CN106549911A - A kind of terminal access method and device - Google Patents
- Publication number: CN106549911A (application CN201510595743.2A)
- Authority: CN (China)
- Prior art keywords: key, terminal, access, access device, certificate
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/06—Authentication
Abstract
The invention discloses a terminal access method and device, including: receiving an access request from a terminal to access a preset network through a first access device, and authenticating the terminal; if authentication succeeds, then when an access request from the terminal to access the preset network through a second access device is received, allowing the terminal to access. In the terminal access method and device provided by the invention, certificate authentication is separated from the key negotiation process, so that the terminal performs certificate authentication only once; after authentication passes, when the terminal roams from one access device to another it need not be authenticated again and can access the network directly. This solves the problem of services being disrupted when the terminal roams, and improves the user experience.
Description
Technical field
The present invention relates to the field of communications, and in particular to a terminal access method and device.
Background technology
As Wireless Fidelity (Wi-Fi) services have become widespread, public concern about Wi-Fi security has grown day by day. At the end of 2003 the Chinese government announced a policy requiring wireless devices sold in China to support the WLAN Authentication and Privacy Infrastructure (WAPI). WAPI is a wireless LAN security standard developed independently in China, with independent intellectual property rights. It is a security protocol designed to address the security flaws in the international WLAN standard: it mainly protects the confidentiality, integrity and authenticity of data transmitted over the wireless network, performs identity authentication and access control on users requesting network access, and ensures that legitimate users connect securely and access only legitimate networks.
WAPI consists of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI). WAI and WPI respectively implement the authentication of user identity and the encryption of transmitted data. WAI uses public-key cryptography for mutual authentication between the wireless client (station, STA) and the wireless access point (AP). WPI uses a symmetric cryptographic algorithm for WLAN approved by the Office of the State Cryptography Administration Commission to protect data, encrypting and decrypting the MAC service data units of the Medium Access Control (MAC) sublayer.
The WAPI protocol includes two types: 1) certificate-based authentication and key management; 2) pre-shared-key-based authentication and key management.
For communication under the certificate-based authentication and key management type of the WAPI protocol, in the prior art the terminal must go through certificate authentication and key negotiation every time it accesses the network; that is, each time it attaches to a different access point (AP) it performs a separate certificate authentication and key negotiation. As a result, the services of a WLAN terminal user are disrupted while roaming, and the user experience is poor.
Summary of the invention
The main technical problem to be solved by the present invention is to provide a terminal access method and device that address the problem in the prior art that the terminal must go through certificate authentication and key negotiation each time it accesses the network, so that the services of a WLAN terminal user are affected while roaming.
To solve the above technical problem, the present invention provides a terminal access method, including: receiving an access request from a terminal to access a preset network through a first access device, and authenticating the terminal; if authentication succeeds, then when an access request from the terminal to access the preset network through a second access device is received, allowing the terminal to access.
In an embodiment of the present invention, if authentication succeeds, the method further includes: transmitting a first key, or the information needed to generate the first key, to the first access device and the terminal, the first key being a fixed key; and, after allowing the terminal to access, transmitting the first key or the information needed to generate the first key to the second access device.
Alternatively, if authentication succeeds, the method further includes: transmitting a second key, or the information needed to generate the second key, to the first access device and the terminal, the second key being a periodically updated key; and, after allowing the terminal to access, transmitting the second key or the information needed to generate the second key to the second access device and the terminal.
The first key and the second key are used by the terminal, the first access device and the second access device to generate the key that encrypts and decrypts the data transmitted between the terminal and the first access device or the second access device.
In an embodiment of the present invention, if authentication succeeds, the method further includes: storing the first key or the second key together with the media access control (MAC) layer address of the first access device and the MAC layer address of the terminal.
In an embodiment of the present invention, authenticating the terminal includes: obtaining the certificate of the terminal and the certificate of the first access device, and authenticating the access terminal according to the certificate of the terminal and the certificate of the first access device.
In an embodiment of the present invention, the certificate of the first access device is obtained from the first access device itself, from an access controller, a switch, the cloud, or a third-party server.
The present invention also provides a terminal access device, including:
a receiver module, for receiving an access request from a terminal to access a preset network through a first access device and, after the authentication module authenticates successfully, for receiving an access request from the terminal to access the preset network through a second access device;
an authentication module, for authenticating the terminal when the receiver module receives the access request from the terminal to access the preset network through the first access device;
an access module, for allowing the terminal to access when the receiver module receives the access request from the terminal to access the preset network through the second access device.
In an embodiment of the present invention, the device further includes:
a first transport module, for transmitting a first key, or the information needed to generate the first key, to the first access device and the terminal, the first key being a fixed key;
a second transport module, for transmitting the first key or the information needed to generate the first key to the second access device;
a third transport module, for transmitting a second key, or the information needed to generate the second key, to the first access device and the terminal, the second key being a periodically updated key;
a fourth transport module, for transmitting the second key or the information needed to generate the second key to the second access device and the terminal.
In an embodiment of the present invention, the device further includes a memory module for storing the first key or the second key, together with the MAC layer address of the first access device and the MAC layer address of the terminal.
In an embodiment of the present invention, the authentication module includes:
an acquisition submodule, for obtaining the certificate of the terminal and the certificate of the first access device;
an authentication submodule, for authenticating the access terminal according to the certificate of the terminal and the certificate of the first access device.
In an embodiment of the present invention, the acquisition submodule obtains the certificate of the first access device from the first access device itself, from an access controller, a switch, the cloud, or a third-party server.
The beneficial effects of the invention are as follows:
In the terminal access method and device provided by the present invention, certificate authentication is separated from the key negotiation process, so that the terminal performs certificate authentication only once. After authentication passes, when the terminal roams from one access device to another it need not be authenticated again and can access the network directly, which improves the user experience.
Brief description of the drawings
Fig. 1 is a flow chart of a terminal access method according to an embodiment of the present invention;
Fig. 2 is a flow chart of certificate checking and downloading according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a terminal access device according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the authentication module in the terminal access device of Fig. 3;
Fig. 5 is a terminal access flow diagram of Embodiment three.
Detailed description of the embodiments
The present invention is described in further detail below through specific embodiments, with reference to the accompanying drawings.
Embodiment one:
Referring to Fig. 1, which is a flow chart of a terminal access method according to an embodiment of the present invention:
S101: an access request from a terminal to access a preset network through a first access device is received.
When the terminal requests access to the preset network through the first access device, the terminal and the first access device have become associated. After the terminal information sent by the first access device is received, an authentication activation can be initiated and forwarded to the terminal by the first access device; after receiving the authentication activation, the terminal sends an access authentication request.
To improve the security and reliability of the access points in the preset network, a legitimacy check may be carried out on the access points. This check may be performed on all or some of the access devices of the preset network before the terminal requests access, or it may be performed on an access device as soon as an access request from a terminal is received through that access device.
S102: the terminal is authenticated.
After the access authentication request from the terminal is received, the certificates of the first access device and of the terminal must be obtained. The certificate of the first access device can be checked as shown in Fig. 2:
S201: check whether the certificate exists;
if not, the certificate of the first access device is absent and S202 is performed;
S202: obtain the certificate from a third-party server and install it;
if the certificate exists, S203 is performed;
S203: check whether the certificate has expired;
if the certificate has expired, S202 is performed: a new certificate is downloaded from the third-party server and installed, replacing the original certificate;
if the certificate of the first access device has not expired, it continues to be used. Further, once the latest certificate of the first access device has been obtained, the certificate may also be stored.
Because the terminal has become associated with the preset network, the terminal forwards its terminal information through the first access device, and this terminal information contains the terminal certificate downloaded from the certificate server.
After the certificates of the first access device and the terminal have been obtained, they are encapsulated into a certificate authentication message, which is sent to a third-party authentication server for authentication. The third-party authentication server here may be the certificate server. It should be understood that the certificate server has already taken part in generating the certificates of the first access device and the terminal; choosing it as the third-party authentication server merely minimises the number of parties involved when the terminal accesses the preset network and so improves the security of the access process. It is not a mandatory choice.
S103: if authentication succeeds, then when an access request from the terminal to access the preset network through a second access device is received, the terminal is allowed to access.
After the certificate server has authenticated the certificates of the first access device and the terminal, it returns a certificate authentication result, from which it is determined whether authentication succeeded. If so, the terminal is allowed to access the preset network through the first access device and a first key is generated. An access authentication activation message is then constructed and sent to the first access device and the terminal. The access authentication message sent to the first access device may contain the generated first key or the information needed to generate it; likewise, the access authentication activation message sent to the terminal may contain the first key or the information needed to generate it. Preferably, in this embodiment, the message sent to the terminal contains the information needed to generate the first key, while the message sent to the first access device contains the first key itself. The terminal's message carries only the key-generation information because it has to be forwarded by the first access device, so sending only that information is safer; the first access device receives the first key itself to simplify its work.
After the terminal receives the access authentication activation message, it can decide, according to the authentication result in the message, whether to access the preset network. If it decides to do so, it may also choose whether to access through the first access device; if not, it may access the preset network through a second access device. Of course, the terminal may also first access the preset network through the first access device, then leave the first access device and access the preset network through the second access device. In this embodiment, the terminal first accesses the preset network through the first access device, then leaves it and accesses the preset network through the second access device.
Since the terminal has already completed mutual authentication with the preset network through the first access device, when it chooses to access the preset network through the second access device it need not go through certificate authentication again: when the access request from the terminal to access the preset network through the second access device is received, the terminal can be allowed to access directly. Because the first key is a fixed key, when the terminal accesses the preset network through the second access device, only the first key or the information needed to generate it has to be sent to the second access device.
Using the first key they have received, or the first key generated from the received information, the terminal and the first or second access device carry out key negotiation to agree on the key used to encrypt and decrypt the data transmitted between the terminal and that access device. This key may be a unicast key or a multicast key.
To further improve the security of the key used for key negotiation, another preferred embodiment of the present invention replaces the first key with a second key, which is a periodically updated key. Each time the second key is updated, the second key or the information needed to generate it is sent to the terminal and to the access device the terminal is currently associated with. The terminal and the first or second access device then carry out key negotiation using the received second key or the second key generated from the received information. Through this continual key renewal, the first and second access devices use each second key only once and need not store keys, which effectively improves the security and reliability of the terminal's access to the preset network.
After authentication is judged successful according to the result returned by the certificate server, the first key or the second key is generated, and the first key or second key and its related information are stored. The stored content includes the first key or the second key, the Medium Access Control (MAC) layer address of the first access device, and the MAC address of the terminal.
Further, the stored content also includes the aging time of the first key or the second key. After the terminal leaves the first access device, if it requests access to the preset network from the second access device within the aging time of the first key or second key, the second access device can allow the terminal to access directly, without a certificate authentication process; if the terminal requests access after the aging time of the first key or second key has elapsed, certificate authentication must be performed again.
In another embodiment of the present invention, the stored first key or second key and its related information also include the effective time of the first key or the second key.
After the terminal roams from the first access device to the second access device, the stored first key or second key and its related information include at least: the first key or the second key, the Medium Access Control (MAC) layer address of the second access device, and the MAC address of the terminal.
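The once-only certificate authentication and roaming decision of Embodiment one (certificate check S201-S203, authentication S102, the stored entry with MAC addresses and aging time, direct access on roaming, and the periodically updated second key), which Embodiment two restates as device modules, modelled in Python. This is an added example, not code from the patent; the in-memory certificate server, the boolean standing in for signature verification, the HMAC-SHA256 derivation of the key from the "information needed to generate the key", and the `terminal_secret` shared after authentication are assumptions of this model.

```python
"""Model of the roaming decision from Embodiment one (added example, not the patent's code).

Assumptions (not in the patent): the certificate server is an in-memory dict; a boolean on
the certificate stands in for signature/chain verification; the "information needed to
generate the key" is a random nonce and the key is HMAC-SHA256 over it under a secret that
terminal and controller share once certificate authentication has succeeded.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Certificate:
    subject: str        # MAC address of the terminal or access device (constructed)
    not_after: float    # expiry, seconds since epoch
    valid: bool = True  # stands in for the real signature / chain check


@dataclass
class Entry:
    key: bytes
    ap_mac: str
    terminal_mac: str
    effective_time: float
    aging_time: float   # seconds the entry may be reused without re-authentication


def terminal_derive_key(terminal_secret, key_info):
    """Terminal side: rebuild the key from the material it was sent (constructed scheme)."""
    return hmac.new(terminal_secret, key_info, hashlib.sha256).digest()


class TerminalAccessController:
    """Plays the terminal access device: receiver, authentication, access and memory modules."""

    def __init__(self, cert_server, aging_seconds):
        self.cert_server = cert_server   # subject -> Certificate, the "third-party server"
        self.ap_certs = {}               # access-device certificates already installed
        self.entries = {}                # terminal MAC -> Entry (the memory module)
        self.terminal_secrets = {}       # terminal MAC -> secret shared after authentication
        self.aging_seconds = aging_seconds
        self.auth_count = 0              # number of certificate authentications performed

    def check_ap_certificate(self, ap_mac, now):
        """S201-S203: install the access device's certificate if absent, refresh it if expired."""
        cert = self.ap_certs.get(ap_mac)
        if cert is None or cert.not_after <= now:
            cert = self.cert_server.get(ap_mac)
            if cert is None:
                return None
            self.ap_certs[ap_mac] = cert
        return cert

    def certificate_authentication(self, terminal_cert, ap_cert, now):
        """S102: both certificates must be valid and unexpired."""
        self.auth_count += 1
        return all(c.valid and c.not_after > now for c in (terminal_cert, ap_cert))

    def _new_key(self, tmac):
        # The terminal receives only key_info (its message is relayed by the AP);
        # the access device receives the key itself.
        key_info = os.urandom(16)
        key = terminal_derive_key(self.terminal_secrets[tmac], key_info)
        return key_info, key

    def handle_request(self, terminal_cert, terminal_secret, ap_mac, now):
        """S101/S103: decide whether the terminal may attach through access device ap_mac.

        terminal_secret stands in for the secret the certificate-based exchange would
        establish between terminal and controller (assumption of this model)."""
        tmac = terminal_cert.subject
        entry = self.entries.get(tmac)
        if entry is not None:
            if now < entry.effective_time + entry.aging_time:
                entry.ap_mac = ap_mac    # roamed within the aging time: no new authentication
                return {"result": "allowed", "authenticated": False, "ap_msg": {"key": entry.key}}
            del self.entries[tmac]       # aged out: the terminal must authenticate again
        ap_cert = self.check_ap_certificate(ap_mac, now)
        if ap_cert is None or not self.certificate_authentication(terminal_cert, ap_cert, now):
            return {"result": "denied"}
        self.terminal_secrets[tmac] = terminal_secret
        key_info, key = self._new_key(tmac)
        self.entries[tmac] = Entry(key, ap_mac, tmac, now, self.aging_seconds)
        return {"result": "allowed", "authenticated": True,
                "ap_msg": {"key": key}, "terminal_msg": {"key_info": key_info}}

    def rekey(self, tmac, now):
        """Second-key variant: issue a fresh key to the terminal and its current access device."""
        entry = self.entries[tmac]
        key_info, key = self._new_key(tmac)
        self.entries[tmac] = Entry(key, entry.ap_mac, tmac, now, self.aging_seconds)
        return {"ap_msg": {"key": key}, "terminal_msg": {"key_info": key_info}}
```

The roaming branch deliberately does not re-examine the terminal's certificate, as the text prescribes; the aging time is therefore the only bound on how long a stored entry keeps granting access.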
Embodiment two:
The present invention also provides a terminal access device, described in detail with reference to Fig. 3. The terminal access device includes:
Receiver module 301, for receiving an access request from a terminal to access a preset network through a first access device and, after the authentication module authenticates successfully, for receiving an access request from the terminal to access the preset network through a second access device.
When the terminal requests access to the preset network through the first access device, the terminal and the first access device have become associated. After the terminal information sent by the first access device is received, an authentication activation can be initiated and forwarded to the terminal by the first access device; after receiving the authentication activation, the terminal sends an access authentication request.
To improve the security and reliability of the access points in the preset network, a legitimacy check may be carried out on the access points. This check may be performed on all or some of the access devices of the preset network before the terminal requests access, or it may be performed on an access device as soon as an access request from a terminal is received through that access device.
Authentication module 302, for authenticating the terminal when receiver module 301 receives the access request from the terminal to access the preset network through the first access device.
Referring to Fig. 4, authentication module 302 includes acquisition submodule 3021 and authentication submodule 3022.
Acquisition submodule 3021 is used to obtain the certificate of the terminal and the certificate of the first access device. The certificate of the first access device can be checked: if the terminal access device holds no certificate for the first access device, the certificate is obtained directly from a third-party server and installed; if the certificate of the first access device is already present, it is checked for expiry; if it has expired, a new certificate is downloaded from the third-party server and installed, replacing the original one; if the certificate of the first access device has not expired, the terminal access device continues to use it. Further, once the latest certificate of the first access device has been obtained, the terminal access device may store it.
Because the terminal has become associated with the preset network, the terminal forwards its terminal information through the first access device, and this terminal information contains the terminal certificate downloaded from the certificate server; acquisition submodule 3021 can therefore obtain the terminal's certificate from this terminal information.
Authentication submodule 3022, for authenticating the access terminal according to the certificate of the terminal and the certificate of the first access device.
After acquisition submodule 3021 has obtained the certificates of the first access device and the terminal, they are encapsulated into a certificate authentication message, which is sent to a third-party authentication server for authentication. The third-party authentication server here may be the certificate server. It should be understood that the certificate server has already taken part in generating the certificates of the first access device and the terminal; choosing it as the third-party authentication server merely minimises the number of parties involved when the terminal accesses the preset network and so improves the security of the access process. It is not a mandatory choice.
Access module 303, for allowing the terminal to access when the receiver module receives the access request from the terminal to access the preset network through the second access device.
First transport module 304, for transmitting the first key, or the information needed to generate the first key, to the first access device and the terminal, the first key being a fixed key.
Second transport module 305, for transmitting the first key or the information needed to generate the first key to the second access device after the access module has allowed the terminal to access.
Third transport module 306, for transmitting the second key, or the information needed to generate the second key, to the first access device and the terminal, the second key being a periodically updated key.
Fourth transport module 307, for transmitting the second key or the information needed to generate the second key to the second access device and the terminal.
After the certificate server has authenticated the certificates of the first access device and the terminal, it returns a certificate authentication result, from which it is determined whether authentication succeeded. If so, the terminal is allowed to access the preset network through the first access device and a first key is generated. An access authentication activation message is then constructed and sent to the first access device and the terminal by first transport module 304. The access authentication message sent to the first access device may contain the generated first key or the information needed to generate it; likewise, the access authentication activation message sent to the terminal may contain the first key or the information needed to generate it. Preferably, in this embodiment, the message sent to the terminal contains the information needed to generate the first key, while the message sent to the first access device contains the first key itself. The terminal's message carries only the key-generation information because it has to be forwarded by the first access device, so sending only that information is safer; the first access device receives the first key itself to simplify its work.
After the terminal receives the access authentication activation message, it can decide, according to the authentication result in the message, whether to access the preset network. If it decides to do so, it may also choose whether to access through the first access device; if not, it may access the preset network through a second access device. Of course, the terminal may also first access the preset network through the first access device, then leave the first access device and access the preset network through the second access device. In this embodiment, the terminal first accesses the preset network through the first access device, then leaves it and accesses the preset network through the second access device.
Since the terminal has already completed mutual authentication with the preset network through the first access device, when receiver module 301 receives the request from the terminal to access the preset network through the second access device, the terminal need not go through certificate authentication again: receiver module 301 notifies access module 303, and access module 303 can allow the terminal to access directly. Because the first key is a fixed key, when the terminal accesses the preset network through the second access device, only the first key or the information needed to generate it has to be sent to the second access device, by second transport module 305.
Using the first key they have received, or the first key generated from the received information, the terminal and the first or second access device carry out key negotiation to agree on the key used to encrypt and decrypt the data transmitted between them. This key may be a unicast key or a multicast key.
To further improve the security of the key used for key negotiation, another preferred embodiment of the present invention replaces the first key with a second key, which is a periodically updated key. Each time the second key is updated, third transport module 306 sends the second key or the information needed to generate it to the terminal and to the first access device the terminal is currently associated with, or fourth transport module 307 sends the second key or the information needed to generate it to the terminal and to the second access device the terminal is currently associated with. The terminal and the first or second access device then carry out key negotiation using the received second key or the second key generated from the received information. Through this continual key renewal, the first and second access devices use each second key only once and need not store keys, which effectively improves the security and reliability of the terminal's access to the preset network.
The terminal access device of the present invention also includes memory module 308. After authentication is judged successful according to the result returned by the certificate server, the first key or the second key is generated, and memory module 308 stores the first key or second key together with its related information. The stored content includes the first key or the second key, the MAC address of the first access device, and the MAC address of the terminal.
Further, the stored content also includes the aging time of the first key or the second key. After the terminal leaves the first access device, if it requests access to the preset network from the second access device within the aging time of the first key or second key, the second access device can allow the terminal to access directly, without a certificate authentication process; if the terminal requests access after the aging time of the first key or second key has elapsed, certificate authentication must be performed again.
In another embodiment that the present invention is provided, the first key of storage or the second key and its relevant information
Also include the entry-into-force time of first key or the second key.
After terminal roams into the second access device from the first access device, the first key of storage or second close
Key and its relevant information at least include:First key or the second key, the MAC Address of the second access device,
The MAC Address of terminal.
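As an added illustration (not code from the patent), the following Python model shows what the storage module keeps for a terminal, how a second access device uses the effective time and ageing time to decide whether a roaming terminal may be admitted without repeating certificate authentication, and how the periodically updated second key of the preceding paragraphs replaces the stored key. MAC addresses, times and key bytes are constructed; generating a fresh random second key at each update and dropping an expired entry on a failed check are assumptions of the example, not statements of the patent.

```python
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class KeyEntry:
    """What the storage module keeps for one authenticated terminal."""
    key: bytes            # first key (fixed) or second key (periodically updated)
    ap_mac: str           # access device the terminal is currently associated with
    terminal_mac: str
    effective_time: int   # seconds since epoch at which the key became usable
    ageing_time: int      # seconds the key stays usable after effective_time

    @property
    def expires_at(self):
        return self.effective_time + self.ageing_time


class KeyStore:
    """Storage module: one entry per terminal, keyed by the terminal's MAC address."""

    def __init__(self):
        self.entries = {}

    def on_auth_success(self, terminal_mac, ap_mac, key, now, ageing_time):
        """Called once the authentication server reports success and a key exists."""
        self.entries[terminal_mac] = KeyEntry(key, ap_mac, terminal_mac, now, ageing_time)

    def roam_decision(self, terminal_mac, new_ap_mac, now):
        """Decision when the terminal asks for access through another access device.

        Inside the validity window the terminal is admitted without repeating
        certificate authentication: the entry is re-bound to the new access device
        and the key is returned so it can be transferred there for key agreement.
        The MAC lookup only skips certificate authentication; the terminal still has
        to prove it holds the key in the key agreement that follows.  Outside the
        window, or for an unknown terminal, the stale entry is dropped (assumption)
        and re-authentication is required.
        """
        entry = self.entries.get(terminal_mac)
        if entry is None or not (entry.effective_time <= now < entry.expires_at):
            self.entries.pop(terminal_mac, None)
            return "reauth", None
        self.entries[terminal_mac] = replace(entry, ap_mac=new_ap_mac)
        return "fast", entry.key

    def rotate_second_key(self, terminal_mac, now, ageing_time):
        """Periodic update of the second key.

        A fresh random key (assumption) replaces the stored one and the validity
        window restarts.  The returned key is what the transmission modules deliver
        to the terminal and to its current access device, which uses it once and
        need not retain it.
        """
        entry = self.entries[terminal_mac]
        new_key = secrets.token_bytes(32)
        self.entries[terminal_mac] = replace(entry, key=new_key,
                                             effective_time=now, ageing_time=ageing_time)
        return new_key
```

The `now < expires_at` comparison makes the ageing time an exclusive bound, so a request arriving exactly at the end of the window is treated as expired; pick the bound deliberately, because a terminal that roams at the boundary is either served from the cache or forced through the full certificate exchange.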
Embodiment three:
In this embodiment, building on embodiment two, a WAPI proxy module and a third-party authentication server together form the terminal access apparatus.
First, the WAPI proxy module is embedded in the network and performs a legality check on the WLAN access devices: through a privately agreed arrangement it determines whether a WLAN access device is permitted to access the network. The WAPI proxy module also checks, updates and installs the certificate validity periods of the WLAN access devices. When a terminal needs to access the network, it downloads a certificate from the certificate server.
The certificate authentication and key agreement are described further with reference to Fig. 5:
S501: the terminal associates with a WLAN access device.
Specifically, after the terminal associates with the WLAN access device, the WLAN access device reports the terminal's information, which includes the certificate of the accessing terminal, to the acquisition submodule of the WAPI proxy module.
S502: having received the terminal's information, the WAPI proxy module initiates authentication activation.
S503: the terminal receives the authentication activation forwarded by the WLAN access device and sends an access authentication request.
S504: the access authentication request is processed and a certificate authentication request is initiated.
Specifically, after the WAPI proxy module receives the access authentication request forwarded by the WLAN access device, it processes the request, packages the certificate of the terminal and the certificate of the WLAN access device into a certificate authentication message, and sends that message to the third-party authentication server; this constitutes the certificate authentication request.
S505: the third-party authentication server performs certificate authentication and returns a certificate authentication response.
Specifically, the third-party authentication server performs third-party authentication of the terminal's certificate and of the WLAN access device's certificate, then issues a certificate authentication response and sends the authentication result to the WAPI proxy module.
S506: the WAPI proxy module generates a base key according to the received certificate authentication response, builds an access authentication response, and sends it to the terminal.
Specifically, after the WAPI proxy module receives the certificate authentication result, it decides from that result whether the terminal may access. If so, it generates a base key, which may be the first key or the second key of embodiment two; preferably the base key is also stored in the base key list in the WAPI proxy module. The proxy then builds an access authentication activation message for the terminal, which serves as the access authentication response.
S507: the terminal generates the base key according to the access authentication response.
Specifically, after receiving the access authentication activation message forwarded by the WLAN access device, the terminal decides from the authentication result whether to access the WLAN access device; if the result is success, it accesses and generates the base key.
S508: the WAPI proxy module announces the generated base key to the WLAN access device.
S509: the WLAN access device performs key agreement with the terminal using the base key it obtained.
Specifically, the two sides negotiate the keys used to encrypt and decrypt the data transmitted between them; these may be a unicast key or a multicast key.
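The S501 to S509 exchange above, as an added Python model that is not the patent's code: a terminal, a WAPI proxy and a third-party authentication server run the certificate check and derive a shared base key from which the access device and the terminal expand a unicast key. Certificates are reduced to an issuer name and a validity window, the base key comes from a toy finite-field Diffie-Hellman exchange over a 64-bit prime (the real WAI uses ECDH and its own key derivation, and nothing here is secure at that size), and all MAC addresses, CA names and times are constructed. The proxy refuses the terminal when either certificate fails, which is the reading of S505 that both certificates are authenticated.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group used only so that terminal and proxy end up with a shared
# secret to derive the base key from.  A 64-bit prime is NOT secure; the real WAI
# exchange uses ECDH.  These parameters are the example's assumptions.
P = 0xFFFFFFFFFFFFFFC5
G = 2


@dataclass(frozen=True)
class Certificate:
    subject: str      # holder's MAC address (constructed)
    issuer: str       # CA name, checked against the server's trust list
    not_before: int   # validity window, seconds since epoch (constructed)
    not_after: int


class ThirdPartyAuthServer:
    """S505: authenticates the terminal's and the WLAN access device's certificates."""

    def __init__(self, trusted_issuers, revoked=()):
        self.trusted = set(trusted_issuers)
        self.revoked = set(revoked)

    def check(self, cert, now):
        return (cert.issuer in self.trusted and cert.subject not in self.revoked
                and cert.not_before <= now <= cert.not_after)

    def authenticate(self, terminal_cert, ap_cert, now):
        # Both certificates must pass: a valid terminal behind an untrusted AP is refused.
        return self.check(terminal_cert, now) and self.check(ap_cert, now)


def kd(secret, label, *parts):
    """HMAC-SHA256 key derivation used for the base key and the unicast key."""
    return hmac.new(secret, label + b"".join(parts), hashlib.sha256).digest()


def base_key(shared, term_nonce, proxy_nonce):
    return kd(shared.to_bytes(8, "big"), b"base key", term_nonce, proxy_nonce)


class WapiProxy:
    def __init__(self, auth_server):
        self.auth = auth_server
        self.base_keys = {}   # the base key list of S506, keyed by terminal MAC

    def handle_access_auth_request(self, term_mac, term_cert, term_pub, term_nonce,
                                   ap_cert, now):
        """S504-S506: package both certificates for the server, act on its result,
        generate the base key and build the access authentication response."""
        if not self.auth.authenticate(term_cert, ap_cert, now):
            return {"allowed": False}
        priv = secrets.randbelow(P - 2) + 2
        proxy_nonce = secrets.token_bytes(16)
        self.base_keys[term_mac] = base_key(pow(term_pub, priv, P), term_nonce, proxy_nonce)
        return {"allowed": True, "proxy_pub": pow(G, priv, P), "proxy_nonce": proxy_nonce}

    def announce_base_key(self, term_mac):
        """S508: hand the base key to the WLAN access device serving this terminal."""
        return self.base_keys[term_mac]


class Terminal:
    def __init__(self, mac, cert):
        self.mac, self.cert = mac, cert
        self.priv = secrets.randbelow(P - 2) + 2
        self.nonce = secrets.token_bytes(16)
        self.base_key = None

    def access_auth_request(self):
        """S503: answer the authentication activation with certificate and key share."""
        return self.mac, self.cert, pow(G, self.priv, P), self.nonce

    def handle_access_auth_response(self, resp):
        """S507: on success, derive the same base key from the proxy's public value."""
        if not resp["allowed"]:
            return False
        self.base_key = base_key(pow(resp["proxy_pub"], self.priv, P),
                                 self.nonce, resp["proxy_nonce"])
        return True


def unicast_key(bk, ap_mac, term_mac):
    """S509: access device and terminal expand the base key into the unicast key that
    protects their data traffic (handshake nonces omitted for brevity)."""
    return kd(bk, b"unicast", ap_mac.encode(), term_mac.encode())


def run_flow(terminal, ap_mac, ap_cert, proxy, now):
    """S501-S509 end to end.  Returns (admitted, both sides agree on the unicast key)."""
    req = terminal.access_auth_request()                              # S503
    resp = proxy.handle_access_auth_request(*req, ap_cert, now)       # S504-S506
    if not terminal.handle_access_auth_response(resp):                # S507
        return False, False
    ap_bk = proxy.announce_base_key(terminal.mac)                     # S508
    return True, unicast_key(ap_bk, ap_mac, terminal.mac) == unicast_key(
        terminal.base_key, ap_mac, terminal.mac)                      # S509
```

The base key list lets the proxy serve the S508 announcement to whichever access device the terminal is on, which is what makes the roaming case of embodiment two possible; a refused terminal never gets an entry, so there is nothing for a second access device to pick up.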
In this embodiment, the terminal access apparatus may be deployed on an AP, on an access controller (AC), on a switch, or in the cloud.
The above is a further detailed description of the invention with reference to specific embodiments; the specific implementation of the invention is not to be regarded as limited to these descriptions. A person of ordinary skill in the art may make simple deductions or substitutions without departing from the inventive concept, and all of these are to be regarded as falling within the protection scope of the invention.
Claims (10)
1. A terminal access method, characterised in that it comprises:
receiving an access request by which a terminal accesses a predefined network through a first access device, and authenticating the terminal; and
if authentication succeeds, allowing the terminal to access when an access request by which the terminal accesses the predefined network through a second access device is received.
2. The terminal access method of claim 1, characterised in that, if authentication succeeds, the method further comprises: transmitting a first key, or the information needed to generate the first key, to the first access device and to the terminal, the first key being a fixed key; and, after the terminal is allowed to access, transmitting the first key, or the information needed to generate the first key, to the second access device;
or, if authentication succeeds, the method further comprises: transmitting a second key, or the information needed to generate the second key, to the first access device and to the terminal, the second key being a periodically updated key; and, after the terminal is allowed to access, transmitting the currently updated second key, or the information needed to generate the updated second key, to the second access device and to the terminal;
the first key or the second key being used by the terminal and by the first access device or the second access device to generate the encryption and decryption key for the data transmitted between them.
3. The terminal access method of claim 2, characterised in that, if authentication succeeds, the method further comprises storing the first key or the second key, the media access control (MAC) address of the first access device or the second access device, the MAC address of the terminal, the effective time of the first key or the second key, and the ageing time of the first key or the second key.
4. The terminal access method of any one of claims 1 to 3, characterised in that authenticating the terminal comprises: obtaining the certificate of the terminal and the certificate of the first access device, and authenticating the accessing terminal according to the certificate of the terminal and the certificate of the first access device.
5. The terminal access method of claim 4, characterised in that the certificate of the first access device is obtained from the first access device or from a third-party server.
6. A terminal access system, characterised in that it comprises:
a first request-receiving module, for receiving an access request by which a terminal accesses a predefined network through a first access device;
an authentication module, for authenticating the terminal when the access request by which the terminal accesses the predefined network through the first access device is received;
a second request-receiving module, for receiving, after authentication succeeds, an access request by which the terminal accesses the predefined network through a second access device; and
an access-permitting module, for allowing the accessing terminal to access when, after the authentication module has authenticated the terminal successfully, the second request-receiving module receives the access request by which the terminal accesses the predefined network through the second access device.
7. The terminal access system of claim 6, characterised in that it further comprises:
a first transmission module, for transmitting a first key, or the information needed to generate the first key, to the first access device and to the terminal, the first key being a fixed key, or for transmitting the first key, or the information needed to generate the first key, to the second access device after the access-permitting module has allowed the terminal to access; and
a second transmission module, for transmitting a second key, or the information needed to generate the second key, to the first access device and to the terminal, the second key being a periodically updated key, or for transmitting the currently updated second key, or the information needed to generate the updated second key, to the second access device and to the terminal after the access-permitting module has allowed the terminal to access.
8. The terminal access system of claim 7, characterised in that it further comprises a storage module, for storing, after the authentication module has authenticated the terminal successfully, the first key or the second key, the media access control (MAC) address of the first access device or the second access device, the MAC address of the terminal, the effective time of the first key or the second key, and the ageing time of the first key or the second key.
9. The terminal access system of any one of claims 6 to 8, characterised in that the authentication module further comprises a certificate storage unit, for storing the obtained certificate of the first access device.
10. The terminal access system of claim 9, characterised in that the authentication module further comprises a first access device certificate acquisition unit, which obtains the certificate of the first access device from the first access device or from a third-party server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510595743.2A CN106549911A (en) | 2015-09-17 | 2015-09-17 | A kind of terminal access method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106549911A true CN106549911A (en) | 2017-03-29 |
Family
ID=58362928
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510595743.2A Pending CN106549911A (en) | 2015-09-17 | 2015-09-17 | A kind of terminal access method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106549911A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN107302535A | 2017-06-28 | 2017-10-27 | 深圳市欧乐在线技术发展有限公司 | A kind of access authentication method and device
CN108900306A | 2018-07-02 | 2018-11-27 | 四川斐讯信息技术有限公司 | A kind of production method and system of wireless router digital certificate
CN111031538A | 2018-10-09 | 2020-04-17 | 华为技术有限公司 | Authentication method and device
CN111031538B | 2018-10-09 | 2021-12-03 | 华为技术有限公司 | Authentication method and device
CN110021085A | 2018-10-29 | 2019-07-16 | 深圳市微开互联科技有限公司 | A kind of open-door system and method for barcode scanning parallel proof
Similar Documents
Publication | Title
---|---
CN108650227B | Handshaking method and system based on datagram secure transmission protocol
CN101005359B | Method and device for realizing safety communication between terminal devices
WO2017185999A1 | Method, apparatus and system for encryption key distribution and authentication
CN101371550B | Method and system for automatically and freely providing user of mobile communication terminal with service access warrant of on-line service
CN101437223B | Access method, system and apparatus for household base station
JP6668407B2 | Terminal authentication method and apparatus used in mobile communication system
CN101610241B | Method, system and device for authenticating binding
WO2014058166A1 | Data transmitting apparatus and method, and recording medium having program recorded thereon for executing said method on computer
EP3857856B1 | System and method for authenticating communications between a vehicle, a charging station and a charging station management server
CN107529160B | VoWiFi network access method and system, terminal and wireless access point equipment
CN101772024B | User identification method, device and system
KR20120091635A | Authentication method and apparatus in wireless communication system
CN104994118A | WiFi authentication system and method based on dynamic password
CN102868665A | Method and device for data transmission
WO2011076008A1 | System and method for transmitting files between wapi teminal and application sever
CN101401465A | Method and system for recursive authentication in a mobile network
CN101150406A | Network device authentication method and system and relay forward device based on 802.1x protocol
CN101895881B | Method for realizing GBA secret key and pluggable equipment of terminal
CN101222322A | Safety ability negotiation method in super mobile broadband system
CN106549911A | A kind of terminal access method and device
JP2021522757A | Non-3GPP device access to core network
CN112565302A | Communication method, system and equipment based on security gateway
CN101800686A | Method, device and system for realizing service
CN106572465A | Wireless connection method and system thereof
CN108882233B | IMSI encryption method, core network and user terminal
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 2017-03-29