JP4689225B2 - Wireless network system, wireless terminal accommodating device, and communication device - Google Patents

Description

  The present invention relates to a wireless network system in which an authentication server for performing authentication of a wireless terminal on a network, a wireless terminal accommodating device and a communication device that constitute a communication network in the wireless network system.

As a wireless network system in which an authentication server for performing authentication of a wireless terminal is arranged on a network, for example, the one disclosed in Patent Document 1 is known. That is, in Patent Document 1, in a wireless LAN system having an authentication server on a network, when a client terminal moves to a communicable range of an access point different from the access point that first connected to the network, For the purpose of shortening the time until communication through the previous access point becomes possible and reducing processing for enabling communication, the client terminal is connected to the network through the first access point. If the client terminal moves to the communicable range of the second access point after being already permitted to connect to the client, the client terminal does not perform a predetermined authentication procedure via the second access point, A communication system that is allowed to connect to a network is disclosed. .
JP 2003-188885 A

  In the technology described in the above patent document, since a terminal that moves between access points transmits an ID and a password to the authentication server through the moved access point, a large number of access points are hung from one authentication server. The wireless network system has the following problems.

  That is, since a large number of authentication requests are simultaneously sent to one authentication server, there is a possibility that the load on the authentication server becomes heavy. In the case of an authentication request through an access point near the edge of the network, transmission delay becomes a problem. Therefore, it is expected that it will take time before the encrypted communication can be started at the new access point.

  The present invention has been made in view of this point, and includes a mechanism that can reduce the load on the authentication server and the authentication time, and can start encrypted communication within a short time from a new access point with high probability. Another object of the present invention is to provide a wireless network system, a wireless terminal accommodating device, and a communication device.

  In order to solve this problem, a wireless network system according to the present invention includes a plurality of wireless terminal accommodating devices that are access points of wireless terminals and a large number of communications that constitute a communication network by bundling the plurality of wireless terminal accommodating devices. In the wireless network system comprising: a device; and an authentication server arranged on the communication network and connected to the wireless terminal accommodating device to authenticate a wireless terminal intended for encrypted communication, the authentication server includes the wireless terminal Means for transmitting an authentication success notification when a wireless terminal first connected to the accommodating device is successfully authenticated, and the wireless terminal accommodating device to which the wireless terminal is first connected and the authentication success notification to the wireless terminal accommodating device; Are used by the wireless terminal from the authentication success notification, respectively. A configuration having a means for storing is taken out authentication information.

  According to this configuration, when the wireless terminal is first authenticated by the authentication server, the authentication information can be held in the communication network.

  The wireless network system according to the present invention is the wireless network system according to the present invention, wherein the destination wireless terminal accommodating apparatus that has received the authentication request from the wireless terminal creates an authentication information acquisition request and transmits the request to the communication network. The authentication information used by the wireless terminal is extracted from the authentication information acquisition response received from the wireless terminal, stored, and transmitted to the wireless network. The destination wireless terminal accommodating apparatus transmits the authentication response to the wireless network. The communication device that maintains the authentication information used by the wireless terminal among the communication devices that exist in the path for relaying and forwarding the authentication information acquisition request to the authentication server creates the authentication information acquisition response and A configuration including means for transmitting to the destination wireless terminal accommodating apparatus is adopted.

  According to this configuration, the authentication information necessary for the wireless terminal that has moved can be obtained from the communication network, not from the authentication server, so that the processing load on the authentication server can be reduced. In addition, the problem of transmission delay due to the position of the access point can be solved.

  In the wireless network system according to the present invention, in the above invention, the communication device that has created and transmitted the authentication information acquisition response creates an authentication information deletion request, and the wireless device accommodating device to which the wireless terminal is first connected A wireless terminal accommodating apparatus that is first connected to the wireless terminal receives the authentication information deletion request, deletes the authentication information held therein, and creates an authentication information deletion response. The authentication information deletion request is generated and transmitted to the communication apparatus that has transmitted the request.

  According to this configuration, old authentication information held by the wireless terminal accommodating apparatus before movement can be deleted.

  In the wireless network system according to the present invention, in the above invention, the authentication information is held among communication devices existing in a path for relaying and forwarding an authentication information deletion response transmitted by the wireless terminal accommodating device to which the wireless terminal is first connected. The communication apparatus employs a configuration including means for deleting the authentication information held therein.

  According to this configuration, old authentication information held in the communication network can be deleted.

  In the wireless network system according to the present invention, in the above invention, the communication device that has created and transmitted the authentication information acquisition response creates an authentication information deletion request, and the wireless device accommodating device to which the wireless terminal is first connected A wireless terminal accommodating apparatus that is first connected to the wireless terminal, receives the authentication information deletion request, generates an authentication information deletion response, and generates and transmits the authentication information deletion request. And a means for deleting the authentication information held after elapse of a predetermined time.

  According to this configuration, the old authentication information held by the wireless terminal accommodating apparatus before moving can be deleted after being held for a certain period of time. Therefore, the authentication information can be obtained immediately when returning to access again.

  In the wireless network system according to the present invention, in the above invention, the authentication information deletion response transmitted by the wireless terminal accommodating apparatus to which the wireless terminal is first connected is relayed to the communication apparatus that has generated and transmitted the authentication information deletion request. Of the communication devices that exist on the transfer path, the communication device that holds the authentication information employs a configuration that includes means for deleting the held authentication information after a predetermined time has elapsed.

  According to this configuration, the old authentication information held in the communication network can be deleted after being held for a certain period of time.

  In the wireless network system according to the present invention, in the above invention, the wireless terminal accommodating apparatus to which the wireless terminal is connected for the first time depends on an access state of the wireless terminal depending on an access state of the wireless terminal. The structure which comprises the means to change is taken.

  According to this configuration, in the wireless terminal accommodating apparatus before movement, a certain period of time until the old authentication information held is deleted is appropriately set according to the access state (access amount, access time, etc.) of the user. Can do.

  In the wireless network system according to the present invention as set forth in the invention described above, the communication device that deletes the held authentication information after a predetermined time has passed the predetermined time until the held authentication information is deleted. The structure which comprises the means to change according to a state is taken.

  According to this configuration, in the communication network, it is possible to appropriately set a certain period of time until the old authentication information held is deleted according to the access state (access amount, access time, etc.) of the user.

  In the wireless network system according to the present invention, in the above invention, the communication device that has created and transmitted the authentication information acquisition response creates an authentication information deletion request, and the wireless device accommodating device to which the wireless terminal is first connected A wireless terminal accommodating apparatus that is first connected to the wireless terminal, receives the authentication information deletion request, generates an authentication information deletion response, and generates and transmits the authentication information deletion request. The authentication information deletion response transmitted by the wireless terminal accommodating apparatus to which the wireless terminal is first connected is relayed and forwarded. When the communication device existing in the path to be deleted has a means for deleting the stored authentication information after a lapse of a certain time, the certain time for deleting the authentication information is Short in accommodating device, the communication device adopts a structure that hierarchical position of the network is set to be longer toward the upper.

  According to this configuration, it is possible to optimize the amount of memory holding old authentication information according to the characteristics of the wireless terminal accommodating device and the communication device.

  The wireless network system according to the present invention is the wireless network system according to the present invention, wherein the predetermined time for deleting the authentication information set so as to be shorter as the wireless terminal accommodating device is longer and the communication device is higher as the hierarchical level of the network is higher. A configuration including means for changing according to the access state of the wireless terminal is adopted.

  According to this configuration, it is possible to optimize the amount of memory that holds old authentication information according to the characteristics of the wireless terminal accommodating device and the communication device, and it is possible to appropriately cope with the access state of the user.

  In a wireless network system in which an authentication server for authenticating a wireless terminal exists, the wireless terminal accommodating device according to the present invention includes an identifier and authentication information of the wireless terminal as an access point to which the wireless terminal is connected. The authentication information table to be stored in association with each other and means for storing the authentication information and the identifier of the wireless terminal in association with the authentication information table when the authentication procedure for the first connected wireless terminal is successful are adopted.

  According to this configuration, the wireless terminal accommodating apparatus accessed first can hold the authentication information obtained by the first authentication procedure performed between the wireless terminal and the authentication server.

  The wireless terminal accommodating apparatus according to the present invention is the above-described invention, wherein an authentication information acquisition request is generated based on an authentication request from a wireless terminal that has moved under its control, and is transmitted to the authentication server. The authentication information used by the wireless terminal is extracted from the authentication information used and the authentication information used by the wireless terminal is extracted and stored in the authentication information table, and the authentication response table is transmitted to the wireless terminal.

  According to this configuration, the wireless terminal accommodating device can give necessary authentication information to the wireless terminal that has moved under the control within a short time.

  In the above invention, the wireless terminal accommodating apparatus according to the present invention, when receiving an authentication information deletion request from the network side, means for deleting the corresponding authentication information held in the authentication information table, and an authentication information deletion response And a means for transmitting to the communication device on the network side that has generated and transmitted the authentication information deletion request.

  According to this configuration, when there is no wireless terminal that has been accessed, the authentication information used at that time can be deleted.

  In the above invention, the wireless terminal accommodating apparatus according to the present invention creates an authentication information deletion response when an authentication information deletion request is received from the network side, and creates and transmits the authentication information deletion request. A configuration is adopted that includes means for transmitting to the apparatus and means for deleting the corresponding authentication information held in the authentication information table after a predetermined time has elapsed.

  According to this configuration, when there is no wireless terminal that has been accessed, the authentication information used at that time can be held for a certain period of time.

  In the above invention, the wireless terminal accommodating apparatus according to the present invention measures the access time of the wireless terminal and the predetermined time until the corresponding authentication information held in the authentication information table is deleted. And a means for changing according to the access state of the wireless terminal.

