Wapi authentication message processing method and device, computer device, readable storage medium and program product

By deploying a WAPI authentication agent system in a wireless local area network to detect and select available or optimal WAPI authentication servers, the problem of the inability to perform primary/backup switching in a multi-center disaster recovery architecture in WAPI wireless networks is solved, disaster recovery backup of WAPI authentication services is realized, and the reliability of authentication is improved.

CN122160769APending Publication Date: 2026-06-05SHENZHEN ZHIKAI TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHENZHEN ZHIKAI TECH CO LTD
Filing Date
2026-03-23
Publication Date
2026-06-05

Smart Images

  • Figure CN122160769A_ABST
    Figure CN122160769A_ABST
Patent Text Reader

Abstract

The application relates to a WAPI authentication message processing method and device, computer equipment, a readable storage medium and a program product. The method comprises the following steps: determining the service availability determination result of each WAPI authentication server by a WAPI authentication proxy system according to the WAPI certificate detection response message returned by each WAPI authentication server for a WAPI certificate detection request message; receiving the WAPI certificate authentication request message of a wireless access point (AP) by the WAPI authentication proxy system, and sending the WAPI certificate authentication request message to a target WAPI authentication server; receiving the WAPI certificate authentication response message returned by the target WAPI authentication server for the WAPI certificate authentication request message by the WAPI authentication proxy system, and sending the WAPI certificate authentication response message to the wireless access point (AP). The method can enable the wireless access point (AP) in a wireless network to perform master-backup switching between WAPI authentication servers in multiple data centers under a multi-center disaster recovery architecture, so that disaster recovery backup of the WAPI authentication service is realized.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to a WAPI authentication message processing method, apparatus, computer equipment, readable storage medium, and program product. Background Technology

[0002] WAPI (Wireless LAN Authentication and Privacy Infrastructure) is a wireless network security standard and technology. WAPI uses digital certificates to identify wireless access points (APs) and wireless terminals (STAs), employing a three-factor authentication system to ensure the security of wireless access authentication. This three-factor authentication system means that before a STA connects to the wireless network, both the STA and the AP, which initially do not trust each other, authenticate through a WAPI authentication server (AS) that both parties trust.

[0003] Due to its high security, WAPI wireless technology is increasingly being used in critical infrastructure sectors such as power grids and highway toll stations. In highway toll station applications, access points (APs) are typically deployed at the toll station, while automated systems (ASs) are deployed at the provincial center of the highway system. The provincial center typically employs a dual-center deployment with primary and backup centers for disaster recovery within the same city. To provide highly reliable WAPI authentication services, when using centralized provincial authentication, ASs are also deployed in both centers to form a disaster recovery backup for the WAPI authentication system. Alternatively, within a single center, ASs may also be deployed with dual-machine backup, typically using VRRP (Virtual Redundancy Protocol) or clustering technology to provide a virtual IP address for the WAPI authentication server to each AP. This means that from the external user's perspective, the two ASs in one center appear as a single AS.

[0004] In a disaster recovery AS deployment, the primary and backup AS server systems will present different IP addresses to the outside world. Because the two disaster recovery AS server systems are located on different local area networks, they cannot deploy VRRP or similar protocols to provide a WAPI authentication server IP address to the access points (APs). Furthermore, since current WAPI wireless network APs do not support configuring two or more AS servers, primary / backup failover of WAPI authentication services between the two centers is not possible. Summary of the Invention

[0005] Based on this, it is necessary to provide a WAPI authentication message processing method, apparatus, computer equipment, computer-readable storage medium, and computer program product that enables wireless access points (APs) in a wireless network to perform primary / backup switching between WAPI authentication servers in multiple data centers under a multi-center disaster recovery architecture, thereby achieving disaster recovery backup of WAPI authentication services.

[0006] In a first aspect, this application provides a WAPI authentication message processing method applied to a WAPI authentication system. The WAPI authentication system includes a WAPI authentication proxy system and at least two WAPI authentication servers, which are deployed in different data centers. The WAPI authentication system is used to perform wireless access authentication on wireless terminals (STAs) and wireless access points (APs) accessing the WAPI wireless network. The method includes:

[0007] The WAPI authentication proxy system sends WAPI certificate probe request messages to at least two WAPI authentication servers, and determines the service availability of each WAPI authentication server based on the WAPI certificate probe response messages returned by each WAPI authentication server in response to the WAPI certificate probe request messages.

[0008] The WAPI authentication proxy system receives WAPI certificate authentication request messages from wireless access points (APs), determines the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result, and sends the WAPI certificate authentication request message to the target WAPI authentication server.

[0009] The WAPI authentication proxy system receives the WAPI certificate authentication response message returned by the target WAPI authentication server in response to the WAPI certificate authentication request message, and sends the WAPI certificate authentication response message to the wireless access point (AP).

[0010] In one embodiment, before sending the WAPI certificate probe request message to the at least two WAPI authentication servers through the WAPI authentication proxy system, the method further includes:

[0011] Configure the MAC addresses corresponding to the wireless terminal STA and the wireless access point AP respectively;

[0012] Configure the WAPI certificates corresponding to the wireless terminal STA and the wireless access point AP respectively;

[0013] Based on the MAC address and the WAPI certificate, a WAPI certificate probe request message is generated.

[0014] In one embodiment, determining the service availability determination result of each WAPI authentication server based on the WAPI certificate probe response message returned by each WAPI authentication server in response to the WAPI certificate probe request message includes:

[0015] Obtain the response time of the WAPI authentication server in response to the WAPI certificate probe request message and the WAPI certificate probe response message;

[0016] If the response time is less than a preset time threshold and the WAPI certificate probe response message passes the validity check, the service availability determination result of the WAPI authentication server is determined to be that it has service availability.

[0017] In one embodiment, determining the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result includes:

[0018] Based on the service availability determination result, candidate WAPI authentication servers with service availability are determined from each of the WAPI authentication servers;

[0019] Based on the service configuration information of the candidate WAPI authentication servers, a primary WAPI authentication server is determined from the candidate WAPI authentication servers; the service configuration information is used to indicate whether the candidate WAPI authentication server is a primary WAPI authentication server or a backup WAPI authentication server.

[0020] The primary WAPI authentication server is identified as the target WAPI authentication server.

