CN102088702B

CN102088702B - Method and system for accessing wireless network into user residential gateway

Info

Publication number: CN102088702B
Application number: CN200910252141.1A
Authority: CN
Inventors: 赵鹏
Original assignee: China Telecom Corp Ltd
Current assignee: China Telecom Corp Ltd
Priority date: 2009-12-03
Filing date: 2009-12-03
Publication date: 2014-02-26
Anticipated expiration: 2029-12-03
Also published as: CN102088702A

Abstract

The invention discloses a system and a method for accessing a wireless network into a user residential gateway. The method comprises the following steps of: setting a network access control module and connecting an EVDO access functional unit, a wireless local area network (WLAN) hotspot access functional unit and a strategy database of the user residential gateway respectively; selecting to execute basic configuration strategies comprising WLAN access, EVDO access and hybrid access and invoking access strategies from the strategy database to access the wireless network; when the WLAN access strategy is selected, invoking the WLAN hotspot access functional unit after the user residential gateway starts, searching a default setting service set identifier (SSID) and trying to access WLAN; when the EVDO access strategy is selected, invoking the EVDO access functional unit after the user residential gateway starts, performing EVDO network dialing and trying to access an EVDO network; and when the hybrid access strategy is selected, selecting one network to access under the condition of detecting the coexistence of the WLAN network and the EVDO network.

Description

Method and system for accessing user residential gateway to wireless network

Technical Field

The invention relates to the technical field of broadband access, in particular to a method and a system for accessing a user residential gateway to a wireless network.

Background

At present, the customer premises gateway equipment is accessed to the public internet through a wired Local Area Network (LAN) or an Asymmetric Digital Subscriber Line (ADSL). With the development of Wireless Local Area Network (WLAN) technology and 3G technology, hotspots of existing Network deployment become more and more common, coverage of 3G High-speed packet Data (EVDO) Network becomes wider and wider, and WLAN hotspots and 3G EVDO Network gradually become effective supplements of a wired access mode. In areas which are inconvenient to wire and do not have the condition of accessing a wired network, the WLAN hotspot and the EVDO wireless network are accessed through the gateway, and the down-hanging device is provided to access the public Internet, so that great convenience is brought to users.

WLAN refers to a computer local area network using wireless channel as transmission medium, and is an important complement and extension of wired networking. In recent years, the WLAN has been widely used in places unsuitable for network wiring, such as airports, high-class hotels, conference centers, exhibition halls, etc., because the WLAN has many advantages, such as convenient installation, wide coverage, easy expansion, high transmission rate, etc. Large operators are also actively expanding WLAN hot spot coverage. With the large-scale WLAN construction of operators in 2009 in China and the promotion of wireless city planning in all parts of the country, the increase rate of the domestic WLAN market is far higher than that in the past year.

Due to the characteristic of wireless local area network channel opening, user data is easily stolen, maliciously modified and forwarded when being transmitted over the air interface, so public WLAN network security is a problem to be considered in WLAN development. In order to better solve the security problem of the WLAN network, the Institute of Electrical and Electronics Engineers (IEEE) working group has proposed 802.11i standard, and china has also proposed 5 months in 2003 wireless network mandatory security standard wireless local area network Authentication and Privacy Infrastructure (WAPI) GB 15629.11/1102-plus 2003 and its implementation guidelines, and the WAPI has implemented the mutual Authentication of the workstation (STA) and the Access Point (AP) of the WLAN system by using a certificate mechanism. The WAPI industry consortium announced that WAPI was invited by the international standards organization ISO/IECJTC1/SC6 (an international committee for standardization limited to the field of information technology) to re-enter the international standards process as an independent standard, which means that several discounted domestic standards WAPI are expected to promote the international standard and the struggle with the WiFi standard will be over.

Although the WAPI is used as a domestic WLAN mandatory security standard to provide a safe and reliable network for users, in order to take different requirements of different users on security levels and flexibility and convenience of using an access network into consideration, a future WLAN network has three access modes, namely, an 802.11b non-encryption mode access mode (for users without security requirements and terminals which do not support encryption), an 802.11i authentication access mode (for international roaming users and terminals which support 802.11 i) and a WAPI authentication access mode (for users with higher security requirements and terminals which support WAPI).

EVDO is called CDMA20001xEV-DO and is an evolution stage of 3G standard system CDMA 2000. The 1x EV-DO network is a data service private network, and lacks explicit QoS service design requirements since the system was originally designed to provide non-real-time services. With the development of multimedia data service, the current 1x EV-DO Release A provided by the network supports the single-user reverse peak rate of 1.8Mbit/s, the forward peak rate is further improved to 3.1Mbit/s version, and the complete end-to-end QoS service can be provided.

CDMA2000 has internationally become a mature 3G application standard. There are now 166 carriers deployed in commercial networks of 161 CDMA1X (2G) and 46 EVDO (3G) in the world, and 27 CDMA1X and 40 EVDO networks are under construction. The number of users of CDMA1X worldwide has exceeded 2.66 billion, and the number of users of EVDO has approached 4000 ten thousand.

