WO2004045173A1 - Network access control system - Google Patents

Abstract

A network access control system comprises a reception unit for receiving an authentication request message containing a request for authentication of the use of a secondary access network, sent from a mobile host that can use a core network using a plurality of different types of access networks including a main access network and at least one secondary access network, and arriving at the core network via the main access network and includes an authentication request for the use of the secondary access network; an authentication unit for performing authentication in response to the request for authentication of the secondary access network; and a transmission unit for transmitting an authentication response message about the secondary access network that arrives st the mobile host via the main access network.

Description

 Description Network Access Control System Technical Field

 The present invention relates to a network access control system that controls access to a network for a terminal capable of performing communication using a core network using a plurality of types of access networks. Background art

 Due to the rapid development of the Internet, IP bucket traffic is increasing rapidly. Furthermore, with the spread of mobile phones, there is a movement to standardize and commercialize IP bucket traffic in the third-generation mobile phone network (International Mobile Telecommunications 2000 (IMT-2000)). It is thought that high-speed IP communication in a mopile environment will spread.

 In addition, the introduction of public wireless LAN connection services is rapidly increasing in highly public areas (eg, stations, shops, etc.). As Internet access means for fixed or mobile hosts (terminals), inexpensive and high-speed access means typified by ADSL (Asymmetric Digital Subscriber Line) are rapidly spreading.

 Most access in public areas was via circuit-switched or bucket-based mobile phones (or data communication cards). These had limitations on the communication speed due to the nature of the network. The communication speed of the so-called second-generation mobile phone network (PDC, etc.) was about 9.6 to 64 kbps, and the communication speed of the third-generation mobile phone network was about 384 kbps while moving and about 2 Mbps when stationary. This speed limitation imposes restrictions on the communication speed of the mobile host's communication environment.

On the other hand, access methods for accessing networks (such as the Internet) at high speed and at low cost are about to appear. For example, wireless public access means using various wireless LAN technologies, such as IEEE802.11b, IEEE802.11a, and Bluetooth, which are superior to mobile phones in terms of communication speed, are being provided. Some businesses are providing access to access. That is, the movement to introduce wireless public access using various wireless LAN technologies such as IEEE 802. lla / b / g is rapidly progressing. Currently, wireless LAN access operators are in actual operation, but have issues with roaming and authentication.

 Furthermore, “ubiquitous” has become a popular keyword in recent years, and it is expected that an access network using an unprecedented method suitable for this will appear in the future.

 In this context, there is a move for mobile phone carriers to provide wireless LAN access networks. For example, a chip has been developed that integrates existing mobile phone functions and wireless LAN functions. This chip will be offered to mobile carriers and is expected to appear as a dual mobile host with integrated cellular and wireless LAN features. Wireless LANs and mobile phones have their own characteristics such as line speed and stability. For this reason, it is expected that the introduction of wireless LAN will be advanced with the aim of increasing the traffic of mobile phones.

 When a mobile operator enters the wireless LAN business, there are the following issues to be resolved.

 (1) Security

 As weaknesses of general wireless LAN (IEEE 802.11 series etc.), problems related to access authentication and confidentiality during communication have been pointed out. This problem is a major problem when providing so-called “carrier-grade” services that have provided high communication security. As a solution to this problem, it is conceivable that a mobile phone operator constructs a dedicated access authentication and charging function. Mobile phone carriers have built dedicated access authentication and billing functions for mobile phone networks. These functions have higher security than wireless LAN.

 However, the authentication function is one of the most expensive functions for constructing a commercial communication network. In addition, access methods based on standards such as wireless LAN have rapid technological progress and short product life. Therefore, considering the profitability of the business, it is difficult to put a high cost on the authentication function.

In addition, multiple single units have insecure access lines (unlike mobile phones, etc., and are themselves insecure lines), each of which uses different protocols for authentication and encrypted communication. If you try to do this, you need multiple certificates to prove the legitimacy of the host, and you need an authentication server to authenticate them according to the number of certificates. This clearly indicates that high costs are incurred, as in the case above.

 (2) Linkage with existing mobile phone networks

 Unlike a new entity that builds a new access network such as a wireless LAN and operates independently, existing mobile phone carriers have an existing mobile phone network. One promising means for mobile phone carriers is to provide the existing mobile phone network and the wireless LAN link function as unique value-added services. For example, in the future of service maturity, it is conceivable that both service personnel will overlap. For this reason, it is desirable to provide the user with the function of “effective use” of both communication means.

 By the way, there is the following prior art document information related to the invention of this application.

 -If the mobile station in the area attempts to perform the authentication procedure before starting the security or other association, to obtain the final permission of the authentication procedure from the network administrator who manages the LAN. An access point device comprising: a notification unit for notifying that there is a mobile station requesting authentication; and an input unit for inputting an instruction to permit or reject authentication of the mobile station by a network administrator. (For example, Patent Document 1).

'This is a mobile communication service providing system that includes a mobile node, a foreign agent (FA), a home agent (HA), and a server system. It has control means for the HA and FA to determine the destination of the bucket. In the server system, extraction means for extracting a service profile corresponding to the mobile node from a database for managing a service profile including information for providing a service requested by the mobile node, and control means for using the extracted service profile It has a service management means for editing in a format that can be edited and a distribution means for distributing the edited service profile to HA and FA. HA and FA provide services by using control means according to the distributed service profile (for example, Patent Document 2). Further, as prior art documents related to the present application, there are techniques disclosed in Patent Documents 3 and 4 below.

 Patent Document 1

 Japanese Patent Application Laid-Open Publication No. 2001-34 5819 (Paragraph 00 15; FIG. 1 and FIG. 3) Patent Document 2

 Japanese Unexamined Patent Publication No. 2001-1327878

 Patent Document 3

 Unexamined Japanese Patent Publication No. 2000-01-16663

 Patent Document 4

 Unexamined Japanese Patent Publication No. Hei 11-210

Disclosure of the invention

 One of the objects of the present invention is to provide a network access control technology which makes it easy to introduce an access network such as a wireless LAN as an access means to a core network.

 Further, another object of the present invention is to provide a network access control technique capable of performing authentication for use of an access network such as a wireless LAN of a terminal with high security.

 Further, another object of the present invention is to provide a network access control technique capable of easily charging a terminal for use of an access network such as a wireless LAN network.

 Another object of the present invention is to provide a network access control technique capable of cooperating between access networks.

 The present invention is a network access control system,

That is, the present invention provides a method for transmitting a message from a terminal capable of using a core network using a plurality of access networks of different types including a main access network and at least one secondary access network, and passing through the main access network. Receiving means for receiving an authentication request message including an authentication request for use of the secondary access network arriving at the core network, authentication means for performing authentication processing for an authentication request of the secondary access network, and the main access network Authentication of the secondary access network reaching the terminal via the Sending means for sending a response message;

including.

 According to the network access control system of the present invention, authentication of the secondary access network is performed using the authentication system of the main access network. Therefore, the secondary access network does not need to have its own authentication system. For this reason, it is easy to introduce a secondary access network. It can also reduce operating costs.

 The main access network is a typical access network defined from among a plurality of access networks that can be used by terminals, and has an authentication RE function. On the other hand, the secondary access network is a concept relative to the primary access network, and among the multiple access networks, the remaining access networks not specified in the primary access network correspond to this. The secondary access network does not have an authentication function, or has an authentication function that is less secure than the authentication function of the main access network. Thus, according to the present invention, since the authentication of the secondary access network is authenticated by the authentication function of the main access network, the authentication of the secondary access network can be performed with high security. In addition, the main access network can further have a charging function.

 Further, in the network access control system according to the present invention, the authentication request message further includes an authentication request for use of the main access network, and the authentication unit is configured to control use of the main access network and the secondary access network. An authentication process may be performed on the authentication request, and the transmitting unit may transmit the authentication response message for the primary access network and the secondary access network to the terminal.

 In this way, the secondary access network can be authenticated simultaneously with the primary access network authentication procedure.

 The transmitting means in the system according to the present invention, when the authentication means authenticates the use of the secondary access network, transmits the authentication response message including the authorized use permission information of the secondary access network. The terminal may notify the authenticated secondary access network of information for using the authenticated secondary access network.

As a result, the terminal connects to the secondary access network and communicates using the secondary access network. It is possible to perform trust.

 The network access control system according to the present invention may further comprise a communication system using the secondary access network and the core network, in which a user of the terminal uses the secondary access network authenticated by the authentication means in accordance with usage conditions previously contracted. It is preferable to further comprise network control means for controlling the core network so that a service is provided.

 This makes it possible to provide a terminal user with a communication service using a secondary access network according to usage conditions.

 The network control means, for example, executes a communication service according to the use condition for the terminal to an edge node accommodating an access line of the authenticated secondary access network used by the mobile host. It is preferable to be configured to notify the user of control information.

 The network access control system according to the present invention may further include a pay-per-use method in a case where the terminal uses the core network using the main access network, and a method in which the terminal uses the core network using the secondary access network. It is preferable to further include a charging unit that performs a process related to both the usage-based charging and the case-based charging.

 In this way, since the usage-based charging for the use of the primary and secondary access networks is performed by the common charging system, introduction of the secondary access network becomes easy and the operation cost can be suppressed. In this case, it is preferable to apply the existing charging system to the secondary access network for the main access network in terms of cost reduction.

 The charging means notifies an edge node accommodating the access line of the authenticated secondary access network used by the terminal of a charging unit for performing metered charging for use of the terminal's secondary access network. It is preferable to include a charging unit notifying unit for calculating the charging unit based on the amount of the charging unit for the terminal measured by the edge node according to the charging unit.

Further, in the network access control system according to the present invention, the authentication unit includes: an authentication request message including an authentication request for the secondary access network from a terminal of a verbal user via the main access network. If received, said mouth An authentication process of the secondary access network for one roaming user is performed in cooperation with a roaming source authentication system, and the transmitting unit transmits an authentication response message to the roaming user authentication process via the main access network. It is preferable to configure so as to transmit to the terminal of the roaming user.

 In this way, roaming users can be provided with access to the primary and secondary access networks through the network access control system according to the present invention.

 In this case, when the authentication unit authenticates the roaming user, the network control unit performs roaming with respect to an edge node accommodating the access line of the authenticated secondary access network used by the terminal of the roaming user. It is preferable to notify the user of control information for providing a communication service in accordance with the usage conditions of the secondary access network of the user.

 Further, the network control system according to the present invention is characterized in that the authentication request message is transmitted when the number of access networks available to the terminal changes due to the terminal moving within a range where the main access network can be used. The network control means includes at least a request for authentication of the access network transmitted from the mobile host and becoming available, and the network control means uses the terminal in response to the reception of the authentication request message by the reception means. The authentication unit performs an authentication process for the access network of the switching destination, and the transmitting unit transmits an authentication response message of the access network of the switching destination authenticated by the authentication unit. Is transmitted to the terminal via the main access network.

 In this way, when another access network (secondary access network) becomes available due to the movement of the terminal, the access network can be switched.

 In this case, it is preferable that the network control means is configured to determine whether to switch the access network according to at least one of the contract contents of the user of the terminal and the current network state.

This makes it possible to avoid switching when it is not desirable to switch the access network. Further, when the network control means includes a plurality of secondary access networks that can be selected as a switching destination, the switching destination is determined based on the contract contents Z of the user of the mobile host or the current network state. It is preferable that the access network is determined.

 In this way, switching can be performed using the most appropriate switching destination access network.

