JP6571615B2 - Authentication server, distribution device, client terminal authentication system, and client terminal authentication method - Google Patents

Description

  The present invention relates to an authentication server, a sorting device, a client terminal authentication system, and a client terminal authentication method in wireless communication.

  As information communication devices that can be carried by users, such as smartphones and tablet terminals, are becoming more common, the scenes in which wireless communication is used is expanding. Along with this, users are increasingly using various services by connecting to a fixed communication line from a wireless communication network such as Wi-Fi (registered trademark) using a portable information terminal.

  When a user accesses a fixed communication line using an information communication terminal, a technique such as line authentication is used to realize high security. Line authentication is an authentication technique using a caller ID (Identifier) that uniquely identifies a user's information communication terminal and a line authentication ID that uniquely identifies a communication line connected to a home gateway (HGW) or the like. It is. The line authentication can prevent the user from accessing the network from other than the contracted line.

  However, when a user uses a wireless network such as Wi-Fi, the location where the user tries to connect to the network cannot be specified in advance, and an arbitrary line is shared. Cannot be realized.

  Therefore, an address allocation server is provided at the end of the network, and after performing simple authentication at this address allocation server, further authentication based on the certificate of the client terminal is further performed at the upstream authentication server, so that information using a wireless line is obtained. A terminal authentication system that ensures security in communication has been proposed (see, for example, Patent Document 1).

Japanese Patent Laid-Open No. 2006-149702

  This system is, for example, a method for configuring a virtual vVPN-GW or a VPN (Virtual Private Network) with a router after authenticating a client terminal in two stages. For example, this system uses SSL (Secure Sockets Layer) / TLS (Transport Layer Security) -VPN technology, which is one of encrypted tunnels. Further, for example, this client terminal authentication system can be applied to a configuration in which a home gateway is virtualized and arranged on the network side, or a configuration in which a public Wi-Fi is connected to a vCPE (virtual customer premises equipment).

  Therefore, the configuration and processing flow of a conventional client terminal authentication system will be described. 20 and 22 are diagrams showing the configuration and processing flow of a conventional client terminal authentication system 1P. FIG. 21 is a sequence diagram showing the configuration and processing flow of the conventional client terminal authentication system 1P.

  As shown in FIGS. 20 and 21, conventionally, when the client terminal 10P is connected to a value-added device group or an external network (NW) 100P via a Wi-Fi-AP (access point) 8AP, first, The service portal server 2P at the end of the network performs simple authentication for the client terminal 10P and assigns an IP address. Using this IP address, the client terminal 10P sends a user certificate and a client address for a tunnel establishment request to the upstream authentication server 3P via the service portal server 2P ((1) and FIG. 20). (See steps S31 and S32 in FIG. 21). The user certificate is used for user authentication.

  The authentication server 3P performs user authentication for the client terminal 10P (see (2) in FIG. 20). If the authentication is successful, the authentication result is returned to the service portal server 2P (see step S33 in FIG. 21). The authentication result is the address, ID and password (PW) of the vVPN-GW 7AP assigned to the client terminal 10P, and the client certificate. This client certificate is used when the vVPN tunnel is established.

  The service portal server 2P connects to the access control management device 4P that controls the communication flow, the address (source address) of the AP 8AP to which the client terminal 10P is connected, and the connection destination vVPN-GW 7AP assigned to the client terminal 10P. A setting request is made to the access control list (ACL) with the address (destination address DA) (see (3) in FIG. 20 and step S34 in FIG. 21).

  In response to this, the access control management device 4P sets the ACL (see step S35 in FIG. 21). Then, the access control management device 4P notifies the access control device 5AP of access permission between the AP 8AP and the vVPN-GW 7AP in accordance with the setting contents of the ACL, and the access control device 5AP is granted this permission accordingly. Only packets that flow between AP8AP and vVPN-GW7AP are allowed to pass (see (3 ′) in FIG. 20). The distribution device 6AP distributes the packet transmitted from the access control device 5AP to the vVPN-GW 7AP that is the transmission destination of this packet (see (3 ″ in FIG. 20)).

  Then, the authentication server 3P sets authentication information in the destination vVPN-GW 7AP based on the authentication result for the client terminal 10P (see (4) in FIG. 20 and step S36 in FIG. 21). This authentication information is the client address and client certificate of the client terminal 10P. Subsequently, the service portal server 2P returns the address, ID and PW, and client certificate of the vVPN-GW 7AP assigned to the client terminal 10P to the client terminal 10P ((5) in FIG. 20 and step S37 in FIG. 21). reference). Then, the client terminal 10P transmits the ID, PW, and client certificate to the vVPN-GW 7AP to request tunnel establishment (see (6) in FIG. 20 and step S38 in FIG. 21). Thereby, for example, SSL / TLS authentication is performed between the client terminal 10P and the vVPN-GW 7AP, a tunnel is established, and encrypted communication is performed.

  In this conventional configuration, a virtual machine management function for managing virtual machines is generally used as a redundant configuration system for a client terminal authentication method in wireless communication. However, there is a problem that the installation cost of this virtual machine management function is high.

  Even when the virtual machine management function detects a failure of vVPN-GW7AP (see (1) in FIG. 22) and switches to vVPN-GW7BP (SBY) (see (2) in FIG. 22), Since there is no cooperation between the virtual machine management function and the access control management device 4P, the distribution devices 6AP and 6BP connected to the authentication server 3P and the vVPN-GW 7AP and 7BP cannot follow the switching of the vVPN-GW (FIG. 22). (See (3)).

  Further, since there is no cooperation between the virtual machine management function and the access control management device 4P, the vVPN-GW is switched to the vVPN-GW for permitting the passage of packets to the vVPN-GW 7AP and 7BP. Cannot be notified (see (4) of FIG. 22). That is, although the access control setting is performed for each authentication, there is no mechanism for notifying the access control devices 5AP and 5BP that the vVPN-GW has been switched, so the access control is performed even if an establishment request is made from the client terminal 10P side. The establishment request is deleted in the devices 5AP and 5BP.

  In the presupposed encryption tunnel, since the encryption key is different every time the tunnel is established, it is necessary to perform authentication again. However, in the conventional configuration, since authentication information cannot be transferred to vVPN-GW7BP (SBY), it is necessary to reset the tunnel again.

  Here, normally, a tunnel establishment request can be made from the client terminal 10P. However, functions of IoT (Internet of Things) terminals (for example, sensors), which have been increasing recently, have limited functions for miniaturization and power reduction, and the terminal detects vVPN-GW failures, and There are implementations that do not have the logic of re-establishing the tunnel. Therefore, in order to connect to the value-added device group or the external NW 100P via the switching destination vVPN-GW 7BP, the user starts again from the access to the service portal server 2P, and the user certificate, ID / PW from the authentication server 3P. (Refer to (5) in FIG. 22). As described above, if authentication is performed again, it takes time to re-establish the tunnel, and there is a problem that the tunnel disconnection time (the time during which data cannot be collected from the sensor) becomes long.

  Therefore, according to the conventional technique, when the vVPN-GW is switched according to the failure of the vVPN-GW assigned to the client terminal 10P regardless of the presence or absence of the virtual machine management function, the user again receives the service. There is a problem that it is necessary to access the portal server 2P and receive authentication from simple authentication again, which is inconvenient for the user.

  The present invention has been made in view of the above, and in information communication using a wireless line, re-establishment of communication authentication accompanying router switching is performed smoothly while ensuring a simple configuration and user convenience. It is an object of the present invention to provide an authentication server, a sorting device, a client terminal authentication system, and a client terminal authentication method.

  In order to solve the above-described problems and achieve the object, an authentication server according to the present invention performs terminal authentication during normal operation in VPN communication between a router that forms a redundant system and a client terminal, VPN authentication between the client terminal and the router is enabled by setting the authentication information of the client terminal in the active router, and when switching to the standby router, the authentication information of the client terminal is taken over to the standby router. The backup router is instructed to set the VPN to the client terminal.

  ADVANTAGE OF THE INVENTION According to this invention, in information communication using a radio | wireless line, re-establishment of the communication authentication accompanying switching of a router can be performed smoothly, ensuring a simple structure and user convenience.

