JP7481043B2 - Wireless communication device, wireless communication system, wireless communication method, and wireless communication program - Google Patents

Description

The present disclosure relates to a wireless communication device, a wireless communication system, a wireless communication method, and a wireless communication program, and in particular to a wireless communication device, a wireless communication system, a wireless communication method, and a wireless communication program that communicate with wireless slave devices using multiple BSSs (Basic Service Sets).

In recent years, wireless LANs (Local Area Networks) have become so widespread that they are used in many homes. In the past, users with some knowledge of information devices would install and use wireless LAN devices, but as wireless LANs have become more widespread, even users with low IT skills have begun to set up wireless LAN environments at home. Therefore, wireless LAN devices, such as access point devices (APs), are required to be designed for general households so that anyone can easily set up a wireless LAN environment. Here, setting up a wireless LAN environment means setting up the operation of the AP and the network of the wireless client device (STA) so that the STA can belong to the AP's network and be able to communicate.

Wireless LAN devices are also required to ensure a high level of security. Because a wireless LAN is a wireless communication network that uses radio waves as a medium, it is not visible which terminals are connected to the wireless LAN. Therefore, even if an unintentionally malicious STA is associated with the AP's network, it is difficult to be noticed. Also, because radio waves reach a certain range, it is possible to receive radio waves even if the STA is not associated with the AP's network. Therefore, it is relatively easy for a malicious user to intercept the contents of communications from a legitimate user. Therefore, many APs prevent such attacks by authenticating the terminals that are associated with them using passwords and encrypting the communications. Naturally, it is desirable to carry out connection authentication processing to improve security in this way.

In many wireless LAN devices, the setting information for connection authentication processing is set before shipping. For example, the SSID (Service Set Identifier) and password are setting information required for the user to associate the STA with the AP's network, and are often written on a sticker or the like attached to the AP's device body. Therefore, when a user introduces a new AP, a secure wireless LAN environment can be created simply by inputting the AP's SSID and password into the STA without having to change the AP's setting information. However, this method has problems in terms of usability and security. For this reason, various methods have been proposed to solve these problems.

For example, Patent Document 1 discloses a method of transferring connection information to a client device in response to pressing a setting button provided on an access point device, and executing a setting process for joining a wireless network system.
Furthermore, Patent Document 2 discloses a method in which a STA first joins a BSS in a network with poor radio coverage, receives parameters, and then uses the parameters to switch the BSS it joins to a BSS with a high security level.

JP 2016-163178 A JP 2006-186941 A

However, the method described in Patent Document 1 above has the problem that the action of pressing an AP button when joining a network system is not necessarily intuitive for the user. There is also the problem that continuing to operate with the initial connection information still poses security risks.

In addition, in the method described in Patent Document 2 above, an STA that has joined a BSS with a narrow radio wave coverage area will always be able to join a BSS with a high security level, which poses the problem of an insufficient security level.

In view of the above-mentioned problems, the objective of the present disclosure is to provide a wireless communication device, a wireless communication system, a wireless communication method, and a wireless communication program that can operate a wireless network with a high level of security while minimizing the burden on users.

A wireless communication device according to one aspect of the present disclosure communicates with wireless slave devices using multiple BSSs (Basic Service Sets). The wireless communication device includes a first attribution processing unit, an inquiry unit, and a second attribution processing unit. In response to a connection request from an unconnected slave device, which is a wireless slave device for which connection authentication has not been completed, the first attribution processing unit causes the unconnected slave device to be attributable to a first BSS. The inquiry unit inquires of a connected slave device, which is a wireless slave device that is attributable to a second BSS and for which connection authentication has been completed, via the second BSS whether the requesting unconnected slave device can be connected. When the connected slave device permits the connection, the second attribution processing unit changes the attribution destination of the requesting unconnected slave device from the first BSS to the second BSS, and completes the connection authentication.

A wireless communication system according to one aspect of the present disclosure includes a plurality of wireless slave devices and a wireless communication device that performs wireless communication between the wireless slave devices using a plurality of BSSs. The wireless communication device includes a first attribution processing unit, an inquiry unit, and a second attribution processing unit. In response to a connection request from an unconnected slave device, which is a wireless slave device for which connection authentication has not been completed, the first attribution processing unit causes the unconnected slave device to be attributable to a first BSS. The inquiry unit inquires of a connected slave device, which is a wireless slave device that is attributable to a second BSS and for which connection authentication has been completed, via the second BSS whether the requesting unconnected slave device can be connected. When the connected slave device permits the connection, the second attribution processing unit changes the attribution destination of the requesting unconnected slave device from the first BSS to the second BSS, and completes the connection authentication.

A wireless communication method according to one aspect of the present disclosure is a wireless communication method for a wireless communication device that performs wireless communication with a wireless slave using multiple BSSs. The wireless communication method includes a first attribution process step, an inquiry process step, and a second attribution process step. The first attribution process step is a step of attributing the unconnected slave to a first BSS in response to a connection request from an unconnected slave that is a wireless slave for which connection authentication has not been completed. The inquiry process step is a step of inquiring, via the second BSS, a connected slave that is a wireless slave that is attributable to a second BSS and for which connection authentication has been completed, as to whether the unconnected slave that is the request source can connect. The second attribution process step is a step of changing the attribution destination of the unconnected slave that is the request source from the first BSS to the second BSS and completing connection authentication, if the connected slave permits the connection.

A wireless communication program according to one aspect of the present disclosure is a wireless communication program to be executed by a wireless communication device that performs wireless communication with a wireless slave device using multiple BSSs. The wireless communication program causes the wireless communication device to execute a first attribution process, an inquiry process, and a second attribution process. The first attribution process is a process of attributing an unconnected slave device, which is a wireless slave device for which connection authentication has not been completed, to a first BSS in response to a connection request from the unconnected slave device. The inquiry process is a process of inquiring, via the second BSS, of a connected slave device, which is a wireless slave device that is attributable to a second BSS and for which connection authentication has been completed, as to whether the unconnected slave device that is the request source can connect. The second attribution process is a process of changing the attribution destination of the unconnected slave device that is the request source from the first BSS to the second BSS and completing connection authentication when the connected slave device permits the connection.

The first effect of the present disclosure is that a wireless communication device can operate a wireless network with a high level of security by associating only wireless slave devices that are permitted by connected wireless slave devices with a second BSS that is different from the first BSS to which the wireless slave devices belong based on the initial setting information.

The second effect of the present disclosure is that when a second or subsequent wireless slave device is authenticated for connection to a wireless communication device, the target wireless slave device can be assigned to a second BSS with a higher security level simply by the connected wireless slave device transmitting a connection permission/denial.