 In addition, the transmitting unit transmits the authentication response message including use permission information of the switching destination access network to the terminal in response to the authentication of the switching destination access network by the authentication unit. The network control means notifies the access network of information for using the switching destination access network, and the network control means according to a usage condition contracted in advance by the user of the terminal with respect to the switching destination access network. An edge node accommodating an access line of the secondary access network of the switching destination used by the terminal is provided in accordance with the usage conditions for the terminal so that a communication service using a core network is provided. It is preferable to configure so as to notify control information for implementing the communication service.

 In this case, when the communication service is performed in cooperation with the switching source edge node and the switching destination edge node, the network control unit performs the cooperation service on the switching source and switching destination edge nodes. It is preferable to notify each of the control information for performing this.

 This makes it possible to provide cooperative services to terminal users.

 Further, the network control means transmits control information for implementing a communication service that maintains communication quality before switching even when an access network is switched, to an edge node that accommodates the switching destination access line. , So that it is preferable to configure. Thereby, deterioration of communication quality due to switching can be suppressed.

 Also, the network control means, when using the same access network of the terminal, when switching an edge node accommodating an access line of an access network used by the terminal, the control information notified to the switching source edge node; Preferably, the same control information is transmitted to the switching destination edge node.

As a result, the terminal user can switch the edge node in the same way as before switching. Service.

 Further, the network control means receives traffic information from an edge node accommodating the access line used by the terminal, and switches the access network to the terminal when the traffic exceeds a predetermined threshold. It is preferable that the request be made.

 In this way, the influence of traffic congestion or the like can be avoided by switching the access network.

 Further, the network control means monitors a position of the terminal, and when the terminal moves to a position where a predetermined subsidiary access network can be used, notifies the terminal of the movement. Is preferred.

 In this way, it is possible to appropriately switch (move) to the secondary access network without the terminal searching for the available position of the secondary access network.

 Further, the receiving means receives the authentication request message including the status information from the terminal, and the network control means determines whether to switch an access line used by the terminal based on the status information. It is preferable to make a configuration such as to judge. Further, the receiving means receives the authentication request message including designation information for designating an access network to be switched from the mobile host, and the network control means comprises: an access network designated by the designation information. Is preferably determined as the switching destination access network.

 In this way, it is possible to switch to the access network desired by the user of the terminal.

Furthermore, the present invention can be specified as an authentication server having functions as a receiving means, an authenticating means, and a transmitting means constituting the above-described network access control system, and an access control server having a function as a network controlling means. it can. In addition, it can be specified as a terminal that uses multiple types of access networks through the network access control system. Further, the present invention can be specified as a network access control method having the above-described features. Simple theory of drawing f¾ FIG. 1 is a diagram showing an example of a network configuration according to the embodiment.

 FIG. 2 is a diagram showing the structure of an access control profile.

 FIG. 3 is a diagram showing an example of an access control profile (common profile, ACP-C).

 FIG. 4 is a diagram showing an example of an access control profile (individual profile, ACP-V).

 FIG. 5 is an explanatory diagram of an operation example according to the access authentication method.

 FIG. 6 is a sequence diagram showing an example of the access control procedure.

 Figure 7 is a diagram showing an example of the format of an authentication request message when cooperating with authentication of the main access line.

 Fig. 8 is a diagram showing an example of the format of an authentication request message (unique message) when not cooperating with the authentication of the main access line.

 FIG. 9 (A) is a diagram showing an example of a functional configuration of the authentication server A A A and the access control server ACS, and FIG. 9 (B) is a diagram showing an example of a functional configuration of the access control device AAAZACS.

 FIG. 10 is a table showing an example of elements of a heterogeneous access line cooperation information database. FIG. 11 is a sequence diagram showing an example of an authentication process for a secondary access line in the authentication server AAA and the access control server ACS. Yes,

 FIG. 12 is a diagram showing an operation example of the common use of the chargeable information collection function, and FIG. 13 is a diagram showing a configuration example of the edge node device (E N).

 FIG. 14 is a sequence diagram illustrating a process of receiving an access control profile in the edge node device.

 Figure 15 is a diagram showing an example of access control for roaming from other network operators (other carriers).

 FIG. 16 is a diagram showing an operation example in the access line selection basic method, and FIG. 17 is a flowchart showing an access network selection mechanism.

 FIG. 18 is a flowchart showing an access network selection mechanism.

 FIG. 19 is a diagram showing an operation example of the access permission procedure.

FIG. 20 is an explanatory diagram of an operation example related to the service continuation cooperation of the mobile between access lines. Yes,

 Figure 21 is a table showing an example of a switch request message from an edge node to an access control server.

 Fig. 22 is a diagram showing an operation example related to switching of access lines according to the state of the peripheral network resources.

 Fig. 23 is a diagram showing an operation example related to automatic acquisition of an access line according to the user's contract conditions.

 Figure 24 is a table showing an example of mobile host information.

 Fig. 25 is a diagram showing an example of operation related to acquisition of an access line based on user terminal requirements.

 Figure 26 is a table showing examples of application function types.

 Fig. 27 is a diagram showing an operation example related to automatic switching of access lines depending on the type of application being used.

 Fig. 28 is a diagram showing an example of the configuration of a network access terminal (mobile host). Fig. 29 is a diagram showing an example of an authentication procedure for a secondary access line at the network access terminal.

 FIG. 30 is a table showing an example of billing information.

 Figure 31 shows an example of the format of an authentication response message when linking with authentication of the main access line.

 Figure 32 is a diagram showing an example of the format of an authentication response message when not cooperating with the authentication of the main access line.

 FIG. 33 is a diagram showing an example of the format of an authentication completion / access permission request message.

 FIG. 34 is a diagram showing an example of the format of the access line change request message, and FIG. 35 is a sequence diagram showing an operation example of the access control device (AAA / ACS). BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, embodiments of the present invention will be described with reference to the drawings. Example of the configuration of the embodiment The present invention is not limited to the configuration of the embodiment.

 <1> Overview of network access control system (Fig. 1)

 FIG. 1 is a diagram showing an embodiment of a network access control system according to the present invention. The embodiment shown in FIG. 1 is generally configured as follows. A plurality of mobile access networks (Wireless Access Networks) are provided for a core network (CN: for example, BB (BackBone network)) of a certain network operator (also called a carrier (NOP (Network Operator))). Will be accommodated. CN is connected to CN of one or more other carriers (BB of another carrier) as shown in FIG. A network system consisting of a CN and multiple mobile access networks provides users (subscribers) with communication services through the use of the core network via the mobile access network.

Various wireless access networks can be applied as the mobile access network. For example, the third-generation mobile phone standard (IMT-2000 (W-CDMA , C dma2000 , etc.)) and the second-generation Mobile phones, cellular saying tongue standard (PDC (Personal Digital Cellular), cdmaOne , etc.) radio access network based on the (RAN: Radio Access Network), wireless LAN networks such as IEEE802. Lla / b / g and HiSWAN, PHS networks, Bluetooth, etc. can be applied.

 One of the mobile access networks connected to the CN is defined as a primary access network (referred to as "PAN: Primary Access Network J"), and the other mobile access networks are designated as secondary access networks ("S AN econdary"). Access Network J) PAN is an access network in which an access authentication system for at least the user's mobile access network has been constructed, but the constructed authentication system provides commercial services. It is desirable that an access network that secures sufficient security is selected as a PAN in order to provide services, for example, as an access network that is preferably selected as a PAN, provided in existing commercial services, 2nd or 3rd generation mobile phone network (P) with a secure access authentication and billing system DC, FOMA (trademark), etc.) The PAN is determined, for example, by the CN carrier.

On the other hand, a SAN is an access network that does not have an access authentication system in its network, or has an access authentication system but its security level is lower than the access network specified as PAN. In addition, SANs allow users to It has one or more areas (service areas) that can be used simultaneously with N. Hopefully all of the service area of SAN will be in the service area of PAN. The access network (PAN and SAN) for the CN may include a fixed access network such as an xDSL network.

 As terminals (fixed or mobile terminals) used by users (subscribers) for providing communication services, for example, a mobile host (MH); a mobile node (MH); a mobile node (MN); User terminal ”or“ subscriber terminal ”applies. The mobile host can be connected to various types of access networks including PAN, and a mobile terminal (Mobile Station) that can use a communication service using CN via each access network. Applied. That is, the terminal can select and use a plurality of access methods.

 The network access control system is composed of, for example, an authentication server (AAA: Authentication, Authorization and Accounting) housed in a CN and an access control server (ACS) on the network side. It controls a plurality of edge node devices (EN: Edge Node) corresponding to each mobile access network.

 In the example shown in FIG. 1, ACS and multiple ENs are connected to AAA. AAA and ACS can be configured with one or more computers that have these functions together. That is, the functions of AAA and ACS may be realized by executing one or more computers by executing various programs stored in the storage device. In other words, AAA and ACS can be configured as an access control device (AAA / ACS) by combining the functions of both.

 Note that AAA corresponds to the receiving means, authentication means, and transmitting means in the present invention, and ACS corresponds to the network control means in the present invention. However, the receiving means, the authenticating means, the transmitting means, and the network control means according to the present invention may be realized by cooperation between AAA and ACS.

The EN corresponding to each mobile access network is configured by adding a function for controlling access to users to a router or a layer 3 switch deployed in the periphery (boundary) of the CN. Functions for controlling access are, for example, router A processor (such as a CPU) mounted on the switch 3 executes the program for realizing the functions stored in the storage device.

 Each EN accommodates at least one access line of the corresponding mobile access network, and is connected to an access point (AP) installed in each mobile access network through the access line.

 That is, the EN (E N-1) connected to the PAN contains at least one PAN access line (PAL: Primary Access Line) and is connected to the S.AN. (EN-2) accommodates at least one SAN access line (Sub Access Line (SAL)).

 The mobile access networks corresponding to the PAN and the SAN respectively have one or more access points AP which also serve as base stations. The EN (EN-1) connected to PAN is connected to the AP (AP-1) of PAN, and the EN (EN-2) connected to SAN is connected to the AP (AP -Connected to 2).

 The terminal (MH) can have the following functions. The following functions are realized by, for example, a processor mounted on the MH executing a program for realizing each function stored in the storage device.

 (a) Access line control function according to multiple access methods (connection method according to access network) for connecting to CN.

 (b) A function of selecting an access line (access method) to be used according to an instruction from a user or a network.

 (c) When authenticating the connection to the access line (PAL) of a typical mobile access network (PAN) specified by the network side, among the types (access methods) of multiple access lines available to the MH. In addition, a function (authentication request control unit) that sends the authentication request to the PAL together with the authentication information about the other access line (SAN access line (SAL)).

(d) Within the MH, between the individual access line control functions (between the PAL access line control function and the SAL access line control function), received from the network side by the PAL access authentication procedure The message processing function (message processing unit) and the authentication information management function (authentication information management unit) that pass the access authentication information (use permission information) for the SAL to the corresponding access line control function. On the other hand, on the network side, AAA has at least the following functions.

(e) A function of receiving and analyzing the authentication request transmitted from the MH, and extracting authentication information on an access line that can be used by the MH (authentication information extracting unit).

 ACS has at least the following functions.

(f) An access network selection function that selects the most suitable switching destination access line type based on the user's usage conditions (for example, the type of access line to be preferentially connected on a contract) or the current network status (Access line type selection unit).

 (g) When the access line of the switching destination is recognized, an access control profile (ACP: Access Control Profile) describing individual access control information for the access line is given to the EN that accommodates the access line. Function (access control profile distribution unit).

 (h) The access control profile database (AC P-DB), which can be used by the ACS, describes the AC P for each user (which describes the use conditions of the access line generated when the service is used). Function (access control profile registration unit). On the network side, EN (EN-1) connected to AP-1 of the PAN and EN (EN-2) connected to AP-2 of the SAN each have the following functions. Can be provided.

