Network device and method for policy-based wireless network access

Document No.: 1958226  Publication date: 2021-12-10

Reading note: this technology, "Network device and method for policy-based wireless network access", was created by 伊戈尔·沙夫兰 and 伊塔玛·菲克 on 2019-05-02. Abstract: The present invention relates to the field of wireless computer networks, and in particular to a network device and a corresponding method for policy-based wireless network access. Accordingly, the present invention provides a network device (100) for policy-based access to a wireless network (101), wherein the network device (100) is configured to: obtain a unique identifier (102) of a wireless network client (103); determine at least one authorized service (104) based on the unique identifier (102) and a policy (105); create a virtual subnet (106) from which the at least one authorized service (104) can be accessed; and assign the wireless network client (103) to the virtual subnet (106).

1. A network device (100) for policy-based wireless network (101) access, the network device (100) being configured to:

-obtaining a unique identifier (102) of a wireless network client (103);

-determining at least one authorized service (104) based on the unique identifier (102) and a policy (105);

-creating a virtual subnet (106) from which the at least one authorized service (104) can be accessed;

-assigning the wireless network client (103) to the virtual subnet (106).

2. The network device (100) of claim 1, wherein the virtual subnet (106) has exclusive access to the at least one authorized service (104).

3. The network device (100) according to claim 1 or 2, wherein the unique identifier comprises a passphrase combined with at least one of: a device unique ID or username; or a certificate.

4. The network device (100) of any of the preceding claims, wherein the network device (100) is configured to provision the wireless network (101) according to a network identifier to enable the wireless network client (103) to access the virtual subnet (106).

5. The network device (100) of any of the preceding claims, wherein the network device (100) is configured to create a different virtual subnet (106) for each wireless network client (103) accessing the wireless network (101) according to the policy (105).

6. The network device (100) of any of the preceding claims, wherein each of the different virtual subnets (106) is created according to the policy (105) and the unique identifier (102) of the respective wireless network client (103).

7. The network device (100) of any of the preceding claims, wherein the policy (105) is predefined and indicates which at least one authorized service (104) corresponds to the unique identifier (102).

8. The network device (100) according to any of the preceding claims, wherein the network identifier of the wireless network (101) is the same for all wireless network clients (103) accessing the wireless network (101).

9. The network device (100) according to any of the preceding claims, wherein the virtual subnet (106) is a virtual subnet (106) in an independent isolated network.

10. The network device (100) of claim 9, wherein only the wireless network clients (103) assigned to the virtual subnets in the isolated independent network have access to the virtual subnets.

11. The network device (100) of any of the preceding claims, further configured to provide a service discovery function (201) to the wireless network client (103).

12. The network device (100) according to any of the preceding claims, wherein the service discovery function (201) provides the wireless network client (103) with a service identifier of the at least one authorized service (104).

13. The network device (100) according to any of the preceding claims, wherein the service identifier provided to the wireless network client (103) is associated with the virtual subnet (106) assigned to the wireless network client (103).

14. The network device (100) according to any of the preceding claims, wherein said at least one authorized service (104) operates in a network different from said virtual subnet (106) assigned to said wireless network client (103).

15. The network device (100) according to any of the preceding claims, wherein the network device (100) further comprises a communication module that can communicate with the at least one authorized service (104) provided in a network different from the virtual subnet (106) by means of the service identifier associated with the virtual subnet (106).

16. The network device (100) according to any of the preceding claims, wherein the network device (100) is an Access Point (AP).

17. A method (400) for providing policy-based access to a wireless network (101), the method (400) comprising the steps of:

-the network device (100) obtaining (401) a unique identifier (102) of the wireless network client (103);

-the network device (100) determining (402) at least one authorized service (104) based on the unique identifier (102) and a policy (105);

-the network device (100) creating (403) a virtual subnet (106) from which the at least one authorized service (104) can be accessed;

-the network device (100) assigning (404) the wireless network client (103) to the virtual subnet (106).

Technical Field

The present invention relates to the field of wireless computer networks, and in particular, to a network device and corresponding method for policy-based wireless network access. In other words, the present invention relates to policy-based wireless access to a restricted service set.

Background

In conventional wireless computer networks, a Service Set Identifier (SSID) is the name associated with a wireless computer network (e.g., a Wireless Local Area Network (WLAN)). A conventional wireless network client that intends to join a wireless computer network does so using the SSID associated with that network. Once it has joined, the entire network topology of the wireless computer network is exposed to the client; in particular, all services provided in the network are visible to every connected legacy wireless network client. Conventional service access restrictions may be implemented, for example, by a dedicated portal with service links, or by two-factor or more complex (e.g., token-based) authentication. Using a secure portal may require several steps, and access restrictions may also be based on network filtering rules (e.g., firewalls). Furthermore, in conventional wireless computer networks, different legacy network devices (e.g., Access Points (APs)) advertising the same SSID are mapped to different subnets, which is why a legacy wireless network client is offered different sets of services depending on the AP to which it is connected, as shown for example in fig. 5.

Conventional solutions lack dynamic provisioning of services in a device-local subnet. Policy enforcement is implemented by a firewall that restricts a conventional wireless network client's view of the network through a set of rules. A conventional wireless network client can therefore still observe the presence of a service even though the firewall prevents it from connecting to that service. It is desirable, however, that only the allowed services be visible and accessible.

The conventional scheme also does not support roaming of conventional wireless network clients. Currently, service separation is achieved in two ways:

1. A WPA pre-shared key (PSK) based security scheme is configured on the wireless network. One service set is configured at site A and a different service set at site B, so a device roaming from one site to the other gains access to a different set of services. Within a single site, this separation is not feasible with non-identity-based authentication (e.g., a pre-shared key), because all clients present the same credential.

2. A WPA enterprise-based security scheme is configured on the wireless network. A conventional wireless network client gains access to a service set according to the domain group to which it belongs, independently of the specific site. This separation is achieved by placing conventional wireless network clients in specific VLANs, where the policy is enforced by a firewall.

Thus, there is a lack of a scheme that can isolate wireless network clients connected to a wireless network while using a single SSID in an efficient and effective manner.

Disclosure of Invention

In view of the above problems and disadvantages, the present invention is directed to improving conventional network devices. The present invention is specifically able to determine which authorized service a wireless network client may access based on the unique identifier of the wireless network client and a policy. This may be done for several wireless network clients accessing a wireless network provided by a single SSID.

To this end, a wireless network client attempting to connect to the wireless network must be authenticated according to the policy. This may be accomplished, for example, with Public Key Infrastructure (PKI) certificates. After successful authentication at the network device, authorization and policy enforcement are triggered and a subnet assigned to the wireless network client is created.

The topology of the wireless network provided by the network device is thereby hidden. Furthermore, no modifications to the wireless network client are required: the applications running on the wireless network client are independent of the scheme and need no changes. The scheme also enables flat service discovery, i.e., only the services allowed for the wireless network client exist in the subnet allocated to it. Furthermore, the present invention allows policy-based security enforcement, for example at the Domain Name System (DNS) request level or at the time of connecting to a service.

The object of the invention is achieved by the solution presented in the appended independent claims. Advantageous implementations of the invention are further defined in the dependent claims.

A first aspect of the present invention provides a network device for policy-based wireless network access, wherein the network device is configured to: acquiring a unique identifier of a wireless network client; determining at least one authorized service based on the unique identifier and a policy; creating a virtual subnet that can access the at least one authorized service; assigning the wireless network client to the virtual subnet.

This is advantageous because each wireless network client may be provisioned with, and constrained by, a policy to a set of authorized services reachable through the network device, while the entire wireless network is provisioned in a common manner (e.g., over a single SSID).

In particular, an authorized service may be any network service that is not adversely affected by NAT traversal.

In particular, an authorized service is a service that the wireless network client is authorized to use, the wireless network client being authorized according to the policy.

In one implementation of the first aspect, the virtual subnet has exclusive access to the at least one authorized service.

This may ensure that the virtual subnet restricts access to the authorized services in a secure manner. The accessible authorized services may be selected based on the policy and the unique identifier; for example, all other services may be excluded from the set of accessible services.

In another implementation of the first aspect, the unique identifier comprises a passphrase in combination with at least one of: a device unique ID or username; or a certificate.

In particular, the certificate is a Public Key Infrastructure (PKI) certificate.

In another implementation form of the first aspect, the network device is configured to provision the wireless network based on a network identifier to enable the wireless network client to access the virtual subnet.

Specifically, the network identifier may be a Service Set Identifier (SSID).

In another implementation manner of the first aspect, the network device is configured to create a different virtual subnet for each wireless network client accessing the wireless network according to the policy.

In other words, a different virtual subnet for each wireless network client is created according to the policy.

In another implementation of the first aspect, each of the different virtual subnets is created according to the unique identifier of the respective wireless network client and the policy.

In another implementation of the first aspect, the policy is predefined indicating that the at least one authorized service corresponds to the unique identifier.

In another implementation of the first aspect, the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.

In another implementation form of the first aspect, the virtual subnets are virtual subnets in an isolated network.

Specifically, the isolated network is an independent L2 broadcast domain. In particular, the subnet or virtual subnet is an L3 domain (i.e., a network layer domain).

This is advantageous because the same subnet address range can be reused within multiple independent networks; the scheme supports address overlap between the different virtual subnets assigned to different wireless network clients.

In another implementation form of the first aspect, only the wireless network clients assigned to the virtual subnets of the isolated independent network may access the virtual subnets.

In particular, no other client (e.g., another wireless network client) can see or access the independent isolated network. An independent isolated network may also be referred to as an independent virtual subnet. However, the at least one authorized service provided to the wireless network client may reach into the independent isolated network to communicate with the wireless network client.

In another implementation form of the first aspect, the network device is further configured to provide a service discovery function to the wireless network client.

This ensures that the wireless network client can identify at least one authorized service in the virtual subnet that is provided to the wireless network client.

In another implementation form of the first aspect, the service discovery function provides a service identifier of the at least one authorized service to the wireless network client.

In particular, the service identifier may include an address (e.g., an IPv4 or IPv6 address), a port, or a protocol of at least one authorized service.

In another implementation form of the first aspect, the service identifier provided to the wireless network client is associated with the virtual subnet assigned to the wireless network client.

In particular, the service identifier is associated with a domain of the virtual subnet (e.g., an address range of the virtual subnet).

In another implementation of the first aspect, the at least one authorized service operates in a network different from the virtual subnet assigned to the wireless network client.

This ensures that the authorized service can operate in a different network or subnet than the virtual subnet, while the wireless network client can still access the authorized service.

In another implementation form of the first aspect, the network device further comprises a communication module that can communicate with the at least one authorized service provided in a network different from the virtual subnet through the service identifier associated with the virtual subnet.

In particular, the communication module performs address routing or address remapping between the virtual subnet and the network in which the authorized service is provided.

In another implementation manner of the first aspect, the network device is an Access Point (AP).

A second aspect of the present invention provides a method for policy-based wireless network access, wherein the method comprises the steps of: the network device obtaining a unique identifier of a wireless network client; the network device determining at least one authorized service based on the unique identifier and a policy; the network device creating a virtual subnet from which the at least one authorized service can be accessed; and the network device assigning the wireless network client to the virtual subnet.

In particular, an authorized service may be any network service that is not adversely affected by NAT traversal.

In particular, an authorized service is a service that the wireless network client is authorized to use, the wireless network client being authorized according to the policy.

In one implementation of the second aspect, the virtual subnet has exclusive access to the at least one authorized service.

In another implementation of the second aspect, the unique identifier comprises a passphrase in combination with at least one of: a device unique ID or username; or a certificate.

In particular, the certificate is a Public Key Infrastructure (PKI) certificate.

In another implementation of the second aspect, the method further includes the network device providing the wireless network according to a network identifier to enable the wireless network client to access the virtual subnet.

Specifically, the network identifier may be a Service Set Identifier (SSID).

In another implementation manner of the second aspect, the method further includes: the network device creating a different virtual subnet for each wireless network client accessing the wireless network according to the policy.

In other words, a different virtual subnet for each wireless network client is created according to the policy.

In another implementation of the second aspect, each of the different virtual subnets is created according to the unique identifier of the respective wireless network client and the policy.

In another implementation of the second aspect, the policy is predefined indicating that the at least one authorized service corresponds to the unique identifier.

In another implementation of the second aspect, the network identifier of the wireless network is the same for all wireless network clients accessing the wireless network.

In another implementation form of the second aspect, the virtual subnets are virtual subnets in an isolated network.

Specifically, the isolated network is an independent L2 broadcast domain. In particular, the subnet or virtual subnet is an L3 domain (i.e., a network layer domain).

In another implementation of the second aspect, only the wireless network clients assigned to the virtual subnets of the isolated independent network may access the virtual subnets.

In particular, no other client (e.g., another wireless network client) can see or access the independent isolated network. An independent isolated network may also be referred to as an independent virtual subnet. However, the at least one authorized service provided to the wireless network client may reach into the independent isolated network to communicate with the wireless network client.

In another implementation manner of the second aspect, the method further includes: the network device provides a service discovery function to the wireless network client.

In another implementation of the second aspect, the service discovery function provides the wireless network client with a service identifier of the at least one authorized service.

In particular, the service identifier may include an address (e.g., an IPv4 or IPv6 address), a port, or a protocol of at least one authorized service.

In another implementation of the second aspect, the service identifier provided to the wireless network client is associated with the virtual subnet assigned to the wireless network client.

In particular, the service identifier is associated with a domain of the virtual subnet (e.g., an address range of the virtual subnet).

In another implementation of the second aspect, the at least one authorized service operates in a network different from the virtual subnet assigned to the wireless network client.

In another implementation of the second aspect, the method further includes the communication module of the network device communicating with the at least one authorized service provided in a network different from the virtual subnet through a service identifier associated with the virtual subnet.

In particular, the communication module performs address routing or address remapping between the virtual subnet and the network in which the authorized service is provided.

In another implementation manner of the second aspect, the network device is an Access Point (AP).

The second aspect and its implementations comprise the same advantages as the first aspect and its respective implementations.

It should be noted that all devices, elements, units and modules described in the present application may be implemented in software or hardware elements or any type of combination thereof. All steps performed by the various entities described in the present application, as well as the functions described to be performed by the various entities, are intended to indicate that the respective entities are adapted or used to perform the respective steps and functions. Although in the following description of specific embodiments specific functions or steps performed by an external entity are not reflected in the description of specific elements of the entity performing the specific steps or functions, it should be clear to a skilled person that these methods and functions may be implemented in corresponding hardware elements or software elements or any type of combination thereof.

Drawings

The following description of specific embodiments, taken in conjunction with the accompanying drawings, set forth the above-described aspects of the invention and the manner of attaining them.

Fig. 1 is a schematic diagram of a network device provided by an embodiment of the present invention;

fig. 2 is a schematic diagram illustrating an operation manner of a network device according to an embodiment of the present invention;

fig. 3 is another schematic diagram illustrating an operation manner of a network device according to an embodiment of the present invention;

FIG. 4 shows a schematic diagram of a method provided by an embodiment of the invention;

fig. 5 illustrates the operating principle of a network device provided by the prior art.

Detailed Description

Fig. 1 illustrates a network device 100 for policy-based access to a wireless network 101. Network device 100 may be, for example, an AP, or a router including an AP. Wireless network 101 may be, for example, a WLAN. The network device 100 is configured to: obtain a unique identifier 102 of a wireless network client 103; determine at least one authorized service 104 based on the unique identifier 102 and on the policy 105; create a virtual subnet 106 from which the at least one authorized service 104 can be accessed; and assign the wireless network client 103 to the virtual subnet 106. The policy 105 may be pre-stored in the network device and may indicate which services 104 are provided to which wireless network clients 103.

Fig. 2 shows a schematic diagram of the manner in which network device 100 operates. As shown in fig. 2, network device 100 may implement a flattened view of services enabled in wireless network 101.

As shown in fig. 2, a wireless network client 103 wirelessly connects to a network device 100 (e.g., an AP) associated with an SSID by submitting a unique identifier 102 (e.g., credentials or a certificate). The network device 100 provides an independent, uniquely identified subnet 106 to the authenticated wireless network client 103. No other client can access the subnet 106 unless the subnet is explicitly exposed to other clients. The subnet 106 is not directly routable beyond the network device 100. Because each subnet is an independent isolated network, the same Classless Inter-Domain Routing (CIDR) address range may be reused (i.e., overlap) across the subnets of different clients.

Specifically, the network device 100 may assign the wireless network client 103 its IP address in the subnet 106 using the Dynamic Host Configuration Protocol (DHCP). Via DHCP, the network device 100 may also provide a local DNS server address and/or a local domain for service discovery, so that service host names resolve to addresses within the local subnet. This also limits the network view of the wireless network client 103 to authorized services only. Service discovery is whitelist-based, specifically keyed on the unique identifier 102 of the wireless network client 103.

To map a service (reachable from network device 100) into subnet 106, so that the service is accessible only by the authorized wireless network client 103, the following service forwarding rules apply:

The wireless network client 103 connects to the authorized service 104 using the service's local IP address within subnet 106 (an address that is meaningful only inside that subnet).

To forward an egress packet, the network device 100 rewrites the packet's destination IP from the local address to the routable IP of the service; the source address may be tracked using Network Address Translation (NAT) connection tracking. For an ingress packet, the reverse translation is applied.

Fig. 3 shows another schematic diagram of the manner in which network device 100 operates. Specifically, the following steps are performed in the operational manner shown in fig. 3:

1. the wireless network client 103 (i.e., the client device in fig. 3) connects to the network device 100 (i.e., the access point in fig. 3) using predefined connection settings.

2. The network device 100 authenticates the wireless network client 103, for example, by delegating the authentication session to an external AAA server and/or by using an internally implemented WPA enterprise backend.

3. In accordance with policy 105, the network device 100 obtains the list of allowed services from the enterprise service domain, provisions a separate subnet 106 for the wireless network client 103, adds a service discovery endpoint to the subnet, and populates it with information about all allowed services. In addition, the network device 100 adds a local logical port on that subnet 106 for each allowed service 104. All logical ports may be Software-Defined Networking (SDN) ports, and network traffic to and from the logical ports may be intercepted and modified by SDN-controlled switches. The logical ports present the wireless network client 103 with the illusion of a limited and well-defined network topology.

4. The network device 100 returns to the wireless network client 103 the service discovery domain (SSDP or DNS-SD), the subnet 106, and the client's local IP address within it.

5. The wireless network client 103 issues a service discovery request to the local discovery service 201. The wireless network client obtains a response with locally mapped service information (address, port and protocol).
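The mechanism of figs. 2 and 3 in working form: the following Python model is an added example and is not code from the patent or its applicant. It assumes a small constructed policy table, three constructed service addresses, and an access point uplink address of 198.51.100.1 (all hypothetical), and shows the four claimed steps (policy lookup, per-client isolated subnet, local logical address per allowed service, client assignment), the whitelist-only discovery view, overlapping client CIDRs kept apart by the per-client isolated domain, and the egress/ingress address translation with connection tracking. Two clients that share the same local address and source port are distinguished solely by their subnet identifier, which is what lets the address ranges overlap.

```python
"""Added example (not part of the patent): a self-contained model of the
per-client virtual subnet scheme (steps 401-404, the Fig. 3 flow and the
egress/ingress translation rules). Names, addresses and the policy table are
constructed assumptions for illustration only."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Service:
    name: str
    routable_ip: str   # address in the enterprise service network
    port: int
    proto: str


# Constructed sample data (assumptions, not from the patent text).
SERVICES = {
    "printer":   Service("printer",   "192.0.2.10", 631, "tcp"),
    "fileshare": Service("fileshare", "192.0.2.20", 445, "tcp"),
    "hr-portal": Service("hr-portal", "192.0.2.30", 443, "tcp"),
}
# Predefined policy: unique identifier -> services the client may use.
POLICY = {
    "cert:CN=alice":        ["printer", "fileshare", "hr-portal"],
    "cert:CN=guest-tablet": ["printer"],
}
# Every client gets the same CIDR; isolation comes from the per-client L2 domain
# (identified here by subnet_id), so the ranges are allowed to overlap.
CLIENT_CIDR = ipaddress.ip_network("10.200.0.0/24")


@dataclass
class VirtualSubnet:
    subnet_id: int
    gateway_ip: str
    client_ip: str
    local_to_service: dict  # local (subnet-internal) IP -> Service


class AccessPoint:
    def __init__(self, policy, services, uplink_ip):
        self._policy, self._services, self.uplink_ip = policy, services, uplink_ip
        self._subnets = {}      # subnet_id -> VirtualSubnet
        self._flows = {}        # (subnet_id, client_ip, sport, local_ip, dport) -> nat_port
        self._conntrack = {}    # nat_port -> that flow tuple, for the reverse direction
        self._next_subnet_id, self._next_nat_port = 1, 40000

    def admit(self, unique_id):
        """Steps 401-404: policy lookup, build an isolated subnet, assign the client."""
        allowed = self._policy.get(unique_id)
        if allowed is None:
            raise PermissionError("policy denies %r" % unique_id)
        hosts = CLIENT_CIDR.hosts()
        gateway, client = str(next(hosts)), str(next(hosts))
        # One local logical address per allowed service; nothing else exists in here.
        local_map = {str(next(hosts)): self._services[n] for n in allowed}
        vs = VirtualSubnet(self._next_subnet_id, gateway, client, local_map)
        self._subnets[vs.subnet_id] = vs
        self._next_subnet_id += 1
        return vs

    def discover(self, subnet_id):
        """Service discovery endpoint: only whitelisted services are returned,
        each as (name, local address, port, protocol)."""
        vs = self._subnets[subnet_id]
        return sorted((s.name, ip, s.port, s.proto) for ip, s in vs.local_to_service.items())

    def egress(self, subnet_id, src_ip, sport, dst_ip, dport):
        """Client -> service: DNAT the local service address to its routable address
        and SNAT the client to the uplink with a tracked port. Returns the packet's
        (src, sport, dst, dport) as seen on the service network, or None to drop."""
        vs = self._subnets[subnet_id]
        svc = vs.local_to_service.get(dst_ip)
        if src_ip != vs.client_ip or svc is None or dport != svc.port:
            return None   # spoofed source, or a service this subnet was never given
        flow = (subnet_id, src_ip, sport, dst_ip, dport)
        nat_port = self._flows.get(flow)
        if nat_port is None:
            nat_port = self._next_nat_port
            self._next_nat_port += 1
            self._flows[flow] = nat_port
            self._conntrack[nat_port] = flow
        return (self.uplink_ip, nat_port, svc.routable_ip, svc.port)

    def ingress(self, src_ip, sport, dst_ip, dport):
        """Service -> client reply: reverse translation via the conntrack entry.
        Returns (subnet_id, src, sport, dst, dport) as delivered into the subnet."""
        flow = self._conntrack.get(dport) if dst_ip == self.uplink_ip else None
        if flow is None:
            return None   # no matching outbound flow: unsolicited traffic is dropped
        subnet_id, client_ip, client_port, local_ip, svc_port = flow
        svc = self._subnets[subnet_id].local_to_service[local_ip]
        if (src_ip, sport) != (svc.routable_ip, svc_port):
            return None   # reply did not come from the service the flow was opened to
        return (subnet_id, local_ip, svc_port, client_ip, client_port)


if __name__ == "__main__":
    ap = AccessPoint(POLICY, SERVICES, uplink_ip="198.51.100.1")
    alice, guest = ap.admit("cert:CN=alice"), ap.admit("cert:CN=guest-tablet")
    print(ap.discover(alice.subnet_id))   # three services visible
    print(ap.discover(guest.subnet_id))   # only the printer is visible
    print(ap.egress(guest.subnet_id, guest.client_ip, 51000, "10.200.0.5", 443))  # None
```

The guest's attempt to reach 10.200.0.5 is dropped rather than firewalled: that address was never mapped into its subnet, so from the guest's point of view the HR portal does not exist, which is the "only allowed services are visible" property the description asks for. A real access point would realise the same tables as SDN flow rules and kernel NAT state rather than Python dictionaries.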

Fig. 4 shows a schematic diagram of a method 400 provided by an embodiment of the invention. The method comprises the step of the network device 100 obtaining 401 a unique identifier 102 of a wireless network client 103. The method comprises the step of the network device 100 determining 402 at least one authorized service 104 based on the unique identifier 102 and the policy 105. The method comprises the step of the network device 100 creating 403 a virtual subnet 106 from which the at least one authorized service 104 can be accessed. The method comprises the step of the network device 100 assigning 404 the wireless network client 103 to the virtual subnet 106.

The invention has been described in connection with various embodiments and implementations as examples. However, other variations will become apparent to those skilled in the art and may be made in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims as well as in the description, the word "comprising" does not exclude other elements or steps, and "a" or "an" does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
