CN1662001B - Implementation method for grouping mobile users in WLAN - Google Patents
- Publication number
- CN1662001B
- Authority
- CN
- China
- Prior art keywords
- user
- group
- local
- visitor
- mobile subscriber
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Small-Scale Networks (AREA)
Abstract
The disclosed method groups mobile users in a wireless local area network (WLAN) and controls the transmission of unicast, multicast and broadcast packets between them. It controls data transmission between local users in different groups, between guest (visiting) users, and between a guest user and a local user, and thereby provides user-group-based access control for most applications. Its features are that the method does not require mobile users to install special client software and does not require the system administrator to manage encryption keys, so system and user management are relatively simple. However, the method does not provide encryption of wireless data transmission.
Description
Technical field
The invention describes a method for grouping mobile users in a wireless local area network (WLAN) and for controlling the transmission of unicast, multicast and broadcast packets between those users. The method controls data transmission between local users in different groups, between guest users, and between a guest user and a local user, and thereby provides a form of user-group-based access control for most applications.
Background technology
In wired networks, user grouping is mostly based on VLAN (Virtual LAN) technology. The characteristic of this technology is that the network equipment controls its physical ports (switching them on and off) and thereby completes the grouping of the users connected to those ports and the corresponding control of their data transmission. Because the network equipment is largely under the system administrator's control, this grouping technique has relatively high security.
In particular, VLANs can be divided into several partitioning modes, such as port VLAN, dynamic VLAN, Super VLAN and MAC VLAN.
Port VLAN is a relatively common VLAN partitioning method. Its principle is to logically assign the ports of the switches in a local area network to the corresponding VLANs. Each VLAN has its own IP address space, and a user's VLAN is determined by the port through which it connects. Port VLANs come in two patterns, single-switch and multi-switch: the former only supports forming a VLAN from specified ports on one switch, while the latter allows one VLAN to span several switches, and ports on the same switch may belong to different VLANs.
The principle of dynamic VLAN is to maintain a user information table in the switch's memory that records each connected user's IP address, VLAN identifier, port information and so on. When a user exchanges data, the switch checks it against this table and performs addressing and route selection according to the result. The confidentiality of dynamic VLAN is higher than the security of port VLAN, because the switch checks not only the user's IP address but also its VLAN identifier.
Super VLAN is currently a more advanced VLAN partitioning method. Its essence is an optimized technique for managing IP addresses: each of its subnets (sub-VLANs) is an independent multicast channel, and multicast information is not exchanged between different subnets. When data needs to be delivered to several destination nodes, a VLAN agent is set up dynamically, and the agent device manages the users within the VLAN. In this way each subnet does not need its own IP address; all subnets within the Super VLAN share a single IP address, which is the IP address of the Super VLAN.
MAC VLAN completes VLAN classification by initial manual configuration based on the MAC (hardware) address of the equipment. When a user exchanges data, the switch performs addressing and route selection according to that manual configuration.
In a WLAN, radio signals propagate in all directions and can be received by anyone, so there is no physical connection that guarantees directed data transmission to a (wireless) mobile user within a VLAN. In this situation the usual method of controlling what data a mobile user receives is data encryption and decryption. This method requires both the access point and the mobile user to have encryption and decryption capability. Any information transmitted wirelessly must first be encrypted before it is sent; although any receiving station can receive the information, only the intended receiving station can actually decrypt it, and directed transmission of data is thereby achieved.
A VLAN based on data encryption offers a higher level of security, but its drawback is that the mobile user must be equipped with corresponding client software and must hold a corresponding certificate and/or key in order to perform authentication and encryption/decryption. This places higher demands on key management, user configuration and user management, and therefore on the maintenance of the whole system.
Summary of the invention
The present invention relates to a technique for grouping users in a WLAN, and to a user data transmission control technique based on user groups.
More specifically, the technique of the present invention distinguishes local users from guest users in the WLAN and organizes the local users into user groups; by controlling data transmission between local users belonging to different user groups, between different guest users, and between guest users and local users, it realizes access control between all users.
The technique adopted by the present invention is to control unicast data transmission between users directly at the access point, and thereby also to control the replies to multicast and broadcast traffic between users, which provides user access control for the majority of applications.
The present invention introduces the notion of a user group. Each group consists of some users, and each user may belong to several user groups. According to the way user rights within a group are controlled, user groups fall into two classes: one is called the local (user) group, the other the guest (user) group, and their users are called local users and guest users respectively. A WLAN can support several local groups but only one guest group.
Intuitively, a local user may access the external Internet via the local area network and may additionally access the other users within its user group, but has no access rights across user groups; a guest user may only access the external Internet, has no right to access other guest users, and even less the right to access any local user.
The motivation for providing several local groups is to divide an enterprise's local mobile users into groups, so that mobile users in the same group can share data while mobile users belonging to different groups are prevented from sharing data.
The motivation for providing the guest group is to place all guest mobile users into this group, so that no data can be shared between guest mobile users and local mobile users, nor among guest mobile users themselves. For these requirements a single guest group is sufficient.
The core technique of the present invention is embodied in the method by which the access point forwards packets from one user to another. Before the core steps are carried out, as a preparatory step, every mobile user must first associate with the access point according to the IEEE 802.11 standard and complete a mutual authentication process. This authentication process need not produce any encryption key for encrypting data, but the access point establishes a mapping from the MAC address of every authenticated mobile user to the set of user groups to which that user belongs. After this preparatory step, the core procedure is as follows:
1. After the access point AP receives a packet P from user A, it first looks up the set of user groups SG corresponding to the sending user according to the source MAC address SA in P.
2. If the destination MAC address DA in P is the MAC address of this AP, and SG contains at least one local group or the guest group (i.e. SG is non-empty), the AP passes P to its own protocol stack for processing. (In this case P may be a packet by which a local or guest user requests access to the external Internet.)
3. If the destination MAC address DA in P is a broadcast or multicast address, the following steps are carried out:
 a) If SG contains a local group, the AP (wirelessly) forwards P. (All mobile users associated with the AP whose MAC address matches DA can receive P.)
 b) Otherwise, i.e. SG contains no local group (it is empty or contains only the guest group), the AP discards P.
4. Otherwise, i.e. DA is not a broadcast or multicast address, the AP looks up the set of user groups DG corresponding to the destination user according to DA:
 a) If the sets SG and DG have no user group in common (including the case where SG or DG is empty), the AP discards P.
 b) Otherwise, i.e. SG and DG share a user group, the AP further judges the type of the shared user groups:
 i. If at least one of the shared user groups is a local group, the AP (wirelessly) forwards P.
 (The user associated with the AP whose MAC address is DA will receive P.)
 ii. Otherwise, i.e. all the shared user groups are guest groups, the AP discards P.
The above steps achieve the following effects:
● forward all packets by which local and guest users request access to the external Internet;
● forward any multicast and broadcast transmission sent by a local user;
● block any multicast and broadcast transmission sent by a guest user;
● forward unicast transmission between any users in the same local group;
● block unicast transmission between users of different user groups;
● block unicast transmission between a guest-group user and any other guest-group or local-group user;
● block any unicast, multicast and broadcast transmission sent from a user that has no user group;
● block any unicast, multicast and broadcast transmission sent to a user that has no user group.
Although the above steps forward a local user's multicast and broadcast traffic, the replies to multicast and broadcast are mostly unicast, so these steps still block such replies between users who may not exchange unicast traffic. Multicast and broadcast exchanges that require a reply therefore cannot complete, which prevents reply-based protocols built on multicast and broadcast, such as ARP, DHCP and NetBIOS, from completing between those users.
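The forwarding decision of the core procedure, as an added worked example in Python (not code from the patent). The access point class, the group names G1 to G3 and the locally administered MAC addresses are constructed to mirror Fig. 1, and an extra unauthenticated user C7 is assumed to exercise the empty-group-set case:

```python
from enum import Enum
from typing import Dict, Iterable, Set


class GroupType(Enum):
    LOCAL = "local"
    GUEST = "guest"


class Action(Enum):
    TO_AP_STACK = "to_ap_stack"  # step 2: frame is for the AP itself (e.g. Internet-bound)
    FORWARD = "forward"          # steps 3a / 4b-i: AP re-transmits the frame over the air
    DROP = "drop"                # steps 3b / 4a / 4b-ii


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class AccessPoint:
    """Holds the MAC -> {user groups} mapping built during authentication and
    applies the forwarding rules of the core procedure to each (SA, DA) pair."""

    def __init__(self, ap_mac: str, group_types: Dict[str, GroupType]):
        if sum(t is GroupType.GUEST for t in group_types.values()) > 1:
            raise ValueError("a WLAN supports several local groups but only one guest group")
        self.ap_mac = ap_mac.lower()
        self.group_types = group_types
        self.mac_to_groups: Dict[str, Set[str]] = {}

    def register(self, mac: str, groups: Iterable[str]) -> None:
        """Called once association and mutual authentication have succeeded;
        no key material is produced, only the group mapping is recorded."""
        groups = set(groups)
        unknown = groups - set(self.group_types)
        if unknown:
            raise ValueError(f"unknown user group(s): {sorted(unknown)}")
        self.mac_to_groups[mac.lower()] = groups

    def groups_of(self, mac: str) -> Set[str]:
        # A user still in the authentication process (or never authenticated)
        # has no entry, so its group set is empty.
        return self.mac_to_groups.get(mac.lower(), set())

    def _has_local(self, groups: Set[str]) -> bool:
        return any(self.group_types[g] is GroupType.LOCAL for g in groups)

    def decide(self, sa: str, da: str) -> Action:
        sg = self.groups_of(sa)          # step 1: groups of the sender
        da = da.lower()
        if da == self.ap_mac and sg:     # step 2: addressed to the AP, sender is known
            return Action.TO_AP_STACK
        if is_group_address(da):         # step 3: broadcast / multicast
            return Action.FORWARD if self._has_local(sg) else Action.DROP
        dg = self.groups_of(da)          # step 4: unicast, groups of the destination
        common = sg & dg
        if not common:                   # 4a: no shared group (covers empty SG or DG)
            return Action.DROP
        # 4b: shared groups exist; forward only if at least one of them is local
        return Action.FORWARD if self._has_local(common) else Action.DROP


# Constructed topology mirroring Fig. 1: G1, G2 local; G3 guest; C7 unauthenticated.
# MACs are locally administered (02:...) placeholders, not values from the patent.
AP_MAC = "02:00:00:00:00:aa"
MACS = {f"C{i}": f"02:00:00:00:00:0{i}" for i in range(1, 8)}
MEMBERSHIP = {"C1": ["G1"], "C2": ["G1"], "C3": ["G2"], "C4": ["G2"],
              "C5": ["G3"], "C6": ["G3"]}            # C7 deliberately absent


def build_fig1_ap() -> AccessPoint:
    ap = AccessPoint(AP_MAC, {"G1": GroupType.LOCAL, "G2": GroupType.LOCAL,
                              "G3": GroupType.GUEST})
    for user, groups in MEMBERSHIP.items():
        ap.register(MACS[user], groups)
    return ap


def decide_by_name(ap: AccessPoint, src: str, dst: str) -> Action:
    """Convenience wrapper: dst may be a user name, 'AP', or 'BROADCAST'."""
    targets = {"AP": AP_MAC, "BROADCAST": "ff:ff:ff:ff:ff:ff"}
    return ap.decide(MACS[src], targets.get(dst) or MACS[dst])


if __name__ == "__main__":
    ap = build_fig1_ap()
    for src, dst in [("C1", "C2"), ("C1", "C3"), ("C1", "BROADCAST"), ("C5", "C1"),
                     ("C5", "C6"), ("C5", "BROADCAST"), ("C7", "C2"), ("C2", "C7"),
                     ("C1", "AP"), ("C7", "AP")]:
        print(f"{src:>2} -> {dst:<9} {decide_by_name(ap, src, dst).value}")
```

The table printed by the script reproduces the effects listed above, including that a guest user's Internet-bound frame still reaches the AP's stack while its peer-to-peer and broadcast frames are dropped.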
Description of drawings
Fig. 1 is a schematic diagram of the grouping technique of the present invention and of mobile users associating with an access point. Here the AP relies on its authentication service function to complete the authentication, grouping and wireless access control of the mobile users.
Fig. 2 is a schematic logical description of the grouping technique.
Embodiment
A concrete embodiment of the present invention can be described with reference to Fig. 1 as follows.
Before the core steps of the present invention are carried out, all mobile users C1, C2, C3, C4, C5 and C6 must first associate with the access point AP and, relying on the system's authentication service AS (Authentication Service), perform mutual authentication with the AP; AS may run on an independent server within the system, on the AP, or on other network equipment. The authentication mechanism can be of various kinds, such as the username/password mode of IEEE 802.1X (EAP-MD5, Extensible Authentication Protocol-Message Digest algorithm 5), the digital-certificate mode of IEEE 802.1X (EAP-TLS, Extensible Authentication Protocol-Transport Layer Security), or a Web-based username/password mode. The authentication mechanism determines the order in which a mobile user completes association and authentication with the AP, but whatever the order, once association and authentication have completed successfully the AP has determined the groups to which every user belongs. It must be pointed out in particular that the steps described in the invention only control data transmission between users and do not affect data transmission between a user and the system. Data transmission between user and system here includes the information exchange between the user and AS and AP during an IEEE 802.1X authentication process, and also, when Web-based username/password authentication is used, the exchanges by which the mobile user, before entering the username/password via the Web, successfully associates with the AP and obtains a LAN address from the DHCP service.
In Fig. 1, mobile users C1, C2, C3, C4, C5 and C6 have all associated and authenticated; the AP has determined the local groups G1 and G2 and the guest group G3 to which they belong, and has established the mapping from MAC addresses to these user groups.
After the user-group mapping has been established, the core steps of the present invention execute as follows:
● When C1 sends unicast data to C2 via the AP, because C1 and C2 belong to the same local group, the AP forwards the data and C2 receives it; further, when C2 sends a (unicast) reply to C1 via the AP, for the same reason C1 also receives the reply.
● When C1 sends unicast data to C3 (or C5) via the AP, because C1 and C3 (or C5) belong to different user groups, the AP discards the data, C3 (or C5) does not receive it, and C1's communication with C3 (or C5) cannot be completed.
● When C1 sends broadcast (or multicast) data to user group G1 via the AP, because it is broadcast (or multicast) and because the group G1 to which C1 belongs is a local group, the AP sends the broadcast (or multicast) data. All users in group G1 other than C1 (in the present example, only C2) can receive this broadcast (or multicast) information. Further, when C2 sends the corresponding (unicast) reply to C1 via the AP, because C1 and C2 belong to the same local group, C1 also receives the reply.
● When C1 sends broadcast (or multicast) data to user group G2 (or G3) via the AP, because it is broadcast (or multicast) and because the group G1 to which C1 belongs is a local group, the AP sends the broadcast data regardless of what type of user group G2 (or G3) is and regardless of whether C1 belongs to G2 (or G3). All users in group G2 (or G3) can receive this broadcast (or multicast) information. However, when a user in G2 (or G3), for example C3 (or C5), sends the corresponding (unicast) reply to C1 via the AP, because C3 and C5 do not belong to G1, the AP discards the reply and C1 does not receive it.
● When C5 sends unicast data to C1 via the AP, because C5 and C1 belong to different user groups, the AP discards the data and C1 does not receive it.
● When C5 sends unicast data to C6 via the AP, because C5 belongs to the guest group, the AP discards the data and C6 does not receive it.
● When C5 sends broadcast (or multicast) data to user group G1 (G2 or G3) via the AP, because C5 belongs to the guest group, the AP discards the broadcast (or multicast) data and the users in G1 (G2 or G3) do not receive it.
● For a user that is still in the authentication process, the AP does not yet have a mapping from that user's MAC address to its user groups, i.e. the set of user groups to which the user belongs is empty; the AP therefore forwards neither the unicast, multicast or broadcast data sent by that user, nor data whose destination address is that user.
● The above is only an example; in fact C1 and C2, C3 and C4, C5 and C6, and the other users within each group, are interchangeable when their roles are exchanged.
On the premise that all mobile users use the Windows operating system, the present invention guarantees the following features in the WLAN:
● The AP does not allow an unauthenticated mobile user and any other (unauthenticated or authenticated) user to access each other via Network Neighborhood; the reason is that for an unauthenticated mobile user the AP has no mapping from its MAC address to user groups.
● The AP allows any two successfully authenticated mobile users belonging to the same local user group to access each other via Network Neighborhood;
● The AP does not allow a guest user to access any other user on the network via Network Neighborhood, nor does it allow a guest user to be accessed by any other user on the network via Network Neighborhood.
One feature of the present invention is that mobile users in the WLAN authenticate and gain access using a Web browser with a username and password, without special client software or digital certificates, which saves the system administrator much trouble. However, the present invention does not provide encryption of wirelessly transmitted data.
Claims (3)
1. A method of implementing the grouping of mobile users in a wireless local area network (WLAN), characterized in that the method introduces the notion of a user group, each group consisting of some users and each user being allowed to belong to several user groups; according to the way user rights within a group are controlled, user groups fall into two classes, one called the local group and the other the guest group, whose users are called local mobile users and guest mobile users respectively; a WLAN can support several local groups but only one guest group; several local groups are provided, dividing the enterprise's local mobile users into groups so that local mobile users in the same group can share data while local mobile users belonging to different groups are prevented from sharing data; a guest group is provided into which all guest mobile users are placed, so that no data can be shared between guest mobile users and local mobile users, nor among guest mobile users; that is, only one guest group is required.
2. The method according to claim 1, wherein a local mobile user may access the external Internet via the local area network and may additionally access the other users within its user group, but has no access rights across user groups; a guest mobile user may only access the external Internet, has no right to access other guest mobile users, and even less the right to access any local mobile user.
3. A method by which an access point forwards packets from one user to another, characterized in that, before the core steps are carried out, as a preparatory step every mobile user must first associate with the access point according to the IEEE 802.11 standard and complete a mutual authentication process; this authentication process need not produce any encryption key for encrypting data, but the access point establishes a mapping from the MAC address of every authenticated mobile user to the set of user groups to which that user belongs;
After the access point AP receives a packet P from user A, it first looks up the set of user groups SG corresponding to the sending user according to the source MAC address SA in P;
If the destination MAC address DA in P is the MAC address of this AP, and SG contains at least one local group or the guest group, the AP passes P to its own protocol stack for processing; in this case P may be a packet by which a local or guest user requests access to the external Internet;
If the destination MAC address DA in P is a broadcast or multicast address, the following steps are carried out:
(a) if SG contains a local group, the AP forwards P; all mobile users associated with the AP whose MAC address matches DA can receive P;
(b) otherwise, SG contains no local group, and the AP discards P;
If the destination MAC address DA in P is not a broadcast or multicast address, the AP looks up the set of user groups DG corresponding to the destination user according to DA:
(c) if the sets SG and DG have no user group in common, including the case where SG or DG is empty, the AP discards P;
(d) otherwise, if SG and DG share a user group, the AP further judges the type of the shared user groups:
i. if at least one of the shared user groups is a local group, the AP forwards P;
the user associated with the AP whose MAC address is DA will receive P;
ii. otherwise, if all the shared user groups are guest groups, the AP discards P.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2004100034216A CN1662001B (en) | 2004-02-26 | 2004-02-26 | Implementation method for grouping mobile users in WLAN |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2004100034216A CN1662001B (en) | 2004-02-26 | 2004-02-26 | Implementation method for grouping mobile users in WLAN |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1662001A CN1662001A (en) | 2005-08-31 |
| CN1662001B true CN1662001B (en) | 2011-05-18 |
Family
ID=35011069
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2004100034216A Expired - Fee Related CN1662001B (en) | 2004-02-26 | 2004-02-26 | Implementation method for grouping mobile users in WLAN |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1662001B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100428677C (en) * | 2006-01-21 | 2008-10-22 | 华为技术有限公司 | A method and system for subscribing to presentation information |
| JP4989117B2 (en) * | 2006-06-12 | 2012-08-01 | キヤノン株式会社 | Communication apparatus and method |
| US9198033B2 (en) * | 2007-09-27 | 2015-11-24 | Alcatel Lucent | Method and apparatus for authenticating nodes in a wireless network |
| CN104349396B (en) * | 2013-08-09 | 2017-11-24 | 华为技术有限公司 | A kind of data packet forwarding method, apparatus and system |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1357997A (en) * | 2000-12-15 | 2002-07-10 | 华为技术有限公司 | Virtual local area network access method in Ethernet access network |
| CN1370300A (en) * | 1999-08-17 | 2002-09-18 | 易玖私人有限公司 | Method and appts. for collaborative information management |
| CN1437359A (en) * | 2002-02-07 | 2003-08-20 | 华为技术有限公司 | Control method of network access of user to log on |
| CN1455905A (en) * | 2001-01-16 | 2003-11-12 | 通用电气公司 | Use at least one arbitrary user group to delegate management of information in a database directory |
Application Events (1)
- 2004-02-26 CN CN2004100034216A patent/CN1662001B/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN1662001A (en) | 2005-08-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8195950B2 (en) | Secure and seamless wireless public domain wide area network and method of using the same | |
| EP1653668B1 (en) | Restricted WLAN access for unknown wireless terminal | |
| EP1529352B1 (en) | A method for grouping 802.11 stations into authorized service sets to differentiate network access and services | |
| KR100933097B1 (en) | Aerial access point | |
| US7342906B1 (en) | Distributed wireless network security system | |
| US7688981B2 (en) | Network partitioning using encryption | |
| US7711824B2 (en) | Arrangements and methods in an access system | |
| CN102263648B (en) | System and method for grouping multiple VLANs into a single 802.11 IP multicast domain | |
| US20080198821A1 (en) | Public Access Point | |
| EP1499072B1 (en) | Method for interconnecting a PLC LAN with any other non-PLC LAN | |
| CA2849630C (en) | Local area network | |
| CN101568069B (en) | Method and device for providing multicast service for external mobile terminal | |
| CN1662001B (en) | Implementation method for grouping mobile users in WLAN | |
| CN100370776C (en) | System and method for realizing multi-user access by LAN terminal | |
| CN101160833A (en) | Method, system and terminal for accessing wireless local area network terminal to network | |
| US20050013268A1 (en) | Method for registering broadcast/multicast service in a high-rate packet data system | |
| CN100486244C (en) | Method for transmitting 802.1X certification message by bridging equipment | |
| KR100684306B1 (en) | Method for requesting, generating, and distributing traffic encryption keys for each service in a wireless portable Internet system, apparatus thereof, and method for configuring the protocol | |
| Scheffler | of Deliverable: Advanced Network Infrastructure | |
| HK1089519A1 (en) | Method, system, and network of accessing resources via a wireless communication network | |
| HK1089519B (en) | Method, system, and network of accessing resources via a wireless communication network |
Legal Events
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| C17 | Cessation of patent right | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20110518; Termination date: 20130226 |