WO2015196687A1 - Authentication management method and apparatus, wlan access device and communication system - Google Patents


Info

Publication number
WO2015196687A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
wlan
authentication request
wlan terminal
module
Prior art date
Application number
PCT/CN2014/090238
Other languages
French (fr)
Chinese (zh)
Inventor
徐永千
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2015196687A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/02 Traffic management, e.g. flow control or congestion control
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the present invention relates to the field of authentication management technologies, and in particular, to an authentication management method, apparatus, WLAN access device, and communication system.
  • WLAN (Wireless Local Area Networks) refers to the application of wireless communication technology to interconnect computer devices into a network system in which the devices can communicate with each other and share resources.
  • WLAN technology is used more and more widely and is no longer limited to private settings such as home wireless Internet access: in public areas such as airports, libraries, exhibition halls, cafes and conference halls, WLAN channels can be searched for and easily accessed for fast Internet access.
  • At present the WLAN networking mode is generally the "fat" mode. In the so-called fat mode, the configuration of each WLAN access device is held in its own default database (so-called "self-management"), and in the network structure the WLAN access devices are independent of each other. In this case a WLAN access device can only be configured or modified through its own web page or through telnet. Given the large-scale demand for WLAN access devices, the significant disadvantage of this mode is that the access devices of the whole network cannot be centrally controlled and can only be controlled one by one: large-scale networking is difficult, network maintenance costs are high, and carrier-grade network maintenance becomes almost impossible.
  • In the so-called thin mode, a single WLAN access device is responsible only for data transmission, terminal access management, encryption, authentication and the like, while the remaining configuration management is done by the WLAN management device; see FIG. 1. That is, in the transition from fat mode to thin mode the WLAN access device does less work and the WLAN management device takes over part of the management work for it, so that the WLAN access device can focus on the basic work of sending and receiving data, which also makes carrier-scale networking and maintenance possible.
  • The encryption methods commonly used in a WLAN generally include SHARE-KEY, WPA-PSK, WPA2-PSK, WPA/WPA2-PSK, WPA-EAP, WPA2-EAP, WPA/WPA2-EAP, WAPI-PSK, WAPI-CERT, WEP-EAP, and so on.
  • For all of these, the WLAN access device needs an encryption/authentication module that carries out the encryption process and is responsible for notifying the WLAN access device of the encryption authentication result; the WLAN access device then notifies the terminal's network card of that result, so that the terminal network card learns the result in time. If the authentication succeeds, the terminal network card further sends an association request to the WLAN access device.
  • The following takes the typical WPA/WPA2-PSK encryption mode as an example and describes the problems that appear on the actual live network after the WLAN management device uniformly changes the negotiation key:
  • The interaction currently in wide use between the WLAN terminal, the WLAN access device and the WLAN management device includes the following steps:
  • After the WLAN terminal (for example a pad, a notebook or a mobile phone) obtains the information of a nearby WLAN access device, the WLAN terminal sends an association request to the WLAN access device.
  • The WLAN access device receives the association request and establishes an association with the terminal.
  • The WLAN terminal sends an encryption authentication request to the WLAN access device.
  • The WiFi encryption authentication management module of the WLAN access device performs the authentication process using mechanisms such as key agreement and the four-way handshake, and then sends the authentication result for the WLAN terminal to the WLAN access device.
  • The WLAN access device further informs the WLAN terminal in the form of a message, so that the WLAN terminal can reselect the access mode as needed;
  • The WLAN terminal successfully establishes a connection with the WLAN access device after receiving the authentication success message sent by the WLAN access device.
  • After the WLAN terminal has successfully established a connection with the WLAN access device, the WLAN access device sends a message that the terminal was successfully associated to the WLAN management device, through a private protocol between the WLAN access device and the WLAN management device.
  • If the authentication fails, the WLAN access device sends an association failure message to the WLAN management device, sends a message to notify the WLAN terminal that its authentication has failed, clears the relevant information of the terminal, and waits for the next authentication request from the WLAN terminal.
  • When the network is deployed on a large scale, the WLAN management device continuously receives the association success/failure messages of terminals. If at this time the WLAN management device uniformly modifies the key of the WLAN access devices, the WLAN terminals are forced offline because of the key error and their authentication fails. Since the mechanism generally adopted by the terminal NIC is to remember the last key by default, after the key authentication fails the NIC keeps sending authentication messages to the WLAN access device using the key it retained last time.
  • Because the WLAN management device manages a large number of WLAN access devices at the same time, and each WLAN access device serves a large number of WLAN terminal network cards at the same time, the repeated re-authentication mechanism of the terminal network cards eventually causes the WLAN management device to receive a large number of terminal authentication failure messages simultaneously. This easily congests the communication link between the WLAN access device and the WLAN management device, causing the device's message mechanism to crash or communication between the WLAN management device and the WLAN access device to fail, and eventually the WLAN management device loses its management capability.
  • The main technical problem to be solved by the present invention is to provide an authentication management method, device, WLAN access device and communication system that address the problem that, when the WLAN access device feeds back the authentication result of every authentication request to the WLAN management device, congestion between the WLAN access device and the WLAN management device easily occurs.
  • A method of authentication management, including: receiving an authentication request sent by a WLAN terminal for establishing a WLAN connection; determining whether the authentication request is an invalid authentication request continuously sent by the WLAN terminal; and, if yes, not feeding back the processing result of the authentication request to the WLAN management device.
  • The step of determining whether the authentication request is an invalid authentication request continuously sent by the WLAN terminal comprises either of the following:
  • performing the authentication process according to the authentication request and, if the authentication fails, further determining whether the last authentication of the WLAN terminal also failed; if yes, determining that the authentication request is an invalid authentication request continuously sent by the WLAN terminal; or
  • matching the authentication request against the invalid authentication requests in an authentication failure list and, if the match succeeds, determining that the authentication request is an invalid authentication request continuously sent by the WLAN terminal, where the authentication failure list stores the authentication request that the WLAN terminal sent when its most recent authentication failed.
  • The method may further include: before the step of receiving the authentication request sent by the WLAN terminal, establishing an association with the WLAN terminal;
  • where N is an integer greater than or equal to 1.
  • An authentication management device includes an information receiving module, a determining module, and a processing module, wherein
  • the information receiving module is configured to: receive an authentication request sent by the WLAN terminal to establish a WLAN connection;
  • the determining module is configured to: determine whether the authentication request is an invalid authentication request continuously sent by the WLAN terminal, and if yes, send the determination result to the processing module;
  • the processing module is configured to: after receiving the determination result, not feed back the processing result of the authentication request to the WLAN management device.
  • the determining module includes an authentication submodule and an analysis submodule, where
  • the authentication sub-module is configured to: perform authentication on the authentication request and, if the authentication fails, notify the analysis sub-module;
  • the analysis sub-module is configured to: determine whether the last authentication of the WLAN terminal also failed, and if yes, determine that the authentication request is an invalid authentication request continuously sent by the WLAN terminal;
  • alternatively, the determining module includes a matching sub-module configured to: match the authentication request against the invalid authentication requests in the authentication failure list and, if the match succeeds, determine that the authentication request is an invalid authentication request continuously sent by the WLAN terminal, wherein the authentication failure list stores the authentication request that the WLAN terminal sent when its most recent authentication failed.
  • the device further includes a statistics module and a message management module, where
  • the statistics module is configured to: count the number of times the WLAN terminal continuously sends an invalid authentication request;
  • the message management module is configured to: when it is determined that the WLAN terminal has continuously sent the invalid authentication request more than the set number of times, and/or that the frequency at which it continuously sends the invalid authentication request is greater than the set frequency threshold, send to the WLAN terminal a management instruction notifying the WLAN terminal to stop sending the authentication request.
  • the device further includes a communication module and a connection management module, wherein
  • the communication module is configured to: establish an association with the WLAN terminal before the information receiving module receives the authentication request;
  • the connection management module is configured to: when the message management module has sent the management command to the WLAN terminal N consecutive times and still receives the invalid authentication request sent by the WLAN terminal, notify the communication module to disconnect the association with the WLAN terminal, wherein N is greater than or equal to 1.
  • A WLAN access device includes a memory and a processor, where
  • the memory is configured to: store at least one program instruction; and
  • the processor is configured to: invoke the program instruction to execute the above-described authentication management method.
  • a communication system includes a WLAN management device, a WLAN terminal, and the WLAN access device described above; the WLAN terminal, the WLAN access device, and the WLAN management device are sequentially connected in communication.
  • a computer program comprising program instructions that, when executed by an authentication management device, cause the authentication management device to perform the above-described authentication management method.
  • With the authentication management method, device, WLAN access device and communication system provided by the technical solution of the present invention, after an authentication request for establishing a WLAN connection sent by a WLAN terminal is received, it is determined whether the authentication request is an invalid authentication request continuously sent by the WLAN terminal; if yes, the processing result of the authentication request is not fed back to the WLAN management device. That is, in the embodiment of the present invention the WLAN access device no longer feeds back to the WLAN management device an authentication failure message for every invalid authentication request that the WLAN terminal sends continuously and repeatedly; it feeds back to the WLAN management device only the WLAN terminal's authentication success and the message notification of the first authentication failure. Therefore the amount of message interaction between the WLAN access device and the WLAN management device can be greatly reduced and the various abnormalities caused by message blocking between the two can be avoided, which is particularly suitable for the scenario in which the WLAN management device uniformly modifies the key of the WLAN access devices.
  • FIG. 1 is a schematic diagram of networking of a WLAN communication system in which a management mode is “thin mode”;
  • FIG. 2 is a schematic diagram of an authentication management method provided in another embodiment of the present invention.
  • FIG. 3 is a schematic diagram of an authentication management device provided in another embodiment 2 of the present invention.
  • FIG. 4 is a schematic structural diagram of a WLAN access device according to another embodiment 3 of the present invention.
  • FIG. 5 is a schematic diagram of an authentication management method provided in another embodiment 3 of the present invention.
  • Embodiment 1:
  • The authentication management method provided in this embodiment is applicable to a WLAN communication system whose management mode is the thin mode; the method includes the following steps:
  • First, the authentication management device establishes an association with the WLAN terminal (including any terminal supporting a WLAN connection, such as a pad or a smart phone). The authentication management device in this embodiment may be the WLAN access device shown in FIG. 1, or may be implemented by a third-party device independent of the WLAN access device. When it is the WLAN access device it associates with the WLAN terminal directly; otherwise it associates with the WLAN terminal indirectly through the WLAN access device, that is, the authentication management device is associated with the WLAN access device and the WLAN access device is associated with the WLAN terminal. In addition, in current communication practice the WLAN terminal generally initiates the request;
  • Step 202 The authentication management apparatus receives an authentication request that is sent by the WLAN terminal and is used to establish a WLAN connection.
  • the authentication request includes an authentication key, and may further include identification information of the WLAN terminal.
  • Step 203: The authentication management apparatus determines whether the authentication request is an invalid authentication request continuously sent by the WLAN terminal; if yes, go to step 204, otherwise go to step 205. Here a continuously sent invalid authentication request means an authentication request that fails authentication while the authentication request the WLAN terminal sent last time also failed authentication;
  • Step 204: The authentication management device does not feed back the processing result of the authentication request to the WLAN management device. That is, when the authentication management device in this embodiment is implemented by the WLAN access device, the WLAN access device does not feed back the processing result to the WLAN management device; if the authentication management device is implemented by a third-party device independent of the WLAN access device, it sends the WLAN access device a notification that the processing result is not to be fed back, so as to control the WLAN access device not to feed back the processing result to the WLAN management device;
  • Step 205: The authentication management device feeds back the processing result of the authentication request to the WLAN management device normally. That is, when the authentication management device is implemented by the WLAN access device, it feeds back the result of the successful or failed authentication to the WLAN management device normally; if the authentication management device is independent of the WLAN access device, it sends the WLAN access device a notification that the processing result is to be fed back normally, and the WLAN access device then reports the result of the successful or failed authentication to the WLAN management device according to that notification.
  • In this way, for the invalid authentication requests that a WLAN terminal sends continuously and repeatedly, the WLAN access device no longer feeds back each authentication failure to the WLAN management device; it feeds back to the WLAN management device only the WLAN terminal's authentication success and the first authentication failure.
  • The manner of determining whether the authentication request is an invalid authentication request continuously sent by the WLAN terminal may be chosen according to the specific application scenario.
  • Two specific manners are given below as examples, but it should be understood that the determination is not limited to these two:
  • Manner 1: The authentication process is performed according to the received authentication request. If the authentication fails, it is determined whether the last authentication of the WLAN terminal also failed; if yes, the authentication request is determined to be an invalid authentication request continuously sent by the WLAN terminal.
  • Manner 2: Maintaining an authentication failure list. The authentication failure list stores the authentication request that the WLAN terminal sent when its most recent authentication failed. The received authentication request is matched against the invalid authentication requests in the authentication failure list; if the match succeeds, the authentication request is determined to be an invalid authentication request continuously sent by the WLAN terminal.
  • For example, when a WLAN terminal sends its first authentication request: if the authentication succeeds, the request is not recorded in the authentication failure list; if the authentication fails, the request is recorded in the authentication failure list.
  • For the second authentication request sent by the WLAN terminal, it is determined whether this request is already stored in the authentication failure list (generally, the WLAN terminal information and the authentication key included in the request are the same). If yes, the second request is the same as the request that failed last time, and it is determined to be an invalid authentication request continuously sent by the WLAN terminal; if not, normal authentication processing is performed on the request. If that authentication succeeds, the related information of the WLAN terminal is cleared from the authentication failure list (for example, the second authentication request may be one whose authentication key was modified, in which case the first authentication request saved in the list needs to be cleared). That is, the authentication failure list in this embodiment is dynamically updated and always stores the authentication request the WLAN terminal sent when its most recent authentication failed.
  • In this embodiment the authentication management apparatus may also count the number of times the WLAN terminal continuously sends the invalid authentication request, and directly intervene in the WLAN terminal's authentication based on the count, thereby preventing the WLAN terminal from continuously and repeatedly sending invalid authentication requests; the specific process includes:
  • determining whether the number of times the WLAN terminal has continuously sent the invalid authentication request is greater than a set count threshold N1, and if so, sending a management command to the WLAN terminal. For example, it is determined whether the WLAN terminal has continuously sent 10 invalid authentication requests. Here there is no time limit, that is, no requirement on how many requests are reached per unit time (for example, 1 second); as long as the number of consecutive transmissions is greater than the set threshold, the condition is met. The only difference from the above-mentioned way of managing by frequency is the conversion between a count and a frequency.
  • The specific values of the frequency threshold and/or the count threshold may be selected according to the processing capability of the specific WLAN terminal.
  • If, after the management command has been sent to the WLAN terminal N consecutive times (N being an integer greater than or equal to 1), the WLAN terminal ignores it and continues to send the invalid authentication request, the association with the WLAN terminal is directly disconnected, so as to completely prevent the WLAN terminal from repeatedly sending invalid authentication request messages.
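The following is an added example, not code from the patent or from the applicant: an access-device-side handler that implements the two determination manners of Embodiment 1 (Manner 1 keeps the last authentication result per terminal; Manner 2 keeps an authentication failure list holding the last failed request) and suppresses the feedback to the WLAN management device for a continuously sent invalid request. The request format (`AuthRequest` with a terminal identifier and offered key), the `AuthManager` class, the `configured_key` field standing in for the key that the management device rotates, the constant-time key comparison standing in for the four-way handshake, and the `simulate` scenario are all assumptions made for this example.

```python
"""Added example (not the patent's code): suppress repeated-failure reports
to the WLAN management device, using Manner 1 or Manner 2 of Embodiment 1."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthRequest:
    terminal_id: str   # assumed: the terminal's MAC address
    key: bytes         # assumed: the pre-shared key offered by the terminal NIC


@dataclass
class AuthManager:
    configured_key: bytes           # assumed: the PSK currently pushed by the management device
    manner: int = 2                 # 1 = last-result check, 2 = authentication failure list
    reports: List[Tuple[str, str]] = field(default_factory=list)         # messages sent to mgmt device
    last_result: Dict[str, bool] = field(default_factory=dict)           # Manner 1 state
    failure_list: Dict[str, AuthRequest] = field(default_factory=dict)   # Manner 2 state

    def _authenticate(self, req: AuthRequest) -> bool:
        # Stand-in for key agreement / four-way handshake; constant-time compare
        # so the check itself does not leak the configured key byte by byte.
        return hmac.compare_digest(req.key, self.configured_key)

    def handle(self, req: AuthRequest) -> str:
        """Process one authentication request and return what happened:
        'success' or 'first_failure' (both fed back to the management device),
        or 'suppressed' (continuously sent invalid request; nothing fed back)."""
        if self.manner == 2 and self.failure_list.get(req.terminal_id) == req:
            # Manner 2: identical to the request that failed last time.
            return "suppressed"

        if self._authenticate(req):
            self.failure_list.pop(req.terminal_id, None)   # Manner 2: list is updated dynamically
            self.last_result[req.terminal_id] = True
            self.reports.append((req.terminal_id, "association_success"))
            return "success"

        previously_failed = self.last_result.get(req.terminal_id) is False
        self.last_result[req.terminal_id] = False
        self.failure_list[req.terminal_id] = req               # Manner 2: remember the failed request
        if self.manner == 1 and previously_failed:
            # Manner 1: this failure follows a failure -> continuously sent invalid request.
            return "suppressed"
        self.reports.append((req.terminal_id, "association_failure"))
        return "first_failure"


def simulate(manner: int) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed scenario: the management device has rotated the PSK; one
    terminal retries three times with the remembered old key, then once with a
    second wrong key, then with the new key.  Returns (outcomes, reports)."""
    mgr = AuthManager(configured_key=b"new-psk", manner=manner)
    stale = AuthRequest("aa:bb:cc:dd:ee:01", b"old-psk")
    wrong = AuthRequest("aa:bb:cc:dd:ee:01", b"typo-psk")
    good = AuthRequest("aa:bb:cc:dd:ee:01", b"new-psk")
    outcomes = [mgr.handle(r) for r in (stale, stale, stale, wrong, good)]
    return outcomes, mgr.reports


if __name__ == "__main__":
    for m in (1, 2):
        outcomes, reports = simulate(m)
        print(f"manner {m}: {outcomes} -> {len(reports)} messages to management device")
```

Without suppression the scenario would produce five messages to the management device (four failures and one success). The two manners differ on the fourth request: Manner 1 treats any failure that follows a failure as continuous, so the second wrong key is also suppressed (two messages in total), while Manner 2 only suppresses a request identical to the one that last failed, so the new wrong key is authenticated normally and its failure is reported once (three messages in total).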
  • Embodiment 2:
  • This embodiment provides an authentication management apparatus, which may be the WLAN access device in the system shown in FIG. 1, or an additional third-party device independent of the WLAN access device in the system shown in FIG. 1, as long as the device can implement the following management process.
  • the authentication management apparatus includes: a communication module 301, an information receiving module 302, a determining module 303, and a processing module 304;
  • the communication module 301 is configured to: establish an association with the WLAN terminal;
  • the information receiving module 302 is configured to: receive an authentication request sent by the WLAN terminal for establishing a WLAN connection; the authentication request includes an authentication key, and may further include identification information of the WLAN terminal;
  • the determining module 303 is configured to: determine whether the authentication request received by the information receiving module is an invalid authentication request continuously sent by the WLAN terminal, and send the determination result to the processing module;
  • the processing module 304 is configured to: when the determination result is yes, not feed back the processing result of the authentication request to the WLAN management device; when the determination result is no, feed back the processing result of the authentication request to the WLAN management device normally. For example, when the authentication management device is the WLAN access device, the processing module 304 notifies the device's internal information sending module not to feed back the processing result of the authentication request to the WLAN management device; if the authentication management device is an independent third-party device, the processing module 304 may send the WLAN access device a notification that the processing result is not to be fed back to the WLAN management device, so as to control the WLAN access device not to feed back the processing result to the WLAN management device.
  • In this way, for the invalid authentication requests continuously and repeatedly sent by the WLAN terminal, the notification of authentication failure is no longer returned to the WLAN management device; only the WLAN terminal's authentication success and the message notification of the first authentication failure are fed back to the WLAN management device, which greatly reduces the amount of message interaction between the WLAN access device and the WLAN management device.
  • The manner in which the determining module 303 determines whether the authentication request received by the information receiving module 302 is an invalid authentication request continuously sent by the WLAN terminal may be chosen according to the specific application scenario.
  • Two specific manners are given below as examples, but it should be understood that the determination is not limited to these two:
  • Manner 1: the determining module 303 includes an authentication submodule and an analysis submodule;
  • the authentication submodule is configured to: authenticate the authentication request and, if the authentication fails, notify the analysis submodule;
  • the analysis sub-module is configured to: determine whether the last authentication of the WLAN terminal also failed, and if yes, determine that the authentication request is an invalid authentication request continuously sent by the WLAN terminal;
  • Manner 2: the determining module 303 includes a matching sub-module configured to: match the authentication request against the invalid authentication requests in the authentication failure list and, if the match succeeds, determine that the authentication request is an invalid authentication request continuously sent by the WLAN terminal;
  • the authentication failure list here stores the authentication request that the WLAN terminal sent when its most recent authentication failed. For example, when a WLAN terminal sends its first authentication request: if the authentication succeeds, the request is not recorded in the authentication failure list; if the authentication fails, the request is recorded in the authentication failure list;
  • for the second authentication request sent by the WLAN terminal, it is determined whether this request is already stored in the authentication failure list (generally, the WLAN terminal information and the authentication key included in the request are the same). If yes, the second request is the same as the request that failed last time, and it is determined that the WLAN terminal is continuously sending an invalid authentication request; if not, normal authentication processing is performed on the request, and if that authentication succeeds the related information of the WLAN terminal is cleared from the authentication failure list.
  • The second authentication request may be one whose authentication key was modified; in this case the first authentication request saved in the list needs to be cleared and replaced by the second. That is, the authentication failure list in this embodiment is dynamically updated and mainly stores the authentication request that the WLAN terminal sent when its most recent authentication failed.
  • the authentication management apparatus in this embodiment may further include a statistics module and a message management module;
  • the statistics module is configured to: count the number of times the WLAN terminal continuously sends invalid authentication requests;
  • the message management module is configured to: when it is determined that the frequency at which the WLAN terminal continuously sends the invalid authentication request is greater than the set frequency threshold, send to the WLAN terminal a management instruction notifying the WLAN terminal to stop sending the authentication request. After receiving the management command, the WLAN terminal knows that the authentication has failed and that it should not repeatedly send the same authentication request.
  • Alternatively, the message management module may directly determine whether the number of times the WLAN terminal has continuously sent the invalid authentication request is greater than a set count threshold N1, and if so, send the management command to the WLAN terminal. For example, it is determined whether the WLAN terminal has continuously sent 10 invalid authentication requests. In this case the time is not limited, that is, there is no requirement on how many requests the WLAN terminal sends per unit time (for example, 1 second); it is sufficient that the number of consecutive transmissions is greater than the set threshold. The only difference from the above-mentioned way of managing by frequency is the conversion between a count and a frequency.
  • The authentication management apparatus in this embodiment may further include a connection management module configured to: after the message management module has sent N consecutive management commands to the WLAN terminal and still receives the invalid authentication request continuously sent by the WLAN terminal, notify the communication module to disconnect the association with the WLAN terminal.
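The following is an added example, not code from the patent or from the applicant, showing how the statistics module, the message management module and the connection management module of Embodiment 2 fit together per terminal: a run of continuously sent invalid requests is counted, a stop instruction is sent once the count exceeds N1 or the rate within a one-second window exceeds the frequency threshold, and after N ignored instructions the association is dropped. The threshold values, the `InterventionPolicy` and `InterventionManager` names, the action strings, the sliding one-second window as the frequency measure, and the two scenario functions are assumptions made for this example; the input flag is the output of the determining module (True for a continuously sent invalid request).

```python
"""Added example (not the patent's code): count/frequency thresholds, stop
instruction, and disconnect after N ignored instructions, per WLAN terminal."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass
class InterventionPolicy:
    count_threshold: int = 10     # N1: consecutive invalid requests tolerated before a stop command
    freq_threshold: float = 5.0   # invalid requests per second tolerated (1 s window, assumed)
    max_commands: int = 3         # N: stop commands sent before disconnecting (N >= 1)


@dataclass
class TerminalState:
    consecutive_invalid: int = 0
    timestamps: Deque[float] = field(default_factory=deque)  # arrival times inside the window
    commands_sent: int = 0
    disconnected: bool = False


class InterventionManager:
    def __init__(self, policy: InterventionPolicy) -> None:
        self.policy = policy
        self.state: Dict[str, TerminalState] = {}

    def observe(self, terminal_id: str, t: float, invalid: bool) -> str:
        """Record one determination result for a terminal at time t (seconds).
        Returns the action taken: 'none', 'stop_command' (management instruction
        sent to the terminal) or 'disconnect' (association dropped)."""
        st = self.state.setdefault(terminal_id, TerminalState())
        if st.disconnected:
            return "disconnect"          # already disassociated; nothing further is sent

        if not invalid:
            # Statistics module: a success or a first failure ends the run.
            st.consecutive_invalid = 0
            st.timestamps.clear()
            st.commands_sent = 0
            return "none"

        st.consecutive_invalid += 1
        st.timestamps.append(t)
        while st.timestamps and t - st.timestamps[0] > 1.0:
            st.timestamps.popleft()      # keep only the last second for the frequency rule

        too_many = st.consecutive_invalid > self.policy.count_threshold
        too_fast = len(st.timestamps) > self.policy.freq_threshold
        if not (too_many or too_fast):
            return "none"

        # Connection management: N stop commands were ignored -> disconnect.
        if st.commands_sent >= self.policy.max_commands:
            st.disconnected = True
            return "disconnect"
        # Message management: tell the terminal to stop resending the request.
        st.commands_sent += 1
        return "stop_command"


def scenario_slow_retry() -> List[str]:
    """Constructed: a terminal with a stale key retries every 2 s, 15 times.
    The frequency rule never fires; the count rule fires on the 11th request."""
    mgr = InterventionManager(InterventionPolicy(count_threshold=10, freq_threshold=5.0, max_commands=3))
    return [mgr.observe("aa:bb:cc:dd:ee:01", 2.0 * i, True) for i in range(15)]


def scenario_burst() -> List[str]:
    """Constructed: a terminal resending 10 times per second. The frequency rule
    fires as soon as more than 5 requests fall within one second, long before N1."""
    mgr = InterventionManager(InterventionPolicy(count_threshold=10, freq_threshold=5.0, max_commands=2))
    return [mgr.observe("aa:bb:cc:dd:ee:02", 0.1 * i, True) for i in range(10)]


if __name__ == "__main__":
    print("slow retry:", scenario_slow_retry())
    print("burst:     ", scenario_burst())
```

The two rules are complementary: the count rule catches a terminal that keeps re-sending a remembered key at a low rate, while the frequency rule catches a burst quickly. Both state counters are reset by any non-invalid outcome, so a terminal that obtains the new key and authenticates successfully is never disconnected for its earlier failures.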
• Embodiment 3:
• this embodiment provides a communication system comprising a WLAN management device, a WLAN access device and a WLAN terminal, connected in communication in that order; as shown in FIG. 4, the WLAN access device includes a memory 401 and a processor 402. The memory 401 is configured to store at least one program instruction, and the processor 402 is configured to invoke that program instruction to execute the authentication management process of Embodiment 1, which includes at least the following steps:
• this embodiment is described taking the case where the authentication management apparatus is the WLAN access device as an example.
• the specific implementation of the foregoing steps has been described in Embodiment 1 and is not repeated here.
• below, a complete application scenario is described using one of the two determination modes given in the foregoing embodiment.
• the interaction between the WLAN management device and the WLAN access device mainly uses the CAPWAP protocol, which is in common use today and is also the protocol generally adopted by carrier-grade centralised WLAN controllers; its standardisation has been largely unified under the impetus of the major operators, giving interoperability between devices from different vendors;
• the interaction between the WLAN access device and its internal authentication sub-module is as follows: the authentication sub-module may run as a separate process; the terminal's authentication/encryption result is delivered to the WLAN access device by an ioctl command, and the WLAN access device passes the WLAN terminal's authentication request to the authentication sub-module as a netlink message;
• the WLAN access device and the WLAN terminal's network card communicate normally in full compliance with the 802.11 protocol.
• the management process is as follows:
• Step 501: After obtaining the information of a nearby WLAN access device, the WLAN terminal interacts with it to complete association.
• Step 502: After association with the WLAN access device is established, the WLAN terminal sends an authentication request to the WLAN access device.
• Step 503: The WLAN access device receives the authentication request.
• Step 504: The authentication sub-module of the WLAN access device processes the authentication request using mechanisms such as key agreement and the four-way handshake, and sends the authentication result to the WLAN access device.
• Step 505: The WLAN access device also reports the authentication result to the WLAN terminal in a message.
• Step 506: The WLAN access device determines whether the authentication succeeded; if so, go to step 507, otherwise go to step 508. There is no strict ordering between steps 505 and 506: they may run at the same time or one after the other.
• Step 507: The WLAN access device establishes the connection with the WLAN terminal, and also sends a terminal-associated-successfully message to the WLAN management device using the private protocol between the WLAN access device and the WLAN management device.
• Step 508: Determine whether the WLAN terminal's previous authentication also failed, i.e. whether this authentication request is an invalid request that the WLAN terminal is sending repeatedly; if so, go to step 509, otherwise go to step 510.
• Step 509: The authentication-failure message for this request is not fed back to the WLAN management device again.
• Step 510: The processing result of the authentication request is fed back to the WLAN management device as normal.
• the solution of this embodiment identifies the repeated invalid authentication requests that a WLAN terminal sends continuously and stops the processing result of each such request from being passed up to the WLAN management device every time, relieving the message-exchange pressure between the WLAN access device and the WLAN management device and avoiding congestion at the WLAN management device.
• the authentication management method, apparatus, WLAN access device and communication system of the present technical solution, on receiving an authentication request for establishing a WLAN connection from a WLAN terminal, determine whether the request is an invalid authentication request sent continuously by that terminal and, if so, do not feed back the processing result to the WLAN management device. That is, for the invalid authentication requests that a WLAN terminal sends continuously and repeatedly, the WLAN access device no longer feeds back authentication-failure notifications to the WLAN management device; it feeds back only the WLAN terminal's authentication success and the notification of the first authentication failure.
  • the present invention has strong industrial applicability.
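The following Python simulation is an added example, not code from the patent or from its applicant. It implements steps 501 to 510 above with determination mode 1 of Embodiment 1 (the terminal's previous authentication also failed) and reproduces the scenario of the background section: the management device rotates the PSK and every terminal keeps retrying with its stale key. The SSID, passphrases and MAC addresses are constructed for the example; the MIC-over-a-nonce check standing in for the four-way handshake, and the names AccessDevice, Terminal and simulate, are the example's own assumptions rather than anything the patent specifies.

```python
"""Steps 501 to 510 with determination mode 1, simulated for a
controller-driven PSK change (added example, not the patent's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def derive_key(passphrase: str, ssid: str) -> bytes:
    # PMK derivation as used by WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


@dataclass(frozen=True)
class AuthRequest:
    terminal: str  # terminal MAC address
    nonce: bytes   # challenge issued by the access device
    mic: bytes     # HMAC over the nonce under the terminal's stored key


class Terminal:
    """Terminal network card: remembers its last key and keeps retrying with it."""

    def __init__(self, mac: str, passphrase: str, ssid: str):
        self.mac = mac
        self.key = derive_key(passphrase, ssid)

    def auth_request(self, nonce: bytes) -> AuthRequest:
        return AuthRequest(self.mac, nonce, hmac.new(self.key, nonce, "sha256").digest())


class AccessDevice:
    """WLAN access device; to_controller collects messages sent to the WLAN management device."""

    def __init__(self, ssid: str, passphrase: str, suppress: bool = True):
        self.ssid = ssid
        self.key = derive_key(passphrase, ssid)
        self.suppress = suppress   # False reproduces the related-art behaviour
        self.last_failed = {}      # analysis sub-module: MAC -> did the last authentication fail?
        self.connected = set()
        self.to_controller = []

    def set_passphrase(self, passphrase: str) -> None:
        # Key change pushed down by the WLAN management device.
        self.key = derive_key(passphrase, self.ssid)

    def challenge(self) -> bytes:
        return os.urandom(32)

    def authenticate(self, req: AuthRequest) -> bool:
        # Authentication sub-module (step 504): MIC check standing in for the four-way handshake.
        expected = hmac.new(self.key, req.nonce, "sha256").digest()
        return hmac.compare_digest(expected, req.mic)

    def handle(self, req: AuthRequest) -> str:
        if self.authenticate(req):                                # step 506 -> 507
            self.connected.add(req.terminal)
            self.last_failed[req.terminal] = False
            self.to_controller.append(("assoc_ok", req.terminal))
            return "success"
        self.connected.discard(req.terminal)
        repeated = self.last_failed.get(req.terminal, False)      # step 508
        self.last_failed[req.terminal] = True
        if repeated and self.suppress:                            # step 509
            return "suppressed"
        self.to_controller.append(("assoc_fail", req.terminal))   # step 510
        return "reported"


def simulate(n_terminals: int, retries: int, suppress: bool) -> tuple:
    """Terminals join with the old PSK, the controller rotates it, and every terminal
    retries `retries` times with the stale key. Returns (failure reports, all reports)."""
    ap = AccessDevice("corp-wlan", "old-passphrase", suppress)
    terminals = [Terminal(f"02:00:00:00:00:{i:02x}", "old-passphrase", "corp-wlan")
                 for i in range(n_terminals)]
    for t in terminals:
        ap.handle(t.auth_request(ap.challenge()))
    ap.set_passphrase("new-passphrase")
    for _ in range(retries):
        for t in terminals:
            ap.handle(t.auth_request(ap.challenge()))
    failures = sum(1 for kind, _ in ap.to_controller if kind == "assoc_fail")
    return failures, len(ap.to_controller)


if __name__ == "__main__":
    print("related art:", simulate(50, 20, suppress=False))
    print("suppressed: ", simulate(50, 20, suppress=True))
```

With 50 terminals each retrying 20 times, the related-art behaviour sends 1000 failure reports to the management device and the suppressed behaviour sends 50, one per terminal. Two points a deployment should keep in mind: the last_failed table is keyed by the terminal's MAC address, which is not authenticated, so it must be bounded or tied to the association state, or a stream of spoofed addresses will grow it without limit; and the management device now sees only the first failure per terminal, so any monitoring that counted failures at the controller (a guessing attempt against the PSK, for instance) must read the access device's local counters instead.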

Abstract

An authentication management method and apparatus, a computer program and a corresponding carrier. The method comprises: receiving an authentication request sent by a WLAN terminal for establishing a WLAN connection; and determining whether the authentication request is an invalid authentication request sent continuously by the WLAN terminal and, when it is, not feeding back the processing result of the authentication request to the WLAN management device. The technical solution addresses the problem in related WLAN communication systems that congestion easily arises between a WLAN access device and a WLAN management device because the WLAN access device feeds back the authentication result of every authentication request to the WLAN management device.

Description

Authentication management method, device, WLAN access device, and communication system
Technical field
The present invention relates to the field of authentication management technologies, and in particular to an authentication management method, apparatus, WLAN access device and communication system.
Background
A wireless local area network (WLAN) interconnects computer devices by wireless communication technology to form a network in which they can communicate with each other and share resources. With users' growing demand for high-speed wireless Internet access, and with WLAN terminals such as laptops and mobile phones increasingly supporting high-speed WLAN, WLAN technology is used ever more widely and is no longer confined to private settings such as home wireless access: in public areas such as airports, libraries, exhibition halls, cafes and conference halls, WLAN channels can be found and joined easily for fast Internet access. Earlier WLAN deployments generally used the "fat" mode, in which each WLAN access device keeps its own configuration in a default local database, i.e. "manages itself", and the access devices are independent of one another, so an access device can only be configured or modified through its own web page, telnet and the like. Given today's large-scale demand for WLAN access devices, this mode has a significant drawback: the access devices in the network cannot be controlled centrally, only individually, so large-scale deployment is difficult, network maintenance is expensive, and carrier-grade network maintenance becomes almost impossible.
Hence the "thin" mode emerged. In thin mode an individual WLAN access device is responsible only for data transmission, terminal access management, and encryption and authentication, and the remaining configuration management is handed to a WLAN management device, as shown in FIG. 1. In other words, in the move from fat mode to thin mode the WLAN access device does less, the WLAN management device takes over part of the management work, the access device can concentrate on the basic work of sending and receiving data, and carrier-grade large-scale deployment and maintenance become possible. In addition, since data between a WLAN access device and a terminal network card is sent and received over the air interface using the 802.11 protocol, data encryption is necessary for security. The encryption modes commonly used in WLANs include SHARE-KEY, WPA-PSK, WPA2-PSK, WPA/WPA2-PSK, WPA-EAP, WPA2-EAP, WPA/WPA2-EAP, WAPI-PSK, WAPI-CERT, WEP-EAP and so on. To implement any of these, the WLAN access device needs an encryption/authentication module that carries out the encryption process and notifies the WLAN access device of the encryption/authentication result; the access device processes the result and informs the terminal network card, so that the card learns the outcome in time, and if authentication succeeded the terminal network card goes on to send an association request to the WLAN access device. Taking the typical WPA/WPA2-PSK mode as an example, the problem that arises on a live network after the WLAN management device changes the negotiated key across the board is described below:
First, the interaction currently in general use between a WLAN terminal, a WLAN access device and a WLAN management device comprises the following steps:
1. After a WLAN terminal (for example a pad, laptop or mobile phone) obtains the information of a nearby WLAN access device, it sends an association request to the WLAN access device;
2. The WLAN access device receives the association request and establishes an association with the terminal;
3. The WLAN terminal sends an encryption/authentication request to the WLAN access device;
4. The WiFi encryption/authentication management module of the WLAN access device processes the request using authentication mechanisms such as key agreement and the four-way handshake, then sends the terminal's authentication result to the WLAN access device;
5. The WLAN access device further informs the WLAN terminal of the authentication result in a message, so that the terminal can reselect its access mode if needed;
6. If the encryption/authentication management module authenticated the WLAN terminal successfully, the WLAN terminal establishes a connection with the WLAN access device on receiving the authentication-success message;
7. After the WLAN terminal and the WLAN access device have established the connection, the WLAN access device also sends a terminal-associated-successfully message to the WLAN management device through the private protocol between the WLAN access device and the WLAN management device;
8. If the encryption/authentication management module failed to authenticate the WLAN terminal, the WLAN access device sends an association-failure message to the WLAN management device, sends a message informing the WLAN terminal that authentication failed, clears the terminal's information, and waits for the terminal's next authentication request.
In the above process, in a large-scale deployment the WLAN management device continually receives terminal association success/failure messages. If at this point the WLAN management device changes the key of the WLAN access devices across the board, the WLAN terminals are forced offline because their key is now wrong, and their authentication fails. A typical WLAN terminal network card remembers the last key by default and, after a key authentication failure, keeps sending authentication messages to the WLAN access device with that stale key. So if the WLAN management device manages a large number of WLAN access devices, each serving a large number of terminal network cards, the repeated re-authentication of the terminal network cards ends in the WLAN management device receiving a flood of terminal authentication-failure messages at the same moment. This easily congests the communication link between the WLAN access devices and the WLAN management device, crashing the devices' messaging mechanism or breaking communication between the WLAN management device and the WLAN access devices, and ultimately the WLAN management device loses its ability to manage the network.
Summary of the invention
The main technical problem addressed by the present invention is to provide an authentication management method, apparatus, WLAN access device and communication system that solve the problem, in related WLAN communication systems, that a WLAN access device feeding back the authentication result of every authentication request to the WLAN management device easily causes congestion between the WLAN access device and the WLAN management device.
To solve the above technical problem, the following technical solutions are adopted:
An authentication management method, comprising:
receiving an authentication request sent by a WLAN terminal for establishing a WLAN connection;
determining whether the authentication request is an invalid authentication request sent continuously by the WLAN terminal and, when it is, not feeding back the processing result of the authentication request to the WLAN management device.
Optionally, the step of determining whether the authentication request is an invalid authentication request sent continuously by the WLAN terminal comprises:
performing authentication according to the authentication request and, if authentication fails, further determining whether the WLAN terminal's previous authentication also failed; if so, judging the authentication request to be an invalid authentication request sent continuously by the WLAN terminal;
or
matching the authentication request against the invalid authentication requests in an authentication failure list and, if the match succeeds, judging the authentication request to be an invalid authentication request sent continuously by the WLAN terminal; the authentication failure list stores, for each WLAN terminal, the authentication request it sent when its most recent authentication failed.
Optionally, the method further comprises:
counting the number of times the WLAN terminal has sent invalid authentication requests in succession;
when the number of consecutive invalid authentication requests from the WLAN terminal exceeds a set count threshold, and/or the frequency at which the WLAN terminal sends them exceeds a set frequency threshold, sending the WLAN terminal a management instruction telling it to stop sending authentication requests.
Optionally, before the step of receiving the authentication request from the WLAN terminal, the method further comprises establishing an association with the WLAN terminal;
after the management instruction has been sent to the WLAN terminal N times in succession, if invalid authentication requests are still received from the WLAN terminal, the association with the WLAN terminal is dropped;
where N is greater than or equal to 1.
An authentication management apparatus, comprising an information receiving module, a determining module and a processing module, wherein:
the information receiving module is configured to receive an authentication request sent by a WLAN terminal for establishing a WLAN connection;
the determining module is configured to determine whether the authentication request is an invalid authentication request sent continuously by the WLAN terminal and, if so, send the determination result to the processing module;
the processing module is configured, on receiving the determination result, not to feed back the processing result of the authentication request to the WLAN management device.
Optionally, the determining module comprises an authentication sub-module and an analysis sub-module, wherein:
the authentication sub-module is configured to authenticate the authentication request and, if authentication fails, notify the analysis sub-module;
the analysis sub-module is configured to determine whether the WLAN terminal's previous authentication also failed and, if so, judge the authentication request to be an invalid authentication request sent continuously by the WLAN terminal;
or
the determining module comprises a matching sub-module configured to match the authentication request against the invalid authentication requests in an authentication failure list and, if the match succeeds, judge the authentication request to be an invalid authentication request sent continuously by the WLAN terminal; the authentication failure list stores, for each WLAN terminal, the authentication request it sent when its most recent authentication failed.
Optionally, the apparatus further comprises a statistics module and a message management module, wherein:
the statistics module is configured to count the number of times the WLAN terminal has sent invalid authentication requests in succession;
the message management module is configured, when it determines that the number of consecutive invalid authentication requests from the WLAN terminal exceeds a set count threshold and/or the frequency at which they are sent exceeds a set frequency threshold, to send the WLAN terminal a management instruction telling it to stop sending authentication requests.
Optionally, the apparatus further comprises a communication module and a connection management module, wherein:
the communication module is configured to establish an association with the WLAN terminal before the information receiving module receives the authentication request;
the connection management module is configured, when invalid authentication requests are still received from the WLAN terminal after the message management module has sent the management instruction to it N times in succession, to notify the communication module to drop the association with the WLAN terminal, where N is greater than or equal to 1.
A WLAN access device, comprising a memory and a processor;
the memory is configured to store at least one program instruction;
the processor is configured to invoke the program instruction to execute the authentication management method described above.
A communication system, comprising a WLAN management device, a WLAN terminal and the WLAN access device described above; the WLAN terminal, the WLAN access device and the WLAN management device are connected in communication in that order.
A computer program comprising program instructions which, when executed by an authentication management apparatus, enable the apparatus to perform the authentication management method described above.
A carrier carrying the above computer program.
The beneficial effects of the technical solution of the present invention are:
The authentication management method, apparatus, WLAN access device and communication system of the present technical solution, on receiving an authentication request for establishing a WLAN connection from a WLAN terminal, determine whether the request is an invalid authentication request sent continuously by that terminal and, if so, do not feed back the processing result to the WLAN management device. That is, for the invalid authentication requests that a WLAN terminal sends continuously and repeatedly, the WLAN access device no longer feeds back authentication-failure notifications to the WLAN management device; it feeds back only the WLAN terminal's authentication success and the notification of the first authentication failure. The volume of messages exchanged between the WLAN access device and the WLAN management device is therefore greatly reduced, and the various abnormalities caused by message congestion between the two are avoided; this is especially useful in the scenario where the key of the WLAN access devices is changed across the board by the WLAN management device.
Brief description of the drawings
FIG. 1 is a schematic diagram of a WLAN communication system deployed in "thin" management mode;
FIG. 2 is a schematic diagram of the authentication management method provided in Embodiment 1 of the present invention;
FIG. 3 is a schematic diagram of the authentication management apparatus provided in Embodiment 2 of the present invention;
FIG. 4 is a schematic structural diagram of the WLAN access device provided in Embodiment 3 of the present invention;
FIG. 5 is a schematic diagram of the authentication management method provided in Embodiment 3 of the present invention.
Preferred embodiments of the invention
The present invention is described in further detail below through specific embodiments with reference to the drawings.
Embodiment 1:
Referring to FIG. 2, the authentication management method provided in this embodiment applies to a WLAN communication system deployed in thin management mode; it comprises the following steps:
Step 201: The authentication management apparatus establishes an association with a WLAN terminal (a laptop, pad, smartphone or other terminal supporting WLAN). The authentication management apparatus of this embodiment may itself be the WLAN access device shown in FIG. 1, or it may be implemented on a third-party device independent of the WLAN access device. When it is the WLAN access device it associates with the WLAN terminal directly; otherwise it associates with the WLAN terminal indirectly through the WLAN access device, i.e. the authentication management apparatus associates with the WLAN access device and the WLAN access device associates with the WLAN terminal. In current practice it is generally the WLAN terminal that initiates the request;
Step 202: The authentication management apparatus receives the authentication request sent by the WLAN terminal for establishing the WLAN connection; the request contains the authentication key and may also contain identification information of the WLAN terminal;
Step 203: The authentication management apparatus determines whether the authentication request is an invalid authentication request sent continuously by this WLAN terminal; if so, go to step 204, otherwise go to step 205. A continuously sent invalid authentication request here means a request that cannot pass authentication and whose predecessor from the same WLAN terminal also could not pass authentication;
Step 204: The authentication management apparatus does not feed back the processing result of the authentication request to the WLAN management device. When the apparatus of this embodiment is implemented in the WLAN access device, the access device itself does not feed back the result; when it is implemented on a third-party device independent of the WLAN access device, it sends the WLAN access device a notification not to feed back the result, so as to control the access device not to feed the result back to the WLAN management device;
Step 205: The authentication management apparatus feeds back the processing result of the authentication request (success or failure) to the WLAN management device as normal. When the apparatus is implemented in the WLAN access device, the access device itself feeds back the result; when it is implemented on a third-party device independent of the WLAN access device, it sends the WLAN access device a notification to feed the result back as normal, and the access device feeds the success or failure result back to the WLAN management device according to that notification.
It can be seen that in this embodiment, for the invalid authentication requests that a WLAN terminal sends continuously and repeatedly, the WLAN access device no longer feeds back authentication-failure notifications to the WLAN management device; it feeds back only the WLAN terminal's authentication success and the notification of the first authentication failure. This greatly reduces the volume of messages exchanged between the WLAN access device and the WLAN management device and avoids the various abnormalities caused by message congestion between them, including the WLAN management device losing its management capability because of message congestion.
应当理解的是,上述步骤203中判断认证请求是否是WLAN终端连续发送的无效认证请求的方式可以根据具体应用场景选择确认。为了更好的理解本发明,下面以两种具体判断方式进行示例性的说明。但应当理解的是并不仅局限于以下两种方式:It should be understood that, in the foregoing step 203, the manner of determining whether the authentication request is an invalid authentication request continuously sent by the WLAN terminal may be selected according to a specific application scenario. In order to better understand the present invention, the following is exemplified in two specific manners. But it should be understood that it is not limited to the following two ways:
方式一:根据接收到的认证请求进行认证处理,如认证失败,则判断该WLAN终端上一次的认证是否也失败,如是,则判定该认证请求为该WLAN终端连续发送的无效认证请求;Manner 1: The authentication process is performed according to the received authentication request. If the authentication fails, it is determined whether the last authentication of the WLAN terminal also fails. If yes, the authentication request is determined to be an invalid authentication request continuously sent by the WLAN terminal.
方式二:维护一份认证失败列表,该认证失败列表中存储有WLAN终端最近一次认证为认证失败时发送的认证请求;将接收到的认证请求与认证失败列表中的无效认证请求进行匹配,如匹配成功,则判定该认证请求为WLAN终端连续发送的无效认证请求;Manner 2: Maintaining an authentication failure list. The authentication failure list stores an authentication request sent by the WLAN terminal when the authentication is the last time the authentication fails. The authentication request received is matched with the invalid authentication request in the authentication failure list. If the matching is successful, determining that the authentication request is an invalid authentication request continuously sent by the WLAN terminal;
例如,针对一个WLAN终端,其第一次发送认证请求时,如认证成功,则不在该认证失败列表中记录该认证请求,如认证失败,则在该认证失败列表中记录该认证请求;然后接收到该WLAN终端发送的第二次认证请求时,判断该第二次发送的认证请求在该认证失败列表中是否有存储(一般需分析认证请求中包含的WLAN终端信息以及认证密钥是否相同),如有,则表明该第二次发送的认证请求与上一次发送的认证失败的认证请求相同,判定为 WLAN终端连续发送的无效认证请求;如没有,则对该认证请求进行正常的认证处理,如认证成功,则在认证失败列表中清除有关该WLAN终端的相关消息(例如第二次发送的认证请求可能是修改了认证密钥的请求,此时就需要清除认证列表中保存的第一次发送的认证请求;也即本实施例中的认证失败列表是动态更新的,其主要保存WLAN终端最近一次认证为认证失败时发送的认证请求)。For example, for a WLAN terminal, when the authentication request is sent for the first time, if the authentication is successful, the authentication request is not recorded in the authentication failure list. If the authentication fails, the authentication request is recorded in the authentication failure list; When the second authentication request sent by the WLAN terminal is sent, it is determined whether the second-time authentication request is stored in the authentication failure list (generally, the WLAN terminal information included in the authentication request and the authentication key are the same) If yes, it indicates that the authentication request sent the second time is the same as the authentication request that failed the last authentication. The invalid authentication request sent by the WLAN terminal continuously; if not, the normal authentication process is performed on the authentication request. If the authentication is successful, the related information about the WLAN terminal is cleared in the authentication failure list (for example, the second authentication request is sent). The request for the authentication key may be modified. In this case, the first authentication request sent in the authentication list needs to be cleared; that is, the authentication failure list in this embodiment is dynamically updated, and the WLAN terminal is saved last time. Authentication is an authentication request sent when authentication fails).
In this embodiment, to further facilitate management of WLAN terminals, the authentication management apparatus may also count the number of times a WLAN terminal consecutively sends invalid authentication requests and, based on the count, directly intervene in the WLAN terminal's authentication, so that the WLAN terminal does not keep continuously resending invalid authentication requests. The specific process includes:
counting the number of times the WLAN terminal consecutively sends invalid authentication requests;
determining whether the frequency at which the WLAN terminal consecutively sends invalid authentication requests exceeds a set frequency threshold (for example, 10 times per second), and if so, sending the WLAN terminal a management instruction notifying it to stop sending authentication requests. After receiving this management instruction, the WLAN terminal knows that authentication has failed and is told not to keep resending the same authentication request.
Of course, in this embodiment it is also possible to directly determine whether the number of times the WLAN terminal has consecutively sent invalid authentication requests exceeds a set count threshold N1, and if so, to send the management instruction to that WLAN terminal. For example, it may be determined whether the WLAN terminal has sent 10 invalid authentication requests in a row; here no time window is involved, i.e. it does not matter how many times per unit of time (for example, 1 second) the requests arrive, only whether the number of consecutive transmissions exceeds the set threshold. The only difference from the frequency-based management described above is the conversion between a count and a frequency.
In this embodiment, the specific values of the frequency threshold and/or the count threshold may be chosen according to the processing capability of the specific WLAN terminal.
In practice it may happen that, although the management instruction has been sent to the WLAN terminal N consecutive times (N being an integer greater than or equal to 1), the WLAN terminal ignores it and keeps consecutively sending invalid authentication requests. In that case the association with the WLAN terminal may be dropped directly, completely stopping the WLAN terminal from repeatedly sending invalid authentication request messages.
Embodiment 2:
This embodiment provides an authentication management apparatus, which may be the WLAN access device in the system shown in FIG. 1, or another third-party device added to the system shown in FIG. 1 and independent of the WLAN access device, provided it can implement the following management process. Specifically, as shown in FIG. 3, the authentication management apparatus includes a communication module 301, an information receiving module 302, a determining module 303 and a processing module 304;
The communication module 301 is configured to establish an association with the WLAN terminal;
The information receiving module 302 is configured to receive an authentication request sent by the WLAN terminal for establishing a WLAN connection; the authentication request contains an authentication key and may further contain identification information of the WLAN terminal;
The determining module 303 is configured to determine whether the authentication request received by the information receiving module is an invalid authentication request sent continuously by the WLAN terminal, and to send the determination result to the processing module;
The processing module 304 is configured to: when the determination result is yes, not feed back the processing result of the authentication request to the WLAN management device; when the determination result is no, feed back the processing result of the authentication request to the WLAN management device normally. For example, when the authentication management apparatus of this embodiment is implemented by the WLAN access device, the processing module 304 notifies its own internal information sending module not to feed back the processing result of the authentication request to the WLAN management device; if the authentication management apparatus is implemented by a third-party device independent of the WLAN access device, the processing module 304 may send the WLAN access device a notification not to feed back the processing result to the WLAN management device, so as to control the WLAN access device not to feed back the processing result to the WLAN management device.
It can be seen that with the management apparatus provided by this embodiment, for invalid authentication requests sent continuously and repeatedly by a WLAN terminal, authentication-failure notifications are no longer fed back to the WLAN management device; only notifications of successful authentication of the WLAN terminal and of the first authentication failure are fed back to the WLAN management device, which can greatly reduce the volume of messages exchanged between the WLAN access device and the WLAN management device.
In this embodiment, the manner in which the determining module 303 determines whether the authentication request received by the information receiving module 302 is an invalid authentication request sent continuously by the WLAN terminal may be chosen according to the specific application scenario. For a better understanding of the present invention, two specific determination manners are described below by way of example. It should be understood, however, that the determination is not limited to the following two manners:
Manner 1: The determining module 303 includes an authentication submodule and an analysis submodule;
The authentication submodule authenticates the authentication request and, if authentication fails, notifies the analysis submodule;
The analysis submodule is configured to determine whether the previous authentication of the WLAN terminal also failed, and if so, to determine that the authentication request is an invalid authentication request sent continuously by the WLAN terminal;
Manner 2: The determining module 303 includes a matching submodule configured to match the authentication request against the invalid authentication requests in an authentication failure list and, if the match succeeds, to determine that the authentication request is an invalid authentication request sent continuously by the WLAN terminal. The authentication failure list here stores the authentication request sent by a WLAN terminal when its most recent authentication failed. For example, for a WLAN terminal sending its first authentication request: if authentication succeeds, the request is not recorded in the authentication failure list; if authentication fails, the request is recorded in the list. When the second authentication request from that WLAN terminal is then received, it is determined whether this second request is already stored in the authentication failure list (generally by analysing whether the WLAN terminal information and the authentication key contained in the request are the same). If it is, this indicates that the second request is identical to the previously sent request that failed authentication, and it is determined to be an invalid authentication request sent continuously by the WLAN terminal; if it is not, normal authentication processing is performed on the request, and if authentication succeeds, the information relating to this WLAN terminal is cleared from the authentication failure list (for example, the second request may be a request with a modified authentication key, in which case the first request saved in the failure list needs to be cleared; that is, the authentication failure list of this embodiment is dynamically updated and mainly stores the authentication request sent by a WLAN terminal when its most recent authentication failed).
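The two determination manners described in Embodiment 1 (step 203) and again in the determining module 303 of Embodiment 2 can be shown side by side in working code. The following is an added example and not the patent's own code: Manner 1 remembers whether a terminal's previous authentication failed, Manner 2 keeps a dynamically updated failure list keyed by terminal information and key, and a small access-device model suppresses the failure feedback to the WLAN management device whenever either manner flags a repeated invalid request. The names `AuthRequest`, `LastResultTracker`, `FailureList`, `AccessDevice`, the `authenticate` stand-in and the request sequence are all constructed for the example.

```python
"""Added example (not the patent's own code): Manner 1 and Manner 2 for
spotting an invalid authentication request that a WLAN terminal keeps
resending, and the resulting suppression of repeated failure feedback to
the WLAN management device. All names and the sample sequence are
illustrative assumptions, not identifiers from the patent."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthRequest:
    terminal: str   # identification information of the WLAN terminal (e.g. a MAC address)
    key: str        # authentication key carried in the request


def authenticate(req: AuthRequest, expected_keys: Dict[str, str]) -> bool:
    """Stand-in for the authentication submodule. Constructed for the example:
    a real access device runs key negotiation / the four-way handshake here."""
    return expected_keys.get(req.terminal) == req.key


class LastResultTracker:
    """Manner 1: per terminal, remember whether the previous authentication
    failed. A failure that follows a failure is a repeated invalid request."""

    def __init__(self) -> None:
        self._last_failed: Dict[str, bool] = {}

    def is_repeated_invalid(self, req: AuthRequest, ok: bool) -> bool:
        repeated = (not ok) and self._last_failed.get(req.terminal, False)
        self._last_failed[req.terminal] = not ok
        return repeated


class FailureList:
    """Manner 2: per terminal, keep the request that failed most recently.
    A new request equal to the stored one (same terminal info, same key) is a
    repeated invalid request and is not authenticated again; a success clears
    the entry, so the list is dynamically updated as the patent describes."""

    def __init__(self) -> None:
        self._failed: Dict[str, AuthRequest] = {}

    def matches(self, req: AuthRequest) -> bool:
        return self._failed.get(req.terminal) == req

    def record(self, req: AuthRequest, ok: bool) -> None:
        if ok:
            self._failed.pop(req.terminal, None)
        else:
            self._failed[req.terminal] = req


class AccessDevice:
    """Model of the WLAN access device deciding, per request, what to report
    to the WLAN management device. `manner` is 1 or 2 as in the description."""

    def __init__(self, expected_keys: Dict[str, str], manner: int) -> None:
        self.expected_keys = expected_keys
        self.manner = manner
        self.tracker = LastResultTracker()
        self.failure_list = FailureList()
        self.feedback: List[Tuple[str, str]] = []   # messages actually sent upstream

    def handle(self, req: AuthRequest) -> str:
        if self.manner == 2 and self.failure_list.matches(req):
            return "suppressed"                  # repeated invalid request, no feedback
        ok = authenticate(req, self.expected_keys)
        if self.manner == 1:
            repeated = self.tracker.is_repeated_invalid(req, ok)
        else:
            repeated = False                     # Manner 2 already decided above
            self.failure_list.record(req, ok)
        if repeated:
            return "suppressed"
        result = "success" if ok else "failure"
        self.feedback.append((req.terminal, result))   # normal feedback (step 205)
        return result


def run_scenario(manner: int) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed scenario: terminal aa:aa retries a stale key four times,
    terminal bb:bb succeeds at once, then aa:aa succeeds with the new key and
    later sends one more stale request (a *first* failure again)."""
    expected = {"aa:aa": "new-key", "bb:bb": "key-b"}
    ap = AccessDevice(expected, manner)
    seq = [AuthRequest("aa:aa", "old-key")] * 4 + [
        AuthRequest("bb:bb", "key-b"),
        AuthRequest("aa:aa", "new-key"),
        AuthRequest("aa:aa", "old-key"),
    ]
    return [ap.handle(r) for r in seq], ap.feedback


if __name__ == "__main__":
    for m in (1, 2):
        actions, fb = run_scenario(m)
        print(f"manner {m}: {actions}; {len(fb)} messages sent to the management device")
```

Both manners send the management device four messages for seven requests: the first failure, the two successes and the later fresh failure; the three retries in the middle are suppressed. Note that the failure list as described holds the request together with its key; an implementation would normally store only a digest of the key so that a terminal's credential material does not sit in plaintext in a long-lived table on the access device.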
In this embodiment, to further facilitate management of WLAN terminals, the number of times a WLAN terminal consecutively sends invalid authentication requests may also be counted and, based on the count, the apparatus may directly intervene in the WLAN terminal's authentication, so that the WLAN terminal does not keep continuously resending invalid authentication requests. The authentication management apparatus of this embodiment may therefore further include a statistics module and a message management module;
The statistics module is configured to count the number of times the WLAN terminal consecutively sends invalid authentication requests;
The message management module is configured to: when it determines that the frequency at which the WLAN terminal consecutively sends invalid authentication requests exceeds a set frequency threshold, send the WLAN terminal a management instruction notifying it to stop sending authentication requests. After receiving this management instruction, the WLAN terminal knows that authentication has failed and is told not to keep resending the same authentication request.
Of course, in this embodiment the message management module may also directly determine whether the number of times the WLAN terminal has consecutively sent invalid authentication requests exceeds a set count threshold N1, and if so, send the management instruction to that WLAN terminal. For example, it may be determined whether the WLAN terminal has sent 10 invalid authentication requests in a row; here no time window need be involved, i.e. it need not matter how many times per unit of time (for example, 1 second) the requests must arrive, only whether the number of consecutive transmissions exceeds the set threshold. The only difference from the frequency-based management described above is the conversion between a count and a frequency.
In practice it may happen that, although the message management module has sent the management instruction to the WLAN terminal N consecutive times (N being an integer greater than or equal to 1), the WLAN terminal ignores it and keeps consecutively sending invalid authentication requests. In that case the association with the WLAN terminal may be dropped directly, completely stopping the WLAN terminal from repeatedly sending invalid authentication request messages. The authentication management apparatus of this embodiment may therefore further include a connection management module, configured to: when invalid authentication requests sent continuously by the WLAN terminal are still received after the message management module has sent the management instruction to the WLAN terminal N consecutive times, notify the communication module to drop the association with the WLAN terminal.
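The counting, message management and connection management behaviour described for Embodiment 1 and for the statistics, message management and connection management modules of Embodiment 2 can be put together in one small state machine. The following is an added example and not the patent's own code: it keeps a per-terminal run length of consecutive invalid requests and a sliding one-second window of their timestamps, sends the "stop" management instruction when either the count threshold N1 or the frequency threshold (10 per second in the description) is exceeded, and drops the association once N instructions have been sent and invalid requests still arrive. The names `InvalidRequestMonitor`, `TerminalState`, `simulate` and the two timelines are constructed for the example; the thresholds are the ones the text uses.

```python
"""Added example (not the patent's own code): statistics module, message
management module and connection management module as one per-terminal
state machine. Names and sample timelines are illustrative assumptions."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass
class TerminalState:
    consecutive_invalid: int = 0                               # run length of invalid requests
    recent_times: Deque[float] = field(default_factory=deque)  # timestamps inside the window
    instructions_sent: int = 0                                 # management instructions sent
    disconnected: bool = False


class InvalidRequestMonitor:
    def __init__(self, count_threshold: int = 10, freq_threshold: float = 10.0,
                 window: float = 1.0, max_instructions: int = 3) -> None:
        self.n1 = count_threshold        # N1: consecutive invalid requests, no time bound
        self.freq = freq_threshold       # invalid requests per window (e.g. 10 per second)
        self.window = window             # seconds
        self.n = max_instructions        # N: instructions ignored before disconnecting
        self.state: Dict[str, TerminalState] = {}

    def _frequency(self, st: TerminalState, now: float) -> float:
        # drop timestamps that have fallen out of the sliding window
        while st.recent_times and now - st.recent_times[0] > self.window:
            st.recent_times.popleft()
        return len(st.recent_times) / self.window

    def observe(self, terminal: str, invalid: bool, now: float) -> str:
        """Feed one authentication outcome for `terminal` at time `now`.
        Returns the action taken: 'none', 'instruct' (management instruction
        sent), 'disconnect' (association dropped) or 'ignored' (already
        disconnected)."""
        st = self.state.setdefault(terminal, TerminalState())
        if st.disconnected:
            return "ignored"
        if not invalid:
            self.state[terminal] = TerminalState()   # a valid request ends the run
            return "none"
        st.consecutive_invalid += 1
        st.recent_times.append(now)
        # connection management: N instructions already sent, terminal still at it
        if st.instructions_sent >= self.n:
            st.disconnected = True
            return "disconnect"
        # message management: count threshold N1 and/or frequency threshold
        over_count = st.consecutive_invalid > self.n1
        over_freq = self._frequency(st, now) > self.freq
        if over_count or over_freq:
            st.instructions_sent += 1
            return "instruct"
        return "none"


def simulate(monitor: InvalidRequestMonitor, requests: int, interval: float,
             terminal: str = "aa:aa") -> List[str]:
    """Constructed timeline: one terminal sends `requests` invalid requests
    `interval` seconds apart and ignores every management instruction."""
    return [monitor.observe(terminal, True, now=i * interval) for i in range(requests)]


def fast_sender() -> List[str]:
    """20 requests per second: the frequency threshold (10/s) trips first,
    the count threshold is set high enough not to matter."""
    return simulate(InvalidRequestMonitor(count_threshold=100, freq_threshold=10.0,
                                          window=1.0, max_instructions=3), 15, 0.05)


def slow_sender() -> List[str]:
    """2 requests per second: never exceeds 10/s, so only the count
    threshold N1 = 10 can trip; no disconnect within 13 requests."""
    return simulate(InvalidRequestMonitor(count_threshold=10, freq_threshold=10.0,
                                          window=1.0, max_instructions=3), 13, 0.5)


if __name__ == "__main__":
    print("fast:", fast_sender())
    print("slow:", slow_sender())
```

For the fast sender the eleventh request pushes the window count past 10 per second, so instructions go out on requests 11 to 13 and the fourteenth request triggers the disconnect; the slow sender is caught by the count path alone, which, as the text notes, has no time bound. Two practical points the patent leaves to the implementer: the per-terminal table is keyed by a value the terminal chooses, so it needs an upper bound and eviction to stay small, and a valid request should reset the whole run (done here) so that a terminal recovering from a key change is not disconnected for stale history.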
Embodiment 3:
This embodiment provides a communication system including a WLAN management device, a WLAN access device and a WLAN terminal, connected in communication in that order. As shown in FIG. 4, the WLAN access device includes a memory 401 and a processor 402; the memory 401 is configured to store at least one program instruction, and the processor 402 is configured to invoke the program instruction to perform the authentication management process of Embodiment 1 above, which includes at least the following steps:
establishing an association with the WLAN terminal;
receiving an authentication request sent by the WLAN terminal for establishing a WLAN connection;
determining whether the authentication request is an invalid authentication request sent continuously by the WLAN terminal, and if so, not feeding back the processing result of the authentication request to the WLAN management device.
That is, this embodiment is described taking the case where the authentication management apparatus is the WLAN access device as an example. The specific implementation of the above steps has already been explained in Embodiment 1 and is not repeated here. Below, this embodiment takes a complete, specific application scenario as an example, using Manner 1 of the two determination manners provided in the above embodiments. Here:
First, the interaction between the WLAN management device and the WLAN access device mainly uses the currently common interaction method, the CAPWAP protocol, which is also the protocol generally adopted today by carrier-grade centralized WLAN control devices; its standardization, driven by the major operators, has been essentially unified, achieving interoperability between equipment from different vendors;
Second, the interaction between the WLAN access device and its internal authentication submodule is as follows: the authentication submodule may run as a separate process and deliver the terminal's authentication/encryption result to the WLAN access device by means of ioctl commands, while the WLAN access device forwards the WLAN terminal's authentication request to the authentication submodule by sending netlink messages;
Third, the WLAN access device and the WLAN terminal's network interface card communicate normally, fully in accordance with the 802.11 protocol.
Referring to FIG. 5, the management process includes:
Step 501: After obtaining information about a nearby WLAN access device, the WLAN terminal completes the normal association message exchange with the WLAN access device and establishes an association;
Step 502: After the WLAN terminal has established an association with the WLAN access device, the WLAN access device will receive an authentication request sent by the WLAN terminal;
Step 503: The WLAN access device receives the authentication request;
Step 504: The authentication submodule of the WLAN access device authenticates the authentication request by mechanisms such as key negotiation and the four-way handshake, and sends the authentication result to the WLAN access device;
Step 505: The WLAN access device further informs the WLAN terminal of the authentication result in the form of a message;
Step 506: The WLAN access device determines whether the authentication result is success; if so, go to step 507; otherwise, go to step 508. It should be understood that there is no strict ordering between step 505 and step 506; they may be performed simultaneously or one after the other;
Step 507: The WLAN access device successfully establishes a connection with the WLAN terminal; the WLAN access device also sends a message that the terminal has been successfully associated to the WLAN management device via the private protocol between the WLAN access device and the WLAN management device;
Step 508: Determine whether the previous authentication of this WLAN terminal also failed, i.e. whether this authentication request is an invalid authentication request repeatedly sent by the WLAN terminal; if so, go to step 509; otherwise, go to step 510;
Step 509: Repeated feedback of the authentication-failure message for this authentication request to the WLAN management device is suppressed.
Step 510: The processing result of the authentication request is fed back to the WLAN management device normally.
It can be seen that the solution provided by the embodiments of the present invention can identify repeated, invalid authentication requests sent continuously by a WLAN terminal and stop the processing results of such authentication request messages from being passed further to the upper layer for processing, reducing the message exchange pressure between the WLAN access device and the WLAN management device and avoiding a collapse of the message exchange mechanism between the WLAN access device and the WLAN management device in the case of large-scale key negotiation errors.
The above is a further detailed description of the present invention with reference to specific embodiments, and the specific implementation of the present invention should not be considered limited to these descriptions. For a person of ordinary skill in the art to which the present invention belongs, several simple deductions or substitutions may also be made without departing from the concept of the present invention, and all of these should be regarded as falling within the protection scope of the present invention.
Industrial applicability
The authentication management method, apparatus, WLAN access device and communication system provided by the technical solution of the present invention, after receiving an authentication request sent by a WLAN terminal for establishing a WLAN connection, determine whether the authentication request is an invalid authentication request sent continuously by this WLAN terminal, and if so, do not feed back the processing result of the authentication request to the WLAN management device. That is, in the embodiments of the present invention, for invalid authentication requests sent continuously and repeatedly by a WLAN terminal, the WLAN access device need no longer feed back authentication-failure notifications to the WLAN management device, and feeds back only notifications of successful authentication of the WLAN terminal and of the first authentication failure. The volume of messages exchanged between the WLAN access device and the WLAN management device can therefore be greatly reduced, avoiding the various abnormalities caused by message congestion between the two, which is particularly suitable for the scenario in which the keys of WLAN access devices are uniformly modified by the WLAN management device. The present invention therefore has strong industrial applicability.

Claims (12)

  1. An authentication management method, comprising:
    receiving an authentication request sent by a WLAN terminal for establishing a WLAN connection;
    determining whether the authentication request is an invalid authentication request sent continuously by the WLAN terminal, and when the authentication request is an invalid authentication request sent continuously by the WLAN terminal, not feeding back the processing result of the authentication request to a WLAN management device.
  2. The authentication management method according to claim 1, wherein the step of determining whether the authentication request is an invalid authentication request sent continuously by the WLAN terminal comprises:
    performing authentication processing according to the authentication request and, if authentication fails, further determining whether the previous authentication of the WLAN terminal also failed, and if so, determining that the authentication request is an invalid authentication request sent continuously by the WLAN terminal;
    or
    matching the authentication request against invalid authentication requests in an authentication failure list and, if the match succeeds, determining that the authentication request is an invalid authentication request sent continuously by the WLAN terminal, wherein the authentication failure list stores the authentication request sent by a WLAN terminal when its most recent authentication failed.
  3. The authentication management method according to claim 1 or 2, further comprising:
    counting the number of times the WLAN terminal consecutively sends invalid authentication requests;
    when the number of times the WLAN terminal consecutively sends invalid authentication requests exceeds a set count threshold, and/or the frequency at which the WLAN terminal consecutively sends invalid authentication requests exceeds a set frequency threshold, sending the WLAN terminal a management instruction notifying the WLAN terminal to stop sending authentication requests.
  4. The authentication management method according to claim 3, wherein:
    before the step of receiving the authentication request sent by the WLAN terminal, the method further comprises establishing an association with the WLAN terminal;
    after the management instruction has been sent to the WLAN terminal N consecutive times, if an invalid authentication request sent by the WLAN terminal is still received, the association with the WLAN terminal is dropped;
    wherein N is greater than or equal to 1.
  5. An authentication management apparatus, comprising an information receiving module, a determining module and a processing module, wherein:
    the information receiving module is configured to receive an authentication request sent by a WLAN terminal for establishing a WLAN connection;
    the determining module is configured to determine whether the authentication request is an invalid authentication request sent continuously by the WLAN terminal, and if so, send the determination result to the processing module;
    the processing module is configured to, after receiving the determination result, not feed back the processing result of the authentication request to a WLAN management device.
  6. The authentication management apparatus according to claim 5, wherein:
    the determining module comprises an authentication submodule and an analysis submodule, wherein:
    the authentication submodule is configured to authenticate the authentication request and, if authentication fails, notify the analysis submodule;
    the analysis submodule is configured to determine whether the previous authentication of the WLAN terminal also failed, and if so, determine that the authentication request is an invalid authentication request sent continuously by the WLAN terminal;
    or
    所述判断模块包括匹配子模块,所述匹配子模块设置成:将所述认证请求与认证失败列表中的无效认证请求进行匹配,如匹配成功,则判定该认证请求为所述WLAN终端连续发送的无效认证请求,其中,所述认证失败列表中存储有WLAN终端最近一次认证为认证失败时发送的认证请求。The determining module includes a matching sub-module, and the matching sub-module is configured to: match the authentication request with an invalid authentication request in the authentication failure list, and if the matching is successful, determine that the authentication request is continuously sent by the WLAN terminal. An invalid authentication request, wherein the authentication failure list stores an authentication request sent when the WLAN terminal is most recently authenticated as an authentication failure.
  7. 如权利要求5或6所述的认证管理装置,该装置还包括统计模块和报文管理模块,其中;The authentication management device according to claim 5 or 6, further comprising a statistics module and a message management module, wherein
    所述统计模块设置成:统计所述WLAN终端连续发送无效认证请求的次数;The statistic module is configured to: count the number of times the WLAN terminal continuously sends an invalid authentication request;
    所述报文管理模块设置成:在判断所述WLAN终端连续发送无效认证请求的次数大于设定的次数门限值,和/或连续发送无效认证请求的频率大于设定的频率门限值时,向所述WLAN终端发送用于通知WLAN终端停止发送 认证请求的管理指令。The message management module is configured to: when it is determined that the WLAN terminal continuously sends the invalid authentication request for more than the set number of times, and/or when the frequency of continuously transmitting the invalid authentication request is greater than the set frequency threshold Sending to the WLAN terminal, for notifying the WLAN terminal to stop sending Management instructions for authentication requests.
  8. 如权利要求7所述的认证管理装置,该装置还包括通信模块和连接管理模块,其中;The authentication management apparatus according to claim 7, further comprising a communication module and a connection management module, wherein
    所述通信模块设置成:在所述信息接收模块接收所述认证请求之前,与所述WLAN终端建立关联;The communication module is configured to: establish an association with the WLAN terminal before the information receiving module receives the authentication request;
    所述连接管理模块设置成:在所述报文管理模块向所述WLAN终端连续发送N次所述管理指令后,仍收到所述WLAN终端发送的无效认证请求时,通知所述通信模块断开与所述WLAN终端的关联,其中,所述N大于等于1。The connection management module is configured to notify the communication module to be disconnected when the message management module continuously sends the management command to the WLAN terminal N times, and still receives the invalid authentication request sent by the WLAN terminal. Opening an association with the WLAN terminal, wherein the N is greater than or equal to 1.
  9. 一种WLAN接入设备,包括存储器和处理器;A WLAN access device includes a memory and a processor;
    所述存储器设置成:存储至少一个程序指令;The memory is configured to: store at least one program instruction;
    所述处理器设置成:调用所述程序指令执行权利要求1-4中任一项所述的认证管理方法。The processor is configured to invoke the program instruction to perform the authentication management method of any one of claims 1-4.
  10. 一种通信系统,其中,包括WLAN管理设备、WLAN终端以及如权利要求9所述的WLAN接入设备;所述WLAN终端、WLAN接入设备以及WLAN管理设备依次通信连接。A communication system, comprising: a WLAN management device, a WLAN terminal, and the WLAN access device according to claim 9; the WLAN terminal, the WLAN access device, and the WLAN management device are in communication connection in sequence.
  11. 一种计算机程序,包括程序指令,当该程序指令被认证管理装置执行时,使得该认证管理装置可执行权利要求1-4中任一项所述的认证管理方法。A computer program comprising program instructions that, when executed by an authentication management device, cause the authentication management device to perform the authentication management method of any one of claims 1-4.
  12. 一种载有权利要求11所述计算机程序的载体。 A carrier carrying the computer program of claim 11.
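As an added example (not the patent's or the applicant's own code), the decision logic of claims 6 to 8 modelled on the access-point side in Python: a terminal whose previous authentication also failed has its repeated requests counted and rate-checked, a stop instruction is issued once either threshold is exceeded, and the association is dropped once N instructions have been ignored. The class, method and parameter names (AuthGuard, max_invalid, max_per_window, max_notices standing in for the claim's N), the action strings and the sample credentials are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class TerminalState:
    last_auth_failed: bool = False            # claim 6: did the previous authentication fail?
    consecutive_invalid: int = 0              # claim 7: statistics module counter
    invalid_times: deque = field(default_factory=deque)  # timestamps for the frequency check
    stop_notices_sent: int = 0                # claim 8: management instructions already sent


class AuthGuard:
    """Access-point side of the claimed scheme (assumed class and parameter names)."""

    def __init__(self, max_invalid=3, max_per_window=5, window_s=1.0, max_notices=2):
        self.max_invalid = max_invalid          # count threshold (claim 7)
        self.max_per_window = max_per_window    # frequency threshold: invalid requests per window
        self.window_s = window_s
        self.max_notices = max_notices          # the claim's N (claim 8)
        self.states = {}                        # per-terminal state, keyed by MAC address

    def on_auth_request(self, mac, credential, now, authenticate):
        """Return the action the AP takes: accept, reject, stop or disassociate."""
        st = self.states.setdefault(mac, TerminalState())
        if authenticate(credential):
            self.states.pop(mac)                # success clears the terminal's failure history
            return "accept"
        if not st.last_auth_failed:
            st.last_auth_failed = True          # first failure is not yet "continuous"
            return "reject"
        # The previous authentication also failed: this is a continuously sent invalid request.
        st.consecutive_invalid += 1
        st.invalid_times.append(now)
        while st.invalid_times and now - st.invalid_times[0] > self.window_s:
            st.invalid_times.popleft()          # keep only requests inside the frequency window
        over_count = st.consecutive_invalid > self.max_invalid
        over_rate = len(st.invalid_times) > self.max_per_window
        if not (over_count or over_rate):
            return "reject"
        if st.stop_notices_sent >= self.max_notices:
            self.states.pop(mac)                # N instructions ignored: drop the association
            return "disassociate"
        st.stop_notices_sent += 1               # management instruction: stop sending requests
        return "stop"


def run_sequence(guard, mac, events, authenticate):
    """events: iterable of (timestamp, credential); returns the list of AP actions."""
    return [guard.on_auth_request(mac, cred, t, authenticate) for t, cred in events]
```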
PCT/CN2014/090238 2014-06-25 2014-11-04 Authentication management method and apparatus, wlan access device and communication system WO2015196687A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410291052.9 2014-06-25
CN201410291052.9A CN105208556A (en) 2014-06-25 2014-06-25 Authentication management method, device, WLAN access apparatus and communication system

Publications (1)

Publication Number Publication Date
WO2015196687A1 true WO2015196687A1 (en) 2015-12-30

Family

ID=54936628

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113434830A (en) * 2020-03-23 2021-09-24 杭州海康威视数字技术股份有限公司 Authority control method and system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105848149B (en) * 2016-05-13 2020-03-20 上海斐讯数据通信技术有限公司 Security authentication method for wireless local area network
CN111010371A (en) * 2019-11-15 2020-04-14 广东电力信息科技有限公司 Method for realizing stable terminal access based on ipv6 automatic configuration

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141259A (en) * 2007-10-22 2008-03-12 杭州华三通信技术有限公司 Method and device of access point equipment for preventing error access
CN101645817A (en) * 2008-08-05 2010-02-10 中兴通讯股份有限公司 Wireless network access system and method thereof for preventing illegal user from malicious access
CN102299803A (en) * 2011-09-09 2011-12-28 北京星网锐捷网络技术有限公司 Security authentication method, device, authentication equipment and authentication server
WO2014039276A1 (en) * 2012-09-07 2014-03-13 Qualcomm Incorporated Systems, apparatus, and methods for association in multi-hop networks

Also Published As

Publication number Publication date
CN105208556A (en) 2015-12-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14895526; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14895526; Country of ref document: EP; Kind code of ref document: A1)