WO2015042917A1 - Wireless secure access method, apparatus and system - Google Patents


Publication number
WO2015042917A1
Authority
WO
WIPO (PCT)
Prior art keywords
security access
access mode
security
web portal
secure access
Application number
PCT/CN2013/084616
Inventor
吴义壮
崔洋
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN201380002577.XA (patent CN105264932A)
Priority to PCT/CN2013/084616 (patent WO2015042917A1)
Publication of WO2015042917A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W48/10 Access restriction or access information delivery, e.g. discovery data delivery using broadcasted information

Definitions

  • The present invention relates to radio access technology, and in particular to a wireless security access method, apparatus, and system, and belongs to the field of wireless communication technologies.
  • Background technique
  • A wireless local area network (WLAN) is a very convenient data transmission system that uses radio frequency (RF) technology in place of the twisted-pair copper wiring of a traditional local area network.
  • WLAN is a wireless access technology that provides a high transmission rate and is considered a useful complement to wide area wireless networks. In the workplace, at home, and in public hotspots, WLANs are increasingly deployed. Users can access Wi-Fi networks using laptops, cameras, mobile phones, game consoles, and a growing range of consumer electronics devices.
  • WLAN secure access modes mainly include Wired Equivalent Privacy (WEP), Open (Web Portal, also known as portal), and Wi-Fi Protected Access (WPA).
  • In the prior art, WLAN access points (APs) with different security access modes broadcast different service set identifiers (SSIDs) for access by user equipment (UE).
  • An SSID can only correspond to one wireless security access mode. Therefore, if multiple secure access modes need to be supported, multiple WLANs need to be deployed, with an SSID set for each WLAN, or one WLAN has to broadcast multiple SSIDs. When the UE accesses the wireless network, it needs to try each detected SSID until access succeeds, which is not flexible enough and wastes wireless network resources.
  • The embodiments of the present invention provide a wireless security access method, device, and system, so as to improve the flexibility with which the UE accesses the AP by using different wireless security access modes.
  • an embodiment of the present invention provides a wireless security access method, including: the AP sends a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, and the security capability information of the AP includes capability information of multiple security access modes, where the SSID corresponds to the multiple security access modes;
  • the AP receives a selected secure access mode sent by the UE, where the selected secure access mode is a secure access mode selected by the UE from the multiple security access modes in the protocol frame;
  • the AP sets its own secure access mode based on the selected secure access mode.
  • the multiple security access modes include: a Web Portal secure access mode and a non-Web Portal secure access mode, and the SSID simultaneously corresponds to the Web Portal secure access mode and the non-Web Portal secure access mode.
  • the capability information of the web portal security access mode is implemented by:
  • the information element is included in the protocol frame to indicate that the network supports the web portal secure access mode, that is, the capability information of the web portal secure access mode; or
  • a field of an information element included in the protocol frame is extended, that is, a field is added to the information element to indicate network support for the Web Portal secure access mode, that is, the capability information of the Web Portal secure access mode.
  • the sending, by the AP, the protocol frame to the UE includes:
  • the AP sends a probe response frame to the UE according to the probe request frame sent by the UE.
  • the AP receiving the selected security access mode sent by the UE includes: the AP receives the association request information sent by the UE, acquires parameter information of the selected security access mode carried in the association request information, and acquires the corresponding selected security access mode according to the parameter information; or
  • the method further includes:
  • the AP sends a secure access authentication request message to the UE according to the secure access authentication mechanism.
  • the method further includes:
  • if the secure access mode selected by the UE is a non-Web Portal secure access mode:
  • after receiving the security access authentication failure indication message sent by the UE, the AP changes the security access mode of the WLAN to the Web Portal security access mode, and initiates a Web Portal security access process to the UE; or
  • the AP sends a secure access authentication failure message to the UE after the secure access authentication of the UE fails, so that the UE triggers the Web Portal secure access process after receiving the authentication failure message; or
  • the AP sends a secure access authentication failure message to the UE after the secure access authentication of the UE fails, and triggers the Web Portal access process.
  • an embodiment of the present invention provides a wireless security access method, including:
  • the protocol frame includes an SSID and security capability information of the AP, where the security capability information of the AP includes capability information of multiple security access modes, where the SSID corresponds to the multiple security access modes;
  • the UE selects one of the multiple secure access modes in the protocol frame as the selected secure access mode;
  • the UE notifies the AP of the selected secure access mode.
  • the multiple security access modes include: a Web Portal secure access mode and a non-Web Portal secure access mode, and the SSID simultaneously corresponds to the Web Portal secure access mode and the non-Web Portal secure access mode.
  • the UE receives the protocol frame sent by the AP, and includes:
  • after the UE sends a probe request frame to the AP, the UE receives the probe response frame sent by the AP.
  • the UE notifying the AP of the selected security access mode includes: the UE sends association request information carrying parameter information of the selected security access mode to the AP; or
  • the UE selects a corresponding identity or constructs a corresponding identity according to the selected secure access mode according to a predetermined policy, and sends a secure access authentication response message to the AP by using the identity.
  • before the UE selects a corresponding identity according to the selected security access mode based on a predetermined policy and uses the identity to send a secure access authentication response message to the AP, the method further includes:
  • the UE sends association request information to the AP, where the association request information carries security access authentication mechanism information;
  • the UE receives a secure access authentication request message sent by the AP to the UE according to the secure access authentication mechanism information.
  • the method further includes:
  • if the secure access mode selected by the UE is a non-Web Portal secure access mode, the UE sends a secure access authentication failure message to the AP when the UE fails to authenticate the network where the AP is located. After receiving the secure access authentication failure message sent by the AP, the UE initiates a Web Portal security access process to the AP.
  • an embodiment of the present invention provides a wireless security access device, including:
  • a sending module configured to send a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, where the security capability information of the AP includes capability information of multiple security access modes, where the SSID corresponds to the multiple secure access modes;
  • the multiple security access modes include: a Web Portal secure access mode and a non-Web Portal secure access mode, and the SSID simultaneously corresponds to the Web Portal secure access mode and the non-Web Portal secure access mode.
  • the capability information of the web portal security access mode is implemented by:
  • the information element is included in the protocol frame to indicate that the network supports the web portal secure access mode, that is, the capability information of the web portal secure access mode; or
  • the sending module is specifically configured to:
  • the receiving module is specifically configured to:
  • the receiving module is further configured to receive association request information sent by the UE, and obtain a secure access authentication mechanism indicated in the association request information;
  • the sending module is further configured to send a secure access authentication request message to the UE according to the secure access authentication mechanism.
  • the method further includes:
  • a change module configured to: after the setting module sets its own secure access mode based on the selected secure access mode, if the secure access mode selected by the UE is a non-Web Portal secure access mode, after receiving the security access authentication failure indication message sent by the UE, change the security access mode of the WLAN to the Web Portal security access mode and initiate the Web Portal security access process to the UE; or
  • the sending module is specifically configured to: after the setting module sets its own secure access mode based on the selected secure access mode, if the secure access mode selected by the UE is a non-Web Portal secure access mode, after the secure access authentication of the UE fails, send a secure access authentication failure message to the UE so that the UE triggers the Web Portal secure access process after receiving the authentication failure message; or send a secure access authentication failure message to the UE and trigger the Web Portal access process.
  • an embodiment of the present invention provides a wireless security access device, including:
  • a receiving module configured to receive a protocol frame sent by the AP, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
  • a selection module configured to select one of the multiple secure access modes in the protocol frame as the selected secure access mode;
  • a sending module configured to notify the AP of the selected secure access mode.
  • the multiple security access modes include: a Web Portal secure access mode and a non-Web Portal secure access mode, and the SSID simultaneously corresponds to the Web Portal secure access mode and the non-Web Portal secure access mode.
  • the receiving module is specifically configured to:
  • the probe response frame sent by the AP is received.
  • the sending module is specifically configured to:
  • the sending module selects a corresponding identity or constructs a corresponding identity according to the selected secure access mode based on a predetermined policy, and sends the secure access authentication response message to the AP using the identity.
  • the sending module is specifically configured to send association request information to the AP, where the association request information carries security access authentication mechanism information;
  • the receiving module is specifically configured to receive a secure access authentication request message that is sent by the AP to the UE according to the information about the secure access authentication mechanism.
  • the sending module is further configured to: if the security access mode selected by the UE is a non-Web Portal secure access mode, send a secure access authentication failure message to the AP when the UE fails to authenticate the network where the AP is located; or
  • the sending module after the receiving module receives the security access authentication failure message sent by the AP, initiates a Web Portal security access process to the AP.
  • a fifth aspect of the present invention provides a wireless security access device, including:
  • a transmitter configured to send a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, and the security capability information of the AP includes capability information of multiple security access modes, where the SSID corresponds to the multiple secure access modes;
  • a receiver configured to receive a selected secure access mode sent by the UE, where the selected secure access mode is a secure access mode selected by the UE from the multiple security access modes in the protocol frame
  • an embodiment of the present invention provides a wireless security access device, including:
  • a receiver configured to receive a protocol frame sent by the AP, where the protocol frame includes an SSID and security capability information of the AP, where the security capability information of the AP includes capability information of multiple security access modes, where the SSID corresponds to the multiple security access modes;
  • a processor configured to select one of the multiple secure access modes in the protocol frame as the selected secure access mode;
  • a transmitter configured to notify the AP of the selected secure access mode.
  • a seventh aspect of the present invention provides a wireless security access system, including an AP and a UE of a WLAN, where:
  • the AP includes the wireless security access device of the fifth aspect
  • the UE includes the wireless security access device of the sixth aspect.
  • The invention includes, in the protocol message that sends an SSID, the parameter information of the various security access modes supported by the WLAN, in particular the parameter information of the Web Portal secure access mode. This solves the prior-art problem that one SSID cannot support the Web Portal secure access mode and other secure access modes at the same time, makes the user equipment more flexible when accessing the wireless network, and saves wireless network resources.
  • FIG. 2 is a flowchart of Embodiment 2 of a wireless security access method according to the present invention.
  • FIG. 3 is a flowchart of Embodiment 3 of a wireless security access method according to the present invention.
  • FIG. 4 is a flowchart of Embodiment 4 of a wireless security access method according to the present invention.
  • FIG. 5 is a flowchart of Embodiment 5 of a wireless security access method according to the present invention.
  • FIG. 6 is a flowchart of Embodiment 6 of a wireless security access method according to the present invention.
  • FIG. 7 is a structural diagram of Embodiment 1 of a wireless security access device according to the present invention.
  • FIG. 8 is a structural diagram of Embodiment 2 of a wireless security access device according to the present invention.
  • FIG. 9 is a structural diagram of Embodiment 3 of a wireless security access device according to the present invention.
  • FIG. 10 is a structural diagram of Embodiment 4 of a wireless security access device according to the present invention.
  • FIG. 11 is a structural diagram of Embodiment 5 of a wireless security access device according to the present invention.
  • FIG. 12 is a structural diagram of Embodiment 1 of a wireless security access system according to the present invention.
  • Detailed description
  • FIG. 1 is a flowchart of Embodiment 1 of a wireless security access method according to the present invention.
  • the method execution entity of this embodiment is a wireless security access device, and the device can be implemented in the form of hardware or software, and can be configured in an AP in a WLAN.
  • the WLAN can support the Web Portal secure access mode. As shown in Figure 1, the method includes the following steps:
  • Step 101 The AP sends a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, and the security capability information of the AP includes capability information of multiple security access modes, where the SSID corresponds to the multiple secure access modes;
  • the multiple security access modes include: a Web Portal secure access mode and a non-Web Portal secure access mode, and the SSID corresponds to the Web Portal secure access mode and the non-Web Portal secure access mode simultaneously.
  • In the prior art, an SSID can only support one type of security access mode. In this embodiment, the security capability information of the AP includes multiple security access modes and the SSID corresponds to the multiple security access modes, so one SSID supports multiple secure access modes.
  • the AP security capability information includes an access authentication mode or a data encryption method used in the secure access mode.
  • the access authentication method may include pre-shared key (PSK) and IEEE 802.1X;
  • the data encryption method may include CTR with CBC-MAC Protocol (CCMP), Temporal Key Integrity Protocol (TKIP), WEP-40 and WEP-104.
  • the web portal security capability indication information is an indication that the WLAN network supports access using a web portal.
  • the Web Portal secure access mode is based on the authentication method of the user name and password.
  • the data is not encrypted, that is, there is no encryption method. Therefore, unlike other secure access modes, there is no parameter information involved in authentication and encryption.
  • The embodiment of the present invention can indicate in an IE of the protocol message that the WLAN supports the Web Portal secure access mode in the following ways.
  • the capability information of the Web Portal security access mode is implemented by: using a reserved value of a field, or a reserved field, of an information element included in the protocol frame to indicate network support for the Web Portal secure access mode; or
  • a field of an information element included in the protocol frame is extended, that is, a field is added to the information element to indicate network support for the Web Portal secure access mode, that is, the capability information of the Web Portal secure access mode.
  • the AP sends a protocol frame that carries the AP security capability information to the UE, including:
  • the AP sends a beacon frame to the UE, where the beacon frame carries the AP security capability information; or
  • after receiving the probe request frame sent by the UE, the AP sends a probe response frame to the UE, where the probe response frame carries the AP security capability information.
  • The protocol frame (beacon or probe response) contains only one SSID.
  • Step 102 The AP receives a selected secure access mode sent by the UE, where the selected secure access mode is a secure access mode selected by the UE from the multiple security access modes in the protocol frame.
  • The UE learns the security access modes supported by the WLAN from the protocol message sent by the AP and, according to the secure access modes supported by the UE, the network state, encryption registration, or personal habits, selects one of the multiple secure access modes and notifies the AP of the selected secure access mode.
  • the parameter information of each security access mode may be carried.
  • the security access mode is WPA2
  • the following parameters may be carried in the protocol message.
  • Step 103 The AP sets its own secure access mode based on the selected secure access mode.
  • the AP performs corresponding configuration on the WLAN according to the obtained security access mode information selected by the UE.
  • the AP sends the message to the UE.
  • the access process of the secure access mode negotiated by both parties.
  • the AP is a fat AP, that is, the AP and the Access Controller (AC) node function are integrated on a fat AP. When the two are deployed separately, functions such as security-related settings are completed by the AC.
  • A fat AP has, in addition to the wireless access function, two interfaces (WAN and LAN), and supports a Dynamic Host Configuration Protocol (DHCP) server, Domain Name System (DNS), Media Access Control (MAC) address cloning, virtual private network (VPN) access, a firewall and other security functions.
  • A thin AP is only a wireless AP product that cannot be configured or used by itself. It is only part of a WLAN system that is responsible for managing installation and operation.
  • In the prior art, an SSID cannot correspond to multiple security access modes at the same time. In this embodiment, the protocol frame includes the SSID and the security capability information of the AP, the security capability information of the AP includes multiple security access modes, and the SSID corresponds to the multiple security access modes. The protocol message in which the AP broadcasts one SSID therefore offers the UE multiple wireless security access modes, so that the user equipment is more flexible when accessing the wireless network, and wireless network resources are saved.
  • FIG. 2 is a flowchart of Embodiment 2 of a wireless security access method according to the present invention.
  • In this embodiment, the UE and the AP add a step of re-attempting access through the Web Portal secure access mode when access in a non-Web Portal security access mode fails. As shown in FIG. 2, the method specifically includes the following steps:
  • Step 201 After receiving the probe request frame sent by the UE, the AP sends a probe response frame to the UE, where the probe response frame carries the AP security capability information, where the AP security capability information includes Web Portal security capability indication information;
  • the UE sends a Probe Request message to the detected AP.
  • the AP sends the Probe response with the secure access mode supported by the AP to the UE.
  • For the WPA or WPA2 secure access mode, the RSN IE can carry the authentication methods and encryption methods supported by the WLAN.
  • the authentication methods include PSK, IEEE802.1X, etc.
  • the encryption methods include WEP-40, WEP-104, TKIP and CCMP.
  • the probe response also includes the web portal security capability indication information supported by the AP.
  • For example, an unused value in the range 3-255 of the Authentication and Key Management (AKM) field can indicate the Web Portal security access mode. Or a new IE can be defined, whose ID may be one of 43-47, and which indicates network support for the Web Portal access mode. Or an existing IE can be extended, for example by adding an octet to the RSN IE and defining its value as 1 or another value, to indicate that the network supports the Web Portal access mode.
  • Step 202 The AP receives the association request information sent by the UE, and obtains a security access authentication mechanism indicated in the association request information.
  • The UE obtains the secure access modes supported by the AP from the probe response frame sent by the AP, selects a security mode for access according to its own attribute policy, security capability, and network condition, and sends an Association Request message to the AP, where the Association Request includes security setting parameters of the security access mode selected by the UE, for example the 802.1X parameter information of the authentication method.
  • Step 203 The AP sends a secure access authentication request message to the UE according to the secure access authentication mechanism.
  • the AP sends a security authentication request message, such as an 802.1X EAP authentication request message, according to the received security access authentication mechanism in the Association request.
  • Step 204 The AP receives an authentication response message sent by the UE, acquires an identity or a configured identity that is sent by the UE, and determines a security access mode selected by the UE according to the identity.
  • the identity information may be a predefined identity, where the identity is used to indicate a corresponding secure access mode; or the identity information is extended by a field based on an existing identity, and the field is used to indicate The corresponding security access mode selected by the UE; the identity information may also be a field defined in the existing identity for indicating a corresponding secure access mode.
  • the AP sends a security access authentication request message to the UE according to the secure access authentication mechanism, so that the UE sends the security of the secure access authentication mechanism to the AP according to the identity set by the preset policy. Access authentication response message. For example, after receiving the RSN IE, the UE will instruct the network to use IEEE 802.1X authentication.
  • the UE will package in the Extensible Authentication Protocol (EAP) response message in the IEEE 802.1X authentication process.
  • the AP receives the association request information sent by the UE, acquires parameter information of the selected security access mode carried in the association request information, and obtains the corresponding selected security access mode according to the parameter information.
  • Step 205 The AP sets its own secure access mode based on the selected secure access mode.
  • The AP determines the secure access mode selected by the UE according to step 204, and sets its own secure access mode. For example, if the UE selects WPA, the AP also sets itself to WPA.
  • Step 206 The AP determines whether the secure access mode selected by the UE is a Web Portal secure access mode.
  • If not, step 207 is performed; if the UE selects the Web Portal secure access mode, the subsequent Web Portal secure access process is performed.
  • If the security access mode selected by the UE is not the Web Portal security access mode, the secure access process of the AP and the UE may be triggered, and the Web Portal security access process may also be triggered.
  • Step 207 After receiving the security access authentication failure indication message sent by the UE, the AP changes the security access mode of the WLAN to the Web Portal security access mode, and initiates a Web Portal security access process to the UE.
  • the step may further send a security access authentication failure message to the UE, and the UE triggers the Web Portal security access process after receiving the authentication failure message;
  • In this embodiment, by determining whether the secure access mode selected by the UE is the Web Portal security access mode, the WLAN is set to the Web Portal security access mode and access is attempted again, so that the UE can access certain internal open network resources through the Web Portal secure access mode. This solves the problem that the UE cannot access the internal open network resources after other secure access modes in the network fail.
  • FIG. 3 is a flowchart of a third embodiment of a wireless security access method according to the present invention.
  • The method execution entity of this embodiment is a wireless security access device, and the device can be implemented in hardware or software, and can be configured in a UE. As shown in FIG. 3, the method includes the following steps:
  • Step 301 The UE receives a protocol frame sent by the AP, where the protocol frame includes an SSID and the security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
  • the AP is a fat AP, that is, the AP and AC node functions are integrated on a fat AP. When the two are deployed separately, functions such as security-related settings are completed by the AC.
  • the fat AP and the thin AP are the same as those described in the foregoing embodiments, and are not described herein again.
  • the protocol frame in this step is either a beacon broadcast message that the AP sends to the UE, where the beacon broadcast message includes an SSID message field and AP security capability information; or a Probe Response message that the AP sends to the UE after receiving the probe request message sent by the UE, where the Probe Response includes an SSID message field and AP security capability information. The AP security capability information includes web portal security capability indication information;
  • the multiple security access modes include: a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to the web portal secure access mode and the non-web portal secure access mode.
  • Step 302 The UE selects one secure access mode from the multiple security access modes in the protocol frame as the selected secure access mode.
  • the UE selects one secure access mode, that is, the corresponding access authentication method, data encryption method, and so on, from all the secure access modes supported by the WLAN, according to the parameter information of each secure access mode in the protocol message and the secure access modes supported by the UE or the network environment. For example, if the UE selects the WPA secure access mode, the access authentication method may be IEEE 802.1X, PSK, etc., and the data encryption method may be TKIP.
  • Step 303 The UE notifies the selected secure access mode to the AP.
  • the UE notifies the selected secure access mode to the AP, so that the AP also sets itself to the corresponding secure access mode for access.
  • the UE receives the protocol frame sent by the AP, where the protocol frame includes the SSID and the security capability information of the AP, the security capability information of the AP includes multiple security access modes, and the SSID corresponds to the multiple security access modes. Therefore, the SSID that the AP broadcasts in one protocol message can correspond to multiple wireless security access modes, so that the UE accesses the wireless network more flexibly and wireless network resources are saved.
  • FIG. 4 is a flowchart of Embodiment 4 of a wireless security access method according to the present invention.
  • in this embodiment, a Probe Response message is used as the protocol message, and a step is added in which the UE sends an access authentication failure message to the AP when the secure access mode selected by the UE fails. As shown in FIG. 2, the method specifically includes the following steps:
  • Step 401 The UE sends a Probe Request frame to the AP.
  • Step 402 The UE receives a Probe Response frame sent by the AP, where the probe response frame carries the AP security capability information;
  • the UE receives a Probe Response message including an SSID message field from the AP, where the SSID is used to identify the AP, and the AP security capability information includes the indication information that the WLAN supports the Web Portal security access mode.
  • the UE may also receive the Beacon broadcast message sent by the AP, where the Beacon broadcast message also includes an SSID and parameter information of the secure access mode supported by the WLAN.
  • the parameter information is an access authentication method, a data encryption method, and the like used in the secure access mode.
  • Step 403 The UE selects a secure access mode according to the security capability information in the protocol frame, as the selected secure access mode.
  • the UE selects a preferred secure access mode as the selected secure access mode according to the secure access mode supported by the UE and all the secure access modes supported by the WLAN in the protocol message.
  • the step may further include: the UE selects or constructs a corresponding identity for the selected secure access mode according to a predetermined policy, and sends a secure access authentication response message to the AP by using the identity.
  • this includes the UE receiving a secure access authentication request message that the AP sends to the UE according to the secure access authentication mechanism information. If the access authentication mechanism selected by the UE is IEEE 802.1X, the EAP response message that the UE sends to the AP during authentication includes a specific identity, which indicates that the UE selects the web portal secure access mode.
  • Step 405 The UE determines whether the Web Portal security access mode is selected for secure access.
  • if it is determined that the UE selects the non-Web Portal security access mode for secure access, proceed to step 406; otherwise, perform normal Web Portal secure access.
  • Step 406 When the UE fails to authenticate with the network where the AP is located, the UE sends a secure access authentication failure message to the AP. In this step, the UE sends an authentication failure message to the AP, so that the AP is reset to the Web Portal secure access mode for secure access.
  • the step may further include: after receiving the security access authentication failure message sent by the AP, the UE initiates a Web Portal security access procedure to the AP.
  • the UE sends a secure access authentication failure message to the AP, so that the AP sets the secure access mode of the WLAN to the Web Portal secure access mode to try to access again. The UE can then access certain internal open network resources in the Web Portal secure access mode, which solves the problem that the internal open network resources could not be accessed after authentication failed in another authentication method.
  • FIG. 5 is a flowchart of Embodiment 5 of a wireless security access method according to the present invention.
  • the AP supports the WEP, the WPA/WPA2, and the Web Portal security access mode, and the UE only supports the Web Portal security access mode.
  • the specific steps may include the following steps:
  • Step 501 The UE sends the Probe Request information to the AP.
  • the UE may actively send a wireless network Probe Request message to the AP to obtain the Probe Response message of the WLAN from the AP, or may passively receive the Beacon broadcast message sent by the AP. Both types of protocol messages contain an SSID field.
  • Step 502 The AP sets the message field in the Probe Response message to a preset value according to the preset rule, and is used to indicate that the WLAN supports the Web Portal secure access mode.
  • the AP may set a reserved field in the Probe Response message to a preset value.
  • the UE determines whether the WLAN supports the Web Portal secure access mode based on whether the value of a certain reserved field is the preset value.
  • Step 503 The AP sends the Probe Response information to the UE.
  • the Probe Response information carries the parameter information of the WLAN to support the Web Portal secure access mode and other security modes, such as the access authentication method in the WPA secure access mode, IEEE 802.1X, and the data encryption method TKIP.
  • Step 504 The UE sends an authentication request message to the AP.
  • when the secure access mode selected by the UE is not WEP, the UE actively sends an authentication request message to the AP to trigger the open system authentication process.
  • Step 505 The AP sends an authentication response message to the UE.
  • Step 506 The UE sends association request information to the AP.
  • the UE carries, in the association request information, the parameter information of the secure access mode that the UE selects. For example, if WEP is selected, the UE carries the WEP access authentication mode parameter and the data encryption method parameter. In this embodiment, the UE only supports the Web Portal security access mode; therefore, the association request message carries the parameters of the Web Portal security access mode.
  • Step 507 The AP sends association response information to the UE.
  • Step 508 The UE and the AP perform a DHCP configuration process.
  • the following steps are the secure access procedure steps with the device set to the Web Portal security access mode.
  • Step 509 The UE sends an HTTP request message to the AP.
  • Step 510 The AP sends an HTTP request message to the portal.
  • Step 511 The portal sends an HTTP response message to the UE.
  • Step 512 The UE sends user login information to the portal.
  • the user login information includes information such as the username and password previously registered with the authentication server.
  • Step 513 The AP, the portal, and the authentication server complete the verification of the user login information.
  • the verification process of the user login information is completed by the AC, the portal, and the authentication server.
  • Step 514 The portal sends a user authentication message to the UE.
  • in this embodiment, the functions of the AP and the access controller (AC) node are integrated on a fat AP, that is, the AP and the AC are combined into one, and the functions of both are implemented on one physical AP. Those skilled in the art should understand that, in specific implementation, the AP and the AC may also be deployed separately.
  • the Probe Response includes indication information that the Web Portal secure access mode is supported, so that a protocol frame in which the AP broadcasts one SSID allows UEs using multiple security modes to access.
  • FIG. 6 is a flowchart of Embodiment 6 of a wireless security access method according to the present invention.
  • a complete example may be provided based on any of the foregoing embodiments.
  • Step 601 The AP sets the message field in the Beacon message to a preset value according to the preset rule, and is used to indicate that the WLAN supports the Web Portal secure access mode.
  • Step 602 The AP sends Beacon broadcast information to the UE.
  • the Beacon broadcast information includes an SSID field identifying the WLAN and an indication message that the WLAN supports the Web Portal secure access mode in step 601.
  • Step 603 The UE sends an authentication request message to the AP.
  • when the secure access mode selected by the UE is not WEP, the UE actively sends an authentication request message to the AP to trigger an open system authentication process.
  • Step 604 The AP sends an authentication response message to the UE.
  • Step 605 The UE sends the association request information to the AP, and specifies that the security access mode is WPA, where the authentication method is IEEE 802.1X authentication.
  • the UE specifies the selected authentication mode as IEEE 802.1X in the association request information sent to the AP.
  • Step 606 The AP sends association response information to the UE.
  • Step 607 The AP sends an IEEE 802.1X EAP request message to the UE.
  • Step 608 The UE sends an IEEE 802.1X EAP response message to the AP according to the identity set by the preset policy.
  • the UE sets an identity according to the predetermined policy to indicate that the UE supports the Web Portal secure access mode, and sends an IEEE 802.1X EAP response message carrying it to the AP, so that the AP learns from the identity that the UE supports the Web Portal secure access mode.
  • Step 609 The AP sends an access request message that includes an EAP message to the authentication server.
  • the AP forwards the content of the IEEE 802.1X EAP response message sent by the UE, and starts IEEE 802.1X authentication between the UE and the authentication server.
  • Step 611 The authentication server sends an IEEE 802.1X authentication failure message to the UE.
  • the UE will receive a message that the authentication fails from the authentication server.
  • Step 612 The AP sets the WLAN to support the Web Portal secure access mode.
  • Step 613 The UE and the AP perform a DHCP configuration process.
  • the AP obtains the Web Portal security access mode of the UE, and therefore sets the AP itself into the Web Portal security access mode and attempts to access.
  • the following steps are the procedure steps performed after both ends start the Web Portal security access mode.
  • Step 614 The UE sends an HTTP request message to the AP.
  • Step 615 The AP sends an HTTP request message to the portal.
  • Step 616 The portal sends an HTTP response message to the UE.
  • Step 617 The UE sends user login information to the portal.
  • the user login information includes information such as the username and password previously registered with the authentication server.
  • Step 618 The AP, the portal, and the authentication server complete the verification of the user login information.
  • the verification process of the user login information is completed by the AC, the portal, and the authentication server.
  • Step 619 The portal sends a user authentication message to the UE.
  • the UE sends an IEEE 802.1X EAP response message to the AP according to the identity set by the preset policy, to indicate that the UE supports the Web Portal secure access mode. After another secure access mode fails between the AP and the UE, access can be attempted in the Web Portal secure access mode, which solves the problem that some internal shared networks cannot be accessed because authentication failed in another secure access mode.
  • FIG. 7 is a structural diagram of Embodiment 1 of a wireless security access device according to the present invention.
  • the device 70 is generally integrated in an AP network element. As shown in FIG. 7, the device specifically includes:
  • the sending module 71 is configured to send a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
  • the receiving module 72 is configured to receive a selected secure access mode sent by the UE, where the selected secure access mode is a secure access mode selected by the UE from the multiple security access modes in the protocol frame;
  • the setting module 73 is configured to set its own secure access mode based on the selected secure access mode.
  • the device in this embodiment is used to perform the technical solution of the method embodiment shown in FIG. 1. The implementation principle and technical effects are similar, and details are not described herein again.
  • FIG. 8 is a structural diagram of Embodiment 2 of a wireless security access device according to the present invention. As shown in FIG. 8, the device 80 is based on the previous embodiment; further, the multiple security access modes include: a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to the web portal secure access mode and the non-web portal secure access mode.
  • the sending module 71 is specifically configured to:
  • the capability information of the web portal security access mode is implemented by: using a reserved field of a cell included in the protocol frame or a reserved value of a field to indicate the network's support for the web portal secure access mode, that is, capability information of the web portal secure access mode; or, defining a new information element included in the protocol frame to indicate that the network supports the web portal secure access mode, that is, capability information of the web portal secure access mode; or,
  • the field of the cell included in the protocol frame is extended, that is, a field is added in the cell to indicate the network support for the web portal secure access mode, that is, the capability information of the web portal secure access mode.
  • the receiving module 72 is specifically configured to:
  • the receiving module 72 receives the secure access authentication response message sent by the UE:
  • the receiving module 72 is further configured to receive association request information sent by the UE, and obtain a secure access authentication mechanism indicated in the association request information.
  • the sending module 71 is further configured to send a security access authentication request message to the UE according to the secure access authentication mechanism.
  • the device further includes:
  • the change module 81 is configured to: after the setting module 73 sets its own secure access mode based on the selected secure access mode and initiates a corresponding secure access procedure to the UE, if the secure access mode selected by the UE is a non-Web Portal secure access mode and an authentication failure message sent by the UE is received, change the secure access mode of the WLAN to the Web Portal secure access mode and initiate the Web Portal secure access process to the UE; or, the sending module 71 is specifically configured to: after the setting module 73 sets its own secure access mode based on the selected secure access mode and initiates a corresponding secure access procedure to the UE, if the secure access mode selected by the UE is a non-Web Portal secure access mode, send a secure access authentication failure message to the UE after learning that authentication of the UE has failed, so that the UE triggers the Web Portal secure access process after receiving the authentication failure message; or send a secure access authentication failure message to the UE and trigger a web portal access procedure.
  • the device in this embodiment is used to perform the technical solution of the method embodiment shown in FIG. 2, and the implementation principle and the technical effect are similar, and details are not described herein again.
  • FIG. 9 is a structural diagram of Embodiment 3 of the wireless security access device of the present invention.
  • the device 90 is generally integrated in the UE. As shown in FIG. 9, the device specifically includes:
  • the receiving module 91 is configured to receive a protocol frame sent by the AP, where the protocol frame includes an SSID and security capability information of the AP, and the security capability information of the AP includes capability information of multiple security access modes, where the SSID corresponds to The plurality of secure access modes;
  • the selecting module 92 is configured to select one secure access mode from the plurality of secure access modes in the protocol frame as the selected secure access mode;
  • the sending module 93 is configured to notify the AP of the selected secure access mode.
  • the device in this embodiment is used to perform the technical solution of the method embodiment shown in FIG. 3, and the implementation principle and the technical effect are similar, and details are not described herein again.
  • the multiple security access modes include: a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to the web portal secure access mode and the non-web portal secure access mode.
  • the receiving module 91 is specifically configured to:
  • the probe response frame sent by the AP is received.
  • the sending module 93 is specifically configured to:
  • the sending module 93 selects a corresponding identity for the selected security access mode according to the predetermined policy, and sends a secure access authentication response message to the AP by using the identity;
  • the sending module 93 is specifically configured to send association request information to the AP, where the association request information carries security access authentication mechanism information;
  • the receiving module 91 is specifically configured to receive a secure access authentication request message sent by the AP to the UE according to the secure access authentication mechanism information.
  • the sending module 93 is further configured to: if the security access mode selected by the UE is not a Web Portal secure access, and the UE fails to authenticate the network where the AP is located, send a secure access authentication failure message to the AP; or,
  • the sending module 93 is configured to: after receiving the security access authentication failure message sent by the AP, the sending module 93 initiates a Web Portal security access process to the AP; or
  • the sending module 93 is further configured to: if the security access mode selected by the UE is not a Web Portal security access, and the UE fails to perform authentication on the network where the AP is located, send a security access authentication failure message to the AP. Afterwards, a web portal process is initiated to the AP.
  • the device of the foregoing embodiment is used to implement the technical solution of the method embodiment shown in FIG. 4, and the implementation principle and the technical effect are similar, and details are not described herein again.
  • FIG. 10 is a structural diagram of Embodiment 4 of the wireless security access device of the present invention. As shown in FIG. 10, the wireless security access device 100 provided in this embodiment may be integrated into an AP, including:
  • the transmitter 101 is configured to send a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
  • the receiver 102 is configured to receive a selected secure access mode sent by the UE, where the selected secure access mode is a secure access mode selected by the UE from the multiple security access modes in the protocol frame;
  • the processor 103 is configured to set its own secure access mode based on the selected secure access mode.
  • the processor 103 executes the execution instruction, so that the connection establishment device performs the method as described in FIG. 1 , and the implementation principle and technical effects are similar, and details are not described herein again.
  • the wireless security access device 110 provided by the embodiment may be integrated in the UE, and includes: a receiver 112, configured to receive a protocol frame sent by the AP, where the protocol frame includes an SSID and the security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
  • the processor 113 is configured to select one secure access mode from the plurality of secure access modes in the protocol frame as the selected secure access mode.
  • the transmitter 111 is configured to notify the AP of the selected secure access mode.
  • the processor 113 executes the execution instruction to cause the connection establishment device to perform the method as described in FIG. 3, and the implementation principle and technical effects are similar, and details are not described herein again.
  • FIG. 12 is a structural diagram of Embodiment 1 of a wireless security access system according to the present invention.
  • an AP 121 and a UE 122 are included, and the AP 121 includes the wireless security access device 100 according to any of the foregoing embodiments.
  • the UE 122 includes the wireless security access device 110 according to any of the foregoing embodiments.
  • the wireless security access device 100 in this embodiment can implement the wireless security access method of the AP provided by any embodiment of the present invention. The principle and the technical effect are similar, and are not described herein again.
  • the wireless security access device 110 in this embodiment can perform the wireless security access method on the terminal side provided by any embodiment of the present invention, and the implementation principle and technical effect are similar, and are not described herein again.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • in actual implementation there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or otherwise.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of the embodiment.
  • the foregoing storage medium includes: a medium that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk.
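
The single-SSID advertisement and the fallback flow of Embodiment 6 (steps 601 to 619), modelled as an added Python example that is not part of the patent text. The vendor-specific element layout, the placeholder OUI, the flag bit and the identity suffix are assumptions: the patent only states that a reserved field, a new information element or an extended field carries the Web Portal capability.

```python
from enum import Enum

EID_SSID, EID_RSN, EID_VENDOR = 0, 48, 221  # standard IEEE 802.11 element IDs

# Assumptions, not values from the patent: placeholder OUI, subtype, flag bit
# and EAP identity suffix used to signal Web Portal support.
PORTAL_OUI = b"\x00\x00\x00"
PORTAL_SUBTYPE = 0x01
PORTAL_FLAG = 0x01
PORTAL_IDENTITY_SUFFIX = "@portal-fallback.example"


class Mode(Enum):
    WPA = "WPA/WPA2"
    WEB_PORTAL = "Web Portal"


def element(eid, data):
    """Encode one information element as ID, length, data."""
    return bytes([eid, len(data)]) + data


def parse_elements(body):
    """Split a beacon or probe-response body into (element_id, data) pairs."""
    elements, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated element header")
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError(f"element {eid} overruns the frame")
        elements.append((eid, data))
        pos += 2 + length
    return elements


def advertised_modes(body):
    """Return (ssid, modes): every mode advertised under the one SSID."""
    ssid, modes = None, set()
    for eid, data in parse_elements(body):
        if eid == EID_SSID:
            ssid = data.decode("utf-8", errors="replace")
        elif eid == EID_RSN:
            # Presence of the RSN element is treated as the non-portal
            # WPA/WPA2 mode; its cipher and AKM lists are not parsed here.
            modes.add(Mode.WPA)
        elif (eid == EID_VENDOR and len(data) >= 5
              and data[:3] == PORTAL_OUI and data[3] == PORTAL_SUBTYPE
              and data[4] & PORTAL_FLAG):
            modes.add(Mode.WEB_PORTAL)
    return ssid, modes


def select_mode(advertised, ue_supported,
                preference=(Mode.WPA, Mode.WEB_PORTAL)):
    """UE side (step 302): first preferred mode that both ends support."""
    for mode in preference:
        if mode in advertised and mode in ue_supported:
            return mode
    return None


class AccessPoint:
    """AP side: adopt the UE's selected mode, fall back to the portal once."""

    def __init__(self, supported):
        self.supported = set(supported)
        self.mode = None
        self.ue_portal_capable = False

    def on_selected_mode(self, mode, eap_identity=""):
        if mode not in self.supported:
            raise ValueError("UE selected a mode that was not advertised")
        self.mode = mode
        # Step 608: the identity tells the AP that the UE supports Web Portal.
        self.ue_portal_capable = eap_identity.endswith(PORTAL_IDENTITY_SUFFIX)

    def on_auth_failure(self):
        """Steps 611-612: switch to Web Portal only if the UE signalled it."""
        if (self.mode is not Mode.WEB_PORTAL and self.ue_portal_capable
                and Mode.WEB_PORTAL in self.supported):
            self.mode = Mode.WEB_PORTAL
            return "start-web-portal"
        return "reject"


# Constructed sample frame body: one SSID, an RSN element holding only the
# version field, and the hypothetical Web Portal capability element.
SAMPLE_BODY = (element(EID_SSID, b"corp-wlan")
               + element(EID_RSN, b"\x01\x00")
               + element(EID_VENDOR,
                         PORTAL_OUI + bytes([PORTAL_SUBTYPE, PORTAL_FLAG])))


def run_fallback_demo():
    ssid, modes = advertised_modes(SAMPLE_BODY)
    ap = AccessPoint(modes)
    chosen = select_mode(modes, {Mode.WPA, Mode.WEB_PORTAL})
    ap.on_selected_mode(chosen, "alice" + PORTAL_IDENTITY_SUFFIX)
    action = ap.on_auth_failure()  # IEEE 802.1X authentication failed
    return ssid, chosen, action, ap.mode


if __name__ == "__main__":
    print(run_fallback_demo())
```

A UE that supports only the Web Portal mode (Embodiment 5) is covered by calling `select_mode` with `{Mode.WEB_PORTAL}` as its supported set.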

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present invention provide a wireless secure access method, an apparatus and a system. The method in the present invention comprises: an AP sending a protocol frame to a UE, wherein the protocol frame comprises an SSID and security capability information of the AP, the security capability information of the AP comprises security capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes; the AP receiving a selected secure access mode sent by the UE, wherein the selected secure access mode is a secure access mode selected by the UE from the multiple secure access modes in the protocol frame; and the AP setting a secure access mode of itself based on the selected secure access mode. According to the embodiments of the present invention, a protocol message comprises instruction information of secure access modes supported by a WLAN so as to solve a problem in prior art that one SSID can correspond to only one wireless secure access mode.

Description

Wireless security access method, device and system
Technical field
The present invention relates to wireless access technology, and in particular to a wireless security access method, apparatus, and system, and belongs to the field of wireless communication technologies.
Background art
A wireless local area network (Wireless Local Area Networks, WLAN) is a very convenient data transmission system. It uses radio frequency (RF) technology to replace the local area network built from traditional twisted-pair copper wires. WLAN is a wireless access technology that provides a high transmission rate and is considered a useful complement to wide area wireless networks. WLANs are increasingly deployed in workplaces, homes, and public hotspots. Users can access WLAN networks using laptops, cameras, mobile phones, game consoles, and a growing number of other consumer electronics devices.
To meet the security requirements of different usage scenarios and devices, the standards define a variety of WLAN secure access modes. At present, these mainly include wireless secure access modes such as Wired Equivalent Privacy (WEP), Open (Web Portal, also known as a portal website), and Wi-Fi Protected Access (WPA).
In the prior art, WLAN access points (Access Point, AP) with different secure access modes broadcast different service set identifiers (Service Set Identity, SSID) for user equipment (User Equipment, UE) to choose from for access, and one SSID can correspond to only one wireless secure access mode. Therefore, if multiple secure access modes need to be supported, multiple WLANs must be deployed with an SSID set for each WLAN, or one WLAN must broadcast multiple SSIDs. For wireless access the UE then has to try each detected SSID until access succeeds, which is inflexible and wastes wireless network resources.
Summary of the invention
In view of this, the embodiments of the present invention provide a wireless security access method, device, and system, so as to improve the flexibility with which the UE accesses the AP by using different wireless security access modes.
In a first aspect, an embodiment of the present invention provides a wireless security access method, including:
the AP sends a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
the AP receives the selected secure access mode sent by the UE, where the selected secure access mode is a secure access mode selected by the UE from the multiple security access modes in the protocol frame;
the AP sets its own secure access mode based on the selected secure access mode.
In a first possible implementation manner of the first aspect, the multiple security access modes include: a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner, the capability information of the web portal security access mode is expressed in one of the following ways:
using a reserved field of a cell included in the protocol frame, or a reserved value of a field, to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
defining a new information element included in the protocol frame to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
extending the fields of a cell included in the protocol frame, that is, adding a field to the cell to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode.
结合第一方面、 第一方面的第一种至第二种可能的实现方式, 在第三种 可能的实现方式中, 所述 AP向 UE发送协议帧, 包括:  With reference to the first aspect, the first to the second possible implementation manners of the first aspect, in a third possible implementation, the sending, by the AP, the protocol frame to the UE includes:
所述 AP向所述 UE发送信标 beacon帧; 或,  Sending, by the AP, a beacon beacon frame to the UE; or
所述 AP根据接收所述 UE发送的探测请求帧, 向所述 UE发送探测应答 probe response帧。  The AP sends a probe response probe response frame to the UE according to the probe request frame sent by the UE.
结合第一方面、 第一方面的第一种至第三种可能的实现方式, 在第四种 可能的实现方式中, 所述 AP接收所述 UE发送的选定安全接入模式, 包括: 所述 AP接收所述 UE发送的关联请求信息,获取所述关联请求信息中携 带的所述选定安全接入模式的参数信息, 根据所述参数信息获取对应的选定 安全接入模式; 或,  With reference to the first aspect, the first to the third possible implementation manner of the first aspect, in a fourth possible implementation manner, the AP receives the selected security access mode sent by the UE, including: Receiving, by the AP, the association request information sent by the UE, acquiring parameter information of the selected security access mode carried in the association request information, and acquiring a corresponding selected security access mode according to the parameter information; or
所述 AP接收所述 UE发送的认证应答消息, 获取所述 UE发送的所述 UE选择的身份或者构造的身份,根据所述身份判断所述 UE选定的安全接入 模式。 结合第一方面的第四种可能的实现方式, 在第五种可能的实现方式中, 所述 AP接收所述 UE发送的安全接入认证应答消息之前, 还包括: Receiving, by the UE, an authentication response message sent by the UE, acquiring an identity or a configured identity sent by the UE, and determining, according to the identity, the secure access mode selected by the UE. With the fourth possible implementation of the first aspect, in a fifth possible implementation manner, before the AP receives the secure access authentication response message sent by the UE, the method further includes:
所述 AP接收所述 UE发送的关联请求信息,获取所述关联请求信息中指 示的安全接入认证机制;  Receiving the association request information sent by the UE, and acquiring the secure access authentication mechanism indicated in the association request information;
所述 AP根据所述安全接入认证机制向所述 UE发送安全接入认证请求消 息。  The AP sends a secure access authentication request message to the UE according to the secure access authentication mechanism.
结合第一方面的第一种至第五种可能的实现方式, 在第六种可能的实现 方式中, 所述 AP基于所述选定安全接入模式设置自身的安全接入模式之后, 还包括:  With reference to the first to fifth possible implementation manners of the first aspect, in a sixth possible implementation manner, after the AP sets its own secure access mode based on the selected security access mode, the method further includes :
若所述 UE选定的安全接入模式是非 Web Portal安全接入模式, 则所述 If the secure access mode selected by the UE is a non-Web Portal secure access mode,
AP接收到所述 UE发送的安全接入认证失败指示消息后, 将所述 WLAN的 安全接入模式更改为 Web Portal安全接入模式,并向所述 UE发起 Web Portal 安全接入流程; 或者, After receiving the security access authentication failure indication message sent by the UE, the AP changes the security access mode of the WLAN to the Web Portal security access mode, and initiates a Web Portal security access process to the UE; or
若所述 UE选定的安全接入模式是非 Web Portal安全接入模式, 则所述 AP在 UE安全接入认证失败后, 向所述 UE发送安全接入认证失败消息, 所 述 UE接到认证失败消息后触发 Web Portal安全接入流程; 或者,  If the secure access mode selected by the UE is a non-Web Portal secure access mode, the AP sends a secure access authentication failure message to the UE after the UE fails to obtain the secure access authentication, and the UE receives the authentication. The Web Portal secure access process is triggered after the failure message; or
若所述 UE选定的安全接入模式是非 Web Portal安全接入模式, 则所述 AP在 UE的安全接入认证失败后, 向所述 UE发送安全接入认证失败消息, 并触发 web portal接入流程。  If the secure access mode selected by the UE is a non-Web Portal secure access mode, the AP sends a secure access authentication failure message to the UE after the secure access authentication of the UE fails, and triggers the web portal to be connected. Into the process.
In a second aspect, an embodiment of the present invention provides a wireless secure access method, including:
The UE receives a protocol frame sent by the AP, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
The UE selects one secure access mode from the multiple secure access modes in the protocol frame as the selected secure access mode;
The UE notifies the AP of the selected secure access mode.
In a first possible implementation of the second aspect, the multiple secure access modes include a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the UE receiving the protocol frame sent by the AP includes:
The UE receives a beacon frame sent by the AP; or,
The UE, after sending a probe request frame to the AP, receives a probe response frame sent by the AP.
With reference to the second aspect or the first to second possible implementations of the second aspect, in a third possible implementation, the UE notifying the AP of the selected secure access mode includes:
The UE sends, to the AP, association request information carrying the parameter information of the selected secure access mode; or,
The UE, based on a predetermined policy, selects or constructs a corresponding identity according to the selected secure access mode, and sends a secure access authentication response message to the AP using that identity.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation, before the UE selects a corresponding identity according to the selected secure access mode based on the predetermined policy and sends the secure access authentication response message to the AP using that identity, the method further includes:
The UE sends association request information to the AP, where the association request information carries secure access authentication mechanism information;
The UE receives a secure access authentication request message that the AP sends to the UE according to the secure access authentication mechanism information.
With reference to the first to fourth possible implementations of the second aspect, in a fifth possible implementation, the method further includes:
If the secure access mode selected by the UE is non-Web Portal secure access and the UE's authentication of the network where the AP is located fails, the UE sends a secure access authentication failure message to the AP; or,
The UE, after receiving a secure access authentication failure message sent by the AP, initiates a Web Portal secure access procedure to the AP.
In a third aspect, an embodiment of the present invention provides a wireless secure access apparatus, including:
A sending module, configured to send a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
A receiving module, configured to receive the selected secure access mode sent by the UE, where the selected secure access mode is one secure access mode selected by the UE from the multiple secure access modes in the protocol frame;
A setting module, configured to set the apparatus's own secure access mode based on the selected secure access mode.
In a first possible implementation of the third aspect, the multiple secure access modes include a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode.
With reference to the first possible implementation of the third aspect, in a second possible implementation, the capability information of the web portal secure access mode is expressed in one of the following ways:
A reserved field, or a reserved value of a field, of an information element contained in the protocol frame is used to indicate that the network supports the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
A new information element is defined and included in the protocol frame to indicate that the network supports the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
A field of an information element contained in the protocol frame is extended, that is, a field is added to the information element to indicate that the network supports the web portal secure access mode, that is, the capability information of the web portal secure access mode.
With reference to the third aspect or the first to second possible implementations of the third aspect, in a third possible implementation, the sending module is specifically configured to:
Send a beacon frame to the UE, where the protocol frame is the beacon frame; or,
Send a probe response frame to the UE in response to a probe request frame received from the UE, where the protocol frame is the probe response frame.
With reference to the third aspect or the first to third possible implementations of the third aspect, in a fourth possible implementation, the receiving module is specifically configured to:
Receive association request information sent by the UE, obtain the parameter information of the selected secure access mode carried in the association request information, and obtain the corresponding selected secure access mode according to the parameter information; or,
Receive an authentication response message sent by the UE, obtain the identity selected or constructed by the UE and sent by the UE, and determine the secure access mode selected by the UE according to the predefined identity.
With reference to the fourth possible implementation of the third aspect, in a fifth possible implementation, before the receiving module receives the secure access authentication response message sent by the UE:
The receiving module is further configured to receive association request information sent by the UE and obtain the secure access authentication mechanism indicated in the association request information;
The sending module is further configured to send a secure access authentication request message to the UE according to the secure access authentication mechanism.
With reference to the first to fifth possible implementations of the third aspect, in a sixth possible implementation, the apparatus further includes:
A change module, configured to, after the setting module sets the apparatus's own secure access mode based on the selected secure access mode, if the secure access mode selected by the UE is a non-Web Portal secure access mode, change the secure access mode of the WLAN to the Web Portal secure access mode after a secure access authentication failure indication message sent by the UE is received, and initiate a Web Portal secure access procedure to the UE; or,
The sending module is specifically configured to, after the setting module sets the apparatus's own secure access mode based on the selected secure access mode, if the secure access mode selected by the UE is a non-Web Portal secure access mode, after the secure access authentication of the UE fails: send a secure access authentication failure message to the UE so that the UE triggers the Web Portal secure access procedure after receiving the authentication failure message; or send a secure access authentication failure message to the UE and trigger the web portal access procedure.
In a fourth aspect, an embodiment of the present invention provides a wireless secure access apparatus, including:
A receiving module, configured to receive a protocol frame sent by the AP, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
A selection module, configured to select one secure access mode from the multiple secure access modes in the protocol frame as the selected secure access mode;
A sending module, configured to notify the AP of the selected secure access mode.
In a first possible implementation of the fourth aspect, the multiple secure access modes include a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation, the receiving module is specifically configured to:
Receive a beacon frame sent by the AP; or,
Receive, after a probe request frame is sent to the AP, a probe response frame sent by the AP.
With reference to the fourth aspect or the first to second possible implementations of the fourth aspect, in a third possible implementation, the sending module is specifically configured to:
Send, to the AP, association request information carrying the parameter information of the selected secure access mode; or,
Select, based on a predetermined policy, a corresponding identity according to the selected secure access mode, and send a secure access authentication response message to the AP using that identity.
With reference to the third possible implementation of the fourth aspect, in a fourth possible implementation, before the sending module selects or constructs a corresponding identity according to the selected secure access mode based on the predetermined policy and sends the secure access authentication response message to the AP using that identity:
The sending module is specifically configured to send association request information to the AP, where the association request information carries secure access authentication mechanism information;
The receiving module is specifically configured to receive a secure access authentication request message that the AP sends to the UE according to the secure access authentication mechanism information.
With reference to the first to fourth possible implementations of the fourth aspect, in a fifth possible implementation, the sending module is further configured to send a secure access authentication failure message to the AP if the secure access mode selected by the UE is non-Web Portal secure access and the UE's authentication of the network where the AP is located fails; or,
The sending module is configured to initiate a Web Portal secure access procedure to the AP after the receiving module receives a secure access authentication failure message sent by the AP.
In a fifth aspect, an embodiment of the present invention provides a wireless secure access apparatus, including:
A transmitter, configured to send a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
A receiver, configured to receive the selected secure access mode sent by the UE, where the selected secure access mode is one secure access mode selected by the UE from the multiple secure access modes in the protocol frame;
A processor, configured to set the apparatus's own secure access mode based on the selected secure access mode.
In a sixth aspect, an embodiment of the present invention provides a wireless secure access apparatus, including:
A receiver, configured to receive a protocol frame sent by the AP, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
A processor, configured to select one secure access mode from the multiple secure access modes in the protocol frame as the selected secure access mode;
A transmitter, configured to notify the AP of the selected secure access mode.
In a seventh aspect, an embodiment of the present invention provides a wireless secure access system, including an AP and a UE of a WLAN, where:
The AP includes the wireless secure access apparatus of the fifth aspect;
The UE includes the wireless secure access apparatus of the sixth aspect.
By including, in the protocol message that carries one SSID, the parameter information of the various secure access modes supported by the WLAN, and in particular the parameter information of the Web Portal secure access mode, the present invention solves the prior-art problem that one SSID cannot support the Web Portal secure access mode and other secure access modes at the same time. This makes access to the wireless network more flexible for user equipment and saves wireless network resources.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of Embodiment 1 of the wireless secure access method of the present invention;
FIG. 2 is a flowchart of Embodiment 2 of the wireless secure access method of the present invention;
FIG. 3 is a flowchart of Embodiment 3 of the wireless secure access method of the present invention;
FIG. 4 is a flowchart of Embodiment 4 of the wireless secure access method of the present invention;
FIG. 5 is a flowchart of Embodiment 5 of the wireless secure access method of the present invention;
FIG. 6 is a flowchart of Embodiment 6 of the wireless secure access method of the present invention;
FIG. 7 is a structural diagram of Embodiment 1 of the wireless secure access apparatus of the present invention;
FIG. 8 is a structural diagram of Embodiment 2 of the wireless secure access apparatus of the present invention;
FIG. 9 is a structural diagram of Embodiment 3 of the wireless secure access apparatus of the present invention;
FIG. 10 is a structural diagram of Embodiment 4 of the wireless secure access apparatus of the present invention;
FIG. 11 is a structural diagram of Embodiment 5 of the wireless secure access apparatus of the present invention;
FIG. 12 is a structural diagram of Embodiment 1 of the wireless secure access system of the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is a flowchart of Embodiment 1 of the wireless secure access method of the present invention. The method in this embodiment is executed by a wireless secure access apparatus, which can be implemented in hardware or software and can be configured in an AP in a WLAN, where the WLAN can support the Web Portal secure access mode. As shown in FIG. 1, the method includes the following steps:
Step 101: The AP sends a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
In this step, the multiple secure access modes include a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode. In the prior art, one SSID can support only one secure access mode. In this embodiment, the security capability information of the AP includes multiple secure access modes and the SSID corresponds to all of them, so that one SSID supports multiple secure access modes.
The AP security capability information includes the access authentication method, the data encryption method and so on used in a secure access mode. The access authentication methods may include pre-shared key (PSK) mode and IEEE 802.1X, and the data encryption methods may include the CTR with CBC-MAC Protocol (CCMP), the Temporal Key Integrity Protocol (TKIP), WEP-40 and WEP-104. The web portal security capability indication information indicates that the WLAN supports access by means of a web portal. The Web Portal secure access mode authenticates by user name and password and does not encrypt data, that is, there is no encryption method; therefore, unlike the other secure access modes, it has no parameter information relating to authentication and encryption.
In the embodiments of the present invention, an IE of the protocol message can indicate that the WLAN supports the Web Portal secure access mode in the following ways. For example:
Preferably, the capability information of the web portal secure access mode is expressed in one of the following ways:
A reserved field, or a reserved value of a field, of an information element contained in the protocol frame is used to indicate that the network supports the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
A new information element is defined and included in the protocol frame to indicate that the network supports the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
A field of an information element contained in the protocol frame is extended, that is, a field is added to the information element to indicate that the network supports the web portal secure access mode, that is, the capability information of the web portal secure access mode.
Optionally, in this step, the AP sending the UE a protocol frame carrying the AP security capability information includes:
The AP sends a beacon frame to the UE, where the beacon frame carries the AP security capability information; or,
The AP, after receiving a probe request frame sent by the UE, sends a probe response frame to the UE, where the probe response frame carries the AP security capability information.
It should be noted that the protocol frame, whether beacon or probe response, contains only one SSID identifier.
Step 102: The AP receives the selected secure access mode sent by the UE, where the selected secure access mode is one secure access mode selected by the UE from the multiple secure access modes in the protocol frame;
In this step, the UE obtains the secure access modes supported by the WLAN from the protocol message received from the AP. The UE may select one secure access mode from the multiple secure access modes according to the secure access modes it supports itself, the network state, encryption registration, personal habits and so on, and notifies the AP of the selected mode. For example, the Information Element (IE) of the message field received by the UE may carry the parameter information of each secure access mode. If the secure access mode is WPA2, the protocol message may carry parameter information such as the access authentication method supported by WPA2, the IEEE 802.1X protocol, and the data encryption method supported by WPA2, CCMP.
Step 103: The AP sets its own secure access mode based on the selected secure access mode.
In this step, the AP configures the WLAN according to the obtained information about the secure access mode selected by the UE. After the secure access mode negotiation between the AP and the UE is complete, the AP initiates to the UE the access procedure of the negotiated secure access mode.
The AP is a fat AP, that is, the functions of a thin AP and an access controller (AC) node are integrated in one fat AP. When the two are deployed separately, functions such as security-related settings are performed by the AC. A fat AP, in addition to the wireless access function, generally has both a WAN interface and a LAN interface and usually supports a Dynamic Host Configuration Protocol (DHCP) server, the Domain Name System (DNS) and Media Access Control (MAC) address cloning, as well as security functions such as virtual private network (VPN) access and a firewall. A thin AP is a wireless AP product that cannot be configured or used on its own; such a product is only one part of a WLAN system and is responsible for managing installation and operation.
In the prior art, one SSID cannot correspond to multiple secure access modes at the same time. In this embodiment, the protocol frame includes the SSID and the security capability information of the AP, the security capability information includes multiple secure access modes, and the SSID corresponds to those modes. A protocol message in which the AP broadcasts one SSID therefore offers the UE multiple wireless secure access modes, which makes access to the wireless network more flexible for user equipment and saves wireless network resources.
FIG. 2 is a flowchart of Embodiment 2 of the wireless secure access method of the present invention. On the basis of the foregoing embodiment, this embodiment adds the step in which, when the UE and the AP fail in another, non-web-portal secure access mode, the access mode is set to the Web Portal secure access mode and access is attempted again. As shown in FIG. 2, the method specifically includes the following steps:
Step 201: After receiving the probe request frame sent by the UE, the AP sends a probe response frame to the UE, where the probe response frame carries the AP security capability information, and the AP security capability information includes web portal security capability indication information;
In this step, if the UE actively initiates access, the UE sends a Probe request message to the AP it has detected. After receiving the Probe request message, the AP sends the UE a Probe response carrying the secure access modes that the AP supports. For the WEP, WPA or WPA2 secure access modes, the RSN IE can be used to carry the authentication methods and encryption modes supported by the WLAN. The authentication methods include PSK, IEEE 802.1X and so on, and the encryption modes include WEP-40, WEP-104, TKIP and CCMP.
The Probe response also includes indication information of the web portal security capability supported by the AP. To include the web portal security capability indication in the Probe response, a reserved field of an IE contained in the Probe response, or a reserved value of a field, can be used. For example, in the Robust Security Network (RSN) IE of the Probe Response message, the values 3-255 of the Authentication and Key Management (AKM) bits are unused, so the integer "3" or another value can be defined to denote the Web Portal secure access mode. Alternatively, a new IE can be defined, identified by an ID that may be one of 43-47, and that IE is used to indicate the network's support for the web portal access mode. Alternatively, a field of an existing IE can be extended, for example by adding one octet to the RSN IE; when that field is defined as 1 or another value, it indicates that the network supports the web portal access mode.
Step 202: The AP receives the association request information sent by the UE and obtains the secure access authentication mechanism indicated in the association request information;
The UE obtains the secure access modes supported by the AP from the probe response frame sent by the AP, and selects one security mode for access according to its own attribute policy, its security capability, the network conditions and so on. The UE then sends an association request message (Association request) to the AP. The Association request includes the security setting parameters of the secure access mode selected by the UE, for example the parameter information of the 802.1X authentication method.
Step 203: The AP sends a secure access authentication request message to the UE according to the secure access authentication mechanism;
According to the secure access authentication mechanism in the received Association request, the AP sends a security authentication request message, for example an 802.1X EAP authentication request message.
Step 204: The AP receives the authentication response message sent by the UE, obtains the identity that the UE selected or constructed and sent, and determines from that identity the secure access mode selected by the UE;
In this step, the identity information may be a predefined identity that indicates the corresponding secure access mode; or the identity information may extend an existing identity by one field, and that field indicates the secure access mode selected by the UE; or the identity information may designate one of the fields of an existing identity to indicate the corresponding secure access mode. The AP sends a secure access authentication request message to the UE according to the secure access authentication mechanism, so that the UE sends the AP the secure access authentication response message of that mechanism under an identity set according to a preset policy. For example, after receiving the RSN IE, the UE indicates that the network is to use IEEE 802.1X authentication. The Extensible Authentication Protocol response (EAP response) message that the UE sends in the IEEE 802.1X authentication procedure contains the user's identity, and that identity indicates that the UE has selected the web portal secure access mode.
Optionally, in steps 202-204, the AP receives the association request information sent by the UE, obtains the parameter information of the selected secure access mode carried in the association request information, and determines the corresponding selected secure access mode from that parameter information.
Step 205: The AP sets its own secure access mode based on the selected secure access mode;
The AP sets its own secure access mode according to the UE-selected secure access mode determined in step 204. For example, if the UE selected WPA, the AP also sets itself to WPA.
Step 206: The AP determines whether the secure access mode selected by the UE is the Web Portal secure access mode;
If the AP determines that the secure access mode selected by the UE is not the Web Portal secure access mode, step 207 is performed; if the UE selected the Web Portal secure access mode, the subsequent Web Portal secure access procedure is performed.
Optionally, in this step, if the secure access mode selected by the UE is not the Web Portal secure access mode, the Web Portal secure access procedure may also be triggered after the secure access authentication between the AP and the UE fails.
Step 207: After receiving the secure access authentication failure indication message sent by the UE, the AP changes the secure access mode of the WLAN to the Web Portal secure access mode and initiates the Web Portal secure access procedure toward the UE.
Optionally, in this step the AP may also send a secure access authentication failure message to the UE, and the UE triggers the Web Portal secure access procedure after receiving the authentication failure message; or,
the AP sends a secure access authentication failure message to the UE and triggers the web portal access procedure.
In this embodiment, after the secure access authentication procedure between the AP and the UE fails, the AP decides whether to set the WLAN to the Web Portal secure access mode and retry access by determining whether the secure access mode selected by the UE is the Web Portal secure access mode. This lets the UE, in the Web Portal secure access mode, access certain internally open network resources in the network, and solves the problem that internally open network resources cannot be accessed after other secure access modes fail.
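The first option described under step 201 (a reserved AKM value in the RSN IE standing for Web Portal) can be checked on the receiving side with a bounds-checked parser. The following is an added example, not code from the patent; the function names and the sample element are constructed here, and the value 3 is the page's own illustrative choice.

```python
import struct

RSN_ELEMENT_ID = 48                 # element ID of the RSN IE in IEEE 802.11
IEEE_OUI = bytes.fromhex("000fac")  # OUI of the standard suite selectors

# Cipher suite types for the encryption modes named on the page.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
# AKM suite types for the two authentication methods named on the page.
AKMS = {1: "IEEE 802.1X", 2: "PSK"}
# Assumption: the page's illustrative value "3" for Web Portal. Later IEEE
# 802.11 revisions assign 00-0F-AC:3 to FT over IEEE 802.1X, so a deployment
# would need an unassigned or vendor-specific selector; hence the parameter.
WEB_PORTAL_AKM_TYPE = 3


def suite_name(selector: bytes, names: dict) -> str:
    """Name a 4-byte suite selector (3-byte OUI followed by 1-byte type)."""
    oui, suite_type = selector[:3], selector[3]
    if oui != IEEE_OUI:
        return f"vendor:{oui.hex()}:{suite_type}"
    return names.get(suite_type, f"reserved:{suite_type}")


def parse_rsn_ie(ie: bytes, portal_type: int = WEB_PORTAL_AKM_TYPE) -> dict:
    """Parse one RSN IE and report the access modes it advertises."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("element length exceeds available bytes")
    pos = 0

    def take(n: int) -> bytes:
        # Every read is bounds-checked, so a lying suite count cannot overrun.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suite_list(names: dict) -> list:
        (count,) = struct.unpack("<H", take(2))
        return [suite_name(take(4), names) for _ in range(count)]

    (version,) = struct.unpack("<H", take(2))
    group = suite_name(take(4), CIPHERS)
    pairwise = suite_list(CIPHERS)
    akm_names = dict(AKMS)
    akm_names[portal_type] = "Web Portal"
    akms = suite_list(akm_names)
    return {
        "version": version,
        "group": group,
        "pairwise": pairwise,
        "akms": akms,
        "web_portal": "Web Portal" in akms,
    }


def build_rsn_ie(group: int, pairwise: list, akms: list) -> bytes:
    """Build a constructed sample RSN IE from standard-OUI suite types."""
    body = struct.pack("<H", 1) + IEEE_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise))
    body += b"".join(IEEE_OUI + bytes([t]) for t in pairwise)
    body += struct.pack("<H", len(akms))
    body += b"".join(IEEE_OUI + bytes([t]) for t in akms)
    body += struct.pack("<H", 0)  # RSN capabilities, not interpreted here
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


if __name__ == "__main__":
    # Constructed probe-response element: one SSID offering WPA/WPA2-style
    # authentication plus the Web Portal indication.
    sample = build_rsn_ie(group=2, pairwise=[2, 4], akms=[1, 2, 3])
    print(parse_rsn_ie(sample))
```
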
FIG. 3 is a flowchart of Embodiment 3 of the wireless secure access method of the present invention. The method of this embodiment is executed by a wireless secure access apparatus, which can be implemented in hardware or software and can be configured in a UE. As shown in FIG. 3, the method includes the following steps:
Step 301: The UE receives a protocol frame sent by the AP, where the protocol frame includes an SSID and the security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
The AP is a fat AP, that is, the functions of a thin AP and of an AC node are integrated in one fat AP. When the two are deployed separately, functions such as security-related settings are performed by the AC. The fat AP and the thin AP are the same as those described in the foregoing embodiment and are not described again here.
Specifically, the protocol frame in this step is either a beacon broadcast message sent by the AP to the UE, where the beacon broadcast message contains an SSID message field and the AP security capability information; or a Probe Response message that the AP sends to the UE after receiving the probe request message sent by the UE, where the Probe Response contains an SSID message field and the AP security capability information, and the AP security capability information includes web portal security capability indication information;
The multiple secure access modes include a web portal secure access mode and non-web-portal secure access modes, and the SSID corresponds to both the web portal secure access mode and the non-web-portal secure access modes at the same time.
Step 302: The UE selects one secure access mode from the multiple secure access modes in the protocol frame as the selected secure access mode;
In this step, the UE selects one of all the secure access modes supported by the WLAN as the selected secure access mode, based on the parameter information of each secure access mode in the protocol message and on factors such as the secure access modes it supports itself and the network environment. That is, it selects the corresponding access authentication method, data encryption method and so on. For example, if the UE selects the WPA secure access mode, the access authentication method may be IEEE 802.1X, PSK and so on, and the data encryption method may be TKIP.
Step 303: The UE notifies the AP of the selected secure access mode.
In this step, the UE notifies the AP of the selected secure access mode so that the AP also sets itself to the corresponding secure access mode for access.
In this embodiment, the UE receives the protocol frame sent by the AP, where the protocol frame includes the SSID and the security capability information of the AP, the security capability information of the AP includes multiple secure access modes, and the SSID corresponds to the multiple secure access modes. A protocol message in which the AP broadcasts one SSID can therefore correspond to multiple wireless secure access modes for the UE that receives it, which makes it more flexible for the UE to access the wireless network and saves wireless network resources.
FIG. 4 is a flowchart of Embodiment 4 of the wireless secure access method of the present invention. On the basis of Embodiment 3, this embodiment uses the Probe Response message as the protocol message and adds the step in which the UE sends an access authentication failure message to the AP when the UE's secure access mode fails. As shown in FIG. 2, the method specifically includes the following steps:
Step 401: The UE sends a Probe Request frame to the AP;
Step 402: The UE receives the Probe Response frame sent by the AP, where the probe response frame carries the AP security capability information;
In this step, the UE receives from the AP a Probe Response message containing one SSID message field. The SSID identifies the AP, and the AP security capability information includes indication information that the WLAN supports the Web Portal secure access mode;
In this step, the UE may also receive a Beacon broadcast message sent by the AP, where the Beacon broadcast message likewise includes one SSID and the parameter information of the secure access modes supported by the WLAN. The parameter information is the access authentication method, the data encryption method and so on used in the secure access mode.
Step 403: The UE selects one secure access mode according to the security capability information in the protocol frame as the selected secure access mode;
In this step, the UE selects a preferred secure access mode as the selected secure access mode, according to the secure access modes it supports itself and all the secure access modes supported by the WLAN as given in the protocol message.
Step 404: The UE sends the AP association request information carrying the parameter information of the selected secure access mode;
Optionally, this step may further include: the UE, based on a predetermined policy, selects or constructs an identity corresponding to the selected secure access mode and sends the AP a secure access authentication response message under that identity. Correspondingly, before this step, the UE receives the secure access authentication request message that the AP sends to the UE according to the secure access authentication mechanism information. If the access authentication mechanism selected by the UE is IEEE 802.1X, the EAP response message that the UE sends to the AP in the authentication procedure contains a specific identity, and that identity indicates that the UE has selected the web portal secure access mode.
Step 405: The UE determines whether the mode it selected for secure access is the Web Portal secure access mode;
If the UE selected a non-Web-Portal secure access mode for secure access, step 406 is performed; otherwise, normal Web Portal secure access is performed.
Step 406: When authentication between the UE and the network where the AP is located fails, the UE sends a secure access authentication failure message to the AP;
In this step, the UE sends an authentication failure message to the AP so that the AP resets itself to the Web Portal secure access mode for secure access;
Optionally, this step may further include: after receiving a secure access authentication failure message sent by the AP, the UE initiates the Web Portal secure access procedure toward the AP.
In this embodiment, the UE sends a secure access authentication failure message to the AP so that the AP sets the secure access mode of the WLAN to the Web Portal secure access mode and access is attempted again. This lets the UE, in the Web Portal secure access mode, access certain internally open network resources in the network, and solves the problem that internally open network resources cannot be accessed when authentication by other authentication methods fails.
FIG. 5 is a flowchart of Embodiment 5 of the wireless secure access method of the present invention, which provides a complete example based on any of the foregoing embodiments. This embodiment takes as its example an AP that supports the WEP, WPA/WPA2 and Web Portal secure access modes and a UE that supports only the Web Portal secure access mode. It may specifically include the following steps:
Step 501: The UE sends Probe Request information to the AP;
The UE may actively send a wireless network Probe Request message to the AP to obtain the Probe Response message of the WLAN in the AP, or it may passively receive the Beacon broadcast message sent by the AP. Both types of protocol message contain one SSID field.
Step 502: Based on a preset rule, the AP sets a message field in the Probe Response message to a preset value to indicate that the WLAN supports the Web Portal secure access mode;
In this step, the AP may set a reserved field in the Probe Response message to a preset value. On receipt, the UE determines whether the WLAN supports the Web Portal secure access mode by checking whether the parsed value of that reserved field is the preset value;
Step 503: The AP sends Probe Response information to the UE;
The Probe Response information carries the parameter information of the Web Portal secure access mode and of the other security modes supported by the WLAN, for example the access authentication method IEEE 802.1X and the data encryption method TKIP of the WPA secure access mode.
Step 504: The UE sends an authentication request message to the AP;
In this step, when the secure access mode selected by the UE is not WEP, the UE actively sends an authentication request message to the AP to trigger the open system authentication procedure.
Step 505: The AP sends an authentication response message to the UE;
Step 506: The UE sends association request information to the AP;
In the association request information, the UE carries the parameter information of the secure access mode it has selected. For example, if WEP is selected, the request carries the WEP access authentication mode parameters and data encryption method parameters. In this embodiment, because the UE supports only the Web Portal secure access mode, the association request message carries the parameters of the Web Portal secure access mode.
Step 507: The AP sends association response information to the UE;
Step 508: The UE and the AP perform the DHCP configuration procedure;
DHCP is performed before the Hypertext Transfer Protocol (HTTP) procedure. The following steps are those in which both ends, having set their own devices to the Web Portal secure access mode, begin the secure access procedure.
Step 509: The UE sends an HTTP request message to the AP;
Step 510: The AP sends an HTTP request message to the portal website;
Step 511: The portal website sends an HTTP response message to the UE;
Step 512: The UE sends user login information to the portal website;
The user login information includes information such as the user name and password previously registered with the authentication server.
Step 513: The AP, the portal website and the authentication server complete verification of the user login information;
When the AP and the AC are deployed separately, the verification procedure for the user login information is completed by the AC, the portal website and the authentication server.
Step 514: The portal website sends a user-verification-passed message to the UE.
This completes the Web Portal secure access mode procedure between the UE and the WLAN in the AP.
It should be noted that in this embodiment the functions of the AP and of the access controller (AC) node are integrated in one fat AP, that is, the AP and the AC are combined into one, and the work of both is performed on one physical AP. Those skilled in the art will understand that in a specific implementation the AP and the AC may also be deployed separately.
In this embodiment, by including in the Probe Response the indication information that the Web Portal secure access mode is supported, a protocol frame in which the AP broadcasts one SSID allows the UE to access in multiple security modes.
FIG. 6 is a flowchart of Embodiment 6 of the wireless secure access method of the present invention, which provides a complete example based on any of the foregoing embodiments. This embodiment assumes that both the AP and the UE support the WEP, WPA/WPA2 and Web Portal secure access modes, and takes as its example the case where the first access attempt selects the WPA secure access mode and fails, after which access is continued with the Web Portal secure access mode. It may specifically include the following steps:
Step 601: Based on a preset rule, the AP sets a message field in the Beacon message to a preset value to indicate that the WLAN supports the Web Portal secure access mode;
Step 602: The AP sends Beacon broadcast information to the UE;
The Beacon broadcast information contains the SSID field identifying the WLAN and the indication from step 601 that the WLAN supports the Web Portal secure access mode.
Step 603: The UE sends an authentication request message to the AP;
In this step, when the secure access mode selected by the UE is not WEP, the UE actively sends an authentication request message to the AP to trigger the open system authentication procedure.
Step 604: The AP sends an authentication response message to the UE;
Step 605: The UE sends association request information to the AP, specifying WPA as the secure access mode, with IEEE 802.1X authentication as the authentication method;
If both the UE and the AP support IEEE 802.1X authentication, the UE specifies IEEE 802.1X as the selected authentication method in the association request information it sends to the AP.
Step 606: The AP sends association response information to the UE;
Step 607: The AP sends an IEEE 802.1X EAP request message to the UE;
Step 608: The UE sends an IEEE 802.1X EAP response message to the AP under an identity set according to a preset policy;
The UE sets an identity according to a predetermined policy and uses it to indicate that the UE supports the Web Portal secure access mode. It sends the IEEE 802.1X EAP response message to the AP so that the AP learns from this identity that the UE supports the Web Portal secure access mode.
Step 609: The AP sends the authentication server an access request message containing the EAP message;
Step 610: The IEEE 802.1X authentication procedure starts between the UE and the authentication server;
The AP forwards the content of the IEEE 802.1X EAP response message sent by the UE, and IEEE 802.1X authentication starts between the UE and the authentication server.
Step 611: The authentication server sends an IEEE 802.1X authentication failure message to the UE;
If authentication fails, the UE receives an authentication failure message from the authentication server.
Step 612: The AP sets the WLAN to support the Web Portal secure access mode;
Step 613: The UE and the AP perform the DHCP configuration procedure;
Because the AP learned in step 608 that the UE supports the Web Portal secure access mode, the AP also sets itself to the Web Portal secure access mode and access is attempted. The following steps are those in which both ends start the Web Portal secure access mode procedure.
Step 614: The UE sends an HTTP request message to the AP;
Step 615: The AP sends an HTTP request message to the portal website;
Step 616: The portal website sends an HTTP response message to the UE;
Step 617: The UE sends user login information to the portal website;
The user login information includes information such as the user name and password previously registered with the authentication server.
Step 618: The AP, the portal website and the authentication server complete verification of the user login information;
When the AP and the AC are deployed separately, the verification procedure for the user login information is completed by the AC, the portal website and the authentication server.
Step 619: The portal website sends a user-verification-passed message to the UE.
In this embodiment, during IEEE 802.1X authentication the UE sends the IEEE 802.1X EAP response message to the AP under an identity set according to a preset policy, to indicate that the UE itself supports the Web Portal secure access mode. After another secure access mode fails, the AP and the UE can then attempt access with the Web Portal secure access mode, which solves the problem that some internally shared networks cannot be accessed because authentication in other secure access modes failed.
FIG. 7 is a structural diagram of Embodiment 1 of the wireless secure access apparatus of the present invention. The apparatus 70 is usually integrated in an AP network element. As shown in FIG. 7, the apparatus specifically includes:
a sending module 71, configured to send a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
a receiving module 72, configured to receive a selected secure access mode sent by the UE, where the selected secure access mode is one secure access mode selected by the UE from the multiple secure access modes in the protocol frame;
a setting module 73, configured to set its own secure access mode based on the selected secure access mode.
The apparatus of this embodiment is used to perform the technical solution of the method embodiment shown in FIG. 1. Its implementation principle and technical effects are similar and are not described again here.
FIG. 8 is a structural diagram of Embodiment 2 of the wireless secure access apparatus of the present invention. As shown in FIG. 8, the apparatus 80 builds on the previous embodiment. Further, the multiple secure access modes include a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode.
The sending module 71 is specifically configured to:
send a beacon frame to the UE, where the protocol frame is the beacon frame; or,
upon receiving a probe request frame sent by the UE, send a probe response frame to the UE, where the protocol frame is the probe response frame.
Further, the capability information of the web portal secure access mode is expressed in one of the following ways:
using a reserved field, or a reserved value of a field, of an information element contained in the protocol frame to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
defining a new information element contained in the protocol frame to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
extending the fields of an information element contained in the protocol frame, that is, adding a field to the information element to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode.
Optionally, the receiving module 72 is specifically configured to:
receive association request information sent by the UE, obtain the parameter information of the selected secure access mode carried in the association request information, and obtain the corresponding selected secure access mode according to the parameter information; or,
receive an authentication response message sent by the UE, obtain the identity selected or constructed by the UE that the UE sent, and determine the secure access mode selected by the UE according to the identity.
Further, before the receiving module 72 receives the secure access authentication response message sent by the UE:
the receiving module 72 is further configured to receive association request information sent by the UE and obtain the secure access authentication mechanism indicated in the association request information;
the sending module 71 is further configured to send a secure access authentication request message to the UE according to the secure access authentication mechanism.
Further, the apparatus also includes:
a changing module 81, configured to: after the setting module 73 sets its own secure access mode based on the selected secure access mode and initiates the corresponding secure access procedure with the UE, if the secure access mode selected by the UE is a non-Web Portal secure access mode, then, after a secure access authentication failure indication message sent by the UE is received, change the secure access mode of the WLAN to the Web Portal secure access mode and initiate the Web Portal secure access procedure with the UE; or,
the sending module 71 is specifically configured to: after the setting module 73 sets its own secure access mode based on the selected secure access mode and initiates the corresponding secure access procedure with the UE, if the secure access mode selected by the UE is a non-Web Portal secure access mode, send, after the UE's secure access authentication fails, a secure access authentication failure message to the UE so that the UE triggers the Web Portal secure access procedure upon receiving the authentication failure message; or, send a secure access authentication failure message to the UE and trigger the web portal access procedure.
The apparatus of this embodiment is used to perform the technical solution of the method embodiment shown in FIG. 2. Its implementation principle and technical effects are similar and are not described again here.
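The capability advertisement and the Web Portal fallback described for this embodiment, as an added Python example that is not part of the patent text. It assumes the "new information element" option is carried as a vendor-specific element (ID 221) with a placeholder OUI and a hypothetical type byte, treats the presence of an RSN element as the non-web-portal mode, and uses hypothetical class and function names throughout.

```python
import struct
from enum import Enum

IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221   # real IEEE 802.11 element IDs
PORTAL_OUI = b"\x00\x00\x00"              # placeholder OUI (assumption)
PORTAL_TYPE = 0x01                        # hypothetical "web portal supported" type


class Mode(Enum):
    NON_PORTAL = "802.1X"
    WEB_PORTAL = "web-portal"


def ie(elem_id, value):
    """Encode one information element: ID (1 byte), length (1 byte), value."""
    if len(value) > 255:
        raise ValueError("IE value too long")
    return struct.pack("BB", elem_id, len(value)) + value


def parse_ies(body):
    """Split the IE area of a beacon/probe response into (id, value) pairs."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header")
        elem_id, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            raise ValueError("IE length runs past end of frame")
        out.append((elem_id, body[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def advertised_modes(body):
    """Return (ssid, modes): every mode offered under the one SSID."""
    ssid, modes = None, set()
    for elem_id, value in parse_ies(body):
        if elem_id == IE_SSID:
            ssid = value.decode("utf-8", "replace")
        elif elem_id == IE_RSN:
            modes.add(Mode.NON_PORTAL)    # simplification: RSN present => 802.1X offered
        elif elem_id == IE_VENDOR and value[:4] == PORTAL_OUI + bytes([PORTAL_TYPE]):
            modes.add(Mode.WEB_PORTAL)
    return ssid, modes


def ue_select(modes, has_dot1x_credentials):
    """UE side: pick one of the advertised modes (hypothetical policy)."""
    if Mode.NON_PORTAL in modes and has_dot1x_credentials:
        return Mode.NON_PORTAL
    if Mode.WEB_PORTAL in modes:
        return Mode.WEB_PORTAL
    raise LookupError("no mutually supported secure access mode")


class AccessPoint:
    """AP side: advertise both modes, follow the UE's choice, fall back on failure."""

    def __init__(self, ssid):
        self.ssid = ssid
        self.mode = None
        self.ue_portal_capable = False

    def beacon_ies(self):
        rsn_stub = b"\x01\x00"            # constructed: version field only, not a full RSN element
        return (ie(IE_SSID, self.ssid.encode())
                + ie(IE_RSN, rsn_stub)
                + ie(IE_VENDOR, PORTAL_OUI + bytes([PORTAL_TYPE])))

    def on_selected_mode(self, mode, ue_portal_capable):
        # ue_portal_capable models what the AP learns from the UE's identity.
        self.mode = mode
        self.ue_portal_capable = ue_portal_capable

    def on_auth_failure(self):
        # Fall back only from a non-portal mode, and only for a UE that
        # signalled Web Portal support; otherwise the attempt is rejected.
        if self.mode is Mode.NON_PORTAL and self.ue_portal_capable:
            self.mode = Mode.WEB_PORTAL
            return "start-web-portal"
        return "reject"


if __name__ == "__main__":
    ap = AccessPoint("corp-wlan")         # constructed SSID
    ssid, modes = advertised_modes(ap.beacon_ies())
    chosen = ue_select(modes, has_dot1x_credentials=True)
    ap.on_selected_mode(chosen, ue_portal_capable=True)
    print(ssid, sorted(m.value for m in modes), chosen.value, ap.on_auth_failure())
```

The fallback is gated on the UE having signalled Web Portal support, so an AP that logs each `on_auth_failure` result can tell a negotiated fallback from a plain rejection.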
FIG. 9 is a structural diagram of Embodiment 3 of the wireless secure access apparatus of the present invention. The apparatus 90 is usually integrated in a UE. As shown in FIG. 9, the apparatus specifically includes:
a receiving module 91, configured to receive a protocol frame sent by the AP, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
a selecting module 92, configured to select one secure access mode from the multiple secure access modes in the protocol frame as the selected secure access mode;
a sending module 93, configured to notify the AP of the selected secure access mode.
The apparatus of this embodiment is used to perform the technical solution of the method embodiment shown in FIG. 3. Its implementation principle and technical effects are similar and are not described again here.
On the basis of the above embodiment, further,
the multiple secure access modes include a web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode.
The receiving module 91 is specifically configured to:
receive a beacon frame sent by the AP; or,
after sending a probe request frame to the AP, receive a probe response frame sent by the AP.
Further, the sending module 93 is specifically configured to:
send to the AP association request information carrying the parameter information of the selected secure access mode; or, based on a predetermined policy, select or construct a corresponding identity according to the selected secure access mode, and send a secure access authentication response message to the AP under that identity.
Further, before the sending module 93, based on the predetermined policy, selects a corresponding identity according to the selected secure access mode and sends a secure access authentication response message to the AP under that identity, the sending module 93 is specifically configured to send association request information to the AP, where the association request information carries secure access authentication mechanism information;
the receiving module 91 is specifically configured to receive the secure access authentication request message that the AP sends to the UE according to the secure access authentication mechanism information.
Optionally, the sending module 93 is further configured to send a secure access authentication failure message to the AP if the secure access mode selected by the UE is not Web Portal secure access and the UE's authentication of the network where the AP is located fails; or,
the sending module 93 is configured to initiate a Web Portal secure access procedure with the AP after the receiving module 91 receives a secure access authentication failure message sent by the AP; or,
the sending module 93 is further configured to, if the secure access mode selected by the UE is not Web Portal secure access and the UE's authentication of the network where the AP is located fails, send a secure access authentication failure message to the AP and then initiate a web portal procedure with the AP.
The apparatus of the above embodiment is used to perform the technical solution of the method embodiment shown in FIG. 4. Its implementation principle and technical effects are similar and are not described again here.
FIG. 10 is a structural diagram of Embodiment 4 of the wireless secure access apparatus of the present invention. As shown in FIG. 10, the wireless secure access apparatus 100 provided in this embodiment may be integrated in an AP and includes:
a transmitter 101, configured to send a protocol frame to the UE, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
a receiver 102, configured to receive a selected secure access mode sent by the UE, where the selected secure access mode is one secure access mode selected by the UE from the multiple secure access modes in the protocol frame;
a processor 103, configured to set its own secure access mode based on the selected secure access mode.
In this embodiment, the processor 103 executes the execution instructions so that the connection establishment apparatus performs the method shown in FIG. 1. The implementation principle and technical effects are similar and are not described again here.
FIG. 11 is a structural diagram of Embodiment 5 of the wireless secure access apparatus of the present invention. As shown in FIG. 11, the wireless secure access apparatus 110 provided in this embodiment may be integrated in a UE and includes:
a receiver 112, configured to receive a protocol frame sent by the AP, where the protocol frame includes an SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
a processor 113, configured to select one secure access mode from the multiple secure access modes in the protocol frame as the selected secure access mode;
a transmitter 111, configured to notify the AP of the selected secure access mode.
In this embodiment, the processor 113 executes the execution instructions so that the connection establishment apparatus performs the method shown in FIG. 3. The implementation principle and technical effects are similar and are not described again here.
FIG. 12 is a structural diagram of Embodiment 1 of the wireless secure access system of the present invention. As shown in FIG. 12, the system includes an AP 121 and a UE 122. The AP 121 includes the wireless secure access apparatus 100 of any of the foregoing embodiments, and the UE 122 includes the wireless secure access apparatus 110 of any of the foregoing embodiments.
The wireless secure access apparatus 100 in this embodiment can correspondingly perform the wireless secure access method of the AP provided by any embodiment of the present invention. The implementation principle and technical effects are similar and are not described again here.
The wireless secure access apparatus 110 in this embodiment can correspondingly perform the terminal-side wireless secure access method provided by any embodiment of the present invention. The implementation principle and technical effects are similar and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. The division into units is only a division by logical function, and an actual implementation may divide them differently: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in another form.
The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
A person of ordinary skill in the art can understand that all or part of the steps of the above method embodiments may be completed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium, and when executed it performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims

1. A wireless secure access method, characterized by comprising:
an access point AP sending a protocol frame to a user equipment UE, where the protocol frame includes a service set identifier SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
the AP receiving a selected secure access mode sent by the UE, where the selected secure access mode is one secure access mode selected by the UE from the multiple secure access modes in the protocol frame;
the AP setting its own secure access mode based on the selected secure access mode.
2. The method according to claim 1, characterized in that the multiple secure access modes include an open web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode.
3. The method according to claim 2, characterized in that the capability information of the web portal secure access mode is expressed in one of the following ways:
using a reserved field, or a reserved value of a field, of an information element contained in the protocol frame to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
defining a new information element contained in the protocol frame to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode; or,
extending the fields of an information element contained in the protocol frame, that is, adding a field to the information element to indicate the network's support for the web portal secure access mode, that is, the capability information of the web portal secure access mode.
4. The method according to any one of claims 1-3, characterized in that the AP sending a protocol frame to the UE includes:
the AP sending a beacon frame to the UE; or,
the AP, upon receiving a probe request frame sent by the UE, sending a probe response frame to the UE.
5. The method according to any one of claims 1-4, characterized in that the AP receiving the selected secure access mode sent by the UE includes:
the AP receiving association request information sent by the UE, obtaining the parameter information of the selected secure access mode carried in the association request information, and obtaining the corresponding selected secure access mode according to the parameter information; or,
the AP receiving an authentication response message sent by the UE, obtaining the identity selected or constructed by the UE that the UE sent, and determining the secure access mode selected by the UE according to the identity.
6. The method according to claim 5, characterized in that, before the AP receives the secure access authentication response message sent by the UE, the method further includes:
the AP receiving association request information sent by the UE and obtaining the secure access authentication mechanism indicated in the association request information;
the AP sending a secure access authentication request message to the UE according to the secure access authentication mechanism.
7. The method according to any one of claims 2-6, characterized in that, after the AP sets its own secure access mode based on the selected secure access mode, the method further includes:
if the secure access mode selected by the UE is a non-Web Portal secure access mode, the AP, after receiving a secure access authentication failure indication message sent by the UE, changing the secure access mode of the WLAN to the Web Portal secure access mode and initiating the Web Portal secure access procedure with the UE; or,
if the secure access mode selected by the UE is a non-Web Portal secure access mode, the AP, after the UE's secure access authentication fails, sending a secure access authentication failure message to the UE, and the UE triggering the Web Portal secure access procedure after receiving the authentication failure message; or,
if the secure access mode selected by the UE is a non-Web Portal secure access mode, the AP, after the UE's secure access authentication fails, sending a secure access authentication failure message to the UE and triggering the web portal access procedure.
8. A wireless secure access method, characterized by comprising:
a user equipment UE receiving a protocol frame sent by an access point AP, where the protocol frame includes a service set identifier SSID and security capability information of the AP, the security capability information of the AP includes capability information of multiple secure access modes, and the SSID corresponds to the multiple secure access modes;
the UE selecting one secure access mode from the multiple secure access modes in the protocol frame as the selected secure access mode;
the UE notifying the AP of the selected secure access mode.
9. The method according to claim 8, characterized in that the multiple secure access modes include an open web portal secure access mode and a non-web portal secure access mode, and the SSID corresponds to both the web portal secure access mode and the non-web portal secure access mode.
10. The method according to claim 8 or 9, characterized in that the UE receiving the protocol frame sent by the AP includes:
the UE receiving a beacon frame sent by the AP; or,
the UE, after sending a probe request frame to the AP, receiving a probe response frame sent by the AP.
11. The method according to any one of claims 8-10, characterized in that the UE notifying the AP of the selected secure access mode includes:
the UE sending to the AP association request information carrying the parameter information of the selected secure access mode; or,
the UE, based on a predetermined policy, selecting or constructing a corresponding identity according to the selected secure access mode, and sending a secure access authentication response message to the AP under that identity.
12. The method according to claim 11, characterized in that, before the UE, based on the predetermined policy, selects a corresponding identity according to the selected secure access mode and sends a secure access authentication response message to the AP under that identity, the method further includes:
the UE sending association request information to the AP, where the association request information carries secure access authentication mechanism information;
the UE receiving the secure access authentication request message that the AP sends to the UE according to the secure access authentication mechanism information.
13. The method according to any one of claims 9-12, characterized by further comprising:
if the secure access mode selected by the UE is non-Web Portal secure access and the UE's authentication of the network where the AP is located fails, sending a secure access authentication failure message to the AP; or,
the UE, after receiving a secure access authentication failure message sent by the AP, initiating a Web Portal secure access procedure with the AP.
14、 一种无线安全接入装置, 其特征在于, 包括: 14. A wireless security access device, characterized by including:
发送模块, 用于向用户设备 UE发送协议帧, 所述协议帧包括服务集标 识 SSID和所述 AP的安全能力信息, 所述 AP的安全能力信息包括多种安全 接入模式的能力信息, 所述 SSID对应所述多种安全接入模式; A sending module, configured to send a protocol frame to the user equipment UE, where the protocol frame includes a service set identifier SSID and security capability information of the AP, where the security capability information of the AP includes capability information of multiple security access modes, so The SSID corresponds to the multiple security access modes;
接收模块, 用于接收所述 UE发送的选定安全接入模式, 所述选定安全 接入模式为所述 UE从所述协议帧中的多种安全接入模式中选择的一个安全 接入模式; 设置模块, 用于基于所述选定安全接入模式设置自身的安全接入模式。 A receiving module, configured to receive a selected security access mode sent by the UE, where the selected security access mode is a security access selected by the UE from a plurality of security access modes in the protocol frame. model; A setting module, configured to set its own security access mode based on the selected security access mode.
15、 根据权利要求 14所述的装置, 其特征在于, 所述多种安全接入模式 包括: 开放 web portal安全接入模式和非 web portal安全接入模式, 且所述 SSID同时对应所述 web portal安全接入模式和非 web portal安全接入模式。 15. The device according to claim 14, wherein the multiple security access modes include: an open web portal security access mode and a non-web portal security access mode, and the SSID simultaneously corresponds to the web portal security access mode. portal security access mode and non-web portal security access mode.
16. The apparatus according to claim 15, wherein the capability information of the web portal security access mode is expressed in the following manner:
a reserved field, or a reserved value of a field, of an information element contained in the protocol frame is used to indicate the network's support for the web portal security access mode, that is, the capability information of the web portal security access mode; or,
a new information element is defined and included in the protocol frame to indicate the network's support for the web portal security access mode, that is, the capability information of the web portal security access mode; or,
a field of an information element contained in the protocol frame is extended, that is, a field is added to the information element to indicate the network's support for the web portal security access mode, that is, the capability information of the web portal security access mode.
17. The apparatus according to any one of claims 14 to 16, wherein the sending module is specifically configured to:
send a beacon frame to the UE, where the protocol frame is the beacon frame; or,
upon receiving a probe request frame sent by the UE, send a probe response frame to the UE, where the protocol frame is the probe response frame.
18. The apparatus according to any one of claims 14 to 17, wherein the receiving module is specifically configured to:
receive association request information sent by the UE, obtain the parameter information of the selected security access mode carried in the association request information, and obtain the corresponding selected security access mode according to the parameter information; or,
receive an authentication response message sent by the UE, obtain the identity selected or constructed by the UE and sent by the UE, and determine, according to the predefined identity, the security access mode selected by the UE.
19. The apparatus according to claim 18, wherein, before the receiving module receives the security access authentication response message sent by the UE:
the receiving module is further configured to receive association request information sent by the UE and obtain the security access authentication mechanism indicated in the association request information; and
the sending module is further configured to send a security access authentication request message to the UE according to the security access authentication mechanism.
20. The apparatus according to any one of claims 15 to 19, further comprising:
a changing module, configured to: after the setting module sets the apparatus's own security access mode based on the selected security access mode, if the security access mode selected by the UE is the non-Web Portal security access mode, then, after receiving a security access authentication failure indication message sent by the UE, change the security access mode of the WLAN to the Web Portal security access mode and initiate a Web Portal security access procedure to the UE; or,
the sending module is specifically configured to: after the setting module sets the apparatus's own security access mode based on the selected security access mode, if the security access mode selected by the UE is the non-Web Portal security access mode, then, after the UE's security access authentication fails: send a security access authentication failure message to the UE so that the UE triggers the Web Portal security access procedure after receiving the authentication failure message; or send a security access authentication failure message to the UE and trigger the web portal access procedure.
21. A wireless security access apparatus, comprising:
a receiving module, configured to receive a protocol frame sent by an access point (AP), where the protocol frame includes a service set identifier (SSID) and security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
a selection module, configured to select one security access mode from the multiple security access modes in the protocol frame as the selected security access mode; and
a sending module, configured to notify the AP of the selected security access mode.
22. The apparatus according to claim 21, wherein the multiple security access modes include an open web portal security access mode and a non-web portal security access mode, and the SSID corresponds to both the web portal security access mode and the non-web portal security access mode.
23. The apparatus according to claim 21 or 22, wherein the receiving module is specifically configured to:
receive a beacon frame sent by the AP; or,
after a probe request frame is sent to the AP, receive a probe response frame sent by the AP.
24. The apparatus according to any one of claims 21 to 23, wherein the sending module is specifically configured to:
send, to the AP, association request information carrying the parameter information of the selected security access mode; or,
select, based on a predetermined policy, a corresponding identity according to the selected security access mode, and send a security access authentication response message to the AP with that identity.
25. The apparatus according to claim 24, wherein, before the sending module selects a corresponding identity or constructs a corresponding identity according to the selected security access mode based on a predetermined policy and sends the security access authentication response message to the AP with that identity:
the sending module is specifically configured to send association request information to the AP, where the association request information carries security access authentication mechanism information; and
the receiving module is specifically configured to receive a security access authentication request message sent by the AP to the UE according to the security access authentication mechanism information.
26. The apparatus according to any one of claims 22 to 25, wherein:
the sending module is further configured to send a security access authentication failure message to the AP if the security access mode selected by the UE is non-Web Portal security access and the UE's authentication of the network where the AP is located fails; or,
the sending module is configured to initiate a Web Portal security access procedure to the AP after the receiving module receives a security access authentication failure message sent by the AP.
27. A wireless security access apparatus, comprising:
a transmitter, configured to send a protocol frame to a user equipment (UE), where the protocol frame includes a service set identifier (SSID) and security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
a receiver, configured to receive a selected security access mode sent by the UE, where the selected security access mode is one security access mode selected by the UE from the multiple security access modes in the protocol frame; and
a processor, configured to set the apparatus's own security access mode based on the selected security access mode.
28. A wireless security access apparatus, comprising:
a receiver, configured to receive a protocol frame sent by an access point (AP), where the protocol frame includes a service set identifier (SSID) and security capability information of the AP, the security capability information of the AP includes capability information of multiple security access modes, and the SSID corresponds to the multiple security access modes;
a processor, configured to select one security access mode from the multiple security access modes in the protocol frame as the selected security access mode; and
a transmitter, configured to notify the AP of the selected security access mode.
29. A wireless security access system, comprising an access point (AP) of a wireless local area network (WLAN) and a user equipment (UE), wherein:
the AP includes the wireless security access apparatus according to claim 27; and
the UE includes the wireless security access apparatus according to claim 28.
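Claims 16 to 18 and 23 to 24 describe the AP advertising its security access modes in a beacon or probe response and the UE returning its choice in the association request. The sketch below is an added example, not the patent's wire format: it assumes the web portal capability is carried in a vendor-specific element (ID 221) with a constructed OUI/type and flag bit, treats the presence of an RSN element as the non-web portal mode, models only the tagged elements of each frame, and uses a hypothetical UE preference policy.

```python
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221   # standard 802.11 element IDs
PORTAL_OUI_TYPE = b"\xaa\xbb\xcc\x01"     # constructed OUI + type (assumption)
PORTAL_BIT = 0x01                         # assumed flag: web portal supported

def build_ie(eid, payload):
    return bytes([eid, len(payload)]) + payload   # ValueError if payload > 255 bytes

RSN_IE = build_ie(IE_RSN, b"\x01\x00")    # constructed minimal RSN payload (version 1)
PORTAL_IE = build_ie(IE_VENDOR, PORTAL_OUI_TYPE + bytes([PORTAL_BIT]))
# Constructed sample: tagged elements of a beacon for one SSID offering both modes.
BEACON = build_ie(IE_SSID, b"corp-wifi") + RSN_IE + PORTAL_IE

def parse_ies(body):
    """Split tagged elements into (id, payload) pairs; reject truncated ones."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("truncated or overlong element")
        eid, length = body[i], body[i + 1]
        out.append((eid, body[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def modes_in(body):
    """Return (ssid, set of security access modes) carried in the elements."""
    ssid, modes = None, set()
    for eid, payload in parse_ies(body):
        if eid == IE_SSID:
            ssid = payload.decode("utf-8", "replace")
        elif eid == IE_RSN:
            modes.add("non_web_portal")
        elif (eid == IE_VENDOR and len(payload) == 5
              and payload[:4] == PORTAL_OUI_TYPE and payload[4] & PORTAL_BIT):
            modes.add("web_portal")
    return ssid, modes

def ue_select(advertised, has_credentials):  # UE policy is an assumption
    if has_credentials and "non_web_portal" in advertised:
        return "non_web_portal"
    if "web_portal" in advertised:
        return "web_portal"
    raise ValueError("no usable security access mode advertised")

def assoc_request(ssid, mode):
    """UE side: carry the selected mode as one element of the association request."""
    return build_ie(IE_SSID, ssid.encode()) + (
        RSN_IE if mode == "non_web_portal" else PORTAL_IE)

def ap_accept(assoc_body, advertised):
    """AP side: adopt the mode only if exactly one advertised mode was selected."""
    _, chosen = modes_in(assoc_body)
    if len(chosen) != 1 or not chosen <= advertised:
        raise ValueError("selection is not one of the advertised modes")
    return chosen.pop()
```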
PCT/CN2013/084616 2013-09-29 2013-09-29 Wireless secure access method, apparatus and system WO2015042917A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201380002577.XA CN105264932A (en) 2013-09-29 2013-09-29 Wireless secure access method, apparatus and system
PCT/CN2013/084616 WO2015042917A1 (en) 2013-09-29 2013-09-29 Wireless secure access method, apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/084616 WO2015042917A1 (en) 2013-09-29 2013-09-29 Wireless secure access method, apparatus and system

Publications (1)

Publication Number Publication Date
WO2015042917A1 (en) 2015-04-02

Family

ID=52741851

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/084616 WO2015042917A1 (en) 2013-09-29 2013-09-29 Wireless secure access method, apparatus and system

Country Status (2)

Country Link
CN (1) CN105264932A (en)
WO (1) WO2015042917A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060174330A1 (en) * 2005-02-01 2006-08-03 Hyun-Min Yoon Network access method of wireless local area network (WLAN) terminals and network system thereof
CN101304615A (en) * 2008-07-09 2008-11-12 杭州华三通信技术有限公司 Hybrid access method and apparatus
CN102572831A (en) * 2012-02-07 2012-07-11 中兴通讯股份有限公司 Method and system for access of multi-mode terminal to wireless local area network, and equipment
CN103139775A (en) * 2011-12-02 2013-06-05 ***通信集团上海有限公司 Access method of wireless local area network (WLAN), access device of WLAN and access system of WLAN

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016131289A1 (en) * 2015-07-28 2016-08-25 中兴通讯股份有限公司 Method, device and user equipment for testing security of wireless hotspot
CN106385683A (en) * 2015-07-28 2017-02-08 中兴通讯股份有限公司 Wireless hot spot safety detection method, apparatus and user equipment thereof
US20220104017A1 (en) * 2020-09-26 2022-03-31 Mcafee, Llc Wireless access point with multiple security modes
US11930359B2 (en) * 2020-09-26 2024-03-12 Mcafee, Llc Wireless access point with multiple security modes

Also Published As

Publication number Publication date
CN105264932A (en) 2016-01-20

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201380002577.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13894589

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13894589

Country of ref document: EP

Kind code of ref document: A1