JP2006041961A - Communication system, authentication device, base station device, terminal unit, and access controlling method used for them - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication system capable of performing not only uniform access control to all users who perform data communication via a base station, but also different access control for each user. <P>SOLUTION: A radio base station 1 performs connection negotiation according to connection negotiation requests from radio terminal units 2-1, 2-2, completes the connection negotiation, and then starts authentication for network connection to the radio terminal units 2-1, 2-2. The radio base station 1 limits access for each of the radio terminal units 2-1, 2-2 following a result authenticated by an authentication device 3 for the network connection. Information on the access limitation is received by the radio base station 1 together with an authentication success request from the authentication device 3, and data communication is controlled from the radio terminal units 2-1, 2-2 authenticated based on a value received by the radio base station 1. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a communication system, an authentication device, a base station device, a terminal device, a gateway device, an access control method used therefor, and a program therefor, and more particularly to security in a wireless LAN (Local Area Network).

  In recent years, vulnerability of wireless LAN security has been pointed out. In other words, there is a possibility that data encrypted by a WEP (Wired Equivalent Privacy) key used in the wireless LAN may be analyzed, and at the same time, all data communication via the wireless LAN is performed by analyzing the WEP key. It has been pointed out that there is a risk of being analyzed.

  In order to eliminate these dangers as much as possible, user authentication is required for data communication via a wireless base station called IEEE (Institut of Electric and Electronic Engineers) 802.1X authentication (for example, non-patent literature). 1), and a method in which an encryption key for data encryption in a wireless LAN is dynamically generated and periodically changed is often used.

  In this IEEE 802.1X, in order to perform user authentication, it is possible to determine a user of a wireless terminal device to be connected in an authentication device or a wireless base station. Or, from the viewpoint of security, even when the user name is concealed, the authentication device can naturally determine the user, and the radio base station determines the domain name to which the user to be connected belongs. By including a value to be determined in the user ID (identification information), it is possible to determine the domain name. Since the domain name to which the user belongs is called a realm, it will be referred to as “remuru” hereinafter.

  In addition, with the rapid increase in the use of the Internet, the need for wireless Internet access is increasing, a low-power data communication system that does not require a radio station license, does not require wiring, and can be easily and inexpensively constructed a LAN. The use of wireless LAN systems that use the 2.4 GHz band and the like is in progress.

  On the other hand, as a method for restricting access to a device connected to a network, a management table having access permission information for each device is provided for each user in the network, and it is not desired to operate based on this access permission information. A method for restricting access to a device has been proposed (see, for example, Patent Document 1).

  As another method of restricting access, authentication information obtained by adding personal level authentication information to network level authentication information and personal level access control information are held in the network level authentication server, and the authentication result of the user terminal A method is proposed in which access control information is added to the gateway device and transferred to the gateway device, and the gateway device controls access to the information server from the user terminal based on the access control information (see, for example, Patent Document 2). .

JP 2001-251312 A JP 2003-087332 A “6. Principles of operation” (“Port-Based Network Access Control”, IEEE 802.1X, pp7-13, June 14, 2001)

  In the wireless LAN system using wireless as the conventional transmission medium described above, encryption using a WEP key is defined as a mechanism for encrypting a wireless section. Recently, wireless LAN security using a WEP key has been defined. Vulnerabilities are specified. As a method for solving this vulnerability, authentication for network connection, for example, a method that requires user authentication when a wireless terminal device performs data communication via a wireless base station (IEEE 802.1X authentication) is beginning to spread. .

  Further, in the conventional wireless LAN system, by using IEEE802.1X, the same encryption key used by all the wireless terminal devices connected to the wireless base station is used for each wireless terminal device and the wireless base station. A separate encryption key is automatically assigned every time you connect to. Therefore, in the conventional wireless LAN system, it is possible to improve security. In particular, it is considered that the use of IEEE 802.1X is an indispensable function for use of a wireless LAN system in a company.

  Furthermore, in a conventional wireless LAN system, whether or not a connection to a connected wireless terminal device can be made can be performed based on an IEEE 802.1X authentication result. However, in order to perform access restriction by filtering based on access right information depending on the content of data communication from the authenticated wireless terminal device via the wireless base station or the communication partner, a gateway device that plays a role of a firewall function is separately provided. It is necessary to install and set access right information individually. Similarly to this method, the technique of Patent Document 2 also requires the installation of a gateway device serving as a firewall function.

  Furthermore, in the conventional wireless LAN system, it is possible to restrict access in the gateway device using the IP address of the connection source wireless terminal device as a key. There is also the problem that an authentication mechanism must be required.

  There are various requests for access restrictions, such as when you cannot use the phone during classes or during lectures, or when you want to allow access to a specific user, but you do not want to access other users. It may be necessary in certain situations. This problem cannot be solved even by the technique disclosed in Patent Document 1.

  In a company, a large number of wireless base stations are installed in each base or each department, and services using a wireless LAN system such as a public wireless LAN spot connection service can be seen in many places. Yes. However, it is not easy to set access right information for each user or for each wireless terminal device in order to restrict access in a large number of places.

  The above authentication mechanism is a mechanism for restricting data communication when connecting from a wireless terminal device to a LAN line or a WAN (Wide Area Network) line via a wireless base station and a gateway device, and does not use a network connection. It is impossible to control the functions in the wireless terminal device at all.

  Therefore, the object of the present invention is to solve the above-mentioned problems and to perform not only uniform access control but also different access control for each user for all users performing data communication via a base station. A communication system, an authentication device, a base station device, a terminal device, a gateway device, an access control method used for them, and a program thereof.

  The communication system according to the present invention is a communication system that requires authentication by an authentication device when connecting to a network from a terminal device via a base station device, and in addition to the authentication success notification to the terminal device in cooperation with the authentication Means for notifying the base station apparatus of access control information for the terminal apparatus is provided in the authentication apparatus.

  An authentication apparatus according to the present invention is an authentication apparatus that performs authentication for a terminal apparatus when connecting to a network from a terminal apparatus via a base station apparatus, and the terminal together with a successful authentication notification for the terminal apparatus in cooperation with the authentication Means for notifying the base station apparatus of access control information for the apparatus.

  A base station apparatus according to the present invention is a base station apparatus that connects a terminal apparatus that requires authentication by an authentication apparatus when connected to a network to the network according to the authentication result, and authentication from the authentication apparatus Means for holding a filtering function of data passing / discarding for each terminal device based on access control information for the terminal device notified together with the success notification.

  A terminal device according to the present invention is a terminal device that requires authentication by an authentication device when connecting to a network via a base station device, and is based on access control information notified from the base station device. Means for holding the filtering function of the passing / discarding.

  The gateway device according to the present invention is a gateway device disposed between the base station device and the network in a communication system that requires authentication by an authentication device when connecting to a network from a terminal device via the base station device. And a means for holding a filtering function of data passing / discarding for each terminal device based on the access control information notified from the authentication device.

  The access control method according to the present invention is an access control method used in a communication system that requires authentication by an authentication device when connecting to a network from a terminal device via a base station device. And a process of notifying the base station device of access control information for the terminal device together with a successful authentication notification for the terminal device.

  An access control method program according to the present invention is an access control method program used in a communication system that requires authentication by an authentication device when connecting to a network from a terminal device via a base station device. The computer is caused to execute a process of notifying the base station device of access control information for the terminal device together with a successful authentication notification for the terminal device in cooperation with the authentication.

  That is, the communication system of the present invention requires user authentication when exchanging data via the base station when the access right is given according to the type of data exchanged via the base station connected to each user. In this situation, the user ID (identification information) is used to solve the problem by using, for example, a user ID of IEEE (Institute of Electrical and Electronic Engineers) 802.1X authentication.

  In the communication system of the present invention, the access right information corresponding to the user is extracted from the list of access right information corresponding to the user ID held in the authentication apparatus at the time of user authentication, and the access is notified together with the authentication success notification from the authentication apparatus to the base station. By notifying the right information to the base station, it becomes possible to restrict access in the base station.

  Alternatively, in the communication system of the present invention, it is possible to perform access restriction by acquiring access right information corresponding to a user whose base station has been successfully authenticated from a list of access right information corresponding to a user ID held in the base station. is there.

  The access restriction here is a function that, for example, inspects the header of a TCP / IP (Transmission Control Protocol / Internet Protocol) packet and allows only a packet that satisfies the condition to pass. Passing / discarding is performed based on information such as port number and packet type [TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol)], and other conditions such as packet transfer direction.

  Also, by giving access rights not only for each user ID but also for each realm (domain name to which the user belongs), creating a group, making it belong to a group for each realm, or making it belong to a group for each user It is possible to give access rights to each group.

  Furthermore, in the communication system according to the present invention, the terminal device notifies the terminal device of information on the access right set for each user in the authentication device or in the base station, thereby disabling the corresponding function in the terminal device. It is also possible.

  In the present invention, a radio base station that is connected to a LAN line or a WAN line and uses radio as a transmission medium, and a radio terminal apparatus that is connected to the LAN line or WAN line via a radio base station via a radio base station using radio And an authentication device that connects to a LAN line or a WAN line and processes an authentication request from a wireless terminal device via a wireless base station.

