JP2006352503A - Communication system and its method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an improved communication system capable of collectively managing transmission nodes of a plurality of different systems. <P>SOLUTION: An idle port 300 is registered for a 802.1x terminal. A terminal management server 5 releases security for a port of a registration destination switch device 3 and a new MAC terminal 202. When the new MAC terminal 202 initiates network connection, the terminal information is notified to the terminal management server 5, and a port 300 where the MAC terminal 202 is connected is established to use for the MAC terminal, and further a MAC address of the terminal is registered. When the switch device 3 notifies the MAC terminal 202 of registration to an FDB326, the terminal becomes transmission enable. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a communication system and method for performing communication between a plurality of types of communication means.

For example, Non-Patent Documents 1 and 2 disclose MAC (Media Access Control) addresses.
The MAC address is individually assigned to each communication node that performs communication via a network, such as a computer and a printer.
According to MAC filtering authentication used in a communication system, when a certain MAC address is registered in a port of a switch device that performs filtering using the MAC address, this port is a communication node to which the registered MAC address is attached. Can only be used for communication.

Further, for example, Non-Patent Document 3 discloses IEEE 802.1x.
According to the 802.1x authentication, the 802.1x authentication is valid for the port of the switch device, and as long as the authentication using the certificate is performed, the communication node conforming to IEEE802.1x connected to this port Communication via the network is possible.

In a communication system, communication is possible only with a communication node that conforms to IEEE802.1x (hereinafter also referred to as "802.1x terminal") and a MAC address that is not compliant with IEEE802.1x and is registered to a port. Communication nodes (hereinafter also referred to as “MAC terminals”).
In such a communication system, it is desirable that an 802.1x terminal and a MAC terminal can be managed collectively.
http://standards.ieee.org/regauth/llc/index.html http://www.tech-encyclopedia.com/term/mac_address_(media_access_control_address)?c=1554038471 http://grouper.ieee.org/groups/802/1/pages/802.1x.html

  The present invention has been made from the background described above, and it is an object of the present invention to provide an improved communication system and method for managing a plurality of communication nodes collectively. .

  In order to achieve the above object, a communication system according to the present invention includes a port used for connection to a network, and a first method for registering the port and performing communication via the network. First communication means; second communication means of a second method other than the first method; first port setting means for setting all of the ports to ports of the second method; When the first communication means is connected to the port set as the second method port, the port to which the first communication means is connected is set as the first method port. Second port setting means and registration means for registering the first communication means in a port to which the first communication means is connected.

  Preferably, in the first method, only the first communication means registered for the port allows communication via the network.

  Preferably, an individual address is set in the first communication means, and the first method is used only for the first communication means in which an address is registered for the port via the network. Allow communication.

  Preferably, the address is a MAC address.

  Preferably, the second method further includes an authentication unit that allows communication via the network and performs authentication for the second communication unit when the second communication unit is authenticated.

  Preferably, the authentication unit performs the authentication using a certificate issued to the second communication unit.

  Preferably, the second method conforms to the IEEE 802.1x standard.

  Preferably, individual identification information is set in each of the second communication means, and the certificate is issued only once for the second communication means to which specific identification information is attached. And a document issuing means.

  Preferably, the first communication means further includes a third communication means to which the first communication means is connected, and the registration means is connected to the port to which the third communication means is connected. 3 communication means and the first communication means connected to the third communication means are registered.

  Preferably, the third communication means is an IP telephone.

  Preferably, the apparatus further includes security setting means for setting security for the first communication means.

  Preferably, the first communication unit accesses the second port setting unit when security is released, and the registration unit stores the accessed communication note of the first method, The communication setting unit registers the port to which the communication unit is connected, and the security setting unit cancels the security of the first communication unit and the port prior to the registration of the second communication unit with respect to the port. When registration of the two communication means for the port is performed, security is set for the first communication means and the port.

  Preferably, the apparatus further includes registration revocation means for revoking registration for the port of the first communication means that has not performed communication for a predetermined period.

  Preferably, the registration unit registers the first communication unit for which the registration has expired in response to a request with respect to the port to which the first communication unit is connected.

  Preferably, the communication apparatus further includes a communication prohibiting unit that prohibits communication of the second communication unit that has not performed communication for a predetermined period.

  Preferably, it further has a communication banning means for banning the communication of the second communication means forbidden to communicate upon request.

  Preferably, the second method allows the communication via the network when the second communication means is authenticated, and prevents the communication from being performed for a predetermined period. It further has an authentication cancellation means for canceling the authentication.

  Preferably, it further includes a totaling unit that totalizes which of the first communication unit and the second communication unit is connected to each of the ports, and the second port setting unit is configured according to the totalization. The port is set to a port of the first system, and the first port setting means sets a port other than the port set to the first system to the port of the second system.

  The communication device according to the present invention is preferably registered with a port used for connection to a network and first communication means of a first method for performing communication via the network. , A communication control device for controlling communication with a second communication means of a second method other than the first method, wherein all of the ports are set to ports of the second method When the first communication means is connected to a port setting means and a port set as the port of the second method, the port to which the first communication means is connected is designated as the first method. Second port setting means for setting the first communication means, and registration means for registering the first communication means in the port to which the first communication means is connected.

  In addition, a communication method according to the present invention includes a port used for connection to a network, and a first communication means of a first method registered for the port and performing communication through the network. A communication method in a communication system including a second communication means of a second method other than the first method, wherein all of the ports are set as ports of the second method, and the second When the first communication means is connected to the port set as the port of the first method, the port connected to the first communication means is set as the port of the first method, and the first The first communication means is registered in the port to which the first communication means is connected.

  Further, a program according to the present invention includes a port used for connection to a network, a first communication means registered in the port and performing communication via the network, A communication program in a communication system including a second communication means of a second method other than the first method, wherein all of the ports are set as ports of the second method; Setting the port connected to the first communication means to the port of the first method when the first communication means is connected to the port set to the port of the second method; And causing the computer to execute the step of registering the first communication means in the port to which the first communication means is connected.

  ADVANTAGE OF THE INVENTION According to this invention, the communication system improved so that the communication node of several systems can be managed collectively and its method are provided.

  Embodiments of the present invention will be described below.

[Communication system 1]
FIG. 1 is a diagram illustrating a communication system 1 to which a communication method according to the present invention is applied.
As shown in FIG. 1, the communication system 1 includes an administrator terminal 110, a RADIUS (Remote Authentication Dial In User Service) server 112, a PKI (Public Key Infrastructure) system 7, terminal systems 2-1 to 2-n, and terminal management. The server 5 is configured to be connected via a network 100 such as a LAN or a WAN.
The PKI system 7 includes a certificate issuing server 70 and a CA (Certificate Authority) server 78.
Here, any two or more of the administrator terminal 110, the RADIUS server 112, the CA server 78, the terminal management server 5, and the certificate issuing server 70 can be appropriately configured integrally.

In addition, although n shows an integer greater than or equal to 1, below, not all n show the same number.
Further, when any of a plurality of possible components such as “terminal systems 2-1 to 2-n” is indicated without being specified, it may be simply referred to as “terminal system 2”.
In addition, components such as the RADIUS server 112 that can be the subject of information communication and information processing in the communication system 1 may be referred to as “communication nodes” hereinafter.
In the following drawings, substantially the same components are denoted by the same reference numerals.

Each of the terminal systems 2 includes a switch device 3 having ports 300-1 to 300-n, 802.1x terminals 200-1 to 200-n and MAC terminals 202-1 to 202-n connected to the port 300 (special notes Unless otherwise specified, IP telephone terminals 204-1 to 204-n are included) and 802.1x terminal 200 or MAC terminal 202 connected to the IP telephone terminal.
Hereinafter, unless otherwise specified, a case where the MAC terminal 202 is connected to the IP telephone terminal 204 is a specific example.
Further, the 802.1x terminal 200 and the MAC terminal 202 may be collectively referred to as terminals, and terminal names are set for these terminals.