FIG. 1 is a diagram for explaining an example of a configuration of a client terminal authentication system according to an embodiment. FIG. 2 is a block diagram showing an example of the configuration of the service portal server shown in FIG. FIG. 3 is a block diagram showing an example of the configuration of the authentication server shown in FIG. FIG. 4 is a diagram illustrating an example of a data configuration of the switching destination information illustrated in FIG. 3. FIG. 5 is a diagram showing an example of the data configuration of one piece of authentication information shown in FIG. FIG. 6 is a block diagram showing an example of the configuration of the access control management apparatus shown in FIG. FIG. 7 is a diagram showing an example of the data structure of the access control list shown in FIG. FIG. 8 is a block diagram showing an example of the configuration of the access control apparatus shown in FIG. FIG. 9 is a block diagram showing an example of the configuration of the sorting apparatus shown in FIG. FIG. 10 is a block diagram illustrating an example of the configuration of the vVPN-GW illustrated in FIG. FIG. 11 is a block diagram showing an example of the configuration of the client terminal shown in FIG. FIG. 12 is a diagram illustrating a flow of authentication processing for a client terminal in the client terminal authentication system according to the embodiment. FIG. 13 is a diagram illustrating a flow of authentication processing for a client terminal in the client terminal authentication system according to the embodiment. FIG. 14 is a diagram illustrating a flow of tunnel re-establishment after a vVPN-GW failure in the client terminal authentication system according to the embodiment. FIG. 15 is a diagram illustrating a tunnel re-establishment flow after a vVPN-GW failure in the client terminal authentication system according to the embodiment. FIG. 16 is a diagram illustrating a flow of tunnel re-establishment after a vVPN-GW failure in the client terminal authentication system according to the embodiment. FIG. 17 is a sequence diagram showing a flow of authentication processing for a client terminal in the client terminal authentication system shown in FIG. FIG. 18 is a sequence diagram showing the flow of tunnel re-establishment processing after a vVPN-GW failure in the client terminal authentication system shown in FIG. FIG. 19 is a diagram illustrating an example of a computer in which each device of the client terminal authentication system is realized by executing a program. FIG. 20 is a diagram showing the configuration and processing flow of a conventional client terminal authentication system. FIG. 21 is a sequence diagram showing the configuration and processing flow of a conventional client terminal authentication system. FIG. 22 is a diagram showing the configuration and processing flow of a conventional client terminal authentication system.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment. Moreover, in description of drawing, the same code | symbol is attached | subjected and shown to the same part.

[Embodiment]
With regard to the client terminal authentication system according to the embodiment, a schematic configuration of the entire client terminal authentication system, a schematic configuration of each device configuring the client terminal authentication system, a processing flow in the client terminal authentication system, and a specific example will be described. Note that the numbers of access control devices and APs described below are merely examples, and are not limited thereto.

[Configuration of client terminal authentication system]
First, the configuration of the client terminal authentication system according to the embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining an example of a configuration of a client terminal authentication system according to an embodiment.

  As shown in FIG. 1, a client terminal authentication system 1 according to an embodiment includes a service portal server 2 (address assignment server), an authentication server 3 located upstream of the network from the service portal server 2, and an access control management device 4 , Access control devices 5A and 5B, distribution devices 6A and 6B, vVPN-GWs 7A and 7B, and access points (AP) 8A and AP8B with which the client terminal 10 performs wireless communication.

  The vVPN-GW 7A (current router, first router) is a vVPN-GW (ACT) that is assigned to the client terminal 10 and operates, and the vVPN-GW 7B (standby router, second router) is This is a vVPN-GW (SBY) that waits while the vVPN-GW 7A is in operation and operates when the vVPN-GW 7A fails. The client terminal authentication system 1 is a system related to VPN communication between a vVPN-GW that forms a redundant system and a client terminal 10.

  In the client terminal authentication system 1 according to the present embodiment, a failure detection function of the vVPN-GW 7A, a synchronization function of authentication information for tunnel establishment necessary for the vVPN-GW switching operation after the failure detection, the authentication server 3 The ACL setting request function via the service portal server 2 and the tunnel activation function for tunnel re-establishment at the client terminal 10 are set. As a result, in the client terminal authentication system 1, when performing VPN communication between the vVPN-GW that forms a redundant system and the client terminal 10, while ensuring a simple configuration and user convenience, It is possible to smoothly re-establish communication authentication upon switching.

  The client terminal 10 is connected to the network by wireless communication between the AP 8A and AP 8B, and is connected to the value-added device group or the external network 100 via the vVPN-GWs 7A and 7B assigned to the client terminal 10. The value-added device group includes, for example, a video distribution server and a translation server that provide added value such as content distribution and translation limited to the client terminal 10 connected to the vVPN-GWs 7A and 7B.

  The client terminal 10 is a terminal that performs wireless communication with the AP 8A or the AP 8B, and is an information communication device that can be carried by the user, such as a smartphone or a tablet terminal. The client terminal 10 holds a user certificate for receiving a service in advance. The client terminal 10 makes an address authentication assignment request to the service portal server 2 and transmits a user certificate to the authentication server 3 using the IP address assigned by the service portal server 2. Alternatively, the client terminal 10 can request authentication to the authentication server 3 using the login ID and PW.

  When the authentication certificate required for communication authentication (for example, SSL / TLS authentication) (for example, client certificate), ID, and PW is returned from the authentication server 3, the client terminal 10 is assigned via the AP 8 </ b> A. A tunnel establishment request is made to the vVPN-GW 7A. The client terminal 10 performs encrypted communication with the vVPN-GW 7A using a tunnel established by executing SSL / TLS authentication with the vVPN-GW 7A. When the client terminal 10 receives the address information (connection destination information) of vVPN-GW 7A and vVPN-GW 7B from the authentication server 3, and receives a tunnel establishment request from the vVPN-GW 7B having the address included in the address information In this case, SSL / TLS authentication is executed with the vVPN-GW 7B to establish a tunnel.

  The service portal server 2 is located at the end of the network and accepts various services. This service includes simple authentication for the client terminal 10, and the service portal server 2 receives an address assignment request from the client terminal 10, executes address authentication, and succeeds in address authentication. An address for sending a certificate to the authentication server 3 is transmitted to the client terminal 10. In addition, the service includes an authentication request to the authentication server 3 by the client terminal 10 after simple authentication, and a return of the authentication result to the client terminal 10. Note that the service portal server 2 uses, as an authentication result, the vVPN-GW 7A (ACT) address assigned to the client terminal 10 and the vVPN-GW 7B (SBY) address at the time of failure in addition to the authenticated ID and PW. Return to the client terminal 10.

  Further, the service portal server 2 requests the access control management device 4 to set the access permitted client terminal 10 as an access permission target so as to execute access management based on the authentication result. For example, the service portal server 2 uses the address of the AP 8A that performs wireless communication with the client terminal 10 permitted to be accessed by the authentication server 3 and the address of the vVPN-GW 7A (ACT) assigned to the client terminal 10 as a transmission destination. The access control management device 4 is requested to set the ACL in association with the identification information of the access control device 5A. When the distribution device 6A (described later) switches from vVPN-GW 7A to vVPN-GW 7B, the service portal server 2 determines the vVPN-GW corresponding to the AP to which the client terminal 10 is connected in the ACL. A request to switch from vVPN-GW 7A to vVPN-GW 7B is made.

  The authentication server 3 performs terminal authentication during normal operation, and enables VPN communication between the client terminal 10 and the vVPN-GW 7A by setting authentication information of the client terminal 10 in the vVPN-GW 7A. At the time of switching to the GW 7B, the authentication information of the client terminal 10 is taken over to the vVPN-GW 7B and the VPN setting to the client terminal 10 is instructed to the vVPN-GW 7B. Specifically, the authentication server 3 receives the user certificate transmitted by the client terminal 10 after the simple authentication via the service portal server 2, and executes user authentication using the transmitted user certificate. . If the authentication is successful using the user certificate, the authentication server 3 permits the client terminal 10 to access the network, and returns the authentication result to the client terminal 10 via the service portal server 2. As described above, the authentication result is the ID after authentication, PW, the address of vVPN-GW 7A (ACT) assigned to the client terminal 10, and the address of vVPN-GW 7B (SBY) at the time of failure.

