KR102675599B1 - System for providing time policy based authentification service for wireless lan access - Google Patents

Abstract

A wireless LAN environment time-based authentication service provision system is provided, and a user terminal enters an ID and password for WPA2 Enterprise authentication and connects to the wireless LAN according to a preset time policy, and the wireless LAN at a preset time for WPA2 Enterprise authentication. A setting unit that allows authentication and restricts wireless LAN authentication at other times, a restriction unit that restricts access by bypassing authentication requests outside of preset times, and forces wireless LAN connection outside of preset times. It includes an authentication service providing server including a release unit that releases the authentication service.

Description

Wireless LAN environment time-based authentication service provision system {SYSTEM FOR PROVIDING TIME POLICY BASED AUTHENTIFICATION SERVICE FOR WIRELESS LAN ACCESS}

The present invention relates to a time-based authentication service provision system in a wireless LAN environment, and provides a solution that allows and limits usage time using a time policy in a wireless LAN environment.

WPA (Wi-Fi Protected Access) is a wireless Wi-Fi network security protocol being developed by the Wi-Fi Alliance and is defined by the IEEE (Institute of Electrical and Electronics Engineers) 802.11i standard. Before the 802.11i standard was completed, the Wi-Fi Alliance temporarily introduced WPA, a partial implementation of the 802.11i standard, to protect wireless Wi-Fi communications. When the 802.11i standard was finally published in 2004, the Wi-Fi Alliance WPA2 was adopted and used as a standard for providing a secure network. WPA provides a more secure network environment, RSN (Robust Secure Network), by using a different encryption key and message integrity key for each packet from the key generated in the authentication process. The data encryption method of WPA is divided into WPA1 version and WPA2 version, and the encryption algorithm of each version uses TKIP (Temporal Key Integrity Protocol) and AES-CCMP (Counter mode with Cipher block chaining with Message authentication code Protocol) to encrypt data. Provides encryption for In addition, WPA's authentication method can be divided into WPA-PSK method and WPA-Enterprise method depending on the presence or absence of an authentication server. The Enterprise method uses the 802.1x/EAP authentication method as an authentication method using an authentication server.

At this time, for the security of wireless LAN, a method of registering MAC or IP or hiding SSID in hidden mode was researched and developed. In relation to this, the prior art, Korean Patent Publication No. 2015-0025459 (March 2015) In Korea Patent No. 10-1357970 (announced on February 5, 2014), SSID, MAC, IP, and authentication method are received and included in the whitelist, and if any of them do not match as a result of comparison, the unauthorized AP For the configuration determined by the configuration and initial wireless LAN setup, a hidden wireless LAN is set, and if a hidden wireless LAN exists for a preset time, the SSID and network key of the basic wireless LAN are set through the hidden wireless LAN, and the SSID and Each configuration for reconnecting a terminal to a wireless LAN based on a network key is disclosed.

However, in the former case, it does not provide security for the wireless LAN itself, but only initiates a configuration to identify unauthorized APs, and even if MAC or IP is applied to the wireless LAN itself, it does not provide security in an environment that uses dynamic IP or random MAC addresses. Inappropriate. In the latter case, it is said to set up a hidden wireless LAN, but this is not a fundamental measure. In the case of wired LAN, there are physical limitations, but wireless LAN allows anyone to connect through SSID 24 hours a day, and can provide an access path for anonymous users outside of work hours when network management is not performed. Additionally, an AP Radio Scheduler also exists, but the method of turning the access point's signal on and off according to scheduling is not a universal method. Accordingly, research and development of a solution that can perform authentication while maintaining security in the WPA2 Enterprise authentication environment is required.

One embodiment of the present invention prevents unnecessary access by bypassing the authentication process outside of the preset authentication time, and prevents unnecessary access using Session-Timeout and Login-Time Attribute. By establishing a time policy, it is possible to provide a time policy for wireless LAN authentication by dividing the basic policy, exclusive policy, and the method of mixing basic policy and exclusive policy into Global, Group, and User. A wireless LAN environment time-based authentication service provision system can be provided. However, the technical challenge that this embodiment aims to achieve is not limited to the technical challenges described above, and other technical challenges may exist.

