JP4894431B2 - Cooperation control device - Google Patents

Description

  The present invention relates to a linkage control apparatus that links an entry / exit management system for managing entry / exit in a security management area and a network authentication system for restricting access to a terminal apparatus connected to a network constructed in the security management area.

  In companies that frequently handle confidential information or specific departments within the company, it is possible to prevent leakage of confidential information in advance by applying an entry / exit management system that manages the entry / exit of workers handling confidential information. ing.

  Generally, an entry / exit management system is a user ID (IDentification) incorporated in an IC (Integrated Circuit) card given to a user or biometric information (fingerprint, iris, voiceprint, etc.) to be authenticated information that uniquely identifies the user. Is used to perform personal authentication for users who wish to enter and exit. When it is authenticated that the user is a registered legitimate user, for example, entry into the security management area that handles confidential information is permitted by unlocking the locked door.

  By the way, the above-mentioned confidential information is managed by a network authentication system constructed in a network different from the entrance / exit management system, and is used by accessing the network from a terminal device provided in the security management area. It becomes possible. When accessing a network using a terminal device, the network authentication system requires an authentication process similar to the personal authentication in the above-described entry / exit management system.

  Therefore, cooperation between such an entry / exit management system and a network authentication system is required, and user authentication processing at the time of entry / exit into a security management area that handles confidential information, and a user who uses a terminal device after entering the room A technique for associating with authentication processing has been devised (see, for example, Patent Document 1 and Patent Document 2).

In addition, a technique for realizing a countermeasure for a problem caused by a lapse of time from entry to logon to the terminal device, and a countermeasure for forgetting to log off the terminal device when leaving, which are not considered in Patent Document 1 and Patent Document 2. Has also been devised (for example, see Patent Document 3).
JP 2000-259878 A JP 2002-41469 A JP 2004-302875 A

  By the way, when there are a plurality of terminal devices connected to the network constructed in the security management area, not only one terminal device is required as long as it is a valid user as long as the user enters the security management area. There is a problem that it is possible to access the network without limitation using a plurality of terminal devices.

  The present invention has been made in view of such circumstances, and allows a legitimate user who has entered the security management area to permit use of the terminal device provided in the security management area, This is to limit the number of terminal devices that can be used.

  In order to solve such a problem, the present invention provides an entry / exit management system for managing entry / exit of a user in a security management area according to a result of a user authentication process based on first authenticated information for uniquely identifying a user. Restricting access to the network according to the result of user authentication by the authentication server based on the second authenticated information that uniquely identifies the user, with a plurality of terminal devices provided in the security management area as processing targets Provided is a linkage control device that links a network authentication system to each other. The cooperation control device includes an authentication terminal count that is the second authenticated information, the user entry / exit state in the security management area, and the number of terminal devices that are permitted to authenticate the user by the authentication server among the plurality of terminal devices. A user status storage unit that stores the number in association with each user, and a request for access to the network using the second authenticated information that is made by the user to the authentication server via the terminal device Includes authentication processing means for authenticating the use of the terminal device for the user based on the entry / exit state and the authentication terminal count number associated with the second authentication information stored in the user state storage means. Here, the authentication processing means transfers the access request to the authentication server when the use authentication processing result is authentication permission, and sends the access request to the authentication server when the use authentication processing result is authentication non-permission. Return authentication rejection to the terminal device without forwarding.

  In the present invention, the cooperation control device further includes user information storage means for storing the second authenticated information in association with the upper limit number of authentications, which is the number of terminal devices that are allowed to authenticate the user. You may do it. Here, the authentication processing means searches the user status storage means and the user information storage means based on the second authenticated information in the authentication processing. And, when the user status storage means is in the security management area, the user is in the input status, and the user status storage means authentication terminal count number is smaller than the upper limit authentication number of the user information storage means, Judgment that authentication is permitted. On the other hand, if the entry / exit state of the user state storage means is the user exit state in the security management area, or the authentication terminal count number of the user state storage means is the upper limit authentication number of the user information storage means, authentication is performed. Judgment is not permitted.

  In the present invention, the user status storage unit may further store a terminal identifier that identifies a terminal device that is permitted to authenticate the user by the authentication server. In this case, the authentication processing means searches the user state storage means based on the second authenticated information and disconnects the terminal device that is permitted to authenticate the user by the authentication server from the network. The terminal device corresponding to the terminal identifier associated with the authentication information is disconnected from the network.

  In the present invention, each of the terminal devices may be connected to the network via a relay device. In this case, the terminal identifier includes a network-specific identifier assigned to the relay device to which the terminal device is connected and the port number of the relay device to which the terminal device is connected.

  In the present invention, the terminal identifier may further include a device-specific identifier assigned to the terminal device.

  In the present invention, the relay device may be connected to a plurality of terminal devices using radio. In this case, the authentication processing means, when the authentication for the user is permitted by the authentication server, the device-specific identifier assigned to the terminal device authorized for the user is already stored in the terminal identifier of the user status storage means. If this is the case, the previous information is updated with the network-specific identifier and port number of the relay device to which this terminal device is currently connected.

  Further, in the present invention, the cooperation control device further includes terminal device information storage means for storing device-specific identifiers assigned to a plurality of terminal devices connected to a network constructed in the security management area. Also good. In this case, the authentication processing means further searches the terminal device information storage means in the use authentication. And the entry / exit state of the user state storage means is the user in the security management area, the authentication terminal count number of the user state storage means is smaller than the upper limit authentication number of the user information storage means, and the terminal If the device-specific identifier of the device information storage means matches the device-specific identifier assigned to the terminal device that transmitted the access request, it is determined that authentication is permitted. On the other hand, the entry / exit state of the user state storage means is that the user is in the security management area, or the authentication terminal count number of the user state storage means is the upper limit authentication number of the user information storage means, or a terminal device If the device-specific identifier of the information storage means does not match the device-specific identifier assigned to the terminal device that transmitted the access request, it is determined that authentication is not permitted.

  According to the present invention, when the authentication result based on the entry / exit state to the security management area and the authentication terminal count number is authentication permission, the access request is transferred to the authentication server. When the authentication result is not permitted, the access request is transferred to the authentication server. By returning authentication rejection to the terminal device without transferring to the terminal device, it is possible to limit the number of terminal devices that can allow the user to be authenticated.

  Also, according to the present invention, since the upper limit number of terminals can be set, the number of terminal devices that can be used by the user can be freely controlled.

  Further, according to the present invention, since the terminal identifier for specifying the terminal device is stored, access restriction such as blocking of the terminal device from the network can be easily performed.

  Further, according to the present invention, it is possible to effectively specify a terminal device using a network relay device as a key.

  Further, according to the present invention, by using a unique identifier for a device, it is possible to effectively identify a terminal device regardless of the network configuration.

  In addition, according to the present invention, even if information related to a relay device for specifying a terminal device on the network is changed, the information can be updated using a unique identifier for the device as a key. Access restriction can be performed effectively.