  According to this configuration, in the wireless terminal accommodating device, it is possible to determine a certain time until the authentication information is deleted according to the access state of the user.

  In the wireless terminal accommodating apparatus according to the present invention, in the above invention, the fixed time until the held authentication information is deleted is set to be shorter than the fixed time in the network side communication apparatus. The structure is taken.

  According to this configuration, it is possible to reduce the amount of memory installed in the wireless terminal accommodating device.

  The communication device according to the present invention is a wireless network system in which an authentication server for authenticating a wireless terminal is present, and a plurality of communications constituting a communication network by bundling a plurality of wireless terminal accommodating devices that are access points to which the wireless terminal is connected. Each of the devices includes an authentication information table that stores a wireless terminal identifier, authentication information, a wireless terminal accommodating device side port, and an authentication server side port in association with each other, and the authentication information when the authentication procedure for the first connected wireless terminal is successful. The table includes means for storing the wireless terminal identifier, authentication information, and each port in association with each other.

  According to this configuration, when the wireless terminal is first authenticated by the authentication server, the authentication information can be held in the communication network.

  In the communication device according to the present invention, in the above invention, when a wireless terminal identifier that matches a wireless terminal identifier included in the authentication information acquisition request received from the wireless terminal accommodating device side port exists in the authentication information table, Means for creating an authentication information acquisition response including authentication information corresponding to the terminal identifier and transmitting it from the wireless terminal accommodating apparatus side port; and a wireless terminal identifier that matches the wireless terminal identifier included in the received authentication information acquisition request Means for associating and storing the wireless terminal identifier and the received port in the authentication information table when not present in the authentication information table, and transmitting the received authentication information acquisition request from the corresponding authentication server side port; When an authentication information acquisition response is received from the authentication server side port, the authentication information is acquired from the authentication information acquisition response and the authentication information is received. Stored in the information table, adopts a configuration and means for transmitting the received the authentication information acquisition response from the corresponding radio terminal accommodating apparatus side port.

  According to this configuration, in a situation where the wireless terminal is moving, on the transfer route in the communication network, the authentication information acquisition including the relay for guiding the authentication information acquisition request to the network and the authentication information necessary for the relay process is performed. It is possible to create a response, relay the authentication information acquisition response to the access point, and acquire and hold the authentication information from the authentication information acquisition response in the relay process.

  In the above invention, the communication device according to the present invention creates an authentication information deletion request for the wireless terminal accommodating device to which the wireless terminal first connected and performed the authentication procedure after creating and transmitting the authentication information acquisition response Means for transmitting from the corresponding wireless terminal accommodating apparatus side port, and means for transmitting the received authentication information deletion request from the corresponding wireless terminal accommodating apparatus side port when receiving the authentication information deletion request from the authentication server side port; When the authentication information deletion response is received from the wireless terminal accommodating apparatus side port and the authentication information deletion request is not generated and transmitted, the corresponding authentication information is deleted from the authentication information table and received. And a means for transmitting an authentication information deletion response from the corresponding authentication server side port.

  According to this configuration, the old authentication information held in the communication network can be deleted under the situation where the wireless terminal is moving.

  In the above invention, the communication device according to the present invention creates an authentication information deletion request for the wireless terminal accommodating device to which the wireless terminal first connected and performed the authentication procedure after creating and transmitting the authentication information acquisition response Means for transmitting from the corresponding wireless terminal accommodating apparatus side port, and means for transmitting the received authentication information deletion request from the corresponding wireless terminal accommodating apparatus side port when receiving the authentication information deletion request from the authentication server side port; When the authentication information deletion response is received from the wireless terminal accommodating apparatus side port and the authentication information deletion request is not generated and transmitted, the received authentication information deletion response is transmitted from the corresponding authentication server side port. And a means for deleting the corresponding authentication information from the authentication information table after a predetermined time has elapsed.

  According to this configuration, the old authentication information held in the communication network can be deleted after being held for a certain time.

  In the above invention, the communication device according to the present invention is a means for measuring the access state of the wireless terminal, and a means for changing the predetermined time until the authentication information is deleted according to the measured access state of the wireless terminal. The structure which comprises is taken.

  According to this configuration, it is possible to appropriately determine a certain period of time until the old authentication information held in the communication network is deleted according to the access state of the user.

  According to the present invention, it is possible to reduce the load on the authentication server and shorten the authentication time. Also, encrypted communication can be started within a short time from a new access point with a high probability.

  The essence of the present invention is that the authentication information obtained by the authentication procedure performed with the authentication server when the wireless terminal accesses the access point for the first time can be held in the communication network, and then the moving wireless The provision of the authentication information to the terminal is to be able to be performed without going through the authentication server.

  In the case of adopting the above configuration, it is possible to delete old authentication information held in the communication network, hold for a certain time when deleting, and network hierarchy when deleting after holding for a certain time It is necessary to give a difference in holding time according to the arrangement position, and to give a difference in holding time in consideration of a user's access state (access amount, access time, etc.).

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(Embodiment 1)
FIG. 1 is a network diagram showing a configuration of a wireless network system according to Embodiment 1 of the present invention. The wireless network system shown in FIG. 1 bundles a plurality of wireless terminal accommodating apparatuses 102a, 102b, and 102c, which are access points of the wireless terminal 101 moving within the system, and a plurality of wireless terminal accommodating apparatuses 102a, 102b, and 102c. A number of communication devices 103a, 103b, and 103c that constitute a communication network, and an authentication server 104 that authenticates a wireless terminal 101 that is arranged on the communication network and connected to an access point are provided.

  In the example shown in FIG. 1, the wireless terminal accommodating devices 102a and 102b are connected to the communication device 103a, the wireless terminal accommodating device 102c is connected to the communication device 103b, and the communication devices 103a and 103b are connected to the communication device 103c. An authentication server 104 is connected to the device 103c.

  FIG. 2 is a block diagram illustrating a configuration example of the wireless terminal accommodating apparatuses 102a, 102b, and 102c illustrated in FIG. For example, as shown in FIG. 2, each wireless terminal accommodating apparatus includes a network side transmitting / receiving unit 201 that transmits and receives packets to and from the network side, and a home side that transmits and receives packets via the home side (wireless terminal) and the antenna unit 202. The packet that is between the transmission / reception unit 203, the network-side transmission / reception unit 201, and the home-side transmission / reception unit 203 is encrypted by the network-side transmission / reception unit 201 and transferred to the home-side transmission / reception unit 203. The encryption / decryption transfer unit 204 that decrypts the packet received by the transmission / reception unit 203 from the home side (wireless terminal) and transfers the packet to the network side transmission / reception unit 201 and the encryption / decryption authentication information used in the encryption / decryption transfer unit 204 are managed. The authentication information table 205, the authentication information management unit 206 that performs acquisition processing and deletion processing that writes the authentication information captured by the network side transmission / reception unit 201 to the authentication information table 205, and the network side transmission / reception unit 201 And a initial authentication processing unit 207 that handles authentication operation when the wireless terminal based on elaborate authentication information and the registered contents of the authentication information table 205 is connected to the first network.

  FIG. 3 is a diagram illustrating a configuration example of the authentication information table 205 included in the wireless terminal accommodating apparatuses 102a, 102b, and 102c. In the authentication information table 205, for example, as shown in FIG. 3, “terminal identifier” and “authentication information” are registered in association with each other. The authentication information is information necessary for authentication of the wireless terminal 101 and communication encryption. Generally, it refers to a user ID, password, encryption key, and the like.

  Next, FIG. 4 is a block diagram illustrating a configuration example of the communication apparatuses 103a, 103b, and 103c illustrated in FIG. For example, as illustrated in FIG. 4, each communication device receives packets from a plurality of transmission / reception units 401-1 to 401-n that perform transmission / reception of packets on each route and a plurality of transmission / reception units 401-1 to 401-n. A transfer unit 402 that collectively transfers to a higher level (authentication information management unit 404) and transfers packets from the higher level (authentication information management unit 404) to corresponding transmission / reception units of the plurality of transmission / reception units 401-1 to 401-n; An authentication information table 403 that stores authentication information for each terminal, and an authentication information management unit 404 that exists between the transfer unit 402 and the authentication information table 403 and adds and deletes authentication information to the authentication information table 403. I have.

  FIG. 5 is a diagram illustrating a configuration example of the authentication information table 403 included in the communication devices 103a, 103b, and 103c. For example, as shown in FIG. 5, the authentication information table 403 includes a “terminal identifier”, “authentication information”, a “subordinate port” indicating which port the wireless terminal 101 exists in, and an authentication server direction. A “port to the authentication server” indicating a port is registered in association with each other.

  Next, an authentication operation performed in the wireless network system configured as described above will be described. Here, (A) an authentication operation performed when the wireless terminal is connected for the first time (FIGS. 6 and 7), (B) an authentication operation performed when connecting at the movement destination (FIGS. 8 to 11), ( C) Operations when re-authenticating when moving (FIGS. 12 and 13) and (D) Operations of the authentication information management unit of the wireless terminal accommodating device and the communication device (FIGS. 14 to 16) will be described, respectively. .

  (A) Authentication operation performed when connecting for the first time (FIGS. 6 and 7). FIG. 6 is a sequence diagram illustrating an authentication operation performed when first connecting. FIG. 7 is a network diagram for explaining an entry state of the authentication information table of the wireless terminal accommodating device and the communication device by the authentication operation performed when connecting for the first time. The authentication information used here is an encryption key.

  In FIG. 6, a wireless terminal 601, a wireless terminal accommodating device 602, communication devices 603 and 604, and an authentication server 605 are shown. In FIG. 6, the wireless terminal 601 performs an authentication procedure using the open authentication method with the wireless terminal accommodating apparatus 602 to be connected (procedure T601). At this time, association processing is also performed in order to ensure compatibility with existing WEP (Wired Equivalent Privacy) authentication.