As a technical means for achieving the above-described technical problem, one embodiment of the present invention is to enter an ID and password for WPA2 Enterprise authentication, and authenticate the user terminal and WPA2 Enterprise connected to the wireless LAN according to a preset time policy. For this purpose, a setting unit that allows wireless LAN authentication at preset times and restricts wireless LAN authentication at other times, a restriction unit that restricts access by bypassing authentication requests outside of the preset time, and a preset time Other wireless LAN connections include an authentication service providing server that includes a release unit that forcibly disconnects the connection.

According to one of the means for solving the problem of the present invention described above, unnecessary access is prevented by bypassing the authentication process outside of the preset authentication time, and session-timeout and login-time attributes (Login -By establishing a time policy using Time Attribute, wireless LAN authentication is achieved by dividing the basic policy, exclusive policy, and a mixture of basic policy and exclusive policy into Global, Group, and User. A time policy can be provided for this.

Figure 1 is a diagram for explaining a system for providing a time-based authentication service in a wireless LAN environment according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating the authentication service providing server included in the system of FIG. 1.
Figures 3 and 4 are diagrams for explaining an embodiment in which a time-based authentication service in a wireless LAN environment is implemented according to an embodiment of the present invention.
Figure 5 is an operation flowchart illustrating a method for providing a time-based authentication service in a wireless LAN environment according to an embodiment of the present invention.

Below, with reference to the attached drawings, embodiments of the present invention will be described in detail so that those skilled in the art can easily implement the present invention. However, the present invention may be implemented in many different forms and is not limited to the embodiments described herein. In order to clearly explain the present invention in the drawings, parts unrelated to the description are omitted, and similar parts are given similar reference numerals throughout the specification.

Throughout the specification, when a part is said to be "connected" to another part, this includes not only the case where it is "directly connected," but also the case where it is "electrically connected" with another element in between. . In addition, when a part is said to "include" a certain component, this means that it does not exclude other components, but may further include other components, unless specifically stated to the contrary, and one or more other features. It should be understood that it does not exclude in advance the presence or addition of numbers, steps, operations, components, parts, or combinations thereof.

The terms “about,” “substantially,” and the like used throughout the specification are used to mean at or close to that value when manufacturing and material tolerances inherent in the stated meaning are presented, and are used to enhance the understanding of the present invention. Precise or absolute figures are used to assist in preventing unscrupulous infringers from taking unfair advantage of stated disclosures. The term “step of” or “step of” as used throughout the specification of the present invention does not mean “step for.”

In this specification, 'part' includes a unit realized by hardware, a unit realized by software, and a unit realized using both. Additionally, one unit may be realized using two or more pieces of hardware, and two or more units may be realized using one piece of hardware. Meanwhile, '~ part' is not limited to software or hardware, and '~ part' may be configured to reside in an addressable storage medium or may be configured to reproduce one or more processors. Therefore, as an example, '~ part' refers to components such as software components, object-oriented software components, class components, and task components, processes, functions, properties, and procedures. , subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays, and variables. The functions provided within the components and 'parts' may be combined into a smaller number of components and 'parts' or may be further separated into additional components and 'parts'. Additionally, components and 'parts' may be implemented to regenerate one or more CPUs within a device or a secure multimedia card.

In this specification, some of the operations or functions described as being performed by a terminal, apparatus, or device may instead be performed on a server connected to the terminal, apparatus, or device. Likewise, some of the operations or functions described as being performed by the server may also be performed in a terminal, apparatus, or device connected to the server.

In this specification, some of the operations or functions described as mapping or matching with the terminal mean mapping or matching the terminal's unique number or personal identification information, which is identifying data of the terminal. It can be interpreted as

Hereinafter, the present invention will be described in detail with reference to the attached drawings.

Figure 1 is a diagram for explaining a system for providing a time-based authentication service in a wireless LAN environment according to an embodiment of the present invention. Referring to FIG. 1, a wireless LAN environment time-based authentication service providing system 1 may include at least one user terminal 100, an authentication service providing server 300, and at least one AP 400. However, since the wireless LAN environment time-based authentication service providing system 1 of FIG. 1 is only an embodiment of the present invention, the present invention is not limited to FIG. 1.