[0021] In one embodiment, determining the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result includes:

[0022] Based on the service availability determination result, candidate WAPI authentication servers with service availability are determined from each of the WAPI authentication servers;

[0023] The target WAPI authentication server is determined from the candidate WAPI authentication servers based on the quantified performance metrics of the candidate WAPI authentication servers.

[0024] In one embodiment, sending a WAPI certificate probe request message to the at least two WAPI authentication servers through the WAPI authentication proxy system includes:

[0025] The WAPI authentication proxy system sends WAPI certificate probe request messages to at least two WAPI authentication servers according to a preset sending period.

[0026] The preset sending period is matched with the disaster recovery switchover time requirement of the WAPI authentication system.

[0027] Secondly, this application also provides a WAPI authentication message processing apparatus for use in a WAPI authentication system. The WAPI authentication system includes a WAPI authentication proxy system and at least two WAPI authentication servers, which are deployed in different data centers. The WAPI authentication system is used to perform wireless access authentication on wireless terminals (STAs) and wireless access points (APs) accessing the WAPI wireless network. The apparatus includes:

[0028] The authentication service detection module is used to send WAPI certificate detection request messages to at least two WAPI authentication servers through the WAPI authentication proxy system, and determine the service availability judgment result of each WAPI authentication server based on the WAPI certificate detection response messages returned by each WAPI authentication server in response to the WAPI certificate detection request messages.

[0029] The authentication proxy module is used to receive WAPI certificate authentication request messages from wireless access points (APs) through the WAPI authentication proxy system, determine the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result, and send the WAPI certificate authentication request message to the target WAPI authentication server.

[0030] The authentication proxy module is further configured to receive, through the WAPI authentication proxy system, a WAPI certificate authentication response message returned by the target WAPI authentication server in response to the WAPI certificate authentication request message, and send the WAPI certificate authentication response message to the wireless access point (AP).

[0031] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps of the above-described method.

[0032] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the above-described method.

[0033] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the above-described method.

[0034] The aforementioned WAPI authentication message processing method, apparatus, computer equipment, computer-readable storage medium, and computer program product, by deploying a WAPI authentication proxy system in a wireless local area network (WLAN), forms a disaster recovery backup WAPI authentication system with WAPI authentication servers deployed in different centers. The WAPI authentication proxy system detects the availability of each WAPI authentication server and, upon receiving a WAPI certificate authentication request from a wireless access point (AP), selects the currently available or optimal target WAPI authentication server. Then, the WAPI authentication proxy system acts as an agent for the AP to perform the WAPI certificate authentication process with the selected WAPI authentication server. This method enables the WAPI authentication request to be processed by a backup WAPI authentication server when the primary WAPI authentication server is unavailable, or to select the optimal WAPI authentication server from multiple available WAPI authentication servers. This solves the problem of current WAPI wireless networks being unable to switch between disaster recovery-deployed WAPI authentication servers. Therefore, in a multi-center disaster recovery architecture, wireless access points (APs) in a wireless network can perform primary / backup switching between WAPI authentication servers in multiple data centers, thereby achieving disaster recovery backup for WAPI authentication services and improving the reliability of WAPI wireless authentication. Attached Figure Description

[0035] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0036] Figure 1 This is an application environment diagram of a WAPI authentication message processing method in one embodiment.

[0037] Figure 2 This is a flowchart illustrating a WAPI authentication message processing method in one embodiment;

[0038] Figure 3 This is a schematic diagram of a WAPI certificate authentication request message structure in one embodiment.

[0039] Figure 4 A logic diagram of a WAPI authentication proxy system that proxies the WAPI authentication process in one embodiment;

[0040] Figure 5 This is a structural block diagram of a WAPI authentication message processing device in one embodiment;

[0041] Figure 6 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation

[0042] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0043] The WAPI authentication message processing method provided in this application embodiment can be applied to, for example... Figure 1 In the application environment shown, the WAPI authentication system 101 includes a WAPI authentication agent system 102 and at least two WAPI authentication servers 103, which are deployed in different data centers. The WAPI authentication system 101 is used to perform wireless access authentication on wireless terminals (STAs) and wireless access points (APs) that access the WAPI wireless network.

[0044] WAPI authentication agent system 102 sends WAPI certificate probe request messages to at least two WAPI authentication servers 103, and determines the service availability judgment result of each WAPI authentication server 103 based on the WAPI certificate probe response message returned by each WAPI authentication server 103 in response to the WAPI certificate probe request message.

[0045] WAPI authentication agent system 102 receives WAPI certificate authentication request message from wireless access point AP, determines the target WAPI authentication server from each WAPI authentication server 103 according to the service availability determination result, and sends the WAPI certificate authentication request message to the target WAPI authentication server.

[0046] The WAPI authentication agent system 102 receives the WAPI certificate authentication response message returned by the target WAPI authentication server in response to the WAPI certificate authentication request message, and sends the WAPI certificate authentication response message to the wireless access point (AP).

[0047] The WAPI authentication system 101 comprises a WAPI authentication proxy system 102 and at least two WAPI authentication servers 103, used for wireless access authentication of wireless terminals (STAs) and wireless access points (APs) accessing the WAPI wireless network. A WAPI wireless network can refer to a wireless local area network that uses the WAPI protocol for security authentication. WAPI can refer to the wireless local area network authentication and confidentiality infrastructure, a wireless network security standard and technology specified in the Chinese national standard GB15629.11. WAPI uses digital certificates to identify the identities of wireless access points (APs) and wireless terminals (STAs), and performs identity authentication of wireless access points (APs) and wireless terminals (STAs) based on a three-element authentication system, ensuring the security of wireless access authentication. A three-element authentication system can refer to an authentication architecture where, before a wireless terminal (STA) accesses the wireless network, both the STA and the AP, which do not trust each other, authenticate through a WAPI authentication server trusted by both parties.

[0048] The WAPI authentication proxy system 102 may include an intermediary proxy device deployed in a wireless local area network (WLAN) to facilitate authentication interactions between wireless access points (APs) and the WAPI authentication server. The WAPI authentication proxy system can be a standalone server device or a functional entity deployed on existing network equipment. Specifically, the WAPI authentication proxy system 102 is deployed in a WAPI wireless network. The IP address of the WAPI authentication server configured on the wireless access point (AP) in the WAPI wireless network is the IP address of the WAPI authentication proxy system 102. That is, the WAPI authentication server 103 configured on the wireless access point (AP) in the WAPI wireless network points to the WAPI authentication proxy system 102, thereby enabling the wireless access point (AP) to send WAPI certificate authentication request messages to the WAPI authentication proxy system 102.