  In a wireless network system that requires user authentication or mutual authentication in order to connect through a wireless base station, the wireless terminal device communicates from the wireless terminal device through the wireless base station for each wireless terminal device authenticated by user authentication. By restricting data communication to the LAN line or WAN line to be performed in the wireless base station according to the data communication content, it is possible to restrict data communication via the wireless base station depending on the content using the user ID as a key. Become.

  Further, in the present invention, by notifying the wireless terminal device of access control information in the wireless base station, it becomes possible to limit the function along the access control information in the wireless terminal device.

  The present invention is configured not only to provide uniform access control to all users who perform data communication via a radio base station, but also to perform different access control for each user by adopting the configuration and operation described below. The effect that it can be obtained.

  Next, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration of a wireless communication system according to a first embodiment of the present invention. In FIG. 1, a radio communication system according to a first embodiment of the present invention includes a radio base station 1 connected to a LAN (Local Area Network) line or a WAN (Wide Area Network) line 100, and a radio base station 1. Wireless terminal apparatuses 2-1 and 2-2 connected to a network using wireless communication are arranged as transmission media, and a wireless network system configuration that provides various other data communications such as voice and moving images is adopted.

  That is, the wireless communication system according to the first embodiment of the present invention includes a wireless base station 1, wireless terminal devices 2-1 and 2-2, and an authentication device connected to the wireless base station 1 through a LAN line or a WAN line 100. 3, a user registration database device 4 connected to the radio base station 1 via a LAN line or WAN line 100, and a terminal device 5 connected to the LAN line or WAN line 100.

  The wireless base station 1 performs an operation of relaying data communication between the wireless terminal device 2-1 and the terminal device 5 and data communication between the wireless terminal device 2-2 and the terminal device 5.

  The wireless base station 1 performs a connection negotiation in response to a connection negotiation request from the wireless terminal devices 2-1 and 2-2, and is connected to the wireless terminal devices 2-1 and 2-2 after completing the connection negotiation. Start authenticating. The wireless base station 1 can perform access restriction for each of the wireless terminal devices 2-1 and 2-2 according to the authentication result for network connection.

  Information related to access restriction is received by the wireless base station 1 together with an authentication success request from the authentication device 3, and data communication from the wireless terminal devices 2-1 and 2-2 authenticated based on the values received by the wireless base station 1 Thereafter, access control of the wireless terminal devices 2-1 and 2-2 is performed.

  The wireless terminal devices 2-1 and 2-2 can communicate with the terminal device 5 connected to the LAN line or the WAN line 100 via the wireless base station 1 using the Internet protocol [IP]. However, the wireless terminal apparatuses 2-1 and 2-2 perform connection negotiation using the wireless base station 1 and the wireless physical layer before data communication is possible. After the connection negotiation is completed, IEEE (Institut of Electrical and Electronic) (Engineers) 802.1X (see Non-Patent Document 1 above) is required, and after user authentication is completed, it operates as one terminal of this network.

  At the time of IEEE802.1X authentication, a user ID and a password may be required, or a stored user certificate may be used. Which one is used depends on the authentication method selected at the time of authentication for network connection.

  When the wireless terminal devices 2-1 and 2-2 perform authentication for network connection after the connection negotiation with the wireless base station 1, the authentication device 3 replaces the wireless base station 1 with the wireless terminal devices 2-1 and 2-2. 2 authentication is performed. In response to a user authentication request from the wireless base station 1, the authentication device 3 uses the user information held by the user authentication of the wireless terminal devices 2-1 and 2-2, or the user registration database device 4 It communicates and communicates the user authentication result to the radio base station 1.

  If the user authentication result is successful, the authentication device 3 notifies the radio base station 1 together with access control information for the user held by itself. The authentication device 3 communicates with the radio base station 1 for communication and notification of access control information to the user, and performs communication for authentication of user information with the user registration database device 4. Depending on the authentication method for network connection, the authentication device 3 performs user authentication by verifying certificates passed from the wireless terminal devices 2-1 and 2-2.

  The user registration database device 4 manages accounts and passwords of users who use the wireless terminal devices 2-1 and 2-2. This function may be included in the authentication device 3.

  FIG. 2 is a block diagram showing the configuration of the authentication device 3 of FIG. In FIG. 3, the authentication device 3 includes a setting interface unit 31, a user information storage unit 32, a parameter storage unit 33, a communication control unit 34, a wired communication interface unit 35, and a recording medium 36.

  The setting interface unit 31 makes it possible to check and set information set in the user information storage unit 32 and the parameter storage unit 33. Enables access via WEB browser, command line input via serial port connection, etc.

  The user information storage unit 32 holds a set of user names and typically passwords necessary for user authentication for the wireless terminal devices 2-1 and 2-2. The user information storage unit 32 relates to a root CA (certificate authority) certificate used when verifying a certificate passed from the wireless terminal device 2-1 or 2-2 depending on an authentication method for network connection. May hold information.

  The user information storage unit 32 is used when the communication control unit 34 determines whether or not to authenticate a user authentication request received from the radio base station 1. The value in the user information storage unit 32 is set / changed by the setting interface unit 31.

  The parameter storage unit 33 holds various parameters for the user registered in the user information storage unit 32. The various parameters include values relating to types that can perform data communication after authentication via the radio base station 1 to which the user is currently authenticated. The parameter storage unit 33 is used when the communication control unit 34 acquires information related to access control for a user who has been authenticated. The value in the parameter storage unit 33 is set / changed by the setting interface unit 31.

  The communication control unit 34 processes a user authentication request from the wireless base station 1 received from the wired communication interface unit 35. In response to the received user authentication request, the communication control unit 34 acquires user information from the user information storage unit 32 and determines whether authentication is possible. The user information may be acquired from the user registration database device 4 connected to the LAN line or the WAN line 100.

  The communication control unit 34 may generate a plurality of exchanges with the radio base station 1 depending on the authentication method for network connection from the user authentication request to the user approval determination.

  If the communication control unit 34 determines that the authentication is not possible, the communication control unit 34 notifies the radio base station 1 that the authentication is not possible. If the communication control unit 34 determines that the authentication is possible, the communication control unit 34 acquires access control information for the user from the parameter storage unit 33. The wireless base station 1 is notified of the information and the fact that authentication is possible. The point of notifying access control information when notifying that authentication is possible is different from the conventional authentication device.

  The wired communication interface unit 35 is connected to the LAN line or the WAN line 100, and performs processing for transmitting the data received from the communication control unit 34 to the LAN line or the WAN line 100. In addition, the wired communication interface unit 35 performs processing for passing the received data to the communication control unit 34.

  During IEEE802.1X authentication, communication is typically performed with the radio base station 1 and is also used for communication with the terminal device 5 connected via the LAN line or the WAN line 100.

  In the case where the authentication device 3 is a computer including a CPU (Central Processing Unit) and a RAM (Read Only Memory) (not shown), the CPU executes the program stored in the recording medium 36 to realize the processing of each unit described above. .

  FIG. 3 is a block diagram showing a configuration of the radio base station 1 of FIG. In FIG. 3, the wireless base station 1 includes a wired communication interface unit 11, an access control information storage unit 12, an access control unit 13, a communication control unit 14, a wireless communication interface unit 15, and a recording medium 16. ing.

  The wired communication interface unit 11 is connected to the LAN line or the WAN line 100, and performs processing for transmitting data received from the communication control unit 14 through the LAN line or the WAN line 100. In addition, the wired communication interface unit 11 performs processing for passing the received data to the communication control unit 14.

  The wired communication interface unit 11 communicates with the authentication device 3 at the time of authentication for network connection, and is also used for communication with the terminal device 5 connected to the wired side.

  The access control information storage unit 12 is set with the access control information from the communication control unit 14, and is read when the access control unit 13 determines whether to pass or discard data. The access control unit 13 performs an operation of passing / discarding data passed from the communication control unit 14 based on access control information set from the communication control unit 14 to the access control information storage unit 12.

  The communication control unit 14 performs control for transmitting data from the wired communication interface unit 11 or data from the wireless communication interface unit 15 from the wired communication interface unit 11 or the wireless communication interface unit 15 according to the transmission destination. The communication control unit 14 also performs a negotiation process with the wireless terminal devices 2-1 and 2-2.

  When the communication control unit 14 receives a negotiation request from the wireless terminal devices 2-1 and 2-2, the communication control unit 14 completes the authentication / association operation. After completing the association operation, the communication control unit 14 starts authentication for network connection.

  When the communication control unit 14 starts authentication for network connection, the communication control unit 14 typically transmits an EAP (Extensible Authentication Protocol) Request / Identity to the wireless terminal devices 2-1 and 2-2. EAP Response / Identity that is a response from 1 and 2-2 is received.

  The communication control unit 14 determines a user name from the received EAP Response / Identity and transmits a user authentication request to the authentication device 3. When the communication control unit 14 receives the authentication result from the authentication device 3, the communication control unit 14 notifies the wireless terminal devices 2-1 and 2-2 of whether authentication is possible. Depending on the authentication method for network connection, the communication control unit 14 may exchange a plurality of authentication data from the time when the authentication request is transmitted to the time when the authentication result is received. May occur between 3.

  The communication control unit 14 performs an operation of transferring authentication data from the wireless terminal devices 2-1 and 2-2 to the authentication device 3. When notified from the authentication device 3 that the authentication is possible, the communication control unit 14 sets the access control information notified from the authentication device 3 in the access control information storage unit 12 together with the authentication result notification.

