
CN113543131B - Network connection management method, device, computer readable medium and electronic device - Google Patents

Info

Publication number: CN113543131B
Authority: CN (China)
Prior art keywords: access point; key; access; dynamic key; equipment
Legal status: Active
Application number: CN202110780040.2A
Other languages: Chinese (zh)
Other versions: CN113543131A (en)
Inventor: 赵乾
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202110780040.2A; publication of CN113543131A; application granted; publication of CN113543131B; legal status Active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the present application provide a network connection management method and device, a computer-readable medium and an electronic device. The network connection management method includes: receiving a dynamic key for connecting to an access point device; if an access request containing the dynamic key is received from a station device, responding to the access request and establishing a connection with the station device; after the connection with the station device is successfully established, associating the physical address of the station device with the dynamic key to generate an association relation between the physical address and the dynamic key; and passing the association relation to other access point devices so that they can verify, according to the association relation, access requests that the station device initiates based on the dynamic key. The technical solution of these embodiments can improve the efficiency with which station devices access access point devices.

Description

Network connection management method, device, computer readable medium and electronic equipment
Technical Field
The present application relates to the field of computers and communication technologies, and in particular, to a network connection management method, a device, a computer readable medium, and an electronic apparatus.
Background
With the development of WLAN (Wireless Local Area Network) technology, some application scenarios, such as an enterprise WLAN, require a large number of station devices (STAs) to access an AP (Access Point). In such scenarios, how to effectively manage the network connections of the station devices is a technical problem to be solved.
Disclosure of Invention
The embodiments of the application provide a network connection management method and device, a computer readable medium and electronic equipment, which can improve, at least to some extent, the efficiency with which station devices access access point devices.
Other features and advantages of the application will be apparent from the following detailed description, or may be learned by the practice of the application.
According to one aspect of the embodiments of the application, a network connection management method is provided, which comprises: receiving a dynamic key for connecting to an access point device; if an access request containing the dynamic key is received from a station device, responding to the access request and establishing a connection with the station device; after the connection with the station device is successfully established, associating the physical address of the station device with the dynamic key to generate an association relation between the physical address and the dynamic key; and transmitting the association relation to other access point devices, so that the other access point devices verify, according to the association relation, access requests that the station device initiates based on the dynamic key.
According to one aspect of the embodiments of the application, a network connection management method is provided, which comprises: in response to a key application request, allocating a dynamic key for connecting to an access point device; sending the dynamic key to the access point device and to the initiator of the key application request, so that the access point device verifies received access requests based on the dynamic key; receiving, from the access point device, an association relation between a physical address and the dynamic key, where the physical address belongs to a station device that has successfully accessed the access point device based on the dynamic key; and sending the association relation to other access point devices, so that the other access point devices verify, based on the association relation, access requests that the station device initiates based on the dynamic key.
According to one aspect of the embodiments of the application, a network connection management method is provided, which comprises: receiving an association relation between a physical address and a dynamic key, the association relation having been generated by another access point device from the dynamic key and the physical address of a station device that used the dynamic key to successfully establish a connection with that other access point device; if an access request sent by a designated device is received, acquiring the physical address of the designated device and the access key contained in the access request; and verifying the access request according to the association relation, the physical address of the designated device and the access key contained in the access request.
According to one aspect of the embodiments of the application, a network connection management device is provided, comprising a first receiving unit, a first processing unit, a first generating unit and a transmission unit. The first receiving unit is configured to receive a dynamic key used for connecting to an access point device; the first processing unit is configured to respond to an access request that is sent by a station device and contains the dynamic key, and to establish a connection with the station device; the first generating unit is configured to associate the physical address of the station device with the dynamic key after the connection with the station device is successfully established, and to generate an association relation between the physical address and the dynamic key; and the transmission unit is configured to transmit the association relation to other access point devices so that they can verify, according to the association relation, access requests initiated by the station device based on the dynamic key.
In some embodiments of the application, based on the foregoing solution, the first receiving unit is configured to receive a dynamic key for connecting to the access point device sent by an access point management platform, or to receive a preconfigured dynamic key for connecting to the access point device.
In some embodiments of the application, based on the foregoing solution, the transmission unit is configured to send the association relation to an access point management platform, which forwards it to the other access point devices, or to send the association relation to the other access point devices directly over a communication link between this access point device and the other access point devices.
In some embodiments of the application, based on the foregoing solution, the first receiving unit is further configured to receive a validity period of the dynamic key, and the first processing unit is configured to determine, according to the validity period, whether the dynamic key included in the access request is within the validity period, and, if it is, to establish a connection with the station device.
In some embodiments of the present application, based on the foregoing scheme, the transmission unit is further configured to transmit a validity period of the dynamic key to the other access point device, so that the other access point device verifies, according to the association relationship, the access request initiated by the station device based on the dynamic key within the validity period.
According to one aspect of the embodiments of the application, a network connection management device is provided, comprising: an allocation unit configured to allocate, in response to a key application request, a dynamic key for connecting to an access point device; a first sending unit configured to send the dynamic key to the access point device and to the initiator of the key application request, so that the access point device verifies received access requests based on the dynamic key; a second receiving unit configured to receive, from the access point device, an association relation between a physical address and the dynamic key, where the physical address belongs to a station device that has successfully accessed the access point device based on the dynamic key; and a second sending unit configured to send the association relation to other access point devices so that they verify, based on the association relation, access requests that the station device initiates based on the dynamic key.
In some embodiments of the application, based on the foregoing solution, the network connection management device further comprises a second generating unit configured to generate a validity period for the dynamic key, and the first sending unit is further configured to send the validity period to the access point device, so that the access point device verifies received access requests based on the dynamic key within the validity period.
In some embodiments of the application, based on the foregoing solution, the allocation unit is further configured to receive, before responding to the key application request, a key application request sent by an application server, where the application server sends the key application request after it has authenticated the application client that initiated the key application.
According to one aspect of the embodiments of the application, a network connection management device is provided, comprising: a third receiving unit configured to receive an association relation between a physical address and a dynamic key, the association relation having been generated by another access point device from the dynamic key and the physical address of a station device that used the dynamic key to successfully establish a connection with that other access point device; an obtaining unit configured, if an access request sent by a designated device is received, to obtain the physical address of the designated device and the access key contained in the access request; and a verification unit configured to verify the access request according to the association relation, the physical address of the designated device and the access key contained in the access request.
In some embodiments of the application, based on the foregoing solution, the verification unit is configured to determine that verification of the access request succeeds if, according to the association relation, the physical address of the designated device is associated with the access key included in the access request, and to reject the access request if the physical address of the designated device does not exist in the association relation.
In some embodiments of the application, based on the foregoing, the third receiving unit is further configured to receive a validity period of the dynamic key, and the verifying unit is configured to verify the access request according to the association relationship, the physical address of the specified device, and the access key included in the access request during the validity period.
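The three methods above (the access point that first admits the station, the management platform that issues the key, and the other access points that verify by association) together form one flow. The following is an added example written for this page, not code from the patent or from Tencent, that models that flow in Python with constructed MAC addresses, key values and clock values. It keeps the checks the text names: the first access point accepts only a dynamic key it was issued and that is within its validity period, records the physical-address/key association and pushes it to its peers; another access point accepts a request only when the presenting physical address is already associated with that exact key and the key is still valid, and rejects an unknown physical address. The page does not spell out the case of a known physical address presenting a different key; this example rejects it, which is an assumption.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class DynamicKey:
    value: str          # the dynamic key allocated by the management platform
    expires_at: float   # end of the validity period, seconds since the epoch


@dataclass
class AccessPoint:
    """One access point device. It holds the dynamic keys it was issued and the
    physical-address -> dynamic-key associations it has learned, either from its own
    successful connections or from other access points."""
    name: str
    keys: dict = field(default_factory=dict)          # key value -> DynamicKey
    associations: dict = field(default_factory=dict)  # station MAC -> DynamicKey

    def receive_key(self, key: DynamicKey) -> None:
        self.keys[key.value] = key

    def handle_access_request(self, sta_mac: str, presented_key: str,
                              peers: list, now: float) -> bool:
        """First-access path: accept only a key this AP was issued and that is still within
        its validity period; then record the MAC/key association and push it to the peers
        over the AP-to-AP link."""
        key = self.keys.get(presented_key)
        if key is None or now > key.expires_at:
            return False
        self.associations[sta_mac] = key
        for peer in peers:
            peer.receive_association(sta_mac, key)
        return True

    def receive_association(self, sta_mac: str, key: DynamicKey) -> None:
        self.associations[sta_mac] = key

    def verify_by_association(self, sta_mac: str, presented_key: str, now: float) -> bool:
        """Other-AP path: reject an unknown MAC; otherwise the presented key must equal the
        associated key (compared in constant time) and still be within its validity period.
        Assumption: a known MAC presenting a different key is rejected (the page is silent on it)."""
        key = self.associations.get(sta_mac)
        if key is None or now > key.expires_at:
            return False
        return hmac.compare_digest(key.value.encode(), presented_key.encode())


class ManagementPlatform:
    """Access point management platform: allocates a dynamic key with a validity period in
    response to a key application request and sends it to the access points (and, in the
    patent's flow, to the applicant, who hands it to the station device)."""

    def __init__(self, aps: list, validity_seconds: float) -> None:
        self.aps = aps
        self.validity_seconds = validity_seconds

    def issue_key(self, now: float) -> DynamicKey:
        key = DynamicKey(secrets.token_hex(16), now + self.validity_seconds)
        for ap in self.aps:
            ap.receive_key(key)
        return key


def run_scenario() -> dict:
    """Constructed walk-through: one platform, two APs, a station that first joins AP-1 and
    then roams to AP-2. Returns the accept/reject outcome of each check."""
    ap1, ap2 = AccessPoint("AP-1"), AccessPoint("AP-2")
    platform = ManagementPlatform([ap1, ap2], validity_seconds=3600)
    t0 = 1_700_000_000.0                          # constructed clock value
    key = platform.issue_key(now=t0)              # handed to the station out of band
    sta = "02:aa:bb:cc:dd:02"                     # constructed station MAC
    return {
        "first_access_ap1": ap1.handle_access_request(sta, key.value, peers=[ap2], now=t0 + 1),
        "roam_to_ap2": ap2.verify_by_association(sta, key.value, now=t0 + 2),
        "unknown_mac_ap2": ap2.verify_by_association("02:aa:bb:cc:dd:99", key.value, now=t0 + 2),
        "wrong_key_ap2": ap2.verify_by_association(sta, "not-the-key", now=t0 + 2),
        "expired_ap2": ap2.verify_by_association(sta, key.value, now=t0 + 3601),
        "wrong_key_ap1": ap1.handle_access_request("02:aa:bb:cc:dd:03", "not-the-key",
                                                   peers=[ap2], now=t0 + 1),
    }


if __name__ == "__main__":
    for check, accepted in run_scenario().items():
        print(f"{check:18s} -> {'accept' if accepted else 'reject'}")
```

The validity period is carried with the key object itself, so it travels with the association to the other access points, which is the variant in which the validity period is transmitted along with the association relation; the platform-forwarding variant differs only in who calls `receive_association`.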
According to an aspect of the embodiments of the present application, there is provided a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements a network connection management method as described in the above embodiments.
According to an aspect of an embodiment of the present application, there is provided an electronic device including one or more processors, and a storage device for storing one or more programs, which when executed by the one or more processors, cause the one or more processors to implement the network connection management method as described in the above embodiment.
According to an aspect of embodiments of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the network connection management method provided in the above-described various alternative embodiments.
In the technical solutions provided in some embodiments of the application, an access point device receives a dynamic key for connecting to that access point device; when it receives an access request from a station device that includes the dynamic key, it responds to the access request and establishes a connection with the station device; after the connection is successfully established, it associates the physical address of the station device with the dynamic key to generate an association relation between the two; and it then transmits the association relation to other access point devices, so that those devices verify, according to the association relation, access requests that the station device initiates based on the dynamic key. Thus, after a station device has accessed one access point device with the dynamic key, that access point device can bind the station device's physical address to the dynamic key and pass the association relation on to other access point devices, so that the station device can access those other access point devices quickly and conveniently, improving the efficiency of its access to them.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. It is evident that the drawings in the following description are only some embodiments of the present application and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art. In the drawings:
Fig. 1 shows a schematic diagram of WPA/WPA2-PSK authentication;
Fig. 2 shows a schematic diagram of WPA/WPA2-PPSK authentication;
Fig. 3 shows a flow chart for establishing a connection between a STA and an AP;
Fig. 4 shows a schematic diagram of four-way handshake authentication between a STA and an AP;
Fig. 5 shows a schematic diagram of key generation during authentication of a STA and an AP;
Fig. 6 shows a schematic diagram of a configuration interface for Portal authentication;
Fig. 7 shows a flow chart of a network connection management method according to an embodiment of the application;
Fig. 8 shows a flow chart of a network connection management method according to an embodiment of the application;
Fig. 9 shows a flow chart of a network connection management method according to an embodiment of the application;
Fig. 10 shows a schematic view of a cloud AP scenario according to an embodiment of the application;
Fig. 11 shows a system architecture diagram of a cloud AP scenario according to an embodiment of the application;
Fig. 12 shows a flow chart of a network connection management method according to an embodiment of the application;
Fig. 13 shows a schematic diagram of a one-touch networking interface according to an embodiment of the application;
Fig. 14 shows a flow chart of a network connection management method according to an embodiment of the application;
Fig. 15 shows a schematic diagram of a function selection interface according to an embodiment of the application;
Fig. 16 shows a block diagram of a network connection management apparatus according to an embodiment of the application;
Fig. 17 shows a block diagram of a network connection management apparatus according to an embodiment of the application;
Fig. 18 shows a block diagram of a network connection management apparatus according to an embodiment of the application;
Fig. 19 shows a schematic diagram of a computer system suitable for implementing an embodiment of the application.
Detailed Description
Example embodiments are now described in a more complete manner with reference being made to the figures. However, the exemplary embodiments are capable of being embodied in various forms and should not be construed as limited to only these examples, but rather, the embodiments are provided so as to more fully and completely embody the principles of the exemplary embodiments and to fully convey the concept of the exemplary embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics of the application may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the application. However, it will be recognized by one skilled in the art that the present inventive arrangements may be practiced without all of the specific details of the embodiments, that one or more specific details may be omitted, or that other methods, elements, devices, steps, etc. may be used.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It should be noted that the term "plurality" as used herein means two or more. "And/or" describes an association between the associated objects and indicates that three relationships are possible; for example, "A and/or B" covers the three cases A alone, A and B together, and B alone. The character "/" generally indicates an "or" relationship between the objects around it.
WPA stands for Wi-Fi Protected Access. It exists in three versions, WPA, WPA2 and WPA3, and is a system for protecting the security of wireless networks. WPA/WPA2-PSK (Pre-Shared Key) is an authentication mode based on a pre-distributed shared key; its encryption mode and key verification mode offer relatively high security. As shown in Fig. 1, when WPA/WPA2-PSK authentication is used, the access key is the same for all station devices connected to a given SSID (Service Set Identifier) of access point device 101; for example, the PSK of station device 102 and station device 103 is "12345".
WPA/WPA2-PPSK (Private PSK) authentication inherits the advantages of WPA/WPA2-PSK authentication, is simple to deploy, can provide different pre-shared keys to different station devices, and effectively improves the security of the network. When WPA/WPA2-PPSK authentication is used, station devices connected to the same SSID may have different access keys, different authorizations may be issued to different users, and if a user owns several station devices, those devices may all connect to the network through the same PPSK account. As shown in Fig. 2, station device 202 and station device 203, connected to the same SSID of access point device 201, may use the same PSK, while station device 204 may use a PSK different from that of station devices 202 and 203.
The connection procedure and the key negotiation procedure between STA and AP are the same whether WPA/WPA2-PSK or WPA/WPA2-PPSK is used.
As shown in fig. 3, the process of establishing a connection between a station device STA and an access point device AP mainly includes:
Step S301, scan stage (Scan).
Specifically, the STA searches for APs by scanning; when the STA roams and needs to find a new AP, it searches on each available channel. Scanning can be active (Active Scanning) or passive (Passive Scanning).
In active scanning, the STA sends Probe Request frames on each channel (channels 1 to 13) in turn, looking for an AP with the SSID it belongs to, and keeps scanning if no AP with that SSID is found. Active scanning finds an AP quickly.
In passive scanning, the STA discovers the network by listening for the Beacon frames that the AP sends periodically; these frames carry information about the AP and the BSS (Basic Service Set) it belongs to. Passive scanning takes longer to find an AP but reduces the STA's power consumption.
Step S302, authentication stage (Authentication).
Specifically, after the STA finds APs whose SSID matches, it selects among them the AP with the strongest received signal and enters the authentication phase; only a STA that passes identity authentication can perform wireless access. The authentication methods offered by the AP include open-system authentication, shared-key authentication, pre-shared key authentication (WPA PSK) and others.
In open-system authentication, the STA sends an authentication request and the authentication server responds on receiving it. In shared-key authentication, the STA sends an authentication request; the authentication server replies with a challenge text; the STA encrypts the challenge text with the preset key and sends the ciphertext to the authentication server; the authentication server decrypts it with the preset key and compares the result with the challenge text it sent; if they match, authentication passes.
Step S303, association stage (Association).
Specifically, once the AP returns an authentication response and the STA's identity authentication has passed, the STA enters the association phase. In the association phase, the STA sends an association request to the AP and the AP returns an association response. Roaming comes into play when a STA moves: when roaming within the same network, re-authentication is not required and only re-association is needed. Once association between AP and STA is complete, the STA's access procedure is complete, i.e., the connection between the STA and the AP has succeeded.
Four-way EAPOL (Extensible Authentication Protocol OVER LAN, extended authentication protocol over local area network) based handshaking procedures between STA and AP are required to generate the required keys before data transmission takes place. Specific procedure as shown in fig. 4, the STA acts as a Supplicant (Supplicant) and the AP acts as an Authenticator (Authenticator) to perform the four-way handshake procedure.
In the four-way handshake process, message 1 is an EAPOL-Key frame carrying an a-Nonce sent by an authenticator to a supplicant in a unicast manner. Where a-Nonce is a random number generated by the authenticator.
After receiving message 1, the supplicant, because the supplicant has obtained the a-Nonce and AA (Authenticator MAC addresses, i.e., the MAC address of the authenticator) while the supplicant has possession of the PMK (PAIRWISE MASTER KEY, i.e., the pairwise master key, typically a set of random numbers) and the SPA (i.e., the MAC address of the supplicant), can calculate the PTK (PAIRWISE TRANSIENT KEY, the pairwise temporary key) by the following function:
PTK=PRF(PMK+A-Nonce+S-Nonce+AA+SPA)
Wherein PRF represents pseudorandom function, namely a pseudo-random function, S-Nonce is a random number generated by a requester, and PMK in the formula is set by the requester. The generated PTK contains 3 parts, KCK (Key Confirmation Key, key validation Key), KEK (Key Encryption Key ) and TK (Temporal Key). The KCK is used to calculate the integrity of the key generation message, the KEK is used to encrypt the key generation message, and the TK is actually used to encrypt the data.
In the four-way handshake process, the message 2 is that after the requester generates the PTK, the information such as S-Nonce, MIC (MESSAGE INTEGRITY code, i.e. message integrity check code, which is a hash value calculated for a set of data to be protected and used to prevent the data from being tampered) is sent to the authenticator through the second EAPOL-Key frame. Wherein the MIC value in message 2 is encrypted by KCK (Key Confirmation Key ).
After the authenticator receives the message 2, the S-Nonce in the message 2 is fetched, and a similar calculation as in the requester is performed to verify whether the message returned by the requester is correct, specifically, to perform an integrity check on the received MIC and the MIC generated by itself. If incorrect, i.e. the MIC integrity check fails, a requester PMK error is indicated and the entire handshake operation is stopped.
If the authenticator verifies that the message returned by the supplicant is correct, the authenticator generates a PTK and a GTK (Group Temporal Key, group temporary key). The GTK is an encryption key used to encrypt multicast and broadcast data streams.
In the four-way handshake, message 3 is the third EAPOL-Key frame, which the authenticator sends to the supplicant after generating the PTK and the GTK; it carries the GTK and a MIC. The GTK is encrypted with the KEK and the MIC is encrypted with the KCK.
After receiving message 3, the supplicant likewise performs some calculations to determine whether the authenticator's PMK is correct. If the check passes, the requester sends the final EAPOL-Key frame to the authenticator as message 4, and if authentication succeeds, both the requester and the authenticator install the keys, which means that the keys are put into use to encrypt data. Specifically, the supplicant installs the PTK and the GTK, and the authenticator installs the PTK.
Once the requester and the authenticator have completed authentication, the controlled port of the authenticator is opened so that 802.11 data frames can be transmitted normally; all unicast data frames are protected by encryption with the PTK, and all multicast and broadcast data are protected by encryption with the GTK.
The key generation process during authentication is shown in fig. 5: the PMK is generated from the ESSID (Extended Service Set Identifier) and the PSK, for example by the SHA-1 (Secure Hash Algorithm 1) algorithm. The PTK is generated from the requester MAC (i.e., the STA MAC), the authenticator MAC (which may be represented by the BSSID), the PMK, and the A-Nonce and S-Nonce obtained in the four-way handshake. The ciphertext and the MIC may then be encrypted with the PTK. The encryption may be performed by AES (Advanced Encryption Standard) or TKIP (Temporal Key Integrity Protocol).
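As an added example that is not part of the patent, the following Python carries the key chain of fig. 5 through end to end: PBKDF2-HMAC-SHA1 for the PMK (the derivation WPA2-PSK specifies), the 802.11 PRF for the PTK split into KCK, KEK and TK, and the KCK-based MIC check the authenticator performs on message 2, which fails both for a wrong PMK and for a frame altered in transit. The EAPOL-Key frame layout is simplified, and the SSID, MAC addresses, nonces and passphrases are constructed sample values.

```python
import hashlib
import hmac

# Added example, not from the patent: PMK -> PTK = KCK | KEK | TK -> MIC,
# plus the authenticator's check at message 2. Sizes are those of CCMP
# (PTK 384 bits). All parameters below are constructed sample values.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-X: concatenate HMAC-SHA1(key, label | 0x00 | data | i), i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> tuple:
    """PTK from the PMK, authenticator MAC (aa), supplicant MAC (spa) and both nonces.

    Inputs are ordered min/max, so both sides derive the same PTK no matter
    which side computes it. Returns (KCK, KEK, TK), 16 bytes each.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """EAPOL-Key MIC (key descriptor version 2): HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def build_message2(kck: bytes, snonce: bytes) -> tuple:
    """Supplicant side: simplified EAPOL-Key body (descriptor byte + S-Nonce) and its MIC."""
    frame = b"\x02" + snonce          # MIC field is zero while the MIC is computed
    return frame, eapol_key_mic(kck, frame)


def message2_check(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes,
                   frame: bytes, mic: bytes) -> bool:
    """Authenticator side: take S-Nonce from the frame, rebuild the PTK, recompute the MIC."""
    snonce = frame[1:33]
    kck, _kek, _tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_key_mic(kck, frame), mic)


# Constructed sample handshake parameters.
SSID = "ExampleCorp"
AA = bytes.fromhex("020000000001")     # authenticator MAC (BSSID)
SPA = bytes.fromhex("020000000002")    # supplicant (STA) MAC
ANONCE = bytes(range(32))              # 32-byte nonces
SNONCE = bytes(range(32, 64))


def simulate_message2(supplicant_pass: str, authenticator_pass: str, tamper: bool = False) -> bool:
    """Supplicant builds message 2 from its PMK; the authenticator checks it with its own PMK."""
    s_kck, _, _ = derive_ptk(derive_pmk(supplicant_pass, SSID), AA, SPA, ANONCE, SNONCE)
    frame, mic = build_message2(s_kck, SNONCE)
    if tamper:
        frame = b"\x02" + bytes(31) + b"\x01"   # S-Nonce altered in transit, MIC unchanged
    return message2_check(derive_pmk(authenticator_pass, SSID), AA, SPA, ANONCE, frame, mic)


if __name__ == "__main__":
    print("same PSK:", simulate_message2("correct horse", "correct horse"))              # True
    print("wrong PSK:", simulate_message2("correct horse", "wrong horse"))               # False
    print("tampered:", simulate_message2("correct horse", "correct horse", tamper=True))  # False
```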
In enterprise WLANs, WPA/WPA2-PPSK authentication is widely used because each user can have a different key while configuration and deployment remain simple. However, this method requires the key of every user to be stored on the access authentication device, that is, the access authentication device must maintain a separate key list; if the key list is large, the time needed to verify a key entered by a user increases greatly. Moreover, with a large number of keys, a malicious device that deliberately enters wrong keys as an attack can render the access authentication device unable to work, and it is difficult to prevent mixed use of keys in this mode.
In addition, a Portal authentication method is also used in the related art. A Portal is a web site that acts as a gateway to the Internet; the Wi-Fi provider first needs to configure Portal authentication, and the configuration interface shown in fig. 6 requires setting a Portal URL (Uniform Resource Locator), an authentication Key, an authentication Secret, an authentication URL, a whitelist, a Check URL, a network type, and so on. After configuration is complete, a user can connect to the Wi-Fi without a password; the Portal authentication page then pops up in the browser, the user fills in the authentication user name and password, and only then can the user actually access the Internet through the Wi-Fi network. This authentication scheme is cumbersome to operate, and Portal authentication has compatibility problems: on some terminals (such as the mobile phones of certain manufacturers) the Portal authentication page fails to pop up after connecting to the Wi-Fi, so authentication cannot be performed.
To address the above problems, the embodiments of the present application provide a new network connection management scheme, which associates the access key of a device to be accessed with its physical address. When the access point device verifies an access request, on the one hand it can check whether the physical address of the device to be accessed exists in the association relationship, which prevents malicious devices from frequently initiating access requests and degrading the performance of the access point device; on the other hand, when the physical address of the device to be accessed exists in the association relationship, the access key contained in the access request can be quickly verified against the access key corresponding to that physical address, which improves the efficiency of network access verification and at the same time avoids the problem of mixed use of access keys.
Furthermore, in some scenarios the same user may have multiple station devices, some of which (such as printers and scanners) cannot present a convenient, functional visual interface for accessing a network. For this situation, there is an urgent need to guarantee that such devices can still access the network easily. For this scenario, the embodiments of the present application propose that a dynamic key can be distributed to the station device; after the station device accesses the network based on the dynamic key, the access point device can associate the physical address of the station with the dynamic key and send the association to other access point devices, so that when the station device moves into the range of another access point device, efficient network access can still be achieved. The specific implementation details are as follows:
Fig. 7 shows a flow chart of a network connection management method according to an embodiment of the application, which may be performed by an access point device. Referring to fig. 7, the network connection management method includes at least steps S710 to S740, described in detail as follows:
In step S710, a dynamic key for connecting to the access point device is received.
In one embodiment of the application, the access point device may receive a dynamic key for connecting to the access point device that is sent by the access point management platform. In this case, the access point management platform may assign a dynamic key in response to a key application request initiated by a user, after which the dynamic key is returned on the one hand to the user and on the other hand to the access point device.
Alternatively, the user may initiate the key application request on an application client; the application client sends the key application request to the application server, and the application server then forwards it to the access point management platform. In this case, after generating the dynamic key, the access point management platform may send it to the application server, and the application server then feeds the dynamic key back to the application client.
In one embodiment of the application, the access point device may also receive a pre-configured dynamic key for connecting to the access point device. In this case, the user also needs to obtain the pre-configured dynamic key in order to initiate a connection to the access point device.
In one embodiment of the application, the dynamic key may also have a validity period, in which case the access point device also needs to receive the validity period of the dynamic key in order to perform access management based on it. The technical scheme of this embodiment also allows the dynamic key to be managed through its validity period, avoiding the access management confusion that untimely use of a dynamic key would cause.
In step S720, if an access request containing the dynamic key is received from a station device, a connection is established with the station device in response to the access request.
In one embodiment of the application, after the user has acquired the dynamic key, the user provides it to the station device so that the station device can initiate the access request. For example, a user may establish a Bluetooth connection with the station device (e.g., a printer device or scanner device) via a smart phone, enter the dynamic key into an interface provided by the smart phone, and the smart phone then transmits the dynamic key to the station device. Alternatively, the user may enter the dynamic key in an interface provided by the station device itself, and the station device initiates the access request based on the dynamic key.
Optionally, if the dynamic key has a validity period, the access point device needs to determine whether the dynamic key included in the access request is within the validity period according to the validity period, and if the dynamic key included in the access request is within the validity period and matches with the dynamic key received by the access point device in advance, the access point device will establish a connection with the station device.
In step S730, after the connection is successfully established with the station device, the physical address of the station device is associated with the dynamic key, and an association relationship between the physical address and the dynamic key is generated.
In one embodiment of the present application, the physical address of the station device may be a MAC (Media Access Control) address. Alternatively, in order to improve the query efficiency of the dynamic key, a hash table may be generated from the association relationship between the dynamic key and the physical address, that is, the association relationship between the physical address and the dynamic key may be embodied in the form of a hash table.
In step S740, the association relationship between the physical address and the dynamic key is transferred to other access point devices, so that the other access point devices verify the access request initiated by the station device based on the dynamic key according to the association relationship.
In one embodiment of the application, the access point device may send the association to the access point management platform to cause the access point management platform to forward the association to other access point devices.
In one embodiment of the application, the access point device may also send the association to other access point devices over a communication link with the other access point devices. The technical scheme of the embodiment is suitable for application scenes in which communication links are established between access point devices.
Optionally, if the dynamic key has a validity period, the access point device needs to transmit the validity period of the dynamic key to other access point devices, so that the other access point devices verify, according to the association relationship, the access request initiated by the station device based on the dynamic key within the validity period.
Fig. 7 illustrates the technical solution of an embodiment of the present application from the perspective of an access point device; the following describes the technical solution of the embodiment from the perspective of the access point management platform:
Fig. 8 illustrates a flow chart of a network connection management method according to one embodiment of the application, which may be performed by an access point management platform, i.e. a platform for access management. Referring to fig. 8, the network connection management method includes at least steps S810 to S840, described in detail as follows:
In step S810, a dynamic key for connecting to the access point device is allocated in response to a key application request.
In one embodiment of the present application, the key application request may be initiated by a terminal device of the user. For example, the user may have several terminal devices, some of which (such as a printer device or scanner device) cannot conveniently access the network; in this case the user may use a smart phone to initiate the key application request to the access point management platform, so that the other terminal devices can access the network based on the dynamic key fed back by the access point management platform.
Alternatively, the user's terminal device may directly establish a connection with the access point management platform to initiate the key application request. Or the user's terminal device may initiate the key application request to the access point management platform through a designated application program: for example, the user initiates the key application request on the application client, the application client sends it to the application server, and the application server forwards it to the access point management platform. In this case, after generating the dynamic key, the access point management platform may send it to the application server, and the application server then feeds the dynamic key back to the application client.
Optionally, the access point management platform may further generate a validity period of the dynamic key, and then send the validity period of the dynamic key to the access point device, so that the access point device verifies the received access request based on the dynamic key within the validity period.
In step S820, the dynamic key is sent to the access point device and the initiator of the key application request, so that the access point device verifies the received access request based on the dynamic key.
Optionally, after receiving the dynamic key sent by the access point management platform, the access point device may, upon receiving an access request, verify whether the dynamic key in the access request matches the dynamic key it obtained from the access point management platform, and if they match, determine that the access request passes verification. If the dynamic key has a validity period, the access point device also needs to determine whether the dynamic key is within the validity period; if it is not, an access request using that dynamic key will not pass verification.
In step S830, an association relationship between a physical address and the dynamic key, transmitted by the access point device, is received, where the physical address is the address of a station device that successfully accessed the access point device based on the dynamic key.
Alternatively, the process of generating the association relationship between the dynamic key and the physical address by the access point device may refer to the technical solution of the foregoing embodiment, which is not described herein.
In step S840, the association between the physical address and the dynamic key is sent to the other access point device, so that the other access point device verifies, based on the association, the access request initiated by the station device based on the dynamic key.
In the embodiment of the application, the association relationship between the physical address and the dynamic key is sent to other access point devices, so that when the station device moves into the coverage area of another access point device, that access point device can quickly perform access verification of the station device based on the association relationship between the physical address and the dynamic key, which effectively improves the efficiency of accessing the network.
The following describes the technical solution of the embodiment of the present application from the perspective of an access point device that receives an association relationship between a physical address and a dynamic key:
Fig. 9 shows a flow chart of a network connection management method according to an embodiment of the application, which may be performed by an access point device. Referring to fig. 9, the network connection management method at least includes steps S910 to S930, and is described in detail as follows:
In step S910, an association relationship between the physical address and the dynamic key is received, the association relationship being generated by other access point devices according to the dynamic key and the physical address of the station device that uses the dynamic key and successfully establishes a connection with the other access point.
Alternatively, the process of generating the association relationship between the physical address and the dynamic key by the access point device may refer to the foregoing embodiment, and will not be described in detail.
In one embodiment of the present application, the access point device may directly receive the association relationship between the physical address and the dynamic key sent by other access point devices, or may receive the association relationship between the physical address and the dynamic key forwarded by the access point management platform.
In step S920, if an access request sent by the designated device is received, the physical address of the designated device and the access key included in the access request are acquired.
In an embodiment of the application, the designated device is a station device that needs to access the access point device. Since the designated device has communicated with the access point device prior to sending the access request to the access point device, the physical address of the designated device may be obtained as soon as the designated device sends the access request. Of course, the designated device may also carry its physical address again in the access request.
In step S930, the access request is verified according to the association relationship between the physical address and the dynamic key, the physical address of the designated device, and the access key included in the access request.
In one embodiment of the application, if it is determined, based on the association relationship between physical addresses and dynamic keys, that the physical address of the designated device is associated with the access key contained in the access request, the access request is determined to be successfully verified. The access point device looks up the dynamic key corresponding to the physical address of the designated device in the association relationship, then compares the dynamic key found with the access key contained in the access request, and if the two are consistent, the access request is determined to be successfully verified.
In one embodiment of the application, the access request is denied if the physical address of the designated device does not exist in the above association relationship. The technical scheme of this embodiment avoids the situation in which the access point device cannot work normally because a malicious device frequently initiates connection requests.
Optionally, the access point device may further receive a validity period of the dynamic key, and may further verify the access request according to the association relationship, the physical address of the designated device, and the access key included in the access request during the validity period.
In the foregoing embodiments, the technical solutions of the embodiments of the present application have been described from the perspectives of the access point management platform and the access point device respectively; implementation details of the embodiments are described below from the perspective of the interaction between the devices.
In an application scenario of the present application, the access point device may be a cloud AP. A cloud AP extends the management capability of a local AP to the cloud, and a plurality of cloud APs are managed uniformly through the cloud (the cloud AP management platform, i.e. the access point management platform in the foregoing embodiments), for example to configure the LAN, WAN (Wide Area Network), blacklists and whitelists, and so on of the cloud AP. As shown in fig. 10, the cloud AP management platform communicates with the cloud AP either directly through the Internet or the WLAN, or through a firewall and a switch over the Internet or the WLAN, and the cloud AP interacts with the wireless terminals.
The system architecture of the cloud AP scenario is shown in fig. 11, and mainly includes three parts, namely cloud AP hardware, a cloud AP management platform and an application program.
The cloud AP hardware mainly comprises one or more cloud APs. The cloud APs need to be connected to the cloud AP management platform (specifically, through a multi-port repeater HUB), receive the AP configuration information sent by the cloud AP management platform, receive the issuing and management of PPSK keys, and receive and manage the connection information of terminals (i.e., station devices).
The cloud AP management platform comprises an operation platform, a HUB, equipment management, enterprise configuration, address book, key management, a database and the like.
The operation platform is used to manage cloud task scheduling, monitor abnormal conditions and so on. The HUB is responsible for connecting to the cloud AP hardware and maintaining the related heartbeat. Device management mainly manages the information of the connected cloud APs. Enterprise configuration mainly manages the cloud AP configuration related to each enterprise. The address book mainly records information on enterprise staff, including mobile phone numbers or instant-messaging account information. Key management generates, destroys and updates keys and also distributes the MAC-PSK hash tables to enterprises. The application service provides the corresponding API (Application Programming Interface) information and the like to the application programs. The database serves as the basic component for persistent storage of data.
The application program mainly refers to an application program corresponding to the cloud AP, and comprises a management page and application information of a front end, a platform and service capability of a rear end and the like. Alternatively, the application may be a hosted program, which is a program that exists depending on the host environment, such as an applet, a quick application, or the like.
Based on the system architecture shown in fig. 11, in one embodiment of the present application, network access management may be implemented through the flow shown in fig. 12, which specifically includes the following steps:
In step S1201, the enterprise application APP pushes the terminal MAC address and the current enterprise information to the enterprise application cloud platform.
It should be noted that the enterprise application APP may be an APP developed separately for a certain enterprise, or may be a common platform for all enterprises. If the enterprise application APP is a common platform for all enterprises, the enterprise user needs to create the enterprise information on the common platform, bind the enterprise's cloud AP to the enterprise information, and configure the cloud AP, for example by configuring its SSID.
After the enterprise application APP is installed on the terminal of the enterprise employee and enters the enterprise to which the enterprise application APP belongs, the enterprise application APP can collect the MAC address of the terminal and then push the information to the enterprise application cloud platform.
In step S1202, the enterprise application cloud platform pushes the MAC address and the enterprise employee binding relationship to the cloud AP management platform.
In one embodiment of the application, the enterprise employee information may be the employee's work number and name, or the employee's account name in the enterprise application APP. Alternatively, the enterprise application cloud platform may push only the MAC address to the cloud AP management platform and keep the binding relationship between the MAC address and the enterprise employee locally.
In step S1203, the cloud AP management platform generates and pushes the MAC-PSK hash table to the device SDK of the AP.
In one embodiment of the present application, the cloud AP management platform may generate a one-machine-one-secret MAC-PSK hash table from the MAC addresses pushed by the enterprise application cloud platform, and send the MAC-PSK hash table to the device SDK (Software Development Kit) of the cloud AP.
In step S1204, the cloud AP management platform generates and pushes the enterprise employee PSK to the enterprise application cloud platform.
In one embodiment of the application, the cloud AP may send the association between PSK and the MAC address to the enterprise application cloud platform, so that the enterprise application cloud platform distributes PSK according to the MAC address.
Optionally, there is no strict order between step S1204 and step S1203: step S1203 may be performed before step S1204, step S1204 before step S1203, or both steps simultaneously.
In step S1205, the enterprise application cloud platform forwards enterprise employee PSK to the enterprise application APP.
Optionally, the enterprise application cloud platform pushes the PSK to the corresponding enterprise application APP according to the MAC address reported by the enterprise application APP and the association relationship between the MAC address and the PSK. After the association relation between the MAC address and the PSK is acquired, the enterprise application cloud platform can actively push the PSK to the corresponding enterprise application APP, or can send the PSK to the corresponding enterprise application APP when receiving an access key acquisition request sent by the enterprise application APP.
In step S1206, the user initiates one-touch networking at the enterprise application APP.
Optionally, as shown in fig. 13, a "one-key networking" control 1301 may be displayed in the enterprise application APP. After the user selects the enterprise network to connect to and clicks the "one-key networking" control 1301, the enterprise application APP on the terminal pushes the PSK to the cloud AP device; since the cloud AP device also obtains the MAC address of the terminal while communicating with the enterprise application APP, the cloud AP device can perform quick verification against the MAC-PSK hash table.
Specifically, the corresponding PSK is retrieved from the MAC-PSK hash table according to the MAC address of the terminal, and it is then verified whether the retrieved PSK is consistent with the PSK pushed by the APP; if so, the verification is determined to be successful. At the same time, because the AP must check whether the MAC address exists in the MAC-PSK hash table, access requests initiated by devices with illegitimate MAC addresses can be refused directly, which avoids the problem of malicious devices degrading the performance of the access point device by frequently initiating access requests; in addition, the technical scheme of the embodiment of the application also avoids the problem of mixed use of access keys.
The technical solution of the embodiment shown in fig. 12 is a one-machine-one-secret application scenario. In some scenarios, however, some terminal devices cannot install the enterprise application APP and therefore cannot access the network through the flow shown in fig. 12. For this situation, the embodiment of the present application proposes using a dynamic key to ensure that such terminal devices can access the network conveniently. For example, a user may apply for a dynamic key on a terminal that can install the APP; after the cloud AP management platform generates the corresponding dynamic key, the dynamic key is returned to the user, the user then has the terminal devices initiate access requests based on the dynamic key, and after a connection succeeds the access point device adds the MAC address and the dynamic key of the successfully connected terminal device to the MAC-PSK hash table, thereby bringing the device under the connection management scheme shown in fig. 12. At the same time, the dynamic key is time-limited and is only valid within that time, which enables effective management of the dynamic key. The specific flow may be as shown in fig. 14, and includes the following steps:
In step S1401, the enterprise application APP installed on the terminal 1 applies for a dynamic key to the enterprise application cloud platform.
It should be noted that the enterprise application APP may be an APP developed separately for a certain enterprise, or may be a common platform for all enterprises. If the enterprise application APP is a common platform for all enterprises, the enterprise user needs to create the enterprise information on the common platform, bind the enterprise's cloud AP to the enterprise information, and configure the cloud AP, for example by configuring its SSID.
In step S1402, the enterprise application cloud platform checks the employee identity, and after the check passes, initiates a dynamic key application request to the cloud AP management platform.
In one embodiment of the application, the employee identity may be information such as the employee's work number and name, or the employee's account name in the enterprise application APP. Checking the employee identity may include checking whether the person is an employee of the enterprise, checking whether the employee has the authority to apply for a dynamic key, and so on.
In step S1403, the cloud AP management platform generates a dynamic key and a valid period of the dynamic key, and returns the dynamic key and the valid period to the device SDK of the cloud AP 1.
In step S1404, the cloud AP management platform returns the generated dynamic key and the validity period to the enterprise application cloud platform.
Alternatively, the cloud AP management platform may only return the dynamic key to the enterprise application cloud platform, and the validity period of the dynamic key may not be returned to the enterprise application cloud platform.
There is no strict order between step S1403 and step S1404: step S1403 may be performed before step S1404, step S1404 before step S1403, or both steps simultaneously.
In step S1405, the enterprise application cloud platform forwards the dynamic key and the validity period to the enterprise application APP of the terminal 1 applying for the dynamic key.
Alternatively, the enterprise application cloud platform may only return the dynamic key to the enterprise application APP, and the validity period of the dynamic key may not be returned to the enterprise application APP.
In step S1406, after the enterprise application APP of the terminal 1 obtains the dynamic key and the validity period, the user may input the dynamic key on other terminals (such as the terminal 2, the terminal 3, the terminal n, etc.) during the validity period to initiate networking to the cloud AP 1.
It should be noted that, if the enterprise application APP of the terminal 1 does not acquire the validity period, the user may initiate a connection on the other terminal using the dynamic key, and then determine whether the dynamic key exceeds the validity period by the cloud AP 1.
In step S1407, if another terminal successfully connects to the cloud AP1, the device SDK of the cloud AP1 generates (or adds to) the MAC-PSK hash table according to the MAC address of the terminal and the dynamic key, and pushes the MAC-PSK hash table to the cloud AP management platform.
In step S1408, the cloud AP management platform pushes the MAC-PSK hash table of the terminal device successfully accessed to the cloud AP1 to other APs (e.g., the cloud AP2 shown in fig. 14) of the enterprise, so as to ensure that the terminal device can be normally connected to the other APs.
When the terminal device connects to another AP, since the other AP already has the MAC-PSK hash table of the terminal device, access authentication can be performed according to the authentication flow in fig. 12.
Based on the technical schemes shown in fig. 12 and fig. 14, a specific application scenario is that employee A has multiple devices, including a smart phone, a printer device, and a scanner device. The smart phone of employee A may be connected using the procedure shown in fig. 12. After the smart phone is on the network, employee A also wishes the printer device and scanner device to access the network, but since the printer device and scanner device cannot install the enterprise application APP, employee A may apply for the dynamic key using the smart phone through the scheme shown in fig. 14.
After applying for the dynamic key, employee A uses the dynamic key to connect the printer device and scanner device to the network of AP1, and the printer device and scanner device also store the dynamic key. AP1 may upload the MAC addresses of the printer device and the scanner device, in association with the dynamic key, to the cloud AP management platform, which then sends the dynamic key (with the associated MAC addresses) to other APs, such as AP2.
If employee A moves the printer device to another area, such as the coverage area of AP2, the printer device may initiate an access request to AP2 based on the previously stored dynamic key. Since AP2 already stores the association between the MAC address of the printer device and the dynamic key, the printer device can be authenticated quickly, ensuring that it accesses the network of AP2 without delay.
In one embodiment of the present application, the technical solution of the embodiment shown in fig. 12 may be understood as a "one-machine-one-secret" function, since each terminal device is assigned its own access key. The technical solution of the embodiment shown in fig. 14 may be understood as a "one-secret-multiple-machine" function, because one dynamic key can be used by a plurality of terminal devices.
In one embodiment of the present application, the "one-machine-one-secret" function and the "one-secret-multiple-machine" function can be enabled selectively according to the actual application scenario and the requirements of the user. For example, as shown in fig. 15, switch controls for the "one-machine-one-secret" and "one-secret-multiple-machine" functions may be displayed in the enterprise application APP. If the user turns off "one-machine-one-secret" and turns on "one-secret-multiple-machine", then after selecting the network the user may click the "one-key application" control 1501, and the enterprise application APP on the terminal sends a dynamic key application request to the enterprise application cloud platform to trigger the flow shown in fig. 14.
The following describes an embodiment of the apparatus of the present application, which may be used to perform the network connection management method in the above embodiment of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the network connection management method of the present application.
Fig. 16 shows a block diagram of a network connection management apparatus according to an embodiment of the application, which may be provided within an access point device.
Referring to fig. 16, a network connection management apparatus 1600 according to an embodiment of the present application includes a first receiving unit 1602, a first processing unit 1604, a first generating unit 1606, and a transmitting unit 1608.
The first receiving unit 1602 is configured to receive a dynamic key for connecting to an access point device. The first processing unit 1604 is configured to, if an access request that is sent by a station device and contains the dynamic key is received, respond to the access request and establish a connection with the station device. The first generating unit 1606 is configured to associate the physical address of the station device with the dynamic key after the connection with the station device is successfully established, generating an association relationship between the physical address and the dynamic key. The transmitting unit 1608 is configured to transmit the association relationship to other access point devices, so that the other access point devices verify, according to the association relationship, access requests initiated by the station device based on the dynamic key.
In some embodiments of the present application, based on the foregoing, the first receiving unit 1602 is configured to receive a dynamic key sent by the access point management platform for connecting to the access point device, or to receive a preconfigured dynamic key for connecting to the access point device.
In some embodiments of the present application, based on the foregoing, the transmitting unit 1608 is configured to send the association relationship to an access point management platform so that the access point management platform forwards it to the other access point devices, or to send the association relationship to the other access point devices through a communication link between the access point device and the other access point devices.
In some embodiments of the present application, based on the foregoing, the first receiving unit 1602 is further configured to receive a validity period of the dynamic key, and the first processing unit 1604 is configured to determine, according to the validity period, whether the dynamic key contained in the access request is within the validity period, and to establish a connection with the station device only if it is.
In some embodiments of the present application, based on the foregoing scheme, the transmitting unit 1608 is further configured to transmit the validity period of the dynamic key to the other access point device, so that the other access point device verifies, according to the association relationship, the access request initiated by the station device based on the dynamic key within the validity period.
Fig. 17 shows a block diagram of a network connection management device according to an embodiment of the application, which may be provided within an access point management platform.
Referring to fig. 17, a network connection management apparatus 1700 according to an embodiment of the present application includes an allocation unit 1702, a first transmission unit 1704, a second reception unit 1706, and a second transmission unit 1708.
The allocation unit 1702 is configured to allocate, in response to a key application request, a dynamic key for connecting to an access point device. The first sending unit 1704 is configured to send the dynamic key to the access point device and to the initiator of the key application request, so that the access point device verifies received access requests based on the dynamic key. The second receiving unit 1706 is configured to receive, from the access point device, an association relationship between a physical address and the dynamic key, the physical address being that of a station device that successfully accessed the access point device based on the dynamic key. The second sending unit 1708 is configured to send the association relationship to other access point devices, so that the other access point devices verify, based on the association relationship, access requests initiated by the station device based on the dynamic key.
In some embodiments of the present application, based on the foregoing, the network connection management apparatus 1700 further includes a second generating unit configured to generate a validity period of the dynamic key, and the first transmitting unit is further configured to transmit the validity period to the access point device, so that the access point device verifies the received access request based on the dynamic key within the validity period.
In some embodiments of the present application, based on the foregoing, the allocation unit 1702 is further configured to receive, before the response to the key application request, a key application request sent by an application server, where the key application request is sent after the application server passes authentication of an application client that initiates a key application.
Fig. 18 shows a block diagram of a network connection management apparatus according to an embodiment of the application, which may be provided within an access point device.
Referring to fig. 18, a network connection management apparatus 1800 according to an embodiment of the present application includes a third receiving unit 1802, an acquiring unit 1804, and a verifying unit 1806.
The third receiving unit 1802 is configured to receive an association relationship between a physical address and a dynamic key, where the association relationship is generated by other access point devices from the dynamic key and the physical address of a station device that used the dynamic key and successfully established a connection with those other access point devices. The acquiring unit 1804 is configured to acquire, if an access request sent by a specified device is received, the physical address of the specified device and the access key contained in the access request. The verifying unit 1806 is configured to verify the access request according to the association relationship, the physical address of the specified device, and the access key contained in the access request.
In some embodiments of the present application, based on the foregoing, the verifying unit 1806 is configured to determine that verification of the access request succeeds if, according to the association relationship, the physical address of the specified device is associated with the access key contained in the access request, and to reject the access request if the physical address of the specified device does not exist in the association relationship.
In some embodiments of the present application, based on the foregoing, the third receiving unit 1802 is further configured to receive a validity period of the dynamic key, and the verifying unit 1806 is configured to verify the access request according to the association relationship, the physical address of the specified device, and the access key included in the access request during the validity period.
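The flow of fig. 12 and fig. 14 and the apparatus units of figs. 16 to 18 above, as an added example that is not part of the patent: a small Python model of the access point management platform and two access points, in which a shared dynamic key with a validity period is allocated, bound to each station's physical address on first access, fanned out to the other AP, and then checked on roaming, on a wrong key and after expiry. Class names, the MAC addresses and the key-generation scheme are assumptions.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DynamicKey:
    """A dynamic key (PSK) plus the validity period the platform generated for it."""
    psk: str
    not_before: int  # epoch seconds
    not_after: int   # epoch seconds, end of the validity period

    def valid_at(self, now: int) -> bool:
        return self.not_before <= now <= self.not_after


class ManagementPlatform:
    """Access point management platform: allocates keys and fans out associations."""

    def __init__(self) -> None:
        self.aps: List[AccessPoint] = []

    def register(self, ap: "AccessPoint") -> None:
        self.aps.append(ap)

    def allocate_dynamic_key(self, app_authenticated: bool, now: int, ttl: int) -> Optional[DynamicKey]:
        # A key application is only honoured after the application server has
        # authenticated the application client that initiated it (claim 7).
        if not app_authenticated:
            return None
        key = DynamicKey(psk=secrets.token_urlsafe(12), not_before=now, not_after=now + ttl)
        for ap in self.aps:  # key and validity period go to every enterprise AP
            ap.receive_dynamic_key(key)
        return key           # and back to the initiator (the enterprise APP)

    def push_association(self, origin: "AccessPoint", mac: str, key: DynamicKey) -> None:
        for ap in self.aps:  # forward the MAC-PSK entry to the other APs
            if ap is not origin:
                ap.receive_association(mac, key)


class AccessPoint:
    """Cloud AP: dynamic keys pushed by the platform plus a MAC-PSK table."""

    def __init__(self, name: str, platform: ManagementPlatform) -> None:
        self.name = name
        self.platform = platform
        self.dynamic_keys: List[DynamicKey] = []
        self.mac_psk: Dict[str, DynamicKey] = {}  # physical address -> bound key
        platform.register(self)

    def receive_dynamic_key(self, key: DynamicKey) -> None:
        self.dynamic_keys.append(key)

    def receive_association(self, mac: str, key: DynamicKey) -> None:
        self.mac_psk[mac] = key

    def handle_access_request(self, mac: str, access_key: str, now: int) -> bool:
        bound = self.mac_psk.get(mac)
        if bound is not None:
            # Station already associated (fig. 12 path, claims 8 to 10): accept only if
            # the presented key matches the bound key and the key is still valid.
            return bound.valid_at(now) and hmac.compare_digest(bound.psk, access_key)
        # First access with a shared dynamic key (fig. 14 path, claims 1 to 4): the key
        # must be one the platform allocated and must be inside its validity period.
        for key in self.dynamic_keys:
            if key.valid_at(now) and hmac.compare_digest(key.psk, access_key):
                self.mac_psk[mac] = key
                self.platform.push_association(self, mac, key)
                return True
        return False  # unknown MAC with no valid dynamic key: reject


def run_scenario(now: int = 1_700_000_000) -> Dict[str, object]:
    """Employee A's printer and scanner share one dynamic key and roam AP1 -> AP2."""
    platform = ManagementPlatform()
    ap1, ap2 = AccessPoint("AP1", platform), AccessPoint("AP2", platform)
    key = platform.allocate_dynamic_key(app_authenticated=True, now=now, ttl=3600)
    printer, scanner = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs
    return {
        "printer_ap1": ap1.handle_access_request(printer, key.psk, now),
        "scanner_ap1": ap1.handle_access_request(scanner, key.psk, now + 10),
        "printer_roams_to_ap2": ap2.handle_access_request(printer, key.psk, now + 20),
        "ap2_table": sorted(ap2.mac_psk),
        "printer_ap2_wrong_key": ap2.handle_access_request(printer, "not-the-key", now + 30),
        "new_device_after_expiry": ap1.handle_access_request("02:00:00:00:00:03", key.psk, now + 7200),
        "printer_ap2_after_expiry": ap2.handle_access_request(printer, key.psk, now + 7200),
        "unauthenticated_application": platform.allocate_dynamic_key(False, now, 3600),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```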
Fig. 19 shows a schematic diagram of a computer system suitable for use in implementing an embodiment of the application.
It should be noted that, the computer system 1900 of the electronic device shown in fig. 19 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
As shown in fig. 19, the computer system 1900 includes a central processing unit (Central Processing Unit, CPU) 1901 that can perform various appropriate actions and processes, such as performing the methods described in the above embodiments, according to a program stored in a Read-Only Memory (ROM) 1902 or a program loaded from a storage section 1908 into a random access Memory (Random Access Memory, RAM) 1903. In the RAM 1903, various programs and data required for system operation are also stored. The CPU 1901, ROM 1902, and RAM 1903 are connected to each other via a bus 1904. An Input/Output (I/O) interface 1905 is also connected to bus 1904.
Connected to the I/O interface 1905 are an input portion 1906 including a keyboard, a mouse, and the like; an output portion 1907 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 1908 including a hard disk and the like; and a communication portion 1909 including a network interface card such as a Local Area Network (LAN) card, a modem, and the like. The communication portion 1909 performs communication processing via a network such as the Internet. A drive 1910 is also connected to the I/O interface 1905 as needed. A removable medium 1911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1910 as needed, so that a computer program read from it is installed into the storage portion 1908 as needed.
In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 1909, and/or installed from the removable media 1911. The computer programs, when executed by a Central Processing Unit (CPU) 1901, perform the various functions defined in the system of the present application.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of a computer readable storage medium may include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, a computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with a computer readable program embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer program embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Where each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented by software, or may be implemented by hardware, and the described units may also be provided in a processor. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.
As another aspect, the present application also provides a computer-readable medium that may be included in the electronic device described in the above embodiment, or may exist alone without being incorporated into the electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the methods described in the above embodiments.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the application. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a touch terminal, or a network device, etc.) to perform the method according to the embodiments of the present application.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (16)

1. A network connection management method, the network connection management method being performed by an access point device, the network connection management method comprising:
the access point device receives a dynamic key allocated by an access point management platform for connecting to the access point device, the dynamic key being sent by the access point management platform to the station device that applied for it;
if an access request containing the dynamic key and sent by the station device is received, responding to the access request and establishing a connection with the station device;
after the connection with the station device is successfully established, associating the physical address of the station device with the dynamic key, and generating an association relationship between the physical address and the dynamic key;
and the access point device transmits the association relationship to other access point devices, so that the other access point devices determine that authentication of an access request sent by the station device succeeds when the access key contained in that access request matches the association relationship with the physical address of the station device.
2. The network connection management method according to claim 1, wherein transmitting the association relationship to other access point devices comprises:
sending the association relationship to an access point management platform so that the access point management platform forwards the association relationship to the other access point devices; or
sending the association relationship to the other access point devices through a communication link between the access point device and the other access point devices.
3. The network connection management method according to any one of claims 1 to 2, further comprising: receiving a validity period of the dynamic key;
and responding to the access request and establishing a connection with the station device comprises: determining, according to the validity period, whether the dynamic key contained in the access request is within the validity period, and establishing a connection with the station device if it is.
4. The network connection management method according to claim 3, wherein the network connection management method further comprises:
transmitting the validity period of the dynamic key to the other access point devices, so that the other access point devices verify, according to the association relationship, access requests initiated by the station device based on the dynamic key within the validity period.
5. A network connection management method, wherein the network connection management method is performed by an access point management platform, the network connection management method comprising:
in response to a key application request, allocating a dynamic key for connecting to an access point device;
sending the dynamic key to the access point device and to the initiator of the key application request, so that the access point device verifies received access requests based on the dynamic key;
receiving, from the access point device, an association relationship between a physical address and the dynamic key, wherein the physical address is that of a station device that successfully accessed the access point device based on the dynamic key;
and sending the association relationship to other access point devices, so that the other access point devices determine that authentication of an access request sent by the station device succeeds when the access key contained in that access request matches the association relationship with the physical address of the station device.
6. The network connection management method according to claim 5, characterized in that the network connection management method further comprises:
generating a validity period of the dynamic key;
and sending the validity period to the access point device so that the access point device verifies received access requests based on the dynamic key within the validity period.
7. The network connection management method according to claim 5 or 6, characterized in that, before responding to the key application request, the network connection management method further comprises:
receiving a key application request sent by an application server, wherein the key application request is sent after the application server has authenticated the application client that initiated the key application.
8. A network connection management method, the network connection management method being performed by an access point device, the network connection management method comprising:
receiving an association relationship between a physical address and a dynamic key, wherein the association relationship is generated by other access point devices from the dynamic key and the physical address of a station device that used the dynamic key and successfully established a connection with those other access point devices, and the dynamic key is allocated by an access point management platform in response to a key application request and is sent to the initiator of the key application request and to the other access point devices;
if an access request sent by a designated device is received, acquiring the physical address of the designated device and the access key contained in the access request;
and if, according to the association relationship, the physical address of the designated device is determined to be associated with the access key contained in the access request, determining that verification of the access request succeeds.
9. The network connection management method of claim 8, further comprising:
rejecting the access request if the physical address of the designated device does not exist in the association relationship.
10. The network connection management method according to claim 8 or 9, further comprising: receiving a validity period of the dynamic key;
and verifying the access request according to the association relationship, the physical address of the designated device, and the access key contained in the access request within the validity period.
11. A network connection management apparatus, the network connection management apparatus being applied to an access point device, the network connection management apparatus comprising:
a first receiving unit configured to receive a dynamic key allocated by an access point management platform for connecting to the access point device, the dynamic key being sent by the access point management platform to the station device that applied for it;
a first processing unit configured to respond to an access request and establish a connection with the station device if the access request, sent by the station device and containing the dynamic key, is received;
a first generating unit configured to associate the physical address of the station device with the dynamic key after the connection with the station device is successfully established, and to generate an association relationship between the physical address and the dynamic key;
and a transmitting unit configured to transmit the association relationship to other access point devices, so that the other access point devices determine that authentication of an access request sent by the station device succeeds when the access key contained in that access request matches the association relationship with the physical address of the station device.
12. A network connection management apparatus, the network connection management apparatus being applied to an access point management platform, the network connection management apparatus comprising:
an allocation unit configured to allocate, in response to a key application request, a dynamic key for connecting to an access point device;
a first sending unit configured to send the dynamic key to the access point device and to the initiator of the key application request, so that the access point device verifies received access requests based on the dynamic key;
a second receiving unit configured to receive, from the access point device, an association relationship between a physical address and the dynamic key, wherein the physical address is that of a station device that successfully accessed the access point device based on the dynamic key;
and a second sending unit configured to send the association relationship to other access point devices, so that the other access point devices determine that authentication of an access request sent by the station device succeeds when the access key contained in that access request matches the association relationship with the physical address of the station device.
13. A network connection management apparatus, the network connection management apparatus being applied to an access point device, the network connection management apparatus comprising:
a third receiving unit configured to receive an association relationship between a physical address and a dynamic key, wherein the association relationship is generated by other access point devices from the dynamic key and the physical address of a station device that used the dynamic key and successfully established a connection with those other access point devices, and the dynamic key is allocated by an access point management platform in response to a key application request and is sent to the initiator of the key application request and to the other access point devices;
an acquiring unit configured to acquire, if an access request sent by a designated device is received, the physical address of the designated device and the access key contained in the access request;
and a verifying unit configured to determine that verification of the access request succeeds if, according to the association relationship, the physical address of the designated device is determined to be associated with the access key contained in the access request.
14. A computer readable medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the network connection management method according to any one of claims 1 to 10.
15. An electronic device, comprising:
one or more processors;
and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the network connection management method of any one of claims 1 to 10.
16. A computer program product, characterized in that the computer program product comprises a computer program stored in a computer readable storage medium, from which computer readable storage medium a processor of an electronic device reads and executes the computer program, causing the electronic device to perform the network connection management method of any one of claims 1 to 10.
CN202110780040.2A 2021-07-09 2021-07-09 Network connection management method, device, computer readable medium and electronic device Active CN113543131B (en)

Publications (2)

Publication Number Publication Date
CN113543131A (en) 2021-10-22
CN113543131B (en) 2024-12-31

Family

ID=78098310

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110780040.2A Active CN113543131B (en) 2021-07-09 2021-07-09 Network connection management method, device, computer readable medium and electronic device

Country Status (1)

Country Link
CN (1) CN113543131B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120052012A (en) * 2022-10-21 2025-05-27 Oppo广东移动通信有限公司 Information updating method, device, equipment and storage medium
CN119675928B (en) * 2024-11-29 2025-09-12 北京航空航天大学杭州创新研究院 Dynamic protection method, system, device, equipment and computer-readable medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109923883A (en) * 2016-09-27 2019-06-21 A9.Com公司 The shared method of network configuration

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109548018B (en) * 2019-01-11 2021-11-23 腾讯科技(深圳)有限公司 Wireless network access method, device, equipment and system
US11451959B2 (en) * 2019-09-30 2022-09-20 Fortinet, Inc. Authenticating client devices in a wireless communication network with client-specific pre-shared keys
CN112672351B (en) * 2020-12-15 2025-01-03 腾讯科技(深圳)有限公司 Wireless local area network authentication method and device, electronic device, and storage medium

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109923883A (en) * 2016-09-27 2019-06-21 A9.Com公司 Method for sharing network configuration

Also Published As

Publication number Publication date
CN113543131A (en) 2021-10-22

Similar Documents

Publication Publication Date Title
US11178125B2 (en) Wireless network connection method, wireless access point, server, and system
CN113556227B (en) Network connection management method, device, computer readable medium and electronic equipment
US10412083B2 (en) Dynamically generated SSID
EP1554862B1 (en) Session key management for public wireless lan supporting multiple virtual operators
CN112566119B (en) Terminal authentication method, device, computer equipment and storage medium
WO2019041802A1 (en) Discovery method and apparatus based on service-oriented architecture
JP2018534805A (en) Method and apparatus for wireless device authentication
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
CN105554747A (en) Wireless network connection method, device and system
US12231884B2 (en) Wireless network provisioning using a pre-shared key
US20240121609A1 (en) Wpa3-personal cloud based network access and provisioning
US12413963B2 (en) Communication method and apparatus
CN113543131B (en) Network connection management method, device, computer readable medium and electronic device
WO2017091987A1 (en) Method and apparatus for secure interaction between terminals
WO2022048125A1 (en) Information processing method and apparatus, device and storage medium
HK40053596A (en) Network connection management method and apparatus, computer readable medium and electronic device
WO2016176902A1 (en) Terminal authentication method, management terminal and application terminal
WO2022094936A1 (en) Access method, device, and cloud platform device
HK40053594A (en) Network connection management method and apparatus, computer readable medium and electronic device
HK40043385A (en) Terminal authentication method, device, computer equipment and storage medium
CN117641345A (en) Transmission of network access information for wireless devices
WO2023240642A1 (en) Authentication mode selection method and apparatus, device, and storage medium
HK40030098A (en) Wireless local area network authentication method and wireless local area network connection method

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40053596; Country of ref document: HK)

SE01 Entry into force of request for substantive examination
GR01 Patent grant