JP2008042862A - Wireless lan communication system, method thereof and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve value of an advertisement and to increase advertising revenue so as to provide, as a result, free or low-priced public wireless LAN services to a user. <P>SOLUTION: A wireless LAN communication system 1 includes: an authentication means 9 which authenticates a wireless LAN device 6 when the wireless LAN device 6 requests a connection to a wireless LAN access point 5; and advertising means 11, 12, 13 each for distributing an advertisement to the wireless LAN device 6 when the wireless LAN device 6 requests the connection to the wireless LAN access point 5, wherein the authentication means 9 completes the authentication of the wireless LAN device 6 after the wireless LAN device 6 meets the display ending conditions of advertisements transmitted from the advertising means 11, 12, 13. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a wireless LAN communication system, a method and a program for performing wireless communication between a wireless LAN access point connected to a wireless LAN network and a plurality of wireless LAN devices.

In recent years, in public spaces other than homes or offices such as stations, airports, hotels, cafes, etc., using a public wireless LAN service that provides an environment for accessing a wireless LAN network, a notebook personal computer, a PDA (Personal Data Assistant) or a mobile phone Wireless LAN communication systems that perform wireless communication by telephone have become widespread, and various wireless LAN communication systems have been developed (see, for example, Patent Document 1).
Japanese Patent Laid-Open No. 2004-21547

  However, in the above-described conventional wireless LAN communication system, even though the public wireless LAN service can be used only in a limited place, even if a fixed monthly fee is set or the usage fee is charged according to the degree of use. Since a certain basic usage amount is imposed, the user is not regarded as having a balance between the service usage frequency and the usage load, which hinders the user's intention to use the public wireless LAN service.

  In addition, some public wireless LAN services are provided free of charge as part of customer service by facility owners, but such public wireless LAN services do not provide direct revenue to facility owners. For this reason, there are many cases where the use of facilities is a condition and it is difficult for users to use. In addition, the facility owner is less likely to maintain the system so that the user can use it easily. As a result, it is difficult for the user to understand the connection / authentication method, or the security level is extremely low. There were many systems that did this. Due to such a state, the wireless LAN communication system using the public wireless LAN service has not yet reached an environment where it is actively used by many users.

  In the above-described conventional wireless LAN communication system, wireless LAN connection authentication is performed in units of individual devices. However, in recent years, users have wireless LAN functions such as laptop computers, PDAs, mobile phones, and game machines. There are increasing cases of carrying multiple devices simultaneously. For this reason, when such a user wants to use a public wireless LAN service, connection authentication must be performed for each individual device, which greatly hinders user convenience.

  Furthermore, there are currently a wide variety of devices equipped with wireless LAN functions, but many of them have limited authentication methods, and such devices should use public wireless LAN services. In such a case, the SSID or encryption key set by the service provider must be obtained and input to the device, which is not convenient for the user.

  Furthermore, in the above-described conventional wireless LAN communication system, in order to access the public wireless LAN service, preparation and knowledge for accessing the SSID, encryption key, password, certificate, software, device, etc. are required in advance. It had been. Therefore, when a user accesses a public wireless LAN service for the first time, even if a wireless LAN access point can be found, a method of accessing the wireless LAN access point is not known, and eventually the user does not use the public wireless LAN service. There were many.

  In order to solve the above-described problems, a wireless LAN communication system, method, and program according to the present invention provide a service on a target network before a user connects to a public wireless LAN service or via a public wireless LAN service. By promoting users to view advertisements before reaching, and then allowing users to use the service, it increases the value of advertisements and increases advertising revenues, resulting in a free or inexpensive price for users. The purpose is to provide a public wireless LAN service.

  In addition, the wireless LAN communication system, the method and the program according to the present invention hold the devices with wireless LAN function owned by one user in the database as the same device group, and any one device is authenticated in the public wireless LAN service. In such a case, it is assumed that all devices in the same device group have been authenticated, and connection of these devices is permitted, thereby avoiding the user from having to authenticate a plurality of devices, and public wireless LAN service. The purpose is to improve the convenience of the user.

  Further, the wireless LAN communication system, method and program thereof according to the present invention call a user's mobile phone from a circuit-switched network as an advertisement distribution method as a condition for authenticating connection to a public wireless LAN service, and perform voice advertisement. By allowing the device group to which the mobile phone belongs to connect to the public wireless LAN service at the end of the listening, even if the wireless LAN device does not have an advanced function, the public wireless communication can be performed without troublesome procedures. An object is to improve convenience for the user by connecting to a LAN.

