CN101453409B - Information Broadcasting Method, Device and System Supporting Hybrid Access of Terminals - Google Patents

Info

Publication number
CN101453409B
Authority
CN
China
Prior art keywords
security
terminal
access
different
access point
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2007101789908A
Other languages
Chinese (zh)
Other versions
CN101453409A (en
Inventor
邵春菊
周文辉
曹军
叶续茂
黄振海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd
Priority to CN2007101789908A
Publication of CN101453409A
Application granted
Publication of CN101453409B
Legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an information broadcasting method, device and system supporting the hybrid access of terminals. The method comprises: configuring, in a network access point entity, different secure access mechanisms corresponding to the different security capabilities of terminals, together with security mechanism identifiers corresponding to those secure access mechanisms; and, when the network access point entity transmits broadcast messages to the terminals, transmitting different broadcast messages according to the different secure access mechanisms, wherein the different broadcast messages carry the security mechanism identifiers corresponding to the different secure access mechanisms. The method, the device and the system support the hybrid access of terminals with different security capabilities through one network access point, thereby reducing network investment and operation and maintenance costs.

Description

Information Broadcasting Method, Device and System Supporting Hybrid Access of Terminals

Technical field

The present invention relates to the field of wireless communication, and in particular to an information broadcasting method supporting hybrid access of terminals, and to a corresponding device and system.

Background art

In a WLAN (Wireless Local Area Network), terminals with different security capabilities all need to access the network. Terminals with different security capabilities use different security mechanisms when accessing the network. For example, a terminal that supports a security authentication mechanism must be admitted using the corresponding security mechanism, while a terminal that does not support a security authentication mechanism must be admitted using an open mechanism. Usually, access control for terminals is implemented by the access point (AP) entity, and the identity of the AP is indicated by the SSID (Service Set Identifier), which is the service number used when a wireless device connects to the WLAN network.

At present, the technical solution used to let terminals with different security capabilities access the WLAN network together is to set up multiple APs, with different APs enabling different secure access mechanisms; each AP performs access control and processing for terminals that support one particular secure access mechanism. When the network side pages terminals supporting different security capabilities, the AP corresponding to a terminal's security capability sends a broadcast message carrying the SSID of that AP. After receiving the broadcast message, the terminal uses the security capability it supports to initiate an access request to the corresponding AP according to the SSID in the broadcast message. After receiving the terminal's request, that AP processes the access request using the secure access mechanism it supports.

This prior-art approach uses different SSIDs to provide multiple secure access mechanisms and different APs to support mixed access of terminals with different security capabilities. Its disadvantage is that if an area contains both secure users and open users, at least two APs must be set up, one enabling a security authentication mechanism for secure users and the other enabling the open mechanism for open users, so that terminals with different security capabilities can access the network at the same time. Setting up multiple APs in this way increases network investment and operation and maintenance costs.

Summary of the invention

The embodiments of the present invention disclose an information broadcasting method supporting hybrid access of terminals, and a corresponding device and system, so that terminals with different security capabilities can be given mixed access through a single network access point entity.

The information broadcasting method supporting hybrid access of terminals disclosed in the embodiments of the present invention comprises the following steps:

configuring, on the network access point entity, different virtual network access point entities corresponding to the different security capabilities of terminals, and configuring for each virtual network access point entity a corresponding secure access mechanism and an address identifier, the address identifier being the security mechanism identifier corresponding to that secure access mechanism;

when the network access point entity sends broadcast messages to terminals, sending different broadcast messages according to the different secure access mechanisms, the different broadcast messages carrying the security mechanism identifiers corresponding to the different secure access mechanisms.

The network access point device disclosed in the embodiments of the present invention comprises:

a configuration module, configured to configure, on the network access point device, different virtual network access point entities corresponding to the different security capabilities of terminals, and to configure for each virtual network access point entity a corresponding secure access mechanism and an address identifier, the address identifier being the security mechanism identifier corresponding to that secure access mechanism; and further configured to generate different broadcast messages according to the different security mechanisms, each carrying the security mechanism identifier corresponding to its security mechanism;

a communication interface module, configured to send each of the generated broadcast messages.

The terminal disclosed in the embodiments of the present invention comprises:

a broadcast message receiving module, configured to receive and parse the broadcast message sent by the network access point device, the broadcast message carrying a security mechanism identifier corresponding to the security capability of the terminal;

an access request initiating module, configured to initiate an access request, the access request carrying the security mechanism identifier corresponding to the security capability of the terminal.

The information broadcasting system supporting hybrid access of terminals disclosed in the embodiments of the present invention comprises a network access point device and a terminal, wherein:

the network access point device is configured to configure different virtual network access point entities corresponding to the different security capabilities of terminals, to configure for each virtual network access point entity a corresponding secure access mechanism and an address identifier, the address identifier being the security mechanism identifier corresponding to that secure access mechanism, and to send different broadcast messages according to the different secure access mechanisms, the different broadcast messages carrying the security mechanism identifiers corresponding to the different secure access mechanisms;

the terminal is configured to receive and parse the broadcast messages and to initiate an access request according to a correctly parsed broadcast message, the access request carrying the security mechanism identifier corresponding to the security capability of the terminal.

In the above embodiments of the present invention, multiple security mechanisms and the corresponding security mechanism identifiers are configured on the network access point entity for terminals with various security capabilities. When the network access point entity sends broadcast messages, it can send a broadcast message for each configured secure access mechanism, carrying the corresponding security mechanism identifier. A single network access point entity can thus broadcast to terminals with different security capabilities, and those terminals can then access the network through that one entity, which reduces network investment and operation and maintenance costs.

Description of drawings

FIG. 1 is a schematic diagram of the information broadcast process supporting mixed access of terminals with different security capabilities in an embodiment of the present invention;

FIG. 2 is a schematic diagram of the physical layer implementation of the network access point entity in an embodiment of the present invention;

FIG. 3 is a schematic flow diagram of mixed access of terminals with different security capabilities in an embodiment of the present invention;

FIG. 4 is a schematic diagram of a terminal initiating an access request according to a preset security policy in an embodiment of the present invention;

FIG. 5 is a schematic diagram of classifying users on a network access point entity in an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of a network access point device according to an embodiment of the present invention;

FIG. 7 is the first schematic structural diagram of a terminal according to an embodiment of the present invention;

FIG. 8 is the second schematic structural diagram of a terminal according to an embodiment of the present invention.

Detailed description of the embodiments

In the embodiments of the present invention, secure access mechanisms corresponding to terminals with different security capabilities, and security mechanism identifiers corresponding to those secure access mechanisms, are configured on the network access point entity. When the network access point entity sends broadcast messages to terminals, it sends broadcast messages carrying different security mechanism identifiers according to the different secure access mechanisms. Terminals with different security capabilities can then initiate an access request matching their own security capability according to the broadcast message they received and correctly parsed, so that mixed access of terminals with different security capabilities is achieved through one network access point entity.

The embodiments of the present invention are described in detail below with reference to the accompanying drawings.

In an embodiment of the present invention, one physical network access point entity (AP) is set up for the WLAN network in a given area. The physical AP is uniquely identified by its physical address, that is, its MAC (Media Access Control) address. At least two secure access mechanisms are configured on the physical AP for the security capabilities of terminals, together with security mechanism identifiers corresponding to the configured secure access mechanisms. The security mechanism identifiers are obtained by mapping from the unique identifier of the physical AP. In a specific implementation, a reversible masking technique can be used to derive multiple different BSSIDs (Basic Service Set Identifiers) from the MAC address of the physical AP to serve as security mechanism identifiers. The MAC address of the physical AP can be uniquely recovered from each derived BSSID through the corresponding inverse operation, so each derived BSSID uniquely identifies the physical AP.

A virtual AP is created on the physical AP for each BSSID, with the BSSID used as the address of that virtual AP. Each virtual AP is given a different security policy, including a broadcast message sending policy and an access request processing policy, so that each virtual AP can perform access processing for terminals with a different security capability.

When the network side needs to send broadcast messages to terminals with different security capabilities, the physical AP sends them through the corresponding virtual APs, and the broadcast message sent by each virtual AP carries the BSSID of that virtual AP.

The above implementation process may be as shown in FIG. 1. In FIG. 1, a reversible masking technique is used on a physical AP to derive three addresses (MAC 1, MAC 2 and MAC 3) from the MAC address of the physical AP as security mechanism identifiers. Three virtual APs (VAP1, VAP2 and VAP3) are configured on the physical AP. VAP1 is configured with security policy 1, which implements security mechanism 1 (such as WAPI+SMS4, that is, WAPI (WLAN Authentication and Privacy Infrastructure) certificate authentication with the SMS4 encryption mechanism), and MAC 1 is used as the MAC address of VAP1. VAP2 is configured with security policy 2, which implements security mechanism 2 (such as OPEN, that is, the open mechanism), and MAC 2 is used as the MAC address of VAP1. VAP3 is configured with security policy 3, which implements security mechanism 3 (such as WPA2+AES, that is, WPA2 authentication with the AES encryption mechanism), and MAC 3 is used as the MAC address of VAP1. When the AP sends broadcast messages to terminals with different security capabilities, VAP1, VAP2 and VAP3 each send a broadcast message: the broadcast message sent by VAP1 carries MAC 1 and other information (such as the SSID); the broadcast message sent by VAP2 carries MAC 2 and other information (such as the SSID); the broadcast message sent by VAP3 carries MAC 3 and other information (such as the SSID). In a time division multiplexing system, the AP sends broadcast messages using a time division multiplexing mechanism, that is, different virtual APs send broadcast messages in different time slots. As shown in FIG. 1, the physical AP divides 100 ms into 16 time slots and, according to the mask, allocates time slot 1 to VAP1, time slot 2 to VAP2 and time slot 3 to VAP3. In a frequency division multiplexing system, the AP sends broadcast messages using a frequency division multiplexing mechanism, that is, different virtual APs send broadcast messages simultaneously on different frequencies.

The physical AP sends broadcast information by sending Beacon frames. A Beacon frame normally contains a BSSID field. In the above process, MAC 1, MAC 2 and MAC 3, derived from the MAC address, are used as the BSSID field values of the Beacon frames to identify the physical AP and the corresponding secure access mechanism.

The implementation process shown in FIG. 1 can be realized by modifying the physical layer of the physical AP, as shown in FIG. 2. Normally, the network card driver of a physical AP is divided into two layers: the hardware abstraction layer (the HAL layer) and the 802.11 management layer. The HAL layer is an abstraction of the network card hardware and mainly defines hardware-related parameters; the 802.11 management layer mainly handles the 802.11 protocol.

In an embodiment of the present invention, three addresses are derived from the MAC address of the physical AP as BSSIDs. As shown in FIG. 2, three virtual AP objects (VAP1, VAP2 and VAP3) are defined in the 802.11 management layer. Each virtual AP object has its own MAC address (identified by its BSSID) and its own security policy (including security rules and Beacon frame broadcast rules), and may also include a terminal table used to store information about the terminal users connected to that AP. To the network layer, each virtual AP object is an independent network device with an independent data sending and receiving channel. Because the MAC addresses of the virtual AP objects are derived from the MAC address of the AP, only one MAC address needs to be stored on the network card of the physical AP, which reduces storage space and makes it easy to change the address of the physical network card.

For the architecture shown in FIG. 2, the process of mixed access of terminals with different security capabilities may be as shown in FIG. 3, where terminal 1 supports the WAPI+SMS4 security mechanism, terminal 2 supports the OPEN security mechanism, and terminal 3 supports the WPA2+AES security mechanism. When the network side needs to send broadcast messages to terminals with different security capabilities, VAP1, VAP2 and VAP3 each send their own Beacon frame through the MAC+RF layer according to their respective Beacon frame broadcast rules, in different time slots (in a time division multiplexing system) or on different frequencies (in a frequency division multiplexing system). The Beacon frame sent by VAP1 carries BSSID1 and other information, the Beacon frame sent by VAP2 carries BSSID2 and other information, and the Beacon frame sent by VAP3 carries BSSID3 and other information.

Terminal 1, terminal 2 and terminal 3 can receive and parse Beacon frames according to the conventional procedure and initiate an access request according to a correctly parsed Beacon frame. Normally, terminal 1, terminal 2 and terminal 3 can receive all of the Beacon frames; if a terminal can correctly parse a Beacon frame, it initiates an access request according to its own security capability, carrying the BSSID parsed from that Beacon frame.

The physical AP applies the inverse of the algorithm used to generate the BSSIDs to the BSSID carried in the access request and computes a MAC address. If the computed MAC address matches its own MAC address, it accepts the access request. Since BSSID1, BSSID2 and BSSID3 are all derived from the MAC address of one physical AP, that physical AP can receive access requests carrying any of these BSSIDs. After receiving an access request, the physical AP forwards it, according to the BSSID it carries, to the corresponding virtual AP for processing. In FIG. 3, the access requests of terminal 1, terminal 2 and terminal 3 are sent to VAP1, VAP2 and VAP3 respectively for processing. After each terminal completes security authentication with the corresponding VAP and negotiates an encryption key, the AP writes the key and the terminal's security policy into the storage unit of the AP MAC, associated with the terminal's MAC address. When encrypted data from a terminal passes through the AP, the AP uses the terminal's MAC address in the data header to look up the key and security policy in the AP MAC storage unit, calls the algorithm selected by that security policy (for example the SMS4 or AES algorithm held in the algorithm storage unit) to decrypt the data, and hands the data to the corresponding VAP in the 802.11 management layer for processing. The encryption process when the AP sends data is the same as the decryption process for received data. If the key the AP finds when receiving data is empty, it does not decrypt the data but hands it directly to the VAP in the 802.11 management layer whose security mechanism is OPEN (such as VAP2 in FIG. 3) for processing.
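The derivation, inverse check and dispatch described above can be sketched as follows. This is an added example, not code from the patent: the mask (XOR of the VAP index into the low nibble of the last MAC octet), the class and function names, and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: the patent only requires a reversible mask. Here the VAP index
# (1..15) is XORed into the low nibble of the last octet of the physical MAC.
MAX_INDEX = 0x0F
BEACON_PERIOD_MS = 100   # FIG. 1: 100 ms divided into 16 time slots
SLOTS = 16
CIPHERS = {"WAPI+SMS4": "SMS4", "WPA2+AES": "AES"}  # mechanism -> data cipher


def parse_mac(text):
    octets = bytes(int(part, 16) for part in text.split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    return octets


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def derive_bssid(phys_mac, index):
    """Forward mask: physical MAC -> BSSID of virtual AP number `index`."""
    if index not in range(1, MAX_INDEX + 1):
        raise ValueError("VAP index out of range")
    return phys_mac[:5] + bytes([phys_mac[5] ^ index])


def recover_index(phys_mac, bssid):
    """Inverse mask: VAP index if `bssid` derives from `phys_mac`, else None."""
    if len(bssid) != 6 or bssid[:5] != phys_mac[:5]:
        return None
    index = bssid[5] ^ phys_mac[5]
    return index if index in range(1, MAX_INDEX + 1) else None


@dataclass
class VirtualAP:
    index: int
    mechanism: str   # "WAPI+SMS4", "OPEN" or "WPA2+AES"
    bssid: bytes


class PhysicalAP:
    def __init__(self, mac_text, mechanisms):
        self.mac = parse_mac(mac_text)          # the only address stored
        self.vaps = {i: VirtualAP(i, m, derive_bssid(self.mac, i))
                     for i, m in enumerate(mechanisms, start=1)}
        self.key_table = {}                     # terminal MAC -> (key, VAP index)

    def beacon_schedule(self):
        """(BSSID, mechanism, slot offset in ms) for each VAP, TDM case."""
        slot_ms = BEACON_PERIOD_MS / SLOTS
        return [(format_mac(v.bssid), v.mechanism, (v.index - 1) * slot_ms)
                for v in self.vaps.values()]

    def route_access_request(self, bssid_text):
        """Return the VAP that must process the request, or None to drop it.
        A match only routes the request; admission is decided by the VAP's
        own secure access mechanism."""
        index = recover_index(self.mac, parse_mac(bssid_text))
        return self.vaps.get(index)

    def install_key(self, sta_mac, bssid_text, key):
        """Record the negotiated key after authentication with a VAP."""
        vap = self.route_access_request(bssid_text)
        if vap is None or vap.mechanism not in CIPHERS:
            raise ValueError("no keyed VAP for this BSSID")
        self.key_table[sta_mac] = (key, vap.index)

    def route_data_frame(self, sta_mac):
        """Return (VAP, cipher). With no key on record the frame is not
        decrypted and can only reach the OPEN VAP."""
        entry = self.key_table.get(sta_mac)
        if entry is None:
            open_vap = next((v for v in self.vaps.values()
                             if v.mechanism == "OPEN"), None)
            return open_vap, None
        _key, index = entry
        vap = self.vaps[index]
        return vap, CIPHERS[vap.mechanism]


if __name__ == "__main__":
    # Constructed sample: one physical AP with the three mechanisms of FIG. 1.
    ap = PhysicalAP("00:11:22:33:44:50", ["WAPI+SMS4", "OPEN", "WPA2+AES"])
    for row in ap.beacon_schedule():
        print(row)
    print(ap.route_access_request("00:11:22:33:44:54"))  # unconfigured: None
```
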

After the AP sends the broadcast messages, a terminal can receive and parse them in the existing way and initiate an access request. When the terminal's security capabilities support more than one access mechanism, the terminal can correctly parse several broadcast messages carrying different security mechanism identifiers. For this case, the embodiments of the present invention modify the terminal to make its access more flexible.

In the embodiments of the present invention, for the above case, the terminal can initiate an access request in the following ways:

Mode 1: A security policy is preset on the terminal. This selection policy defines which secure access mechanism is chosen to initiate the access request when the terminal receives several different broadcast messages (Beacon frames carrying different BSSIDs). In the embodiments of the present invention, the security policy can be set in the form of a profile on the terminal side. When the terminal receives several different broadcast messages, it selects the secure access mechanism to use according to the preset security policy and initiates the access request. FIG. 4 shows one way of initiating an access request according to a security policy.

In FIG. 4, after receiving Beacon frames carrying different BSSIDs (Beacon1, Beacon2 and Beacon3), the terminal compares them with the locally preset security policy and, according to the result, selects the corresponding secure access mechanism to initiate an access request. For example, when the security policy preset on the terminal is to initiate an access request based on the first Beacon frame received and correctly parsed, the terminal, after receiving and correctly parsing that first Beacon frame, queries the local security policy to find the secure access mechanism associated with the BSSID in the Beacon frame and uses that mechanism to initiate the access request. When the security policy preset on the terminal is to select according to the priority of the secure access mechanisms, the terminal takes the secure access mechanisms corresponding to the BSSIDs in the Beacon frames it received and correctly parsed, queries the locally preset security policy for the priority of each of them, and selects the one with the highest priority to initiate the access request.

Mode 2: Building on Mode 1, the terminal displays to the user the information on all secure access mechanisms corresponding to the received broadcast messages, the user selects a suitable secure access mechanism, and the terminal initiates the access request using the mechanism the user selected.
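The two profile policies of Mode 1 and the user choice of Mode 2 can be compared side by side in code. This is an added example, not code from the patent; the profile layout, the field names and the assumption that each parsed Beacon frame yields its mechanism name alongside the BSSID are illustrative. With the constructed arrival order below, the first-received policy lands on the OPEN mechanism while the priority policy selects WAPI+SMS4, which is the difference to check when auditing a terminal profile.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    mechanism: str   # assumption: known to the terminal once the frame parses


# Constructed terminal profile: supported mechanisms and their priority,
# highest first. The patent only says the policy is stored as a profile.
PROFILE = {
    "supported": {"WAPI+SMS4", "OPEN"},
    "priority": ["WAPI+SMS4", "WPA2+AES", "OPEN"],
}

# Constructed Beacon frames in order of arrival (one SSID, three BSSIDs).
BEACONS = [
    Beacon("00:11:22:33:44:52", "corp-wlan", "OPEN"),
    Beacon("00:11:22:33:44:53", "corp-wlan", "WPA2+AES"),
    Beacon("00:11:22:33:44:51", "corp-wlan", "WAPI+SMS4"),
]


def parsed_correctly(beacons, profile):
    """Beacons the terminal can act on: its capabilities cover the mechanism."""
    return [b for b in beacons if b.mechanism in profile["supported"]]


def select_first(beacons, profile):
    """Mode 1, 'first received and correctly parsed Beacon frame' policy."""
    usable = parsed_correctly(beacons, profile)
    return usable[0] if usable else None


def select_by_priority(beacons, profile):
    """Mode 1, 'highest-priority secure access mechanism' policy."""
    rank = {mech: pos for pos, mech in enumerate(profile["priority"])}
    usable = [b for b in parsed_correctly(beacons, profile)
              if b.mechanism in rank]
    return min(usable, key=lambda b: rank[b.mechanism]) if usable else None


def select_by_user(beacons, profile, chosen_mechanism):
    """Mode 2: the user picks from the displayed list; a choice that was not
    among the correctly parsed Beacon frames is rejected."""
    for b in parsed_correctly(beacons, profile):
        if b.mechanism == chosen_mechanism:
            return b
    return None


def build_access_request(terminal_mac, beacon):
    """The access request carries the BSSID parsed from the chosen Beacon."""
    return {"terminal": terminal_mac, "bssid": beacon.bssid,
            "mechanism": beacon.mechanism}


if __name__ == "__main__":
    mac = "aa:bb:cc:00:00:01"   # constructed terminal address
    print(build_access_request(mac, select_first(BEACONS, PROFILE)))
    print(build_access_request(mac, select_by_priority(BEACONS, PROFILE)))
```
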

In the embodiments of the present invention, the above architecture for mixed access of terminals with different security capabilities can also be used to classify the users on the AP, so that different types of users enter different VLANs (virtual local area networks), allowing flexible management and control of terminal users. FIG. 5 shows one way of classifying the users on the AP.

In FIG. 5, three VAPs (VAP1, VAP2 and VAP3) are set up on the AP, and three BSSIDs (BSSID1, BSSID2 and BSSID3) identify three virtual local area networks (VLAN1, VLAN2 and VLAN3) respectively, so that three different VLANs are defined, one per BSSID. Data processed by VAP1 is tagged with BSSID1, data processed by VAP2 is tagged with BSSID2, and data processed by VAP3 is tagged with BSSID3, so that terminals connected to VAP1 belong to VLAN1, terminals connected to VAP2 belong to VLAN2, and terminals connected to VAP3 belong to VLAN3. In this implementation the VLANs are identified by BSSID, and the data passing through each VAP is tagged with the corresponding BSSID, so that terminals connected to different VAPs belong to different VLANs. Alternatively, the VLANs can be identified by SSID, with the data passing through each VAP tagged with the corresponding SSID, so that terminals connected to different VAPs again belong to different VLANs.

本发明实施例还提供了一种支持不同安全能力的终端混合接入的网络接入点装置、一种终端以及一种支持不同安全能力的终端混合接入的通信系统。 Embodiments of the present invention also provide a network access point device supporting mixed access of terminals with different security capabilities, a terminal, and a communication system supporting mixed access of terminals with different security capabilities. the

参见图6,为本发明实施例提供的支持终端混合接入的网络接入点装置,该网络接入点装置包括配置模块和通信接口模块,其中, Referring to FIG. 6, it is a network access point device that supports hybrid access of terminals provided by an embodiment of the present invention. The network access point device includes a configuration module and a communication interface module, wherein,

The configuration module is used to configure, on the network access point device, different security access mechanisms corresponding to the different security capabilities of terminals, together with the security mechanism identifiers corresponding to those security access mechanisms. It is also used to generate different broadcast messages according to these different security mechanisms, each carrying the security mechanism identifier of the corresponding security mechanism. The configuration module can be located at the wireless network card driver layer of the network access point device.

The communication interface module is used to send each of the broadcast messages generated by the configuration module, and can also be used to receive access requests initiated by terminals. The communication interface module can be located at the MAC and radio frequency (MAC+RF) layer of the network access point device.

The configuration module of the network access point device includes a configuration sub-module and at least two virtual network access point devices, in which:

The configuration sub-module is used to configure, on the network access point device, different virtual network access point devices corresponding to the different security capabilities of terminals, and to configure a corresponding security access mechanism and address identifier for each virtual network access point device. That is, each virtual access point device has its own address identifier and security policy, where the security policy includes security rules and Beacon frame broadcast rules, and the address identifier is the security mechanism identifier corresponding to the security access mechanism. The security mechanism identifier can be obtained by mapping the unique identifier (such as the MAC address) of the network access point device; specifically, a reversible algorithm is used to derive a BSSID from the MAC address of the network access point device, and this BSSID serves as the security mechanism identifier. Each virtual access point device is used to generate the broadcast message corresponding to its security access mechanism, carrying the security access identifier of that virtual access point device, and to process terminal access requests using the security access mechanism corresponding to that virtual access point device.

The virtual access point device includes a broadcast message processing unit and an access request processing unit, in which:

The broadcast message processing unit is used to generate the broadcast message corresponding to the security access mechanism of the virtual access point device, carrying the security mechanism identifier of that virtual access point device, and to send the broadcast message through the communication interface module. The access request processing unit is used to receive an access request sent by a terminal, in which the security mechanism identifier carried in the request matches the security mechanism identifier of the virtual access point device that sent the broadcast message, and to process the request using the security access mechanism corresponding to that virtual access point device.

The communication interface module is a time division multiplexing module or a frequency division multiplexing module. The time division multiplexing module sends the broadcast messages corresponding to the terminals' security capabilities in different time slots; the frequency division multiplexing module sends the broadcast messages corresponding to the terminals' security capabilities on different frequencies.

When receiving an access request, the communication interface module accepts the request if mapping the security mechanism identifier carried in the terminal's access request yields an identifier that matches its own unique identifier (MAC address), and forwards the request to the virtual access point device corresponding to that security mechanism identifier for processing.

Figures 7 and 8 are schematic diagrams of the terminal structure provided by embodiments of the present invention. The terminal includes a broadcast message receiving module and an access request initiating module, in which:

The broadcast message receiving module is used to receive and parse the broadcast messages sent by the network access point device, each of which carries the security mechanism identifier corresponding to the security capability of the terminal.

The access request initiating module is used to initiate an access request that carries the security mechanism identifier corresponding to the security capability of the terminal. The security mechanism identifier is obtained by mapping the unique identifier of the network access point device; specifically, a reversible algorithm is used to derive the security mechanism identifier from the physical address (MAC address) of the network access point device.

When the security capability of a terminal supports several security access mechanisms, that is, when the terminal can correctly parse broadcast messages carrying different security mechanism identifiers, then after receiving and correctly parsing multiple broadcast messages the terminal can select among the security access mechanisms corresponding to the security mechanism identifiers carried in those broadcast messages and initiate an access request using the selected security access mechanism. Alternatively, it can display the corresponding security access mechanism information for the user to choose from and initiate an access request according to the user's selection.

When the terminal itself selects among the security access mechanisms corresponding to multiple security mechanism identifiers, the terminal may also include a configuration module and a selection module, as shown in Figure 7, in which:

The configuration module is used to configure a security mechanism selection policy. The selection module is used to select, according to the security mechanism selection policy, among the security access mechanisms corresponding to the security mechanism identifiers carried in the multiple broadcast messages that were received and correctly parsed, and to initiate an access request through the access request initiating module using the selected security access mechanism.

When the terminal initiates an access request according to the user's selection, the terminal may also include a display module and a selection module, as shown in Figure 8, in which:

The display module is used to display, for the user to choose from, the security access mechanism information corresponding to the security mechanism identifiers carried in the multiple broadcast messages that were received and correctly parsed. The selection module is used to receive the security access mechanism chosen by the user and to initiate an access request through the access request initiating module using that security access mechanism.

The communication system supporting hybrid access of terminals provided by an embodiment of the present invention includes a network access point device and a terminal. The structure of the network access point device may be as shown in Figure 6, and the structure of the terminal may be as shown in Figure 7 or Figure 8, in which:

The network access point device is used to configure different security access mechanisms corresponding to the different security capabilities of terminals, together with the security mechanism identifiers corresponding to those security access mechanisms, and to send different broadcast messages according to the different security access mechanisms. Each broadcast message carries the security mechanism identifier corresponding to one of the configured security access mechanisms, and the security mechanism identifier is obtained by mapping the unique identifier of the network access point device. The network access point device is also used to accept an access request when mapping the security mechanism identifier carried in the request yields an identifier that matches its own unique identifier, and to process the access request using the security access mechanism corresponding to that security mechanism identifier.

The terminal is used to receive and parse broadcast messages and to initiate an access request based on a correctly parsed broadcast message, the request carrying the security mechanism identifier corresponding to the security capability of the terminal. When the terminal receives and correctly parses multiple broadcast messages carrying different security mechanism identifiers, it selects among the security access mechanisms corresponding to the security mechanism identifiers carried in those broadcast messages and initiates an access request using the selected security access mechanism; alternatively, it displays the security access mechanism information corresponding to those security mechanism identifiers for the user to choose from and initiates an access request according to the user's selection.

In summary, the above embodiments of the present invention configure multiple virtual APs on one physical AP for terminals with different security capabilities, with a different security mechanism and MAC address configured on each virtual AP. Each virtual AP broadcasts its own Beacon frame carrying the MAC address of that virtual AP (identified by the BSSID). A terminal that receives and parses the Beacon frame matching its security capability can initiate an access request based on that Beacon frame, carrying the MAC address of the corresponding virtual AP, so that the corresponding virtual AP obtains the access request and processes it with the corresponding security mechanism. A single physical AP thus provides hybrid access for terminals with multiple security capabilities, which reduces network investment and operation and maintenance costs.
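The flow summarized above, as an added Python sketch that is not part of the patent. The patent only states that the BSSID is derived from the AP's MAC address by a reversible algorithm; the derivation used here (VAP index stored in the two low bits of an aligned MAC), the MAC address, the mechanism names and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: the physical AP owns an aligned block of addresses, so the two
# low bits of its MAC are zero and can carry the VAP index (up to 4 VAPs).
VAP_INDEX_BITS = 2
VAP_INDEX_MASK = (1 << VAP_INDEX_BITS) - 1


def parse_mac(text):
    octets = text.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    value = 0
    for octet in octets:
        byte = int(octet, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"bad octet in {text!r}")
        value = (value << 8) | byte
    return value


def format_mac(value):
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def derive_bssid(ap_mac, vap_index):
    """Forward mapping: physical MAC + VAP index -> BSSID (security mechanism id)."""
    if ap_mac & VAP_INDEX_MASK:
        raise ValueError("AP MAC must have its low index bits clear")
    if not 0 <= vap_index <= VAP_INDEX_MASK:
        raise ValueError("VAP index out of range")
    return ap_mac | vap_index


def recover_ap_mac(bssid):
    """Reverse mapping: BSSID -> (physical MAC, VAP index)."""
    return bssid & ~VAP_INDEX_MASK, bssid & VAP_INDEX_MASK


@dataclass(frozen=True)
class VirtualAP:
    index: int        # position encoded into the BSSID
    mechanism: str    # security access mechanism served by this VAP
    vlan: int         # VLAN that terminals of this VAP are placed in


class AccessPoint:
    def __init__(self, mac_text, vaps):
        self.mac = parse_mac(mac_text)
        self.vaps = {vap.index: vap for vap in vaps}
        for vap in vaps:                      # validates alignment and index range
            derive_bssid(self.mac, vap.index)

    def beacons(self):
        """One broadcast message per VAP, each carrying that VAP's BSSID."""
        return [
            {"bssid": format_mac(derive_bssid(self.mac, vap.index)),
             "mechanism": vap.mechanism}
            for vap in sorted(self.vaps.values(), key=lambda v: v.index)
        ]

    def handle_access_request(self, bssid_text):
        """Accept only if the BSSID maps back to this AP and to a configured VAP."""
        ap_mac, index = recover_ap_mac(parse_mac(bssid_text))
        if ap_mac != self.mac:
            return None                       # addressed to some other AP: drop
        vap = self.vaps.get(index)
        if vap is None:
            return None                       # no VAP (and no policy) for this id
        return {"mechanism": vap.mechanism, "vlan": vap.vlan}


def choose_beacon(beacons, preference):
    """Terminal side: pick the first mechanism in the terminal's policy order."""
    for mechanism in preference:
        for beacon in beacons:
            if beacon["mechanism"] == mechanism:
                return beacon
    return None                               # nothing the terminal supports


# Constructed sample configuration mirroring Figure 5 (VAP1..3 -> VLAN1..3).
DEMO_AP = AccessPoint("00:11:22:33:44:50", [
    VirtualAP(1, "mechanism-A", 1),
    VirtualAP(2, "mechanism-B", 2),
    VirtualAP(3, "mechanism-C", 3),
])

if __name__ == "__main__":
    for beacon in DEMO_AP.beacons():
        print(beacon, "->", DEMO_AP.handle_access_request(beacon["bssid"]))
```

Because the security mechanism is chosen solely by the BSSID the terminal puts in its request, the check that rejects unconfigured indexes is what keeps a request from reaching a VAP whose policy was never defined.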

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (20)

1. An information broadcasting method supporting hybrid access of terminals, characterized by comprising:
configuring, on a network access point entity, different virtual network access point entities corresponding respectively to different security capabilities of terminals, and configuring for each virtual network access point entity a corresponding security access mechanism and address identifier, the address identifier being the security mechanism identifier corresponding to the security access mechanism;
when the network access point entity sends broadcast messages to terminals, sending different broadcast messages according to the different security access mechanisms respectively, the different broadcast messages carrying the security mechanism identifiers corresponding to the different security access mechanisms.
2. The method of claim 1, characterized in that the security mechanism identifier is obtained by mapping the unique identifier of the network access point entity;
the network access point entity accepts an access request initiated by a terminal when mapping the security mechanism identifier carried in the access request yields an identifier that matches its own unique identifier.
3. The method of claim 2, characterized in that the security mechanism identifier being obtained by mapping the unique identifier of the network access point entity is specifically: deriving the security mechanism identifier from the physical address of the network access point entity using a reversible algorithm.
4. The method of claim 1, characterized in that, when the network access point entity sends broadcast messages, different virtual access point entities send different broadcast messages, each carrying the security mechanism identifier corresponding to the respective virtual access point entity.
5. The method of claim 4, characterized in that different virtual access point entities sending different broadcast messages is specifically: different virtual access point entities send different broadcast messages in different time slots or on different frequencies respectively.
6. The method of claim 1, characterized in that, after the network access point entity sends the broadcast messages, the method further comprises the steps of:
the terminal receiving and parsing the broadcast messages, and initiating an access request according to a correctly parsed broadcast message, the access request carrying a security mechanism identifier;
the network access point entity receiving the access request initiated by the terminal, and processing it with the corresponding security mechanism according to the security mechanism identifier carried in it.
7. The method of claim 6, characterized in that, when the terminal receives and correctly parses multiple broadcast messages, the method further comprises the step of:
selecting among the security access mechanisms corresponding to the security mechanism identifiers carried respectively in the multiple broadcast messages, and initiating an access request using the selected security access mechanism; or displaying the security access mechanism information corresponding to the security mechanism identifiers carried respectively in the multiple broadcast messages for the user to choose from, and initiating an access request according to the user's selection.
8. The method of claim 1, characterized by further comprising:
the network access point entity storing the identifier of each terminal that has accessed the network and the security access mechanism information of that terminal;
when a terminal that has accessed the network sends data to the network access point entity, the network access point entity adding, to the data of the user terminal, identification information corresponding to the security access mechanism information of the terminal, the identification information being used to identify the virtual local area network (VLAN) to which the terminal belongs.
9. A network access point device supporting hybrid access of terminals, characterized by comprising:
a configuration module, used to configure, on the network access point device, different virtual network access point entities corresponding respectively to different security capabilities of terminals, and to configure for each virtual network access point entity a corresponding security access mechanism and address identifier, the address identifier being the security mechanism identifier corresponding to the security access mechanism; and also used to generate different broadcast messages according to the different security mechanisms, the broadcast messages carrying the security mechanism identifiers corresponding to the different security mechanisms;
a communication interface module, used to send each of the generated broadcast messages.
10. The network access point device of claim 9, characterized in that the configuration module comprises a configuration sub-module and at least two virtual network access point devices, wherein:
the configuration sub-module is used to configure, on the network access point device, different virtual network access point devices corresponding respectively to different security capabilities of terminals, and to configure for each virtual network access point device a corresponding security access mechanism and address identifier, the address identifier being the security mechanism identifier corresponding to the security access mechanism;
the virtual access point device is used to generate the broadcast message corresponding to the security access mechanism of that virtual access point device, the broadcast message carrying the security mechanism identifier of that virtual access point device; and is also used to process access requests from terminals using the security access mechanism corresponding to that virtual access point device.
11. The network access point device of claim 10, characterized in that the virtual access point device comprises:
a broadcast message processing unit, used to generate the broadcast message, which carries the security mechanism identifier of that virtual access point device;
an access request processing unit, used to process a received access request using the security access mechanism corresponding to that virtual access point device, the security mechanism identifier carried in the access request matching the security mechanism identifier of that virtual access point device.
12. The network access point device of claim 10, characterized in that the security mechanism identifier is obtained by mapping the unique identifier of the network access point device;
the communication interface module is also used to accept an access request sent by a terminal when mapping the security mechanism identifier carried in the access request yields an identifier that matches its own unique identifier, and to forward the request to the virtual access point device corresponding to the security mechanism identifier for processing.
13. The network access point device of claim 9, characterized in that the communication interface module is a time division multiplexing module or a frequency division multiplexing module;
the time division multiplexing module is used to send the broadcast messages corresponding to the security capabilities of terminals in different time slots respectively;
the frequency division multiplexing module is used to send the broadcast messages corresponding to the security capabilities of terminals on different frequencies respectively.
14. A terminal, characterized by comprising:
a broadcast message receiving module, used to receive and parse the broadcast message sent by a network access point device, the broadcast message carrying the security mechanism identifier corresponding to the security capability of the terminal;
an access request initiating module, used to initiate an access request, the access request carrying the security mechanism identifier corresponding to the security capability of the terminal.
15. The terminal of claim 14, characterized in that the security mechanism identifier is obtained by mapping the unique identifier of the network access point device, specifically: the security mechanism identifier is derived from the physical address of the network access point device using a reversible algorithm.
16. The terminal of claim 14, characterized by further comprising:
a configuration module, used to configure a security mechanism selection policy;
a selection module, used to select, according to the security mechanism selection policy, among the security access mechanisms corresponding to the security mechanism identifiers carried respectively in multiple broadcast messages that were received and correctly parsed, and to initiate an access request through the access request initiating module using the selected security access mechanism.
17. The terminal of claim 14, characterized by further comprising:
a display module, used to display, for the user to choose from, the security access mechanism information corresponding to the security mechanism identifiers carried respectively in multiple broadcast messages that were received and correctly parsed;
a selection module, used to receive the security access mechanism selected by the user, and to initiate an access request through the access request initiating module using that security access mechanism.
18. A communication system supporting hybrid access of terminals, characterized by comprising a network access point device and a terminal;
the network access point device is used to configure different virtual network access point entities corresponding respectively to different security capabilities of terminals, and to configure for each virtual network access point entity a corresponding security access mechanism and address identifier, the address identifier being the security mechanism identifier corresponding to the security access mechanism, and to send different broadcast messages according to the different security access mechanisms respectively, the different broadcast messages carrying the security mechanism identifiers corresponding to the different security access mechanisms;
the terminal is used to receive and parse the broadcast messages and to initiate an access request according to a correctly parsed broadcast message, the access request carrying the security mechanism identifier corresponding to the security capability of the terminal.
19. The communication system of claim 18, characterized in that the security mechanism identifier is obtained by mapping the unique identifier of the network access point device;
the network access point device is also used to accept the access request when mapping the security mechanism identifier carried in the access request yields an identifier that matches its own unique identifier, and to process the access request using the security access mechanism corresponding to the security mechanism identifier.
20. The communication system of claim 18, characterized in that the terminal is also used, when it receives and correctly parses multiple broadcast messages, to select among the security access mechanisms corresponding to the security mechanism identifiers carried respectively in the multiple broadcast messages and to initiate an access request using the selected security access mechanism; or to display the security access mechanism information corresponding to the security mechanism identifiers carried respectively in the multiple broadcast messages for the user to choose from, and to initiate an access request according to the user's selection.
CN2007101789908A 2007-12-07 2007-12-07 Information Broadcasting Method, Device and System Supporting Hybrid Access of Terminals Expired - Fee Related CN101453409B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101789908A CN101453409B (en) 2007-12-07 2007-12-07 Information Broadcasting Method, Device and System Supporting Hybrid Access of Terminals

Publications (2)

Publication Number Publication Date
CN101453409A CN101453409A (en) 2009-06-10
CN101453409B true CN101453409B (en) 2011-01-26

Family

ID=40735439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101789908A Expired - Fee Related CN101453409B (en) 2007-12-07 2007-12-07 Information Broadcasting Method, Device and System Supporting Hybrid Access of Terminals

Country Status (1)

Country Link
CN (1) CN101453409B (en)

Also Published As

Publication number Publication date
CN101453409A (en) 2009-06-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110126

Termination date: 20201207
