Access control method of WiFi (wireless fidelity) equipment and WiFi equipment

An access control and equipment technology, applied in security devices, electrical components, wireless network protocols, etc. It addresses problems such as low efficiency, reducing processing time, improving processing efficiency, and improving user experience.

Active Publication Date: 2014-06-18
HUAWEI DEVICE CO LTD
6 Cites 8 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0006] Every time a user attempts to access the WEBUI, the IP/MAC correspondence table must be queried, and the WiFi query interface is called to obtain a list of MAC addresses of all end users associated with the SSID (fo...

Method used

As can be seen from the above, in some feasible embodiments of the present invention, the user layer of the WiFi device receives an access request, based on a service set identifier (SSID), for accessing the WiFi device, and the access request includes a request to access the management interface (WEBUI) of the WiFi device. The user layer then judges whether the label of the received access request is the same as one of the labels set in advance for the SSIDs that are prohibited from accessing the WiFi device; if yes, the access request is rejected, and if no, the access request is accepted. The embodiment can therefore manage access requests to the WiFi device through labels alone, which effectively reduces the time spent querying the IP/MAC correspondence table and the MAC table of users associated with SSIDs that are not allowed to access the WEBUI, and improves processing efficiency. In addition, the embodiment manages access based on the SSID rather than on the user's MAC address, so the permission settings do not go wrong when the user changes; it also avoids the network security risk caused by a user setting a static IP, and improves user experience.

Abstract

The embodiment of the invention discloses an access control method of WiFi (wireless fidelity) equipment and the WiFi equipment. The method can comprise the following steps: an access request for accessing the WiFi equipment based on an SSID (service set identifier) is received at a user layer of the WiFi equipment, wherein the access request comprises a request for accessing the management interface WEBUI (web user interface) of the WiFi equipment; whether the label of the received access request is identical to one of the labels preset for the SSIDs forbidden to access the WiFi equipment is judged at the user layer of the WiFi equipment; if so, the access request is refused, and if not, the access request is accepted. Access control on the WiFi equipment can therefore be realized in a simple mode.


Example Embodiment

[0043] In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings.
[0044] Figure 1 is a schematic flowchart of an embodiment of a method for access control of a WiFi device of the present invention. As shown in Figure 1, the method of the embodiment of the present invention includes:
[0045] Step S110: Receive an access request to access the WiFi device based on the service set identifier SSID at the user layer of the WiFi device, the access request includes a request to access the management interface WEBUI of the WiFi device;
[0046] Step S111: Determine at the user layer of the WiFi device whether the tag of the received access request is the same as one of the tags set in advance for the SSID that is prohibited from accessing the WiFi device; if the judgment is yes, step S112 is executed; if the judgment is no, step S122 is executed.
[0047] Step S112: Reject the access request.
[0048] Step S122: Accept the access request.
[0049] In specific implementation, the user layer in the embodiment of the present invention may include a platform layer, a protocol layer, and an application layer. The kernel layer of the embodiment of the present invention may include an operating system part.
[0050] In a specific implementation, the access request received in step S110 may be an access request to log in to or maintain the management interface of the WiFi device, and the access request may be a Hypertext Transfer Protocol (HTTP) message, a File Transfer Protocol (FTP) message, etc.
[0051] In a specific implementation, a corresponding label and an access request filtering rule may be set in the user layer of the WiFi device, through a firewall setting process, for the SSID that is prohibited from accessing the WiFi device. For example, assuming that the SSID prohibited from accessing the WiFi device is SSID2, the SetSSID2AccessRule function (a custom function name, which can be changed as needed) can be called in the user layer of the WiFi device to set the firewall rule. The access request filtering rule can be inserted or deleted according to the enable/disable parameter. For example, the filtering rule can be to deny access requests with a tag of 0xfff1. Then, when the WiFi device works in Multi-SSID mode, in step S111 the user layer of the WiFi device judges the label of the received access request: if the label is 0xfff1, the request is discarded (i.e. access is denied); otherwise it is forwarded normally (i.e. access is accepted).
[0052] In some feasible implementations of the present invention, the user layer of the WiFi device receives an access request, based on the service set identifier SSID, to access the WiFi device, and the access request includes a request to access the management interface WEBUI of the WiFi device. The user layer judges whether the label of the received access request is the same as one of the labels set in advance for the SSID that is prohibited from accessing the WiFi device; if the judgment is yes, the access request is rejected, and if the judgment is no, the access request is accepted. The embodiments of the present invention can manage access requests for accessing WiFi devices through tags alone, which effectively reduces the processing time for querying the IP/MAC correspondence table and the MAC table of users associated with SSIDs not allowed to access the WEBUI, and improves processing efficiency. In addition, the embodiment of the present invention manages access based on the SSID instead of the user's MAC address, so when the user changes, the user permission settings do not go wrong; the embodiment also avoids the network security risk caused by a user setting a static IP, and improves user experience.
[0053] Figure 2 is a schematic flowchart of an embodiment of a method for access control of a WiFi device of the present invention. On the basis of the embodiment of Figure 1, it adds the related processing flow of the WiFi device kernel layer. As shown in Figure 2, the method of the embodiment of the present invention includes:
[0054] Step S210: Obtain, at the kernel layer of the WiFi device, the index value of the interface where the SSID that is prohibited from accessing the WiFi device is located among the multiple WiFi service set identifiers (Multi-SSID).
[0055] Step S211: Receive, at the kernel layer of the WiFi device, an access request to access the WiFi device based on the service set identifier SSID.
[0056] Step S212: Determine at the kernel layer of the WiFi device whether the index value of the interface where the SSID on which the access request is based is located is one of the index values of the interfaces where the SSIDs prohibited from accessing the WiFi device are located; if the judgment is yes, go to step S213; if the judgment is no, go to step S223.
[0057] Step S213: Add a preset tag to the SSID-based access request at the kernel layer of the WiFi device, and send the access request with the preset tag added to the user layer of the WiFi device.
[0058] Step S223: Do not add a preset tag to the SSID-based access request at the kernel layer of the WiFi device, and send the access request without the preset tag to the user layer of the WiFi device.
[0059] Step S214: Receive, at the user layer of the WiFi device, an access request to access the WiFi device based on the service set identifier SSID, the access request including a request to access the management interface WEBUI of the WiFi device.
[0060] Step S215: Determine at the user layer of the WiFi device whether the label of the received access request is the same as one of the labels set in advance for the SSID that is prohibited from accessing the WiFi device; if the judgment is yes, step S216 is executed; if the judgment is no, step S236 is executed.
[0061] Step S216: Reject the access request.
[0062] Step S236: Accept the access request.
[0063] In a specific implementation, the user layer of the WiFi device can set access permissions for each SSID that accesses the WiFi device; in particular, an SSID that is forbidden to access the WiFi device needs to be set as prohibited. For example, if the SSID forbidden to access the WiFi device is SSID2, the EnableSsid2AccessUI interface (a custom interface name, which can be changed as needed) can be added to the user layer wlan_api.c file for the user layer application modules to call. Through this function, an application module of the user layer can pass an enable/disable parameter to record the permission value of the SSID. The default recorded parameter is "prohibited", that is, sending access requests to the WiFi device based on SSID2 is prohibited. The enable/disable parameter also determines whether the index value of the interface where SSID2 is located (for example, the ifindex value of interface eth1) is written from the user layer to the ssid2Proc file (a custom file name, which can be changed as needed): if the parameter says that SSID2 is prohibited from accessing the WiFi device, the index value of the interface where SSID2 is located is written to the ssid2Proc file; if the parameter says that SSID2 is allowed to access the WiFi device, an illegal value, that is, a value that is not the index value of any interface, is written to the ssid2Proc file.
[0064] Therefore, in step S210, the interface index value in the ssid2Proc file can be read at the kernel layer of the WiFi device to obtain the index value of the interface of SSID2, which is forbidden to access the WiFi device.
[0065] In steps S211 and S212, when an access request to access the WiFi device based on the service set identifier SSID is received at the kernel layer of the WiFi device, and before the kernel layer forwards the access request to the user layer, the kernel layer judges whether the index value of the interface where the SSID on which the access request is based is located is one of the index values of the interfaces where the SSIDs prohibited from accessing the WiFi device are located; if the judgment is yes, step S213 is executed; if the judgment is no, step S223 is executed. Continuing the foregoing example, in step S212 the kernel forwarding process judges (for example, in the br_pass_frame_up(struct sk_buff *skb) function of the br_input.c file) whether the index value ifindex of the current forwarding device interface is equal to the ifindex obtained from the ssid2Proc file. If the two values are equal, then in step S213 a preset label is added to the access request (for example, the added label is 0xfff1). If they are not equal, the labeling operation is skipped, the standard process is executed, and the access request is forwarded directly.
[0066] Then in step S225, the user layer of the WiFi device judges the label of the received access request: if the label is 0xfff1, the request is discarded (i.e. access is denied); otherwise it is forwarded normally (i.e. access is accepted).
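The two-stage check of steps S210 to S216 can be modelled in user space as follows. This is an added example, not code from the patent or from any vendor firmware; the struct, the function names, interface indexes 7 and 8, and the use of any non-positive or non-numeric value as the "illegal value" are assumptions, while the tag 0xfff1 and the ssid2Proc file come from the text.

```c
/* User-space model of kernel-layer tagging and user-layer filtering. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define WEBUI_DENY_TAG 0xfff1u /* tag value given in the text */
#define IFINDEX_NONE   (-1)    /* assumed "illegal value": matches no interface */

enum verdict { ACCEPT = 0, REJECT = 1 };

struct frame {
    int      ifindex; /* index of the interface the request arrived on */
    uint32_t tag;     /* per-request metadata, 0 means untagged */
};

/* Kernel layer, step S210: interpret the text the user layer wrote to the
 * ssid2Proc file. Anything that is not a positive decimal integer is
 * treated as "no interface is blocked". */
int parse_blocked_ifindex(const char *text)
{
    char *end;
    long v;

    if (text == NULL)
        return IFINDEX_NONE;
    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno == ERANGE || v <= 0 || v > INT_MAX)
        return IFINDEX_NONE;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    return *end == '\0' ? (int)v : IFINDEX_NONE;
}

/* Kernel layer, steps S212/S213/S223: tag the request only when it arrived
 * on the blocked SSID's interface; otherwise leave it untouched. */
void kernel_layer_tag(struct frame *f, int blocked_ifindex)
{
    if (blocked_ifindex != IFINDEX_NONE && f->ifindex == blocked_ifindex)
        f->tag = WEBUI_DENY_TAG;
}

/* User layer, steps S215/S216/S236: the filtering rule sees only the tag.
 * rule_enabled models the rule having been inserted (1) or deleted (0). */
enum verdict user_layer_filter(const struct frame *f, int rule_enabled)
{
    if (rule_enabled && f->tag == WEBUI_DENY_TAG)
        return REJECT;
    return ACCEPT;
}

/* Whole path for one WEBUI request. The decision never looks at the
 * client's MAC or IP address, only at the ingress interface. */
enum verdict handle_request(int ingress_ifindex, const char *proc_text,
                            int rule_enabled)
{
    struct frame f = { ingress_ifindex, 0 };

    kernel_layer_tag(&f, parse_blocked_ifindex(proc_text));
    return user_layer_filter(&f, rule_enabled);
}

int main(void)
{
    /* Constructed cases: ifindex 7 carries SSID1, ifindex 8 carries SSID2. */
    static const struct { int ifindex; const char *proc; int rule; } cases[] = {
        { 8, "8\n", 1 }, /* SSID2 blocked, rule present          */
        { 7, "8\n", 1 }, /* SSID1 client, same settings           */
        { 8, "-1",  1 }, /* SSID2 allowed: illegal value written  */
        { 8, "8\n", 0 }, /* tagged, but the rule has been deleted */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("ifindex=%d rule=%d -> %s\n", cases[i].ifindex, cases[i].rule,
               handle_request(cases[i].ifindex, cases[i].proc, cases[i].rule)
                   == REJECT ? "reject" : "accept");
    return 0;
}
```

The last case shows that the ssid2Proc value and the filtering rule are two separate pieces of state: a request that is tagged in the kernel layer is still accepted if the user-layer rule has been deleted, so both have to be changed together.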
[0067] As can be seen from the above, in some feasible implementations of the present invention, the user layer of the WiFi device receives an access request, based on the service set identifier SSID, to access the WiFi device, and the access request includes a request to access the management interface WEBUI of the WiFi device. The user layer determines whether the tag of the received access request is the same as one of the tags set in advance for the SSID that is prohibited from accessing the WiFi device; if the judgment is yes, the access request is rejected, and if the judgment is no, the access request is accepted. The embodiment of the present invention can therefore manage access requests for accessing WiFi devices through tags alone, which effectively reduces the processing time for querying the IP/MAC correspondence table and the MAC table of users associated with SSIDs that are not allowed to access the WEBUI, and improves processing efficiency. In addition, the embodiment of the present invention manages access based on the SSID instead of the user's MAC address, so when the user changes, the user permission settings do not go wrong; the embodiment also avoids the network security risk caused by a user setting a static IP, and improves user experience.
[0068] Correspondingly, the embodiment of the present invention also provides an embodiment of a WiFi device that can be used to implement the above method embodiment. Figure 3 is a schematic structural diagram of an embodiment of the WiFi device of the present invention. As shown in Figure 3, the WiFi device of the embodiment of the present invention may include: a first receiving module 31, a first judgment module 32, and a first access control module 33, where:
[0069] The first receiving module 31 is configured to receive, at the user layer of the WiFi device, an access request for accessing the WiFi device based on the service set identifier SSID, the access request including a request for accessing the management interface WEBUI of the WiFi device;
[0070] The first judgment module 32 is configured to judge at the user layer of the WiFi device whether the label of the received access request is the same as one of the labels previously set for the SSID that prohibits access to the WiFi device;
[0071] The first access control module 33 is configured to reject the access request when the judgment result of the first judgment module 32 is yes, and accept the access request when the judgment result of the first judgment module 32 is no.
[0072] In a specific implementation, the access request received by the first receiving module 31 may be an access request for logging in to or maintaining the management interface of the WiFi device, and the access request may be a Hypertext Transfer Protocol (HTTP) message, a File Transfer Protocol (FTP) message, etc.
[0073] In a specific implementation, the WiFi device of the embodiment of the present invention may further include a setting module 34, configured to set in advance, in the user layer of the WiFi device, a corresponding tag filtering rule for the SSID that is prohibited from accessing the WiFi device. For example, the setting module may set in advance a corresponding label and access request filtering rule for the prohibited SSID at the user layer of the WiFi device through the firewall setting process. For example, if the SSID forbidden to access the WiFi device is SSID2, the setting module can call the SetSSID2AccessRule function (a custom function name, which can be changed as needed) in the user layer of the WiFi device to set the firewall rule; this function can insert or delete the access request filtering rule according to the enable/disable parameter. For example, suppose the filtering rule is to deny access requests with tag 0xfff1; then, when the WiFi device works in Multi-SSID mode, the first judgment module 32 judges the label of the received access request at the user layer of the WiFi device: if the label is 0xfff1, the request is discarded (i.e. access is denied); otherwise it is forwarded normally (i.e. access is accepted).
[0074] As can be seen from the above, in some feasible implementations of the present invention, the user layer of the WiFi device receives an access request, based on the service set identifier SSID, to access the WiFi device, and the access request includes a request to access the management interface WEBUI of the WiFi device. The user layer determines whether the tag of the received access request is the same as one of the tags set in advance for the SSID that is prohibited from accessing the WiFi device; if the judgment is yes, the access request is rejected, and if the judgment is no, the access request is accepted. The embodiment of the present invention can therefore manage access requests to WiFi devices through tags alone, which effectively reduces the processing time of querying the IP/MAC correspondence table and the MAC table of users associated with SSIDs that are not allowed to access the WEBUI, and improves processing efficiency. In addition, the embodiment of the present invention manages access based on the SSID instead of the user's MAC address, so when the user changes, the user permission settings do not go wrong; the embodiment also avoids the network security risk caused by a user setting a static IP, and improves user experience.
[0075] Figure 4 is a schematic structural diagram of another embodiment of the WiFi device of the present invention. As shown in Figure 4, the WiFi device of the embodiment of the present invention may include: an acquisition module 41, a second receiving module 42, a second judgment module 43, a second access control module 44, a setting module 45, a first receiving module 46, a first judgment module 32, and the first access control module 33, where:
[0076] The acquisition module 41 is configured to obtain, at the kernel layer of the WiFi device, the index value of the interface where the SSID that is prohibited from accessing the WiFi device is located among the multiple WiFi service set identifiers (Multi-SSID).
[0077] The second receiving module 42 is configured to receive, at the kernel layer of the WiFi device, an access request for accessing the WiFi device based on the service set identifier SSID.
[0078] The second judgment module 43 is configured to, when the second receiving module 42 receives an access request for accessing the WiFi device based on the service set identifier SSID, judge whether the index value of the interface where the SSID on which the access request is based is located is one of the index values of the interfaces where the SSIDs prohibited from accessing the WiFi device are located.
[0079] The second access control module 44 is configured to, when the judgment result of the second judgment module 43 is yes, add a preset label to the SSID-based access request at the kernel layer and send the access request with the preset label added to the first receiving module; and, when the judgment result of the second judgment module 43 is no, not add a preset label to the SSID-based access request at the kernel layer and send the access request without the preset label to the first receiving module 46.
[0080] The setting module 45 is configured to set in advance, in the user layer of the WiFi device, a corresponding label for the SSID that is prohibited from accessing the WiFi device.
[0081] The first receiving module 46 is configured to receive, at the user layer of the WiFi device, an access request for accessing the WiFi device based on the service set identifier SSID, the access request including a request for accessing the management interface WEBUI of the WiFi device.
[0082] The first judgment module 47 is configured to judge at the user layer of the WiFi device whether the tag of the received access request is the same as one of the tags previously set for the SSID that is prohibited from accessing the WiFi device.
[0083] The first access control module 48 is configured to reject the access request when the judgment result of the first judgment module 47 is yes, and accept the access request when the judgment result of the first judgment module 47 is no.
[0084] In a specific implementation, the user layer of the WiFi device can set access permissions for each SSID that accesses the WiFi device; in particular, an SSID that is forbidden to access the WiFi device needs to be set as prohibited. For example, if the SSID forbidden to access the WiFi device is SSID2, the EnableSsid2AccessUI interface (a custom interface name, which can be changed as needed) can be added to the user layer wlan_api.c file for the user layer application modules to call. Through this function, an application module of the user layer can pass an enable/disable parameter to record the permission value of the SSID. The default recorded parameter is "prohibited", that is, sending access requests to the WiFi device based on SSID2 is prohibited. The enable/disable parameter also determines whether the index value of the interface where SSID2 is located (for example, the ifindex value of interface eth1) is written from the user layer to the ssid2Proc file (a custom file name, which can be changed as needed): if the parameter says that SSID2 is prohibited from accessing the WiFi device, the index value of the interface where SSID2 is located is written to the ssid2Proc file; if the parameter says that SSID2 is allowed to access the WiFi device, an illegal value, that is, a value that is not the index value of any interface, is written to the ssid2Proc file.
[0085] Therefore, in the embodiment of the present invention, the acquisition module 41 can obtain the index value of the interface of SSID2, which is prohibited from accessing the WiFi device, by reading the user layer's ssid2Proc file at the kernel layer of the WiFi device. Writing the index value of the interface where SSID2 is located to the ssid2Proc file is just a simple example. In some other embodiments, the index value of the interface where the SSID is located can be passed from the user layer to the kernel layer in other ways, and the kernel layer can save in other ways the index values of the interfaces where the SSIDs prohibited from accessing the WiFi device are located (not limited to SSID2, but including all SSIDs forbidden to access the WiFi device).
[0086] When the second receiving module 42 receives, at the kernel layer of the WiFi device, an access request for accessing the WiFi device based on the service set identifier SSID, and before the kernel layer forwards the access request to the user layer, the second judgment module 43 determines at the kernel layer whether the index value of the interface where the SSID on which the access request is based is located is one of the index values of the interfaces where the SSIDs prohibited from accessing the WiFi device are located. Still taking SSID2 as an example, the second judgment module 43 can judge (for example, in the br_pass_frame_up(struct sk_buff *skb) function of the br_input.c file) whether the index value ifindex of the interface currently forwarding the SSID is equal to the ifindex obtained from the ssid2Proc file. If the two values are equal, the second access control module 44 adds a preset tag to the access request based on SSID2 (the tag is preset by the setting module 45, for example 0xfff1; the function of the setting module 45 is the same as that of the setting module 34 in the previous embodiment and is not repeated here). If the two values are not equal, the tagging operation is skipped, the standard process is executed, and the access request is forwarded directly.
[0087] The first receiving module 46 can then receive, at the user layer, the access request sent from the second access control module 44, and the first judgment module 47 judges the label of the received access request at the user layer of the WiFi device: if the label is 0xfff1, the request is discarded (i.e. access is denied); otherwise it is forwarded normally (i.e. access is accepted).
[0088] As can be seen from the above, in some feasible implementations of the present invention, the user layer of the WiFi device receives an access request, based on the service set identifier SSID, to access the WiFi device, and the access request includes a request to access the management interface WEBUI of the WiFi device. The user layer determines whether the tag of the received access request is the same as one of the tags set in advance for the SSID that is prohibited from accessing the WiFi device; if the judgment is yes, the access request is rejected, and if the judgment is no, the access request is accepted. The embodiment of the present invention can therefore manage access requests for accessing WiFi devices through tags alone, which effectively reduces the processing time for querying the IP/MAC correspondence table and the MAC table of users associated with SSIDs that are not allowed to access the WEBUI, and improves processing efficiency. In addition, the embodiment of the present invention manages access based on the SSID instead of the user's MAC address, so when the user changes, the user permission settings do not go wrong; the embodiment also avoids the network security risk caused by a user setting a static IP, and improves user experience.
[0089] Figure 5 is a schematic structural diagram of another embodiment of the WiFi device of the present invention. As shown in Figure 5, the WiFi device of the embodiment of the present invention may include a memory 51 and a processor 52; the memory 51 stores a designated program, and the processor 52 calls the program stored in the memory 51 to perform the following steps:
[0090] Receiving at the user layer of the WiFi device an access request for accessing the WiFi device based on the service set identifier SSID, the access request including a request for accessing the management interface WEBUI of the WiFi device;
[0091] At the user layer of the WiFi device, it is judged whether the label of the received access request is the same as one of the labels set in advance for the SSID that prohibits access to the WiFi device, and if the judgment is yes, the access request is rejected, if If the judgment is no, the access request is accepted.
[0092] In some feasible implementations, before determining at the user layer of the WiFi device whether the label of the received access request is the same as one of the labels set in advance for the SSID that is prohibited from accessing the WiFi device, the processor 52 further performs the following steps:
[0093] Acquiring, at the kernel layer of the WiFi device, the index value of the interface where the SSID that is prohibited from accessing the WiFi device is located in the Multi-SSID;
[0094] When an access request to access the WiFi device based on the service set identifier SSID is received at the kernel layer of the WiFi device, determining whether the index value of the interface where the SSID on which the access request is based is located is one of the index values of the interfaces where the SSIDs prohibited from accessing the WiFi device are located;
[0095] If the judgment is yes, adding a preset tag to the SSID-based access request at the kernel layer of the WiFi device, and sending the access request with the preset tag added to the user layer of the WiFi device; if the judgment is no, not adding a preset tag to the SSID-based access request at the kernel layer of the WiFi device, and sending the access request without the preset tag to the user layer of the WiFi device.
[0096] In some feasible implementation manners, before the user layer of the WiFi device receives an access request to access the WiFi device based on the service set identifier SSID, the processor 52 further executes the following steps:
[0097] A corresponding label is set in the user layer of the WiFi device in advance for the SSID that is prohibited from accessing the WiFi device.
[0098] The above are only the preferred embodiments of the present invention, which of course cannot be used to limit the scope of rights of the present invention. Therefore, equivalent changes made according to the claims of the present invention still fall within the scope of the present invention.