KR20180005551A - Operating method of authentication apparatus, system for network access and uthentication, operating method of end terminal and operating method of access terminal - Google Patents

Abstract

A method for operating an authentication apparatus, a method for operating an end terminal, and a method for operating an access terminal are provided. As the method for operating an authentication apparatus, capable of performing network access and authentication for the end terminal accessing a network through the access terminal, the method includes the steps of: setting a traffic cutoff for the access terminal which completes a network access procedure; receiving an authentication request from the end terminal connected to the access terminal; and releasing the traffic cutoff for the access terminal after authenticating the end terminal. If the traffic cutoff is released, the end terminal accesses the network through the access terminal and receives a data service. Accordingly, the present invention can control the access authority of the end terminal which can not perform USIM authentication.

Description

TECHNICAL FIELD [0001] The present invention relates to an authentication method, an authentication method, a network access and authentication system, an operation method of an end terminal, and an operation method of an access terminal.

The present invention relates to an operation method of an authentication apparatus, a network connection and authentication system, an operation method of an end terminal, and an operation method of an access terminal.

Personal computers (PCs) generally do not have an LTE (Long Term Evolution) communication module and a universal subscriber identity module (USIM).

In addition, other carriers' smartphones have LTE communication modules, but they do not have USIM information and can not be LTE certified. In this case, in order to receive a private network access LTE service, a connection (or relay) terminal must be connected to the network.

Here, the access terminal directly connects to the LTE with the wireless communication service provider, and uses a connection interface separate from the end terminal. Examples of access terminals include a USB-LTE dongle, an LTE-WiFi Egg, and an LTE router.

The USB-LTE dongle provides LTE service by making USB communication with end terminal (eg PC). In case of LTE-WiFi Egg, WiFi interface can be connected with end terminal (eg PC, smart phone etc.) LTE router can be connected to PC by LAN (Local Area Network) cable.

When the end terminal connects to the private LTE network via the access terminal, the access terminal, that is, the dongle, the egg, and the router on which the USIM and the LTE communication module are installed can perform access control by authenticating at the provider level.

However, endpoint terminals (eg, PCs, smart phones, pads, etc.) may be unauthenticated or access control only at the existing WiFi authentication level. However, the Wifi authentication method is a value set in the LTE Egg and can not be regarded as a complete security solution since the Egg user can change it.

On the other hand, in general, a company manages data server and information in a corporate intranet very importantly and controls access. When a terminal accessing with unauthorized authentication occurs, it poses a serious threat to the information security of the enterprise .

In particular, when an access terminal is allowed to be unauthorized and the access terminal is lost or stolen, the enterprise is exposed to external attack or data leakage until the access right of the access terminal is completely blocked .

In addition, even if access terminal authentication such as WiFi authentication is used, it is not safe to change the access right of an unauthorized PC or a smartphone if the information change right is provided to users in the enterprise.

SUMMARY OF THE INVENTION It is an object of the present invention to provide an operation method of an authentication apparatus for controlling an authentication and an access right for an end terminal when an end terminal without a subscriber module and a communication module accesses a dedicated network or an intranet via the access terminal, And an authentication system, an operation method of the end terminal, and an operation method of the access terminal.

According to an aspect of the present invention, there is provided a method of operating an authentication apparatus for performing network connection and authentication with an end terminal connected to a network through an access terminal, the method comprising: Receiving an authentication request from the end terminal connected to the access terminal, and releasing the traffic interruption to the access terminal after performing the authentication for the end terminal,

When the traffic interruption is released, the end terminal accesses the network through the access terminal and receives data service.

Wherein the setting step comprises:

Receiving a connection request from the access terminal to authenticate that the access terminal is a dedicated network service subscriber by receiving a connection request to a private network and setting a blocking for all traffic except authentication traffic for the access terminal when the authentication is successful .

Wherein the setting of the blocking for all traffic comprises:

Receiving, by the authentication apparatus, a quality of service (QoS) information of a session for the access terminal from the traffic control apparatus; and responding the service quality information to the traffic control apparatus,

The traffic control device transmits the service quality information to the packet data network gateway,

The packet data network gateway may set blocking for all traffic except authentication traffic for the access terminal.

Wherein the authenticating comprises:

Receiving a connection request of the access terminal from the packet data network gateway; determining whether the access terminal is a dedicated network service subscriber based on the information included in the access request; To the packet data network gateway.

Wherein the authenticating comprises:

Further comprising the step of storing the session for the access terminal after transmitting the connection response to the packet data network gateway,

The packet data network gateway may allocate an IP to be used in a private network to the access terminal when the access response is received, and may transmit a session establishment response to the access terminal.

After receiving the connection request,

Determining whether the terminal transmitting the connection request is a general terminal or an access terminal; and if the terminal is a general terminal, transmitting a connection response to the packet data network gateway,

If it is determined to be the access terminal, the determining step may be performed.

Wherein the step of releasing comprises:

(QoS) information of a session to the access terminal by confirming an access terminal connected to the end terminal, and when the service quality information is set to block traffic, Receiving a first authentication value calculated by an algorithm determined using the authentication key from the end terminal, checking if the first authentication value is valid, and if the first authentication value is valid, And unblocking the traffic.

Wherein the step of canceling the traffic interruption to the access terminal, if valid,

Determining that the first authentication value is valid if the first authentication value and the second authentication value coincide with each other, determining that the first authentication value is valid, And if it is valid, canceling the traffic interruption to the access terminal.