At present, a WLAN network mainly provides access services for a PC terminal and a mobile phone supporting WIFI and WAPI, and a user premises gateway is not limited as a client for WLAN access in a technical system, but the following disadvantages exist in supporting gateway access:

1) the gateway access WLAN hotspot is actually a channel for providing broadband internet access for the down-hanging device, various applications interacted with the user run on the PC terminal hung below the gateway, and the user generally does not interact with the gateway directly, so that the currently adopted WLAN internet access password acquisition mode and the network access authentication mode participated by the user are not applicable any more.

2) The internet access password is generally set as a temporary password, and the user needs to obtain the temporary password again every time the user accesses the internet, so that the user is more inconvenient to use if the user operates the gateway application mode.

For operators, in areas where wired coverage is not available, users are developed through WLAN hotspots and EVDO networks, so that wireless broadband access becomes the most beneficial supplement of a wired access mode. The WLAN hotspot access and the EVDO network access can be used as a supplement of a wired mode and can also be independently applied, by means of a short message function, a gateway can automatically acquire a WLAN internet access password to realize hotspot access, and in areas where the WLAN cannot cover, the WLAN can also be accessed through the EVDO network, and the two modes are combined and applied, so that the advantages of an operator network are fully exerted, and the idea of full-service operation is embodied.

At present, the WLAN hotspot mainly faces to a PC terminal and a mobile phone user supporting WIFI and WAPI to implement access and broadband internet access.

In the prior art, the process of obtaining the WLAN access password by the user is as follows: the user needs to input a mobile phone number on a PORTAL page, select an account opening place, input a verification code, click to acquire an internet access password, and the background WLAN service opening system generates and obtains the password through interaction with an authentication, authorization and accounting (AAA) system and then sends the password to the mobile phone number of the user through a short message platform.

A process of accessing a WLAN hotspot after a user obtains a WLAN internet Access password is shown in fig. 2, after a PC terminal, that is, a workstation (STA) completes association and link authentication to an AT, an IP address is obtained from a Dynamic Host Configuration Protocol (DHCP) Server, the user accesses a website AT will, an Access Controller (AC) device or a broadband Access Server (BRAS) device redirects a HTTP request of the user to an authentication page of a PORTAL Server, the user inputs a user account and a password of the WLAN internet Access, the PORTAL Server transmits user authentication data to the RADIUS authentication Server, the RADIUS completes user identity authentication, a charging process begins, and the user can normally Access a network.

However, the existing wired access mode and WLAN hotspot access mode cannot meet the access requirement of the residential gateway of the user, and mainly have the following disadvantages:

1) the wired network can not completely cover, and a wireless access mode is the only effective means of competing with the industry for operators and areas with scarce fixed network resources;

2) the existing WLAN hotspot access requires a user interaction process, and in a gateway access mode, a user generally requires plug and play without manual intervention, zero configuration service is opened, and particularly the password acquisition process is required to be automatically completed due to the dynamic property of a WLAN internet access password;

3) the place where the customer premises gateway is placed in the actual application deployment can be changed, and the existing access mode is lack of flexibility.

Disclosure of Invention

In view of the above, the present invention provides a method and a system for accessing a wireless network to a gateway at a subscriber premises, which can conveniently provide a broadband internet service for a subscriber in an area where wiring is inconvenient and broadband access conditions are not available, so as to realize automatic access of the gateway to the wireless network.

The present invention provides a system for accessing a customer premises gateway to a wireless network, which is arranged on the customer premises gateway and comprises:

the EVDO access function unit is used for accessing an EVDO data network;

the WLAN hotspot access functional unit is used for realizing the access authentication of a link layer and the access authentication of a network layer of the WLAN hotspot access; and

the network access control module is respectively connected with the EVDO access function unit, the WLAN hotspot access function unit and a strategy database of the user residential gateway; selecting and executing basic configuration strategies comprising WLAN access, EVDO access and hybrid access, and calling an access strategy from a strategy database to execute the access of the wireless network according to the selection; under the condition of selecting a WLAN access strategy, calling a WLAN hotspot access functional unit after a user residential gateway is started, searching a default configured SSID (service set identifier), and trying to access the WLAN; under the condition of selecting an EVDO access strategy, calling an EVDO access functional unit after a user residential gateway is started, carrying out EVDO network dialing, and trying to access an EVDO network; in case of selecting the hybrid access policy, in case of checking the coexistence of the WLAN network and the EVDO network, one of the networks is selected for access.

Optionally, in the system, the network access control module, when selecting the hybrid access policy, preferably uses WLAN access when checking that the WLAN network and the EVDO network coexist, and attempts EVDO access if access fails.