 (i) An access control profile management function (access control profile management unit) that stores individual service information (AC P-V) delivered from AAA or ACS for a certain validity period.

 After the authentication procedure of the access line to the MH, the CN performs bucket communication, service control, and the like for the user (MH).

 The network access control system provides a user MH with a communication service using a CN by connecting to a predetermined access line. This communication service is provided on condition that the network authenticates the mobile access network used by the user, and is performed in accordance with the contents of access control (use conditions) for the mobile access network used by the user.

The main feature of the network access control system is that the SAN does not have its own authentication system by performing authentication for SAL using the PAL authentication procedure. It is configured so that it is not necessary. It is also characterized in that a user is charged for using the SAL using a PAL charging system.

 One of the features of the network access control system is that, based on the contract conditions with the user or the carrier's own judgment, the access line that the user (MH) should use while considering the network connection status of the user (MH). Provide a means for selecting

 The original ACP is registered in the AC S-DB after the user and carrier have signed up for a communication service (service use conditions) and the authentication procedure executed when the MH uses the CN. It is delivered to the EN that houses the access line to be controlled as an opportunity. As a method of distributing ACP, for example, a method disclosed in Japanese Patent Application Laid-Open No. 2001-237788 can be applied.

 In this embodiment, the carrier of the mobile access network does not own a specific access means (mobile access network) in addition to the carrier of the CN and the carrier who owns the equipment of the mobile access network. An MVNO (Mobile Virtual Network Operator) that rents a network and provides services to subscribers is also assumed.

 <2> Access control profile (Figures 2, 3, and 4)

 Next, an access control profile (ACP) used for network control in a network access control system will be described. In the network access control system, an ACP that describes the user's usage requirements, such as the type of access line that can be used for each MH user and the selection logic such as priority order, is specified in the user-carrier subscription contract. Hold and manage on the carrier side (network side). Then, the network access control system determines the access line to be used by the user through a data set (that is, an ACP) that enables access line connection control based on the access line use condition for each user. select.

 The ACP specifies the contents of access control on a user-by-user basis. The information specified in the ACP includes the following elements, for example.

 (1) One or more available access line types

(2) Priority among access lines described in the previous section (3) Whether access line is automatically selected

 (4) Hand talent-Vallebenore

 The ACP can be composed of the following two subsets (subcategories).

 (i) ACP common part (ACP-C: Access Control Profile Common-part)

 The AC P-C specifies the types of all access lines available to the user, and the contract information of the user common to these access lines. AC P-C is stored in the ACS-DB and is referenced by AA A and / or ACS.

(ii) ACP individual part (ACP-V: Access Control Profile Variant-part)

 The AC P-V specifies, for each access line available to the user, the usage conditions of each access line and the relationship with other access lines that can be used within the contract range (priority order, cooperation details, etc.). Is done. AC P-V is stored in AC P-DB in association with AC P-C. Alternatively, the AC P-V is generated as necessary based on the specified contents of the AC P-C, network conditions, and the like. The AC P-V is delivered, stored, and held in the EN accommodating the access line used by the MH, triggered by an authentication request or the like for the MH's access line. The EN refers to the received AC P-V and controls access to the MH according to the reference. At this time, the EN can refer to the AC P-V to recognize the cooperative relationship with other access lines and perform the necessary cooperative processing.

 As described above, AC Ps (AC P-C and AC P-V) are defined for each user and stored in the AC P-DB. The AC P-V is extracted by the ACS as additional data when authenticating the connection to the MH access line, and is distributed and held by the corresponding EN. The EN has an access control function, and the access control function of the EN performs access control according to the rules specified in AC P-V.

FIG. 2 is a diagram illustrating a structure of an ACP, FIG. 3 is a diagram illustrating an example of an AC PC, and FIG. 4 is a diagram illustrating an example of an AC PV. As shown in Fig. 2, the AC P is composed of AC P-C and AC P-V. As shown in Fig. 3, the AC P-C has at least the subscriber identification information (NAI etc.) and the usage. One or more types of access lines that can be used, and the priority of selection between access lines, presence or absence of automatic selection of access lines, The information can include information on security level, validity of authentication session, validity of authentication session, and usage authority.

 On the other hand, ACP-V is prepared for each access line type, and as shown in Fig. 4, caro identification information, operation status (currently in use (packet continuity), transfer / blocking), transfer (transfer) It can include information on the leading edge device, authentication cycle, maximum bandwidth, and charging conditions. The data structure of ACP-C and ACP-V can be composed of fields of each information element and possible values.

 <3> First access authentication method (Figs. 5 and 6)

 Next, as a user access authentication method in a network access control system, processing for integrating authentication for a plurality of access lines into one authentication procedure (first access authentication method) will be described.

 The first access authentication method (hereinafter referred to as “first method”) is an MH that can use a plurality of access lines. This is the procedure for obtaining permission to connect to the line. For example, using the authentication procedure used when connecting to PAL, it is possible to perform SAL connection authentication simultaneously with PAL connection authentication.

 For this reason, the mobile host MH transmits the authentication request message for the PAL to the CN including information necessary for the authentication of the predetermined SAL. In contrast, the network access control system integrates and implements the authentication procedure for both PAL and SAL access lines.

 An MH having means for connecting to multiple access lines, when dynamically using individual access lines (migrating from one access line to another access line), when connecting to the destination line, The authentication procedure had to be performed using an authentication system prepared separately from the line before the transfer. The first method solves such a problem.

In the first method, when a certain MH can use a plurality of access lines based on a contract, the authentication procedure for the plurality of access lines is integrated into any one of the authentication procedures. For this reason, the respective devices on the user side (MH side) and the network side related to the network access control system have the following functions. The MH has an authentication request message sending function (authentication request message sending unit) and an authentication response message processing function (authentication response message processing unit).

 The authentication request message sending function is associated with an authentication protocol control function (included in the access line control function) for a certain access line (first access line; for example, PAL). The authentication information on the other coexisting access line (second access line; for example, SAL) is transmitted in the authentication request message for the access line. The MH includes a storage device that stores authentication information corresponding to each access line available to the user.

 The authentication response message processing function relates to the authentication protocol control function for an access line, receives an authentication response message from the AAA, and uses the other access lines included in the authentication response message. The permission information (for example, the packet encryption key) is extracted and stored (cached) in the storage device inside the MH. On the other hand, on the network side, AAA has an authentication request message processing function (authentication request message processing unit).

 The authentication request message processing function is part of the authentication protocol control function provided by AAA. The authentication request message processing function extracts authentication information for the second access line from the authentication request message for the first access line from the MH, performs an authentication operation, and further performs authentication for the first access line. The response message (authentication confirmation message) is accompanied by the authentication response (use permission information) for the second access line, and the response is returned to the MH.

 In addition, the network has a function to enable the MH that has been authenticated (permitted to use) for the first and second access lines to the AP accommodating the SAL to use the access line.

 FIG. 5 is a diagram illustrating an example of the first access authentication method. Fig. 5 shows an example of operation when SAL authentication is performed using the PAL authentication procedure. However, FIG. 5 shows an access control device (AAZAZCS) in which the function of AAA and the function of ACS are integrated.

In FIG. 5, first, the MH detects that it can connect to the PAL and the SAL, and generates an authentication request message for the PAL including the authentication information for the SAL. Send (Fig. 5; (1)). The MH can detect that it can be connected to them, for example, by receiving radio waves from the PAN and the SAN.

 The AAA ACS receives the authentication request message via AP-1 and EN-1 corresponding to the PAN, analyzes the authentication request message, and performs an authentication operation related to PAL and SAL. At this time, the AAA ACS detects that the MH can access the SAL (FIG. 5; (2)). This detection process can be detected based on the contents specified in the ACP of the MH user (usage conditions), the current network state (including the state of the MH), and the like.

 Next, if the authentication result of the PAL and the SAL is valid, the AAA / ACS transmits a message requesting access permission of the MH to the AP (AP-2) corresponding to the SAL ( Figure 5; (3)). This message contains the usage permission information for the AP to allow access from the MH, is transmitted to the AP-2 via EN (EN-2) corresponding to the SAL, and is managed by the AP-2 .

 On the other hand, in order to respond that the authentication result is valid for both PAL and SAL, AAAZAC S generates an authentication response message for PAL including PAL and SAL use permission information and sends it to MH. (Figure 5; (4)). This authentication response message arrives at the MH via PAL. As a result, the MH acquires the PAL and SAL use permission information and caches it. Thereafter, the MH can connect to the SAL using the cached use permission information and receive provision of a communication service using the CN (eg, bucket communication via the CN) (FIG. 5; (Five)).

 FIG. 6 is a sequence diagram showing another operation example of the first access authentication method by the network access control system. However, FIG. 6 shows an operation example in which the operation according to the first method is performed in cooperation between AAA and ACS. The operation example in FIG. 6 is as follows.

The power of the MH is turned on at the current location (PAN usable range (service area) 內) (step S l). Then, an authentication request message for PAL is generated in the MH. At this time, the authentication information for all other access lines (one or more SALs) available at the MH's location is extracted from the storage device in the MH, and the PAL authentication information is required. Request message (step S2). Next, the MH sends an authentication request message for PAL (step S3). The authentication request message is forwarded via the PAN to the CN's edge node EN-1.

 Upon receiving the PAL authentication request message, the edge node EN-1 determines the AAA capable of authenticating the MH corresponding to the request source of the authentication request message, and transfers the authentication request message to the AAA (step S). Four).

 When the AAA receives the authentication request message, the AAA performs an authentication process based on the authentication request, and determines whether the PAL and the SAL to be authenticated can be accessed by authenticating the validity of the requesting MH (step S5). ).

 When the AAA determines that the MH is valid in the authentication process, the AAA sends a message (ACS request message) requesting the ACP corresponding to the MH (user) to the ACS (step S6).

 Upon receiving the ACS request message, the access control server ACS permits access to the SAL available at the location where the MH is located. For this reason, the access control server ACS extracts the user's ACP-C from the ACP-DB and uses it at the location where the MH is located from the heterogeneous access line information database (described later). Extract possible access line type information (applicable access line information corresponding to area code indicating location). For the detection of the location, the method (location registration procedure) applied to the existing mobile phone network can be adopted.

 Then, the ACS compares the access line type of the SAL described on the AC PC with the access line type extracted from the heterogeneous access line database, thereby obtaining an access that the MH can use at the location where the MH is located. Select the line type (step S7).

 If the ACP-C includes ancillary conditions such as priority between access lines, it can be configured so that at least one SAL access line type is selected according to the ancillary conditions. For example, when there are a plurality of access line types that match between databases, the access line with the highest priority can be selected.

Thereafter, the AC S sends the AC P for the MH identified in the ACS request message. An AC response message including (AC P-C and AC P-V) is generated and returned to AAA (step S8). The AC P included in the ACS response message includes an AC P-C, an AC P-V corresponding to the PAL, and an AC PV corresponding to the selected access line type (SAL). Here, as an example, it is assumed that the ACS response message includes the PAL and the ACPV corresponding to each of the one SAL.

AAA receives the AC S reply message, AC S Chi AC P caries included in the response message, to store the management table in the storage device that holds AC PC itself (Step S 9) ₀

 Subsequently, the AAA delivers the plurality of AC P-Vs in the ACS response message to the respective ENs accommodating the access lines (access lines corresponding to the PAL and the SAL) associated with the AC P-V. That is, the AAA transmits the ACP-V of the SAL to the corresponding EN (EN-2) (step S10).