  Furthermore, according to the present invention, since the authentication process is further performed using the device-specific identifier of the terminal device connected to the network, the access request from the unauthorized terminal device is rejected before being transferred to the authentication server. It becomes possible.

(First embodiment)
FIG. 1 is a conceptual diagram showing the overall configuration of a network management system 1 according to the first embodiment of the present invention. In the network management system 1, an equipment system 10 and a network authentication system 20 are connected to each other by a cooperation control device 30.

  The facility system 10 is an entry / exit management system that manages user entry / exit from a low security level area to a high security level area (security management area) that handles confidential information.

  The equipment system 10 may be of any form as long as it manages the entry into and exit from the security management area. For example, as shown in FIG. 1, the security management area is separated by a barrier or the like. A form in which entry / exit (entrance / exit) is allowed according to processing can be applied.

  The facility system 10 performs user authentication for all users who wish to enter the security management area, thereby permitting authentication only for legitimate users registered in advance, and entering the security management area. Allow entry. Also, the facility system 10 performs user authentication for all users who wish to leave the security management area, thereby permitting authentication only for legitimate users registered in advance, and from the security management area. Allow leaving. The security management area includes a door including an electric lock that can be locked and unlocked by an electric action.

  Specifically, the facility system 10 is mainly configured by an entrance card reader 11, an exit card reader 12, and an entrance / exit control unit 13.

  The entrance card reader 11 is provided in the vicinity of the door outside the security management area, and reads information stored in a semiconductor memory of a user, for example, a non-contact IC card (Integrated Circuit) 2. Information read by the entry card reader 11 is transmitted to the entry / exit control unit 13.

  The exit card reader 12 is provided in the vicinity of the door inside the security management area, and reads information stored in the semiconductor memory of the IC card 2 owned by the user. Information read by the leaving card reader 12 is transmitted to the entry / exit control unit 13.

  The entrance / exit control unit 13 performs authentication processing based on the card ID of the IC card 2 in the information acquired from the entrance card reader 11. If the user who wishes to enter the room (the holder of the IC card 2) determines that the user is a valid user (authentication permitted) by the authentication process, the entrance / exit control unit 13 unlocks the locked electric lock. Lock. This allows the user to enter the security management area. On the other hand, the entrance / exit control unit 13 keeps the electric lock locked when it is determined by the authentication process that the user who wishes to enter the room is not a valid user (authentication is not permitted). Thereby, the user's entry into the security management area is not permitted. Here, the card ID is information to be authenticated that uniquely identifies the user, and the entrance / exit control unit 13 holds in advance a database in which the card ID related to the legitimate user is described, and refers to this database for authentication. Process.

  Further, the entrance / exit control unit 13 performs an authentication process based on the card ID of the IC card 2 in the information acquired from the exit card reader 12. The entry / exit control unit 13 unlocks the locked electric lock when it is determined by the authentication process that the user who wants to leave the room is an authorized user (authentication permitted). This allows the user to leave the security management area. On the other hand, the entry / exit control unit 13 keeps the electric lock locked when it is determined by the authentication process that the user who wants to leave the room is not a valid user (authentication is not permitted). As a result, the user cannot leave the security management area.

  When the entry / exit control unit 13 permits the user to enter / exit the security management area by such an authentication process, the card ID of the IC card 2, the door ID unique to the unlocked door, and the entry / exit The entry / exit information including the information indicating whether the user has exited and the time when the entry / exit operation was performed (entrance / exit time) is transmitted to the linkage control device 30. In addition, you may make it show the information which shows whether it is entering or leaving a room with the apparatus ID which specifies the card reader 11 for entrance, or the card reader 12 for exit, respectively uniquely.

  The network authentication system 20 manages a network constructed in the security management area, and a plurality of terminal devices 21 are connected to the network via a relay device 22. In this network, the relay device 22 is also connected to the authentication server 23.

  The network authentication system 20 treats each terminal device 21 as a processing target, performs user authentication for all users who wish to access the network using the terminal device 21, and performs authentication only for users who are permitted to authenticate. The terminal device 21 is permitted to connect to the network. In the network authentication system 20, access requests to the network transmitted from the plurality of terminal devices 21 are authenticated by the relay device 22 and the authentication server 23.

  Specifically, the network authentication system 20 uses a technology for authenticating a user connected to a LAN (Local Area Network) switch or a wireless LAN access point established by IEEE (American Institute of Electrical and Electronics Engineers) 802.1X. Thus, an authentication process corresponding to the network connection request that is an access request from the terminal device 21 is performed. IEEE 802.1X is a protocol on Ethernet (registered trademark) that controls whether or not a LAN can be used. In addition, a RADIUS server that can centrally manage users to be authenticated by communication using RADIUS (Remote Authentication Dial-In-User-Service) as an authentication protocol is used for user authentication.

  The terminal device 21 is a so-called PC (Personal Computer) that can be used by a user who has entered the security management area, and exchanges information with the relay device 22 and the authentication server 23. The terminal device 21 holds authentication client software called a supplicant for requesting connection to a network.

  The relay device 22 is connected to a plurality of terminal devices 21 by wire, and relays authentication processing between the authentication server 23 and the terminal device 21. The relay device 22 is an authentication device that functions as a RADIUS client for the RADIUS server, and performs communication using RADIUS as an authentication protocol for communication with the RADIUS server. The relay device 22 is a LAN switch or the like that supports IEEE 802.1X and RADIUS, and connects the terminal device 21 to the network for each port 22a in cooperation with the authentication server 23.

  The authentication server 23 is a RADIUS server in RADIUS authentication, and includes a user information storage unit (not shown) that holds information related to a user who requests connection of the terminal device 21 to the network, and is connected to the terminal via the relay device 22 that is a RADIUS client. The authentication process of the device 21 is performed, and whether or not access to the network is possible is notified according to the authentication result.

  A user information storage unit (not shown) provided in the authentication server 23 holds an account ID, which is information to be authenticated for uniquely identifying a user in the network, and a password corresponding to the account ID.

  The actual authentication procedure by the network authentication system 20 is defined by EAP (Extensible Authentication Protocol). In the network authentication system 20, a user ID (account ID) and a password are input to various EAP that can be used in IEEE802.1X, for example, EAP-MD5 (EAP-Message Digest alogorithm5) and PEAP (Protected-EAP). EAP that is required to be performed, EAP-TLS (EAP-Transport Layer Security) that authenticates using a digital electronic certificate, or the like can be used.

  The cooperation control device 30 is provided so as to pass through an authentication packet exchanged during the authentication process between the relay device 22 and the authentication server 23 of the network authentication system 20, and the facility system 10 and the network authentication system 20. And linked control.

  The linkage control device 30 uses the entry / exit information transmitted from the facility system 10 to grasp the change in the user entry / exit state (entrance / exit state) in the facility system 10 such as entering the security management area. Depending on the leaving state, the authentication server 23 passes the network authentication request, which is an authentication packet transmitted as an access request from the terminal device 21 to the authentication server 23 via the relay device 22, or does not pass through the authentication server 23. It is determined whether or not a rejection response will be made prior to the authentication.