In this way, the present disclosure can provide a wireless communication device, a wireless communication system, a wireless communication method, and a wireless communication program that can operate a wireless network with a high level of security while minimizing the burden on users.

1 is a block diagram showing a functional configuration of a wireless communication device according to a first embodiment. 1 is a block diagram showing a hardware configuration of a wireless communication device according to a first embodiment. FIG. 11 is a configuration diagram of a wireless communication system according to a second embodiment. FIG. 11 is a sequence diagram of an initial connection authentication process in the wireless communication system according to the second embodiment. FIG. 11 is a sequence diagram of second or subsequent connection authentication processing in the wireless communication system according to the second embodiment. FIG. 11 is a sequence diagram of second or subsequent connection authentication processing in the wireless communication system according to the second embodiment. FIG. 11 is a schematic configuration diagram of a wireless communication system according to first to third examples of the second embodiment. FIG. 13 is a diagram illustrating the internal state of an AP according to a first example of the second embodiment. FIG. 13 is a diagram illustrating an example of a display on a parent's smartphone according to a first example of embodiment 2. FIG. 13 is a diagram illustrating the internal state of an AP according to a first example of the second embodiment. FIG. 13 is a diagram illustrating the internal state of an AP according to a first example of the second embodiment. FIG. 13 is a diagram illustrating an example of a display on a parent's smartphone according to a first example of embodiment 2. FIG. 13 is a diagram illustrating the internal state of an AP according to a first example of the second embodiment. FIG. 11 is a sequence diagram of second or subsequent connection authentication processing in a wireless communication system according to a second example of the second embodiment. FIG. 13 is a diagram illustrating the internal state of an AP according to a second example of the second embodiment. FIG. 11 is a sequence diagram of second or subsequent connection authentication processing in a wireless communication system according to a third example of the second embodiment. FIG. 13 is a diagram illustrating the internal state of an AP according to a third example of the second embodiment. FIG. 13 is a diagram illustrating the internal state of an AP according to a third example of the second embodiment. FIG. 11 is a configuration diagram of a wireless communication system according to a third embodiment. FIG. 13 is a sequence diagram of second or subsequent connection authentication processing in the wireless communication system according to the third embodiment. FIG. 13 is a diagram illustrating an example of a display on a parent's smartphone according to the third embodiment.

The present disclosure will be described below through embodiments, but the invention according to the claims is not limited to the following embodiments. Furthermore, not all of the configurations described in the embodiments are necessarily essential as means for solving the problems. For clarity of explanation, the following description and drawings have been omitted and simplified as appropriate. Note that the same reference numerals are used for the same elements in each drawing.

<Problems of the embodiment>
Here, the problem that the present embodiment is intended to solve will be explained again.
In recent years, wireless LANs (Local Area Networks) have become widespread in ordinary homes, and even users who are unfamiliar with IT devices often set up wireless LAN environments at home. Many users who are unfamiliar with IT devices believe that when they purchase an AP (Access Point), they can use the AP's network simply by inputting an SSID (Service Set Identifier) and password on the wireless client (STA: Station) side. Indeed, in many APs, setting information such as the SSID and password is determined before shipping, and the setting information is written on a sticker attached to the AP body. Therefore, when a user inputs the information on the sticker on the setting screen of the STA, the STA becomes associated with the AP and can communicate. However, continuing to operate with the initial setting information is a high security risk. In many cases, the initial SSID and password are calculated using a different formula for each product using values that are assigned differently to each device, such as the AP's MAC (Media Access Control) address and serial number. However, once the calculation method is analyzed by a cracker, a malicious attacker can calculate the password. In other words, if an AP user operates the AP with the initial setting information, the risk of being attacked by a malicious attacker increases. Therefore, the SSID and password are required to be changed by the user. However, since users who are not familiar with IT devices do not recognize the need to change the setting information of the AP, the reality is that there are many cases where the AP is operated in a state with high security risk without changing the setting information.

When constructing a wireless LAN environment at home, only STAs authorized by the home AP administrator (e.g., a parent) should be able to connect to the AP in order to reduce security risks. APs available on the market can authenticate connection to a BSS (Basic Service Set) if a password is entered, so there is a risk that a malicious attacker may gain unauthorized access if he obtains the password. Therefore, APs equipped with a function for filtering STAs to be connected by MAC address have been developed. This function registers a list of MAC addresses in the AP in advance, and allows connection only if the MAC address of the STA attempting to connect is included in the list (whitelist method), or prohibits connection only if the MAC address is included in the list (blacklist method). Using the whitelist method, only STAs authorized by the administrator can be connected, but it is very difficult for users who are not familiar with IT equipment to register the MAC addresses of permitted STAs in the AP in advance.

Even if a user is willing to change their password, passwords are generally changed using a web interface on the AP, so it remains difficult for users who are unfamiliar with IT devices to change configuration information. In addition, the new password must not be easily guessed and should be complex and contain a certain number of characters. However, it is difficult for users to memorize such a password, and writing it down can actually be a security problem. In other words, requesting users to change their password to a secure one is not user-friendly.

For users who are not familiar with IT devices, it is also troublesome to input a password into the STA when associating the STA with the AP. In response to this, a technology has been proposed in which the user presses a physical or logical button on the AP and STA, such as the push button method of WPS (Wi-Fi Protected Setup), to easily transfer the setting information of the AP's BSS to the STA and enable associating. However, the action of pressing the buttons on the AP and STA is not intuitive for users. In particular, when the STA is a smartphone, it is necessary to display the WPS button in a different procedure for each model, and functions such as the push button method of WPS are often not adopted. On the other hand, there are cases where a document on which a QR code (registered trademark) showing the initial profile information is printed is sold together with the AP. In this case, the user can associate the STA with the AP without manually entering a password. However, users often dispose of or lose the document on which the QR code is printed together with the packaging box after setup. Therefore, when a user tries to associate a new STA, he or she ends up manually entering the password while looking at the sticker attached to the AP. Furthermore, since APs are often installed in the corners of rooms after setup, it is physically difficult to see the sticker in the first place. As such, there is an issue that it is extremely time-consuming to attribute new STAs, especially after setup.

As described above, current wireless LAN devices have problems in terms of security and usability. This disclosure has been made to solve these problems, and an embodiment will be described below.

<Embodiment 1>
A first embodiment of the present disclosure will be described with reference to FIGS. 1 and 2. FIG. 1 is a block diagram showing a functional configuration of a wireless communication device 10 according to the first embodiment. The wireless communication device 10 is a computer device that communicates with wireless slave devices (hereinafter, referred to as STAs) using multiple BSSs. In the first embodiment, the multiple BSSs include a first BSS and a second BSS. Here, a wireless slave device for which connection authentication has not been completed is called an unconnected slave device or an unconnected STA, and a wireless slave device for which connection authentication has been completed is called a connected slave device or a connected STA. In the first embodiment, the unconnected STA becomes a connected STA by belonging to the second BSS, whereby connection authentication is completed.