  Furthermore, the wireless LAN communication system, the method and the program according to the present invention permit only the connection to the “initial connection portal” even if the access is from a user who does not exist in the user database. The purpose is to guide a user who connects to a public wireless LAN service for the first time to use the service smoothly by downloading a program and providing information for access.

  To achieve the above object, the present invention is a wireless LAN communication system including a wireless LAN access point connected to a wireless LAN network and a plurality of wireless LAN devices that wirelessly communicate with the wireless LAN access point. When the wireless LAN device requests connection to the wireless LAN access point, authentication means for authenticating the wireless LAN device and when the wireless LAN device requests connection to the wireless LAN access point And an advertising means for delivering an advertisement to the wireless LAN device, wherein the authenticating means is configured to allow the wireless LAN device to operate after the wireless LAN device satisfies the advertisement display end condition transmitted from the advertising means. It is characterized by completing authentication.

  The wireless LAN access point may transmit the IP address of the wireless LAN access point to the wireless LAN device after the wireless LAN device satisfies the advertisement display termination condition transmitted from the advertising unit. .

  The wireless LAN access point may transmit the IP address of the wireless LAN access point to the wireless LAN device before the wireless LAN device satisfies an advertisement display termination condition transmitted from the advertising unit. .

  Furthermore, the authentication means may perform authentication in units of wireless LAN devices composed of a plurality of wireless LAN devices owned by the same registered user.

  The wireless LAN device of the unregistered user may request initial connection means for performing a registration process for the wireless LAN device of the unregistered user when the wireless LAN device requests connection to the wireless LAN access point.

  The present invention is also a wireless LAN communication method for performing wireless communication between a wireless LAN access point connected to a wireless LAN network and a plurality of wireless LAN devices, wherein the wireless LAN device performs the wireless LAN access. A step of completing authentication of the wireless LAN device after the wireless LAN device satisfies the advertisement display end condition transmitted from the advertising means when the connection to the point is requested; Features.

  The wireless LAN device may further include a step of transmitting an IP address of the wireless LAN access point to the wireless LAN device after the advertisement display end condition transmitted from the advertising unit is satisfied.

  The wireless LAN device may further include a step of transmitting an IP address of the wireless LAN access point to the wireless LAN device before the end condition of the advertisement display transmitted from the advertising unit is satisfied.

  Furthermore, the authentication unit may include a step of performing authentication in units of wireless LAN device groups including a plurality of wireless LAN devices owned by the same registered user.

  Furthermore, when a wireless LAN device of an unregistered user requests connection to the wireless LAN access point, an initial connection unit may include a step of performing registration processing for the wireless LAN device of the unregistered user.

  Furthermore, the present invention is a wireless LAN communication program for causing a computer to execute the above steps.

  According to the present invention, after the wireless LAN device satisfies the advertisement display end condition transmitted from the advertising means, the authentication of the wireless LAN device is completed, thereby increasing the value of the advertisement and increasing the advertising revenue. As a result, the public wireless LAN service can be provided to the user at a free or inexpensive price.

  Further, by performing authentication in units of wireless LAN devices composed of a plurality of wireless LAN devices owned by the same user, it is possible to avoid the user's trouble of performing authentication of a plurality of devices, and convenience for users in public wireless LAN services. Can be improved.

  When an unregistered user's wireless LAN device requests connection to the wireless LAN access point, the wireless LAN device is connected to the public wireless LAN service for the first time by providing an initial connection means for performing registration processing on the wireless LAN device of the unregistered user. The user can be guided so that the service can be used smoothly.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. First, the configuration of a wireless LAN communication system according to an embodiment of the present invention will be described with reference to FIG. Here, FIG. 1 is a network diagram showing a wireless LAN communication system according to an embodiment of the present invention.

  A wireless LAN communication system 1 according to an embodiment of the present invention includes a management server group 2 that manages data distribution destinations, and an access controller that is connected to the management server group 2 via an IP (Internet Protocol) communication network 3. 4 and a wireless LAN access point 5, and a wireless LAN device group 6 that communicates wirelessly with the wireless LAN access point 5.

  The management server group 2 includes a user database 7 in which data of users who use the system are registered, an authentication station 8, an authentication server 9, and an initial connection portal 10 respectively connected to the user database 7, and for download Advertising server 11, streaming advertising server 12, and circuit-switched voice advertising server 13.

  In the user database 7, information of the wireless LAN device group 6 possessed by a certain user is registered as a “device group” of the user, and one of the wireless LAN devices of the certain user is authenticated by the public wireless LAN service. In this case, it is possible to connect to the public wireless LAN service as if all the wireless LAN devices belonging to the same device group have completed the connection authentication.