In the communication system 1, in addition to communication between communication nodes, the following processing is performed by these components.
(1) Processing for managing the type of terminal connected to each port 300;
(2) Processing for moving a terminal between ports 300,
(3) Processing for managing terminals that have not been used for a long time, and
(4) Processing for issuing a certificate used for authentication of the 802.1x terminal 200.

[Hardware]
2 shows the hardware of the administrator terminal 110, the RADIUS server 112, the CA server 78, the 802.1x terminal 200, the MAC terminal 202, the IP telephone terminal 204, the terminal management server 5 and the certificate issuing server 70 shown in FIG. It is a figure which shows a structure.
As shown in FIG. 2, these communication nodes communicate with other nodes via a main body 120 including a CPU 122 and a memory 124, an input / output device 126 including a keyboard and a display device, and the network 100. A network interface (IF) 128 and a recording device 130 such as a CD device and an HD device for writing and reading data to and from the recording medium 132 are configured.

That is, these communication nodes have components as computers that can communicate with other nodes.
In the IP telephone terminal 204, a microphone and a speaker (not shown) necessary for realizing the function as an IP telephone are further added to the input / output device 126. A connector or the like (not shown) required for connection to the terminal is further added.

FIG. 3 is a diagram illustrating a hardware configuration of the switch device 3 illustrated in FIG. 1.
As shown in FIG. 3, the switch device 3 includes ports 300-1 to 300-n, a control circuit 310 including a CPU 122 and a memory 124 (not shown), a network IF 128, and a network IF 128 and a port 300. And a switch 302 for exchanging data.
That is, the switch device 3 has a component as a switching hub.

[Communication node of communication system 1]
Hereinafter, each communication node of the communication system 1 illustrated in FIG. 1 will be described.

[Administrator terminal 110]
The administrator terminal 110 receives data indicating the status of the RADIUS server 112, the CA server 78, the switch device 3 of the terminal system 2, the terminal management server 5, and the certificate issuing server 70 of the communication system 1 as the administrator of the communication system 1. Is displayed.
Further, the administrator terminal 110 accepts operations for maintenance and management of these communication nodes from the administrator of the communication system 1, and transmits the accepted operations to these communication nodes.

[RADIUS server 112]
In response to a request from the 802.1x terminal 200, the RADIUS server 112 uses the certificate issued by the certificate issuing server 70 in accordance with the RADIUS (Remote Authentication Dial In User Service) protocol. Authenticate.
In the communication system 1, only the 802.1x terminal 200 authenticated by the RADIUS server 112 is allowed to communicate with other communication nodes via the network 100.

[Terminal system 2]
The 802.1x terminal 200 of the terminal system 2 performs authentication based on IEEE802.1x in the communication system 1 and performs communication with other nodes.
FIG. 4 is a diagram showing a configuration of the 802.1x compatible software 22 executed in the 802.1x terminal 200 of the terminal system 2 shown in FIG.
As shown in FIG. 4, the 802.1x-compatible software 22 includes a registry 222 and the like, and includes an operating system (OS) 220 having a communication function, a network connection unit 224, an 802.1x authentication unit 226, and a certificate installer 228. Composed.
The 802.1x-compatible software 22 is supplied to the 802.1x terminal 200 via the recording medium 132 or the like except for the certificate installer 228 supplied from the certificate issuing server 70 via the network 100, and the memory 124 (FIG. 2) and executed by specifically using the hardware of the 802.1x terminal 200 by the function of the OS 220, and each component other than the OS 220 can be appropriately realized as a part of the function of the OS 220 ( Same for each program below).

The network connection unit 224 of the 802.1x compatible software 22 performs processing for connection to another node via the switch device 3.
The 802.1x authentication unit 226 authenticates the RADIUS server 112 (FIG. 1) using the certificate installed in the 802.1x compatible software 22 by the certificate installer 228.

The certificate installer 228 includes a certificate issued to the 802.1x terminal 200 on which the 802.1x compatible software 22 is operating, a key for decrypting the encrypted certificate, and a certificate. Installer (both not shown).
The certificate installer 228 is supplied from the certificate issuing server 70 to the 802.1x terminal 200 when the certificate is issued, and is executed with the administrator authority of the OS 220.
When executed, the certificate installer 228 decrypts the certificate using the key, writes the key to the registry 222 of the OS 220, and uses the function of the OS 220 to use the function of the OS 220 to transfer the certificate to the other communication node. It is installed in the 802.1x compatible software 22 so that it cannot be exported.
In this way, the certificate installer 228 writes the key to the registry 222, so that a third party cannot retrieve the key.

The MAC terminal 202 communicates with other communication nodes only through the port 300 (FIG. 1 or the like) in which the MAC address attached thereto is registered.
FIG. 5 is a diagram showing a configuration of the MAC-compatible software 24 executed in the MAC terminal 202 shown in FIG.
As shown in FIG. 5, the MAC compatible software 24 adopts a configuration in which the 802.1x authentication unit 226 and the certificate installer 228 are removed from the 802.1x compatible software 22 shown in FIG. 4.

The IP telephone terminal 204 communicates with other communication nodes only through the port 300 (FIG. 1 or the like) in which the MAC address attached thereto is registered, thereby realizing the function as an IP telephone.
FIG. 6 is a diagram showing a configuration of the IP telephone compatible software 26 executed in the IP telephone terminal 204 shown in FIG.
As shown in FIG. 6, the IP phone compatible software 26 employs a configuration in which an IP phone processing unit 260 and a terminal connection unit 262 are added to the MAC compatible software 24 shown in FIG.
The IP phone processing unit 260 of the IP phone compatible software 26 outputs voice data sent from another node via the network 100 or the like from a speaker (not shown) of the IP phone terminal 204 (FIG. 2). The voice input from the microphone (not shown) is transmitted to another node.
That is, the IP telephone processing unit 260 realizes a function required for transmitting and receiving voice by VoIP (Voice over IP).
The terminal connection unit 262 performs processing necessary for connecting the MAC terminal 202 to the IP telephone terminal 204.

The switch device 3 has a function as a switching hub that supports the MAC filtering authentication function and the 802.1x authentication function, and transmits data between the network 100 and a terminal connected to the port 300.
FIG. 7 is a diagram showing a switch control program 32 executed in the switch device 3 shown in FIG.
As shown in FIG. 7, the switch control program 32 includes a port management unit 320, an authentication unit 330, and a switch control unit 340.
The port management unit 320 includes a port monitoring unit 322, a port setting unit 324, and an FDB (Forwarding Data Base) 326.

FIG. 8 is a diagram showing the contents of the FDB 326 shown in FIG.
As illustrated in FIG. 8, the FDB 326 stores the following information (1) to (3) for each of the ports 300-1 to 300-n of the switch device 3-i.
These pieces of information stored in the FDB 326 are referred to and used to control packet transfer in the switch device 3.
(1) The port number of each port 300,
(2) the MAC address of the terminal connected to the port 300, and
(3) Statically set by the administrator terminal 110 or the like, and dynamically set according to the static entry used for controlling the switch 302 (FIG. 3) or the data received by the switch device 3, Dynamic entry used for control of switch 302 (FIG. 3).

The port monitoring unit 322 monitors each port 300 (FIG. 1 and the like) and the network IF 128 and receives the terminal type of the terminal connected to each port 300 and whether or not the connected terminal is communicating. A MAC address included in the data is detected.
The port monitoring unit 322 creates a dynamic entry from the detected information and writes it in the FDB 326.