  In addition, the cooperation control device 30 uses the entrance / exit information transmitted from the equipment system 10 in a state where the user has already been authenticated for connection to the network, and the equipment system 10 such as leaving the security management area. It is possible to perform control such as grasping the change in the user's entry / exit state at, and disconnecting the connected network in accordance with this entry / exit state.

  FIG. 2 is a block diagram illustrating a configuration of the cooperation control device 30. The cooperation control device 30 includes an external system I / F (interface) 31, an internal database 32, a network I / F (interface) 33, a RADIUS authentication unit 34, and an authentication processing unit 35.

  The external system I / F 31 is a communication interface for connecting the facility system 10 and the cooperation control device 30. Communication between the facility system 10 and the cooperation control apparatus 30 via the external system I / F 31 can use a communication standard such as Ethernet (registered trademark), for example. Communication between the facility system 10 and the cooperation control device 30 via the external system I / F 31 is not limited to TCP / IP-based communication, and a non-IP field bus or the like can also be used.

  The internal database 32 is a database that stores various types of information used by the cooperation control device 30, and includes a user information storage unit 32 </ b> A that stores static information defined for each user, and a dynamic that indicates the current state of the user. User occupancy state storage unit 32B and user authentication state storage unit 32C for storing various information, and system information storage unit 32D for storing static information defined in relation to the equipment system 10 and the network authentication system 20 It has.

  The user information storage unit 32A associates the card ID, the occupancy time, the occupancy time, and the upper limit number of authentications for each account ID that is authentication information for uniquely identifying the user in the network. I remember. The information stored in the user information storage unit 32A is static information, and once set, it is held without being changed until a new user registration or system change is made.

  FIG. 3 is an explanatory diagram showing an example of information stored and held in the user information storage unit 32A and its contents. The card ID is a card ID of the IC card 2 that is held by a user registered in advance and used when the facility system 10 enters or leaves the room. When the card ID is notified from the facility system 10, the authentication processing unit 35 refers to the user information storage unit 32A to acquire an account ID corresponding to the card ID, and the user occupancy state based on the acquired account ID. An update process of the storage unit 32B is executed. In addition, since one user may have a plurality of IC cards 2, a plurality of card IDs may be registered for one account ID.

  The occupancy time indicates the time allowed to continue in the security management area permitted by the user specified by this account ID. This occupancy time is compared with the occupancy time that indicates how long the user has been in the security management area so far, and if this occupancy time exceeds the occupancy time, For example, the authentication processing unit 35 disconnects the network connected to the terminal device 21 used by the user, or denies authentication of an access request to the network. The occupancy time is obtained by the authentication processing unit 35 by referring to the occupancy start time stored in the user occupancy state storage unit 32B described later.

  The occupancy time indicates a time zone in which the user specified by this account ID is allowed to stay in the security management area, and depends on a set of occupancy start time and occupancy end time. It is configured. This occupancy time is compared with the current time, and if the current time is outside the occupancy time range, the authentication processing unit 35 connects, for example, the terminal device 21 used by the user. The connected network is disconnected, or the access request to the network is not authorized.

  The upper limit number of authentication is an upper limit value of the terminal device 21 that can permit authentication for the user specified by the account ID. This upper limit authentication number is compared with the count number of the terminal device 21 that is permitted to authenticate the user when requesting access to the network. If this count number is smaller than the upper limit authentication number, the authentication processing unit 35 Authentication is allowed.

  The user occupancy state storage unit 32B stores the occupancy room number and the occupancy start time in association with each account ID that is authentication information for uniquely identifying the user in the network. The information stored in the user occupancy state storage unit 32B is dynamic information and is updated as needed by the authentication processing unit 35 according to the user's entrance / exit state managed by the facility system 10.

  FIG. 4 is an explanatory diagram showing an example of information stored in the user occupancy state storage unit 32B and its contents. The occupancy room number is a room number that identifies the security management area in which the user is currently occupying the room. The authentication processing unit 35 specifies whether or not the user is currently in the security management area from the entry / exit information that is notified when there is a state change in the facility system 10, and the user is in the room In this case, the room number indicating the security management area is stored in the user occupancy state storage unit 32B as the occupancy room number.

  The occupancy start time is the entry time to the security management area specified from the entry / exit information transmitted when there is a state change from the equipment system 10, and the occupancy start time is the time when the occupancy is started in the security management area Is shown. This occupancy start time is used for comparison with the occupancy time in the security management area at the time of network authentication or the like.

  The user authentication state storage unit 32C stores the authentication terminal count number, the relay device ID, and the relay device port number in association with each account ID that is information to be authenticated for uniquely identifying the user in the network. Yes. The information stored in the user authentication status storage unit 32C is dynamic information and is updated as needed by the authentication processing unit 35 according to the network authentication status of the user managed by the network authentication system 20.

  FIG. 5 is an explanatory diagram showing an example of information stored in the user authentication state storage unit 32C and its contents. The authentication terminal count number indicates the number (count number) of terminal devices 21 that are permitted to authenticate the user specified by the account ID among a plurality of terminals provided in the security management area. The authentication processing unit 35 increments the authentication terminal count number when the relay device 22 and the authentication server 23 are permitted to authenticate the access to the network, and the network connection between the relay device 22 and the terminal device 21 is blocked. When notified, the authentication terminal count is decremented.

  The relay device ID is the IP address (relay device) of the relay device 22 to which the terminal device 21 permitted to authenticate the user specified by the account ID among the plurality of terminal devices 21 provided in the security management area is connected. 22 shows a unique identifier assigned to the network. The authentication processing unit 35 relays the IP address of the relay device 22 to which the terminal device 21 permitted to authenticate the user is connected when the relay device 22 and the authentication server 23 are permitted to authenticate the access to the network. The device ID is stored in the user authentication state storage unit 32C. In addition, the authentication processing unit 35, on the condition that the network connection is blocked for all of the terminal devices 21 that are permitted to authenticate the user among all the terminal devices 21 connected to the relay device 22, The ID is deleted from the user authentication state storage unit 32C. A plurality of relay device IDs can be set according to the number of relay devices 22 set in the security management area.

  The relay device port number indicates the number of the port 22a of the relay device 22 to which the terminal device 21 permitted to authenticate the user specified by the account ID among a plurality of terminals provided in the security management area is connected. . When the relay device 22 and the authentication server 23 are permitted to authenticate the network, the authentication processing unit 35 sets the port 22a number of the relay device 22 to which the terminal device 21 permitted to authenticate the user is connected. The user authentication state storage unit 32C stores the relay device port number. Further, the authentication processing unit 35 deletes the corresponding relay device port number from the user authentication state storage unit 32C on condition that the network connection of the terminal device 21 permitted to authenticate the user is blocked. A plurality of relay device port numbers can be set according to the number of ports 22a of the relay device 22 to which the terminal device 21 permitted to authenticate the user is connected.