At this time, each component of FIG. 1 is generally connected through a network (Network, 200). For example, as shown in FIG. 1, at least one user terminal 100 may be connected to the authentication service providing server 300 through the network 200. In addition, the authentication service providing server 300 may be connected to at least one user terminal 100 and at least one AP 400 through the network 200. Additionally, at least one AP 400 may be connected to the authentication service providing server 300 through the network 200.

Here, the network refers to a connection structure that allows information exchange between each node, such as a plurality of terminals and servers. Examples of such networks include a local area network (LAN) and a wide area network (WAN). Wide Area Network, Internet (WWW: World Wide Web), wired and wireless data communication network, telephone network, wired and wireless television communication network, etc. Examples of wireless data communication networks include 3G, 4G, 5G, 3rd Generation Partnership Project (3GPP), 5th Generation Partnership Project (5GPP), 5G New Radio (NR), 6th Generation of Cellular Networks (6G), and Long Term Evolution (LTE). , WIMAX (World Interoperability for Microwave Access), Wi-Fi, Internet, LAN (Local Area Network), Wireless LAN (Wireless Local Area Network), WAN (Wide Area Network), PAN (Personal Area Network) ), RF (Radio Frequency), Bluetooth (Bluetooth) network, NFC (Near-Field Communication) network, satellite broadcasting network, analog broadcasting network, DMB (Digital Multimedia Broadcasting) network, etc., but are not limited thereto.

In the following, the term at least one is defined as a term including singular and plural, and even if the term at least one does not exist, each component may exist in singular or plural, and may mean singular or plural. This should be self-explanatory. In addition, whether each component is provided in singular or plural form may be changed depending on the embodiment.

At least one user terminal 100 may be a terminal of a user who wants to access the wireless LAN using a web page, app page, program, or application related to a wireless LAN environment time-based authentication service. If access is possible according to a preset time policy, the user terminal 100 may be a terminal that connects to the AP 400 by entering an ID and password.

Here, at least one user terminal 100 may be implemented as a computer capable of accessing a remote server or terminal through a network. Here, the computer may include, for example, a laptop equipped with a navigation system and a web browser, a desktop, a laptop, etc. At this time, at least one user terminal 100 may be implemented as a terminal capable of accessing a remote server or terminal through a network. At least one user terminal 100 is, for example, a wireless communication device that guarantees portability and mobility, and includes navigation, personal communication system (PCS), global system for mobile communications (GSM), personal digital cellular (PDC), PHS (Personal Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), Wibro (Wireless Broadband Internet) ) It may include all types of handheld-based wireless communication devices such as terminals, smartphones, smartpads, and tablet PCs.

The authentication service providing server 300 may be a server that provides a wireless LAN environment time-based authentication service web page, app page, program, or application. Additionally, the authentication service providing server 300 may be a server that controls access to the AP 400 according to a preset time policy.

Here, the authentication service providing server 300 may be implemented as a computer that can connect to a remote server or terminal through a network. Here, the computer may include, for example, a laptop equipped with a navigation system and a web browser, a desktop, a laptop, etc.

At least one AP 400 may be a device that allows connection of an authenticated user terminal 100 according to a preset time policy using a web page, app page, program, or application related to a time-based authentication service in a wireless LAN environment. there is.

Here, at least one AP 400 may be implemented as a computer capable of accessing a remote server or terminal through a network. Here, the computer may include, for example, a laptop equipped with a navigation system and a web browser, a desktop, a laptop, etc. At this time, at least one AP 400 may be implemented as a terminal capable of accessing a remote server or terminal through a network. At least one AP 400 is, for example, a wireless communication device that guarantees portability and mobility, and is used for navigation, personal communication system (PCS), global system for mobile communications (GSM), personal digital cellular (PDC), and PHS. (Personal Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), Wibro (Wireless Broadband Internet) It may include all types of handheld-based wireless communication devices such as terminals, smartphones, smartpads, and tablet PCs.

FIG. 2 is a block diagram illustrating the authentication service providing server included in the system of FIG. 1, and FIGS. 3 and 4 illustrate an embodiment in which a time-based authentication service in a wireless LAN environment is implemented according to an embodiment of the present invention. This is a drawing to explain.

Referring to FIG. 2, the authentication service providing server 300 includes a setting unit 310, a restriction unit 320, a release unit 330, a basic policy processing unit 340, an exclusive policy processing unit 350, and an authentication processing unit ( 360).