The port setting unit 324 indicates the type of the terminal connected to each port 300 according to the setting from the terminal management server 5, and when the MAC terminal 202 or the IP telephone terminal 204 is connected to the port 300, 3 to port 300.
When the 802.1x terminal 200 connected to the port 300 of the switch device 3 starts connection to the network 100, the authentication unit 330 issues the authentication unit 330 to the 802.1x terminal 200 with the RADIUS server 112 Authentication using the registered certificate is performed.

The switch control unit 340 controls the switch 302 (FIG. 3) of the switch device 3 according to the terminal type, the MAC address, the static entry, the dynamic entry, and the port state stored in the port 300 of the switch device 3. And the terminal are connected to transmit data.
That is, when data from the MAC terminal 202 whose MAC address is registered in the port 300 is input to a certain port 300, the switch control unit 340 outputs the data to the network 100. When data from a MAC terminal 202 whose MAC address is not registered in the port 300 is input, the switch control unit 340 does not output the data to the network 100.
In addition, the switch control unit 340 outputs data input from the network 100 to the port 300 corresponding to the transmission source address included in the data and the static entry or dynamic entry of the FDB 326.
Note that the switch control unit 340 performs the above-described process only for the port 300 whose port state is normally usable, and between the terminal 100 connected to the port 300 whose port state is prohibited to be used and the network 100. No connection is made between the switches 302, and no data is transmitted between them.

[Terminal management server 5]
FIG. 9 is a diagram showing a configuration of terminal management software 50 executed in the terminal management server 5 shown in FIG.
As shown in FIG. 9, the terminal management software 50 includes an OS 220, a terminal information collection unit 500, an unused terminal extraction unit 502, a terminal management unit 510, a terminal information DB 512, an 802.1x terminal registration unit 520, and an 802.1x terminal. Status management unit 522, MAC terminal registration unit 530, MAC terminal status management unit 532, certificate management unit 540, security management unit 542, switch device management unit 544, user management unit 550, backup unit 552, log creation unit 554, and backup A log storage unit 556 is included.
The terminal management software 50 performs the following processing using these components.
(1) Management of terminal information (terminal registration, terminal deletion, change of terminal registration content, acquisition of terminal information from the switch device 3, etc.),
(2) Terminal and certificate status management (terminals that are not used for a long time and their certificates are revoked or temporarily revoked (FIG. 11)),
(3) Security setting and release of port 300, etc.
(4) Management of the switch device 3, and
(5) Other processing such as backup and log creation and access control.

In the terminal management software 50, the terminal information collection unit 500 requests each switch device 3 to transmit the contents of the FDB 326 (FIG. 9) at a certain time interval (for example, every day), and responds to this request. The contents of the FDB 326 returned from each switch device 3 are collected and used for processing of each component of the terminal management software 50.
The unused terminal extraction unit 502 uses the MAC addresses in the FDB 326 collected by the terminal information collection unit 500 to extract terminals that have not been used for a certain period (for example, one month) or longer.
In order to improve versatility, the management of the switch device 3 and the security setting and release of the port 300 may be realized by the telnet command.

FIG. 10 is a diagram showing terminal information stored in the terminal information DB 512 shown in FIG. 9, where (A) shows the entire terminal information, and (B) shows the IP telephone terminal 204 and connected thereto. The terminal information of the MAC terminal 202 is shown.
The terminal management unit 510 is a setting performed by the administrator of the communication system 1 via the administrator terminal 110 (FIG. 1), terminal information collected from each switch device 3 by the terminal information collection unit 500, and unused terminal extraction The terminal information shown in FIGS. 10A and 10B is created according to the unused terminal extracted by the unit 502 and the notification from the PKI system 7, stored in the terminal information DB 512, and managed.

As shown in FIG. 10A, the terminal information includes the identifier (ID) of each switch device 3, the port number of each port 300 of each switch device 3, the terminal type of the terminal connected to the port 300, The MAC address of the MAC terminal 202 connected to the port 300, the state of the terminal connected to the port 300 (FIG. 11), the security setting state for the port 300, and the 802.1x connected to the port 300 And the status of the certificate issued to the terminal 200.
When the IP telephone terminal 204 is connected to a certain port 300-i of a certain switch device 3, and the MAC terminal 202 is further connected to this IP telephone terminal 204, as shown in FIG. The IP telephone terminal 204 and its MAC terminal 202 are registered as the terminal information of 300-i.

Among the information included in the terminal information, the identifier (ID), port number, terminal type, and MAC address of the switch device 3 are the contents of the FDB 326 (FIG. 8) collected from each switch device 3 or the communication system 1. The contents of the settings made by the administrator via the administrator terminal 110 are reflected.
The security setting status reflects whether security is set or released for each port 300.

When the 802.1x terminal 200 is authenticated by the RADIUS server 112, the 802.1x terminal registration unit 520 stores the terminal information (FIG. 10A) of the port 300 to which the authenticated 802.1x terminal 200 is connected. Processing for registration with the terminal type as the 802.1x terminal 200 is performed.
Further, the 802.1x terminal registration unit 520 performs a process for registration in which the terminal type (FIG. 8) of the port 300 is the 802.1x terminal 200.

FIG. 11 is a diagram illustrating state transition of the 802.1x terminal 200 (FIG. 1 and the like) managed by the 802.1x terminal state management unit 522 illustrated in FIG.
The 802.1x terminal state management unit 522 manages the state of the 802.1x terminal 200 shown in FIG.
As shown in FIG. 11, the 802.1x terminal state management unit 522 can normally communicate with the 802.1x terminal 200 extracted as a terminal that has not been used for a certain period of time by the unused terminal extraction unit 502. From the status, it will be temporarily revoked.

Further, the 802.1x terminal state management unit 522 requests the PKI system 7 to place the certificate that has been issued to the 802.1x terminal 200 that has been revoked into a temporary revocation state.
The 802.1x terminal state management unit 522 sets the 802.1x terminal 200 that has been temporarily revoked to a normal state in response to an operation for canceling the temporary revocation via the administrator terminal 110 by the administrator of the communication system 1. Further, the port state of the port 300 to which the 802.1x terminal 200 is connected is normally usable.

The 802.1x terminal state management unit 522 determines that the 802.1x terminal 200 is revoked if the temporary revocation state of the 802.1x terminal 200 that has been temporarily revoked is not released for a certain period (for example, six months) or longer. State.
Further, the 802.1x terminal state management unit 522 requests the PKI system 7 to make the certificate issued to the 802.1x terminal 200 in the revoked state revoked.
Regardless of whether the 802.1x terminal 200 is in the normal state, the temporary revocation state, or the revocation state, the administrator of the communication system 1 deletes the 802.1x terminal 200 via the administrator terminal 110. When the operation is performed, the 802.1x terminal state management unit 522 prohibits the use of the port state of the port 300 to which the 802.1x terminal 200 is connected, and invalidates the certificate issued to the terminal. A request is made to the PKI system 7, and the terminal information (FIG. 10A) corresponding to this terminal is deleted.
That is, in order for the deleted 802.1x terminal 200 to be in a normal state, this terminal needs to be registered again.
Note that the revoked state may be removed from the state of the MAC terminal 202.