  Next, the wireless terminal 601 performs an authentication procedure based on the IEEE standard document 802.1x with the authentication server 605 on the communication network via the wireless terminal accommodating device 602 and the communication devices 603 and 604, and the authentication server 605 Authentication is performed on the wireless terminal 601 (procedure T602). The authentication server 605 creates authentication information after completing the authentication (procedure T603). Also, the wireless terminal 601 creates and holds authentication information (procedure T604).

  The authentication server 605 transmits an authentication success notification including the created authentication information to the wireless terminal accommodating apparatus 602 (procedure T605). At that time, in the communication devices 604 and 603 existing on the transfer path, the authentication information management unit 404 refers to the authentication success notification relayed and stores “terminal identifier” and “authentication information (encryption key)” in the authentication information table 403. In addition, the port to which the authentication success notification is input is stored in the authentication information table 403 as “port to authentication server”, and the output port is stored as “subordinate port” (procedure T606).

  In the wireless terminal accommodating apparatus 602, the authentication success notification received via the communication apparatus 603 is wirelessly transmitted to the wireless terminal 601 (step T607), and the authentication information management unit 206 refers to the authentication success notification to indicate “terminal identifier”. “Authentication information (encryption key)” is stored in the authentication information table 205 (step T608). As a result, preparation for encrypted communication is performed between the wireless terminal 601 and the wireless terminal accommodating apparatus 602 using the authentication information (procedure T609), and encrypted communication is performed upon completion (procedure T610).

  By performing the first authentication operation in this way, in the communication network, each authentication information of the wireless terminal accommodating apparatus 602 and the communication apparatuses 603 and 604 that relayed the authentication procedure between the wireless terminal 601 and the authentication server 605. An entry for each terminal is set in the table.

  In the example of the network illustrated in FIG. 1, as illustrated in FIG. 7, in the first authentication operation between the wireless terminal 101 and the authentication server 104, the authentication request 701 transmitted from the wireless terminal 101 is transmitted to the communication network ( The authentication response 702 as an authentication result is transferred to the communication network (wireless terminal accommodating apparatus 102a, communication apparatuses 103a, 103c) via the wireless terminal accommodating apparatus 102a and the communication apparatuses 103a, 103c). Route) to the wireless terminal 101. In the process of relaying the authentication response 702 between the wireless terminal accommodating apparatus 102a and the communication apparatuses 103a and 103c, the authentication information can be captured from the authentication response 702. Therefore, authentication information (encryption key) 703, 704, and 705 for each terminal is set in each authentication information table of the wireless terminal accommodating apparatus 102a and the communication apparatuses 103a and 103c.

  (B) Authentication operation performed at the time of connection at the destination (FIGS. 8 to 11). FIG. 8 is a sequence diagram for explaining an authentication operation performed at the time of connection at the movement destination (when a communication device holding authentication information is relatively close). FIG. 9 is a network diagram for explaining an entry state of the authentication information table of the wireless terminal accommodating device and the communication device by the authentication operation shown in FIG. FIG. 10 is a sequence diagram for explaining the authentication operation performed at the time of connection at the movement destination (when the communication device holding the authentication information is located in a relatively far place). FIG. 11 is a network diagram for explaining an entry state of the authentication information table of the wireless terminal accommodating device and the communication device by the authentication operation shown in FIG. The authentication information used here is an encryption key.

  In FIG. 8, a wireless terminal 801, a wireless terminal accommodating device (before movement) 802, a wireless terminal accommodating device (after movement) 803, communication devices 804 and 805, and an authentication server 806 are shown. Among them, it is assumed that only the wireless terminal accommodating device (after movement) 803 does not hold the authentication information (encryption key).

  In FIG. 8, in the process of performing encrypted communication with the wireless terminal accommodating apparatus 802 (procedure T801), the wireless terminal 801 moves under the new wireless terminal accommodating apparatus 803 to establish a connection (procedure T802). ) When an authentication process using the open authentication method is performed with the moved wireless terminal accommodating apparatus 803 (procedure T803), a reassociation request (authentication request) is wirelessly transmitted to the wireless terminal accommodating apparatus 803. (Procedure T804).

  Upon receiving the reassociation request, the wireless terminal accommodating apparatus 803 creates an authentication information acquisition request in which the transmission destination is the authentication server 806, the transmission source is the own wireless terminal accommodating apparatus 803, and the MAC address of the wireless terminal 801 is set in the payload. And sent to the communication network (procedure T805).

  The communication device 804 that first receives the authentication information acquisition request refers to the authentication information table 403 and searches for authentication information managed based on the terminal identifier included in the received authentication information acquisition request (step T806). . In this example, since the communication device 804 holds the authentication information (encryption key) of the wireless terminal 801, the transmission destination is the wireless terminal accommodating device 803, the transmission source is the own communication device 804, and the wireless terminal is included in the payload. An authentication information acquisition response in which the MAC address of 801 and the authentication information are set is created and sent to the port that has received the authentication information acquisition request (step T807).

The wireless terminal accommodating apparatus 803 that has received the authentication information acquisition response refers to the received authentication information acquisition response and stores “terminal identifier” and “authentication information (encryption key)” in the authentication information table 205 (step T808). , Reassociation Response:
An authentication response is wirelessly transmitted to the wireless terminal 801 (procedure T809). As a result, preparation for encrypted communication is performed between the wireless terminal 801 and the moved wireless terminal accommodating apparatus 803 using the authentication information (procedure T810), and encrypted communication is performed when the process ends (procedure T810). T811).

  In this example, the wireless terminal accommodating apparatus 803 does not hold the authentication information, but the wireless terminal 801 moves under the wireless terminal accommodating apparatus 803 when the latest upper communication apparatus 804 holds the authentication information. In the example shown in FIG. 7, the wireless terminal 101 has moved under the wireless terminal accommodating apparatus 102b. In this case, as shown in FIG. 9, an authentication information acquisition request 901 transmitted by the wireless terminal accommodating apparatus 102b is received by the nearest higher-level communication apparatus 103a, and an authentication information acquisition response 902 is returned from the communication apparatus 103a. As a result, the wireless terminal accommodating apparatus 102b can hold the authentication information (encryption key) 903 within a short period of time and can start encrypted communication with the wireless terminal 101 that has moved.

  In FIG. 8, the communication device that first receives the authentication information acquisition request holds the authentication information (encryption key) of the wireless terminal, but the communication device that receives the authentication information first holds the authentication information of the wireless terminal. If not, the communication device transfers the authentication information acquisition request to “port to authentication server” in the authentication information table. In the present example, at least one communication device existing in the transfer path that reaches the authentication server holds the authentication information.

  Therefore, the transfer is repeated, the authentication information acquisition request is transferred to the place where the authentication information exists, and the authentication information acquisition response is transferred from the communication apparatus holding the authentication information. An example thereof is shown in FIGS. Note that in a communication device that relays and forwards an authentication information acquisition response, it is desirable to capture and store the authentication information, but it is not necessarily required to hold all of the communication devices that relay and transfer.

  In FIG. 10, a wireless terminal 1001, a wireless terminal accommodating device (before movement) 1002, a wireless terminal accommodating device (after movement) 1003, communication devices 1004 and 1005, and an authentication server 1006 are shown. Among these, it is assumed that the wireless terminal accommodating device (after movement) 1003 and the communication device 1004 do not hold authentication information (encryption key).

  In FIG. 10, in the process of performing encrypted communication with the wireless terminal accommodating apparatus 1002 (procedure T1001), the wireless terminal 1001 moves and connects to the new wireless terminal accommodating apparatus 1003 (procedure T1002). ) When an authentication process using the open authentication method is performed with the wireless terminal accommodating apparatus 1003 after movement (procedure T1003), a reassociation request (authentication request) is wirelessly transmitted to the wireless terminal accommodating apparatus 1003. (Procedure T1004).

  When the wireless terminal accommodating apparatus 1003 wirelessly receives the reassociation request, the wireless terminal accommodating apparatus 1003 issues an authentication information acquisition request in which the transmission destination is the authentication server 1006, the transmission source is the own wireless terminal accommodating apparatus 1003, and the MAC address of the wireless terminal 1001 is set in the payload. Created and sent to the communication network (procedure T1005).

  The communication apparatus 1004 that first receives the authentication information acquisition request refers to the authentication information table 403 and searches for authentication information managed based on the terminal identifier included in the received authentication information acquisition request (step T1006). . In this example, since the communication device 1004 does not hold the authentication information of the wireless terminal 1001, the communication device 1004 transfers the received authentication information acquisition request to the path to the “port to the authentication server” (procedure T1007).

  The communication device 1005 that has received the authentication information acquisition request next refers to the authentication information table 403 and searches for authentication information managed based on the terminal identifier included in the received authentication information acquisition request (step T1008). . In this example, since the communication device 1005 holds the authentication information (encryption key) of the wireless terminal 1001, the transmission destination is the wireless terminal accommodating device 1003, the transmission source is the own communication device 1005, and the wireless terminal is included in the payload. An authentication information acquisition response in which the MAC address of 1001 and authentication information (encryption key) are set is created and sent to the port that received the authentication information acquisition request (procedure T1009).

  The communication device 1004 that has received the authentication information acquisition response captures the authentication information table 403 from the authentication information acquisition response and stores and holds the authentication information table 403 (step T1010), and also receives the received authentication information acquisition response. The message is sent to the route to the “subordinate port” (procedure T1011).