Optionally, the system supports automatic and manual modes; in the manual mode, the network access control module reserves the selection of network access to the user confirmation of the application layer, and the user operates a management interface of the gateway to select to access the WLAN hotspot or the EVDO network; in the automatic mode, the network access module automatically selects an access mode according to the access strategy.

Optionally, if the system selects the automatic access mode, if the current network connection is unavailable, the network access control module automatically attempts the next access mode, and if the current WLAN hybrid network is unavailable, the network access control module automatically attempts 802.11b non-encrypted network access, and if the current WLAN network is unavailable, the network access control module automatically attempts EVDO network access;

after the original network is recovered, the network access control module cannot automatically switch back to the original network, the customer premises gateway continuously keeps the current connection until the current connection is no longer available or is manually intervened, and if the customer premises gateway is restarted, the customer premises gateway still performs selective access according to a configuration strategy.

Optionally, the EVDO access function unit of the system includes: the short message module is connected with the network access control module and used for realizing the sending and receiving of short messages;

the EVDO dialing module is connected with the network access control module and is used for realizing an EVDO dialing function;

the AT command interface module is used for realizing the conversion of the AT command format;

the USB wireless data card driving module is used for connecting with an external USB wireless data card, virtualizing the external USB wireless data card into modem serial port equipment, driving the USB wireless data card to work through a standard AT command by the gateway AT the user premises, executing initialization, and inquiring information and working states of the data card and the UIM card; in addition, when the USB wireless data card is inserted, and the USB wireless data card driving module is correctly loaded and initialized, the user residential gateway can send and receive short messages through AT commands without accessing the EVDO data network.

Optionally, the WLAN hotspot access functional unit of the system includes:

the 802.11b network card driving module is used for driving the 802.11b network card;

the network identification module is used for searching the network, identifying the specific network type of the BSS mode network, and transmitting network identification information to the link authentication module after determining the network type;

the link authentication module is used for activating a corresponding authentication algorithm according to the network identification information transmitted by the link authentication module, selecting a proper link authentication protocol and finishing link access authentication; and

and the network authentication module initiates DHCP negotiation according to authentication information including a user account and a password transmitted by the network access control module after the link access authentication is successfully established through the link, acquires an IP address and initiates a network authentication process.

Optionally, the network access control module of the system is further configured to call a short message module, and send a password acquisition short message to the short message platform through the AT command interface module to acquire a password for WLAN hotspot access.

Optionally, the specific network types of the BSS mode network in the system include: 802.11i, WAPI, 802.11b, and 802.11b are unencrypted.

Optionally, the system network access control module determines, according to the configuration policy, that the WLAN hotspot network is to be accessed, and then activates the link layer network identification module and the link authentication module, and waits for the link layer association and link layer authentication to complete; if the link is successfully established, the network access control module calls the short message module, and the short message module sends a WLAN internet password request short message by calling the AT command interface module; after receiving the WLAN internet access password, the network access control module activates the WLAN network authentication module, transmits the user account and the acquired password to the WLAN network authentication module, and the network authentication module initiates DHCP negotiation, acquires a DHCP IP address and initiates a network authentication process.

In another aspect of the present invention, a method for accessing a wireless network by a customer premises gateway is further provided, where a network access control module, a WLAN hotspot access function unit and an EVDO access function unit are disposed on the customer premises gateway, and the method includes:

the network access control module selects an access strategy according to the configuration, and calls specific strategy content from a strategy database of the user residential gateway to execute wireless network access;

under the condition of selecting a WLAN access strategy, the user residential gateway calls a WLAN hotspot access functional unit after being started, and activates and waits for the link layer association and link layer authentication process to be completed; if the link is successfully established, the network access control module sends a WLAN internet password request short message; after receiving a WLAN internet access password, a network access control module transmits a user account and the acquired password to a WLAN hotspot access function unit, and the WLAN hotspot access function unit negotiates with a DHCP (dynamic host configuration protocol), acquires a DHCP IP (dynamic host configuration protocol) address and initiates a network authentication process;

under the condition of selecting an EVDO access strategy, the user premises gateway calls an EVDO access functional unit after being started, performs EVDO network dialing and tries to access an EVDO network;

in case of selecting the hybrid access policy, in case of checking the coexistence of the WLAN network and the EVDO network, one of the networks is selected for access.

Optionally, in the method, the network access control module, when selecting the hybrid access policy, preferably selects the WLAN access by the customer premises gateway when checking that the WLAN network and the EVDO network coexist, and attempts the EVDO access if the access fails.

Optionally, the method presets an automatic mode and a manual mode; in the manual mode, the network access control module reserves the selection of network access to the user confirmation of the application layer, and the user operates a management interface of the gateway to select to access the WLAN hotspot or the EVDO network; in the automatic mode, the network access module automatically selects an access mode according to the access strategy.

