CN103402202A - Terminal access limiting method based on 802.11 protocol in WLAN (wireless local area network) - Google Patents

Info

Publication number
CN103402202A
Authority
CN
China
Prior art keywords
terminal
protocol
content
association request
request
Prior art date
Legal status
Granted
Application number
CN2013103635628A
Other languages
Chinese (zh)
Other versions
CN103402202B (en)
Inventor
饶志恒
Current Assignee
CICT Mobile Communication Technology Co Ltd
Original Assignee
Wuhan Hongxin Telecommunication Technologies Co Ltd
Priority date
2013-08-20
Filing date
2013-08-20
Publication date
2013-11-20
Application filed by Wuhan Hongxin Telecommunication Technologies Co Ltd
Priority to CN201310363562.8A
Publication of CN103402202A
Application granted
Publication of CN103402202B
Legal status: Active

Landscapes

  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a terminal access limiting method based on the 802.11 protocol in a WLAN. The method comprises: extending the Association Request protocol of an 802.11 link-layer terminal; and, after an access device receives a terminal's Association Request, taking out part of the content of the extension protocol for verification and allowing access only after the verification passes. Extending the Association Request protocol of the 802.11 link-layer terminal comprises adding an extension protocol part to the Association Request protocol; the extension protocol part comprises an element identity, the content of the encrypted terminal MAC (media access control) address, and the length of the character string of the encrypted terminal MAC address content. The terminal generates the Association Request according to the extended Association Request protocol and sends it to the access device.

Description

Terminal access restriction method based on the 802.11 protocol in a WLAN
Technical field
The present invention relates to a method by which a WLAN access device restricts clients, and in particular to a method that extends the 802.11 link-layer protocol so that authentication information is added to the terminal's access request in order to restrict terminal access.
Background technology
WLAN is an important supplement to and extension of wired networking, and is moving in the direction of broadband, intelligent, multimedia and personalised use. New technologies, new systems and new services keep emerging, converging and diverging, greatly promoting the development of wireless network technology and rapidly expanding the range of network applications.
A WLAN based on the 802.11 protocol comprises elements such as stations (Station), the distribution system (Distribution System, DS), access points (Access Point, AP), portals (Portal) and wireless access controllers (AC). The most critical of these is the wireless access and control system, which comprises the access points (AP) and the wireless access controllers (AC).
By restricting station access, an access point can reserve network resources for authorised stations and avoid attacks on the access point by illegal stations. At present an access point restricts station access in the following two ways:
1. The AP restricts a set of MAC addresses, allowing or refusing access to those MACs. The scope of this method is limited: it can only cover a limited number of MAC addresses.
2. The AP uses encryption, so that a station needs a password to gain access; the encryption modes are WEP, WPA and WAPI. WEP uses a static password and is relatively easy to crack; WPA and WAPI are comparatively secure, but require a third-party authentication server.
Summary of the invention
The purpose of the present invention is to provide a reliable method by which a WLAN access device restricts terminal access. By extending the 802.11 link-layer protocol, authentication information is added to the access request sent by the terminal equipment; the access device verifies this authentication information and permits access only if it is satisfactory.
The technical scheme of the present invention provides a terminal access restriction method based on the 802.11 protocol in a WLAN:
The Association Request protocol of the 802.11 link-layer terminal is extended by adding an extension protocol part to the Association Request. The extension protocol part comprises an element identifier, the content obtained by encrypting the terminal MAC address, and the string length of the encrypted terminal MAC address content. The terminal generates an Association Request according to the extended Association Request protocol and sends it to the access device.
After the access device receives the terminal's Association Request, it takes out the content of the extension protocol part and verifies it; access is allowed only if verification passes. Verification is performed as follows:
The access device searches the Association Request for the element identifier and, according to the string length of the encrypted terminal MAC address content, takes out the encrypted terminal MAC address content. It then encrypts the terminal MAC address locally with the same cryptographic algorithm as the terminal, and compares the locally encrypted result with the encrypted terminal MAC address content taken from the Association Request; if the two are identical, verification passes.
Compared with the prior art, the present invention has the following advantages:
1. The access device authenticates the terminal's access request already in the driver, so the access request of an illegal terminal is rejected without any further parsing or authentication.
2. The 802.11 link-layer protocol is extended, so only a terminal whose driver has been modified can pass authentication, which improves reliability.
Compared with methods that check the terminal MAC against a list, this method can restrict terminals in bulk and can prevent access by illegal terminals that forge MAC addresses.
The accompanying drawing explanation
Fig. 1 is a schematic diagram of the protocol format of an 802.11 terminal access request frame in the prior art.
Fig. 2 is a schematic diagram of the protocol format of the extension in an embodiment of the present invention.
Embodiment
The technical solution of the present invention is described in detail below with reference to the drawings and embodiments.
The present invention proposes to extend the Association Request protocol of the 802.11 link-layer terminal by adding an authentication part to the protocol; the terminal places the encrypted authentication information in the extension protocol part and sends it to the AP. After the AP receives the STA's Association Request, it takes out the content of the extension protocol and verifies the authentication information; access is allowed only if verification passes. In the art, Association Request denotes the association request. In a concrete implementation, the present invention can be realised by modifying the drivers of the terminal and of the access point apparatus.
An embodiment is implemented as follows:
A WLAN access device is used as the access point (AP). The driver of the WLAN terminal equipment is extended. Fig. 1 shows the protocol format of a terminal access request frame, implemented according to the standard 802.11 protocol format; an extension protocol with the structure shown in Fig. 2 is added in the Frame Body.
As shown in Fig. 1, the protocol format of the terminal access request frame comprises:
Frame Control: frame control, 2 bytes.
Duration/ID: duration/ID, 2 bytes.
Address 1: address 1, 6 bytes.
Address 2: address 2, 6 bytes.
Address 3: address 3, 6 bytes.
Sequence Control: sequence control, 2 bytes.
Address 4: address 4, 6 bytes.
QoS Control: quality of service control, 2 bytes.
Frame Body: the frame body, specified by the standard protocol, 0 to 2312 bytes. In the prior art the Frame Body may contain several structures of the form shown in Fig. 2; the present invention adds one more such structure to carry the extension protocol.
FCS: Frame Check Sequence, 4 bytes.
As shown in Fig. 2, the added extension protocol part is the authentication part, comprising:
Element ID: the element identifier, 1 byte. In a concrete implementation, the Element ID can be chosen from the reserved numbers not occupied by the 802.11 standard protocol in the prior art, for example from 17 to 31, 45 or 51 to 126. In the embodiment, the Element ID for a given terminal is chosen as 70, from the unused reserved range of the 802.11 protocol. The access device extracts the corresponding authentication part according to the same element identifier value.
Length: the string length of the encrypted terminal MAC address content, 1 byte.
Information: the encrypted terminal MAC address content (that is, the content obtained by encrypting Address 1); its byte length is the value of the Length field.
The terminal equipment adds the data of Fig. 2 to the access request frame of Fig. 1 and sends it to the designated access device.
The driver of the WLAN access device is extended. After receiving the terminal's access request frame, the access device parses the content of the Frame Body, which is composed of several structures of the form shown in Fig. 2; it finds the structure whose Element ID is 70 and, according to Length, takes out the content of Information. It then encrypts Address 1 of Fig. 1 with the cryptographic algorithm agreed with the terminal (that is, locally in the access device, with the same cryptographic algorithm as the terminal) and compares the encrypted result with the content of Information; if they are identical, the terminal is one that is allowed to access. If no structure with Element ID 70 is found in the Frame Body, or the content of Information fails authentication, the terminal is not allowed to access.
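The following is an added example written by the editor, not code from the patent or its assignee. It shows the scheme of the Summary, of the embodiment above and of claim 1 end to end: the terminal builds an Association Request carrying the Fig. 2 structure (Element ID 70, Length, Information), and the access device walks the Frame Body, finds the structure, recomputes the value from the terminal MAC address and compares. Assumptions not fixed by the patent: the "agreed cryptographic algorithm" is HMAC-SHA256 keyed with a pre-shared key held by both drivers; the terminal MAC is taken from Address 2, the transmitter address of a station-to-AP frame (the description refers to Address 1, which in such a frame carries the BSSID); an Association Request is a management frame, so the example uses the 24-byte three-address header without the Address 4 and QoS Control fields of the general format listed above; the FCS is omitted because the radio hardware adds and strips it. The key, addresses and SSID are constructed for the example. Two practitioner caveats the patent does not address: Element ID 70 is no longer reserved (802.11-2012 assigns it to RM Enabled Capabilities), so a real deployment should carry the structure in a Vendor Specific element (ID 221) under its own OUI; and because the value is a deterministic function of the MAC sent in a cleartext management frame, a captured frame replays successfully, which the last scenario in demo() shows.

```python
import hashlib
import hmac
import struct

EXT_ELEMENT_ID = 70   # Element ID chosen in the embodiment (see caveat in the lead-in)
SSID_ID, SUPPORTED_RATES_ID = 0, 1
MGMT_HEADER_LEN = 24  # Frame Control, Duration, Address 1-3, Sequence Control
FIXED_FIELDS_LEN = 4  # Capability Information (2) + Listen Interval (2)

# Constructed pre-shared key standing in for the algorithm "agreed" by both drivers.
SHARED_KEY = b"example-key-installed-in-sta-and-ap-drivers"


def mac_token(mac: bytes, key: bytes = SHARED_KEY) -> bytes:
    """'Encrypted terminal MAC address': HMAC-SHA256 of the 6-byte MAC (assumed algorithm)."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return hmac.new(key, mac, hashlib.sha256).digest()


def build_element(element_id: int, info: bytes) -> bytes:
    """Fig. 2 structure: Element ID (1 byte) | Length (1 byte) | Information (Length bytes)."""
    if not 0 <= len(info) <= 255:
        raise ValueError("Information must fit a one-byte Length field")
    return bytes([element_id, len(info)]) + info


def build_assoc_request(sta_mac: bytes, bssid: bytes, ssid: bytes,
                        key: bytes = SHARED_KEY, include_ext: bool = True) -> bytes:
    """Terminal side: association request with the extension structure appended to the body."""
    frame_control = b"\x00\x00"        # version 0, type management, subtype association request
    duration = b"\x00\x00"
    sequence_control = b"\x00\x00"
    # Address 1 = receiver (BSSID), Address 2 = transmitter (STA), Address 3 = BSSID
    header = frame_control + duration + bssid + sta_mac + bssid + sequence_control
    fixed = struct.pack("<HH", 0x0431, 10)   # capability info, listen interval (sample values)
    body = fixed + build_element(SSID_ID, ssid)
    body += build_element(SUPPORTED_RATES_ID, bytes([0x82, 0x84, 0x8B, 0x96]))
    if include_ext:
        body += build_element(EXT_ELEMENT_ID, mac_token(sta_mac, key))
    return header + body   # FCS omitted: added and stripped by the radio hardware


def parse_elements(elements: bytes):
    """Walk the TLV structures of the Frame Body; a truncated structure ends the walk."""
    pos = 0
    while pos + 2 <= len(elements):
        element_id, length = elements[pos], elements[pos + 1]
        info = elements[pos + 2:pos + 2 + length]
        if len(info) != length:
            break
        yield element_id, info
        pos += 2 + length


def ap_verify(frame: bytes, key: bytes = SHARED_KEY) -> bool:
    """Access device side: locate Element ID 70, recompute the value, compare; refuse otherwise."""
    if len(frame) < MGMT_HEADER_LEN + FIXED_FIELDS_LEN or frame[0] != 0x00:
        return False                    # not an association request
    sta_mac = frame[10:16]              # Address 2, the transmitter address
    elements = frame[MGMT_HEADER_LEN + FIXED_FIELDS_LEN:]
    for element_id, info in parse_elements(elements):
        if element_id == EXT_ELEMENT_ID:
            # constant-time compare so timing does not leak how many bytes matched
            return hmac.compare_digest(info, mac_token(sta_mac, key))
    return False                        # structure absent: terminal is not allowed


def demo() -> dict:
    """Constructed scenarios for the checks above (addresses and SSID are made up)."""
    sta = bytes.fromhex("001122334455")
    bssid = bytes.fromhex("aabbccddeeff")
    good = build_assoc_request(sta, bssid, b"lab-ssid")
    no_element = build_assoc_request(sta, bssid, b"lab-ssid", include_ext=False)
    wrong_key = build_assoc_request(sta, bssid, b"lab-ssid", key=b"guessed-key")
    # Attacker reuses the captured structure but transmits from its own MAC address.
    spoofed = good[:10] + bytes.fromhex("66778899aabb") + good[16:]
    return {
        "legitimate": ap_verify(good),
        "no_element": ap_verify(no_element),
        "wrong_key": ap_verify(wrong_key),
        "spoofed_mac": ap_verify(spoofed),
        "replayed_verbatim": ap_verify(bytes(good)),   # captured frame replayed unchanged
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:>18}: {'allow' if allowed else 'refuse'}")
```

The spoofed_mac scenario is the case the patent's advantage 2 describes: an attacker who changes its MAC to an allowed one without the key fails, because the value is bound to the transmitter address. The replayed_verbatim scenario is the gap: the same frame, captured over the air and resent unchanged, passes, so a deployment that wants resistance to replay needs a per-association nonce or a challenge from the AP, which the patent does not provide.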
The above example is a preferred embodiment of the present invention, but embodiments of the present invention are not restricted to the described embodiment; any other changes, modifications, substitutions, combinations and simplifications made without departing from the spirit and principle of the present invention are equivalent substitutions and fall within the scope of protection of the present invention.

Claims (1)

1. A terminal access restriction method based on the 802.11 protocol in a WLAN, characterised in that:
the Association Request protocol of the 802.11 link-layer terminal is extended by adding an extension protocol part to the Association Request, the extension protocol part comprising an element identifier, the content obtained by encrypting the terminal MAC address, and the string length of the encrypted terminal MAC address content; the terminal generates an Association Request according to the extended Association Request protocol and sends it to the access device;
after the access device receives the terminal's Association Request, it takes out the content of the extension protocol part and verifies it, and access is allowed only if verification passes; verification is performed as follows:
the access device searches the Association Request for the element identifier and, according to the string length of the encrypted terminal MAC address content, takes out the encrypted terminal MAC address content; it then encrypts the terminal MAC address locally with the same cryptographic algorithm as the terminal, and compares the locally encrypted result with the encrypted terminal MAC address content taken from the Association Request; if the two are identical, verification passes.
CN201310363562.8A, priority date 2013-08-20, filing date 2013-08-20: Terminal access restriction method based on the 802.11 protocol in a WLAN. Active. CN103402202B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310363562.8A CN103402202B (en) 2013-08-20 2013-08-20 Terminal access restriction method based on the 802.11 protocol in a WLAN

Publications (2)

Publication Number Publication Date
CN103402202A true CN103402202A (en) 2013-11-20
CN103402202B CN103402202B (en) 2016-03-16

Family

ID=49565701

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310363562.8A Active CN103402202B (en) 2013-08-20 2013-08-20 Terminal access restriction method based on the 802.11 protocol in a WLAN

Country Status (1)

Country Link
CN (1) CN103402202B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105263141A (en) * 2015-10-30 2016-01-20 广东美的制冷设备有限公司 Household electrical appliance and control method thereof
CN109714761A (en) * 2019-02-25 2019-05-03 成都瑞小博科技有限公司 A kind of method and system preventing MAC sniff

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805441A (en) * 2005-11-23 2006-07-19 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
US20100161959A1 (en) * 2008-12-23 2010-06-24 Kapil Sood Method and apparatus for extending transport layer security protocol for power-efficient wireless security processing

Also Published As

Publication number Publication date
CN103402202B (en) 2016-03-16

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
  Address after: 430205 No.1 Tanhu 2nd Road, Canglong Island, Jiangxia District, Wuhan City, Hubei Province
  Patentee after: CITIC Mobile Communication Technology Co., Ltd
  Address before: 430073 No.5 Dongxin Road, East Lake High-tech Development Zone, Wuhan City, Hubei Province
  Patentee before: Wuhan Hongxin Telecommunication Technologies Co.,Ltd.
CP01 Change in the name or title of a patent holder
  Address after: 430205 No.1 Tanhu 2nd Road, Canglong Island, Jiangxia District, Wuhan City, Hubei Province
  Patentee after: CITIC Mobile Communication Technology Co.,Ltd.
  Address before: 430205 No.1 Tanhu 2nd Road, Canglong Island, Jiangxia District, Wuhan City, Hubei Province
  Patentee before: CITIC Mobile Communication Technology Co., Ltd