  The wireless terminal accommodating apparatus 1003 that has received the authentication information acquisition response refers to the received authentication information acquisition response and stores “terminal identifier” and “authentication information (encryption key)” in the authentication information table 205 (step T1012). Then, a reassociation response (authentication response) is wirelessly transmitted to the wireless terminal 1001 (step T1013). Accordingly, preparation for encrypted communication is performed between the wireless terminal 1001 and the wireless terminal accommodating apparatus 1003 after movement using the authentication information (procedure T1014), and encrypted communication is performed when the process ends (procedure). T1015).

  In this example, the wireless terminal accommodating apparatus 1003 does not hold the authentication information, but the wireless terminal 1001 moves under the wireless terminal accommodating apparatus 1003 when the latest upper communication apparatus 1004 also does not hold the authentication information. In the example shown in FIG. 7, the wireless terminal 101 has moved under the wireless terminal accommodating apparatus 102 c via the wireless terminal accommodating apparatus 102 b. In this case, as shown in FIG. 11, the authentication information acquisition request 1101 transmitted by the wireless terminal accommodating apparatus 102c is transferred to the upper communication apparatus 103c as the authentication information acquisition request 1102 by the latest upper communication apparatus 103b, An authentication information acquisition response 1103 is returned from the device 103c to the communication device 103b. The communication device 103b transfers the received authentication information acquisition response 1103 as the authentication information acquisition response 1104 to the wireless terminal accommodating device 102c, and also holds the authentication information (encryption key) 1105.

  As a result, even if the communication device 103b immediately above the wireless terminal accommodating apparatus 102c does not hold the authentication information, an authentication information acquisition response is returned from the middle of the route to the authentication server 104, so the wireless terminal accommodating apparatus 102c Then, the authentication information (encryption key) 1106 can be held within a relatively short period of time, and encrypted communication can be started with the wireless terminal 101 that has moved.

  (C) Operation for re-authentication when moving (FIGS. 12 and 13). FIG. 12 is a sequence diagram for explaining the operation when authentication is performed again when moving (when there is a communication apparatus holding authentication information). FIG. 13 is a sequence diagram for explaining the operation when authentication is performed again when moving (when there is no communication device holding authentication information). The authentication information used here is information necessary for authentication other than the encryption key, such as a user ID and a password.

  In FIG. 12, a wireless terminal 1201, a wireless terminal accommodating apparatus (before movement) 1202, a wireless terminal accommodating apparatus (after movement) 1203, communication apparatuses 1204 and 1205, and an authentication server 1206 are shown. Then, it is assumed that the communication device 1205 holds authentication information (such as a user ID and password), not the communication device 1204.

  In FIG. 12, in the process of performing encrypted communication with the wireless terminal accommodating apparatus 1202 (procedure T1201), the wireless terminal 1201 moves under the new wireless terminal accommodating apparatus 1203 to establish a connection (procedure T1202). ), Open authentication and association processing are performed with the wireless terminal accommodating apparatus 1203 after movement (procedure T1203). When completed, the EAPOL: EAP-START frame is wirelessly transmitted (procedure T1204). EAPOL (Extensible Authentication Protocol Over LAN) is an authentication protocol compliant with the IEEE standard document 802.1x.

  Upon receiving the EAP-START frame wirelessly, the wireless terminal accommodating apparatus 1203 receives the authentication information acquisition request in which the transmission destination is the authentication server 1206, the transmission source is the own wireless terminal accommodating apparatus 1203, and the MAC address of the wireless terminal 1201 is set in the payload. Is transmitted to the communication network (procedure T1205).

  The communication device 1204 that first receives the authentication information acquisition request refers to the authentication information table 403 and manages authentication information (such as a user ID or password) managed based on the terminal identifier included in the received authentication information acquisition request. Is searched (procedure T1206). In this example, since the communication device 1204 does not hold the authentication information (user ID, password, etc.) of the wireless terminal 1201, the received authentication information acquisition request is transferred to the route to the “port to the authentication server”. (Procedure T1207).

  The communication device 1205 that has received the authentication information acquisition request next refers to the authentication information table 403 and manages the authentication information (user ID, password, etc.) managed based on the terminal identifier included in the received authentication information acquisition request. Is searched (procedure T1208). In this example, since the communication device 1205 holds authentication information (user ID, password, etc.) of the wireless terminal 1201, the transmission destination is the wireless terminal accommodating device 1203, the transmission source is the own communication device 1205, and the payload An authentication information acquisition response in which the MAC address of the wireless terminal 1201 and authentication information (user ID, password, etc.) are set is created and sent to the port that received the authentication information acquisition request (step T1209).

  Receiving the authentication information acquisition response, the communication device 1204 takes the authentication information (user ID, password, etc.) from the authentication information acquisition response and stores it in the authentication information table 403 (step T1210) and acquires the received authentication information. The response is sent to the route to the “subordinate port” (procedure T1211).

  The wireless terminal accommodating apparatus 1203 that has received the authentication information acquisition response refers to the received authentication information acquisition response and stores “terminal identifier” and “authentication information (user ID, password, etc.)” in the authentication information table 205 (procedure). T1212)

  Then, the wireless terminal accommodating apparatus 1203 performs an authentication process defined in IEEE 802.1x with the wireless terminal 1201 based on the authentication information (user ID, password, etc.) acquired from the authentication information acquisition response, and the authentication process When is completed, exchange for encrypted communication is performed to generate an encryption key, and encrypted communication is started (procedure T1213).

  In FIG. 12, the authentication information acquisition request is for the case where the second communication device holds the authentication information (user ID, password, etc.) of the wireless terminal, but the second received communication device also authenticates the wireless terminal. When information (user ID, password, etc.) is not held, the communication apparatus transfers an authentication information acquisition request to “port to authentication server” in the authentication information table. In the present example, at least one communication device of communication devices existing on the route to the authentication server holds authentication information (user ID, password, etc.).

  Therefore, the transfer is repeated, the authentication information acquisition request is transferred to the place where the authentication information exists, and the authentication information acquisition response is transferred from the communication apparatus holding the authentication information (user ID, password, etc.). Note that in a communication device that relays and forwards an authentication information acquisition response, it is desirable to capture and store authentication information (such as a user ID and password), but it is not necessary for all of the communication devices that relay and forward.

  In other words, when all of the communication devices existing in the path to the authentication server do not hold the authentication information (user ID, password, etc.), the authentication information acquisition request reaches the authentication server as shown in FIG. It will be. This case mainly occurs when a wireless terminal accessing the network moves for the first time. Even in this case, in the communication device that relays and transfers the authentication information acquisition response, it is desirable to capture and store the authentication information (user ID, password, etc.), but it is not always necessary that all of the communication devices that relay and transfer hold the authentication information. Absent.

  In FIG. 13, a wireless terminal 1301, a wireless terminal accommodating device (before movement) 1302, a wireless terminal accommodating device (after movement) 1303, communication devices 1304 and 1305, and an authentication server 1306 are shown.

  In FIG. 13, in the process of performing encrypted communication with the wireless terminal accommodating apparatus 1302 (procedure T1301), the wireless terminal 1301 moves and connects to a new wireless terminal accommodating apparatus 1303 (procedure T1302). When the open authentication and association processing is performed with the wireless terminal accommodating apparatus 1303 after movement (procedure T1303), an EAPOL: EAP-START frame is wirelessly transmitted (procedure T1304).

  When the wireless terminal accommodating apparatus 1303 wirelessly receives the EAP-START frame, the wireless terminal accommodating apparatus 1303 sets the transmission destination as the authentication server 1306, sets the transmission source as the own wireless terminal accommodating apparatus 1303, and sets the MAC address of the wireless terminal 1301 in the payload. Is transmitted to the communication network (procedure T1305).

  The communication device 1304 that first receives the authentication information acquisition request refers to the authentication information table 403, and manages the authentication information (user ID, password, etc.) based on the terminal identifier included in the received authentication information acquisition request. Is searched (procedure T1306). In this example, since the communication device 1304 does not hold the authentication information (user ID, password, etc.) of the wireless terminal 1301, the received authentication information acquisition request is transferred to the path to the “port to the authentication server”. (Procedure T1307).

  The communication device 1305 that has received the authentication information acquisition request next refers to the authentication information table 403, and manages authentication information (such as a user ID or password) managed based on the terminal identifier included in the received authentication information acquisition request. Is searched (procedure T1308). In this example, since the communication device 1305 does not hold the authentication information (user ID, password, etc.) of the wireless terminal 1301, the received authentication information acquisition request is transferred to the path to the “port to the authentication server”. (Procedure T1309).

  Upon receiving the authentication information acquisition request, the authentication server 1306 acquires authentication information (user ID, password, etc.) from the authentication database based on the MAC address of the terminal in the payload of the packet (procedure T1310). Then, the wireless terminal accommodating device 1303 is set as the transmission destination, the self-authentication server 1306 is set as the transmission destination, an authentication information acquisition response in which the MAC address and authentication information of the wireless terminal 1301 are set in the payload is generated, and the authentication information acquisition request is received. The data is sent out to the port (step T1311).

  Receiving the authentication information acquisition response, the communication device 1305 takes the authentication information (user ID, password, etc.) from the authentication information acquisition response and stores it in the authentication information table 403 (step T1312), and acquires the received authentication information. The response is sent to the route to the “subordinate port” (procedure T1313).

  The communication device 1304 that has received the authentication information acquisition response takes the authentication information (user ID, password, etc.) from the authentication information acquisition response and stores it in the authentication information table 403 (step T1314), and also acquires the received authentication information. The response is sent to the route to the “subordinate port” (procedure T1315).

  The wireless terminal accommodating apparatus 1303 that has received the authentication information acquisition response refers to the received authentication information acquisition response and stores “terminal identifier” and “authentication information (user ID, password, etc.)” in the authentication information table 205 (procedure). T1316)

  Then, the wireless terminal accommodating apparatus 1303 performs an authentication process defined in IEEE 802.1x with the wireless terminal 1301 based on the authentication information acquired from the authentication information acquisition response, and when the authentication process is completed, the encrypted communication is performed. Exchange is performed to generate an encryption key, and encrypted communication is started (step T1317).