  The system information storage unit 32D stores a room number, which is an identification number for uniquely specifying the security management area of the facility system 10, an entrance door ID, an exit door ID, and a relay device ID in association with each other. ing. The information stored in the system information storage unit 32D is static information, and once set, it is held without being changed until there is a system change or the like.

  FIG. 6 is an explanatory diagram showing an example of information stored and held in the system information storage unit 32D and its contents.

  The entrance door ID is an ID of an entrance door provided in the equipment system 10 and uses the equipment ID of the entrance card reader 11 of the equipment system 10 corresponding one-to-one with the entrance door. The exit door ID is an ID of an exit door provided in the equipment system 10 and uses the equipment ID of the exit card reader 12 of the equipment system 10 corresponding one-to-one with the exit door. A plurality of entrance door IDs and exit door IDs can be set according to the number of doors provided in the security management area.

  The relay device ID indicates the IP address of the relay device 22 installed in this security management area. A plurality of relay device IDs can be set according to the number of relay devices 22 set in the security management area.

  The network I / F 33 is a communication interface for performing communication between the cooperation control device 30, the relay device 22, and the authentication server 23. The network I / F 34 corresponds to Ethernet (registered trademark) or a TCP / IP stack.

  The RADIUS authentication unit 34 includes an authentication request relay unit 34A, a request relay determination unit 34B, and a device setting storage unit 34C, and executes processing related to RADIUS authentication.

  The authentication request relay unit 34A relays a RADIUS packet transmitted / received between the relay device 22 and the authentication server 23 in the RADIUS authentication. At this time, the authentication request relay unit 34A acquires information necessary for authentication processing in the authentication processing unit 35 such as an account ID included in the RADIUS packet of the network authentication request. It also has a function of recalculating the authentication code defined in the RADIUS standard.

  The request relay determination unit 34B finally determines whether to transmit a network authentication request to the authentication server 23 or to reject the network authentication request based on the authentication determination made by the authentication processing unit 35. The request relay determination unit 34 </ b> B generates a rejection response packet and transmits it to the relay device 22 when a rejection response is made.

  The device setting storage unit 34C manages all secret shared keys held in the relay device 22 and the authentication server 23 that are necessary for confirming the validity of the RADIUS communication in association with the IP address of the communication partner. .

  The authentication processing unit 35 performs authentication processing using the information included in the RADIUS packet of the network authentication request transmitted from the relay device 22 and the information stored in the internal database 32, and sends the network authentication request to the authentication server 23. Determine whether to forward to or reject.

  In addition, when the relay device 22 supports external authentication state control, the authentication processing unit 35 immediately transmits a request for resetting the authentication state in response to a change in the user's action state. . In this case, the authentication processing unit 35 operates when the relay device 22 holds a management information database called MIB (Management Information Base). Specifically, by exchanging the MIB, which is the management information, in SNMP (Simple Network Management Protocol), which is a management protocol in a TCP / IP network environment standardized by IETF (Internet Engineering Task Force), The relay device 22 can be managed by the authentication processing unit 35. That is, when an SNMP agent is given to the relay device 22, the authentication processing unit 35 functions as an SNMP manager. For example, a MIB defined by IEEE 802.1x can be used.

  Further, the authentication processing unit 35 can manage static information and the like stored in the user information storage unit 32A from the outside using an HTTP (S) server, Telnet, or the like.

  Next, a procedure for limiting the number of terminal devices 21 that can permit authentication for a user (terminal number limiting process), which is one of the features of the present embodiment, will be described. FIG. 7 is a flowchart illustrating the procedure of the terminal number restriction process by the cooperation control device 30 according to the present embodiment. In describing the procedure of the terminal number restriction process, referring to the timing chart shown in FIG. 8, a series of procedures from entering a user's security management area to user authentication in a network constructed in this security management area It explains together.

  First, a user enters a security management area where a network is constructed from a door managed by the entrance / exit control unit 13. Specifically, the user puts the IC card 2 in the room card reader 11. In response to this, the entrance / exit control unit 13 reads the information stored in the semiconductor memory of the IC card 2, authenticates the card ID, and unlocks the locked electric lock. The entrance / exit control unit 13 uses the card ID of the IC card 2, the door ID that uniquely identifies the unlocked door, information indicating entry, and the entrance / exit time as entry / exit information to the linkage control device 30. Send.

  As shown in FIG. 8, at timing T <b> 1, when the cooperation control device 30 acquires the entrance / exit information from the facility system 10 via the external system I / F 31, the cooperation control device 30 converts the entrance / exit information so that it can be used for authentication processing. After that, it is stored in the user occupancy state storage unit 32B of the internal database 32, and the current entry / exit state of the user in the security management area is stored.

  Specifically, the authentication processing unit 35 searches the user information storage unit 32A using the card ID of the IC card 2 transmitted from the entrance / exit control unit 13, and stores it in association with this card ID. Get an account ID. Further, the authentication processing unit 35 searches the system information storage unit 32D using the door ID transmitted from the entrance / exit control unit 13, and determines a room number for specifying the security management area associated with the door ID. get. And the authentication process part 35 matches with the account ID acquired from the user information memory | storage part 32A, and memorize | stores the acquired room number in the user occupancy state memory | storage part 32B as an occupancy room number. If the entry / exit information transmitted from the entry / exit control unit 13 is information indicating entry, the authentication processing unit 35 uses the entry / exit time included in the entry / exit information as the occupancy start time. It is stored in the state storage unit 32B.

  At timing T2, the user who entered the security management area transmits a network authentication request as an access request from the terminal device 21 via the relay device 22 according to the IEEE 802.1X procedure, thereby connecting the terminal device 21 to the network. Try. In the initial state, since the connection between the terminal device 21 and the network is disconnected by the relay device 22, the terminal device 21 can communicate only with the relay device 22.

  First, in order to connect to the network, the user inputs an account ID and a password from the terminal device 21 and transmits a network authentication request, which is an authentication packet, to the relay device 22.

  The terminal device 21 transmits a network authentication request to the relay device 22 as a MAC (Media Access Control) frame including an EAP message. At this time, the account ID is transmitted in plain text, and the password is transmitted in a hashed state.

  The relay device 22 extracts the EAP message from the MAC frame, transfers it to the IP packet, and transmits it to the cooperation control device 30. Specifically, the relay device 22 stores the EAP message extracted from the relay device 22 in the data portion of the RADIUS packet and transmits it to the cooperation control device 30 using UDP of the upper layer of IP.

  Here, referring to FIG. 7, in step S <b> 1, the authentication request relay unit 34 </ b> A of the RADIUS authentication unit 34 determines whether or not a RADIUS packet that is a network authentication request has been received. If the authentication request relay unit 34A receives a network authentication request, the process proceeds to step S2. On the other hand, if the authentication request relay unit 34A has not received the network authentication request, the process proceeds to step S10 described later.

  In step S2, the authentication request relay unit 34A performs hash calculation according to the RADIUS protocol and authenticates the RADIUS packet. As a result, the received RADIUS packet is authenticated as to whether the data has been altered or altered, or whether the data has been corrupted. If a positive determination is made in step S2, the process proceeds to step S3 described later. On the other hand, when a negative determination is made in step S2, the process proceeds to step S4, and the authentication request relay unit 34A discards the packet.