  Further, the authentication server 3 synchronizes authentication information necessary for SSL / TLS authentication performed with the client terminal 10 between the vVPN-GW 7A and the vVPN-GW 7B. Note that the authentication server 3 has registered in advance address information of the vVPN-GW 7A and vVPN-GW 7B. Further, the authentication server 3 may perform an authentication process using the login ID and PW transmitted from the client terminal 10.

  The access control management device 4 performs different access control for each client terminal 10 by giving an access control instruction to the access control devices 5A and 5B. Holds ACL related to access control. This ACL includes the address of the AP (source address: SA) for wireless communication with the client terminal 10 permitted to be accessed by the authentication server 3, and the address of the destination vVPN-GW assigned to the client terminal 10 (transmission). The destination address: DA) is associated with the identification information of the access control devices 5A and 5B. Information to be set in the ACL is requested from the service portal server 2.

  In response to the switching request from the vVPN-GW 7A to the vVPN-GW 7B by the service portal server 2, the access control management device 4 converts the vVPN-GW corresponding to the AP to which the client terminal 10 is connected from the vVPN-GW 7A to the vVPN. -Switch to GW7B. At the same time, the access control management device 4 permits the access control device 5B to pass packets flowing between the AP 8B to which the client terminal 10 is connected and the vVPN-GW 7B.

  The access control device 5A controls access between the vVPN-GW 7A and the AP 8A connected to the distribution device 6A (first distribution device), and passes a packet for which access is permitted. For example, the access control device 5A includes the AP 8A in the path, and passes a packet flowing through the tunnel T1 between the client terminal 10 and the vVPN-GW 7A assigned to the client terminal 10.

  In addition, when the distribution device 6A switches from the vVPN-GW 7A to the vVPN-GW 7B, the access control device 5B determines whether the vVPN-GW 7B and the AP 8B connected to the distribution device 6B (second distribution device) are connected. Control the access between them and allow the packets for which access is permitted to pass. For example, the access control device 5B includes the AP 8B in the path, and passes the packet flowing through the tunnel between the client terminal 10 and the vVPN-GW 7B.

  The sorting device 6A refers to the DA included in the outer header of the received packet, and sorts the packet addressed to the vVPN-GW 7A among the received packets to the vVPN-GW 7A.

  When the distribution device 6A detects a failure of the vVPN-GW 7A, the distribution device 6A sends authentication information necessary for SSL / TLS authentication with the client terminal 10 to the authentication server 3 to the vVPN-GW 7B. Instruct to send. In this case, the authentication server 3 sends at least the address information of the client terminal 10 that is the execution destination of SSL / TLS authentication to the vVPN-GW 7B, and the SSL / TLS authentication key used with the client terminal 10. Information is transmitted as authentication information. Then, the distribution device 6A instructs the distribution device 6B to switch packet distribution from the vVPN-GW 7A to the vVPN-GW 7B. As described above, the distribution device 6A instructs switching from the vVPN-GW 7A to the vVPN-GW 7B. Note that the sorting device 6A has registered in advance the address information of the vVPN-GW 7A and the vVPN-GW 7B.

  The distribution device 6B switches the distribution destination of the packet received via the access control device 5B to vVPN-GW 7B according to the switching of the gateway of the distribution device 6A.

  The vVPN-GWs 7A and 7B are arranged on the network side, and a tunnel termination point established with the client terminal 10 is set. The vVPN-GWs 7A and 7B are virtual machines that operate in the virtual environment of the physical server, and are connected to the value-added device group or the external NW 100 according to the service used by the client terminal 10. That is, the vVPN-GWs 7A and 7B function as gateways when accessing the value-added device group or the external NW 100. The vVPN-GWs 7A and 7B group a plurality of client terminals 10 and provide customized added value in units of groups.

  The vVPN-GWs 7A and 7B receive from the client terminal 10 a packet that includes an electronic certificate and is encrypted by SSL / TSL. Then, the vVPN-GWs 7A and 7B decrypt the received packets based on the authentication information synchronized with the authentication server 3. Subsequently, when the vVPN-GW 7A, 7B authenticates that the client terminal 10 of the communication partner is authentic using the electronic certificate in the packet, the vVPN-GW 7A, 7B establishes a tunnel (specifically, the client terminal 10). Is an encrypted IP tunnel). Thereafter, the vVPN-GWs 7A and 7B perform communication with the client terminal 10 by encrypting data using the tunnel.

  The vVPN-GW 7A stands by while the vVPN-GW 7A is operating, and when the vVPN-GW 7A fails, the vVPN-GW 7A uses the authentication information necessary for SSL / TSL authentication performed with the client terminal 10 to use the client. A tunnel is established with the terminal 10.

  In this embodiment, the vVPN-GW 7A, 7B is a VPN configuration method, but a vCPE in which CPE (Customer Premises Equipment) is virtualized may be configured. Further, the vVPN-GWs 7A and 7B may be physical servers themselves. The vVPN-GWs 7A and 7B may be routers or GW routers.

  The AP 8A and AP 8B are relay apparatuses that connect to the client terminal 10 by wireless communication, and also have a connection function with a wired LAN, for example. The AP 8A is connected to the access control device 5A. The AP 8B is connected to the access control device 5B. The AP 8A and AP 8B convert the IP address and port number of the packet transmitted from the client terminal 10 by NAPT (Network Address Port Translation). In this case, the address of the inner header of the packet transmitted by the AP 8A and the AP 8B is a value NAPTed by the AP, and is the same value for a group of clients connected to the same AP. Therefore, the access control management device 4 and the access control devices 5A and 5B perform access control by recognizing information in the outer header. Alternatively, in the case of a pattern in which the client terminal 10 transmits to the vVPN-GW7, the client terminal 10 side sets the OTT server address as the inner DA address and sets the vVPN-GW7 address as the outer DA address. , 8B.

  In this client terminal authentication system 1, after authentication by the authentication server 3, for the client terminal 10, after establishing the tunnel T <b> 1 including the AP 8 </ b> A, the sorting device 6 </ b> A detects the presence / absence of a vVPN-GW 7 </ b> A failure. Then, the sorting device 6A detects a failure of the vVPN-GW 7A and instructs to switch to the vVPN-GW 7B. Along with this, transmission of authentication information to the vVPN-GW 7B by the authentication server 3 and an access permission request between the vVPN-GW 7B and the client terminal 10 to the access control management device 4 via the service portal server 2 are executed. Is done. As a result, it is possible to send a tunnel establishment request to the client terminal 10 from the vVPN-GW 7B after switching.

  In the embodiment, the client terminal 10 has a function of establishing a tunnel when receiving a tunnel establishment request from the vVPN-GW 7B having the registered address. Therefore, the client terminal 10 can establish a tunnel with the vVPN-GW 7B in response to a tunnel establishment request by the vVPN-GW 7B. Therefore, in this embodiment, even if the virtual device management function is not provided, the vVPN-GW maintains the simple configuration, and the user accesses the service portal server 2 again and does not receive authentication from the simple authentication again. It is possible to smoothly execute re-establishment of communication authentication in accordance with the switching. Therefore, the configuration of the main device of the client terminal authentication system 1 will be described.

[Service Portal Server configuration]
First, the configuration of the service portal server 2 will be described. FIG. 2 is a block diagram showing an example of the configuration of the service portal server 2 shown in FIG. As illustrated in FIG. 2, the service portal server 2 includes a communication unit 21, a storage unit 22, and a control unit 23.

  The communication unit 21 is a communication interface that transmits and receives various types of information to and from devices connected via a network.

  The storage unit 22 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and a processing program for operating the service portal server 2 or a processing program The data used during the execution of is stored. The storage unit 22 stores the IP address of the client terminal 10 that has performed address assignment and the authentication result of the client terminal 10 that has been successfully authenticated by the authentication server 3. The storage unit 22 stores connection destination information of both the vVPN-GWs 7A and 7B in advance.

  The control unit 23 has an internal memory for storing a program that defines various processing procedures and the necessary data, and executes various processes using these. For example, the control unit 23 is an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit). The control unit 23 includes an authentication reception unit 231 and an access control list setting request unit 232.