  (D) Operation of the authentication information management unit of the wireless terminal accommodating device and the communication device (FIGS. 14 to 16). FIG. 14 is a flowchart for explaining the operation of the authentication information management unit of the wireless terminal accommodating apparatus in the authentication operation performed at the time of connection at the movement destination. FIG. 15 is a flowchart for explaining the operation for the authentication information acquisition request reception of the authentication information management unit of the communication apparatus in the authentication operation performed at the time of connection at the movement destination. FIG. 16 is a flowchart for explaining the operation for the authentication information acquisition response reception of the authentication information management unit of the communication apparatus in the authentication operation performed at the time of connection at the movement destination. In each figure, the processing step is abbreviated as ST.

  In FIG. 14, upon receiving an authentication information acquisition response (ST1401), authentication information management section 206 of the wireless terminal accommodating apparatus acquires authentication information (encryption key, user ID, password, etc.) (ST1402). If it is authentication information, it is added to the authentication information table 205, and if the authentication information of the corresponding terminal already exists, the acquired authentication information is overwritten (ST1403).

  Further, the operation when the authentication information acquisition request is received by the authentication information management unit 404 of the communication apparatus is as shown in FIG. In FIG. 15, when the authentication information management unit 404 of the communication apparatus receives the authentication information acquisition request (ST1501), it acquires the terminal MAC address from the authentication information acquisition request packet (ST1502), and stores it in the authentication information table 403. It is determined whether there is an entry that matches the terminal MAC address (ST1503).

  If there is an entry that matches the terminal MAC address in the authentication information table 403 (ST1503: Yes), based on the entry information in the authentication information table, the destination is the transmission source of the authentication information acquisition request, and the transmission source is the own communication device. And creating an authentication information acquisition response in which the terminal identifier (terminal MAC address) and authentication information (encryption key, user ID, password, etc.) are set in the payload (ST1504), toward the port that received the authentication information acquisition request An authentication information acquisition response is transmitted (ST1505), and “subordinate port” is rewritten to the port number that transmitted the authentication information acquisition response (ST1506).

  On the other hand, if there is no entry matching the terminal MAC address in authentication information table 403 (ST1503: No), an entry corresponding to the terminal MAC address is generated and stored in authentication information table 403 (ST1507). At this point, the “authentication information” field in the authentication information table 403 is blank. Then, the received authentication information acquisition request is transferred to the same port as the “route to the authentication server” (ST1508).

  Further, the operation when the authentication information acquisition response is received by the authentication information management unit 404 of the communication apparatus is as shown in FIG. In FIG. 16, when the authentication information management unit 404 of the communication apparatus receives an authentication information acquisition response (ST1601), it acquires authentication information from the received authentication information acquisition response (ST1602), and corresponds to the terminal MAC address. The acquired authentication information is set in the entry (ST1603). Then, the received authentication information acquisition response is transferred to the “subordinate port” (ST1604).

  As described above, according to the first embodiment, when a wireless terminal moves under the control of a new wireless terminal accommodating apparatus, authentication information (encryption key, user ID, password, etc.) is not acquired from the authentication server. Since it can be acquired from the communication devices constituting the communication network, the time for authentication can be shortened and the load on the authentication server can be reduced.

  At this time, even when a failure occurs in the route to the authentication server, it is highly likely that the authentication information is already held in the wireless terminal accommodating device, so that the fault tolerance is improved.

  In addition, since the communication device that directly bundles the wireless terminal accommodating devices before movement always holds the authentication information corresponding to the wireless terminal, the wireless terminal immediately has a high probability from the new wireless terminal accommodating device that is the moving destination. Since authentication information can be acquired, there is no problem of transmission delay.

(Embodiment 2)
Embodiment 2 of the present invention shows a configuration example in which authentication information held in a communication network before moving is deleted after authentication processing of the moved wireless terminal (FIGS. 17 to 24). Here, the description will be focused on the portion related to the second embodiment.

  FIG. 17 is a network diagram for explaining a deletion process of authentication information held in a communication network before moving as a second embodiment of the present invention (part 1). In FIG. 17, when the wireless terminal 101 moves under the wireless terminal accommodating apparatus 102b as described in FIG. 9, the authentication information (encryption key) held by the wireless terminal accommodating apparatus 102a before the movement is deleted. The case to be shown is shown.

  In FIG. 17, in the authentication information table 403 of the communication device 103a, a subordinate port for the wireless terminal accommodating device 102a that holds the authentication information at the time of authentication before movement is registered. When the communication device 103a returns the authentication information acquisition response 902 in response to the authentication information acquisition request 901 from the wireless terminal accommodation device 102b, the transmission destination is the wireless terminal accommodation device 102a before movement, and the transmission source is the own communication device 103a. Then, an authentication information deletion request 1701 in which the MAC address of the wireless terminal 101 is set in the payload is created and transmitted from the subordinate port held in the authentication information table 403.

  Upon receiving the authentication information deletion request 1701, the wireless terminal accommodating apparatus 102a deletes the authentication information 1703 of the wireless terminal 101 registered in the authentication information table 205, and transmits the authentication information deletion request 1701 to the transmission destination. , The own wireless terminal accommodating apparatus 102a is set as the transmission source, and the authentication information deletion response 1702 in which the MAC address of the wireless terminal 101 is set as the payload is generated and transmitted to the network side. This authentication information deletion response 1702 is received by the communication apparatus 103a.

  Next, FIG. 18 is a sequence diagram for explaining the deletion processing of the authentication information held in the communication network before moving as the second embodiment of the present invention (part 2). In FIG. 18, as described with reference to FIG. 10, when the wireless terminal 1001 moves under the wireless terminal accommodating apparatus 1003, the intermediate communication apparatus 1004 and the wireless terminal accommodating apparatus 1002 before the movement are respectively held. The case where the authentication information (encryption key) is deleted is shown.

  In FIG. 18, the communication device 1005 that has received the authentication information acquisition request secondly and transmitted the authentication information acquisition response has the transmission destination as the wireless terminal accommodating device 1002 before movement, the transmission source as the own communication device 1005, and the payload. An authentication information deletion request in which the MAC address of the wireless terminal 101 is set is created and transmitted from the subordinate port held in the authentication information table 403 (procedure T1801). This authentication information deletion request is received by the wireless terminal accommodating apparatus 1002 via the lower communication apparatus 1004.

  The wireless terminal accommodating apparatus 1002 that has received the authentication information deletion request deletes the held authentication information (encryption key) (step T1802), sets the communication apparatus 1005 that has transmitted the authentication information deletion request to the transmission destination, and transmits it. Original wireless terminal accommodating apparatus 1002 is set, and an authentication information deletion response in which the MAC address of wireless terminal 1001 is set in the payload is created and transmitted to the network side (step T1803). This authentication information deletion response is received by the communication device 1004.

  Upon receiving the authentication information deletion response, the communication device 1004 deletes the held authentication information (encryption key) (procedure T1804), and relays and forwards the received authentication information deletion response to the port to the authentication server (procedure T1805). That is, the authentication information deletion response transmitted by the wireless terminal accommodating apparatus 1002 is received by the communication apparatus 1005 via the communication apparatus 1004, and the completion of the deletion process is recognized.

  Next, FIG. 19 is a network diagram for explaining an entry state of the authentication information table of the wireless terminal accommodating device and the communication device by the authentication information deleting process shown in FIG. FIG. 19 shows a case where deletion processing is performed in the authentication information tables of the wireless terminal accommodating apparatus 102b before movement and the communication apparatus 103a existing in the middle in the network state shown in FIG.

  In FIG. 19, when the communication device 103c returns an authentication information acquisition response 1103 in response to the authentication information acquisition request 1102 from the wireless terminal accommodation device 102c relayed by the communication device 103b, the wireless terminal accommodation device 102b before the movement is moved. The authentication information deletion request 1901 in which the transmission source is the local communication device 103c and the MAC address of the wireless terminal 101 is set in the payload is generated and transmitted from the subordinate port held in the authentication information table 403.

  The lower-level communication device 103a relays and transfers the authentication information deletion request 1901 to the subordinate port as the authentication information deletion request 1902. This authentication information deletion request 1902 is received by the wireless terminal accommodating apparatus 102b.

  When receiving the authentication information deletion request 1902, the wireless terminal accommodating apparatus 102 b deletes the authentication information (encryption key) 1903 of the wireless terminal 101 registered in the authentication information table 205 and transmits the authentication information deletion request 1902 to the transmission destination. The communication device 103c is set, the own wireless terminal accommodating device 102b is set as a transmission source, and an authentication information deletion response 1904 in which the MAC address of the wireless terminal 101 is set as a payload is generated and transmitted to the network side. This authentication information deletion response 1904 is received by the communication apparatus 103a.

  Upon receiving the authentication information deletion response 1904, the communication apparatus 103a deletes the authentication information (encryption key) 1905 of the wireless terminal 101 registered in the authentication information table 403, and also displays the received authentication information deletion response 1904 as the authentication information. A deletion response 1906 is sent to the port to the authentication server. As a result, the authentication information deletion response 1906 is received by the communication apparatus 103c, and the completion of the deletion process is recognized.

  Next, FIG. 20 is a sequence diagram for explaining the deletion processing of authentication information held in the communication network before moving as the second embodiment of the present invention (part 3). In FIG. 20, as described with reference to FIG. 12, when the wireless terminal 1201 moves under the wireless terminal accommodation device 1203, the intermediate communication device 1204 and the wireless terminal accommodation device 1202 before the movement are respectively held. The case where authentication information (user ID, password, etc.) is deleted is shown.