  Thereafter, for data communication exchanged by the authenticated user via the radio base station 1, an operation is once performed from the communication control unit 14 via the access control unit 13. The authentication data is directly connected to the LAN line or WAN line 100 without going through the access control unit 13.

  The wireless communication interface unit 15 performs processing for wirelessly transmitting data received from the communication control unit 14. In addition, the wireless communication interface unit 15 performs processing for passing the received data to the communication control unit 14. The wireless communication interface unit 15 is mainly used for communication with the wireless terminal devices 2-1 and 2-2.

  In this embodiment, an access control information storage unit 12 and an access control unit 13 are provided in the configuration of the radio base station 1. The access control information storage unit 12 stores access control information notified from the authentication device 3 when the IEEE 802.1X authentication necessary to start data communication via the radio base station 1 is successfully completed. It is remembered.

  The data of the wireless terminal devices 2-1 and 2-2 relayed by the wireless base station 1 is based on access control information set in the wireless base station 1 after each IEEE 802.1X authentication. The content of data communication is controlled by filtering with. As a result, in this embodiment, it is possible to restrict access by data communication for each user in cooperation with authentication for network connection.

  Further, in this embodiment, by notifying the access control information from the wireless base station 1 to the wireless terminal devices 2-1 and 2-2, the function of each application in the wireless terminal devices 2-1 and 2-2 is determined. Access restriction can be performed.

  In the case where the wireless base station 1 is a computer including a CPU and a RAM (not shown), the CPU executes the program stored in the recording medium 16 to realize the processing of each unit described above.

  FIG. 4 is a diagram showing a configuration example of the parameter storage unit 33 of FIG. In FIG. 4, the parameter storage unit 33 includes, as parameters (330), access control information (331) for the user name “ALICE”, access control information (332) for the user name “BOB”, and access control for the user name “CHARLIE”. Information (333).

  The functions of these parameters (330) include a telephone (334), a TV (TV) telephone (335), a mail (336), and a browser (337), which can be used (“◯” or “ × ”) is held.

  FIG. 5A is a diagram showing a configuration example of an access control information format according to the first embodiment of the present invention, and FIG. 5B is a configuration example of an attribute value format according to the first embodiment of the present invention. FIG. In FIG. 5A, the access control information format A is “attribute number (26) Vendor-Specific” (A1), attribute length (A2), value (vendor ID) (A3), and value (A4). It consists of and. In FIG. 5B, the attribute value format B is composed of a plurality of sets each including “attribute number”, “attribute length”, and “value”.

  FIG. 6A is a diagram showing a list of unique attributes according to the first embodiment of the present invention, and FIG. 6B is a diagram showing values of respective attributes according to the first embodiment of the present invention. In FIG. 6 (a), the attribute C1 of the unique attribute list C has # as "1", the attribute name is "telephone", the attribute value is "ENUM", and the attribute C2 has # as "2" The attribute name is “TV phone”, the attribute value is “ENUM”, the attribute C3 is “3”, the attribute name is “mail”, the attribute value is “ENUM”, and the attribute C4 is # Is “4”, the attribute name is “browser”, and the attribute value is “ENUM”.

  In FIG. 6B, in the row D11 of the attribute D10 of the value D corresponding to each attribute value, “1” as #, “phone OK” as the value name, and “1” as the attribute number of the corresponding attribute. In the row D12, “2” is stored as #, “phone NG” is stored as the value name, and “1” is stored as the attribute number of the corresponding attribute.

  The row D21 of the attribute D20 holds “1” as #, “TV phone OK” as the value name, and “2” as the attribute number of the corresponding attribute, and the row D22 has “2” as #. "," TV phone NG "as the value name, and" 2 "as the attribute number of the corresponding attribute.

  The row D31 of the attribute D30 holds “1” as #, “Mail OK” as the value name, and “3” as the attribute number of the corresponding attribute, and “2” as # in the row D32. However, “mail NG” is held as the name of the value, and “3” is held as the attribute number of the corresponding attribute.

  The row D41 of the attribute D40 holds “1” as #, “Prowser OK” as the value name, and “4” as the attribute number of the corresponding attribute, and “2” as # in the row D42. However, “Browser NG” is held as the name of the value, and “4” is held as the attribute number of the corresponding attribute.

  FIG. 7 is a sequence chart showing the operation of the radio communication system according to the first embodiment of the present invention, and FIG. 8 is a flowchart showing the operation of the radio base station 1 of FIG. The operation of the wireless communication system according to the first embodiment of the present invention will be described with reference to FIGS. The processing shown in FIG. 8 is realized by the CPU of the computer constituting the wireless base station 1 moving the program of the recording medium 16 to the RAM and executing it.

  In order for the wireless terminal device 2-1 to connect to the LAN line or the WAN line 100 via the wireless base station 1 and perform communication, first, negotiation is performed between the wireless terminal device 2-1 and the wireless base station 1. (A1 in FIG. 7, step S1 in FIG. 8).

  When the wireless base station 1 receives the authentication frame from the wireless terminal device 2-1 from the wireless communication interface unit 15 by the communication control unit 14, the wireless base station 1 authenticates the wireless terminal device 2-1 by open authentication, and the communication control unit 14 is successful and transmits the authentication result from the wireless communication interface unit 15 to the wireless terminal device 2-1 using an authentication frame.

  Next, when the wireless base station 1 receives the association request frame from the wireless terminal device 2-1, the wireless base station 1 transmits an association response to the wireless terminal device 2-1, thereby causing the wireless base station 1 and the wireless terminal device 2-1 to communicate with each other. The association between is complete. Thereafter, data from the wireless terminal device 2-1 is processed by the communication control unit 14 via the wireless communication interface unit 15, and data to the wireless terminal device 2-1 is transmitted via the wireless communication interface unit 15.

  When the association is completed, authentication for network connection is started (a2 in FIG. 7, step S2 in FIG. 8). In authentication for network connection, EAP Request / Identity is transmitted from the wireless base station 1 to the wireless terminal device 2-1. The wireless base station 1 receives a message from the wireless terminal device 2-1 in a format including a user name such as “ALICE”. Using the received user name, the radio base station 1 completes by communicating with the authentication device 3. The authentication data is transferred between the wireless terminal device 2-1 and the authentication device 3 as necessary.

  When the wireless base station 1 receives the access control information for the user from the authentication device 3 together with a successful authentication result (steps S3 and S4 in FIG. 8), the access control information storage unit 12 sets the received access control information. (A3 in FIG. 7, step S5 in FIG. 8). In addition, the radio base station 1 notifies the radio terminal device 2-1 of whether or not authentication is possible (a4 in FIG. 7, step S6 in FIG. 8).

  Thereafter, the radio base station 1 once passes the data from the user via the radio base station 1 and the data to the user to the access control unit 13, and sends the data returned from the access control unit 13 to the wired communication interface unit 11 or An operation of transmitting from the wireless communication interface unit 15 is performed (a5, a6, a7 in FIG. 7, steps S7, S8 in FIG. 8).

  Furthermore, the access control information notified from the authentication device 3 to the radio base station 1 and the operation of the access control unit 13 in the radio base station 1 will be described with reference to FIGS.

  FIG. 4 shows a configuration example of the parameter storage unit 33 in the authentication device 3. The value stored in the parameter storage unit 33 may be stored in advance or may be set from the setting interface unit 31.

  The parameter storage unit 33 describes a user name and a function list corresponding to the user name. For example, in the case of the user “ALICE”, a phone (334), a video phone (335), a mail (336), and a browser (337) are defined as functions, and “phone OK”, “TV phone OK”, “Mail OK” and “Browser OK” are defined.

  FIG. 5 shows a format example of access control information notified from the authentication device 3 to the radio base station 1 together with the authentication result notification. In IEEE802.1X, there is no protocol defined between the wireless base station 1 and the authentication device 3, but generally a protocol called RADIUS (Remote Authentication Dial In User Service) is used.

  The access control information format A uses an attribute value for carrying a vendor-specific attribute defined as an attribute value “26”, which is one of the RADIUS protocols. In the value of the value A4 in the access control information format A, a format described by repetition of the attribute value, length, and value as shown in the attribute value format B is defined, and a unique attribute list C as shown in FIG. 6 is defined. It is used to notify values for “telephone”, “TV phone”, “mail”, “browser”, and the like.

  In the value D corresponding to each attribute value, each attribute value and the content of the value are defined, and the unique attribute number C and the value D corresponding to each attribute value are held in the authentication device 3 and the radio base station 1 in advance. This is realized by notifying the attribute value number and the attribute value in pairs when the access control information is notified from the actual authentication device 3 to the radio base station 1.

  As attribute values in the unique attribute list C, “integer (INTERGER)”, “option (ENUM)”, “character string (STRING)”, “text (TEXT)”, “IP address (IPADDR)”, “time (TIME)” ) "And the like, and various types of attribute values can be notified.

  In the case of the above “ALICE” example, the attribute value “1” is assigned to the attribute number “1”, the attribute value “1” is assigned to the attribute number “2”, and the attribute number “3” is assigned. The attribute value “1” can be notified from the authentication device 3 to the radio base station 1 by setting the attribute value “1” for the attribute number “4”.

  Upon receiving the access control information, the radio base station 1 passes the access control information from the radio communication interface unit 15 to the communication control unit 14 and sets it in the access control information storage unit 12 by the communication control unit 14 (step S4 in FIG. 8). S5). The access control information storage unit 12 stores a value set by the communication control unit 14 as access control information for the user.

  Here, the operation when the user is “ALICE” and data communication is performed from the wireless terminal device 2-1 to the terminal device 5 connected via the LAN line or the WAN line 100 will be described.

  Data from the wireless terminal device 2-1 to the terminal device 5 is transferred via the wireless base station 1. At this time, the wireless base station 1 uses the communication control unit 14 to temporarily transfer the data to the access control unit. 13 (step S7 in FIG. 8). The access control unit 13 to which the data is passed acquires the access control information for the user from the access control information storage unit 12, and determines whether to pass or discard the data.

  For example, if the data is data from a WEB browser, the access control information acquired from the access control information storage unit 12 is “OK” in the browser access to “ALICE”. Data is transferred to the communication control unit 14 (a5 in FIG. 7).

  As an example of determining that the data is from a WEB browser, the determination can be made based on the transmission destination port number or the transmission source port number. Similarly to the above, the data from the terminal device 5 connected to the wireless terminal device 2-1 connected by the LAN line or the WAN line 100 is once accessed when passing through the communication control unit 14 in the wireless base station 1. 13 is determined to pass / discard, and is transmitted from the wireless base station 1 to the wireless terminal device 2-1 only when it is determined to pass (a5, a6, a7 in FIG. 7).

  As described above, in the present embodiment, the wireless terminal devices 2-1 and 2-2 perform the wireless communication from the authentication device 3 to the wireless base station according to the result of the IEEE 802.1X authentication that is first performed to perform data communication via the wireless base station 1. Since the access control information for the user is notified to the station 1 and the access control for the user is automatically performed in the radio base station 1, a plurality of user authentication operations are performed in the radio terminal apparatuses 2-1 and 2-2. Of course, different access control information can be set for each user in data communication via the radio base station 1. For this reason, in this embodiment, not only uniform access control for all users who perform data communication via the radio base station 1, but also different access control can be performed for each user.

  In the present embodiment, the authentication device 3 notifies the wireless base station 1 of access control information for the user together with the user authentication result, so that even when there are a plurality of wireless base stations, only the authentication device 3 Since it is only necessary to set the access control information for the user, even when there are a plurality of radio base stations, the setting for each user for each radio base station can be facilitated.

  Furthermore, in the present embodiment, the settings related to access control for each user in the radio base station 1 can be freely changed only by the settings on the authentication device 3 side, regardless of the radio terminal devices 2-1 and 2-2. Therefore, when data communication is performed via the wireless base station 1, no special device is required if the wireless terminal devices 2-1 and 2-2 are compatible with authentication for network connection. For this reason, in this embodiment, it can be used in all wireless terminal devices that support authentication for network connection.

  Furthermore, in the present embodiment, the vendor-specific attribute in the standard protocol used for authentication is used for data exchange between the radio base station 1 and the authentication device 3, so that authentication with the radio base station 1 is possible. A plurality of authentication proxy devices that can handle a standard protocol used for authentication can be installed between the devices 3. Therefore, in this embodiment, the authentication devices 3 can be distributed.

  In the present embodiment, the example in which the parameter storage unit 33 in the authentication device 3 stores information about the function corresponding to the user name and notifies the radio base station 1 in FIG. 4 is described. May hold access control information. In this case, the authentication device 3 that has received the user authentication request, from the realm included in the user ID described in a format such as “ALICE @ REALM” or “REALM ¥ ALICE” included in the request, to the realm to which the user belongs The access control information set for each realm is retrieved from the parameter storage unit 33 and notified to the radio base station 1, thereby enabling access control for each realm.

  In the present embodiment, the example in which the parameter storage unit 33 in the authentication device 3 stores information about the function corresponding to the user name and notifies the wireless base station 1 in FIG. 4 is explained. Access control information may be held for each station 1. In this case, access control information set for each radio base station 1 is stored as a parameter by judging from “NAS-Identifier”, “NAS-IP-Address”, “Called-Station-Id”, etc. included in the user authentication request. By taking out from the unit 33 and notifying the radio base station 1, access control for each radio base station 1 becomes possible.

  In this embodiment, a group is defined in the authentication device 3 and access control information is held for each group. Each group is assigned to each realm, each user is assigned to a group, and each radio base station 1 is assigned. By belonging to a group, access control for each group is also possible.

  In this embodiment, for example, “telephone”, “TV phone”, “mail”, and “browser” are defined as attributes in FIG. It is possible to describe without.

  In addition, in this embodiment, only “OK” and “NG” are defined as examples of attribute values for the attributes in FIG. 6. In other words, it is possible to perform detailed access control in the radio base station 1 by defining attribute values such as “only mail reception is OK” and “only mail transmission is OK”.

  In this case, as a detailed access control method in the radio base station 1, in the case of a telephone, it is determined from the exchange of call control data and the incoming call is allowed to pass, but the outgoing call is not allowed to pass, In other words, it can be realized by allowing a protocol used for mail reception such as POP (Post Office Protocol) to pass but not allowing a protocol used for mail transmission such as SMTP (Simple Mail Transfer Protocol) to pass. .

  In this embodiment, in FIG. 5, an access control format A for notifying access control information from the authentication device 3 to the radio base station 1 is defined, and an attribute value format B of a set of attributes and attribute values is actually used. It is realized by repeating attribute number, attribute length, value and AVP (Attribute Value Pair) pairs, but attribute value format B is described in XML (extensible Mark-up Language) format “<Attribute> <Number> 1 An existing XML parser (XML conversion software) can be used to interpret attribute values by replacing the description with a repetition of </ Number> <Value> 2 </ Value> </ Attribute >>.

  In the present embodiment, the access control information for each user, each realm, or each group determined by the authentication device 3 is notified to the radio base station 1 so that the radio base station 1 performs access control. 1 and 2-2 cannot obtain information on access control that is actually performed.

  Therefore, after communication by IP is started between the wireless terminal devices 2-1 and 2-2 and the wireless base station 1, the web access from the wireless terminal devices 2-1 and 2-2 to the wireless base station 1 is performed. By displaying the information related to access control at the wireless base station 1 currently performed by the wireless terminal devices 2-1 and 2-2, it is possible to make the information known to the user. is there.

  In this embodiment, in FIG. 3, the access control unit 13 once receives data from the communication control unit 14 in the radio base station 1, and passes the data to the communication control unit 14 after determining whether to pass or discard the data. However, since the access control unit 13 is located between the communication control unit 14 and the wired communication interface unit 11 or the wireless communication interface unit 15, the data received from the communication control unit 14 is directly transmitted to the wired communication interface unit 11 or the wireless communication interface unit 11. It is also possible to transmit and receive from the communication interface unit 15.

  FIG. 9 is a block diagram showing a configuration of a radio base station according to the second embodiment of the present invention. 9, the radio base station 6 according to the second embodiment of the present invention is the same as the first embodiment of the present invention shown in FIG. 3 except that a setting interface unit 61, a parameter storage unit 62, and a recording medium 63 are added. It has the same structure, and the same code | symbol is attached | subjected to the same component.

  FIG. 9 shows a functional configuration in which the functions of the setting interface unit 31 and the parameter storage unit 33 in the authentication device 3 are added to the radio base station 1 in the first embodiment of the present invention. However, the communication control unit 14 is partially different from the operation of the communication control unit 14 shown in FIG.

  The setting interface unit 61 can check and set information set in the parameter storage unit 62, and can be accessed via a WEB browser, command line input via a serial port connection, and the like.

  The parameter storage unit 62 holds various parameters for a user who successfully completes IEEE 802.1X authentication and performs data communication via the radio base station 6. The various parameters include values relating to types that can perform data communication after authentication via the radio base station 6 to which the user is currently authenticated.

  The parameter storage unit 62 is used when the communication control unit 14 obtains information related to access control for the authenticated user. The value in the parameter storage unit 62 is set / changed by the setting interface unit 61.

  The communication control unit 14 has the same basic function as that of the first embodiment of the present invention described above, but differs in that it has the following functions. In the first embodiment of the present invention, when the authentication apparatus 3 is notified that authentication is possible in network connection authentication, the access control information stored together with the authentication result notification is stored in the access control information storage. Part 12 is set.

  On the other hand, in the present embodiment, when the access control information for the authenticated user is obtained from the parameter storage unit 62 as the value set in the radio base station 6, and the access control information for the user exists, The access control information set in the radio base station 6 is set in the access control information storage unit 12. Thereafter, the data communication exchanged by the authenticated user via the radio base station 6 performs an operation once transferred from the communication control unit 14 to the access control unit 13.

  The authentication data is the same as the operation in the first embodiment of the present invention in that it is directly connected to the LAN line or WAN line 100 without going through the access control unit 13.

  Here, the operation of this embodiment will be described assuming that the content of the parameter storage unit 62 is the same as that of the parameter storage unit 33 shown in FIG. 4, and the attribute value and the attribute value are the same as the content shown in FIG.

  This embodiment is different from the first embodiment of the present invention described above in that the functions of the setting interface unit 61 and the parameter storage unit 62 are added and the access control information for the authenticated user in the communication control unit 14 Is different from determining. Therefore, only these different points will be described. The values stored in the parameter storage unit 62 may be stored in advance or may be set from the setting interface unit 61.

  The parameter storage unit 62 describes a user name and a function list corresponding to the user name. For example, in the case of the user “ALICE”, a phone (334), a video phone (335), a mail (336), and a browser (337) are defined as functions, and “phone OK”, “TV phone OK”, “Mail OK” and “Browser OK” are defined.

  The operation of the communication control unit 14 is the same as that of the first embodiment of the present invention described above until the access control information for the user is received from the authentication device 3 together with the approval for the user. In the first embodiment of the present invention, the access control information is set in the access control information storage unit 12 as it is, but in this embodiment, the access control information for the authenticated user is acquired from the parameter storage unit 62, If it exists, it is different from the first embodiment of the present invention in that an operation of setting the access control information storage unit 12 is performed.

  In this embodiment, by providing the setting interface unit 61 and the parameter storage unit 62, the access control information for the user set only by the authentication device 3 can be set also in the radio base station 6, and used in a specific place. Thus, it is possible to reflect a specific function that is not desired in the radio base station 6 in the access control.

  In addition, the access control information notified from the authentication device 3 and the access control information merged in the radio base station 6 are overwritten with the access control information in the radio base station 6 in this embodiment. When the control information is notified, an attribute such as “overwrite NG” or “overwrite OK” may be added to the attribute value to enable / disable overwriting in the radio base station 6.

  In addition, in this embodiment, it is possible to set a rule such that “OK” can be changed to “NG” in the function, but “NG” cannot be overwritten to “OK”. It is.

  Furthermore, in this embodiment, as in the first embodiment of the present invention described above, a group is defined in the radio base station 6, access control information is held for each group, and each realm belongs to a group, By making each user belong to a group, access control can be performed for each group. This embodiment can be used in combination with the first embodiment of the present invention described above.

  Next, a third embodiment of the present invention will be described. The radio base station according to the third embodiment of the present invention has the same configuration as that of the radio base station 6 according to the second embodiment of the present invention shown in FIG. 9, but the operation of the communication control unit 14 is as described above. This is partly different from the second embodiment of the invention.

  When the communication control unit 14 of the radio base station in the present embodiment acquires the access control information for the user from the parameter storage unit 62 when the user authentication request is made to the authentication device 3, the communication control unit 14 transmits the user authentication request. In addition, it is different in that it is transmitted in advance to the authentication device 3 in the access control information format shown in FIG.

  The access control information format shown in FIG. 5 is the same as the format in the first embodiment of the present invention described above. In this case, the operation of the communication control unit 14 is the access control information storage unit as it is, as in the operation of the communication control unit 14 in the first embodiment of the present invention, after the authentication is completed. Or may be set in the access control information storage unit 12 in combination with the access control information in the radio base station 6 as in the operation of the communication control unit 14 in the second embodiment of the present invention. Good.

  In FIG. 2, the authentication apparatus according to the third embodiment of the present invention has the same configuration as that of the authentication apparatus 3 according to the first embodiment of the present invention described above, but the operation of the communication control unit 34 is the first of the present invention. This is partly different from the first embodiment.

  The authentication device in the present embodiment, when notifying the successful authentication result for the user, access control information sent in advance from the wireless base station 6 at the time of user authentication request, and the access held by the authentication device This is different from the first embodiment of the present invention in that a process for determining which control information to notify or how to merge and notify is added.

  In this embodiment, there is provided a function of notifying the authentication device of desired access control information in the radio base station 6 for a user who is going to authenticate in advance, thereby providing access control information from the authentication device for the authenticated user and The wireless base station 6 can reflect the desire in the wireless base station 6 without requiring the wireless base station 6 to make a setting related to merging with the access control information set in the wireless base station 6. Also, this embodiment can be used in combination with each of the first and second embodiments of the present invention described above.

  FIG. 10 is a block diagram showing a configuration of a wireless terminal device according to the fourth embodiment of the present invention. In FIG. 10, the wireless terminal device 7 includes a communication application unit 71, an access control unit 72, an access control information storage unit 73, a communication control unit 74, a wireless communication interface unit 75, a user interface unit 76, and a recording medium. 77. The communication application unit 71 includes one or more communication applications 711 and 712.

  The present embodiment differs from the functional configuration of a normal wireless terminal device (not shown) in that the wireless terminal device 7 has an access control unit 72 and an access control information storage unit 73 in the functional configuration of the wireless terminal device 7.

  The communication application unit 71 represents an application that uses data communication in the wireless terminal device 7. Data exchanged with an external terminal (not shown) is transferred to the communication control unit 74 and transmitted from the wireless communication interface unit 75. . Further, the data received from the wireless communication interface unit 75 is transferred to the communication control unit 74 and further transferred to the communication application unit 71 to perform data communication with the outside. Note that the communication application unit 71 activates or terminates the application according to an activation or termination instruction from the user interface unit 76.

  The access control unit 72 performs an operation of passing / discarding data passed from the communication control unit 74 based on the access control information set from the communication control unit 74 to the access control information storage unit 73. The access control information storage unit 73 is set with access control information from the communication control unit 74 and is read from the access control unit 72 when data pass / discard is determined.

  The communication control unit 74 performs control for transmitting data from the communication application unit 71 from the wireless communication interface unit 75. Further, the communication control unit 74 performs control to transfer data from the wireless communication interface unit 75 to the communication application unit 71 according to the transmission destination. Furthermore, the communication control unit 74 also performs negotiation processing with the radio base station.

  In order to perform data communication via the radio base station, the communication control unit 74 transmits a negotiation request to the radio base station, thereby completing the authentication association operation. After the association operation is completed, the communication control unit 74 transmits data for starting IEEE 802.1X authentication, typically called EAPOL-Start, in order to start authentication for network connection.

  When authentication for network connection is started, the communication control unit 74 typically receives EAP Request / Identity from the radio base station, and sends the EAP Response / Identity to the radio base station including its user name. Send. By receiving the authentication result from the radio base station, the authentication for network connection is completed.

  Depending on the authentication method for network connection, a plurality of pieces of authentication data may be exchanged between the wireless terminal device 7 and the authentication device until the authentication result is received after the authentication request is transmitted. The communication control unit 74 performs necessary processing on the received authentication data and performs a response operation.

  When notified from the radio base station that authentication is possible, the communication control unit 74 then exchanges an encryption key with the radio base station and uses the encryption key and radio used with the radio base station. Encrypted communication is enabled by setting an encryption key shared with the wireless terminal devices under the base station. After the encrypted communication becomes possible, the communication control unit 74 sets the access control information notified from the radio base station in the access control information storage unit 73.

  Thereafter, the data transmitted and received from the wireless terminal device 7 according to the present embodiment performs an operation in which the data is once transferred from the communication control unit 74 to the access control unit 72. The authentication data is directly connected to the LAN line or WAN line without going through the access control unit 72.

  The wireless communication interface unit 75 performs processing to wirelessly transmit data received from the communication control unit 74. The wireless communication interface unit 75 performs a process of passing the received data to the communication control unit 74, and is mainly used when communicating with the wireless base station.

  The user interface unit 76 instructs the applications of the communication application unit 71 to start and end. Further, for example, the user interface unit 76 can display a list of applications that can be executed at present by menu display or the like, and can be activated by selecting an application that the user wants to execute.

  In the case where the wireless terminal device 7 is a computer including a CPU and a RAM (not shown), the CPU executes the program stored in the recording medium 77 to realize the processing of each unit described above.

  Although not shown, the radio base station according to the fourth embodiment of the present invention has the same configuration as that of the radio base station 6 according to the second embodiment of the present invention described above. It differs in that it notifies to the terminal device 7. The operation of this embodiment will be described with reference to FIG.

  The steps up to the point where the connection negotiation is performed between the wireless terminal device 7 and the wireless base station 6 and then the authentication for the network connection is performed are the same as in the second embodiment of the present invention described above. This embodiment does not set the access control information for the user in the access control information storage unit 12 in the radio base station 6 shown in FIG. This is different from the second embodiment.

  At this time, as an example of the format when transmitting from the wireless base station 6 to the wireless terminal device 7, the IEEE 802.1X authentication data and the data related to the encryption key are exchanged between the wireless terminal device and the wireless base station in IEEE 802.1X. EAPOL (EAP over LANs) frames exist, and EAPOL-EXT (extended) is newly defined as the EAPOL packet type, and the access control format as shown in FIG. Use what you defined.

  In order to send this access control information to the wireless terminal device 7 securely, encryption is performed using an encryption key shared by both the wireless base station 6 and the wireless terminal device 7 as a result of authentication for network connection. To send. For example, as a result of IEEE 802.1X authentication, encryption was performed using a shared encryption key, but a key shared in TLS (Transport Layer Security) in IEEE 802.1X authentication, such as a protocol used for key distribution, is used. A method may be used in which an attribute-related portion is encrypted and transmitted.

  The wireless terminal device 7 sets the received access control information in the access control information storage unit 73. The communication control unit 74 once passes the data from the communication application unit 71 or the data to the communication application unit 71 to the access control unit 72, and the access control unit 72 determines whether to pass / discard. 74 is transmitted from the wireless communication interface unit 75 to the wireless base station 6 or passed to the communication application unit 71. Data communication is generated by the communication application 71 that is activated by the user interface unit 76 in the wireless terminal device 7 and is being executed.