The wireless communication device 10 includes a first attribution processing unit 14, an inquiry unit 16, and a second attribution processing unit 15.

The first association processing unit 14 associates an unconnected STA with the first BSS in response to a connection request from the unconnected STA.

The inquiry unit 16 inquires of a connected STA belonging to the second BSS whether the requesting unconnected STA can connect via the second BSS.

If the connected STA permits the connection, the second belonging processing unit 15 changes the belonging destination of the requesting unconnected STA from the first BSS to the second BSS and completes the connection authentication.

In this way, the wireless communication device 10 according to the first embodiment allows only unconnected STAs that are permitted by connected STAs to belong to the second BSS. Therefore, even if an attacker's unconnected STA can belong to the first BSS using the initial setting information (SSID and password), the second BSS maintains a high security level. Furthermore, by using the wireless communication device 10 according to the first embodiment, the connected STA can cause the unconnected STA to belong to the second BSS simply by carrying out the simple procedure of transmitting whether or not it is possible to connect. As described above, the wireless communication device 10 can operate a wireless network with a high security level while minimizing the burden on the user.

Figure 2 is a block diagram showing the hardware configuration of the wireless communication device 10 according to the first embodiment.

The wireless communication device 10 has, as its main hardware components, a processor 100, a ROM 101 (Read Only Memory), a RAM 102 (Random Access Memory), and an interface unit 103 (IF; Interface). The processor 100, the ROM 101, the RAM 102, and the interface unit 103 are interconnected via a data bus or the like.

The processor 100 has a function as a calculation device that performs control processing and calculation processing. The processor 100 may be a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), an FPGA (Field-Programmable Gate Array), a DSP (Digital Signal Processor), or an ASIC (Application Specific Integrated Circuit), or a combination of these. The ROM 101 has a function for storing control programs and calculation programs executed by the processor 100. The RAM 102 has a function for temporarily storing processing data and the like. The interface unit 103 inputs and outputs signals with the outside via wired or wireless communication. The interface unit 103 also accepts data input operations by the user and displays information to the user. In this embodiment 1, the interface unit 103 has an antenna and performs wireless communication with the STA. The interface unit 103 also communicates with an external device wirelessly or via wired communication.

<Embodiment 2>
Next, a second embodiment of the present disclosure will be described with reference to FIGS.
3 is a configuration diagram of a wireless communication system to which a wireless communication device according to the second embodiment can be applied. The wireless communication system 1 shown in this figure is a computer system that allows an STA to access an external network 4 and enables communication between the STA and an external device on the external network 4. The external network 4 is, for example, the Internet. The wireless communication system 1 includes a plurality of STAs 2-1, 2-2, and 2-3, and an AP 10a as an example of a wireless communication device. Hereinafter, when there is no need to distinguish between the STAs 2-1, 2-2, and 2-3, they are simply referred to as STAs 2. Note that the number of STAs 2 is not limited to 3, and may be 2, or 4 or more.

STA2 is a mobile phone, a smartphone, a tablet terminal, a personal computer (PC), or other wireless communication terminal. STA2 wirelessly communicates with AP10a via EntryBSS5 or OpBSS6.

Here, OpBSS6 is a BSS used by STA2 to access external network 4 via AP10a, and is a so-called BSS for normal operation. OpBSS6 is basically the same as a BSS constructed with a general AP, but differs in that it has a function for filtering MAC addresses using a whitelist method, and performs authentication and encrypted communication using a password. OpBSS6 is newly constructed during the connection authentication process of STA2 at the time of setup (i.e., the first connection authentication process for AP10a). OpBSS6 corresponds to the second BSS in embodiment 1.

EntryBSS5 is also the BSS to which STA2 first belongs before belonging to OpBSS6. Therefore, the user recognizes EntryBSS5 as the entry point for starting the connection authentication process by AP10a. EntryBSS5 is basically the same as a BSS established by a general AP, but differs in that communication via EntryBSS5 is limited only to communication between STA2 and AP10a itself, and that it has a function for filtering MAC addresses using a blacklist method. EntryBSS5 is already established in the initial state (i.e., before the first connection authentication process). EntryBSS5 corresponds to the first BSS in embodiment 1.

In other words, STA2 communicates with AP10a via EntryBSS5 for connection authentication processing, and after the connection authentication processing is completed, it accesses the external network 4 via OpBSS6.

AP10a is a computer device that performs connection authentication processing for STA2 using EntryBSS5, and relays communication between STA2 and an external device on external network 4 using OpBSS6 only for STA2 for which connection authentication processing has been completed. AP10a has a first communication unit 11, a second communication unit 12, and a memory unit 13.

The first communication unit 11 communicates with the STA2 using the Entry BSS5. The first communication unit 11 includes a first attribution processing unit 14.

In response to a connection request from the unconnected STA2, the first belonging processing unit 14 makes the unconnected STA2 belong to the EntryBSS5 (belonging processing). At this time, the first belonging processing unit 14 uses the blacklist 18 of the EntryBSS5 described later to determine whether or not to make the requesting unconnected STA2 belong to the EntryBSS5. Note that a request for connection is used in the same sense as a request for belonging to the OpBSS6. Furthermore, if the connection of the requesting unconnected STA2 is permitted, the first belonging processing unit 14 releases the requesting unconnected STA2 from belonging to the EntryBSS5 (belonging release processing). On the other hand, if the connection of the requesting unconnected STA2 is not permitted, the first belonging processing unit 14 registers the unconnected STA2 in the blacklist 18 of the EntryBSS5.

The second communication unit 12 communicates with the STA2 using the OpBSS6, and also relays communication between the STA2 and the external network 4. The second communication unit 12 includes an inquiry unit 16, a second attribution processing unit 15, and a relay processing unit 17.

The interrogation unit 16 is connected to the OpBSS 6, and inquires of the connected STA 2 via the OpBSS 6 as to whether the requesting unconnected STA 2 can connect, and receives a response to the inquiry from the connected STA 2.

When the second belonging processing unit 15 receives a response from the connected STA2 permitting the connection of the unconnected STA2, it causes the unconnected STA2 to belong to the OpBSS6 (association processing). At this time, the second belonging processing unit 15 registers the unconnected STA2 permitted to connect in the whitelist 19 of the OpBSS6. This completes the connection authentication processing for the unconnected STA2.