  The authentication receiving unit 231 receives an address authentication assignment request from the client terminal 10 via wireless communication with the AP, performs simple authentication, and assigns an IP address to the client terminal 10 when the authentication is successful. The simple authentication is not particularly limited, and an authentication level may be set according to the security level required for the network. For example, the authentication accepting unit 231 may acquire the caller ID and the line authentication ID in the same manner as the line authentication, and may set the IP address to be issued only when the registered user caller ID is acquired. Good. In addition to the caller ID, simple authentication may be realized using a 5 tuple, a SIM, a tunnel ID, or the like.

  Further, the authentication receiving unit 231 receives an authentication request from the client terminal 10 that has accessed the network using the IP address, and transmits a user certificate to the authentication server 3. Then, the authentication reception unit 231 returns the authentication result (ID, PW, client certificate) by the authentication server 3 to the client terminal 10. The authentication reception unit 231 notifies the client terminal 10 of connection destination information of both the vVPN-GWs 7A and 7B notified from the authentication server 3.

  The access control list setting request unit 232 requests the access control management device 4 to set the access permitted client terminal 10 as an access permission target so as to execute access management based on the authentication result by the authentication server 3.

  For example, the access control list setting request unit 232 includes the address of the AP 8A that performs wireless communication with the client terminal 10 that is permitted to access by the authentication server 3, and the vVPN-GW 7A (ACT) assigned to the client terminal 10 as a transmission destination. The access control management device 4 is requested to set the address in the ACL in association with the identification information of the access control device 5A. When the distribution device 6A (described later) switches from vVPN-GW 7A to vVPN-GW 7B, the access control list setting request unit 232, among ACLs, vVPN- corresponding to the AP to which the client terminal 10 is connected. The access control management device 4 is requested to switch the GW from vVPN-GW 7A to vVPN-GW 7B.

[Configuration of authentication server]
Next, the configuration of the authentication server 3 will be described. FIG. 3 is a block diagram showing an example of the configuration of the authentication server 3 shown in FIG. As illustrated in FIG. 3, the authentication server 3 includes a communication unit 31, an authentication database (DB) 32, and a control unit 33.

  The communication unit 31 is a communication interface that transmits and receives various types of information to and from a device connected via a network.

  The authentication DB 32 is a DB inside the authentication server 3 or a DB connected to the authentication server 3 through a dedicated line. The authentication DB 32 stores switching destination information 321 and authentication information 322.

  The switching destination information 321 is information in which the address of the vVPN-GW (ACT) assigned to the client terminal 10 and the address of the vVPN-GW (SBY) are associated with each client terminal 10. FIG. 4 is a diagram illustrating an example of a data configuration of the switching destination information 321 illustrated in FIG. As shown in the table Ta in FIG. 4, for the client terminal 10, the address “A” of the vVPN-GW (ACT) assigned to the client terminal 10 and the vVPN-GW (SBY) assigned to the client terminal 10. Is associated with the address “B”. The switching destination information 321 is registered in advance. Alternatively, the switching destination information 321 may be information acquired by the authentication server 3 at the time of terminal authentication with vVPN-GW (ACT) connection. Further, the switching destination information 321 may be notified from the sorting device 6A when the vVPN-GW (ACT) fails.

  The authentication information 322 stores a server certificate issued from the certificate authority, an authentication key, and the like in the authentication server 3. Further, the authentication DB 32 stores authentication information regarding the client terminal 10 authenticated by the authentication server 3 for each client terminal 10. FIG. 5 is a diagram showing an example of the data configuration of one piece of authentication information 322 shown in FIG. For example, as shown in the table Tb of FIG. 5, any one of the authentication information 322 is obtained by associating key information “D” as authentication information with the address “C” of the client terminal 10. .

  Similar to the control unit 23, the control unit 33 is an electronic circuit such as a CPU or MPU, and executes various processes according to a program that defines various processing procedures. The control unit 33 includes an authentication unit 331 and an ACL setting instruction unit 332.

  The authentication unit 331 receives a user certificate transmitted from the client terminal 10 to which the IP address is assigned via the communication unit 31, and performs authentication using the user certificate. For example, when receiving the user certificate from the client terminal 10, the authentication server 3 decrypts the electronic signature included in the user certificate using the public key. Accordingly, the authentication unit 331 determines whether or not the user certificate is authentic. The authenticating unit 331 authenticates the authenticity of the user certificate. When the authentication is successful, the authentication unit 331 permits the client terminal 10 that has transmitted the user certificate to access the network.

  Then, the authentication unit 331 returns the ID, PW, and client certificate corresponding to the client terminal 10 that has permitted access to the client terminal 10 via the service portal server 2. At this time, the authentication unit 331 also notifies the client terminal 10 of the address of the vVPN-GW 7A (ACT) assigned to the client terminal 10 and the address of the vVPN-GW 7B (SBY) at the time of failure.

  In addition, the authentication unit 331 synchronizes authentication information necessary for SSL / TLS authentication with the client terminal 10 between the vVPN-GWs 7A and 7B. When the distribution unit 6A instructs the vVPN-GW 7B to switch from the vVPN-GW 7A to the vVPN-GW 7B, the authentication unit 331 sends at least the client terminal 10 that performs SSL / TLS authentication to the vVPN-GW 7B. Address information and key information for SSL / TLS authentication used with the client terminal 10 are transmitted as authentication information. The address of the client terminal 10 connected from the vVPN-GW 7B (SBY) is acquired by the authentication server 3 at the time of terminal authentication at the time of connection of the vVPN-GW 7A (ACT), and a connection instruction to the client terminal 10 when the vVPN-GW 7A fails. At the same time, the VPN-GW 7B (SBY) is notified.

  The ACL setting instruction unit 332 corresponds to the AP to which the client terminal 10 is connected to the ACL with respect to the service portal server 2 when the distribution device 6A is instructed to switch from the vVPN-GW 7A to the vVPN-GW 7B. Instructs vVPN-GW to switch from vVPN-GW 7A to vVPN-GW 7B.

[Configuration of access control management device]
Next, the configuration of the access control management device 4 will be described. The access control management device 4 is a management device that is, for example, a PCRF (Policy and Charging Rules Function). FIG. 6 is a block diagram showing an example of the configuration of the access control management device 4 shown in FIG. As illustrated in FIG. 6, the access control management device 4 includes a communication unit 41, a storage unit 42, and a control unit 43.

  The communication unit 41 is a communication interface that transmits and receives various types of information to and from a device connected via a network.

  The storage unit 42 is realized by a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk, and is used during execution of a processing program for operating the access control devices 5A and 5B or the processing program. Data etc. are stored. The storage unit 42 stores an access control list 421.

  FIG. 7 is a diagram showing an example of the data configuration of the access control list 421 shown in FIG. As shown in the table Tc of FIG. 7A, the access control list 421 includes, in the identification information of the access control devices 5A and 5B to be managed, the packets that permit access to the access control devices 5A and 5B. The addresses (SA, DA) of the outer header are associated with each other. For example, the access control device 5A is associated with the address (SA1) of the AP 8A to which the client terminal 10 is connected, and is associated with the address (DA1) of the vVPN-GW 7A assigned to the client terminal 10.

  Like the control unit 23, the control unit 43 is an electronic circuit such as a CPU or MPU, and executes various processes according to a program that defines various processing procedures. The control unit 43 includes an access control list setting unit 431 and an access control unit 432.

  Upon receiving a setting request for the access control list 421 from the service portal server 2, the access control list setting unit 431 sets information requested to be set in the access control list 421. Then, the access control list setting unit 431 performs ACL change setting in response to the switching request from the vVPN-GW 7A to the vVPN-GW 7B by the service portal server 2.

  For example, when there is a request for switching from vVPN-GW 7A to vVPN-GW 7B, the access control list setting unit 431 uses the table Tc corresponding to the client terminal 10 in the ACL (see FIG. 7A). Then, SA1 and DA1 are deleted from the outer header corresponding to the access control device 5A. Then, as shown in the table Td (see FIG. 7B), the access control list setting unit 431 stores the address (DA2) of the vVPN-GW 7B (SBY) and the access control apparatus 5B. The ACL is changed so as to correspond to the address (SA2) of the AP 8B to be connected.

  The access control unit 432 identifies the flow for each client terminal 10 by issuing an access control instruction to the access control devices 5A and 5B according to the setting contents of the access control list 421, and different access control for each client terminal 10. I do.