Optionally, if the automatic access mode is selected, if the current network connection is unavailable, the network access control module automatically attempts the next access mode, and if the current WLAN hybrid network is unavailable, the network access control module automatically attempts 802.11b non-encrypted network access, and if the current WLAN network is unavailable, the network access control module automatically attempts EVDO network access;

Optionally, in the method, under the condition of WLAN hotspot access, a process of obtaining a password by a customer premises gateway includes:

the network access control module calls the short message module, and sends the short message to the short message gateway through the AT command interface module, wherein the short message comprises: local gateway identification, UIM card and IMSI number;

after the short message reaches the short message gateway, the short message gateway extracts the content of the short message, generates a request for acquiring a WLAN internet access password and sends the request to the WLAN opening system;

the WLAN opening system inquires a user account according to information such as UIM card, IMSI number and the like in the WLAN opening system, judges whether a WLAN service opening condition is met, and if the WLAN service opening condition is met, the step 404 is executed; if not, the flow is ended or a failure response is returned to the user residential gateway;

the WLAN opening system takes the user mobile phone number as a user account to enter the AAA system for opening an account, and the AAA system returns temporary password information generated in real time to the WLAN opening system;

the WLAN opening system sends the acquired password information to a short message gateway through a password information sending request;

and the short message gateway transmits the password information to the user residential gateway in a short message mode.

In another aspect of the present invention, a method for obtaining a password during a customer premises gateway accessing a wireless network is further provided, including:

A. the user residential gateway sends request information containing gateway identification, UIM card and IMSI number of the user terminal to the WLAN opening system through short message;

B. the WLAN opening system takes the user mobile phone number as a user account to enter the AAA system for opening an account, and the AAA system returns temporary password information generated in real time to the WLAN opening system;

and C, the WLAN opening system issues the password information to the customer premises gateway.

Optionally, the password obtaining method opens a special service number in a short message gateway in a mobile network;

the user residential gateway sends the short message to a special service number in the step A, and after the short message arrives at the short message gateway, the short message gateway extracts the content of the short message to generate a request for acquiring a WLAN internet access password and sends the request to the WLAN opening system;

an interface with a short message gateway is added in the WLAN opening system;

and C, the WLAN opening system sends the password information to the customer premises gateway by including the password information in a password information sending request.

Optionally, after receiving the request message, the WLAN provisioning system of the password obtaining method queries the user account, determines whether the WLAN service provisioning condition is met, if so, executes the next step, otherwise, ends the procedure.

Optionally, the user account accessed by the user in the password obtaining method adopts a mobile phone number.

From the above, the method and the system for accessing the customer premises gateway to the wireless network provided by the invention realize that the customer premises gateway accesses the public internet through the WLAN hotspot or the EVDO network by upgrading the function of the customer premises gateway equipment. The gateway equipment, a short message platform at the network side and a WLAN service opening system are required to be transformed to a certain degree, and the function of automatically accessing the WLAN hotspot by the gateway equipment at the user premises can be realized by sending a short message to obtain a password. The access capability of the customer premises gateway equipment is effectively expanded. The method specifically comprises the following effects:

1. realizing the access of the user residential gateway to the public internet in a wireless way

At present, the user residential gateways access the public internet in a wired LAN or ADSL mode, the method provided by the invention expands the means of gateway access, and can still provide high-speed broadband access for users by using WLAN hotspots and EVDO networks in areas where wired coverage is unavailable.

2. Zero configuration opening without manual intervention

The WLAN hotspot access mode provided by the invention is that the WLAN internet access password is acquired in a short message form on the gateway through the short message module and the AT command, and then the gateway automatically initiates a network authentication process to realize WLAN hotspot access, so that the whole process does not need manual intervention and is convenient for users to use.

Drawings

Fig. 1 is a schematic structural diagram of a wireless network access system of a customer premises gateway according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of a WLAN hotspot access internet access process of a user PC terminal in the prior art;

FIG. 3 is a schematic flow chart of a network access module invoking a short message module and a WLAN network authentication module according to an embodiment of the present invention;

fig. 4 is a schematic flow chart of a WLAN internet access password acquired by a customer premises gateway short message in the embodiment of the present invention;

FIG. 5 is a schematic diagram of a network access control module according to an embodiment of the present invention;

fig. 6 is a schematic view of a complete WLAN hotspot internet access flow of a customer premises gateway in an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.

The invention provides a system for accessing a user residential gateway to a wireless network, which can be arranged on the user residential gateway and mainly comprises:

the EVDO access function unit is used for accessing an EVDO data network;

The system architecture of one embodiment of the present invention is shown with reference to fig. 1. The system is arranged in the customer premises gateway equipment and comprises the following components: a network access control module, an EVDO wireless access function and a WLAN hotspot access function. Wherein,

the network access control module 120 is a core control module for the customer premises gateway to implement wireless network (including WLAN hotspot and EVDO network) access, and is responsible for loading and initializing all the driver modules and the protocol authentication module, and selecting a wireless network access mode according to a policy.