In the second embodiment, the second attribution processing unit 15 constructs an OpBSS6 based on the identification information specified by the unconnected STA2 in response to a connection request from the unconnected STA2 in an initial state where there is no connected STA2 (i.e., in the initial connection authentication process). As an example, the identification information is the network name of the OpBSS6 to be constructed, but is not limited to this. The identification information may be simple and easy to remember for the user of the STA2 in the wireless communication system 1. When constructing an OpBSS6, it is necessary to set an SSID and a password to be used for connection authentication. Of these, the SSID may be a value generated based on the specified identification information (network name). Meanwhile, the password may be a character string generated randomly in consideration of the password strength.

Then, the second attribution processing unit 15 attributs the unconnected STA2 from the EntryBSS5 to the OpBSS6, completing the initial connection authentication process. Meanwhile, the inquiry unit 16 inquires of the connected STA2 whether or not to connect only when it receives the identification information specified when the OpBSS6 was constructed from the requesting unconnected STA2 in the second or subsequent connection authentication processes. This simplifies the connection authentication procedure for the user of the unconnected STA2, since connection authentication is completed simply by transmitting the identification information specified by the connected STA2 at the time of the connection request. Furthermore, the constructed OpBSS6 has new setting information generated based on the specified identification information. In other words, the setting information of the AP10a required to access the external network 4 is changed from the initial state and the operation is performed, improving the security level.

The relay processing unit 17 is connected to the external network 4, and when STA2 is registered in the whitelist 19 of OpBSS6, it relays communication between STA2 and an external device on the external network 4 (relay processing).

The storage unit 13 is a storage medium that stores information necessary for connection authentication processing and relay processing. The storage unit 13 stores a blacklist 18 for the EntryBSS 5 and a whitelist 19 for the OpBSS 6.

The blacklist 18 of the EntryBSS5 is a list of identification information (e.g., MAC addresses) of STA2 whose connection has been refused. The AP 10a uses a blacklist method for the EntryBSS5, and refuses to allow an unconnected STA2 whose connection has been refused once to belong to the EntryBSS5 again. This avoids the hassle of having to inquire of a connected STA2 about whether or not a connection can be made every time a connection is requested, and also prevents attacks such as intentionally inquiring of a connected STA2 multiple times. Note that the blacklist 18 of the EntryBSS5 may be empty at the time of initial shipment.

The whitelist 19 of OpBSS6 is a list of identification information (e.g. MAC addresses) of STA2 that is permitted to connect. AP 10a uses a whitelist method for OpBSS6. Therefore, even if an attacker is able to obtain the configuration information of OpBSS6, AP 10a can use the whitelist 19 to deny the attacker's connection. In addition, by excluding STA2 from the whitelist 19, AP 10a can prevent STA2 from accessing the external network 4, making it possible to deal with cases where it is necessary to restrict connections at a later stage.

Below, there are three patterns in which the connection authentication process occurs. That is, there is a first pattern in which the AP 10a authenticates the STA2 for the first time, a second pattern in which the AP 10a authenticates the STA2 for the second or subsequent time and allows the connection, and a third pattern in which the AP 10a authenticates the STA2 for the second or subsequent time and denies the connection. Note that the following will not include a general description of the wireless LAN process.

First, the first pattern of connection authentication processing will be described.
4 is a sequence diagram of the initial connection authentication process of the wireless communication system 1 according to the embodiment 2. In this diagram, a shaded portion means that the STA2 is currently associated with the corresponding BSS.

First, STA2-1 requests the first communication unit 11 of AP10a to belong to Entry BSS5 (step S10). In other words, STA2-1 requests connection to AP10a.

The first belonging processing unit 14 of the first communication unit 11 performs belonging processing for STA2-1 (step S11). As a result, STA2-1 belongs to EntryBSS5. A known technique may be used for the belonging processing. Also, EntryBSS5 may be set to open authentication (no authentication) in the initial state, or may be set to PSK (Pre-Shared Key) authentication. In the latter case, the first belonging processing unit 14 may perform belonging processing using WPS (Wi-Fi Protected Setup).

Next, the user of STA2-1 decides on a network name for the OpBSS 6 to be constructed, and inputs the network name into an input unit (not shown) of STA2-1 (step S12). For example, if STA2-1 is a smartphone, STA2-1 may display a screen prompting the user to input the network name and accept the input. However, the input method is not limited to this. Then, in response to accepting the input of the network name, STA2-1 transmits the network name to the first attribution processing unit 14 of the first communication unit 11 (step S13).

The AP 10a that has received the network name builds an OpBSS 6 based on the network name (step S14). Specifically, the first belonging processing unit 14 of the first communication unit 11 notifies the second belonging processing unit 15 of the second communication unit 12 of the received network name, and the second belonging processing unit 15 builds an OpBSS 6, but the construction method is not limited to this. Next, the second belonging processing unit 15 of the second communication unit 12 generates a whitelist 19 for the OpBSS 6 and registers the MAC address of STA2-1 in the whitelist 19 (step S15). Note that the MAC address of STA2-1 is written in a packet for general wireless LAN communication, so the AP 10a can obtain the MAC address information of STA2-1 by this step without being explicitly notified by STA2-1.

Then, the first association processing unit 14 of the first communication unit 11 transmits the setting information of OpBSS6, i.e., the SSID, encryption method, and password of OpBSS6, to STA2-1 via EntryBSS5 (step S16). Then, the first association processing unit 14 of the first communication unit 11 releases STA2-1 from association with EntryBSS5 (step S17), and then changes the setting information of EntryBSS5 based on the network name (step S18). Specifically, the first association processing unit 14 changes the SSID to a value generated using the network name, and changes the authentication method to open authentication (no authentication). This ensures that the setting information of EntryBSS5 is changed from its initial state, and open authentication improves usability.

On the other hand, STA2-1 transmits the setting information of OpBSS6 received in step S16 to the second communication unit 12. The second association processing unit 15 of the second communication unit 12 performs association processing using the whitelist 19 of OpBSS6, thereby allowing STA2-1 to associate with OpBSS6 (step S19).

Figure 5 is a sequence diagram of the second and subsequent connection authentication processes of the wireless communication system 1 according to the second embodiment. Figure 5 shows the second pattern of connection authentication processes. Note that Figure 5 shows the processes after the initial connection authentication process shown in Figure 4 is completed, so EntryBSS5 and OpBSS6 are both established and operating normally, and STA2-1 is a connected STA. In this diagram, STA2-2 is an unconnected STA.

First, STA2-2 requests the first communication unit 11 of AP10a to belong to Entry BSS5 (step S20). In other words, STA2-2 requests a connection to AP10a. At this time, STA2-2 also transmits information on the specified network name.

