JP2017195632A - Radio communication terminal authentication control device, radio communication terminal authentication control system, radio communication terminal authentication control method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow users to easily implement user authentication of a public radio LAN using SIM cards even when business operators (MVNO and the like) different from business operators (MNO and the like) indicated by an MCC/MNC recorded in a SIM card have a use contract of a public radio LAN infrastructure.SOLUTION: A radio communication terminal authentication control device controlling user authentication of a radio communication terminal to be connected to a network, using an authentication medium provided by a virtual mobile communication operator comprises: authentication information management means that stores user identification information of the radio communication terminal permitting connection to the network; and control means that determines whether the user identification information included in the authentication medium mounted in the radio communication terminal is stored in the authentication information management means, and when determining that the user identification information is stored in the authentication information management means, permits a connection of the radio communication terminal to the network.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a wireless communication terminal authentication control device, a wireless communication terminal authentication control system, a wireless communication terminal authentication control method, and a program.

  In recent years, public wireless LAN services that provide an environment that can connect to the Internet using a wireless LAN are already known. In this system, a wireless communication terminal such as a notebook personal computer having a wireless LAN function in which a wireless LAN access point (hereinafter referred to as “AP”) connected to the Internet is disposed in, for example, a restaurant, a hotel, a station, or an airport. Connection is possible.

  In the public wireless LAN service, authentication is performed to ensure the existence, reliability, and legitimacy of a user who uses a wireless communication terminal to connect to a wireless LAN access point. At this time, a method using a SIM (Subscriber Identity Module) card mounted on a wireless communication terminal is already known.

  In authentication using a SIM card (hereinafter referred to as “SIM authentication”), a subscriber identification number (International Mobile Subscriber Identity, hereinafter referred to as “IMSI”) held in the SIM card mounted on the wireless communication terminal is used. By using it, the subscriber is identified.

  The IMSI is usually composed of 15 digits, the first 3 digits are MCC (Mobile Country Code) representing the country, the next 2 to 3 digits are MNC (Mobile Network Code) representing the wireless carrier identification number, and the rest MSIN (Mobile Station Identification Number) representing an identification number for identifying an individual.

  An authentication technique using the above-described SIM authentication is described in, for example, Patent Document 1 and Patent Document 2.

JP 2013-149096 A Japanese Patent No. 3897034

  By the way, in recent years, a virtual mobile network operator (Mobile Virtual Network) that borrows from a mobile network operator (hereinafter referred to as “MNO”) that provides a wireless communication infrastructure such as a mobile phone and provides an original communication service. Operator, hereinafter referred to as “MVNO”) has appeared.

  And MVNO purchases the SIM card for using a smart phone etc. from MNO, and sells this to a user. The user inserts the SIM card purchased from the MVNO into his / her smartphone, and uses the smartphone under the wireless communication infrastructure borrowed from the MNO by the MVNO.

  Here, it goes without saying that SIM authentication is also required when receiving a public wireless LAN service using a SIM card provided by the MVNO. Since the SIM card provided by the MVNO includes the MCC and MNC indicating the MNO, the authentication request goes to the authentication server managed by the MNO. However, in the case where the MVNO borrows infrastructure equipment for providing public wireless LAN services from other public wireless LAN operators other than the MNO that provides the SIM card, between this other operator and the MNO. If there is no contractual relationship, even if you try to use wireless communication with a public wireless LAN facility provided by a provider other than MNO using a SIM card provided by MNO, the contractual relationship will be Since it seems that a user of an MNO without an authentication is making an authentication request, the authentication request must be rejected. For this reason, even if there is a contract between the MVNO and the public wireless LAN operator, the SIM authentication by the terminal fails, and the terminal is not permitted to connect to the public wireless LAN.

  The present invention has been made in view of such circumstances, and is a business different from a business operator (MNO or the like) indicated by MCC / MNC recorded in a SIM card for a public wireless LAN infrastructure usage contract. Even if a user (such as MVNO) possesses, it is an object that a user can easily perform user authentication of a public wireless LAN infrastructure using a SIM card.

  In order to solve the above-described problems, a wireless communication terminal authentication control apparatus according to the present invention is a wireless communication terminal authentication that controls user authentication of a wireless communication terminal connected to a network using an authentication medium provided by a virtual mobile communication carrier. Authentication information management means for storing user identification information of a wireless communication terminal that is allowed to connect to a network, and user identification information included in an authentication medium mounted on the wireless communication terminal is an authentication information management means Control means for permitting connection of the wireless communication terminal to the network when it is determined whether or not the user identification information is stored in the authentication information management means. And

  According to the present invention, the use contract of the public wireless LAN infrastructure is owned by a provider (MVNO, etc.) different from the provider (MNO, etc.) indicated by the MCC / MNC recorded in the SIM card. Even in this case, the user can easily perform user authentication of the public wireless LAN infrastructure using the SIM card.

It is a schematic block diagram of the radio | wireless communication control system containing the radio | wireless communication terminal authentication control apparatus in 1st Embodiment of this invention. It is a functional block diagram of the radio | wireless communication terminal authentication control apparatus in 1st Embodiment of this invention. It is an example of the database which memorize | stores IMSI in 1st Embodiment of this invention. It is a schematic diagram which shows the information managed by the session management part of the access point in 1st Embodiment of this invention. It is a flowchart which shows the schematic procedure from the wireless communication connection request | requirement of the terminal in embodiment of this invention to communication permission. It is a flowchart which shows the process sequence in 1st Embodiment of this invention. It is a general | schematic process sequence in 1st Embodiment of this invention. It is a functional block diagram of the radio | wireless communication terminal authentication control apparatus in 2nd Embodiment of this invention. It is a flowchart which shows the process sequence in 2nd Embodiment of this invention. It is a general | schematic process sequence in 2nd Embodiment of this invention. It is a functional block diagram of the radio | wireless communication terminal authentication control apparatus in 3rd Embodiment of this invention. It is an example of the database which matches and memorize | stores IMSI and the destination information of MVNO in 3rd Embodiment of this invention. It is an example of the terminal database which memorize | stores IMSI in 3rd Embodiment of this invention. It is a flowchart which shows the process sequence in 3rd Embodiment of this invention. It is a general | schematic processing sequence in 3rd Embodiment of this invention. It is a functional block diagram of the radio | wireless communication terminal authentication control apparatus in 4th Embodiment of this invention. It is an example of the company database which stores company information in a 4th embodiment of the present invention. It is a flowchart which shows the process sequence in 4th Embodiment of this invention. It is a general | schematic processing sequence in 4th Embodiment of this invention. It is a functional block diagram of the radio | wireless communication terminal authentication control apparatus in 5th Embodiment of this invention. It is an example of the database which matches and memorize | stores IMSI, user ID, and an authentication password in 5th Embodiment of this invention. It is a flowchart which shows the process sequence in 5th Embodiment of this invention. It is a general | schematic processing sequence in 5th Embodiment of this invention. It is a functional block diagram of the radio | wireless communication terminal authentication control apparatus in 6th Embodiment of this invention. It is an example of the database which matches and memorize | stores a part of IMSI and the destination information of MVNO in 6th Embodiment of this invention. It is a flowchart which shows the process sequence in 6th Embodiment of this invention. It is a functional block diagram of the radio | wireless communication terminal authentication control apparatus in 7th Embodiment of this invention. It is an example of the database which matches and memorize | stores IMSI and utilization restriction information in 7th Embodiment of this invention. It is a schematic diagram which shows the information managed by the session management part in which the utilization restriction information in the seventh embodiment of the present invention is reflected. It is a functional block diagram of the radio | wireless communication terminal authentication control apparatus in 8th Embodiment of this invention. It is a flowchart which shows the process sequence in 8th Embodiment of this invention. It is a general | schematic processing sequence in 8th Embodiment of this invention.

