WO2010096996A1 - Method for realizing the integration of WAPI and CAPWAP in local MAC mode - Google Patents
- Publication number: WO2010096996A1 (PCT/CN2009/075537)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- site
- capwap
- wireless terminal
- access controller
- wai
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- the present invention relates to the field of network applications, and in particular, to a method for implementing WAPI and CAPWAP fusion in a local MAC mode.
- in the autonomous WLAN architecture the access point (AP) acts as a separate entity on the network that fully implements and terminates the GB 15629.11 functions, and must therefore be managed independently.
- the autonomous system architecture is adopted on the basis of the WLAN Authentication and Privacy Infrastructure (WAPI).
- the network working mode of the autonomous architecture has gradually become an obstacle to the development of wireless technology because of its inherent defects.
- the AP acts as an Internet Protocol (IP) addressable device and needs to be managed independently, including monitoring, configuration and control.
- the wireless transmission medium is used as a shared resource.
- to keep network performance up, each AP must be monitored in real time and dynamically updated according to the current usage of the shared medium; manually configuring the medium-related parameters of each AP consumes a great deal of manpower and material resources.
- the purpose of the present invention is to overcome the shortcomings of the above-mentioned autonomous WLAN network architecture and to provide a method that binds the CAPWAP (Control And Provisioning of Wireless Access Points) specification to WAPI (WLAN Authentication and Privacy Infrastructure) in local Medium Access Control (MAC) mode.
- the present invention provides a method for implementing WAPI and CAPWAP fusion in a local MAC mode, characterised in that the method includes the following steps:
- step 1) constructing the local MAC mode: splitting the MAC function and the WAPI function of the wireless access point between the wireless terminal point (WTP) and the access controller (AC);
- step 2) binding the CAPWAP specification to WAPI in the local MAC mode, which consists of steps 2.1) to 2.5) below.
- the specific steps of step 2.1) above (establishing the association link between the station, the wireless terminal point and the access controller) are as follows:
- the station passively listens to the beacon frames of the wireless terminal point to obtain its parameters, including the WAPI information element;
- or the station actively sends a probe request frame to the wireless terminal point; on receiving it, the wireless terminal point sends a probe response frame to the station, from which the station obtains the WAPI information element.
- the WAPI information element includes the authentication and key management suites and the cipher suites supported by the wireless terminal point;
- the station sends a link verification request frame to the wireless terminal point, requesting link verification;
- the wireless terminal point sends a link verification response frame to the station in reply to the link verification request frame;
- after successful link verification, the station sends an association request frame to the access controller, requesting association; the association request frame carries a WAPI information element that states the authentication and key management suite and the cipher suite selected by the station;
- the access controller parses the association request frame of the station and sends an association response frame to the station.
- the specific steps of step 2.2) above (announcing the start of the WAI protocol between the access controller and the wireless terminal point) are as follows:
- the access controller sends a CAPWAP Station Configuration Request message to the wireless terminal point;
- the message includes the Add Station, GB 15629.11 Add Station (Join Station) and GB 15629.11 Station Session Key message elements; A, a flag bit in the GB 15629.11 Station Session Key message element, is set to 1 to inform the wireless terminal point to close the controlled port for that station and forward only WAI protocol data from it;
- the wireless terminal point sends a CAPWAP Station Configuration Response message to the access controller, including a Result Code message element that reports the result of processing the CAPWAP Station Configuration Request message.
- the specific steps of step 2.3) above (running the WAI protocol between the station and the access controller) are as follows:
- the specific steps of step 2.4) above (announcing the end of the WAI protocol between the access controller and the wireless terminal point) are as follows:
- the access controller sends a CAPWAP Station Configuration Request message to the wireless terminal point, including the Add Station, GB 15629.11 Add Station and GB 15629.11 Station Session Key message elements; for the MAC address given in the message, the wireless terminal point opens the corresponding controlled port and forwards all data from that station, both WAI protocol data and non-WAI protocol data;
- the wireless terminal point sends a CAPWAP Station Configuration Response message to the access controller, including a Result Code message element that identifies the processing result of the CAPWAP Station Configuration Request message.
- the specific steps of step 2.5) above (confidential communication between the wireless terminal point and the station using WPI) are as follows:
- the wireless terminal point encrypts the data from the access controller and sends it to the station;
- the wireless terminal point decrypts and forwards the data from the station.
- step 2.5) above is further followed by step 2.6), a unicast key update process between the access controller and the station.
- the specific steps of step 2.6) above are as follows:
- the access controller sends a CAPWAP Station Configuration Request message to the wireless terminal point, including the Add Station, GB 15629.11 Add Station, GB 15629.11 Station Session Key and GB 15629.11 Information Element message elements;
- the wireless terminal point sends a CAPWAP Station Configuration Response message to the access controller, including a Result Code message element that identifies the processing result of the CAPWAP Station Configuration Request message.
- step 2.5) or step 2.6) above is further followed by step 2.7), a multicast key update process between the access controller and the station.
- the specific steps of step 2.7) above are as follows:
- the access controller sends a GB 15629.11 WLAN Configuration Request message to the wireless terminal point, containing a GB 15629.11 Update WLAN message element that carries the multicast session key (MSK) key data, the MSK index, the MSK update start identifier and the packet number (PN);
- the wireless terminal point sends a GB 15629.11 WLAN Configuration Response message to the access controller, containing a Result Code message element that identifies the processing result of the GB 15629.11 WLAN Configuration Request message;
- the access controller sends a second GB 15629.11 WLAN Configuration Request message to the wireless terminal point, whose GB 15629.11 Update WLAN message element carries the MSK index and the MSK update end identifier;
- the wireless terminal point sends a GB 15629.11 WLAN Configuration Response message to the access controller, containing a Result Code message element that identifies the processing result of the GB 15629.11 WLAN Configuration Request message.
- in this communication process, the MAC function and the WAPI function of the AP are split between the wireless terminal point WTP (Wireless Terminal Point) and the access controller AC (Access Controller).
- the WTP handles the real-time interaction with the STA (Station) required by the GB 15629.11 standard, including beacon frames and responses to probe request frames, and implements the WPI protocol; the AC handles the remaining interaction with the STA, including association and the WAI protocol.
- communication between the AC and the WTP is implemented according to the CAPWAP GB 15629.11 binding specification.
- this division of the AP functions is referred to as local MAC mode.
- the present invention has the following advantages:
- it provides a method for implementing WAPI and CAPWAP fusion in a local MAC mode; by splitting the MAC function and the WAPI function of the AP, it achieves centralised control and management of all APs in the network and meets the deployment needs of large-scale WLANs.
- it overcomes the limitation that the current autonomous network architecture based on the WAPI protocol cannot meet the requirements of large-scale WLAN deployment.
- the WAI protocol is implemented by the AC and the WPI protocol by the WTP, so the complete WAPI protocol is implemented and security is seamlessly integrated into the converged WLAN architecture.
- the invention therefore meets the large-scale deployment requirements of the WLAN while ensuring the security of the WLAN under the converged architecture.
- FIG. 1 is a message flow diagram of implementing WAPI and CAPWAP fusion in a local MAC mode;
- FIG. 2 is a flowchart of the unicast key update between an AC and a STA;
- FIG. 3 is a flowchart of the multicast key update between the AC and the STA.
- detailed description:
- the STA passively listens to the WTP's beacon frames to obtain WTP-related parameters, including the WAPI information element (the authentication and key management suites, cipher suites, etc. supported by the WTP); or the STA sends a probe request frame to the WTP, and after receiving it the WTP sends a probe response frame to the STA, from which the STA obtains the WTP-related parameters, including the WAPI information element.
- the WAPI information element includes the authentication and key management suites, the cipher suites and the like supported by the WTP;
- the STA sends a link verification request frame to the WTP, requesting link verification with the WTP;
- the WTP sends a link verification response frame to the STA in reply to the STA's link verification request frame;
- the STA sends an association request frame to the AC, requesting association with the AC; the association request frame includes a WAPI information element that states the authentication and key management suite, the cipher suite and the like selected by the STA;
- the AC parses the STA's association request frame and sends an association response frame to the STA;
- the AC sends a CAPWAP Station Configuration Request message to the WTP, including the Add Station (the MAC address of the STA), GB 15629.11 Add Station (WLAN ID) and GB 15629.11 Station Session Key (A set to 1) message elements, among others.
- the flag bit A in the GB 15629.11 Station Session Key message element is set to 1 to inform the WTP to close the controlled port and forward only WAI protocol data from the corresponding STA.
- the WTP sends a CAPWAP Station Configuration Response message to the AC, containing a Result Code message element that identifies the processing result of the CAPWAP Station Configuration Request message.
- the WAI authentication process between the AC and the STA proceeds as follows: the WTP decapsulates the WAI authentication data that the AC has encapsulated in the CAPWAP data encapsulation format and forwards it to the STA; it encapsulates the WAI authentication data from the STA in the CAPWAP data encapsulation format and sends it to the AC;
- the WAI unicast key negotiation process between the AC and the STA proceeds in the same way: the WTP decapsulates the WAI unicast key negotiation data that the AC has encapsulated in the CAPWAP data encapsulation format and forwards it to the STA; it encapsulates the WAI unicast key negotiation data from the STA in the CAPWAP data encapsulation format and sends it to the AC;
- the AC sends a CAPWAP Station Configuration Request message to the WTP, including the Add Station (the MAC address of the STA), GB 15629.11 Add Station (WLAN ID), GB 15629.11 Station Session Key (key data) and GB 15629.11 Information Element (WAPI IE, cipher algorithm WPI-SMS4) message elements, among others.
- the WTP opens the controlled port of the station corresponding to the MAC address and forwards all data from the STA, including WAI protocol data and non-WAI protocol data;
- the WTP sends a CAPWAP Station Configuration Response message to the AC, containing a Result Code message element that identifies the processing result of the CAPWAP Station Configuration Request message.
- the WTP encrypts the data from the AC and sends it to the STA;
- the WTP decrypts and forwards the data from the STA.
- the process of the present invention further includes step 2.6), a unicast key update process between the AC and the STA:
- the AC sends a CAPWAP Station Configuration Request message to the WTP, including the Add Station (the MAC address of the STA), GB 15629.11 Add Station (WLAN ID), GB 15629.11 Station Session Key (the key data of the unicast session key USK (Unicast Session Key)) and GB 15629.11 Information Element (WAPI IE, cipher algorithm WPI-SMS4) message elements, among others;
- the WTP sends a CAPWAP Station Configuration Response message to the AC, containing a Result Code message element that identifies the processing result of the CAPWAP Station Configuration Request message.
- the process of the present invention further includes step 2.7), a multicast key update process between the AC and the STA:
- when the AC needs to perform a multicast key update, it first sends a GB 15629.11 WLAN Configuration Request message to the WTP, which includes a GB 15629.11 Update WLAN message element carrying the MSK key data, the MSK index, the MSK update start identifier, the packet number PN, etc.;
- the WTP sends a GB 15629.11 WLAN Configuration Response message to the AC, containing a Result Code message element that identifies the processing result of the GB 15629.11 WLAN Configuration Request message;
- the AC then sends a GB 15629.11 WLAN Configuration Request message to the WTP, which includes a GB 15629.11 Update WLAN message element carrying the MSK index and the MSK update end identifier, among others;
- the WTP sends a GB 15629.11 WLAN Configuration Response message to the AC, containing a Result Code message element that identifies the processing result of the GB 15629.11 WLAN Configuration Request message.
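The following Python model is an added example, not code from the patent or from any vendor's implementation; it plays the WTP's role in the flow described above: the per-station controlled port that the Station Session Key element with A set to 1 closes (WAI data only) and the later key-carrying request opens (all data), plus the two-phase MSK update with its start and end identifiers. The element arguments, the 0/1 result codes and the station MAC address are constructed simplifications; the WAI EtherType 0x88B4 comes from GB 15629.11 and is not stated on this page.

```python
# Toy model of the WTP side of the flow above (constructed illustration, not the
# patent's code): per-station controlled port + two-phase multicast key update.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

WAI_ETHERTYPE = 0x88B4  # WAI protocol data (GB 15629.11): passes while the port is closed
OK, FAIL = 0, 1         # constructed Result Code values, not the real element encoding

@dataclass
class StationState:
    port_open: bool = False       # closed until the AC installs the session key
    usk: Optional[bytes] = None   # unicast session key negotiated by WAI via the AC

@dataclass
class WTP:
    stations: Dict[str, StationState] = field(default_factory=dict)
    msk: Dict[int, Tuple[bytes, int]] = field(default_factory=dict)  # index -> (key, PN)
    active_msk: Optional[int] = None    # MSK currently used for multicast
    pending_msk: Optional[int] = None   # MSK installed by a start, awaiting the end

    def station_config_request(self, mac: str, a_flag: Optional[int] = None,
                               usk: Optional[bytes] = None) -> int:
        """Add Station + GB 15629.11 Station Session Key elements (steps 2.2/2.4/2.6)."""
        st = self.stations.setdefault(mac, StationState())
        if a_flag == 1:
            st.port_open, st.usk = False, None   # close: forward WAI data only
        if usk is not None:
            st.usk, st.port_open = usk, True     # key installed: open the port
        return OK

    def forward_from_station(self, mac: str, ethertype: int) -> str:
        """What the WTP does with a frame received over the air from the STA."""
        st = self.stations.get(mac)
        if st is None:
            return "drop:unknown-station"
        if not st.port_open:   # step 2.3: only WAI data reaches the AC
            return "forward-wai" if ethertype == WAI_ETHERTYPE else "drop:port-closed"
        return "wpi-decrypt+forward"   # step 2.5: all data, WAI and non-WAI alike

    def wlan_config_request(self, msk_index: int, start: bool = False, end: bool = False,
                            key: Optional[bytes] = None, pn: Optional[int] = None) -> int:
        """GB 15629.11 Update WLAN element (step 2.7): start carries key/index/PN, end carries index."""
        if start:
            if key is None or pn is None:
                return FAIL                   # start identifier without key material
            self.msk[msk_index] = (key, pn)
            self.pending_msk = msk_index      # installed but not yet in use
            return OK
        if end:
            if msk_index != self.pending_msk:
                return FAIL                   # end for an index that was never started
            old, self.active_msk, self.pending_msk = self.active_msk, msk_index, None
            if old is not None and old != msk_index:
                self.msk.pop(old, None)       # retire the previous MSK
            return OK
        return FAIL

def replay_flow(mac: str = "00:11:22:33:44:55") -> dict:
    """Replay steps 2.2 to 2.7 for one constructed STA and record the WTP's decisions."""
    wtp, t = WTP(), {}
    t["pre_wai_cfg"] = wtp.station_config_request(mac, a_flag=1)        # 2.2: port closed
    t["wai_frame"] = wtp.forward_from_station(mac, WAI_ETHERTYPE)       # 2.3: WAI passes
    t["ip_frame_early"] = wtp.forward_from_station(mac, 0x0800)         # 2.3: IPv4 blocked
    t["post_wai_cfg"] = wtp.station_config_request(mac, usk=b"usk-1")   # 2.4: port opened
    t["ip_frame_late"] = wtp.forward_from_station(mac, 0x0800)          # 2.5: forwarded
    t["msk_start"] = wtp.wlan_config_request(1, start=True, key=b"msk-1", pn=0)
    t["msk_end"] = wtp.wlan_config_request(1, end=True)                  # 2.7 completed
    t["msk_bad_end"] = wtp.wlan_config_request(2, end=True)              # no matching start
    t["active_msk"] = wtp.active_msk
    return t
```

The point a defender should take from the replay is the gating order: a non-WAI frame from a station is dropped until the AC's second Station Configuration Request installs key material, and an MSK end identifier that does not match a preceding start is rejected rather than switching keys.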
Abstract
The invention relates to a method for realizing the integration of the Wireless Local Area Network Authentication and Privacy Infrastructure (WAPI) and Control and Provisioning of Wireless Access Points (CAPWAP) in local Media Access Control (MAC) mode. The method comprises two steps: 1) a local MAC node is constructed by splitting the MAC function and the WAPI function of a wireless access point onto a Wireless Terminal Point (WTP) and an Access Controller (AC); 2) the CAPWAP specification establishes a binding with WAPI at the local MAC node. Step 2) comprises the following steps: an association link is established between a station (STA), the WTP and the AC; the start of the WLAN Authentication Infrastructure (WAI) protocol is announced between the AC and the WTP; the WAI protocol is run between the STA and the AC; the end of the WAI protocol is announced between the AC and the WTP; confidential communication is established between the WTP and the STA using the WLAN Privacy Infrastructure (WPI). The present invention not only satisfies large-scale WLAN deployment but also ensures WLAN security under a converged system architecture.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100214175A CN101577916B (zh) | 2009-02-27 | 2009-02-27 | Method for implementing WAPI and CAPWAP fusion in local MAC mode |
CN200910021417.5 | 2009-02-27 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010096996A1 (fr) | 2010-09-02 |
Family
ID=41272662
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2009/075537 WO2010096996A1 (fr) | 2009-02-27 | 2009-12-14 | Method for realizing the integration of WAPI and CAPWAP in local MAC mode |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101577916B (fr) |
WO (1) | WO2010096996A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
RU2572825C1 (ru) * | 2012-01-18 | 2016-01-20 | Хуавей Текнолоджиз Ко., Лтд. | Method and device for a Wi-Fi terminal to access different service domains |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101646170B (zh) * | 2009-02-27 | 2011-08-17 | 西安西电捷通无线网络通信股份有限公司 | Method for implementing WAPI and CAPWAP fusion in split MAC mode |
CN101577916B (zh) * | 2009-02-27 | 2011-07-06 | 西安西电捷通无线网络通信股份有限公司 | Method for implementing WAPI and CAPWAP fusion in local MAC mode |
CN102281594B (zh) * | 2011-09-06 | 2014-06-11 | 华为技术有限公司 | Packet forwarding method, wireless access node and system |
CN102547850B (zh) * | 2012-02-22 | 2014-04-09 | 深圳市共进电子股份有限公司 | Method for implementing a CAPWAP tunnel |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101013940A (zh) * | 2006-12-22 | 2007-08-08 | 西安电子科技大学 | Identity authentication method compatible with 802.11i and WAPI |
US20080072047A1 (en) * | 2006-09-20 | 2008-03-20 | Futurewei Technologies, Inc. | Method and system for capwap intra-domain authentication using 802.11r |
CN101247295A (zh) * | 2007-02-13 | 2008-08-20 | 华为技术有限公司 | Method and apparatus for obtaining access controller information in a wireless local area network |
CN101577978A (zh) * | 2009-02-27 | 2009-11-11 | 西安西电捷通无线网络通信有限公司 | Method for implementing a converged WAPI network architecture in local MAC mode |
CN101577916A (zh) * | 2009-02-27 | 2009-11-11 | 西安西电捷通无线网络通信有限公司 | Method for implementing WAPI and CAPWAP fusion in local MAC mode |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7426550B2 (en) * | 2004-02-13 | 2008-09-16 | Microsoft Corporation | Extensible wireless framework |
CN100369434C (zh) * | 2006-07-31 | 2008-02-13 | 西安西电捷通无线网络通信有限公司 | Method for implementing a WAPI-based virtual local area network in a wireless local area network |
CN100583752C (zh) * | 2006-11-30 | 2010-01-20 | 北京中电华大电子设计有限责任公司 | Method and apparatus for coexistence of WAPI and CCMP in an 802.11 chip |
2009
- 2009-02-27 CN CN2009100214175A patent/CN101577916B/zh not_active Expired - Fee Related
- 2009-12-14 WO PCT/CN2009/075537 patent/WO2010096996A1/fr active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN101577916B (zh) | 2011-07-06 |
CN101577916A (zh) | 2009-11-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09840664 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 09840664 Country of ref document: EP Kind code of ref document: A1 |