Wireless network safe access method, apparatus and system

A wireless network secure access technology, applied in the field of wireless network secure access methods, devices and systems, that addresses problems such as encryption methods being cracked, complicated operation processes and encryption methods being easily leaked, achieving the effects of security protection and convenient use.

Active Publication Date: 2014-04-09
ZTE CORP
4 Cites 62 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0005] However, due to the open characteristics of wireless LAN channels, each of the above encryption methods has certain defects. For example, when enough data packets are obtained, the encryption method will be cracked; hidden SSIDs can be found with SSID scanning software; and so on.
It can be seen tha...

Method used

[0079] In summary, the access method provided by the method described in the embodiment of the present invention does not require the user to perform any complicated settings, does not require the user to understand which encryption algorithm the AP uses, and does not require the user to input a complex WLAN network password, which is convenient for the user; in addition, in the embodiment of the present invention, by setting a white list, the legitimacy of the accessing user is checked in a binding manner, which can effectively protect the security of the wireless network.
[0098] In summary, the access method provided by the device described in the embodiment of the present invention does not require the user to perform any complicated settings, does not require the user to know what encryption algorithm the AP uses, and does not require the user to inpu...

Abstract

The invention discloses a wireless network secure access method, apparatus and system. The method comprises the following steps: an access point (AP) receives a probe request frame sent by a station (STA) and obtains the user name, the user password and the MAC address of the STA carried by the probe request frame; the AP invokes a white list configured in advance, uses the white list to detect whether the user name, the user password and the MAC address of the STA are valid, and, when the detection results are all valid, feeds back to the STA a probe request response frame carrying an encryption mode and key information. With the access method provided by the invention, the user does not need to carry out complex configuration, does not need to know which encryption algorithm the AP adopts, and does not need to input a complex WLAN password, which is convenient for the user; in addition, the white list is used to detect the validity of the accessing user in a binding mode, so that the security of the wireless network can be effectively protected.

Application Domain

Security arrangement

Technology Topic

Encryption, MAC address


Example Embodiment

[0033] The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.
[0034] In order to solve the problems in the prior art that the wireless network access operation process is complicated and the encryption method is easily leaked, the embodiments of the present invention provide a wireless network secure access method, device and system. The present invention is applicable to any user; preferably, it is applicable to enterprise users with many users accessing the WLAN network.
[0035] The technical scheme of the present invention enables users with specific rights to use a specific WLAN network, while taking into account the security of the WLAN network. When a user needs to access a specific WLAN network, he only needs to input the user name and user password and select the corresponding SSID, and is then automatically connected to the corresponding WLAN network. During the access process, the user does not need to make any complicated settings, does not need to know which encryption algorithm the AP uses, and does not need to enter a complex WLAN network password, which is convenient for the user.
[0036] Specifically, when the user enters the user name and user password and selects the corresponding SSID, the STA sends a Probe Request (probe request) frame. Unlike the current Probe Request frame, the STA puts its current MAC address, the user name, and the user password into the extension field. When the AP receives the Probe Request frame, it calls the pre-configured white list. First, it checks whether the MAC address is a legitimate user; then, it checks whether the user name and password are correct; finally, it checks whether the MAC address corresponding to the user name in the white list is the current MAC address. If any of the above steps fails, the AP does not respond to the probe request frame of the STA. If the MAC address, user name, and user password are all correct, the AP continues to perform authentication and association operations with the STA and establishes a connection with the STA, after which the STA can conduct data services through the AP.
[0037] The implementation process of the present invention will be described in detail below through several specific embodiments.
[0038] Method embodiment
[0039] As shown in Figure 1, a wireless network secure access method provided by an embodiment of the present invention specifically includes:
[0040] Step S101, the AP receives the probe request frame sent by the STA, and obtains the user name, user password and MAC address of the STA carried in the probe request frame;
[0041] Furthermore, in the method described in this embodiment, the AP also periodically broadcasts Beacon (beacon) frames, in order to inform surrounding STAs of its SSID, channel, supported rate, and other information for STAs to make access choices.
[0042] Step S102, the AP invokes the pre-configured white list and uses the white list to detect whether the user name, user password, and STA's MAC address are legal, and, when the detection results are all legal, feeds back to the STA a Probe Request Response frame carrying the encryption method and key information.
[0043] Preferably, legal user names, user passwords and MAC addresses are recorded in the white list, as well as the matching correspondence among the three;
[0044] In this step, the detection results are all legal means: the user name, user password and MAC address of the STA are all in the white list, and the corresponding relationship among the three matches the corresponding relationship recorded in the white list.
[0045] To be precise, when the AP performs detection, the specific operations are as follows:
[0046] Step 1. After receiving the probe request frame, the AP checks the whitelist to confirm whether the MAC address carried in the probe request frame is a legitimate user. If so, perform step 2; otherwise, the AP does not respond to the probe request frame of the STA;
[0047] Step 2, AP checks whether the user name and user password are correct, if so, execute step 3; otherwise, the AP does not respond to the probe request frame of the STA;
[0048] Step 3. The AP checks whether the MAC address corresponding to the user name in the whitelist is the MAC address carried in the probe request frame. If so, it determines that the user name, user password, and STA's MAC address are legal; otherwise, the AP does not respond to the STA's probe request frame.
[0049] Further, after performing the step S102, the method according to the embodiment of the present invention also performs the following operations:
[0050] (1) STA sends Authentication Request frame (authentication request frame);
[0051] (2) The AP sends an Authentication Response frame to confirm that the authentication is successful;
[0052] (3) STA sends Association Request frame (association request frame);
[0053] (4) The AP sends an Association Response frame to confirm that the association is successful;
[0054] (5) STA and AP successfully establish a connection, and both use the same encryption method and key to communicate.
[0055] In order to illustrate the implementation process of the present invention more clearly, the wireless network secure access method provided by the method embodiment of the present invention will be further described in detail below in conjunction with the schematic diagram of the connection establishment process between the STA and the AP. As shown in Figure 2, the process includes:
[0056] Step 1, the AP is powered on for initialization, and the main control process reads the Wi-Fi configuration items to determine whether to call the Wi-Fi process;
[0057] Step 2, when the Wi-Fi configuration item is closed, the Wi-Fi process is not invoked. At this time, the AP works in modem mode;
[0058] Step 3, when the Wi-Fi configuration item is enabled, call the Wi-Fi process. At this time, AP works in modem&wi-fi mode;
[0059] Step 4, the Wi-Fi process calls the wifi_ap_whitename_read() function to update the ap_whitename.xml file;
[0060] Step 5, the WEB SERVER process calls the web_server_whitename_read() function to read the above xml file;
[0061] Step 6, the WEB UI process calls the web_ui_whitename_show() function, reads the above xml file, and displays it on the WEB UI;
[0062] Step 7, the network administrator logs in to the WEB UI, adds a whitelist that allows access, and the WEB UI process passes the above information to the WEB SERVER process through an HTTP request;
[0063] Step 8, the WEB SERVER process passes the above information to the Wi-Fi process through the message queue mechanism;
[0064] Step 9, the Wi-Fi process calls the wifi_ap_whitename_read() function to write the above information into the ap_whitename.xml file;
[0065] Step 10, the Wi-Fi process calls the wifi_ap_beacon_broadcast() function to periodically inform the surrounding STAs of its SSID, channel, supported rate and other information;
[0066] Step 11, when the STA needs to access the AP, the STA inputs the user name, the user password, and selects the corresponding SSID; at this time, the STA sends a Probe Request frame including the user name, the user password and the MAC address of the STA to the AP;
[0067] Step 12, after the AP receives the Probe Request frame, the Wi-Fi process calls the wifi_ap_mac_filter() function to check whether the MAC address carried in the frame is a legitimate user;
[0068] Step 13, according to the operation result of step 12, if it is not a legal user, the AP does not respond to the probe request frame of the STA;
[0069] Step 14, according to the operation result of step 12, if it is a legitimate user, the Wi-Fi process calls the wifi_ap_id_pwd() function to judge whether the user name and user password input by the STA are correct;
[0070] Step 15, according to the operation result of step 14, if it is incorrect, the AP does not respond to the Probe Request frame of the STA;
[0071] Step 16, according to the operation result of step 14, if correct, the Wi-Fi process calls the wifi_ap_mac_id() function to determine whether the MAC address corresponding to the current user name in the whitelist is the MAC address carried by the Probe Request frame;
[0072] Step 17, according to the operation result of step 16, if not, the AP does not respond to the Probe Request frame of the STA;
[0073] Step 18, according to the operation result of step 16, if yes, the Wi-Fi process calls the wifi_ap_probe_response() function, responds to the above request frame, and sends information such as encryption method and encryption key to the STA;
[0074] Step 19, when the STA receives the Probe Response frame, the STA sends the Authentication frame;
[0075] Step 20, after the AP receives the frame, the Wi-Fi process calls the wifi_ap_authentication_response() function, responds to the frame, and confirms that the authentication is successful;
[0076] Step 21, when the STA receives the Authentication frame, the STA sends an Association Request frame;
[0077] Step 22, after the AP receives the frame, the Wi-Fi process calls the wifi_ap_association_response() function, responds to the frame, and confirms that the association is successful;
[0078] Step 23, the STA and the AP successfully establish a connection, and both use the same encryption method and key to communicate.
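The three-step check of paragraphs [0046]-[0048], which steps 12 to 18 above attribute to wifi_ap_mac_filter(), wifi_ap_id_pwd() and wifi_ap_mac_id(), written out in C. This is an added example, not code from the patent: the names wl_entry, probe_verdict, check_probe and ct_str_equal are hypothetical, an in-memory table stands in for ap_whitename.xml, the sample records are constructed, and the comparison that does not stop at the first mismatching character is an addition the page does not mention.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One whitelist record: a bound (user name, password, MAC address) triple. */
struct wl_entry { const char *user; const char *password; uint8_t mac[6]; };

enum probe_verdict {
    PROBE_DROP_MAC,     /* step 1 failed: MAC address not in the whitelist */
    PROBE_DROP_CRED,    /* step 2 failed: user name or password is wrong   */
    PROBE_DROP_BINDING, /* step 3 failed: user is bound to a different MAC */
    PROBE_RESPOND       /* all checks passed: send the probe response      */
};

/* Compare a supplied string with a stored one without stopping at the first
 * mismatch; the loop length depends only on the supplied string. */
static bool ct_str_equal(const char *supplied, const char *stored)
{
    size_t ls = strlen(supplied), lt = strlen(stored);
    unsigned char diff = (unsigned char)(ls != lt);
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned char)(supplied[i] ^ stored[i % (lt ? lt : 1)]);
    return diff == 0;
}

enum probe_verdict check_probe(const struct wl_entry *wl, size_t n,
                               const uint8_t mac[6],
                               const char *user, const char *password)
{
    bool mac_known = false, cred_ok = false, bound = false;
    for (size_t i = 0; i < n; i++) {
        bool mac_hit = memcmp(wl[i].mac, mac, 6) == 0;
        /* '&' instead of '&&' so both fields are always compared */
        bool cred_hit = ct_str_equal(user, wl[i].user)
                      & ct_str_equal(password, wl[i].password);
        mac_known |= mac_hit;            /* step 1: MAC is whitelisted     */
        cred_ok   |= cred_hit;           /* step 2: credentials are valid  */
        bound     |= mac_hit & cred_hit; /* step 3: one record holds both  */
    }
    /* Verdicts follow the page's order: MAC, credentials, binding. */
    if (!mac_known) return PROBE_DROP_MAC;
    if (!cred_ok)   return PROBE_DROP_CRED;
    if (!bound)     return PROBE_DROP_BINDING;
    return PROBE_RESPOND;
}

/* Constructed sample data (illustrative values, not from the page). */
static const struct wl_entry SAMPLE_WL[] = {
    { "alice", "correct-horse",  {0x02, 0x00, 0x00, 0x00, 0x00, 0x01} },
    { "bob",   "battery-staple", {0x02, 0x00, 0x00, 0x00, 0x00, 0x02} },
};
static const uint8_t MAC_ALICE[6]   = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t MAC_BOB[6]     = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
static const uint8_t MAC_UNKNOWN[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x99};

int main(void)
{
    /* prints 3 (respond), 2 (alice's credentials from bob's MAC), 0 (unknown MAC) */
    printf("%d\n", check_probe(SAMPLE_WL, 2, MAC_ALICE, "alice", "correct-horse"));
    printf("%d\n", check_probe(SAMPLE_WL, 2, MAC_BOB, "alice", "correct-horse"));
    printf("%d\n", check_probe(SAMPLE_WL, 2, MAC_UNKNOWN, "alice", "correct-horse"));
    return 0;
}
```

All three inputs are reported by the STA itself in a frame sent before any key is established, and the page describes no protection for the extension field, so this check binds the values together but does not cryptographically authenticate the sender.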
[0079] In summary, the access method provided by the method described in the embodiment of the present invention does not require the user to perform any complicated settings, does not require the user to know which encryption algorithm the AP uses, and does not require the user to input a complex WLAN network password, which is convenient for the user; in addition, in the embodiment of the present invention, by setting a white list, the legitimacy of the accessing user is checked in a binding manner, which can effectively protect the security of the wireless network.
[0080] Device embodiment
[0081] As shown in Figure 3, the embodiment of the present invention provides an access point AP, which specifically includes:
[0082] The message receiving unit 310 is configured to receive the probe request frame sent by the STA, and obtain the user name, user password and MAC address of the STA carried in the probe request frame;
[0083] The message processing unit 320 is configured to call a pre-configured white list, use the white list to detect whether the user name, user password, and MAC address of the STA are legal, and, when the detection results are all legal, feed back to the STA a probe request response frame carrying the encryption mode and key information.
[0084] Preferably, the white list invoked by the message processing unit 320 records legal user names, user passwords, and MAC addresses, as well as matching and corresponding relationships among the three.
[0085] Preferably, the message processing unit 320 is specifically configured to detect whether the user name, user password, and MAC address of the STA are all in the white list, and whether the correspondence among the three matches the correspondence recorded in the white list; when both results are yes, it determines that the detection results are all legal.
[0086] Further, after the access point AP in the embodiment of the present invention completes the above discovery process, it continues to perform authentication and association operations with the STA.
[0087] In order to more clearly illustrate the implementation process of the device embodiment of the present invention, the access point AP provided by the device embodiment of the present invention will be further described in detail below through a specific example. The access point AP specifically includes:
[0088] WEB UI module (WEB interface module), Web Server module (background server module for user interface operations), Main Control module (main control module), WLAN Control module (WLAN network control module), WLAN Beacon module (WLAN network beacon module), WLAN Probe module (WLAN network detection module), WLAN Authentication module (WLAN network authentication module), WLAN Association module (WLAN network association module), and Internet Connect module (network connection module); wherein the WLAN Probe module specifically includes a message receiving unit 310 and a message processing unit 320. Wherein:
[0089] The WEB UI module is the interactive interface between the user and the AP, through which the user can select the network connection mode, query the phone book, send short messages and perform other operations.
[0090] The Web Server module is the background processing program module of the WEB UI module, which is mainly used to process various requests submitted by the WEB UI module.
[0091] The Main Control module is the main control module of the AP, which maintains a state machine of the AP and invokes functional modules such as network connection, phone book, and short message according to different messages.
[0092] The WLAN Control module is a WLAN network control module, which mainly implements functions such as scanning, authentication, and association under the WLAN network.
[0093] The WLAN Beacon module is responsible for periodically broadcasting Beacon frames to inform surrounding STAs of its SSID, channel, supported rate, and other information.
[0094] The WLAN Probe module, by means of the message receiving unit 310 and the message processing unit 320, receives the Probe Request frame sent by the STA and checks the carried MAC address, user name, and user password to detect the legitimacy of the STA, thereby completing the response to the STA's Probe Request frame;
[0095] The WLAN Authentication module is responsible for responding to the STA's Authentication Request frame, that is, the authentication request frame.
[0096] The WLAN Association module is responsible for responding to the Association Request frame of the STA, that is, the association request frame.
[0097] The Internet Connect module mainly controls whether to access the Internet after the STA is successfully associated with the AP.
[0098] To sum up, the access method provided by the device described in the embodiment of the present invention does not require the user to make any complicated settings, does not require the user to know which encryption algorithm the AP uses, and does not require the user to input a complex WLAN network password, which is convenient for the user; in addition, in the embodiment of the present invention, by setting a white list, the legitimacy of the accessing user is checked in a binding manner, which can effectively protect the security of the wireless network.
[0099] System embodiment
[0100] As shown in Figure 4, the embodiment of the present invention also provides a wireless network security access system, specifically including: STA 410 and AP 420, wherein:
[0101] The STA 410 is configured to send a probe request frame to the AP 420, the probe request frame carrying a user name, a user password, and a MAC address of the STA; and to receive a probe request response frame fed back by the AP 420;
[0102] The AP 420 is configured to receive the probe request frame sent by the STA 410, invoke a pre-configured white list, use the white list to detect whether the user name, user password, and MAC address of the STA are legal, and, when the detection results are all legal, feed back to the STA 410 the probe request response frame carrying encryption mode and key information.
[0103] Preferably, in the system described in the embodiment of the present invention, the pre-configured white list records legal user names, user passwords and MAC addresses, and the matching correspondence between the three;
[0104] Preferably, in the system described in the embodiment of the present invention, the detection results being all legal means that the user name, user password and MAC address of the STA are all in the white list, and the correspondence among the three matches the correspondence recorded in the white list.
[0105] Further, in the system described in the embodiment of the present invention:
[0106] The STA 410 is further configured to send an authentication request frame to the AP 420 after receiving the probe request response frame, send an association request frame to the AP 420 after receiving the authentication success response frame sent by the AP 420, and establish a connection with the AP 420 after receiving the association success response frame sent by the AP 420;
[0107] The AP 420 is further configured to authenticate the STA 410 after receiving the authentication request frame, and feed back the authentication result to the STA 410; and, after receiving the association request frame, establish an association with the STA 410 and feed back the association result to the STA 410.
[0108] To sum up, the access method provided by the system described in the embodiment of the present invention does not require the user to perform any complicated settings, does not require the user to know which encryption algorithm the AP uses, and does not require the user to input a complex WLAN network password, which is convenient for the user; in addition, in the embodiment of the present invention, by setting a white list, the legitimacy of the accessing user is checked in a binding manner, which can effectively protect the security of the wireless network.
[0109] Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.