  A wireless communication terminal authentication control apparatus according to an embodiment of the present invention will be described below with reference to the drawings. In addition, in each figure, the same code | symbol is attached | subjected to the part which is the same or it corresponds, The duplication description is simplified thru | or abbreviate | omitted suitably. Note that the authentication processing of the wireless communication terminal in the present embodiment will be described by taking the authentication processing in wireless LAN communication as an example. However, the authentication processing is not limited to wireless LAN communication, and is used when devices are interconnected via a wireless network. It may be applied to other authentication processing. Note that each device in the embodiment described below has as many hardware configurations as necessary, such as a CPU, a RAM, a ROM, an HDD, various interfaces, and a wireless communication antenna, as necessary, in order to realize its functions. It goes without saying that you are doing.

[First Embodiment]
An outline of a wireless communication control system including a wireless communication terminal authentication control apparatus according to the first embodiment of the present invention will be described with reference to FIG. This system includes a wireless communication terminal 10, an AP 20, a wireless communication terminal authentication control device 30, an authentication information management device 40, and a shipping system 50. The wireless communication terminal 10 is a device that connects to the AP 20 using wireless LAN communication, and connects to the Internet via the AP 20 after authentication control described later. In FIG. 1, one wireless communication terminal 10 is connected to the AP 20, but a plurality of wireless communication terminals 10 may be connected. The AP 20 is an access point that connects to the wireless communication terminal 10 using wireless LAN communication and connects the wireless communication terminal 10 to the Internet. In FIG. 1, one AP 20 is connected to the wireless communication terminal authentication control device 30, but there may be a plurality of APs 20.

  The wireless communication terminal 10 includes a terminal wireless communication unit 11, a terminal authentication request unit 12, a SIM card 13 as an authentication medium, and an application execution unit 14.

  The terminal wireless communication unit 11 is connected to the AP wireless communication unit 21 via a wireless network, and acquires data to be processed by, for example, the application execution unit 14 from the Internet via the AP wireless communication unit 21 after terminal authentication.

  The terminal authentication request unit 12 acquires IMSI as user identification information stored in the SIM card 13 for terminal authentication and a MAC address unique to the wireless communication terminal 10 and passes them to the terminal wireless communication unit 11. The SIM card 13 purchased from the MNO by the MVNO is inserted into the SIM slot of the wireless communication terminal 10. The authentication medium in the present invention is not limited to the SIM card, but any medium that can store user identification information may be used.

  The AP 20 includes an AP wireless communication unit 21, a terminal authentication server 22, a connection authentication request unit 23, and a session management unit 24. The AP wireless communication unit 21 acquires the IMSI and the MAC address from the wireless communication terminal 10 via the terminal wireless communication unit 11. The terminal authentication server 22 manages the IMSI acquired via the terminal wireless communication unit 11. The connection authentication request unit 23 transmits a connection authentication request to the wireless communication terminal authentication control device 30 in response to the terminal authentication server 22 acquiring the IMSI. The session management unit 24 acquires a MAC address via the AP wireless communication unit 21 and stores a communication permission flag indicating whether or not the wireless communication terminal 10 can communicate in association with the MAC address. The session management unit 24 permits the AP 20 to connect the wireless communication terminal 10 with the MAC address to the Internet until the MAC address is stored in the management information and the communication permission flag becomes “1”. do not do.

  For example, the wireless communication terminal authentication control device 30 typified by Radius Proxy controls authentication of a user who uses the wireless communication terminal 10. Although details will be described later with reference to FIG. 2, the connection authentication request is received from the connection authentication request unit 23 of the AP 20, and the authentication result received from the predetermined authentication server is returned to the connection authentication request unit 23 of the AP 20. Also, it plays a role of distributing the connection authentication request to the authentication control management device of the communication carrier designated by the destination included in the connection authentication request. The connection authentication request includes user identification information, and the user identification information includes IMSI.

  The authentication information management device 40 is an authentication information management unit that manages authentication information used for user authentication of the wireless communication terminal, and functions as a storage unit that stores IMSI. Note that the authentication information management device 40 preferably stores the IMSI stored in the SIM card 13 at least before the SIM card 13 is provided to the user. Specifically, it is preferable that the SIM card 13 is stored in the authentication information management device 40 almost simultaneously with the shipment of the SIM card 13 to the user.

  The shipping system 50 is a system for shipping a SIM card to a user or a SIM card dealer. When the SIM card is shipped, the IMSI assigned to the SIM card is registered in the authentication information management apparatus 40.

  Next, the wireless communication terminal authentication control device 30 in the first embodiment will be described with reference to FIG. The wireless communication terminal authentication control device 30 determines whether or not the user identification information of the wireless communication terminal 10 is stored in the authentication information management device 40, and the user identification information is stored in the authentication information management device 40. When the determination is made, the wireless communication terminal 10 is permitted to connect to the wireless network.

  When the wireless communication terminal authentication control device 30 determines that the IMSI that is the user identification information is stored in the authentication information management device 40, the wireless communication terminal authentication control device 30 authenticates the connection with a connection permission message that permits the wireless communication terminal 10 to connect to the wireless network. The data is transmitted to the AP 20 via the request unit 23. On the other hand, when the wireless communication terminal authentication control device 30 determines that the IMSI is not stored in the authentication information management device 40, the connection authentication requesting unit 23 sends a connection rejection message for refusing the connection of the wireless communication terminal 10 to the wireless network. To the AP 20 via.

  Next, an example of IMSI stored in the authentication information management device 40 in the first embodiment will be described with reference to FIG. Here, for example, “429011234567890”, “310150123456789”, “3104107336067599”, and “4401012345567890” are stored in the authentication information management apparatus 40 as the IMSI. The wireless communication terminal authentication control device 30 determines whether or not the user identification information included in the connection authentication request matches these IMSIs stored in the authentication information management device 40.

  Next, an example of management information managed and stored by the session management unit 24 in the first embodiment will be described with reference to FIG. The session management unit 24 stores a MAC address, an internal process ID, and a communication permission state that are numbers unique to the wireless communication terminal 10 in association with each other. The internal process ID is a unique arbitrary character string issued each time the connection authentication request unit 23 makes a connection authentication request. The communication permission state is represented by “1” or “0”, “1” indicates a state where the inquiry of the wireless communication terminal 10 is completed and communication is permitted, and “0” indicates that the inquiry is being accepted or communication is rejected. It shows the state being done. In addition, when communication is refused, it is preferable to hold | maintain the state of "0" for several minutes, for example. Thereby, it is possible to prevent multiple inquiries from the wireless communication terminal 10 from being concentrated.

  Here, the communication permission for the upper MAC address “00004c001234” and the PID “12345” is “1”, and the communication permission for the middle MAC address “abcdef123456” and the PID “23456” is “0”. The communication permission for the lower MAC address “123456abcdef” and the PID “34567” is “0”, but it goes without saying.

  Next, a schematic procedure from the wireless communication connection request to the Internet of the wireless communication terminal 10 in the present embodiment to the communication permission will be described with reference to FIG.

  The wireless communication terminal 10 makes a wireless communication connection request including the MAC address of the own terminal to the AP 20 via the terminal wireless communication unit 11 (step S01).

  The AP 20 acquires the MAC address of the wireless communication terminal 10 included in the wireless communication connection request, confirms whether the MAC address is registered in the stored management information (step S02), and sets communication permission in the management information. If registered (step S02, YES), the wireless communication terminal 10 is connected to the Internet (step S03). If not registered (NO in step S02), the AP 20 acquires SIM card information including user identification information from the wireless communication terminal 10 (step S04), and issues a connection authentication request including user identification information to the wireless communication terminal. It transmits to the authentication control apparatus 30 (step S05).

  The wireless communication terminal authentication control apparatus 30 determines whether or not “wlan” is included in the user identification information included in the connection authentication request or whether the IMSI is stored in the DB (step S06). A control process related to authentication is performed, and a message indicating a result of connection determination is returned based on the result of the authentication process. For example, when the user identification information includes “wlan” and the IMSI is stored in the DB, or the user identification information does not include “wlan” and the authentication result by the domain to which the request is transferred is authenticated OK. If it is, it is determined that the connection is possible (step S06, YES), and a connection permission message is returned (step S07). On the other hand, if the user identification information includes “wlan” and the IMSI is not stored in the DB, or if the user identification information does not include “wlan” and the authentication result by the domain to which the request is transferred is authentication NG If it is, it is determined that the connection is impossible (step S06, NO), and a connection rejection message is returned (step S08). The control process related to authentication and the determination of whether connection is possible will be described in detail with reference to FIG.