The network access control module 120 is connected to the policy database 110 of the customer premises gateway device, and the policy database 110 is used for storing and providing the access policy of the customer premises gateway to the network access control module 120. The policy control of network access is as follows:

1) the method supports an automatic mode and a manual mode, wherein in the manual mode, the network access control module reserves the selection of network access for the user confirmation of an application layer, and the user selects to access a WLAN hotspot or an EVDO network in the management interface operation of a gateway; in the automatic mode, the network access module automatically selects an access mode according to a strategy;

2) in the automatic access mode, basic configuration strategies comprise WLAN access, EVDO access and hybrid access, if the WLAN access is configured, the gateway equipment searches the default configured SSID after being started, tries to access the WLAN, and records a log after the access fails; if the EVDO access is configured, the gateway equipment automatically dials the EVDO network after being started and tries to access the EVDO network; the default strategy is configured in a hybrid access mode, namely the gateway preferably adopts WLAN access under the condition that a WLAN network and an EVDO network coexist, and the EVDO access is attempted if the access fails;

3) networks covered by WLAN hotspots typically include three cases, 802.11b no encryption, 802.11i authentication, and WAPI authentication. The network identification module can identify all current network types and select access according to default configured SSID. Under the condition that a hybrid network exists, if 802.11b has no encryption and 802.11i, 802.11b and WAPI, the gateway selects the network 802.11i or WAPI with encryption as a default to access;

4) under the condition that the current network connection is unavailable, if the configuration policy is automatic access, the gateway automatically attempts the next access mode, for example, the WAPI in the current WLAN hybrid network is unavailable, the gateway automatically attempts 802.11b non-encryption network access, and if the current WLAN network is unavailable, the gateway automatically attempts EVDO network access. Although the access switching is automatically completed, the gateway automatically switches back to the original network after the original network is recovered, the gateway continuously keeps the current connection until the current connection is no longer available or manual intervention is performed, and if the gateway is restarted, the access is still selected according to the configuration strategy.

Under the above policy, the operation process of the network access control module 120 is as shown in fig. 5, and includes:

step 501, all driver modules and protocol authentication modules in the system of the present invention are loaded and initialized.

502-504, judging whether the module is loaded successfully, if so, entering 505; otherwise, recording the failure condition to a system log, and exiting the system.

505-506, judging whether an automatic access mode is set currently, if so, entering 507; otherwise, the manual access mode is used for waiting for the selection of the application layer user.

Step 507, determining whether the currently configured access mode is a WLAN, EVDO, or hybrid access mode, if the currently configured access mode is the WLAN, EVDO, executing step 508, and if the currently configured access mode is the WLAN or hybrid access mode, executing step 509.

And step 508, executing an EVDO access process, calling an EVDO dialing module, and establishing dialing connection through an AT command.

Step 509, perform the WLAN hotspot access process, specifically referring to fig. 3.

Step 510, determining whether the WLAN hotspot access is successful, if so, ending the process, otherwise, if a hybrid access mode is configured, executing the EVIDO access process of step 508.

The EVDO wireless access function unit 140 includes:

the short message module 141 is connected with the network access control module and used for realizing the sending and receiving of short messages;

the EVDO dialing module 142 is connected with the network access control module and used for realizing an EVDO dialing function;

an AT command interface module 143, configured to implement conversion of AT command formats;

the USB wireless data card driving module 144 is configured to connect with an external USB wireless data card, virtualize the external USB wireless data card into a modem serial device, drive the USB wireless data card to work through a standard AT command by the customer premises gateway, perform initialization, and query information and working status of the data card and the UIM card; in addition, when the USB wireless data card is inserted, and the USB wireless data card driving module is correctly loaded and initialized, the user residential gateway can send and receive short messages through AT commands without accessing the EVDO data network.

As an embodiment of the present invention, the EVDO wireless access function unit 140 may be implemented by developing a wireless data card driving module on a subscriber premises gateway, virtualizing an external USB wireless data card into a modem serial device, and the gateway may drive the USB data card to work through a standard AT command, perform initialization, EVDO dialing, sending and receiving a short message, and query information and working states of the data card and the UIM card.

It is worth to be noted that the use of the short message function does not depend on the access of the EVDO network, the USB wireless data card is inserted, and after the wireless data card driving module is correctly loaded and initialized, the gateway can send and receive the short message through the AT command without accessing the EVDO data network.

The WLAN hotspot access functional unit comprises:

an 802.11b network card driving module 134, configured to drive an 802.11b network card; the realized functions mainly comprise:

1) registering a device with an operating system

2) Providing I/O function to realize initialization and configuration management of equipment

3) Providing API function to upper TCP/IP protocol stack, receiving and transmitting data from and to device, processing device interrupt

4) Management of IEEE802.11MAC protocol stack is realized

5) Configuration management for wireless networks, etc.