In response to an operation for registering the MAC terminal 202 with respect to the administrator terminal 110 by the administrator of the communication system 1, the MAC terminal registration unit 530 receives terminal information of the port 300 to which the MAC terminal 202 is connected (FIG. )) Is registered as the MAC terminal 202.
Further, the MAC terminal registration unit 530 performs processing for registering the terminal type (FIG. 8) of the switch device 3 of the port 300 as the MAC terminal 202.
The MAC terminal state management unit 532 deletes the terminal information (FIGS. 10A and 10B) of the MAC terminal 202 extracted as a terminal that is not used for a certain period of time by the unused terminal extraction unit 502, The port state of the port 300 to which the MAC terminal 202 is connected is prohibited from being used.
Further, when the registration of the MAC terminal 202 that has not been used for a certain period is deleted, the 802.1x terminal state management unit 522 changes the terminal type of the port 300 to which the MAC terminal 202 is connected to the 802.1x terminal 200. Set.

The certificate management unit 540 manages certificates issued to the 802.1x terminal 200.
That is, when a certain 802.1x terminal 200 is in a normal state and a temporary revocation state, the certificate management unit 540 manages that the certificate issued to the 802.1x terminal 200 is valid.
Further, the certificate management unit 540 manages a certificate issued to the 802.1x terminal 200 as invalid when a certain 802.1x terminal 200 is in a revoked state or is deleted. .

The security management unit 542 performs processing necessary for setting and canceling security for the port 300 that is required when a terminal is registered or changed.
Processing for setting and releasing security for the port 300 by the security management unit 542 is divided into processing for the port 300 for MAC terminal connection and processing for the port 300 for 802.1x terminal connection.
By the processing for the MAC terminal connection port 300, the MAC address registration and the MAC filtering authentication setting are performed for the port 300 to be processed.
The 802.1x authentication is set by processing for all the ports 300 other than the MAC terminal connection port (802.1x terminal connection port 300 and unused port 300).

The switch device management unit 544 performs processing required for newly adding or deleting the switch device 3 in the communication system 1.
That is, when a new switch device 3 is newly installed in the communication system 1, the switch device management unit 544 notifies each component of the terminal management software 50 to that effect. Processing such as creating an entry for the switch device 3 is performed.
Further, when the existing switch device 3 is deleted from the communication system 1, the switch device management unit 544 notifies each component of the terminal management software 50 to that effect, and is removed, for example, by the terminal management unit 510. The processing such as deleting the entry for the switch device 3 is performed.

The user management unit 550 authenticates the administrator of the communication system 1 and, when there are a plurality of administrators, which administrator is allowed to manage which range of terminals (access management) or the like (access management) Perform processing required for management by the administrator.
The backup unit 552 backs up data used in the processing in the terminal management software 50, such as terminal information in the terminal information DB 512, and stores and manages the backed up data in the backup / log storage unit 556.
The log creation unit 554 creates a log indicating the history of processing performed by the terminal management software 50, and stores the created log in the backup / log storage unit 556 for management.

[PKI system 7]
The certificate issuing server 70 and the CA server 78 of the PKI system 7 shown in FIG. 1 cooperate to issue and manage certificates for the 802.1x terminal 200.

The CA server 78 of the PKI system 7 performs the following processing.
(1) Processing for issuing and managing certificates used for authentication of the 802.1x terminal 200 by the RADIUS server 112;
(2) The issued certificate is forcibly revoked according to a predetermined condition, and a certificate revocation list (CRL) indicating the revoked certificate is created and output to the RADIUS server 112. Processing to be reflected, and
(3) Processing such as backup of the contents of processing performed by the CA server 78, management of a user (administrator), backup of data used in the processing, and creation of a log of processing contents.

FIG. 12 is a diagram showing a configuration of certificate issuing software 72 executed in the certificate issuing server 70 shown in FIG.
The certificate issuing server 70 includes a certificate information management unit 720, a certificate information database (DB) 722, an 802.1x terminal certificate issuing unit 730, an 802.1x terminal certificate status management unit 732, and a terminal batch registration / deletion unit. 740, a terminal batch revocation / revocation cancellation unit 742, a log creation unit 750, and a log storage unit 752.

FIG. 13 is a diagram showing certificate information stored in the certificate information DB 722 shown in FIG.
The certificate information management unit 720 of the certificate issuing server 70 creates the certificate information illustrated in FIG. 13 in response to a request from the terminal management server 5 and an operation via the administrator terminal 110 of the communication system 1. And stored in the certificate information DB 722 and managed.
As shown in FIG. 13, the certificate information includes the following information.
(1) a certificate issuance state indicating whether a certificate has already been issued to each of the port 300 to which the terminal is connected and the 802.1x terminal 200;
(2) a certificate status indicating whether a certificate issued to the 802.1x terminal 200 is valid, temporarily revoked, or revoked;
(3) Certificate information indicating the contents of issued certificates, and
(4) The terminal name of the 802.1x terminal 200 that should be the target of certificate issuance.

In response to the request including the terminal name from the 802.1x terminal 200, the 802.1x terminal certificate issuing unit 730 includes the terminal name in the terminal information (FIG. 13) and corresponds to the terminal. When the certificate issuance status to be issued is not issued, the CA server 78 is requested to issue a certificate.
Further, the 802.1x terminal certificate issuing unit 730 creates a certificate installer 228 (FIG. 4) including the certificate returned from the CA server 78 in response to the request, and requests the certificate issuance. Transmit to the 802.1x terminal 200.
When the certificate is issued to the 802.1x terminal 200 by the 802.1x terminal certificate issuing unit 730, the 802.1x terminal certificate status management unit 732 sends the 802.1x terminal certificate status management unit 732 to the certificate information management unit 720. It is assumed that the certificate issuance state of the certificate information corresponding to the terminal 200 has been issued.
Further, the 802.1x terminal certificate state management unit 732 sends the state transition (FIG. 11) of the 802.1x terminal 200 to the certificate information management unit 720 in response to the notification from the terminal management server 5. To be reflected in the certificate status.

The terminal batch registration / deletion unit 740 collectively adds a plurality of 802.1x terminals 200 to the communication system 1 and registers them, and batches the plurality of 802.1x terminals 200. And perform the processing required to delete them.
That is, the terminal batch registration / deletion unit 740 performs a process of issuing a certificate to a plurality of 802.1x terminals 200 added to the communication system 1 in response to a request from the terminal management server 5. The processing result is reflected in the certificate information (FIG. 13).
Also, the terminal batch registration / deletion unit 740 revokes certificates issued to a plurality of 802.1x terminals 200 to be deleted from the communication system 1 in response to a request from the terminal management server 5. Processing is performed, and the processing result is reflected in the certificate information (FIG. 13).

The terminal batch revocation / revocation cancellation unit 742 cancels the processes required for batch revocation of a plurality of 802.1x terminals 200 and the revocation of the plurality of 802.1x terminals 200 in a lump. The processing required for this is performed.
That is, the terminal batch revocation / revocation cancellation unit 742 performs a process of revoking issued certificates for a plurality of 802.1x terminals 200 to be revoked in response to a request from the terminal management server 5. The processing result is reflected in the certificate information (FIG. 13).
Further, the terminal batch revocation / revocation cancellation unit 742 performs a process of issuing a certificate to a plurality of 802.1x terminals 200 whose revocation has been canceled in response to a request from the terminal management server 5. The result is reflected in the certificate information (FIG. 13).
The log creation unit 750 creates a log of the processing of the certificate issuing software 72, stores it in the log creation unit 750 and the log storage unit 752, and manages it.

[Overall Operation of Communication System 1]
Hereinafter, the overall operation of the communication system 1 will be described.

FIG. 14 is a first diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows processing (S10) for newly registering the 802.1x terminal 200 in the communication system 1.
As shown in FIG. 14, in step 100 (S100), the terminal management server 5 sets all ports of all switch devices 3 for the 802.1x terminal 200 as an initial setting.
In step 102 (S102), when the terminal information (FIG. 10) of the 802.1x terminal 200 is input to the terminal management server 5 by the administrator of the communication system 1 and registration is requested, the terminal management server 5 5 requests the PKI system 7 to issue a certificate.