  In step S <b> 3, the authentication request relay unit 34 </ b> A determines whether or not the received RADIUS packet is the first packet in the authentication sequence in the RADIUS authentication process between the relay device 22 and the authentication server 23. In the authentication sequence in the RADIUS authentication process, only the EAP message of the first RADIUS packet transmitted as a network authentication request from the relay device 22 includes the plain text account ID EAP-Type = Identity data. Therefore, it is possible to determine whether or not it is the first packet by searching for EAP-Type = Identity data in the received RADIUS packet. If a negative determination is made in step S3, the process proceeds to step S5, and the RADIUS packet is transferred to the authentication server 23. On the other hand, if a positive determination is made in step S3, the process proceeds to step S6. In addition to the account ID, the RADIUS packet includes the IP address of the relay device 22 as the information of the relay device 22, the port number of the relay device 22 to which the terminal device 21 is connected, and the terminal device 21 that has performed network authentication. A MAC address or the like is described as RADIUS attribute information.

  When the account ID of the user who made the network authentication request is acquired in step S6, in step S7, the IP address of the relay device 22 that made the network authentication request and the relay device 22 to which the terminal device 21 is connected are connected. Port number is obtained.

  Specifically, as shown at timing T3 in FIG. 8, the authentication request relay unit 34A of the RADIUS authentication unit 34 receives the Identity attached to the EAP message of the RADIUS packet of the network authentication request received via the network I / F 34. Data (account ID) is acquired and output to the authentication processing unit 35. Further, the authentication request relay unit 34A acquires the IP address of the relay device 22 and the port number of the relay device 22 to which the terminal device 21 is connected from the received RADIUS packet of the network authentication request, and outputs it to the authentication processing unit 35.

  At timing T4, the authentication processing unit 35 uses the account ID of the acquired Identity data as a key, and the available time, available time and upper limit authentication number stored in the user information storage unit 32A, The occupancy room number and occupancy start time stored in the state storage unit 32B and the authentication terminal count stored in the user authentication state storage unit 32C are requested. Further, the authentication processing unit 35 requests a room number stored in the system information storage unit 32D using the acquired IP address of the relay device 22 as a key. This room number indicates the security management area in which the relay device 22 that has transmitted the network authentication request is installed.

  At timing T5, the authentication processing unit 35 acquires the occupancy time, occupancy time, and the upper limit authentication number from the user information storage unit 32A, and the occupancy room number and occupancy start time from the user occupancy state storage unit 32B. And the authentication terminal count number is acquired from the user authentication state storage unit 32C, and the room number is acquired from the system information storage unit 32D.

  Referring again to FIG. 7, in step S <b> 8, the authentication processing unit 35 of the cooperation control device 30 determines whether to transfer the network authentication request transmitted from the relay device 22 to the authentication server 23. The authentication processing unit 35 transfers the network authentication request to the authentication server 23 when the following conditions are satisfied.

(1) The user is present in the security management area (2) A network authentication request is made by the terminal device 21 (relay apparatus 22) in the present security management area (3) User The number of terminal devices 21 authorized for authentication (authentication terminal count number) is smaller than the upper limit value (conditional authentication count number) of the terminal device 21 that can authorize the user (4) in the security management area The elapsed time that the user is in the room does not exceed the available time. (5) The current time is within the available time range. If all of a) to (d) have been confirmed, the process proceeds to step S5 following the positive determination in step S8.

(A) The occupancy room number acquired from the user occupancy state storage unit 32B is compared with the room number acquired from the system information storage unit 32D, and the user exists in the security management area. (B) The terminal device authenticated by the user by comparing the upper limit authentication number acquired from the user information storage unit 32A with the authentication terminal count acquired from the user authentication state storage unit 32C 21 is smaller than the upper limit authentication count (c) The occupancy time acquired from the user information storage unit 32A and the occupancy time are compared, and the security management area exceeds the occupancy time (D) The occupancy time acquired from the user information storage unit 32A is compared with the current time, and the user And it is a time zone that can be occupancy sense region, in step S5, the network authentication request is forwarded to the authentication server 23. Specifically, as shown in the timing chart of FIG. 8, at timing T <b> 6, the authentication processing unit 35 notifies the request relay determination unit 34 </ b> B of the RADIUS authentication unit 34 of an authentication determination indicating authentication permission. At timing T7, the request relay determination unit 34B makes a final determination to transmit a network authentication request to the authentication server 23 in response to the authentication determination from the authentication processing unit 35, and via the network I / F 34, A network authentication request is transmitted to the authentication server 23.

  On the other hand, if any one of the above-described (a) to (d) is not confirmed, the authentication processing unit 35 proceeds to step S9 following the negative determination in step S8.

  In step S <b> 9, an authentication rejection packet is transmitted to the relay device 22. Specifically, as illustrated in the timing chart of FIG. 8, at timing T8, the authentication processing unit 35 notifies the request relay determination unit 34B of the RADIUS authentication unit 34 of a rejection determination indicating that authentication is not permitted. At timing T9, in response to the rejection determination from the authentication processing unit 35, the request relay determination unit 34B rejects transmission of the network authentication request to the authentication server 23, generates a rejection response packet, and generates a network I / O. It transmits to the relay apparatus 22 via F34. The relay device 22 notifies the terminal device 21 of a rejection response indicating that the network authentication request has been rejected based on the transmitted rejection response packet.

  In response to the transmission of the network authentication request to the authentication server 23 at the timing T10, an authentication response that is a packet transmitted from the authentication server 23 to which the EAP message is attached, and an authentication that is a packet transmitted from the terminal device 21 By exchanging requests, authentication processing on the user's network is executed.

  Specifically, the authentication server 23 performs collation processing with information stored in a user information storage unit (not shown) using the account ID attached to the network authentication request as a key. The authentication server 23 hashes the password of the target user associated with the transmitted account ID and stored in the user information storage unit with a predetermined hash function, and is hashed attached to the network authentication request. Compare with the password and check if the hashed passwords match. At this time, the authentication request relay unit 34A of the cooperation control device 30 passes through the authentication request and the authentication response between the terminal device 21 and the authentication server 23 without performing anything. The relay device 22 functions as a relay device that performs only EAP message transfer as described above.

  Referring again to FIG. 7, in step S <b> 10, the authentication request relay unit 34 </ b> A of the RADIUS authentication unit 34 of the cooperation control device 30 determines whether an authentication response from the authentication server 23 has been received. When the authentication request relay unit 34A receives the authentication response, the process proceeds to step S11. On the other hand, if the authentication request relay unit 34A has not received an authentication response, the routine exits.

  In step S11, the RADIUS authentication unit 34 performs hash calculation according to the RADIUS protocol and authenticates the authentication response packet. As a result, data authentication is performed on the received authentication response packet, such as whether the data has not been altered or altered, or whether the data has been corrupted. If a positive determination is made in step S11, the process proceeds to step S12 described later. On the other hand, if a negative determination is made in step S11, the process proceeds to step S13, and the authentication request relay unit 34A discards the packet.

