JP2010136014A - Mac address automatic authentication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an automatic authentication system for authenticating even if a terminal that does not transmit a packet in a self-reliant manner. <P>SOLUTION: The MAC (Media Access Control) address automatic authentication system in an Ethernet switch includes: an authentication state management table for storing the authentication state of a terminal in each IP address and MAC address of a terminal and information of a VLAN (Virtual LAN) to which the terminal belongs; and an authentication control part for transmitting an ARP (Address Resolve Protocol) request to the address of an unauthenticated terminal by referring to the table, and detecting presence/no presence of a reply to the ARP request, changes the terminal authentication state of the authentication state management table to "authenticated" according to a MAC address included in a detected reply upon detecting the presence of the reply, and stores the terminal in a prescribed VLAN according to the VLAN information. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a MAC address automatic authentication system, and more particularly to an automatic authentication system network in which an Ethernet (registered trademark) switch performs authentication using a MAC address in response to a response packet to a request packet.

  As a terminal authentication method for a client, a method is known in which authentication processing is performed after user information is transmitted from a client terminal to a server when there is a request for authentication such as login from the client terminal (Patent Literature). 1). Here, an unauthenticated network device cannot access other network devices via the network, and cannot access from other network devices.

There are mainly two types of MAC address authentication systems in Ethernet switches. One is a method of acquiring and authenticating the MAC address of the authentication target terminal triggered by user intervention such as inputting a user name using a Web browser or the like, and the other is a packet transmitted autonomously by the authentication target terminal. This is a packet authentication method that monitors and acquires and authenticates the MAC address in the packet.
Japanese Patent Laid-Open No. 10-336345

  In any of the above-described methods, it is necessary to generate an authentication trigger on the authentication target terminal side, such as a trigger due to user intervention or a terminal transmitting a packet autonomously. However, if the terminal is a network device that does not generate the authentication trigger, there is no authentication trigger, so that the terminal is not authenticated on the network.

  Such network devices are currently connected to the network without being authenticated. An example of such a device is an output-only network printer. In such a case, even if the network printer is a printer having a security function, it is not authenticated. For this reason, if the connection is changed to a network printer that does not have a security function, a security problem may occur.

  The present invention has been made in view of these problems, and provides an automatic authentication system that can authenticate even a terminal that does not perform packet transmission autonomously.

  In order to solve the above problems, the present invention employs the following means.

  An authentication server, a file server, and a plurality of terminals, and an Ethernet switch having an input / output terminal for connecting the authentication server, the file server, and the plurality of terminals, and switching the connection of the authentication server, the file server, and the plurality of terminals In a MAC (Media Access Control) address automatic authentication system in an Ethernet switch forming a plurality of VLANs (Virtual LANs), an authentication state storing a terminal authentication state and information of a VLAN to which the terminal belongs for each IP address and MAC address of the terminal A management table, an ARP request is transmitted to an unauthenticated terminal address with reference to the table, and an authentication control unit for detecting the presence or absence of a reply to the ARP request is provided. MAC address included in reply According to the address, the terminal authentication state of the authentication state management table is changed to “authenticated”, and the terminal is accommodated in a predetermined VLAN according to the VLAN information.

  Since the present invention has the above configuration, even a terminal that does not perform packet transmission autonomously can be authenticated.

  Hereinafter, the best embodiment will be described with reference to the accompanying drawings. 1, 2 and 3 are diagrams for explaining an authentication system according to the present embodiment. FIG. 1 is a state before authentication, FIG. 2 is a state at the time of authentication, and FIG. 3 is a diagram showing a state after authentication. .

  This system is an Ethernet switch SW1 for managing authentication, a terminal T1 connected to SW1, a printer terminal P1, and a server having an authentication DB (such as RADIUS (Remote Authentication Dial In User Service)) (abbreviated as an authentication server). S1 and file server S2 are provided.

  The terminal T1 before authentication is accommodated in the unauthenticated VLAN (V1001). Since only the authenticated terminal is connected to the network, the terminal T1 cannot access the file server S2 at this time.

  Only a printer having a security function can be connected to the network to prevent unauthorized output. The unauthenticated printer terminal P1 is accommodated in an unauthenticated VLAN (V1002) different from the terminal T1. Since the printer terminal P1 cannot be accessed from the terminal T1, unauthorized output from the printer terminal P1 can be prevented. The authentication server S1 is accommodated in the authentication server VLAN (V1010) because it is used only during authentication. For this reason, the authentication server S1 cannot be accessed from the terminal T1, the file server S2, and the printer terminal P1. The file server S2 is accommodated in the operation VLAN (V1020).

  FIG. 2 is a diagram showing a state at the time of authentication. In the present embodiment, the Ethernet switch SW1 has a function of transmitting an ARP (Address Resolve Protocol) request A300 shown in FIG. The printer terminal P1 receives the ARP request A300, and the received printer terminal P1 returns an ARP response.

  The Ethernet switch SW1 inquires the authentication server S1 via the authentication control unit 103 and the authentication DB access control unit 102 about the MAC address of the printer terminal P1 stored in the returned ARP response, and performs authentication. Details thereof will be described later.

  When there is a user at the terminal T1, the terminal T1 transmits a packet to the file server S2 in response to the user's intervention. The Ethernet switch SW1 monitors the packet from the terminal T1, uses the MAC address in the packet to make an inquiry about whether authentication is possible to the authentication server S1 or the built-in DB, and performs authentication processing.

  Even when there is no user intervention in the terminal T1, the terminal T1 receives the ARP request A300 and responds with an ARP response. Therefore, the authentication process can be performed by inquiring the authentication server S1 via the authentication control unit 103 and the authentication DB access control unit 102 for the MAC address of the terminal T1 stored in the returned ARP response.

  FIG. 3 is a diagram illustrating a state after authentication.

  The Ethernet switch SW1 authenticates the terminal T1 and the printer terminal P1 by the authentication server authentication. As a result, a VLAN is configured such that the terminal T1 and the printer terminal P1 belong to the same operation VLAN (V1020) as the file server S2. By instructing the configured new VLAN state to the hardware of the Ethernet switch SW1, mutual access between the terminal T1, the printer P1, and the file server S2 becomes possible.

  Therefore, only the authenticated terminal T1 and printer terminal P1 can be connected to the operational VLAN (V1020). In this example, since an unauthenticated terminal that can access the file server S2 is not connected to the operation VLAN (V1020), security can be maintained.

  FIG. 4 is a diagram for explaining the details of the Ethernet switch SW1. The Ethernet switch SW1 includes a parameter control unit 101, an authentication DB access control unit 102, an authentication control unit 103, a network management control unit 104, a request transmission processing unit 105, a reply reception waiting processing unit 106, and an authentication DB 201. The authentication server S1 includes a control unit, a storage unit, a communication unit, a memory, and the like, like a normal PC. An authentication DB 200 is provided in the storage unit of the authentication server S1.

  The parameter control unit 101 acquires various parameters necessary for the operation of the Ethernet switch SW1 and stores them in an internal table. The internal table stores the search start terminal IP address value and the search completion terminal IP address value for determining the IP address range of the terminal to be authenticated. The Ethernet switch SW1 retrieves various parameters from the table T100 when acquiring the IP address range to be authenticated.

  The authentication DB access control unit 102 enables the authentication control unit 103 to access the authentication DB 200 built in the authentication server S1 or the authentication DB 201 built in the Ethernet switch SW1. Note that the authentication DB access control unit 102 can switch the DB to be inquired to the DB 200 or the DB 201 depending on the parameter state.

  The authentication control unit 103 controls the overall authentication function of the Ethernet switch SW1. For example, it controls the start of authentication, the processing after successful authentication, the user name to the authentication DB, the password verification request, and the transmission request to the network.

  The network management control unit 104 creates transmission data according to the transmission instruction from the authentication control unit 103 and notifies the request transmission processing unit 105 of the transmission data. Further, the data received from the reply reception waiting processing unit 106 is analyzed, and necessary data information is notified to the authentication control unit 103.

  The request transmission processing unit 105 sends out an ARP request A300 to the network in accordance with an instruction from the network management control unit 104.

  The reply reception wait processing unit 106 is a function for receiving an ARP response from the network, and waits for the arrival of received data for a certain time after transmitting the ARP request A300.

  The authentication DB 200 built in the authentication server S1 stores a user name used for MAC address authentication, a password, and information necessary for authentication.

  The authentication DB 201 built in the Ethernet switch SW1 is a DB having the same information as the authentication DB 200 built in the authentication server S1.

  FIG. 5 is a diagram showing a table T100 that stores various parameters for the Ethernet switch SW1 to operate. This table is provided in the authentication control unit 103.

  The various parameter table T100 is a table storing various parameters necessary for limiting the authentication target terminals, and includes a search start terminal IP address T101, a search completion terminal IP address T102, and a terminal search interval T103.

  The search start terminal IP address T101 is the first address in the search target IP address range when there are a plurality of search targets. An IP address after this IP address is a transmission target of the ARP request A300. The search completion terminal IP address T102 is the last address in the search target IP address range when there are a plurality of search targets. The range from the search start terminal IP address T101 to this IP address is the transmission target of the ARP request A300. The terminal search interval T103 is a parameter that specifies an interval at which the ARP request A300 is transmitted in order to re-authenticate a terminal that could not be found by searching.

  FIG. 6 is a diagram showing a format of an authentication packet (ARP request). The authentication packet (ARP request) A300 includes an Ethernet net header A301 and ARP frame data A302. The Ethernet header A301 is a header portion that stores information necessary for the Ethernet packet. The ARP frame data A302 is a request data part of the Ethernet packet.

  When the ARP frame data A302 is broadcasted with the IP address of the terminal to be authenticated, the terminal having the same IP address returns an ARP reply. Since the returned MAC address of the terminal is described in the returned ARP reply, the Ethernet switch SW1 can authenticate the terminal based on the MAC address.

  FIG. 7 is a diagram showing an authentication management table for managing the state of authentication. The authentication management table T200 is managed by the authentication control unit 103. In the authentication management table T200, information of the terminal IP address T201, the terminal MAC address T202, the terminal authentication state T203, and the VLAN number T204 to which the terminal belongs after successful authentication is recorded.

  Here, the terminal IP address T201 is the IP address of the authentication target terminal T1 or the printer terminal P1. The terminal MAC address T202 is the MAC address of the authentication target terminal T1 or the printer terminal P1. The terminal authentication state T203 is an authentication state of the authentication target terminal T1 or the printer terminal P1. The VLAN information T204 to which the terminal belongs is the number information of the operational VLAN to which the authentication target terminal T1 or the printer terminal P1 belongs after successful authentication.

  By recording and managing the terminal IP address T201, the terminal MAC address T202, the terminal authentication state T203, and the information of the VLAN number T204 to which the terminal belongs after successful authentication in the authentication management table T200, it is possible for the terminal in the authentication completed state. , ARP request A300 can be used for control not to be transmitted again.

  FIG. 8 is a diagram for explaining MAC address authentication processing by the Ethernet switch.

  First, in step S1001, a parameter table (FIG. 5) for specifying a terminal to be authenticated is acquired.

  In step S102, the IP address of the authentication target terminal is determined from the acquired parameter table (FIG. 5). Here, an IP address between the search start terminal IP address T101 and the search end terminal IP address T102 is set as an authentication target. By limiting the authentication target, transmission of the ARP request A300 to the terminal IP address that is not the authentication target can be suppressed.

  In step S103, information related to the authentication target terminal is acquired from the authentication management table T200 of FIG. Note that all IP addresses of terminals to be authenticated by the Ethernet switch SW1 are stored in the authentication management table T200.

  In step S1004, the terminal authentication state T203 of the acquired authentication management table T200 is referred to and it is determined whether or not the terminal is in an unauthenticated state. In the case of the unauthenticated state, it is further determined whether or not it is within the range of the search start terminal IP address and the search end terminal IP address in the various parameter tables T100 of FIG.

  If the terminal is in the unauthenticated state and is in the range of the search start terminal IP address and the search end terminal IP address, the process proceeds to step S1005. Otherwise, the process proceeds to step S1011 for the next terminal process.

  In step S1005, the request transmission processing unit 105 transmits an ARP request A300 for the IP address of the authentication processing target terminal.

  The ARP request A300 includes an Ethernet header A301 and ARP frame data A302. The ARP frame data A302 uses the IP address T201 (FIG. 7) of the authentication processing target terminal.

  Here, when an authentication processing target terminal having the same IP address as the destination IP address of the transmitted ARP request A300 is received, it is expected that the terminal returns an ARP reply. The returned ARP reply includes the IP address and MAC address of the terminal itself that has returned the ARP reply.

  In step S1006, an ARP reply returned from the authentication processing target terminal is waited for a predetermined time.

  In step S1007, it is determined whether an ARP reply has been received.

If there is no reply after a certain period of time, the terminal recognizes that it is not operating and does not perform authentication processing. When a packet is received within a predetermined time from the transmission of the ARP request A300, the protocol type information of the received packet data is extracted, and whether or not the ARP reply packet of the authentication target terminal is determined based on the extracted protocol type information To do. If it is not the ARP reply packet of the authentication target terminal, the packet is discarded and the process proceeds to step S1011 for the next terminal processing. In the case of an ARP reply packet of the authentication target terminal, the process proceeds to step S1008.

  In step S1008, authentication is performed using the received ARP reply. At the time of authentication, the MAC address of the terminal that returned the ARP reply is extracted from the received ARP reply data. Based on the MAC address stored in the received APR reply, the authentication DB access control unit 102 determines whether the authentication DB 200 built in the authentication server S1 or the authentication DB 201 built in the Ethernet switch SW1 can be authenticated. Inquire. Regardless of which DB is inquired, the DB returns an authentication permission to the authentication DB access control unit 102 when the conditions permit the authentication. If the condition does not permit authentication, an authentication rejection is returned to the authentication DB access control unit 102.

  In step S <b> 1009, the authentication control unit 103 determines whether or not authentication is possible according to the authentication permission / authentication rejection result returned to the authentication DB access control unit 102. If the determination result is authentication permission, the process proceeds to step S1010 after successful authentication. If the authentication is rejected, the process proceeds to step S1011 for the next terminal process.

  A terminal that has not been authenticated in this way cannot connect to the network. This is the same even if the terminal is a printer having no security function. As a result, the security of the network can be maintained.

  In step S1010, the terminal authentication state of the authentication management table T200 is set to “authenticated”, and the value of the VLAN number of the operation VLAN (V1020) is set in the VLAN information T204 to which it belongs. Terminals belonging to the same VIAN can communicate by instructing the hardware of the set VLAN number last.

  As a result, the terminal T1 and the printer terminal P1 belong to the same operation VLAN as the file server S2, and can communicate with each other. In this way, since only authorized terminals and printers can communicate, network security can be maintained.

  Further, by reflecting the MAC address permitted by the authentication control unit 103 in the authentication management table T200, it is possible to prevent the ARP request from being transmitted from the next time as the authenticated terminal.

  In step S1011, the next unauthenticated terminal is waited for the authentication start time. That is, after completing the authentication process of the IP address of one terminal, the next authentication process is not performed during the search interval shown in the various parameter tables T100. As a result, the load on the Ethernet switch SW1 can be reduced.

  As described above, according to the present embodiment, even a terminal that does not perform packet transmission autonomously can be authenticated by the Ethernet switch. At that time, a special protocol is not required for the terminal to be authenticated. Also, no user intervention is required. As a result, the security of the entire network can be increased. Further, when a network device having a security function is changed to a network device having no security function, the changed network device can be authenticated, so that security can be maintained.

  In this way, even a network device that does not transmit packets autonomously can perform authentication processing, so only network devices that are permitted to authenticate are permitted to connect to the network, thus reducing network security. Can be improved.

It is a figure explaining the authentication system (state before authentication) concerning an embodiment. It is a figure explaining the authentication system (state at the time of authentication) concerning embodiment. It is a figure explaining the authentication system (state after authentication) concerning an embodiment. It is a figure explaining the detail of Ethernet switch SW1. It is a figure which shows the table which preserve | saves various parameters. It is a figure which shows the format of an authentication packet (ARP request). It is a figure which shows the authentication management table which manages the state of authentication. It is a figure explaining the MAC address authentication process by an Ethernet switch.

Explanation of symbols

SW1 Ethernet switch T1 Terminal P1 Printer terminal S1 Authentication server S2 having authentication DB File server V1001 Unauthenticated VLAN in which terminal Tl is accommodated
V1002 Unauthenticated VLAN in which printer terminal P1 is accommodated
V1010 Authentication server VLAN in which authentication server S1 is accommodated
V1020 Operational VLAN in which file server S2 is accommodated
101 Parameter control unit 102 Authentication DB access control unit 103 Authentication control unit 104 Network management control unit 105 Request transmission processing unit 106 Reply reception waiting processing unit 200 Authentication DB built in the authentication server S1
201 Authentication DB built in Ethernet switch SW1
A300 Packet data structure of ARP request for authentication A301 Ethernet header part A302 Request data part

Claims (2)

An authentication server, a file server, and a plurality of terminals, and an Ethernet switch having an input / output terminal for connecting the authentication server, the file server, and the plurality of terminals, and switching the connection of the authentication server, the file server, and the plurality of terminals In an MAC (Media Access Control) address automatic authentication system in an Ethernet switch that forms a plurality of VLANs (Virtual LANs),
An authentication status management table storing the authentication status of the terminal and the VLAN information to which the terminal belongs for each IP address and MAC address of the terminal, referring to the table, sending an ARP request to the address of the unauthenticated terminal, An authentication control unit for detecting the presence or absence of a reply to a request is provided. When the presence of the reply is detected, the terminal authentication state of the authentication state management table is changed to “authenticated” according to the MAC address included in the detected reply Then, the MAC address automatic authentication system in the Ethernet switch, wherein the terminal is accommodated in a predetermined VLAN according to the VLAN information. An authentication server, a file server, and a plurality of terminals, and an Ethernet switch having an input / output terminal for connecting the authentication server, the file server, and the plurality of terminals, and switching the connection of the authentication server, the file server, and the plurality of terminals In an MAC (Media Access Control) address automatic authentication device in an Ethernet switch forming a plurality of VLANs (Virtual LANs),
Sending an ARP request to an unauthenticated terminal address with reference to the authentication status management table storing the authentication status of the terminal and VLAN information to which the terminal belongs, for each IP address and MAC address of the terminal, An authentication control unit that detects the presence or absence of a reply to an ARP request;
The authentication control unit changes the terminal authentication state of the authentication state management table to “authenticated” according to the MAC address included in the detected reply, and accommodates the terminal in a predetermined VLAN according to the VLAN information. A MAC address automatic authentication apparatus in an Ethernet switch characterized by the above.

Images