The first belonging processing unit 14 of the first communication unit 11 performs belonging processing for STA2-2 using the blacklist 18 of EntryBSS5 (step S21). Here, since EntryBSS5 is open authentication and STA2-2 is not registered in the blacklist 18, the belonging processing to EntryBSS5 is a simple process. As a result, STA2-2 belongs to EntryBSS5.

In response to STA2-2 becoming associated with EntryBSS5, the inquiry unit 16 of the second communication unit 12 notifies STA2-1, which belongs to OpBSS6, via OpBSS6 that the new STA2-2 has requested a connection, i.e., requested to belong to OpBSS6 (step S22). This notification can also be called an inquiry.

In response to receiving the inquiry, STA2-1 displays the contents of the inquiry and prompts the user to decide whether to allow or deny the connection of STA2-2. For example, if STA2-1 is a smartphone, a button showing options may be displayed on the display unit along with a message to prompt the user to make a selection. However, the method of displaying the inquiry and the method of input by the user are not limited to this. Then, in response to the inquiry, STA2-1 responds by deciding whether to allow or deny the connection of STA2-2. In this example, the user of STA2-1 inputs that he/she wants to allow the connection of STA2-2 (step S23), and STA2-1 transmits the connection permission information to the inquiry unit 16 of the second communication unit 12 (step S24).

In response to receiving connection permission information from STA2-1, the inquiry unit 16 of the second communication unit 12 notifies the second belonging processing unit 15 and the first belonging processing unit 14 of the first communication unit 11 accordingly.

Then, the first belonging processing unit 14 of the second communication unit 12 registers the MAC address of STA2-2 in the whitelist 19 of OpBSS6, and updates the whitelist 19 (step S25).

The first association processing unit 14 of the first communication unit 11 also transmits the setting information of OpBSS6 to STA2-2 via EntryBSS5 (step S26), and releases STA2-2 from associating with EntryBSS5 (step S27).

In this way, STA2-2 is able to obtain the configuration information for OpBSS6, and can then use that configuration information to belong to OpBSS6 (step S28).

Fig. 6 is a sequence diagram of the second and subsequent connection authentication processes of the wireless communication system 1 according to the second embodiment. Fig. 6 shows the third pattern of connection authentication process, that is, the operation when the user of STA2-1, which is a connected STA, rejects the connection of STA2-2, which is an unconnected STA. Note that steps S20 to S22 shown in Fig. 6 are similar to steps S20 to S22 shown in Fig. 5, and therefore a description thereof will be omitted.

In response to the content of the inquiry displayed by STA2-1, the user of STA2-1 inputs a refusal to connect to STA2-2 (step S30) and transmits the connection refusal information to the inquiry unit 16 of the second communication unit 12 (step S31).

In response to receiving connection refusal information from STA2-1, the inquiry unit 16 of the second communication unit 12 notifies the second attribution processing unit 15 and the first attribution processing unit 14 of the first communication unit 11 of that fact.

The first belonging processing unit 14 of the first communication unit 11 registers the MAC address of STA2-2 in the blacklist 18 of EntryBSS5 to update the blacklist 18 (step S32). Then, the first belonging processing unit 14 of the first communication unit 11 releases STA2-2 from belonging to EntryBSS5 (step S33).

Since STA2-2 has not acquired the setting information of OpBSS6, it cannot belong to OpBSS6. Furthermore, since EntryBSS5 uses open authentication, STA2-2 can try to belong again (step S34), but since STA2-2 is registered on the blacklist 18, it cannot belong to EntryBSS5 either (step S35).

Below, examples 1 to 3 are described as examples of embodiment 2.

Figure 7 is a schematic diagram of a wireless communication system according to the first to third examples of the second embodiment. The first to third examples are examples in which an AP 10a is newly introduced in a certain household, a house A. As shown in Figure 7, in the house A, as an example of STA2, there are smartphones (hereinafter, sometimes referred to as smartphones) 200, 201 used by the parents and children who are members of the household, and a smartphone 202 used by a friend who visits the house A as a guest. It is assumed that the radio waves of the AP 10a reach the inside of the house A. It is assumed that the PC 203 used by the attacker is outside the house A, but in an area where the radio waves of the AP 10a reach. It is assumed that the MAC addresses of the parent's smartphone 200, the child's smartphone 201, the friend's smartphone 202, and the attacker's PC 203 are "AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB:BB", "CC:CC:CC:CC:CC:CC:CC", and "XX:XX:XX:XX:XX:XX", respectively.

First, we will explain the first example in which the parent smartphone 200 performs connection authentication, and then the child smartphone 201 performs connection authentication. In the first example, the AP 10a in the initial state first starts the connection authentication process for the parent smartphone 200.

Figure 8 is a diagram showing the internal state I_1 of AP 10a according to the first example of embodiment 2. As shown in Figure 8, in the initial state, EntryBSS5 is activated. The SSID of EntryBSS5 is "DEF_SSID", the encryption method is "WPA3 OWE", the authentication method is "open", there is no password, and the stealth function is disabled. Furthermore, nothing is registered in the blacklist 18 of EntryBSS5. And OpBSS6 is not activated.

Note that WPA3 OWE is a standard that encrypts communication while using open authentication. Therefore, the content of communication between EntryBSS5 and STA2 cannot be intercepted. The stealth function prevents SSID information from being included in the beacon packets that AP10a constantly sends. When this function is enabled, SSID information is no longer displayed in the list of APs around STA2 that is displayed on STA2.

The connection authentication process of the parent's smartphone 200 in the first example will be described below using Figs. 9 to 11 with reference to Fig. 4. Fig. 9 is a diagram showing an example of the display of the parent's smartphone 200 in the first example of embodiment 2. Figs. 10 to 11 are diagrams showing the internal states I_2 and I_3 of the AP 10a in the first example of embodiment 2.

In this process, the parent's smartphone 200 corresponds to STA2-1 shown in FIG. 4. First, the parent's smartphone 200 belongs to EntryBSS5 (steps S10-11 in FIG. 4). Here, EntryBSS5 is open authentication. Therefore, for example, the parent, who is the user of smartphone 200, can associate smartphone 200 with EntryBSS5 by simply tapping the area on the screen of smartphone 200 where "DEF_SSID" is displayed, without having to enter a password, which is troublesome.

When the parent smartphone 200 belongs to EntryBSS5, it displays the screen shown in FIG. 9 and prompts the user to input a network name. For example, the user inputs "A-home" as the network name. When the user inputs the network name, the parent smartphone 200 transmits the information to AP 10a (steps S12-13 in FIG. 4).