In step 104 (S104), the PKI system 7 issues a certificate and logs it by sending a certificate installer 228 (FIG. 4) to the 802.1x terminal 200 for which registration has been requested.
In step 106 (S106), the PKI system 7 notifies the terminal management server 5 of the certificate status (certificate issued).
In step 108 (S108), the 802.1x terminal 200 installs the issued certificate and starts network connection since it is connected.

In step 110 (S110), the 802.1x terminal 200 requests authentication from the RADIUS server 112 using the installed certificate.
In step 112 (S112), the RADIUS server 112 authenticates the 802.1x terminal 200 in response to the request and notifies the switch device 3 of it.
Further, the RADIUS server 112 creates a log of this process.
In step 114 (S114), the RADIUS server 112 transmits the log created in the process of S112 to the terminal management server 5.
The terminal management server 5 receives this log from the terminal management server 5 and reflects it in its own log.
In step 116 (S116), when the switch device 3 connects to the 802.1x terminal 200, the terminal becomes communicable.

FIG. 15 is a second diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process (S14) for temporarily revoking the 802.1x terminal 200.
In step 140 (S140), when the 802.1x terminal 200 that has not been used for a certain period of time is extracted, the terminal management server 5 executes a process for temporarily revoking this terminal (FIG. 11).
Further, the terminal management server 5 requests the PKI system 7 to temporarily revoke the certificate issued to this terminal.

In step 142 (S142), the PKI system 7 revokes the certificate issued to this terminal, and further issues a CRL for revoking the certificate issued to this terminal. 112 for output.
The RADIUS server 112 revokes the certificate issued to this terminal according to this CRL, and creates a log of this process.
In step 144 (S144), the RADIUS server 112 transmits the log created in the process of S142 to the terminal management server 5 as a certificate status.
The terminal management server 5 reflects the log from the RADIUS server 112 in its own log.

FIG. 16 is a third diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process (S15) for releasing the temporary revocation of the 802.1x terminal 200.
In step 150 (S150), when receiving an operation from the administrator of the communication system 1 to release the temporary revocation of the 802.1x terminal 200 that has been temporarily revoked, the terminal management server 5 temporarily revokes this terminal ( The process of canceling FIG. 11) is executed.
Further, the terminal management server 5 requests the PKI system 7 to cancel the temporary revocation of the certificate issued to this terminal.

In step 152 (S152), the PKI system 7 validates the certificate issued to the temporarily revoked terminal, and further validates the certificate issued to the temporarily revoked terminal. CRL is issued and output to the RADIUS server 112.
The RADIUS server 112 validates the certificate issued to this terminal according to this CRL, and creates a log of this process.
In step 154 (S154), the RADIUS server 112 notifies the terminal management server 5 of the log created in the process of S152 as a certificate status.
The terminal management server 5 reflects the log from the RADIUS server 112 in its own log.

FIG. 17 is a fourth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows processing (S16) for revoking the 802.1x terminal 200.
In step 160 (S160), when the 802.1x terminal 200 that has been temporarily revoked for a certain period is extracted, the terminal management server 5 executes a process of revoking this terminal (FIG. 11). .
Further, the terminal management server 5 requests the PKI system 7 to revoke the certificate issued to this terminal.

In step 162 (S162), the PKI system 7 revokes the certificate issued to this terminal, and further issues a CRL for revoking the certificate issued to this terminal. 112 for output.
The RADIUS server 112 revokes the certificate issued to this terminal according to this CRL, and creates a log of this process.
In step 164 (S164), the RADIUS server 112 transmits the log created in the process of S162 to the terminal management server 5 as a certificate status.
The terminal management server 5 reflects the log from the RADIUS server 112 in its own log.

FIG. 18 is a fifth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process (S17) for canceling the revocation of the 802.1x terminal 200.
In step 170 (S170), upon receiving an operation for canceling the revocation of the revoked 802.1x terminal 200 from the administrator of the communication system 1, the terminal management server 5 revokes this terminal (FIG. 11). Execute the process to cancel.
Further, the terminal management server 5 requests the PKI system 7 to cancel the revocation of the certificate issued to this terminal.

In step 172 (S172), the PKI system 7 validates the certificate issued to the revoked terminal, and further, the CRL for validating the certificate issued to the revoked terminal. Issued and output to the RADIUS server 112.
The RADIUS server 112 validates the certificate issued to the terminal according to the CRL and creates a processing log.
In step 174 (S174), the RADIUS server 112 notifies the terminal management server 5 of the log created in the process of S172 as a certificate status.
The terminal management server 5 reflects the log from the RADIUS server 112 in its own log.
In step 176 (S176), when the 802.1x terminal 200 authenticates with the RADIUS server 112 again as shown in FIG. 14, the terminal that has been revoked returns to the normal state.

FIG. 19 is a sixth diagram illustrating the overall operation of the communication system 1 illustrated in FIG. 1 and the like, and illustrates processing for deleting the 802.1x terminal 200 (S19).
In step 190 (S190), if there is an operation for deleting the 802.1x terminal 200 from the administrator of the communication system 1, the terminal management server 5 executes a process of deleting this terminal (FIG. 11).
Further, the terminal management server 5 requests the PKI system 7 to delete the certificate issued to the terminal.

In step 192 (S192), the PKI system 7 deletes the certificate issued to the terminal, issues a CRL for revoking the certificate issued to the terminal, and sends it to the RADIUS server 112. Output.
The RADIUS server 112 revokes the certificate issued to the terminal according to the CRL and creates a processing log.
In step 194 (S194), the RADIUS server 112 transmits the log created in the process of S192 to the terminal management server 5 as a certificate status.
The terminal management server 5 reflects the log from the RADIUS server 112 in its own log.

FIG. 20 is a seventh diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process (S20) of registering a new MAC terminal 202 in the communication system 1.
Step 200 (S200) indicates that, as a premise, the terminal type (FIG. 8) of the vacant port 300 is the 802.1x terminal 200.
In step 202 (S202), when the administrator of the communication system 1 inputs terminal information (FIG. 10) and performs an operation of registering the MAC terminal 202, the terminal management server 5 is connected to the new MAC terminal 202. Security of all vacant ports 300 on the switch device 3 to be released is released.
In the process of S202, the 802.1x security setting set for the unused port is canceled.

In step 204 (S204), the new MAC terminal 202 starts network connection via the switch device 3.
By the process of S204, the MAC terminal 202 becomes communicable, and after actual communication is performed, the port 200 used in this communication and the MAC address of the MAC terminal 202 are registered in the table in the FDB 326. .
The switch device 3 registers terminal information (MAC address, switch port) obtained from the new MAC terminal 202 in the FDB 326 (FIG. 8).
In step 206 (S206), the MAC terminal 202 becomes communicable and the MAC terminal 202 is registered in the FDB 326 of the switch device 3.

In step 208 (S208), the terminal management server 5 acquires the terminal information of the new MAC terminal 202 obtained in the process of S206 from the switch device 3.
The terminal management server 5 that has acquired the terminal information updates data used for security setting for the port 300 to which the new MAC terminal 202 is connected, and the administrator of the communication system 1 approves this security setting. .
In the process of S208, the content of the FDB 326 is acquired from the switch device 3 by the terminal management server 5, and the terminal information (MAC address, switch port) in the FDB 326 is stored in the database (terminal information DB 512; This is reflected in FIGS. 10A and 10B.
Based on the information in the terminal information DB 512, appropriate security settings are performed for the port 300 whose security has been released in the switch device 3.
In step 210 (S210), the terminal management server 5 sets the terminal type (FIG. 8) of the port 300 to which the new MAC terminal 202 is connected to the switch device 3 in the MAC terminal 202, and further, the MAC address of the terminal Register.

