During securely connecting to a wireless fidelity (WiFi) access point (AP), a WiFi terminal which is also referenced as a station (STA) needs to complete stipulated procedures such as scanning, open authentication, association, 802.1x authentication (that is, Extensible Authentication Protocol (EAP) authentication), and four-way handshake according to the 802.11 protocol of wireless local area network standards. In addition, it needs to complete an Internet Protocol (IP) address allocation process.
Specifically and generally, the STA may send a probe request frame to the AP, and detects the AP and queries attributes and capabilities of the AP according to a probe response returned by the AP. Before this, the STA may also intercept a beacon frame of the AP, and acquires the attributes and capabilities of the AP from the beacon frame. If the STA decides to connect to the AP, the STA sends an open system authentication request frame, that is, an authentication frame defined in the 802.11, to the AP, and specifies in the authentication frame that open system authentication is used, so as to be compatible with the 802.11 protocol of another version. After receiving the open system authentication request frame, the AP may return an open system authentication response frame, indicating that the STA is accepted.
After the open system authentication, the STA sends an association request frame to the AP, and the AP returns an association response frame, where the response frame carries an association identifier (AID) allocated by the AP to the STA. On a WiFi network, each STA on the network has a unique AID. Then, the STA and the AP perform an EAP authentication procedure. The EAP authentication is triggered by an Extensible Authentication Protocol over Local Area Network (EAPoL) start message that is sent by the STA to the AP. After receiving the EAPoL start message, the AP sends an EAP request/identity message to the STA to request a user identifier from the STA. The STA sends the user identifier to the AP by sending an EAP response/identity message to the AP. The subsequent process is an EAP method procedure. There are multiple EAP methods, the number of steps varies, and there are at least two air interface messages.
Generally, an authentication server (AS) participates the EAP authentication procedure. Essentially, the STA performs authentication to the AS. The AP may include an authenticator module, configured to forward a message in the EAP authentication procedure. After the EAP authentication is successful, the AS may notify the AP that the authentication is successful, and send a key called a pairwise master key (PMK) to the AP. The AP may further send an EAP-Success message to the STA to end the EAP authentication procedure. In the 802.11 specification, most functions of the AS are realized in the AP. However, in practical network deployment, the AP and the AS are generally separated from each other.
After the EAP authentication is completed, the AP acquires the PMK from the AS, and the STA is capable of obtaining a PMK through calculation. Then, based on the PMKs, the STA and the AP perform a four-way handshake procedure to negotiate a pairwise transient key (PTK). The PTK is practically used to protect air interface communication between the STA and the AP. The four-way handshake includes four messages. The first message is sent by the AP, and in the third message, the AP sends a group transient key (GTK) of the WiFi network to the STA after encrypting it by using the PTK. Therefore, the four-way handshake procedure further undertakes the function of transferring the GTK. In addition, in the four-way handshake procedure, both the STA and the AP sends a respective nonce to each other for calculating a PTK.
After the four-way handshake is performed successfully, the STA generally acquires an IP address according to the Dynamic Host Configuration Protocol (DHCP). The procedure may include four messages. The STA sends a DHCP Discovery message through broadcast; a DHCP server on the network side receives the DHCP Discovery message and returns a DHCP Offer message to the STA, where the DHCP Offer message includes an IP address allocated by the DHCP server to the STA. The STA sends a DHCP Request message through broadcast, where the DHCP Request message includes the identifier of a DHCP server selected by the STA and the IP address allocated by the DHCP server. Then, the selected DHCP server returns a DHCP ACK message to the STA to confirm that the IP address has been allocated. After receiving the DHCP Request message, an unselected DHCP server reclaims the IP address just allocated to the STA. For an IP network, the STA sets up a communication link to the WiFi network where the AP is located only when the STA acquires the IP address.