After receiving the network name, AP 10a constructs OpBSS6 as shown in FIG. 10 (OpBSS Status: UP). That is, AP 10a performs the following settings for OpBSS6. First, AP 10a sets the SSID of OpBSS6 to "A-home (op)". Here, it is preferable that AP 10a does not use the network name entered by the user as the SSID of OpBSS6 as it is. This is because the network name is later used as the SSID of EntryBSS5. It is also preferable that the encryption method of OpBSS6 is a strong method. In this example, WPA3-Personal is used as the encryption method of OpBSS6. And, a method that requires a password is set as the authentication method of OpBSS6. In this example, SAE (Simultaneous Authentication of Equals) is used as the authentication method of OpBSS6. It is preferable to automatically generate and set a sufficiently strong random character string for the password. In this example, a simple character string is used to simplify the explanation, but in reality, it is preferable to set the longest character string allowed by the authentication method. It is preferable to enable the stealth function of OpBSS6. This will hide the SSID of OpBSS6 on the terminal and only display the SSID of EntryBSS5, preventing user confusion.

Then, AP 10a registers the MAC address of parent smartphone 200, "AA:AA:AA:AA:AA:AA", in whitelist 19 of OpBSS 6 and starts OpBSS 6 (steps S14-15 in FIG. 4). When construction of OpBSS 6 is completed, AP 10a transmits to parent smartphone 200 configuration information required for belonging to OpBSS 6, namely, SSID, encryption method, authentication method, and password information (step S16 in FIG. 4). In addition, in response to the successful transmission of OpBSS 6 information, AP 10a disassociates parent smartphone 200 from EntryBSS 5 (step S17 in FIG. 4).

Then, AP 10a changes the setting information of EntryBSS5 to the setting information shown in FIG. 11 (step S18 in FIG. 4). For example, AP 10a sets the SSID to "A-home", the encryption method to "WPA3 OWE", the authentication method to "open", the password to "none", and the stealth function to remain disabled. In this way, EntryBSS5 can have the network name entered by the user as the SSID. Note that EntryBSS5 with the changed setting information is used as the entry point for the connection authentication process when the second or subsequent STA2 authenticates the connection. Note that the parent smartphone 200 that received the setting information of OpBSS6 has a profile of OpBSS6 created inside it and is also registered in the whitelist 19 of OpBSS6, so that it is associated with OpBSS6 without any user operation (step S19 in FIG. 4).

Next, the connection authentication process of the child's smartphone 201 in the first example will be described using Figs. 12 and 13 with reference to Fig. 5. Fig. 12 is a diagram showing an example of the display of the parent's smartphone 200 in the first example of embodiment 2. Fig. 13 is a diagram showing the internal state I_4 of the AP 10a in the first example of embodiment 2.

In this process, parent smartphone 200 and child smartphone 201 correspond to STA2-1 and STA2-2, respectively, shown in FIG. 5. First, child smartphone 201 belongs to EntryBSS5 (steps S20-21 in FIG. 5). The various setting information of EntryBSS5 is as shown in FIG. 11 above. Therefore, for example, as long as the parent communicates the network name to the child, the child can associate smartphone 201 with EntryBSS5 simply by tapping the area displaying the network name "A-home" from the list of surrounding APs that appears on the screen of smartphone 201.

When the child smartphone 201 belongs to the EntryBSS5, the AP 10a notifies the parent smartphone 200 via the OpBSS6 that a new unconnected STA2 (i.e., the child smartphone 201) is requesting to belong to the OpBSS6, and makes an inquiry accordingly (step S22 in FIG. 5). The parent smartphone 200 then displays the message shown in FIG. 12 on the screen, prompting the user to decide whether or not to allow it. The parent recognizes that the terminal requesting a new association with the OpBSS6 is the child smartphone 201, and allows it. When the allow button is tapped, the parent smartphone 200 transmits to the AP 10a that it has been allowed (steps S23-24 in FIG. 5). The AP 10a then adds the MAC address of the child smartphone 201 to the whitelist 19 of the OpBSS6, as shown in FIG. 13 (step S25 in FIG. 5). AP10a then sends configuration information for OpBSS6 to child smartphone 201, and releases child smartphone 201 from belonging to EntryBSS5 (steps S26-27 in FIG. 5). As a result, a profile for OpBSS6 is created inside child smartphone 201, and child smartphone 201 belongs to OpBSS6 without any user operation (step S28 in FIG. 5).

However, since radio waves can penetrate walls, STA2 outside A's house can also attempt to communicate with AP10a. Here, we will use Figures 14 and 15 to explain a second example in which an attacker outside A's house uses PC203 to illegally attempt to access A's network.

Figure 14 is a sequence diagram of the second and subsequent connection authentication processes of the wireless communication system 1 according to the second example of embodiment 2. Figure 15 is a diagram showing the internal state I_5 of the AP 10a according to the second example of embodiment 2.

First, similar to the connection authentication process for the child's smartphone 201 described above, the attacker's PC 203 belongs to EntryBSS5 (steps S40 to S41). Note that since EntryBSS5 is a BSS that is limited to communication only between AP10a and STA2, even if the attacker's PC 203 belongs to EntryBSS5, there is no impact on the network of A's house.

Next, AP10a queries the connected STA2, i.e., the parent smartphone 200 and the child smartphone 201 (step S42).

Then, a screen similar to that shown in FIG. 12 is displayed on each of the parent's smartphone 200 and the child's smartphone 201. Here, it is assumed that the parent determines that the request is for affiliation of an unintended device and taps the "Do not allow" button (step S43). As a result, the parent's smartphone 200 sends a message to the AP 10a that the connection has been rejected (step S44).

Then, as shown in FIG. 15, AP 10a adds the MAC address of the attacker's PC 203 to the blacklist 18 of EntryBSS 5 (step S45). Then, AP 10a releases the attribution of the attacker's PC 203 to EntryBSS 5 (step S46). As a result, the attributable PC 203 to OpBSS 6 cannot be obtained, and therefore cannot be attributed to OpBSS 6. Even if the attributable PC 203 attempts connection authentication to EntryBSS 5 again (step S47), it cannot even be attributed to EntryBSS 5 because it is registered in the blacklist 18 (step S48). Furthermore, even if the attributable PC 203 is able to obtain the attributable information of OpBSS 6 by some means, it still cannot be attributed to OpBSS 6 because it is not registered in the whitelist 19 of OpBSS 6 (steps S49-50).

Finally, a third example of connection authentication for a friend's smartphone 202 visiting A's house as a guest will be described with reference to Figures 16 to 18. In this example, we consider a case in which the friend's smartphone 202 initially receives connection permission from the child and belongs to OpBSS6, but then the parent rejects the connection, making it unable to belong to OpBSS6.