FIG. 21 is an eighth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows processing (S22) for changing the MAC address registered in the port 300.
As shown in FIG. 21, in step 220 (S 220), when the administrator of the communication system 1 requests a change of the MAC address registered in the specific port 300, the terminal management server 5 sets the target port 300. The switch device 3 is requested to delete the MAC address (FIG. 8) registered in the target port 300.
In response to this request, the switch device 3 deletes the MAC address registered in the target port 300.

In step 222 (S222), the terminal management server 5 transmits the changed MAC address to the switch device 3 and requests registration of the MAC address for the target port 300.
In response to this request, the switch device 3 registers the changed MAC address in the target port 300.

FIG. 22 is a ninth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process of deleting the MAC terminal 202 and registering it again (S24).
In step 240 (S240), when a MAC terminal 202 that has not been used for a certain period or longer is extracted, the terminal management server 5 performs a process for deleting the extracted MAC terminal 202, and the port to which the terminal is connected The switch apparatus 3 having 300 (at the time of deletion) is requested to delete the MAC address of the terminal (FIG. 8).
The switch device 3 deletes the MAC address of the MAC terminal 202 in response to the request.
In step 242 (S242), the terminal management server 5 requests the switch device 3 to set the terminal type of the port 300 from which the MAC address is deleted to the 802.1x terminal 200.
In response to the request, the switch device 3 sets the terminal type of the port 300 as the 802.1x terminal 200.

In step 244 (S244), the MAC terminal 202 from which the MAC address has been deleted is connected to the port 300 of the same or another switch device 3 (at the time of re-registration), and the terminal management server according to the operation of the user of the terminal 5 to request re-registration.
Thereafter, the processing of S202 to S210 shown in FIG. 20 is performed, and the MAC terminal 202 is re-registered as a terminal connected to the destination port 300.

FIG. 23 is a tenth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows the process of deleting the MAC terminal 202 (S28).
As illustrated in FIG. 22, in step 280 (S280), when the administrator of the communication system 1 performs an operation for deleting a specific MAC terminal 202, the terminal management server 5 performs a MAC operation according to this operation. Processing for deleting the terminal 202 is performed.
The terminal management server 5 requests the switch device 3 having the port 300 to which the MAC terminal 202 is connected to delete the MAC address (FIG. 8) of the MAC terminal 202.
The switch device 3 deletes the MAC address registered in the port 300 in response to the request.

In step 282 (S282), the terminal management server 5 deletes the terminal information (FIG. 10) of the MAC terminal 202 that is the object of deletion.
Further, the terminal management server 5 requests the switch device 3 to set the terminal type of the port 300 to the 802.1x terminal 200.
In response to a request from the terminal management server 5, the switch device 3 sets the terminal type of the port 300 to the 802.1x terminal 200.

FIG. 24 is an eleventh view showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows the process of moving the MAC terminal 202 between the ports 300 (S30).
As shown in FIG. 24, in step 300 (S300), from the 802.1x terminal 200 connected to the port 300 (movement source) of a certain switch device 3, another switch device 3 is connected to the terminal management server 5. Application for transfer to port 300 (destination) is issued.
In step 302 (S302), the terminal management server 5 releases the security of the source port 300.
In step 304 (S304), when the MAC terminal 202 is already connected to the destination port 300, the security of the MAC terminal 202 is released.

In step 306 (S306), the MAC terminal 202 starts network connection to the switch device 3 at the movement destination.
In step 308 (S308), the MAC terminal 202 becomes communicable and the MAC terminal 202 is registered in the FDB 326 of the switch device 3.
In step 310 (S310), the terminal management server 5 notifies the terminal information from the switch device 3 at the movement destination.

In step 312 (S312), the terminal management server 5 deletes the MAC address (FIG. 8) of the source MAC terminal 202.
In step 314 (S314), the terminal management server 5 sets the terminal type of the source port 300 as the 802.1x terminal 200.
In step 316 (S316), the terminal management server 5 sets the terminal type of the destination port 300 as the MAC terminal 202, and registers the MAC address of the connected MAC terminal 202.

FIG. 25 is a twelfth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process of registering a new IP telephone terminal 204 in the communication system 1 (S34).
In step 340 (S340), when the administrator of the communication system 1 inputs the terminal information (FIG. 10) and performs an operation of registering the IP telephone terminal 204, the terminal management server 5 causes the new IP telephone terminal 204 to be registered. The security of the port 300 to be connected is released.
In step 342 (S342), the IP telephone terminal 204 starts network connection with the switch device 3.
In step 344 (S344), the IP telephone terminal 204 becomes communicable and the IP telephone terminal 204 is registered in the FDB 326 of the switch device 3.

In step 346 (S346), the MAC terminal 202 starts network connection to the switch device 3.
In step 348 (S348), the MAC terminal 202 becomes communicable and the MAC terminal 202 is registered in the FDB 326 of the switch device 3.
In step 350 (S350), the terminal management server 5 acquires terminal information from the switch device 3.
In step 352 (S352), the terminal management server 5 registers the MAC addresses (FIG. 8) of the IP telephone terminal 204 and the MAC terminal 202 in the switch device 3.

FIG. 26 is a thirteenth view showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows the process of deleting the IP telephone terminal 204 from the communication system 1 (S38).
As shown in FIG. 26, when the administrator of the communication system 1 performs an operation for deleting a specific IP telephone terminal 204 in step 380 (S380), the terminal management server 5 Processing for deleting the IP telephone terminal 204 and the MAC terminal 202 connected thereto is performed.
The terminal management server 5 requests the switch device 3 having the port 300 to which the IP telephone terminal 204 is connected to delete the IP address of the IP telephone terminal 204 (FIG. 8).
The switch device 3 deletes the MAC address of the IP telephone terminal 204 in response to the request.

In step 382 (S382), the terminal management server 5 sends the MAC address of the MAC terminal 202 connected to the IP telephone terminal 204 to the switch device 3 having the port 300 to which the IP telephone terminal 204 is connected (see FIG. Request to delete 8).
The switch device 3 deletes the MAC address of the MAC terminal 202 in response to the request.
In step 384 (S384), the terminal management server 5 compares the terminal type of the port 300 to which the IP telephone terminal 204 is connected to the switch device 3 having the port 300 to which the IP telephone terminal 204 is connected (FIG. 11). ) Is set to the 802.1x terminal 200.
The switch device 3 sets the terminal type of the port 300 to the 802.1x terminal 200 in response to the request.

FIG. 27 is a fourteenth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and a process of moving a large number of terminals in the communication system 1 between ports 300 (large-scale layout change) Processing; S40) is shown.
As shown in FIG. 27, in step 400 (S400), the terminal management server 5 at least moves the terminal when the communication system 1 is disconnected from the external network and is in a state where it is easy to maintain security. The security of all the previous ports 300 is released.

In step 402 (S402), the terminal connected to the destination port 300 starts network connection to the switch device 3 having the destination port 300.
In step 404 (S404), the terminal connected to the destination port 300 becomes communicable and is registered in the FDB 326 of the switch device 3.
In step 406 (S406), the terminal management server 5 acquires terminal information from the switch device 3 at the movement destination.
In the process of S406, the terminal management server 5 acquires the contents of the FDB 326 from the switch device 3, and the terminal information (MAC address, switch port) in the FDB 326 is stored in the database (terminal information DB 512) on the terminal management server 5. reflect.
In accordance with the contents of this terminal information DB 512, appropriate security settings are made for the port 300 of the released switch device 3.
The terminal management server 5 performs security setting for the port 300 to which the new MAC terminal 202 is connected, and the administrator of the communication system 1 approves this security setting.

