WO2012068815A1 - Method for preventing impostors in wireless access network, and access point - Google Patents

Method for preventing impostors in wireless access network, and access point

Info

Publication number
WO2012068815A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
access point
authorization status
address
entry
Prior art date
Application number
PCT/CN2011/072402
Other languages
French (fr)
Chinese (zh)
Inventor
彭永超
郭辉
刘昕颖
唐珂
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2012068815A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2854: Wide area networks, e.g. public data networks
    • H04L 12/2856: Access arrangements, e.g. Internet access
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12: Detection or prevention of fraud
    • H04W 12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122: Counter-measures against attacks; Protection against rogue devices
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00: Network arrangements, protocols or services for addressing or naming
    • H04L 61/09: Mapping addresses
    • H04L 61/10: Mapping addresses of different types
    • H04L 61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Definitions

  • The present invention relates to the field of mobile communications, and in particular to a method and an access point for preventing counterfeit users in a radio access network.
  • AP: Access Point.
  • The user terminal can connect to the AP without entering a password, and can obtain an IP address dynamically.
  • At that point the user terminal's access to the network is restricted: it can only reach a limited set of addresses, for example a Domain Name System (DNS) server and a Web Portal server.
  • DNS: Domain Name System.
  • Web Portal server: when the user opens a browser and accesses any page, the request is redirected to the Web Portal server.
  • The Web Portal server pushes a web login page to the user, prompting the user to enter a username and password.
  • The advantage of the web authentication method is that the user terminal does not need to download and install customized client software; the login process can be completed using only a browser.
  • The disadvantage is that the over-the-air packets exchanged between the user terminal and the AP are usually not encrypted, which is a security risk.
  • One of the more serious risks is a fake user.
  • The fake user uses an over-the-air packet capture tool to capture the air packets exchanged between other user terminals and the AP, obtains the MAC address and IP address of an authenticated legal terminal, and then changes the MAC address and IP address of its own wireless network card to those of the legal terminal. In this way the impersonation cannot be told apart, and the counterfeit terminal can use, without authentication, the services that only the legal terminal should be able to use.
  • The expenses incurred by the counterfeit user are charged to the account of the legal user, which harms the interests of the legal user and also harms the interests of the operator.
  • In wired access networks, a method of binding an IP (Internet Protocol) address + Medium Access Control (MAC) address to a physical port is generally adopted to prevent fake users. That is, after the user passes authentication, the switch binds the IP address + MAC address (or only the IP address or MAC address) of the terminal to the physical port to which it is connected; if a packet with the same IP address or MAC address arrives from another physical port, it is considered illegal and discarded.
  • IP: Internet Protocol.
  • MAC: Medium Access Control.
  • In a wireless access network, the AP differs from the switch of a wired access network.
  • The wireless channel on which the AP works can be regarded as a physical port.
  • In general an AP can work on only one or two wireless channels at any time (some APs support 802.11 a/b/g and can work on a 2.4 GHz channel and a 5 GHz channel simultaneously), so the AP has only one or two physical ports. The legal terminal and the fake terminal are both connected to the AP through the same physical port, so the method of binding IP+MAC to a physical port is not applicable in a wireless access network. Therefore, there is an urgent need for a method of preventing fraudulent users that can be applied to a wireless access network.
  • The present invention provides a method and an access point for preventing a spoofing user in a radio access network.
  • Even when packets transmitted over the air in the radio access network are not encrypted, attacks by spoofing users can be prevented.
  • The present invention provides a method for preventing a fake user in a wireless access network, including: establishing one or more virtual access points, where each virtual access point has a basic service set identifier (BSSID) corresponding to it;
  • forwarding the data frame sent by the legal terminal according to the binding relationship, and discarding the data frame sent by the fake terminal.
  • The invention also provides an access point, comprising:
  • a first establishing module configured to establish one or more virtual access points, where each virtual access point has a basic service set identifier (BSSID) corresponding to it;
  • a connection module configured to connect the terminal to a virtual access point according to the MAC address of the terminal;
  • an authentication module configured to authenticate the terminal;
  • a processing module configured to forward the data frame sent by the legal terminal according to the binding relationship, and to discard the data frame sent by the fake terminal.
  • FIG. 1 is a flowchart of a method for preventing a spoofing user in a radio access network according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of an AP preventing a counterfeit user from being processed according to an embodiment of the present invention
  • FIG. 3 is a signaling flowchart of a call hook function according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a call connection establishment hook function according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a call disconnection hook function according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of invoking an authentication end hook function according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of an access point according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a method for preventing a spoofing user in a radio access network according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following processing:
  • Step 101: Establish one or more virtual access points (VAPs), each having a corresponding Basic Service Set Identifier (BSSID). That is, multiple VAPs are established on the AP; they work on the same channel and have the same Service Set Identifier (SSID), but have different BSSIDs.
  • The VAPs send out beacon frames carrying different BSSIDs. After receiving the beacon frames, the terminal determines from the carried BSSIDs that they come from different VAPs, i.e. the terminal considers the beacon frames to be sent by multiple APs.
  • BSSID: Basic Service Set Identifier.
  • Step 102: Connect the terminal to a virtual access point according to the MAC address of the terminal, and authenticate the terminal.
  • In step 102, connecting the terminal to a virtual access point requires the following processing: 1. When the terminal needs to connect to the virtual access point, it is determined according to the MAC address of the terminal whether a terminal with the same MAC address is already connected to that virtual access point; 2. if no terminal with the same MAC address is connected to the virtual access point, the terminal is allowed to connect to it; 3. if the virtual access point already has a terminal with the same MAC address, the terminal is refused connection to that virtual access point, forcing it to connect to another virtual access point.
  • Since the connection is easily disconnected, the terminal that connects first is not necessarily the legal terminal. Therefore, when a terminal wants to connect to a VAP, the AP needs to check whether a terminal with the same MAC address is already connected to that VAP. If there is, the terminal is refused connection to the VAP, and it will then automatically try to connect to another VAP with the same SSID, thereby forcing the fake terminal and the legal terminal onto different VAPs.
  • Step 103: For the authenticated legal terminal, bind its IP address and/or MAC address to the BSSID of the virtual access point it is connected to, thereby determining the binding relationship between the legal terminal and the virtual access point.
  • The header of each 802.11 data frame sent by a terminal carries the BSSID. Since the legal terminal and the fake terminal are connected to different VAPs, the BSSIDs included in the frames they send are different, and the AP can tell which terminal sent a frame according to its BSSID.
  • A terminal authorization status table may also be established, where the terminal authorization status table includes: an IP address, a MAC address, a BSSID, and an authorization status; the authorization status is one of restricted, authorized, and prohibited.
  • In step 103, binding the IP address and/or the MAC address of the legal terminal to the BSSID of the virtual access point connected to the legal terminal is performed as follows: 1. It is determined from the terminal authorization status table whether there is an entry whose MAC address and BSSID match those of the legal terminal; if so, the authorization status of that entry is changed to authorized and the corresponding IP address is saved. 2. It is determined from the terminal authorization status table whether there is an entry whose MAC address matches that of the legal terminal but whose BSSID does not; if so, the authorization status of that entry is changed to prohibited.
  • In step 104, forwarding the data frame sent by the legal terminal according to the binding relationship and discarding the data frame sent by the fake terminal is performed as follows: 1. It is determined from the terminal authorization status table whether there is an entry whose MAC address and BSSID match those of the sending terminal; if so, it is determined whether the source IP address in the packet matches the IP address in the entry; 2. if the IP address matches, the authorization status in the entry is examined; 3. if the authorization status is authorized, the packet is forwarded, and if it is prohibited, the packet is discarded. If the authorization status is restricted, it is further determined whether the destination IP address in the packet is within the allowed address range: if so, the packet is forwarded, otherwise it is discarded.
  • After the legal terminal passes authentication, the AP binds its IP/MAC address to the VAP to which it is connected.
  • The BSSID included in frames sent by the legal terminal is the same as the BSSID of the bound VAP, so they are allowed to pass.
  • Frames sent by the fake terminal are discarded by the AP because the BSSID they contain is inconsistent with the BSSID of the bound VAP, which is what prevents counterfeit terminals.
  • When a terminal disconnects, the following processing is performed: 1. It is checked from the terminal authorization status table whether there is an entry whose MAC address and BSSID match the terminal, and if so, whether the authorization status of that entry is authorized; 2. if the authorization status is authorized, the disconnection is delayed for a predetermined time, and if it is not authorized, the connection is disconnected immediately; 3. after the predetermined time expires, it is checked whether the terminal is still online: if it is, the connection is kept, otherwise it is disconnected.
  • FIG. 2 is a schematic diagram of the processing by which an AP prevents a fake user, according to an embodiment of the present invention.
  • a wireless access module of an AP is configured to establish a connection with a wireless terminal, disconnect, and detect whether the terminal remains connected.
  • the packet forwarding module of the AP is configured to forward the packet received from the wireless network to the wired network, or conversely, forward the packet received from the wired network to the wireless network.
  • the Web Portal authentication module of the AP is used to implement the Web portal authentication process.
  • the anti-counterfeiting module maintains a terminal authorization status table.
  • The entry format in the table is: <IP address, MAC address, BSSID, authorization status>.
  • FIG. 3 is a signaling flowchart of the hook function calls according to an embodiment of the present invention, and includes the following processing:
  • Step 1: The terminal interacts with the AP, and the AP invokes the connection establishment hook function to implement the 802.11 connection process.
  • Step 2: The terminal interacts with the DHCP server to obtain an IP address dynamically. From this point on, when forwarding packets sent by the terminal and packets destined for the terminal, the AP invokes the WLAN-ETH forwarding hook function and the ETH-WLAN forwarding hook function respectively.
  • Step 3: The terminal interacts with the Web Portal server, and after Web Portal authentication is performed, the AP invokes the authentication end hook function.
  • Step 4: After the authentication succeeds, the terminal accesses the external network.
  • Step 5: The terminal interacts with the AP, and the AP invokes the connection disconnection hook function to implement the 802.11 disconnection process.
  • Step 401: Search the terminal authorization status table and check whether an entry with a matching MAC address and BSSID exists.
  • Step 403: If not, add an entry to the terminal authorization status table with the initial authorization status set to restricted; because the terminal has not obtained an IP address at this point, the initial IP address is set to 0.
  • FIG. 5 is a flowchart of calling the disconnection hook function according to an embodiment of the present invention. As shown in FIG. 5, it includes the following processing:
  • Step 501: Search the terminal authorization status table and check whether an entry with a matching MAC address and BSSID exists.
  • Step 502: If there is a matching entry, check whether its authorization status is authorized.
  • Step 503: If the authorization status of the matching entry is authorized, the disconnection is delayed and a timer is started; otherwise, the connection is disconnected immediately.
  • FIG. 6 is a flowchart of calling the authentication end hook function according to an embodiment of the present invention. As shown in FIG. 6, it includes the following processing:
  • Step 601: If the authentication does not pass, return directly.
  • Step 603: If there is a matching entry, change the authorization status of the entry to authorized, and save the IP address.
  • FIG. 7 is a flowchart of calling the forwarding hook function according to an embodiment of the present invention. As shown in FIG. 7, it includes the following processing:
  • Step 701: Search the terminal authorization status table and check whether there is an entry matching the MAC address and the BSSID.
  • Step 702: If so, compare the source IP address in the packet with the IP address in the entry. If the IP addresses are equal, or the IP address in the entry is all zeros, it is considered a match.
  • Step 703: If the IP address also matches, check the authorization status. If it is authorized, forwarding is allowed; if it is prohibited, the packet is discarded.
  • Step 704: If the status is restricted, it is also checked whether the destination IP address is within the allowed address range. If not, the packet is discarded; otherwise, forwarding is allowed.
  • Since the BSSID is included in the 802.11 frame but not in the Ethernet frame, in order to distinguish on the wired side which terminal a packet came from, different BSSIDs can be mapped to different VIDs, or MAC address translation and IP address translation can be applied when forwarding packets.
  • As a simplification, the technical solution of the embodiment of the present invention can establish only one VAP, keeping only the connection establishment and connection disconnection hook functions in the anti-counterfeiting module.
  • The disadvantage of this simplified scheme is that it treats the first connection as the legal terminal and the later connection as the fake terminal. In fact the opposite can occur, in which case the connection of the legal terminal is wrongly rejected, so the full technical solution above is recommended.
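The connection establishment, authentication end, forwarding and disconnection hooks of steps 102 to 104 and FIGs. 4 to 7 above, as an added Python model; this is not the patent's or the assignee's code. The VAP BSSIDs, the station addresses and the allowed-destination set are constructed, and where the steps leave a case unspecified (no matching entry, a source-IP mismatch, what happens to the entry after a real disconnect) the code's choice is marked as an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Status(Enum):
    RESTRICTED = "restricted"   # connected, not yet authenticated: portal/DNS only
    AUTHORIZED = "authorized"   # passed Web Portal authentication on this VAP
    PROHIBITED = "prohibited"   # same MAC authenticated on a different VAP


NO_IP = "0.0.0.0"  # entry IP stays 0 until the authentication-end hook saves it


@dataclass
class Entry:  # one row of the terminal authorization status table
    ip: str
    mac: str
    bssid: str
    status: Status


class AntiCounterfeitAP:
    def __init__(self, bssids, allowed_dst):
        self.bssids = list(bssids)                     # VAPs: same SSID and channel
        self.allowed_dst: Set[str] = set(allowed_dst)  # reachable while RESTRICTED
        self.table: Dict[Tuple[str, str], Entry] = {}  # (MAC, BSSID) -> entry
        self.connected: Dict[str, Set[str]] = {b: set() for b in self.bssids}
        self.grace: Set[Tuple[str, str]] = set()       # delayed disconnects, timer running

    def connect(self, mac: str, bssid: str) -> bool:
        # Connection-establishment hook (steps 401-403 and the MAC check of step 102)
        if mac in self.connected[bssid]:
            return False  # a station with this MAC is already on this VAP: refuse
        self.connected[bssid].add(mac)
        self.table.setdefault((mac, bssid), Entry(NO_IP, mac, bssid, Status.RESTRICTED))
        return True

    def associate(self, mac: str) -> Optional[str]:
        # Model a client retrying the VAPs of the same SSID until one admits it
        for bssid in self.bssids:
            if self.connect(mac, bssid):
                return bssid
        return None

    def auth_end(self, mac: str, bssid: str, ip: str, passed: bool) -> None:
        # Authentication-end hook (steps 601-603) plus the binding rule of step 103
        entry = self.table.get((mac, bssid))
        if not passed or entry is None:
            return
        entry.status, entry.ip = Status.AUTHORIZED, ip
        for (m, b), other in self.table.items():       # same MAC on another VAP
            if m == mac and b != bssid:
                other.status = Status.PROHIBITED

    def forward(self, src_mac: str, bssid: str, src_ip: str, dst_ip: str) -> bool:
        # WLAN-ETH forwarding hook (steps 701-704): True = forward, False = discard.
        # bssid is the BSSID in the 802.11 header, i.e. the VAP the station associated with.
        entry = self.table.get((src_mac, bssid))
        if entry is None or entry.ip not in (NO_IP, src_ip):
            return False  # assumption: no matching entry or source-IP mismatch -> discard
        if entry.status is Status.AUTHORIZED:
            return True
        if entry.status is Status.PROHIBITED:
            return False
        return dst_ip in self.allowed_dst              # RESTRICTED: portal/DNS only

    def disconnect(self, mac: str, bssid: str) -> str:
        # Disconnection hook (steps 501-503)
        entry = self.table.get((mac, bssid))
        if entry is not None and entry.status is Status.AUTHORIZED:
            self.grace.add((mac, bssid))   # delay: a fake may have sent the disconnect
            return "delayed"
        self._drop(mac, bssid)
        return "disconnected"

    def grace_expired(self, mac: str, bssid: str, still_online: bool) -> str:
        # Timer callback: keep the connection if the terminal is still online
        self.grace.discard((mac, bssid))
        if still_online:
            return "kept"
        self._drop(mac, bssid)
        return "disconnected"

    def _drop(self, mac: str, bssid: str) -> None:
        self.connected[bssid].discard(mac)
        self.table.pop((mac, bssid), None)  # assumption: binding removed on real disconnect


def demo() -> dict:
    # Constructed scenario: a legitimate station and a MAC/IP clone on the same AP
    ap = AntiCounterfeitAP(["02:00:00:00:00:01", "02:00:00:00:00:02"], {"10.0.0.53", "10.0.0.80"})
    mac, ip, ext = "aa:bb:cc:dd:ee:ff", "10.0.0.23", "198.51.100.7"
    legit = ap.associate(mac)                  # first VAP admits the legitimate station
    ap.auth_end(mac, legit, ip, passed=True)
    clone = ap.associate(mac)                  # refused on VAP 1, forced onto VAP 2
    return {
        "legit_vap": legit, "clone_vap": clone,
        "legit_external": ap.forward(mac, legit, ip, ext),
        "clone_external": ap.forward(mac, clone, ip, ext),   # discarded
        "clone_portal": ap.forward(mac, clone, ip, "10.0.0.80"),
        "spoofed_disconnect": ap.disconnect(mac, legit),
        "after_grace": ap.grace_expired(mac, legit, still_online=True),
    }
```

The demo reflects the patent's point that the binding is keyed on the BSSID the AP itself assigned, so a cloned MAC and IP on another VAP never match the authorized entry.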
  • FIG. 8 is a schematic structural diagram of an access point according to an embodiment of the present invention.
  • An access point according to an embodiment of the present invention includes: the first establishing module 80, the connection module 81, the authentication module 82, the second establishing module 83, and the processing module 84.
  • The connection module 81 in this embodiment is equivalent to the wireless access module in FIG. 2, and the authentication module 82 is equivalent to the Web Portal authentication module in FIG. 2.
  • Some functions of the processing module 84 are equivalent to the packet forwarding module in FIG. 2.
  • The first establishing module 80, the second establishing module 83, and the other functions of the processing module 84 are equivalent to the anti-counterfeiting module in FIG. 2.
  • The respective modules of the embodiment of the present invention are described in detail below.
  • The first establishing module 80 is configured to establish one or more virtual access points, where each virtual access point has a basic service set identifier (BSSID) corresponding to it.
  • The connection module 81 is configured to connect the terminal to a virtual access point according to the MAC address of the terminal.
  • The connection module 81 includes:
  • a first determining sub-module configured to determine, according to the MAC address of the terminal, whether a terminal with the same MAC address is already connected to the virtual access point when the terminal needs to connect to it;
  • a connecting sub-module configured to connect the terminal to the virtual access point when the first determining sub-module determines that no terminal with the same MAC address is connected to it.
  • When the first determining sub-module determines that a terminal with the same MAC address is already connected to the virtual access point, the terminal is refused connection to that virtual access point.
  • The access point further includes a state table establishing module, configured to establish a terminal authorization state table, where the terminal authorization state table includes: an IP address, a MAC address, a BSSID, and an authorization status; the authorization status is one of restricted, authorized, and prohibited.
  • The entry format in the terminal authorization status table is: <IP address, MAC address, BSSID, authorization status>.
  • The second establishing module 83 is specifically configured to: determine from the terminal authorization status table whether there is an entry whose MAC address and BSSID match those of the legal terminal, and if so, change the authorization status of that entry to authorized and save the corresponding IP address; and determine from the terminal authorization status table whether there is an entry whose MAC address matches that of the legal terminal but whose BSSID does not, and if so, change the authorization status of that entry to prohibited.
  • The processing module 84 is configured to forward the data frame sent by the legal terminal according to the binding relationship, and to discard the data frame sent by the fake terminal.
  • The processing module 84 is specifically configured to: determine from the terminal authorization status table whether there is an entry whose MAC address and BSSID match those of the sending terminal, and if so, determine whether the source IP address in the packet matches the IP address in the entry; if the IP address matches, examine the authorization status in the entry; when the authorization status is authorized, forward the packet; when it is prohibited, discard the packet; and when it is restricted, further determine whether the destination IP address in the packet is within the allowed address range, forwarding the packet if it is and discarding it otherwise.
  • After the legal terminal passes authentication, the processing module 84 binds its IP/MAC address to the VAP to which it is connected.
  • The technical solution of the embodiment of the present invention may further include a disconnection processing module, configured, when the terminal disconnects, to check from the terminal authorization status table whether an entry matching the MAC address and BSSID of the terminal exists; if it exists, to check whether its authorization status is authorized; if authorized, to delay the disconnection for a predetermined time, and otherwise to disconnect immediately; and, after the predetermined time expires, to check whether the terminal is still online, keeping the connection if it is and disconnecting otherwise.
  • The first establishing module 80, the second establishing module 83, and the processing module 84 are implemented as a series of hook functions, including: an authentication end hook function, a WLAN-ETH forwarding hook function, an ETH-WLAN forwarding hook function, a connection establishment hook function, and a connection disconnection hook function.
  • The above hook functions are called by other modules at the appropriate times.
  • The specific call timing and call processing flows can be understood by referring to FIG. 3 to FIG. 7 of the foregoing method embodiment, and are not described again here.
  • Since the BSSID is included in the 802.11 frame but not in the Ethernet frame, in order to distinguish on the wired side which terminal a packet came from, different BSSIDs can be mapped to different VIDs, or MAC address translation, IP address translation and the like can be applied when forwarding the packet.
  • By establishing VAPs and binding the IP+MAC of the legal terminal to a VAP, the embodiments solve the problem that the prior art cannot prevent counterfeit users when the packets transmitted over the air in a radio access network are not encrypted, achieving the purpose of preventing spoofing users in an 802.11 radio access network and protecting the interests of legitimate users and operators.

Abstract

Provided are a method for preventing impostors in a wireless access network, and an access point. The method comprises: establishing a virtual access point or multiple virtual access points, each of which has a corresponding Basic Service Set Identifier (BSSID); connecting a terminal to a virtual access point according to the Media Access Control (MAC) address of the terminal and authenticating the terminal; for the legal terminal passing the authentication, binding the Internet Protocol (IP) address and/or MAC address of the legal terminal with the BSSID of the virtual access point connected with the legal terminal and determining binding relationship between the legal terminal and the virtual access point; according to the binding relationship, forwarding data frames transmitted from the legal terminal and discarding data frames transmitted from the terminal of an impostor. The present invention can realize the aim of preventing impostors in an 802.11 wireless access network with the application of technical solutions of the present invention.

Description

无线接入网中防止假冒用户的方法及接入点 技术领域  Method and access point for preventing spoofing users in wireless access network
本发明涉及移动通讯领域, 特别是涉及一种无线接入网中防止假冒用 户的方法及接入点。 背景技术  The present invention relates to the field of mobile communications, and in particular to a method and an access point for preventing a counterfeit user in a radio access network. Background technique
目前, 在网络运营商搭建的 802.11无线接入网中, 常用的一种认证方 式是网络(Web )认证。 这种方式要求接入点 (AP, Access Point )公告成 开放系统, 在用户终端上不需要输入密码就可以连接上 AP, 并可动态获取 到 IP地址。 但是, 此时用户终端访问网络是受限的, 只能访问限定的几个 地址, 例如, 域名系统(DNS , Domain Name System )服务器、 门户网站 ( Web Portal )服务器等。 当用户打开浏览器, 访问任何页面时, 会被重向 到 Web Portal服务器, Web Portal服务器会向用户推送一个 Web登录页面, 提示用户输入用户名和密码。 如果用户预先在营业厅开通过相应业务, 可 直接输入开通业务时申请到的用户名和密码。 如果没有, 可以输入自己的 手机号码, 通过手机接收到一个临时的用户名和密码。 当用户通过认证后, 就可正常使用各种业务了。  Currently, one of the commonly used authentication methods in the 802.11 radio access network established by network operators is network (Web) authentication. In this way, the access point (AP, Access Point) is required to be advertised as an open system. The user terminal can be connected to the AP without entering a password, and the IP address can be dynamically obtained. However, at this time, the user terminal accesses the network is limited, and can only access a limited number of addresses, for example, a Domain Name System (DNS) server, a Web Portal server, and the like. When the user opens the browser and accesses any page, it will be redirected to the Web Portal server. The Web Portal server will push a web login page to the user, prompting the user to enter the username and password. If the user pre-opens the corresponding business in the business hall, you can directly enter the user name and password that you applied for when you opened the service. If not, you can enter your mobile number and receive a temporary username and password on your phone. When the user is authenticated, various services can be used normally.
釆用 web认证方式的优点是, 在用户终端上不需要下载安装定制的客 户端软件, 即使用浏览器就可以完成登录过程。 缺点是, 用户终端与 AP间 交互的空中报文通常是不加密的, 存在安全隐患, 其中比较严重的一种就 是假冒用户。假冒用户使用空中抓包工具,抓取其他用户终端与 AP交互的 空中 文, 得到已通过认证的合法终端的 MAC地址、 IP地址等信息。 然 后将自己的无线网卡的 MAC地址、 IP地址修改成合法终端的。 这样, 假 不出来, 假冒终端就可以不经过认证, 就使用合法终端才能使用的业务了。 假冒用户产生的费用会被算到合法用户的账户中, 损害合法用户的利益, 也会损害运营商的利益。 The advantage of using the web authentication method is that the user terminal does not need to download and install the customized client software, that is, the login process can be completed using the browser. The disadvantage is that the air packets exchanged between the user terminal and the AP are usually not encrypted, and there is a security risk. One of the more serious ones is a fake user. The fake user uses the air packet capture tool to capture the empty Chinese interaction between other user terminals and the AP, and obtains the MAC address and IP address of the authenticated legal terminal. Then modify the MAC address and IP address of your wireless network card to a legitimate terminal. In this way, fake If it does not come out, the counterfeit terminal can use the service that the legitimate terminal can use without authentication. The expenses incurred by the counterfeit user will be counted in the account of the legitimate user, which will harm the interests of the legitimate user and will also harm the interests of the operator.
In the related art, other commonly used authentication methods in wireless access networks are pre-shared key and 802.1x authentication. Most wireless access networks using these two methods encrypt the frames transmitted over the air; if they do not, the same impersonation problem exists.
Currently, in wired access networks, impersonation is usually prevented by binding the Internet Protocol (IP) address plus the Medium Access Control (MAC) address to a physical port. That is, once a user has passed authentication, the switch binds the terminal's IP address plus MAC address (or only the IP or only the MAC address) to the physical port the terminal is connected to; any frame carrying the same IP or MAC address that arrives on a different physical port is treated as illegitimate and discarded. This method has a precondition, however: the legitimate terminal and the impostor terminal must be connected to different physical ports. Even when the source MAC and IP addresses of two frames are identical, the ingress physical port reveals which terminal sent each frame.
In a wireless access network, an AP differs from a switch in a wired access network. The radio channel an AP operates on can be regarded as a physical port, and an AP generally operates on only one or two channels at any time (some APs support 802.11a/b/g and can operate on a 2.4 GHz and a 5 GHz channel simultaneously), so an AP has only one or two physical ports. The legitimate terminal and the impostor terminal both connect to the AP through the same physical port, so binding IP+MAC to a physical port does not work in a wireless access network. A method of preventing impersonation that is applicable to wireless access networks is therefore urgently needed.
Summary of the Invention
The present invention provides a method and an access point for preventing impostor users in a wireless access network, able to block impersonation attacks even when the frames transmitted over the air in the wireless access network are unencrypted.
The present invention provides a method for preventing impostor users in a wireless access network, comprising: establishing one or more virtual access points, each virtual access point having a corresponding Basic Service Set Identifier (BSSID);
connecting a terminal to one virtual access point according to the terminal's MAC address, and authenticating the terminal;
for a legitimate terminal that has passed authentication, binding the legitimate terminal's IP address and/or MAC address to the BSSID of the virtual access point it is connected to, thereby establishing a binding relationship between the legitimate terminal and the virtual access point;
forwarding data frames sent by the legitimate terminal according to the binding relationship, and discarding data frames sent by an impostor terminal.
The present invention also provides an access point, comprising:
a first establishing module, configured to establish one or more virtual access points, each virtual access point having a corresponding Basic Service Set Identifier (BSSID);
a connection module, configured to connect a terminal to one virtual access point according to the terminal's MAC address; an authentication module, configured to authenticate the terminal;
a second establishing module, configured, for a legitimate terminal that has passed authentication, to bind the legitimate terminal's IP address and/or MAC address to the BSSID of the virtual access point it is connected to, thereby establishing the binding relationship between the legitimate terminal and the virtual access point;
a processing module, configured to forward data frames sent by the legitimate terminal according to the binding relationship and to discard data frames sent by an impostor terminal.
The beneficial effects of the present invention are as follows:
By establishing VAPs and binding the IP+MAC of a legitimate terminal to a VAP, the invention solves the problem that the prior art cannot prevent impostor users when frames transmitted over the air in a wireless access network are unencrypted; it achieves impersonation prevention in 802.11 wireless access networks and protects the interests of legitimate users and operators.
Brief Description of the Drawings
FIG. 1 is a flowchart of a method for preventing impostor users in a wireless access network according to an embodiment of the present invention; FIG. 2 is a schematic diagram of the AP's impostor-prevention processing according to an embodiment of the present invention;
FIG. 3 is a signalling flowchart of the hook function invocations according to an embodiment of the present invention;
FIG. 4 is a flowchart of the connection-establishment hook function according to an embodiment of the present invention;
FIG. 5 is a flowchart of the connection-teardown hook function according to an embodiment of the present invention;
FIG. 6 is a flowchart of the authentication-end hook function according to an embodiment of the present invention;
FIG. 7 is a flowchart of the forwarding hook function according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an access point according to an embodiment of the present invention.
Detailed Description of the Embodiments
As noted above, wired access networks commonly prevent impersonation by binding IP+MAC to a physical port, but this method does not apply in wireless access networks. To solve the problem that the prior art cannot prevent impostor users when over-the-air frames in a wireless access network are unencrypted, the present invention provides a method and an access point for preventing impostor users in a wireless access network: tailored to the characteristics of 802.11 wireless access networks, it binds IP+MAC to a virtual access point (VAP) and thereby prevents impersonation in 802.11 wireless access networks. The present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.
Method Embodiment
According to an embodiment of the present invention, a method for preventing impostor users in a wireless access network is provided. FIG. 1 is a flowchart of this method; as shown in FIG. 1, the method comprises the following processing:
Step 101: establish one or more virtual access points, each having a corresponding Basic Service Set Identifier (BSSID). That is, multiple VAPs are established on the AP; they operate on the same channel and share the same Service Set Identifier (SSID) but have different BSSIDs. Each VAP transmits beacon frames carrying its own BSSID, so a terminal receiving the beacons can tell from the BSSID that they come from different VAPs and regards them as sent by multiple APs.
Step 102: connect the terminal to one virtual access point according to its MAC address, and authenticate the terminal.
In step 102, connecting the terminal to a virtual access point involves the following processing: 1. when a terminal requests to connect to a virtual access point, determine from its MAC address whether a terminal with the same MAC address is already connected to that virtual access point; 2. if no terminal with the same MAC address is connected, allow the terminal to connect; 3. if a terminal with the same MAC address is already connected to that virtual access point, refuse the connection, forcing the terminal to connect to another virtual access point.
In a wireless network, connections drop easily, and the terminal that connected first is not necessarily the legitimate one. Therefore, when a terminal wants to connect to a VAP, the AP must check whether a terminal with the same MAC address is already connected to that VAP; if so, it refuses the connection, and the terminal then automatically tries other VAPs with the same SSID. This forces the impostor terminal and the legitimate terminal onto different VAPs.
Step 103: for a legitimate terminal that has passed authentication, bind its IP address and/or MAC address to the BSSID of the virtual access point it is connected to, establishing the binding relationship between the legitimate terminal and the virtual access point.
Note that the header of an 802.11 data frame sent by a terminal carries the BSSID. Because the legitimate terminal and the impostor terminal are connected to different VAPs, the BSSIDs in the frames they send differ, and the AP can use the BSSID to tell which terminal sent a frame.
Preferably, in practice a terminal authorization status table may also be established, whose entries contain an IP address, a MAC address, a BSSID and an authorization status, the authorization status being one of restricted, authorized and forbidden.
In step 103, binding the legitimate terminal's IP address and/or MAC address to the BSSID of the virtual access point it is connected to comprises: 1. search the terminal authorization status table for an entry matching both the legitimate terminal's MAC address and its BSSID; if one exists, change its authorization status to authorized and save the corresponding IP address; 2. search the table for an entry whose MAC address matches the legitimate terminal's but whose BSSID does not; if one exists, change its authorization status to forbidden.
Step 104: forward data frames sent by the legitimate terminal according to the binding relationship, and discard data frames sent by the impostor terminal.
In step 104, forwarding the legitimate terminal's data frames and discarding the impostor terminal's data frames according to the binding relationship comprises: 1. search the terminal authorization status table for an entry matching both the MAC address and the BSSID; if one exists, check whether the source IP address of the frame matches the IP address in the entry; 2. if the IP address matches, check the entry's authorization status; 3. if the status is authorized, forward the frame; if forbidden, discard it; if restricted, further check whether the destination IP address is within the permitted address range, forwarding the frame if it is and discarding it otherwise.
In other words, once a legitimate terminal passes Web authentication, the AP binds its IP/MAC address to the VAP it is connected to. Frames from the legitimate terminal carry a BSSID equal to that of the bound VAP and are allowed through, whereas frames from an impostor terminal carry a BSSID that differs from the bound VAP's and are discarded by the AP, which prevents impersonation.
In addition, when a terminal disconnects, the following processing is performed: 1. search the terminal authorization status table for an entry matching the terminal's MAC address and BSSID; if one exists, check whether its authorization status is authorized; 2. if the status is authorized, defer the disconnection and set a predetermined time; if not, disconnect immediately; 3. when the predetermined time expires, check whether the terminal is still online; if so, keep the connection, otherwise disconnect.
The above technical solution of the embodiment is described in detail below with reference to the drawings. FIG. 2 is a schematic diagram of the AP's impostor-prevention processing. As shown in FIG. 2, the AP's wireless access module establishes and tears down connections with wireless terminals and detects whether a terminal is still connected; the AP's packet forwarding module forwards packets received from the wireless network to the wired network and, conversely, packets received from the wired network to the wireless network; and the AP's Web Portal authentication module implements the Web portal authentication flow.
The AP's anti-impersonation module distinguishes, identifies and blocks impostor terminals. It is the module added to the AP by the technical solution of this embodiment and is mainly used to: 1. on receiving a connection request, check whether a terminal with the same MAC is already connected to the same VAP and refuse the connection if so; 2. on receiving a disconnection request, check whether the terminal is still online, in case the request came from an impostor terminal; 3. after Web portal authentication succeeds, establish the binding between IP address, MAC address and VAP; 4. when forwarding a packet, decide from the IP+MAC-to-VAP binding whether forwarding is allowed.
The anti-impersonation module also maintains a terminal authorization status table whose entries have the format <IP address, MAC address, BSSID, authorization status>. The authorization status takes one of three values: restricted, meaning the terminal may only reach the DHCP server, DNS server, Web portal server and the like; authorized, meaning the terminal may access the external network normally; and forbidden, meaning the terminal's packets are not forwarded.
Note that in practice the above functions of the anti-impersonation module are realised as a set of hook functions: the authentication-end hook, the WLAN-ETH forwarding hook, the ETH-WLAN forwarding hook, the connection-establishment hook and the connection-teardown hook, which the other modules call at the appropriate time. FIG. 3 is a signalling flowchart of the hook invocations; as shown in FIG. 3, it comprises the following processing:
Step 1: the terminal and the AP interact to complete the 802.11 connection process, during which the AP calls the connection-establishment hook;
Step 2: the terminal interacts with the DHCP server to obtain an IP address dynamically. From this point on, the AP calls the WLAN-ETH forwarding hook for frames sent by the terminal and the ETH-WLAN forwarding hook for packets destined to it;
Step 3: the terminal interacts with the Web portal server to perform Web portal authentication, after which the AP calls the authentication-end hook;
Step 4: once authentication succeeds, the terminal accesses the external network;
Step 5: the terminal and the AP interact to complete the 802.11 disconnection process, during which the AP calls the connection-teardown hook.
According to the 802.11 protocol, establishing a wireless connection involves three steps: probing, authentication and association. On receiving an Authentication frame, the wireless access module calls the anti-impersonation module's connection-establishment hook, passing the terminal's MAC address and the BSSID of the VAP it is connecting to. FIG. 4 is a flowchart of the connection-establishment hook; as shown in FIG. 4, it comprises the following processing:
Step 401: search the terminal authorization status table for an entry whose MAC address and BSSID both match;
Step 402: if one exists, send the terminal an Authentication frame with status code 37, rejecting its authentication request;
Step 403: if none exists, add an entry to the table with the initial authorization status set to restricted and, since the terminal has not yet obtained an IP address, the initial IP address set to 0.
As shown in FIG. 3, when a terminal disconnects it sends a Disassociation or Deauthentication frame. The wireless access module then calls the anti-impersonation module's connection-teardown hook, passing the terminal's MAC address and the BSSID of the VAP it is connected to. FIG. 5 is a flowchart of the connection-teardown hook; as shown in FIG. 5, it comprises the following processing:
Step 501: search the terminal authorization status table for an entry whose MAC address and BSSID match.
Step 502: if a matching entry exists, check whether its authorization status is authorized.
Step 503: if the matching entry's authorization status is authorized, defer the disconnection and start a timer; otherwise disconnect immediately.
Step 504: when the timer expires, check whether the terminal is still online; if so, keep the connection, otherwise disconnect.
Note that an impostor terminal will sometimes send a Deauthentication frame after receiving the Authentication frame that rejects its request. If the AP treated it as a Deauthentication frame from the normal terminal and disconnected immediately, the normal terminal would be affected. The disconnection must therefore be deferred and the AP must check whether the terminal has really gone.
When Web portal authentication finishes, if it passed, the authentication-end hook is called with the terminal's IP address, MAC address, BSSID and so on as parameters. FIG. 6 is a flowchart of the authentication-end hook; as shown in FIG. 6, it comprises the following processing:
Step 601: if authentication did not pass, return immediately;
Step 602: search the terminal authorization status table for an entry whose MAC address and BSSID both match;
Step 603: if a matching entry exists, change its authorization status to authorized and save the IP address;
Step 604: search the terminal authorization status table for an entry whose MAC address matches but whose BSSID does not;
Step 605: if such an entry exists, it is regarded as an impostor terminal and its authorization status is changed to forbidden.
Once a terminal is connected, the anti-impersonation module's forwarding hook is called whenever a packet is forwarded, with the packet's IP address, MAC address and the VAP used to send or receive it as parameters. FIG. 7 is a flowchart of the forwarding hook; as shown in FIG. 7, it comprises the following processing:
Step 701: search the terminal authorization status table for an entry whose MAC address and BSSID both match;
Step 702: if one exists, compare the packet's source IP address with the IP address in the entry; they are considered to match if they are equal or if the IP address in the entry is all zeros;
Step 703: if the IP address also matches, check the authorization status; if authorized, allow forwarding; if forbidden, discard the packet;
Step 704: if the status is restricted, also check whether the destination IP address is within the permitted address range; if not, discard the packet, otherwise allow forwarding.
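The terminal authorization status table of steps 101 to 104 and the four hooks of FIG. 4 to FIG. 7, written out as an added Python illustration that is not code from the patent or from ZTE. The restricted destination list, the behaviour when no entry matches or the bound IP differs (drop), removal of the entry once a disconnect really happens, and the `timer_hook` interface are assumptions made here.

```python
"""Terminal authorization status table plus the four anti-impersonation hooks.

Added illustration, not the patent's code. Assumptions: the restricted
destination list, dropping when no entry matches or the bound IP differs,
removing the entry on a real disconnect, and the timer_hook interface.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class AuthState(Enum):
    RESTRICTED = "restricted"   # only DHCP / DNS / Web portal reachable
    AUTHORIZED = "authorized"   # normal access to the external network
    FORBIDDEN = "forbidden"     # the terminal's frames are not forwarded


@dataclass
class Entry:
    ip: str          # all zeros until the terminal obtains a DHCP lease
    mac: str
    bssid: str
    state: AuthState


UNSET_IP = "0.0.0.0"
AUTH_STATUS_SUCCESS = 0
AUTH_STATUS_REJECTED = 37   # status code of the rejecting Authentication frame (step 402)


class AntiSpoofModule:
    def __init__(self, restricted_destinations, disconnect_delay=30):
        self.table = []                      # <ip, mac, bssid, state> entries
        self.restricted = [ip_network(n) for n in restricted_destinations]
        self.delay = disconnect_delay        # assumed length of the deferred-disconnect timer
        self.pending = {}                    # (mac, bssid) -> time at which the timer fires

    def _find(self, mac, bssid):
        return next((e for e in self.table if e.mac == mac and e.bssid == bssid), None)

    def _remove(self, mac, bssid):
        self.table = [e for e in self.table if not (e.mac == mac and e.bssid == bssid)]

    def connect_hook(self, mac, bssid):
        """FIG. 4: called on an Authentication frame; returns the 802.11 status code."""
        if self._find(mac, bssid) is not None:       # step 401: same MAC already on this VAP
            return AUTH_STATUS_REJECTED               # step 402: newcomer must try another VAP
        self.table.append(Entry(UNSET_IP, mac, bssid, AuthState.RESTRICTED))  # step 403
        return AUTH_STATUS_SUCCESS

    def auth_end_hook(self, passed, ip, mac, bssid):
        """FIG. 6: called when Web portal authentication ends."""
        if not passed:                                # step 601
            return
        entry = self._find(mac, bssid)
        if entry is not None:                         # steps 602-603: bind IP+MAC to this BSSID
            entry.state = AuthState.AUTHORIZED
            entry.ip = ip
        for other in self.table:                      # steps 604-605: same MAC on another VAP
            if other.mac == mac and other.bssid != bssid:
                other.state = AuthState.FORBIDDEN

    def forward_hook(self, src_ip, mac, bssid, dst_ip):
        """FIG. 7 (WLAN-ETH direction): True to forward the frame, False to drop it."""
        entry = self._find(mac, bssid)                # step 701
        if entry is None:
            return False                              # assumption: unknown station -> drop
        if entry.ip != UNSET_IP and entry.ip != src_ip:   # step 702
            return False                              # assumption: bound IP differs -> drop
        if entry.state is AuthState.AUTHORIZED:       # step 703
            return True
        if entry.state is AuthState.FORBIDDEN:
            return False
        return any(ip_address(dst_ip) in net for net in self.restricted)   # step 704

    def disconnect_hook(self, mac, bssid, now):
        """FIG. 5: called on Disassociation/Deauthentication; returns what the AP did."""
        entry = self._find(mac, bssid)                # steps 501-502
        if entry is not None and entry.state is AuthState.AUTHORIZED:
            self.pending[(mac, bssid)] = now + self.delay   # step 503: defer, start timer
            return "deferred"
        self._remove(mac, bssid)                      # assumption: drop the entry on a real disconnect
        return "disconnected"

    def timer_hook(self, mac, bssid, still_online):
        """Step 504: timer expiry; still_online is reported by the wireless access module."""
        self.pending.pop((mac, bssid), None)
        if still_online:
            return "kept"                             # the Deauthentication was not the station's
        self._remove(mac, bssid)
        return "disconnected"
```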
Because the BSSID is present only in 802.11 frames and not in Ethernet frames, to distinguish on the wired side which terminal a packet came from, the AP may, when forwarding, map different BSSIDs to different VLAN IDs (VIDs), or apply MAC address translation, IP address translation or similar methods.
Note that the technical solution of this embodiment could establish only one VAP and keep only the connection-establishment and connection-teardown hooks in the anti-impersonation module. The drawback of this simplified scheme is that it treats whichever terminal connected first as legitimate and the later one as the impostor, whereas the reverse may in fact occur; when it does, the legitimate terminal's connection is wrongly refused, so this simplified scheme is not recommended.
Apparatus Embodiment
According to an embodiment of the present invention, an access point is provided. FIG. 8 is a schematic structural diagram of this access point; as shown in FIG. 8, it comprises a first establishing module 80, a connection module 81, an authentication module 82, a second establishing module 83 and a processing module 84. Note that the connection module 81 of this embodiment corresponds to the wireless access module of FIG. 2, the authentication module 82 to the Web Portal authentication module of FIG. 2, some functions of the processing module 84 to the packet forwarding module of FIG. 2, and the first establishing module 80, the second establishing module 83 and the remaining functions of the processing module 84 to the anti-impersonation module of FIG. 2. Each module of the embodiment is described in detail below.
The first establishing module 80 is configured to establish one or more virtual access points, each virtual access point having a corresponding Basic Service Set Identifier (BSSID);
that is, the first establishing module 80 establishes multiple VAPs on the AP; they operate on the same channel and share the same Service Set Identifier (SSID) but have different BSSIDs. Each VAP transmits beacon frames carrying its own BSSID, so a terminal receiving the beacons can tell from the BSSID that they come from different VAPs and regards them as sent by multiple APs.
The connection module 81 is configured to connect the terminal to one virtual access point according to the terminal's MAC address;
specifically, the connection module 81 comprises:
a first judging sub-module, configured, when the terminal requests to connect to a virtual access point, to determine from the terminal's MAC address whether a terminal with the same MAC address is already connected to that virtual access point; and an access sub-module, configured to connect the terminal to the virtual access point when the first judging sub-module determines that no terminal with the same MAC address is connected to it, and to refuse to connect the terminal to that virtual access point when the first judging sub-module determines that a terminal with the same MAC address already exists on it.
In a wireless network, connections drop easily, and the terminal that connected first is not necessarily the legitimate one. Therefore, when a terminal wants to connect to a VAP, the AP must check whether a terminal with the same MAC address is already connected to that VAP; if so, it refuses the connection, and the terminal then automatically tries other VAPs with the same SSID. This forces the impostor terminal and the legitimate terminal onto different VAPs.
The authentication module 82 is configured to authenticate the terminal; the second establishing module 83 is configured, for a legitimate terminal that has passed authentication, to bind the legitimate terminal's IP address and/or MAC address to the BSSID of the virtual access point it is connected to, establishing the binding relationship between the legitimate terminal and the virtual access point;
note that the header of an 802.11 data frame sent by a terminal carries the BSSID. Because the legitimate terminal and the impostor terminal are connected to different VAPs, the BSSIDs in the frames they send differ, and the AP can use the BSSID to tell which terminal sent a frame.
Preferably, in practice the access point of this embodiment further comprises a status table establishing module, configured to establish a terminal authorization status table whose entries contain an IP address, a MAC address, a BSSID and an authorization status, the authorization status being one of restricted, authorized and forbidden;
具体地,终端授权状态表中条目格式为: <IP地址、 MAC地址, BSSID, 授权状态>。 其中, 授权状态的值有三种: 受限、 已授权和禁止。 受限, 是 指只允许终端访问 DHCP服务器、 DNS服务器、 Web portal服务器等; 已 授权, 是指允许终端正常访问外部网络; 禁止, 是指禁止转发此终端的报 文。  Specifically, the entry format in the terminal authorization status table is: <IP address, MAC address, BSSID, authorization status>. There are three values for the authorization status: restricted, authorized, and forbidden. Restricted, it means that only the terminal is allowed to access the DHCP server, the DNS server, the Web portal server, etc.; the authorization is to allow the terminal to access the external network normally;
第二建立模块 83具体用于: 根据所述所述终端授权状态表, 判断是否 有与所述合法终端的 MAC地址和 BSSID都匹配的条目, 如果有, 则将该 条目的授权状态修改为已授权, 并保存相应的 IP地址; 根据所述终端授权 状态表, 判断是否有与所述合法终端的 MAC地址匹配, 与所述合法终端的 BSSID不匹配的条目, 如果有, 则将该条目的授权状态修改为禁止;  The second establishing module 83 is specifically configured to: determine, according to the terminal authorization status table, whether there is an entry that matches the MAC address and the BSSID of the legal terminal, and if yes, modify the authorization status of the entry to Authorizing, and saving the corresponding IP address; determining, according to the terminal authorization status table, whether there is an entry that does not match the MAC address of the legal terminal, and does not match the BSSID of the legal terminal, if yes, the entry The authorization status is modified to be prohibited;
处理模块 84用于根据所述邦定关系转发所述合法终端发送的数据帧, 丟弃假冒终端发送的数据帧。  The processing module 84 is configured to forward the data frame sent by the legal terminal according to the bonding relationship, and discard the data frame sent by the fake terminal.
处理模块 84具体用于: 根据所述终端授权状态表, 判断是否有与所述 合法终端的 MAC地址与 BSSID都匹配的条目, 如果有, 则判断所述合法 终端的 ^艮文中的源 IP地址与该条目中的 IP地址是否匹配; 如果 IP地址匹 配, 则判断该条目中的授权状态; 在判断所述授权状态为已授权时, 则转 发所述报文, 在判断所述授权状态为禁止时, 则丟弃所述报文, 在判断所 述授权状态为限制时, 进一步判断所述报文中的目的 IP是否在允许的地址 范围内, 如果在允许的地址范围内, 则转发所述报文, 如果不在允许的地 址范围内, 则丟弃所述报文。 The processing module 84 is specifically configured to: determine, according to the terminal authorization status table, whether there is an entry that matches the MAC address and the BSSID of the legal terminal, and if yes, determine a source IP address in the legal terminal Whether the IP address in the entry matches; if the IP address matches, the authorization status in the entry is determined; when it is determined that the authorization status is authorized, then Sending the packet, when it is determined that the authorization status is forbidden, discarding the packet, and when determining that the authorization status is a restriction, further determining whether the destination IP in the packet is in an allowed address range If the packet is within the allowed address range, the packet is forwarded, and if it is not within the allowed address range, the packet is discarded.
也就是说, 当合法终端通过 Web认证后, 处理模块 84将其 IP/MAC地 址与其连接的 VAP绑定在一起。 这样, 合法终端发出的帧中包含的 BSSID 与绑定的 VAP的 BSSID相同, 被允许通过; 而假冒终端发送的帧, 由于其 包含的 BSSID与绑定的 VAP的 BSSID不一致,会被 AP丟弃,从而起到了 防止假冒终端的作用。  That is, after the legitimate terminal passes the web authentication, the processing module 84 binds its IP/MAC address to its connected VAP. In this way, the BSSID included in the frame sent by the legal terminal is the same as the BSSID of the bound VAP, and is allowed to pass. The frame sent by the fake terminal is discarded by the AP because the BSSID it contains is inconsistent with the BSSID of the bound VAP. , thus playing a role in preventing counterfeit terminals.
此外, 本发明实施例的技术方案还可以包括: 断开连接处理模块, 用 于在所述终端断开连接时, 根据所述终端授权状态表, 检查是否有与所述 终端匹配的 MAC地址和 BSSID的条目存在, 如果存在所述条目, 则检查 所述条目的授权状态是否为已授权; 如果所述条目的授权状态为已授权, 则延迟断开连接, 并设置一个预定时间, 如果所述条目的授权状态不是已 授权, 则立即断开连接; 在所述预定时间到时后, 检查所述终端是否仍然 在线, 如果在线, 则保持连接, 否则, 断开连接。  In addition, the technical solution of the embodiment of the present invention may further include: a disconnection processing module, configured to check, according to the terminal authorization status table, whether there is a MAC address matching the terminal and when the terminal disconnects An entry of the BSSID exists, if the entry exists, checking whether the authorization status of the entry is authorized; if the authorization status of the entry is authorized, delaying the disconnection, and setting a predetermined time, if If the authorization status of the entry is not authorized, the connection is immediately disconnected; after the predetermined time expires, it is checked whether the terminal is still online, if online, the connection is maintained, otherwise, the connection is disconnected.
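The connection, binding, forwarding and disconnection modules described above, modelled in Python as an added example (this is not code from the patent). Beyond what the text states, it assumes that a table entry is created in the restricted state as soon as a terminal is admitted to a VAP, that a frame whose (MAC, BSSID) pair has no entry is dropped, and that the allowed address range for restricted terminals is configured as a list of CIDR prefixes.

```python
"""Model of the terminal authorization state table: <IP, MAC, BSSID, state>.

Assumptions not stated in the text: an entry is created in the restricted
state at association time; a frame with no matching (MAC, BSSID) entry is
dropped; the restricted "allowed address range" is a list of CIDR prefixes.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional


class AuthState(Enum):
    RESTRICTED = "restricted"   # only DHCP / DNS / web portal reachable
    AUTHORIZED = "authorized"   # normal access to the external network
    FORBIDDEN = "forbidden"     # nothing from this entry is forwarded


@dataclass
class Entry:
    """One row of the table; the IP is saved only once the terminal authenticates."""
    ip: Optional[str]
    mac: str
    bssid: str
    state: AuthState


@dataclass
class Frame:
    """Fields of an uplink 802.11 data frame the AP needs for the decision."""
    src_mac: str
    bssid: str                  # BSSID of the VAP the frame arrived on
    src_ip: str
    dst_ip: str


class AccessPoint:
    def __init__(self, bssids: List[str], restricted_allowed: List[str]):
        self.bssids = list(bssids)                 # one BSSID per VAP, same SSID
        self.allowed = [ip_network(p) for p in restricted_allowed]
        self.table: List[Entry] = []

    def _find(self, mac: str, bssid: str) -> Optional[Entry]:
        return next((e for e in self.table if e.mac == mac and e.bssid == bssid), None)

    # Connection module: a VAP that already has this MAC refuses the station,
    # so a second station with the same MAC ends up on a different VAP.
    def connect(self, mac: str) -> Optional[str]:
        for bssid in self.bssids:
            if self._find(mac, bssid) is None:
                self.table.append(Entry(None, mac, bssid, AuthState.RESTRICTED))
                return bssid
        return None                                # every VAP already has this MAC

    # Second establishing module: after web authentication, bind IP+MAC to the
    # BSSID the terminal authenticated through; the same MAC on any other VAP
    # is now known to be the impostor and is marked forbidden.
    def authenticate(self, mac: str, bssid: str, ip: str) -> bool:
        bound = False
        for e in self.table:
            if e.mac != mac:
                continue
            if e.bssid == bssid:
                e.state, e.ip, bound = AuthState.AUTHORIZED, ip, True
            else:
                e.state = AuthState.FORBIDDEN
        return bound

    # Processing module: per-frame forward/drop decision.
    def handle_frame(self, f: Frame) -> str:
        e = self._find(f.src_mac, f.bssid)
        if e is None:
            return "drop"
        if e.ip is not None and e.ip != f.src_ip:  # bound IP must match the source IP
            return "drop"
        if e.state is AuthState.AUTHORIZED:
            return "forward"
        if e.state is AuthState.FORBIDDEN:
            return "drop"
        dst = ip_address(f.dst_ip)                 # restricted: portal/DHCP/DNS only
        return "forward" if any(dst in net for net in self.allowed) else "drop"

    # Disconnection processing module: an authorized entry gets a grace period,
    # so a brief radio drop does not free the binding for the impostor.
    def on_disconnect(self, mac: str, bssid: str) -> str:
        e = self._find(mac, bssid)
        if e is not None and e.state is AuthState.AUTHORIZED:
            return "delayed"                       # caller arms the timer
        self.table = [x for x in self.table if x is not e]
        return "disconnected"

    def on_timer_expired(self, mac: str, bssid: str, still_online: bool) -> str:
        if still_online:
            return "kept"
        e = self._find(mac, bssid)
        self.table = [x for x in self.table if x is not e]
        return "disconnected"


if __name__ == "__main__":
    # Constructed sample: two VAPs, portal/DHCP/DNS servers in 10.0.0.0/29.
    ap = AccessPoint(["02:00:00:00:00:01", "02:00:00:00:00:02"], ["10.0.0.0/29"])
    legit = ap.connect("aa:bb:cc:dd:ee:ff")        # first station
    fake = ap.connect("aa:bb:cc:dd:ee:ff")         # same MAC, pushed to the other VAP
    ap.authenticate("aa:bb:cc:dd:ee:ff", legit, "10.0.1.20")
    print(ap.handle_frame(Frame("aa:bb:cc:dd:ee:ff", legit, "10.0.1.20", "8.8.8.8")))
    print(ap.handle_frame(Frame("aa:bb:cc:dd:ee:ff", fake, "10.0.1.20", "8.8.8.8")))
```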
It should be noted that, in practical applications, some further functions of the first establishing module 80, the second establishing module 83 and the processing module 84 are implemented as a series of hook functions, including: an authentication-finished hook, a WLAN-ETH forwarding hook, an ETH-WLAN forwarding hook, a connection-establishment hook, and a connection-teardown hook. These hooks are called by the other modules at the appropriate times. The specific timing of the calls and the call processing flow can be understood with reference to Figures 3 to 7 of the method embodiment above and are not described again here.
It should also be noted that the BSSID is only contained in 802.11 frames, not in Ethernet frames. To be able to distinguish on the wired side which terminal a packet came from, methods such as mapping the different BSSIDs to different VLAN IDs (VIDs), MAC address translation, or IP address translation can be applied when forwarding packets.
The technical solution of the embodiment of the present invention could also establish only one VAP, with the anti-impostor module retaining only the connection-establishment and connection-teardown hooks. The drawback of this simplified scheme is that it treats whichever terminal connected first as the legitimate one and the later one as the impostor, whereas in practice the opposite may occur; if it does, the legitimate terminal's connection is wrongly rejected, so this simplified scheme is not recommended.
By establishing VAPs and binding the legitimate terminal's IP+MAC to a VAP, the embodiment of the present invention solves the problem that the prior art cannot prevent impostor users in a wireless access network when the packets transmitted over the air are unencrypted. It achieves prevention of impostor users in 802.11 wireless access networks and protects the interests of legitimate users and operators.
Although the preferred embodiments of the present invention have been disclosed for the purpose of illustration, those skilled in the art will appreciate that various modifications, additions and substitutions are possible; therefore, the scope of the present invention should not be limited to the embodiments described above.

Claims

1. A method for preventing impostor users in a wireless access network, characterized in that it comprises: establishing one or more virtual access points, wherein each virtual access point has a basic service set identifier (BSSID) corresponding to it;
connecting a terminal to one virtual access point according to the terminal's MAC address, and authenticating the terminal;
for a legitimate terminal that has passed authentication, binding the legitimate terminal's IP address and/or MAC address to the BSSID of the virtual access point that the legitimate terminal is connected to, and determining the binding relationship between the legitimate terminal and the virtual access point;
forwarding the data frames sent by the legitimate terminal according to the binding relationship, and discarding the data frames sent by an impostor terminal.
2. The method according to claim 1, characterized in that connecting the terminal to one virtual access point according to the terminal's MAC address comprises:
when the terminal needs to connect to a virtual access point, judging according to the terminal's MAC address whether a terminal with the same MAC address is already connected to that virtual access point;
when it is judged that no terminal with the same MAC address is connected to that virtual access point, connecting the terminal to that virtual access point;
when it is judged that a terminal with the same MAC address is present on that virtual access point, refusing to connect the terminal to that virtual access point and connecting the terminal to another virtual access point to which no terminal with the same MAC address is connected.
3. The method according to claim 1 or 2, characterized in that the method further comprises: establishing a terminal authorization state table, the terminal authorization state table including: IP address, MAC address, BSSID, and authorization state, the authorization state being one of: restricted, authorized, and forbidden.
4. The method according to claim 3, characterized in that, when the terminal disconnects, the method further comprises:
checking, according to the terminal authorization state table, whether an entry with a MAC address and BSSID matching the terminal exists, and if the entry exists, checking whether the entry's authorization state is authorized;
if the entry's authorization state is authorized, delaying the disconnection and setting a predetermined time; if the entry's authorization state is not authorized, disconnecting immediately;
when the predetermined time expires, checking whether the terminal is still online; if it is online, keeping the connection, otherwise disconnecting.
5. The method according to claim 3, characterized in that, for a legitimate terminal that has passed authentication, binding the legitimate terminal's IP address and/or MAC address to the BSSID of the virtual access point that the legitimate terminal is connected to comprises:
judging, according to the terminal authorization state table, whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal, and if so, changing that entry's authorization state to authorized and saving the corresponding IP address;
judging, according to the terminal authorization state table, whether there is an entry matching the MAC address of the legitimate terminal but not its BSSID, and if so, changing that entry's authorization state to forbidden.
6. The method according to claim 3, characterized in that forwarding the data frames sent by the legitimate terminal according to the binding relationship and discarding the data frames sent by the impostor terminal comprises:
judging, according to the terminal authorization state table, whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal, and if so, judging whether the source IP address in the legitimate terminal's packet matches the IP address in that entry;
if the IP addresses match, checking the authorization state in that entry;
if the authorization state is authorized, forwarding the packet; if the authorization state is forbidden, discarding the packet; if the authorization state is restricted, further judging whether the destination IP in the packet is within the allowed address range, forwarding the packet if it is and discarding it if it is not.
7. An access point, characterized in that it comprises:
a first establishing module, configured to establish one or more virtual access points, wherein each virtual access point has a basic service set identifier (BSSID) corresponding to it;
a connection module, configured to connect a terminal to one virtual access point according to the terminal's MAC address;
an authentication module, configured to authenticate the terminal;
a second establishing module, configured, for a legitimate terminal that has passed authentication, to bind the legitimate terminal's IP address and/or MAC address to the BSSID of the virtual access point that the legitimate terminal is connected to, and to determine the binding relationship between the legitimate terminal and the virtual access point;
a processing module, configured to forward the data frames sent by the legitimate terminal according to the binding relationship, and to discard the data frames sent by an impostor terminal.
8. The access point according to claim 7, characterized in that the connection module specifically comprises: a first judging sub-module, configured to judge, when the terminal needs to connect to a virtual access point, according to the terminal's MAC address, whether a terminal with the same MAC address is already connected to that virtual access point;
an access sub-module, configured to connect the terminal to the virtual access point when the first judging sub-module determines that no terminal with the same MAC address is connected to it, and, when the first judging sub-module determines that a terminal with the same MAC address is present on that virtual access point, to refuse to connect the terminal to that virtual access point and to connect the terminal to another virtual access point to which no terminal with the same MAC address is connected.
9. The access point according to claim 7, characterized in that the apparatus further comprises: a state table establishing module, configured to establish a terminal authorization state table, wherein the terminal authorization state table includes: IP address, MAC address, BSSID, and authorization state, the authorization state being one of: restricted, authorized, and forbidden; and a disconnection processing module, configured to check, when the terminal disconnects, according to the terminal authorization state table, whether an entry with a MAC address and BSSID matching the terminal exists; if the entry exists, to check whether the entry's authorization state is authorized; if the entry's authorization state is authorized, to delay the disconnection and set a predetermined time, and if the entry's authorization state is not authorized, to disconnect immediately; and, when the predetermined time expires, to check whether the terminal is still online, keeping the connection if it is and disconnecting otherwise.
10. The access point according to claim 9, characterized in that
the second establishing module is specifically configured to: judge, according to the terminal authorization state table, whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal, and if so, change that entry's authorization state to authorized and save the corresponding IP address; and judge, according to the terminal authorization state table, whether there is an entry matching the MAC address of the legitimate terminal but not its BSSID, and if so, change that entry's authorization state to forbidden; and the processing module is specifically configured to: judge, according to the terminal authorization state table, whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal, and if so, judge whether the source IP address in the legitimate terminal's packet matches the IP address in that entry; if the IP addresses match, check the authorization state in that entry; if the authorization state is authorized, forward the packet; if it is forbidden, discard the packet; if it is restricted, further judge whether the destination IP in the packet is within the allowed address range, forwarding the packet if it is and discarding it if it is not.
PCT/CN2011/072402 2010-11-22 2011-04-02 Method for preventing impostors in wireless access network, and access point WO2012068815A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010553071.6A CN102480729B (en) 2010-11-22 2010-11-22 Method and the access point of fake user is prevented in wireless access network
CN201010553071.6 2010-11-22

Publications (1)

Publication Number Publication Date
WO2012068815A1 true WO2012068815A1 (en) 2012-05-31

Family

ID=46093176

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/072402 WO2012068815A1 (en) 2010-11-22 2011-04-02 Method for preventing impostors in wireless access network, and access point

Country Status (2)

Country Link
CN (1) CN102480729B (en)
WO (1) WO2012068815A1 (en)

Also Published As

Publication number Publication date
CN102480729A (en) 2012-05-30
CN102480729B (en) 2015-11-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11843372

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11843372

Country of ref document: EP

Kind code of ref document: A1