  For example, when the table Tc is set as the ACL of the client terminal 10, the access control unit 432 permits the access control device 5A to pass packets containing “SA1” and “DA1” in the outer header. doing. That is, the access control unit 432 permits the access control device 5A to access between the AP 8A and the vVPN-GW 7A. When the table Td is set as the ACL of the client terminal 10 by the switching request from the vVPN-GW 7A to the vVPN-GW 7B, the access control unit 432 sets “SA2” in the outer header to the access control device 5A. , “DA2” is allowed to pass. That is, the access control unit 432 permits the access control device 5B to access between the AP 8B and the vVPN-GW 7B.

[Configuration of access control device]
Next, the configuration of the access control device 5A will be described. FIG. 8 is a block diagram showing an example of the configuration of the access control apparatus 5A shown in FIG. The access control device 5B has the same configuration as the access control device 5A. As illustrated in FIG. 8, the access control device 5A includes a communication unit 51, a storage unit 52, and a control unit 53.

  The communication unit 51 is a communication interface that transmits and receives various types of information to and from devices connected via a network.

  The storage unit 52 is realized by a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk, and a processing program for operating the access control device 5A, data used during execution of the processing program, or the like Is memorized. The storage unit 52 stores an access permission list 521. The access permission list 521 indicates the address of the outer header of a packet that the access control device 5A is permitted to access from the access control management device 4.

  Like the control unit 23, the control unit 53 is an electronic circuit such as a CPU or MPU, and executes various processes according to a program that defines various processing procedures. The control unit 53 includes an access permission list setting unit 531 and an access processing unit 532.

  The access permission list setting unit 531 receives access control from the access control management device 4, and adds the SA and DA of the client terminal 10 to which the access control device 5A is permitted to access the access permission list 521, or , Delete.

  The access processing unit 532 determines the outer header of the packet received by the access control device 5A, refers to the access permission list 521, and determines whether the packet can pass. Since the access control device 5A is connected to the AP 8A, the access processing unit 532 controls access between the vVPN-GW 7A and the AP 8A assigned to the client terminal 10, and based on an instruction from the access control management device 4 , Pass the packet for which access is permitted. That is, the access control device 5A includes the AP 8A in the route, and passes the tunnel T1 between the client terminal 10 and the vVPN-GW 7A assigned to the client terminal 10.

[Configuration of sorting device]
Next, the configuration of the sorting device 6A shown in FIG. 1 will be described. FIG. 9 is a block diagram showing an example of the configuration of the sorting apparatus 6A shown in FIG. As illustrated in FIG. 9, the sorting device 6 </ b> A includes a communication unit 61, a storage unit 62, and a control unit 63.

  The communication unit 61 is a communication interface that transmits and receives various types of information to and from a device connected via a network.

  The storage unit 62 is realized by a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk, and a processing program for operating the sorting device 6A, data used during execution of the processing program, and the like Is memorized. The storage unit 62 stores switching destination information 621. The switching destination information 621 indicates the address information of the vVPN-GW 7A (ACT) assigned to the client terminal 10 and the connection destination information of the vVPN-GW 7B (vVPN-GW (SBY)).

  Similar to the control unit 23, the control unit 63 is an electronic circuit such as a CPU or MPU, and executes various processes according to a program that defines various processing procedures. The control unit 63 includes a distribution unit 631, a failure detection unit 632, and a switching instruction unit 633.

  The allocating unit 631 distributes the packets to which the vVPN-GW 7A is the transmission destination among the received packets to the vVPN-GW 7A.

  The failure detection unit 632 detects a failure of the vVPN-GW 7A. Specifically, the failure detection unit 632 transmits a status monitoring packet request to the vVPN-GW 7A at regular intervals. Then, the failure detection unit 632 detects a failure of the vVPN-GW 7A based on the presence / absence of a state monitoring packet response of the vVPN-GW 7A to the state monitoring packet request. That is, when there is a vVPN-GW 7A state monitoring packet response to the state monitoring packet request, the failure detection unit 632 determines that there is no failure in the vVPN-GW 7A. On the other hand, when there is no vVPN-GW 7A state monitoring packet response to the state monitoring packet request, the failure detection unit 632 determines that a failure has occurred in the vVPN-GW 7A.

  When the failure detection unit 632 detects a failure of the vVPN-GW 7A, the switching instruction unit 633 communicates the authentication server 3 with the client terminal 10 to the vVPN-GW 7B, which is the redundant destination of the vVPN-GW 7A. Instructs transmission of authentication information necessary for SSL / TSL authentication to be performed. Then, the switching instruction unit 633 instructs the distribution device 6B to switch packet distribution from the vVPN-GW 7A to the vVPN-GW 7B. As described above, the switching instruction unit 633 instructs switching from the vVPN-GW 7A to the vVPN-GW 7B.

  The distribution device 6B only needs to have a function of distributing the received packet to the switching destination vVPN-GW 7B in response to the switching instruction of the distribution device 6A. That is, the distribution device 6B may have a configuration similar to that of the distribution device 6A, or may have a configuration in which the failure detection unit 632 and the switching instruction unit 633 are deleted from the distribution device 6A. Of course, the sorting device 6B may have the same configuration as the sorting device 6A.

[Configuration of vVPN-GW]
Next, the configuration of the vVPN-GW 7A shown in FIG. 1 will be described. FIG. 10 is a block diagram illustrating an example of the configuration of the vVPN-GW 7A illustrated in FIG. The vVPN-GW 7B has the same configuration as the vVPN-GW 7A. As illustrated in FIG. 10, the vVPN-GW 7A includes a communication unit 71, a storage unit 72, and a control unit 73.

  The communication unit 71 is a communication interface that transmits and receives various types of information to and from a device connected via a network, and is actually provided in a physical server that operates the vVPN-GW 7A.

  The storage unit 72 stores a processing program for operating the vVPN-GW 7A, data used during the execution of the processing program, and the like. When the client terminals 10 are grouped, the storage unit 72 stores the identification information of the client terminals 10 belonging to the group in association with each group. And the memory | storage part 72 matches and memorize | stores the content which shows the value-added function to provide, the information of the value-added apparatus of a provision destination, etc. for every group. The storage unit 72 is realized by a RAM, a semiconductor memory element such as a flash memory provided in a physical server that operates the vVPN-GW 7A, or a storage device such as a hard disk or an optical disk.

  The control unit 73 executes various processes according to a program that defines various processing procedures. The control unit 73 is an electronic circuit such as a CPU or MPU provided in a physical server that operates the vVPN-GW 7A. The control unit 73 includes a client group management unit 731, an added value function providing unit 732, an authentication execution unit 733, and a state monitoring packet response unit 734.

  The client group management unit 731 groups a plurality of arbitrary client terminals 10. For example, the client group management unit 731 temporarily sets a client group in response to an event or the like. The client group management unit 731 stores the identification information of the client terminals 10 belonging to the group in the storage unit 72 in association with each group.

  The value-added function providing unit 732 connects to the value-added device group according to the service used by the client terminal 10 and provides the client terminal 10 with value-added functions such as limited content and translation. The value-added function providing unit 732 distributes traffic to an appropriate operator network or value-added device group. The value-added function providing unit 732 is grouped by the client group management unit 731. Provide customized value-added functions for each group.

  The authentication execution unit 733 executes SSL / TLS authentication with the client terminal 10 and establishes a tunnel with the client terminal 10. In the present embodiment, an encrypted tunnel technology using SSL authentication, SSL-VPN (for example, Open VPN) is used. For example, when the vVPN-GW 7A and the client terminal 10 perform encrypted communication using SSL / TLS authentication used for realizing the Open VPN, the authentication procedure of both the vVPN-GW 7A and the client terminal 10 I do. In this authentication technique, a packet consistency check based on the HMAC signature is performed on all SSL / TLS handshake packets using a TLS-AUTH HMAC common key (hereinafter referred to as a common key).

  When the state monitoring packet response unit 734 receives a state monitoring packet request from the distribution device 6A, and there is no failure in the vVPN-GW 7A, the state monitoring packet response unit 734 responds to the state monitoring packet request to the distribution device 6A (state monitoring packet). Response).