  In FIG. 20, the communication device 1205 that has received the authentication information acquisition request secondly and transmitted the authentication information acquisition response has the transmission destination as the wireless terminal accommodating device 1202 before movement, the transmission source as the own communication device 1205, and the payload. An authentication information deletion request in which the MAC address of the wireless terminal 101 is set is created and transmitted from the subordinate port held in the authentication information table 403 (procedure T2001). This authentication information deletion request is received by the wireless terminal accommodating apparatus 1202 via the lower communication apparatus 1204.

  The wireless terminal accommodating apparatus 1202 that has received the authentication information deletion request deletes the held authentication information (user ID, password, etc.) (step T2002), and sets the communication apparatus 1205 that has transmitted the authentication information deletion request to the transmission destination. Then, the own wireless terminal accommodating apparatus 1202 is set as a transmission source, and an authentication information deletion response in which the MAC address of the wireless terminal 1201 is set as a payload is generated and transmitted to the network side (procedure 2003). This authentication information deletion response is received by the communication device 1204.

  Upon receiving the authentication information deletion response, the communication device 1204 deletes the held authentication information (user ID, password, etc.) (step T2004), and relays the received authentication information deletion response to the port to the authentication server. (Procedure T2005). That is, the authentication information deletion response transmitted by the wireless terminal accommodating apparatus 1202 is received by the communication apparatus 1205 via the communication apparatus 1204, and the completion of the deletion process is recognized.

  Next, the operation of the authentication information management unit in the wireless terminal accommodating device and the communication device before movement will be described with reference to FIGS. FIG. 21 is a flowchart for explaining an authentication information deletion processing operation in the authentication information management unit of the wireless terminal accommodating apparatus. In FIG. 21, upon receiving an authentication information deletion request (ST2101), authentication information management section 206 of the wireless terminal accommodating apparatus deletes an entry associated with the terminal MAC address from authentication information table 205 (ST2102). Then, an authentication information deletion response is created and sent to the network side through the network side transmission / reception unit 201 (ST2103).

  FIG. 22 is a flowchart for explaining an authentication information deletion request generation processing operation performed when an authentication information acquisition request is received by the authentication information management unit of the communication apparatus. In FIG. 22, the same reference numerals are given to procedures that are the same as or equivalent to the processing procedures shown in FIG. Here, the part related to Embodiment 2 is demonstrated. In FIG. 22, when an authentication information acquisition response is transmitted in ST1505, an authentication information acquisition deletion request is created and transmitted from a subordinate port of the authentication information acquisition table 403 (ST2201), and the process proceeds to ST1506.

  FIG. 23 is a flowchart for explaining a transfer processing operation performed when an authentication information deletion request is received by the authentication information management unit of the communication apparatus that relays the authentication information deletion request. 23, when the authentication information deletion request is received (ST2301), the authentication information deletion request is transferred as it is to the subordinate port of the entry that matches the terminal MAC address in the authentication information deletion request in the authentication information table 403. (ST2302).

  FIG. 24 is a flowchart illustrating a transfer processing operation performed when an authentication information deletion response is received by the authentication information management unit of the communication apparatus. 24, when an authentication information deletion response is received (ST2401), authentication information management section 404 of the communication device determines whether or not the communication device has created and transmitted an authentication information deletion request (ST2402). As a result, when the own communication apparatus has not transmitted the authentication information deletion request (ST2402: No), the received authentication information deletion response is transferred to the “port to the authentication server” of the entry of the corresponding terminal (ST2403). . Thereafter, the entry of the corresponding terminal is deleted from authentication information table 403 (ST2404). When the own communication apparatus creates and sends an authentication information deletion request (ST2402: Yes), the end of the deletion process is recognized by receiving the authentication information deletion response.

  As described above, according to the second embodiment, the authentication information of the old route is always deleted, so that a highly scalable system can be obtained.

(Embodiment 3)
In the third embodiment of the present invention, the authentication information held in the communication network before the movement is deleted after the authentication processing of the wireless terminal that has moved as in the second embodiment. A configuration example of deleting after elapse is shown (FIGS. 25 and 26). Here, the description will focus on the part related to the third embodiment. FIG. 25 is a network diagram for explaining a case where the authentication information held in the communication network before moving is deleted after a predetermined time has passed as the third embodiment of the present invention. FIG. 26 is a sequence diagram illustrating a case where the authentication information deletion process is performed after the lapse of a predetermined time shown in FIG.

  FIG. 25 shows a case where, in the network state shown in FIG. 11, the deletion process in the authentication information table of the wireless terminal accommodating apparatus 102b before moving and the communication apparatus 103a existing in the middle is performed after a predetermined time has elapsed.

  In FIG. 25, when the communication device 103c returns an authentication information acquisition response 1103 in response to the authentication information acquisition request 1102 from the wireless terminal accommodating device 102c relayed by the communication device 103b, the wireless terminal accommodating device 102b before the movement is made. The authentication information deletion request 2501 in which the transmission source is the own communication device 103c and the MAC address of the wireless terminal 101 is set in the payload is generated and transmitted from the subordinate port held in the authentication information table 403.

  The lower-level communication device 103a relays and transfers the authentication information deletion request 2501 to the subordinate port as the authentication information deletion request 2502. This authentication information deletion request 2502 is received by the wireless terminal accommodating apparatus 102b.

  When receiving the authentication information deletion request 2502, the wireless terminal accommodating apparatus 102b starts a deletion timer. Then, the communication apparatus 103c that has transmitted the authentication information deletion request 2502 is set as the transmission destination, the own wireless terminal accommodating apparatus 102b is set as the transmission source, and the authentication information deletion response 2503 in which the MAC address of the wireless terminal 101 is set as the payload. Create and send to the network side. This authentication information deletion response 2503 is received by the communication apparatus 103a.

  In the wireless terminal accommodating apparatus 102b, the authentication information (encryption key) 2504 of the wireless terminal 101 registered in the authentication information table 205 is held within a certain time until the deletion timer expires, and the deletion timer counts the certain time. When the time is up, the authentication information (encryption key) 2504 is deleted.

  Upon receiving the authentication information deletion response 2503, the communication apparatus 103a starts a deletion timer and sends the received authentication information deletion response 2503 to the port to the authentication server as the authentication information deletion response 2505. As a result, the authentication information deletion response 2505 is received by the communication device 103c.

  In the communication device 103a, the authentication information (encryption key) 2506 of the wireless terminal 101 registered in the authentication information table 403 is held within a certain time until the deletion timer expires, and the deletion timer counts the certain time. When the time is up, the authentication information (encryption key) 2506 is deleted.

  Next, in FIG. 26, when the communication device 1005 transmits an authentication information acquisition response from the port to which the authentication information acquisition request has been input (procedure T1009), the transmission destination is the wireless terminal accommodating device 1002 before movement, and the transmission source is the own device. The communication apparatus 1005 creates an authentication information deletion request in which the MAC address of the wireless terminal 101 is set in the payload, and transmits it from the subordinate port held in the authentication information table 403 (procedure T2601). This authentication information deletion request is received by the wireless terminal accommodating apparatus 1002 before movement via the communication apparatus 1004.

  When receiving the authentication information deletion request, the wireless terminal accommodating apparatus 1002 starts a deletion timer (procedure T2602). Then, the communication device 1005 that has transmitted the authentication information deletion request is set as the transmission destination, the own wireless terminal accommodating device 1002 is set as the transmission source, and an authentication information deletion response is set in which the MAC address of the wireless terminal 101 is set as the payload. And transmit to the network side (procedure T2603). This authentication information deletion response is received by the communication device 1004.

  In the wireless terminal accommodating apparatus 1002, the authentication information (encryption key) of the wireless terminal 101 registered in the authentication information table 205 is held within a certain time until the deletion timer expires, and the deletion timer counts the certain time. When the time is up, the authentication information (encryption key) is deleted (procedure T2604).

  Upon receiving the authentication information deletion response, the communication device 1004 starts a deletion timer (procedure T2605). Then, the received authentication information deletion response is sent to the port to the authentication server (procedure T2606). As a result, the authentication information deletion response is received by the communication device 1005.

  In the communication device 1004, the authentication information (encryption key) of the wireless terminal 101 registered in the authentication information table 403 is held for a certain period of time until the deletion timer times out, and the deletion timer counts the certain time to measure the time. When it is uploaded, the authentication information (encryption key) is deleted (procedure T2607).

  Next, operations in the authentication information management unit of the wireless terminal accommodating device and the communication device before movement will be described with reference to FIG. 27 and FIG. FIG. 27 is a flowchart for explaining an operation of performing authentication information deletion processing after a predetermined time has elapsed in the authentication information management unit of the wireless terminal accommodating apparatus before movement. FIG. 28 is a flowchart for explaining an operation of performing authentication information deletion processing after a predetermined time has elapsed in the authentication information management unit of the communication apparatus.

  In FIG. 27, when the authentication information management unit 206 of the wireless terminal accommodating apparatus before moving receives an authentication information deletion request from the network side transmission / reception unit 201 (ST2701), a deletion timer is started (ST2702), and an authentication information deletion response is sent. It is created and transmitted to the network side (ST2703). Then, it monitors whether the deletion timer expires (ST2704). When the deletion timer expires (ST2704: Yes), the entry corresponding to the terminal MAC address is deleted from the authentication information table 205 (ST2705).

  In FIG. 28, when receiving an authentication information deletion response (ST2801), authentication information management section 404 of the communication device determines whether or not the own communication device has created and transmitted an authentication information deletion request (ST2802). As a result, when the own communication apparatus has not transmitted the authentication information deletion request (ST2802: No), the received authentication information deletion response is transferred to the “port to the authentication server” of the entry of the corresponding terminal (ST2803). . At the same time, a deletion timer is started (ST2804). Then, it monitors whether the deletion timer expires (ST2805). When the deletion timer expires (ST2805: Yes), the entry of the corresponding terminal is deleted from the authentication information table 403 (ST2806). When the communication apparatus creates and sends an authentication information deletion request (ST2802: Yes), the end of the deletion process is recognized by receiving the authentication information deletion response.