In step 408 (S408), the terminal management server 5 deletes the MAC address registered in the port 300 to which the moved MAC terminal 202 was connected.
In step 410 (S410), the terminal management server 5 sets the terminal type of the port 300 to which the moved MAC terminal 202 is connected as the 802.1x terminal 200.

In step 412 (S412), the terminal management server 5 registers the MAC address of the connected MAC terminal 202 in each port 300 to which the MAC terminal 202 is connected in the switch device 3 that is the movement destination.
In step 414 (S414), the terminal management server 5 sets the terminal type (FIG. 10) other than the port 300 to which the MAC terminal 202 is connected to the 802.1x terminal 200 among the ports 300 to be moved.

FIG. 28 is a fifteenth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process of registering a large number of terminals in the communication system 1 (S44).
In step 440 (S440), when the terminal batch registration list exists in the terminal management server 5, the terminal management server 5 transmits the terminal batch registration list to the certificate issuing server 70.
The terminal batch registration list is created by the administrator of the communication system 1 and collectively indicates terminals to be registered and terminal information thereof.

In step 442 (S442), the certificate issuing server 70 checks the terminal collective registration list from the terminal management server 5, and registers the 802.1x terminal 200 included in the terminal collective registration list to the CA server 78. Request.
In step 444 (S444), the CA server 78 issues a certificate for each of the 802.1x terminals 200 included in the terminal batch registration list in response to this request, and the registration process (individual processing) of the 802.1x terminal 200 is performed. Except for whether there is a batch process or a batch process, the same as the 802.1x terminal registration process shown in FIG. 14) is performed.
The CA server 78 further notifies the certificate issuing server 70 of the result of the registration process.

FIG. 29 is a sixteenth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process of deleting a large number of terminals in the communication system 1 (S46).
As shown in FIG. 29, in step 460 (S460), when the terminal batch deletion list exists in the terminal management server 5, the terminal management server 5 sends the terminal batch deletion list to the certificate issuing server 70. Send.
Note that the terminal batch deletion list is created by the administrator of the communication system 1, or the terminal management server 5 stores the terminal information (FIG. 10) before correction by the processing of S440 and the terminal information before correction. Terminals that should be created and deleted by comparison are collectively shown.

In step 462 (S462), the certificate issuing server 70 checks the terminal batch deletion list from the terminal management server 5, and deletes the 802.1x terminal 200 included in the terminal batch deletion list to the CA server 78. Request.
In step 446 (S446), in response to this request, the CA server 78 deletes the certificate for each 802.1x terminal 200 included in the terminal batch deletion list, and performs the deletion process of the 802.1x terminal 200.
The CA server 78 further notifies the certificate issuing server 70 of the result of the deletion process.

FIG. 30 is a seventeenth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process of temporarily revoking a large number of terminals in the communication system 1 (S48).
As shown in FIG. 30, in step 480 (S480), when the terminal batch temporary revocation list exists in the terminal management server 5, the terminal management server 5 sends the terminal batch temporary revocation list to the certificate issuing server 70. Send to.
The terminal batch temporary revocation list is created by the administrator of the communication system 1 and collectively indicates terminals to be temporarily revoked.

In step 482 (S 482), the certificate issuing server 70 checks the terminal batch temporary revocation list from the terminal management server 5 and determines the temporary revocation of the 802.1x terminal 200 included in the terminal batch temporary revocation list as the CA server 78. To request.
In step 484 (S484), the CA server 78 temporarily revokes the certificate for each of the 802.1x terminals 200 included in the terminal batch temporary revocation list in response to this request, and performs the temporary revocation processing of the 802.1x terminal 200. Do.
The CA server 78 further notifies the certificate issuing server 70 of the result of the temporary revocation process.

FIG. 31 is an 18th diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and shows a process (S50) for deleting a large number of terminals in the communication system 1 at once.
As shown in FIG. 30, in step 500 (S500), when the terminal batch deletion list exists in the terminal management server 5, the terminal management server 5 sends the terminal batch deletion list to the certificate issuing server 70. Send.
Note that the terminal batch deletion list is created by the administrator of the communication system 1, or the terminal management server 5 stores the terminal information (FIG. 10) before correction by the processing of S440 and the terminal information before correction. Terminals that should be created and deleted by comparison are collectively shown.

In step 502 (S502), the certificate issuing server 70 checks the terminal batch deletion list from the terminal management server 5, and deletes the 802.1x terminal 200 included in the terminal batch deletion list to the CA server 78. Request.
In step 504 (S504), the CA server 78 deletes the certificate for each of the 802.1x terminals 200 included in the terminal batch deletion list in response to this request, and performs the deletion process of the 802.1x terminal 200.
The CA server 78 further notifies the certificate issuing server 70 of the result of the deletion process.

FIG. 32 is a nineteenth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, and the certificate is normally issued to the 802.1x terminal 200 that has accessed the certificate issuing server 70. Shows the process (S52).
In step 520 (S520), when the 802.1x terminal 200 accesses the certificate issuing server 70 by notifying its own terminal name according to the operation of the user, the certificate issuing server 70 It is determined whether there is a notified terminal name in the document information (FIG. 13).
In step 522 (S522), the certificate issuing server 70, when the certificate information (FIG. 13) includes the notified terminal name, accesses the 802.1x terminal that has accessed necessary information such as its host name. 200 is displayed.

In step 524 (S524), when the user of the 802.1x terminal 200 sees information such as the host name displayed in the process of S522 and performs processing for requesting certificate issuance, the 802.1x terminal 200 The certificate issuing server 70 is requested to issue a certificate.
In step 526 (S526), the certificate issuing server 70 requests the CA server 78 to issue a certificate.

In step 528 (S528), the CA server 78 issues a certificate in response to the request and returns it to the certificate issuing server 70.
In step 530 (S530), the certificate issuing server 70 sends the certificate installer 228 (FIG. 4) including the certificate obtained from the CA server 78 to the 802.1x terminal 200 and installs the certificate. Let

FIG. 33 is a twentieth diagram showing the overall operation of the communication system 1 shown in FIG. 1 and the like, in the case where a certificate is not issued to the 802.1x terminal 200 that has accessed the certificate issuing server 70. A process (S54) is shown.
In step 520 (S520), the 802.1x terminal 200 accesses the certificate issuing server 70 by notifying its own terminal name.
In step 540 (S540), the certificate issuing server 70 displays an error message or the like on the accessed 802.1x terminal 200 when the notified terminal name is not included in the certificate information (FIG. 13). .

  The present invention can be used for managing terminals in a communication system.