The authentication service providing server 300 or another server (not shown) operating in conjunction with an embodiment of the present invention performs time-based authentication in a wireless LAN environment with at least one user terminal 100 and at least one AP 400. When transmitting a service application, program, app page, web page, etc., at least one user terminal 100 and at least one AP 400 use the wireless LAN environment time-based authentication service application, program, app page, web page, etc. etc. can be installed or opened. Additionally, a service program may be run on at least one user terminal 100 and at least one AP 400 using a script executed in a web browser. Here, a web browser is a program that allows the use of web (WWW: World Wide Web) services and refers to a program that receives and displays hypertext written in HTML (Hyper Text Mark-up Language), for example, Chrome. , Microsoft Edge, Safari, FireFox, Whale, UC Browser, etc. Additionally, an application refers to an application on a terminal and includes, for example, an app running on a mobile terminal (smartphone).

Referring to FIG. 2, the setting unit 310 may allow wireless LAN authentication at a preset time for WPA2 Enterprise authentication and restrict wireless LAN authentication at other times. At this time, looking at the security mechanism of WPA (WiFi Protected Access), as vulnerabilities in WEP were discovered by various attack techniques, IEEE announced WPA to supplement this. WPA provides a more secure network environment, RSN (Robust Secure Network), by using a different encryption key and message integrity key for each packet from the key generated in the authentication process. The data encryption method of WPA is divided into WPA1 version and WPA2 version, and the encryption algorithm of each version uses TKIP (Temporal Key Integrity Protocol) and AES-CCMP (Counter mode with Cipher-block chaining with Message authentication code Protocol) to encrypt data. Provides encryption for . Additionally, WPA's authentication method can be divided into WPA-PSK method and WPA-Enterprise method depending on the presence or absence of an authentication server. The PSK method verifies through the 4-Way Handshake procedure that the AP and the terminal have a pre-shared secret key, and the Enterprise method uses the 802.1x/EAP authentication method as an authentication method using an authentication server.

<WPA1/WPA2 data encryption>

WPA uses the TKIP algorithm, which dynamically changes the fixed pre-shared key used in WEP, and WPA2 uses AES, a block cipher, in CCMP mode. In both WPA1 and WPA2, the user can select the algorithm used for encryption between TKIP and CCMP modes, and WPA1 and WPA2 are differentiated depending on whether a cache function for pre-authentication and master key-related information exists.

<TKIP>

In TKIP, the terminal dynamically generates a temporary shared secret key, TK (Temporal Key), to form a wireless security channel between the terminal and the AP from the user authentication result by EAP (Extensible Authentication Protocol). This method provides encryption for packets transmitted in the wireless section by applying a different key to each frame.

<AES-CCMP>

WPA2 replaces the TKIP algorithm and provides data encryption and integrity using the AES encryption algorithm using CCMP (Counter mode with Cipher-block chanining with Message authentication code) mode. Sufficient safety can be provided by using AES, a block cipher algorithm with proven safety, and CCMP mode can provide not only confidentiality of packets but also integrity of packet headers and data. Additionally, the parameters required for encryption can be calculated before the packet is received, minimizing the load when the packet arrives and shortening the delay time.

<WPA-PSK authentication>

WPA-PSK authentication is mainly used in small networks that do not install an authentication server, and authentication is performed by confirming through a 4-way handshake process that the AP and the terminal have the same PSK (Pre-Shared Key). In other words, the role of the authentication server can be replaced by mutually confirming whether the PMK (Pairwise Master Key) generated from the PSK set between the AP and the terminal is secured through the 4-Way Handshake procedure. The user must configure the PMK, which is used as a shared secret key between the terminal and the AP, to perform the 4-Way Handshake process. The terminal and AP create a PMK using information such as WPA-PSK, SSID, and SSID length and use it as a shared key.

PMK = SHA14096 (WPA-PSK, SSID, SSID length)
※ SHA1 ⁴⁰⁹⁶ (): SHA1 repetition calculation 4096 times

In 4-Way Handshake, which checks whether the terminal and the AP have the same PMK, mutual authentication is performed between the terminal and the AP by exchanging the AP's MAC address, the terminal's MAC address, the AP's nonce value, and the terminal's nonce value. Using the pre-shared PMK and the ANonce and SNonce parameters acquired through the 4-Way Handshake process, the terminal and the AP create a PTK as follows.

