
HK40053594B - Network connection management method and apparatus, computer readable medium and electronic device - Google Patents


Info

Publication number
HK40053594B
Authority
HK
Hong Kong
Prior art keywords
access
network connection
accessed
access point
physical address
Prior art date
Application number
HK42021043629.1A
Other languages
Chinese (zh)
Other versions
HK40053594A (en)
Inventor
赵乾
Original Assignee
腾讯科技(深圳)有限公司
Filing date
Publication date
Application filed by 腾讯科技(深圳)有限公司
Publication of HK40053594A
Publication of HK40053594B


Description

Network connection management method and apparatus, computer-readable medium and electronic device

Technical Field

This application relates to the field of computer and communication technology, and in particular to a network connection management method and apparatus, a computer-readable medium, and an electronic device.

Background

With the development of WLAN (Wireless Local Area Network) technology, some application scenarios, such as enterprise WLANs, require a large number of station devices (STAs) to connect to APs (Access Points). In such scenarios, how to manage the network connections of station devices effectively is a technical problem that urgently needs to be solved.

Summary of the Invention

The embodiments of this application provide a network connection management method and apparatus, a computer-readable medium, and an electronic device, which can improve the efficiency of network access authentication at least to some extent.

Other features and advantages of this application will become apparent from the following detailed description, or may be learned in part through practice of this application.

According to one aspect of the embodiments of this application, a network connection management method is provided, comprising: obtaining the physical address of each device to be connected; generating an access key corresponding to the physical address of each device to be connected; generating, from the access keys corresponding to the physical addresses of the devices to be connected, an association between physical addresses and access keys; and sending the association to an access point device and pushing each access key to the corresponding device to be connected, so that the access point device verifies, on the basis of the association, the access request that a device to be connected initiates using its access key.

According to one aspect of the embodiments of this application, a network connection management method is provided, comprising: receiving, from an access point management platform, an association between physical addresses and access keys, the association having been generated by the access point management platform from the access keys corresponding to the physical addresses of the devices to be connected; if an access request is received from a given device, obtaining the physical address of that device and the access key contained in the access request; and verifying the access request on the basis of the association, the physical address of the device, and the access key contained in the access request.

According to one aspect of the embodiments of this application, a network connection management method is provided, comprising: reporting a physical address to an application server; receiving, from the application server, the access key corresponding to that physical address; if a connection trigger operation is received, generating an access request for a specified access point device, the access request containing the access key; and sending the access request to the specified access point device, so that the specified access point device verifies the access request on the basis of an association between physical addresses and access keys, the association having been generated from the access keys corresponding to the physical addresses of the devices to be connected.

According to one aspect of the embodiments of this application, a network connection management apparatus is provided, comprising: a first acquisition unit configured to obtain the physical address of each device to be connected; a first generation unit configured to generate an access key corresponding to the physical address of each device to be connected; a second generation unit configured to generate, from the access keys corresponding to the physical addresses of the devices to be connected, an association between physical addresses and access keys; and a first sending unit configured to send the association to an access point device and to push each access key to the corresponding device to be connected, so that the access point device verifies, on the basis of the association, the access request that a device to be connected initiates using its access key.

In some embodiments of this application, based on the foregoing scheme, the first acquisition unit is configured to receive, from an application server, the physical address of at least one device to be connected, that physical address having been reported to the application server by an application client running on the device.

In some embodiments of this application, based on the foregoing scheme, the first sending unit is configured to push the association between physical addresses and access keys to the application server, so that the application server, according to the association, pushes each access key to the device to be connected whose physical address it is associated with.

In some embodiments of this application, based on the foregoing scheme, the first generation unit is configured to generate the access keys from the physical addresses of the devices to be connected, wherein the access keys generated for different physical addresses differ from one another.

According to one aspect of the embodiments of this application, a network connection management apparatus is provided, comprising: a first receiving unit configured to receive, from an access point management platform, an association between physical addresses and access keys, the association having been generated by the access point management platform from the access keys corresponding to the physical addresses of the devices to be connected; a second acquisition unit configured to obtain, if an access request is received from a given device, the physical address of that device and the access key contained in the access request; and a processing unit configured to verify the access request on the basis of the association, the physical address of the device, and the access key contained in the access request.

In some embodiments of this application, based on the foregoing scheme, the processing unit is configured to determine that the access request has passed verification if, according to the association, the physical address of the given device is associated with the access key contained in the access request.

In some embodiments of this application, based on the foregoing scheme, the processing unit is configured to reject the access request if the physical address of the given device is not present in the association.

According to one aspect of the embodiments of this application, a network connection management apparatus is provided, comprising: a reporting unit configured to report a physical address to an application server; a second receiving unit configured to receive, from the application server, the access key corresponding to that physical address; a third generation unit configured to generate, if a connection trigger operation is received, an access request for a specified access point device, the access request containing the access key; and a second sending unit configured to send the access request to the specified access point device, so that the specified access point device verifies the access request on the basis of an association between physical addresses and access keys, the association having been generated from the access keys corresponding to the physical addresses of the devices to be connected.

In some embodiments of this application, based on the foregoing scheme, the reporting unit is configured to associate the user account information held in the local application client with the physical address of the device to be connected on which that client runs, and to report them together to the application server.

In some embodiments of this application, based on the foregoing scheme, the network connection management apparatus further comprises a determination unit configured to display a graphical user interface on which a network connection trigger control is shown, and to determine that a connection trigger operation has been received if a trigger operation on that control is detected.

According to one aspect of the embodiments of this application, a computer-readable medium is provided on which a computer program is stored; when the computer program is executed by a processor, it implements the network connection management method described in the above embodiments.

According to one aspect of the embodiments of this application, an electronic device is provided, comprising one or more processors and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the network connection management method described in the above embodiments.

According to one aspect of the embodiments of this application, a computer program product or computer program is provided that comprises computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the network connection management method provided in the various optional embodiments described above.

In the technical solutions provided by some embodiments of this application, the access point management platform generates an access key corresponding to the physical address of each device to be connected, generates from those keys an association between physical addresses and access keys, sends the association to the access point device, and pushes each access key to the corresponding device to be connected, so that the access point device can verify the access requests initiated by the devices on the basis of the association between physical addresses and access keys. By associating each device's access key with its physical address, the technical solution lets the access point device, when verifying an access request, first check whether the requesting device's physical address is present in the association at all, which prevents malicious devices from degrading the access point's performance by repeatedly initiating access requests; and, when the physical address is present, quickly verify the access key contained in the request against the access key recorded for that physical address, which improves the efficiency of network access authentication.
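The verification flow described above, as an added worked example that is not the patent's own code: a management platform derives one key per physical address, the AP rejects an unlisted MAC before touching any key material and otherwise checks only the one key bound to that MAC, and a plain PPSK keyring scan is shown alongside for comparison. The class names, the HMAC-based key generation, the platform secret and the 02:xx sample MAC addresses are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Sample physical addresses (constructed; locally administered 02:... range).
SAMPLE_MACS = ["02:00:00:00:00:01", "02-00-00-00-00-02", "0200.0000.0003"]


def canonical_mac(mac: str) -> str:
    """Normalise a MAC to lower-case colon form so that association lookups are exact."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class AccessPointManagementPlatform:
    """Generates one access key per physical address and the MAC -> key association."""

    def __init__(self, platform_secret: Optional[bytes] = None) -> None:
        # A MAC address is public, so every key's unpredictability comes from
        # this secret, which must never leave the platform.
        self._secret = platform_secret or secrets.token_bytes(32)

    def generate_key(self, mac: str) -> str:
        # Distinct MACs give distinct keys (HMAC-SHA256, truncated to 128 bits).
        digest = hmac.new(self._secret, canonical_mac(mac).encode(), hashlib.sha256).digest()
        return digest[:16].hex()

    def build_association(self, macs: List[str]) -> Dict[str, str]:
        """The association pushed to the AP; the same keys go to the app server for delivery."""
        return {canonical_mac(m): self.generate_key(m) for m in macs}


class AccessPoint:
    """Verifies access requests against the association received from the platform."""

    def __init__(self, association: Dict[str, str]) -> None:
        self._association = association
        self.key_comparisons = 0  # instrumentation: work spent on key checks

    def verify(self, mac: str, presented_key: str) -> Tuple[bool, str]:
        entry = self._association.get(canonical_mac(mac))
        if entry is None:
            # Unlisted MAC: rejected before any key comparison, so a flood of
            # requests from an unknown device never reaches the key material.
            return False, "unknown_mac"
        self.key_comparisons += 1
        if not hmac.compare_digest(entry.encode(), presented_key.encode()):
            return False, "key_mismatch"
        return True, "ok"


def ppsk_keyring_verify(key_list: List[str], presented_key: str) -> Tuple[bool, int]:
    """Reference: a PPSK keyring with no MAC binding, scanned key by key."""
    comparisons = 0
    for stored in key_list:
        comparisons += 1
        if hmac.compare_digest(stored.encode(), presented_key.encode()):
            return True, comparisons
    return False, comparisons


def station_access_request(mac: str, pushed_key: str) -> Dict[str, str]:
    """What the application client sends once the user taps the connect control."""
    return {"mac": canonical_mac(mac), "key": pushed_key}


def demo() -> Dict[str, object]:
    platform = AccessPointManagementPlatform()
    association = platform.build_association(SAMPLE_MACS)
    ap = AccessPoint(association)
    legit = station_access_request(SAMPLE_MACS[2], association["02:00:00:00:00:03"])
    results: Dict[str, object] = {
        "legit": ap.verify(legit["mac"], legit["key"]),
        # Listed device presenting another device's key: one comparison, rejected.
        "wrong_key": ap.verify(SAMPLE_MACS[0], legit["key"]),
        # Unlisted device repeating requests: rejected with zero key comparisons.
        "unlisted": ap.verify("02:00:00:00:00:ff", legit["key"]),
    }
    results["comparisons"] = ap.key_comparisons
    results["keyring_scan"] = ppsk_keyring_verify(list(association.values()), legit["key"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```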

It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not limit this application.

Description of the Drawings

The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain its principles. Clearly, the drawings described below are only some embodiments of this application, and a person of ordinary skill in the art can obtain other drawings from them without inventive effort. In the drawings:

Figure 1 is a schematic diagram of WPA/WPA2-PSK authentication;

Figure 2 is a schematic diagram of WPA/WPA2-PPSK authentication;

Figure 3 is a flowchart of establishing a connection between an STA and an AP;

Figure 4 is a schematic diagram of the four-way handshake authentication between an STA and an AP;

Figure 5 is a schematic diagram of key generation during STA and AP authentication;

Figure 6 is a schematic diagram of a Portal authentication configuration interface;

Figure 7 is a flowchart of a network connection management method according to an embodiment of this application;

Figure 8 is a flowchart of a network connection management method according to an embodiment of this application;

Figure 9 is a flowchart of a network connection management method according to an embodiment of this application;

Figure 10 is a schematic diagram of a cloud AP scenario according to an embodiment of this application;

Figure 11 is a system architecture diagram of a cloud AP scenario according to an embodiment of this application;

Figure 12 is a flowchart of a network connection management method according to an embodiment of this application;

Figure 13 is a schematic diagram of a one-click network connection interface according to an embodiment of this application;

Figure 14 is a block diagram of a network connection management apparatus according to an embodiment of this application;

Figure 15 is a block diagram of a network connection management apparatus according to an embodiment of this application;

Figure 16 is a block diagram of a network connection management apparatus according to an embodiment of this application;

Figure 17 is a schematic structural diagram of a computer system suitable for implementing the electronic device of the embodiments of this application.

Detailed Description

Exemplary embodiments will now be described more fully with reference to the accompanying drawings. The exemplary embodiments can, however, be implemented in many forms and should not be construed as limited to the examples given here; rather, they are provided so that this application is thorough and complete and fully conveys the concept of the exemplary embodiments to those skilled in the art.

Furthermore, the features, structures or characteristics described in this application may be combined in any suitable manner in one or more embodiments. Numerous specific details are given in the following description to provide a full understanding of the embodiments of this application. Those skilled in the art will recognise, however, that the technical solutions of this application can be implemented without all of the detailed features of the embodiments, that one or more specific details may be omitted, or that other methods, elements, devices, steps and so on may be used.

The block diagrams shown in the drawings are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network devices and/or processor devices and/or microcontroller devices.

The flowcharts shown in the drawings are merely illustrative; they need not include all of the content and operations/steps, nor need the operations/steps be performed in the order described. For example, some operations/steps may be decomposed while others may be combined or partially combined, so the actual order of execution may change according to the actual situation.

Note that "a plurality of" in this document means two or more. "And/or" describes the relationship between associated objects and indicates that three relationships are possible; for example, "A and/or B" may mean A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.

WPA stands for Wi-Fi Protected Access; it has three standards, WPA, WPA2 and WPA3, and is a system for protecting the security of wireless networks. WPA/WPA2-PSK (Pre-Shared Key) is an authentication method in which a shared key is distributed in advance, and it offers higher security in both its encryption method and its key verification method. As shown in Figure 1, when WPA/WPA2-PSK authentication is used, all station devices that connect to a given SSID (Service Set Identifier) of access point device 101 use the same access key; for example, the PSK of both station device 102 and station device 103 is "12345".

WPA/WPA2-PPSK (Private PSK) authentication inherits the advantages of WPA/WPA2-PSK authentication: it is simple to deploy, and at the same time it can issue different pre-shared keys to different station devices, which effectively improves network security. With WPA/WPA2-PPSK authentication, station devices connected to the same SSID can have different access keys, different users can be granted different authorisations, and if one user owns several station devices, those devices can all connect to the network through the same PPSK account. As shown in Figure 2, station devices 202 and 203, connected to the same SSID of access point device 201, can use the same PSK, while station device 204 can use a PSK different from that of station devices 202 and 203.

Whether WPA/WPA2-PSK or WPA/WPA2-PPSK is used, the connection process and the key negotiation flow between the STA and the AP are the same.

As shown in Figure 3, the process of establishing a connection between a station device (STA) and an access point device (AP) mainly includes the following steps.

Step S301, scanning phase (SCAN).

Specifically, the STA uses scanning to search for APs. When a roaming STA looks for a new AP to connect to, it searches on every available channel. There are two scanning methods: active scanning and passive scanning.

In active scanning, the STA sends Probe Request frames on each channel (channels 1 to 13) in turn, looking for an AP with the same SSID as its own; if no AP with that SSID is found, it keeps scanning. The characteristic of active scanning is that it can find an AP quickly.

In passive scanning, the STA discovers the network by listening for the Beacon frames that the AP sends periodically; these frames carry information about the AP and the BSS (Basic Service Set) it belongs to. Passive scanning takes longer to find an AP, but it reduces the STA's power consumption.

Step S302, authentication phase (Authentication).

Specifically, once the STA has found APs with the same SSID as its own, it selects, among those APs, the one with the strongest received signal and enters the authentication phase; only an STA that passes identity authentication may obtain wireless access. The authentication methods offered by an AP include open-system authentication, shared-key authentication and pre-shared-key authentication (WPA PSK).

In open-system authentication, the STA sends an authentication request and the authentication server responds when it receives it. In shared-key authentication, the STA sends an authentication request, the authentication server replies with a challenge text, the STA encrypts that text with its preconfigured key and sends the result to the authentication server, and the server decrypts it with the preconfigured key and compares it with the text it originally sent; if the two match, authentication succeeds.

Step S303, association phase (Association).

Specifically, once the AP has returned an authentication response to the STA and the STA's identity has been authenticated, the association phase begins. In this phase the STA sends an association request to the AP and the AP returns an association response. When the STA moves, roaming comes into play; roaming within the same network requires only re-association, not re-authentication. Only when the association between the AP and the STA is complete is the STA's access procedure finished, that is, the connection between the STA and the AP has succeeded.

Before data can be transmitted, the STA and the AP perform an EAPOL (Extensible Authentication Protocol over LAN) four-way handshake to produce the keys they need. The process is shown in Figure 4: the STA acts as the supplicant and the AP as the authenticator.

Message 1 of the four-way handshake is an EAPOL-Key frame, sent by the authenticator to the supplicant by unicast, that carries the A-Nonce, a random number generated by the authenticator.

After receiving message 1, the supplicant has the A-Nonce and AA (the Authenticator MAC address) and already holds the PMK (Pairwise Master Key, typically a set of random numbers) and SPA (its own MAC address), so it can compute the PTK (Pairwise Transient Key) with the following function:

PTK = PRF(PMK + A-Nonce + S-Nonce + AA + SPA)

Here PRF denotes a pseudorandom function, S-Nonce is a random number generated by the supplicant, and the PMK in the formula is the one configured on the supplicant itself. The resulting PTK has three parts: the KCK (Key Confirmation Key), the KEK (Key Encryption Key) and the TK (Temporal Key). The KCK is used to compute the integrity of key-generation messages, the KEK to encrypt key-generation messages, and the TK is the key actually used for data encryption.

Message 2 of the four-way handshake is the second EAPOL-Key frame: after generating the PTK, the supplicant sends the S-Nonce, a MIC (message integrity code, a hash value computed over a set of data that must be protected, used to detect tampering) and other information to the authenticator. The MIC in message 2 is encrypted with the KCK (Key Confirmation Key).

On receiving message 2, the authenticator takes the S-Nonce from it and performs the same calculation as the supplicant to check whether the supplicant's reply is correct; specifically, it compares the received MIC with the MIC it computes itself. If they do not match, the MIC integrity check fails, which indicates that the supplicant's PMK is wrong, and the whole handshake stops there.

If the authenticator finds the supplicant's reply correct, it generates the PTK and the GTK (Group Temporal Key). The GTK is the key used to encrypt multicast and broadcast traffic.

Message 3 of the four-way handshake is the third EAPOL-Key frame, sent by the authenticator to the supplicant after it has generated the PTK and GTK; it carries the GTK and a MIC. The GTK is encrypted with the KEK and the MIC with the KCK.

After receiving message 3, the supplicant likewise performs calculations to determine whether the authenticator's PMK is correct. If it is, the supplicant sends the final EAPOL-Key frame, message 4, to the authenticator as confirmation. If authentication succeeds, both the supplicant and the authenticator install the keys, where "install" means starting to use the keys to encrypt data: the supplicant installs the PTK and GTK, and the authenticator installs the PTK.

Once the supplicant and the authenticator have completed authentication, the authenticator's controlled port is opened so that 802.11 data frames can be transmitted normally; all unicast data frames are protected by encryption under the PTK, and all multicast and broadcast data by encryption under the GTK.

The key generation process during authentication is shown in Figure 5. The PMK is generated from the ESSID (Extended Service Set Identifier) and the PSK, for example with the SHA-1 (Secure Hash Algorithm 1) algorithm. The PTK is generated from the supplicant MAC (the STA MAC), the authenticator MAC (which can be represented by the BSSID), the PMK, and the A-Nonce and S-Nonce obtained in the four-way handshake. The PTK can then be used to encrypt the data into ciphertext and to protect the MIC, using either AES (Advanced Encryption Standard) or TKIP (Temporal Key Integrity Protocol).
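The key derivation described above, as an added worked example that is not part of the patent: it implements the IEEE 802.11 PBKDF2-HMAC-SHA1 passphrase-to-PMK mapping (the SHA-1 based step the text refers to), the PRF-384 expansion of the PTK from PMK, A-Nonce, S-Nonce, AA and SPA with the KCK/KEK/TK split, and the message 2 and message 3 MIC checks that stop the handshake when the two sides' PMKs differ. In the standard the MIC is an HMAC keyed with the KCK rather than a value encrypted with it, which is what the code computes; the EAPOL frame bodies and MAC addresses are constructed placeholders, and the AES key wrap of the GTK under the KEK is left out.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

PAIRWISE_LABEL = b"Pairwise key expansion"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """PTK = PRF-384(PMK, label, min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).

    The min/max ordering makes the result identical no matter which side computes it.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PAIRWISE_LABEL, data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 (AES/CCMP): the MIC is HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def simulate_handshake(sta_passphrase: str, ap_passphrase: str, ssid: str,
                       aa: bytes, spa: bytes) -> Tuple[bool, str]:
    """Run messages 1-4 between a supplicant and an authenticator that may hold different PSKs.

    Returns (success, reason). Each side derives its own PMK; the nonces are fresh
    random values as in a real exchange, so a wrong PMK shows up as a MIC mismatch.
    """
    pmk_sta = derive_pmk(sta_passphrase, ssid)
    pmk_ap = derive_pmk(ap_passphrase, ssid)
    anonce = os.urandom(32)  # message 1: authenticator -> supplicant, carries A-Nonce
    snonce = os.urandom(32)
    ptk_sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)

    # Message 2: supplicant -> authenticator, S-Nonce plus a MIC over the frame (constructed body).
    msg2 = b"EAPOL-Key msg2 (constructed body) " + snonce
    mic2 = eapol_mic(ptk_sta["KCK"], msg2)
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ptk_ap["KCK"], msg2), mic2):
        return False, "msg2 MIC check failed: supplicant PMK does not match"

    # Message 3: authenticator -> supplicant; the GTK would be AES-key-wrapped under the KEK here.
    msg3 = b"EAPOL-Key msg3 (constructed body) <GTK wrapped under KEK omitted>"
    mic3 = eapol_mic(ptk_ap["KCK"], msg3)
    if not hmac.compare_digest(eapol_mic(ptk_sta["KCK"], msg3), mic3):
        return False, "msg3 MIC check failed: authenticator PMK does not match"

    # Message 4: supplicant confirms; afterwards both sides install the PTK (same TK).
    msg4 = b"EAPOL-Key msg4 (constructed body)"
    if not hmac.compare_digest(eapol_mic(ptk_ap["KCK"], msg4), eapol_mic(ptk_sta["KCK"], msg4)):
        return False, "msg4 MIC check failed"
    return ptk_sta["TK"] == ptk_ap["TK"], "keys installed"


if __name__ == "__main__":
    # Constructed, locally administered MAC addresses for the AP (AA) and the STA (SPA).
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    print("matching PSKs:", simulate_handshake("password", "password", "IEEE", aa, spa))
    print("wrong STA PSK:", simulate_handshake("password", "passw0rd", "IEEE", aa, spa))
```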

In enterprise WLANs, WPA/WPA2-PPSK authentication is widely used, since it gives every user a different key and is simple to configure and deploy. However, this approach requires every user's key to be stored on the access authentication device, i.e. the device must keep a separate key list. When that list holds many keys, checking a key entered by a user greatly increases the verification time. Moreover, with a large key list, a malicious device that deliberately submits wrong keys as an attack can leave the access authentication device unable to work, and this approach also makes it hard to prevent keys from being mixed up between users.

In addition, the related art also uses Portal authentication. A portal is a web site that acts as a gateway to the Internet. The Wi-Fi provider must first configure portal authentication; the configuration interface is shown in Figure 6 and requires setting the Portal URL (Uniform Resource Locator), authentication Key, authentication Secret, authentication URL, whitelist, Check URL, network type and so on. After configuration, a user can connect to the password-free Wi-Fi, after which the portal authentication page pops up in a browser; only after entering the authentication username and password can the user actually reach the Internet through the Wi-Fi network. Besides being cumbersome to operate, portal authentication also has compatibility problems: some terminals (such as certain manufacturers' mobile phones) may fail to pop up the portal authentication page after connecting to the Wi-Fi, so that authentication cannot proceed.

To address the problems above, the embodiments of this application provide a new network connection management scheme. By associating the access key of each device to be accessed with its physical address, the access point device, when verifying an access request, can on the one hand check whether the physical address of the device to be accessed is present in that association, which prevents malicious devices from degrading the access point's performance by frequently initiating access requests, and on the other hand, when the physical address is present in the association, quickly verify the access key contained in the access request against the access key that corresponds to that physical address. This improves the efficiency of network access verification and also avoids the problem of access keys being mixed up.

The implementation details of the technical solutions of the embodiments of this application are described below:

Figure 7 shows a flowchart of a network connection management method according to an embodiment of this application. The method can be executed by an access point management platform, i.e. a platform used for access management. Referring to Figure 7, the method includes at least steps S710 to S740, described in detail as follows:

In step S710, the physical address of each device to be accessed is obtained.

In one embodiment of this application, the physical address of a device to be accessed may be its MAC (Media Access Control) address. The physical address may be reported directly by the device to the access point management platform (for example over a mobile communication network), or reported to the platform indirectly through other devices.

Optionally, an application client is installed on the device to be accessed; the client obtains the device's physical address and reports it to an application server, and the application server then sends the physical addresses it has collected (at least one) to the access point management platform.

Optionally, the access point management platform may be implemented as a server, which may be a standalone physical server, a server cluster or distributed system made up of multiple physical servers, or a cloud server providing cloud computing services. The device to be accessed may be, without limitation, a smartphone, tablet, laptop, desktop computer, smart speaker, smartwatch, in-vehicle terminal or smart TV.

In step S720, an access key corresponding to the physical address of each device to be accessed is generated.

In one embodiment of this application, the access point management platform may generate a random access key for each device to be accessed, or generate access keys according to a certain policy. Optionally, the platform may generate access keys that follow a rule based on the region or device type of the device: for example, keys beginning with "01" for devices in region 1 and keys beginning with "02" for devices in region 2, or keys beginning with "phone" for mobile phones and keys beginning with "pc" for computers.

Optionally, a different access key can be generated for each distinct physical address, which gives one key per device and avoids keys being mixed up between devices.

In step S730, an association between physical addresses and access keys is generated from the access keys corresponding to the physical addresses of the devices to be accessed.

In one embodiment of this application, after an access key has been generated for each physical address, the key is stored in association with the physical address, which constitutes the association between physical addresses and access keys. In addition, to speed up the lookup of access keys in the verification phase, a hash table can be built from this association, which improves key lookup efficiency.

In step S740, the association between physical addresses and access keys is sent to the access point device, and each access key is pushed to the corresponding device to be accessed, so that the access point device can use the association to verify the access request that the device initiates with its access key.

In one embodiment of this application, after generating the association between physical addresses and access keys, the access point management platform may push the association to the access point device and push each device's access key to that device, for example directly over a mobile communication network, or indirectly through other devices.

Optionally, an application client installed on the device to be accessed communicates with an application server. In this scenario, the access point management platform may push the association between physical addresses and access keys to the application server, and the application server then pushes each access key to the device whose physical address it is associated with.

Figure 7 describes the technical solution of the embodiment from the perspective of the access point management platform; the following describes it from the perspective of the access point device:

Figure 8 shows a flowchart of a network connection management method according to an embodiment of this application. The method can be executed by an access point device. Referring to Figure 8, the method includes at least steps S810 to S830, described in detail as follows:

In step S810, the association between physical addresses and access keys sent by the access point management platform is received; the association was generated by the platform from the access keys corresponding to the physical addresses of the devices to be accessed.

Optionally, for the process by which the access point management platform generates the association, refer to the foregoing embodiments; it is not repeated here.

In step S820, if an access request sent by a specified device is received, the physical address of the specified device and the access key contained in the access request are obtained.

In the embodiments of this application, the specified device is a station device that needs to connect to the access point device. Since the specified device has already communicated with the access point device before sending the access request, its physical address may already have been obtained by the time the access request is sent. Of course, the specified device may also carry its physical address in the access request again.

In step S830, the access request is verified based on the association between physical addresses and access keys, the physical address of the specified device, and the access key contained in the access request.

In one embodiment of this application, if the association shows that the physical address of the specified device is associated with the access key contained in the access request, the access request is verified successfully. Specifically, the verification may proceed as follows: the access point device looks up the access key corresponding to the specified device's physical address in the association, then compares the key it found with the key carried in the access request; if they are identical, verification succeeds.

In one embodiment of this application, if the physical address of the specified device is not present in the association, the access request is rejected. This prevents malicious devices from frequently initiating connection requests and leaving the access point device unable to work normally.

The technical solution of the embodiment is described below from the perspective of the station device:

Figure 9 shows a flowchart of a network connection management method according to an embodiment of this application. The method can be executed by a station device. Referring to Figure 9, the method includes at least steps S910 to S940, described in detail as follows:

In step S910, the physical address is reported to the application server.

In one embodiment of this application, after the application client running on the station device has established a connection with the application server, it may report the station device's physical address to the application server.

Optionally, the station device may associate the user account information in the local application client with the physical address of the device running that client and report both to the application server, so that the application server knows the correspondence between physical addresses and user accounts.

In step S920, the access key corresponding to the physical address, pushed by the application server, is received.

Optionally, for the process by which the application server pushes the access key corresponding to the physical address, refer to the foregoing embodiments; it is not repeated here.

In step S930, if a connection trigger operation is received, an access request for a specified access point device is generated; the access request contains the access key.

In one embodiment of this application, the connection trigger operation may be a networking operation triggered by the user on the station device, such as tapping a connect button.

Optionally, the station device (specifically, the application client installed on it) may display a graphical user interface containing a network connection trigger control. When a trigger operation on that control is detected, a connection trigger operation is deemed to have been received, and an access request is generated from the access key.

In step S940, the access request is sent to the specified access point device, so that the access point device can verify the access request based on the association between physical addresses and access keys, the association having been generated from the access keys corresponding to the physical addresses of the devices to be accessed.

Optionally, for the access point device's verification process, refer to the technical solutions of the foregoing embodiments; it is not repeated here.

The foregoing embodiments have described the technical solution from the perspectives of the access point management platform, the access point device and the station device respectively; the following details the implementation from the perspective of the interaction between these devices.

In one application scenario of this application, the access point device may be a cloud AP. A cloud AP extends the management capability of a local AP to the cloud, so that multiple cloud APs can be managed uniformly from the cloud (the cloud AP management platform, i.e. the access point management platform of the foregoing embodiments), for example to configure the cloud AP's LAN, WAN (Wide Area Network) and blacklists/whitelists. The cloud AP scenario is shown in Figure 10: the cloud AP management platform communicates with the cloud AP directly over the Internet or WLAN, or over the Internet or WLAN through a firewall and a switch, and the cloud AP communicates and interacts with wireless terminals.

The system architecture of the cloud AP scenario is shown in Figure 11 and mainly comprises three parts: the cloud AP hardware, the cloud AP management platform and the application.

The cloud AP hardware mainly comprises one or more cloud APs. A cloud AP needs to connect to the cloud AP management platform (specifically through a multi-port forwarder, the HUB), receive the AP configuration information sent by the platform, receive the PPSK keys issued by the platform together with their management messages, and receive and manage the connection information of terminals (i.e. station devices).

The cloud AP management platform comprises an operations platform, the HUB, device management, enterprise configuration, an address book, key management, a database and other components.

The operations platform manages cloud task scheduling and monitors abnormal conditions; the HUB connects to the cloud AP hardware and maintains the associated heartbeats; device management manages the information of the connected cloud APs; enterprise configuration manages the cloud AP configuration of each enterprise; the address book records enterprise employees' information, including phone numbers or instant-messaging account information; key management generates, destroys and updates keys and allocates the MAC-PSK hash table to each enterprise; the application service provides the corresponding API (Application Programming Interface) information to the application; and the database, as a basic component, stores data persistently.

The application mainly refers to the application corresponding to the cloud AP, including the front-end management pages and application information and the back-end platform and service capabilities. Optionally, the application may be a hosted program, i.e. a program that exists only within a host environment, such as a mini-program or a quick app.

Based on the system architecture shown in Figure 11, in one embodiment of this application network access management can be implemented by the flow shown in Figure 12, which specifically includes the following steps:

Step S1201: the enterprise application APP pushes the terminal's MAC address and the current enterprise information to the enterprise application cloud platform.

It should be noted that the enterprise application APP may be an APP developed separately for a particular enterprise, or a public platform serving all enterprises. If it is a public platform serving all enterprises, enterprise users need to create the enterprise information on that platform, bind the enterprise's cloud APs to that enterprise information, and configure the cloud APs, for example by configuring the SSID.

Once an enterprise employee has installed the enterprise application APP on a terminal and entered the enterprise they belong to, the APP can collect the terminal's MAC address and push this information to the enterprise application cloud platform.

Step S1202: the enterprise application cloud platform pushes the binding between MAC addresses and enterprise employees to the cloud AP management platform.

In one embodiment of this application, the enterprise employee information may be the employee's staff number, name and so on, or the employee's account name in the enterprise application APP. Optionally, the enterprise application cloud platform may push only the MAC addresses to the cloud AP management platform and keep the binding between MAC addresses and employees locally.

Step S1203: the cloud AP management platform generates the MAC-PSK hash table and pushes it to the AP's device SDK.

In one embodiment of this application, the cloud AP management platform can generate a one-key-per-device MAC-PSK hash table from the MAC addresses pushed by the enterprise application cloud platform, and send that hash table to the device SDK (Software Development Kit) of the cloud AP.

Step S1204: the cloud AP management platform generates the enterprise employees' PSKs and pushes them to the enterprise application cloud platform.

In one embodiment of this application, the cloud AP management platform may push the association between PSKs and MAC addresses to the enterprise application cloud platform, so that the cloud platform can distribute the PSKs by MAC address.

Optionally, there is no strict order between steps S1203 and S1204: step S1203 may be executed before step S1204, step S1204 before step S1203, or both at the same time.

Step S1205: the enterprise application cloud platform forwards each enterprise employee's PSK to the enterprise application APP.

Optionally, the enterprise application cloud platform uses the MAC address reported by the enterprise application APP and the association between MAC addresses and PSKs to push the PSK to the corresponding APP. Note that, after obtaining the association between MAC addresses and PSKs, the cloud platform may push the PSK to the corresponding APP proactively, or send it only when it receives an access key acquisition request from that APP.

Step S1206: the user initiates one-click networking in the enterprise application APP.

Optionally, as shown in Figure 13, the enterprise application APP may display a "one-click networking" control 1301. After the user has selected the enterprise network to connect to, they can tap control 1301, whereupon the APP on the terminal pushes the PSK to the cloud AP device. Since the cloud AP device also obtains the terminal's MAC address while communicating with the enterprise application APP, it can verify the request quickly against the MAC-PSK hash table.

Specifically, the PSK corresponding to the terminal's MAC address is retrieved from the MAC-PSK hash table and compared with the PSK pushed by the enterprise application APP; if they match, verification succeeds. Compared with the scheme in which the AP stores a separate key list and verifies whether the pushed PSK exists in that list by searching through it, this greatly reduces the verification time. At the same time, since the AP must check whether the MAC address exists in the MAC-PSK hash table, it can directly reject access requests from devices with unauthorised MAC addresses, avoiding the performance impact of malicious devices frequently initiating access requests; in addition, the technical solution of this embodiment also avoids the problem of access keys being mixed up.
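The scheme of steps S710 to S740 and S810 to S830, and of steps S1203 and S1206 above, as an added example in Python (written for this page; it is not the patent's or any vendor's code). The class and method names and the sample MAC addresses are constructed for the illustration. The management platform generates one key per physical address (optionally with the region or device-type prefix of step S720), keeps the association as a hash table keyed by the normalised MAC, and pushes it to the access point; the access point rejects any request whose MAC is absent from the table before touching a key, and otherwise compares the presented key with the stored one in constant time.

```python
import hmac
import re
import secrets

# Added example of the MAC-PSK scheme. Names and sample addresses are
# constructed for illustration and are not the patent's own code.


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so that table lookups do not depend
    on how the client or driver happened to format the address."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


class AccessPointManagementPlatform:
    """S710-S730: collect physical addresses, generate one key per address,
    and keep the association as a hash table (a dict keyed by MAC)."""

    def __init__(self):
        self.mac_psk = {}

    @staticmethod
    def generate_key(region="", device_type=""):
        # Optional policy prefix (e.g. "01" for region 1, "phone" for handsets)
        # followed by 128 bits of CSPRNG output, so keys are unique per device.
        return region + device_type + secrets.token_hex(16)

    def register(self, macs, region="", device_type=""):
        for mac in macs:
            key = normalize_mac(mac)
            self.mac_psk.setdefault(key, self.generate_key(region, device_type))
        return dict(self.mac_psk)

    def push_to_ap(self, ap):
        """S740 / S1203: deliver the MAC-PSK hash table to the access point."""
        ap.load_table(self.mac_psk)

    def keys_for_devices(self):
        """S740 / S1204-S1205: what the application server forwards to each station."""
        return dict(self.mac_psk)


class AccessPoint:
    """S810-S830 / S1206: verify an access request against the table."""

    def __init__(self):
        self.mac_psk = {}
        self.rejected_unknown_mac = 0   # cheap signal for spotting probing clients

    def load_table(self, table):
        self.mac_psk = dict(table)

    def verify(self, mac, presented_key) -> bool:
        try:
            mac = normalize_mac(mac)
        except ValueError:
            self.rejected_unknown_mac += 1
            return False
        expected = self.mac_psk.get(mac)
        if expected is None:
            # Address not in the association: reject before doing any key work.
            self.rejected_unknown_mac += 1
            return False
        # Constant-time comparison of the per-device key.
        return hmac.compare_digest(expected.encode(), presented_key.encode())


def scheme_demo() -> dict:
    """Constructed end-to-end run: two registered devices, three requests."""
    platform = AccessPointManagementPlatform()
    table = platform.register(["AA-BB-CC-00-11-22", "aa:bb:cc:00:11:33"], region="01")
    ap = AccessPoint()
    platform.push_to_ap(ap)
    keys = platform.keys_for_devices()
    return {
        "valid": ap.verify("AABBCC001122", keys["aa:bb:cc:00:11:22"]),
        "key_of_other_device": ap.verify("aa:bb:cc:00:11:22", keys["aa:bb:cc:00:11:33"]),
        "unknown_mac": ap.verify("aa:bb:cc:00:11:44", keys["aa:bb:cc:00:11:22"]),
        "unique_keys": len(set(table.values())) == len(table),
        "policy_prefix": all(k.startswith("01") for k in table.values()),
        "unknown_count": ap.rejected_unknown_mac,
    }
```

Two points a deployment has to get right: the MAC pre-check is a filter against unknown or probing clients and not a credential, so the per-device key remains the thing that is verified and must be pushed to the station over an authenticated channel; and a terminal that randomises its MAC per network will present a different address from the one the APP reported, so the APP has to report the address the terminal will actually use for that SSID, or the lookup in step S830 will miss.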

以下介绍本申请的装置实施例,可以用于执行本申请上述实施例中的网络连接管理方法。对于本申请装置实施例中未披露的细节,请参照本申请上述的网络连接管理方法的实施例。The following describes an apparatus embodiment of this application, which can be used to execute the network connection management method described above in this application. For details not disclosed in the apparatus embodiments of this application, please refer to the embodiments of the network connection management method described above in this application.

图14示出了根据本申请的一个实施例的网络连接管理装置的框图,该网络连接管理装置可以设置在接入点管理平台内。Figure 14 shows a block diagram of a network connection management device according to an embodiment of the present application, which can be set in an access point management platform.

参照图14所示,根据本申请的一个实施例的网络连接管理装置1400,包括:第一获取单元1402、第一生成单元1404、第二生成单元1406和第一发送单元1408。Referring to FIG14, a network connection management device 1400 according to an embodiment of the present application includes: a first acquisition unit 1402, a first generation unit 1404, a second generation unit 1406, and a first transmission unit 1408.

其中,第一获取单元1402配置为获取待接入设备的物理地址;第一生成单元1404配置为生成与各个待接入设备的物理地址相对应的接入密钥;第二生成单元1406配置为根据与所述各个待接入设备的物理地址相对应的接入密钥,生成物理地址与接入密钥之间的关联关系;第一发送单元1408配置为将所述关联关系发送给接入点设备,并将接入密钥推送给对应的待接入设备,以使所述接入点设备基于所述关联关系验证所述待接入设备基于所述接入密钥发起的接入请求。The first acquisition unit 1402 is configured to acquire the physical address of the device to be accessed; the first generation unit 1404 is configured to generate an access key corresponding to the physical address of each device to be accessed; the second generation unit 1406 is configured to generate an association relationship between the physical address and the access key based on the access key corresponding to the physical address of each device to be accessed; and the first sending unit 1408 is configured to send the association relationship to the access point device and push the access key to the corresponding device to be accessed, so that the access point device can verify the access request initiated by the device to be accessed based on the access key based on the association relationship.

在本申请的一些实施例中,基于前述方案,第一获取单元1402配置为:接收应用程序服务端发送的至少一个待接入设备的物理地址,所述至少一个待接入设备的物理地址是运行于所述至少一个待接入设备上的应用程序客户端上报给所述应用程序服务端的。In some embodiments of this application, based on the aforementioned scheme, the first acquisition unit 1402 is configured to: receive the physical address of at least one device to be accessed sent by the application server, wherein the physical address of the at least one device to be accessed is reported to the application server by the application client running on the at least one device to be accessed.

In some embodiments of this application, based on the foregoing scheme, the first sending unit 1408 is configured to push the association between physical addresses and access keys to the application server, so that the application server, according to that association, pushes each access key to the device to be accessed whose physical address it is associated with.

In some embodiments of this application, based on the foregoing scheme, the first generating unit 1404 is configured to generate the access keys according to the physical addresses of the respective devices to be accessed, where the access keys generated for different physical addresses are different from one another.

FIG. 15 shows a block diagram of a network connection management apparatus according to an embodiment of this application; the apparatus may be provided in an access point device.

Referring to FIG. 15, a network connection management apparatus 1500 according to an embodiment of this application includes a first receiving unit 1502, a second acquiring unit 1504 and a processing unit 1506.

The first receiving unit 1502 is configured to receive the association between physical addresses and access keys sent by the access point management platform, the association being generated by the access point management platform from the access keys corresponding to the physical addresses of the respective devices to be accessed. The second acquiring unit 1504 is configured to, when an access request sent by a specified device is received, obtain the physical address of the specified device and the access key contained in the access request. The processing unit 1506 is configured to verify the access request according to the association, the physical address of the specified device and the access key contained in the access request.

In some embodiments of this application, based on the foregoing scheme, the processing unit 1506 is configured to determine that the access request is verified successfully if, according to the association, the physical address of the specified device is associated with the access key contained in the access request.

In some embodiments of this application, based on the foregoing scheme, the processing unit 1506 is configured to reject the access request if the physical address of the specified device is not present in the association.

FIG. 16 shows a block diagram of a network connection management apparatus according to an embodiment of this application; the apparatus may be provided in a station device.

Referring to FIG. 16, a network connection management apparatus 1600 according to an embodiment of this application includes a reporting unit 1602, a second receiving unit 1604, a third generating unit 1606 and a second sending unit 1608.

The reporting unit 1602 is configured to report the physical address to the application server. The second receiving unit 1604 is configured to receive the access key corresponding to that physical address, pushed by the application server. The third generating unit 1606 is configured to, when a connection trigger operation is received, generate an access request for a specified access point device, the access request containing the access key. The second sending unit 1608 is configured to send the access request to the specified access point device, so that the specified access point device verifies the access request on the basis of the association between physical addresses and access keys, the association being generated from the access keys corresponding to the physical addresses of the respective devices to be accessed.

In some embodiments of this application, based on the foregoing scheme, the reporting unit 1602 is configured to associate the user account information in the local application client with the physical address of the device to be accessed on which the local application client runs, and to report them to the application server.

In some embodiments of this application, based on the foregoing scheme, the network connection management apparatus 1600 further includes a determining unit configured to display a graphical user interface on which a network connection trigger control is shown; if a trigger operation on the network connection trigger control is detected, it is determined that a connection trigger operation has been received.
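The three apparatus descriptions above (management platform, access point and station) together with the application server form one provisioning and verification flow. The following Python is an added example that is not part of the patent or of any Tencent code: it models the four parties as classes and runs the exchange end to end, including the two rejection cases the access point must handle (physical address not in the association, and a key that does not match the address). The patent does not fix how a key is generated from a physical address, only that keys for different addresses differ; deriving each key as HMAC-SHA256 of the normalised MAC under a platform-held secret is an assumption of this example, as are all class and function names and the sample MAC addresses, which are constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-..' and 'aa:bb:..' refer to the same device."""
    return mac.strip().lower().replace("-", ":")


class AccessPointManagementPlatform:
    """Generates one access key per physical address and the MAC -> key association."""

    def __init__(self, master_secret: bytes) -> None:
        self._master_secret = master_secret  # assumption: platform-held secret

    def generate_access_key(self, mac: str) -> str:
        # Assumption: key = HMAC-SHA256(master_secret, MAC). Keys for different
        # MACs differ, and a key cannot be computed from the MAC alone.
        return hmac.new(self._master_secret, normalize_mac(mac).encode(),
                        hashlib.sha256).hexdigest()

    def build_association(self, macs: List[str]) -> Dict[str, str]:
        return {normalize_mac(m): self.generate_access_key(m) for m in macs}


class Station:
    """Device to be accessed; the app client on it reports the MAC and receives the key."""

    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.access_key: Optional[str] = None

    def receive_access_key(self, key: str) -> None:
        self.access_key = key

    def build_access_request(self, ap_id: str) -> Dict[str, str]:
        # Built when the user triggers the connect control in the client UI.
        return {"ap": ap_id, "mac": self.mac, "access_key": self.access_key or ""}


class ApplicationServer:
    """Collects (account, MAC) reports and pushes each key back to its device."""

    def __init__(self) -> None:
        self.devices: Dict[str, Tuple[str, Station]] = {}

    def report_physical_address(self, station: Station, account: str) -> None:
        self.devices[normalize_mac(station.mac)] = (account, station)

    def physical_addresses(self) -> List[str]:
        return list(self.devices)

    def distribute_keys(self, association: Dict[str, str]) -> int:
        pushed = 0
        for mac, key in association.items():
            if mac in self.devices:
                self.devices[mac][1].receive_access_key(key)
                pushed += 1
        return pushed


class AccessPoint:
    """Holds the association pushed by the platform and verifies access requests."""

    def __init__(self) -> None:
        self.association: Dict[str, str] = {}

    def receive_association(self, association: Dict[str, str]) -> None:
        self.association = dict(association)

    def verify_access_request(self, request: Dict[str, str]) -> Tuple[bool, str]:
        expected = self.association.get(normalize_mac(request["mac"]))
        if expected is None:
            return False, "rejected: physical address not in association"
        # Constant-time comparison so the check does not leak key bytes via timing.
        if not hmac.compare_digest(expected.encode(), request.get("access_key", "").encode()):
            return False, "rejected: access key does not match physical address"
        return True, "verified"


def run_exchange() -> Dict[str, Tuple[bool, str]]:
    """Full provisioning flow followed by four verification outcomes."""
    platform = AccessPointManagementPlatform(b"constructed-platform-secret")
    app_server, ap = ApplicationServer(), AccessPoint()

    sta_a = Station("AA:BB:CC:00:00:01")          # constructed sample devices
    sta_b = Station("aa-bb-cc-00-00-02")
    sta_unknown = Station("AA:BB:CC:00:00:99")    # never reports to the app server

    app_server.report_physical_address(sta_a, "alice")   # client -> app server
    app_server.report_physical_address(sta_b, "bob")
    association = platform.build_association(app_server.physical_addresses())
    app_server.distribute_keys(association)              # app server -> clients
    ap.receive_association(association)                  # platform -> access point

    stolen = sta_a.build_access_request("ap-1")
    stolen["access_key"] = sta_b.access_key or ""        # A presents B's key
    return {
        "a_ok": ap.verify_access_request(sta_a.build_access_request("ap-1")),
        "b_ok": ap.verify_access_request(sta_b.build_access_request("ap-1")),
        "unknown_mac": ap.verify_access_request(sta_unknown.build_access_request("ap-1")),
        "wrong_key": ap.verify_access_request(stolen),
    }
```

The access point checks the physical address first and only then the key, which is the order the processing unit 1506 description implies: a request from an address that was never reported is refused before any key comparison happens, and a valid key presented from the wrong address is refused because the association binds each key to exactly one physical address.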

FIG. 17 shows a schematic structural diagram of a computer system suitable for implementing the electronic device of an embodiment of this application.

It should be noted that the computer system 1700 of the electronic device shown in FIG. 17 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of this application.

As shown in FIG. 17, the computer system 1700 includes a central processing unit (CPU) 1701, which can perform various appropriate actions and processes, such as the methods described in the above embodiments, according to a program stored in a read-only memory (ROM) 1702 or a program loaded from a storage section 1708 into a random access memory (RAM) 1703. The RAM 1703 also stores various programs and data required for system operation. The CPU 1701, the ROM 1702 and the RAM 1703 are connected to one another via a bus 1704. An input/output (I/O) interface 1705 is also connected to the bus 1704.

The following components are connected to the I/O interface 1705: an input section 1706 including a keyboard, a mouse and the like; an output section 1707 including a cathode ray tube (CRT), a liquid crystal display (LCD), a speaker and the like; a storage section 1708 including a hard disk and the like; and a communication section 1709 including a network interface card such as a LAN (local area network) card or a modem. The communication section 1709 performs communication processing via a network such as the Internet. A drive 1710 is also connected to the I/O interface 1705 as needed. A removable medium 1711, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1710 as needed, so that a computer program read from it can be installed into the storage section 1708 as needed.

In particular, according to embodiments of this application, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program may be downloaded and installed from a network via the communication section 1709, and/or installed from the removable medium 1711. When the computer program is executed by the central processing unit (CPU) 1701, the various functions defined in the system of this application are performed.

It should be noted that the computer-readable medium shown in the embodiments of this application may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of these. In this application, a computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in combination with, an instruction execution system, apparatus or device. A computer-readable signal medium, by contrast, may include a data signal propagated in baseband or as part of a carrier wave, in which a computer-readable program is carried. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal or any suitable combination of these. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by, or in combination with, an instruction execution system, apparatus or device. The program code contained on a computer-readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, or any suitable combination of these.

The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functions and operation of possible implementations of systems, methods and computer program products according to various embodiments of this application. Each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of a block diagram or flowchart, and any combination of such blocks, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

The units described in the embodiments of this application may be implemented in software or in hardware, and the described units may also be provided in a processor. In some cases the names of these units do not constitute a limitation on the units themselves.

In another aspect, this application also provides a computer-readable medium, which may be included in the electronic device described in the above embodiments, or may exist separately without being assembled into that electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the methods described in the above embodiments.

It should be noted that although several modules or units of the apparatus for performing the actions are mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of this application, the features and functions of two or more of the modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.

From the above description of the embodiments, those skilled in the art will readily understand that the example embodiments described herein may be implemented by software, or by software in combination with the necessary hardware. Therefore, the technical solutions according to the embodiments of this application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk or the like) or on a network, and which includes several instructions that cause a computing device (which may be a personal computer, a server, a touch terminal, a network device or the like) to execute the method according to the embodiments of this application.

Other embodiments of this application will readily occur to those skilled in the art upon consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses or adaptations of this application that follow its general principles and include such common knowledge or customary technical means in the art as are not disclosed herein.

It should be understood that this application is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of this application is limited only by the appended claims.

Claims (14)

1. A network connection management method, characterized in that the network connection management method is executed by an access point management platform, the access point management platform being connected to an access point device, the network connection management method comprising:
receiving physical addresses of a plurality of devices to be accessed sent by an application server, the physical addresses of the plurality of devices to be accessed being reported to the application server by application clients running on the plurality of devices to be accessed;
generating access keys respectively corresponding to the physical addresses of the plurality of devices to be accessed;
generating an association between physical addresses and access keys according to the access keys respectively corresponding to the physical addresses of the plurality of devices to be accessed; and
sending the association to the application server and the access point device, so that the application server distributes the corresponding access keys to the plurality of devices to be accessed respectively, and the access point device verifies, on the basis of the association, an access request initiated by a device to be accessed with its access key.

2. The network connection management method according to claim 1, characterized in that generating the access keys corresponding to the physical addresses of the respective devices to be accessed comprises:
generating the access keys according to the physical addresses of the respective devices to be accessed, wherein the access keys generated for different physical addresses of the devices to be accessed are different.

3. A network connection management method, characterized in that the network connection management method is executed by an access point device, the access point device being connected to an access point management platform, the network connection management method comprising:
receiving an association between physical addresses and access keys sent by the access point management platform, the association being generated by the access point management platform according to access keys respectively corresponding to physical addresses of a plurality of devices to be accessed sent by an application server, the physical addresses of the plurality of devices to be accessed being reported to the application server by application clients running on the plurality of devices to be accessed;
if an access request sent by a specified device is received, obtaining the physical address of the specified device and the access key contained in the access request; and
verifying the access request according to the association, the physical address of the specified device and the access key contained in the access request.

4. The network connection management method according to claim 3, characterized in that verifying the access request according to the association, the physical address of the specified device and the access key contained in the access request comprises:
if it is determined according to the association that the physical address of the specified device is associated with the access key contained in the access request, determining that the access request is verified successfully.

5. The network connection management method according to claim 3 or 4, characterized in that verifying the access request according to the association, the physical address of the specified device and the access key contained in the access request comprises:
if the physical address of the specified device is not present in the association, rejecting the access request.

6. A network connection management method, characterized in that the network connection management method is executed by a station device, the network connection management method comprising:
reporting the physical address of the station device to an application server through an application client running on the station device;
receiving an access key corresponding to the physical address pushed by the application server, the access key being determined by the application server according to an association between physical addresses and access keys sent by an access point management platform, the association being generated by the access point management platform according to physical addresses of a plurality of devices to be accessed sent by the application server;
if a connection trigger operation is received, generating an access request for a specified access point device, the access request containing the access key; and
sending the access request to the specified access point device, so that the specified access point device verifies the access request on the basis of the association between physical addresses and access keys sent by the access point management platform.

7. The network connection management method according to claim 6, characterized in that reporting the physical address of the station device to the application server comprises:
associating user account information in the local application client with the physical address of the station device, and reporting them to the application server.

8. The network connection management method according to claim 6 or 7, characterized in that the network connection management method further comprises:
displaying a graphical user interface on which a network connection trigger control is shown; and
if a trigger operation on the network connection trigger control is detected, determining that a connection trigger operation has been received.

9. A network connection management apparatus, characterized in that the network connection management apparatus is applied to an access point management platform, the access point management platform being connected to an access point device, the network connection management apparatus comprising:
a first acquiring unit, configured to receive physical addresses of a plurality of devices to be accessed sent by an application server, the physical addresses of the plurality of devices to be accessed being reported to the application server by application clients running on the plurality of devices to be accessed;
a first generating unit, configured to generate access keys respectively corresponding to the physical addresses of the plurality of devices to be accessed;
a second generating unit, configured to generate an association between physical addresses and access keys according to the access keys respectively corresponding to the physical addresses of the plurality of devices to be accessed; and
a first sending unit, configured to send the association to the application server and the access point device, so that the application server distributes the corresponding access keys to the plurality of devices to be accessed respectively, and the access point device verifies, on the basis of the association, an access request initiated by a device to be accessed with its access key.

10. A network connection management apparatus, characterized in that the network connection management apparatus is applied to an access point device, the access point device being connected to an access point management platform, the network connection management apparatus comprising:
a first receiving unit, configured to receive an association between physical addresses and access keys sent by the access point management platform, the association being generated by the access point management platform according to access keys respectively corresponding to physical addresses of a plurality of devices to be accessed sent by an application server, the physical addresses of the plurality of devices to be accessed being reported to the application server by application clients running on the plurality of devices to be accessed;
a second acquiring unit, configured to, if an access request sent by a specified device is received, obtain the physical address of the specified device and the access key contained in the access request; and
a processing unit, configured to verify the access request according to the association, the physical address of the specified device and the access key contained in the access request.

11. A network connection management apparatus, characterized in that the network connection management apparatus is applied to a station device, the network connection management apparatus comprising:
a reporting unit, configured to report the physical address of the station device to an application server through an application client running on the station device;
a second receiving unit, configured to receive an access key corresponding to the physical address pushed by the application server, the access key being determined by the application server according to an association between physical addresses and access keys sent by an access point management platform, the association being generated by the access point management platform according to physical addresses of a plurality of devices to be accessed sent by the application server;
a third generating unit, configured to, if a connection trigger operation is received, generate an access request for a specified access point device, the access request containing the access key; and
a second sending unit, configured to send the access request to the specified access point device, so that the specified access point device verifies the access request on the basis of the association between physical addresses and access keys sent by the access point management platform.

12. A computer-readable medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the network connection management method according to any one of claims 1 to 8.

13. An electronic device, characterized in that it comprises:
one or more processors; and
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the network connection management method according to any one of claims 1 to 8.

14. A computer program product, characterized in that the computer program product comprises a computer program stored in a computer-readable storage medium, and a processor of an electronic device reads the computer program from the computer-readable storage medium and executes it, causing the electronic device to perform the network connection management method according to any one of claims 1 to 8.
HK42021043629.1A 2021-12-03 Network connection management method and apparatus, computer readable medium and electronic device HK40053594B (en)

Publications (2)

Publication Number Publication Date
HK40053594A HK40053594A (en) 2022-02-11
HK40053594B true HK40053594B (en) 2024-11-01

