WO2007138663A1 - Network access control method, network access control system, authentication processing device, access control device, proxy request device, and access request device - Google Patents


Info

Publication number: WO2007138663A1
Application number: PCT/JP2006/310585
Authority: WO (WIPO, PCT)
Prior art keywords: access, access control, proxy, request, data
Other languages: English (en), Japanese (ja)
Inventors: Katsunori Iwamoto, Hiroshi Ishinishi, Yoshio Aoyagi
Original assignee: Fujitsu Limited
Application filed by Fujitsu Limited
Priority to PCT/JP2006/310585 (WO2007138663A1, fr)
Priority to JP2008517726A (JP4832516B2, ja)
Publication of WO2007138663A1 (fr)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31: User authentication
    • G06F 2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2115: Third party
    • G06F 2221/2129: Authenticate client device independently of the user

Definitions

  • Network access control method, network access control system, authentication processing device, access control device, proxy request device, and access request device
  • The present invention relates to a network access control method, a network access control system, an authentication processing device, an access control device, a proxy request device, and an access request device suitable for an environment in which connection to the network is strictly managed, such as an in-company network.
  • Background Art
  • RADIUS: Remote Authentication Dial In User Service
  • In RADIUS, a RADIUS server receives an authentication request for an information terminal from a RADIUS client and authenticates the information terminal or its user based on a preset access control policy.
  • The RADIUS client receives an authentication response including access control data for the information terminal from the RADIUS server; the information terminal acquires the access control data from the RADIUS client, and the information terminal and the RADIUS client perform access control based on that data.
  • Access to the network can thus be controlled according to an access control policy appropriate to each information terminal or to each user.
  • Patent Document 1 JP 2003-345575 A
  • Patent Document 2 Japanese Patent Laid-Open No. 08-335208
  • When a RADIUS server receives an authentication request for an information terminal or user outside its management jurisdiction, it forwards the request to the RADIUS server of the organization that manages that terminal and receives the authentication response from it. With this proxy function, a RADIUS server can indirectly authenticate information terminals outside its administrative jurisdiction.
  • For example, an authentication request for an information terminal brought in by an employee visiting from another company is forwarded to the RADIUS server of the company to which the employee belongs, and the authentication result is returned to the RADIUS server that manages the host company's network.
  • The RADIUS server that manages the host company's network can thereby confirm that the party requesting the connection is indeed an employee of the company in question, and whether the connection is permitted. Access to the network can therefore be controlled based on an appropriate access control policy for information terminals brought in by visitors as well as for those managed by the company.
  • However, the proxy function in the above technology presupposes that the in-house RADIUS server and the RADIUS server of the visitor's organization are linked: both networks must employ RADIUS authentication, and an environment in which the two RADIUS servers can communicate with each other must be created. To realize network access control based on the authentication result of the visitor's home RADIUS server, an appropriate contract or rule must be agreed between the companies in advance. As a means of realizing business collaboration between limited departments or short-term collaboration, this has a high threshold for introduction and lacks flexibility.
  • The former known technology cannot solve the problems described above. Even when the latter known technology is applied, for example so that an information terminal managed by the company requests authentication from the RADIUS server via the RADIUS client in place of the terminal brought in by the visiting employee, the information subject to authentication is still that of the visiting employee or of the terminal the employee brought in (such as an ID and password). Authentication therefore still requires cooperation with the RADIUS server of the organization to which the employee belongs, and the problem remains.
  • The present invention has been made in view of the above. Its object is to make it possible to control network access from an information terminal outside the management jurisdiction in a timely manner, without setting an access control policy for that terminal in advance and without forwarding an authentication request to a server on an external network.
  • A network access control method according to the present invention is a method in which an access control device controls network access from an access requesting device that attempts to access a network. It comprises a step in which the proxy requesting device receives an access request including identification information of the access requesting device from the access requesting device, obtains the permission of the user of the proxy requesting device, and makes a proxy access request including the identification information of the access requesting device and the authentication data of the proxy requesting device to the access control device;
  • a step in which the access control device records the identification information of the access requesting device contained in the proxy access request and issues a permission authentication request including the authentication data of the proxy requesting device to the authentication processing device; and a step in which the authentication processing device authenticates the authentication data of the permission authentication request and distributes access control data based on the authentication result to the access control device that issued the request.
  • That is, rather than the access requesting device requesting authentication from the authentication processing device directly, the proxy requesting device makes the request with its own authentication data in response to a request from the access requesting device.
  • The authentication processing device receives the request and distributes access control data based on the result of authentication processing to the access control device. Therefore, even if the access requesting device is an information terminal outside the management jurisdiction, it can request access from the proxy requesting device, which is an information terminal within the management jurisdiction; once the proxy requesting device, the access control device and the authentication processing device have executed their processing, the control that the access control device applies to network access from the access requesting device changes and the network becomes accessible.
  • The access requesting device may be configured to receive the access control data via the proxy requesting device. In a configuration in which, after requesting access from the proxy requesting device, the access requesting device transmits information to the access control device at a predetermined interval, it is not strictly necessary for the access requesting device to receive the access control data via the proxy requesting device.
  • A further network access control method according to the present invention is a method in which an access control device controls network access from an access requesting device that attempts to access a network, comprising: a step in which the access requesting device makes an access request including its identification information to the proxy requesting device; a step in which the proxy requesting device receives that access request and makes a proxy access request including the identification information of the access requesting device and the authentication data of the proxy requesting device to the access control device; a step in which the access control device records the identification information of the access requesting device contained in the proxy access request and sends a permission authentication request including the authentication data of the proxy requesting device to the authentication processing device;
  • a step in which the authentication processing device authenticates the authentication data of the permission authentication request and distributes access control data based on the result to the access control device that requested the permission authentication;
  • a step in which the access control device records the access control data distributed from the authentication processing device and sends it to the proxy requesting device, which in turn sends it to the access requesting device;
  • a step in which the access requesting device records the access control data transmitted from the proxy requesting device and executes network access based on it; and a step in which the access control device controls network access from the access requesting device identified by the recorded identification information, based on the recorded access control data.
  • The access control data received by the access requesting device may include information that must be added to the transmitted information when the access requesting device sends information to the network. If the access control data does not contain such information, the access requesting device can obtain it from another device once it is able to access the network.
  • Such information is, for example, an IP address, a subnet mask and a default gateway.
  • The other device is, for example, a DHCP (Dynamic Host Configuration Protocol) server.
  • The access control data includes a valid time as necessary, and the method further includes a step in which the access control device deletes the corresponding access control data when the valid time of access control data it has recorded expires.
  • Since the access control device deletes the corresponding access control data when its valid time expires, network access from the access requesting device identified by the recorded identification information is thereafter controlled exactly as it was before the access control device received the access control data from the authentication processing device, and the access requesting device can no longer access the network.
  • The access requesting device is thus granted access only for a permitted time rather than permanently, and network access control can be realized within the required range.
  • If necessary, the method further includes a step in which the access requesting device sends a new access request to the proxy requesting device before the valid time of the access control data expires.
  • Because the access requesting device requests access from the proxy requesting device again before the valid time expires, the access control data that the access control device was due to delete on expiry is not deleted, and the access requesting device can continue to access the network after the valid time of the original access control data has passed.
  • The access control data may be redistributed from the authentication processing device to the access control device by processing the renewed access request to the proxy requesting device in the same way as the first access request.
  • Alternatively, the proxy requesting device may request the access control device to extend the network access of the access requesting device; this request may carry an additional valid time in addition to the identification information of the access requesting device.
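The four-party exchange described in the method above, written out as an added Python illustration; this is not code from the patent or from Fujitsu. It assumes an ID and password as the proxy's authentication data, a per-entry permitted access authorization record carrying the quality class and valid time handed to a third party, a MAC address as the access requesting device's identification information, and a `clock` dictionary in place of real time so that expiry and renewal can be stepped through. The device and message names follow the page's terminology; the field names, credentials and addresses are invented for the example.

```python
"""Added illustration (not the patent's code) of the control-plane exchange
access requesting device (40) -> proxy requesting device (30) -> access control
device (20) -> authentication processing device (10), with valid time and renewal."""
import hashlib
import hmac
import secrets


def make_entry(password, access_auth, permitted_access_auth):
    """One constructed entry of the authentication management data (FIG. 7)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000),
            "access_auth": access_auth,                      # what the terminal may do itself
            "permitted_access_auth": permitted_access_auth}  # what it may grant a third party


class AuthenticationProcessingDevice:                    # device 10
    def __init__(self, entries):
        self.entries = entries

    def permission_authentication(self, request):
        """Verify the proxy's own credentials; the access control data in the response
        is built from the permitted access authorization data, not from the proxy's
        own access authorization data (FIG. 7 / FIG. 9)."""
        auth = request["auth_data"]
        entry = self.entries.get(auth["id"])
        if entry is None:
            return {"result": "reject"}
        given = hashlib.pbkdf2_hmac("sha256", auth["password"].encode(), entry["salt"], 20_000)
        if not hmac.compare_digest(given, entry["pw"]):
            return {"result": "reject"}
        permitted = entry["permitted_access_auth"]
        if not permitted.get("connect"):
            return {"result": "reject"}                  # may connect itself but may not sponsor
        return {"result": "accept", "access_control_data": {
            "quality": permitted["quality"], "valid_time": permitted["valid_time"]}}


class AccessControlDevice:                               # device 20 (NAS / access point)
    def __init__(self, apd, clock):
        self.apd, self.clock = apd, clock
        self.access_management = {}                      # device identifier -> (quality, expiry)

    def proxy_access_request(self, request):
        ar_id = request["ar_id"]                         # identification info of device 40, e.g. MAC
        resp = self.apd.permission_authentication({"auth_data": request["auth_data"]})
        if resp["result"] != "accept":
            return {"result": "reject"}
        acd = resp["access_control_data"]
        self.access_management[ar_id] = (acd["quality"], self.clock["now"] + acd["valid_time"])
        return {"result": "accept", "access_control_data": acd}

    def delete_expired(self):
        """Drop entries whose valid time has passed (the deletion step of the method)."""
        now = self.clock["now"]
        for dev in [d for d, (_, exp) in self.access_management.items() if exp <= now]:
            del self.access_management[dev]

    def is_allowed(self, device_id):
        self.delete_expired()
        return device_id in self.access_management


class ProxyRequestingDevice:                             # device 30 (employee's own PC)
    def __init__(self, auth_data, acd, approve):
        self.auth_data, self.acd, self.approve = auth_data, acd, approve

    def access_request(self, request):
        """approve() stands in for the user's on-screen confirmation (FIG. 16). The
        access response carries only access control data, never the proxy's credentials."""
        if not self.approve(request["ar_id"]):
            return {"result": "reject"}
        resp = self.acd.proxy_access_request({"ar_id": request["ar_id"], "auth_data": self.auth_data})
        return {"result": resp["result"], "access_control_data": resp.get("access_control_data")}


def access_requesting_device(device_id, proxy):          # device 40 (visitor's terminal)
    return proxy.access_request({"ar_id": device_id})["result"]


def run_scenario():
    """Constructed scenario: a visitor's terminal sponsored by an employee's PC."""
    clock = {"now": 0}
    apd = AuthenticationProcessingDevice({
        "emp01": make_entry("correct horse", {"connect": True, "quality": "gold"},
                            {"connect": True, "quality": "bronze", "valid_time": 600}),
        "emp02": make_entry("battery staple", {"connect": True, "quality": "gold"},
                            {"connect": False})})            # not permitted to sponsor guests
    acd = AccessControlDevice(apd, clock)
    ok = lambda _mac: True
    sponsor = ProxyRequestingDevice({"id": "emp01", "password": "correct horse"}, acd, ok)
    guest = "00:11:22:33:44:55"
    out = {"first": access_requesting_device(guest, sponsor), "allowed": acd.is_allowed(guest)}
    clock["now"] += 600                                      # valid time elapses
    out["after_expiry"] = acd.is_allowed(guest)
    out["renewed"] = access_requesting_device(guest, sponsor)   # re-request to the proxy
    out["allowed_again"] = acd.is_allowed(guest)
    out["via_emp02"] = access_requesting_device("66:77:88:99:aa:bb",
        ProxyRequestingDevice({"id": "emp02", "password": "battery staple"}, acd, ok))
    out["bad_password"] = access_requesting_device("cc:dd:ee:ff:00:11",
        ProxyRequestingDevice({"id": "emp01", "password": "nope"}, acd, ok))
    return out
```

The `emp02` case is the point the page later makes for FIG. 7: a terminal may be allowed to connect itself while its permitted access authorization data refuses sponsorship, so the authentication processing device must decide on the permitted data and not on the proxy's own access authorization. The access requesting device never sees the proxy's credentials; only the access control data travels back through the access response, and after the valid time passes the entry at the access control device is gone until the proxy is asked again.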
  • A network access control system according to the present invention is a system in which an access control device controls network access from an access requesting device that attempts to access a network, comprising a proxy requesting device and an authentication processing device.
  • The proxy requesting device includes means for receiving an access request including identification information of the access requesting device from the access requesting device, means for receiving the permission of the user of the proxy requesting device for that access request, and means for making a proxy access request including the identification information of the access requesting device and the authentication data of the proxy requesting device to the access control device after that permission has been received.
  • The access control device includes means for recording the identification information of the access requesting device contained in the proxy access request, means for issuing a permission authentication request including the authentication data of the proxy requesting device to the authentication processing device, and means for controlling network access from the access requesting device identified by the recorded identification information, based on the access control data distributed from the authentication processing device.
  • The authentication processing device includes means for authenticating the authentication data of the permission authentication request and means for distributing access control data based on the authentication result to the access control device that requested the permission authentication.
  • The "means for receiving the permission of the user of the proxy requesting device for the access request from the access requesting device" is a means of receiving permission information from the user of the proxy requesting device, through an input means such as the keyboard of the computer on which the proxy requesting device is constructed, for the access request that has arrived from the access requesting device.
  • In the present invention, a proxy requesting device, an information terminal within the management jurisdiction, acquires access control data on behalf of an access requesting device, an information terminal outside the management jurisdiction.
  • The proxy requesting device executes the acquisition of access control data upon receipt of an access request from the access requesting device, and the authentication processing device distributes access control data based on the authentication result for the proxy requesting device to the access control device.
  • The access control device performs network access control based on the access control data distributed in the acquisition process initiated by the proxy requesting device, and the access requesting device performs network access based on the access control data obtained from the proxy requesting device in response to its access request.
  • The authentication process for connecting to the network is thus closed within the company's network, so that server cooperation between companies is not required. Further, because access control data is distributed to the access control device and the access requesting device in the course of the authentication procedure executed by the proxy requesting device, it can be confirmed that network access was granted by an information terminal or user with appropriate rights. Owing to these features, the network access control method of the present invention can connect information terminals brought in by visitors to the network based on an appropriate access control policy more easily and flexibly than the prior art.
  • FIG. 1 is a system configuration diagram of an embodiment of a network access control system of the present invention.
  • FIG. 2 is a hardware configuration diagram of a computer in which the components of the network access control system are constructed.
  • FIG. 3 is a functional block diagram of the authentication processing device.
  • FIG. 4 is a functional block diagram of an access control device.
  • FIG. 5 is a functional block diagram of a proxy request device.
  • FIG. 6 is a functional block diagram of an access request device.
  • FIG. 7 is a configuration diagram of authentication management data.
  • FIG. 8 is a configuration diagram of access management data.
  • FIG. 9 is a configuration diagram of access control data.
  • FIG. 10 is a flowchart of processing executed by the authentication processing device.
  • FIG. 11 is a flowchart of processing executed by the access control apparatus.
  • FIG. 12 is a flowchart of processing executed by the access control apparatus.
  • FIG. 13 is a flowchart of processing executed by a proxy request device.
  • FIG. 14 is a flowchart of processing executed by the access requesting device.
  • FIG. 15 is a diagram for explaining a network access control sequence of the present invention.
  • FIG. 16 is an example of a window displayed on the display of the proxy requesting device.
  • FIG. 17 is a diagram for explaining a network access control sequence of the present invention.
  • FIG. 18 is a system configuration diagram of embodiment 1 of a network access control system of the present invention.
  • FIG. 19 is a diagram illustrating a configuration example of authentication management data according to the first embodiment.
  • FIG. 20 is a diagram showing a configuration example of access management data in the first embodiment.
  • FIG. 21 is a diagram illustrating an example of the configuration of access control data according to the first embodiment.
  • FIG. 22 is a diagram for explaining a network access control sequence according to the first embodiment.
  • FIG. 23 is a system configuration diagram of Embodiment 2 of the network access control system of the present invention.
  • FIG. 24 is a diagram showing a configuration example of authentication management data of Embodiment 2.
  • FIG. 25 is a diagram showing a configuration example of access management data in the second embodiment.
  • FIG. 26 is a diagram showing a configuration example of access control data in the second embodiment.
  • FIG. 27 is a diagram for explaining a network access control sequence according to the second embodiment.
  • Explanation of symbols
  • The present invention can also be implemented as a program and a method that can be used by a computer.
  • The present invention can be implemented in hardware, in software, or in a combination of software and hardware.
  • The program can be recorded on any computer-readable medium such as a hard disk, CD-ROM, DVD-ROM, optical storage device or magnetic storage device.
  • The program can also be transferred to another computer via a network.
  • FIG. 1 shows a system configuration diagram of a network access control system of the present invention.
  • the network access control system includes an authentication processing device 10, an access control device 20, a proxy request device 30, and an access request device 40.
  • the authentication processing device 10 and the access control device 20 can transmit and receive information via the communication network 50.
  • The access control device 20, the proxy requesting device 30 and the access requesting device 40 can communicate with one another at least at the physical layer.
  • The authentication processing device 10, the access control device 20, the proxy requesting device 30 and the communication network 50 belong to the same management jurisdiction, while the access requesting device 40 belongs to a different management jurisdiction.
  • Figure 2 shows the hardware configuration of the computer on which the components of the network access control system are built.
  • The computer 100 on which the proxy requesting device 30 is constructed includes a CPU (Central Processing Unit) 111, a RAM (Random Access Memory) 112, a ROM (Read Only Memory) 113, a flash memory 114, an external storage device such as an HD (hard disk), and a LAN (Local Area Network) card 116.
  • It further includes a speaker 120a, a sound output device electrically connected to a sound card 120, and a drive 121 for reading and writing a storage medium such as a floppy disk (registered trademark), CD-ROM or DVD-ROM.
  • The LAN card 116 is a wireless LAN card.
  • The computer on which the access requesting device 40 is constructed has the same hardware configuration.
  • The proxy requesting device 30 and the access requesting device 40 are typically constructed on a PC (Personal Computer) such as a laptop, desktop or tablet PC with the hardware configuration shown; they can also be constructed on a PDA (Personal Digital Assistant), a mobile phone, a PHS and the like.
  • Wireless LAN-compatible mobile phones are already known.
  • A program for functioning as the proxy requesting device 30 is installed (sometimes called "install" or "setup") on the computer 100, and the proxy requesting device 30 is thereby constructed on the computer.
  • The same applies to the access requesting device 40.
  • The authentication processing device 10 is normally constructed on a server computer whose hardware configuration is usually the same as that of the computer 100.
  • The authentication processing device performs authentication processing in response to a request from the access control device 20 and distributes access control data according to the authentication result.
  • It corresponds to the authentication server that manages a range limited to the in-house network. Normally such an authentication server is equipped with means for distributing access control data that realizes access control for the authenticated information terminal or user according to a preset access control policy.
  • The authentication processing device 10 of the present invention additionally manages, for each information terminal or user to be authenticated, the services that the terminal or user may grant to a third party.
  • When it receives a permission authentication request originating from the proxy requesting device 30, it generates access control data that realizes the access permitted to the third party, and is provided with means for distributing a permission authentication response containing that access control data to the access control device 20.
  • FIG. 3 shows the configuration of the authentication processing device.
  • The data transmission/reception unit 11 is a functional unit that transmits and receives data in communication with the outside of the device.
  • The authentication request processing unit 12 is a functional unit that performs authentication processing of an information terminal or user in response to an authentication request or permission authentication request received from the data transmission/reception unit 11; it extracts the entry corresponding to the information terminal to be authenticated from the authentication management data.
  • Based on the result of the authentication processing, the authentication request processing unit 12 generates, from the authentication management data, access control data for the services that the information terminal may grant to a third party, builds an authentication response or permission authentication response, and then requests the data transmission/reception unit 11 to transmit the response.
  • FIG. 7 shows the configuration of the authentication management data.
  • The authentication management data consists of a collection of authentication processing data set for each information terminal or user to be managed.
  • The authentication processing data is composed of authentication data for authenticating the information terminal or user, access authorization data indicating whether the information terminal or user may execute access, and permitted access authorization data indicating whether that information terminal or user may permit access to a third party.
  • The configuration of the authentication data and access authorization data is not limited in the present invention and follows that of a general authentication server.
  • For example, a combination of ID and password can be used as authentication data, and whether connection to the network is possible and the communication quality can be used as access authorization data.
  • The configuration of the permitted access authorization data may be the same as that of the access authorization data, but the contents need not be the same. For example, in the entry for a given information terminal, "network connection allowed" may be set in the access authorization data while "network connection not allowed" is set in the permitted access authorization data.
  • FIG. 9 shows the structure of the access control data.
  • The access control data is composed of access authorization data and access execution data. If the access requesting device 40 needs no special information to execute access, the access execution data is unnecessary.
  • The configuration of the access execution data is not limited in the present invention and follows that of a general authentication server. When access control data is generated for a permission authentication response, the permitted access authorization data of the authentication processing data is set as the access authorization data of the access control data.
  • An access control device is a device that controls the network access of information terminals based on access control data, and corresponds to a NAS (Network Access Server), a wireless access point or the like.
  • Usually an access control device has a function of excluding network access by information terminals that have not been authenticated and a function of providing the appropriate communication quality for network access by authenticated information terminals.
  • In addition, the access control device 20 of the present invention includes means for transmitting a permission authentication request to the authentication processing device 10 when it receives a proxy access request from the proxy requesting device 30.
  • FIG. 4 shows the configuration of the access control device.
  • The data transmission/reception unit 21 is a functional unit that transmits and receives data in communication with the outside of the device.
  • The access control unit 22 is a functional unit that executes access control on data passing through the access control device 20. It extracts from the access management data 23 the access control processing data corresponding to the source information terminal of data received from the data transmission/reception unit 21, discards the data or applies communication quality based on that processing data, and, if the data may pass through the access control device 20, requests the data transmission/reception unit 21 to transmit it. It also sets access control data in the access management data at the request of the access request processing unit 24.
  • The access request processing unit 24 is a functional unit that executes processing corresponding to an access request, proxy access request, authentication response or permission authentication response received from the data transmission/reception unit 21.
  • When it receives a proxy access request, it generates a permission authentication request and requests the data transmission/reception unit 21 to transmit it.
  • When it receives a permission authentication response, it extracts the access control data contained in the response, requests the access control unit 22 to set that data, then generates a proxy access response corresponding to the permission authentication response and requests the data transmission/reception unit 21 to transmit it.
  • FIG. 8 shows the configuration of the access management data.
  • The access management data 23 consists of device identification data identifying each information terminal managed by the access control device 20 and access authorization data indicating whether that information terminal may execute access.
  • The content of the device identifier is not limited in the present invention, as long as it specifies the information terminal for the purpose of access control. For example, a MAC address, an IP address or the port number of the connected device can be used.
  • the proxy requesting device 30 is a device that executes mail and Web applications, and corresponds to an information terminal such as a PC (Personal Computer) or a PDA (Personal Digital Assistant) having communication means. Usually, it has a function to access the network based on access control data.
  • the proxy requesting device 30 of the present invention includes means for receiving an access request from the access requesting device 40 and means for transmitting a proxy access request to the access control device 20, triggered by the reception of the access request.
  • FIG. 5 shows a configuration diagram of the proxy requesting device.
  • the data transmission / reception unit 31 is a functional unit that transmits / receives data regarding communication with the outside of the apparatus.
  • the access request processing unit 32 is a functional unit that executes processing corresponding to the access request or proxy access response received from the data transmission / reception unit 31.
  • When an access request is received, the access request processing unit 32 generates a proxy access request including the device identification data contained in the access request and the authentication data 33 with which the authentication processing device 10 authenticates the proxy requesting device 30, and requests the data transmission / reception unit 31 to transmit the proxy access request.
  • When a proxy access response is received, the access request processing unit 32 generates an access response corresponding to the proxy access response and requests the data transmitting / receiving unit 31 to transmit the access response.
  • the authentication data 33 stores authentication data for the authentication processing device 10 to authenticate the proxy requesting device 30.
  • the content of the authentication data corresponds to the authentication data in the authentication processing data for the proxy requesting device 30 held in the authentication management data of the authentication processing device 10, and must match it.
  • An access requesting device is a device that executes mail and Web applications, and corresponds to an information terminal such as a PC or PDA having communication means. Usually, it has a function to access the network based on access control data.
  • the access requesting device 40 of the present invention includes means for transmitting an access request to the proxy requesting device 30 and means for, when receiving an access response corresponding to the access request, extracting and setting the access control data contained in it.
  • FIG. 6 shows a configuration diagram of the access requesting device.
  • the data transmitter / receiver 41 is a functional unit that transmits / receives data regarding communication with the outside of the apparatus.
  • the access request execution unit 42 is a functional unit that processes the access request and the access response.
  • the access request execution unit 42 extracts the device identification data 43 and generates an access request including the acquired device identification data 43. After the generation, the data transmission / reception unit 41 is requested to transmit the access request. Further, when receiving an access response, the access request execution unit 42 extracts the access control data included in the access response and requests the access processing unit 44 to set the access control data 45.
  • the device identification data 43 stores data for the proxy requesting device 30 to identify the access requesting device 40, and corresponds to the device identification data included in the access management data 23 of the access control device 20.
  • the access processing unit 44 is a functional unit that performs network access based on the acquired access control data. In accordance with an instruction from the user of the access requesting device 40, it requests the data transmitter / receiver 41 to transmit the communication data of mail and Web applications. Further, in accordance with a request from the access request execution unit 42, it sets the access execution data included in the access control data.
  • the communication network 50 is a network that delivers data regarding communication performed between the devices or between other servers and information terminals, and corresponds to a corporate intra network (Intranet, Intranetwork) or the like.
  • a specific network configuration of the intra network can be appropriately constructed by those skilled in the art and will not be described in detail here.
  • Network configuration components include communication devices such as LAN cables, network devices such as repeaters, hubs, layer 2 switches, routers, and layer 3 switches.
  • FIG. 10 shows a flowchart of processing executed by the authentication processing device.
  • In step S101 in FIG. 10, it is determined whether any data has been received from the outside. If it has been received, the process proceeds to step S102; if not, the process ends.
  • In step S102, it is determined whether the received data is an authentication request. If it is, the process proceeds to step S103; if not, the process proceeds to step S106.
  • In step S103, the authentication processing data of the corresponding information terminal or user is extracted from the authentication management data 13 based on the authentication data included in the authentication request.
  • In step S104, the authentication process is executed by comparing the authentication data included in the authentication request with the authentication data in the extracted authentication processing data. Specifically, it is determined whether the ID and password included in the authentication request match the ID and password included in the authentication processing data.
  • In step S105, an authentication response is generated based on the result of step S104 and transmitted to the transmission source of the authentication request, that is, the access control device 20.
  • the authentication response includes the result of the authentication process. If the result is normal, the access control data is further added.
  • the access authorization data of the authentication processing data is set as the access authorization data of the access control data.
  • In step S106, it is determined whether the received data is a permission authentication request. If it is, the process proceeds to step S107; if not, the process is terminated. In step S107, the authentication processing data of the corresponding information terminal or user is extracted from the authentication management data 13 based on the authentication data included in the permission authentication request.
  • In step S108, the authentication process is executed by comparing the authentication data included in the permission authentication request with the authentication data in the extracted authentication processing data. Specifically, it is determined whether the ID and password included in the permission authentication request match the ID and password included in the authentication processing data.
  • In step S109, a permission authentication response is generated based on the result of step S108 and transmitted to the transmission source of the permission authentication request, that is, the access control device 20.
  • the permission authentication response includes the result of the authentication process. If the result is normal, the access control data is further added.
  • the permitted access authorization data of the authentication processing data is set as the access authorization data of the access control data.
  • FIG. 11 and FIG. 12 show flowcharts of processing executed by the access control apparatus.
  • In step S201 in FIG. 11, it is determined whether any data has been received from the outside. If it has been received, the process proceeds to step S202; if not, the process is terminated.
  • In step S202, it is determined whether the received data is an access request. If it is, the process proceeds to step S203; if not, the process proceeds to step S204.
  • In step S203, an authentication request is generated based on the authentication data included in the access request and transmitted to the authentication processing device 10.
  • In step S204, it is determined whether the received data is a proxy access request. If it is, the process proceeds to step S205; if not, the process proceeds to step S206.
  • In step S205, a permission authentication request is generated based on the authentication data included in the proxy access request and transmitted to the authentication processing device 10.
  • In step S206, it is determined whether the received data is an authentication response. If it is, the process proceeds to step S207; if not, the process proceeds to step S209.
  • In step S207, the authentication result included in the authentication response is confirmed. If the result is normal, access control processing data is generated based on the access control data included in the authentication response and the device identification data included in the previously received access request, and is set in the access management data 23.
  • In step S208, an access response is generated based on the received authentication response and transmitted to the proxy requesting device 30.
  • In step S209, it is determined whether the received data is a permission authentication response. If it is, the process proceeds to step S210; if not, the process proceeds to step S212. In step S210, the authentication result included in the permission authentication response is confirmed. If the result is normal, access control processing data is generated based on the access control data contained in the permission authentication response and the device identification data included in the previously received proxy access request, and is set in the access management data 23.
  • In step S211, a proxy access response is generated based on the received permission authentication response and transmitted to the proxy requesting device 30.
  • In step S212, the access control processing data corresponding to the device identification data is extracted from the access management data 23 based on the device identification data included in the transmission-source information of the received data.
  • In step S213, access control is executed based on the information extracted in step S212. Specifically, if network access is permitted, the received data is transferred according to its destination information, and when a high priority is set for communication quality, the transfer is executed with priority. If no corresponding access control processing data exists, that is, if the data has been received from an information terminal for which the appropriate authentication procedure has not been completed, processing follows the default setting; for example, the received data is discarded.
  • FIG. 13 shows a flowchart of processing executed by the proxy requesting device.
  • In step S301 in FIG. 13, it is determined whether any data has been received from the outside. If it has been received, the process proceeds to step S302; if not, the process ends.
  • In step S302, it is determined whether the received data is an access request. If it is, the process proceeds to step S303; if not, the process proceeds to step S306.
  • In step S303, it is determined whether to execute the proxy request, based on the device identification data included in the received access request. If the proxy request is to be executed, the process proceeds to step S304; if not, the process ends.
  • the method for determining whether the proxy request may be executed is not limited, but a method that confirms the user's intention is desirable: the device identification data is displayed on the screen of the proxy requesting device 30 and the user of the proxy requesting device 30 is asked whether the request may be executed.
  • In step S304, the authentication data of the proxy requesting device 30 itself or of its user is extracted.
  • In step S305, a proxy access request is generated based on the device identification data included in the received access request and the authentication data extracted in step S304, and is transmitted to the access control device 20.
  • In step S306, it is determined whether the received data is a proxy access response. If it is, the process proceeds to step S307; if not, the process ends.
  • In step S307, an access response is generated based on the received proxy access response and transmitted to the access requesting device 40.
  • FIG. 14 shows a flowchart of processing executed by the access requesting device.
  • In step S401 in FIG. 14, it is determined whether any data has been received from the outside. If it has been received, the process proceeds to step S402; if not, the process ends.
  • In step S402, it is determined whether the received data is an access response. If it is, the process proceeds to step S403; if not, the process proceeds to step S404.
  • In step S403, the access control data is extracted from the received access response, and if the access control data includes access execution data, this is set.
  • In step S404, it is determined whether an access request is to be transmitted. If it is, the process proceeds to step S405; if not, the process ends.
  • For example, it may be determined that an access request is to be transmitted when the access requesting device 40 attempts to access the network and receives from the access control device 20 a notification that access is not permitted.
  • In step S405, device identification data for identifying the access requesting device 40 is extracted.
  • Then an access request including the device identification data extracted in step S405 is transmitted to the proxy requesting device 30.
  • the access request may include an identifier of the access control device 20 through which access is being attempted.
  • the identifier of the access control device 20 can be acquired from a message periodically broadcast by the access control device 20, or from the notification that access is not permitted.
  • the method for transmitting the access request to the proxy requesting device 30 is not limited. It is possible to select a method of broadcasting within a wireless coverage area or a wired subnet, or a direct communication method using infrared rays.
  • FIG. 15 is a diagram for explaining the sequence of the access control process.
  • the numbers in parentheses correspond to the following explanations.
  • the access requesting device 40 transmits an access request including device identification data that identifies the device to the proxy requesting device 30.
  • When the proxy requesting device 30 receives the access request, it generates a proxy access request including the device identification data from the access request and the authentication data stored in the device, and transmits it to the access control device 20.
  • When the access control device 20 receives the proxy access request, it generates a permission authentication request including the authentication data from the proxy access request and transmits it to the authentication processing device 10.
  • Upon receiving the permission authentication request, the authentication processing device 10 performs the authentication process based on the authentication data included in the permission authentication request, generates a permission authentication response according to the authentication result, and transmits it to the access control device 20. If the authentication result is normal, the access control data is included in the permission authentication response.
  • Upon receiving the permission authentication response, the access control device 20 extracts the access control data included in it, generates access control processing data based on the device identification data acquired in (2) and the access authorization data included in the access control data, and sets this in the access management data 23. Further, a proxy access response including the access control data is generated and transmitted to the proxy requesting device 30.
  • When the proxy requesting device 30 receives the proxy access response, it transmits an access response including the access control data to the access requesting device 40; the access requesting device 40 sets this data and executes communication processing based on it.
  • the access control device 20 executes access control based on the access management data 23, and discards the received data or transfers it toward the appropriate destination.
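The sequence above, as an added example that is not code from the patent: four classes stand in for devices 10, 20, 30 and 40 and exchange the messages the text names (access request, proxy access request, permission authentication request and response, proxy access response, access response). The message fields, the ID/password pair and the MAC-style device identifier are constructed for the example; a terminal with no access management entry is handled by the default setting of step S213, here discard.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AccessControlData:
    permitted: bool  # access authorization data: True = network access permitted


@dataclass
class AuthenticationProcessingDevice:
    """Device 10: holds the authentication management data 13 (steps S106-S109)."""
    # constructed format: ID -> (password, permitted access authorization data)
    management_data: Dict[str, Tuple[str, bool]] = field(default_factory=dict)

    def permission_authentication(self, user_id: str, password: str):
        """Handles a permission authentication request; returns (result, access control data)."""
        entry = self.management_data.get(user_id)      # S107: extract authentication processing data
        if entry is None or entry[0] != password:      # S108: compare ID and password
            return False, None
        return True, AccessControlData(permitted=entry[1])  # S109: response carries access control data


@dataclass
class AccessControlDevice:
    """Device 20: holds the access management data 23 keyed by device identifier."""
    auth_device: AuthenticationProcessingDevice
    management_data: Dict[str, AccessControlData] = field(default_factory=dict)

    def on_proxy_access_request(self, device_id: str, user_id: str, password: str):
        """Steps S205, S210, S211: authenticate the proxy, record the result, answer."""
        ok, acd = self.auth_device.permission_authentication(user_id, password)
        if ok:
            self.management_data[device_id] = acd      # access control processing data
        return ok, acd                                 # proxy access response

    def forward(self, src_device_id: str, payload: bytes) -> Optional[bytes]:
        """Steps S212/S213: pass or discard data by its transmission source.
        A terminal with no entry falls under the default setting, here discard."""
        acd = self.management_data.get(src_device_id)
        if acd is None or not acd.permitted:
            return None
        return payload


@dataclass
class ProxyRequestingDevice:
    """Device 30: the employee's terminal, holding authentication data 33."""
    access_control: AccessControlDevice
    user_id: str
    password: str

    def on_access_request(self, device_id: str, user_confirms: bool):
        """Steps S303-S305 and S307: ask the user, then relay as a proxy access request."""
        if not user_confirms:                          # user pressed "Cancel"
            return None
        return self.access_control.on_proxy_access_request(device_id, self.user_id, self.password)


@dataclass
class AccessRequestingDevice:
    """Device 40: the visitor's terminal, identified by device identification data 43."""
    device_id: str
    access_control_data: Optional[AccessControlData] = None

    def request_access(self, proxy: ProxyRequestingDevice, user_confirms: bool = True) -> bool:
        """Step S405 onward: send the access request; on success set the access control data (S403)."""
        response = proxy.on_access_request(self.device_id, user_confirms)
        if response is None or not response[0]:
            return False
        self.access_control_data = response[1]
        return True


def run_sequence(user_confirms: bool = True, password: str = "employee-pw"):
    """Runs the whole exchange; returns (access granted, what the access control device forwards)."""
    auth = AuthenticationProcessingDevice({"employee": ("employee-pw", True)})
    control = AccessControlDevice(auth)
    proxy = ProxyRequestingDevice(control, "employee", password)
    visitor = AccessRequestingDevice("00:11:22:33:44:55")   # constructed MAC address
    granted = visitor.request_access(proxy, user_confirms)
    return granted, control.forward(visitor.device_id, b"GET /conference HTTP/1.1")


if __name__ == "__main__":
    print(run_sequence())                     # (True, b'GET /conference HTTP/1.1')
    print(run_sequence(user_confirms=False))  # (False, None)
    print(run_sequence(password="wrong"))     # (False, None)
```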
  • An access request is made from the access requesting device 40 to the proxy requesting device 30 in, for example, a wireless LAN ad hoc mode, and the proxy requesting device 30 receives the access request.
  • a GUI (Graphical User Interface) window such as that of FIG. 16 (a) is displayed. If the user of the proxy requesting device 30 presses the “OK” button, a proxy access request is made to the access control device 20; if the “Cancel” button is pressed, either nothing is done or the access requesting device 40 is notified that the proxy access request has been denied. Note that the user name or host name of the access requesting device 40 is displayed in the “XXX” portion of the window of FIG. 16 (a).
  • This user name or host name is the one sent from the access requesting device 40 to the proxy requesting device 30 at the time of the access request.
  • In addition, the company name, affiliation, and telephone number may be used.
  • Since the user of the proxy requesting device 30 can identify the access requesting device 40 or its user, more secure network access control can be realized.
  • When the user of the proxy requesting device 30 cannot identify the access requesting device 40 or its user, a configuration is also possible in which the proxy requesting device 30 does not respond to the access requesting device 40 but requests further information, and the access requesting device 40 transmits the requested information to the proxy requesting device 30 in response.
  • the request for information from the proxy requesting device 30 may be a general statement such as “Please provide other information”, or specific questions such as “Apparel?”, “Machine color?”, “Machine type?” or “Machine model number?”.
  • the text may be selected by the user of the proxy requesting device 30 from words prepared in advance, or may be words created by the user of the proxy requesting device 30.
  • Although only one access control device 20 is shown in FIG. 1, a plurality may be arranged. Near the location where each access control device 20 is placed, visitors from outside the company can obtain permission to access the network via the proxy requesting device 30 using the access requesting device 40, so that appropriate network access becomes possible at multiple locations.
  • Likewise, although only one authentication processing device 10 is shown in FIG. 1, a plurality may be arranged.
  • The authentication processing device 10 and the access control device 20 need to communicate with each other, and depending on the network configuration a single authentication processing device 10 may be unable to communicate with some access control device 20. In this case the network configuration or network settings may of course be changed, but it is also possible to place an authentication processing device 10 in a network within communicable range, with the result that a plurality of authentication processing devices 10 are arranged in the intranet. Of course, a plurality of authentication processing devices 10 may also be arranged for load distribution.
  • the networks controlled by one access control device 20 and by another access control device 20 may differ. This does not mean only that the physical networks to which the two access control devices 20 are connected are different; it also means that, when a network is divided into a plurality of logical networks and operated, one access control device 20 controls one logical network and the other access control device 20 controls another, even though they are connected to the same physical network.
  • a logical network is formed both when a network is divided, operated and managed using subnet masks, and when it is divided, operated and managed using a VLAN (Virtual LAN).
  • In this case the logical networks for which a proxy access request can be made are displayed, the specification of the user of the proxy requesting device 30 is received, and the proxy access request is made for the logical network whose check box has been checked.
  • the permitted access authorization data in the authentication management data used by the authentication processing device 10, which receives the permission authentication request via the access control device 20, can also be set so as to indicate for which logical networks the proxy requesting device 30 may grant authorization.
  • Access from the access requesting device 40 to networks other than the specified logical network is then not permitted. That is, the access permission data of the access management data 23 of the access control device 20 is set for each logical network, and the access control device 20 controls access to information from the access requesting device 40 according to that setting.
  • Only the networks that can be specified are displayed in the sub-window.
  • the display in this sub-window can also be configured to show only the logical networks set in the permitted access permission data associated with the authentication data of the current proxy requesting device 30. By doing so, the situation in which the user of the access requesting device 40 cannot use the logical network designated by the user of the proxy requesting device 30 is avoided.
  • When the “Detail” button at the bottom of the sub-window is pressed, a network configuration diagram is displayed, like those of network management systems implemented in accordance with SNMP (Simple Network Management Protocol), showing the logical networks in more detail than the sub-window does. The network configuration shown in this diagram can also be limited to the logical networks set in the permitted access permission data associated with the authentication data of the current proxy requesting device 30.
  • The specification of a logical network has been described, but instead of a logical network, individual computers connected to the network controlled by the access control device 20 may be specified. In other words, the user of the proxy requesting device 30 is shown the computers rather than the networks of FIG. 16, designates the computers to which the access requesting device 40 is to connect, and the access control device 20 controls the information from the access requesting device 40 so that only the designated computers are reachable. Where the access permission data of the access management data 23 can be set per computer, the computers may be specified by the user of the proxy requesting device 30 or set in the permitted access permission data of the authentication management data of the authentication processing device 10, and the access control device 20 then controls the information from the access requesting device 40 based on the access permission data associated with the corresponding authentication data.
  • Such per-computer handling of information in the access control device 20 is similar to the known technique of packet filtering at the IP layer. That is, not all information from a given access requesting device 40 is passed: the access control device 20 analyzes the header of the information from the access requesting device 40, extracts the source IP address, destination IP address and port number, and passes, or refuses to pass, only the information from the access requesting device 40 whose header information has the specified combination.
  • It is desirable that the computers the access requesting device 40 needs to reach be specified by the proxy requesting device 30, so that access control permits only the computers that need to be accessed. For example, a computer group may be set in advance so that specifying an electronic conference service automatically specifies the computers related to the electronic conference. Of course, the port number may also be specified together with the computer.
  • the proxy requesting device 30 receives a proxy access response from the access control device 20. By recording the access control data at that time and issuing a proxy access request again at a timing specified by the user of the proxy requesting device 30, network access from the access requesting device 40 can be prohibited, restricted or expanded, so that network access can be controlled more appropriately.
  • Prohibition of network access from the access requesting device 40 prohibits, in the access control device 20, the passage of information that was permitted until then. For example, when an outside person no longer needs network access because an electronic conference or the like has finished, a proxy access request is executed again for the access request previously received from the access requesting device 40 used by that person.
  • This prohibition may also be temporary and later lifted; for example, it can be used when the visitor leaves the room for a short break.
  • Restriction of network access narrows the range permitted until then; the user of the proxy requesting device 30 notifies the access control device 20 of the restriction, and it is realized by changing the corresponding access permission data of the access control device 20. Expansion of network access widens the range permitted until then and is realized by changing the corresponding access permission data of the access control device 20 in the same way.
  • For example, the user of the proxy requesting device 30 may restrict network access after being informed by network management that packets have arrived at a computer that does not need to be accessed, while still wanting the visitor to receive services such as electronic conferencing.
  • the user of the proxy requesting device 30 can expand network access when the access requesting device 40 cannot receive the service with only the designated network or computer.
  • the user of the access requesting device 40 may verbally inform the user of the proxy requesting device 30 that the service cannot be received, or the notification may be sent from the access requesting device 40 to the proxy requesting device 30 by the information device itself.
  • the proxy requesting device 30 may send the instruction information for prohibiting, restricting or expanding network access directly to the access control device 20. However, as shown in FIG. 17, which illustrates the prohibition, the configuration may also be such that authentication is performed through the authentication processing device 10 and the updated access control data is distributed from the authentication processing device 10. By doing so, the access control device 20 can prohibit, restrict or expand the network access from the access requesting device 40 based on the updated access control data. In the case of prohibition, the instruction information may be used to delete the already distributed access control data.
  • the access control data distributed from the authentication processing device 10 of the first embodiment to the access control device 20 may include an effective time. The access control device 20 controls the network access of the access requesting device 40 based on the access control data as in the first embodiment, deletes the access control data when the effective time has elapsed since the first network access of the access requesting device 40, and thereafter does not accept network access from the access requesting device 40.
  • This prevents permanent network access by the access requesting device 40.
  • the effective times can all be set to the same value, or can be specified by the user of the proxy requesting device 30 when the proxy requesting device 30 receives the access request.
  • the counting of the effective time may also start at a time other than the first network access of the access requesting device 40.
  • When the concept of effective time is adopted, if the effective time expires while services such as electronic conferencing are still in use, network access from the access requesting device 40 is no longer accepted and the user of the access requesting device 40 suddenly finds such services unavailable. To avoid this, the access requesting device 40 may also count the effective time, as the access control device 20 does, notify its user on the display before the effective time expires, and re-acquire the access control data by requesting access to the proxy requesting device 30 again in order to extend the effective time. By doing so, the access control data is re-acquired before the effective time expires, and the effective time is extended.
  • This re-acquisition of access control data may be performed any number of times or may be limited.
  • For the notification, a window with text such as “Network access is about to expire. An extension is necessary to continue receiving the teleconference service. Do you want to extend?” may be displayed.
  • the command buttons “extend” and “not extend” are arranged on the window, and the intention of the user of the access requesting device 40 is confirmed according to the pressed state of the button.
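Enforcement on the access control device 20, combining the per-computer filtering described earlier with the effective time of the access control data and its re-acquisition, as an added example rather than the patent's own code. The rule format (device identifier, permitted destination IP/port pairs, effective time in seconds), the packet fields and the sample packets are constructed for the example; the default setting for a terminal with no entry is discard.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessControlProcessingData:
    """One entry of the access management data 23 (constructed format)."""
    device_id: str                          # device identification data, a MAC address here
    allowed: List[Tuple[str, int]]          # designated computers as (destination IP, port) pairs
    effective_time: float                   # seconds the access control data remains valid
    first_access: Optional[float] = None    # counting starts at the first network access


@dataclass
class Packet:
    """Header fields the access control device examines (constructed)."""
    src_device_id: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class AccessManagementData:
    entries: Dict[str, AccessControlProcessingData] = field(default_factory=dict)

    def set(self, data: AccessControlProcessingData) -> None:
        """Step S210: set (or re-acquire) the access control processing data."""
        self.entries[data.device_id] = data

    def decide(self, pkt: Packet, now: float) -> str:
        """Steps S212/S213 with effective time: returns 'forward' or 'discard'."""
        entry = self.entries.get(pkt.src_device_id)
        if entry is None:
            return "discard"                  # default setting for an unauthenticated terminal
        if entry.first_access is None:
            entry.first_access = now          # first network access starts the count
        if now - entry.first_access >= entry.effective_time:
            del self.entries[pkt.src_device_id]   # expired: delete the access control data
            return "discard"
        if (pkt.dst_ip, pkt.dst_port) in entry.allowed:
            return "forward"                  # header combination matches a designated computer
        return "discard"                      # any other destination is filtered out

    def remaining(self, device_id: str, now: float) -> Optional[float]:
        """Seconds left before expiry, the value a requester-side warning would use."""
        entry = self.entries.get(device_id)
        if entry is None:
            return None
        start = now if entry.first_access is None else entry.first_access
        return max(0.0, entry.effective_time - (now - start))


VISITOR = "00:11:22:33:44:55"   # constructed device identifier of the access requesting device 40


def demo_filtering() -> List[str]:
    """Per-computer filtering and expiry: only the conference server is designated."""
    amd = AccessManagementData()
    amd.set(AccessControlProcessingData(VISITOR, [("10.0.5.20", 443)], effective_time=3600))
    conference = Packet(VISITOR, "10.0.9.7", "10.0.5.20", 443)
    fileserver = Packet(VISITOR, "10.0.9.7", "10.0.5.30", 445)
    stranger = Packet("aa:bb:cc:dd:ee:ff", "10.0.9.8", "10.0.5.20", 443)
    return [
        amd.decide(conference, now=0.0),      # forward: designated computer, count starts
        amd.decide(fileserver, now=1.0),      # discard: not a designated computer
        amd.decide(stranger, now=2.0),        # discard: no access control processing data
        amd.decide(conference, now=3599.0),   # forward: still within the effective time
        amd.decide(conference, now=3600.0),   # discard: effective time elapsed, entry deleted
        amd.decide(conference, now=3601.0),   # discard: stays blocked until re-acquired
    ]


def demo_reacquire() -> Tuple[Optional[float], str]:
    """Re-acquisition before expiry: a fresh entry restarts the effective time."""
    amd = AccessManagementData()
    amd.set(AccessControlProcessingData(VISITOR, [("10.0.5.20", 443)], effective_time=3600))
    conference = Packet(VISITOR, "10.0.9.7", "10.0.5.20", 443)
    amd.decide(conference, now=0.0)
    left = amd.remaining(VISITOR, now=3000.0)              # 600 s left: time to warn the user
    amd.set(AccessControlProcessingData(VISITOR, [("10.0.5.20", 443)], effective_time=3600))
    return left, amd.decide(conference, now=3700.0)        # forward: new count began at 3700
```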
  • In the first embodiment, it has been assumed that the access requesting device 40, which is outside the management jurisdiction, is already built on the information terminal brought in by an employee visiting from another company. If the access requesting device 40 is not yet built, employees of the company may hand a storage medium such as a USB flash memory, CD-ROM or DVD-ROM to the visiting employee, who installs the program automatically or manually and activates it automatically or manually.
  • the access requesting device 40 may also be constructed temporarily by reading the program from the storage medium into main memory and executing it without installation.
  • the proxy requesting device 30 and the access requesting device 40 have been described as communicating in wireless LAN ad hoc mode or by infrared communication, but they can also communicate by wire.
  • the proxy requesting device 30 and the access requesting device 40 can be configured to communicate peer-to-peer by connecting them with various communication cables.
  • the proxy requesting device 30 and the access requesting device 40 may also be connected by wire to a hub or the like corresponding to the access control device 20, and the access control device 20 may be configured to transmit only the access request, out of the information from the access requesting device 40, to the information terminals connected to the access control device 20. Among the information terminals that receive it, only the proxy requesting device 30 starts processing.
  • Similarly, by configuring the access control device 20 to transmit only the access request, out of the information from the access requesting device 40, to the information terminals whose radio waves reach the access control device 20 directly, the configuration is not limited to the wireless LAN ad hoc mode but can also be realized in the infrastructure mode.
  • the access control device 20 may also be configured to pass only the access request, out of the information from the access requesting device 40, to a backbone port such as that of a hub corresponding to the access control device 20. Even in such a configuration, the access requesting device 40 is allowed only limited network access, and there is almost no security problem.
  • FIG. 18 shows a system configuration of Embodiment 1 of the network access control system of the present invention.
  • The information terminals A and B correspond to the proxy requesting device 30 and the access requesting device 40,
  • the wireless access point (also called the base unit of a wireless LAN system) corresponds to the access control device 20,
  • and the authentication server corresponds to the authentication processing device 10.
  • The authentication server may be a general RADIUS server to which the function of the present invention is added, but is not limited to this.
  • It may be an authentication server that operates on PPP (Point-to-Point Protocol), PPTP (Point-to-Point Tunneling Protocol), Kerberos, or a vendor-specific protocol.
  • The following is an example of application in a network designed to exclude intranet access by information terminals that are not under the organization's management.
  • FIG. 19 shows a configuration example of authentication management data in the authentication server.
  • A configuration example is described in which an ID and password are used as the authentication data, and whether or not connection to the intranet is permitted is used as the access authorization data and the permitted access authorization data.
  • FIG. 20 shows a configuration example of access control data in the access control apparatus.
  • A configuration example in which a MAC address is used as the device identification data is described.
  • FIG. 21 shows a configuration example of access control data.
  • A configuration example in which an IP address and subnet mask are used as the access execution data is described.
  • FIG. 22 shows an access control processing sequence according to the first embodiment.
  • the numbers in parentheses correspond to the following explanations.
  • (1) The access request device 40 transmits an access request including its own MAC address to the proxy request device 30.
  • (2) When the proxy request device 30 receives the access request, it generates a proxy access request including the MAC address from the access request and the ID and password stored in the device 30, and transmits it to the access control device 20.
  • (3) When the access control device 20 receives the proxy access request, it generates a permission authentication request including the ID and password from the proxy access request and transmits it to the authentication processing device 10.
  • (4) When the authentication processing device 10 receives the permission authentication request, it performs authentication based on the ID and password in the request, generates a permission authentication response according to the result, and transmits it to the access control device 20. If authentication succeeds, the access control data is included in the permission authentication response.
  • (5) When the access control device 20 receives the permission authentication response, it extracts the access control data. If the connection is permitted, the MAC address obtained in (2) and the connection permission data are set in the access management data 23, a proxy access response including the access control data is generated, and it is transmitted to the proxy requesting device 30.
  • (6) When the proxy request device 30 receives the proxy access response, it generates an access response based on it and transmits it to the access request device 40.
  • (7) The access requesting device 40 sets the IP address and subnet mask from the access control data obtained through the access response in its access execution data, and performs communication based on that information.
  • (8) When communication data arrives, the access control device 20 searches the access control processing data set in the access management data 23 by the source MAC address of the communication data and extracts the entry whose MAC address matches. If the access authorization data of that entry is connection permission, the received data is forwarded to the appropriate destination.
  • (Embodiment 2)
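The sequence (1) to (8) of Embodiment 1, together with the valid-time extension described in the variant notes above, as an added Python example that is not part of the patent or of any Fujitsu implementation. Device numbering follows the patent; the authentication management table, the MAC address, the issued IP address and subnet mask, the 1800-second valid time and the 300-second warning lead time are assumed values, and messages are passed as Python dicts instead of over a wireless link.

```python
"""Embodiment 1, steps (1) to (8), with the valid-time extension variant.
Device numbering follows the patent; all sample values are assumptions."""
import secrets

# Authentication management data in the FIG. 19 style (constructed sample):
# ID -> password and whether connection to the intranet is permitted.
AUTH_MANAGEMENT = {
    "employee01": {"password": "s3cret-pw", "intranet_permitted": True},
    "employee02": {"password": "other-pw", "intranet_permitted": False},
}
VALID_SECONDS = 1800        # assumed valid time issued with the access control data
WARN_BEFORE_SECONDS = 300   # assumed lead time for the "extend?" prompt on device 40


class AuthenticationProcessingDevice:
    """Device 10 (a RADIUS server with the added function): checks ID and
    password and returns access control data on success."""

    def permission_authentication(self, req):
        user = AUTH_MANAGEMENT.get(req["id"])
        if user is None or not secrets.compare_digest(user["password"], req["password"]):
            return {"result": "NG"}
        return {"result": "OK", "access_control": {
            "permitted": user["intranet_permitted"],
            "ip_address": "192.0.2.100", "subnet_mask": "255.255.255.0",  # assumed
            "valid_seconds": VALID_SECONDS}}


class AccessControlDevice:
    """Device 20 (wireless access point) holding access management data 23,
    keyed by MAC address as in FIG. 20."""

    def __init__(self, auth):
        self.auth = auth
        self.table = {}  # MAC address -> {"permitted": bool, "expires_at": float}

    def proxy_access(self, req, now):
        # (3) only the ID and password go on to the authentication server
        resp = self.auth.permission_authentication({"id": req["id"], "password": req["password"]})
        if resp["result"] != "OK":
            return {"result": "NG"}
        acd = resp["access_control"]
        # (5) on connection permission, bind the MAC address received in (2)
        if acd["permitted"]:
            self.table[req["mac"]] = {"permitted": True, "expires_at": now + acd["valid_seconds"]}
        return {"result": "OK", "access_control": acd}

    def forward(self, src_mac, now):
        """(8) forward a frame only if its source MAC has an unexpired entry
        with connection permission; an expired entry is dropped."""
        entry = self.table.get(src_mac)
        if entry is None:
            return False
        if now >= entry["expires_at"]:
            del self.table[src_mac]
            return False
        return entry["permitted"]


class ProxyRequestDevice:
    """Device 30 (terminal under management) holding the employee's credentials."""

    def __init__(self, access_control_device, user_id, password):
        self.acd = access_control_device
        self.user_id, self.password = user_id, password

    def access(self, req, now):
        # (2) proxy access request: the requester's MAC plus this device's credentials
        resp = self.acd.proxy_access({"mac": req["mac"], "id": self.user_id,
                                      "password": self.password}, now)
        # (6) the access response carries only the result and the access control data
        return {"result": resp["result"], "access_control": resp.get("access_control")}


class AccessRequestDevice:
    """Device 40 (visitor's terminal): knows only its own MAC address."""

    def __init__(self, mac):
        self.mac = mac
        self.execution_data = None   # (IP address, subnet mask) once granted
        self.expires_at = None       # device 40 counts the valid time as well

    def request(self, proxy, now):
        # (1) the access request carries the MAC address only
        resp = proxy.access({"mac": self.mac}, now)
        if resp["result"] != "OK" or not resp["access_control"]["permitted"]:
            return False
        acd = resp["access_control"]
        # (7) access execution data: IP address and subnet mask
        self.execution_data = (acd["ip_address"], acd["subnet_mask"])
        self.expires_at = now + acd["valid_seconds"]
        return True

    def extension_due(self, now):
        """True when the locally counted valid time is about to run out, i.e.
        when the "extend?" window should be shown and request() repeated."""
        return self.expires_at is not None and now >= self.expires_at - WARN_BEFORE_SECONDS


def run_embodiment1(user_id="employee01", password="s3cret-pw",
                    mac="02:00:00:00:00:01", now=0.0):
    """Runs (1) to (7) once and returns (granted, device 20, device 30, device 40)."""
    acd = AccessControlDevice(AuthenticationProcessingDevice())
    proxy = ProxyRequestDevice(acd, user_id, password)
    visitor = AccessRequestDevice(mac)
    return visitor.request(proxy, now), acd, proxy, visitor


if __name__ == "__main__":
    granted, acd, proxy, visitor = run_embodiment1(now=0.0)
    print("granted:", granted, "execution data:", visitor.execution_data)
    print("frame at t=1000 forwarded:", acd.forward(visitor.mac, 1000.0))
    print("extension due at t=1500:", visitor.extension_due(1500.0))
```

Two properties of the scheme show up directly in the code: the visitor's terminal (device 40) never holds the ID and password, which stay on device 30, and device 20 enforces the permission purely on the MAC address bound in step (5). The second point is also the practical limit of the wireless-access-point form: the binding is only as strong as the link layer's ability to stop another station from using that MAC address, so the valid time and the limited network access granted matter for containment.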
  • FIG. 23 shows a system configuration of Embodiment 2 of the network access control system of the present invention.
  • The information terminals A and B correspond to the proxy request device 30 and the access request device 40,
  • the proxy server corresponds to the access control device 20,
  • and the authentication server corresponds to the authentication processing device 10.
  • The authentication server may be a general RADIUS server to which the function of the present invention is added, but is not limited to this.
  • The proxy server may be a general Web proxy, firewall or gateway to which the function of the present invention is added, but is not limited to this.
  • FIG. 24 shows a configuration example of authentication management data in the authentication server.
  • A configuration example is described in which an ID and password are used as the authentication data, and whether or not access to the Internet is permitted is used as the access authorization data and the permitted access authorization data.
  • FIG. 25 shows a configuration example of access management data in the access control apparatus.
  • FIG. 26 shows a configuration example of access control data.
  • A configuration example in which a proxy address and port number are used as the access execution data is described.
  • FIG. 27 shows an access control processing sequence according to the second embodiment.
  • the numbers in parentheses correspond to the following explanations.
  • (1) The access request device 40 transmits an access request including its own IP address to the proxy request device 30.
  • (2) When the proxy request device 30 receives the access request, it generates a proxy access request including the IP address from the access request and the ID and password stored in the device 30, and transmits it to the access control device 20.
  • (3) When the access control device 20 receives the proxy access request, it generates a permission authentication request including the ID and password from the proxy access request and transmits it to the authentication processing device 10.
  • (4) When the authentication processing device 10 receives the permission authentication request, it performs authentication based on the ID and password in the request, generates a permission authentication response according to the result, and transmits it to the access control device 20. If authentication succeeds, the access control data is included in the permission authentication response.
  • (5) When the access control device 20 receives the permission authentication response, it extracts the access control data. If access is permitted, the IP address obtained in (2) and the access permission data are set in the access management data 23, a proxy access response including the access control data is generated, and it is transmitted to the proxy requesting device 30.
  • (6) When the proxy request device 30 receives the proxy access response, it generates an access response based on it and transmits it to the access request device 40.
  • (7) The access requesting device 40 sets the proxy address and port number from the access control data obtained through the access response in its access execution data, and performs communication based on that information.
  • (8) When communication data arrives, the access control device 20 searches the access control processing data set in the access management data 23 by the source IP address of the communication data and extracts the entry whose IP address matches. If the access authorization data of that entry is access permission, the received data is forwarded to the appropriate destination.
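The enforcement step (8) of Embodiment 2 on the proxy server, as an added Python example that is not part of the patent or of any Fujitsu implementation. The access management data, source addresses, intranet ranges, proxy address and port, and request lines are constructed; the rule that Internet permission does not extend to literal intranet destinations is an added hardening assumption, not something the patent states.

```python
"""Embodiment 2, step (8): the proxy server (device 20) decides per HTTP
request, from access management data keyed by source IP address (FIG. 25),
whether to forward it. Table, addresses and requests are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Access execution data handed to device 40 in (7): proxy address and port (assumed).
PROXY_ADDRESS, PROXY_PORT = "192.0.2.1", 8080

# Address ranges treated as the intranet in this example (assumption).
INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Access management data 23 after the exchange in (1) to (6) (constructed):
# source IP address -> access authorization data (Internet permitted or not).
ACCESS_MANAGEMENT = {
    "10.0.5.7": {"internet_permitted": True},
    "10.0.5.8": {"internet_permitted": False},
}


def parse_request_line(line):
    """Return (method, host) for a proxy-style HTTP request line, or None if it
    is malformed. Accepts absolute-URI requests (GET http://host/path HTTP/1.1)
    and CONNECT host:port HTTP/1.1; origin-form requests (GET /path) are rejected
    because a forward proxy cannot tell where they should go."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            return None
        return method, host.strip("[]")
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        return None
    return method, url.hostname


def is_intranet_destination(host):
    """True when the destination is a literal IP inside an intranet range.
    Hostnames are not resolved here (the example runs offline)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTRANET)


def decide(src_ip, request_line, table=ACCESS_MANAGEMENT):
    """Search the table by the source IP address of the received data and
    forward only if the matching entry grants Internet access."""
    parsed = parse_request_line(request_line)
    if parsed is None:
        return "400 Bad Request"
    entry = table.get(src_ip)
    if entry is None or not entry["internet_permitted"]:
        return "403 Forbidden"
    method, host = parsed
    if is_intranet_destination(host):
        # Internet permission is not intranet permission (added hardening check).
        return "403 Forbidden"
    return f"forward {method} to {host}"


if __name__ == "__main__":
    for src, line in [("10.0.5.7", "GET http://example.com/ HTTP/1.1"),
                      ("10.0.5.8", "GET http://example.com/ HTTP/1.1"),
                      ("10.0.5.7", "CONNECT 192.168.1.20:443 HTTP/1.1")]:
        print(src, "->", decide(src, line))
```

The lookup is deliberately by source IP only, mirroring the table in FIG. 25: the proxy does not re-ask for the ID and password on every request, because those were checked once in steps (3) and (4) and the result was bound to the address. A request from an address with no entry, or with an entry that denies Internet access, is refused before any parsing of the destination matters.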

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention proposes an access request device (40) that does not make a request directly to an authentication device (10) but asks a proxy request device (30) to request authentication from the authentication device (10) using the proxy request device's own authentication data. In response, the authentication device (10) distributes access control data, according to the authentication result, to an access control device (20). After the access request device (40), as an information terminal outside the jurisdiction, has made an access request to the proxy request device (30), an information terminal under the jurisdiction, and the processing of the proxy request device (30), the access control device (20) and the authentication device (10) has been executed, the control exercised by the access control device (20) over network access from the access request device (40) is changed, and the access request device (40) can access the network.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2006/310585 WO2007138663A1 (fr) 2006-05-26 2006-05-26 Network access control method, network access control system, authentication device, access control device, proxy request device, and access request device
JP2008517726A JP4832516B2 (ja) 2006-05-26 2006-05-26 Network access control method, network access control system, authentication processing device, access control device, proxy request device, and access request device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2006/310585 WO2007138663A1 (fr) 2006-05-26 2006-05-26 Network access control method, network access control system, authentication device, access control device, proxy request device, and access request device

Publications (1)

Publication Number Publication Date
WO2007138663A1 true WO2007138663A1 (fr) 2007-12-06

Family

ID=38778192

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2006/310585 WO2007138663A1 (fr) 2006-05-26 2006-05-26 Network access control method, network access control system, authentication device, access control device, proxy request device, and access request device

Country Status (2)

Country Link
JP (1) JP4832516B2 (fr)
WO (1) WO2007138663A1 (fr)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009211566A (ja) * 2008-03-05 2009-09-17 Ntt Communications Kk Authentication system, information device, authentication method, and program
JP2010097510A (ja) * 2008-10-17 2010-04-30 Dainippon Printing Co Ltd Remote access management system and method
JP2014110462A (ja) * 2012-11-30 2014-06-12 Toshiba Corp Authentication device and method, and computer program
JP2015176506A (ja) * 2014-03-17 2015-10-05 Ricoh Co Ltd Authority delegation system, authority delegation method, and authority delegation program
JP2016045794A (ja) * 2014-08-25 2016-04-04 Nippon Telegraph And Telephone Corp Network system and terminal registration method therefor
US9832119B2 (en) 2012-08-21 2017-11-28 Pfu Limited Communication block apparatus and communication block method
JP2020123772A (ja) * 2019-01-29 2020-08-13 Nec Platforms Ltd Router, router control method, and router control program

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101869347B1 (ko) * 2016-01-26 2018-06-21 Korea Basic Science Institute Network access control system and control method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004007589A (ja) * 2002-04-16 2004-01-08 Xerox Corp Secure ad hoc access to documents and services
JP2004086510A (ja) * 2002-08-27 2004-03-18 Wao Corporation Content service provision system, content service server, and member client
JP2004287784A (ja) * 2003-03-20 2004-10-14 Fuji Xerox Co Ltd Access control device and method
JP2005050185A (ja) * 2003-07-30 2005-02-24 Sony Corp Information processing system, information processing device and method, recording medium, and program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006005879A (ja) * 2004-06-21 2006-01-05 Trend Micro Inc Communication device, wireless network, program, and recording medium

Also Published As

Publication number Publication date
JP4832516B2 (ja) 2011-12-07
JPWO2007138663A1 (ja) 2009-10-01

Similar Documents

Publication Publication Date Title
JP7035163B2 (ja) Network security management method and apparatus
JP5813790B2 (ja) Method and system for providing distributed wireless network services
JP4754964B2 (ja) Wireless network control device and wireless network control system
US8041815B2 (en) Systems and methods for managing network connectivity for mobile users
US7257636B2 (en) Inter-working method of wireless internet networks (gateways)
JP4832516B2 (ja) Network access control method, network access control system, authentication processing device, access control device, proxy request device, and access request device
KR101971167B1 (ko) Reducing core network traffic caused by migrant users
US20060173844A1 (en) Automatic configuration of client terminal in public hot spot
JP2008500607A (ja) Method for grouping devices and realizing conversation between grouped devices
CN110140380A (zh) Open access point for emergency calls
JP3987539B2 (ja) Session information management method and session information management device
WO2005088909A1 (fr) Access control system, access control device used therefor, and resource providing device
CA2647684A1 (fr) Secure guest access to a wireless network
JP2009512368A (ja) Communication system and communication method
CN113411286B (zh) Access processing method and apparatus based on 5G technology, electronic device, and storage medium
KR20030053280A (ko) Network access and service registration method for public wireless LAN service
US20090271852A1 (en) System and Method for Distributing Enduring Credentials in an Untrusted Network Environment
JP2005167580A (ja) Access control method and device in a wireless LAN system
JP3668648B2 (ja) Session information management method and session information management device
JP2003318939A (ja) Communication system and control method therefor
JP5423320B2 (ja) Wireless communication system and method
JP3953963B2 (ja) Packet communication device with authentication function, network authentication access control server, and distributed authentication access control system
KR100590698B1 (ko) Authentication method, system and server for preventing multiple logins using the same ID
JP4878043B2 (ja) Access control system, connection control device, and connection control method
KR101049635B1 (ko) Method for providing roaming service between public wireless LAN and enterprise wireless LAN

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 06746914; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 2008517726; Country of ref document: JP)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 06746914; Country of ref document: EP; Kind code of ref document: A1)