Figure 16 is a sequence diagram of the second and subsequent connection authentication processes of the wireless communication system 1 according to the third example of embodiment 2. Figures 17 and 18 are diagrams showing internal states I_6 and I_7 of the AP 10a according to the third example of embodiment 2.

First, the operation (steps S60 to S68) until the friend's smartphone 202 is permitted by the child and belongs to OpBSS6 is the same as that in the first example when the child's smartphone 201 is permitted by the parent to belong to OpBSS6 (steps S20 to S28 in FIG. 5). However, the inquiry shown in step S62 is sent to the parent's smartphone 200 and the child's smartphone 201, which are already connected. Then, in steps S63 to S64, only the child first permits the connection, and the parent does not reject or permit it. In this way, if any connected STA2 permits the connection, the unconnected STA2 that made the request can belong to OpBSS6. FIG. 17 shows the internal state I_6 of AP 10a at the time of step S68, and the MAC address of the friend's smartphone 202 is registered in the whitelist 19 of OpBSS6.

Suppose that the friend's smartphone 202 once belonged to OpBSS6, but then the parent noticed the inquiry and rejected the connection (steps S69-70). Here, even if the target STA2 (i.e., the friend's smartphone 202) was permitted to connect by other connected STA2, if any connected STA2 rejects the connection, the rejection of the connection may be prioritized. In this case, the second belonging processing unit 15 of the second communication unit 12 of AP10a deletes the MAC address of the friend's smartphone 202 registered in the whitelist 19 of OpBSS6 (step S71). Then, the first belonging processing unit 14 of the first communication unit 11 of AP10a adds the MAC address of the friend's smartphone 202 to the blacklist 18 of EntryBSS5 (step S72). FIG. 18 shows the internal state I_7 of AP10a at the time of step S72. Then, the second belonging processing unit 15 of the second communication unit 12 of the AP 10a releases the belonging of the friend's smartphone 202 to the OpBSS 6 (step S73). As a result, the friend's smartphone 202 is disconnected from the network of A's house and cannot be connected thereafter.

As described above, according to the wireless communication system 1 of the second embodiment, the unconnected STA2 cannot belong to the OpBSS6 unless the connected STA2 gives permission. Furthermore, the setting information of the BSS used by the AP10a is operated in a state changed from the initial state and includes a complex and strong password, improving the security level. Furthermore, this password is generated automatically, so the user of the STA2 does not need to create a new password, so the user of the STA2 does not need to be concerned about the password.

And according to the wireless communication system 1, when authenticating the connection of a second or subsequent STA2, the user of that STA2 simply selects EntryBSS5, which does not require authentication, on the terminal. Then, the user of the connected STA2 simply responds with permission to the notification (inquiry) that is automatically received from AP10a. Therefore, the wireless communication system 1 can be said to be a user-friendly system.

<Embodiment 3>
Next, a third embodiment of the present disclosure will be described with reference to Figures 19 to 21. The third embodiment is characterized in that the AP uses a third BSS (GuestBSS7) to allow the STA2 of a temporary user to access the external network 4. The GuestBSS7 is a BSS positioned similarly to the OpBSS6. However, while the OpBSS6 allows access to other terminals in the home LAN, the GuestBSS7 may have a characteristic that access to other terminals is prohibited and only access to the Internet is permitted. The GuestBSS7 may be used in cases where it is desired to provide a wireless LAN for guests but to deny access to other terminals in the home LAN.

Figure 19 is a configuration diagram of a wireless communication system 1b according to embodiment 3. Wireless communication system 1b has basically the same configuration and functions as wireless communication system 1, but differs in that it includes AP 10b instead of AP 10a.

AP 10b differs from AP 10a in that it further includes a second communication unit 12b instead of the second communication unit 12, a third communication unit 20, and a memory unit 13b instead of the memory unit 13.

The second communication unit 12b differs from the second communication unit 12 in that it includes an interrogation unit 16b instead of the interrogation unit 16.

The interrogation unit 16b is connected to OpBSS6 and inquires of the connected STA2 belonging to OpBSS6 whether the requesting unconnected STA2 can connect via OpBSS6. On the other hand, the interrogation unit 16 does not inquire of the connected STA2 belonging to GuestBSS7 whether it can connect. By not giving the connected STA2 belonging to GuestBSS7 the authority to decide whether to connect, security can be further improved.

The third communication unit 20 communicates with the STA2 using the GuestBSS7, and also relays communication between the STA2 and the external network 4. The third communication unit 20 includes a third belonging processing unit 21 and a relay processing unit 22.

When the connected STA2 allows the requesting unconnected STA2 to connect to GuestBSS7 in response to an inquiry from the inquiry unit 16 as to whether or not the connection is possible, the third belonging processing unit 21 changes the belonging destination of the requesting unconnected STA2 from EntryBSS5 to GuestBSS7 and completes the connection authentication. Then, the requesting unconnected STA2 becomes a connected STA2 that belongs to GuestBSS7.

The relay processing unit 22 is connected to the external network 4, and when STA2 is registered in the whitelist 23 of the Guest BSS 7, it relays communication between STA2 and an external device on the external network 4 (relay processing).

The memory unit 13b stores the blacklist 18 of the EntryBSS 5, the whitelist 19 of the OpBSS 6, and the whitelist 23 of the GuestBSS 7.

Next, the second and subsequent connection authentication processes for wireless communication system 1b to which GuestBSS7 has been added will be described with reference to Figures 20 and 21.

Fig. 20 is a sequence diagram of the second or subsequent connection authentication process of the wireless communication system 1b according to the third embodiment. Fig. 21 is a diagram showing an example of the display of the parent smartphone 200 according to the third embodiment. For convenience, an example will be described in which the parent smartphone 200 has already belonged to OpBSS6, the friend's smartphone 202 is first made to belong to GuestBSS7, and then the child's smartphone 201 is made to belong to OpBSS6.

First, the friend's smartphone 202 belongs to Entry BSS 5 (steps S80 to S81).
Next, the inquiry unit 16b of the second communication unit 12b of the AP 10b inquires only of the connected STA belonging to the OpBSS 6 (in this case, the parent smartphone 200) about whether or not the connection is possible (step S82). This is because the GuestBSS 7 is a BSS for temporary users, and it is inappropriate for the temporary user to judge whether or not the new STA 2 can connect.

