Summary of the invention
Based on this, it is necessary to provide, for the problems referred to above, a wireless access point security authentication method and system that improve authentication accuracy.
A wireless access point security authentication method comprises the following steps:
sending a discovery request message from the wireless access point to a wireless controller, the discovery request message comprising the serial number and the MAC address of the wireless access point;
receiving the discovery request message at the wireless controller, parsing it to obtain the serial number and the MAC address of the wireless access point, and sending a discovery response message to the wireless access point, the discovery response message comprising the IP address information of the wireless controller;
receiving the discovery response message at the wireless access point, parsing it to obtain the IP address information of the wireless controller, binding the wireless access point to the wireless controller according to that IP address information, and sending a connection request message to the wireless controller;
receiving the connection request message at the wireless controller and judging whether the serial number and the MAC address of the wireless access point match a prestored serial number and MAC address;
if so, establishing a communication tunnel between the wireless controller and the wireless access point.
A wireless access point security authentication system comprises:
a sending module for sending a discovery request message from the wireless access point to a wireless controller, the discovery request message comprising the serial number and the MAC address of the wireless access point;
a request message parsing module for receiving the discovery request message at the wireless controller, parsing it to obtain the serial number and the MAC address of the wireless access point, and sending a discovery response message to the wireless access point, the discovery response message comprising the IP address information of the wireless controller;
a response message parsing module for receiving the discovery response message at the wireless access point, parsing it to obtain the IP address information of the wireless controller, binding the wireless access point to the wireless controller according to that IP address information, and sending a connection request message to the wireless controller;
a judging module for receiving the connection request message at the wireless controller and judging whether the serial number and the MAC address of the wireless access point match a prestored serial number and MAC address;
a communication connection module for establishing a communication tunnel between the wireless controller and the wireless access point when the judging module judges that the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address.
In the above wireless access point security authentication method and system, the wireless access point sends a discovery request message to the wireless controller; the wireless controller receives the discovery request message, parses it to obtain the serial number and the MAC address of the wireless access point, and sends a discovery response message to the wireless access point. The wireless access point receives the discovery response message, parses it to obtain the IP address information of the wireless controller, binds to the wireless controller according to that IP address information, and sends a connection request message to the wireless controller. The wireless controller receives the connection request message and judges whether the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address; if so, it establishes a communication tunnel with the wireless access point. Whether the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address is used as the basis for deciding whether the wireless access point is allowed to connect, which prevents unallowed wireless access points from connecting to the wireless controller. Compared with traditional wireless access point security authentication methods, authentication accuracy is improved.
Embodiment
To make the above objects, features and advantages of the present invention clearer, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings. Many details are set forth in the following description to give a full understanding of the present invention. The present invention can, however, be implemented in many ways other than those described here, and those skilled in the art can make similar improvements without departing from the spirit of the present invention; the present invention is therefore not limited to the specific embodiments disclosed below.
Unless otherwise defined, all technical and scientific terms used herein have the meaning commonly understood by those skilled in the art to which the present invention belongs. The terms used in the specification of the present invention are only for describing specific embodiments and are not intended to limit the present invention.
A wireless access point security authentication method, as shown in Figure 1, comprises the following steps:
Step S120: sending a discovery request message from the wireless access point to the wireless controller.
The discovery request message comprises the serial number and the MAC (Media Access Control) address of the wireless access point, which serve as the basis for the security authentication judgment in the subsequent steps. The wireless access point may search for and detect the wireless controller and then send the discovery request message to it. There are several ways in which the wireless access point can send the discovery request message; specifically, it can be sent to the wireless controller in static mode, unicast mode, broadcast mode or OPTION43 (DHCP option 43) mode.
Further, the discovery request message may specifically comprise five parts: a message type, a server number, an identification code, a message element and a message element length. The message element carries the hardware version information and the MAC address of the wireless access point; the hardware version information comprises the serial number of the wireless access point, which distinguishes different wireless access points from one another. The hardware version information may also comprise the model of the wireless access point, a manufacturer extended serial number, the hardware version number of the wireless access point, and so on. In addition, the message element may also carry one or more of a discovery type value, hardware configuration information and the tunnel types supported by the wireless access point.
Step S130: receiving the discovery request message at the wireless controller, parsing it to obtain the serial number and the MAC address of the wireless access point, and sending a discovery response message to the wireless access point.
The wireless controller parses the received discovery request message, extracts and caches the data carried in it, and, once that data has been obtained, sends the discovery response message to the wireless access point. The discovery response message comprises the IP address information of the wireless controller, which the wireless access point uses in a subsequent step to bind to the wireless controller. The IP address information may specifically comprise the usable interface addresses of the wireless controller and the number of wireless access points already connected to each usable interface, so that the wireless access point to be connected can make a binding selection. In addition, the discovery response message may also comprise one or more of the state information, an identifier and a priority number of the wireless controller: the state information indicates the controller's current state, such as operating or dead; the identifier serves to identify the controller; and the priority number lets the wireless access point select and bind to the wireless controller with the highest priority.
Step S140: receiving the discovery response message at the wireless access point, parsing it to obtain the IP address information of the wireless controller, binding the wireless access point to the wireless controller according to that IP address information, and sending a connection request message to the wireless controller.
The wireless access point receives and parses the discovery response message and, having obtained the IP address information of the wireless controller, binds to the wireless controller. Taking as an example IP address information that comprises the usable interface addresses of the wireless controller and the number of wireless access points already connected to each usable interface, the wireless access point selects a suitable usable interface address according to the number of wireless access points already connected and binds to the selected usable interface address of the wireless controller; this provides the basis for data communication after authentication has passed. After binding to the selected usable interface address of the wireless controller, the wireless access point sends a connection request message to the wireless controller.
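The discovery exchange of steps S120 to S140 as an added example in Python; it is not code from the patent. The patent names the five message parts and the sub-elements but gives no field widths, type codes or selection rule, so the wire layout, the sub-element codes and the "bind to the least loaded usable interface" rule below are assumptions.

```python
import struct

# Assumed wire layout (the patent names the five parts but not their widths):
# message type (1 byte), server number (2 bytes), identification code (4 bytes),
# message element length (2 bytes), then the message element; all big-endian.
HEADER = struct.Struct("!BHIH")
MSG_DISCOVERY_REQUEST = 0x01
# Assumed sub-element codes inside the message element (type, length, value).
EL_SERIAL, EL_MAC, EL_MODEL, EL_HW_VERSION = 1, 2, 3, 4
TEXT_ELEMENTS = {EL_SERIAL: "serial", EL_MODEL: "model", EL_HW_VERSION: "hw_version"}

def _tlv(el_type: int, value: bytes) -> bytes:
    return struct.pack("!BH", el_type, len(value)) + value

def mac_to_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def build_discovery_request(server_no: int, ident: int, serial: str, mac: str,
                            model: str = "", hw_version: str = "") -> bytes:
    """Access point side of step S120: serial number and MAC are mandatory."""
    element = _tlv(EL_SERIAL, serial.encode()) + _tlv(EL_MAC, mac_to_bytes(mac))
    for el_type, text in ((EL_MODEL, model), (EL_HW_VERSION, hw_version)):
        if text:  # optional hardware version fields
            element += _tlv(el_type, text.encode())
    return HEADER.pack(MSG_DISCOVERY_REQUEST, server_no, ident, len(element)) + element

def parse_discovery_request(packet: bytes) -> dict:
    """Controller side of step S130: extract the fields the controller caches.
    Every announced length is checked against the buffer before it is used."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated header")
    msg_type, server_no, ident, elen = HEADER.unpack_from(packet)
    if msg_type != MSG_DISCOVERY_REQUEST:
        raise ValueError(f"unexpected message type {msg_type}")
    element = packet[HEADER.size:HEADER.size + elen]
    if len(element) != elen:
        raise ValueError("message element length exceeds packet")
    fields = {"server_no": server_no, "ident": ident}
    offset = 0
    while offset < len(element):
        if offset + 3 > len(element):
            raise ValueError("truncated sub-element header")
        el_type, length = struct.unpack_from("!BH", element, offset)
        offset += 3
        value = element[offset:offset + length]
        if len(value) != length:
            raise ValueError("sub-element overruns message element")
        offset += length
        if el_type == EL_MAC:
            if length != 6:
                raise ValueError("MAC sub-element must be 6 bytes")
            fields["mac"] = ":".join(f"{b:02x}" for b in value)
        elif el_type in TEXT_ELEMENTS:
            fields[TEXT_ELEMENTS[el_type]] = value.decode()
        # unknown sub-elements (discovery type, tunnel types, ...) are skipped
    if "serial" not in fields or "mac" not in fields:
        raise ValueError("discovery request lacks serial number or MAC address")
    return fields

def choose_controller_interface(interfaces: list) -> str:
    """Access point side of step S140: `interfaces` holds (usable interface
    address, access points already connected) pairs from the discovery response."""
    if not interfaces:
        raise ValueError("discovery response carried no usable interface")
    return min(interfaces, key=lambda entry: entry[1])[0]
```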
Step S150: receiving the connection request message at the wireless controller and judging whether the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address.
The wireless controller receives the connection request message and judges whether the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address; if so, step S160 is carried out.
The number of prestored serial numbers and MAC addresses may be one, or two or more. In one embodiment, the serial numbers and MAC addresses prestored in the wireless controller are stored in the form of a list, giving an allow access control list. Specifically, an SQLite database may be built and an allow access control list (ACL) created in it to store the serial numbers and MAC addresses. The allow access control list may comprise three columns, a number, a wireless access point serial number and a wireless access point MAC address, which respectively store the number of each wireless access point allowed to connect and its corresponding serial number and MAC address. Storing the serial numbers and MAC addresses in the form of a list makes the subsequent matching operation convenient, fast and resistant to error, improving matching reliability.
Step S160: establishing a communication tunnel between the wireless controller and the wireless access point.
If the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address, the wireless access point to be connected is legitimate; a DTLS handshake is carried out and a communication tunnel is established between the wireless access point and the wireless controller.
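The allow access control list of step S150 and the controller's decision in steps S160 and S170, as an added example in Python that is not the patent's own code. It uses Python's sqlite3 module with an assumed table schema (the patent names the three columns only), and it treats a match as both values agreeing on the same list row; the MAC normalisation is also an assumption.

```python
import sqlite3

# Assumed schema (the patent names the three columns but gives no types):
# number, access point serial number, access point MAC address.
CREATE_ALLOW_LIST = """
CREATE TABLE IF NOT EXISTS allow_access_control_list (
    number    INTEGER PRIMARY KEY,
    ap_serial TEXT NOT NULL,
    ap_mac    TEXT NOT NULL,
    UNIQUE (ap_serial, ap_mac)
)
"""

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so that '00-11-22-33-44-55' or
    '0011.2233.4455' spellings of a listed address still compare equal."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def open_allow_list(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(CREATE_ALLOW_LIST)
    return conn

def add_allowed_access_point(conn: sqlite3.Connection, serial: str, mac: str) -> None:
    # Parameter binding keeps a serial number copied from a label from ever
    # being interpreted as SQL.
    conn.execute(
        "INSERT OR IGNORE INTO allow_access_control_list (ap_serial, ap_mac) VALUES (?, ?)",
        (serial.strip(), normalize_mac(mac)))
    conn.commit()

def is_access_point_allowed(conn: sqlite3.Connection, serial: str, mac: str) -> bool:
    """Step S150: both values must match on the same row; a listed serial
    reported with a different MAC (or the reverse) is not a match."""
    row = conn.execute(
        "SELECT 1 FROM allow_access_control_list WHERE ap_serial = ? AND ap_mac = ?",
        (serial.strip(), normalize_mac(mac))).fetchone()
    return row is not None

def handle_connection_request(conn: sqlite3.Connection, serial: str, mac: str) -> tuple:
    """Controller decision on a connection request: step S160 on a match,
    step S170 (preset warning) otherwise. Returns (action, detail)."""
    try:
        allowed = is_access_point_allowed(conn, serial, mac)
    except ValueError as exc:
        # An unparseable MAC cannot be on the list; treat it like a mismatch.
        return ("alarm", f"rejected connection request: {exc}")
    if allowed:
        return ("establish_tunnel",
                f"access point {serial} / {normalize_mac(mac)} is allowed; start DTLS handshake")
    return ("alarm", f"unallowed access point {serial} / {mac} attempted to connect")
```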
In the above wireless access point security authentication method, whether the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address is used as the basis for deciding whether the wireless access point is allowed to connect, which prevents unallowed wireless access points from connecting to the wireless controller. Compared with traditional wireless access point security authentication methods, authentication accuracy is improved.
In one embodiment, the method further comprises, before step S120, a step of creating the discovery request message at the wireless access point.
The serial numbers of different wireless access points are different and can be obtained directly from the hardware version information of the wireless access point. In the present embodiment, the MAC address of the wireless access point is obtained through the sockets interface. The serial number and the MAC address of the wireless access point can be stored in the WTP (wireless termination point) board data structure, and the serial number and the MAC address in the WTP board data structure are then recombined to obtain the discovery request message.
The sockets interface is the interface that network applications use when communicating through the network protocol stack; it allows several program processes to share the transport and is highly portable. The IP address of the communication target, the transport layer protocol and the port number in use are bound to a socket, so the application layer can distinguish communications from different application processes or network connections by socket and provide concurrent data transfer services. Obtaining the MAC address of the wireless access point through the sockets interface is convenient to operate and low in implementation cost.
In one embodiment, as shown in Figure 2, if the serial number and the MAC address of the wireless access point do not match the prestored serial number and MAC address, the method further comprises step S170.
Step S170: outputting a preset warning message from the wireless controller.
If the serial number and MAC address are judged not to match, the wireless access point to be connected is illegitimate, and a warning message is output to alert the staff. The warning message may be a picture, text or audio information, etc. In the present embodiment, step S170 specifically consists of displaying preset picture and text on a display and, at the same time, playing a preset audio file through a loudspeaker as an alarm, so that the staff learn of it in time.
Continuing to refer to Figure 2, in one embodiment the method may further comprise step S180 after step S160.
Step S180: sending a connection response message from the wireless controller to the wireless access point.
After judging that the wireless access point to be connected is legitimate, the wireless controller sends a connection response message to the wireless access point to inform it that the security authentication has passed and the data communication flow can proceed.
In one embodiment, the method may further comprise step S132 after step S130.
Step S132: storing the discovery request message at the wireless controller.
The wireless controller stores the discovery request message sent by the wireless access point, which provides a data basis for staff to carry out subsequent operations such as system rectification and maintenance.
The present invention also provides a wireless access point security authentication system which, as shown in Figure 3, comprises a sending module 120, a request message parsing module 130, a response message parsing module 140, a judging module 150 and a communication connection module 160.
The sending module 120 is used for sending a discovery request message from the wireless access point to the wireless controller.
The discovery request message comprises the serial number and the MAC address of the wireless access point, which serve as the basis for the security authentication judgment in the subsequent steps. There are several ways in which the wireless access point can send the discovery request message; specifically, it can be sent to the wireless controller in static mode, unicast mode, broadcast mode or OPTION43 (DHCP option 43) mode.
Further, the discovery request message may specifically comprise five parts: a message type, a server number, an identification code, a message element and a message element length. The message element carries the hardware version information and the MAC address of the wireless access point; the hardware version information comprises the serial number of the wireless access point, which distinguishes different wireless access points from one another. The hardware version information may also comprise the model of the wireless access point, a manufacturer extended serial number, the hardware version number of the wireless access point, and so on. In addition, the message element may also carry one or more of a discovery type value, hardware configuration information and the tunnel types supported by the wireless access point.
The request message parsing module 130 is used for receiving the discovery request message at the wireless controller, parsing it to obtain the serial number and the MAC address of the wireless access point, and sending a discovery response message to the wireless access point.
The discovery response message comprises the IP address information of the wireless controller, which the wireless access point uses in a subsequent step to bind to the wireless controller. The IP address information may specifically comprise the usable interface addresses of the wireless controller and the number of wireless access points already connected to each usable interface, so that the wireless access point to be connected can make a binding selection. In addition, the discovery response message may also comprise one or more of the state information, an identifier and a priority number of the wireless controller: the state information indicates the controller's current state, such as operating or dead; the identifier serves to identify the controller; and the priority number lets the wireless access point select and bind to the wireless controller with the highest priority.
The response message parsing module 140 is used for receiving the discovery response message at the wireless access point, parsing it to obtain the IP address information of the wireless controller, binding the wireless access point to the wireless controller according to that IP address information, and sending a connection request message to the wireless controller.
Taking as an example IP address information that comprises the usable interface addresses of the wireless controller and the number of wireless access points already connected to each usable interface, the wireless access point selects a suitable usable interface address according to the number of wireless access points already connected and binds to the selected usable interface address of the wireless controller; this provides the basis for data communication after authentication has passed. After binding to the selected usable interface address of the wireless controller, the wireless access point sends a connection request message to the wireless controller.
The judging module 150 is used for receiving the connection request message at the wireless controller and judging whether the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address.
The number of prestored serial numbers and MAC addresses may be one, or two or more. In one embodiment, the serial numbers and MAC addresses prestored in the wireless controller are stored in the form of a list, giving an allow access control list. Specifically, an SQLite database may be built and an allow access control list (ACL) created in it to store the serial numbers and MAC addresses. The allow access control list may comprise three columns, a number, a wireless access point serial number and a wireless access point MAC address, which respectively store the number of each wireless access point allowed to connect and its corresponding serial number and MAC address. Storing the serial numbers and MAC addresses in the form of a list makes the subsequent matching operation convenient, fast and resistant to error, improving matching reliability.
The communication connection module 160 is used for establishing a communication tunnel between the wireless controller and the wireless access point when the judging module 150 judges that the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address.
If the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address, the wireless access point to be connected is legitimate; a DTLS handshake is carried out and a communication tunnel is established between the wireless access point and the wireless controller.
In the above wireless access point security authentication system, whether the serial number and the MAC address of the wireless access point match the prestored serial number and MAC address is used as the basis for deciding whether the wireless access point is allowed to connect, which prevents unallowed wireless access points from connecting to the wireless controller. Compared with traditional wireless access point security authentication methods, authentication accuracy is improved.
In one embodiment, the wireless access point security authentication system further comprises a message creation module for creating the discovery request message at the wireless access point before the sending module 120 sends the discovery request message from the wireless access point to the wireless controller.
The serial numbers of different wireless access points are different and can be obtained directly from the hardware version information of the wireless access point. In the present embodiment, the MAC address of the wireless access point is obtained through the sockets interface. The serial number and the MAC address of the wireless access point can be stored in the WTP board data structure, and the serial number and the MAC address in the WTP board data structure are then recombined to obtain the discovery request message. Obtaining the MAC address of the wireless access point through the sockets interface is convenient to operate and low in implementation cost.
In one embodiment, as shown in Figure 4, the wireless access point security authentication system further comprises an alarm module 170, which outputs a preset warning message from the wireless controller when the judging module 150 judges that the serial number and the MAC address of the wireless access point do not match the prestored serial number and MAC address.
If the serial number and MAC address are judged not to match, the wireless access point to be connected is illegitimate, and a warning message is output to alert the staff. The warning message may be a picture, text or audio information, etc. In the present embodiment, this specifically consists of displaying preset picture and text on a display and, at the same time, playing a preset audio file through a loudspeaker as an alarm, so that the staff learn of it in time.
Continuing to refer to Figure 4, in one embodiment the wireless access point security authentication system further comprises a return module 180 for sending a connection response message from the wireless controller to the wireless access point after the communication connection module 160 has established the communication tunnel between the wireless controller and the wireless access point.
After judging that the wireless access point to be connected is legitimate, the wireless controller sends a connection response message to the wireless access point to inform it that the security authentication has passed and the data communication flow can proceed.
In one embodiment, the wireless access point security authentication system further comprises a storage module 190 for storing the discovery request message at the wireless controller after the request message parsing module 130 has received the discovery request message at the wireless controller, parsed it to obtain the serial number and the MAC address of the wireless access point, and sent the discovery response message to the wireless access point.
The discovery request message sent by the wireless access point is stored, which provides a data basis for staff to carry out subsequent operations such as system rectification and maintenance.
The above embodiments express only several implementations of the present invention and are described in relatively specific detail, but this should not be interpreted as limiting the scope of the claims of the present invention. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present invention, all of which fall within the protection scope of the present invention. Therefore, the protection scope of the present patent shall be governed by the appended claims.