11. The network access method according to any of claims 6 to 10, wherein before the sending the first message to the network access device, the method further comprises:
detecting whether a second message sent by the network access equipment is received or not;
and if the second message is received, sending the first message to the network access equipment.
12. A network access apparatus for use in a network access device, the apparatus comprising:
the first receiving module is used for receiving a first message sent by a terminal, wherein the first message comprises an automatic network access identifier, the automatic network access identifier indicates that the network access equipment supports automatic network access configuration, and the first message comprises identity information of the terminal;
the reporting module is used for reporting the identity information to a network controller for network access verification;
and the first access module is used for accessing the terminal into a network according to the network access certificate after the terminal passes the network access audit and acquires the network access certificate from the network controller.
13. A network access apparatus applied to a terminal, the apparatus comprising:
the first sending module is used for sending a first message to the network access equipment, wherein the first message comprises the identity information of the terminal, and the identity information is reported to a network controller by the network access equipment for network access verification;
the acquisition module is used for acquiring the network access certificate from the network controller if the network access audit is passed;
and the second access module is used for accessing the network according to the network access certificate.
14. A computing device comprising a processor and a memory, the processor being configured to invoke instructions in the memory to cause the computing device to perform the network access method of any of claims 1-5, or 6-11.
15. A network system comprising a network access device performing the network access method of any one of claims 1-5 and a terminal performing the network access method of any one of claims 6-11.
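The exchange in claims 1 to 7 can be modelled as below. This is an added illustration, not code from the application: the class and function names, the flag encoding, the placeholder address and the HMAC-based credential are all assumptions, since the claims do not define a credential format or how the network access device validates it.

```python
import hmac, hashlib, secrets

AUTO_ONBOARD_FLAG = b"AUTO-ONBOARD"   # assumed marker; the claims do not define its encoding

class NetworkController:
    """Reviews reported identities and issues network access credentials."""
    def __init__(self, approved_ids):
        self._key = secrets.token_bytes(32)      # signing key never leaves the controller
        self._approved = set(approved_ids)
        self._reviewed = set()

    def review(self, identity):                  # claim 1: network access review
        if identity in self._approved:
            self._reviewed.add(identity)
        return identity in self._reviewed

    def issue_credential(self, identity):        # claim 7: credential request
        if identity not in self._reviewed:
            return None                          # no credential without a passed review
        return hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()

    def verify(self, identity, credential):      # assumed check; not specified in the claims
        expected = hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()
        return credential is not None and hmac.compare_digest(expected, credential)

class AccessDevice:
    """Network access device side of claims 1 to 4."""
    CREDENTIAL_URL = "https://controller.example/credential"   # placeholder address

    def __init__(self, controller):
        self.controller = controller
        self.pending = set()

    def on_first_message(self, data, identity):
        if AUTO_ONBOARD_FLAG not in data:        # claim 2: flag sits in the data segment
            return False
        self.pending.add(identity)
        return self.controller.review(identity)  # report the identity for review

    def on_http_request(self, identity):         # claim 4: answer with the application address
        return self.CREDENTIAL_URL if identity in self.pending else None

    def admit(self, identity, credential):       # admit only on a controller-verified credential
        return identity in self.pending and self.controller.verify(identity, credential)

def onboard(device, controller, identity, data=AUTO_ONBOARD_FLAG):
    """Terminal side (claims 6 and 7); True only if the access device admits the terminal."""
    device.on_first_message(data, identity)
    if device.on_http_request(identity) is None:
        return False
    return device.admit(identity, controller.issue_credential(identity))
```

In this model a terminal whose identity fails the review reaches the credential application address but receives no credential, and the access device rejects any credential the controller did not issue.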
CN202211193959.2A 2022-05-25 2022-09-28 Network access method and related equipment Pending CN117134931A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2022105778540 2022-05-25
CN202210577854 2022-05-25

Publications (1)

Publication Number Publication Date
CN117134931A true CN117134931A (en) 2023-11-28

Family

ID=88853299

Family Applications (6)

Application Number Title Priority Date Filing Date
CN202211112132.4A Pending CN117176693A (en) 2022-05-25 2022-09-13 Internet of Things communication method, Internet of Things gateway, Internet of Things system and readable storage medium
CN202211109943.9A Pending CN117176373A (en) 2022-05-25 2022-09-13 Network equipment and communication system
CN202211110294.4A Pending CN117176374A (en) 2022-05-25 2022-09-13 Equipment authentication method, device and system and electronic equipment
CN202211108145.4A Pending CN117134889A (en) 2022-05-25 2022-09-13 Certificate management method and device
CN202211193959.2A Pending CN117134931A (en) 2022-05-25 2022-09-28 Network access method and related equipment
CN202211311715.XA Pending CN117130538A (en) 2022-05-25 2022-10-25 Data processing method and terminal

Country Status (1)

Country Link
CN (6) CN117176693A (en)

Also Published As

Publication number Publication date
CN117176374A (en) 2023-12-05
CN117134889A (en) 2023-11-28
CN117176373A (en) 2023-12-05
CN117130538A (en) 2023-11-28
CN117176693A (en) 2023-12-05

Legal Events

Date Code Title Description
PB01 Publication