[0019] Referring to Figure 1, the wireless local area network of the present invention contains two kinds of wireless access point (AP): the police AP1, and a number of access AP2s within the coverage of the police AP1. Each access AP2 can report its own identity information on request, and the police AP1 collects this information and judges from it whether the identity of each access AP2 in the local area network is legitimate. The police AP1 periodically scans its coverage area and performs a protocol interaction with every access AP2 it finds. If the interaction succeeds, the AP is a legal access AP and its data is recorded for later reference; if the interaction fails, the AP is judged to be a possible illegal AP and an alarm is sent to the network management system. Thus, provided the access AP2s in a local area network support identity reporting and enough police AP1s capable of collecting and reporting this information are placed appropriately, an illegal AP that joins the network will be discovered by one or more police AP1s, which raise a warning at the same time. This makes it easy to narrow down the location of the illegal AP so that an administrator can find and remove it. The specific judgment process is shown in Figure 2:
[0020] 1) The police AP1, operating in station mode, performs 802.11 negotiation with the access AP2; it periodically searches for and connects to the access AP2s in range;
[0021] 2) The police AP1 sends an identity request message to the access AP2, asking it to reply with its own identity information;
[0022] 3) A legal access AP2, on receiving the identity request message, replies with an identity confirmation message to the police AP1;
[0023] 4) The police AP1 collects the identity confirmation messages sent by each access AP2;
[0024] 5) The police AP1 marks every access AP2 that sent an identity confirmation message as a legal access AP2 and reports its identity information to the network management system;
[0025] 6) For an access AP that does not send an identity confirmation message within the specified time, the police AP1 resends the identity request message twice; if there is still no reply, the AP is marked as an illegal AP;
[0026] 7) For an AP marked as illegal, the police AP1 sends an alarm to the network management system, giving its own name and location (if any) together with identification information of the illegal AP such as its name and MAC (Media Access Control) address;
[0027] 8) The network management system receives the alarm and displays it to the administrator. The administrator analyses the data to determine the location of the illegal access AP and removes it from the network.
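The judgment process of steps 1) to 8), as an added example in Python that is not the patent's own code. The 802.11 association and the private identity protocol are stood in for by plain dictionaries exchanged between objects, which lets the timeout, the two retransmissions of step 6), the state table of step 5) and the alarm record of step 7) be run on a constructed set of scanned APs. The MAC addresses, the SSID, the AP list and the `lost_requests` counter that models a request the AP never hears are all constructed inputs.

```python
"""Simulation of the police-AP judgment loop of Figure 2 (added example, not the
patent's code).  Real 802.11 frames are replaced by dictionaries passed between
an AccessAP object and a PoliceAP object."""
from dataclasses import dataclass, field

IDENTITY_REQUEST = "identity_request"
IDENTITY_CONFIRM = "identity_confirm"
MAX_RETRANSMITS = 2   # step 6): resend the request twice before marking an AP illegal


@dataclass
class AccessAP:
    mac: str
    ssid: str
    supports_identity: bool   # True for an AP that implements the identity protocol
    lost_requests: int = 0    # constructed: how many requests this AP "does not hear"

    def receive(self, msg):
        """Return the identity confirmation message, or None (no reply within time)."""
        if not self.supports_identity or msg["type"] != IDENTITY_REQUEST:
            return None
        if self.lost_requests > 0:          # models a lost frame or a late reply
            self.lost_requests -= 1
            return None
        return {"type": IDENTITY_CONFIRM, "police_mac": msg["police_mac"],
                "ap_mac": self.mac, "ssid": self.ssid}


@dataclass
class PoliceAP:
    mac: str
    location: str
    legal: dict = field(default_factory=dict)    # step 5): state table of confirmed APs
    alarms: list = field(default_factory=list)   # step 7): alarms for network management

    def interrogate(self, ap):
        """Steps 2) to 7) for one scanned AP; returns the verdict 'legal' or 'illegal'."""
        request = {"type": IDENTITY_REQUEST, "police_mac": self.mac, "ap_mac": ap.mac}
        for attempt in range(1, MAX_RETRANSMITS + 2):   # first send plus two resends
            reply = ap.receive(request)
            if (reply is not None and reply["type"] == IDENTITY_CONFIRM
                    and reply["police_mac"] == self.mac and reply["ap_mac"] == ap.mac):
                self.legal[ap.mac] = {"ssid": reply["ssid"], "attempts": attempt}
                return "legal"
        self.alarms.append({
            "police_mac": self.mac, "police_location": self.location,
            "rogue_mac": ap.mac, "rogue_ssid": ap.ssid,   # name and MAC of the illegal AP
        })
        return "illegal"

    def scan_cycle(self, scanned_aps):
        """One periodic scan; step 1) discovery is given as a list.  Returns verdicts."""
        return {ap.mac: self.interrogate(ap) for ap in scanned_aps}


def run_demo():
    """Constructed scan: two well-behaved APs, one that loses all three requests,
    and a rogue that copies the SSID but cannot answer the identity protocol."""
    police = PoliceAP(mac="00:11:22:33:44:55", location="Building A, floor 2")
    scanned = [
        AccessAP("aa:aa:aa:00:00:01", "corp-wifi", supports_identity=True),
        AccessAP("aa:aa:aa:00:00:02", "corp-wifi", supports_identity=True, lost_requests=2),
        AccessAP("aa:aa:aa:00:00:03", "corp-wifi", supports_identity=True, lost_requests=3),
        AccessAP("de:ad:be:ef:00:01", "corp-wifi", supports_identity=False),
    ]
    return police, police.scan_cycle(scanned)


if __name__ == "__main__":
    police, verdicts = run_demo()
    for mac, verdict in verdicts.items():
        print(mac, verdict)
    for alarm in police.alarms:
        print("ALARM", alarm)
```

The third AP shows the failure mode built into step 6): an AP that misses three requests in a row on a congested channel is reported exactly like the rogue, so the administrator in step 8) has to treat an alarm as a candidate to investigate, not as proof.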
[0028] The above judgment is realized in two parts, the access AP2 and the police AP1. The two types of AP are deployed in the same LAN and take on different responsibilities. The access AP2 performs the original access function but additionally sends the prescribed legitimacy messages; the police AP1 scans for access AP2s, analyses their legitimacy, and finds and reports illegal access APs.
[0029] The present invention actively scans the wireless network monitored by the police AP1 and associates and communicates with each scanned access AP2. The police AP1 associates with the access AP2 through the standard 802.11 protocol and obtains its state through the private communication protocol. The police AP1 maintains a state data table of all access AP2s it can scan, and at a fixed interval reports the status information of the detected access AP2s to the network management system.
[0030] Placing the police AP1 within the overlapping coverage of multiple access AP2s effectively reduces the number of police AP1s required. Since the number of access AP2s each police AP1 has to manage is bounded by its coverage, it will not be too large, and the scanning cycle can be kept within a few minutes. The invention thus solves the problem of searching for devices that access the network illegally. The police AP1 may be fixed in one place and responsible for device detection in a fixed area; it may equally be a mobile handheld device with which a user carries out search and detection.
[0031] Since the bearer protocol of the present invention is still wireless 802.11, security is especially important. In a specific implementation, 802.11i-based WPA (Wi-Fi Protected Access) authentication or WPA-PSK (Wi-Fi Protected Access with Pre-shared Key) authentication is adopted. The requirements these two authentication modes place on the devices are as follows:
[0032] 1) If the system supports WPA throughout the wireless network and can provide an authentication server, enable WPA authentication on the access AP2 and the police AP1;
[0033] 2) If the system supports WPA throughout the wireless network but cannot provide an authentication server, enable WPA-PSK authentication on the access AP2 and the police AP1;
[0034] 3) If the system does not support WPA in the wireless network, enable WEP (Wired Equivalent Privacy) encryption on the access AP2 and the police AP1. (WEP is listed only as a fallback: it is cryptographically broken and gives no real protection against an attacker who captures traffic, so the identity exchange itself must not depend on it for authenticity.)
[0035] The identity information interaction between the police AP1 and the access AP2 is completed with a set of private protocols. Referring to Figure 3, the identity request message sent by the police AP1 contains the following fields:
[0036] 1) Access AP MAC address;
[0037] 2) Police AP MAC address;
[0038] 3) Protocol type;
[0039] 4) Message type;
[0040] 5) Identity encryption number;
[0041] 6) Encrypted AP SSID (Service Set Identifier).
[0042] Referring to Figure 4, the identity confirmation message replied by the access AP2 contains the following fields:
[0043] 1) Police AP MAC address;
[0044] 2) Access AP MAC address;
[0045] 3) Protocol type;
[0046] 4) Message type;
[0047] 5) Identity encryption number;
[0048] 6) Encrypted AP SSID.
[0049] In the above messages, the identity encryption number selects one of a set of identity encryption codes agreed in advance between the access AP2 and the police AP1; there are at least three such sets. When the devices are set up, both sides must hold the same one-to-one correspondence between number and encryption code. During an interaction, however, the two sides must not select the encryption code with the same number. In this way both the access AP2 and the police AP1 can further verify the legitimacy of a message of this type after receiving it.
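The identity request and confirmation messages of Figures 3 and 4, together with the identity encryption number check of [0049], as an added Python example that is not the patent's own code. The page does not fix a wire layout, a protocol type value or a cipher, so these are assumptions: the six fields are packed as a big-endian header (two MAC addresses, a 16-bit protocol type, an 8-bit message type, an 8-bit encryption number) followed by the encrypted SSID; the protocol type value 0x88B5 and the SHA-256-based keystream are placeholders for whatever a real implementation uses; the code table is constructed; and the rule that the reply must carry a different encryption number than the request is this example's reading of "cannot select the encryption code with the same number". The police AP compares the decrypted SSID in the reply with the SSID it put in its request, so a device that knows the frame format but not the agreed codes fails the check.

```python
"""Private identity protocol messages of Figures 3 and 4 with the [0049] number rule
(added example, not the patent's code; layout, protocol type and cipher are assumptions)."""
import hashlib
import struct

PROTOCOL_TYPE = 0x88B5                # assumption: value carried in the "protocol type" field
MSG_IDENTITY_REQUEST = 0x01
MSG_IDENTITY_CONFIRM = 0x02
HEADER = struct.Struct("!6s6sHBB")    # dst MAC, src MAC, protocol type, message type, number

# Constructed table agreed in advance on both sides: number -> encryption code (>= 3 sets).
CODE_TABLE = {1: b"code-one-7f3a", 2: b"code-two-9c41", 3: b"code-three-02e8"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _keystream(code, length):
    """Stand-in stream cipher: SHA-256(code || counter) blocks, XORed with the SSID."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(code + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, code):
    return bytes(a ^ b for a, b in zip(data, _keystream(code, len(data))))


def build_message(dst_mac, src_mac, msg_type, number, ssid, table=CODE_TABLE):
    """Fields 1) to 6): header plus the SSID encrypted under the code selected by `number`."""
    header = HEADER.pack(mac_bytes(dst_mac), mac_bytes(src_mac), PROTOCOL_TYPE, msg_type, number)
    return header + _xor(ssid.encode("utf-8"), table[number])


def parse_message(frame, table=CODE_TABLE):
    """Split a frame into its fields and decrypt the SSID; ValueError if it is not ours."""
    if len(frame) < HEADER.size:
        raise ValueError("frame too short")
    dst, src, proto, msg_type, number = HEADER.unpack_from(frame)
    if proto != PROTOCOL_TYPE:
        raise ValueError("not an identity protocol message")
    if number not in table:
        raise ValueError(f"unknown identity encryption number {number}")
    try:
        ssid = _xor(frame[HEADER.size:], table[number]).decode("utf-8")
    except UnicodeDecodeError:
        ssid = None    # wrong code on the sender's side: plaintext is garbage
    return {"dst": mac_str(dst), "src": mac_str(src), "type": msg_type,
            "number": number, "ssid": ssid}


def check_confirmation(request, confirm, table=CODE_TABLE):
    """Police-AP side check of a reply against the request it sent: (ok, reason)."""
    try:
        req = parse_message(request, table)
        conf = parse_message(confirm, table)
    except ValueError as exc:
        return False, str(exc)
    if req["type"] != MSG_IDENTITY_REQUEST or conf["type"] != MSG_IDENTITY_CONFIRM:
        return False, "wrong message type"
    if conf["dst"] != req["src"] or conf["src"] != req["dst"]:
        return False, "MAC addresses do not match the request"
    if conf["number"] == req["number"]:
        return False, "reply reused the request's encryption number"   # [0049] rule
    if conf["ssid"] is None or conf["ssid"] != req["ssid"]:
        return False, "SSID does not decrypt to the expected value"
    return True, "ok"


def run_demo():
    """Constructed exchange: one good reply, one that reflects the request's number,
    one from a device that knows the layout but guessed the code."""
    police, ap = "00:11:22:33:44:55", "aa:aa:aa:00:00:01"
    request = build_message(ap, police, MSG_IDENTITY_REQUEST, 1, "corp-wifi")
    good = build_message(police, ap, MSG_IDENTITY_CONFIRM, 2, "corp-wifi")
    reused = build_message(police, ap, MSG_IDENTITY_CONFIRM, 1, "corp-wifi")
    rogue = build_message(police, ap, MSG_IDENTITY_CONFIRM, 3, "corp-wifi", table={3: b"guess"})
    return {"good": check_confirmation(request, good),
            "reused": check_confirmation(request, reused),
            "rogue": check_confirmation(request, rogue),
            "short": check_confirmation(request, b"\x00" * 8)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:7s} -> {result}")
```

The number in the header is sent in clear, so it is not a secret; what the rule in [0049] buys is that a reply built by copying the request's own fields back is rejected outright, and the SSID comparison is the step that actually depends on the agreed codes.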