 When the EN-2 receives the AC PV of the SAL, the EN-2 stores the AC P-V in the management entry of the management table prepared on the storage device in the EN-2, and stores the AP corresponding to the EN-2. -Extract the information to be referenced in 2 (AC PV sub-information; for example, the encryption key of the bucket used in the wireless section (between MH-AP2)) and deliver it to AP-2 (Step S11).

 AP-2 under the control of EN-2 (controlling whether or not to transmit a packet to the MH) receives and stores the sub information included in the AC P-V related to the MH as use permission information. As a result, AP-2 enters a state in which access to SAL from the MH can be permitted.

The AAA also sends AC P-V corresponding to the PAL to EN_1 (step SI2). When the EN-1 receives the PAL AC P-V, it performs the same operation as the EN-2, and the information to be referred to by the AP-1 corresponding to the EN-1 (AC PV sub-information: For example, wireless The section transmits the section encryption key) to AP-1 (step S13). AP-1 under EN-1 (controlling whether to transmit a bucket with MH) receives and stores AC PV sub-information related to MH. As a result, AP-1 is in a state where access to the PAL from the MH can be permitted. The operations in steps S10 and S11 and the operations in steps S12 and S13 are a set of operations, respectively. Also, the number of AC PV transmission destinations depends on the AC S determination condition (the number of selected access lines). Further, the AC P-V may be directly transmitted from the ACS to each corresponding EN. Further, the sub information (access permission message) transmitted from the EN to the AP may be held in advance by the EN, or the sub information transmitted from the AAA may be transferred to the AP by the EN.

 By the way, when the AAA performs the authentication processing, it generates an authentication response (authentication confirmation) message including use permission information (for example, a bucket encryption key) for the PAL and the SAL, and transmits the message to the MH. The authentication response message is transferred to the MH via the EN-1 and the AP-1 (PAL) and received by the MH.

 When the MH receives the authentication response message, it extracts the use permission information from this, and stores and manages the use permission information. Then, the access line control function of the SAL in the MH can perform communication using the SAL using the use permission information of the SAL.

 FIG. 7 is a diagram showing an example of a packet (authentication request packet) of an authentication request message sent from the MH. In FIG. 7, the authentication request packet includes, as a payload, authentication information for SAL in addition to authentication information for PAL.

 The SAL authentication information can include the SAL access point number and the SAL address in addition to the user identification information (eg, user name, password, etc .; not shown). Here, if there are a plurality of SALs available at the current location, the SAL authentication information corresponding to each SAL is set as a payload.

 The SAL AP number is a number for identifying the SAL access point. The SAL address is an MH address (for example, a care-of address in the case of Mobile IP) corresponding to a bucket destination address via the SAL. The contents of the PAL authentication information are almost the same as the SAL authentication information.

 In the first access authentication method, it is sufficient that the SAL authentication information is added to the PAL authentication request message. Therefore, the type of PAL does not matter.

As described above, according to the network access control system, authentication for a specific access line is integrated with the authentication procedure for another access line, and authentication for both access lines is performed substantially simultaneously. As a result, even when a specific access network does not have its own authentication system, authentication can be performed by using an authentication system of another existing access line. Therefore, on the network side, when the access network (access line) is switched between different types, the switching can be performed without using an original authentication system for the authentication procedure for the access network to be switched. In addition, it is possible to reduce the cost required when introducing a specific access network as a core network access network.

 <4> Second access authentication method (Figs. 5 and 8)

 Next, a second access authentication method (hereinafter, referred to as a “second method”) by the network access control system according to the present invention will be described.

 The second method is processing related to SAL authentication that is not linked to PAL authentication. That is, the second method is a connection authentication means for an MH capable of using a plurality of access lines and a plurality of access lines capable of using the MH. In the second method, a connection authentication procedure for a certain access line (for example, PAL) can be commonly used with one or more other access lines (for example, SAL). Method), the authentication request for another access line can be sent as an opportunity to send an authentication request for another access line independently of this access line authentication trigger while using the authentication procedure for one access line. To the network. This makes it possible to independently execute connection authentication of a certain access line and connection authentication of another access line as needed.

 The first access authentication method integrates PAL and SAL connection authentication with, for example, the PAL authentication timing (start timing of an authentication session) and executes the PAL authentication procedure (PAL authentication protocol). This first access authentication method is an operation mode mainly when the MH newly requires PAL and SAL connection authentication (registration request), such as when the MH is turned on.

By the way, it is assumed that the validity period of the authentication session for each access line is different from each other. For example, the validity period of a PAL authentication session is 10 minutes, while the validity period of a SAL authentication session is 5 minutes. May be shorter than the validity period of the service. In this case, PAL and SAL The authentication is performed at substantially the same time, and thereafter, the validity period of the SAL authentication session expires before the MH sends the next PAL and SAL authentication request message according to the first access authentication method. , communication is possible force ^s become interrupted with SAL.

 To avoid the above problem, the MH independently generates and sends an SAL authentication request message without waiting for the next processing for sending an authentication request message to the PAL. SAL authentication is performed in the PAL authentication procedure, as in the first method.

 When the MH can use both PAL and SAL, the following method can realize the second method.

 As capabilities of the MH side (user side), the MH has an authentication request message sending function and an authentication response message processing function. The authentication request message sending function in the second method is a PAL protocol control function, which is a PAL authentication request message that contains authentication information (maintained in the MH) not only for PAL but also for other coexisting SALs. It has a function to send a different message (referred to as “unique message”) according to the PAL authentication procedure.

 The authentication response message processing function, as a PAL authentication protocol control function, receives a message including a SAL authentication response to an original message in accordance with the PAL authentication procedure, and includes information on the use of SAL included in this message (for example, The packet encryption key) is extracted and stored (cached) inside the MH.

 On the other hand, it has the following functions as network capabilities.

 -Perform authentication processing using the SAL authentication information included in the original message from the MH received in the authentication protocol control function of AAA, and if the authentication result is valid, the MH performs SAL authentication. A function to send an authentication confirmation message containing information (use permission information) according to the PAL authentication procedure.

 • A function that allows access of the authenticated MH to the access point AP (AP-2) that accommodates SAL.

 The second access authentication method will be described with reference to FIG.

When the MH detects that it can connect to the SAL, the MH uses the authentication protocol control function of the PAL to send an authentication request message (a unique message) including the authentication information for the SAL. Message to AAAZAC S (Fig. 5; (1)).

 The AAA / ACS receives the unique message from the MH and performs the SAL authentication operation. At this time, the MH senses that it can access the SAL (FIG. 5; (2)).

 If the authentication result of the SAL is valid, the AAA / ACS transmits a message requesting access permission of the MH to the access point AP-2 of the SAL via the EN-2 (FIG. 5; (3)).

 The AAAZAC S responds via the P AL that the S AL has been authenticated (FIG. 5; (4)). Thereafter, the MH can perform communication using the SAL (FIG. 55)).

 FIG. 8 is a diagram showing an example of an authentication request bucket (unique message) used in the second method. In FIG. 8, in addition to the user identification information (not shown) as the SAL authentication information, a number for identifying the AP of the SAL to be authenticated by the subscriber is described as the access point number. In addition, as the address for SAL, an address (for example, a care-of address in the case of Mobile IP) equal to the destination address of a packet passing through SAL is described.

 On the other hand, as PAL identification information, information for identifying a normal PAL (for example, a PIN (Personal Identification Number: a digit string for personal authentication) in the case of a PSTN (Public Switched Telephone Network)). , Or NAI).

 In the second method, the authentication information for SAL may be described in the format of the PAL authentication message. Therefore, the type of PAL does not matter.

 According to the second method, even if the validity period of the authentication session differs between PAL and SAL, the SAL authentication session can be updated independently of the PAL authentication cycle and the SAL can be used continuously. it can.

 <5> Authentication server access control server (Fig. 9, 10 and 11)

Next, the authentication server (AAA), the access control device (access control server: (ACS)), and the cooperation of a plurality of access lines by the cooperation of AAA and ACS are described. AAA and ACS recognize the connection between the access line currently in use and the access line that can be transferred if certain conditions related to MH are satisfied at the location where each user (MH) is located. Initiate transition between lines. These automatically generate and distribute the access control profile (AC PV) for the relevant MH to the EN that accommodates the destination access line on the CN side when the transition conditions are met.

 9 (A) and 9 (B) are functional block diagrams showing configuration examples of the authentication server AAA and the access control server ACS. FIG. 10 is a table showing the contents of the heterogeneous access line link information database j. It's a bunore.

 As shown in FIG. 9 (A), AAA includes a user authentication function (user authentication unit) 11, an access line information extraction unit 12, and an ACS message control unit 13 as authentication server functions. ing. The user authentication function 11 controls general functions (user authentication function) as an authentication server. The access line information extractor 12 includes information on the access line to be authenticated (access line information; subscriber identification information, access line type, and MH location) included in the PAL authentication request message (or original message). (Including area code). The ACS message control unit 13 composes a message (ACS request message) for notifying the extracted access line information to the ACS, and sends the message to the access control server (ACS). Also, the ACS message control unit 13 receives the ACS response message from the ACS.

 On the other hand, the ACS has an ACS message processing unit (protocol control) 14, an access control profile (ACP) generation unit 15, and an access control profile (ACP) as access control server functions. ) Transmission section 16, access control information database (AC P-DB) 17, and heterogeneous access line link information database 18.

The ACS message processing unit 14 controls a message used for receiving an ACP request message and transmitting an ACP response message and protocol with the AAA. The ACP generation unit 15 determines the conditions currently available for the access type that the MH requires use (authentication). The ACP sending section 16 performs ACP message conversion (ACP generation). AC P-DB 17 stores and manages AC P in MH units. Database function. The heterogeneous access line link information database 18 manages, as a database, a set of information on access lines that can be used in the managed unit area specified by the carrier.

 As shown in FIG. 10, the heterogeneous access line cooperation information database 18 includes, for example, an area code of PAL, an applicable access line indicating other access lines available in the corresponding area code, and It can be composed of one or more records for each area code with the number of subscribers as an element.

 Note that the functions of AAA and ACS shown in FIG. 9A can be specified by a configuration example as shown in FIG. 9B. FIG. 9 (B) shows an access control device (AAA / ACS) having AAA and ACS functions. AAAZACS has a user authentication function 19, a message processing section 20, It is specified as a device including a protocol control unit 21, an access control unit 22, and a user / terminal database 23.

 The message processing unit 20 corresponds to the ACS message processing unit 14 and the ACP transmission unit 16 shown in FIG. Still, the protocol control unit 21 and the access control unit 22 correspond to the ACP generation unit 15 and the ACP transmission unit 16 shown in FIG. 9 (A). The user's terminal database 23 corresponds to the ACP-DB 17 and the heterogeneous access line cooperation information database 18 shown in FIG. 9 (A).

 Next, it is assumed that the PAL is a third-generation mobile phone network (for example, a W-CDMA network) and the SAL is an IEEE802.lib network. An example of the operation of AAA and ACS when moving to an area accessible to both SAL will be described.

FIG. 11 is a flowchart showing the processing of AAA and ACS. In FIG. 11, first, the AAA receives an authentication request message (including the SAL authentication information) from the MH (step S001). Then, the AAA user authentication unit extracts authentication information from the authentication request message and performs an authentication process (S002). Further, the access line information extraction unit extracts access line information to be authenticated from the authentication request message (S003), and the ACS message control unit generates an ACS request message including the extracted access line information. And send it to ACS. The ACS request message is received by the ACS message processing unit of the ACS and passed to the ACS generation unit. The ACP generation unit references the ACP_DB and the heterogeneous access line link information database using the access line information included in the ACS request message, and determines the location of the user and the user's subscription contract. Based on predetermined conditions such as usage conditions (defined content in ACP), it is determined whether the user can access SAL or not (SAL availability) (S004).

 If the ACP generation unit can permit the MH to use the SAL, the ACP transmission unit generates each AC PV for the PAL and the SAL (S005), and includes an ACS response message including the generated AC PV. Generate At this time, the selection criteria of the access line according to the service content specified in the AC P-V can also be described in the AC P-V. The ACS response message is transmitted from the ACS message processing unit to AAA.

 When the ACS message control unit of the AAA receives the ACS response message, the access line information extracting unit extracts each ACPV included in the response message. AAA transmits each ACP-V to the corresponding EN, respectively (S006). In addition, the user authentication function transmits an authentication response message including the PAL and SAL use permission information to the MH via the PAL (S007). The AAA transmits a message including information for permitting the MH to use the PAL and the SAL to each AP corresponding to the message (S008).

 In the process described above, the process of transmitting the AC P-V to the EN and the process of transmitting the usage permission information to the AP may be performed on the ACS side. The AAA may perform the authentication process only for the access network (access line) permitted to access by the ACS. Also, if the ACS determines that access is not possible, the AAA may send an authentication rejection message for the access line to the MH. '

 FIG. 35 is a sequence diagram showing an operation of the access control device (AAA-no ACS) as shown in FIG. 9 (B).

In FIG. 35, first, the message processing unit (message receiving unit) 20 receives an authentication request message (see FIG. 7) from the MH (S111). Then, the message processing unit 111 passes the authentication request message to the access control unit 22. (S 1 1 2).

 Then, the access control unit 22 passes the authentication request message to the user authentication function (authentication server function) 19 (S113). Then, the user authentication function 19 refers to the user / terminal database 23 (S114) and performs a user authentication process (S115). The user authentication function 19 returns the result of the user authentication process to the access control unit 22 as a user authentication response (S116).

 Then, the access control unit 22 refers to the ACP (AC P-C, AC PV) of the user requesting the authentication request message held in the user's terminal database 23 (S 1 1 7). Then, the access control unit 22 determines whether the user can access the access line Z or not (S118).

 If the user can be permitted to use the access line, the access control unit 22 notifies the protocol control unit 21 to that effect (S119). Then, the protocol control unit 21 generates an access control profile (AC P-V) to be notified to the corresponding EN and an (bucket) encryption / decryption key to be used when using the access line. (S120). Then, the protocol control unit 21 passes the generated AC P-V and the encryption / decryption key to the message processing unit 20 (S122).

 Then, the message processing unit 20 transmits the AC P-V and the encryption / decryption key to the EN accommodating the access line permitted to use (S122). Subsequently, the message processing unit 20 generates an authentication response message (see FIG. 31) including the encrypted Z-decryption key, and transmits it to the terminal (MH) of the user (S12). 3). The authentication response message arrives at the relevant MH via the primary access line (PAL).

 Details of S117 to S123 in the above-described procedure (an example of a circuit selection procedure) are as follows.

 <Procedure 1> In S118, the access control unit 22 refers to “Subscriber identification information” of item 1 of the ACPC (see FIG. 3) in the database 23, and issues the ACPC power authentication request. Check the profile of the user (terminal) that requested the message.

<Procedure 2> In step S118, if the confirmation in step 1 has been completed normally (the profile and the terminal identification information match), the access control unit 22 will return to the item No. 2 of the AC P-C. See "Available Access Lines". Here, for example, it is assumed that it is recognized that “PHS (Personal Handy phone System)” is available as a main access line and “Public wireless LAN” is available as a secondary access line.

 <Procedure 3> In S118, the access control unit 22 next refers to ACPC-C No. 3 “selection priority” and determines the priority of the line that the user wishes to connect to. For example, it recognizes that the contract content uses public wireless LAN as the first candidate and uses PHS as the second candidate. However, in the final decision of the line to which the user is allowed to connect (access), the network operator must confirm that the access line of the public wireless LAN has free space.

 <Step 4> In step 3, for example, if the conditions for judging that the user can provide (use) a public wireless LAN are met, the network encrypts the bucket for the user to the user. / Access is granted by distributing the decryption key (S119-S123). At this time, in S120, the time at which the predetermined access validity period ends from the time of the permission is set in the profile (ACP-V).

<6> Standardization of chargeable information collection function (Fig. 12)

 Next, a method of charging for the amount of use in an access line (for example, a public wireless LAN service) introduced by a carrier as a SAL (a pay-as-you-go SAL method) will be described.

 As a charging method other than the flat-rate service, a predetermined unit of measurement (access authentication time, packet transmission / reception amount, etc.) can be measured, and usage-based charging according to the authentication time and bucket volume can be performed. At this time, the charging system that the carrier has already established for PAL is used for SAL charging without preparing a dedicated charging mechanism for each SAL. This makes it easier to introduce a new access network to the CN and reduces operating costs.

In this embodiment, the following functions are added to the network side so that the PAL and SAL charging information are shared. That is, the AAA functions as an authentication server and a billing server, and has a function of transmitting MH identification information and billing conditions to an EN that accommodates the SAL during SAL authentication. Billing conditions can include billing target, billing unit, and billing unit price. it can.

 As the charging condition, for example, MH packet communication using SAL is specified as a charging target, the amount of packet transmission / reception is specified as a charging unit, and the charge per unit packet amount is specified as a charging unit price. . The EN is notified of at least the charging unit in the charging conditions. Note that a bucket according to a specific protocol can be designated as a charge target.

 On the other hand, the EN accommodating the SAL has a function to measure the amount (for example, the amount of packet transmission / reception) according to the charging unit based on the identification information of the MH received from the AAA and the charging condition (at least the charging unit). . Furthermore, the EN that accommodates the SAL has a function to periodically transmit the amount corresponding to the measured charging unit to the AAA as charging information. FIG. 12 is a diagram illustrating an operation example of the SAL pay-as-you-go. An operation example will be described with reference to FIGS.

 At the time of authentication of the SAL, the AAA transmits, to the EN (EN-2) accommodating the SAL, identification information of the corresponding MH and information indicating a charging unit (amount of transmitted / received buckets) (Fig. 12; (1)). This information can be included in the ACP-V (see Figure 4, “6. Billing conditions”).

 Thereafter, when the MH performs packet communication using the SAL, the EN-2 specifies the MH using the identification information of the MH received from the AAA, and based on the information of the charging unit related to the MH, the EN-2 specifies the MH. The bucket transmission / reception amount in the MH bucket communication is measured (FIG. 12; (2)). In this way, the edge router counts the amount based on the charging unit such as the amount of packet transmission / reception. The condition of the packet to be counted can be determined by the contents set by AC P-V.

 Then, EN-2 periodically sends accounting information (measured packet transmission / reception volume) including the packet transmission / reception volume to AAA (Fig. 12; (3)). FIG. 30 shows an example of the billing information transmitted here. As shown in FIG. 30, the billing information is configured as a record including, for example, user identification information (eg, NAI), applicable access line type, and packet transmission / reception amount (eg, number of buckets). You.

The AAA has information on the charging conditions (charging target, charging unit, and charging unit price) for the MH. When receiving the charging information from EN-2, the AAA uses the information on the charging unit price. Then, calculate the fee for using the SAL for the MH. In the example shown in FIG. 30, A AA calculates the billing amount by multiplying the number of packets by the billing unit price.

 In this way, the existing charging systems (AAA and EN) prepared for PAL perform charging processing for the use of the access line specified as SAL. Therefore, there is no need to prepare a billing system for SAL separately from PAL in advance.

 As described above, the process of transmitting the identification information and the charging condition is performed by the AAA transmitting the AC P-V for SAL to the MH user including the identification information and the charging condition to the EN-2. May be.

 <7> Edge node device (Figures 13 and 14)

 Next, the edge node device (EN) will be described. The edge node device is installed at the edge of the CN and performs access control in units of MH in addition to a general router function. At least one edge node device is provided for each access line type. However, it can be deployed in a range of subscriber areas defined by geographical or population density.

 The edge node device generally includes an edge router function, an access control profile delivery message protocol control function (ACS delivery message control function), and an access control profile retention storage function (ACS retention storage function). , An access authentication information management function, an access filter function, and an individual condition packet transfer function. The edge node function is a function that governs the functions that a router generally has (such as bucket routing and forwarding).

 The ACS delivery message protocol control function is a function to control the processing related to the message (ACS delivery message) containing the ACS of each MH delivered from the ACS or AAA, and receives the ACS delivery message. Then, this is analyzed and ACS is extracted.

The ACS holding and storing function is a storage means for holding the ACS extracted by the ACS sending message protocol control function in the EN for a certain validity period and a management function thereof. The ACS management function manages each ACS in accordance with, for example, an expiration date (eg, deletes an ACS after its expiration date). The access authentication information management function is a function for managing whether access to the MH is enabled or disabled for each MH based on the authentication information (authentication result and the like) transmitted from the AAA. The access filter function is a function that cooperates with the access authentication information management function and rejects (discards) the bucket related to the MH if access to the MH is not possible.

 The individual condition packet transfer function is a function to transfer the bucket of the applicable MH to a predetermined destination in accordance with the bucket transfer condition (transition condition) described in the ACS, in cooperation with the ACS holding and storing function.

 FIG. 13 is a diagram illustrating a configuration example of an edge node device. In FIG. 13, the edge node device (EN) includes a message transmitting / receiving unit 24, a protocol control unit 25, an access control unit 26, and a service information management unit 27. These can be realized by a processor (including a memory) mounted on the edge node device executing a predetermined program.

 The message transmitting / receiving unit 24 implements an edge node function. The message transmitting / receiving unit 24 manages an individual condition packet transfer function based on information from the service information management unit 27. The protocol control unit 25 implements an ACS delivery message protocol control function. The access control unit 26 implements an access filter function. The service information management unit 27 implements an ACS holding / storing function and an access authentication information management function.

 FIG. 14 is a sequence diagram showing an ACS reception process in the edge node device having the configuration shown in FIG. Using Fig. 14, a certain MH user moves to an area that can access PAL (for example, W-CDMA network) and an area that can access PAL and SAL (for example, IEEE802.lib network). An operation example of the edge node device in the case of the above will be described.

 When the MH performs the PAL and SAL authentication procedures and receives authentication permission for both, the AAA or ACSS sends an AC P to each edge node device accommodating the PAL and SAL, according to the MH and the access line type. Send a message containing (AC P-V) (AC P delivery message).

In each edge node device accommodating the PAL and the SAL, the message transmitting / receiving unit 24 receives the ACP delivery message (S011), and the protocol control unit 2 Pass to 5 (SO 1 2). The protocol control unit 25 analyzes the message, extracts the AC P-V from the message, and uses the access control contents (service information) described in the ACP-V as the access control unit 26 and the service information management unit. Set (store) in 27 (SO 13). For example, when the contents of the access control are forwarded to the SAL EN when the packet addressed to the MH received by the PAL EN is transmitted, the protocol control unit 25 transmits such a setting to the access control unit 26 and the service information. Set to management section 27.

 Thereafter, when the message transmitting / receiving unit 24 receives the bucket addressed to the MH (S014), the message transmitting / receiving unit 24 refers to the contents of the access control set in the access control unit 26 and / or the service information management unit 27, and The processing is performed (S0115). For example, when the PAL EN receives a packet addressed to the MH, the message transmitting / receiving unit 24 refers to the access control contents by the access control unit 26 and the service information managed by the service information management unit 27. Based on these, the packet is transferred to the SAL EN, and the SAL EN transfers the packet to the MH via the SAL. Also, depending on the contents of the access control set for each EN of PAL and SAL, for example, when inputting a password, communication is performed through PAL, and for other buckets, a bucket is sent from EN of PAL to EN of SAL. Control such as transfer can be performed.

 <8> Access control for roaming from other network operators (Fig. 15) For users who subscribe to and use wireless hosts of other carriers, as roaming users, users who are compatible with the wireless communication system In some cases, a network access line is used. As an access authentication method in this case, the access authentication of the roaming mobile host is transferred from the other carrier network to the authentication device of the own carrier network, and a temporary access control profile dedicated to the mouthing user is issued. The use of the access line of the own network is permitted.

 When MH can use both PAL and SAL, the following functions enable the authentication method in this section.

 As the capabilities of MH, MH has the following functions.

 -As a PAL protocol control function, a function to send authentication information (maintained in the MH) not only for itself but also for other coexisting SALs.

• As an authentication protocol control function of PAL, reception of authentication response message for SAL A function that extracts information (such as a bucket encryption key) related to the communication and the use of the SAL contained in it, and stores (caches) this inside the MH.

 The network side capability (roaming source) has the following functions.

 • A function that authenticates with the SAL authentication request message received by the “authentication protocol control function” of AAA and sends the SAL authentication result to the roaming destination. In addition, this function transfers the MH access permission notification received from the roaming source to the MH.

 In addition, the network side capability (roaming destination) has a function to make the authenticated MH available to the AP accommodating the SAL based on the authentication result for the SAL received from the verbal source.

 FIG. 15 is a diagram showing an operation example of access control for roaming from another N 他 P. The contents of the operation example shown in FIG. 15 are as follows.

 MH is the MH of the user who has subscribed to another carrier's network (roaming source network). When the MH detects that it is possible to connect to the SAL at a location where the PAL and SAL are available by roaming using the existing method, the MH sends the SAL authentication request message via the PAL to the source network of the roaming source. (Fig. 15; (1)). At this time, the format of the authentication message (see FIGS. 7 and 8) applied in the first and second methods described above can be applied as the authentication request message.

 The roaming source authentication server senses that the MH can also access the SAL when authenticating the SAL authentication request (FIG. 15; (2)).

 The roaming source authentication server sends an authentication complete message to the roaming destination network (CN) authentication server (AAA) (Fig. 15; (3)). Note that the message format as shown in Fig. 31 can be applied as a message requesting (requesting) access permission. The message may include an encryption / decryption key between the terminal and the access point.

 The roaming destination AAA sends a message requesting access permission of the corresponding MH to the EN and AP accommodating the SAL (Fig. 15; (4)).

The roaming destination AAA authenticates the SAL to the roaming source authentication server. (Fig. 15; (5)), and the roaming source authentication server responds to the MH that the SAL has been authenticated via PAL by sending an authentication response message (Fig. 15; (5)). 6)). Thereafter, the MH can perform communication using the SAL (Fig. 15; (7)).

 <9> Basic access line selection method (Fig. 16)

 In the network access control system, the authentication service control device determines and permits the access line to be connected from the contents of the access control profile for the user to be authenticated and the state of the network, and notifies the user of this. Specifically, the access line to be connected is selected based on the priority of coordination of multiple access lines (variable depending on time, location, etc.).

 This section describes the basic procedure for selecting an access line in the access control server (ACS). The ACS is a part of the authentication server or a device that cooperates with the authentication server, and has a function of selecting an access line to be assigned to the user (MH).

 The access line selection logic executed in the ACS will be described.

(9-1) Initial registration:

 This case corresponds to the case where the authentication session does not exist (the latest authentication session has expired) at the time when the MH sends the authentication request message (at the time of sending the registration request for the mobile host).

 1. When the authentication of the user (MH) is successfully completed by AAA, AAA sends an access line selection request (ACS request message) to ACS.

 2. The ACS references the ACP for the user, drawn from the ACP-DB in conjunction with the MH's authentication procedure.

 3. At this time, as an optional function, the communication status (network status) is transmitted to the ACS together with the communication status (communication parameters) such as the received radio wave intensity of the MH transmitted from the MH in the authentication procedure. It can be used as a parameter of access line selection logic in ACS.

 4. The ACS selects the destination access line based on the ACP (and communication parameters).

5. If the communication parameters are used as parameters of the selection logic, the ACS shall: First, determine the destination access line, and then refer to the communication parameters as necessary.

 6. For the selected destination access line, generate an access control individual profile (AC P-V) that includes this communication parameter.

 7. The generated AC P-V is delivered to the corresponding edge node (EN) by profile delivery message and used for access control.

 8. If the selected line is SAL, the ACS will also deliver the corresponding AC P-V to the EN containing the PAL. However, the control state (operating state) in AC P-V at this time is “blocked state”, that is, it indicates that EN of PAL is not provided for data transfer of the corresponding MH at this time.

 9. On the other hand, the AC P-V is distributed by a profile delivery message to the EN that houses the source access line. However, the “operating state” of the AC P-V is “forwarding” for the transfer source. This is because the bucket to the mobile host, which had passed through the edge node before the migration, was transferred to the edge node of the migration destination, so that the mobile host currently accommodated in the access line of the migration destination was transferred to the mobile host. The bucket is delivered.

 (9-12) At the time of line transfer

 This case corresponds to the case where the MH has an authentication session before expiration of the validity period and is already using some access line.

 1. The ACS in the CN detects (selects) the transition of the access line under certain conditions for the MH. This operates as a periodic monitoring program in the ACS.However, at this point, since the latest state of the MH is not known, the ACS detects the access line of the migration destination to be detected only as a candidate for the migration destination. Detected as

 2. When the candidate for the destination access line is determined, the ACS waits for the arrival of the next authentication request message among the periodic authentication request messages of the MH.

 3. When the MH sends a periodic authentication message, the communication status (received radio field strength, etc.) of both the PAL and SAL related to the MH at this time is incorporated as a parameter in the authentication request message, and reaches the AAA.

4. The AAA extracts the MH communication state parameter and sends it to the ACS. 5. The ACS receiving the MH communication state parameter uses the communication state parameter to determine whether the previously detected migration destination candidate is available. If the migration is possible (for example, the area code of the selected destination access line matches the MH location information), the AAA authenticates the access line migration instruction (including the destination access line type) in an authentication response. Notify the MH in the message.

 6. Upon receiving the authentication response message for the periodic registration, the MH recognizes that the access line transfer has been instructed. For this reason, the protocol control function in the MH switches the valid access line to the migration destination access line included in the authentication response message. As a result, thereafter, communication on the access line of the transfer destination becomes possible.

7. On the other hand, in the CN, the corresponding AC PV is distributed to the EN accommodating the destination access line selected by the ACS and the EN accommodating the source access line by profile delivery message. . However, the “operating state” of the AC P-V delivered to the source EN is in the “forwarding” state. This is because packets to the MH that passed through the relevant EN before the transfer of the access line are transferred to the target EN to reach the relevant MH currently accommodated in the target access line. It is to make it.

 FIG. 16 is a diagram showing an example of the control procedure in this section, and FIGS. 17 and 18 are flowcharts showing an access network selection mechanism.

 In FIGS. 17 and 18, the AAA receives the authentication request message from the MH (S021), and performs a normal authentication process (user authentication message process; S022). In order to determine the access network (access line type) to be permitted to use, it requests the ACS to determine the access line type.

Specifically, the AAA extracts the AC P-C prepared for each MH from the AC P-DB (S023). At this time, if the AC PC is obtained (S024; YES), the mobile host information (communication state parameter; radio wave) included in the authentication request message sent from the MH to the extracted AC PC is transmitted. State, etc.) and notify the ACS. That is, the AAA gives the ACS an access line selection request including the AC P-C, the state of the authentication session, the radio wave condition of the terminal, and the like. If there is no AC P-C (S 0 24; NO), the process proceeds to S 0 25. Thereafter, the AAA waits for a response to the access line selection request from the ACS. Upon receiving the response message from the ACS, the AAA updates the authentication session management information (S025) and generates an authentication response message (S026). That is, the AAA sends the access network information included in the response message (access control information including the access network (access line type) assigned to the MH) included in the authentication response message to the terminal (S 0 2 7). Then, the AAA returns to the message waiting state.

 On the other hand, when the ACS receives a request to determine an access network (access line selection request; access control request message) from the AAA, the ACS determines whether or not there is an authentication session for the MH from the communication state parameter included in the request message. (S032). At this time, if an authentication session exists (periodic update) (S032; NO), the ACS has previously generated access authentication information for this MH and holds it in conjunction with the authentication session. Will be. For this reason, if the authentication session of the mobile host is valid, the ACS retrieves the currently used access line type from the management table (access control management table) in the ACS (S034), and executes the latest mobile communication. The access network is determined (S036) in comparison with the host status (access line in use) (S036). At this time, the AAA changes the type of access line being used if necessary.

 On the other hand, if there is no authentication session (S032; YES), that is, in the case of initial registration, the information is transmitted from AAA simply by referring to the MH communication status parameters (such as radio wave status) transmitted from MH. Based on the judgment rule described in the AC PC, the access line type (access network) is selected or determined (S033).

When the access network is determined, the determination processing of S037 is performed, and based on the determination result, the access network-specific control information (AC P-V) is transmitted to the determined access network side EN. I do. In other words, if the AC S makes a NO determination in S 037 (if the selected candidate is not a secondary access line), the AC S executes the AC P with respect to the PAL as the main access line profile distribution processing. -Generate V (S041), generate an access control profile delivery message (S042), and send it to the corresponding EN (S043). On the other hand, if the selected access network is SAN (SA L) In (S 037; YE S), as a secondary access line profile distribution process, an AC P-V for the SAL is generated (S 0 38), and an access control profile delivery message is generated (S 0 3 9), and send it out to the corresponding EN (S040). In this case, profile distribution processing for the main access line (S041 to S043) is performed, and ACP-V is also transmitted to EN on the PAN (PAL) side. However, the content of the operation status indication in this AC PV is “blocking (non-use) J of the relevant line”.

 After the processing of S043, an access line selection response (determined access network) is returned to AAA. After that, the ACS stores the AC P-C in the AC P-DB and returns to the message waiting state.

 Alternatively, instead of the operations shown in FIGS. 17 and 18, the AC P-V may be transmitted to the corresponding EN via AAA.

 When the access line type used by the MH shifts from PAL to SAL, the operation after the operation example shown in FIGS. 17 and 18 is as shown in FIG. 16, for example. That is, as shown in FIG. 16, after the authentication by AAA is completed, the AC P-V is delivered to each EN corresponding to the PAL and the SAL (FIG. 16; (1)).

 Upon receiving the bucket addressed to the MH, the EN accommodating each of the PAL and the SAL interprets the operation state of the packet with reference to the AC P-V. At this time, if the access line accommodated by the EN is not an access line suitable for transmitting the packet, the EN transfers the packet to the other EN. The destination EN sends the packet received from the source EN to the MH via its own access line (Fig. 16; (2)).

 On the other hand, the MH sends a bucket to the CN via the access line corresponding to the transfer destination according to the transfer instruction included in the authentication response message (to the host accommodated by the BB of another carrier connected to the CN). Bucket) (Fig. 16; (3)).

 <10) Access permission procedure (Fig. 19)

Next, an access permission procedure in the network access control system will be described. After deciding the type of access line to be used for the MH network connection via the authentication / access line, the following method is used as a means to allow MH access. Use order.

 When the AC P-V is delivered to the EN that houses the SAL, the EN will be based on the authentication information previously exchanged between the MH and the network by the PAL authentication procedure for the containing access line. To allow data communication via SAL.

 That is, based on the authentication information, the authentication information of the MH is transmitted to the EN accommodating the SAL. This authentication information is included in the AC P-V. Upon receiving the authentication information, the EN recognizes the contents of the AC P-V and performs an operation of permitting access with respect to the MH. This permissible procedure corresponds to, for example, an operation of registering the MAC address of a registered MH in the case of a wireless LAN access point.

 On the MH side, the received authentication information is notified to the SAL protocol control device, and when it is received, the state becomes the same as the completion of various authentication procedures on the normal access line.

 The functions and procedures necessary for the access permission procedure in this section are as follows. That is, A A A has an authentication information generation function. The authentication information generation function is to generate the authentication information of the SAL after the validity of the MH itself for the SAL is guaranteed in the authentication procedure using the PAL of the MH.

 ACS has a function of transmitting authentication information. This delivery function is a function to deliver the authentication information of the SAL that is going to newly start use (migrate from the migration source) to the MH by the authentication procedure using PAL (transmission of the authentication response message via PAL). It is.

 The MH has a function of extracting authentication information. The MH that has received the authentication information extracts authentication information (for example, a bucket encryption key) related to the SAL included in the authentication response message, and notifies the SAL protocol control function inside the MH of the extracted authentication information. In addition, the protocol control function of the SAL in the MH that has received the notification of the authentication information stores the authentication information and uses it in the subsequent data communication.

EN has a function to release access restrictions on the network side. On the network side, the authentication information generated by the ACS is delivered by an access control information delivery message (the message for delivery of the ACPV) to the EN that contains the SAL that the MH wants to start communication. The EN that received this message sends the SA The authentication information of L is extracted and held, and based on this authentication information, the bucket is subjected to the forwarding control so as to pass the bucket transmitted from the MH to the SAL.

 FIG. 19 is a diagram illustrating an operation example according to the access permission procedure. The contents of the access permission procedure shown in Figure 19 are as follows.

 If it is authenticated that the MH to be authenticated has the access right in SAL, the AAA sends an authentication completion message (authentication confirmation message) to the AP accommodating the MH. This authentication completion message includes the SAL use permission information (for example, information such as the encryption key between the MH and the AP) (Fig. 19; (1)). At this time, an authentication completion message having a format as shown in FIG. 33 can be applied.

 A A A sends an authentication confirmation (authentication response) message to the corresponding MH via PAL. This authentication confirmation message includes the SAL use permission information (for example, information such as the encryption key between the mobile host and the access point) (Fig. 19; (2)). At this time, an authentication response message having a format as shown in FIGS. 31 and 32 can be applied.

 Thereafter, the MH can perform secure communication via the SAL using the use permission information (encryption key, etc.) distributed to the MH and the AP (FIG. 19; (3)).

 <11> “Heterogeneous” service continuity cooperation between access lines when moving between access lines (Figure 20)

 Next, a configuration in the network access control system for detecting the movement of the MH on the network side and enabling connection setting to the destination will be described.

 When the MH moves between heterogeneous access lines, there may be differences in the characteristics (for example, line speed) of the access network before and after the move, depending on the judgment of the ACS in the CN. For example, suppose that the MH using the public wireless LAN service has moved out of the area where the public wireless LAN service is provided by physical movement to an area where only the PDC is provided.

When such an access-to-access-network movement occurs, the ACS recognizes this, and With regard to the quality of the application used in the access network, the priority of the quality content is specified in advance, and the AC P-V including the content that maintains the high-priority quality item as much as possible is delivered to the destination EN .

 For example, suppose that a user who was browsing the Web using a wireless LAN moved to another wireless access line of a different system due to the movement of a user who was browsing the Web, and a reduction in communication speed was unavoidable. .

 In such a case, as a usage requirement on the user side, for example, there may be a case where the user desires to maintain the communication speed (response time) at the same level as before the transition (within the limits of the line characteristics). On the other hand, for example, in accessing image data, there is a method of avoiding a decrease in response time by reducing the number of colors or improving a compression ratio without changing the display size. Other users may want to maintain the quality of the acquired content regardless of the response time.

 In response to such usage conditions, the ACS compares the difference between the access line type of the transfer destination and the control content of the current access line (the transfer source) in the access line switching procedure, and according to the user, Extract items (based on contract conditions) that prioritize quality maintenance, and generate AC PV for the destination line that has contents (parameters) that can maintain quality regardless of line transfer for this item, Deliver to the EN that houses the access line at the transition destination.

 According to the contents of the AC PV, the EN of the transfer destination receives the MH for the access line to be transferred to the relevant MH based on the specified priority items and parameters described in the AC PV. Perform control.

 FIG. 20 is an explanatory diagram of an operation example according to a control procedure of service continuation cooperation between access lines. The contents of the operation example shown in FIG. 20 are as follows.

After the authentication of the destination access line by AAA is completed, the ACS controls access control for the EN (old EN) that accommodates the source access line and the EN (new EN) that accommodates the destination access line. An AC PV (service information) containing the contents is transmitted (FIG. 20; (1)). At this time, the AAA can transmit an access permission request message having a format as shown in Fig. 33 to each EN.If the packet addressed to the MH reaches the old EN, the old EN AC P- V (service The bucket is forwarded to the new EN according to the contents of the new information (Fig. 20; (2)).

 The old EN notifies the applicable MH that the service content of the bucket addressed to the relevant MH is different from the content described in the APC-V (Fig. 20; (3)). At this time, the old EN can notify the MH using the message format as shown in Figure 33.

 The corresponding MH requests the correspondent node (CN: Correspondent Node) to change the setting of the transmission packet as needed (Fig. 20; (4)). At this time, the MH transmits an application-dependent message to the other node such that a request message according to the protocol of the application (eg, streaming) to be applied is transmitted.

 <12> `` Same type '' when moving between access lines Continuing service coordination between access lines Next, the network access control system detects the movement of the mobile host on the network side and can set the connection to the destination Will be described.

 When the MH moves between access lines of the same type with different ENs accommodated by the judgment of the ACS in the CN, the ACS in the CN transfers the AC P-V generated for the MH to the migration destination. Distribute to EN. This makes it possible to distribute the AC P-V at a higher speed than when the AC P-V is generated for the first time.

 <13> Switching method 1 (switching of access lines depending on the state of peripheral network resources; Figs. 21 and 22)

 Next, if the currently used access line in the network access control system approaches the limit of the number of accommodated subscribers, and if performance degradation is expected, subscribers who meet certain contract conditions will be given extra capacity. A configuration that enables reconnection to another access line with a link will be described.

The network access control system can switch and shift access lines based on resource status that depends on traffic conditions in the network. For example, when the MH is performing data communication using a PDC network as an access line, the voice circuit switching network in the PDC network may be temporarily congested (due to special events such as year-end). . In such a case, call switching is generally performed on the exchange side. Similarly, the EN that accommodates each access line has traffic The EN monitors the status of the traffic and exceeds a certain threshold value. Ask to initiate a line transfer.

 The ACS receiving this request selects a transferable MH according to the line transfer logic, and switches the access line for this MH.

 FIG. 21 is a table showing an example of a switching occurrence request message. The message No. 1 in Fig. 21 is a request message sent from the EN to the ACS to request movement to another access network.Because the access network accommodated by the EN is congested, Includes request to transfer MH to another access network. On the other hand, the message of No. 2 is a request message for transmitting a movable notification from another access network sent from EN to ACS, and is sent to the access network (traffic accommodated by EN). Includes that MH contained in another access network can be transferred to its own access network because there is room.

 FIG. 22 is a diagram showing an operation example according to a control procedure for switching access lines in this section. The contents of the operation example shown in FIG. 22 are as follows.

 The EN that accommodates the MH via the SAL (connected to the SAN) monitors the status of the SAL, and when the SAL status exceeds a certain threshold (for example, the threshold for the number of access lines), the AAAZAC S To that effect (Fig. 22; (1)). At this time, the EN can be configured to transmit a message having a format as shown in FIG. The fact that the threshold value has been exceeded is set in a field such as service information.

 The AAAS ACS searches for the MH contained in the other EN (the MH contained in the EN corresponding to the PAN as shown in Fig. 22) among the MHs contained in the EN. Then, the corresponding MH is notified to switch the access line (Fig. 22; (2)). At this time, for example, a message as shown in FIG. 33 can be applied.

The AAA / AC S is the EN that accommodates the access line before switching (old EN: EN-2 in Fig. 22), while the EN that accommodates the access line after switching (new EN: the one in Fig. 22) Notify EN-3) of ACP-V for transferring the bucket addressed to the MH (Fig. 22; (3)). At this time, the message shown in Fig. 33 can be applied. it can.

 The MH switches the access line. As the access line switching method, the first method described above can be applied. In the example shown in FIG. 22, the SAL of SAN-I is switched to the SAL of SAN-2. From then on, the MH uses the switched access line (SAL of SAN-2) (Fig. 22; (4)).

 When the old EN receives a packet addressed to the MH that has switched the access line, it transfers the packet to the new EN (Fig. 22 (5)).

 <14> Switching method 2 (automatic acquisition of access line based on user contract conditions; Fig. 23)

 For a user (MH) communicating using a certain access line, if another access line specified in this user's ACP becomes available for a predetermined reason (improvement of radio wave condition, etc.) The network access control system detects the state of this other access line on the network side, automatically seizes the line (permits communication), notifies the user of this, and enables connection.

 As an example, it is assumed that the PAN is a general mobile phone network (such as a PDC) and the SAN is a wireless LAN network constituting a public wireless LAN service. It is also assumed that PANs are available in almost all areas of the user's activities, whereas the use areas of SAN are scattered.

 It is natural that MH users who can use both PAN and SAN consciously search for places where SAN can be used. It is also desirable to be able to provide a function that, when a user using the PAN moves to a place where the SAN can be used, the network recognizes this change and automatically switches the access network from the PAN to the SAN.

 In order to realize the above functions, the network access control system can detect the location of the MH, and the AAAZA CS can also detect the PAN's cell identification information (area code) and the available location of the SAN (for example, the public). It has a correspondence table with the locations where wireless LAN services can be used, and can recognize that the location of the MH has moved from an area where only PAN can be used to an area where PAN and SAN can be used. .

FIG. 23 is a diagram illustrating an example of a control procedure of the switching method in this section. The contents of the control procedure shown in Fig. 23 are as follows. When the location of the MH moves from an area where only PAN is available to an area where PAN and SAN are available, AAAZAC S notifies the MH that the SAN is available. For this notification, for example, a message format as shown in FIG. 33 can be applied. When the user wants to use SAN, it sends an access line switching request to AAA / ACS (Fig. 23; (1)). For this request, for example, a message format as shown in FIG. 34 can be applied.

 The AAAZAC S, upon receiving the access line switching request from the MH, recognizes that the user wants to use the SAN, and executes the access authentication procedure of the SAN and the generation process of the AC P-V. Then, the generated AC PV is transmitted to each EN (EN-1 and EN-2) corresponding to PAL and SAL, respectively (Fig. 23; (2)). At this time, the AC P-V is notified by a message as shown in FIG. 33, for example. Thereafter, packets destined for the MH are interpreted by EN-1 and EN-2, respectively. At this time, EN-1 determines that the PAN is not appropriate for packet transfer, and transfers the packet to EN-2. On the other hand, EN-2 determines that the SAN is appropriate for the transfer of the packet, and transmits the packet (including the packet transferred from EN-1) addressed to the MH to the MH via the SAN. Also, the MH sends a packet addressed to the other node via the SAN.