FIG. 1 is a diagram illustrating a communication system 1 to which a communication method according to the present invention is applied. FIG. 2 is a diagram illustrating a hardware configuration of an administrator terminal, a RADIUS server, a CA server, an 802.1x terminal, a MAC terminal, an IP telephone terminal, a terminal management server, and a certificate issuing server illustrated in FIG. 1. FIG. 3 is a diagram illustrating a hardware configuration of the switch device 3 illustrated in FIG. 1. It is a figure which shows the structure of the 802.1x corresponding | compatible software performed in the 802.1x terminal of the terminal system 2 shown in FIG. It is a figure which shows the structure of the MAC corresponding | compatible software performed in the MAC terminal shown in FIG. It is a figure which shows the structure of the IP telephone corresponding software performed in the IP telephone terminal shown in FIG. It is a figure which shows the switch control program performed in the switch apparatus shown in FIG. It is a figure which shows the content of FDB shown in FIG. It is a figure which shows the structure of the terminal management software performed in the terminal management server shown in FIG. It is a figure which shows the terminal information memorize | stored in terminal information DB shown in FIG. 9, Comprising: (A) shows the whole terminal information, (B) is terminal information of an IP telephone terminal and a MAC terminal connected to it. Indicates. It is a figure which shows the state transition of the 802.1x terminal (FIG. 1 etc.) managed by the 802.1x terminal state management part shown in FIG. It is a figure which shows the structure of the certificate issuing software performed in the certificate issuing server shown in FIG. It is a figure which shows the certificate information memorize | stored in certificate information DB shown in FIG. FIG. 2 is a first diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 3 is a second diagram showing the overall operation of the communication system shown in FIG. 1 and the like. FIG. 4 is a third diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 6 is a fourth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 6 is a fifth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 7 is a sixth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 8 is a seventh diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 9 is an eighth diagram illustrating the overall operation of the communication system depicted in FIG. 1 and the like. FIG. 10 is a ninth diagram illustrating the overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 10 is a tenth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 11 is an eleventh diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 13 is a twelfth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 14 is a thirteenth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 15 is a fourteenth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 16 is a fifteenth diagram illustrating the overall operation of the communication system depicted in FIG. 1 and the like. FIG. 17 is a sixteenth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 18 is a seventeenth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 19 is an eighteenth diagram illustrating the overall operation of the communication system depicted in FIG. 1 and the like. FIG. 20 is a nineteenth diagram illustrating an overall operation of the communication system illustrated in FIG. 1 and the like. FIG. 21 is a twentieth diagram showing the overall operation of the communication system shown in FIG. 1 and the like.

Explanation of symbols

1 ... communication system,
100 ... Network,
110: Administrator terminal,
120 ... main body,
122... CPU
124 ... memory,
126 ... I / O device,
128: Network IF,
130... Recording device,
132... Recording medium,
112 ... RADIUS server,
2 ... Terminal system,
200 ... 802.1x terminal,
22 ... 802.1x compatible software,
220 ... OS,
222: Registry,
224 ... Network connection part,
226 ... 802.1x authentication unit,
202 ... MAC terminal,
204: IP telephone terminal,
26 ... IP phone compatible software,
260 ... IP telephone processing unit,
262 ... terminal connection part,
3 ... Switch device,
300 ... Port,
302... Switch
310... Control circuit,
32... Switch control program,
320: Port management unit,
322: Port monitoring unit,
324 ... Port setting section,
326... FDB,
330: Authentication unit,
340... Switch control unit,
5 ... terminal management server,
50 ... terminal management software,
500 ... Terminal information collection unit,
502 ... Unused terminal extraction unit,
510... Terminal management unit,
512 ... terminal information DB,
520... 802.1x terminal registration unit,
522... 802.1x terminal state management unit,
530: MAC terminal registration unit,
532... MAC terminal state management unit,
540 ... Certificate management department,
542: Security management department,
544 ... Switch device management unit,
550 ... User management unit,
552 ... backup unit,
554 ... Log creation unit,
556: Backup log storage unit 7: PKI system,
70: Certificate issuing server,
72 ... Certificate issuing software,
720 ... Certificate information management unit,
722 ... Certificate information DB,
730 ... 802.1x terminal certificate issuing unit,
732 ... 802.1x terminal certificate status management unit,
740: Terminal batch registration / deletion unit,
742 ... Terminal batch revocation / revocation cancellation unit,
750 ... log creation unit,
752 ... Log creation unit 750 and log storage unit,
78 ... CA server,

Claims (21)

A port used to connect to the network;
First communication means registered in the port and performing communication via the network;
Second communication means of a second method other than the first method;
First port setting means for setting all of the ports as ports of the second method;
When the first communication means is connected to the port set as the second method port, the port to which the first communication means is connected is set as the first method port. A second port setting means;
A communication system comprising: registration means for registering the first communication means in a port to which the first communication means is connected. The communication system according to claim 1, wherein the first method allows communication via the network only to the first communication unit registered for the port. In the first communication means, an individual address is set,
3. The communication system according to claim 2, wherein the first method permits communication via the network only to the first communication unit in which an address is registered for the port. The communication system according to claim 3, wherein the address is a MAC address. The second method allows communication via the network when the second communication means is authenticated.
The communication system according to claim 1, further comprising: an authentication unit that performs authentication on the second communication unit. The communication system according to claim 5, wherein the authentication unit performs the authentication using a certificate issued to the second communication unit. The communication system according to claim 6, wherein the second method conforms to an IEEE 802.1x standard. Individual identification information is set for each of the second communication means,
The communication system according to claim 6 or 7, further comprising: a certificate issuing unit that issues the certificate only once to the second communication unit to which specific identification information is attached. The first communication means further includes a third communication means to which the first communication means is connected,
The registration means registers the third communication means and the first communication means connected to the third communication means in a port to which the third communication means is connected. A communication system according to any one of the above. The communication system according to claim 9, wherein the third communication unit is an IP telephone. The communication system according to claim 1, further comprising security setting means for setting security for the first communication means. The first communication means accesses the second port setting means when security is released,
The registration unit registers the accessed communication note of the first method with respect to a port to which the communication unit is connected,
The security setting unit cancels security for the first communication unit and the port prior to registration of the second communication unit with respect to the port, and when the registration of the port of the second communication unit is performed. The communication system according to claim 10, wherein security is set for the first communication means and the port. The communication system according to any one of claims 1 to 12, further comprising a registration revocation means for revoking registration of the port of the first communication means that has not performed communication for a predetermined period. The communication system according to claim 13, wherein the registration unit registers, in response to a request, the first communication unit in which the registration is invalidated with respect to a port to which the first communication unit is connected. The communication system according to claim 1, further comprising: a communication prohibiting unit that prohibits communication of the second communication unit that is not performing communication for a predetermined period. The communication system according to claim 15, further comprising: communication banning means for banning communication of the second communication means forbidden for communication in response to a request. The second method allows communication via the network when the second communication means is authenticated.
The communication system according to claim 15 or 16, further comprising: authentication cancellation means for canceling authentication for the first communication means for which communication is prohibited for a predetermined period. A tabulating unit that tabulates which of the first communication unit and the second communication unit is connected to each of the ports;
The second port setting means sets the port as a port of the first method according to the aggregation,
The communication system according to any one of claims 1 to 17, wherein the first port setting means sets a port other than the port set to the first scheme as a port of the second scheme. First communication means of a first method registered for a port used for connection to a network and performing communication via the network, and second of a second method other than the first method A communication device that performs communication control with respect to two communication means,
First port setting means for setting all of the ports as ports of the second method;
When the first communication means is connected to the port set as the second method port, the port to which the first communication means is connected is set as the first method port. A second port setting means;
A communication apparatus comprising: registration means for registering the first communication means in a port to which the first communication means is connected. A port used for connection to a network, a first communication means of a first method registered for the port and performing communication via the network, and a second other than the first method A communication method in a communication system including the second communication means of the method
Set all of the ports as ports of the second scheme,
When the first communication means is connected to the port set as the second method port, the port to which the first communication means is connected is set as the first method port. ,
A communication method for registering the first communication means in a port to which the first communication means is connected. A port used for connection to a network, a first communication means of a first method registered for the port and performing communication via the network, and a second other than the first method A communication program in a communication system including the second communication means of the method,
Setting all of the ports to ports of the second scheme;
When the first communication means is connected to the port set as the second method port, the port to which the first communication means is connected is set as the first method port. Steps,
A communication program for causing a computer to execute the step of registering the first communication means in a port to which the first communication means is connected.

Images