  In the present embodiment, the wireless base station 6 is provided with a function of notifying the wireless terminal device 7 of access control information for the user, and the wireless terminal device 7 is provided with an access control unit 72 and an access control information storage unit 73, thereby The effect that the access control in the terminal device 7 can be made is obtained. Moreover, this embodiment can be used in combination with each of the first to third embodiments of the present invention described above.

  FIG. 11 is a block diagram showing a configuration of a wireless terminal device according to the fifth embodiment of the present invention. In FIG. 11, the wireless terminal device 8 according to the fifth embodiment of the present invention has the configuration of the wireless terminal device 7 according to the fourth embodiment of the present invention shown in FIG. 10 except that an application unit 81 and a storage medium 82 are added. The same components are denoted by the same reference numerals.

  In the fourth embodiment of the present invention described above, only the communication applications 711 and 712 are provided. However, in the present embodiment, not only the communication application 812 but also the application 811 that does not use the network is included. This is different from the fourth embodiment.

  Further, in the present embodiment, the access control unit 72 is located between the user interface unit 76 and the application unit 81, and is greatly different from the above-described fourth embodiment of the present invention. The operation is also different from the above-described fourth embodiment of the present invention. Only functions and operations different from those of the fourth embodiment of the present invention will be described below.

  The application unit 81 represents an application in the wireless terminal device 8, and starts or ends the application 811 by notifying the start or end instruction from the user interface unit 76 via the access control unit 72.

  A communication application 812 using data communication is used when data exchanged with an external terminal (not shown) is transferred to the communication control unit 74 and transmitted from the wireless communication interface unit 75. Further, data received from the wireless communication interface unit 75 is transferred to the communication control unit 74 and is transferred to the communication application 812, whereby data communication with the external terminal is performed.

  The access control unit 72 acquires the access control information from the access control information storage unit 73, restricts the application 811 that can be executed from the user interface unit 76 based on the acquired value, and controls whether or not the application 811 can be executed. Is possible.

  The processing until the communication control unit 74 sets the access control information received from the radio base station in the access control information storage unit 73 is the same as that in the fourth embodiment of the present invention described above. The transferred data is transmitted via the wireless communication interface unit 75 without passing through the access control unit 72, and the data received from the wireless communication interface unit 75 is passed to the communication application 812 without passing through the access control unit 72. Different.

  The user interface unit 76 instructs the application 811 to start and end via the access control unit 72. For example, the user interface unit 76 can display a list of applications that can be executed currently by menu display or the like, and can be activated by selecting an application that the user wants to execute.

  When the wireless terminal device 8 is a computer including a CPU and a RAM (not shown), the CPU executes the program stored in the recording medium 82 to realize the processing of each unit described above.

  Hereinafter, the operation of this embodiment will be described. The wireless terminal device 8 negotiates to perform data communication with the wireless base station, and then starts authentication for network connection, and the encryption key is set in the wireless terminal device 8 and the wireless base station. Is notified from the radio base station, and the operation from the communication control unit 74 to setting in the access control information storage unit 73 is the same as the operation of the fourth embodiment of the present invention described above.

  The access control unit 72 acquires the access control information from the access control information storage unit 73, and blocks the activation request from the user interface unit 76 to the application 811 according to the value. Alternatively, access control information is passed from the access control unit 72 to the user interface unit 76, and the user interface unit 76 performs an operation that disables selection of the application, and performs an operation that disables execution of the application.

  For example, to describe an example of the above-described user name “BOB”, as shown in FIG. 4, the access control information storage unit 73 stores “phone NG”, “TV phone NG”, “mail OK”, “browser OK”. Is memorized. The access control unit 72 notifies the access control information to the user interface unit 76. In the user interface unit 76, for example, a mail or a browser can be selected by menu display or the like, but an executable application and an inexecutable application can be realized by disabling selection of a telephone or a TV phone. It becomes possible.

  Thereafter, in the data communication in the executed communication application, the communication control unit 74 performs data communication by performing the operation received from the wireless communication interface unit 75 to the communication application 812 or vice versa.

  In the present embodiment, by providing the access control unit 72 between the user interface unit 76 and the application unit 81, it is possible to enable access control even in the application 811 in the wireless terminal device 8 that does not use the network. An effect is obtained. Moreover, this embodiment can be used in combination with each of the first to fourth embodiments of the present invention.

  FIG. 12 is a block diagram showing a configuration of a wireless terminal apparatus according to the sixth embodiment of the present invention. In FIG. 12, the wireless terminal device 9 according to the sixth embodiment of the present invention has the same configuration as that of the fifth embodiment of the present invention, but exchanges with the application section 81 in the access control section 72. The operation is partially different. The application unit 81 is different from the previous embodiment in that it has a function related to access control. In the following, components that are different in operation from the previous embodiment will be described.

  The application unit 81 represents an application 811 in the wireless terminal device 9, and starts or ends the application 811 when notified of an activation or termination instruction from the user interface unit 76. The application unit 81 is different from the fifth embodiment of the present invention described above in that it receives access control information from the access control unit 72 and operates according to the received access control information.

  A communication application 812 using data communication passes data exchanged with an external terminal to the communication control unit 74 and is transmitted from the wireless communication interface unit 75. Further, the data received from the wireless communication interface unit 75 is transferred to the communication control unit 74 and transferred to the communication application 812, thereby performing data communication with the external terminal.

  The access control unit 72 acquires access control information from the access control information storage unit 73 and sets the acquired access control information corresponding to each application 811 for each application 811.

  The user interface unit 76 instructs activation and termination of each application 811 of the application unit 81. Further, for example, the user interface unit 76 can display a list of applications that can be executed at present by menu display or the like, and can be activated by selecting an application that the user wants to execute.

  In the case where the wireless terminal device 9 is a computer including a CPU and a RAM (not shown), the CPU executes the program stored in the recording medium 91 to realize the processing of each unit described above.

  FIG. 13 is a diagram showing a list of unique attributes according to the sixth embodiment of the present invention, and FIG. 14 is a diagram showing values of respective attributes according to the sixth embodiment of the present invention. In FIG. 13, the attribute E1 of the unique attribute list E is # is “1”, the attribute name is “telephone”, the attribute value is “ENUM”, the attribute E2 is # is “2”, and the attribute name Is "TV phone", the attribute value is "ENUM", the attribute E3 is "3", the attribute name is "mail", the attribute value is "ENUM", and the attribute E4 is # 4 ”, the attribute name is“ Browser ”, the attribute value is“ ENUM ”, the attribute E5 is“ # ”, the attribute name is“ Camera ”, and the attribute value is“ ENUM ”. For attribute E6, # is “6”, the attribute name is “video”, the attribute value is “ENUM”, attribute E7 is # “7”, the attribute name is “recording”, and the attribute value is “ENUM”.

  In FIG. 14, the row F11 of the attribute F10 of the value F corresponding to each attribute value holds “1” as #, “phone OK” as the name of the value, and “1” as the attribute number of the corresponding attribute. In the row F12, “2” is stored as #, “phone NG” is stored as the value name, “1” is stored as the attribute number of the corresponding attribute, and “3” is stored as the value “#” in the row F13. "Incoming OK / Outgoing NG" is held as the name of "1", and "1" is held as the attribute number of the corresponding attribute.

  In the row F21 of the attribute F20, “1” is stored as #, “TV phone OK” is stored as the value name, “2” is stored as the attribute number of the corresponding attribute, and “2” is stored as # in the row F22. , “TV phone NG” is stored as the value name, “2” is stored as the attribute number of the corresponding attribute, “3” is stored as # in the row F23, and “incoming OK / outgoing NG” is stored as the value name. , “2” is held as the attribute number of the corresponding attribute.

  In the row F31 of the attribute F30, “1” is stored as #, “Mail OK” is stored as the value name, “3” is stored as the attribute number of the corresponding attribute, and “2” is stored as # in the row F32. “Mail NG” is stored as the value name, “3” is stored as the attribute number of the corresponding attribute, “3” is stored as # in the row F33, and “Reception OK / Transmission NG” is stored as the value name. "3" is held as the attribute number of the attribute to be stored, "4" as # in the row F34, "Only save mail BOX browsing is OK" as the value name, and "3" as the attribute number of the corresponding attribute Each is held.

  In the row F41 of the attribute F40, “1” is stored as #, “Prowser OK” is stored as the value name, “4” is stored as the attribute number of the corresponding attribute, and “2” is stored as # in the row F42. “Browser NG” is stored as the value name, “4” is stored as the attribute number of the corresponding attribute, “3” is stored as # in the row F43, and “Browse OK / Save NG” is stored as the value name. "4" is held as the attribute number of the attribute to be assigned, "4" as the # in the row F44, "Browse OK / Print NG" as the value name, and "4" as the attribute number of the corresponding attribute. Is retained.

  In the row F51 of the attribute F50, “1” is stored as #, “Camera OK” is stored as the value name, “5” is stored as the attribute number of the corresponding attribute, and “2” is stored as # in the row F52. “Camera NG” is stored as the value name, “5” is stored as the attribute number of the corresponding attribute, “3” is stored as # in the row F53, and “Shooting OK / Save NG” is stored as the value name. "5" is held as the attribute number of the attribute to be performed, "4" is stored as the # in the row F54, "Shooting OK / Transfer NG" as the value name, and "5" as the attribute number of the corresponding attribute. Is retained.