Generally, the WAPI and the ieee802.11i are both added with security algorithms in the original 802.11b standard, so the 802.11b network card driver module 134 used in this embodiment may also implement driving of other network types covering WLAN hotspots such as the WAPI and the ieee802.11i.

A network identification module 133, configured to search a network, identify a specific network type of the BSS mode network, and transmit network identification information to the link authentication module after determining the network type;

the link authentication module 132 is used for activating a corresponding authentication algorithm according to the network identification information transmitted by the link authentication module, selecting a proper link authentication protocol and completing link access authentication; and

the network authentication module 131 initiates a DHCP negotiation according to authentication information including a user account and a password transmitted from the network access control module after the link access authentication is successfully established through the link, obtains an IP address, and initiates a network authentication process.

As an embodiment of the present invention, the WLAN hotspot access functional unit 130 may develop an 802.11b network card driving module, a network identification module, a link authentication module, and a network authentication module on the subscriber premise gateway, and in the WLAN hotspot coverage area, the gateway device may automatically search for a network through a beacon frame or a polling response frame, identify a network type (802.11i, WAPI, 802.11b), and select an appropriate link authentication protocol for access.

Since the network types covered by the WLAN hot spot all belong to the BSS mode, only the BSS network needs to be identified, and compared with the 802.11b and WAPI networks, the 802.11i network adds the RSN IE information element in the beacon frame and the probe response frame, so that the 802.11i network can be identified first. If the information element of the RSN IE is not included, it indicates that the network type is 802.11B unencrypted type, or the WAPI type, and in the BSS structure, the WAPI procedure is enforced, so if the capability information field B4 in the information element set is 0, it indicates that the network does not employ any encryption authentication mechanism, so it may determine that the network type is 802.11B, if B4 is 1, it indicates that WEP encryption or WAI authentication mechanism is employed, since the link association procedures of the 802.11B network and the WAPI network are identical, the WAPI network may send an active authentication packet, i.e., a management frame of the WAPI, to the STA after completing the link association, and the ethernet protocol type is 0x88B4, so if the gateway receives the management frame after completing the association with the AP, it may determine that the current network is the WAPI network, and if the active authentication packet is not received, it may determine that the network type is ieee 802.11B.

The network identification module searches the default configured SSID, preferentially selects the encrypted network 802.11i or WAPI for access, transmits network identification information to the link authentication module after determining the network type, and activates a corresponding authentication algorithm through the link authentication module to finish link access authentication.

The user surfs the internet through the residential gateway equipment and must complete network access authentication.

At present, the method of the WLAN user PC terminal is realized through PORTAL authentication: after the PC terminal (STA) completes the association and link authentication to the AT, the IP address is obtained from the DHCP server, the user can randomly access a website, the AC device or the BRAS device redirects the HTTP request of the user to an authentication page of the PORTAL server, the user inputs the user account and the password of the WLAN access, the PORTAL server transmits the user authentication data to the RADIUS authentication server, the RADIUS completes the user identity authentication, the charging process is started, and the user can normally access the network. The prior art authentication process is shown in fig. 2.

The WLAN access password input by the user on the authentication page is obtained in advance by accessing the PORTAL page. This procedure is suitable for user PC terminals but not for user premises gateways:

1) the user residential gateway is used as an outlet device of a user side network accessed to the public Internet to provide an on-line channel service for a user PC terminal which is hung down, and zero configuration opening is generally required without user intervention;

2) the user account accessed by the WLAN hotspot can adopt a mobile phone number, the password is a temporary password, the WLAN access password needs to be acquired again every time the WLAN is accessed to surf the internet, and the user is not convenient to use by logging in a gateway management interface every time.

Based on the consideration, the invention provides a mode of obtaining the password by sending the short message to be applied to the WLAN hotspot access, so that the residential gateway of the user can automatically obtain the WLAN access password without manual intervention, thereby realizing the hotspot access. The process is completed by the coordination of the network access control module, the short message module and the WLAN network authentication module in the attached figure 1. The specific calling process is shown in fig. 3, and includes:

step 301, the network access control module 120 determines to access the WLAN hotspot network according to the configuration policy, and then executes step 302.

In step 302, the network access control module 120 activates the link layer network identification module 133 and the link authentication module 132 and waits for the link layer association and link layer authentication procedures to complete. If the link association fails or the link layer authentication fails, the WLAN hotspot access process is finished; if the link is successfully established, step 303 is entered.

Step 303, the network access control module 120 calls the short message module 303, the short message module sends a WLAN internet password request short message (specifically, the process of obtaining the WLAN internet password is shown in the flow of fig. 4) by calling the AT command interface module 143, waits for a response, records a system log if a response cannot be received within a period of time, cuts off the association with the current AP, and ends the WLAN hotspot access process; if the WLAN access password is received, step 304 is entered.

Step 304, the network access control module 120 activates the WLAN network authentication module 131, transmits information such as a user account (mobile phone number), an acquired password, and the like to the WLAN network authentication module, and the network authentication module 131 initiates a DHCP negotiation, acquires a DHCP IP address, and initiates a network authentication process.