  Further, the wireless LAN device group 6 includes circuit-switched voices via a personal computer 14, a PDA 15, a portable game machine 16, a wireless LAN dual cellular phone 17, and a circuit-switched network 18 owned by the same user registered in the user database 7. It comprises a plurality of wireless LAN devices such as a mobile phone 19 connected to the advertisement server 13 for use.

  In the wireless LAN communication system 1 according to the present embodiment, EAP-x-AD is used. This EAP-x-AD is a protocol that is used in the connection authentication standard “802.1X” in the wireless LAN and extends the authentication protocol “EAP” defined in RFC3748. In the final stage of EAP authentication, advertisement information is transmitted. It is improved so that it can be sent to the client and the authentication is completed upon viewing the advertisement.

  In EAP-x-AD, an IP address is given to a wireless LAN client after completion of advertisement viewing. Hereinafter, this method is referred to as “AD then IP”. On the other hand, the following description also refers to a method of distributing advertisements after assigning an IP address to a wireless LAN client. Hereinafter, this method will be referred to as “IP Homehole”. Since EAP-x-AD acts as an upward compatible protocol for various extended protocols in EAP, for example, EAP-TLS-AD, PEAP-AD, EAP-TTLS-AD, EAP-SIM-AD, EAP-AKA- There is a type of EAP-x-AD for each EAP extension protocol such as AD.

  The wireless LAN communication system 1 according to the present embodiment is a wireless LAN communication program obtained by downloading to each wireless LAN device from a storage medium such as a CD-ROM or a server on a network such as the initial connection portal 10. The wireless LAN communication program corresponds to EAP-x-AD in the AD then IP system. Further, as an important function of this program, it has a function of detecting that the advertisement display / reproduction is completed and notifying the wireless LAN access point 5, the access controller 4, and the authentication server 9 of this. Since access to the public wireless LAN service is permitted by this notification, the user surely views the advertisement, and the wireless LAN communication programs in the same device group communicate with each other as necessary. Can be done.

  In the wireless LAN communication system 1 according to the present embodiment, the authentication protocol “EAP” is extended, and multi-EAP is also used as an improved protocol that can simultaneously authenticate a plurality of wireless LAN devices. In this multi-EAP, as with EAP-x-AD, multi-EAP can be performed for each EAP extended protocol. In addition, since it is possible to use different EAP formats even for devices in the same device group, there is also a function that can apply an appropriate EAP format for each device even for the same authentication request.

  The access controller 4 is a device or software that performs connection management at the layer 3 (IP) level with respect to the wireless LAN access point 5 that performs connection management at the layer 2 (MAC) level. 1 functions as a gateway to the IP network 3. The access controller 4 also manages a plurality of wireless LAN access points 5 in the same wireless LAN hotspot, and may be provided integrally with the wireless LAN access point 5 or separately. .

  The wireless LAN access point 5 is a wireless base station that operates in accordance with the 802.11 (Wi-Fi) standard, and is a device that provides a network connection to wireless LAN clients. When the above-mentioned AD IP is adopted, , It is necessary to support EAP-x-AD. In order to simultaneously authenticate the wireless LAN device group 6 of the same device group, the wireless LAN access point 5 needs to support multi-EAP.

  The authentication server 9 is a server for authenticating the connection when the wireless LAN device requests connection to the wireless LAN access point 5, and assumes that the RADIUS protocol or Diameter protocol is used. . In the present invention, it is necessary to support multi-EAP.

  The initial connection portal 10 is a server that provides services such as user registration, download of a wireless LAN communication program, and provision of usage information to a user, and a user who has made a connection request uses an AD then IP method or an IP homehole method. If the authentication by the wireless LAN access point 5 is not successful, the wireless LAN access point 5 or the access controller 4 permits connection only to the initial connection portal 10. Further, the initial connection portal 10 may be disposed in a data center of a public wireless LAN service provider, or may be disposed in the same network as the wireless LAN access point 5 and the access controller 4. Further, the initial connection portal 10 may be integrated with the wireless LAN access point 5 and the access controller 4.

  The download advertisement server 11 is a server that distributes advertisements when the wireless LAN device requests connection to a public wireless LAN service, and handles download data. The streaming advertisement server 12 is a server that distributes advertisements when the wireless LAN device requests connection to a public wireless LAN service, and is a server that handles streaming data. Further, the advertisement server 13 for circuit-switched voice is a server that distributes advertisements when the wireless LAN device requests connection to a public wireless LAN service, and the advertisement server 13 has a function as an exchange. When a request for advertisement distribution is received, the server calls a user's telephone (mainly mobile phone 19) on a circuit switching network and transmits an advertisement by voice.