  In step S <b> 12, the authentication request relay unit 34 </ b> A determines whether the authentication result is present in the authentication response from the authentication server 23. Here, as shown at timing T11 in FIG. 8, when the authentication process for the network authentication request is completed, the authentication server 23, as an authentication response, an authentication permission notification indicating that authentication by the authentication server 23 has been performed, One of the authentication non-permission notifications indicating that the authentication has not been performed is transmitted as an authentication result to the RADIUS authentication unit 34 of the cooperation control device 30. Therefore, when an authentication result exists in the authentication response, a negative determination is made in step S12 shown in FIG. 7, and thus the process proceeds to step S14 and the authentication response from the authentication server 23 is transferred to the relay device 22. On the other hand, if there is no authentication result in the authentication response, a negative determination is made in step S12, and the process proceeds to step S15.

  In step S15, the authentication request relay unit 34A determines whether the authentication result is an authentication permission notification. When a negative determination is made in step S15, the process proceeds to step S14, and the authentication request relay unit 34A transfers an authentication non-permission notification that is a packet from the authentication server 23 to the relay device 22. When the relay device 22 receives the authentication non-permission notification from the authentication server 23 via the cooperation control device 30, the relay device 22 notifies that the authentication is not permitted without opening the line between the terminal device 21 and the network. A message is transmitted to the terminal device 21.

  On the other hand, if an affirmative determination is made in step S15, the authentication request relay unit 34A notifies the authentication processing unit 35 that authentication is permitted, and then proceeds to step S16.

  In step S16, the authentication processing unit 35 searches for the relay device port number of the user authentication state storage unit 32C using the user account ID as a key, and the relay device 22 to which the terminal device 21 that has made the network authentication request is connected. It is determined whether the port number is stored. When an affirmative determination is made in step S16, the process proceeds to step S14, and the authentication request relay unit 34A transfers the authentication permission notification to the relay device 22. On the other hand, if a negative determination is made in step S16, the process proceeds to step S17.

  In step S17, the IP address of the relay device 22 to which the network authentication request is transmitted is stored in the user authentication state storage unit 32C as the relay device ID in association with the user account ID, and the terminal that has made the network authentication request The port number of the relay device 22 to which the device 21 is connected is stored in the user authentication state storage unit 32C as the relay device port number. As a result, the network authentication result is stored in the internal database 32 as shown at timing T12 in FIG.

  Then, referring to FIG. 7 again, in step S14 following step S17, the authentication request relay unit 34A transfers the authentication permission notification to the relay device 22.

  When receiving the authentication permission notification from the authentication server 23, the relay device 22 opens the line between the terminal device 21 and the network. Thus, the user can access the network via the terminal device 21 and can communicate with other terminal devices on the network.

  In this way, in the network management system 1 in which the facility system 10 and the network authentication system 20 are mutually connected and linked by the linkage control device 30, in the high security level area of the user in the detected facility system 10. Based on the current entry / exit state, the cooperation control device 30 determines in the previous stage of notifying the authentication server 23 of the validity of the network authentication request made from the terminal device 21.

  According to the present embodiment, the authentication processing unit 35 forwards the access request to the authentication server 23 when the authentication result based on the entry / exit state to the security management area and the authentication terminal count number indicates that the authentication is permitted. In this case, the access request is not transferred to the authentication server 23. This makes it possible to limit the number of terminal devices 21 that are permitted to authenticate users.

  Further, according to the present invention, the number of terminal devices 21 that are the upper limit can be set, so that the number of terminal devices 21 that can be used can be freely controlled.

  Further, according to the present invention, the terminal device 21 can be specified using the network relay device 22 as a key.

(Second Embodiment)
By the way, the user enters the security management area and is authenticated on the network through the authentication by the cooperation control device 30 and the authentication server 23 as described above, but this user does not execute the disconnection process, but the security management area. The situation that you leave is considered.

  If the user leaves the security management area without executing the disconnection process with the authenticated network, there is a high possibility that another user in the security management area may illegally access the network. Therefore, unauthorized access to the network can be prevented by the following method.

  For example, in the network management system 1, the terminal device 21 and the network are connected via the relay device 22 and the cooperation control device 30 by the user who has entered the security management area as shown in the timing chart of FIG. Suppose that

  First, the user leaves the door managed by the entrance / exit control unit 13 from the security management area to an area with a low security level (for example, a corridor).

  Specifically, the user puts the IC card 2 on the leaving card reader 12. In response to this, the entrance / exit control unit 13 reads the information stored in the semiconductor memory of the IC card 2, authenticates the card ID, and unlocks the locked electric lock.

  The entrance / exit control unit 13 includes the card ID read from the IC card 2, the door ID that uniquely identifies the door that has unlocked the electric lock, the information indicating exit, and the entrance / exit time. To the cooperation control device 30.

  The cooperation control device 30 converts the entry / exit information transmitted from the facility system 10 via the external system I / F 31 so that it can be used in the authentication process, and then stores it in the user occupancy state storage unit 32B of the internal database 32. The current entry / exit state of the user in the security management area of the facility system 10 is stored.

  Specifically, when the entry / exit information transmitted from the entry / exit control unit 13 is information indicating exit, the authentication processing unit 35 stores the occupancy room stored in the user occupancy state storage unit 32B. Delete the room number and occupancy start time.

  The authentication processing unit 35 refers to the internal database 32 in response to the writing in the user occupancy state storage unit 32B, and the user whose state in the equipment system 10 has changed is currently being authenticated on the network. It is determined whether or not. Specifically, the authentication processing unit 35 refers to the relay device ID or the relay device port number in the user authentication state storage unit 32C and determines whether authentication is being performed on the network.

  When the authentication is being performed on the network, the authentication processing unit 35 uses the relay device ID and the relay device port number stored in the user authentication state storage unit 32C of the internal database 32 in association with the account ID of the corresponding user. With reference, the port 22a of the relay device 22 to which the terminal device 21 is connected is closed, and the terminal device 21 is disconnected from the network. Then, the authentication processing unit 35 deletes the stored authentication terminal count, relay device ID, and relay device port number in the user authentication state storage unit 32C.

  As described above, according to the present embodiment, since the terminal identifier that identifies the terminal device 21 permitted to authenticate the user is stored, it is possible to easily perform access restriction such as blocking the terminal device 21 from the network. .

  In addition, the authentication processing unit 35 exits the above-mentioned room when the available time in the security management area permitted by the user has elapsed or when it is not the available time set in the security management area. Similarly to the case of acquiring information, the entry / exit state in the security management area of the corresponding user in the user occupancy state storage unit 32B of the internal database 32 is rewritten, and the terminal device 21 authenticated by the user is disconnected from the network. Can do.