[0049] For example, the WAPI authentication proxy system can form a disaster recovery backup WAPI authentication system with a first WAPI authentication server deployed in a first data center and a second WAPI authentication server deployed in a second data center. The first and second data centers can be located in different geographical locations. For instance, the first and second data centers can be two primary and backup centers for disaster recovery within the same city (i.e., two data centers located in the same city but in different geographical locations); or they can be two centers for disaster recovery in different locations (i.e., two data centers located in different cities). The first and second WAPI authentication servers can have the same root certificate, meaning the certificates of both WAPI authentication servers are issued by the same root certificate. In this way, the WAPI authentication proxy system only needs to be configured with one root certificate to perform signature verification on response messages from both WAPI authentication servers, simplifying the configuration process.

[0050] The WAPI authentication server 103 may include server equipment for authenticating wireless terminals (STAs) and wireless access points (APs). At least two WAPI authentication servers 103 may be deployed in different data centers, such as a primary data center and a backup data center, or multiple geographically dispersed data centers. For example, they could be two centers for disaster recovery within the same city, or two centers for disaster recovery in different locations. The data center can be a physical location that centrally stores and manages information technology infrastructure such as server equipment and network equipment, including but not limited to computer rooms, servers, network equipment, and power systems.

[0051] In practical applications, by deploying WAPI authentication servers in different data centers, disaster recovery backup of WAPI authentication services can be achieved. When a WAPI authentication server in one data center fails, the service can be switched to a WAPI authentication server in another data center to continue providing authentication services.

[0052] The wireless terminal (STA) can be a terminal device with wireless network access capabilities, such as a smartphone, tablet, laptop, smartwatch, or in-vehicle terminal. The wireless terminal (STA) can connect wirelessly to the wireless access point (AP) to access the wireless network.

[0053] In this context, a wireless access point (AP) can be a network device that provides wireless network access services; it can also be called a wireless access point or a wireless hotspot. The AP receives wireless connection requests from wireless terminals (STAs) and allows them to access the wireless network after successful authentication. Wireless access authentication refers to the process of authenticating the identity of wireless terminals (STAs) attempting to access the wireless network. During wireless access authentication, the AP can send a WAPI certificate authentication request message to the WAPI authentication server. The WAPI authentication server verifies the identities of both the wireless terminal (STA) and the AP and then returns the authentication result.

[0054] The WAPI authentication message processing method in this application deploys a WAPI authentication proxy system in a wireless local area network. This proxy system acts as a go-between for authentication interactions between wireless access points (APs) and WAPI authentication servers deployed in different data centers, thus achieving disaster recovery for the WAPI authentication service. When a WAPI authentication server in one data center fails, the proxy system automatically switches the authentication request to another WAPI authentication server in a different data center, ensuring the continuity and reliability of the authentication service and solving the problem in existing technologies where failover between disaster recovery-deployed WAPI authentication servers is not possible.

[0055] In one exemplary embodiment, such as Figure 2 As shown, a WAPI authentication message processing method is provided, which can be applied to... Figure 1 The WAPI authentication system 101 in the example is used for illustration, including:

[0056] Step S202: Send WAPI certificate probe request messages to at least two WAPI authentication servers through the WAPI authentication proxy system. Determine the service availability judgment result of each WAPI authentication server based on the WAPI certificate probe response messages returned by each WAPI authentication server in response to the WAPI certificate probe request messages.

[0057] The WAPI certificate probe request message can refer to a simulated message constructed by the WAPI authentication agent system to probe the availability of the WAPI authentication server service. The message format is the same as the certificate authentication request message format specified in the WAPI protocol, therefore the WAPI authentication server can receive and process this message normally.

[0058] In its implementation, the WAPI authentication proxy system can proactively send WAPI certificate probe request messages to each WAPI authentication server to detect its service availability. The system can periodically send these messages to the targeted servers. After sending a request, the proxy system waits to receive a response, and then uses this response to determine the server's service availability, generating a service availability assessment result. This method allows for the detection of availability across multiple WAPI authentication servers.

[0059] Among them, the WAPI certificate probe response message refers to the response message returned by the WAPI authentication server after receiving the WAPI certificate probe request message, performing authentication processing.

[0060] The service availability determination result refers to the information used to indicate whether the WAPI authentication server is currently able to provide authentication services normally. The service availability determination result can include two results: one is that the WAPI authentication server is currently able to provide authentication services normally, and the other is that the WAPI authentication server is currently unable to provide authentication services normally.

[0061] In its implementation, the WAPI authentication proxy system, when probing the service availability of a WAPI authentication server, determines the server's availability based on whether a WAPI certificate probe response message is received within a preset timeout period and whether the received message passes a validity check. The timeout period refers to the maximum time the proxy system waits for a response after sending the WAPI certificate probe request message; if no response is received within this time, it is considered a timeout. Specifically, after sending a WAPI certificate probe request message, if the proxy system receives a response from the server within the timeout period and the check passes, the server is considered available; otherwise, if no response is received within the timeout period, the server is considered unavailable.

[0062] In this manner, the WAPI authentication proxy system periodically sends WAPI certificate authentication requests to the probed WAPI authentication server. The availability of the probed WAPI authentication server is determined based on whether a valid certificate authentication response message is received from the WAPI server within the timeout period. The simulated WAPI authentication request method in this embodiment, compared to the general IP reachability-based method (which typically probes by sending ICMP messages, only detecting network link connectivity and not whether the authentication service on the WAPI authentication server is functioning correctly), can comprehensively probe link availability and service availability, thus more accurately determining the service availability of the WAPI authentication server.

[0063] Step S204: Receive the WAPI certificate authentication request message from the wireless access point (AP) through the WAPI authentication proxy system, determine the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result, and send the WAPI certificate authentication request message to the target WAPI authentication server.

[0064] Among them, the WAPI certificate authentication request message can refer to the message sent by the wireless access point (AP) during the WAPI authentication process to request the WAPI authentication server to authenticate the identity of the wireless terminal (STA) and the wireless access point (AP) accessing the wireless network.