PTK = PRF-512(PMK, Mac address of AP ||
Mac address of the terminal || ANonce || SNonce)

You can generate a PTK (Pairwise Temporal Key) from the master key PMK using the pseudo-random number function PRF-512, and the PTK includes KCK (EAPol-Key Confirmation Key, 128 bit), KEK (EAPol-Key Encryption Key, 128 bit), and It is derived from TK (Temporal Key, 128 bit) and is used for integrity verification, group key transmission, and data encryption. Among these, KCK is used to verify the integrity of messages sent and received between the terminal and the AP. <WPA-Enterprise Authentication>

WPA-Enterprise is an authentication method mainly used by organizations and companies and provides mutual authentication using an authentication server such as RADIUS. The authentication server performs authentication protocols such as EAP-TLS, EAP_AKA, and EAP-TTLS with the terminal, and based on the results, the AP decides whether to allow access to the terminal. Upon successful authentication, the authentication server delivers a temporary encryption key to be used by the AP. If authentication fails, the terminal cannot access the AP. In one embodiment of the present invention, assuming a WPA-Enterprise authentication environment as shown in Figure 3c, wireless LAN authentication that can be applied in the WPA3 authentication environment based on WPA2 is provided.

The restriction unit 320 may restrict access by bypassing authentication requests outside of the preset time. As shown in Figure 3g, if it is not the preset time, that is, the authentication time, wireless LAN authentication can be rejected regardless of whether the user name and password are correct. Additionally, the preset time can be set in units of day and hour. In other words, wireless LAN authentication processes user authentication through a remote customer DB or local DB, and unnecessary access to the DB server can be restricted by unconditionally rejecting authentication requests outside of the preset time. As shown in Figure 3g, if an authentication request (Access-Request) occurs outside of the authentication time, no user account (User Credential) table is referenced. The user terminal 100 can enter an ID and password for WPA (Wi-Fi Protected Access)2 Enterprise authentication and connect to the wireless LAN according to a preset time policy. At this time, the time policy may include a basic policy and an exclusive policy. The basic policy may include a global policy that applies to all users, a group policy that applies to users included in the group, and a user policy that applies to specific users. . Exclusive policies may include group policies, which are policies that apply only to users included in the group, regardless of the basic policy, and user policies, which are policies that apply only to users without being affected by any policies. To summarize, it can be as shown in Table 3 below.

time policy Basic policy Global policy Policies that apply to all users Group policy Policies applied to users included in the group User policy Policies that apply to specific users exclusive
(Exclusive) Policy Group policy Policy that applies only to users included in the group, regardless of the default policy User policy Policies that apply only to users and are not affected by any policies

The release unit 330 can forcibly release the wireless LAN connection outside of a preset time. Even if the connection is made within a preset time as shown in FIG. 3h, the wireless LAN can be automatically released by using the session-timeout attribute when the preset time has elapsed. The release unit 330 can release the session-timeout attribute if the AP (Access Point) of the wireless LAN supports the session-timeout attribute. The basic policy processing unit 340 can release the information included in the basic policy. You can find global policy, group policy, and user policy and set the time by disjunction. If the time policy includes an exclusive policy, the exclusive policy processing unit 350 may set the exclusive policy to time. Group policies within exclusive policies can be set to have lower priority than user policies. At this time, the time policy includes a basic policy and an exclusive policy as shown in Figure 3i and Table 3. In the case of the exclusive policy, if you look at the bottom right of Figure 3i, it is assumed that there is [full policy (basic policy) + user policy (exclusive policy)]. In this case, since it is a policy that is not affected by any policy and applies only to the user, the user policy (exclusive policy) has the highest priority and only this section is set as the range in which the user can use the wireless LAN. Also, among exclusive policies, group policy is a policy that applies only to users included in the group, regardless of the basic policy. Accordingly, the ranking can be organized as [Exclusive policy (user policy) > Exclusive policy (group policy) > Basic policy].