  FIG. 15 is a diagram showing a configuration example of a parameter storage unit according to the sixth embodiment of the present invention. In FIG. 15, the parameter storage unit 21 has access control information (211) for the user name “ALICE”, access control information (212) for the user name “BOB”, and access control for the user name “CHARLIE” as parameters (210). Information (213).

  The functions of these parameters (210) include telephone (214), videophone (215), mail (216), browser (217), camera (218), video (219), and recording (220). The attribute number is held corresponding to.

  Hereinafter, the operation of this embodiment will be described. The wireless terminal device 9 negotiates to perform data communication with the wireless base station, and then starts authentication for network connection, the encryption key is set in the wireless terminal device 9 and the wireless base station, and access control information Is notified from the radio base station and the operation from the communication control unit 74 to the access control information storage unit 73 is the same as the operation of the fourth and fifth embodiments of the present invention described above.

  The access control unit 72 acquires access control information from the access control information storage unit 73, extracts settings for each application 811 from the acquired access control information, and sets the settings for each application 811.

  For example, it is assumed that the wireless terminal device 9, the wireless base station, and the authentication device hold in advance a list in which the attribute list E shown in FIG. 13 and the value F of each attribute shown in FIG. 14 are defined. As shown in FIG. 15, the authentication apparatus holds parameters (210) relating to access control information for each function as shown in FIG. 15, and as a result of authenticating the user name “BOB”, access to the user name “BOB” is performed. The operation when the control information (212) is notified to the wireless terminal device 9 and the information stored in the access control information storage unit 73 in the wireless terminal device 9 is the access control information (212) will be described.

  The access control unit 72 sets the value acquired from the access control information storage unit 73 for the application 811 for each function. That is, “Incoming OK / Outgoing NG” with “3” for the telephone application, “Incoming OK / Outgoing NG” with “3” for the TV phone application, for the mail application. Is “Mail OK” with # = “1”, “Browse OK / Save NG” with # = “3” for browser applications, and “Camera NG” with 3 = “2” for camera applications For video applications, “video NG” (not shown in FIG. 14) with “2” is shown, and for recording applications “recording NG” (not shown in FIG. 14) with “2”. Z)).

  Each set application performs detailed access control by performing an operation according to the set access control, regardless of whether or not the network is used or not, and for each application, whether it can be activated or not.

  In the present embodiment, it is possible to set detailed access control for each application in the wireless terminal device 9 by allowing the access control unit 72 to set access control information for each application. The effect is obtained. Further, this embodiment can be used in combination with each of the first to fifth embodiments of the present invention described above.

  FIG. 16 is a block diagram showing a system configuration of a wireless communication system according to the seventh embodiment of the present invention. In FIG. 16, in the seventh embodiment of the present invention, in the above-described system configuration example of the wireless communication system of the first to sixth embodiments of the present invention, the LAN line or WAN line 100 is connected via the wireless base station 1. It differs from each of the first to sixth embodiments of the present invention in that a gateway device 40 is provided between the terminal device 5 to be connected and the wireless terminal devices 2-1 and 2-1 that exchange data communication.

  The gateway device 40 is called a firewall, and has a function of inspecting a header of a TCP / IP (Transmission Control Protocol / Internet Protocol) packet, for example, and passing only a packet that satisfies the condition.

  The gateway device 40 transfers information and packets such as IP (Internet Protocol) addresses, port numbers, packet types [TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol)], and the like. Pass / discard based on conditions such as direction.

  The above condition is set from a device external to the gateway device 40, and further has a feature that access control information can be set dynamically for each user, each realm, each group, and the like.

  In each of the first to sixth embodiments of the present invention described above, the authentication device 3 notifies the wireless base station 1 of access control information along with the notification of successful authentication to the wireless terminal devices 2-1 and 2-2. In this embodiment, a notification of successful authentication is sent to the radio base station 1, but the authentication device 3 notifies the gateway device 40 of access control information.

  Hereinafter, the operation of this embodiment will be described. In order to perform data communication with the terminal device 5 connected to the LAN line or the WAN line 100 via the wireless base station 1, a connection negotiation is performed between the wireless terminal devices 2-1 and 2-2 and the wireless base station 1. Thereafter, the operations are the same as those in the first to sixth embodiments of the present invention described above until the authentication for network connection is performed.

  When the authentication is successful, the authentication device 3 notifies the wireless base station 1 of the authentication success, so that the wireless terminal devices 2-1 and 2-2 can perform data communication via the wireless base station 1.

  Next, in each of the first to sixth embodiments of the present invention described above, access control information for the wireless terminal devices 2-1 and 2-2 that have been successfully authenticated and have been notified from the authentication device 3 to the wireless base station 1 This point is different from the first to sixth embodiments of the present invention described above in that the authentication device 3 notifies the gateway device 40 of the above.

  When the gateway device 40 receives the access control information for the wireless terminal devices 2-1 and 2-2, the gateway device 40 subsequently performs an operation of filtering data communication of the wireless terminal devices 2-1 and 2-2 based on the access control information. Do.

  In this embodiment, by providing a gateway device between the radio base station 1 and the communication path for connecting to the LAN line or the WAN line 100, access control can be performed without requiring a special radio base station. The effect that it can do is acquired. In addition, this embodiment can be used in combination with each of the first to sixth embodiments of the present invention described above.

  Moreover, although the present Example is described in the system which used radio | wireless as a transmission medium between the radio | wireless terminal apparatuses 2-1 and 2-2, and the radio base station 1, even when using a wired transmission medium, The access control method of the present invention can also be applied to a system that requires authentication for network connection when data communication is performed between a wired base station and a wired terminal device.

  INDUSTRIAL APPLICABILITY The present invention is applicable to a device that requires authentication for network connection before performing data communication by wireless LAN in a terminal device or base station of wireless LAN or wired LAN.

It is a block diagram which shows the structure of the radio | wireless communications system by 1st Example of this invention. It is a block diagram which shows the structure of the authentication apparatus of FIG. FIG. 2 is a block diagram showing a configuration of a radio base station in FIG. 1. It is a figure which shows the structural example of the parameter memory | storage part of FIG. (A) is a figure which shows the structural example of the access control information format by the 1st Example of this invention, (b) is a figure which shows the structural example of the attribute value format by the 1st Example of this invention. (A) is a figure which shows the original attribute list by the 1st Example of this invention, (b) is a figure which shows the value of each attribute by the 1st Example of this invention. It is a sequence chart which shows the operation | movement of the radio | wireless communications system by 1st Example of this invention. 4 is a flowchart showing an operation of the radio base station of FIG. 3. It is a block diagram which shows the structure of the wireless base station by the 2nd Example of this invention. It is a block diagram which shows the structure of the radio | wireless terminal apparatus by the 4th Example of this invention. It is a block diagram which shows the structure of the radio | wireless terminal apparatus by the 5th Example of this invention. It is a block diagram which shows the structure of the radio | wireless terminal apparatus by the 6th Example of this invention. It is a figure which shows the original attribute list by 6th Example of this invention. It is a figure which shows the value of each attribute by the 6th Example of this invention. It is a figure which shows the structural example of the parameter memory | storage part by the 6th Example of this invention. It is a block diagram which shows the system configuration | structure of the radio | wireless communications system by the 7th Example of this invention.

Explanation of symbols

1,6 Wireless base station 2-1, 2-2, 7, 8, 9 Wireless terminal equipment
3 Authentication device
4 User registration database device
5 Terminal equipment
11, 35 Wired communication interface
12, 73 Access control information storage unit
13,72 Access control unit
14, 34, 74 Communication control unit
15 Wireless communication interface section 16, 36, 63, 77,
82,91 recording medium
22, 33, 62 Parameter storage unit
31, 61 Setting interface part
32 User information storage unit
40 Gateway device
71 Communication application section
75 Wireless communication interface
76 User interface
81 Application Department
100 LAN line or WAN line 711,712,812 Communication application
811 Application

Claims (64)