[0065] Optionally, the WAPI certificate authentication request message may include information such as the MAC address of the wireless terminal (STA), the MAC address of the wireless access point (AP), the WAPI certificate of the wireless terminal (STA), the WAPI certificate of the wireless access point (AP), the AP challenge random number, and the STA challenge random number. The MAC address can refer to the Media Access Control address, which is a unique identifier for a network device within the network. The WAPI certificate can refer to a digital certificate conforming to the WAPI protocol, used to prove the device's identity. The AP challenge random number can refer to a random number generated by the wireless access point (AP), used to prevent replay attacks during the authentication process. The STA challenge random number can refer to a random number generated by the wireless terminal (STA), also used to prevent replay attacks.

[0066] For the convenience of those skilled in the art, Figure 3 An exemplary diagram of a WAPI certificate authentication request message structure is provided.

[0067] ADDID is the MAC address of the AP and STA, totaling 12 bytes. As an example, it can be configured by using two MAC addresses as the MAC addresses of the AP and STA. As another example, it can be that the WAPI authentication agent system randomly generates two MAC addresses at the beginning as the MAC addresses of the AP and STA.

[0068] Both the AP challenge and the STA challenge are 256-bit random numbers, exchanged between the AP and STA in the WAPI authentication activation message and the WAPI authentication request message. Optionally, they can be generated by the WAPI authentication agent system each time a simulated WAPI authentication request message is constructed.

[0069] The STA certificate and AP certificate are WAPI public key digital certificates for the terminal and wireless access point, respectively. As an example, the WAPI certificate issuing system can issue a test terminal certificate and a test access point certificate to the WAPI authentication agent system; in this case, both certificates are valid. As another example, the WAPI authentication agent system can construct certificates that conform to the WAPI certificate format (i.e., X.509 format WAPI digital certificates); in this case, both certificates are invalid. In both cases, the WAPI digital certificates are of normal format and can be authenticated by the WAPI authentication server; they will not be discarded due to invalid format.

[0070] The STA-trusted ASU list is represented by the identity information of the WAPI authentication server as specified in the WAPI protocol. This field is optional and may not be included in the WAPI certificate authentication request.

[0071] In this embodiment, the address of the WAPI authentication server configured on the wireless access point (AP) can point to the address of the WAPI authentication proxy system. When a wireless terminal (STA) attempts to access the wireless network, the AP can send a WAPI certificate authentication request message to the WAPI authentication proxy system instead of directly to the WAPI authentication server. The WAPI authentication proxy system can listen for and receive WAPI certificate authentication request messages from the AP on a preset port. The preset port can be a standard port specified by the WAPI protocol, such as a UDP port.

[0072] In its implementation, the WAPI authentication proxy system runs a UDP port proxy system. After receiving a WAPI certificate authentication request message from the wireless access point (AP), it selects a currently available WAPI authentication server as the target WAPI authentication server based on the previously detected service availability results of each WAPI authentication server. The target WAPI authentication server refers to the WAPI authentication server ultimately selected to process the current WAPI certificate authentication request message.

[0073] After identifying the target WAPI authentication server, the WAPI authentication proxy system can forward the received WAPI certificate authentication request message to the target WAPI authentication server. Optionally, the WAPI authentication proxy system can encapsulate the WAPI certificate authentication request message into a UDP packet and send it to the target WAPI authentication server over the network.

[0074] Optionally, the WAPI authentication proxy system can use either a primary / backup mode or a load balancing mode when selecting a target WAPI authentication server.

[0075] The primary / standby mode refers to selecting a primary WAPI authentication server as the target WAPI authentication server when multiple WAPI authentication servers are available. The primary and standby WAPI authentication servers are specified by configuration. When the primary WAPI authentication server's availability assessment result is "available," the WAPI authentication proxy system designates it as the target WAPI authentication server. When the primary WAPI authentication server's availability assessment result is "not available," but the standby WAPI authentication server's availability assessment result is "available," the WAPI authentication proxy system designates the standby WAPI authentication server as the target WAPI authentication server. When the primary WAPI authentication server recovers from a state of "not available" to a state of "available," the WAPI authentication proxy system can re-designate it as the target WAPI authentication server, achieving automatic failback of the primary server.

[0076] Load balancing refers to selecting the optimal WAPI authentication server as the target WAPI authentication server when multiple WAPI authentication servers are available. The optimal WAPI authentication server can be determined based on its response time, with the server having the shortest response time being considered the best.

[0077] To achieve load balancing, the WAPI authentication proxy system records the response time of each WAPI authentication server to the last probing WAPI certificate probe request message. The optimal WAPI authentication server is determined based on its shortest response time. In this scenario, the selected optimal WAPI authentication server considers both the authentication processing load and the communication link status of the WAPI authentication servers.

[0078] In one embodiment, the WAPI authentication proxy system can simultaneously support the probing and proxying of two or more WAPI authentication servers. When three or more WAPI authentication servers exist, the WAPI authentication proxy system can probe the service availability of each WAPI authentication server using the same probing method. When selecting a target WAPI authentication server, the WAPI authentication proxy system can employ a load balancing approach to select the currently optimal WAPI authentication server as the target WAPI authentication server from multiple candidate WAPI authentication servers whose service availability assessment results indicate service availability.

[0079] Step S206: Receive the WAPI certificate authentication response message returned by the target WAPI authentication server in response to the WAPI certificate authentication request message through the WAPI authentication proxy system, and send the WAPI certificate authentication response message to the wireless access point (AP).

[0080] Among them, the WAPI certificate authentication response message can refer to the response message returned by the WAPI authentication server after receiving the WAPI certificate authentication request message, performing identity authentication processing.

[0081] Optionally, the WAPI certificate authentication response message may include information such as the authentication result and the authentication result signature. The authentication result may indicate whether the identities of the wireless terminal (STA) and the wireless access point (AP) have been authenticated; the authentication result signature may be the signature data obtained by the WAPI authentication server using its private key to digitally sign the authentication result, used to ensure the integrity and authenticity of the authentication result.

[0082] In practice, after receiving a WAPI certificate authentication request message, the target WAPI authentication server can verify the WAPI certificates of the wireless terminal (STA) and the wireless access point (AP) carried in the message. The verification process may include steps such as checking if the certificate format is correct, checking if the certificate is valid, checking if the certificate has been revoked, and verifying the certificate signature. Based on the verification results, the target WAPI authentication server can generate a WAPI certificate authentication response message and return it to the WAPI authentication proxy system.

[0083] The WAPI authentication proxy system can receive WAPI certificate authentication response messages returned by the target WAPI authentication server. After receiving the WAPI certificate authentication response message, the WAPI authentication proxy system can forward it to the wireless access point (AP) that sent the WAPI certificate authentication request message. Optionally, the WAPI authentication proxy system can encapsulate the WAPI certificate authentication response message into a UDP packet and send it to the wireless access point (AP) over the network.