The flow of the customer premises gateway sending the short message to obtain the password is shown in fig. 4.

1) Short message gateway

The short message gateway needs to open a special service number to receive a WLAN access password acquisition request from a user residential gateway and open a system interface with a WLAN service. The process that the short message gateway sends the acquired password to the mobile phone number of the user is consistent with the current implementation mode.

2) WLAN service opening system

The current WLAN service opening system interacts with a PORTAL server, a background IT support system, an AAA system and the like, supports a PC terminal user to acquire a WLAN internet access password in a Web mode, namely, after the user PC terminal is associated with an AP (the current network does not support 802.11i authentication and WAPI authentication), the user selects an opening place and inputs a verification code on a PORTAL page by inputting a mobile phone number, clicks to acquire the internet access password, the PORTAL server transmits a password acquisition request to the WLAN service opening system, the WLAN service opening system interacts with the background system, and the generated password is transmitted to a mobile phone of the user through a short message gateway.

On the basis, the invention expands the functions of the WLAN service opening system, adds an interface with a mobile network short message platform, can process a password request sent by the short message platform, and sends a WLAN internet access password to a mobile phone number corresponding to the IMSI number of the UIM card on the user gateway through the short message platform after the password is obtained by interaction with a background system, so that the password can be read on the gateway through an AT command, and the network access authentication of the WLAN hotspot is completed.

Referring to fig. 4, a process of sending a short message by a customer premises gateway to obtain a password includes:

step 401, the customer premises gateway sends a short message to a set special service number, wherein the short message comprises: local gateway identification, UIM card, IMSI number, etc.

In the step, a network access control module calls a short message module and sends the short message through an AT command interface module.

Step 402, after the short message reaches the short message gateway, the short message gateway extracts the content of the short message, generates a request for obtaining a WLAN internet access password and sends the request to the WLAN opening system.

Step 403, the WLAN provisioning system queries the user account according to the information of the UIM card, the IMSI number, and the like, determines whether the WLAN service provisioning condition is met, and if the WLAN service provisioning condition is met, the WLAN provisioning system enters step 404; if not, the flow is ended or a failure response is returned to the user residential gateway.

Step 404, the WLAN provisioning system uses the user phone number as the user account to enter the AAA system for account opening, and the AAA system returns the temporary password generated in real time to the WLAN provisioning system.

Step 405, the WLAN provisioning system sends the acquired password information to the short message gateway through a password information sending request.

And step 406, the short message gateway sends the password information to the customer premises gateway in a short message mode.

A complete flow (for example, thin AP and WAPI authentication methods) for the customer premises gateway to achieve WLAN hotspot access by sending a short message to obtain an internet access password is shown in fig. 6.

The method is different from the prior method that the user accesses the WLAN hotspot through the PC terminal in that a short message mode is added in the process of acquiring the WLAN internet access password, the AP association and link authentication modes before the process are consistent with the prior realization mode, and the process of acquiring the internet access password and the process of initiating network authentication after the password acquisition do not need to be participated in by a PORTAL server and are automatically completed by the gateway equipment at the user site.

The short message WLAN opening system in the figure comprises a short message gateway and a WLAN opening system.

The method specifically comprises the following steps:

I. physical connection establishment phase

601-603, the gateway of the user station monitors a Beacon frame sent by the WLAN equipment, identifies that the network supports a WAPI security mechanism and authentication, and establishes physical link association with the AP by adopting open authentication.

II. Link authentication phase

Step 604-610, the WLAN access device determines that the user is a WAPI user, sends an authentication activation packet to the gateway, and triggers the gateway to initiate a WAPI authentication interaction process. Authentication data between the gateway and the WLAN access device is transmitted using the WAPI protocol with an ethertype field of 0x88B 4. The WLAN access equipment initiates certificate authentication to a remote WAPI AS, and the authentication request message simultaneously contains certificate information of the gateway and the WLAN access equipment. The AS authenticates the identities of the WLAN access equipment and the gateway, and firstly sends the identity authentication results of the WLAN access equipment and the gateway to the WLAN access equipment through an authentication response message, and then the WLAN access equipment sends the authentication results to the gateway. If the authentication is successful through the AS, the WLAN access equipment initiates a key negotiation interactive process with the gateway, firstly negotiates a unicast key for encrypting the unicast message, and then negotiates a multicast key for encrypting the multicast message. Only after the access authentication and the key agreement are successful, the WLAN access device authorizes the gateway to use the WAPI network.

III, WLAN network access password acquisition stage

Step 611-613, the customer premises gateway sends a short message to a special service number, including a gateway identifier, an IMSI number, and the like, and sends an internet access password acquisition request to the WLAN provisioning system through the short message gateway, the WLAN provisioning system checks whether the user account number meets the WLAN service provisioning condition, if so, the WLAN provisioning system interacts with the AAA system to complete the provisioning of the mobile phone number account, acquire the internet access password, and sends information such as the mobile phone number, the internet access password, and the like to the customer premises gateway through the short message gateway. The flow of obtaining the WLAN internet password can be seen in fig. 4.