Wherein the first authentication value and the second authentication value are "

The first authentication key and at least one of Media Access Control (MAC), International Mobile Equipment Identity (IMEI), PassWord (PW), and One Time Password (OTP) of the end terminal.

And if the first authentication value is valid, canceling the traffic block to the access terminal,

Transmitting an authentication result and a second authentication key to be used for re-authentication to the end terminal, receiving a re-authentication request using the second authentication key from the end terminal and performing re-authentication, The method may further include setting a traffic cutoff for the access terminal.

Wherein if the re-authentication fails, establishing a traffic block for the access terminal comprises:

Activating a reauthentication timer and transmitting a timer expiration time to the end terminal and setting the traffic interception if the reauthentication fails or the reauthentication request is not received within the timer expiration time can do.

According to another aspect of the present invention, there is provided a system for performing network connection and authentication for an end terminal connected to a network through an access terminal, the system comprising: An authentication DB for storing information of a terminal, and an authentication request including an IP (Internet Protocol) and an end terminal ID from the terminal connected to the access terminal, the access terminal connected to the terminal, based on the IP, And an authentication device for authenticating the end terminal and releasing the traffic interruption if it is determined that the access terminal is set to block traffic for the access terminal.

The authentication DB includes:

A first authentication table including a terminal identifier field of the access terminal, a policy field of the access terminal, an IP field of the access terminal, a connection state field of the access terminal, and at least one terminal terminal ID field connected to the access terminal And a second authentication table including a terminal identifier field of the end terminal corresponding to the end terminal ID field and at least one authentication method field for the end terminal.

The authentication device includes:

Confirms from the first authentication table an access terminal including an IP included in the authentication request and an end terminal ID, identifies an authentication method corresponding to the end terminal ID from the second authentication table, The authentication of the end terminal can be performed using the authentication method confirmed by the end terminal.

The authentication device includes:

After the network access procedure, the policy field of the first authentication table is set to blocked for the access terminal, and if the authentication is successful for the terminal, the policy field of the first authentication table may be set to unblock the traffic have.

When receiving an access request from the access terminal, transmitting an access request to the authentication device and receiving an access response from the authentication device, requesting the traffic disconnection setting from the authentication device to set blocking for all traffic other than the authentication traffic, And a packet data network gateway for releasing the blocking setting for the traffic if the authentication for the end terminal is successful.

Requesting the authentication apparatus according to a request of the packet data network gateway and receiving quality of service (QoS) information of a session for the access terminal including the traffic cutoff setting or traffic cutoff release information from the authentication apparatus And transmitting the packet data to the packet data network gateway.

The authentication device includes:

After confirming that the access terminal is a dedicated network service subscriber, the access terminal can allow network access if it is a dedicated network service subscriber.

According to another aspect of the present invention, there is provided a method of operating an end terminal connected to a network through an access terminal, the method comprising: connecting the end terminal with the access terminal; requesting authentication with the authentication device through the access terminal; And if the authentication is successful, accessing the network through the access terminal and receiving data service.

Wherein the providing and receiving comprises:

Receiving a first authentication key from the authentication device and generating a first authentication value using a predetermined algorithm; transmitting the first authentication value to the authentication device to receive an authentication result indicating that the first authentication value is valid; And receiving the data service by accessing the network through the access terminal if the first authentication value is valid.

After the providing and receiving step,

And requesting re-authentication to the authentication device periodically using the re-authentication key received together with the authentication result,

If the re-authentication fails, the traffic blocking of the access terminal can be set.

According to another aspect of the present invention, there is provided a method of operating an access terminal that connects an end terminal to a network, the method comprising: connecting the access terminal to the end terminal; relaying authentication traffic transmission / reception between the end terminal and the authentication device; And determining whether to allow network connection and user traffic transmission of the end terminal according to an authentication result of the authentication device for the end terminal.

Wherein the determining comprises:

If the authentication is successful, allowing a traffic transmission / reception path between the end terminal and the network, and if the authentication fails, blocking the traffic transmission / reception path between the end terminal and the network.

According to the embodiment of the present invention, when an LTE based private network or an intranet connection is established through an access terminal, the end terminal and the authentication server directly authenticate the access authority of an end terminal that can not perform USIM authentication.

In addition, the access control can be performed through the authentication between the end terminal and the authentication server without adding the function of the access terminal, so that the data of the enterprise using the private network can be protected more securely. The ease of managing the solution also increases.

In addition, the terminal end authentication method can be set only by user authentication. In this case, it is possible to utilize the private network LTE service using other end terminal (PC, notebook) by using a mobile access terminal (USB dongle, WiFi Egg) have.

In addition, the access terminal can be granted the right to use various terminal end points, and the administrator can designate the authentication level for each user, so that the differential management can be performed by adjusting the authentication level.

In addition, for telecom carriers, third-party smartphone subscribers can also benefit from private network LTE services through access terminals, which can help attract new customers and increase business usage by increasing data usage by company.

In addition, it can be used as a combination of various additional authentication such as terminal, user, SMS authentication according to the class of the terminal as well as simple terminal authentication, so that user authentication is possible.

1 is a configuration diagram of a network authentication and access control system of an end terminal according to an embodiment of the present invention.
2 is a flowchart illustrating a network access procedure of an access terminal according to an embodiment of the present invention.
3 is a flowchart illustrating an authentication procedure of an access terminal according to an embodiment of the present invention.
4 is a flowchart illustrating an authentication procedure of an end terminal according to an embodiment of the present invention.
5 is a flowchart illustrating a re-authentication procedure of an end terminal according to an embodiment of the present invention.
6 is a flowchart showing an access control operation of an authentication apparatus according to an embodiment of the present invention.
7 is a flowchart showing a connection authentication operation of an authentication apparatus according to an embodiment of the present invention.
8 is a diagram illustrating an example of the configuration of information stored in the authentication DB according to the embodiment of the present invention.
9 is a hardware block diagram of a system according to one embodiment of the present invention.
10 is a flowchart illustrating a network authentication and access control method of an end terminal according to another embodiment of the present invention.
Figure 11 illustrates a user access scenario in accordance with one embodiment of the present invention.
12 illustrates a user access scenario according to another embodiment of the present invention.
13 illustrates a user access scenario according to another embodiment of the present invention.
14 shows a user access scenario according to another embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly explain the present invention, parts not related to the description are omitted, and like parts are denoted by similar reference numerals throughout the specification

Throughout the specification, when an element is referred to as "comprising ", it means that it can include other elements as well, without excluding other elements unless specifically stated otherwise. Also, the terms " part, "" module," and " module ", etc. in the specification mean a unit for processing at least one function or operation and may be implemented by hardware or software or a combination of hardware and software have.

A mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS), a user equipment (UE) , An access terminal (AT), and the like, and may include all or some of functions of a mobile station, a mobile terminal, a subscriber station, a mobile subscriber station, a user equipment, an access terminal, and the like.

The terminal of the present disclosure includes a base station (BS), an access point (AP), a radio access station (RAS), a node B, an evolved NodeB (eNodeB) And may be connected to a remote server by connecting to a network device such as a Base Transceiver Station (BTS), a Mobile Multihop Relay (MMR) -BS, or the like.

The terminal of the present specification may be a mobile terminal such as a smart phone, a tablet terminal such as a smart pad and a tablet PC, a communication terminal such as a computer and a television, and may have a plurality of communication interfaces.

The communication interface may vary. For example, the communication interface may include a short-range wireless network interface such as WiFi / WLAN / Bluetooth and a mobile communication network interface such as 3G / Long Term Evolution (LTE) / Long Term Evolution-Advanced And the terminal manufacturer may add various communication interfaces. In this specification, the WiFi interface and the 3G / LTE interface are described as an example, but the communication interface is not limited thereto.

A typical LTE terminal is equipped with a subscriber module (USIM) for LTE and accesses the LTE network to receive a telephone or public Internet access service.

The private network LTE service is a service that allows the LTE service to access a private network via a base station and a wireless core network of a communication carrier using, for example, an enterprise intranet using the LTE terminal.

Hereinafter, embodiments of the present invention relate to a technique for performing authentication and connection control of an end terminal when using a private network LTE service via an access terminal, and each component will be described below with reference to the drawings. That is, the present invention relates to an embodiment that performs authentication and connection control for an end terminal when an end terminal that is an actual service utilization terminal and an access terminal that is a network access terminal are separated.

1 is a configuration diagram of a network authentication and access control system according to an embodiment of the present invention.

1, the network authentication and access control system includes an end terminal 110, an access terminal 120, a base station 130, a wireless core network 140, a packet data network gateway (P-GW) An authentication device 160, a traffic control device 170, an authentication DB 180, and a dedicated network 190. [

The end terminal 110 is a terminal at a user contact but does not have an LTE communication module or a subscriber module (USIM), and includes, for example, a PC, a notebook, a smart pad, and the like. And a communication terminal (e.g., a smart phone) that can carry a subscriber module (USIM) but can not receive an LTE authentication due to a wrong communication provider.

The terminal terminal 110 is connected to the access terminal 120 and accesses the base station 130 via the access terminal 120 since the terminal terminal 110 does not have a subscriber module and can not directly access the LTE network of the provider.

The access terminal 120 includes an LTE-WiFi Egg, an LTE router, an LTE-USB dongle, and the like.

The end terminal 110 can access the LTE network using the access terminal 120 and receive data service.

The access terminal 120 directly connects to the LTE with the wireless communication service provider and uses a connection interface separate from the terminal MT 110. For example, when the access terminal 120 is a USB-LTE dongle, it provides a service through USB communication with a PC as an end terminal. Also, if the access terminal 120 is an LTE-WiFi Egg, the access terminal 120 can be connected to the PC or the end terminal 110, which is a smart phone, using a WiFi interface.

The access terminal 120 mounts an LTE communication module and a subscriber module (USIM), and wirelessly communicates with the base station 130 at an LTE frequency.

Here, it is assumed that the access terminal 120 is a private network LTE service subscription terminal, and that all information necessary for authentication of the end terminal is already set up by a subscription or an administrator. At this time, all the information required for the authentication of the end terminal is authenticated by the authentication device 160, and the necessary information is transmitted according to the type. That is, it is a combination of additional information that requires authentication, for example, MAC, IMEI, PW, and OTP. The authentication information includes the information MSDN, IMEI, etc., which are obtained from the subscription, and the ID issuance can be specified by the subscriber or the administrator, and the information required for the authentication method and authentication by the ID is stored in the server.

In addition, the end terminal 110 assumes that an authentication application (App) or an authentication client (client) is installed in advance.

The base station 130 interworks with a wireless subscriber station (HSS) 140 for interworking with a wireless core network 140 of a communication service provider and obtaining an authentication or a service profile. Base station 130 may be an eNodeB.

The wireless core network 140 is a concept that collectively refers to a set of devices including an MME (Mobility Management Entity) and an S-GW (Serving Gateway) as an LTE (Long Term Evolution) standard node. That is, equipment and procedures necessary for LTE network connection can be referred to in the embodiments of the present invention.

The P-GW 150 is one of the LTE standard nodes included in the wireless core network 140. In order to transmit data from the private network LTE service to the dedicated network 190, And converts the incoming data into IP.

The authentication apparatus 160 authenticates connection request information called an APN (Access Point Name) with the enterprise subscriber and authenticates the end terminal 110 and the access terminal 120 for the private network LTE service. The authentication device 160 is interlocked with the authentication DB 170 including the subscriber authentication information and the terminal terminal authentication information.

The authentication device 160 can perform authentication classified into a terminal authentication level and a user authentication level. Here, the terminal authentication means that it can be divided into various levels, such as a MAC or a universally unique identifier (UUID). The user authentication can be set by the authentication device 160 as to whether to view only the ID / PW or the ID / PW / OTP. That is, an authority (authentication method: terminal authentication / user authentication) level can be assigned to each user (employee / email) other than the access terminal (USB, egg, router).

The authentication device 160 can perform authentication with various terminal authentication types. The information stored in the authentication DB 170 may be added or modified / deleted by a subscription or an administrator.

The traffic control device 180 is a device that performs traffic control (bandwidth, access control) for each subscriber and may refer to a Policy and Charging Rule Function (PCRF) which is one of the standard nodes of the LTE network.

The private network 190 may be a corporate intranet.

Now, an operation flow will be described in which the end terminal 110 and the access terminal 120 can perform network authentication and access control for the end terminal 110 through a certain node of the LTE communication network.

2 is a flowchart illustrating a network access procedure of an access terminal according to an exemplary embodiment of the present invention.

Referring to FIG. 2, when power is applied to the access terminal 120, the access terminal 120 transmits an access request (Attach Request) to the base station 130 (S101). At this time, the access request includes a dedicated access point name (APN) for the private network LTE service.

The base station 130 transmits a connection request to the MME of the wireless core network 140 (S103).

The MME of the radio core network 140 requests the S-GW of the radio core network 140 to create a session (Create Session Request) (S105). Then, the S-GW requests the P-GW 150 to create a session (S107).

The P-GW 150 transmits an access request to the authentication device 160 (S109). At this time, the connection request may include the information of the access terminal and the terminal location (3GPP-User-Location-Info).

Here, the information of the access terminal includes pre-set information and subscriber (USIM) information, and may include MSISDN (Mobile Station International ISDN Number), IMSI I (International Mobile Subscriber Identity), and the like.

In step S111, the authentication apparatus 160 performs subscriber authentication based on the information of the access terminal received in step S109, to determine whether it is a private network LTE service subscriber. That is, it can be determined whether the received information is stored in the authentication DB 170 in step S109.

If the subscriber authentication is successful in step S111, the authentication device 160 transmits an access response (S113). Then, a session for the access terminal 120 is created and stored (S115). Between step S113 and step S115, the P-GW 150 further includes a step of transmitting an Accounting-Request (Start, MSISDN, Framed-IP) and a response from the authentication device 160 can do.

At this time, the session means a PDN session, and one terminal can be made a PDN session in LTE.

Then, the P-GW 150 assigns IP to the access terminal 120 (S117). The P-GW 150 transmits a Create Session Response to the S-GW (S119).

The S-GW sends a session creation response to the MME (S121).

The MME transmits an access acknowledgment to the access terminal 120 through the base station 130 (S123, S125).

Through this process, the access terminal 120 completes the network connection procedure. That is, it is connected to the LTE network.

3 is a flowchart illustrating an authentication procedure of an access terminal according to an embodiment of the present invention.

Referring to FIG. 3, the access terminal 120 performs a dedicated network service authentication procedure (S201), and the step S201 includes the steps of FIG.

The P-GW 150 determines whether authentication of the access terminal 120 is successful (S203). At this time, if the authentication is successful, the traffic control device 180 requests QoS (Quality of Service) information of the session for the access terminal 120 (S205). Here, the step defined in the LTE standard may be applied in step S205.

At this time, the QoS information also defines the bandwidth of the corresponding PDN, but includes allow / block for communication to a specific IP.

The traffic control device 180 requests the authentication device 160 for QoS information of the session with respect to the access terminal 120 (S207).

The authentication apparatus 160 refers to the subscriber profile of the access terminal 120, and responds to the QoS information set for blocking all traffic except for the authentication traffic (S209).

The traffic control device 180 transmits the received QoS information to the P-GW 150 in step S209 (S211).

In step S213, the P-GW 150 sets all traffic coming in through the access terminal 120 to be blocked except the authentication-related traffic according to the QoS information received in step S211.

Here, a plurality of end terminals 110 may be connected to one access terminal 120. For example, when the access terminal 120 is a USB dongle, one end terminal 110 is connected. However, if the access terminal 120 is a Wi-Fi or a router, a plurality of end terminals 110 can be connected. In this case, the end terminal 110 connected to the access terminal 120 for the first time is set to block all the terminals before being authenticated.

4 is a flowchart illustrating an authentication procedure of an end terminal according to an embodiment of the present invention.

Referring to FIG. 4, the end terminal 110 performs a connection procedure with the access terminal 120 (S301). Here, the connection procedure of step S301 is performed by different procedures according to the type of the access terminal 120. [ For example, it may be a Wi-Fi system, a USB system, or a LAN system.

When the connection between the end terminal 110 and the access terminal 120 is completed, the end terminal 110 transmits an authentication request to the access terminal 120 (S303). 3, the access terminal 120 can not access the corporate intranet 190 even if it is connected to the access terminal 120 because the access terminal 120 is in the traffic blocking state except for the traffic related to the authentication State.

The end terminal 110 transmits the authentication request to the access terminal 120 automatically or manually according to the setting of the installed authentication application or the authentication client (S303).

The access terminal 120 transmits the authentication request to the authentication device 160 (S305).

The authentication device 160 identifies the access terminal 120 connected to the end terminal 110 based on the ID and IP information of the end terminal 110 included in the authentication request and transmits the QoS information set for the access terminal 120 (S307). The description of step S307 will be given later with reference to Fig. Here, the IP information of the end terminal 110 is the same as the IP information assigned by the access terminal 120. [

In addition, the ID may be an eigenvalue such as an email type or a number. The access terminal 120 can assign an IP to the end terminal 110 in the NAT type. When the end terminal 110 connects to the authentication device 160, the IP obtained by the access terminal 120 can be used.

Based on the result of the checking in step S307, the authentication device 160 determines whether the access terminal 120 is disconnected, that is, the traffic cutoff state (S309).

At this time, if the traffic is not blocked, the re-authentication process is performed (S311). Here, the step S311 will be described later with reference to FIG.

On the other hand, if the traffic is blocked, the authentication device 160 transmits the authentication key (or the server issuing key) to the end terminal 110 through the access terminal 120 (S313, S315).

The end terminal 110 generates an authentication value by performing a hash operation using the predetermined authentication algorithm and the authentication key received in step S315 (S317).

 Here, the predetermined information may include at least one of Media Access Control (MAC), International Mobile Equipment Identity (IMEI), PassWord (PW), and One Time Password (OTP) of the end terminal 110.

The end terminal 110 transmits the authentication value generated in step S317 to the authentication device 160 to request authentication (S319, S321).

The authentication device 160 confirms the validity of the authentication value received in step S321, and then transmits the authentication result (S323, S325). At this time, the authentication device 160 obtains predetermined information to be used in generating the authentication value in step S317 from the authentication DB 170. [ Then, the authentication key transmitted in step S313 and the previously determined information are subjected to a hash calculation using the same algorithm as in step S317 to calculate the authentication value. If the authentication value thus calculated matches the authentication value received in step S321, the authentication value is determined to be valid. If they do not match, the authentication fails. The authentication result is transmitted to the terminating terminal 110 in steps S323 and S325.

Here, the authentication value calculation may use the selected two pieces of information, or may implement the encryption algorithm in the form of multi PW input.

The authentication device 160 determines whether the authentication is successful (S327). If authentication fails, the process returns to the step before step S305. On the other hand, if the authentication is successful, the traffic control device 180 is requested to change the QoS information of the access terminal 120 (S329). Here, the QoS information change is set to traffic permission.

The traffic control device 180 requests the P-GW 150 to change the QoS information so as to set the traffic policy set as blocking to the traffic permission (S331).

Thereafter, the connection between the end terminal 110 and the access terminal 120, the access terminal 120 and the LTE network connection interface, and the end terminal 110 through the dedicated network connection interface between the P-GW 150 and the dedicated network 190, (E2E) connection with the enterprise intranet, that is, the private network 190 is completed. And is provided with normal data communication and corporate intranet services.

5 is a flowchart illustrating a re-authentication procedure of an end terminal according to an embodiment of the present invention.

Referring to FIG. 5, periodic authentication can be established according to the administrator setting even if the authentication is completed and connection is allowed. In this case, the end terminal 110 periodically requests re-authentication (S401, S403).

The authentication device 160 performs re-authentication (S405) and transmits a re-authentication response (S407, S409).

The authentication key used in the re-authentication is a key value used in the periodic authentication, and is an eigenvalue issued by the authentication device 160, which is different from the authentication key used for the first authentication.

The authentication apparatus 160 determines whether or not the re-authentication is successful (S411). If the re-authentication is successful, the authentication apparatus 160 returns to step S403 and subsequent steps. That is, the conventional session permission information is maintained.

On the other hand, if the re-authentication fails, the authentication device 160 requests the traffic control device 180 to change QoS information by blocking traffic (S413).

Then, the traffic control device 180 requests the P-GW 150 to change QoS information by blocking traffic (S415).

The P-GW 150 sets a traffic cutoff for the access terminal 120 (S417). In this case, the data connection between the end terminal 110 and the dedicated network 190 is blocked.

6 and 7 illustrate how an authentication device 160 performing a core function of the present invention performs authentication and access control for the end terminal 110 and the access terminal 120 according to an algorithm. . 6 and 7 show flowcharts of determination logic in the authentication apparatus.

6 is a flowchart illustrating an access control operation of an authentication apparatus according to an embodiment of the present invention.

Referring to FIG. 6, the authentication apparatus 160 receives a request for access to the dedicated network 190 of the access terminal 120 (S501). Then, in step S503, the subscriber profile of the terminal requesting access to the private network 190 is inquired (S503), and it is determined whether the corresponding access terminal is a general terminal or an access terminal (S505).

At this time, if it is determined to be a general terminal, the connection is allowed and the step is terminated (S507).

On the other hand, if it is determined to be the access terminal, the basic setting is inquired (S509) and it is determined whether the connection is allowed or blocked (S511).

If it is a connection allowable subscriber, step S509 is performed.

If the connection is set to be blocked in the default setting, the connection is blocked (S513). Then, the end terminal 110 enters the authentication wait state.

7 is a flowchart showing a connection authentication operation of the authentication apparatus according to an embodiment of the present invention.

7, when the authentication request is received from the end terminal 110 in step S601, the authentication apparatus 160 confirms the QoS information of the access terminal 120 and the access terminal 120 connected to the end terminal 110 (S603).

The authentication device 160 determines whether the current state of the access terminal 120 is set to traffic interruption (S605).

At this time, if the traffic blocking is not set, the valid authentication failure response is transmitted because it is not valid authentication (S607).

On the other hand, if the traffic blocking is set, the authentication procedure is performed (S609). Here, the authentication procedure is the same as that described in Fig. That is, the authentication key and the predetermined information are exchanged to perform the authentication.

The authentication device 160 determines whether the authentication is successful (S611), and if authentication fails, performs step S607. At this time, if authentication essential information such as IP relation is different, authentication fails.

If authentication is successful in step S611, the authentication device 160 requests the traffic control device 180 to change the connection restriction state to the release state (S613).

If the re-authentication is enabled after the authentication succeeds, the authentication device 160 informs the authentication client of the end terminal 110 of the expiration time and activates its own timer (S615).

The authentication device 160 checks whether there is an authentication request in the timer, and performs a re-authentication process when a re-authentication request is received (S617).

The authentication apparatus 160 determines whether the re-authentication is successful before expiration of the timer (S619). If the authentication is successful, the authentication apparatus 160 maintains the current state (S621).

On the other hand, if the re-authentication fails, that is, if there is no re-authentication request even though the timer has expired, the traffic control device 180 requests to disconnect the connection (S623). Thereafter, a new authentication request standby state is established.

FIG. 8 is a diagram showing an example of the configuration of information stored in the authentication DB according to the embodiment of the present invention, and is an embodiment of the configuration of the authentication table and the relationship diagram of the terminal terminal and the access terminal in the authentication apparatus.

8 (a) shows an authentication table of the access terminal. The authentication table of the access terminal includes an MSISDN field, a policy field, an IP field, a connection status field, a period field, and at least one end terminal ID field.

The authentication table of the access terminal has an MSDN (telephone number) in the USIM for the LTE authentication and can add several IDs of the end terminal connected to the access terminal. You can also choose to block / allow the default policy on first access. It is also possible to record the IP of the access terminal allocated at the time of initial connection. In addition, in order to improve authentication completeness, it is possible to manage the current LTE connection and disconnection / permission status of the access terminal in real time, and to select ON / OFF and time of re-authentication cycle.

Here, at least one end terminal ID recorded in the end terminal ID field is registered in advance in correspondence with the access terminal. The administrator can register. Therefore, the end terminal is registered in advance, and only the end terminal that is mapped to the access terminal and registered in advance is allowed to be authenticated.

In the authentication request information, mapping between MSDN (phone number) -based information and ID-based user authentication is required. If the IP pre-verified in the authentication table of the access terminal and the source IP in authentication are compared with each other, You can tell if you requested it.

Referring to FIG. 8B, the authentication table of the end terminal includes an end terminal ID field, an authentication method field, and a required field.

The authentication table of the end terminal can select each subscriber-specific authentication method based on the ID of the end terminal. The ID of the end terminal can be a phone number in the case of a smart phone, and the number or unique value of a company in the case of a PC. The authentication device can request multiple authentication methods set for each end terminal ID subscriber.

At this time, user authentication and terminal authentication can be distinguished. User authentication uses ID / PW / OTP, and terminal authentication can be ID / MAC / UUID / PW. An algorithm such as MD5 may be used for the authentication method.

The end terminal requests the end terminal ID when requesting the authentication, and the authentication device can extract the request source IP, find the access terminal with this information, perform primary authentication with a valid end terminal, authenticate with the authentication method set according to the end terminal ID Can be performed.

Confirms the IP of the end terminal, verifies the IP, confirms the IP of the connected access terminal, and the end terminal in the profile of the access terminal. Then, the access terminal is confirmed, and the policy is changed to permit traffic.

9 is a hardware block diagram of a system according to one embodiment of the present invention.

9, the authentication device 200 is composed of hardware including a memory device 201, a storage device 203, a processor 205, and a communication device 207, Is stored. The hardware has a configuration and performance capable of executing the method of the present invention. The program includes instructions implementing the method of operation of the present invention described with reference to FIGS. 1 through 8 and is implemented in conjunction with hardware such as processor 205 and memory device 201 to implement the present invention. The program may include instructions for operations implemented in the management application and internal logic.

The traffic control device 200 is also configured with hardware including a memory device 201, a storage device 203, a processor 205 and a communication device 207, do. The hardware has a configuration and performance capable of executing the method of the present invention. The program includes instructions implementing the method of operation of the present invention described with reference to FIGS. 1 through 8 and is implemented in conjunction with hardware such as processor 205 and memory device 201 to implement the present invention. The program may include instructions for operations implemented in the management application and internal logic.

The end terminal is composed of hardware including a communication device, a processor, and a memory, and stores a program that is executed in combination with hardware at a specified location. The hardware has a configuration and performance capable of executing the method of the present invention. The program includes instructions implementing the method of operation of the present invention described with reference to FIGS. 1 through 8 and is implemented in conjunction with hardware such as processor 205 and memory device 201 to implement the present invention. The program may include instructions for operations implemented in the management application and internal logic.

At this time, the communication device includes a communication interface with the access terminal.

Further, the access terminal is composed of hardware including a communication device, a processor and a memory, and a program to be executed in combination with the hardware is stored in a designated place. The hardware has a configuration and performance capable of executing the method of the present invention. The program includes instructions implementing the method of operation of the present invention described with reference to FIGS. 1 through 8 and is implemented in conjunction with hardware such as processor 205 and memory device 201 to implement the present invention. The program may include instructions for operations implemented in the management application and internal logic.

At this time, the communication device includes a communication interface with the LTE network and a communication interface with the access terminal, respectively.

10 is a flowchart illustrating a network authentication and access control method of an end terminal according to another embodiment of the present invention.

10, an interface according to a PC client-dongle standard (HTTP) is connected between an end terminal (PC) 110 and an access terminal (USB dongle) 120 (S701). This step is similar to the step S301 described in Fig.

Next, an interface according to an authentication device-protocol specification (HTTP) is connected between the access terminal (USB dongle) 120 and the authentication device 160 (S703). That is, in this step, a network connection procedure is performed between the access terminal (USB dongle) 120 and the authentication apparatus 160, which is similar to the steps of FIG.

The authentication procedure for the end terminal PC described in FIG. 4 is performed through the connected interface through steps S701 and S703.

Next, when performing the secondary OTP authentication according to the operator setting, the authentication apparatus 160 performs SMPP communication between the authentication apparatus 160 and the message service center (SMSC) (not shown) (S705). Here, step S705 is optional. This step can send an OTP authentication code.

Next, the message service center (not shown) performs SMS communication (S707) with the end terminal (user's mobile phone), which is also optional. This step can send the OTP authentication code to the end terminal (user's mobile phone).

The user inputs the OTP authentication code confirmed by the end terminal (user mobile phone) through the end terminal (PC) 110 and transmits the OTP authentication code to the end terminal (PC) 110, the access terminal (USB dongle) Performs OTP secondary authentication as an option (S709, S711).

Then, the end terminal (PC) 110 forms a control plane with the authentication device 160 through the access terminal (USB dongle) 120, and the end terminal (PC) 110 accesses the access terminal USB dongle) 120 to form an intranet and a data plane (S711). And IP-CAN (LTE / PPP) communication is performed.

At this time, the access terminal (USB dongle) 120 includes a first channel connected to the network to transmit and receive traffic, and a second channel connected to the terminal 110 (PC) to transmit and receive traffic. The access terminal (USB dongle) 120 can control the use of the second channel to allow selective traffic according to the authentication result.

4, the traffic control for permitting selective traffic according to the authentication result is performed by the access terminal (USB dongle)

Figure 11 illustrates a user access scenario in accordance with one embodiment of the present invention.

Referring to (a) of FIG. 11, it is possible to set whether to connect or not through option setting. Referring to (b) of FIG. 11, a login screen is displayed.

12 illustrates a user access scenario according to another embodiment of the present invention.

Referring to FIG. 12, there is shown a screen for performing password authentication after login.

13 illustrates a user access scenario according to another embodiment of the present invention.

Referring to FIG. 13, there is shown a screen for performing a two-step authentication of password-based authentication and SMS / OTP authentication after login.

14 shows a user access scenario according to another embodiment of the present invention.

Referring to FIG. 14, a screen for outputting an error message / code when an error due to an unregistered MAC occurs during the authentication process is shown.

11 through 14 illustrate various embodiments in which the authentication device 160 authenticates the end terminal 110. FIG. Such an authentication screen can be implemented on a web-based basis.

The embodiments of the present invention described above are not implemented only by the apparatus and method, but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, It belongs to the scope of right.

Claims (23)

1. An operation method of an authentication apparatus for performing network connection and authentication with an end terminal connected to a network via an access terminal,
Setting a traffic block for the access terminal that has completed the access procedure to the network,
Receiving an authentication request from the end terminal connected to the access terminal, and
Performing authentication for the end terminal and releasing traffic blocking for the access terminal,
And when the traffic interruption is canceled, the end terminal accesses the network through the access terminal to receive the data service. The method of claim 1,
Wherein the setting step comprises:
Receiving a connection request to the private network from the access terminal and authenticating that the access terminal is a private network service subscriber, and
If the authentication succeeds, setting blocking for all traffic except authentication traffic for the access terminal
≪ / RTI > 3. The method of claim 2,
Wherein the setting of the blocking for all traffic comprises:
The authentication apparatus receives a QoS (Quality of Service) information of a session for the access terminal from the traffic control apparatus, and
And responding the service quality information to the traffic control device,
The traffic control device transmits the service quality information to the packet data network gateway,
Wherein the packet data network gateway sets blocking for all traffic except authentication traffic for the access terminal. 4. The method of claim 3,
Wherein the authenticating comprises:
Receiving a connection request of the access terminal from the packet data network gateway;
Determining whether the access terminal is a dedicated network service subscriber based on information included in the access request,
Transmitting a connection response to the packet data network gateway when it is determined to be the dedicated network service subscriber
≪ / RTI > 5. The method of claim 4,
Wherein the authenticating comprises:
After sending the connection response to the packet data network gateway,
Further comprising storing a session for the access terminal,
Wherein the packet data network gateway comprises:
Assigning an IP to be used in a private network to the access terminal when the access response is received, and transmitting a session establishment response to the access terminal. 5. The method of claim 4,
After receiving the connection request,
Determining whether the terminal transmitting the connection request is a general terminal or the access terminal, and
And if so, sending a connection response to the packet data network gateway,
And if the access terminal is determined to be the access terminal, the determining step is performed. The method of claim 1,
Wherein the step of releasing comprises:
Identifying an access terminal connected to the end terminal and confirming quality of service (QoS) information of a session for the access terminal;
Transmitting the first authentication key to the end terminal if the quality of service information is set to block traffic,
Receiving a first authentication value calculated by a predetermined algorithm using the authentication key from the end terminal; and
Checking whether the first authentication value is valid, and if it is valid, canceling traffic blocking for the access terminal
≪ / RTI > 8. The method of claim 7,
Wherein the step of canceling the traffic interruption to the access terminal, if valid,
Computing a second authentication value with the same algorithm as the endpoint terminal;
Determining that the first authentication value is valid if the first authentication value matches the second authentication value, and
If the first authentication value is valid, canceling the traffic interruption to the access terminal
≪ / RTI > 9. The method of claim 8,
Wherein the first authentication value and the second authentication value are "
Wherein the first authentication key is calculated using at least one of Media Access Control (MAC), International Mobile Equipment Identity (IMEI), PassWord (PW), and One Time Password (OTP) of the end terminal. 9. The method of claim 8,
And if the first authentication value is valid, canceling the traffic block to the access terminal,
Transmitting an authentication result and a second authentication key to be used for re-authentication to the end terminal;
Receiving a re-authentication request using the second authentication key from the end terminal and performing re-authentication, and
If the re-authentication fails, establishing a traffic block for the access terminal
≪ / RTI > 11. The method of claim 10,
Wherein if the re-authentication fails, establishing a traffic block for the access terminal comprises:
Activating a re-authentication timer and transmitting a timer expiration time to the end terminal; and
If the re-authentication fails or the re-authentication request is not received within the timer expiration time,
≪ / RTI > A system for performing network connection and authentication to an end terminal connected to a network via an access terminal,
An authentication DB for storing information of an access terminal which has completed the connection procedure to the network and information of the terminal which is registered for the access terminal,
When an authentication request including an IP (Internet Protocol) and an end terminal ID is received from the end terminal connected to the access terminal, the access terminal connected to the end terminal is checked based on the IP from the authentication DB, The terminal device is configured to perform the authentication for the end terminal,
And a network access and authentication system. The method of claim 12,
The authentication DB includes:
A first authentication table including a terminal identifier field of the access terminal, a policy field of the access terminal, an IP field of the access terminal, a connection state field of the access terminal, and at least one terminal terminal ID field connected to the access terminal , And
A second authentication table including a terminal identifier field of an end terminal corresponding to the end terminal ID field and at least one authentication method field for the end terminal
And a network access and authentication system. The method of claim 13,
The authentication device includes:
Confirms from the first authentication table an access terminal including an IP included in the authentication request and an end terminal ID, identifies an authentication method recorded in correspondence with the end terminal ID from the second authentication table, And performs authentication for the end terminal using an authentication method confirmed by the terminal. The method of claim 14,
The authentication device includes:
Setting a policy field of the first authentication table as a traffic block for the access terminal after the network access procedure and setting a policy field of the first authentication table as a traffic block release when the authentication for the end terminal is successful Network access and authentication system. The method of claim 12,
When receiving an access request from the access terminal, transmitting an access request to the authentication device and receiving an access response from the authentication device, requesting the traffic disconnection setting from the authentication device to set blocking for all traffic other than the authentication traffic, If the authentication of the end terminal is successful, the packet data network gateway
Further comprising: a network connection and authentication system. 17. The method of claim 16,
Requesting the authentication apparatus according to a request of the packet data network gateway and receiving quality of service (QoS) information of a session for the access terminal including the traffic cutoff setting or traffic cutoff release information from the authentication apparatus To the packet data network gateway
Further comprising: a network connection and authentication system. The method of claim 17,
The authentication device includes:
The network access and authentication system permitting network access if the access terminal is a dedicated network service subscriber after confirming that the access terminal is a dedicated network service subscriber. 1. An operation method of an end terminal that connects to a network through an access terminal,
Wherein the end terminal is connected to the access terminal,
Requesting authentication from the authentication terminal through the access terminal, and
If the authentication is successful, accessing the network through the access terminal and receiving a data service
Gt; terminal < / RTI > 20. The method of claim 19,
Wherein the providing and receiving comprises:
Receiving a first authentication key from the authentication device and generating a first authentication value with a predetermined algorithm,
Transmitting the first authentication value to the authentication device and receiving an authentication result indicating that the first authentication value is valid, and
When the first authentication value is valid, accessing the network through the access terminal and receiving a data service
Gt; terminal < / RTI > 20. The method of claim 20,
After the providing and receiving step,
And requesting re-authentication to the authentication device periodically using the re-authentication key received together with the authentication result,
And if the reauthentication fails, blocking of traffic of the access terminal is established. An operating method of an access terminal for connecting an end terminal to a network,
Connecting the access terminal to the end terminal,
Relaying authentication traffic transmission / reception between the end terminal and the authentication device, and
Determining whether to allow network connection and user traffic transmission of the end terminal according to the authentication result of the authentication device for the end terminal
To the access terminal. The method of claim 22,
Wherein the determining comprises:
If the authentication is successful, allowing a traffic transmission / reception path between the end terminal and the network, and
Blocking the traffic transmission / reception path between the end terminal and the network if the authentication fails;
To the access terminal.

Images