  When the AD then IP method is used, all the advertisement servers 11, 12, 133 need to support the EAP-x-AD. Further, all the advertisement servers 11, 12, 13 may be arranged in the data center of the public wireless LAN service provider, or may be arranged in the same network as the wireless LAN access point 5 and the access controller 4. . Furthermore, all the advertisement servers 11, 12, and 13 may be integrated with the wireless LAN access point 5 and the access controller 4, and these may be designed to hold advertisement caches.

  In the embodiment of the present invention, a plurality of IP address assignment methods, authentication methods, and advertisement transmission routes are prepared, and when the service is actually deployed, it depends on the environment of the facility and the user's selection. Each method is applied in combination.

  First, as an IP address assigning method, there are the AD then IP method and the IP Homehole method. The AD then IP method is a method for assigning an IP address to a wireless LAN device only after advertisement display is completed. In this method, since the IP address is not given until the advertisement display is completed, it is certain that the user views the advertisement, and at the same time, high security can be ensured. In order to execute this method, it is necessary to incorporate procedures such as advertisement transmission / reception / display / display end notification into EAP. A protocol in which these procedures are incorporated is called EAP-x-AD and falls within the scope of the present invention.

  On the other hand, the IP format method is a method for ensuring viewing of an advertisement by performing IP level packet filtering by the access controller 4 until an advertisement display is completed after an IP address is assigned in accordance with a normal EAP procedure. In this method, an IP address is given before the advertisement viewing is completed, but access to the wireless LAN device is blocked except for the advertisement servers 11 and 12 until the access controller 4 completes the advertisement viewing. Will almost certainly see the ad. However, in this method, since an IP address is given before advertisement viewing is completed, if there is some vulnerability in the system, there is a possibility that it is possible to bypass the advertisement display and connect to the public wireless LAN service. A little remains. In this method, since the wireless LAN access point 5 or the like does not need to support EAP-x-AD, the introduction is easier than the AD then IP method. Moreover, since IP is used, it is advantageous also in the performance of advertisement distribution.

  Secondly, the authentication method follows each of the existing EAP formats, but there are two representative methods: “password-based authentication” and “certificate-based authentication”. There are PEAP and PEAP-AD for password-based authentication. PEAP is a typical protocol for verifying the identity of a user by inputting an ID and a password in various EAP-derived protocols. -AD is the PEAP corresponding to EAP-x-AD. In the case of the AD then IP method, it is necessary to use PEAP-AD, and in the case of the IP format method, the existing PEAP can be used as it is. Other similar password-based authentication protocols include EAP-TTLS. This can also be expanded as EAP-TTLS-AD so that it can be used in the AD then IP system.

  On the other hand, there are EAP-TLS and EAP-TLS-AD for certificate-based authentication, and EAP-TLS is a representative protocol that performs identity verification using digital certificates issued in advance in various EAP-derived protocols. EAP-TLS-AD is an EAP-TLS corresponding to EAP-x-AD. In the case of the AD then IP method, it is necessary to use EAP-TLS-AD, and in the case of the IP waveform method, the existing EAP-TLS can be used as it is. Similar certificate-based authentication protocols include EAP-SIM and EAP-AKA. These can be extended as EAP-SIM-AD or EAP-AKA-AD so that they can be used in the AD then IP system.

Third, there are two methods for transmitting advertisements: the “AD via IP” method and the “AD via CS” method.
The AD via IP system is a system for distributing advertisements through the IP network 3. Advertisements distributed by this method include text, still images, animated images, moving and moving files, audio files, etc. for download types, and video streaming data, audio streaming data, etc. for streaming types Is included.

  On the other hand, the AD via CS system is a system in which the advertisement server 13 for circuit-switched voice uses a circuit switching function to distribute advertisements by voice via the circuit-switched network 18, and advertisements distributed by this system are exclusively used. It will be by voice.

  Next, the operation of the wireless LAN communication system 1 according to the embodiment of the present invention will be described. First, referring to FIG. 2, in the wireless LAN communication system according to the embodiment of the present invention, the IP address assignment method is AD then IP, the authentication method is EAP-TLS-AD, and the advertisement transmission path is AD via IP. The operation of will be described. Here, FIG. 2 is a sequence diagram showing an operation flow in this case.

  When there is a connection request from any one of the wireless LAN devices in the wireless LAN device group 6 to the wireless LAN access point 5, the wireless LAN communication program controls the wireless LAN device and establishes a connection to the wireless LAN access point 5. Start (S101). It should be noted that the procedure at this time follows normal 802.11 regulations.

  In response, the wireless LAN communication program, the wireless LAN access point 5, and the authentication server 9 in the wireless LAN device start an authentication procedure using the EAP-TLS protocol and the RADIUS protocol (S102). In executing EAP-TLS, the wireless LAN communication program presents a client certificate (S103). This client certificate is issued in advance by the certificate authority 8.