  The AP 20 permits (step S09) or rejects (step S010) the communication of the wireless communication terminal 10 with the Internet based on the connection determination result. When the AP 20 receives the connection permission message, the AP 20 registers the MAC address of the wireless communication terminal 10 in the management information as communication permission (step S011).

  Next, a processing procedure until the wireless communication terminal authentication control device 30 according to the first embodiment receives a connection authentication request and transmits a message indicating a connection permission / inhibition determination result will be described with reference to FIG. First, the wireless communication terminal authentication control device 30 receives user identification information together with a connection authentication request from the connection authentication request unit 23 of the AP 20 (step S1).

  Next, the wireless communication terminal authentication control device 30 checks whether or not “wlan” is written at the head of the domain name indicated after @ of the user identification information included in the connection authentication request (step S2). .

  When the wireless communication terminal authentication control apparatus 30 confirms that the “wlan” is written at the head of the domain name (step S2, YES), it extracts the IMSI from the user identification information included in the connection authentication request (step S2). Step S3). On the other hand, when the wireless communication terminal authentication control device 30 confirms that there is no “wlan” notation at the head of the domain name (step S2, YES), it indicates the domain name that does not include at least the “wlan” notation. The connection authentication request is transferred to a destination (a predetermined communication carrier such as an MNO that manages user authentication control) (step S6).

  After step S3, in the wireless communication terminal authentication control device 30, the extracted IMSI is the authentication information management device 40 ("DB" for the sake of illustration. The same applies to each of the processing procedures shown in FIG. 5 and subsequent figures). (Step S4). When the wireless communication terminal authentication control device 30 determines that the extracted IMSI is stored in the authentication information management device 40 (step S4, YES), the wireless communication terminal authentication control device 30 transmits a connection permission message to the connection authentication request unit 23 (step S4). S5). On the other hand, when the wireless communication terminal authentication control device 30 determines that the extracted IMSI is not stored in the authentication information management device 40 (step S4, NO), it transmits a connection rejection message to the connection authentication request unit 23 (step S4). S7).

  Next, a schematic procedure from the wireless communication connection request to the Internet of the wireless communication terminal 10 in the present embodiment to the communication permission will be described with reference to FIG. Here, the IMSI of the SIM card 13 shipped to the user by the shipping system 50 is stored in the authentication information management device 40 in advance, and the management information stored in the session management unit 24 of the AP 20 includes the wireless communication terminal 10. It is assumed that no MAC address is registered. First, the wireless communication terminal 10 makes a wireless communication connection request including the MAC address of its own terminal to the AP 20 via the terminal wireless communication unit 11 [1].

  Next, when the AP 20 receives the wireless communication connection request from the AP wireless communication unit 21, the session management unit 24 of the AP 20 transmits the wireless communication terminal 10 included in the wireless communication connection request via the AP wireless communication unit 21. The MAC address is acquired, and it is confirmed whether the MAC address is registered as communication permission in the stored management information. The session management unit 24 connects the wireless communication terminal 10 to the Internet if the MAC address of the wireless communication terminal 10 is registered in the management information, and uses the SIM card information for the connection authentication request unit 23 if not registered. Ask for authentication. Here, since the MAC address is not registered in the management information, the session management unit 24 issues the internal process ID described in FIG. 4 and registers the management information in association with the MAC address of the wireless communication terminal 10. At this time, since the session management unit 24 has not yet permitted the communication of the wireless communication terminal 10, the communication permission state is set to “0” and is associated with the MAC address of the wireless communication terminal 10 and the internal process ID as described above. To register in management information. Then, the session management unit 24 requests authentication from the connection authentication request unit 23 together with the issued internal process ID.

  The connection authentication request unit 23 requests authentication from the terminal authentication server 22. The terminal authentication server 22 transmits a SIM card information acquisition request (for example, EAP-Request / Identity) to the wireless communication terminal 10 via the AP wireless communication unit 21. When the terminal wireless communication unit 11 receives the SIM card information acquisition request, the terminal authentication request unit 12 of the wireless communication terminal 10 performs communication for specifying the IMSI and the communication carrier from the SIM card 13 mounted on the wireless communication terminal 10. User identification information obtained by acquiring carrier information, etc. and combining IMSI and domain name indicating carrier information (example: 1440101234567890@wlan.mnc10.mcc440. 3gppnetwork.org “440101234567890” is an example of IMSI, “440” Is an example of MCC, “10” is an example of MNC, “1234567890” is an example of a subscriber number, “3gppnetwork.org” is an example of a standard domain name when using SIM authentication defined in the 3GPP standard) The generated SIM card information including the user identification information is transmitted to the AP wireless communication unit 21 via the terminal wireless communication unit 11. The user identification information is transmitted from the wireless communication terminal 10 to the AP 20 as a message such as a User-Name attribute, an EAP-Response / Identity attribute, or an EAP-Response / SIM / Start attribute.

  When receiving the SIM card information including the user identification information from the terminal wireless communication unit 11, the AP wireless communication unit 21 of the AP 20 passes this to the terminal authentication server 22. The terminal authentication server 22 passes these pieces of information to the connection authentication request unit 23. The connection authentication request unit 23 transmits a connection authentication request including user identification information included in the acquired SIM card information to the wireless communication terminal authentication control device 30 [2].

  When receiving the connection authentication request, the wireless communication terminal authentication control device 30 extracts the IMSI from the user identification information included in the connection authentication request and inquires whether the IMSI is stored in the authentication information management device 40 [3]. The authentication information management device 40 replies to the wireless communication terminal authentication control device 30 with a determination result as to whether the IMSI is stored. Here, since the IMSI of the wireless communication terminal 10 is stored in the authentication information management device 40, a determination result indicating storage is returned to the wireless communication terminal authentication control device 30 [4]. The wireless communication terminal authentication control device 30 replies to the AP 20 with a message indicating a connection permission / inhibition determination result based on the determined determination result. Here, a connection permission message is returned based on the determination result with storage [5].

  The connection authentication request unit 23 of the AP 20 receives a message indicating the connection permission / inhibition determination result from the wireless communication terminal authentication control device 30 as a response to the connection authentication request. Here, since the IMSI of the wireless communication terminal 10 is stored in the authentication information management device 40, the connection authentication request unit 23 receives a connection permission message indicating that the connection of the wireless communication terminal 10 to the Internet is permitted.

  Upon receiving the connection permission message, the session management unit 24 changes and registers the communication permission state corresponding to the internal process ID included in the connection permission message as “1” in the management information, and sets the communication permission state to “1”. For the wireless communication terminal 10 with the MAC address, transmission / reception of communication between the Internet and the wireless communication terminal 10 is permitted [6]. Further, when the session management unit 24 receives a connection refusal message indicating that the connection of the wireless communication terminal 10 to the Internet is rejected to the connection authentication request unit 23, the communication permission state of the management information is “0”. The connection rejection is notified to the wireless communication terminal 10 via the AP wireless communication unit 21.

  Thereafter, the wireless communication terminal 10 starts wireless communication to the Internet via the AP 20 [7].

  As described above, according to the first embodiment, a provider (MVNO, etc.) different from the provider (MNO, etc.) indicated by the MCC / MNC recorded in the SIM card has a public wireless LAN infrastructure usage contract. Even if it is, the user identification information (IMSI) of the SIM card that is provided by the MNO that is the wireless communication carrier is stored in the authentication information management device 40, and the stored IMSI and AP2 are connected to the Internet. By collating with the IMSI acquired from the wireless communication terminal 10 requesting the user, the user can easily perform user authentication.

[Second Embodiment]
Next, a schematic configuration of a wireless communication control system including the wireless communication terminal authentication control device 30 according to the second embodiment of the present invention will be described with reference to FIG. In addition, description about the same structure as 1st Embodiment is abbreviate | omitted, and demonstrates mainly the structure which appears for the first time in 2nd Embodiment.

  In the second embodiment, subsequent processing when the wireless communication terminal authentication control device 30 determines that the IMSI is not stored in the authentication information management device 40 is different from that in the first embodiment. That is, in the second embodiment, when the wireless communication terminal authentication control device 30 determines that the IMSI is not stored in the authentication information management device 40, it is determined that the IMSI is not stored in the authentication information management device 40. The connection authentication request is transferred to an authentication control management device of a predetermined communication carrier such as an MNO that manages user authentication control indicated by the domain name of the original user identification information included in the connection authentication request.

  In FIG. 8, the A company authentication server 61 and the A company authentication database 62 (hereinafter referred to as “A company authentication DB”), the B company authentication server 71 and the B company authentication database 72 (hereinafter referred to as “B company authentication DB”). This corresponds to an authentication control management device of a predetermined communication carrier. Hereinafter, all the names of the constituent elements including “database” will be represented by “DB” which is an abbreviation thereof.

  A processing procedure until the wireless communication terminal authentication control device 30 according to the second embodiment receives a connection authentication request and transmits a message indicating a connection permission / inhibition determination result will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the process procedure demonstrated in FIG. 6 of 1st Embodiment. That is, in the second embodiment, when the wireless communication terminal authentication control device 30 determines in step S4 that the IMSI is not stored in the authentication information management device 40 (step S4, NO), the subsequent processing is the first. In this case, the connection authentication request is transferred to the A company authentication server 61 or the B company authentication server 71 indicated by the domain name of the user identification information included in the connection authentication request (step S16).

  Next, a schematic procedure of wireless communication processing in the second embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the procedure shown in FIG. 7 of 1st Embodiment. That is, here, unlike the case described in the first embodiment, it is assumed that the IMSI is not stored in the authentication information management device 40. The second embodiment is different from the first embodiment in the procedure after [4] for returning the determination result of whether or not the authentication information management device 40 stores the IMSI to the wireless communication terminal authentication control device 30.

  First, since the IMSI of the wireless communication terminal 10 is not stored, the authentication information management apparatus 40 returns a determination result indicating no storage to the wireless communication terminal authentication control apparatus 30. Upon receiving the determination result indicating no storage, the wireless communication terminal authentication control device 30 transfers the connection authentication request to the A company authentication server 61 or the B company authentication server 71 indicated by the domain name of the user identification information included in the connection authentication request. Then, a determination inquiry is made [11]. Then, the A company authentication server 61 or the B company authentication server 71 inquires of the A company authentication DB 62 or the B company authentication DB 72 and performs authentication processing based on the user identification information included in the connection authentication request [12]. The authentication determination result is received from the DB 62 or the B company authentication DB 72 [13], and the determination result is returned to the wireless communication terminal authentication control device 30 [14]. The wireless communication terminal authentication control device 30 replies to the AP 20 with a message indicating the connection permission / inhibition determination result based on the determined determination result [5]. The subsequent steps are the same as those in [6] and thereafter in FIG. 7 of the first embodiment.

  As described above, according to the second embodiment, even when the IMSI is not stored in the authentication information management device 40, the authentication process is performed in the MNO, so the usage contract is made between the public wireless LAN operator and the MVNO operator. Even if there is not, if there is a usage contract between the public wireless LAN operator and the MNO operator, it is possible to avoid a situation in which the user cannot receive the wireless communication service without performing user authentication. .

[Third Embodiment]
Next, a schematic configuration of a wireless communication control system including the wireless communication terminal authentication control device 30 according to the third embodiment of the present invention will be described with reference to FIG. In addition, description about the structure similar to 1st Embodiment and 2nd Embodiment is abbreviate | omitted, and demonstrates the structure which appears for the first time in 3rd Embodiment.

  The third embodiment is characterized in that the role of the authentication information management device 400 is different from that of the first embodiment and the authentication processing is performed by the terminal authentication control management device of the MVNO. That is, the authentication information management apparatus 400 stores the destination information of the end authentication control management apparatus that manages user authentication control by MVNO and the user identification information stored in the SIM card in association with each other.

  When the wireless communication terminal authentication control device 30 determines that the IMSI is stored in the authentication information management device 400, the wireless communication terminal authentication control device 30 sends a connection authentication request including the IMSI determined to be stored in the authentication information management device 400 to the connection authentication request. Transfer to the terminal authentication control management device indicated by the destination information stored corresponding to the IMSI. The C company authentication server 83, the terminal DB 82 and the shipping system 81, and the D company authentication server 93, the terminal DB 92, and the shipping system 91 shown in FIG. 11 correspond to the terminal authentication control management device.

  Next, an example of the correspondence between IMSI and destination information stored in the authentication information management apparatus 400 in the third embodiment will be described with reference to FIG. Here, the destination “MVNO-C” is stored in correspondence with the IMSI “440101234556790”, the destination “MVNO-D” is stored in correspondence with the IMSI “440100123456789”, and the destination “MVNO” in correspondence with the IMSI “440010073606759”. -D "is stored, and the destination" MVNO-C "is stored corresponding to the IMSI" 4401012345567890 ". That is, the radio communication terminal authentication control apparatus 30 may identify a destination corresponding to the IMSI with reference to these, and transfer the connection authentication request to the terminal authentication control management apparatus of the MVNO indicated by the identified destination.

  Next, an example of IMSI stored in the terminal DB 82 or the terminal DB 92 in the third embodiment will be described with reference to FIG. The terminal DB 82 and terminal DB 92 in the third embodiment have the same functions as the authentication information management apparatus 40 in the first embodiment, but the terminal DB 82 and terminal DB 92 are different from the first embodiment in the installation location. Is different. That is, the third embodiment is greatly different from the first embodiment in that it is installed in the MVNO. Note that the IMSI example in FIG. 13 is the same as the IMSI in FIG. 3 described in the first embodiment, and a description thereof will be omitted.

  Next, a processing procedure in the third embodiment will be described with reference to FIG. Note that the description of the same procedure as that described in FIG. 6 of the first embodiment and FIG. 9 of the second embodiment is omitted. That is, in the third embodiment, the procedure after the wireless communication terminal authentication control device 30 determines that the IMSI is stored in the authentication information management device 400 in step S4 (step S4, YES) is the first embodiment or the like. And different.

  Thereafter, the wireless communication terminal authentication control device 30 transfers the connection authentication request to the terminal authentication control management device of the MVNO indicated by the destination stored corresponding to the IMSI determined to be stored in the authentication information management device 400. (Step S21).

  Thereafter, each company authentication server determines whether or not the IMSI is stored in each company terminal DB in the terminal authentication control management device (step S22), and when it is determined that the IMSI is stored in each company terminal DB (step S22, YES), each company authentication server transmits a connection permission message to the wireless communication terminal authentication control device 30 (step S23). On the other hand, when it is determined that no IMSI is stored in each company end DB (step S22, NO), each company authentication server transmits a connection rejection message to the wireless communication terminal authentication control device 30 (step S24).

  Next, a schematic procedure of wireless communication processing in the third embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the procedure shown in FIG. 7 of 1st Embodiment. That is, here, the procedure after [4] in which the wireless communication terminal authentication control apparatus 30 returns that the IMSI is stored in the authentication information management apparatus 400 is different from the first embodiment. In this figure, the A company authentication server 61 and the A company authentication DB 62, and the B company authentication server 71 and the B company authentication DB 72 shown in FIG. 10 are excluded, but for convenience of illustration. This does not mean that the third embodiment does not include these configurations. Here, it is assumed that the IMSI of the wireless communication terminal 10 that has transmitted the wireless communication connection request is stored in the terminal DB 82 of the company C or the terminal DB 92 of the company D.

  The wireless communication terminal authentication control device 30 authenticates connection to the C company authentication server 83 or the D company authentication server 93 included in the terminal authentication control management device specified by the destination information corresponding to the IMSI stored in the authentication information management device 400. Forward the request [21]. The C company authentication server 83 or the D company authentication server 93 determines whether the IMSI is stored in the terminal DB 82 or the terminal DB 92 [22], and obtains a determination result [23]. Here, since the IMSI of the wireless communication terminal 10 is stored in the terminal DB 82 or the terminal DB 92, an authentication OK determination result is obtained. Thereafter, the C company authentication server 83 or the D company authentication server 93 returns the obtained authentication OK determination result to the wireless communication terminal authentication control apparatus 30 [24]. Based on the determination result, the wireless communication terminal authentication control device 30 replies to the AP 20 with a message indicating whether the connection is permitted [5]. Here, a connection permission message is returned to the AP 20 based on the determination result of the authentication OK. The subsequent steps are the same as those in [6] onward in the first embodiment.

  As described above, according to the third embodiment, the wireless communication terminal authentication control device 30 identifies the end authentication control management device of MVNO corresponding to the IMSI included in the connection authentication request, and connects to the identified end authentication control management device. Since authentication requests are distributed and authentication control is performed based on the IMSI included in the connection authentication request received by the terminal authentication control management device, the MVNO enables reliable and easy authentication processing, and wireless communication terminal authentication control. Since the apparatus 30 only needs to distribute the transfer destination of the connection authentication request, there is an advantage that the processing load is reduced.

  In the third embodiment, the IMSI is stored in the authentication information management apparatus 400, and the terminal DB 82 and the terminal DB 92, but the IMSI may not be stored on the terminal DB side. For example, the usage restriction processing on the MVNO side can be easily performed by not storing in the terminal DB the IMSI assigned to the usage-restricted user such as the upper limit of the usage fee or the allowable communication data amount. Is possible. In addition, for example, when a user loses a wireless communication terminal or encounters theft, temporary use restriction can be performed quickly and easily.

[Fourth Embodiment]
Next, a schematic configuration of a wireless communication control system including the wireless communication terminal authentication control device 30 according to the fourth embodiment of the present invention will be described with reference to FIG. In addition, the description which overlaps with 1st Embodiment etc. is abbreviate | omitted, and demonstrates mainly the structure which appears for the first time in 4th Embodiment.

  The fourth embodiment is characterized in that an operator DB 41 is added to the configuration of the second embodiment. That is, the fourth embodiment further includes a business entity DB 41 as business operator identification information storage means for storing business operator identification information for identifying a predetermined communication business operator. The wireless communication terminal authentication control device 30 determines whether or not the IMSI is stored in the authentication information management device 40 when the carrier identification information included in the IMSI is stored in the carrier DB 41.

  An example of company identification information stored in the company DB 41 will be described with reference to FIG. Here, a character string composed of 5 to 6 digits representing “MCC” and “MNC” is adopted as the carrier identification information. For example, “44010” in the upper row indicates that “440” indicates MCC and “10” indicates a predetermined business operator. In the lower “310410”, “310” indicates MCC and “410” indicates a predetermined business operator. When the radio communication terminal authentication control device 30 extracts the IMSI, first, it refers to this business entity DB 41 and confirms whether or not it is necessary to determine whether or not the IMSI is stored in the authentication information management device 40. To do.

  Next, a processing procedure in the fourth embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the process procedure demonstrated in FIG. 9 of 2nd Embodiment. That is, in the fourth embodiment, the procedure after the IMSI is extracted in step S3 is different from that in the second embodiment.

  The wireless communication terminal authentication control device 30 determines whether or not a character string composed of “MCC” and “MNC” included in the extracted IMSI is stored in the provider DB 41 (step S31). When the wireless communication terminal authentication control device 30 determines that the character string consisting of “MCC” and “MNC” is stored in the operator DB 41 (YES in step S31), the IMSI is stored in the authentication information management device 40. It is determined whether or not it has been performed (step S32).

  When the wireless communication terminal authentication control device 30 determines that the IMSI is stored in the authentication information management device 40 (step S32, YES), it transmits a connection permission message to the AP 20 (step S33). On the other hand, when the wireless communication terminal authentication control device 30 determines that the character string consisting of “MCC” and “MNC” included in the extracted IMSI is not stored in the provider DB 41 (step S31, NO), the wireless communication terminal The authentication control device 30 transfers the connection authentication request to the A company authentication server 61 or the B company authentication server 71 indicated by the domain name included in the connection authentication request (step S34).

  A schematic procedure of wireless communication processing in the fourth embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the procedure shown in FIG. 10 of 2nd Embodiment. That is, here, the procedure after [2] in which the radio communication terminal authentication control device 30 extracts the IMSI is different from that of the second embodiment. Here, unlike the case described in the second embodiment, the IMSI of the wireless communication terminal 10 is stored in the authentication information management device 40, and the carrier identification information “44010” extracted from the IMSI is stored in the carrier DB 41. Suppose that Here, the A company authentication server 61 and the A company authentication DB 62, and the B company authentication server 71 and the B company authentication DB 72 are omitted for convenience of illustration.

  The wireless communication terminal authentication control device 30 determines whether or not the carrier identification information “MCC = 440” and “MNC = 10” extracted from the IMSI is stored in the carrier DB 41 [31]. Here, since the operator identification information “MCC = 440” and “MNC = 10” are stored in the operator DB 41, it is determined that the operator identification information exists. After obtaining the determination result [32], the wireless communication terminal authentication control apparatus 30 determines whether or not the IMSI is stored in the authentication information management apparatus 40 because the determination result includes the operator identification information. [33]. Here, since the IMSI of the wireless communication terminal 10 is stored in the authentication information management device 40, the wireless communication terminal authentication control device 30 obtains a determination result indicating storage [34]. The procedure after obtaining the determination result with storage is the same as that after [5] in FIG. 7 of the first embodiment.

  As described above, according to the fourth embodiment, the wireless communication terminal authentication control device 30 first confirms the carrier identification information “MCC” and “MNC” in the extracted IMSI, and whether or not this is stored in the carrier DB 41. Only when the carrier identification information “MCC” and “MNC” are stored in the carrier DB 41, the processing for determining whether the IMSI is stored in the authentication information management device 40 is performed. When it is determined that the information “MCC” and “MNC” are not stored in the provider DB 41, the authentication information management device 40 is not processed and the destination indicated by the domain name included in the connection authentication request is sent to the destination. Since the connection authentication request is transferred, it is not necessary for the subscriber stored in the authentication information management device 40 to always check all the IMSI digits for hundreds of thousands of users, thereby reducing the search load. It is possible.

[Fifth Embodiment]
Next, a schematic configuration of a wireless communication control system including the wireless communication terminal authentication control device 30 according to the fifth embodiment of the present invention will be described with reference to FIG. In addition, the description which overlaps with 3rd Embodiment etc. is abbreviate | omitted, and demonstrates mainly the structure which appears for the first time in 5th Embodiment. In the fifth embodiment, an E company authentication server 201 and an E company authentication DB 202, and an F company authentication server 301 and an F company authentication DB 302 are added as MVNO authentication control management devices. For convenience of illustration, the A company authentication server 61 and the A company authentication DB 62, the B company authentication server 71, and the B company authentication DB 72 are omitted.

  The authentication information management apparatus 40 in the third embodiment stores the IMSI and destination information corresponding thereto, whereas in the fifth embodiment, the authentication information management apparatus 410 includes the IMSI and the destination information. Correspondingly, the feature is that a user ID and an authentication password used for authentication in the terminal authentication control management apparatus of MVNO are stored.

  That is, the authentication information management apparatus 410 in the fifth embodiment generates a user ID and an authentication password used for user authentication in the terminal authentication control management apparatus that manages user authentication control by MVNO based on the IMSI stored in the SIM card. The generated user ID and authentication password are stored in association with the IMSI. When the wireless communication terminal authentication control apparatus 30 determines that the extracted IMSI is stored in the authentication information management apparatus 410, the user ID and authentication corresponding to the extracted IMSI stored in the authentication information management apparatus 410 are stored. The password is transferred to the terminal authentication control management device of MVNO indicated by the destination information included in the user ID.

  Next, an example of IMSI stored in the authentication information management apparatus 410 according to the fifth embodiment and a user ID and authentication password corresponding to the IMSI will be described with reference to FIG.

  Here, a user ID “4401012345567890@MVNO-E.jp” and an authentication password “vwxyz12345” are stored corresponding to the IMSI “4401012345567890”, and a user ID “01234456789@MVNO-F.jp” is stored corresponding to the IMSI “440100123456789”. ”And the authentication password“ Abcd12345 ”are stored, the user ID“ 7360667599@MVNO-F.jp ”and the authentication password“ 98765asdfg ”are stored in correspondence with the IMSI“ 440010073606759 ”, and the user ID is stored in correspondence with the IMSI“ 440101234567890 ”. “440101234556791@MVNO-E.jp” and the authentication password “qwertyuiop” are the authentication information tube. Stored in the device 410. Needless to say, these are examples. The wireless communication terminal authentication control device 30 transfers the connection authentication request to the terminal authentication control management device of the MVNO specified based on these pieces of information stored in the authentication information management device 410.

  Next, a processing procedure in the fifth embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the process procedure demonstrated in FIG. 14 of 3rd Embodiment. That is, in the fifth embodiment, the procedure after the wireless communication terminal authentication control device 30 determines that the IMSI is stored in the authentication information management device 410 in step S4 is different from the third embodiment. Here, the E company authentication DB 202 or the F company authentication DB 302 stores a user ID and an authentication password corresponding to the user (or IMSI) who uses the wireless communication terminal 10 that has transmitted the wireless communication connection request. .

  The wireless communication terminal authentication control device 30 converts the user identification information included in the connection authentication request into the user ID stored in the authentication information management device 410 corresponding to the IMSI (step S41). Then, the wireless communication terminal authentication control device 30 transfers the connection authentication request including the user ID to the terminal authentication control management device of the MVNO specified by the destination information indicated by the domain name included in the converted user ID (step) S42).

  A schematic procedure of wireless communication processing in the fifth embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the procedure shown in FIG. 15 of 3rd Embodiment. That is, here, the procedure after [2] in which the radio communication terminal authentication control device 30 extracts the IMSI is different from that of the third embodiment.

  The wireless communication terminal authentication control device 30 determines that the IMSI is stored in the authentication information management device 410 [41], and then the user stored in the authentication information management device 410 corresponding to the IMSI of the wireless communication terminal 10 The ID and authentication password are received [42]. The wireless communication terminal authentication control device 30 converts the user identification information into a user ID in the E company authentication server 201 or F company authentication server 301 specified by the destination information indicated by the domain name included in the received user ID, The connection authentication request including the user ID and the authentication password is transferred together with the user ID and the authentication password [43].

  The E company authentication server 201 or the F company authentication server 301 refers to the E company authentication DB 202 or the F company authentication DB 302 and transmits a wireless communication connection request using the user ID and the authentication password included in the transferred connection authentication request. The user authentication of the user who uses the wireless communication terminal 10 is executed [44], and an authentication determination result is obtained [45]. Here, since the user ID and the authentication password are stored in the E company authentication DB 202 or the F company authentication DB 302, an authentication OK determination result is obtained. Thereafter, the E company authentication server 201 or the F company authentication server 301 returns an authentication OK authentication result to the wireless communication terminal authentication control apparatus 30 [46]. Based on the determination result of the connection authentication request, the wireless communication terminal authentication control device 30 replies with a message indicating a connection permission / inhibition determination result to the AP 20 [5]. Here, a connection permission message is returned to the AP 20 based on the determination result of the authentication OK. The subsequent steps are the same as those in FIG. 15 of the third embodiment.

  As described above, according to the fifth embodiment, the user ID and the authentication password converted from the IMSI in the authentication information management device 40 are transferred to the terminal authentication control management device of the MVNO together with the connection authentication request, and the terminal authentication control management device of the MVNO In order to perform user authentication control using the transferred user ID and authentication password, the MVNO operator uses a conventional authentication control management apparatus using an ID and password without being aware of the presence of the SIM card. Thus, user authentication can be performed easily.

[Sixth Embodiment]
Next, a schematic configuration of a wireless communication control system including the wireless communication terminal authentication control device 30 according to the sixth embodiment of the present invention will be described with reference to FIG. In addition, the description which overlaps with 3rd Embodiment etc. is abbreviate | omitted, and demonstrates mainly the structure which appears for the first time in 6th Embodiment.

  Whereas the authentication information management device 40 in the third embodiment stores all the digits constituting the IMSI, in the sixth embodiment, the authentication information management device 420 changes the number digits constituting the IMSI. The point to memorize is a feature.

  That is, the authentication information management apparatus 420 in the sixth embodiment corresponds to the destination information of the terminal authentication control management apparatus that manages user authentication control by MVNO and a part of character strings included in the IMSI stored in the SIM card. Let me remember. When the wireless communication terminal authentication control device 30 determines that a part of the character string included in the extracted IMSI is stored in the authentication information management device 420, the wireless communication terminal authentication control device 30 determines that it is stored in the authentication information management device 420. The connection authentication request including the IMSI including the read character string is transferred to the terminal authentication control management device of the MVNO indicated by the destination information stored corresponding to the character string.

  Next, an example of part of IMSI and destination information stored in the authentication information management apparatus 420 according to the sixth embodiment will be described with reference to FIG. Here, a part of the IMSI is “MCC + MNC + first two digits of MSIN”, which is a total of 7 digits or 8 digits, but is not limited to this.

  Here, the destination information “MVNO-C” is stored corresponding to the IMSI part “4401005”, and the destination information “MVNO-D” is stored corresponding to the IMSI part “4401004”. The destination information “MVNO-D” is stored corresponding to the part “4401004”, and the destination information “MVNO-C” is stored corresponding to a part “4401005” of the IMSI. Needless to say, these are examples.

  Next, a processing procedure in the sixth embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the process procedure demonstrated in FIG. 14 of 3rd Embodiment. That is, in the sixth embodiment, the procedure after the wireless communication terminal authentication control device 30 extracts the IMSI in step S3 is different from the third embodiment.

  The wireless communication terminal authentication control device 30 determines whether a part of the extracted IMSI is stored in the authentication information management device 420 (step S51). When the wireless communication terminal authentication control device 30 determines that a part of the IMSI is stored in the authentication information management device 420 (step S51, YES), it is indicated by the destination information stored corresponding to the part of the IMSI. The connection authentication request is transferred to the terminal authentication control management device of MVNO (step S52). On the other hand, when the wireless communication terminal authentication control device 30 determines that a part of the IMSI is not stored in the authentication information management device 420 (step S51, NO), the destination information indicated by the domain name included in the connection authentication request The connection authentication request is transferred to the MNO authentication control management device specified in step S53. The procedure after step S52 is the same as step S22 of FIG. 14 of the third embodiment. Note that the schematic procedure of the wireless communication process in the sixth embodiment is the same as the procedure of FIG. 14 described in the third embodiment, and thus illustration and description thereof are omitted.

  As described above, according to the sixth embodiment, there is no need to check all the digits constituting the IMSI for hundreds of thousands in the authentication information management apparatus 420, so that the search load is reduced.

[Seventh Embodiment]
Next, a schematic configuration of a wireless communication control system including the wireless communication terminal authentication control device 30 according to the seventh embodiment of the present invention will be described with reference to FIG. In addition, the description which overlaps with 1st Embodiment etc. is abbreviate | omitted, and demonstrates mainly the structure which appears for the first time in 7th Embodiment.

  The seventh embodiment is different from the first embodiment in that the authentication information management device 430 stores not only IMSI but also use restriction information for restricting use of the wireless communication terminal under a predetermined condition.

  That is, the authentication information management device 430 in the seventh embodiment includes the IMSI stored in the SIM card and the use restriction information for restricting the use of the communication service via the wireless network of the wireless communication terminal 10 using the SIM card. Memorize it in correspondence. And when the IMSI of the wireless communication terminal 10 included in the connection authentication request is stored in the authentication information management device 430, the wireless communication terminal authentication control device 30 in the seventh embodiment makes the AP 20 correspond to the IMSI. The usage restriction information stored in the authentication information management device 430 is transmitted.