IV, network authentication phase

And 614-620, the network authentication stage comprises two processes of IP address acquisition through DHCP negotiation and network access authentication. The network access authentication request is sent to an AAA system through a BRAS, WLAN user authentication is completed through the AAA system, the authentication is successful, the BRAS informs the AAA system of starting charging, and a network access authentication response message is sent to a gateway.

Step 621, after the access authentication is completed, the customer premises gateway is online, and the device hung down can normally access the internet.

The above-described embodiments are merely exemplary embodiments of the present invention, which should not be construed as limiting the invention, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims

1. A system for a customer premises gateway to access a wireless network, the system being disposed at the customer premises gateway and comprising:

the EVDO access function unit is used for accessing an EVDO data network;

the network access control module is respectively connected with the EVDO access function unit, the WLAN hotspot access function unit and a strategy database of the user residential gateway; selecting and executing basic configuration strategies comprising WLAN access, EVDO access and hybrid access, and calling an access strategy from a strategy database to execute the access of the wireless network according to the selection; under the condition of selecting a WLAN access strategy, calling a WLAN hotspot access functional unit after a user residential gateway is started, searching a default configured SSID (service set identifier), and trying to access the WLAN; under the condition of selecting an EVDO access strategy, calling an EVDO access functional unit after a user residential gateway is started, carrying out EVDO network dialing, and trying to access an EVDO network; under the condition of selecting a hybrid access strategy, under the condition of checking that a WLAN network and an EVDO network coexist, selecting one network to access;

wherein the EVDO access function unit includes: the short message module is connected with the network access control module and used for realizing the sending and receiving of short messages;

2. The system of claim 1, wherein the network access control module, in case of selecting the hybrid access policy, prefers the WLAN access in case of checking the coexistence of the WLAN network and the EVDO network, and attempts the EVDO access if the access fails.

3. The system of claim 1, wherein the system supports both automatic and manual modes; in the manual mode, the network access control module reserves the selection of network access to the user confirmation of the application layer, and the user operates a management interface of the gateway to select to access the WLAN hotspot or the EVDO network; in the automatic mode, the network access module automatically selects an access mode according to the access strategy.

4. The system of claim 3, wherein if the automatic access mode is selected, the network access control module automatically attempts the next access mode if the current network connection is not available, such as WAPI is not available in the current WLAN hybrid network, the network access control module automatically attempts 802.11b non-encrypted network access, and if the current WLAN network is not available, the network access control module automatically attempts EVDO network access;

5. The system of claim 1, wherein the WLAN hotspot access function comprises:

6. The system of claim 5, wherein the network access control module is further configured to invoke a short message module, and send a password acquisition short message to the short message platform through the AT command interface module to acquire a password for WLAN hotspot access.

7. The system of claim 5, wherein the specific network types of the BSS-mode network include: 802.11i, WAPI, 802.11b, and 802.11b are unencrypted.

8. The system of claim 5, wherein the network access control module activates the link layer network identification module and the link authentication module after determining to access the WLAN hotspot network according to the configuration policy, and waits for the link layer association and link layer authentication process to complete; if the link is successfully established, the network access control module calls the short message module, and the short message module sends a WLAN internet password request short message by calling the AT command interface module; after receiving the WLAN internet access password, the network access control module activates the WLAN network authentication module, transmits the user account and the acquired password to the WLAN network authentication module, and the network authentication module initiates DHCP negotiation, acquires a DHCP IP address and initiates a network authentication process.

9. A method for accessing a wireless network by a customer premises gateway is characterized in that a network access control module, a WLAN hotspot access functional unit and an EVDO access functional unit are arranged on the customer premises gateway, and the method comprises the following steps:

10. The method of claim 9, wherein the network access control module, in case of selecting the hybrid access policy, prefers the WLAN access in case of checking the coexistence of the WLAN network and the EVDO network, and attempts the EVDO access if the access fails.

11. The method according to claim 9, wherein an automatic mode and a manual mode are preset; in the manual mode, the network access control module reserves the selection of network access to the user confirmation of the application layer, and the user operates a management interface of the gateway to select to access the WLAN hotspot or the EVDO network; in the automatic mode, the network access module automatically selects an access mode according to the access strategy.

12. The method of claim 10, wherein if the automatic access mode is selected, the network access control module automatically attempts the next access mode if the current network connection is not available, such as the WAPI is not available in the current WLAN hybrid network, the network access control module automatically attempts 802.11b non-encrypted network access, and if the current WLAN network is not available, the network access control module automatically attempts EVDO network access;

13. The method of claim 9, wherein the step of obtaining the password by the customer premises gateway in the case of WLAN hotspot access comprises: