JP2010063000A - Wireless lan network device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a network control means for performing optimal control, while monitoring authentication of a wireless terminal device and accesses state of a wireless LAN access point by a signal in a port of a switching hub. <P>SOLUTION: In this wireless LAN network device comprising a plurality of wireless terminal devices 40 to 51 and wireless LAN access points 30 to 32, a switching hub 10 is provided with a network control means 20 having a means 64 for authenticating a wireless terminal device for preregistered personal information 62 for authentication and authentication information subjected to an authentication request from the wireless terminal device and acquiring device identification information of the authenticated wireless terminal device; and an access monitoring means 68 for monitoring an operating state of a wireless terminal device in each port of the switching hub, on the basis of the acquired device identification information. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a wireless LAN network apparatus for maintaining an appropriate wireless communication state by performing authentication of a wireless terminal device and monitoring of an operating state in a wireless LAN (Local Area Network) system having a plurality of access points. .

With the development of communication technology, network construction in the office has become an indispensable requirement for business. Terminal devices in the office are connected by a local area network, and are connected to external communication lines to use the Internet, e-mail, etc. ing.
In order to create an environment in which a local area network (LAN) can be used, it is necessary to connect the terminal device and the switching hub. However, if each terminal device is connected by a wired LAN cable, many LAN cables are wired. The environment construction becomes complicated. In addition, it is difficult to cope with rearrangement of wireless LAN access points due to environmental changes.

  Under such circumstances, the introduction of a wireless LAN network that does not require wiring to each terminal device is progressing due to the improvement in speed and security functions due to advances in wireless technology. The wireless LAN system allows a wireless terminal device having a wireless function to access a wireless LAN access point and connect to an in-house intranet or an external server.

  In order for a wireless terminal device to access a wireless LAN access point and perform data communication or the like, it is necessary to set communication control information necessary for communication control with the access point in the own terminal before performing wireless communication. is there. Connection processing and communication processing in the wireless LAN system are standardized by IEEE 802.11 (international standardization standard by the American Electrical and Electronic Engineers Church Regulations), and an open system authentication method (Open System Authentication) and WEP ( There is a secret key cryptosystem using a Wired Equivalent Privacy) algorithm. The setting information includes an access point group identifier ESSID (Extended Service Set Identifier), a wireless communication channel, a transmission rate, and, in the case of a secret key encryption method, an encryption key for encrypted communication with the access point, For example, there is a TKIP (Temporal Key Integrity Protocol) key.

  The wireless LAN access point has a wireless transmission / reception function with a wireless terminal device, and is connected to the switching hub by a wired LAN cable. Normally, a wireless LAN access point sets a common ESSID and encryption key for transmission / reception with a specific wireless terminal device, and is also provided with an authentication function (see, for example, Patent Document 1).

  As an authentication function, there is a MAC (Media Access Control) address authentication method. The MAC address of the wireless terminal device to be used is registered in advance in the wireless LAN access point. The MAC address is present in the unencrypted header portion of the packet, and only the signal of the wireless terminal device having the registered MAC address is permitted.

When it is desired to collectively perform authentication of wireless terminal devices using another server, a remote authentication service using a RADIUS (Remote Authentication Dial In User Service) protocol is used. By connecting to a RADIUS server from a plurality of wireless terminal devices, user authentication can be centrally managed in one place. In Windows (registered trademark) Server, authentication by the RADIUS protocol can be used by introducing a network service called “Internet Authentication Service (IAS)” (for example, refer to Patent Document 2).
JP 2004-304824 A JP 2007-208816 A

  A network system using a wireless LAN has an advantage of not requiring a wired LAN cable. However, as described above, it is necessary to perform authentication settings for the wireless LAN access point and the wireless terminal device, and the user of the wireless terminal device is required. Must be set individually. However, device authentication settings and device information settings are difficult, and the construction of a wireless LAN network is often performed by a specialist. For this reason, the initial introduction cost was high and became a bottleneck for popularization.

  In a wireless LAN network system, a wireless terminal device accesses a wireless LAN access point wirelessly. However, in the wireless LAN access point, access is restricted only to wireless terminal devices registered at the wireless LAN access point, and There was a problem that the wireless terminal device could move only within the reachable range.

  Further, although the authentication of the wireless terminal device is performed, the operation status of each wireless LAN access point is not monitored. For monitoring, it is necessary to provide a maintenance server and grasp the operation status. In order to perform authentication and monitoring, a maintenance server must be installed in addition to the authentication server to monitor the operation status of each wireless LAN access point of the wireless LAN network system.

  The present invention provides a system for easily realizing a wireless LAN environment, and is a wireless system that performs optimum control by monitoring authentication information setting, wireless terminal device authentication, and operating status of each wireless LAN access point. The object is to provide a LAN control device.

  (1) A plurality of wireless terminal devices are connected to a wireless LAN access point by wireless communication means, the wireless LAN access point is connected to distribution means of a switching hub, and the wireless LAN access point and the distribution means are wireless A wireless LAN network device used in a communication system connected to a LAN control means and connected to an external communication line by the wireless LAN control means, and a cable connecting a switching hub and a wireless LAN access point A power transmission means for supplying power to the wireless LAN access point by using the wireless terminal device with respect to personal information registered in advance and authentication information requested from the wireless terminal device; Authentication means and device identification of the authenticated wireless terminal device Means for acquiring and storing information, monitoring means for monitoring the operating status of the wireless terminal device at each port of the switching hub based on the acquired device identification information, and the wireless LAN accessed by the wireless terminal device A wireless LAN network device comprising: network control means having means for changing an access point; and means for stopping power supply to the wireless LAN access point.

  In the invention described in (1), a wireless LAN access point accessed by a plurality of wireless terminal devices is connected by a wired LAN cable to a switching hub that transmits and receives signals to and from an external server via a communication line. A wireless LAN system having means for supplying power to a wireless LAN access point by using a network control device is provided for optimal control. A network control device detects a signal transmission / reception state at each port provided in a switching hub, performs authentication of a wireless terminal device, monitors an operation status of a wireless LAN access point, and accesses a wireless LAN access point Restricts devices and controls wireless LAN access points.

  The personal authentication information of the user is registered in advance in the network control means. Based on the personal authentication information, the personal authentication information input by the user to the wireless terminal device is transmitted when the wireless terminal device accesses the wireless LAN access point. Since the network control device monitors the signal at the port at the switching hub, the signal from the wireless LAN access point is determined to match with the personal authentication information registered in advance, and if they match, The device identification information of the wireless terminal device that transmitted the signal is stored, and the wireless terminal device is authenticated. Thereafter, the signal from the authenticated wireless terminal device is connected to the communication line via the wireless LAN access point, and the signal can be transmitted and received. The wireless LAN access point does not have an authentication function or a secret key setting function, and is all performed by the network control means.

  For POE (Power On Ethernet (registered trademark)) as a means for supplying power to a wireless LAN access point using a LAN cable, the network control means turns on / off the power supply depending on the operating status of the wireless LAN access point. Control. Normally, power is supplied to the wireless LAN access point. However, if the wireless LAN access point has not been operated for a long time or a signal from the network control means is not accepted, The power supply to the LAN access point is stopped.

  The network control means stores the identification information when authenticating the wireless terminal device. By storing the identification information of the wireless terminal device in the network control means, it becomes possible to access any of the plurality of wireless LAN access points. This is because the signal monitored by the network control means is detected at each port of the switching hub, and can be authenticated from any wireless LAN access point. As a result, even if a user moves and uses a wireless terminal device, it can be accessed if radio waves from any wireless LAN access point can be received. Therefore, network control is performed by a signal from the accessed wireless LAN access point. The wireless terminal device is authenticated by the means, and the wireless LAN network can be used.

  In addition, since the network control unit can monitor which wireless terminal device is accessing which wireless LAN access point using the wireless terminal identification information stored in the network control unit, the access of the wireless LAN access point is concentrated. If the restricted access is exceeded, control is performed to change the wireless terminal device to another access point.

(2) In (1), the personal authentication information is an ID and a password used when logging in to the wireless terminal device, and the device identification information of the wireless terminal device is a wireless LAN network device that is a MAC address.

According to the invention described in (2), since the personal authentication information is an ID and a password that are input on the login screen when the wireless terminal device is started up, the user starts up the wireless terminal device without performing any setting. Only the authentication at the wireless LAN access point is performed. Since the device identification information is a MAC (Media Access Control) address, the packet transmitted from the wireless terminal device is included and can be acquired from the information of the packet. The acquired MAC address is stored in the network control means. Setting information such as a secret key is sent from the network control means to the authenticated wireless terminal device, and the wireless terminal device can be accessed by being set in the wireless terminal device.

  (3) The wireless LAN network device according to (1) or (2), further comprising means for registering personal authentication information registered in advance in the authentication server in the network control means.

  According to the invention of (3), even if an authentication server is separately provided, the switching hub can be used by allowing the network control means to register the personal identification information registered in the authentication server. Wireless terminal equipment can be authenticated. For this reason, the processing speed is improved as compared with the case where the authentication server performs centralized authentication. Further, the wireless terminal device can be authenticated even when the authentication server breaks down or the communication line is disconnected.

  (4) In the wireless LAN network device according to any one of (1) to (3), the operating status of the wireless terminal device is monitored based on signal information at each port of the switching hub, and the wireless LAN access point is accessed. Means for detecting an ID and password input to a wireless terminal device; means for transmitting the detected ID and password to an authentication server connected by an electric communication line; and the ID and password authenticated by the authentication server A wireless LAN network apparatus comprising: network control means further comprising: means for storing identification information of the wireless terminal device that has received the input.

  According to the invention described in (4), the network control means can also be used as an authentication proxy server in a wireless network system including an authentication server.

  (5) The wireless LAN network device according to any one of (1) to (4), wherein the switching hub is monitored by network control means using SNMP as a protocol.

  In the invention described in (5), the protocol is SNMP (Simple Network Management Protocol). SNMP is a network management protocol advocated in RFC1157, and has a function of managing and managing a network control apparatus, and therefore installs an SNMP manager and an SNMP agent. MIB (Management Information Base) information, which is a management information area, is acquired from input / output signals at each port of the switching hub. Thereby, the communication status of each wireless LAN access point can be monitored. That is, the wireless terminal device information accessible to each wireless LAN access point, the device identification information of the wireless terminal device, the accessing wireless terminal device, the packet capacity from the accessing wireless terminal device, the communication time, and the like. By acquiring these MIB information, the network control means is actually controlled.

  According to the present invention, in a wireless network device having a power supply means via a LAN cable in a switching hub, it is easy to provide a network control means for performing user authentication and monitoring / control of a wireless LAN access point and a wireless terminal device. In addition, the wireless LAN environment can be constructed.

  Hereinafter, the best mode for carrying out the present invention will be described with reference to the drawings. This is merely an example, and the technical scope of the present invention is not limited to this.

  FIG. 1 is a diagram showing an overall configuration of a wireless LAN system using a wireless LAN network device of the present invention. FIG. 2 shows the configuration of the network control means. FIG. 3 shows the configuration of the wireless communication unit of the wireless terminal device. FIG. 4 is a communication status monitoring table.

  In FIG. 1, the switching hub 10 and network control means constitute a wireless LAN network device. The switching hub 10 is provided with a wireless LAN control unit 12, a power transmission unit 14, and a distribution unit 16. A wireless LAN access point A30, a wireless LAN access point B32, and a wireless LAN access point C34 are connected to each port of the distribution means 16 by a LAN cable. A plurality of wireless terminal devices 40 to 51 access each wireless LAN access point wirelessly. Control of the radio wave intensity emitted from the wireless LAN access point is performed by the network control means 20, and the number of accesses is limited to a design in which up to four wireless terminal devices access the wireless LAN access point. This is because, in the wireless LAN access point, since communication of each wireless terminal device is performed by time sharing, if many wireless terminal devices can be accessed, the communication speed is reduced. The network control unit 20 controls power supply from the power transmission unit 14 to each wireless LAN access point, and monitors a communication signal at each port in the distribution unit 16.

  FIG. 2 shows the configuration of the network control means. The personal information storage means 62 stores user identification information in advance. In the present invention, the same ESSID (Extended Service Set Identifier) is set in each wireless LAN access point and each wireless terminal device so that the user can access any wireless LAN access point wirelessly. Then, a login ID and password of a user's wireless terminal device, for example, a personal computer, and a login ID and password of Windows (registered trademark) when the OS (Operating System) is Windows (registered trademark) are stored in the personal information storage means 62. Remember. Since the login ID and password are input when the user starts the personal computer, the input login ID and password are transmitted when accessing the wireless LAN access point, and the network control means 20 detects the signal. If the ID and password stored in the personal information storage means 62 match, the personal computer is authenticated and the MAC address is acquired. The acquired MAC address is stored in the identification information storage unit 64. Then, the communication information setting means 66 in the network control means 20 transmits an encryption key or the like to the personal computer to set access for the wireless LAN. Thereafter, transmission and reception of signals through the wireless LAN access point becomes possible. Control of these authentication, address acquisition, storage, and the like is performed via a CPU (Central Processing Unit) 60.

  The present invention acquires the MAC address of the wireless terminal device by authentication with the login ID and password of the wireless terminal device, and performs authentication at the layer 2 level. As a technology for authenticating at the layer 2, WPA (WiFi) Protection Access) and PPPoE (Point to Point Protocol over Ethernet). WPA is a protocol that encrypts the IEEE 802.11 communication path, which has been standardized by the WiFi Alliance. Since WPA updates the common key used for encryption at regular intervals, it is possible to construct a more secure wireless network against WEP (Wired Equivalent Privacy) that continues to use a single common key. In WPA, user authentication is also possible on a layer 2 network using EAP (Extensible Authentication Protocol) defined in IEEE 802.11. This makes it possible to manage users who use the wireless network.

  The communication setting unit 66 in the network control unit 20 can use IEEE 802.11, which is a standardized standard necessary for connection processing and communication processing in a wireless LAN network system, and is used for communication control with a wireless LAN access point. Necessary communication control information is set in the wireless terminal device. This communication control information includes a group identifier ESSID of a wireless LAN access point, a wireless communication channel, a transmission rate, an encryption key (for example, a WEP key) for encrypted communication with the access point, and the like.

  After storing the MAC address and enabling access to the wireless LAN access point, the wireless LAN access of the personal computer is performed based on the MAC address by the access monitoring means 68 in the network control means 20 based on the signal at the wireless LAN access point. The access status to the point and the number of accesses of each wireless LAN access point are monitored. A monitoring table 70 records the communication status of the monitored wireless terminal device. Then, as the access limit number, for example, the access number to the wireless LAN access point is set to 4. Since the access monitoring means 68 in the network control means 20 monitors the signal of the switching hub, the access status at each wireless LAN access point is known, and four or more wireless terminal devices have accessed the same wireless LAN access point Performs control to change access to another wireless LAN access point by restricting access to the wireless terminal device accessed last.

  This access change control is performed after detecting the radio wave intensity of the wireless terminal device at another wireless LAN access point and determining whether the access is possible. In the present invention, since the same ESSID is set, since communication control information that enables access to any wireless LAN access point is set, the number of accesses is changed to a wireless LAN access point within the limit. Is possible. The wireless LAN access point itself performs everything in the network control means 20 without performing any processing such as access restriction.

  Since the access monitoring means 68 can also monitor the operating status of each wireless LAN access point, the wireless LAN access point 68 can be controlled by the network control means 20 when there is no access to the wireless LAN access point or when the wireless LAN access point cannot be changed. When the access point becomes uncontrollable, it is determined that the wireless LAN access point is out of order, and the power supply control unit 72 stops the power supply from the power transmission unit 14. When power supply is stopped, an alert may be transmitted to the administrator.

  FIG. 3 is a configuration diagram illustrating the communication unit 90 provided in the main body 100 of the wireless terminal device 80. In the communication unit 90, signal transmission / reception is performed by the signal transmission / reception unit 93 via the antenna 91 and the wireless communication unit 92. Further, the radio wave intensity is measured from the radio communication unit 92 via the radio wave receiving unit 94 in order to monitor the radio wave intensity from each wireless LAN access point and select which wireless LAN access point to access. There is an intensity measuring unit 95. Then, from the result of measuring the radio field intensity from the wireless LAN access point, the channel selection processing unit 98 performs control to select to access the wireless LAN access point having the strongest radio field intensity.

  FIG. 4 shows a specific example 110 of a monitoring table for recording the communication status at each wireless LAN access point in the network control means. In the wireless terminal device column 130 accessible in the wireless LAN access point of each wireless LAN access point column 120, the MAC address of the wireless terminal device is recorded, and further in the currently accessing wireless terminal device column 140 that is in communication. The MAC address of the wireless terminal device is recorded. Is the wireless terminal device accessible at each wireless LAN access point capable of changing the access of the wireless terminal device by detecting the beacon signal transmitted from each wireless terminal device and recording the accessible wireless terminal device? Judgment is made. These recorded MAC addresses are authenticated only when the MAC address stored in the identification information storage means matches the MAC address recognized by the packet signal from the wireless terminal device, and only the authenticated wireless terminal device is monitored. Record in table 110.

  FIG. 5 shows a flowchart of wireless terminal device authentication by the network control means 20 in the wireless LAN network device according to the present invention. First, the user registers and stores the login ID and password for the wireless terminal device in the personal information storage means of the network control means (S200). A case where the wireless terminal device is a personal computer will be described. The login ID and password for Windows (registered trademark) are used. Then, the wireless terminal device is turned on (S210), the login ID and password are input (S220), and the wireless terminal device is activated. At this time, a signal including a login ID and a password is transmitted from the wireless terminal device to access the wireless access point. Then, the network control means 20 detects a signal at the port of the switching hub 10 via the wireless LAN access point, and determines whether or not it matches the pre-registered login ID and password (S230). If they do not match, the wireless terminal device is prohibited from accessing the wireless LAN access point (S240). If they match, the MAC address of the wireless terminal device that has accessed the identification information storage means 62 is registered (S250). Then, based on the registered MAC address, the access status to each wireless LAN access point is monitored from the signal at the port of the switching hub (S260).

  A flowchart of the monitoring and control of the access status of the wireless terminal device by the network control means 20 is shown in FIG. The wireless terminal device authenticated by the login ID and password is placed in a monitoring state based on the MAC address by the access monitoring means 68 (S300). The access status of the wireless terminal device to each wireless LAN access point is stored in the monitoring table 72 (S310). Then, while monitoring the signal at the port by the network control means, the number of accesses to the wireless LAN access point is monitored (S320). If the number of accesses is 4 or less, the communication status is further monitored. When the access of the wireless terminal device to the wireless LAN access point becomes 4 or more, whether or not the wireless terminal device attempting to access the wireless LAN access point can access another wireless LAN access point is accessed from the monitoring table 70. The monitoring means 68 determines (S330), and if possible, controls to change access to another wireless LAN access point (S340). If access to another wireless LAN access point is not possible, the network control unit 20 controls to wait until the wireless terminal device being accessed ends communication (S350).

  The control described so far is specifically performed by SNMP. MIB management information is acquired from input / output signals at each port of the switching hub 10. Thereby, the communication status of each wireless LAN access point can be monitored, and actual control by the network control means 20 is performed.

  In a wireless LAN environment constructed by a user, an office in a room is generally used, and a plurality of people use a wireless terminal device by arranging desks. Normally, the radio wave emitted by the wireless LAN access point is 40 to 50 meters away, and when a large number of wireless terminal devices are used in an office environment, one wireless LAN access point can be accessed as in this embodiment. When the number of wireless terminal devices is limited to four, there are many cases where all wireless terminal devices are within a range where a plurality of wireless LAN access points can be accessed. Then, if the wireless terminal device accesses the wireless LAN access point with the strongest radio wave, there is a high possibility that four or more wireless terminal devices will access the wireless LAN access point. In this case, the network control means 20 controls the wireless LAN access point to be accessed by the wireless terminal device, and the access to the wireless LAN access point in the other accessible radio wave range is changed for the fourth or more wireless terminal devices having a predetermined number of accesses. The optimum number of accesses is controlled. Therefore, the user can easily establish a wireless LAN environment without individually setting the wireless environment.

  As mentioned above, although demonstrated using embodiment of this invention, the technical scope of this invention is not limited to the range as described in the said embodiment. Various modifications or improvements can be added to the above embodiment. It is apparent from the scope of the claims that the embodiments added with such changes or improvements can be included in the technical scope of the present invention.

It is a figure which shows the whole structure of the wireless LAN system using the wireless LAN network apparatus of this invention. It is a figure which shows the structure of the network control means of this invention. It is a figure which shows the structure of the radio | wireless communication part which selects a wireless LAN access point in a wireless terminal device. It is a figure which shows the specific example of the monitoring table which records the communication condition in the access monitoring means in the network control means of this invention. It is a figure which shows the authentication flowchart of the wireless terminal device in the wireless LAN system of this invention. It is a figure which shows the flowchart for performing the communication condition monitoring and control of the wireless terminal device in the wireless LAN system of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Switching hub 12 Wireless LAN control means 14 Power supply transmission means 16 Distribution means 20 Network control means 30, 32, 34 Wireless LAN access points 40-51, 80 Wireless terminal equipment 60 CPU
62 Personal Information Storage Unit 64 Identification Information Storage Unit 66 Communication Setting Unit 68 Access Monitoring Unit 70 Monitoring Table 72 Power Supply Control Unit 90 Wireless Terminal Device Communication Unit 110 Specific Example of Monitoring Table

Claims (5)

A plurality of wireless terminal devices are connected to a wireless LAN access point by wireless communication means, the wireless LAN access point is connected to distribution means of a switching hub, and the wireless LAN access point and the distribution means are wireless LAN control means A wireless LAN network device used in a communication system in which the wireless terminal device is connected to an external communication line by the wireless LAN control means,
Power transmission means for supplying power to the wireless LAN access point using a cable connecting the switching hub and the wireless LAN access point;
Means for authenticating the wireless terminal device against pre-registered personal information for authentication and authentication information requested for authentication from the wireless terminal device;
Means for acquiring and storing device identification information of the authenticated wireless terminal device;
Monitoring means for monitoring the operating status of the wireless terminal device at each port of the switching hub based on the acquired device identification information;
Means for changing the wireless LAN access point accessed by the wireless terminal device;
Means for stopping power supply to the wireless LAN access point;
Network control means comprising:
A wireless LAN network device. In claim 1,
The personal authentication information is an ID and password used to log in to the wireless terminal device, and the device identification information of the wireless terminal device is a MAC address.
Wireless LAN network device. In the wireless LAN network device according to claim 1 or 2,
Means for registering personal authentication information registered in advance in the authentication server in the network control means;
A wireless LAN network device further comprising: The wireless LAN network device according to any one of claims 1 to 3,
Means for monitoring the operating status of the wireless terminal device based on the signal information at each port of the switching hub, and detecting the ID and password input to the wireless terminal device that has accessed the wireless LAN access point;
Means for transmitting the detected ID and password to an authentication server connected by a telecommunication line;
Means for storing identification information of a wireless terminal device that has entered the ID and password authenticated by the authentication server;
Network control means further comprising:
A wireless LAN network device. In the wireless LAN network device according to any one of claims 1 to 4,
The switching hub monitoring is a network control means using SNMP as a protocol,
A wireless LAN network device characterized by the above.

Images