[0084] After receiving the WAPI certificate authentication response message, the wireless access point (AP) can determine whether to allow the wireless terminal (STA) to access the wireless network based on the authentication result. If the authentication result indicates successful authentication, the AP can allow the STA to access the wireless network, and subsequent steps such as key negotiation can be performed to establish secure communication. If the authentication result indicates unsuccessful authentication, the AP can refuse the STA's access to the wireless network.

[0085] Through the above steps, the WAPI authentication proxy system realizes the proxy forwarding of WAPI certificate authentication requests from wireless access points (APs), enabling WAPI authentication servers deployed in different data centers to form a disaster recovery backup relationship. This solves the problem that the current WAPI wireless network system cannot perform primary / backup switching between WAPI authentication servers deployed for disaster recovery.

[0086] In the aforementioned WAPI authentication message processing method, a WAPI authentication proxy system is deployed in the wireless LAN to form a disaster recovery backup WAPI authentication system with WAPI authentication servers deployed in different centers. The WAPI authentication proxy system detects the availability of each WAPI authentication server, and when it receives a WAPI certificate authentication request from a wireless access point, it selects the currently available or optimal target WAPI authentication server. Then, the WAPI authentication proxy system acts as an agent for the AP to perform the WAPI certificate authentication process with the selected WAPI authentication server. This method enables the WAPI authentication request to be processed by the backup WAPI authentication server when the primary WAPI authentication server is unavailable, or to select the optimal WAPI authentication server from multiple available WAPI authentication servers. This solves the problem that current WAPI wireless networks cannot switch between disaster recovery-deployed WAPI authentication servers. Therefore, in a multi-center disaster recovery architecture, wireless access points (APs) in the wireless network can switch between primary and backup WAPI authentication servers in multiple data centers, thereby achieving disaster recovery backup of WAPI authentication services and improving the reliability of WAPI wireless authentication.

[0087] In another embodiment, before sending a WAPI certificate probe request message to at least two WAPI authentication servers through the WAPI authentication proxy system, the method further includes: configuring the MAC addresses corresponding to the wireless terminal STA and the wireless access point AP; configuring the WAPI certificates corresponding to the wireless terminal STA and the wireless access point AP; and generating a WAPI certificate probe request message based on the MAC address and the WAPI certificate.

[0088] The MAC address can be a fixed MAC address specified through configuration, or it can be a MAC address randomly generated by the WAPI authentication agent system during initialization.

[0089] WAPI certificates can be either legitimate certificates issued by the WAPI certificate issuing system (i.e., certificates that can be verified by the WAPI authentication server) or WAPI certificates with a valid format but invalid content (i.e., certificates that meet the WAPI certificate format requirements but have not been issued by the WAPI certificate issuing system). Regardless of the certificate type, as long as the certificate format conforms to the WAPI protocol, the WAPI authentication server can process it and will not discard it directly due to an invalid format.

[0090] In its specific implementation, the WAPI authentication proxy system constructs a WAPI certificate probe request message when probing the service availability of the WAPI authentication server. This involves: pre-configuring or randomly generating the MAC addresses of the wireless terminal STA and the wireless access point AP; and pre-configuring or constructing the WAPI certificates of the wireless terminal STA and the wireless access point AP. The WAPI certificate can be either an authenticable or unauthenticable WAPI certificate, but its format must be valid. The WAPI certificate probe request message is constructed based on the aforementioned two MAC addresses and two WAPI certificates.

[0091] After configuring the MAC address and WAPI certificate, the WAPI authentication proxy system can generate WAPI certificate probe request messages based on this information. Specifically, the WAPI authentication proxy system can fill the MAC address of the configured wireless terminal (STA) and the MAC address of the wireless access point (AP) into the ADDID field of the WAPI certificate probe request message. The ADDID field can refer to the field specified in the WAPI protocol used to carry the MAC addresses of the wireless terminal (STA) and the wireless access point (AP). The WAPI authentication proxy system can also generate two random numbers, one as the AP challenge random number and the other as the STA challenge random number, and fill them into the corresponding fields. The length of the AP challenge random number and the STA challenge random number can be 256 bits. The WAPI authentication proxy system can also fill the STA certificate field and the AP certificate field with the configured WAPI certificate of the wireless terminal (STA) and the WAPI certificate of the wireless access point (AP), respectively. In this way, the WAPI authentication proxy system can construct WAPI certificate probe request messages that conform to the WAPI protocol.

[0092] The technical solution of this embodiment provides a method for generating WAPI certificate probe request messages, enabling the WAPI authentication proxy system to construct probe request messages that conform to the WAPI protocol, providing the necessary message foundation for subsequent service availability detection, and providing a flexible configuration method to reduce the complexity of probe implementation.

[0093] In another embodiment, the service availability determination result of each WAPI authentication server is determined based on the WAPI certificate probe response message returned by each WAPI authentication server in response to the WAPI certificate probe request message. This includes: obtaining the response time of the WAPI authentication server returning the WAPI certificate probe response message in response to the WAPI certificate probe request message; and determining that the service availability determination result of the WAPI authentication server is that it has service availability if the response time is less than a preset time threshold and the WAPI certificate probe response message passes the validity check.

[0094] In its implementation, the WAPI authentication proxy system can also record the time elapsed from the moment the WAPI certificate probe request message is sent to the moment the WAPI certificate probe response message is received, i.e., the response time. The response time refers to the length of time elapsed from the moment the WAPI authentication proxy system sends the WAPI certificate probe request message to the moment the WAPI authentication proxy system receives the WAPI certificate probe response message.

[0095] The response time reflects the processing capacity of the WAPI authentication server and the status of the communication link between the WAPI authentication agent system and the WAPI authentication server. A shorter response time indicates a stronger processing capacity of the WAPI authentication server or a smoother communication link; a longer response time indicates a weaker processing capacity of the WAPI authentication server or congestion in the communication link.

[0096] Then, the WAPI authentication proxy system determines whether the response time is less than a preset time threshold. The preset time threshold can be configured according to the actual application scenario; for example, it can be set to 3 seconds. If the response time is less than the preset time threshold, and the WAPI certificate probe response message passes the validity check, the WAPI authentication proxy system determines that the WAPI authentication server's service availability is satisfactory.

[0097] Specifically, the WAPI authentication proxy system can record the time when a WAPI certificate probe request message is sent and monitor whether a corresponding WAPI certificate probe response message is received within the timeout period. If the WAPI authentication proxy system receives a WAPI certificate probe response message within the timeout period, it will further perform a validity check on the WAPI certificate probe response message.

[0098] The validity check can include message format validity checks and signature information validity checks. Message format validity checks verify whether the WAPI certificate probe response message conforms to the message format specified in the WAPI protocol. Signature information validity checks verify the signature information in the WAPI certificate probe response message using a pre-configured root certificate to confirm that the WAPI certificate probe response message was indeed returned by a legitimate WAPI authentication server. The root certificate can be a public key certificate used to verify the signature information of the WAPI authentication server; this root certificate can be pre-configured in the WAPI authentication proxy system.

[0099] In its implementation, upon receiving a WAPI certificate probe response message, the WAPI authentication proxy system checks the format validity of the message and examines the signature information within it. When checking the signature information, the WAPI authentication proxy system uses the root certificate of the WAPI authentication server. This root certificate is imported through configuration, and since multiple WAPI authentication servers are backed up for disaster recovery, their root certificates are identical. Therefore, only one root certificate for the WAPI authentication server needs to be configured.

[0100] If the WAPI authentication proxy system receives a WAPI certificate probe response message within the timeout period, and the WAPI certificate probe response message passes the validity check, then the WAPI authentication proxy system determines that the service availability of the WAPI authentication server is satisfactory. Service availability means that the WAPI authentication server is currently able to normally receive and process authentication request messages.

[0101] If the WAPI authentication proxy system does not receive a WAPI certificate probe response message within the timeout period, or if the received WAPI certificate probe response message fails the validity check, the WAPI authentication proxy system determines that the service availability of the WAPI authentication server is unavailable. Unavailable service means that the WAPI authentication server is currently unable to receive or process authentication request messages normally, which may be due to network failure, server failure, or abnormal service processes.

[0102] The technical solution in this embodiment achieves accurate assessment of the availability of WAPI authentication server services through dual judgments of response time and legality checks, improving the accuracy and security of service availability determination and providing a reliable decision-making basis for subsequent target server selection.

[0103] In another embodiment, determining the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result includes: determining candidate WAPI authentication servers with service availability from among the WAPI authentication servers based on the service availability determination result; determining the primary WAPI authentication server from among the candidate WAPI authentication servers based on the service configuration information of the candidate WAPI authentication servers; and determining the primary WAPI authentication server as the target WAPI authentication server.

[0104] The service configuration information is used to indicate whether a candidate WAPI authentication server is the primary or backup WAPI authentication server. This service configuration information can be pre-configured within the WAPI authentication agent system, specifying the primary and backup roles of each WAPI authentication server. For example, the service configuration information could record that the first WAPI authentication server is the primary WAPI authentication server and the second WAPI authentication server is the backup WAPI authentication server.

[0105] The WAPI authentication proxy system can first select WAPI authentication servers from among all WAPI authentication servers that have been assessed as having service availability, based on the service availability assessment results. These selected WAPI authentication servers will then be designated as candidate WAPI authentication servers. Candidate WAPI authentication servers can refer to WAPI authentication servers that currently have service availability.

[0106] After obtaining candidate WAPI authentication servers, the WAPI authentication proxy system can query service configuration information to determine the primary WAPI authentication server from among the candidate WAPI authentication servers.

[0107] If the primary WAPI authentication server is a candidate WAPI authentication server (meaning its current service availability is assessed as having service availability), the WAPI authentication proxy system will designate the primary WAPI authentication server as the target WAPI authentication server. If the primary WAPI authentication server is not a candidate WAPI authentication server (meaning its current service availability is assessed as not having service availability), but the standby WAPI authentication server is a candidate WAPI authentication server, the WAPI authentication proxy system will designate the standby WAPI authentication server as the target WAPI authentication server.

[0108] The technical solution of this embodiment, by pre-configuring primary and backup information, realizes a disaster recovery mechanism that prioritizes the use of the primary server under normal circumstances and automatically switches to the backup server when the primary server fails, thus satisfying the continuity and reliability of wireless network services.

[0109] In another embodiment, determining the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result includes: determining candidate WAPI authentication servers with service availability from among the WAPI authentication servers based on the service availability determination result; and determining the target WAPI authentication server from among the candidate WAPI authentication servers based on the performance index quantification value of the candidate WAPI authentication servers.

[0110] In its implementation, the WAPI authentication proxy system first selects WAPI authentication servers from among all WAPI authentication servers that have been assessed as having service availability, based on the service availability determination results. These selected servers are then chosen as candidate WAPI authentication servers. Next, the WAPI authentication proxy system selects the target WAPI authentication server from the candidate WAPI authentication servers based on the quantified performance metrics of each candidate server.

[0111] Among them, the quantitative value of performance indicators can refer to numerical indicators that can reflect the performance of WAPI authentication server, including one or more of the following: response time, processing latency, current number of connections, and processing capacity.

[0112] Taking response time as a quantifiable performance metric, the WAPI authentication proxy system can select the candidate WAPI authentication server with the shortest response time from among various candidate WAPI authentication servers as the target WAPI authentication server. Since response time comprehensively reflects the processing capacity and communication link status of the WAPI authentication server, selecting the WAPI authentication server with the shortest response time can achieve load balancing and improve overall authentication efficiency.

[0113] If the performance metric quantification includes multiple metrics, the WAPI authentication agent system can perform weighted calculations on each metric to obtain a comprehensive score, and then select the candidate WAPI authentication server with the best comprehensive score as the target WAPI authentication server.

[0114] The technical solution in this embodiment achieves reasonable allocation of authentication requests by dynamically selecting based on the quantitative value of performance indicators, thereby improving overall authentication efficiency and resource utilization.

[0115] In another embodiment, the WAPI authentication proxy system can dynamically adjust the selection strategy of the target WAPI authentication server. For example, under normal circumstances, the WAPI authentication proxy system can use load balancing to select the target WAPI authentication server to fully utilize the processing capacity of each WAPI authentication server. When the response time of a WAPI authentication server is detected to continuously rise above a preset threshold, or when an anomaly is detected in the network link, the WAPI authentication proxy system can automatically switch to a primary / backup mode, prioritizing the primary WAPI authentication server to ensure the stability of the authentication service.