<Basic policy>

As shown in Figure 3j, let's assume that the overall policy among the basic policies is from 8:00 to 18:00 during the week. At this time, if the user policy among the basic policies is from 9:00 AM to 12:00 PM on Saturdays for User 1, the wireless LAN use time for User 1 is [8:00 AM to 18:00 PM during the week] or [9:00 AM to 12:00 PM on Saturdays]. User 1 will be able to work daytime and Saturday mornings during the week. If this part is displayed, it becomes the C1 area of the bottom table of Figure 3j. Also, if the group policy among the basic policies is from 18:00 to 22:00 during the week for Group 1, the wireless LAN use time for users included in Group 1 is [8:00 to 18:00 during the week] or [18:00 to 22:00 during the week] [#182] Until [#182], and Group 1 may be a group that includes users who mostly work overtime during the week. If this part is displayed, it becomes area C2 of the bottom table of Figure 3j. At this time, if User 1 is included in Group 1, the wireless LAN usage time for User 1 is [8:00 to 18:00 during the week] or [18:00 to 22:00 during the week] or [9:00 to 12:00 on Saturday]. This is a user who can work overtime on weekdays, go to work on weekends, and even work in the morning. This is expressed as logical sum as shown in Figure 3l.

<Exclusive policy>

Referring to Figure 3k, assume that the overall policy of the basic policy is from 8:00 to 18:00 during the week. At this time, let us assume that among the exclusive policies, the user policy, that is, the policy for user 1, is [weekdays 12:00 to 15:00] and [Saturday 9:00 to 12:00]. At this time, User 1's wireless LAN usage hours are [Weekdays from 12:00 to 15:00] and [Saturdays from 9:00 to 12:00]. The reason is that the user policy of the exclusive policy is a policy that applies only to users, regardless of the policy (whether basic policy or exclusive policy). Assuming that the group policy among the exclusive policies, that is, the policy for group 1, was [weekdays 18:00 to 22:00], the wireless LAN use hours for users included in group 1 are [weekdays 18:00 to 22:00]. The reason is that, among exclusive policies, group policy is a policy that is applied to users included in the group regardless of the basic policy. At this time, if User 1 is included in Group 1, the wireless LAN available hours for User 1 are [12:00 to 15:00 on weekdays] and [9:00 to 12:00 on Saturdays]. Among exclusive policies, user policy has priority over group policy among exclusive policies, and above all, it is not affected by any policy. This algorithm is shown in Figure 3m. Also, among the time policies, the basic policy and exclusive policy can be mixed, as shown in Figure 3n.

The authentication processing unit 360 sets the time by reading the basic policy and exclusive policy included in the time policy from the attribute table based on the user name, and proceeds with authentication processing if it is not the preset login time. Otherwise, the authentication request is bypassed, and if it is included in the login time, authentication processing for the wireless LAN can proceed. Referring to FIG. 3O, the authentication processing unit 360 sets the basic policy and exclusive policy from the attribute table based on the user name, and if it is not the login time, does not proceed with the authentication process and unconditionally denies access ( Access-Reject) processing (bypass authentication processing). Additionally, if it is included in the login time, wireless LAN authentication processing is performed. At this time, the wireless LAN can use the Session-Timeout of rfc2865 and the Login-Time of RADIUS in a WPA (Wireless Protected Access2) Enterprise environment. A solution according to an embodiment of the present invention is being sold by the company of the applicant of the present invention, as shown in FIGS. 4A to 4H.

Matters that are not explained regarding the method of providing time-based authentication service in a wireless LAN environment in FIGS. 2 to 4 are the same as or are derived from the content described above regarding the method of providing time-based authentication service in a wireless LAN environment through FIG. 1. Since it can be easily inferred, the description below will be omitted.

FIG. 5 is a diagram illustrating a process in which data is transmitted and received between components included in the wireless LAN environment time-based authentication service providing system of FIG. 1 according to an embodiment of the present invention. Hereinafter, an example of the process of transmitting and receiving data between each component will be described with reference to FIG. 5, but the present application is not limited to this embodiment, and the process shown in FIG. 5 according to the various embodiments described above It is obvious to those skilled in the art that the process of transmitting and receiving data can be changed.

Referring to FIG. 5, the authentication service providing server allows wireless LAN authentication at a preset time for WPA2 Enterprise authentication and restricts wireless LAN authentication at other times (S5100).