(Third embodiment)
FIG. 9 is a conceptual diagram showing the overall configuration of the network management system 1 according to the third embodiment of the present invention. The network management system 1 according to the present embodiment is different from that of the first or second embodiment in that the terminal device 21 is connected to the network via the wireless relay device 22A or the relay device 22 via the hub 22B. It is a point that has been. The wireless relay device 22A is wirelessly connected to the plurality of terminal devices 21 and relays authentication processing between the authentication server 23 and the terminal device 21. Similarly to the wired relay device 22, the wireless relay device 22A is an authentication device that functions as a RADIUS client for the RADIUS server.

  The wireless relay device 22A has the same function as that of the relay device 22 shown in the first embodiment. However, if the user's authentication on the network is permitted, the wireless relay device 22A is connected to the terminal device 21 used by the user. Re-authenticate regularly. At this time, the radio relay device 22A may change the port number (virtual port number) to which the terminal device 21 is connected from the viewpoint of improving security. For this reason, even if the authentication is performed by the same terminal device 21, the port number changes, so that the terminal device 21 cannot be specified.

  In addition, when the hub 22B is interposed between the relay device 22 and the terminal device 21, a plurality of terminal devices 21 are connected to an arbitrary port 22a of the relay device 22, and the terminal device 21 based on the port number. In this identification, it is impossible to specify which terminal device 21 is connected to the port 22a from which the authentication is made.

  Therefore, in the present embodiment, such a problem is addressed by the network management system 1 as described below based on the first or second embodiment. In the description of the system configuration of the third embodiment, the same reference numerals are used for the same configurations as those in the first or second embodiment, and the details thereof are omitted.

  As one of the features of this embodiment, as shown in FIG. 10, the cooperation control device 30 includes a terminal search unit 36 and a log recording unit 37 described later in addition to the configuration shown in the first embodiment. is doing.

  The internal database 32 of the cooperation control device 30 further includes a terminal device information storage unit 32E.

  The terminal device information storage unit 32E stores a room number, which is an identification number for uniquely specifying the security management area of the facility system 10, and a terminal device unique ID in association with each other. The information stored in the terminal device information storage unit 32E is static information, and once set, it is held without being changed until there is a system change or the like.

  FIG. 11 is an explanatory diagram showing an example of information stored in the terminal device information storage unit 32E and its contents. The terminal device unique ID is an identifier unique to the device of the terminal device 21 provided in the security management area. In the present embodiment, this corresponds to the MAC address. A plurality of terminal device unique IDs can be set according to the number of terminal devices 21 provided in the security management area.

  As shown in FIG. 12, the user authentication status storage unit 32C of the internal database 32 stores the above-described authentication terminal count number and relay for each account ID that is information to be authenticated for uniquely identifying a user in the network. In addition to the device ID and the relay device port number, a user terminal unique ID is further associated.

  The user terminal unique ID is an identification number unique to the device of the terminal device 21 that is permitted to authenticate the user, and corresponds to a MAC address in the present embodiment. When the relay device 22 and the authentication server 23 are permitted to authenticate the network, the authentication processing unit 35 uses the MAC address of the terminal device 21 permitted to authenticate the user as the user terminal unique ID. It memorize | stores in the authentication state memory | storage part 32C. Further, the authentication processing unit 35 deletes the corresponding user terminal unique ID from the user authentication state storage unit 32C on the condition that the network connection of the terminal device 21 permitted to authenticate the user is blocked. A plurality of user terminal unique IDs can be set according to the number of terminal devices 21 set in the security management area.

  In the user authentication state storage unit 32 </ b> C, the authentication terminal count is performed based on a MAC address that is an identification number unique to the device of the terminal device 21.

  Referring again to FIG. 10, the terminal search unit 36 searches the user authentication state storage unit 32 </ b> C using the MAC address of the terminal device 21 to which the network authentication request is permitted as a key, and searches the authentication state of the terminal device 21. To do.

  The log recording unit 37 stores the access log as unauthorized access when unauthorized access to the network is performed by the terminal device 21.

  FIG. 11 is a flowchart illustrating the procedure of the terminal number restriction process by the cooperation control device 30 according to the present embodiment. The basic processing procedure is the same as the processing procedure shown in FIG. 7 as described in the first embodiment. The same processing is referred to by the same step number, and the differences will be described below. I do.

  In step S18 subsequent to step S7 described above, the first RADIUS packet transmitted as the network authentication request is referred to, and the MAC address of the terminal device 21 that has made the network authentication request is acquired.

  In step S19 following step S18, the authentication processing unit 35 searches the terminal device information storage unit 32E based on the room number of the system information storage unit 32D searched using the acquired IP address of the relay device 22 as a key. It is determined whether or not the MAC address acquired in step S18 is registered as the MAC address of the terminal device 21 existing in the security management area. If a positive determination is made in step S19, the process proceeds to step S20. On the other hand, if a negative determination is made in step S19, the process proceeds to step S21.

  In step S <b> 20, the authentication processing unit 35 determines whether or not to transfer the network authentication request transmitted from the relay device 22 to the authentication server 23. The authentication processing unit 35 transfers a network authentication request to the authentication server 23 when the condition (6) is further provided in addition to the conditions (1) to (5) shown in the first embodiment.

(1) The user is present in the security management area (2) A network authentication request is made by the terminal device 21 (relay apparatus 22) in the present security management area (3) User The number of terminal devices 21 that are allowed to be authenticated (authentication terminal count) is smaller than the upper limit authentication count allowed for the user. (4) There is an elapsed time that the user is in the security management area. The room availability time has not been exceeded (5) The current time is within the range of the room availability time (6) The terminal device 21 for which a network authentication request has been made and the terminal device 21 that has already been authorized for user authentication Specifically, if all of the following (a) to (e) can be confirmed, the authentication processing unit 35 follows the affirmative determination in step S20, Proceed to step S5.

(A) The occupancy room number acquired from the user occupancy state storage unit 32B is compared with the room number acquired from the system information storage unit 32D, and the user exists in the security management area. (B) The terminal device authenticated by the user by comparing the upper limit authentication number acquired from the user information storage unit 32A with the authentication terminal count acquired from the user authentication state storage unit 32C 21 is smaller than the upper limit authentication count (c) The occupancy time acquired from the user information storage unit 32A and the occupancy time are compared, and the security management area exceeds the occupancy time (D) The occupancy time acquired from the user information storage unit 32A is compared with the current time, and the user It is a time zone in which the user can stay in the physical area. (E) The current network authentication is performed by comparing the user terminal unique ID stored in the user authentication state storage unit 32C with the MAC address acquired in step S18. The terminal device 21 that has made the request has not already been authorized for network authentication. On the other hand, if any one of the above-described (a) to (e) has not been confirmed, the authentication processing unit 35 performs step Following the negative determination in S20, the process proceeds to step S9.

  On the other hand, in step S21 following the negative determination in step S19, the unauthorized access log is recorded in the log recording unit 37.

  Further, referring to FIG. 13, in step S22 following the affirmative determination in step S15, the user terminal unique ID in the user authentication state storage unit 32C is searched, and whether or not the MAC address acquired in step S18 is already stored. Judging. If a positive determination is made in step S22, the process proceeds to step S23. On the other hand, if a negative determination is made in step S22, the process proceeds to step S24.