[0116] In another embodiment, sending WAPI certificate probe request messages to at least two WAPI authentication servers through the WAPI authentication proxy system includes: sending WAPI certificate probe request messages to at least two WAPI authentication servers through the WAPI authentication proxy system according to a preset sending period; wherein the preset sending period matches the disaster recovery switchover time requirement of the WAPI authentication system.

[0117] The preset sending period can be determined based on the disaster recovery switchover time requirements of the WAPI authentication system. The disaster recovery switchover time requirement refers to the maximum allowed time for the authentication service to switch to the backup WAPI authentication server when the primary WAPI authentication server fails. For example, if the disaster recovery switchover time requirement is 12 seconds, the preset sending period can be set to 4 seconds. This means that the WAPI authentication proxy system sends a WAPI certificate probe request message to each WAPI authentication server every 4 seconds. By setting a reasonable preset sending period, the WAPI authentication proxy system can promptly detect changes in the status of the WAPI authentication servers, thus enabling a rapid switchover to the backup WAPI authentication server when the primary WAPI authentication server fails, meeting the disaster recovery switchover time requirements.

[0118] In practice, the WAPI authentication proxy system can perform flow control on the sending of WAPI certificate probe request messages to avoid putting excessive pressure on the WAPI authentication server. Since the authentication processing capacity of a WAPI authentication server is typically no less than 500 requests per second, the sending frequency of the WAPI authentication proxy system during probes can be controlled within a range that does not affect the normal operation of the WAPI authentication server. For example, if the preset sending period is 4 seconds and the timeout is 3 seconds, the number of probe requests sent per second is far less than the processing capacity of the WAPI authentication server, and will not have a significant impact on the workload of the WAPI authentication server.

[0119] The technical solution of this embodiment introduces a periodic sending mechanism for probe request messages, and ensures the real-time performance and efficiency of service availability detection by matching the preset sending period with the disaster recovery switchover time requirements.

[0120] For the convenience of those skilled in the art, Figure 4 An exemplary logical diagram of a WAPI authentication proxy system acting as a proxy for the WAPI authentication process is provided. The IP address of the WAPI authentication server configured on the access point (AP) in the wireless network is the IP address of the WAPI authentication proxy system. The process by which the WAPI authentication proxy system proxies the AP's WAPI certificate authentication request is as follows:

[0121] S1: AP sends a WAPI certificate authentication request message to the WAPI authentication agent system, and the WAPI authentication agent system receives the WAPI certificate authentication request message;

[0122] S2: The WAPI authentication agent system selects the currently available WAPI authentication server based on a policy, such as selecting the first WAPI authentication server;

[0123] S3: The WAPI authentication agent system sends a WAPI certificate authentication request message to the first WAPI authentication server;

[0124] S4: The WAPI authentication agent system receives the certificate authentication response message from the first WAPI authentication server;

[0125] S5: The WAPI authentication agent system sends a WAPI certificate authentication response message to the AP.

[0126] In one embodiment, the WAPI authentication proxy system may include three core components:

[0127] WAPI probe message processing module: Implements the construction of WAPI certificate authentication messages for probe, and checks and processes the response to the WAPI certificate authentication request for probe.

[0128] WAPI Authentication Service Probe Module: Periodically sends WAPI certificate authentication requests constructed by the WAPI probe message processing module to the primary and backup servers, and receives response messages for the probe WAPI certificate authentication requests. Based on the received response messages, it determines the availability of the corresponding WAPI authentication server. If no response is received from the corresponding WAPI authentication server within the timeout period, the corresponding WAPI authentication server is determined to be unavailable; otherwise, it is determined to be available. The module also records the time consumed from sending the request to receiving the response.

[0129] WAPI Authentication Proxy Module: Receives WAPI certificate authentication response messages from APs in the wireless network on UDP port 3810. Based on the availability results of the WAPI authentication server detected by the WAPI Authentication Service Probe Module, it selects an available or optimal WAPI authentication server based on a policy. It then sends the AP's WAPI certificate authentication response message to the selected WAPI authentication server via UDP, receives the WAPI certificate authentication response message from the selected WAPI authentication server, and finally sends the WAPI certificate authentication response message to the corresponding AP.

[0130] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.

[0131] Based on the same inventive concept, this application also provides a WAPI authentication message processing apparatus for implementing the WAPI authentication message processing method described above. The solution provided by this apparatus is similar to the implementation described in the above method; therefore, the specific limitations in one or more WAPI authentication message processing apparatus embodiments provided below can be found in the limitations of the WAPI authentication message processing method described above, and will not be repeated here.

[0132] In one exemplary embodiment, such as Figure 5 As shown, a WAPI authentication message processing device is provided, applied to a WAPI authentication system. The WAPI authentication system includes a WAPI authentication proxy system and at least two WAPI authentication servers, which are deployed in different data centers. The WAPI authentication system is used to perform wireless access authentication on wireless terminals (STAs) and wireless access points (APs) accessing the WAPI wireless network. The device includes:

[0133] The authentication service detection module 510 is used to send WAPI certificate detection request messages to the at least two WAPI authentication servers through the WAPI authentication proxy system, and determine the service availability judgment result of each WAPI authentication server based on the WAPI certificate detection response messages returned by each WAPI authentication server in response to the WAPI certificate detection request messages.

[0134] The authentication proxy module 520 is used to receive WAPI certificate authentication request messages from wireless access points (APs) through the WAPI authentication proxy system, determine the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result, and send the WAPI certificate authentication request message to the target WAPI authentication server.

[0135] The authentication proxy module 520 is further configured to receive, through the WAPI authentication proxy system, a WAPI certificate authentication response message returned by the target WAPI authentication server in response to the WAPI certificate authentication request message, and send the WAPI certificate authentication response message to the wireless access point (AP).

[0136] In one embodiment, the WAPI authentication message processing device further includes a probe message processing module, which is specifically used to configure the MAC addresses corresponding to the wireless terminal STA and the wireless access point AP; configure the WAPI certificates corresponding to the wireless terminal STA and the wireless access point AP; and generate the WAPI certificate probe request message based on the MAC address and the WAPI certificate.

[0137] In one embodiment, the authentication service detection module 510 is specifically used to obtain the response time of the WAPI authentication server returning the WAPI certificate detection response message in response to the WAPI certificate detection request message; if the response time is less than a preset time threshold and the WAPI certificate detection response message passes the legality check, the service availability determination result of the WAPI authentication server is determined to be that it has service availability.

