Cloud-based WIFI network setup for multiple access points
Reading note: this technology, Cloud-based WIFI network setup for multiple access points, was designed and created by M.I. 塔斯金, M. 帕坎, I. 阿卡尔 and K. 卡克马克 on 2018-05-11. Its main content: methods, systems, and devices for facilitating automated configuration of one or more new 802.11 Access Points (APs) are disclosed herein. The cloud server may receive a message associated with a customer account for the one or more new APs. The cloud server may associate a first AP of the one or more new APs with that account based on the message. The cloud server may then retrieve a public key associated with the first AP, which holds the corresponding private key. The cloud server may send the public key to a Gateway (GW) associated with the customer account. The GW may encrypt GW credentials (such as a password and SSID) into a ciphertext using the public key and then broadcast it. When the first AP powers up, it may decrypt the ciphertext using its private key and use the credentials to join the gateway's network as a node.
1. A cloud server for facilitating automated configuration of one or more new 802.11 Access Points (APs), the cloud server comprising:
a processor; and
a communication interface operatively connected to the processor, the communication interface and processor being configured to receive a message associated with a customer account having one or more new APs, to associate a first AP of the one or more new APs with the customer account based on the message, and to retrieve first public key information associated with the first AP;
wherein the communication interface and processor are further configured to transmit the first public key information to a Gateway (GW) associated with the customer account, and to instruct the GW to encrypt credentials of the GW into a first ciphertext based on the first public key information and to broadcast the first ciphertext, so as to configure the first AP when the first AP has been powered on.
2. The server of claim 1, wherein the communication interface and processor are further configured to associate a second AP of the one or more new APs with the customer account and to retrieve second public key information associated with the second AP; and
wherein the communication interface and processor are further configured to transmit the second public key information to the GW, and to instruct the GW to encrypt credentials of the GW into a second ciphertext based on the second public key information and to cause the GW and the first AP to broadcast the second ciphertext, so as to configure the second AP when the second AP has been powered on.
3. The server of claim 1, wherein the message further includes login information for the customer account, and the communication interface and processor are further configured to authorize access to the customer account based on the login information.
4. The server of claim 1, wherein the communication interface and processor are further configured to receive WiFi diagnostics for the one or more new APs and, based on the received WiFi diagnostics, to send to a mobile station (STA) a first recommendation to move the one or more new APs, for visual display on the mobile STA.
5. The server of claim 4, wherein the communication interface and processor are further configured, on receiving second WiFi diagnostics, to send a second recommendation to further move the one or more new APs, for visual display on the mobile STA.
6. The server of claim 4, wherein the first public key information is retrieved from a database.
7. A method performed by a cloud server for facilitating automated configuration of one or more new 802.11 Access Points (APs), the method comprising:
receiving a message associated with a customer account having one or more new APs;
associating a first AP of the one or more new APs with the customer account based on the message;
retrieving first public key information associated with the first AP;
sending the first public key information to a Gateway (GW) associated with the customer account; and
instructing the GW to encrypt a credential of the GW into a first ciphertext based on the first public key information and to broadcast the first ciphertext, so as to configure the first AP when the first AP has been powered on.
8. The method of claim 7, further comprising:
associating a second AP of the one or more new APs with the customer account;
retrieving second public key information associated with the second AP;
sending the second public key information to the GW; and
instructing the GW to encrypt a credential of the GW into a second ciphertext based on the second public key information, and instructing the GW and the first AP to broadcast the second ciphertext, so as to configure the second AP when the second AP has been powered on.
9. The method of claim 7, wherein the received message further comprises login information for the customer account, and access to the customer account is authorized based on the login information.
10. The method of claim 7, further comprising:
receiving first WiFi diagnostics for the one or more new APs; and
based on the received first WiFi diagnostics, sending to a mobile station (STA) a first recommendation to move the one or more new APs, for visual display on the mobile STA.
11. The method of claim 10, further comprising:
receiving, after the first WiFi diagnostics, second WiFi diagnostics for the one or more new APs; and
sending, based on the received second WiFi diagnostics, a second recommendation to further move the one or more new APs, for visual display on the mobile STA.
12. The method of claim 10, wherein the first public key information is retrieved from a database.
13. A Gateway (GW) for facilitating automated configuration of one or more new 802.11 Access Points (APs) in a network of the GW, the GW comprising:
a processor; and
a communication interface operatively connected to the processor, the communication interface and processor being configured to receive, from a cloud server, a first public key associated with a first AP of the one or more new APs, to receive instructions from the cloud server to encrypt credentials of the GW into a first ciphertext using the first public key, to broadcast the first ciphertext so as to configure the first AP when the first AP has been powered on, and to register the first AP in the network of the GW once the configuration is complete.
14. The GW of claim 13, wherein the communication interface and processor are further configured to receive a second public key associated with a second AP of the one or more new APs, to receive instructions from the cloud server to encrypt credentials of the GW into a second ciphertext using the second public key, and to broadcast the second ciphertext through the first AP so as to configure the second AP when the second AP has been powered on.
15. The GW of claim 13, wherein the communication interface and processor are further configured to receive first WiFi diagnostics from the first AP and to send the first WiFi diagnostics to the cloud server.
16. The GW of claim 14, wherein the communication interface and processor are further configured to receive second WiFi diagnostics from the second AP through the first AP and to send the second WiFi diagnostics to the cloud server.
17. The GW of claim 13, wherein the first ciphertext is added to an application extension attribute of a WiFi Simple Configuration (WSC) Information Element (IE).
18. The GW of claim 17, wherein the application extension attribute is encoded in binary type-length-value (TLV) format.
19. The GW of claim 13, wherein the first ciphertext is transmitted in an 802.11u Public Action frame using a Generic Advertisement Service (GAS) request/response exchange.
Technical Field
The present disclosure relates to wireless communication networks.
Background
Business or residential customers may access the internet using DSL, cable or fiber modems/gateways provided by Broadband Service Providers (BSPs). The gateway may have an integrated wireless Access Point (AP), or a separate wireless AP may be connected to an ethernet port of the gateway, providing internet access for WiFi devices throughout the house/premises. In large premises, the gateway may not be able to provide full WiFi coverage. In this case, the customer may complain of insufficient WiFi coverage and ask the BSP to solve the problem. The BSP may suggest that the customer use one or more additional wireless APs to improve WiFi coverage. There is a need for systems, methods, and devices that help BSPs and customers set up and configure new APs more simply and efficiently.
Disclosure of Invention
Methods, systems, and devices for facilitating automated configuration of one or more new 802.11 Access Points (APs) are disclosed herein. The cloud server may receive a message associated with a customer account for the one or more new APs. The cloud server may associate a first AP of the one or more new APs with that account based on the message. The cloud server may then retrieve a public key associated with the first AP, which holds the corresponding private key. The cloud server may send the public key to a Gateway (GW) associated with the customer account. The GW may encrypt GW credentials (such as a password and SSID) into a ciphertext using the public key and then broadcast it. When the first AP has been powered up, it may decrypt the ciphertext using its private key and use the credentials to join the gateway's network as a node.
Drawings
A more detailed understanding may be had from the following description, given by way of example in conjunction with the accompanying drawings, which are not intended to limit the scope of the embodiments; like reference numerals indicate like elements, and:
fig. 1A illustrates an example communication system in which an access point is added to a wireless network;
fig. 1B illustrates an example process for locally adding an access point to a communication system;
fig. 2A illustrates an example communication system in which an access point is added to a wireless network;
fig. 2B illustrates an example process of adding an access point to a communication system using cloud assistance;
fig. 3A illustrates an example communication system in which one or more second access points are added to a wireless network;
fig. 3B illustrates an example process of adding one or more second access points and determining an optimal physical location in a network using cloud assistance;
fig. 4A illustrates an example communication system in which an access point is added to a wireless network; and
fig. 4B illustrates an example process for adding an access point to a communication system using cloud assistance in an automated manner.
Detailed Description
As discussed herein, any embodiment, example, or description may be considered in connection with one or more figures and is not intended to represent an exclusive example. Furthermore, any feature of a system, method, or apparatus described in relation to one example or embodiment may be used in another example or embodiment and is not intended to be exclusive to one example or embodiment.
In some cases, it may be desirable to simplify, automate, and/or make more efficient the addition of a new Access Point (AP) to an 802.11 wireless communication system. In particular, an enterprise or residential customer may access the internet using a DSL, cable or fiber modem/Gateway (GW) provided by a Broadband Service Provider (BSP). The GW may have an integrated wireless AP (e.g., a GW/AP), or a separate wireless AP may be connected to an ethernet port of the GW, providing internet access for WiFi devices throughout the house/premises. For large premises, the AP may not be able to provide full WiFi coverage. In this case, the customer may complain of insufficient WiFi coverage and ask the BSP to solve the problem. The BSP may then suggest that the customer use one or more additional wireless APs to improve WiFi coverage. The BSP and customer must then coordinate the logistics of such an addition, such as the setup and configuration of the one or more new APs. Further, the new AP may form a WiFi mesh network with the existing one, or it may act as a range extender for the existing network. In either case, establishing such a network may be difficult for some customers.
A customer may order one or more new APs from the BSP, which may reserve the new AP(s) for the customer by globally unique serial number in its warehouse inventory database. Once the new AP arrives, the customer can set up and configure it with the BSP's help. Alternatively, the BSP may be able to set up and configure the AP remotely with the assistance of its cloud resources. Alternatively, the BSP may pre-configure the existing GW/AP so that when the new AP arrives and is powered on, it is automatically configured to the existing GW/AP without the customer going through any configuration or setup procedure.
The AP may use public key (i.e., asymmetric) encryption to securely transmit network credentials to the new WiFi device/AP so that it can join the existing network. Public-key-based identification of devices may be facilitated through out-of-band techniques (e.g., QR codes). The customer may trigger the provisioning of a new device by scanning the QR code with a mobile application, or the BSP may trigger the process for a new device ordered by the customer, so that the device automatically joins the network when it is first powered up at the customer's premises, without the customer going through a setup process.
Fig. 1A illustrates an example communication system in which an access point is added to a wireless network. In such an example communication system, there may be an existing GW/AP101 that broadcasts wireless signals to create
It may be desirable (such as for the reasons described above) to add a new AP111 to the
To ensure that the identity of the device does not change over its lifetime, the key pair may be stored in Write Once Read Many (WORM) storage. If the hardware does not support WORM, the key pair may be stored in a separate partition with restricted access to emulate similar functionality; for example, an IOCTL (Input/Output Control) system call may be used to store and read the key pair. This significantly reduces the probability of accidental erasure or corruption during a firmware upgrade. Note that WORM storage protects the key pair against erasure and overwriting, not against being read out by whoever has access to the device, so read access to the private key must still be restricted to the component that decrypts credentials.
The public key can be distributed widely, but the private key must be kept secret: only the paired private key can decrypt a message encrypted with the public key. The existing credentials of
In one case, the public key can be read out by a human operator at the place where AP 111 is manufactured, through the console of GW/AP 101, via a specific command that reads the public key out of the WORM device or the separate partition. The public key, together with identification information such as a serial number and/or MAC address, may be converted into a two-dimensional QR code, which is then printed on a label attached to the device. In another case, the public key and the identification information may be stored in a database for later use (i.e., for provisioning a new AP).
The GW/AP 101 public key may also be accessed, for example, through a web server on GW/AP 101. However, GW/AP 101 must already have obtained an IP address for another computer on the local network to be able to download the public key (or the QR code text and/or image) from it. This feature may be helpful when the QR code label is lost or damaged and console access is not available.
Fig. 1B illustrates an example process for locally adding an access point to a communication system such as that shown in fig. 1A. As discussed, AP 111 may be assigned unique information, such as a public-key-based identity and an associated QR code label that may be affixed to AP 111. The customer may use STA 102 (such as a smartphone), with its rich user interface, to set up AP 111. Home network management may be performed using a dedicated mobile application on the
After the customer receives the new device (e.g., AP 111), he or she simply scans the QR code on the device with the mobile application on STA 102, at 151. At 152, the application extracts the public key of the new device from the QR code and sends it to GW/AP 101.
In one case, when the STA102 connects to the
At 153, GW/AP101 may encrypt the credentials of
If the new AP111 is configured as a range extender, it may enable its AP functionality and begin accepting connections from stations in the
Even if no cloud connection is required, the methods of fig. 1A and 1B may be integrated with centralized remote management of the customer's
Fig. 2A illustrates an example communication system in which access points are added to a wireless network using cloud assistance. Cloud assistance may allow for a more efficient and/or improved AP addition process. There may be a GW/AP201 that creates the
The example shown in fig. 2A is similar to fig. 1A in that a new AP211 needs to be added to extend or add to the
Fig. 2B illustrates in more detail an example process of adding an access point to a communication system using cloud assistance. In this example, an AP (such as GW/AP 201 or AP 211) may be configured with a globally unique MAC address or serial number and a configuration PIN embedded in the AP during manufacture. Both identifiers may be displayed externally, such as by a QR code, barcode, or printed text on the AP, so that they are easily accessible. The new AP 211 may have its WiFi services turned off by factory default and store the URL of the
At 251, adding the new AP211 may begin with the
At 254, the
At 257, the
At 259, when AP211 identification is complete, a success indicator is applied to management on
At 265, the
In one case, at 269, the management application running on STA202 attempts to connect to the new WiFi network 210 using the new credentials. Once the new credentials are validated on AP211, STA202 can associate to AP211 with the new credentials and connect to network 210.
In an alternative procedure based on the example of fig. 2A and similar to the procedure of fig. 2B, an AP211 may be added to the
Fig. 3A illustrates an example communication system in which multiple access points are added to a wireless network. As in fig. 2A, a new AP311 may be added to the network 300 of GW/AP 301 connected to the internet 303. Once the new AP311 is added, it may provide coverage to any client devices that may be associated with the new credentials through the WiFi network 310. To extend WiFi coverage, a customer may add another new AP312 to generate WiFi network 320, add another new AP313 to generate WiFi network 330, and so on until the customer's goal is achieved (e.g., full coverage of the house).
Fig. 3B illustrates an example process of adding one or more second access points and determining an optimal physical location in a network using cloud assistance. To add a second new AP312 to network 300, user 306 may first be instructed via a management application on STA302 to place AP312 in proximity to
When the
The
Meanwhile, at 362, the
At this point, AP311 and AP312 may be in the same network, communicating, and providing internet access to any WiFi client device that may be associated using WiFi credentials set by user 306 through a management application on
The same approach described above can be used if the user wants to add more APs to the network to extend coverage. User 306 may be instructed to place new AP313 near AP311, where user 306 identifies new AP313 by entering the code of new AP313 through the management application on
In an alternative process based on the example of fig. 3A and similar to the process of fig. 3B, an AP312 may be added to the network 300. However, STA302 may scan and send the public key of new AP312 to a cloud server (e.g., remote management service 304) through
For the example in fig. 2A-3B, a new AP may be added as a mesh node or range extender. In either case, the customer may trigger the provisioning process by scanning the QR code on the new AP using a dedicated application on his or her mobile device. While this process is very straightforward and simplified by using the rich user experience provided by mobile devices, it can be further automated by eliminating customer involvement altogether.
Fig. 4A illustrates an example communication system in which an access point is added to a wireless network. There may be a GW/AP401 with network 400 (wired and/or wireless) and a new AP411 may be added using one or a combination of the techniques described herein. GW/AP401 may be connected to cloud server 407 through internet 403. The cloud server may be connected to a database 408 that stores public key information.
Fig. 4B illustrates an example process of adding an access point to a communication system using cloud assistance. At 451, the public key information of the AP411 may be stored in the database 408. At 452, the customer may contact the BSP and subscribe to the
At 455, since the cloud server knows which particular AP 411 is to be shipped to the customer, it can send the public key over internet connection 403 to GW/AP 401, which is associated with the customer's account, as a parameter of a custom "AddNewNode" command.
GW/AP 401 may then encrypt its network credentials and, at 456, place the resulting ciphertext in the application extension attribute of its WSC IE. At 457, once AP 411 arrives and is powered on, it may decrypt the ciphertext and configure itself, similarly to the other processes discussed herein. However, a newly shipped AP 411 may take one or more days to arrive, and unnecessarily lengthening beacons and probe responses during this period wastes valuable airtime. In one approach, the credential ciphertext is not included in every beacon but is inserted in every nth beacon (e.g., every 10th beacon). The period can be adjusted to balance airtime savings against the setup delay introduced when the new AP arrives and powers up (it has to wait longer for the next beacon carrying the ciphertext, and it is more likely to miss that beacon while scanning all available channels).
In another approach, the ciphertext may be included only in the WSC IE of the probe response and then only when GW/AP401 receives the probe request from the MAC address of
As discussed herein, to bring up multiple new APs at the same time, the ciphertext for each new device may be added to the beacon WSC IE together, or up to a predetermined number of ciphertexts may be added to each beacon in a round-robin manner to save airtime. For probe responses, the GW/AP may respond with only the one application extension attribute whose ciphertext corresponds to the public key of the new AP that sent the probe request.
The strength of a public key cryptosystem rests on the computational infeasibility of deriving a properly generated private key from its corresponding public key. Common public key cryptosystems are Rivest-Shamir-Adleman (RSA) and Elliptic-Curve Cryptography (ECC). For RSA, a recommended key size is at least 2048 bits; for ECC, a 256-bit key achieves a comparable security level. The QR code for an ECC public key is therefore less dense and easier for mobile scanner applications to read, because less data has to be encoded into it.
The amount of data that can be encrypted in a single asymmetric operation is limited and small (for RSA-OAEP with a 2048-bit key and SHA-256 padding, 190 bytes). If the network credential exceeds this limit, symmetric encryption (e.g., AES) is used: the credential is encrypted with a randomly generated key, the random AES key is encrypted with the new AP's public key, and both ciphertexts are included in the WSC IE. The new AP first decrypts the AES key with its private key and then decrypts the credential with the AES key. In practice the symmetric layer should use an authenticated mode such as AES-GCM, so that the AP rejects a modified ciphertext or a credential ciphertext paired with the wrong wrapped key instead of configuring itself with garbage.
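The hybrid scheme described above, as an added worked example in Go using only the standard library; this is not code from the patent or from any product it describes. The AP's key pair is RSA-2048 generated on the fly in place of the factory-provisioned key, and the OAEP label, the JSON shape of the credential and the choice of AES-256-GCM for the symmetric layer are assumptions, since the page specifies neither the padding mode nor the AES mode. The example shows the 190-byte limit that forces the hybrid path and binds the two ciphertexts together by passing the wrapped key as GCM associated data, so a wrapped key from one envelope cannot be combined with the credential ciphertext of another without failing authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is an assumed domain-separation label; the page specifies none. Both sides must agree on it.
var oaepLabel = []byte("gw-credential-v1")

// Envelope holds the two ciphertexts the GW places in the WSC IE.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(AP public key, aesKey)
	Nonce      []byte // 12-byte GCM nonce, fresh for every envelope
	Ciphertext []byte // AES-GCM(aesKey, credential) with the 16-byte tag appended
}

// NewAPKey stands in for the key pair provisioned into the AP at manufacture (assumed RSA-2048).
func NewAPKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// MaxDirectPlaintext: modulus bytes - 2*hash bytes - 2, i.e. 190 for RSA-2048 with SHA-256.
func MaxDirectPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// EncryptDirect is the non-hybrid path; it fails with rsa.ErrMessageTooLong above the limit.
func EncryptDirect(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, oaepLabel)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapCredential is the hybrid path: random AES key, credential sealed with AES-GCM,
// AES key wrapped with the AP's public key, wrapped key bound in as associated data.
func WrapCredential(pub *rsa.PublicKey, credential []byte) (*Envelope, error) {
	aesKey := randBytes(32)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, credential, wrapped)}, nil
}

// UnwrapCredential is what the new AP runs after power-up with its private key.
// A wrong key or a modified ciphertext is reported as an error, never as garbage.
func UnwrapCredential(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("key unwrap failed: envelope was not encrypted to this AP")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.WrappedKey)
	if err != nil {
		return nil, errors.New("credential authentication failed: ciphertext modified or mismatched")
	}
	return pt, nil
}

func main() {
	ap := NewAPKey()
	// Constructed sample credential; the 63-character WPA2 passphrase pushes it past the OAEP limit.
	cred := []byte(`{"ssid":"example-home","psk":"correct horse battery staple correct horse battery staple 12345","security":"WPA2-PSK","band":"5GHz","channel":36,"bssid":"02:00:00:00:00:01","controller":"02:00:00:00:00:00","mesh_role":"agent"}`)
	if _, err := EncryptDirect(&ap.PublicKey, cred); err != nil {
		fmt.Printf("direct OAEP (limit %d bytes, credential %d bytes): %v\n", MaxDirectPlaintext(&ap.PublicKey), len(cred), err)
	}
	env, err := WrapCredential(&ap.PublicKey, cred)
	if err != nil {
		panic(err)
	}
	got, err := UnwrapCredential(ap, env)
	fmt.Printf("AP recovered credential: %q (err=%v)\n", got, err)
}
```

The envelope is three opaque byte strings; how they are carried in the WSC IE is a separate encoding question. Passing the wrapped key as associated data costs nothing on the air and means that an attacker who captures two envelopes cannot splice them, and that an AP which somehow unwraps the key of one envelope will still refuse the credential of another.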
Although multiple WSC IEs may be carried in one WiFi frame, some wireless drivers do not support this. In that case, the Public Action frame defined in 802.11u, which can be exchanged while the WiFi client and AP are unauthenticated and unassociated, may be used instead: the Generic Advertisement Service (GAS) request/response frame exchange procedure and the GAS frame format (802.11 Action frames) defined for advertisement services can carry the ciphertext from the GW/AP to the new AP.
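An added example, in Go and again not code from the patent, of the application extension attribute encoding of claims 17 and 18 together with the multi-IE transport this paragraph discusses. Assumptions: the Vendor Specific element ID 0xDD, the Wi-Fi Alliance OUI 00-50-F2 with OUI type 0x04, and the attribute IDs 0x104A (Version) and 0x1058 (Application Extension) are taken from the 802.11 and WSC specifications rather than from the page, and the ciphertext bytes are a constructed stand-in. The point it makes: an IE's Length field is one octet, so a single WSC IE carries at most 251 bytes of attribute data, while an RSA-2048 wrapped key alone is 256 bytes. The sender therefore has to fragment the attribute data across consecutive WSC IEs and the receiver has to concatenate them before parsing the TLVs, bounds-checking every length field, because the frame comes from an unauthenticated sender.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	eidVendorSpecific = 0xDD               // 802.11 Vendor Specific element ID
	maxIEPayload      = 255                // the element Length field is a single octet
	maxWSCData        = maxIEPayload - 4   // after the 3-byte OUI and 1-byte OUI type
	attrVersion       = 0x104A             // WSC Version attribute
	attrAppExt        = 0x1058             // WSC Application Extension attribute (ID assumed from the WSC attribute table)
)

// wscOUIType is the Wi-Fi Alliance OUI 00-50-F2 followed by OUI type 0x04 (WSC).
var wscOUIType = []byte{0x00, 0x50, 0xF2, 0x04}

type Attr struct {
	Type  uint16
	Value []byte
}

// EncodeAttrs serialises attributes as WSC binary TLVs: big-endian 2-byte type, 2-byte length, value.
func EncodeAttrs(attrs []Attr) ([]byte, error) {
	var out []byte
	for _, a := range attrs {
		if len(a.Value) > 0xFFFF {
			return nil, fmt.Errorf("attribute 0x%04X too long for a 16-bit length", a.Type)
		}
		out = append(out, byte(a.Type>>8), byte(a.Type), byte(len(a.Value)>>8), byte(len(a.Value)))
		out = append(out, a.Value...)
	}
	return out, nil
}

// BuildWSCIEs splits attribute data across as many WSC IEs as the one-octet Length
// field requires; one IE holds at most 251 data bytes, less than one RSA-2048 wrapped key.
func BuildWSCIEs(data []byte) [][]byte {
	var ies [][]byte
	for off := 0; off < len(data); off += maxWSCData {
		end := off + maxWSCData
		if end > len(data) {
			end = len(data)
		}
		ie := append([]byte{eidVendorSpecific, byte(4 + end - off)}, wscOUIType...)
		ies = append(ies, append(ie, data[off:end]...))
	}
	return ies
}

// ReassembleWSC walks a frame's contiguous IE list, skips unrelated IEs, concatenates
// the payloads of all WSC IEs in order (as the WSC specification allows for fragmented
// data) and parses the TLVs. Every length is checked against what is actually present.
func ReassembleWSC(frameIEs []byte) ([]Attr, error) {
	var data []byte
	for len(frameIEs) > 0 {
		if len(frameIEs) < 2 {
			return nil, errors.New("truncated IE header")
		}
		eid, n := frameIEs[0], int(frameIEs[1])
		if len(frameIEs) < 2+n {
			return nil, errors.New("IE length runs past end of frame")
		}
		body := frameIEs[2 : 2+n]
		frameIEs = frameIEs[2+n:]
		if eid == eidVendorSpecific && n >= 4 && bytes.Equal(body[:4], wscOUIType) {
			data = append(data, body[4:]...)
		}
	}
	return DecodeAttrs(data)
}

// DecodeAttrs parses TLV attributes from reassembled data, rejecting any that overrun it.
func DecodeAttrs(data []byte) ([]Attr, error) {
	var out []Attr
	for len(data) > 0 {
		if len(data) < 4 {
			return nil, errors.New("truncated attribute header")
		}
		typ := binary.BigEndian.Uint16(data[0:2])
		n := int(binary.BigEndian.Uint16(data[2:4]))
		if len(data) < 4+n {
			return nil, fmt.Errorf("attribute 0x%04X: value truncated", typ)
		}
		out = append(out, Attr{typ, append([]byte(nil), data[4:4+n]...)})
		data = data[4+n:]
	}
	return out, nil
}

func main() {
	ct := bytes.Repeat([]byte{0xAB}, 256+12+64) // constructed stand-in: wrapped key + nonce + AES-GCM ciphertext
	data, _ := EncodeAttrs([]Attr{{attrVersion, []byte{0x10}}, {attrAppExt, ct}})
	ies := BuildWSCIEs(data)
	frame := append([]byte{0x00, 4, 'h', 'o', 'm', 'e'}, bytes.Join(ies, nil)...) // SSID IE, then the WSC IEs
	attrs, err := ReassembleWSC(frame)
	fmt.Printf("%d attribute bytes -> %d WSC IEs; recovered %d attributes, err=%v\n", len(data), len(ies), len(attrs), err)
}
```

Whether the fragments travel in a beacon, a probe response or a GAS response, the receiver-side logic is the same: collect every WSC IE, concatenate, then parse. A parser that trusts the 16-bit attribute length without the `len(data) < 4+n` check reads past the frame buffer on the first malformed beacon it sees, which is exactly the kind of input an unauthenticated, unassociated AP must expect.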
Although a QR code is used in the embodiments and examples herein, this is only one possible out-of-band method for bootstrapping the secure onboarding of a new AP and is not intended to limit the present disclosure. Other technologies, such as Near Field Communication (NFC), Bluetooth Low Energy (BLE), and the bootstrapping methods of the Wi-Fi Alliance Device Provisioning Protocol, may be used as out-of-band channels for securely provisioning a new AP. Thus, presenting the public key as a QR code may be extended to transferring the public key via NFC or BLE.
Although features and elements are described above in particular combinations, one of ordinary skill in the art will appreciate that each feature or element can be used alone or in any combination with other features and elements. Furthermore, the methods described herein may be implemented in a computer program, software, or firmware incorporated in a computer-readable medium for execution by a computer or processor. Examples of computer readable media include electronic signals (transmitted over a wired or wireless connection) and computer readable storage media. Examples of computer readable storage media include, but are not limited to, Read Only Memory (ROM), Random Access Memory (RAM), registers, cache memory, semiconductor memory devices, magnetic media such as internal hard disks and removable disks, magneto-optical media, and optical media such as CD-ROM disks and Digital Versatile Disks (DVDs). A processor associated with software may be used to implement a communication interface for use in a GW, STA, AP, terminal, base station, RNC, or any host computer.