  Next, IMSI and usage restriction information stored in the authentication information management apparatus 430 will be described with reference to FIG. Here, “maximum speed”, “time zone”, “data amount”, “line type”, and “application type” when using the wireless communication terminal 10 are used as usage restriction information. The usage restriction information may be used. Note that “ALL” in FIG. 27 means that there is no limit.

  In FIG. 28, from the top, all usage restriction information is stored as “ALL” corresponding to the IMSI “4401012345567890”, the maximum speed “1.0 Mbps” corresponding to the IMSI “440100123456789”, and the time zone “14” −16 ”, data amount“ 2.5 Gb ”, line type“ WPAonly ”, application type“ movie site prohibited ”are stored, maximum speed“ ALL ”, time zone“ 9-11 ”corresponding to IMSI“ 440010073606759 ” 14-17 ”, data amount“ ALL ”, line type“ ALL ”, application type“ ALL ”are stored, and maximum speed“ 10.0 Mbps ”, time zone“ ALL ”, data amount corresponding to IMSI“ 440101234567890 ” “ALL”, line type “EAPonly”, application type “SNS "It is stored. When the wireless communication terminal authentication control device 30 receives the connection authentication request from the AP 20 and the IMSI extracted from the user identification information included in the connection authentication request is stored in the authentication information management device 430, the wireless communication terminal authentication control device 30 corresponds to the IMSI. The usage restriction information is transmitted to the AP 20.

  Next, an example of management information managed by the session management unit 24 of the AP 20 will be described with reference to FIG. This figure is obtained by adding the usage restriction information transmitted from the wireless communication terminal authentication control device 30 to the MAC address of the corresponding wireless communication terminal 10 in FIG. 4 of the first embodiment. Description is omitted. That is, in response to the MAC address assigned to the wireless communication terminal 10 that has made the connection authentication request, the AP 20 stores the use restriction information stored in correspondence with the IMSI extracted from the connection authentication request. Receive from device 30 and store.

  As described above, according to the seventh embodiment, the AP 20 receives the usage restriction information from the wireless communication terminal authentication control device 30 and stores it in the session management unit 24 during the authentication control. Instead, it is possible to apply usage restrictions for each user individually.

[Eighth Embodiment]
Next, a schematic configuration of a wireless communication control system including the wireless communication terminal authentication control device 30 according to the eighth embodiment of the present invention will be described with reference to FIG. In addition, the description which overlaps with 3rd Embodiment etc. is abbreviate | omitted, and demonstrates the structure which appears for the first time in 8th Embodiment.

  The eighth embodiment is characterized in that both the terminal authentication control management device of MVNO and the authentication control management device of MNO are used in the authentication control. FIG. 30 is obtained by adding the A company authentication server 61 and the A company authentication DB 62, and the B company authentication server 71 and the B company authentication DB 72 to FIG. 11 in the third embodiment (however, these are the third embodiment). In FIG. 5 for the convenience of illustration). In the eighth embodiment, the wireless communication terminal authentication control device 30 ′ has a function different from that of the wireless communication terminal authentication control device 30 in the third embodiment.

  That is, the radio communication terminal authentication control device 30 ′ sends a connection authentication request including the IMSI determined to be stored in the authentication information management device 400 to the end authentication of the MVNO indicated by the destination information stored corresponding to the IMSI. The IMSI transferred to the control management apparatus is authenticated by the terminal authentication control management apparatus. Thereafter, the wireless communication terminal authentication control device 30 ′ connects the connection authentication including the IMSI authenticated by the terminal authentication control management device to the MNO authentication control management device that manages the user authentication control indicated by the destination information included in the connection authentication request. Forward the request.

  Since the IMSI and the like are stored in the authentication information management apparatus 400 and the terminal DB in the eighth embodiment are the same as those in the third embodiment, description thereof will be omitted.

  Next, a processing procedure in the eighth embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the process procedure demonstrated in FIG. 14 of 3rd Embodiment. That is, in the eighth embodiment, after the wireless communication terminal authentication control device 30 determines that the IMSI is stored in the authentication information management device 400 in step S21, the destination information corresponding to the stored IMSI is specified. The procedure after the connection authentication request is transferred to the terminal authentication control management device of the MVNO is different from that of the third embodiment.

  The terminal authentication control management device of the MVNO specified by the destination information determines whether authentication is OK or NG for the IMSI included in the connection authentication request (step S61). When it is determined that authentication is OK in the terminal authentication control management device (step S61, YES), the wireless communication terminal authentication control device 30 that has received the determination result next receives the destination indicated by the domain name included in the connection authentication request. The connection authentication request is transferred to the MNO authentication control management device specified by the information (step S62). On the other hand, when it is determined as authentication NG in the terminal authentication control management device (step S61, NO), the wireless communication terminal authentication control device 30 transmits a connection rejection message to the AP 20 (step S65).

  On the other hand, the authentication control management device of the MNO that has received the connection authentication request determines whether authentication is OK or NG for the IMSI included in the connection authentication request (step S63). When the authentication control management apparatus determines that the authentication is OK (step S63, YES), the wireless communication terminal authentication control apparatus 30 transmits a connection permission message to the AP 20. On the other hand, when the authentication control management apparatus determines that the authentication is NG (step S63, NO), the wireless communication terminal authentication control apparatus 30 transmits a connection rejection message to the AP 20 (step S65).

  A schematic procedure of wireless communication processing in the eighth embodiment will be described with reference to FIG. In addition, description is abbreviate | omitted about the procedure which overlaps with the procedure shown in FIG. 15 of 3rd Embodiment. That is, here, the procedure after [4] in which it is determined whether the IMSI is stored in the authentication information management device 400 by the wireless communication terminal authentication control device 30 is different from the third embodiment or the like. Here, it is assumed that the IMSI of the wireless communication terminal 10 is stored in the A company authentication DB 62 or the B company authentication DB 72.

  When the wireless communication terminal authentication control device 30 determines that the IMSI is stored in the authentication information management device 400, the wireless communication terminal authentication control device 30 is a terminal authentication control management device of MVNO specified by the destination information corresponding to the stored IMSI. The connection authentication request is transferred to the company authentication server 83 or the D company authentication server 93 [51].

  The C company authentication server 83 or the D company authentication server 93 determines whether the IMSI is stored in the C company end DB 82 or the D company end DB 92 [52], and obtains a determination result [53]. Thereafter, the C company authentication server 83 or the D company authentication server 93 returns the obtained determination result to the wireless communication terminal authentication control device 30 [54]. Here, since the IMSI of the wireless communication terminal 10 is stored in the terminal DB 82 or the terminal DB 92, an authentication OK determination result is obtained.

  Thereafter, when the wireless communication terminal authentication control device 30 receives the authentication OK determination result from the C company authentication server 83 or the D company authentication server 93, the A company authentication indicated by the domain name of the user identification information included in the connection authentication request. The connection authentication request is transferred to the server 61 or the B company authentication server 71 [55]. The company A authentication server 61 or the company B authentication server 71 refers to the company A authentication DB 62 or the company B authentication DB 72 to perform authentication control based on the IMSI [56], and receives the authentication result [57]. Here, since the IMSI of the wireless communication terminal 10 is stored in the A company authentication DB 62 or the B company authentication DB 72, the A company authentication server 61 or the B company authentication server 71 determines the authentication OK determination result as the wireless communication terminal authentication control. Reply to device 30 [58]. Based on the determination result, the wireless communication terminal authentication control device 30 replies to the AP 20 with a message indicating whether the connection is permitted [5]. Here, a connection permission message is returned to the AP 20 based on the determination result of the authentication OK. The subsequent steps are the same as those in FIG. 15 of the third embodiment.

  As described above, according to the eighth embodiment, since both the MVNO end authentication control management device and the MNO authentication control management device perform authentication processing, it is possible to improve the certainty of the personal authentication. In the description of the above-described eighth embodiment, the terminal authentication control management device of MVNO performs the authentication process first, and then the authentication control management device of MNO is authenticated. However, the present invention is not limited to this. It is also possible to cause the authentication control management device of the MNO to perform authentication processing first, and then cause the terminal authentication control management device of the MVNO to perform authentication processing.