  As described above, according to the third embodiment, since authentication information remains within a certain period of time in the wireless terminal accommodating apparatus that has been connected so far and the communication apparatus that is connected to the wireless terminal accommodating apparatus. The authentication information can be acquired immediately when returning to the wireless terminal accommodating apparatus connected again.

(Embodiment 4)
29 and 30 are block diagrams showing configurations of a radio terminal accommodating device and a communication device in the radio network system according to Embodiment 4 of the present invention. In the fourth embodiment, an access measuring unit 2901 is added to the wireless terminal accommodating device as shown in FIG. 29, and an access measuring unit 3001 is added to the communication device as shown in FIG.

  FIG. 31 is a diagram for explaining the access amount for each user measured by the access measuring units 2901 and 3001. As shown in FIG. 31, the access measuring units 2901 and 3001 count and hold the access amount [byte] of the most recent day for each user, for example. Here, all the users are distinguished by the MAC address of the terminal. That is, the access amount [byte] for a certain time is measured for each MAC address of the terminal. In FIG. 31, the amount of access for the most recent day is illustrated, but the measurement time may be lengthened if there is a margin in the memory, or the measurement time may be shortened if there is no margin.

  FIG. 32 is a diagram illustrating the relationship between the timer time of the deletion timer for deleting authentication information held by the authentication information management units 206 and 404 (time until authentication information deletion) and the access amount measured by the access measurement units 2901 and 3001. It is a figure explaining a relationship.

  In the third embodiment, the data is deleted uniformly at a constant time. However, in the fourth embodiment, as shown in FIG. 32, the timer time can be changed depending on the amount of access. For example, as shown in FIG. 32, when the access amount of the most recent day exceeds 2 Mbytes, it takes 24 hours until the authentication information is deleted, but when it is less than 10 kbytes, it is deleted after 10 minutes. . In FIG. 31 and FIG. 32, the access amount is used as a reference, but it may be based on the access time.

  As described above, according to the fourth embodiment, a user who has frequently accessed a certain access point can hold authentication information for a long time even if the user has left the access point once. When the access point is accessed again, the authentication information can be obtained immediately.

  In addition, authentication information for users who have been connected more than before can be retained for a long time, and authentication information for users who do not have much connection can be deleted first. However, it is possible to increase the probability that the authentication information can be acquired immediately when the user moves.

(Embodiment 5)
In the fifth embodiment of the present invention, authentication information is deleted as the timer time (time until authentication information is deleted) of each of the wireless terminal accommodating device and the communication device is advanced from the wireless terminal accommodating device to the higher level of the network. A configuration example in the case of setting a long time until is shown.

  This is because the wireless terminal accommodating apparatus, which is the access point that needs to be installed most frequently, wants to reduce the amount of memory, so it is better not to hold too much authentication information. On the other hand, attention is paid to the fact that the number of communication devices, which are switches placed at a higher level, is small, so that the cost increase factor is small even with hardware having a large amount of memory.

  Specifically, for example, the timer time of the deletion timer (time until authentication information deletion) that each of the wireless terminal accommodating device and the communication device has is set as shown in FIG. FIG. 33 is a diagram for explaining the relationship of the timer times (time until authentication information deletion) of the deletion timer included in the authentication information management unit of the wireless terminal accommodating device and the communication device, as Embodiment 5 of the present invention. In FIG. 33, the first communication device is a communication device that directly accommodates the wireless terminal accommodation device. The second communication device is a communication device that directly accommodates the first communication device.

  As shown in FIG. 33, the wireless terminal accommodating device, the first communication device, and the second communication device have different timer times of the deletion timer, and the wireless terminal accommodating device is deleted in the shortest time. Two communication devices are set so as to keep long in order.

  As described above, according to the fifth embodiment, the communication device arranged higher in the hierarchy of the network holds the authentication information longer than the wireless terminal accommodating device, so that the authentication information is stored when the wireless terminal moves. The probability that it can be acquired immediately can be increased.

  In addition, by shortening the authentication information holding time in the wireless terminal accommodating device and increasing the authentication information holding time in the network side communication device, the memory of the largest number of wireless terminal accommodating devices as a whole system is reduced. Therefore, the cost of the entire system can be reduced while obtaining the effects of the first to third embodiments.

(Embodiment 6)
In the sixth embodiment of the present invention, a configuration example in which the fourth embodiment and the fifth embodiment are combined is shown. A specific example is shown in FIG. FIG. 34 shows, as Embodiment 6 of the present invention, the timer time (time until authentication information deletion) of the authentication information management unit of the wireless terminal accommodating device and the communication device, and the access shown in FIGS. It is a figure explaining the relationship with the access amount measured in a measurement part.

  As shown in FIG. 34, the timer time (time until deletion of authentication information) is changed according to the amount of access in the last day, as in the fourth embodiment. At this time, the timer time (time until authentication information deletion) is the same as in the fifth embodiment, in the wireless terminal accommodating device, the time until the authentication information is deleted is shortened, and the first communication device placed on the network side more. In the second communication device, the time until the authentication information is deleted is lengthened.

  According to the sixth embodiment, in the wireless terminal accommodating apparatus that is the most frequently installed access point, the effect of the fifth embodiment that the memory can be reduced and the authentication information can be quickly given to the user who accesses more. It is possible to have the effect of the fourth embodiment that acquisition is performed.

  In addition, the method of Embodiment 4 in which authentication information is kept longer for users who have been connected so far, and authentication information of users who are not connected is deleted first, and the authentication information in the wireless terminal accommodating apparatus In addition to the method of the fifth embodiment in which the authentication time of the network side is shortened and the authentication information is held longer in the network side communication device, the user moves while reducing the cost of the entire system. Sometimes it is possible to increase the probability that authentication information can be acquired immediately.

  INDUSTRIAL APPLICABILITY The present invention is suitable for constructing a wireless network system that can reduce the load on the authentication server and shorten the authentication time and can start encrypted communication within a short time from a new access point with a high probability. .

1 is a network diagram showing a configuration of a wireless network system according to Embodiment 1 of the present invention. The block diagram which shows the structural example of the radio | wireless terminal accommodation apparatus shown in FIG. The figure which shows the structural example of the authentication information table shown in FIG. The block diagram which shows the structural example of the communication apparatus shown in FIG. The figure which shows the structural example of the authentication information table shown in FIG. Sequence diagram explaining the authentication operation to be performed when connecting for the first time Network diagram for explaining the entry state of the authentication information table of the wireless terminal accommodating device and the communication device by the authentication operation performed when connecting for the first time Sequence diagram explaining the authentication operation when connecting at the destination (when the communication device that holds the authentication information is relatively close) The network figure explaining the entry state of the authentication information table of the radio | wireless terminal accommodating apparatus and communication apparatus by the authentication operation | movement shown in FIG. Sequence diagram explaining the authentication operation to be performed at the time of connection at the destination (when the communication device holding the authentication information is in a relatively remote location) FIG. 10 is a network diagram for explaining an entry state of the authentication information table of the wireless terminal accommodating device and the communication device by the authentication operation shown in FIG. Sequence diagram explaining operation when authentication is performed again when moving (when there is a communication device holding authentication information) Sequence diagram explaining the operation when authentication is performed again when moving (when there is no communication device holding authentication information) A flowchart for explaining the operation of the authentication information management unit of the wireless terminal accommodating apparatus in the authentication operation performed at the time of connection at the destination The flowchart explaining the operation | movement with respect to the authentication information acquisition request reception of the authentication information management part of the communication apparatus in the authentication operation | movement performed at the time of the connection in a movement destination The flowchart explaining the operation | movement with respect to reception of the authentication information acquisition response of the authentication information management part of the communication apparatus in the authentication operation | movement performed at the time of the connection in a movement destination As a second embodiment of the present invention, a network diagram for explaining a process of deleting authentication information held in a communication network before moving (part 1) As a second embodiment of the present invention, a sequence diagram for explaining a process of deleting authentication information held in a communication network before moving (part 2) FIG. 18 is a network diagram for explaining an entry state of the authentication information table of the wireless terminal accommodating device and the communication device by the authentication information deleting process shown in FIG. 18; As a second embodiment of the present invention, a sequence diagram for explaining a process for deleting authentication information held in a communication network before moving (part 3) The flowchart explaining the deletion processing operation | movement of the authentication information in the authentication information management part of a radio | wireless terminal accommodating apparatus. A flowchart for explaining an authentication information deletion request generation processing operation performed when an authentication information acquisition request is received by the authentication information management unit of the communication device The flowchart explaining the transfer processing operation performed when the authentication information deletion request is received by the authentication information management unit of the communication device The flowchart explaining the transfer processing operation performed at the time of receiving the authentication information deletion response in the authentication information management unit of the communication device FIG. 6 is a network diagram for explaining a case where the authentication information held in the communication network before moving is deleted after a predetermined time has passed as Embodiment 3 of the present invention. FIG. 25 is a sequence diagram for explaining a case in which authentication information deletion processing is performed after a predetermined time has elapsed. The flowchart explaining the operation | movement which performs the deletion process of authentication information after the fixed time progress in the authentication information management part of the radio | wireless terminal accommodating apparatus before movement. Flowchart for explaining an operation for deleting authentication information after a predetermined time has elapsed in the authentication information management unit of the communication device FIG. 9 is a block diagram showing a configuration of a radio terminal accommodating device in a radio network system according to Embodiment 4 of the present invention. FIG. 7 is a block diagram showing a configuration of a communication device in a wireless network system according to Embodiment 4 of the present invention. The figure explaining the access amount for every user measured in the access measurement part shown in FIG.29 and FIG.30 The figure explaining the relationship between the timer time (time until authentication information deletion) with which the authentication information management part shown in FIG.29 and FIG.30 is provided, and the access amount measured by the access measurement part shown in FIG.29 and FIG.30 The figure explaining the relationship of the timer time (time until authentication information deletion) with which the authentication information management part of a radio | wireless terminal accommodating apparatus and a communication apparatus each is provided as Embodiment 5 of this invention. As Embodiment 6 of the present invention, the timer time (time until authentication information deletion) provided in the authentication information management unit of the wireless terminal accommodating device and the communication device, respectively, and the access measurement unit shown in FIGS. Diagram explaining the relationship with the amount of access to be measured