[0138] In one embodiment, the authentication proxy module 520 is specifically configured to: determine candidate WAPI authentication servers with service availability from among the WAPI authentication servers based on the service availability determination result; determine a primary WAPI authentication server from among the candidate WAPI authentication servers based on the service configuration information of the candidate WAPI authentication servers; the service configuration information is used to indicate whether the candidate WAPI authentication server is a primary WAPI authentication server or a backup WAPI authentication server; and determine the primary WAPI authentication server as the target WAPI authentication server.

[0139] In one embodiment, the authentication proxy module 520 is specifically used to determine, based on the service availability determination result, candidate WAPI authentication servers with service availability from among the WAPI authentication servers; and to determine the target WAPI authentication server from among the candidate WAPI authentication servers based on the performance index quantification value of the candidate WAPI authentication servers.

[0140] In one embodiment, the authentication proxy module 520 is specifically used to send WAPI certificate probe request messages to the at least two WAPI authentication servers through the WAPI authentication proxy system according to a preset sending period; wherein the preset sending period matches the disaster recovery switchover time requirement of the WAPI authentication system.

[0141] Each module in the aforementioned WAPI authentication message processing device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in hardware within or independently of the processor in a computer device, or stored in software within the memory of the computer device, so that the processor can invoke and execute the corresponding operations of each module.

[0142] In one exemplary embodiment, a computer device is provided, which may be a server and can be used to deploy the aforementioned WAPI authentication system. Its internal structure diagram can be as follows: Figure 6 As shown, this computer device includes a processor, memory, input / output interfaces (I / O), and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I / O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores authentication data. The I / O interfaces are used for exchanging information between the processor and external devices. The communication interface is used for communication with external terminals via a network connection. When executed by the processor, the computer program implements a WAPI authentication message processing method.

[0143] Those skilled in the art will understand that Figure 6The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.

[0144] In one exemplary embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps in the above-described method embodiments.

[0145] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the steps in the above method embodiments.

[0146] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps in the above method embodiments.

[0147] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.

[0148] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.

[0149] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.

[0150] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.

Claims

1. A WAPI authentication message processing method, characterized in that, The WAPI authentication system is applied to a WAPI authentication system, which includes a WAPI authentication agent system and at least two WAPI authentication servers, which are deployed in different data centers. The WAPI authentication system is used to perform wireless access authentication between wireless terminals (STAs) and wireless access points (APs) accessing the WAPI wireless network; the method includes: The WAPI authentication proxy system sends WAPI certificate probe request messages to at least two WAPI authentication servers, and determines the service availability of each WAPI authentication server based on the WAPI certificate probe response messages returned by each WAPI authentication server in response to the WAPI certificate probe request messages. The WAPI authentication proxy system receives WAPI certificate authentication request messages from wireless access points (APs), determines the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result, and sends the WAPI certificate authentication request message to the target WAPI authentication server. The WAPI authentication proxy system receives the WAPI certificate authentication response message returned by the target WAPI authentication server in response to the WAPI certificate authentication request message, and sends the WAPI certificate authentication response message to the wireless access point (AP).

2. The method according to claim 1, characterized in that, Before sending the WAPI certificate probe request message to the at least two WAPI authentication servers through the WAPI authentication proxy system, the method further includes: Configure the MAC addresses corresponding to the wireless terminal STA and the wireless access point AP respectively; Configure the WAPI certificates corresponding to the wireless terminal STA and the wireless access point AP respectively; Based on the MAC address and the WAPI certificate, a WAPI certificate probe request message is generated.

3. The method according to claim 1, characterized in that, The step of determining the service availability judgment result of each WAPI authentication server based on the WAPI certificate probe response message returned by each WAPI authentication server in response to the WAPI certificate probe request message includes: Obtain the response time of the WAPI authentication server in response to the WAPI certificate probe request message and the WAPI certificate probe response message; If the response time is less than a preset time threshold and the WAPI certificate probe response message passes the validity check, the service availability determination result of the WAPI authentication server is determined to be that it has service availability.

4. The method according to claim 1, characterized in that, The step of determining the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result includes: Based on the service availability determination result, candidate WAPI authentication servers with service availability are determined from each of the WAPI authentication servers; Based on the service configuration information of the candidate WAPI authentication servers, a primary WAPI authentication server is determined from the candidate WAPI authentication servers; the service configuration information is used to indicate whether the candidate WAPI authentication server is a primary WAPI authentication server or a backup WAPI authentication server. The primary WAPI authentication server is identified as the target WAPI authentication server.

5. The method according to claim 1, characterized in that, The step of determining the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result includes: Based on the service availability determination result, candidate WAPI authentication servers with service availability are determined from each of the WAPI authentication servers; The target WAPI authentication server is determined from the candidate WAPI authentication servers based on the quantified performance metrics of the candidate WAPI authentication servers.

6. The method according to claim 1, characterized in that, The step of sending a WAPI certificate probe request message to the at least two WAPI authentication servers through the WAPI authentication proxy system includes: The WAPI authentication proxy system sends WAPI certificate probe request messages to at least two WAPI authentication servers according to a preset sending period. The preset sending period is matched with the disaster recovery switchover time requirement of the WAPI authentication system.

7. A WAPI authentication message processing device, characterized in that, The WAPI authentication system is applied to a WAPI authentication system, which includes a WAPI authentication agent system and at least two WAPI authentication servers, which are deployed in different data centers. The WAPI authentication system is used to perform wireless access authentication on wireless terminals (STA) and wireless access points (AP) that access the WAPI wireless network. The device includes: The authentication service detection module is used to send WAPI certificate detection request messages to at least two WAPI authentication servers through the WAPI authentication proxy system, and determine the service availability judgment result of each WAPI authentication server based on the WAPI certificate detection response messages returned by each WAPI authentication server in response to the WAPI certificate detection request messages. The authentication proxy module is used to receive WAPI certificate authentication request messages from wireless access points (APs) through the WAPI authentication proxy system, determine the target WAPI authentication server from among the WAPI authentication servers based on the service availability determination result, and send the WAPI certificate authentication request message to the target WAPI authentication server. The authentication proxy module is further configured to receive, through the WAPI authentication proxy system, a WAPI certificate authentication response message returned by the target WAPI authentication server in response to the WAPI certificate authentication request message, and send the WAPI certificate authentication response message to the wireless access point (AP).

8. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.

9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.

10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.