[Client terminal configuration]
Next, the configuration of the client terminal 10 shown in FIG. 1 will be described. FIG. 11 is a block diagram showing an example of the configuration of the client terminal 10 shown in FIG. As illustrated in FIG. 11, the client terminal 10 includes a communication unit 11, a storage unit 12, a control unit 13, an input unit 14, and an output unit 15.

  The communication unit 11 is a communication interface that transmits and receives various types of information to and from a device connected via a network.

  The storage unit 12 is realized by a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk, and stores a processing program for operating the client terminal 10, data used during execution of the processing program, and the like. Remembered.

  The storage unit 12 stores switching destination information 121. The switching destination information 121 indicates the address information of vVPN-GW 7A (ACT) assigned to the client terminal 10 and the connection destination information of vVPN-GW 7B (SBY).

  Similar to the control unit 23, the control unit 13 is an electronic circuit such as a CPU or MPU, and executes various processes according to a program that defines various processing procedures. The control unit 13 includes a communication control unit 131.

  The communication control unit 131 receives the address information (connection destination information) of vVPN-GW 7A and vVPN-GW 7B from the authentication server 3 and stores them as switching destination information 121 in the storage unit 12. When the communication control unit 131 receives a tunnel establishment request from the vVPN-GW 7B having the address included in the switching destination information 121, the communication control unit 131 executes SSL / TLS authentication with the vVPN-GW 7B to establish a tunnel. Establish.

  The input unit 14 is an input interface that accepts various operations from the user of the client terminal 10. For example, the input unit 14 includes buttons, a touch panel, a voice input device, and input devices such as a keyboard and a mouse. The output unit 15 is, for example, a liquid crystal display and outputs various information such as communication results.

[Flow of authentication processing for client terminals]
Next, the flow of authentication processing for the client terminal 10 in the client terminal authentication system 1 will be described. 12 and 13 are diagrams showing the flow of authentication processing for the client terminal 10 in the client terminal authentication system 1.

  First, as shown in FIG. 12, the authentication server 3 and the sorting device 6A detect a failure based on the redundant configuration of the vVPN-GW 7A (ACT) and the VPN-GW 7B (SBY) that are configured in advance. The switching destination (vVPN-GW7B (SBY)) of vVPN-GW7A (ACT) at that time is registered (see (1) and (1 ') in FIG. 12). Then, the authentication server 3 sends connection destination information of both the vVPN-GW 7A (ACT) and vVPN-GW 7B (SBY) assigned to the client terminal 10 from the service portal server 2 when the client terminal 10 authentication is requested. The access control management device 4 is notified (see (2) and (3) in FIG. 12).

  The access control management device 4 receives connection destination information of vVPN-GW 7A (ACT) and vVPN-GW 7B (SBY) (see (4) in FIG. 12), and holds these pieces of information. Further, the client terminal 10 receives the connection destination information of vVPN-GW 7A (ACT) and vVPN-GW 7B (SBY) (see (4 ′) in FIG. 12) and stores it as switching destination information 121. As a result, the authentication server 3, the distribution device 6A, the access control management device 4 and the client terminal 10 are connected to the vVPN-GW 7A (ACT) address “A” and the vVPN-GW 7B (as shown in a frame C1 in FIG. SBY) The table Ta associated with the address “B” is stored.

  Subsequently, the client terminal 10 makes an IP address assignment request to the service portal server 2 via wireless communication with the AP 8A. When the service portal server 2 succeeds in simple authentication, an IP address is assigned. The client terminal 10 connects to the network using the assigned IP address, and sends the user certificate to the authentication server 3 (see (1) in FIG. 13). The user certificate is used for user authentication. A processing procedure for tunnel re-establishment processing after a vVPN-GW failure will be described with reference to FIG.

  When the authentication server 3 succeeds in the authentication using this user certificate (see (2) in FIG. 13), the authentication result is returned to the service portal server 2. The service portal server 2 connects to the access control management apparatus 4 the address (source address) of the AP 8A to which the client terminal 10 is connected and the address (transmission destination address) of the connection destination vVPN-GW 7A assigned to the client terminal 10. DA) is requested to set to ACL ((3) in FIG. 13).

  In response to this, the access control management device 4 performs ACL setting (see (3-1) in FIG. 13). Then, the access control management device 4 notifies the access control device 5A of access permission between the AP 8A and the vVPN-GW 7A according to the ACL setting contents (see (3-2) in FIG. 13), and according to this. The access control device 5A passes only the permitted packets flowing between the AP 8A and the vVPN-GW 7A (see (3-3) in FIG. 13).

  Then, the authentication server 3 sets authentication information to the destination vVPN-GW 7A (ACT) based on the authentication result for the client terminal 10 (see (4) in FIG. 13). For example, as shown in the table Tb of the frame C2 in FIG. 13, the authentication server 3 sends the address “C” of the client terminal 10 and the key information “D” that is authentication information corresponding to the client terminal 10 to the vVPN− Send to GW7A. Also, the allocating device 6A sees the address of the outer header of the packet transmitted from the access control device 5A, and distributes it to the vVPN-GW 7A (see (4-1) in FIG. 13).

  Then, the authentication server 3 sends the address of the vVPN-GW 7A (ACT) assigned to the client terminal 10, the address of the vVPN-GW 7B (SBY) at the time of failure, ID, PW, client certificate via the service portal server 2 The document is returned to the client terminal 10 (see (5) in FIG. 13). Then, the client terminal 10 makes a tunnel establishment request to the vVPN-GW 7A (ACT) (see (6) in FIG. 13), and uses the ID, PW, and client certificate to communicate with the vVPN-GW 7A (ACT). A tunnel is established between them and encrypted communication is performed. The client certificate is used when the vVPN tunnel is established.

[Flow of tunnel re-establishment after vVPN-GW failure]
Next, the flow of tunnel re-establishment after a vVPN-GW 7A (ACT) failure in the client terminal authentication system 1 will be described. 14 to 16 are diagrams showing a tunnel re-establishment flow after the vVPN-GW 7A (ACT) failure in the client terminal authentication system 1. FIG.

  The allocating device 6A makes a state monitoring packet request to the vVPN-GW 7A (ACT) (see (1) in FIG. 14). When there is no response from the vVPN-GW 7A (ACT) to the state monitoring packet request, the distribution device 6A detects a failure of the vVPN-GW 7A (ACT) (see (2) in FIG. 14). In this case, the distribution device 6A instructs the distribution device 6B to switch the packet distribution destination to the vVPN-GW 7B (see (3) in FIG. 14). Then, the distribution device 6A instructs the authentication server 3 to synchronize the authentication information of the tunnel accommodated in the vVPN-GW 7A (ACT) with the vVPN-GW 7B (SBY) (see (4) in FIG. 14). ). In response to this, the authentication server 3 synchronizes the key information “D” necessary for authentication with the client terminal 10 to the vVPN-GW 7B (SBY) (see (5) in FIG. 14).

  Subsequently, the authentication server 3 instructs the service portal server 2 to switch to the vVPN-GW 7B (SBY) side (see (1) in FIG. 15). In response to this, the service portal server 2 instructs the access control management device 4 to validate the ACL of vVPN-GW 7B (SBY) (see (2) in FIG. 15). That is, the service portal server 2 requests the access control management device 4 to switch the vVPN-GW corresponding to the AP to which the client terminal 10 is connected from the vVPN-GW 7A to the vVPN-GW 7B in the ACL.

  In response to this, the access control management device 4 switches the vVPN-GW corresponding to the AP to which the client terminal 10 is connected from the ACL from the vVPN-GW 7A to the vVPN-GW 7B ((3) in FIG. 15). reference). The access control management device 4 permits the access control device 5B to access between the AP 8B and the vVPN-GW 7B (see (4) in FIG. 15). As a result, the access control device 5B permits the passage of packets between the AP 8B and the vVPN-GW 7B (see (5) in FIG. 15).

  As a result, the tunnel establishment request can be transmitted from the vVPN-GW 7B (address “B”) (see (1) in FIG. 16). When the client terminal 10 receives a tunnel establishment request from the vVPN-GW 7B having the address “B” included in the switching destination information 121, the client terminal 10 performs SSL / TLS authentication with the vVPN-GW 7B and performs the tunnel T2 Is established (see (2) of FIG. 16). As described above, in the embodiment, even when the vVPN-GW 7A fails, the client terminal 10 does not access the service portal server 2 again, and does not access the service portal server 2 again. Can be re-established.

