CN113785606B - Network device and method for policy-based wireless network access - Google Patents
Description
Technical Field
The present invention relates to the field of wireless computer networks, and in particular to a network device for policy-based wireless network access and a corresponding method. In other words, the invention relates to policy-based wireless access to a restricted set of services.
Background
In conventional wireless computer networks, a service set identifier (SSID) is the name associated with a wireless computer network (for example, a wireless local area network (WLAN)). When a conventional wireless network client intends to join a wireless computer network, it joins using the SSID associated with that network. Once the client has joined, the entire network topology of the wireless computer network is exposed to it; specifically, all services provided in the wireless computer network are visible to the connected client. Conventional service access restrictions can be achieved, for example, by using a dedicated portal with service links, or by using two-factor or complex (e.g., token-based) authentication. Using a secure portal may require several steps, and the access restriction itself is based on network filtering rules (e.g., a firewall). In addition, in conventional wireless computer networks, different conventional network devices (for example, access points (APs)) announcing the same SSID are mapped to different subnets, which is why a conventional wireless network client is offered a different set of services depending on which AP it is connected to. This is illustrated, for example, in Figure 5.
Conventional solutions lack dynamic services provided at the device's local subnet. Policy enforcement is performed by a firewall that restricts the conventional wireless network client's view of the network through a set of rules. The client can still observe that a service exists, but is blocked by the firewall from connecting to it. What is desired, however, is that only the allowed services are visible and accessible.
Conventional solutions also do not support roaming of conventional wireless network clients. Currently, service separation is achieved in two ways:
1. Configuring a WPA pre-shared-key (PSK) based security scheme on the wireless network. One service set is configured at site A and a different service set at site B. A device roaming from one site to the other will access a different set of services. Within the same site, this separation is not feasible for non-identity-based authentication (such as pre-shared keys).
2. Configuring a WPA Enterprise based security scheme on the wireless network. A conventional wireless network client accesses a service set according to the domain group it belongs to, independent of any particular site. This separation is achieved by placing the client in a specific VLAN group, where the policy is enforced by a firewall.
Therefore, what is missing is a scheme that can isolate the wireless network clients connected to a wireless network while using a single SSID in an efficient and effective manner.
Summary of the Invention
In view of the above problems and drawbacks, the present invention aims to improve conventional network devices. In particular, the invention is able to determine, based on a wireless network client's unique identifier and a policy, which authorized services that client may access. This can be done for several wireless network clients accessing a wireless network that is provided through a single SSID.
To this end, a wireless network client attempting to connect to the wireless network must be authenticated against the policy. This can be achieved, for example, by means of a public key infrastructure (PKI) certificate. After successful authorization on the network device, authorization and policy enforcement are triggered and a subnet assigned to the wireless network client is created.
The topology of the wireless network provided by the network device is thereby hidden. Furthermore, no modification of the wireless network client is required: the applications running on the client are agnostic to the scheme, and no application changes are needed. The scheme also enables flat service discovery, i.e., only the services allowed for the wireless network client exist in the subnet assigned to that client. In addition, the invention allows policy-based security enforcement, for example at the level of domain name system (DNS) requests or at the moment a connection to a service is made.
The object of the invention is achieved by the solutions provided in the appended independent claims. Advantageous implementations of the invention are further defined in the dependent claims.
A first aspect of the invention provides a network device for policy-based wireless network access, wherein the network device is configured to: obtain a unique identifier of a wireless network client; determine at least one authorized service based on the unique identifier and a policy; create a virtual subnet that can access the at least one authorized service; and assign the wireless network client to the virtual subnet.
This is advantageous because the set of authorized services reachable through the network device can be provisioned and adapted per wireless network client by policy, while the whole wireless network can be offered in a uniform way (e.g., through only one SSID).
In particular, an authorized service may be any network service that is not affected by NAT traversal.
In particular, an authorized service is a service that the wireless network client is authorized to use, and the client is authorized according to the policy.
In an implementation of the first aspect, the virtual subnet has exclusive access to the at least one authorized service.
This ensures that the virtual subnet restricts access to the authorized services in a secure manner. The accessible authorized services can be selected according to the policy and the unique identifier; e.g., other services can be excluded from the accessible services.
In another implementation of the first aspect, the unique identifier comprises a passphrase combined with at least one of: a device-unique ID or a username; or a certificate.
In particular, the certificate is a public key infrastructure (PKI) certificate.
In another implementation of the first aspect, the network device is configured to provide the wireless network under a network identifier, so that the wireless network client can access the virtual subnet.
In particular, the network identifier may be a service set identifier (SSID).
In another implementation of the first aspect, the network device is configured to create, according to the policy, a different virtual subnet for each wireless network client accessing the wireless network.
In other words, a different virtual subnet is created for each wireless network client according to the policy.
In another implementation of the first aspect, each of the different virtual subnets is created based on the unique identifier of the respective wireless network client and the policy.
In another implementation of the first aspect, the policy is predefined and indicates that the at least one authorized service corresponds to the unique identifier.
In another implementation of the first aspect, the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.
In another implementation of the first aspect, the virtual subnet is a virtual subnet within an independent, isolated network.
In particular, the isolated network is an independent L2 broadcast domain, and a subnet or virtual subnet is an L3 domain (i.e., a network-layer domain).
This is advantageous because the same subnet address range can be reused within multiple independent networks; the scheme therefore supports address overlap between the different virtual subnets assigned to different wireless network clients.
In another implementation of the first aspect, only the wireless network client assigned to the virtual subnet in the independent isolated network can access that virtual subnet.
In particular, no other client (e.g., another wireless network client) can reach or join the independent isolated network. An independent isolated network may also be called an independent virtual subnet. However, the at least one authorized service provided to the wireless network client can reach the independent isolated network in order to communicate with the client.
In another implementation of the first aspect, the network device is further configured to provide a service discovery function to the wireless network client.
This ensures that the wireless network client can identify the at least one authorized service provided to it in the virtual subnet.
In another implementation of the first aspect, the service discovery function provides the wireless network client with a service identifier of the at least one authorized service.
In particular, the service identifier may comprise the address (e.g., IPv4 or IPv6 address), port, or protocol of the at least one authorized service.
In another implementation of the first aspect, the service identifier provided to the wireless network client is related to the virtual subnet assigned to that client.
In particular, the service identifier relates to the domain of the virtual subnet (e.g., the address range of the virtual subnet).
In another implementation of the first aspect, the at least one authorized service operates in a network different from the virtual subnet assigned to the wireless network client.
This ensures that the authorized service can operate in a network or subnet other than the virtual subnet while the wireless network client can still access it.
In another implementation of the first aspect, the network device further comprises a communication module that can communicate, via the service identifier related to the virtual subnet, with the at least one authorized service provided in a network different from the virtual subnet.
In particular, the communication module comprises address routing or address remapping.
In another implementation of the first aspect, the network device is an access point (AP).
A second aspect of the invention provides a method for policy-based wireless network access, wherein the method comprises the following steps: a network device obtains a unique identifier of a wireless network client; the network device determines at least one authorized service based on the unique identifier and a policy; the network device creates a virtual subnet that can access the at least one authorized service; and the network device assigns the wireless network client to the virtual subnet.
In particular, an authorized service may be any network service that is not affected by NAT traversal.
In particular, an authorized service is a service that the wireless network client is authorized to use, and the client is authorized according to the policy.
In an implementation of the second aspect, the virtual subnet has exclusive access to the at least one authorized service.
In another implementation of the second aspect, the unique identifier comprises a passphrase combined with at least one of: a device-unique ID or a username; or a certificate.
In particular, the certificate is a public key infrastructure (PKI) certificate.
In another implementation of the second aspect, the method further comprises the network device providing the wireless network under a network identifier, so that the wireless network client can access the virtual subnet.
In particular, the network identifier may be a service set identifier (SSID).
In another implementation of the second aspect, the method further comprises the network device creating, according to the policy, a different virtual subnet for each wireless network client accessing the wireless network.
In other words, a different virtual subnet is created for each wireless network client according to the policy.
In another implementation of the second aspect, each of the different virtual subnets is created based on the unique identifier of the respective wireless network client and the policy.
In another implementation of the second aspect, the policy is predefined and indicates that the at least one authorized service corresponds to the unique identifier.
In another implementation of the second aspect, the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.
In another implementation of the second aspect, the virtual subnet is a virtual subnet within an independent, isolated network.
In particular, the isolated network is an independent L2 broadcast domain, and a subnet or virtual subnet is an L3 domain (i.e., a network-layer domain).
In another implementation of the second aspect, only the wireless network client assigned to the virtual subnet in the independent isolated network can access that virtual subnet.
In particular, no other client (e.g., another wireless network client) can reach or join the independent isolated network. An independent isolated network may also be called an independent virtual subnet. However, the at least one authorized service provided to the wireless network client can reach the independent isolated network in order to communicate with the client.
In another implementation of the second aspect, the method further comprises the network device providing a service discovery function to the wireless network client.
In another implementation of the second aspect, the service discovery function provides the wireless network client with a service identifier of the at least one authorized service.
In particular, the service identifier may comprise the address (e.g., IPv4 or IPv6 address), port, or protocol of the at least one authorized service.
In another implementation of the second aspect, the service identifier provided to the wireless network client is related to the virtual subnet assigned to that client.
In particular, the service identifier relates to the domain of the virtual subnet (e.g., the address range of the virtual subnet).
In another implementation of the second aspect, the at least one authorized service operates in a network different from the virtual subnet assigned to the wireless network client.
In another implementation of the second aspect, the method further comprises a communication module of the network device communicating, via the service identifier related to the virtual subnet, with the at least one authorized service provided in a network different from the virtual subnet.
In particular, the communication module comprises address routing or address remapping.
In another implementation of the second aspect, the network device is an access point (AP).
The second aspect and its implementations have the same advantages as the first aspect and its respective implementations.
It should be noted that all devices, elements, units and modules described in this application may be implemented in software or hardware elements, or in any combination thereof. All steps performed by the various entities described in this application, and the functions described as being performed by the various entities, are intended to indicate that the respective entity is adapted to or configured to perform the respective step or function. Even if, in the following description of specific embodiments, a specific function or step performed by an external entity is not reflected in the description of a specific element of that entity which performs that step or function, it should be clear to the skilled person that these methods and functions can be implemented in corresponding hardware or software elements, or in any combination thereof.
Brief Description of the Drawings
The above aspects of the invention and their implementations are explained in the following description of specific embodiments in conjunction with the accompanying drawings, in which:
Figure 1 shows a schematic diagram of a network device according to an embodiment of the invention;
Figure 2 shows a schematic diagram of the mode of operation of a network device according to an embodiment of the invention;
Figure 3 shows another schematic diagram of the mode of operation of a network device according to an embodiment of the invention;
Figure 4 shows a schematic diagram of a method according to an embodiment of the invention;
Figure 5 shows the operating principle of a network device according to the prior art.
Detailed Description
Figure 1 shows a network device 100 for policy-based access to a wireless network 101. The network device 100 may be, for example, an AP, or a router that includes an AP. The wireless network 101 may be, for example, a WLAN. The network device 100 is configured to: obtain a unique identifier 102 of a wireless network client 103; determine at least one authorized service 104 based on the unique identifier 102 and a policy 105; create a virtual subnet 106 that can access the at least one authorized service 104; and assign the wireless network client 103 to the virtual subnet 106. The policy 105 may be stored in advance in the network device and may indicate which service 104 is provided to which wireless network client 103.
Figure 2 is a schematic diagram of the mode of operation of the network device 100. As shown in Figure 2, the network device 100 can realize a flat view of the services allowed in the wireless network 101.
As shown in Figure 2, a wireless network client 103 connects wirelessly to the network device 100 (e.g., an AP) associated with the SSID by submitting its unique identifier 102 (e.g., a credential or certificate). The network device 100 provides the authenticated wireless network client 103 with an independent, uniquely identified subnet 106. No other client can access this subnet 106 unless the subnet is explicitly exposed to those other clients. The subnet 106 is not directly routable from the network device 100. The same classless inter-domain routing (CIDR) range may overlap between such subnets.
In particular, the network device 100 may provide the subnet 106 and/or the IP address of the wireless network client 103 by means of the dynamic host configuration protocol (DHCP). Via DHCP, the network device 100 may also provide a local DNS address and/or a local domain used for service discovery. This allows hostnames to be resolved to local subnet addresses, and it limits the network view of the wireless network client 103 to the authorized services only. Service discovery is based on a "whitelist", specifically one derived from the unique identifier 102 of the wireless network client 103.
In order to map a service (a service reachable by the network device 100) into the subnet 106, where the service can only be accessed by the authorized wireless network client 103, the following service forwarding rules apply:
The wireless network client 103 connects to the authorized service 104 using the service's local, independent IP address (taken from the subnet 106).
To forward egress packets, the network device 100 translates the packet's destination IP into the routable service IP. The source IP address can be handled using network address translation (NAT) connection tracking. To forward ingress packets, the inverse translation is applied.
Figure 3 is another schematic diagram of the mode of operation of the network device 100. Specifically, in the mode of operation shown in Figure 3 the following steps are performed:
1. The wireless network client 103 (the client device in Figure 3) connects to the network device 100 (the access point in Figure 3) using predefined connection settings.
2. The network device 100 authenticates the wireless network client 103, for example by delegating the authentication session to an external AAA server and/or by using an internally implemented WPA Enterprise backend.
3. Based on the policy 105, the network device 100 obtains the list of allowed services from the enterprise service domain, provisions a separate subnet 106 for the wireless client 103, adds a service discovery endpoint to that subnet, and populates it with information about all allowed services. In addition, the network device 100 adds a local logical port on the subnet 106 for each allowed service 104. All logical ports can be software-defined networking (SDN) ports, so that network traffic to and from the logical ports can be intercepted and modified by an SDN-controlled switch. From the perspective of the wireless network client 103, the logical ports create the illusion of a limited and well-defined network topology.
4. The network device 100 returns to the wireless network client 103 the service discovery domain (SSDP/DNS-SD), the subnet 106 and its local IP address.
5. The wireless network client 103 issues a service discovery request to the local discovery service 201. The client obtains a response with the locally mapped service information (address, port and protocol).
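The following Python model is an added illustration, not code from the patent, of the service forwarding rules and of steps 1 to 5 above taken together: a policy maps a client's unique identifier to its allowed services, every admitted client receives its own isolated subnet (the same CIDR is reused for each client, since each subnet is its own L2 domain), discovery only answers for whitelisted services, and the egress/ingress rules translate between the per-client local service address and the routable service address. The service names, addresses, client identifiers and the policy table are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    """A service reachable by the AP on its routable (enterprise) address."""
    name: str
    routable_ip: str
    port: int
    proto: str = "tcp"


# Constructed sample data (not from the patent): enterprise services and the
# policy 105 mapping a client's unique identifier 102 to its allowed services.
SERVICES = {
    "printer": Service("printer", "10.50.0.10", 631),
    "fileshare": Service("fileshare", "10.50.0.20", 445),
    "hr-portal": Service("hr-portal", "10.50.1.5", 443),
}
POLICY = {
    "CN=alice,O=Example": {"printer", "fileshare", "hr-portal"},
    "CN=guest-tablet-17,O=Example": {"printer"},
}


@dataclass
class ClientSubnet:
    """Per-client virtual subnet 106: its CIDR, the client's own address, the
    local discovery/DNS endpoint, the NAT map and the discovery whitelist."""
    client_id: str
    cidr: ipaddress.IPv4Network
    client_ip: ipaddress.IPv4Address
    discovery_ip: ipaddress.IPv4Address
    local_to_service: dict = field(default_factory=dict)  # local IP -> Service
    discovery: dict = field(default_factory=dict)  # name -> (local IP, port, proto)


class AccessPoint:
    """Network device 100: admits clients, builds their subnets and forwards."""

    def __init__(self, policy, services, base_cidr="192.168.100.0/24"):
        self.policy = policy
        self.services = services
        # Every client subnet reuses this CIDR; overlap is fine because each
        # subnet is its own isolated L2 broadcast domain.
        self.base = ipaddress.ip_network(base_cidr)
        self.subnets = {}

    def authorized_services(self, client_id):
        """Unique identifier + policy -> authorized services.
        An identifier without a policy entry gets no services at all."""
        return [self.services[n] for n in sorted(self.policy.get(client_id, ()))]

    def admit(self, client_id):
        """Steps 3-4: create the subnet, one local logical address per allowed
        service, and the discovery whitelist. Returns None when denied."""
        allowed = self.authorized_services(client_id)
        if not allowed:
            return None
        hosts = list(self.base.hosts())
        sub = ClientSubnet(client_id, self.base, client_ip=hosts[1], discovery_ip=hosts[0])
        for i, svc in enumerate(allowed):
            local_ip = hosts[10 + i]  # local address of the service inside subnet 106
            sub.local_to_service[local_ip] = svc
            sub.discovery[svc.name] = (str(local_ip), svc.port, svc.proto)
        self.subnets[client_id] = sub
        return sub

    def resolve(self, client_id, name):
        """Step 5: discovery answers only for whitelisted services; anything
        else simply does not exist from the client's point of view."""
        return self.subnets[client_id].discovery.get(name)

    def forward_egress(self, client_id, dst_ip, dst_port):
        """Egress rule: rewrite local service IP -> routable service IP.
        Packets to an unmapped address/port are dropped (None)."""
        sub = self.subnets[client_id]
        svc = sub.local_to_service.get(ipaddress.ip_address(dst_ip))
        if svc is None or svc.port != dst_port:
            return None
        return (svc.routable_ip, svc.port)

    def forward_ingress(self, client_id, src_ip, src_port):
        """Ingress rule: the inverse translation, routable -> local."""
        sub = self.subnets[client_id]
        for local_ip, svc in sub.local_to_service.items():
            if svc.routable_ip == src_ip and svc.port == src_port:
                return (str(local_ip), svc.port)
        return None


if __name__ == "__main__":
    ap = AccessPoint(POLICY, SERVICES)
    for cid in POLICY:
        sub = ap.admit(cid)
        print(cid, "->", sub.cidr, sorted(sub.discovery))
```

Note that the guest client and alice share the same CIDR yet see different service sets, and a packet from the guest to an address that is only mapped in alice's subnet is dropped rather than forwarded.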
Figure 4 is a schematic diagram of a method 400 according to an embodiment of the invention. The method comprises a step 401 in which the network device 100 obtains the unique identifier 102 of the wireless network client 103; a step 402 in which the network device 100 determines at least one authorized service 104 based on the unique identifier 102 and the policy 105; a step 403 in which the network device 100 creates a virtual subnet 106 that can access the at least one authorized service 104; and a step 404 in which the network device 100 assigns the wireless network client 103 to the virtual subnet 106.
The invention has been described in conjunction with various embodiments and implementations as examples. However, other variations can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure and the independent claims. In the claims as well as in the description, the word "comprising" does not exclude other elements or steps, and the indefinite article "a" does not exclude a plurality. A single element or other unit may fulfil the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used in an advantageous implementation.
Claims (16)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2019/061216 WO2020221454A1 (en) | 2019-05-02 | 2019-05-02 | Network device and method for policy based access to a wireless network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113785606A CN113785606A (en) | 2021-12-10 |
CN113785606B true CN113785606B (en) | 2023-10-27 |
Family
ID=66448529
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201980095727.3A Active CN113785606B (en) | 2019-05-02 | 2019-05-02 | Network device and method for policy-based wireless network access |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN113785606B (en) |
WO (1) | WO2020221454A1 (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8363658B1 (en) * | 2008-11-13 | 2013-01-29 | Sprint Communications Company L.P. | Dynamic firewall and dynamic host configuration protocol configuration |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7627123B2 (en) * | 2005-02-07 | 2009-12-01 | Juniper Networks, Inc. | Wireless network having multiple security interfaces |
US20080301801A1 (en) * | 2007-05-31 | 2008-12-04 | Premkumar Jothimani | Policy based virtual private network (VPN) communications |
US20100074261A1 (en) * | 2008-09-24 | 2010-03-25 | At&T Intellectual Property I, L.P. | Providing access to multiple different services by way of a single network identifier |
US9197498B2 (en) * | 2012-08-31 | 2015-11-24 | Cisco Technology, Inc. | Method for automatically applying access control policies based on device types of networked computing devices |
US9438630B2 (en) * | 2014-10-15 | 2016-09-06 | Adtran, Inc. | Network access control using subnet addressing |
US20160345170A1 (en) * | 2015-05-21 | 2016-11-24 | Ftac Systems, Inc. | Wireless network segmentation for internet connected devices using disposable and limited security keys and disposable proxies for management |
2019
- 2019-05-02 CN CN201980095727.3A patent/CN113785606B/en active Active
- 2019-05-02 WO PCT/EP2019/061216 patent/WO2020221454A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN113785606A (en) | 2021-12-10 |
WO2020221454A1 (en) | 2020-11-05 |
Similar Documents
Publication | Title |
---|---|
CN110087236B (en) | Protocol for establishing a secure communication session with an anonymous host over a wireless network |
KR100826736B1 (en) | A method of dynamically connecting a client node to a serving network, a method of connecting a client node to multiple internet service providers, and a method of connecting a client node to a serving network |
CA3021367C (en) | Using WLAN connectivity of a wireless device |
JP4988143B2 (en) | Computer network |
US8681695B1 (en) | Single address prefix allocation within computer networks |
CN103858387B (en) | Architecture for virtualized home IP service delivery |
Mortier et al. | Control and understanding: Owning your home network |
US8295285B2 (en) | Method and apparatus for communication of data packets between local networks |
CN101056178B (en) | A method and system for controlling user network access authority |
US20090129386A1 (en) | Operator shop selection |
US20050114490A1 (en) | Distributed virtual network access system and method |
US20140075505A1 (en) | System and method for routing selected network traffic to a remote network security device in a network environment |
JP2004357292A (en) | System for converting data transferred on IP switched network from IPv4 base into IPv6 base |
JP2011501623A (en) | Various methods and apparatus for a central station for assigning virtual IP addresses |
WO2017166936A1 (en) | Method and device for implementing address management, and AAA server and SDN controller |
JP3858884B2 (en) | Network access gateway, network access gateway control method and program |
US20040083290A1 (en) | Software implemented virtual private network service |
CN113785606B (en) | Network device and method for policy-based wireless network access |
KR100714368B1 (en) | Internet protocol address management system co-operated with authentication server |
Aura et al. | Securing network location awareness with authenticated DHCP |
JP5461465B2 (en) | Computer network |
De Launois et al. | Connection of extruded subnets: a solution based on RSIP |
Odagiri et al. | Consideration of the user authentication processes for the cloud type of virtual policy based network management scheme to manage the specific domain |
WO2006075823A1 (en) | Internet protocol address management system co-operated with authentication server |
Odagiri et al. | Concept of policy information decision method in the cloud type virtual policy based network management scheme for the specific domain |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
TA01 | Transfer of patent application right | Effective date of registration: 20220222. Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province. Applicant after: Huawei Cloud Computing Technologies Co.,Ltd. Address before: 518129 Huawei headquarters office building, Bantian, Longgang District, Shenzhen City, Guangdong Province. Applicant before: HUAWEI TECHNOLOGIES Co.,Ltd. |
GR01 | Patent grant | |