  Each of the above-described embodiments is a preferred embodiment of the present invention, and various modifications can be made without departing from the scope of the present invention. For example, each process in the present embodiment described above can be executed using hardware, software, or a combined configuration of both.

  In the case of executing processing using software, it is possible to install and execute a program in which a processing sequence is recorded in a memory in a computer incorporated in dedicated hardware. Alternatively, the program can be installed and executed on a general-purpose computer capable of executing various processes.

DESCRIPTION OF SYMBOLS 10 Wireless communication terminal 11 Terminal wireless communication part 12 Terminal authentication request part 13 SIM card 14 Application execution part 20 AP
21 AP wireless communication unit 22 Terminal authentication server 23 Connection authentication request unit 24 Session management unit 30 Wireless communication terminal authentication control device 40, 400, 410, 420, 430 Authentication information management device 41 Provider DB
50 Shipping System 61 Company A Authentication Server 62 Company A Authentication DB
71 Company B authentication server 72 Company B authentication DB
81, 91 Shipping system 82, 92 Terminal DB
83 Company C authentication server 93 Company D authentication server 201 Company E authentication server 202 Company E authentication DB 202
301 F company authentication server 302 F company authentication DB

Claims (10)

Wireless communication for controlling authentication of a wireless communication terminal connected to a network from an access point of a wireless communication network different from the network of the communication carrier, using an authentication medium provided by the virtual mobile communication carrier purchased from the communication carrier A terminal authentication control device,
Authentication information management means for storing user identification information of the wireless communication terminal that permits connection to the network;
Control means for determining whether or not user identification information included in an authentication medium mounted on the wireless communication terminal acquired by the access point from the wireless communication terminal is stored in the authentication information management means;
With
The control means sends a connection authentication request including the user identification information transmitted from the access point when terminal identification information of the wireless communication terminal that requests connection to the network is not stored in the access point. If received, it is determined whether or not the user identification information included in the received connection authentication request is stored in the authentication information management means, and the result of determining whether or not the wireless communication terminal can be connected to the network A wireless communication terminal authentication control apparatus that transmits a result of determining whether or not connection is possible to the access point. The control means includes
When it is determined that the user identification information is stored in the authentication information management means, a connection permission for permitting connection of the wireless communication terminal to the network is transmitted to the access point,
When it is determined that the user identification information is not stored in the authentication information management means, a connection authentication request determined that the user identification information is not stored in the authentication information management means is included in the connection authentication request The wireless communication terminal is transferred to an authentication control management device of a predetermined communication carrier that manages user authentication control indicated by the destination information, and based on the authentication determination result received from the authentication control management device of the predetermined communication carrier The wireless communication terminal authentication control apparatus according to claim 1, wherein a connection permission / inhibition determination result, which is a result of determining whether to connect to the network, is transmitted to the access point. The authentication information management means stores destination information of a terminal authentication control management device that manages user authentication control by the virtual mobile communication carrier in association with user identification information stored in the authentication medium,
When the control unit determines that the user identification information is stored in the authentication information management unit, the control unit sends a connection authentication request including the user identification information determined to be stored in the authentication information management unit. Transfer to the terminal authentication control management device indicated by the destination information stored corresponding to the user identification information, and to the network of the wireless communication terminal to the network based on the authentication determination result received from the terminal authentication control management device The wireless communication terminal authentication control apparatus according to claim 1, wherein a connection permission / inhibition determination result, which is a result of determining connection permission / inhibition, is transmitted to the access point. Further comprising a carrier identification information storage means for storing carrier identification information for identifying a predetermined communication carrier,
The control means determines whether or not the user identification information is stored in the authentication information management means when the carrier identification information included in the user identification information is stored in the operator identification information storage means. The wireless communication terminal authentication control apparatus according to claim 1 or 2, characterized in that: The authentication information management means includes a user ID and an authentication password used for user authentication in a terminal authentication control management apparatus that manages user authentication control by the virtual mobile carrier based on user identification information stored in the authentication medium. And storing the generated user ID and authentication password in association with the user identification information,
When the control unit determines that the user identification information is stored in the authentication information management unit, the control unit stores a user ID and an authentication password corresponding to the user identification information stored in the authentication information management unit. Transferred to the terminal authentication control management device indicated by the destination information included in the user ID, and determined whether the wireless communication terminal can be connected to the network based on the authentication determination result received from the terminal authentication control management device The wireless communication terminal authentication control apparatus according to claim 1, wherein a connection result determination result as a result is transmitted to the access point. The authentication information management means includes destination information of a terminal authentication control management apparatus that manages user authentication control by the virtual mobile carrier, and a part of character strings included in user identification information stored in the authentication medium. Is stored in correspondence,
When the control means determines that a part of the character string included in the user identification information is stored in the authentication information management means, the character string determined to be stored in the authentication information management means A connection authentication request including the user identification information including the authentication result transferred to the terminal authentication control management device indicated by the destination information stored corresponding to the character string, and received from the terminal authentication control management device The wireless communication terminal authentication control apparatus according to claim 1, wherein the wireless communication terminal authentication control apparatus according to claim 1, wherein the wireless communication terminal authentication control apparatus transmits a connection permission determination result, which is a result of determining whether the wireless communication terminal is connectable to the network based on the access point. The authentication information management means associates user identification information stored in the authentication medium with use restriction information that restricts use of a communication service via the network of the wireless communication terminal using the authentication medium. Remember,
When the user identification information included in the received connection authentication request is stored in the authentication information management unit when the connection authentication request to the network is received, the control unit corresponds to the user identification information. The wireless communication terminal authentication control apparatus according to claim 1, wherein usage restriction information is transmitted to the access point.   The terminal authentication control management device, wherein the control means indicates a connection authentication request including user identification information determined to be stored in the authentication information management means by destination information stored corresponding to the user identification information Authentication control of a predetermined telecommunications carrier that manages user authentication control indicated by destination information included in the connection authentication request after the transferred user identification information is authenticated by the terminal authentication control management device The wireless communication terminal transfers a connection authentication request including user identification information authenticated by the terminal authentication control management device to the management device, and based on the authentication determination result received from the authentication control management device of the predetermined communication carrier 7. A connection permission determination result, which is a result of determining whether to connect to the network, is transmitted to the access point. Wireless communication terminal authentication control apparatus according to (1). Wireless communication for controlling authentication of a wireless communication terminal connected to a network from an access point of a wireless communication network different from the network of the communication carrier, using an authentication medium provided by the virtual mobile communication carrier purchased from the communication carrier A control method for a terminal authentication control device,
Included in the authentication medium mounted on the wireless communication terminal obtained from the wireless communication terminal when the terminal identification information of the wireless communication terminal that requests connection to the network is not stored in the access point Receiving a connection authentication request including user identification information from the access point;
Determining whether or not the user identification information included in the received connection authentication request is stored in authentication information management means for storing user identification information of the wireless communication terminal permitting connection to the network; ,
Transmitting a connection determination result, which is a result of determining whether the wireless communication terminal can be connected to the network, to the access point;
The control method characterized by including. Wireless communication for controlling authentication of a wireless communication terminal connected to a network from an access point of a wireless communication network different from the network of the communication carrier, using an authentication medium provided by the virtual mobile communication carrier purchased from the communication carrier A program to be executed by the terminal authentication control device,
Included in the authentication medium mounted on the wireless communication terminal obtained from the wireless communication terminal when the terminal identification information of the wireless communication terminal that requests connection to the network is not stored in the access point Receiving a connection authentication request including user identification information from the access point;
A procedure for determining whether or not the user identification information included in the received connection authentication request is stored in authentication information management means for storing user identification information of the wireless communication terminal that permits connection to the network; ,
A procedure for transmitting to the access point a connection determination result that is a result of determining whether the wireless communication terminal can connect to the network;
The program characterized by including.

Images