[Authentication processing for client terminals]
Next, with reference to FIG. 17, a processing procedure of authentication processing for the client terminal 10 in the client terminal authentication system 1 will be described. FIG. 17 is a sequence diagram showing a flow of authentication processing for the client terminal 10 in the client terminal authentication system 1 shown in FIG.

  First, the service portal server 2 performs simple authentication for the client terminal 10 and assigns an IP address. Using this IP address, the client terminal 10 sends a user certificate and a client address for a tunnel establishment request to the upstream authentication server 3 via the service portal server 2 (steps S1 and S2).

  The authentication server 3 performs user authentication for the client terminal 10, and if the authentication is successful, returns the authentication result to the service portal server 2 (step S3). The authentication result is the vVPN-GW 7A address assigned to the client terminal 10, the vVPN-GW 7B (SBY) address, ID and PW, and client certificate when the vVPN-GW 7A fails. The service portal server 2 requests the access control management device 4 to set the ACL of the address of the AP 8A to which the client terminal 10 is connected and the address of the vVPN-GW 7A assigned to the client terminal 10 (step S4). ).

  In response to this, the access control management device 4 sets the ACL (step S5). Then, the access control management device 4 notifies the access control device 5A of access permission between the AP 8A and the vVPN-GW 7A according to the ACL setting contents (step S6), and according to this, the access control device 5A This permitted packet passing between the AP 8A and the vVPN-GW 7A is passed.

  Further, the authentication server 3 sets authentication information in the vVPN-GW 7A (step S7). The authentication information is an address of the client terminal 10 and a client certificate. Subsequently, the service portal server 2 returns the vVPN-GW 7A address, the vVPN-GW 7B (SBY) address, the ID and PW, and the client certificate when the vVPN-GW 7A fails (step S8). The client terminal 10 transmits an ID / PW and a client certificate to the vVPN-GW 7A, and makes a tunnel establishment request (step S9). Thereby, for example, SSL / TLS authentication is performed between the client terminal 10 and the vVPN-GW 7A, a tunnel is established, and encrypted communication is performed.

  FIG. 17 shows a sequence in the case where the authentication server 3 manages the addresses of VPN-GW 7A (ACT) and VPN-GW 7B (SBY). Since the address of vVPN-GW7B (SBY) is notified to the client terminal 10 in advance, only VPN-GW7B (SBY) connection is permitted when vVPN-GW7A (ACT) fails, as described in FIG. Tunnel connection.

[Tunnel re-establishment after vVPN-GW failure]
Therefore, with reference to FIG. 18, a processing procedure of tunnel re-establishment processing after a vVPN-GW failure in the client terminal authentication system 1 will be described. FIG. 18 is a sequence diagram showing a flow of tunnel re-establishment processing after a vVPN-GW 7A failure in the client terminal authentication system 1 shown in FIG.

  As shown in FIG. 18, the sorting apparatus 6A (ACT side) periodically transmits a state monitoring packet request to the vVPN-GW 7A (step S11). If there is no failure in vVPN-GW 7A, vVPN-GW 7A transmits a state monitoring packet response (step S12). Then, even if the distribution device 6A transmits the state monitoring packet request (step S13), if there is no reply from the vVPN-GW 7A for a certain period due to the failure of the vVPN-GW 7A (step S14), the distribution device 6A ACT) is determined to be a failure (step S15).

  Then, the distribution device 6A instructs the distribution device 6B (SBY) to switch to the distribution destination vVPN-GW 7B (step S16). Then, the distribution device 6B requests the authentication server 3 to synchronize the authentication information with respect to the vVPN-GW 7B, and instructs switching to the vVPN-GW 7B (SBY) (step S17).

  In response to this instruction, the authentication server 3 issues an ACL setting instruction (an ACL setting instruction for vVPN-GW7B (SBY)) to the service portal server 2 (step S18). In the case of notifying the VPN-GW 7B (SBY) address to the authentication server 3 from the sorting apparatus 6A that has detected the failure of the vVPN-GW 7A (ACT), the authentication server 3 uses the vVPN-GW 7A, the VPN-GW 7B, It is not necessary to manage the correspondence relationship. However, in this case, the authentication server 3 does not execute vVPN-GW7B (SBY) notification to the client terminal 10 at the time of authentication.

  In response to this instruction, the service portal server 2 requests the access control management device 4 to switch the vVPN-GW corresponding to the AP to which the client terminal 10 is connected from the vVPN-GW 7A to the vVPN-GW 7B in the ACL. Perform (step S19). Then, the access control management device 4 switches the vVPN-GW corresponding to the AP to which the client terminal 10 is connected from the ACL from the vVPN-GW 7A to the vVPN-GW 7B (step S20). The access control management device 4 permits the access control device 5B to access between the AP 8B and the vVPN-GW 7B (step S21).

  Further, the authentication server 3 sends synchronization information of authentication information necessary for authentication with the client terminal 10 to the vVPN-GW 7B (SBY) (step S22). In this case, the authentication server 3 sends the address of the client terminal 10 and the client certificate as authentication information to the vVPN-GW 7B (SBY). The vVPN-GW 7B (SBY) transmits a tunnel establishment request to the client terminal 10 (step S23). When the client terminal 10 receives a tunnel establishment request from the vVPN-GW 7B having the address included in the switching destination information 121, the client terminal 10 establishes a tunnel by executing SSL / TLS authentication with the vVPN-GW 7B.

[Effect of the embodiment]
As described above, in the client terminal authentication system 1 according to the embodiment, after the authentication by the authentication server 3, after establishing the tunnel including the AP 8A for the client terminal 10, the distribution device 6A determines whether or not the vVPN-GW 7A has failed. Detect. When the distribution device 6A detects a failure of the vVPN-GW 7A and instructs to switch to the vVPN-GW 7B, the authentication server 3 transmits the authentication information to the vVPN-GW 7B and passes through the service portal server 2. The access permission request between the vVPN-GW 7B and the client terminal 10 to the access control management device 4 is executed. As a result, it is possible to send a tunnel establishment request to the client terminal 10 from the vVPN-GW 7B after switching.

  In the embodiment, the client terminal 10 has a function of establishing a tunnel when receiving a tunnel establishment request from the vVPN-GW 7B having the registered address. Therefore, the client terminal 10 can establish a tunnel with the vVPN-GW 7B in response to a tunnel establishment request by the vVPN-GW 7B.

  In other words, in this embodiment, at the time of switching from vVPN-GW 7A (ACT) to vVPN-GW 7B (SBY), the distribution device 6A notifies the authentication server 3 of the vVPN-GW switching, and the authentication server 3 The authentication information of the client terminal 10 is set in the vVPN-GW 7B (SBY) and is taken over. In the embodiment, the tunnel is re-established from the vVPN-GW 7B (SBY) to the client terminal 10. As a result, according to the present embodiment, it is possible to make a vVPN-GW redundant configuration even in an IoT terminal or the like having a limited function, and to shorten the tunnel disconnection time at the time of a vVPN-GW failure. become.

  Therefore, in this embodiment, even if the virtual device management function is not provided, the vVPN-GW maintains the simple configuration, and the user accesses the service portal server 2 again and does not receive authentication from the simple authentication again. It is possible to smoothly execute re-establishment of communication authentication in accordance with the switching.

  In the client terminal authentication system 1, the service portal server 2 executes address authentication, thereby preventing an unauthorized client terminal from sending a communication flow to the network. Further, in the client terminal authentication system 1, by further executing authentication based on the certificate of the client terminal 10 that has succeeded in address authentication, it is possible to improve the security of the network as compared with the case where only address authentication is performed. Therefore, the client terminal authentication system 1 can achieve high security in information communication using a wireless line.

  Further, in the client terminal authentication system 1, since the authentication server 3 is arranged upstream of the service portal server 2, compared to the case where the service portal server 2 and the authentication server 3 are arranged at the same position on the network. The authentication server 3 can be centrally arranged.

  As a result, in this embodiment, re-establishment of communication authentication associated with vVPN-GW switching can be smoothly performed while ensuring a simple configuration and user convenience in information communication using a wireless line. At the same time, high security can be realized.