In addition, the authentication service providing server restricts access by bypassing authentication requests outside of the preset time (S5200) and forcibly disconnects the wireless LAN connection outside of the preset time (S5300).

The sequence between the above-described steps (S5100 to S5300) is only an example and is not limited thereto. That is, the order between the above-described steps (S5100 to S5300) may change, and some of the steps may be executed simultaneously or deleted.

Matters that are not explained regarding the method of providing a time-based authentication service in a wireless LAN environment of FIG. 5 are the same as, or are derived from, the content previously described regarding the method of providing a time-based authentication service in a wireless LAN environment through FIGS. 1 to 4. Since it can be easily inferred, the description below will be omitted.

The method of providing a time-based authentication service in a wireless LAN environment according to an embodiment described with reference to FIG. 5 may also be implemented in the form of a recording medium containing instructions executable by a computer, such as an application or program module executed by a computer. You can. Computer-readable media can be any available media that can be accessed by a computer and includes both volatile and non-volatile media, removable and non-removable media. Additionally, computer-readable media may include all computer storage media. Computer storage media includes both volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data.

The method of providing a time-based authentication service in a wireless LAN environment according to an embodiment of the present invention described above uses an application installed by default on a terminal (this may include a program included in a platform or operating system, etc., which is installed by default on the terminal). It may be executed by an application (i.e., a program) installed by the user directly on the master terminal through an application providing server such as an application store server, an application, or a web server related to the service. In this sense, the method of providing a time-based authentication service in a wireless LAN environment according to an embodiment of the present invention described above is implemented as an application (i.e., a program) installed by default in the terminal or directly installed by the user, and is implemented by a computer such as the terminal. It can be recorded on a readable recording medium.

The description of the present invention described above is for illustrative purposes, and those skilled in the art will understand that the present invention can be easily modified into other specific forms without changing the technical idea or essential features of the present invention. will be. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive. For example, each component described as single may be implemented in a distributed manner, and similarly, components described as distributed may also be implemented in a combined form.

The scope of the present invention is indicated by the claims described below rather than the detailed description above, and all changes or modified forms derived from the meaning and scope of the claims and their equivalent concepts should be construed as being included in the scope of the present invention. do.

Claims (6)

A user terminal that enters an ID and password for WPA (Wi-Fi Protected Access)2 Enterprise authentication and connects to the wireless LAN according to a preset time policy; and
For WPA2 Enterprise authentication, a setting unit that allows authentication of the wireless LAN at preset times and restricts authentication of the wireless LAN at other times, and restricts access by bypassing authentication requests outside of the preset times. An authentication service providing server including a restriction unit and a release unit that forcibly disconnects the wireless LAN connection outside of the preset time,
The time policy includes a basic policy and an exclusive policy,
The above basic policy is,
It includes global policies that apply to all users, group policies that apply to users included in a group, and user policies that apply to specific users.
The above exclusive policy is,
Regardless of the above basic policy, it includes group policy, which is a policy that applies only to users included in the group, and user policy, which is a policy that is applied only to users without being affected by any policy,
The authentication service providing server is,
A system for providing a time-based authentication service in a wireless LAN environment, further comprising a basic policy processing unit that finds the overall policy, group policy, and user policy included in the basic policy and sets the time by disjunction.
According to claim 1,
The release unit,
A system for providing a time-based authentication service in a wireless LAN environment, characterized in that the session-timeout attribute is released when the AP (Access Point) of the wireless LAN supports the session-timeout attribute.
delete delete According to claim 1,
The authentication service providing server is,
If the time policy includes an exclusive policy, it further includes an exclusive policy processing unit that sets the exclusive policy to time,
A system for providing a time-based authentication service in a wireless LAN environment, wherein the group policy within the exclusive policy is set to have lower priority than the user policy.
According to claim 1,
The authentication service providing server is,
The time is set by reading the basic policy and exclusive policy included in the time policy from the Attribute table based on the user name. If it is not the preset login time, authentication is not processed and the authentication request is processed. an authentication processing unit that performs a bypass and performs authentication processing for the wireless LAN if it is included in the login time;
A wireless LAN environment time-based authentication service providing system further comprising:

Images