WO2010130133A1 - Method and system for station switching when WPI is implemented by access controller in convergent WLAN

Publication number
WO2010130133A1
Authority
WO
WIPO (PCT)
Prior art keywords
access controller
destination
site
wireless terminal
key
Prior art date
Application number
PCT/CN2009/075566
Other languages
French (fr)
Chinese (zh)
Inventor
铁满霞
曹军
杜志强
赖晓龙
黄振海
Original Assignee
西安西电捷通无线网络通信有限公司
Priority date
Filing date
Publication date
Application filed by 西安西电捷通无线网络通信有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047: Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471: Key exchange
    • H04W12/041: Key generation or derivation
    • H04W36/00: Hand-off or reselection arrangements
    • H04W36/0005: Control or signalling for completing the hand-off
    • H04W36/0083: Determination of parameters used for hand-off, e.g. generation or modification of neighbour cell lists
    • H04W36/00837: Determination of triggering parameters for hand-off
    • H04W84/00: Network topologies
    • H04W84/02: Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]

Definitions

  • the present invention relates to the field of communications technologies, and in particular to a method and system for station switching when WPI is implemented by an access controller in a convergent WLAN.
  • current roaming handover methods for stations (Station, STA) in wireless local area networks (WLAN) based on the WLAN Authentication and Privacy Infrastructure (WAPI) protocol were all proposed under the autonomous WLAN architecture and cannot be applied directly to the WAPI-based convergent WLAN architecture.
  • access control devices such as an access controller (Access Controller, AC), wireless switches, or wireless routers centrally manage the authentication and policy enforcement functions of the WLAN. These devices can also provide centralized bridging, forwarding, and encryption and decryption of user data.
  • the present invention provides a method and system by which, in a convergent WLAN architecture, a station switches between wireless terminal points (Wireless Terminal Point, WTP) under different access controllers when the WLAN Privacy Infrastructure (WPI) is implemented by the access controller.
  • the access controller here can also be replaced by a device such as a wireless switch or a wireless router.
  • the technical solution of the present invention is:
  • the present invention provides a method for station switching when WPI is implemented by an access controller in a convergent WLAN.
  • the method includes:
  • the station re-associates with the destination access controller through the destination wireless terminal point; the destination access controller requests the unicast session key or the base key from the associated access controller; the associated access controller notifies the associated wireless terminal point to delete the station;
  • the destination access controller notifies the destination wireless terminal point to add the station;
  • the station and the destination access controller negotiate a session key based on the requested unicast session key or base key;
  • the destination access controller informs the destination wireless terminal point to open the controlled port.
  • the station re-associating with the destination access controller through the destination wireless terminal point may specifically include:
  • the station passively listens to the beacon frame of the destination wireless terminal point to obtain the parameters of the destination wireless terminal point, including the WAPI information element, which contains the authentication and key management suites and cipher suites supported by the destination wireless terminal point; or
  • the station actively sends a probe request frame to the destination wireless terminal point; after receiving it, the destination wireless terminal point sends a probe response frame to the station, and on receiving the probe response frame the station obtains the parameters of the destination wireless terminal point, including the WAPI information element, which contains the authentication and key management suites and cipher suites supported by the destination wireless terminal point;
  • in the local Medium Access Control (MAC) mode, the station sends a link verification request frame to the destination wireless terminal point, requesting link verification with it, and the destination wireless terminal point sends a link verification response frame to the station according to that request frame; in the split MAC mode, the station sends a link verification request frame to the destination access controller, requesting link verification with it, and the destination access controller sends a link verification response frame to the station according to that request frame;
  • after the link verification succeeds, the station sends a re-association request frame to the destination access controller, requesting re-association with it; in the re-association request frame the station includes the identifier of the currently associated wireless terminal point, the identifier of the associated access controller, and a WAPI information element that identifies the authentication and key management suite and cipher suite selected by the station, which are preferably the same as those selected when the station associated with the associated access controller; the destination access controller parses the station's re-association request frame and sends a re-association response frame to the station.
  • the destination access controller requesting the unicast session key or the base key from the associated access controller may specifically include:
  • the destination access controller sends unicast session key or base key request information, which includes station deletion information, to the associated access controller over a secure channel established in advance between the two;
  • according to that request information, the associated access controller sends a unicast session key or base key to the destination access controller over the secure channel between them; the unicast session key sent to the destination access controller is either exactly equal to the unicast session key between the station and the associated access controller, or is computed from that unicast session key by a one-way function using the extended parameters; the base key sent to the destination access controller is either exactly equal to the base key between the station and the associated access controller, or is computed from that base key by a one-way function using the extended parameters; the extended parameters are parameters known in advance to the station and the destination access controller.
  • the associated access controller notifying the associated wireless terminal point to delete the station may specifically include: according to the station deletion information in the destination access controller's unicast session key or base key request information, the associated access controller sends the associated wireless terminal point a Control And Provisioning of Wireless Access Points protocol (CAPWAP) Station Configuration Request message, which contains message elements such as Delete Station;
  • the associated wireless terminal point sends a CAPWAP Station Configuration Response message to the associated access controller, which contains a Result Code message element identifying the result of processing the CAPWAP Station Configuration Request message.
  • the destination access controller notifying the destination wireless terminal point to add the station may include: the destination access controller sends a CAPWAP Station Configuration Request message to the destination wireless terminal point, where the request message includes the Add Station, GB15629.11 Add Station, and GB15629.11 Station Session Key message elements; A in the GB15629.11 Station Session Key message element is set to 1, which notifies the destination wireless terminal point (WTP) to close the controlled port and forward only WLAN Authentication Infrastructure (WAI) protocol data from the corresponding station;
  • the destination wireless terminal point sends a CAPWAP Station Configuration Response message to the destination access controller, where the response message includes a Result Code message element identifying the result of processing the CAPWAP Station Configuration Request message sent by the destination access controller to the destination wireless terminal point.
  • the station and the destination access controller negotiating the session key based on the requested unicast session key or base key may specifically include:
  • the destination access controller and the station perform WAI unicast key negotiation based on the requested base key.
  • specifically, the destination wireless terminal point decapsulates the WAI unicast key negotiation data from the destination access controller, which is encapsulated in the CAPWAP data encapsulation format, and forwards it to the station; the destination wireless terminal point encapsulates the WAI unicast key negotiation data from the station in the CAPWAP data encapsulation format and sends it to the destination access controller;
  • when the destination access controller requests the unicast session key, the destination access controller and the station perform WAI multicast key advertisement; specifically, the destination wireless terminal point decapsulates the WAI multicast key advertisement data from the destination access controller, which is encapsulated in the CAPWAP data encapsulation format, and forwards it to the station; the destination wireless terminal point encapsulates the WAI multicast key advertisement data from the station in the CAPWAP data encapsulation format and sends it to the destination access controller.
  • the destination access controller notifying the destination wireless terminal point to open the controlled port may include: the destination access controller sends a CAPWAP Station Configuration Request message to the destination wireless terminal point, where the request message includes the Add Station, GB15629.11 Add Station, and GB15629.11 Station Session Key message elements; C in the Station Session Key message element is set to 1, which informs the destination wireless terminal point to open the controlled port corresponding to the station and forward all data from the station, including WAI protocol data and non-WAI protocol data;
  • the destination wireless terminal point sends a CAPWAP Station Configuration Response message to the destination access controller, where the response message includes a Result Code message element identifying the result of processing the CAPWAP Station Configuration Request message sent by the destination access controller to the destination wireless terminal point.
  • the present invention also provides a station switching system for use when WPI is implemented by an access controller in a convergent WLAN, the system comprising:
  • a destination access controller, an associated access controller, a destination wireless terminal point, an associated wireless terminal point, and a station;
  • the station re-associates with the destination access controller through the destination wireless terminal point; the destination access controller requests a unicast session key or a base key from the associated access controller; the associated access controller notifies the associated wireless terminal point to delete the station;
  • the destination access controller notifies the destination wireless terminal point to add the station;
  • the station and the destination access controller negotiate a session key based on the requested unicast session key or base key.
  • the present invention provides a method and system for station handover when WPI is implemented by an access controller in a convergent WLAN: the base key or unicast session key generated by WAI negotiation between a STA and an AC is cached, the session key between the STA and the destination WTP is generated from the cached base key or unicast session key during STA roaming handover, and adding the station between the AC and the WTP is implemented with CAPWAP control messages.
  • the present invention can quickly and securely implement roaming handover of STAs between WTPs under different ACs.
  • FIG. 1 is a schematic diagram of an embodiment of a station roaming handover scenario provided by the present invention.
  • FIG. 2 is a flowchart of an embodiment of the station roaming handover method provided by the present invention.
  • the present invention caches the Base Key (BK) or Unicast Session Key (USK) generated by negotiation between a STA and an AC via WAI (WLAN Authentication Infrastructure).
  • the session key between the STA and the destination WTP is generated from the cached BK or USK during STA roaming handover, and the STA add, STA delete, and key synchronization operations between the AC and the WTP are implemented with CAPWAP control messages.
  • the method may include the following steps:
  • Step 1: The STA re-associates with the destination AC through the destination WTP.
  • Step 1 may include: Step 11: The STA passively listens to the beacon frame of the destination WTP to obtain the parameters of the destination WTP, including the WAPI information element, which contains the authentication and key management suites and cipher suites supported by the destination WTP. Alternatively, the STA sends a probe request frame to the destination WTP; after receiving it, the destination WTP sends a probe response frame to the STA, and on receiving the probe response frame the STA obtains the parameters of the destination WTP, including the WAPI information element, which contains the authentication and key management suites and cipher suites supported by the destination WTP;
  • Step 12: In the local MAC mode, the STA sends a link verification request frame to the destination WTP to request link verification with the destination WTP.
  • the destination WTP sends a link verification response frame to the STA according to the link verification request frame of the STA.
  • In the split MAC mode, the STA sends a link verification request frame to the destination AC, requesting link verification with the destination AC, and the destination AC sends a link verification response frame to the STA according to the link verification request frame of the STA;
  • Step 13: After the link verification succeeds, the STA sends a re-association request frame to the destination AC, requesting re-association with the destination AC.
  • in the re-association request frame the STA includes the identifier of the currently associated WTP, the identifier of the associated AC, and a WAPI information element that identifies the authentication and key management suite and cipher suite selected by the STA; the suites selected by the STA are preferably the same as those selected when it initially associated with the AC;
  • the destination AC parses the STA's re-association request frame and sends a re-association response frame to the STA.
  • Step 2: The destination AC requests the USK or extended unicast session key from the associated AC (Extended U).
  • Step 2 can include:
  • Step 21: Using the secure channel established in advance with the associated AC, the destination AC sends USK or EUSK or BK or EBK request information, which includes the STA deletion information, to the associated AC.
  • the extended parameters are known in advance to the STA and the destination AC, such as the MAC addresses of both parties, and F is a one-way function.
  • Step 3: The associated AC notifies the associated WTP to delete the STA.
  • Step 3 can include:
  • Step 31: According to the STA deletion information in the destination AC's USK or EUSK or BK or EBK request information, the associated AC sends a CAPWAP Station Configuration Request message to the associated WTP; the message includes message elements such as Delete Station.
  • the Delete Station message element can include the station's MAC address.
  • Step 32: The associated WTP sends a CAPWAP Station Configuration Response to the associated AC (Station
  • Step 4: The destination AC notifies the destination WTP to add the STA.
  • Step 4 can include:
  • Step 41: The destination AC sends a CAPWAP Station Configuration Request message to the destination WTP, where the message includes Add Station, GB15629.11 Add Station, and GB15629.11 Station Session Key (GB156
  • Step 42: The destination WTP sends a CAPWAP Station Configuration Response message to the destination AC, which includes the Result Code message element identifying the result of processing the CAPWAP Station Configuration Request message.
  • Step 5: The STA and the destination AC negotiate the session key based on the requested USK or EUSK or BK or EBK.
  • Step 5 can include:
  • Step 51: When the destination AC requests the BK or EBK from the associated AC, the destination AC and the STA perform WAI unicast key negotiation based on the requested BK or EBK.
  • specifically, the destination WTP decapsulates the WAI unicast key negotiation data from the destination AC and forwards it to the STA.
  • the destination WTP encapsulates the WAI unicast key negotiation data from the STA in the CAPWAP data encapsulation format and then sends it to the destination AC.
  • when the destination AC requests the USK or EUSK from the associated AC, this step is omitted.
  • Step 52: The destination AC and the STA perform WAI multicast key advertisement. Specifically, the destination WTP decapsulates the WAI multicast key advertisement data from the destination AC and forwards it to the STA. The destination WTP encapsulates the WAI multicast key advertisement data from the STA in the CAPWAP data encapsulation format and then sends it to the destination AC.
  • Step 6: The destination AC informs the destination WTP to open the controlled port.
  • Step 6 can include:
  • Step 61: The destination AC sends a CAPWAP Station Configuration Request message to the destination WTP, where the message includes message elements such as Add Station, GB15629.11 Add Station, and GB15629.11 Station Session Key; C in the GB15629.11 Station Session Key message element is set to 1, which informs the destination WTP to open the controlled port corresponding to the STA and forward all data from the STA, including WAI protocol data and non-WAI protocol data.
  • the Add Station message element can include the station's MAC address.
  • Step 62: The destination WTP sends a CAPWAP Station Configuration Response message to the destination AC, which includes the Result Code message element identifying the result of processing the CAPWAP Station Configuration Request message.
  • the present invention also provides a station switching system for use when WPI is implemented by an access controller in a convergent WLAN; the system includes a destination access controller, an associated access controller, a destination wireless terminal point, an associated wireless terminal point, and a station.
  • the station re-associates with the destination access controller through the destination wireless terminal point; the destination access controller requests the unicast session key or the base key from the associated access controller; the associated access controller notifies the associated wireless terminal point to delete the station; the destination access controller notifies the destination wireless terminal point to add the station; the station and the destination access controller negotiate the session key based on the requested unicast session key or base key.
  • the foregoing storage medium includes: a medium that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk.

Abstract

A method and system for a station switching when WPI (WLAN (Wireless Local Area Network) Privacy Infrastructure) is implemented by an access controller in a convergent WLAN are disclosed by the present invention. The method includes the following steps: the station re-associates with a destination access controller via a destination wireless terminal point; the destination access controller requests a base key or unicast session key from the associated access controller; the associated access controller informs the associated wireless terminal point to delete the station; the destination access controller informs the destination wireless terminal point to add the station; the station and the destination access controller negotiate about a session key based on the requested unicast session key or base key; the destination access controller informs the destination wireless terminal point to turn on the controlled port. By the present invention, in the convergent WLAN based on WAPI (WLAN Authentication and Privacy Infrastructure) protocol, the station can roam and switch rapidly and safely between different wireless terminal points of different controllers.

Description

Method and system for station switching when WPI is implemented by an access controller in a convergent WLAN

This application claims priority to Chinese patent application No. 200910022527.3, filed with the Chinese Patent Office on May 14, 2009 and entitled "STA roaming handover method and system when WPI is implemented by an AC in a convergent WLAN", the entire contents of which are incorporated herein by reference.

Technical field
The present invention relates to the field of communications technologies, and in particular to a method and system for station switching when WPI is implemented by an access controller in a convergent WLAN.

Background
At present, the roaming handover methods for stations (Station, STA) in wireless local area networks (Wireless Local Area Network, WLAN) based on the WLAN Authentication and Privacy Infrastructure (WAPI) protocol have all been proposed under the autonomous WLAN architecture and cannot be applied directly to the WAPI-based convergent WLAN architecture. In the convergent WLAN architecture, access control devices such as an access controller (Access Controller, AC), a wireless switch, or a wireless router centrally manage the authentication and policy enforcement functions of the WLAN; these devices can also provide centralized bridging, forwarding, and encryption and decryption of user data.

Summary of the invention
To overcome the drawback described in the background, namely that the current STA roaming handover methods in WAPI-based WLANs apply only to the autonomous architecture, the present invention provides a method and system by which, in the convergent WLAN architecture, a station switches between wireless terminal points (Wireless Terminal Point, WTP) under different access controllers when the WLAN Privacy Infrastructure (WPI) is implemented by the access controller. The access controller here may also be replaced by a device such as a wireless switch or a wireless router.
The technical solution of the present invention is as follows. The present invention provides a method for station switching when WPI is implemented by an access controller in a convergent WLAN. The method includes:
the station re-associates with the destination access controller through the destination wireless terminal point;
the destination access controller requests the unicast session key or the base key from the associated access controller;
the associated access controller notifies the associated wireless terminal point to delete the station;
the destination access controller notifies the destination wireless terminal point to add the station;
the station and the destination access controller negotiate a session key based on the requested unicast session key or base key;
the destination access controller informs the destination wireless terminal point to open the controlled port.
The station re-associating with the destination access controller through the destination wireless terminal point may specifically include:
The station passively listens to the beacon frame of the destination wireless terminal point to obtain the parameters of the destination wireless terminal point, including the WAPI information element, which contains the authentication and key management suites and cipher suites supported by the destination wireless terminal point; or the station actively sends a probe request frame to the destination wireless terminal point, the destination wireless terminal point sends a probe response frame to the station after receiving the probe request frame, and on receiving the probe response frame the station obtains the parameters of the destination wireless terminal point, including the WAPI information element, which contains the authentication and key management suites and cipher suites supported by the destination wireless terminal point;
In the local Medium Access Control (MAC) mode, the station sends a link verification request frame to the destination wireless terminal point, requesting link verification with the destination wireless terminal point, and the destination wireless terminal point sends a link verification response frame to the station according to the station's link verification request frame; in the split MAC mode, the station sends a link verification request frame to the destination access controller, requesting link verification with the destination access controller, and the destination access controller sends a link verification response frame to the station according to the station's link verification request frame;
After the link verification succeeds, the station sends a re-association request frame to the destination access controller, requesting re-association with the destination access controller. In the re-association request frame the station includes the identifier of the currently associated wireless terminal point, the identifier of the associated access controller, and a WAPI information element that identifies the authentication and key management suite and cipher suite selected by the station; the suites selected by the station are preferably the same as those it selected when associating with the associated access controller;
The destination access controller parses the station's re-association request frame and sends a re-association response frame to the station.
The destination access controller requesting the unicast session key or base key from the associated access controller, as described above, may specifically include:
The destination access controller sends unicast session key or base key request information, which contains station deletion information, to the associated access controller over a secure channel established in advance between the destination access controller and the associated access controller;
According to the unicast session key or base key request information of the destination access controller, the associated access controller sends the unicast session key or base key to the destination access controller over the secure channel between the associated access controller and the destination access controller. The unicast session key sent to the destination access controller is either exactly equal to the unicast session key between the station and the associated access controller, or is computed from the unicast session key between the station and the associated access controller by a one-way function using extension parameters; the base key sent to the destination access controller is either exactly equal to the base key between the station and the associated access controller, or is computed from the base key between the station and the associated access controller by a one-way function using extension parameters; the extension parameters are parameters known in advance to the station and the destination access controller.
The associated access controller notifying the associated wireless termination point to delete the station, as described above, may specifically include:
According to the station deletion information in the unicast session key or base key request information of the destination access controller, the associated access controller sends a Control And Provisioning of Wireless Access Points protocol (CAPWAP) Station Configuration Request message to the associated wireless termination point, the message containing message elements such as Delete Station;
The associated wireless termination point sends a CAPWAP Station Configuration Response message to the associated access controller, containing a Result Code message element that identifies the result of processing the CAPWAP Station Configuration Request message.
The destination access controller notifying the destination wireless termination point to add the station, as described above, may specifically include:
The destination access controller sends a CAPWAP Station Configuration Request message to the destination wireless termination point, the request message containing the Add Station, GB15629.11 Add Station and GB15629.11 Station Session Key message elements; the A bit in the GB15629.11 Station Session Key message element is set to 1 to tell the destination wireless termination point (WTP) to close the controlled port and forward only WLAN Authentication Infrastructure (WAI) protocol data from the corresponding station;
The destination wireless termination point sends a CAPWAP Station Configuration Response message to the destination access controller, the response message containing a Result Code message element that identifies the result of processing the CAPWAP Station Configuration Request message sent by the destination access controller to the destination wireless termination point.
The station and the destination access controller negotiating a session key based on the requested unicast session key or base key, as described above, may specifically include:
When what the destination access controller requested from the associated access controller is the base key, the destination access controller and the station perform WAI unicast key negotiation based on the requested base key. Specifically, this may include: the destination wireless termination point decapsulates WAI unicast key negotiation data that comes from the destination access controller encapsulated in the CAPWAP data encapsulation format, and forwards it to the station; the destination wireless termination point encapsulates WAI unicast key negotiation data from the station in the CAPWAP data encapsulation format and sends it to the destination access controller;
When what the destination access controller requested is the unicast session key, the destination access controller and the station perform WAI multicast key announcement. Specifically, this may include: the destination wireless termination point decapsulates WAI multicast key announcement data that comes from the destination access controller encapsulated in the CAPWAP data encapsulation format, and forwards it to the station; the destination wireless termination point encapsulates WAI multicast key announcement data from the station in the CAPWAP data encapsulation format and sends it to the destination access controller.
The destination access controller telling the destination wireless termination point to open the controlled port, as described above, may specifically include:
The destination access controller sends a CAPWAP Station Configuration Request message to the destination wireless termination point, the request message containing the Add Station, GB15629.11 Add Station and GB15629.11 Station Session Key message elements; the C bit in the Station Session Key message element is set to 1 to tell the destination wireless termination point to open the controlled port corresponding to the station and forward all data from that station, including WAI protocol data and non-WAI protocol data;
The destination wireless termination point sends a CAPWAP Station Configuration Response message to the destination access controller, the response message containing a Result Code message element that identifies the result of processing the CAPWAP Station Configuration Request message sent by the destination access controller to the destination wireless termination point.
The present invention also provides a station switching system for use when WPI is implemented by the access controller in a convergent WLAN, the system comprising:
a destination access controller, an associated access controller, a destination wireless termination point, an associated wireless termination point, and a station;
the station re-associates with the destination access controller through the destination wireless termination point;
the destination access controller requests a unicast session key or base key from the associated access controller;
the associated access controller notifies the associated wireless termination point to delete the station;
the destination access controller notifies the destination wireless termination point to add the station;
the station and the destination access controller negotiate a session key based on the requested unicast session key or base key.
The present invention provides a station switching method and system for use when WPI is implemented by the access controller in a convergent WLAN. The base key or unicast session key produced by WAI negotiation between the STA and the AC is cached; during STA roaming handover, the cached base key or unicast session key is used to generate the session key between the STA and the destination WTP; and station addition, station deletion and key synchronization between the AC and the WTP are carried out with CAPWAP control messages. The invention can therefore implement roaming handover of a STA between WTPs under different ACs quickly and securely.

Brief Description of the Drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an embodiment of the station roaming handover scenario provided by the present invention;
Fig. 2 is a flowchart of an embodiment of the station roaming handover method provided by the present invention.

Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, the present invention caches the base key (Base Key, BK) or unicast session key (Unicast Session Key, USK) produced by WAI (WLAN Authentication Infrastructure) negotiation between the STA and the AC, uses the cached BK or USK during STA roaming handover to generate the session key between the STA and the destination WTP, and carries out STA addition, STA deletion and key synchronization between the AC and the WTP with CAPWAP control messages. It thereby provides a method and system for fast and secure roaming handover of a STA between WTPs under different ACs in a WAPI-based convergent WLAN architecture.
Referring to Fig. 2, in the embodiment of the method provided by the present invention for roaming handover of a STA between WTPs under different ACs, the method may include the following steps:
Step 1: The STA re-associates with the destination AC through the destination WTP. Step 1 may include:
Step 11: The STA passively listens for the beacon frames of the destination WTP to obtain the parameters of the destination WTP, including the WAPI information element, which lists the authentication and key management suites, cipher suites and so on supported by the destination WTP; or the STA actively sends a probe request frame to the destination WTP, the destination WTP returns a probe response frame to the STA after receiving the STA's probe request frame, and on receiving the probe response frame the STA obtains the parameters of the destination WTP, including the WAPI information element, which lists the authentication and key management suites, cipher suites and so on supported by the destination WTP;
Step 12: In local MAC mode, the STA sends a link verification request frame to the destination WTP, requesting link verification with the destination WTP, and the destination WTP sends a link verification response frame to the STA in reply to the STA's link verification request frame; in split MAC mode, the STA sends a link verification request frame to the destination AC, requesting link verification with the destination AC, and the destination AC sends a link verification response frame to the STA in reply to the STA's link verification request frame;
Step 13: After link verification succeeds, the STA sends a reassociation request frame to the destination AC, requesting reassociation with the destination AC. In the reassociation request frame the STA includes the identifier of the currently associated WTP, the identifier of the associated AC, and a WAPI information element that determines the authentication and key management suite, cipher suite and so on selected by the STA; the suites selected by the STA are preferably the same as the suites it selected when it first associated with an AC. The destination AC parses the STA's reassociation request frame and sends a reassociation response frame to the STA.
Step 2: The destination AC requests the USK, the extended unicast session key (Extended USK, EUSK), the BK, or the extended base key (Extended BK, EBK) from the associated AC. Step 2 may include:
Step 21: Over the secure channel established in advance with the associated AC, the destination AC sends USK, EUSK, BK or EBK request information, which contains STA deletion information, to the associated AC.
Step 22: According to the destination AC's USK, EUSK, BK or EBK request information, the associated AC ... where EUSK = F(USK, extension parameters) and EBK = F(BK, extension parameters); the extension parameters are parameters known in advance to the STA and the destination AC, such as the MAC addresses of both parties, and F is a one-way function.
Step 3: The associated AC notifies the associated WTP to delete the STA. Step 3 may include:
Step 31: According to the STA deletion information in the destination AC's USK, EUSK, BK or EBK request information, the associated AC sends a CAPWAP Station Configuration Request message to the associated WTP, the message containing message elements such as Delete Station. The Delete Station message element may include the MAC address of the station.
Step 32: The associated WTP sends a CAPWAP Station Configuration Response message to the associated AC, containing a Result Code message element that identifies the result of processing the CAPWAP Station Configuration Request message.
Step 4: The destination AC notifies the destination WTP to add the STA. Step 4 may include:
Step 41: The destination AC sends a CAPWAP Station Configuration Request message to the destination WTP, the message containing message elements such as Add Station, GB15629.11 Add Station and GB15629.11 Station Session Key; the A bit in the GB15629.11 Station Session Key message element is set to 1 to tell the destination WTP to close the controlled port and forward only WAI protocol data from the corresponding STA;
Step 42: The destination WTP sends a CAPWAP Station Configuration Response message to the destination AC, containing a Result Code message element that identifies the result of processing the CAPWAP Station Configuration Request message.
Step 5: The STA and the destination AC negotiate a session key based on the requested USK, EUSK, BK or EBK. Step 5 may include:
Step 51: When what the destination AC requested from the associated AC is the BK or EBK, the destination AC and the STA perform WAI unicast key negotiation based on the requested BK or EBK. Specifically, this may include: the destination WTP ... decapsulates it and forwards it to the STA; the destination WTP encapsulates WAI unicast key negotiation data from the STA in the CAPWAP data encapsulation format and sends it to the destination AC. When what the destination AC requested from the associated AC is the USK or EUSK, step 51 is skipped and step 52 is performed directly;
Step 52: The destination AC and the STA perform WAI multicast key announcement. Specifically, this may include: the destination WTP ... decapsulates it and forwards it to the STA; the destination WTP encapsulates WAI multicast key announcement data from the STA in the CAPWAP data encapsulation format and sends it to the destination AC.
Step 6: The destination AC tells the destination WTP to open the controlled port. Step 6 may include:
Step 61: The destination AC sends a CAPWAP Station Configuration Request message to the destination WTP, the message containing message elements such as Add Station, GB15629.11 Add Station and GB15629.11 Station Session Key; the C bit in the GB15629.11 Station Session Key message element is set to 1 to tell the destination WTP to open the controlled port corresponding to the STA and forward all data from that STA, including WAI protocol data and non-WAI protocol data. The Add Station message element may include the MAC address of the station.
Step 62: The destination WTP sends a CAPWAP Station Configuration Response message to the destination AC, containing a Result Code message element that identifies the result of processing the CAPWAP Station Configuration Request message.
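The following sketch walks steps 2 to 6 for the EBK case: the extended-key derivation, Delete Station at the associated WTP, and the A/C controlled-port flags at the destination WTP. It is an added example, not code from the patent; HMAC-SHA256 as the one-way function F, the "handover" label, the WAI EtherType constant, the "success"/"failure" stand-ins for the Result Code element, the rejection of a request with both or neither flag set, and all sample keys and MAC addresses are assumptions of this example.

```python
import hashlib
import hmac

WAI_ETHERTYPE = 0x88B4   # EtherType of WAI frames (not stated on the page)
IPV4_ETHERTYPE = 0x0800  # stands in for any non-WAI traffic

# Constructed sample values (locally administered MAC addresses).
CACHED_BK = bytes(range(16))
STA_MAC = bytes.fromhex("020000000001")
DEST_AC_MAC = bytes.fromhex("0200000000a2")


def derive_extended_key(cached_key: bytes, sta_mac: bytes, dest_ac_mac: bytes) -> bytes:
    """EBK = F(BK, ext) or EUSK = F(USK, ext).

    The page only requires F to be one-way and the extension parameters to be
    known in advance to the STA and the destination AC (for example both MAC
    addresses). HMAC-SHA256 and the label are assumptions of this sketch.
    """
    if len(sta_mac) != 6 or len(dest_ac_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    extension = b"handover" + sta_mac + dest_ac_mac
    return hmac.new(cached_key, extension, hashlib.sha256).digest()


class WTP:
    """Per-STA controlled-port table driven by Station Configuration Requests."""

    def __init__(self):
        self.controlled_port_open = {}  # STA MAC -> True (open) / False (closed)

    def add_station(self, sta_mac: bytes, flag_a: bool = False, flag_c: bool = False) -> str:
        """Add Station + Station Session Key element: A=1 closes the port, C=1 opens it."""
        if flag_a == flag_c:
            return "failure"  # assumption: ambiguous request, port state untouched
        self.controlled_port_open[sta_mac] = flag_c
        return "success"

    def delete_station(self, sta_mac: bytes) -> str:
        """Delete Station: forget the STA so nothing more is forwarded for it."""
        if self.controlled_port_open.pop(sta_mac, None) is None:
            return "failure"
        return "success"

    def forwards(self, sta_mac: bytes, ethertype: int) -> bool:
        """Forwarding decision for one frame from sta_mac."""
        state = self.controlled_port_open.get(sta_mac)
        if state is None:
            return False  # unknown STA: drop everything
        return state or ethertype == WAI_ETHERTYPE


def run_handover(cached_bk: bytes, sta_mac: bytes, dest_ac_mac: bytes) -> dict:
    """Replay steps 2 to 6 and record what each WTP forwards at each stage."""
    old_wtp, new_wtp = WTP(), WTP()
    old_wtp.add_station(sta_mac, flag_c=True)  # state before roaming
    trace = {}

    # Step 2: the associated AC derives the EBK and hands it to the destination
    # AC over the secure channel; the STA computes the same value locally.
    ebk_at_dest_ac = derive_extended_key(cached_bk, sta_mac, dest_ac_mac)
    ebk_at_sta = derive_extended_key(cached_bk, sta_mac, dest_ac_mac)
    trace["ebk_matches"] = hmac.compare_digest(ebk_at_dest_ac, ebk_at_sta)
    trace["ebk_differs_from_bk"] = ebk_at_dest_ac != cached_bk

    # Step 3: Delete Station at the associated WTP.
    trace["delete_result"] = old_wtp.delete_station(sta_mac)
    trace["old_wtp_forwards_data"] = old_wtp.forwards(sta_mac, IPV4_ETHERTYPE)

    # Step 4: Add Station with A=1, controlled port closed.
    trace["add_result"] = new_wtp.add_station(sta_mac, flag_a=True)
    trace["wai_while_closed"] = new_wtp.forwards(sta_mac, WAI_ETHERTYPE)
    trace["data_while_closed"] = new_wtp.forwards(sta_mac, IPV4_ETHERTYPE)

    # Step 5 (WAI unicast key negotiation keyed by the EBK) is not modelled.

    # Step 6: Station Configuration Request with C=1, controlled port open.
    trace["open_result"] = new_wtp.add_station(sta_mac, flag_c=True)
    trace["data_after_open"] = new_wtp.forwards(sta_mac, IPV4_ETHERTYPE)
    return trace
```

Because the EBK is bound to the destination AC's address through F, a different destination AC receives a different key and cannot recover the cached BK from it, which is the difference between the derived variant and handing over the BK itself.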
The present invention also provides a station switching system for use when WPI is implemented by the access controller in a convergent WLAN. The system comprises a destination access controller, an associated access controller, a destination wireless termination point, an associated wireless termination point, and a station. The station re-associates with the destination access controller through the destination wireless termination point; the destination access controller requests a unicast session key or base key from the associated access controller; the associated access controller notifies the associated wireless termination point to delete the station; the destination access controller notifies the destination wireless termination point to add the station; the station and the destination access controller negotiate a session key based on the requested unicast session key or base key.
A person of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A station switching method for use when WPI is implemented by an access controller in a convergent WLAN, characterized by comprising:
a station re-associating with a destination access controller through a destination wireless termination point;
the destination access controller requesting a unicast session key or base key from an associated access controller;
the associated access controller notifying an associated wireless termination point to delete the station;
the destination access controller notifying the destination wireless termination point to add the station;
the station and the destination access controller negotiating a session key based on the requested unicast session key or base key;
the destination access controller telling the destination wireless termination point to open the controlled port.
2. The method according to claim 1, characterized in that the station re-associating with the destination access controller through the destination wireless termination point comprises:
the station passively listening for the beacon frames of the destination wireless termination point to obtain the parameters of the destination wireless termination point, including the WAPI information element, which lists the authentication and key management suites and cipher suites supported by the destination wireless termination point; or the station actively sending a probe request frame to the destination wireless termination point, the destination wireless termination point returning a probe response frame to the station after receiving the station's probe request frame, and the station, on receiving the probe response frame, obtaining the parameters of the destination wireless termination point, including the WAPI information element, which lists the authentication and key management suites and cipher suites supported by the destination wireless termination point;
in local medium access control mode, the station sending a link verification request frame to the destination wireless termination point, requesting link verification with the destination wireless termination point, and the destination wireless termination point sending a link verification response frame to the station in reply to the station's link verification request frame; in split medium access control mode, the station sending a link verification request frame to the destination access controller, requesting link verification with the destination access controller, and the destination access controller sending a link verification response frame to the station in reply to the station's link verification request frame;
after link verification succeeds, the station sending a reassociation request frame to the destination access controller, requesting reassociation with the destination access controller, the station including in the reassociation request frame the identifier of the currently associated wireless termination point, the identifier of the associated access controller, and the authentication and key management suite and cipher suite selected by the station as determined by the WAPI information element; wherein the authentication and key management suite and cipher suite selected by the station are respectively the same as the key management suite and cipher suite selected when associating with the associated access controller; the destination access controller parsing the station's reassociation request frame and sending a reassociation response frame to the station.
3. The method according to claim 1 or 2, characterized in that the destination access controller requesting the unicast session key or base key from the associated access controller comprises:
the destination access controller sending unicast session key or base key request information to the associated access controller over a secure channel established in advance with the associated access controller, wherein the unicast session key or base key request information contains station deletion information;
the associated access controller, according to the unicast session key or base key request information of the destination access controller, sending the unicast session key or base key to the destination access controller over the secure channel between the associated access controller and the destination access controller, wherein the unicast session key sent to the destination access controller is either exactly equal to the unicast session key between the station and the associated access controller, or is computed from the unicast session key between the station and the associated access controller by a one-way function using extension parameters; the base key sent to the destination access controller is either exactly equal to the base key between the station and the associated access controller, or is computed from the base key between the station and the associated access controller by a one-way function using extension parameters; the extension parameters are parameters known in advance to the station and the destination access controller.
4. The method according to claim 3, characterized in that the associated access controller notifying the associated wireless termination point to delete the station comprises:
the associated access controller, according to the station deletion information in the unicast session key or base key request information of the destination access controller, sending a Control And Provisioning of Wireless Access Points protocol Station Configuration Request message to the associated wireless termination point, the Station Configuration Request message containing a Delete Station message element;
the associated wireless termination point sending a Control And Provisioning of Wireless Access Points protocol Station Configuration Response message to the associated access controller, the Station Configuration Response message containing a Result Code message element that identifies the result of processing the Station Configuration Request message sent by the associated access controller to the associated wireless termination point.
5. The method according to any one of claims 1-4, characterized in that the destination access controller notifying the destination wireless terminal point to add the station comprises:
the destination access controller sending a wireless access point control and configuration protocol station configuration request message to the destination wireless terminal point, the station configuration request message containing the add station, GB15629.11 add station, and GB15629.11 station session key message elements, wherein A in the GB15629.11 station session key message element is set to 1 to tell the destination wireless terminal point to close the controlled port and forward only WLAN authentication infrastructure protocol data from the corresponding station;
the destination wireless terminal point sending a wireless access point control and configuration protocol station configuration response message to the destination access controller, the station configuration response message containing a result code message element that identifies the result of processing the station configuration request message sent by the destination access controller to the destination wireless terminal point.
6. The method according to any one of claims 1-5, characterized in that the station and the destination access controller negotiating a session key based on the requested unicast session key or base key comprises:
when the destination access controller has requested the base key from the associated access controller, the destination access controller and the station performing WLAN authentication infrastructure unicast key negotiation based on the requested base key;
when the destination access controller has requested the unicast session key from the associated access controller, the destination access controller and the station performing WLAN authentication infrastructure multicast key announcement.
7. The method according to claim 6, characterized in that:
when the destination access controller has requested the base key from the associated access controller, the WLAN authentication infrastructure unicast key negotiation between the destination access controller and the station based on the requested base key comprises: the destination wireless terminal point decapsulating WLAN authentication infrastructure unicast key negotiation data that arrives from the destination access controller encapsulated in the wireless access point control and configuration protocol data encapsulation format, and forwarding it to the station; and the destination wireless terminal point encapsulating WLAN authentication infrastructure unicast key negotiation data from the station in the wireless access point control and configuration protocol data encapsulation format and sending it to the destination access controller;
when the destination access controller has requested the unicast session key from the associated access controller, the WLAN authentication infrastructure multicast key announcement between the destination access controller and the station comprises: the destination wireless terminal point decapsulating WLAN authentication infrastructure multicast key announcement data that arrives from the destination access controller encapsulated in the wireless access point control and configuration protocol data encapsulation format, and forwarding it to the station; and the destination wireless terminal point encapsulating WLAN authentication infrastructure multicast key announcement data from the station in the wireless access point control and configuration protocol data encapsulation format and sending it to the destination access controller.
8. The method according to any one of claims 1-7, characterized in that the destination access controller telling the destination wireless terminal point to open the controlled port comprises:
the destination access controller sending a wireless access point control and configuration protocol station configuration request message to the destination wireless terminal point, the station configuration request message containing the add station, GB15629.11 add station, and GB15629.11 station session key message elements, wherein C in the station session key message element is set to 1 to tell the destination wireless terminal point to open the controlled port corresponding to the station and forward all data from that station, including both WLAN authentication infrastructure protocol data and non-WLAN authentication infrastructure protocol data;
the destination wireless terminal point sending a wireless access point control and configuration protocol station configuration response message to the destination access controller, the station configuration response message containing a result code message element that identifies the result of processing the station configuration request message sent by the destination access controller to the destination wireless terminal point.
9. A system for station switching when WPI is performed by the access controller in a convergent WLAN, characterized by comprising:
a destination access controller, an associated access controller, a destination wireless terminal point, an associated wireless terminal point, and a station;
the station re-associates with the destination access controller through the destination wireless terminal point;
the destination access controller requests the unicast session key or base key from the associated access controller;
the associated access controller notifies the associated wireless terminal point to delete the station;
the destination access controller notifies the destination wireless terminal point to add the station;
the station and the destination access controller negotiate a session key based on the requested unicast session key or base key.
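The base-key path of the handover in claims 3 to 8, as an added example that is not part of the patent text: the associated access controller hands over a derived base key, the destination wireless terminal point adds the station with A set (controlled port closed, WAI data only), and C opens the port only after the key check succeeds. HMAC-SHA256 as the one-way function, the MAC-over-challenge stand-in for WAI unicast key negotiation, the class and function names, and the result code values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

WAI, DATA = "WAI", "DATA"  # WAI protocol frames vs. all other station traffic

def derive_handover_key(key: bytes, ext_param: bytes) -> bytes:
    # One-way derivation of the key handed to the destination AC.
    # HMAC-SHA256 is an assumption; the claims do not name the function.
    return hmac.new(key, ext_param, hashlib.sha256).digest()

@dataclass
class AssociatedAC:
    base_keys: dict  # station id -> base key shared with that station

    def key_request(self, sta: str, ext_param: bytes) -> bytes:
        # Answer the destination AC's request and drop the station locally
        # (stands in for telling the associated WTP to delete the station).
        return derive_handover_key(self.base_keys.pop(sta), ext_param)

@dataclass
class DestinationWTP:
    ports: dict = field(default_factory=dict)  # station id -> "closed" | "open"

    def station_config_request(self, sta: str, flag: str) -> int:
        # flag "A": add station with controlled port closed; flag "C": open it.
        # Returned result codes (0 ok, 1 failure) are constructed values.
        if flag == "A":
            self.ports[sta] = "closed"
        elif flag == "C" and sta in self.ports:
            self.ports[sta] = "open"
        else:
            return 1
        return 0

    def forwards(self, sta: str, kind: str) -> bool:
        state = self.ports.get(sta)
        return state == "open" or (state == "closed" and kind == WAI)

def handover(sta, old_ac, wtp, sta_base_key, ext_param):
    ac_key = old_ac.key_request(sta, ext_param)  # sent over the AC-to-AC secure channel
    if wtp.station_config_request(sta, "A") != 0:
        return None, False
    during = (wtp.forwards(sta, WAI), wtp.forwards(sta, DATA))
    # Stand-in for WAI unicast key negotiation: the station derives the same
    # key from its own copy and proves possession with a MAC over a challenge.
    challenge = secrets.token_bytes(16)
    sta_key = derive_handover_key(sta_base_key, ext_param)
    proof = hmac.new(sta_key, challenge, hashlib.sha256).digest()
    expected = hmac.new(ac_key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(proof, expected):
        return during, False  # key mismatch: controlled port stays closed
    return during, wtp.station_config_request(sta, "C") == 0
```

While the port is closed the destination wireless terminal point forwards only WAI frames, so a station that cannot prove possession of the handed-over key never gets data traffic through.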
PCT/CN2009/075566 2009-05-14 2009-12-14 Method and system for station switching when wpi is implemented by access controller in convergent wlan WO2010130133A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009100225273A CN101557592B (en) 2009-05-14 2009-05-14 STA roaming switching method for completing WPI by AC in convergent-type WLAN and system thereof
CN200910022527.3 2009-05-14

Publications (1)

Publication Number Publication Date
WO2010130133A1 true WO2010130133A1 (en) 2010-11-18

Family

ID=41175481

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075566 WO2010130133A1 (en) 2009-05-14 2009-12-14 Method and system for station switching when wpi is implemented by access controller in convergent wlan

Country Status (2)

Country Link
CN (1) CN101557592B (en)
WO (1) WO2010130133A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557591B (en) * 2009-05-14 2011-01-26 西安西电捷通无线网络通信股份有限公司 STA switching method for completing WPI by WTP in convergent-type WLAN and system thereof
CN101557592B (en) * 2009-05-14 2011-06-01 西安西电捷通无线网络通信股份有限公司 STA roaming switching method for completing WPI by AC in convergent-type WLAN and system thereof
CN101562812B (en) 2009-05-14 2011-06-01 西安西电捷通无线网络通信股份有限公司 STA switching method when WPI is finished by AC in convergence type WLAN and system thereof
CN101562811B (en) 2009-05-14 2011-04-06 西安西电捷通无线网络通信股份有限公司 STA roaming switching method when WPI is finished by WTP in convergence type WLAN and system thereof
CN102883385B (en) * 2011-07-14 2016-06-29 智邦科技股份有限公司 The connection control method of wireless access point and portable wireless device
CN103596161B (en) * 2012-08-14 2016-06-08 杭州华三通信技术有限公司 A kind of wireless roaming method and Access Control device
CN103686890B (en) * 2012-09-07 2016-12-28 中兴通讯股份有限公司 The method and system of wireless local network wireless terminal roaming switching

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050254653A1 (en) * 2004-05-14 2005-11-17 Proxim Corporation Pre-authentication of mobile clients by sharing a master key among secured authenticators
CN101079891A (en) * 2007-06-15 2007-11-28 清华大学 Wireless switching network re-authentication method based on wireless LAN secure standard WAPI
CN101155396A (en) * 2006-09-25 2008-04-02 联想(北京)有限公司 Terminal node switching method
CN101557592A (en) * 2009-05-14 2009-10-14 西安西电捷通无线网络通信有限公司 STA roaming switching method for completing WPI by AC in convergent-type WLAN and system thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11 : Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications - Amendment 1", THE PEOPLE'S REPUBLIC OF CHINA NATIONAL STANDARD GB15629.11-2003/XG1-2006, 27 January 2006 (2006-01-27) *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8514827B2 (en) 2005-10-13 2013-08-20 Trapeze Networks, Inc. System and network for wireless network monitoring
US8966018B2 (en) 2006-05-19 2015-02-24 Trapeze Networks, Inc. Automated network device configuration and network deployment
US10834585B2 (en) 2006-06-09 2020-11-10 Trapeze Networks, Inc. Untethered access point mesh system and method
US8818322B2 (en) 2006-06-09 2014-08-26 Trapeze Networks, Inc. Untethered access point mesh system and method
US9258702B2 (en) 2006-06-09 2016-02-09 Trapeze Networks, Inc. AP-local dynamic switching
US9838942B2 (en) 2006-06-09 2017-12-05 Trapeze Networks, Inc. AP-local dynamic switching
US10327202B2 (en) 2006-06-09 2019-06-18 Trapeze Networks, Inc. AP-local dynamic switching
US10798650B2 (en) 2006-06-09 2020-10-06 Trapeze Networks, Inc. AP-local dynamic switching
US11432147B2 (en) 2006-06-09 2022-08-30 Trapeze Networks, Inc. Untethered access point mesh system and method
US11627461B2 (en) 2006-06-09 2023-04-11 Juniper Networks, Inc. AP-local dynamic switching
US11758398B2 (en) 2006-06-09 2023-09-12 Juniper Networks, Inc. Untethered access point mesh system and method
US8340110B2 (en) 2006-09-15 2012-12-25 Trapeze Networks, Inc. Quality of service provisioning for wireless networks
US8902904B2 (en) 2007-09-07 2014-12-02 Trapeze Networks, Inc. Network assignment based on priority
US8509128B2 (en) 2007-09-18 2013-08-13 Trapeze Networks, Inc. High level instruction convergence function
EP2461624A1 (en) * 2010-12-01 2012-06-06 Juniper Networks, Inc. System, apparatus and methods for highly scalable continuous roaming within a wireless network

Also Published As

Publication number Publication date
CN101557592B (en) 2011-06-01
CN101557592A (en) 2009-10-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09844544

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09844544

Country of ref document: EP

Kind code of ref document: A1