  In the present embodiment, the access control management device 4 has described an example in which the SA and DA included in the out header of the packet are set in association with the identification information of the access control devices 5A and 5B as ACL. Of course, but not limited to this. The access control management device 4 associates and sets 5 tuples (Source IP, Destination IP, Src Port, Dst Port, Protocol) included in the out header of the packet as identification information of the access control devices 5A and 5B as ACL. The access control devices 5A and 5B may be controlled so as to permit the passage of packets including 5 tuples set in the ACL in the out header.

  In the present embodiment, the case where the address of vVPN-GW 7B (SBY) is set in advance in each device such as the authentication server 3 has been described as an example. However, the present invention is not limited to this. The distribution device 6A that detects a failure of the vVPN-GW 7A (ACT) authenticates connection destination information (address) of the vVPN-GW 7B (SBY) corresponding to the vVPN-GW 7A (ACT) that has detected the failure at the time of failure detection. The server 3 may be notified. The authentication server 3 may access the address of the vVPN-GW 7B (SBY) notified from the distribution device 6A, instruct the connection to the vVPN-GW 7B (SBY), and transmit the authentication information.

[System configuration of the embodiment]
Each component of the client terminal authentication system 1 shown in FIG. 1 is functionally conceptual and does not necessarily need to be physically configured as illustrated. That is, the specific form of distribution and integration of the functions of the client terminal authentication system 1 is not limited to the one shown in the figure, and all or a part of them can be functionally functioned in arbitrary units according to various loads and usage conditions. It can be physically distributed or integrated.

  In addition, each process performed in each device of the client terminal authentication system 1 may be realized by the CPU and a program that is analyzed and executed by the CPU. Moreover, each process performed in each device of the client terminal authentication system 1 may be realized as hardware by wired logic.

  In addition, among the processes described in the embodiment, all or a part of the processes described as being automatically performed can be manually performed. Alternatively, all or part of the processing described as being performed manually can be automatically performed by a known method. In addition, the above-described and illustrated processing procedures, control procedures, specific names, and information including various data and parameters can be changed as appropriate unless otherwise specified.

[program]
FIG. 19 is a diagram illustrating an example of a computer in which each device of the client terminal authentication system 1 is realized by executing a program. The computer 1000 includes a memory 1010 and a CPU 1020, for example. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example. The video adapter 1060 is connected to the display 1130, for example.

  The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of each device of the client terminal authentication system 1 is implemented as a program module 1093 in which a code executable by the computer 1000 is described. The program module 1093 is stored in the hard disk drive 1090, for example. For example, a program module 1093 for executing processing similar to the functional configuration in each device of the client terminal authentication system 1 is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

  The setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 and executes them as necessary.

  The program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN, etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

  Although the embodiment to which the invention made by the present inventor is applied has been described above, the present invention is not limited by the description and the drawings that form part of the disclosure of the present invention according to this embodiment. That is, other embodiments, examples, operation techniques, and the like made by those skilled in the art based on the present embodiment are all included in the scope of the present invention.

1, 1P client terminal authentication system 2, 2P service portal server 3, 3P authentication server 4, 4P access control management device 5A, 5B, 5AP, 5BP access control device 6A, 6B, 6AP, 6BP distribution device 7A, 7B, 7AP , 7BP vVPN-GW
8A, 8B, 8AP, 8BP Access point (AP)
10, 10P Client terminal 11, 21, 31, 41, 51, 61, 71 Communication unit 12, 22, 42, 52, 62, 72 Storage unit 13, 23, 33, 43, 53, 63, 73 Control unit 32 Authentication Database (DB)
100,100P value added device group or external network (NW)
121, 321, 621 Switching destination information 131 Communication control unit 231 Authentication accepting unit 232 Access control list setting request unit 331 Authentication unit 322 Authentication information 332 ACL setting instruction unit 421 Access control list (ACL)
431 Access control list setting unit 432 Access control unit 521 Access permission list 531 Access permission list setting unit 532 Access processing unit 631 Distribution unit 632 Failure detection unit 633 Switching instruction unit T1, T2 Tunnel

Claims (7)

In VPN (Virtual Private Network) communication between a router that forms a redundant system and a client terminal, during normal operation, terminal authentication is performed, and authentication information of the client terminal is set in the active router, thereby the client VPN communication between the terminal and the router is possible, and when switching to the standby router, the authentication information of the client terminal is taken over to the standby router and the VPN to the client terminal is set in the standby router An authentication server characterized by Among the received packets, the client terminal is a first router assigned to a client terminal permitted to access the network and uses a communication path established by performing communication authentication with the client terminal. A distribution unit that distributes a packet to which the first router that performs encrypted communication to the first router to the first router;
A failure detection unit for detecting a failure of the first router;
When the failure detection unit detects a failure of the first router, to the authentication server that has permitted access to the client terminal to the second router that is the redundant destination of the first router, A switching instruction unit for instructing transmission of authentication information necessary for communication authentication performed with the client terminal and switching from the first router to the second router;
A sorting apparatus comprising: A client terminal authentication system for authenticating a client terminal connected to a network by wireless communication between access points and permitting the client terminal to access the network,
A router assigned to the client terminal, the first router performing encrypted communication with the client terminal using a communication path established by executing communication authentication with the client terminal;
Wait while the first router is operating, and if the first router fails, use the authentication information necessary for communication authentication with the client terminal to communicate with the client terminal. A second router that establishes a communication path to
Of the received packets, the packet addressed to the first router is distributed to the first router, and when a failure of the first router is detected, the authentication server performs the process with the client terminal. A first distribution device that instructs transmission of authentication information necessary for communication authentication to the second router, and switches from the first router to the second router;
During normal operation, terminal authentication is performed, and authentication information of the client terminal is set in the first router, thereby enabling VPN communication between the client terminal and the first router. An authentication server that takes over the authentication information of the client terminal to the second router and instructs the second router to set up a VPN for the client terminal,
The packet passing between the access point to which the client terminal is connected and the first router is allowed to pass, and the first distribution device switches from the first router to the second router. An access control device that permits passage of a packet flowing between the access point to which the client terminal is connected and the second router;
A second distribution device that switches a distribution destination of a packet received via the access control device to the second router according to switching of the router of the first distribution device;
A client terminal authentication system comprising: The first distribution device and the authentication server have registered connection destination information of the first router and connection destination information of the second router,
The client terminal receives the connection destination information of the first router and the connection destination information of the second router from the authentication server, and establishes a communication path from the second router having the received connection destination information. 4. The client terminal authentication system according to claim 3, wherein when a request is received, communication authentication is executed with the second router to establish the communication path. Storing an access control list in which an address of the access point that performs wireless communication with the client terminal and an address of a router assigned as a transmission destination to the client terminal are associated with identification information of the access control device; An access control management device that allows the access control device to pass packets according to a list;
When the address allocation request from the client terminal is received and address authentication is performed and the address authentication is successful, an address for sending a certificate to the authentication server is transmitted to the client terminal, The access control management apparatus requests to set the address of the access point that performs communication and the address of the router assigned as a transmission destination to the client terminal in the access control list in association with the identification information of the access control apparatus An address assignment server for
Further comprising
The address allocation server corresponds to an access point to which the client terminal connects in the access control list when the first distribution device switches from the first router to the second router. Requesting the access control management device to switch the router to be switched from the first router to the second router;
The access control management device switches a router corresponding to an access point to which the client terminal is connected from the first router to the second router in the access control list in response to a request from the address assignment server. 5. The client terminal according to claim 3, wherein the access control device is allowed to pass a packet flowing between the access point to which the client terminal is connected and the second router. Authentication system.   The authentication server transmits, to the second router, at least address information of the client terminal that is a communication authentication execution destination and communication authentication key information used between the client terminal as the authentication information. The client terminal authentication system according to any one of claims 3 to 5, wherein An authentication server arranged in the network performs terminal authentication during normal operation in VPN communication between a router forming a redundant system and a client terminal, and sets authentication information of the client terminal in a working router. Enabling VPN communication between the client terminal and the router,
The authentication server, when switching to the standby router, takes over the authentication information of the client terminal to the standby router and instructs the standby router to set the VPN to the client terminal;
A client terminal authentication method comprising:

Images