  In this example, a certificate managed by the wireless LAN communication program itself is presented. However, for example, when a certificate is stored in a certificate token, the wireless LAN communication program uses a token. You may obtain and present the certificate.

  Next, as a final procedure of EAP-TLS, an EAP-Success message is sent from the authentication server 9 to the wireless LAN access point 5 (S104). In the case of normal EAP-TLS, this EAP-Success is transferred to the wireless LAN device as it is, but in EAP-TLS-AD, it is temporarily placed at the wireless LAN access point 5.

  The wireless LAN access point 5 that has received the EAP-Success from the authentication server 9 in this way transmits an EAP-Request AD-Request message to the wireless LAN device (S105). The wireless LAN communication program that has received this returns an EAP-Response AD-Request message to the wireless LAN access point 5 (S106). This EAP-Response AD-Request is transmitted over the IP protocol from the wireless LAN access point 5 to the advertisement servers 11 and 12 (S107).

  In this example, HTTP is used for communication between the wireless LAN access point 5 and the advertisement servers 11 and 12, but protocols such as FTP, SIP, and RTP other than HTTP can also be used.

  Next, the advertisement servers 11 and 12 start transmitting advertisement data to the wireless LAN access point 5 as a response to the requested IP protocol. The lower layer includes an EAP-Request AD-Transfer message as an EAP protocol (S108, S109).

  In this example, advertisement data is transmitted from the advertisement servers 11 and 12 to the wireless LAN access point 5 by HTTP. However, the advertisement data is transmitted as an EAP protocol to the wireless LAN communication program from the wireless LAN access point 5. Is transmitted (S109). In the first EAP-Request AD-Transfer packet, an advertisement type and an advertisement display end condition are described.

  Next, the wireless LAN communication program displays / reproduces the transmitted advertisement data, and determines the end of the advertisement display according to the type of the transmitted advertisement (S110). In this case, if the transmitted advertisement is a text sentence or a still image, the elapse of a predetermined time is set as an end condition, and if it is an animation image such as GIF, the display of the final frame is set as an end condition. If the transmitted advertisement is a moving image file such as WMV format or Flash, the completion of reproduction is set as an end condition, and if it is streaming data such as RTP, the arrival and reproduction of final data is set as an end condition.

  If the advertisement display end condition is satisfied, the wireless LAN communication program returns an EAP-Response AD-Transfer message to the wireless LAN access point 5 (S111). In response to this, the wireless LAN access point 5 transmits the EAP-Success reserved at this time to the wireless LAN device (S112), whereby the 802.1X authentication is completed.

  When the authentication procedure according to 802.11i is adopted, a 4-way handshake process for delivering the encryption key from the wireless LAN access point 5 to the wireless LAN device is subsequently executed.

  Next, in the wireless LAN communication system according to the embodiment of the present invention, the operation when the IP address assignment method is IP Home, the authentication method is PEAP, and the advertisement transmission path is AD via IP will be described with reference to FIG. To do. Here, FIG. 3 is a sequence diagram showing an operation flow in this case.

  In this example, the access controller 4 plays the role of a gateway in each wireless LAN hot spot, and in the initial state, the connection with the wireless LAN device other than the advertisement servers 11 and 12 and the initial connection portal 10 is blocked. In addition, an IP packet filtering rule is set (S201).

  In this setting state, the wireless LAN communication program controls the wireless LAN device and starts connection to the wireless LAN access point 5 (S202). This procedure follows the normal 802.11 standard.

  In response to this, the wireless LAN communication program in the wireless LAN device, the wireless LAN access point 5, and the authentication server 9 execute an authentication procedure using a normal PEAP protocol (S203).

  In this case, unlike the above-mentioned IP the IP method, the wireless LAN access point 5 does not hold the EAP-Success message transfer in the IP Wormole method, as in the normal 802.1X authentication process (in this case). Complete authentication (if using PEAP).

  When the authentication procedure according to 802.11i is adopted, a 4-way handshake process for delivering the encryption key from the wireless LAN access point to the wireless LAN device is subsequently executed.

  Since access to the advertisement servers 11 and 12 is permitted by the access controller, the wireless LAN communication program accesses the advertisement servers 11 and 12 and makes a transmission request for advertisement data (S204). In response to this transmission request, the advertisement servers 11 and 12 transmit advertisement data to the wireless LAN communication program, and the wireless LAN program displays and reproduces the advertisement data (S205).