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 Wireless terminal 102a, 102b, 102c Wireless terminal accommodating apparatus 103a, 103b, 103c Communication apparatus 104 Authentication server 201 Network side transmission / reception part 202 Antenna part 203 Home side transmission / reception part 204 Encryption / decryption transfer part 205 Authentication information table 206 Authentication information management part 207 Initial authentication processing unit 401-1 to 401-n Transmission / reception unit 402 Transfer unit 403 Authentication information table 404 Authentication information management unit 2901, 3001 Access measurement unit

Claims (8)

A plurality of wireless terminal accommodating devices that are access points of wireless terminals, a large number of communication devices that form a communication network by bundling the plurality of wireless terminal accommodating devices, and are arranged on the communication network and connected to the wireless terminal accommodating device In a wireless network system comprising an authentication server that authenticates a wireless terminal that intends encrypted communication,
The authentication server comprises means for transmitting an authentication success notification when the authentication of the wireless terminal first connected to the wireless terminal accommodating device is successful;
Authentication information used by the wireless terminal from the authentication success notification is respectively used for the wireless terminal accommodating device to which the wireless terminal is first connected and the communication device existing in the path for relaying and transferring the authentication success notification to the wireless terminal accommodating device. comprising a means for storing is taken out,
The destination wireless terminal accommodating apparatus that has received the authentication request from the wireless terminal creates an authentication information acquisition request and transmits it to the communication network, and the authentication used by the wireless terminal from the authentication information acquisition response received from the communication network Retrieving and storing information, and means for transmitting an authentication response to the wireless terminal,
The authentication information used by the wireless terminal among the communication devices existing in the path for relaying and forwarding the authentication information acquisition request transmitted by the destination wireless terminal accommodating device to the communication network to the authentication server is held. A communication device that creates the authentication information acquisition response and transmits the response to the destination wireless terminal accommodating device, and creates an authentication information deletion request to the wireless terminal accommodating device to which the wireless terminal first connected Means for transmitting to,
The wireless terminal accommodating apparatus to which the wireless terminal is first connected receives the authentication information deletion request, generates an authentication information deletion response, and transmits the authentication information deletion request to the communication apparatus that has generated and transmitted the authentication information deletion request. A means for deleting the stored authentication information after a lapse of a predetermined time; and a means for changing a predetermined time until the stored authentication information is deleted according to the access state of the wireless terminal. A wireless network system. A plurality of wireless terminal accommodating devices that are access points of wireless terminals, a large number of communication devices that form a communication network by bundling the plurality of wireless terminal accommodating devices, and are arranged on the communication network and connected to the wireless terminal accommodating device In a wireless network system comprising an authentication server that authenticates a wireless terminal that intends encrypted communication,
The authentication server comprises means for transmitting an authentication success notification when the authentication of the wireless terminal first connected to the wireless terminal accommodating device is successful;
Authentication information used by the wireless terminal from the authentication success notification is respectively used for the wireless terminal accommodating device to which the wireless terminal is first connected and the communication device existing in the path for relaying and transferring the authentication success notification to the wireless terminal accommodating device. Means for taking out and storing
The destination wireless terminal accommodating apparatus that has received the authentication request from the wireless terminal creates an authentication information acquisition request and transmits it to the communication network, and the authentication used by the wireless terminal from the authentication information acquisition response received from the communication network Retrieving and storing information, and means for transmitting an authentication response to the wireless terminal,
The authentication information used by the wireless terminal among the communication devices existing in the path for relaying and forwarding the authentication information acquisition request transmitted by the destination wireless terminal accommodating device to the communication network to the authentication server is held. A communication device that creates the authentication information acquisition response and transmits the response to the destination wireless terminal accommodating device, and creates an authentication information deletion request to the wireless terminal accommodating device to which the wireless terminal first connected Means for transmitting to,
The wireless terminal accommodating apparatus to which the wireless terminal is first connected receives the authentication information deletion request, generates an authentication information deletion response, and transmits the authentication information deletion request to the communication apparatus that has generated and transmitted the authentication information deletion request. And means for deleting the stored authentication information after a predetermined time,
Holds authentication information among communication devices that exist in the path for relaying and forwarding the authentication information deletion response transmitted by the wireless terminal accommodating device to which the wireless terminal is first connected to the communication device that created and transmitted the authentication information deletion request The communication device includes a unit that deletes the held authentication information after a predetermined time, and a unit that changes a predetermined time until the held authentication information is deleted according to the access state of the wireless terminal. A wireless network system. A plurality of wireless terminal accommodating devices that are access points of wireless terminals, a large number of communication devices that form a communication network by bundling the plurality of wireless terminal accommodating devices, and are arranged on the communication network and connected to the wireless terminal accommodating device In a wireless network system comprising an authentication server that authenticates a wireless terminal that intends encrypted communication,
The authentication server comprises means for transmitting an authentication success notification when the authentication of the wireless terminal first connected to the wireless terminal accommodating device is successful;
Authentication information used by the wireless terminal from the authentication success notification is respectively used for the wireless terminal accommodating device to which the wireless terminal is first connected and the communication device existing in the path for relaying and transferring the authentication success notification to the wireless terminal accommodating device. Means for taking out and storing
The destination wireless terminal accommodating apparatus that has received the authentication request from the wireless terminal creates an authentication information acquisition request and transmits it to the communication network, and the authentication used by the wireless terminal from the authentication information acquisition response received from the communication network Retrieving and storing information, and means for transmitting an authentication response to the wireless terminal,
The authentication information used by the wireless terminal among the communication devices existing in the path for relaying and forwarding the authentication information acquisition request transmitted by the destination wireless terminal accommodating device to the communication network to the authentication server is held. A communication device that creates the authentication information acquisition response and transmits the response to the destination wireless terminal accommodating device, and creates an authentication information deletion request to the wireless terminal accommodating device to which the wireless terminal first connected Means for transmitting to ,
The wireless terminal accommodating apparatus to which the wireless terminal is first connected receives the authentication information deletion request, generates an authentication information deletion response, and transmits the authentication information deletion request to the communication apparatus that has generated and transmitted the authentication information deletion request. , Comprising means for deleting the stored authentication information after a certain period of time ,
In the case where the communication device existing in the route for relaying and forwarding the authentication information deletion response transmitted by the wireless terminal accommodating device to which the wireless terminal is first connected has a means for deleting the retained authentication information after elapse of a predetermined time ,
The wireless network system according to claim 1, wherein the predetermined time for deleting the authentication information is set to be short for the wireless terminal accommodating device and longer for the communication device as the hierarchical level of the network goes higher. The wireless terminal accommodating apparatus is provided with means for changing the predetermined time for deleting the authentication information set to be short as the wireless terminal accommodating apparatus is short and the communication apparatus is set to be longer as the hierarchical level of the network is higher, depending on the access state of the wireless terminal. The wireless network system according to claim 3, wherein: In a wireless network system in which an authentication server for authenticating a wireless terminal exists, a wireless terminal accommodating apparatus that is an access point to which the wireless terminal is connected ,
An authentication information table for storing the identifier and authentication information of the wireless terminal in association with each other;
Means for associating and storing the identifier and authentication information of the wireless terminal in the authentication information table when the authentication procedure for the first connected wireless terminal is successful;
Means for creating an authentication information deletion response when receiving an authentication information deletion request from the network side, and transmitting the authentication information deletion request to the network-side communication device that has transmitted,
Means for deleting the corresponding authentication information held in the authentication information table after a predetermined time;
Means for measuring the access state of the wireless terminal;
Means for changing a predetermined time until the corresponding authentication information held in the authentication information table is deleted according to the measured access state of the wireless terminal;
A wireless terminal accommodating apparatus comprising: Authentication information used by the wireless terminal based on an authentication information acquisition response received from the network side communication device, which is generated and transmitted to the authentication server based on an authentication request from a wireless terminal that has moved under the control Means for taking out and storing in the authentication information table ;
Wireless terminal accommodating apparatus according to claim 5, wherein the further and means for transmitting an authentication response to the wireless terminal. 6. The wireless terminal accommodating apparatus according to claim 5 , wherein a predetermined time until the held authentication information is deleted is set to be shorter than a predetermined time in the communication apparatus on the network side. .   In a wireless network system in which an authentication server for authenticating a wireless terminal exists, a wireless terminal accommodating apparatus that is an access point to which the wireless terminal is connected,
  An authentication information table for storing the identifier of the wireless terminal and the authentication information in association with each other;
  Means for associating and storing the identifier and authentication information of the wireless terminal in the authentication information table when the authentication procedure for the first connected wireless terminal is successful;
  Means for creating an authentication information deletion response when receiving an authentication information deletion request from the network side, and transmitting the authentication information deletion request to the network-side communication device that has transmitted,
  Means for deleting the corresponding authentication information held in the authentication information table after a predetermined time,
  The fixed time until deleting the held authentication information is set to be shorter than the fixed time in the network side communication device,
  A wireless terminal accommodating device.

Images