[WLAN from Beginner to Master - Basics] No. 8: The STA access procedure

In the previous issues we covered the process by which a FIT AP goes online with the AC. Whether it is a FAT AP or a FIT AP that goes online, the ultimate goal is the same: to provide a wireless network coverage environment for the wireless access terminal, the STA, so that in daily life and work, anywhere within that coverage, we can connect to the network conveniently through an AP for entertainment or office use. This issue introduces how a STA accesses an AP in a wireless network environment: the STA access procedure.

Last time we saw how the FIT AP, after a not-so-easy journey, succeeded in finding its master, the AC, was accepted as a disciple, learned profound internal skills and, together with its fellow disciples, was entrusted with tasks by the master. Under the wise leadership of this handsome, romantic and well-educated master, the disciples worked together to build the renowned Longmen Escort Agency, with the AC as Young Chief and each AP as an escort guarding the consignments of all kinds of customers. The Longmen Escort Agency is known to everyone for responding to customers quickly and for escorting goods safely and reliably. Hence the saying: "For excavator skills, look to Lanxiang in Shandong; for escorting goods, Longmen is second to none." After a period of hard work the agency has become famous, and its standardized process for handling consignments has played an important part in getting it this far. So let's look at what a customer of the Longmen Escort Agency actually has to do to commission an escort.
When a customer (STA) asks the escort agency to take a consignment, there are three specific steps:

First, find a satisfactory escort (AP) (scanning: the STA finds a wireless network);

Second, show the escort its credentials (link authentication: authentication of the wireless link between the STA and the AP; only a STA that passes it is eligible to establish a wireless link with the AP);

Third, sign the escort agreement (association: having established that the STA and AP are eligible to set up a wireless link, the STA still needs to negotiate the service parameters of the wireless link with the AP to complete its establishment).

In this article, the customer's commissioning of an escort is a metaphor for the STA access procedure, and the escorting of the goods stands for data transmission. The STA access procedure we are discussing here therefore comprises three stages: scanning, link authentication and association.

 

After these three stages are complete, the STA is connected to the AP. Whether the STA can then access the network as soon as it obtains an IP address, or must first complete one of several forms of access authentication and key agreement, depends on the actual deployment. (The figure shows the case of Portal authentication, where the IP address is obtained before access authentication; the order in which the IP address is obtained differs between authentication methods, e.g. with MAC authentication the IP address is obtained after access authentication.)

Ps: access authentication and key agreement are not necessarily performed; in the association stage the STA determines whether they are needed from the association response it receives. The association stage is described in detail later. In practice, however, access authentication and key agreement are usually chosen for the sake of wireless network security.

Stage 1: Scanning

Before the customer (STA) commissions an escort, it must first find a satisfactory one. To meet market demand, the agency has assigned different escorts to handle business in different regions, and a customer may move between regions, so the customer needs to keep up to date on which escorts are currently available for hire. This process of finding an escort to hire is, in the jargon, called scanning. The customer can either look for escorts actively, or passively wait for escorts to push their service information to it.

When we connect a phone to Wi-Fi, we usually first look at which wireless signals the phone can currently find and then pick one network to join. The picture shows the wireless networks a phone has found; what is that string of letters? It is the SSID we introduced earlier, the identifier of each wireless network. We join a network by tapping the SSID we want to connect to.

 

This actually conveys one message: to connect to a wireless network, you first need to search for it. The STA's process of searching for wireless networks is called scanning. Of course, many phones today automatically reconnect to a network they have connected to before; this is a convenience feature of the phone software, not a sign that the phone skips scanning. Scanning is an automated process in phones and other STAs, and what we see is simply the result of a scan that has already taken place.

Scanning falls into two categories: active scanning and passive scanning. As the names suggest, active scanning means the STA actively probes for wireless networks, while passive scanning means the STA only receives the radio signals sent by APs. The specific processes are described below.

Active scanning

In the active way of looking for an escort, the customer (STA) takes the initiative, within its means, to find out which escorts can take its consignment. The STA walks into the agency looking for every escort on offer, climbs onto a slightly raised spot and shouts: "Is there any escort who can take a consignment? It's a big deal." The words "big deal" catch every escort's attention, and in almost no time all of them respond to the STA's request. By the rules of the Longmen Escort Agency, every escort on duty must respond to a customer's request, so that the customer obtains complete information about the escorts and has more to choose from. All the STA then needs to do is pick the escort it likes best.

 

In active scanning, the STA sends a probing signal on each channel it supports in turn, to probe for wireless networks in its surroundings; this signal sent by the STA is called a probe request frame (Probe Request). Probe request frames fall into two categories: those that specify no SSID, and those that specify an SSID.

1. A probe request frame that specifies no SSID means the STA wants to discover every wireless network whose signal it can receive. Every AP that receives this broadcast probe request frame responds and indicates its own SSID, so the STA can discover all surrounding wireless networks. (Note: if an AP's wireless network is configured to hide the SSID in Beacon frames, the AP does not respond to broadcast probe request frames, and the STA cannot obtain the SSID information in this way.)

Sometimes the STA finds that there are too many eager escorts and wants to get to the one it intends to hire quickly, so it calls out that escort's name directly. The other escorts naturally no longer bother; only the named escort comes over to talk with the customer.

 

2. A probe request frame that specifies an SSID means the STA wants to find only that particular SSID and no other wireless network. After receiving such a request frame, an AP responds to the STA only if the SSID in the request frame is the same as its own.

Passive scanning

Besides the customer going to the agency on its own initiative, the escorts also periodically send out notices or leaflets telling customers that escorts are available here to take consignments. Through the contact details on the notices and leaflets that the escorts send out on their own initiative, the STA can also find escorts to hire. The benefit, of course, is that it saves the customer effort.

In passive scanning, the STA sends no probe request message; all it needs to do is passively receive the beacon frames (Beacon frames) that APs transmit periodically.

 

An AP's Beacon frame contains information such as its SSID and supported rates, and the AP broadcasts it periodically. For example, the default Beacon frame transmission period of an AP is 100 ms, i.e. the AP broadcasts one Beacon frame every 100 ms. The STA listens for Beacon frames on each channel it supports to learn which wireless networks exist around it. (Note: if the wireless network is configured to hide the SSID in Beacon frames, the SSID carried in the AP's Beacon frames is the empty string, so the STA cannot obtain the SSID from the Beacon frame.)
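As an added illustration of both scanning methods (example code written for this article, not Huawei's or the original author's), the following Python models a toy AP that emits Beacon frames and answers Probe Requests, and a STA that scans either passively or actively. The frame layout follows the IEEE 802.11 management-frame format (24-byte header, 12 bytes of fixed fields, then tagged information elements); the `AccessPoint` class, its `hidden` flag, the BSSID/MAC values and the SSID names are constructed for the example. It shows the two behaviours the text notes for SSID hiding: the Beacon still goes out but with an empty SSID, and a broadcast probe gets no answer while a directed probe naming the SSID does.

```python
import struct

# IEEE 802.11 constants (standard values, not taken from the article)
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 0x4, 0x5, 0x8
IE_SSID, IE_SUPPORTED_RATES = 0, 1
HEADER_LEN = 24            # Frame Control(2) + Duration(2) + Addr1/2/3(18) + Seq Ctrl(2)
FIXED_LEN = 12             # Timestamp(8) + Beacon Interval(2) + Capability(2)
BROADCAST = b"\xff" * 6


def build_mgmt_frame(subtype, da, sa, bssid, body):
    """Management frame: type 0 with the given subtype, the fixed header, then the body."""
    frame_control = struct.pack("<H", subtype << 4)
    return frame_control + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


def ie(tag, value):
    """One tagged information element: tag, length, value."""
    return bytes([tag, len(value)]) + value


def parse_ies(data):
    """Split the tagged-parameter section into {tag: value}; stops cleanly on truncation."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


class AccessPoint:
    """Toy AP (constructed); `hidden` corresponds to the article's 'SSID hiding in Beacon frames'."""

    def __init__(self, bssid, ssid, hidden=False, beacon_interval_tu=100):
        self.bssid, self.ssid, self.hidden = bssid, ssid, hidden
        self.beacon_interval_tu = beacon_interval_tu   # one TU is 1.024 ms

    def _fixed_fields(self):
        # Timestamp (zero here), beacon interval, capability info (ESS bit set)
        return struct.pack("<QHH", 0, self.beacon_interval_tu, 0x0001)

    def beacon(self):
        """Periodic broadcast; with SSID hiding the SSID element carries the empty string."""
        ssid_bytes = b"" if self.hidden else self.ssid.encode()
        body = (self._fixed_fields() + ie(IE_SSID, ssid_bytes)
                + ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96])))
        return build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, self.bssid, self.bssid, body)

    def handle_probe_request(self, frame):
        """Return a probe response, or None when this AP must stay silent."""
        requested = parse_ies(frame[HEADER_LEN:]).get(IE_SSID, b"").decode()
        if requested == "":
            if self.hidden:            # broadcast probe: a hidden AP does not answer
                return None
        elif requested != self.ssid:   # directed probe: only the named SSID answers
            return None
        sta_mac = frame[10:16]         # Addr2 (source address) of the request
        body = self._fixed_fields() + ie(IE_SSID, self.ssid.encode())
        return build_mgmt_frame(SUBTYPE_PROBE_RESP, sta_mac, self.bssid, self.bssid, body)


def parse_beacon(frame):
    """Extract BSSID, beacon interval and SSID from a beacon frame."""
    subtype = (struct.unpack("<H", frame[:2])[0] >> 4) & 0xF
    if subtype != SUBTYPE_BEACON:
        raise ValueError("not a beacon frame")
    _ts, interval, _cap = struct.unpack("<QHH", frame[HEADER_LEN:HEADER_LEN + FIXED_LEN])
    ssid = parse_ies(frame[HEADER_LEN + FIXED_LEN:]).get(IE_SSID, b"").decode()
    return {"bssid": frame[16:22], "interval_tu": interval, "ssid": ssid}


def passive_scan(aps):
    """The STA only listens: it sees every beacon, but hidden networks show an empty SSID."""
    return [parse_beacon(ap.beacon())["ssid"] for ap in aps]


def active_scan(aps, sta_mac, ssid=None):
    """The STA sends one probe request (broadcast when ssid is None) and collects the answers."""
    body = ie(IE_SSID, b"" if ssid is None else ssid.encode())
    request = build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, sta_mac, BROADCAST, body)
    found = []
    for ap in aps:
        response = ap.handle_probe_request(request)
        if response is not None:
            found.append(parse_ies(response[HEADER_LEN + FIXED_LEN:])[IE_SSID].decode())
    return found


# Constructed sample: one ordinary AP and one AP with SSID hiding enabled
APS = [AccessPoint(b"\x02\x00\x00\x00\x00\x01", "Office"),
       AccessPoint(b"\x02\x00\x00\x00\x00\x02", "Hidden-Net", hidden=True)]
STA_MAC = b"\x02\x00\x00\x00\x00\xaa"

if __name__ == "__main__":
    print("passive:", passive_scan(APS))                                # ['Office', '']
    print("broadcast probe:", active_scan(APS, STA_MAC))                # ['Office']
    print("directed probe:", active_scan(APS, STA_MAC, "Hidden-Net"))   # ['Hidden-Net']
```

The `parse_ies` loop deliberately tolerates a truncated tagged-parameter section instead of raising, which is what a real scanner needs when it receives malformed frames over the air.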

Does the STA search for radio signals by active scanning or by passive scanning? That is entirely determined by what the STA supports. The wireless network cards in phones and computers generally support both methods. Whichever scanning method is used, the wireless networks it discovers are shown in the phone's or computer's network-connection list for the user to choose from. VoIP clients generally use passive scanning, in order to save power.

Once the phone has scanned a wireless network's signal, we can choose which network to join, and the STA then enters the link authentication stage.

Stage 2: Link authentication

Once the STA has found a satisfactory escort, the escort cannot be allowed to take the goods straight away. Before the agreement is signed, the escort must verify the STA's credentials, to guard against STAs with illegal or malicious intent.

The Longmen Escort Agency offers customers several service packages (security policies), each of which verifies the STA's credentials in a different way. Broadly, though, STA credential verification comes in two forms: open system authentication and shared key authentication.

The STA and the AP are connected by a wireless link, and during the establishment of this link the STA is required to pass link authentication; only after it passes can the wireless link between the STA and the AP be established. At this point, however, it is still not possible to tell whether the STA is permitted to access the wireless network; that is decided later by access authentication, if access authentication is required.

When it comes to authentication we may think of 802.1X authentication, PSK authentication, Open authentication and a whole bunch of others. What is the relationship between these and link authentication? Before answering that, let's first get a simple understanding of security policies.

A security policy embodies a set of security mechanisms: the link authentication mode used when the wireless link is established, the access authentication mode used when the user goes online, and the data encryption applied when the wireless user's data traffic is transmitted. The following table lists several security policies together with their corresponding link authentication, access authentication and data encryption.

Security policy | Link authentication | Access authentication | Data encryption | Explanation
WEP | Open | not involved | No encryption or WEP encryption | Insecure security policy
WEP | Shared-key authentication | not involved | WEP encryption | Insecure security policy
WPA/WPA2-802.1X | Open | 802.1X (EAP) | TKIP or CCMP | Secure security policy for large enterprises
WPA/WPA2-PSK | Open | PSK | TKIP or CCMP | Secure security policy for small and medium businesses or home users
WAPI-CERT | Open | WAPI certificate authentication | SMS4 | Chinese national standard, rarely deployed; for large enterprises and carriers
WAPI-PSK | Open | Pre-shared key authentication | SMS4 | Chinese national standard, rarely deployed; for small businesses and home users

Let's combine this with the figure below to understand it: link authentication and access authentication are two different stages of authentication.

 

As the table shows, security policies can be divided into WEP, WPA, WPA2 and WAPI, yet the link authentication corresponding to these security policies is in fact only one of two kinds, Open or Shared-key authentication, while 802.1X and PSK belong to access authentication. User access authentication also includes Portal authentication and MAC authentication, which are not listed in the table.

(Ps: for more on security policies, Portal authentication and MAC authentication, refer to the WLAN security feature description.)

Now back to our topic: link authentication, which comprises Open and Shared-key authentication. What does each authentication process look like?

Open system authentication (Open System Authentication)

To speed up the handling of escort business, the Longmen Escort Agency uses a technique called open system authentication to check customers' credentials: as long as a customer makes an escort request, the escort consents directly. This is of course a security risk, since it gives illegitimate customers an opening, so to improve safety the agency usually combines this authentication method with a second, rigorous check of the customer's credentials later in the escort process.

 

Open system authentication is referred to as Open authentication, and is also known as no authentication. Note, however, that "no authentication" is still an authentication mode: in this link authentication mode, as long as the STA sends an authentication request, the AP lets it authenticate successfully. It is an insecure authentication mode, and in practice it is generally used together with some other access authentication mode to improve security.

 

Shared Key Authentication (Shared-key Authentication)

The other method, called shared key authentication, requires the customer and the escort to agree on a code word beforehand. When the customer makes an escort request, the escort verifies the legitimacy of the customer's identity by means of the code word. Only customers who pass can apply for escort business.

 

Seeing "shared key authentication", it is easy to think of pre-shared key authentication, PSK (Pre-shared key Authentication). In fact, shared key authentication is a link authentication, while pre-shared key authentication is a user access authentication mode; the two authentication procedures are, however, similar.

The shared key authentication process has only four steps. Before authentication, the same key must be configured on the STA and the AP, otherwise authentication cannot succeed.

 

Step 1: the STA sends an authentication request to the AP.

Step 2: after receiving the request, the AP generates a challenge phrase and sends it to the STA; assume the challenge phrase is A.

Step 3: the STA encrypts the challenge phrase with its own key Key and sends the encrypted result to the AP; assume the encrypted result is B.

Step 4: after receiving the encrypted information B, the AP decrypts it with its own key Key. As long as the same key is configured on the STA and the AP, the decryption result is A. The AP compares the result with the challenge phrase it sent at the start; if they match, it tells the STA that authentication succeeded, and if they do not match, authentication fails.
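The four steps above, run end to end as an added Python example (written for this article, not code from Huawei or the original author). It follows WEP's shared-key authentication: the challenge is 128 random bytes, the STA encrypts it with RC4 under a 24-bit IV prepended to the configured key, and the AP decrypts with its own key and compares. The `SharedKeyAP` and `SharedKeySTA` classes, the key values and the STA MAC are constructed for the example, and the frame framing and ICV of real WEP are omitted; the point it adds to the text is that the AP must remember which challenge it issued to which STA and discard it after one use, so a reply without an outstanding challenge fails.

```python
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher as used by WEP; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class SharedKeyAP:
    """The AP side (constructed): issues challenge A and checks the STA's reply B."""

    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key
        self.pending = {}     # STA MAC -> outstanding challenge

    def step2_challenge(self, sta_mac: bytes) -> bytes:
        # Step 1 is the STA's authentication request; step 2 answers it with a fresh
        # random 128-byte challenge text (A), remembered until the reply arrives.
        challenge = os.urandom(128)
        self.pending[sta_mac] = challenge
        return challenge

    def step4_verify(self, sta_mac: bytes, iv: bytes, encrypted: bytes) -> bool:
        # Step 4: decrypt B with IV || own key and compare with the challenge A issued.
        challenge = self.pending.pop(sta_mac, None)
        if challenge is None:
            return False      # no outstanding challenge for this STA: stale or duplicate reply
        return rc4(iv + self.wep_key, encrypted) == challenge


class SharedKeySTA:
    """The STA side (constructed): encrypts the challenge with its own configured key."""

    def __init__(self, mac: bytes, wep_key: bytes):
        self.mac, self.wep_key = mac, wep_key

    def step3_respond(self, challenge: bytes):
        # Step 3: pick a 24-bit IV, encrypt A under IV || own key, send IV and B.
        iv = os.urandom(3)
        return iv, rc4(iv + self.wep_key, challenge)


def shared_key_authentication(sta: SharedKeySTA, ap: SharedKeyAP) -> bool:
    """Run the four-step exchange; True only when both sides hold the same key."""
    challenge = ap.step2_challenge(sta.mac)              # steps 1 and 2
    iv, encrypted = sta.step3_respond(challenge)         # step 3
    return ap.step4_verify(sta.mac, iv, encrypted)       # step 4


# Constructed sample keys (40-bit WEP keys) and a constructed STA MAC address
AP_KEY = bytes.fromhex("0102030405")
WRONG_KEY = bytes.fromhex("0102030406")
STA_MAC = b"\x02\x00\x00\x00\x00\xaa"

if __name__ == "__main__":
    ap = SharedKeyAP(AP_KEY)
    print("same key:", shared_key_authentication(SharedKeySTA(STA_MAC, AP_KEY), ap))        # True
    print("different key:", shared_key_authentication(SharedKeySTA(STA_MAC, WRONG_KEY), ap))  # False
```

The `rc4` routine is the standard algorithm and can be checked against the published test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3); the table in this article classifies the whole WEP policy, shared-key authentication included, as insecure, which is why the example stops at showing the mechanism.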

After link authentication succeeds, the STA can proceed to the next stage, association.

Stage 3: Association

After verifying the customer's credentials, the escort takes the customer to the reception room to sign the escort agreement. The STA submits the various materials needed for the agreement to the escort, the escort hands them on to the Young Chief, and the Young Chief (the AC) reviews the agreement. Once the review is complete, the Young Chief returns the signed result to the escort, who hands it to the customer. At this point, the STA has completed the process of commissioning an escort.

 

Association is always initiated by the STA; it is in fact the process in which the STA and the AP negotiate the services of the wireless link.

The association stage is a two-step process consisting only of an association request and an association response.

 

The STA sends an association request frame carrying information about itself, including its own parameters and the service configuration it has selected based on those parameters (the STA's supported rates, channel, QoS capability, its choice of access authentication and encryption algorithm, and so on). If a FAT AP receives the STA's association request, the FAT AP itself determines whether subsequent access authentication is required and responds to the STA. If a FIT AP receives the STA's association request, the FIT AP encapsulates the request packet in CAPWAP and sends it to the AC, the AC makes the determination, and the FIT AP then decapsulates the AC's processing result from CAPWAP and sends it to the STA. (In this process the FIT AP acts as a relay; the association packets between the AP and the AC have to be tunneled over CAPWAP.)

Once the escort agreement is complete, the follow-up process differs according to the service package the customer chose. For example, if the customer chose the WEP security policy package (say Open without encryption), then after the agreement is signed the STA obtains a temporary contact address (obtains an IP address) and the agency can escort its goods. If the customer chose a WPA security policy package (say Open + 802.1X + CCMP), then after the agreement is signed the user obtains contact information but also needs a further identity check by the authority (802.1X authentication) and key agreement before the agency can escort its goods.

Completion of association indicates that the wireless link between the STA and the AP has been established. If access authentication is not configured, the STA can access the wireless network after obtaining an IP address. If access authentication is configured, the STA must also complete the access authentication and key agreement stages before it can access the network. (If access authentication fails, the STA can only access resources in the Guest VLAN or the Portal authentication page.)
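To make the "access authentication and encryption algorithm selection" carried in the association request concrete, here is an added Python example (written for this article, not code from Huawei or the original author) that encodes and parses the IEEE 802.11 RSN element a WPA2 STA places in its association request, checks the STA's chosen pairwise cipher and AKM against the AP's configured security policy, and returns the 802.11 status code plus the next step the STA must take after the association response: obtain an IP address for an open policy without encryption, or PSK/802.1X access authentication followed by key agreement for the WPA2 rows of the table above. The `SecurityPolicy` class, the policy objects and the request contents are constructed for the example; the RSN layout, suite selectors (00-0F-AC) and status codes 0, 40, 42 and 43 are the standard values. WPA (version 1) uses a vendor-specific element with the same structure and is not handled here.

```python
import struct

# IEEE 802.11 RSN element constants (standard values, not taken from the article)
IE_RSN = 48
RSN_OUI = b"\x00\x0f\xac"
CIPHER_TKIP, CIPHER_CCMP = 2, 4
AKM_8021X, AKM_PSK = 1, 2
CIPHER_NAME = {CIPHER_TKIP: "TKIP", CIPHER_CCMP: "CCMP"}
AKM_NAME = {AKM_8021X: "802.1X", AKM_PSK: "PSK"}
# 802.11 status codes returned in the association response
STATUS_SUCCESS, STATUS_INVALID_ELEMENT = 0, 40
STATUS_INVALID_PAIRWISE_CIPHER, STATUS_INVALID_AKMP = 42, 43


def build_rsn_ie(group, pairwise, akms):
    """Encode an RSN element body: version 1, group suite, pairwise list, AKM list, capabilities."""
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(RSN_OUI + bytes([a]) for a in akms)
    return body + b"\x00\x00"                        # RSN capabilities, all bits clear


def _suite_list(body, off):
    """Decode a count-prefixed list of 4-byte suite selectors starting at `off`."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    suites = []
    for _ in range(count):
        if body[off:off + 3] != RSN_OUI:
            raise ValueError("vendor-specific suite selector not handled here")
        suites.append(body[off + 3])
        off += 4
    return suites, off


def parse_rsn_ie(body):
    """Return the group cipher, pairwise cipher list and AKM list the STA selected."""
    if len(body) < 8 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    if body[2:5] != RSN_OUI:
        raise ValueError("vendor-specific group suite not handled here")
    pairwise, off = _suite_list(body, 6)
    akms, _ = _suite_list(body, off)
    return {"group": body[5], "pairwise": pairwise, "akm": akms}


class SecurityPolicy:
    """One row of the security-policy table as an AP configuration (constructed class)."""

    def __init__(self, name, pairwise_allowed=(), akm_allowed=()):
        self.name, self.pairwise_allowed, self.akm_allowed = name, pairwise_allowed, akm_allowed


OPEN_NO_ENCRYPTION = SecurityPolicy("WEP / Open / no encryption")
WPA2_PSK = SecurityPolicy("WPA2-PSK", pairwise_allowed=(CIPHER_CCMP,), akm_allowed=(AKM_PSK,))
WPA2_8021X = SecurityPolicy("WPA2-802.1X", pairwise_allowed=(CIPHER_TKIP, CIPHER_CCMP),
                            akm_allowed=(AKM_8021X,))


def handle_association_request(policy, ies):
    """Return (status code, next step for the STA after the association response)."""
    if not policy.akm_allowed:
        # Open policy without encryption: nothing to negotiate, the STA just obtains an IP
        return STATUS_SUCCESS, "obtain IP address"
    rsn = ies.get(IE_RSN)
    if rsn is None:
        return STATUS_INVALID_ELEMENT, None       # the STA offered no RSN element at all
    try:
        chosen = parse_rsn_ie(rsn)
    except (ValueError, IndexError, struct.error):
        return STATUS_INVALID_ELEMENT, None       # malformed or unsupported element
    pairwise = [p for p in chosen["pairwise"] if p in policy.pairwise_allowed]
    if not pairwise:
        return STATUS_INVALID_PAIRWISE_CIPHER, None
    akm = [a for a in chosen["akm"] if a in policy.akm_allowed]
    if not akm:
        return STATUS_INVALID_AKMP, None
    return STATUS_SUCCESS, (f"{AKM_NAME[akm[0]]} access authentication, "
                            f"then key agreement for {CIPHER_NAME[pairwise[0]]}")


if __name__ == "__main__":
    # Constructed association request carrying only its RSN element (other IEs omitted)
    request_ies = {IE_RSN: build_rsn_ie(CIPHER_CCMP, [CIPHER_CCMP], [AKM_PSK])}
    print(handle_association_request(WPA2_PSK, request_ies))    # (0, 'PSK access authentication, ...')
    print(handle_association_request(WPA2_8021X, request_ies))  # (43, None)
    print(handle_association_request(WPA2_PSK, {}))             # (40, None)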

Other stages

As mentioned in the link authentication stage, access authentication includes 802.1X authentication, PSK authentication, MAC authentication and Portal authentication. These authentication methods verify the user's identity and improve network security, while key agreement protects the security of user data. After access authentication and key agreement are complete, the network can be accessed. Given the limited scope of this issue they are not described in detail; readers interested in this aspect can refer to the WLAN security feature description.

Finally, a small story to share, with a simple analysis using the knowledge presented in this issue. A newly married couple ***: the wife wants to show off in front of a single girlfriend, so she brings her new husband along to visit the girlfriend. During the visit the wife takes out her husband's iPhone 6 and, out of habit, turns on Wi-Fi, and it connects to the network directly without any password being entered... In that moment she seems to realise something. She quietly takes out her own phone and selects the girlfriend's home Wi-Fi, which shows that this is a secure network and that a password must be entered to connect. She woke up, completely awake: her phone could find the girlfriend's home WLAN, but she had to enter a password to use the girlfriend's home Wi-Fi.

Seeing this Wi-Fi network on the phone means the phone found the Wi-Fi network successfully through the scanning process. The husband's phone could connect to the Wi-Fi directly while the wife's phone had to enter a password, and the phone showed that this is a secure network, which means the girlfriend's home Wi-Fi has password authentication. When a phone disconnects from Wi-Fi it usually stores some information from the last connection, such as the password, so that on the next connection the user need not re-enter it; the phone software fills it in automatically. So the husband's phone must have connected to the girlfriend's home Wi-Fi before, otherwise it could not have connected directly without a password. Whether this password prompt belongs to the link authentication stage or the access authentication stage cannot be judged from the above information alone: link authentication may use shared key authentication, and access authentication may use 802.1X, PSK, Portal and other methods, all of which require a password, so one cannot conclude that a password prompt must be access authentication; it may also be link authentication. In practice, however, link authentication typically uses Open authentication and shared key authentication is rarely used, so under normal circumstances a password prompt is most likely access authentication.



Origin blog.csdn.net/yufen9987/article/details/104965443