The Wireless Local Area Network (WLAN) is a computer local area network using a wireless channel as a transmission medium and is an important supplement and extension of wired networking. A network structure based on a WLAN technology generally includes network devices such as a WLAN station, an Access Point (AP), and an Access Controller (AC). The AP connects the WLAN station to an existing wired network, while the AC can manage the AP by using a Control and Provisioning of Wireless Access Point (CAPWAP) control channel.
Currently, the AC used in the WLAN may be classified into two types according to the functions it implements. The first type is an AC that is separate from a Broadband Remote Access Server (BRAS). In this case, the BRAS implements access authentication for the WLAN station and the AC manages the AP. The second type is an AC integrated with the BRAS. In this case, the AC is integrated into the BRAS as a functional module, and the BRAS both implements access authentication for the WLAN station and manages the AP.
The following describes a process of implementing access authentication for the WLAN station in a scenario where the AC is integrated with the BRAS.
The AP establishes a CAPWAP link (including a CAPWAP data channel and a CAPWAP control channel) with the BRAS. The WLAN station sends an association request to the AP; after receiving the association request from the WLAN station, the AP sends a request to the BRAS to determine whether the WLAN station is permitted to associate with the AP. If the BRAS determines that the WLAN station is permitted to associate with the AP, the BRAS sends the result to the AP, and the AP sends an association response frame to the WLAN station, permitting the WLAN station to associate with the AP. At this point, although the WLAN station is successfully associated with the AP, it is only permitted to use the wireless link between itself and the AP. The WLAN station still needs to initiate an authentication request to the BRAS, and the BRAS forwards the authentication request to an Authentication, Authorization and Accounting (AAA) server. After the AAA server authorizes the station, the BRAS sends an authentication response to the WLAN station to notify it that it has been authenticated successfully and is permitted to access the Internet.
In the prior art, the WLAN station may use three access authentication methods, one of which is the Extensible Authentication Protocol Method for Mobile Communications Subscriber Identity Modules (EAP-SIM)/Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA). In an EAP-SIM/EAP-AKA authentication scenario, data transmitted on the wireless link between the WLAN station and the AP is encrypted using the Wi-Fi Protected Access 2 (WPA2) standard. After the WLAN station is authenticated, the AAA server sends the master key (Pairwise Master Key, PMK) of the WLAN station to the BRAS.
After the BRAS obtains the master key PMK of the WLAN station, if the BRAS integrates the AC, that is, if the AC is integrated into the BRAS as a functional module, the BRAS may notify the AC module through an internal communication mechanism and directly initiate a 4-way handshake with the WLAN station using the master key PMK to agree on a transient key (Pairwise Transient Key, PTK). Subsequently, the data transmitted on the wireless link between the WLAN station and the AP is encrypted using the transient key PTK.
However, the inventor discovers the following problem in the prior art: In a scenario where the BRAS is separate from the AC, after the BRAS obtains the master key PMK of the WLAN station from the AAA server, the BRAS cannot notify the AC of the master key PMK through an internal communication mechanism, because the BRAS and the AC are not the same device. Consequently, the AC does not know when to perform the 4-way handshake with the WLAN station to agree on the transient key PTK.
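The key dependency described above, that only the party holding the PMK can run the 4-way handshake and derive the PTK, is illustrated by the following added Python example. It is not part of the original document and does not model any particular vendor's AC or BRAS; it implements the IEEE 802.11 PTK derivation (PRF-384 over the PMK, the two MAC addresses and the two nonces) and the first two handshake messages, with a simplified EAPOL-Key body (nonce plus a 16-byte MIC field) in place of the full frame format. The PMK value and the MAC addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed values for the demonstration (not from the document).
PMK = bytes.fromhex("0c" * 32)           # 256-bit PMK as delivered by the AAA server
AP_MAC = bytes.fromhex("001122334455")   # Authenticator Address (AA), the AP/AC side
STA_MAC = bytes.fromhex("66778899aabb")  # Supplicant Address (SPA), the WLAN station


def prf(key: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1 over label || 0x00 || data || counter byte."""
    out = b""
    for i in range((out_bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: out_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    The min/max ordering makes both sides derive the same key regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes):
    """CCMP layout of the 384-bit PTK: KCK (16) || KEK (16) || TK (16)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 truncated to 128 bits, computed with the MIC field zeroed."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, kck: bytes) -> bytes:
    """Simplified message 2 body: SNonce || MIC (MIC covers SNonce || 16 zero bytes)."""
    return snonce + eapol_mic(kck, snonce + bytes(16))


def verify_message2(msg2: bytes, kck: bytes) -> bool:
    """Recompute the MIC with the authenticator's KCK; constant-time compare."""
    snonce, mic = msg2[:32], msg2[32:48]
    return hmac.compare_digest(mic, eapol_mic(kck, snonce + bytes(16)))


def run_handshake(pmk: bytes, aa: bytes, spa: bytes, anonce=None, snonce=None):
    """Messages 1 and 2 of the 4-way handshake.

    Returns (authenticator_ptk, supplicant_ptk, mic_ok). Both sides need the same
    PMK: an AC that never received the PMK from the BRAS cannot produce a KCK that
    verifies the station's MIC, which is the gap the text above describes.
    """
    anonce = os.urandom(32) if anonce is None else anonce
    snonce = os.urandom(32) if snonce is None else snonce
    # Message 1 (authenticator -> station): ANonce. The station derives its PTK
    # and answers with SNonce plus a MIC keyed with its KCK.
    sta_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = build_message2(snonce, split_ptk(sta_ptk)[0])
    # Message 2 (station -> authenticator): the authenticator derives its own PTK
    # from the received SNonce and checks the MIC before continuing.
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, msg2[:32])
    mic_ok = verify_message2(msg2, split_ptk(ap_ptk)[0])
    return ap_ptk, sta_ptk, mic_ok


if __name__ == "__main__":
    ap_ptk, sta_ptk, ok = run_handshake(PMK, AP_MAC, STA_MAC)
    print("PTK agreed:", ap_ptk == sta_ptk, "MIC verified:", ok)
    print("TK:", split_ptk(ap_ptk)[2].hex())
```

Messages 3 and 4 (GTK delivery and the final confirmation) are omitted; the point of the example is that PTK derivation and MIC verification are both impossible without the PMK, so whichever element holds the PMK after EAP-SIM/EAP-AKA completes is the only one that can start the handshake.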