  In step S23, the relay apparatus ID of the user authentication state storage unit 32C is updated with the IP address of the relay apparatus 22 to which the network authentication request is transmitted in association with the user account ID, and the terminal that has made the network authentication request The relay device port number in the user authentication state storage unit 32C is updated with the port number of the relay device 22 to which the device 21 is connected.

  In step S24, the IP address of the relay device 22 to which the network authentication request is transmitted is stored in the user authentication state storage unit 32C as the relay device ID in association with the user account ID, and the terminal device that has made the network authentication request The port number of the relay device 22 to which the terminal 21 is connected is stored in the user authentication state storage unit 32C as the relay device port number, and the MAC address of the terminal device 21 that has made the network authentication request is stored as the user terminal unique ID. Store in the state storage unit 32C.

  As described above, according to the present embodiment, by using a unique identifier (MAC address) for a device, the terminal device 21 can be effectively specified regardless of the network configuration.

  In addition, according to the present embodiment, even if the network-specific information for identifying the terminal device 21 on the network is changed, it can be updated using a unique identifier for the device as a key. Can be performed effectively.

  Furthermore, according to the present embodiment, since the authentication process is further performed using the device-specific identifier of the terminal device 21 connected to the network, before the access request from the unauthorized terminal device 21 is transferred to the authentication server 23. It is possible to refuse.

The conceptual diagram which shows the whole structure of the network management system 1 concerning 1st Embodiment. The block diagram which shows the structure of the cooperation control apparatus 30 concerning 1st Embodiment. Explanatory drawing which shows an example of the information memorize | stored and held in the user information storage part 32A, and its content Explanatory drawing which shows an example of the information memorize | stored in the user occupancy state memory | storage part 32B, and its content Explanatory drawing which shows an example of the information memorize | stored in the user authentication state memory | storage part 32C, and its content Explanatory drawing which shows an example of the information memorize | stored and hold | maintained in 32D of system information, and the content The flowchart which shows the procedure of the terminal number restriction | limiting process by the cooperation control apparatus 30 concerning 1st Embodiment. Timing chart showing authentication sequence The conceptual diagram which shows the whole structure of the network management system 1 concerning 3rd Embodiment. The block diagram which shows the structure of the cooperation control apparatus 30 concerning 3rd Embodiment. Explanatory drawing which shows an example of the information memorize | stored in the terminal device information storage part 32E, and its content Explanatory drawing which shows an example of the information memorize | stored in the user authentication state memory | storage part 32C, and its content The flowchart which shows the procedure of the terminal number restriction | limiting process by the cooperation control apparatus 30 of 3rd Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Network management system 2 IC card 10 Equipment system 11 Entrance card reader 12 Exit card reader 13 Entrance / exit control unit 20 Network authentication system 21 Terminal device 22 Relay device 22A Wireless relay device 22B Hub 22a Port 23 Authentication server 30 Cooperation control Device 32 Internal database 32A User information storage unit 32B User occupancy status storage unit 32C User authentication status storage unit 32D System information storage unit 32E Terminal device information storage unit 34 RADIUS authentication unit 34A Authentication request relay unit 34B Request relay determination unit 34C Device setting Storage unit 35 Authentication processing unit 36 Terminal search unit 37 Log recording unit

Claims (6)

An entry / exit management system that manages the entry / exit of the user in the security management area in accordance with the processing result of the user authentication based on the first authenticated information for uniquely identifying the user;
Access to the network according to the processing result of user authentication by the authentication server based on the second authenticated information that uniquely identifies the user, with each of the plurality of terminal devices provided in the security management area as a processing target In the cooperation control device that cooperates with the network authentication system that restricts
The second authenticated information, the user entry / exit state in the security management area, and the authentication terminal count number that is the number of the terminal devices permitted to be authenticated by the authentication server among the plurality of terminal devices; User status storage means for storing the information in association with each user,
When a request for access to the network using the second authenticated information is made to the authentication server from the user via the terminal device, the user status storage unit stores the request Authentication processing means for performing use authentication of the terminal device for a user based on the entry / exit state associated with second authenticated information and the authentication terminal count number ;
User information storage means for storing the second authenticated information in association with the upper limit number of authentications, which is the number of the terminal devices that can permit authentication for the user ;
Have
The authentication processing unit searches the user status storage unit and the user information storage unit based on the second authenticated information in the usage authentication,
When the user status storage means enters / exits the user in the security management area and the user status storage means has an authentication terminal count smaller than the upper limit authentication number of the user information storage means Makes a decision to allow authentication,
When the entry / exit state of the user state storage means is a user exit state in the security management area, or the authentication terminal count number of the user state storage means is the upper limit authentication number of the user information storage means , Make a decision that authentication is not allowed,
The access request is transferred to the authentication server when the result of the use authentication is permission, and the access request is transferred to the authentication server when the result of the use authentication is not permitted. A cooperative control device characterized by rejecting. The user status storage means further stores a terminal identifier that identifies the terminal device that is permitted to authenticate a user by the authentication server,
The authentication processing unit searches the user status storage unit based on the second authenticated information when disconnecting the terminal device that has been authenticated by the authentication server from the network. The cooperation control device according to claim 1, wherein the terminal device corresponding to the terminal identifier associated with the second authentication information is disconnected from the network . Each of the terminal devices is connected to the network via a relay device,
The terminal identifier includes a network-specific identifier assigned to the relay device to which the terminal device is connected and a port number of the relay device to which the terminal device is connected. Cooperation control device. The cooperation control apparatus according to claim 3 , wherein the terminal identifier further includes a device-specific identifier assigned to the terminal apparatus. The relay device is connected to the plurality of terminal devices using radio,
In the authentication processing unit, when the authentication to the user is permitted by the authentication server, the device-specific identifier assigned to the terminal device permitted to authenticate the user is already stored in the terminal identifier of the user state storage unit. 5. The cooperation control apparatus according to claim 4, wherein if the network information is present, the previous information is updated with a network-specific identifier and a port number of the relay apparatus to which the terminal apparatus is currently connected . A terminal device information storage unit that stores device-specific identifiers assigned to a plurality of terminal devices provided in the security management area;
The authentication processing means further searches the terminal device information storage means in the use authentication,
The entry / exit state of the user state storage means is a user in the security management area, and the authentication terminal count number of the user state storage means is smaller than the upper limit authentication number of the user information storage means, and If the device-specific identifier of the terminal device information storage means matches the device-specific identifier assigned to the terminal device that has transmitted the access request, it is determined that authentication is permitted,
The entry / exit state of the user state storage means is a user exit state in the security management area, or the authentication terminal count number of the user state storage means is the upper limit authentication number of the user information storage means, or When the device-specific identifier of the terminal device information storage means does not match the device-specific identifier assigned to the terminal device that transmitted the access request, it is determined that authentication is not permitted. The cooperation control apparatus according to claim 4 or 5 .

Images