  A communication system that requires authentication by an authentication device when connecting to a network from a terminal device via a base station device, wherein access control information for the terminal device is sent together with an authentication success notification to the terminal device in cooperation with the authentication A communication system characterized in that the authentication device has means for notifying the base station device.   The communication system according to claim 1, wherein the means for notifying the access control information notifies information indicating whether the application in the terminal device can be activated or not as the access control information.   2. The communication system according to claim 1, wherein the means for notifying the access control information notifies different access control information different for each application in the terminal device as the access control information.   The communication system according to claim 2 or 3, wherein the authentication device manages a plurality of access control information.   5. The communication system according to claim 4, wherein the authentication device dynamically changes access control information for the terminal device in cooperation with information obtained from an authentication request from the terminal device.   6. The communication system according to claim 5, wherein as information obtained from the authentication request, access control information for the terminal device is dynamically changed in cooperation with a user name of the terminal device.   The information obtained from the authentication request dynamically changes access control information for the terminal device in cooperation with a domain name to which the terminal device belongs, which is included in a user name of the terminal device. 5. The communication system according to 5.   6. The access control information for the terminal device is dynamically changed as the information obtained from the authentication request in cooperation with a base station device that the terminal device is attempting to perform data communication. Communication system.   As the information obtained from the authentication request, the authentication device defines the user unit of the authentication, the domain name unit to which the terminal device belongs, and the group unit to which the base station device belongs, and holds the group unit. 6. The communication system according to claim 5, wherein access control information for the terminal apparatus is dynamically changed using control information.   10. The base station apparatus according to claim 6, further comprising means for holding a filtering function of data passing / discarding for each terminal apparatus based on access control information notified from the authentication apparatus. Any one of the communication systems.   7. The base station apparatus includes means for holding a filtering function for data passing / discarding for each terminal apparatus based on access control information for each terminal apparatus set in the base station apparatus. The communication system according to claim 9.   The communication system according to claim 11, wherein the base station apparatus notifies the authentication apparatus in advance of access control information for the terminal apparatus set by itself.   The base station apparatus determines whether to provide the filtering function based on access control information notified from the authentication apparatus or access control information set in the own apparatus. Or the communication system of Claim 11.   The base station device adds information on whether or not the contents can be changed to each item in the access control information notified from the authentication device, and determines whether or not the filtering function is provided. The communication system according to claim 13.   15. The communication system according to claim 10, wherein the base station apparatus notifies the access control information to the terminal apparatus.   16. The communication system according to claim 15, wherein the terminal device holds a filtering function for data passage / discard for each application based on access control information notified from the base station device.   16. The communication system according to claim 15, wherein the terminal device is enabled / disabled from a user interface based on at least a corresponding menu for each application based on access control information notified from the base station device.   The terminal device controls functions that can be used in the application in the device by setting individual detailed access control information for each application based on the access control information notified from the base station device. The communication system according to claim 15, characterized in that:   Means for holding a filtering function of data passing / discarding for each terminal device based on access control information notified from the authentication device to a gateway device arranged between the base station device and the network The communication system according to any one of claims 6 to 9, further comprising:   The communication system according to any one of claims 1 to 19, wherein the terminal device is connected to a transmission medium via the base station device using radio.   An authentication device that performs authentication for the terminal device when connecting to the network from the terminal device via a base station device, the access control information for the terminal device together with a successful authentication notification for the terminal device in cooperation with the authentication An authentication apparatus comprising means for notifying a base station apparatus.   23. The authentication apparatus according to claim 21, wherein the means for notifying the access control information notifies information indicating whether the terminal device can be activated or not as the access control information.   The authentication device according to claim 21, wherein the means for notifying the access control information notifies the access control information of different detailed access control information for each application in the terminal device.   The authentication device according to claim 22 or 23, wherein a plurality of access control information is managed.   25. The authentication apparatus according to claim 24, wherein access control information for the terminal apparatus is dynamically changed in cooperation with information obtained from an authentication request from the terminal apparatus.   26. The authentication apparatus according to claim 25, wherein as the information obtained from the authentication request, access control information for the terminal apparatus is dynamically changed in cooperation with a user name of the terminal apparatus.   The information obtained from the authentication request dynamically changes access control information for the terminal device in cooperation with a domain name to which the terminal device belongs, which is included in a user name of the terminal device. 25. Authentication apparatus according to 25.   26. The information obtained from the authentication request dynamically changes access control information for the terminal device in cooperation with a base station device that the terminal device is attempting to perform data communication. Authentication device.   As the information obtained from the authentication request, the authentication user unit, the domain name unit to which the terminal device belongs, and the group unit to which the base station device unit belongs are defined, and access control information held in the group unit is used. 26. The authentication apparatus according to claim 25, wherein access control information for the terminal apparatus is dynamically changed.   30. The authentication apparatus according to claim 21, wherein the terminal apparatus connects to a transmission medium via the base station apparatus using radio.   A base station device that connects a terminal device that requires authentication by an authentication device when connected to the network to the network according to the authentication result, the terminal being notified together with a notification of successful authentication from the authentication device A base station apparatus comprising means for holding a filtering function of data passing / discarding for each terminal apparatus based on access control information for the apparatus.   A base station device that connects a terminal device that requires authentication by an authentication device when connecting to the network to the network according to the authentication result, and access control information for each terminal device set by the device itself And a means for holding a filtering function for data passing / discarding for each terminal device based on the base station device.   The base station apparatus according to claim 32, wherein access control information for the terminal apparatus set by the own apparatus is notified to the authentication apparatus in advance.   33. The method according to claim 31, wherein the filtering function is determined based on access control information notified from the authentication device or access control information set in the own device. Base station device.   The information in the access control information notified from the authentication device is added with information indicating whether the contents can be changed or not to be used as a criterion for determining whether or not the filtering function is provided. Item 34. The base station apparatus according to Item 34.   The base station apparatus according to any one of claims 31 to 35, wherein the access control information is notified to the terminal apparatus.   The base station apparatus according to any one of claims 31 to 36, wherein the terminal apparatus is connected to a transmission medium via the own apparatus by radio.   A filtering function for passing / discarding data for each application based on access control information notified from the base station apparatus, which is a terminal apparatus that requires authentication by an authentication apparatus when connecting to a network via the base station apparatus A terminal device comprising means for holding the terminal.   39. The terminal apparatus according to claim 38, wherein the terminal apparatus is enabled / disabled from a user interface based on a menu corresponding at least for each application based on access control information notified from the base station apparatus.   The function that can be used in the application in the own device is controlled by setting individual detailed access control information for each application based on the access control information notified from the base station device. 38. The terminal device according to 38.   41. The terminal apparatus according to claim 38, wherein the terminal apparatus is connected to a transmission medium via the base station apparatus using radio.   In a communication system that requires authentication by an authentication device when connecting to a network from a terminal device via a base station device, the gateway device is disposed between the base station device and the network, and the authentication device A gateway device comprising a means for holding a filtering function for data passing / discarding for each terminal device based on access control information notified from the terminal device.   43. The gateway apparatus according to claim 42, wherein the terminal apparatus is connected to a transmission medium via the base station apparatus using radio.   An access control method used in a communication system that requires authentication by an authentication device when connecting to a network from a terminal device via a base station device, wherein the authentication device is connected to the terminal device in cooperation with the authentication. An access control method comprising a process of notifying the base station device of access control information for the terminal device together with an authentication success notification.   45. The access control method according to claim 44, wherein in the process of notifying the access control information, start enable / disable information for an application in the terminal device is notified as the access control information.   45. The access control method according to claim 44, wherein the process of notifying the access control information notifies different detailed access control information for each application in the terminal device as the access control information.   The access control method according to claim 45 or 46, wherein the authentication device manages a plurality of access control information.   48. The access control method according to claim 47, wherein the authentication device dynamically changes access control information for the terminal device in cooperation with information obtained from an authentication request from the terminal device.   49. The access control method according to claim 48, wherein as the information obtained from the authentication request, access control information for the terminal device is dynamically changed in cooperation with a user name of the terminal device.   The information obtained from the authentication request dynamically changes access control information for the terminal device in cooperation with a domain name to which the terminal device belongs, which is included in a user name of the terminal device. 48. The access control method according to 48.   49. The access control information for the terminal device is dynamically changed in cooperation with a base station device that the terminal device is attempting to perform data communication as information obtained from the authentication request. Access control method.   As the information obtained from the authentication request, the authentication device defines the user unit of the authentication, the domain name unit to which the terminal device belongs, and the group unit to which the base station device belongs, and holds the group unit. 49. The access control method according to claim 48, wherein access control information for the terminal apparatus is dynamically changed using control information.   The base station apparatus holds a filtering function for data passing / discarding for each terminal apparatus based on the access control information notified from the authentication apparatus. The access control method described.   50. The base station apparatus holds a filtering function for data passing / discarding for each terminal apparatus based on access control information for each terminal apparatus set in the base station apparatus. Item 53. The access control method according to any one of Items 52.   55. The access control method according to claim 54, wherein the base station apparatus notifies the authentication apparatus in advance of access control information for the terminal apparatus set by the base station apparatus.   The base station apparatus determines whether to provide the filtering function based on access control information notified from the authentication apparatus or access control information set in the base station apparatus. 55. The access control method according to claim 53 or 54.   The base station device adds information on whether or not the contents can be changed to each item in the access control information notified from the authentication device, and determines whether or not the filtering function is provided. 57. The access control method according to claim 56, wherein:   The access control method according to any one of claims 53 to 57, wherein the base station apparatus notifies the access control information to the terminal apparatus.   59. The access control method according to claim 58, wherein the terminal apparatus holds a filtering function for data passage / discard for each application based on access control information notified from the base station apparatus.   59. The access control method according to claim 58, wherein the terminal device enables / disables activation from a user interface based on a menu corresponding at least for each application based on access control information notified from the base station device.   The terminal device controls functions that can be used in the application in the terminal device by setting individual detailed access control information for each application based on the access control information notified from the base station device. 59. The access control method according to claim 58.   A gateway device disposed between the base station device and the network holds a filtering function for data passing / discarding for each terminal device based on access control information notified from the authentication device. 53. The access control method according to any one of claims 49 to 52, wherein:   The access control method according to any one of claims 44 to 62, wherein the terminal apparatus connects to a transmission medium via the base station apparatus using radio. A program of an access control method used in a communication system that requires authentication by an authentication device when connecting to a network from a terminal device via a base station device, the computer of the authentication device in cooperation with the authentication The program for performing the process which notifies the access control information with respect to the said terminal device to the said base station apparatus with the authentication success notification with respect to a terminal device.

Images