Then, the parent's smartphone 200 displays the screen shown in FIG. 21. In addition to the option of whether to allow the connection, this screen displays the option of allowing the connection as a guest, and prompts the user to select from the three options. In this example, the parent allows the friend's smartphone 202 as a guest (steps S84 to 85). In response to the inquiry unit 16 receiving information of permission to connect as a guest from the parent's smartphone 200, the third belonging processing unit 21 of the third communication unit 20 adds the MAC address of the friend's smartphone 202 to the whitelist 23 of the GuestBSS 7 (step S86). Then, the first belonging processing unit 14 of the first communication unit 11 transmits the setting information of the GuestBSS 7 to the friend's smartphone 202 via the EntryBSS 5 (step S87). The processing shown in steps S88 to 89 is the same as the case of belonging to the OpBSS 6 in the third example of embodiment 2 (steps S67 to 68 in FIG. 16), and therefore will not be described.

Now, the friend's smartphone 202 can belong to GuestBSS7. Next, in order to associate the child smartphone 201 with OpBSS6, the wireless communication system 1b performs the processing shown in steps S90 to 98. The processing shown in steps S90 to 98 is similar to the processing in steps S20 to 28 in FIG. 5 of embodiment 2. It should be noted that, as before, a notification (inquiry) indicating an association request of the new STA (in this case, the child smartphone 201) is only sent to connected STAs belonging to OpBSS6. In other words, the notification is only sent to the parent smartphone 200, and not to the friend's smartphone 202 belonging to GuestBSS7.

As described above, by adjusting the notification destination, i.e., the inquiry destination, and the options the user can select in response to the inquiry, AP10b can operate multiple operational BSSs equivalent to OpBSS6.

In the above embodiment, the present disclosure has been described as a hardware configuration, but the present disclosure is not limited to this. The present disclosure can also be realized by having a processor execute a computer program, for example a wireless communication program, to perform various processes related to the wireless communication method.

In the above example, the program can be stored and supplied to the computer using various types of non-transitory computer readable media. The non-transitory computer readable media includes various types of tangible storage media. Examples of the non-transitory computer readable media include magnetic recording media (e.g., flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (e.g., magneto-optical disks), CD-ROMs (Read Only Memory), CD-Rs, CD-R/Ws, and semiconductor memories (e.g., mask ROMs, PROMs (Programmable ROMs), EPROMs (Erasable PROMs), flash ROMs, and RAMs (Random Access Memory)). The program may also be supplied to the computer by various types of transitory computer readable media. Examples of the transitory computer readable media include electrical signals, optical signals, and electromagnetic waves. The transitory computer readable media can supply the program to the computer via wired communication paths such as electric wires and optical fibers, or wireless communication paths.

In the above-described embodiment, the computer is configured as a computer system including a personal computer, a word processor, etc. However, the computer is not limited to this, and can also be configured as a server of a LAN (local area network), a host for computer (personal computer) communication, a computer system connected to the Internet, etc. It is also possible to distribute functions to each device on the network and configure a computer as a whole network.

The present invention is not limited to the above embodiment, and can be modified as appropriate without departing from the spirit and scope of the invention.

1, 1b Wireless communication system 2 Wireless slave station (STA)
4 External network 5 Entry BSS
6. OpBSS
7 GuestBSS
10 Wireless communication device (access point device, AP)
10a, 10b AP
REFERENCE SIGNS LIST 11 First communication unit 12, 12b Second communication unit 13, 13b Storage unit 14 First belonging processing unit 15 Second belonging processing unit 16, 16b Inquiry unit 17 Relay processing unit 18 EntryBSS blacklist 19 OpBSS whitelist 20 Third communication unit 21 Third belonging processing unit 22 Relay processing unit 23 GuestBSS whitelist 100 Processor 101 ROM
102 RAM
103 Interface unit (IF)
200 Parent's smartphone
201 Child's smartphone
202 Friend's smartphone
203 Attacker's PC

Claims (4)

A wireless communication device that communicates with wireless slave devices using multiple BSSs (Basic Service Sets),
a first association processing unit that, in response to a connection request from an unconnected slave device that is a wireless slave device for which connection authentication has not been completed, causes the unconnected slave device to associate with a first BSS;
an inquiry unit that inquires of a first connected slave device and a second connected slave device, which are wireless slave devices belonging to a second BSS and for which connection authentication has been completed, whether or not the unconnected slave device that is a request source can be connected via the second BSS;
a second association processing unit that, if the first connected child device permits the connection, changes the association destination of the unconnected child device that originated the connection from the first BSS to the second BSS to complete connection authentication, and, if the second connected child device rejects the connection after completion of connection authentication, cancels the association of the unconnected child device that originated the connection to the second BSS. A wireless communication device that communicates with wireless slave devices using multiple BSSs (Basic Service Sets),
a first association processing unit that, in response to a connection request from an unconnected slave device that is a wireless slave device for which connection authentication has not been completed, causes the unconnected slave device to associate with a first BSS;
an inquiry unit that inquires of a first connected slave device and a second connected slave device, which are wireless slave devices belonging to a second BSS and for which connection authentication has been completed, about whether or not the unconnected slave device that is a request source can be connected via the second BSS;
a second association processing unit that, if the first connected handset permits the connection, changes the association destination of the unconnected handset that originated the connection from the first BSS to the second BSS to complete connection authentication, and, if the second connected handset rejects the connection after completion of connection authentication, cancels the association of the unconnected handset that originated the connection to the second BSS. A wireless communication method for a wireless communication device that communicates with a wireless slave device using a plurality of BSSs (Basic Service Sets), comprising:
In response to a connection request from an unconnected wireless terminal for which connection authentication has not been completed, the unconnected wireless terminal is caused to belong to a first BSS;
inquiring, via the second BSS, of a first connected slave device and a second connected slave device which belong to a second BSS and have completed connection authentication, as to whether or not the unconnected slave device which is the request source can be connected;
When the first connected handset permits the connection, the requesting unconnected handset changes its destination from the first BSS to the second BSS to complete connection authentication, and when the second connected handset rejects the connection after completing the connection authentication, the requesting unconnected handset cancels its destination from the second BSS. A wireless communication program to be executed by a wireless communication device that communicates with a wireless slave device using a plurality of BSSs (Basic Service Sets),
In response to a connection request from an unconnected wireless terminal for which connection authentication has not been completed, the unconnected wireless terminal is caused to belong to a first BSS;
inquiring, via the second BSS, of a first connected slave device and a second connected slave device which belong to a second BSS and have completed connection authentication, as to whether or not the unconnected slave device which is the request source can be connected;
A wireless communication program for causing the wireless communication device to execute a process of changing the destination of the requesting unconnected handset from the first BSS to the second BSS to complete connection authentication if the first connected handset permits the connection, and releasing the requesting unconnected handset from belonging to the second BSS if the second connected handset rejects the connection after completing the connection authentication.

Images