  Next, the wireless LAN communication program determines the end of advertisement display according to the type of advertisement that has been transmitted (FIG. S206). In this case, if the transmitted advertisement is a text sentence or a still image, the elapse of a predetermined time is set as an end condition, and if it is an animation image such as GIF, the display of the final frame is set as an end condition. If the transmitted advertisement is a moving image file such as WMV format or Flash, the completion of reproduction is set as an end condition, and if it is streaming data such as RTP, the arrival and reproduction of final data is set as an end condition.

  When the advertisement display end condition is satisfied in this way, the wireless LAN communication program transmits an IP packet filtering rule change request to the access controller 4 (S207). Since the access controller 4 is a gateway for the wireless LAN device, the wireless LAN communication program can know the IP address of the access controller 4. Then, the access controller 4 that has received the IP packet filtering rule change request gives access permission to all the IP networks 3 only to the wireless LAN device that has transmitted the change request (S208). Thereby, the authentication of the wireless LAN device is completed, and the wireless LAN device can freely use the public wireless LAN service.

  Next, with reference to FIG. 4, the operation when the advertisement transmission path is AD via CS in the wireless LAN communication system according to the embodiment of the present invention will be described. Here, FIG. 4 is a sequence diagram showing an operation flow in this case. In this example, the IP address assignment method is IP Homehole, and the authentication method is EAP-TLS, but other methods can be combined.

  In this example, in the initial state, the IP packet filtering rule is set so that the access controller 4 blocks connection to the wireless LAN device other than the advertisement server 13 and the initial connection portal 10 (S301).

  In this setting state, the wireless LAN communication program controls the wireless LAN device and starts connection to the wireless LAN access point 5 (S302). This procedure follows the normal 802.11 standard.

  In response, the wireless LAN communication program in the wireless LAN device, the wireless LAN access point 5, and the authentication server 9 execute an authentication procedure using a normal EAP-TLS protocol (S303).

  When the authentication procedure according to 802.11i is adopted, a 4-way handshake process for delivering the encryption key from the wireless LAN access point 5 to the wireless LAN device is subsequently executed.

  Next, the wireless LAN communication program accesses the advertisement server 13 for circuit-switched voice and makes a transmission request for the advertising voice (S304). Upon receiving this call request, the circuit-switched voice advertisement server 13 makes a call to the mobile phone 19 of the wireless LAN device group 6 belonging to the same device group (S305), and when the mobile phone 19 rings, the user Performs the incoming call operation of the mobile phone (S306).

  Next, the advertisement server 13 for circuit-switched voice transmits advertisement voice to the user's mobile phone 19 (S307). This advertising sound includes passcode information consisting of only a single digit. In this case, in order to avoid the user's act of “reproducing the advertisement and releasing the handset from the ear”, the user may be requested to input a pass code included in the advertisement voice (S308). The input passcode is transmitted as a DTMF signal to the advertisement server 13 for circuit switched voice (S309). The advertisement server 13 for circuit-switched voice that has confirmed that the passcode is correct transmits an IP packet filtering rule change request to the access controller 4 (S310).

  From the viewpoint of service development, when the public wireless LAN service provider makes it unnecessary to input a passcode from the user, it is not necessary to confirm the passcode, and the advertisement server 13 for circuit-switched voice can receive the advertisement voice. When the transmission is completed, an IP packet filtering rule change request is transmitted to the access controller 4.

  In this way, the access controller 4 that has received the IP packet filtering rule change request gives access permission to all IP networks 3 only to the wireless LAN device that originally made the connection request (S311). Thereby, the authentication of the wireless LAN device is completed, and the wireless LAN device can freely use the public wireless LAN service.

  Next, referring to FIG. 5, in the wireless LAN communication system according to the embodiment of the present invention, a user who is not registered in the user database 7 connects to the initial connection portal 10 and performs user registration to perform a wireless LAN communication program. The operation when downloading is described. Here, FIG. 5 is a sequence diagram showing an operation flow in this case.

  In the initial state, the access controller 4 is set with an IP packet filtering rule so as to block the connection to the wireless LAN device other than the advertisement servers 11 and 12 and the initial connection portal 10 (S401).

  The wireless LAN device searches for a wireless LAN access point 5 to access a public wireless LAN service. The wireless LAN access point 5 according to the present invention uses an SSID for unregistered users separately from the SSID for this service. keeping. Unregistered users are permitted to connect using the SSID for unregistered users (S402). When connecting to an SSID for an unregistered user, no certificate or encryption key is required, and the connection procedure conforms to the normal 802.11 rules.

  However, the access controller 4 arranged immediately after the wireless LAN access point 5 blocks all communications except connecting to the initial connection portal 10 using HTTP (or other protocol if necessary). All HTTP communications performed to Web servers other than the initial connection portal 10 are redirected to the initial connection portal 10 (S403).

  Unregistered users voluntarily or forcibly access the user registration page of the initial connection portal 10 (S404). Then, the unregistered user inputs necessary information on the user registration page of the initial connection portal 10 and attempts user registration (S406).

  Next, the initial connection portal 10 performs identity verification processing to check whether the input information is valid (S407). In this case, it is common to send an e-mail to the e-mail address of the input wireless LAN device and request access to the URL contained therein for confirmation. High identity verification is also possible.

  When the identity is confirmed in this way, the initial connection portal 10 registers the user information in the user database 7 (S408). Then, the initial connection portal 10 notifies the user that the user registration is completed, and prompts the user to download the wireless LAN communication program (S409).

  At this time, if the wireless LAN device is not registered, but another wireless LAN device of the user is already registered, the wireless LAN device is registered as a member of the user's device group in the user database 7. Registered in

  Next, the user makes a download request for the wireless LAN communication program (S410), and the initial connection portal 10 makes a digital certificate issuance request to the certificate authority 8 (S411). The certificate authority 8 generates a digital certificate while also collecting information in the user database 7, and transmits the digital certificate to the initial connection portal 10 (S412). The initial connection portal 10 includes the acquired certificate in the template wireless LAN communication program, generates a wireless LAN communication program for the user (S413), and the wireless LAN communication program stores the wireless LAN communication program for the user. Downloaded to the device.

  Then, the user installs a wireless LAN communication program on the wireless LAN device (S415), and thereafter, the public wireless LAN can be easily used by the wireless LAN communication program.

  As described above, according to the embodiment of the present invention, the economic burden on the user accompanying the use of the public wireless LAN service is greatly reduced, and depending on the business model, the public wireless LAN service is provided to the user completely free of charge. It is also possible to do. In addition, a business model in which a wireless LAN service provider and a facility owner who arranges an access point can make a profit while being free of charge is possible. In addition, the public wireless LAN service can be properly maintained with the profits obtained, so that appropriate security measures are provided to the public wireless LAN service, and at the same time, capital investment is made for future technologies as needed. It is possible to go.

  In addition, the wireless LAN communication system according to the embodiment of the present invention basically uses IEEE 802.1X or 802.11i as a connection authentication method for public wireless LAN services, and uses EAP-TLS. If such a certificate-based authentication method is used, the user can immediately access the public wireless LAN service without any troublesome settings. Even when a password-based authentication method such as PEAP is used, the user only needs to memorize only one combination of an ID and a password, and there is no need to bother with handling complicated encryption keys that differ for each access point. .

  Furthermore, since the wireless LAN communication system according to the embodiment of the present invention allows all wireless LAN devices possessed by a single user to connect to the public wireless LAN service with one authentication, authentication is performed for each wireless LAN device individually. This eliminates the need to do so, improving user convenience.

  Furthermore, in the wireless LAN communication system according to the embodiment of the present invention, a voice advertisement is transmitted to the mobile phone owned by the user via the circuit switching network, and connection to the public wireless LAN service is permitted after the voice advertisement is completed. Therefore, even for wireless LAN devices that do not have sufficient performance for image and video display, it is possible to access a simple and secure public wireless LAN service by allowing users to listen to advertisements. be able to.

  Furthermore, the wireless LAN communication system according to the embodiment of the present invention is for the unregistered user who does not know the existence of the public wireless LAN service and knows the existence of the service for the first time when visiting a store or the like that is providing the service. However, by registering the user by a simple procedure and downloading and installing the wireless LAN communication program, it becomes possible to connect to the public wireless LAN service thereafter, so that the use of the user can be further promoted. .

  In addition, the current public wireless LAN service is operated in a state where vulnerability is still left even if appropriate encryption and authentication are not performed at all in order to keep the connection by the user simple. However, if a public wireless LAN service based on the wireless LAN communication system according to the embodiment of the present invention is introduced, a secure wireless LAN connection according to IEEE 802.1X or 802.11i is naturally established. It can be provided and can greatly contribute to the spread of 802.1X and 802.11i.

  The free public wireless LAN service enabled by the wireless LAN communication system according to the embodiment of the present invention promotes the user's intention to use and accelerates the installation of the access point corresponding to the present invention. A synergistic effect of improving user convenience will be produced, and this synergistic effect will promote the creation of a ubiquitous network in Japan, enabling the realization of a true ubiquitous society ahead of the world.

  The wireless LAN communication system according to the embodiment of the present invention can be applied to any region in the world, and the wireless LAN communication system according to the embodiment of the present invention is spread all over the world. , Which can provide accessibility to the Internet in all parts of the world, while at the same time greatly enhancing Japan's international competitiveness in the information industry.

  In addition to the above-described password and certificate methods, for example, biometrics authentication can be considered as an authentication method. Even if such a method is adopted, the AD the IP of the present invention is performed after the normal authentication procedure. A method or an IP homehole method can be applied.

  In the method described in the above embodiment, the public wireless LAN service provider itself operates the certificate authority, but uses a certificate issued by a publicly trusted certificate authority. By doing so, a higher security level can be provided. For example, a virtual in-house network service for a company can be constructed.

  In addition, if a public wireless LAN service provider has equipment such as an HLR as a mobile phone operator at the same time, the smart card “SIM” or “USIM” attached to the mobile phone can be used as a standard. The procedure of the present invention may be added to the protocol EAP-SIM / EAP-AKA. (In the case of the AP the IP method, EAP-SIM-AD and EAP-AKA-AD are used.)

  Furthermore, since SIM / USIM, which is a certificate already owned by many users, can be used, users can use a simpler and more secure public wireless LAN service while reducing the economic burden by displaying advertisements. Can be provided.

  1 is a network diagram showing a wireless LAN communication system according to an embodiment of the present invention.   It is a sequence diagram which shows an example of the operation | movement flow of the wireless LAN communication system which concerns on embodiment of this invention.   It is a sequence diagram which shows another example of the operation | movement flow of the wireless LAN communication system which concerns on embodiment of this invention.   It is a sequence diagram which shows another example of the operation | movement flow of the wireless LAN communication system which concerns on embodiment of this invention.   It is a sequence diagram which shows the initial connection flow of the unregistered user of the operation | movement flow of the wireless LAN communication system which concerns on embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Wireless LAN communication system 5 Wireless LAN access point 6 Wireless LAN equipment group 9 Authentication server 10 Initial connection server 11 Advertising server for download 12 Advertising server for streaming 13 Advertising server for circuit switching voice

Claims (11)

A wireless LAN communication system comprising a wireless LAN access point connected to a wireless LAN network and a plurality of wireless LAN devices wirelessly communicating with the wireless LAN access point,
Authentication means for authenticating the wireless LAN device when the wireless LAN device requests connection to the wireless LAN access point;
Advertising means for delivering an advertisement to the wireless LAN device when the wireless LAN device requests connection to the wireless LAN access point;
The wireless LAN communication system is characterized in that the authentication unit completes authentication of the wireless LAN device after the wireless LAN device satisfies an advertisement display end condition transmitted from the advertising unit. The wireless LAN access point transmits an IP address of the wireless LAN access point to the wireless LAN device after the wireless LAN device satisfies an advertisement display end condition transmitted from the advertising unit. Wireless LAN communication system. The wireless LAN access point transmits the IP address of the wireless LAN access point to the wireless LAN device before the wireless LAN device satisfies an advertisement display termination condition transmitted from the advertising unit. Wireless LAN communication system. The wireless LAN communication system according to any one of claims 1 to 3, wherein the authentication unit performs authentication in units of a wireless LAN device group including a plurality of wireless LAN devices owned by the same registered user. 5. The apparatus according to claim 1, further comprising an initial connection unit configured to perform registration processing for the wireless LAN device of the unregistered user when a wireless LAN device of the unregistered user requests connection to the wireless LAN access point. A wireless LAN communication system according to claim 1. A wireless LAN communication method for performing wireless communication between a wireless LAN access point connected to a wireless LAN network and a plurality of wireless LAN devices,
When the wireless LAN device requests connection to the wireless LAN access point, the authentication unit authenticates the wireless LAN device after the wireless LAN device satisfies the advertisement display end condition transmitted from the advertising unit. A wireless LAN communication method comprising a step of completing. The wireless LAN device according to claim 6, further comprising a step of transmitting an IP address of the wireless LAN access point to the wireless LAN device after the wireless LAN device satisfies an advertisement display end condition transmitted from the advertising unit. LAN communication method. The wireless LAN device according to claim 6, further comprising a step of transmitting an IP address of the wireless LAN access point to the wireless LAN device before the wireless LAN device satisfies an end condition for displaying an advertisement transmitted from the advertising unit. LAN communication method. The wireless device according to any one of claims 6 to 8, further comprising a step in which the authentication unit performs authentication in units of wireless LAN device groups including a plurality of wireless LAN devices owned by the same registered user. LAN communication method. 10. The method according to claim 6, further comprising a step of performing registration processing for the wireless LAN device of the unregistered user when the wireless LAN device of the unregistered user requests connection to the wireless LAN access point. The wireless LAN communication method according to any one of claims. A wireless LAN communication program for causing a computer to execute the steps according to any one of claims 6 to 10.

Images