 <15) Switching method 3 (acquisition of access line based on user mobile host requirements; Figs. 24, 25)

 The MH on the user side has a function of feeding back its own state, for example, the reception radio wave condition, etc., to the network side.The network access control system uses an access line that the MH can use depending on the MH state information. Select and capture.

 Generally, the communication speed of wireless LAN devices is higher than that of mobile communication systems such as PDC. However, depending on the number of MHs in the same access point and the distance of the MH from the access point, there is a large communication speed deviation even in the same type of wireless LAN system. As described above, in a communication method having a parameter (communication speed or the like) having a large fluctuation range, the communication speed of the MH is a dominant factor with respect to the throughput of the CN, which affects the perceived speed of the application executed on the MH. I do.

The network access control system performs the transition operation between access lines, A decision is made as to whether or not the transfer is possible in consideration of the state of the access line at the transfer destination. Specifically, if the access line of the transfer destination candidate is congested (the capacity is large and the throughput is low, etc.), the transfer is not performed. Conversely, if the currently used access line is congested or the signal condition deteriorates, the access line is shifted to the destination access line.

 The network access control system switches the access line when requested by the MH. For this reason, the MH has a function (communication parameter addition function) of including reception quality data (communication parameters) such as radio field intensity in a wireless section, which the MH itself grasps, in a PAL authentication request message. Thereby, the reception quality data can be transmitted to AA AACS of CN. On the other hand, the AAAZACS refers to the reception quality data from the MH when deciding on the selection of the access line of the migration destination, and uses it for the selection decision.

 FIG. 24 is a table showing an example of communication parameters (mobile host information) held in the MH. As shown in Fig. 24, radio field intensity, throughput, and a service area (location) can be applied as communication parameters.

 FIG. 25 is a diagram showing an example of the control procedure in this section. The control procedure shown in Fig. 25 is as follows. The MH detects that the secondary access line S AL is available, and sends an authentication request for the secondary access line to the authentication server AAAZAC S (Fig. 25; (1)). For the authentication request at this time, for example, the message format shown in FIGS. 7 and 8 can be applied.

 AAAZAC S, after the end of authentication,? An AC P-V corresponding to each EN-2 containing £ 1 ^ -1 and 51 ^ containing 1 ^ is transmitted (Fig. 25; (2)). The ACP-V at this time can be transmitted, for example, according to a message format as shown in FIG.

 After this, the MH can communicate using SAL (Fig. 25; (3)).

When EN-1 receives a packet addressed to MH, it forwards this packet to EN-2 according to the contents of AC P-V.

 <16> Switching method 4 (automatic switching of access circuits depending on the type of application being used; Figs. 26, 27)

The MH currently connected to the network using the specified access line When using an application, this application may require the use of a specific access line as a usage condition. The network access control system detects such a request from the application, and notifies the MH of the notification as needed when switching the access line.

 In general, mobile communication systems such as PDC are inferior to wireless LANs in terms of communication speed, but are said to have higher security. Also, some applications executed on the MH require higher security than the communication speed. In addition, there is a user request to transmit a password / credit card number using a secure communication channel. In addition to security, applications may require certain network capabilities (bandwidth, etc.) for smooth execution.

 The network access control system controls access line switching so that the access line used by the MH can be switched to the access line corresponding to the application request in response to a request from the application.

 For this reason, the MH has a function (application request information addition function) that puts the information (application request information) indicating the type of access line requested by the application, which is recognized by the MH itself, in the PAL authentication request message. Have. As a result, the application request information can be transmitted to the AAA / ACS of the CN. On the other hand, the AAA / ACS refers to the application request information when deciding the selection of the destination access line, and uses it to determine the access line.

 Figure 26 is a table showing examples of the types of applications that want to use a specific access line. As shown in Fig. 26, examples of applications include password input, credit card number input, streaming, and software download.

 FIG. 27 is a diagram showing an example of a series of control procedures in this section. The control procedure shown in Fig. 27 is as follows. In the control procedure shown in Fig. 27, when the MH uses a SAN, when using a certain application, this application requests the use of the PAN (the application has instructed via the PAL) It is a case.

If the application instructs via a specific access network (PAN), the MH Sends a PAL authentication request message containing application request information (including at least the PAL access line type) to AAA / ACS (access line designation specification) (Fig. 27; (1)).

 After the authentication process for the authentication request message, the AAA / ACS sends the AC P-V, which instructs only the bucket in accordance with the instruction from the application, to pass through the PAL to the E N-1 Each is sent to the EN-2 that contains the SA L (Fig. 27; (2)).

 After that, packets according to the instructions from the application are transmitted and received using PAL (Fig. 27; (3)).

 When a packet arrives at EN-2 in accordance with an instruction from the application, EN-2 forwards the packet to EN-1 containing PAL, and the transmitted packet is EN-1 Sent to MH via PAL.

 <17) Network access terminal (Figures 28 and 29)

 Next, the terminal will be described. Here, a mobile host (MH) will be described as an example of a terminal.

 The mobile host performs the authentication request message sending function and authentication response message processing function described in section <3> above, the communication parameter addition function described in section <15>, and the application request described in section <16>. An information adding function can be provided. FIG. 28 is a diagram illustrating a configuration example of a mobile host MH as an example of a network access terminal. The mobile host shall consist of a primary access line (PAL) message transmitting / receiving unit 25, a secondary access line (SAL) message transmitting / receiving unit 26, a protocol control unit 27, and an access means selecting unit 28. Can be. In addition, the mobile host can send an authentication request message as shown in Figs. 7 and 8 (see section <3>).

 FIG. 29 is a sequence diagram illustrating an operation example of the mobile host. As an example, a case where the MH moves from an area where only PAN is available to an area where both PAN and SAN are available will be described.

1. The PAL message transmitting / receiving unit 25 and the SAL message transmitting / receiving unit 26 detect that the PAN and the SAN can be accessed, respectively, and print this. The notification is made to the col control unit 27 (S051, S052).

 2. The protocol control unit 27 creates an authentication request message for SAL (or for PAL and SAL) (S053), and passes it to the PAL message transmitting / receiving unit 25 (S054). The PAL message transmitting / receiving unit 25 transmits this authentication request message to the AAA in the CN via the PAN (S055).

 3. Thereafter, the PAL message transmitting / receiving unit 25 receives the SAL authentication response message via the PAN (S056), and passes it to the protocol control unit 27 (S057). The protocol control unit 27 extracts information (use permission information) necessary for the MH to use the SAL, such as a bucket encryption key included in the authentication response message (S058), and transmits and receives the SAL message. Hand over to the department (S060). The SAL message transmitting / receiving unit 26 stores and manages the SAL use permission information in a predetermined storage area. Further, the protocol control unit 27 notifies the access unit selection unit 28 that both access units (PAL and SAL) are available (S059).

 4. Thereafter, for example, when an MH application attempts to perform packet communication, an appropriate access line is selected in the access means selection unit 28, and an appropriate process such as encryption is performed using a held key or the like. After that, bucket transmission is performed.

 The operation when the access line used by the MH application is specified is as follows.

 1. The protocol control unit 27 creates an authentication request message for the specified access line, and transmits it from the PAL message transmitting / receiving unit 25 via PAN. With this authentication procedure, the network detects that the access line specified by the application is used.

 2. The PAL message transmitting / receiving unit 25 receives the authentication response for the specified access line via the PAN, and the protocol control unit 27 uses the access line specified in the access means selecting unit 28. Instruct In addition, it extracts the use permission information such as the key included in the authentication response message and stores it in the message transmission / reception unit corresponding to the specified access line.

3. When an application attempts to communicate, an appropriate access line is selected in the access means selection unit 28, and encryption or the like is performed using the stored key or the like. The transmission is performed after the timely processing.

 According to the present embodiment, it is possible to easily introduce an access network such as a wireless LAN as an access means to a core network. Further, according to the present invention, cooperation between access networks such as switching of access networks can be achieved.

 Further, according to the present embodiment, all users who use the mobile carrier and the existing access network can link with the existing infrastructure network service while ensuring the security of the new access network at low cost. Network resources can be used effectively.

Claims

The scope of the claims 1. A plurality of access networks of different types including a main access network and at least one secondary access network, each of which is transmitted from a terminal capable of using a core network and transmitted via the main access network to the core network. Receiving means for receiving an authentication request message including an authentication request for use of the secondary access network arriving at  Authentication means for performing an authentication process for the authentication request of the secondary access network,  Transmitting means for transmitting an authentication response message of the secondary access network reaching the terminal via the main access network; Network access control system including 2. The authentication request message further includes an authentication request for use of the main access network,  The authentication means performs an authentication process for an authentication request for use of the primary and secondary access networks,  The transmitting means transmits the authentication response message for the primary access network and the secondary access network to the terminal The network access control system according to claim 1. 3. The transmitting means, when the authentication means authenticates use of the secondary access network, transmits the authentication response message including the authorized use permission information of the secondary access network, A terminal notifies the authenticated secondary access network of information for using the authenticated secondary access network 3. The network access control system according to claim 1 or 2. 4. The core network so that a user of the terminal can provide a communication service using the secondary access network and the core network in accordance with use conditions pre-contracted for the secondary access network authenticated by the authentication means. 2. The network access control system according to claim 1, further comprising network control means for controlling the network access control. 5. The network control means executes a communication service according to the use condition for the terminal to an edge node that accommodates the access line of the authenticated secondary access network used by the terminal. Notification of control information for The network access control system according to claim 4. 6. The processing related to both the pay-per-use when the terminal uses the core network using the main access network and the pay-per-use when the terminal uses the core network using the secondary access network. Including billing means to perform A network access control system according to any one of claims 1 to 5. 7. The charging means is a charging unit for charging an edge node accommodating the access line of the authenticated secondary access network used by the terminal with a usage-based charging for the use of the secondary access network of the terminal. A charging unit notifying unit for notifying a unit; and a calculating unit calculating a charging amount based on an amount of the charging unit for the terminal measured by the edge node according to the charging unit. The network access control system according to claim 6. 8. The authentication unit, when the receiving unit receives an authentication request message including an authentication request for the secondary access network from a roaming user terminal via the main access network, The secondary access network authentication process is performed in cooperation with the roaming source authentication system.  The network access control system according to any one of claims 1 to 7, wherein the transmitting unit transmits an authentication response message to the roaming user authentication process to the roaming user terminal via the main access network. 9. The network control means, when the authentication means authenticates the roaming user, provides a roaming user to an edge node accommodating the access line of the authenticated secondary access network used by the terminal of the roaming user. Of control information for providing a communication service according to the usage conditions of the secondary access network The network access control system according to claim 8. 10. The authentication request message is transmitted from the terminal when the number of access networks available to the terminal changes due to the terminal moving within a range where the main access network is available, and At least include the authentication request for the access network that has become available,  The network control unit determines whether or not to switch an access network used by the terminal in response to the reception of the authentication request message by the reception unit, and the authentication unit authenticates the access network to be switched to. Do the processing,  The transmitting unit transmits an authentication response message of the access network of the switching destination authenticated by the authentication unit to the terminal via the main access network. The network access control system according to claim 4. 11. The network control means determines whether to switch the access network according to at least one of the contract contents of the user of the terminal and the current network state. 10. The network access control system according to claim 10. 12. If there are a plurality of secondary access networks that can be selected as a switching destination, the network control means determines the access network of the switching destination based on the contract contents of the user of the terminal and Z or the current network state. Determine The network access control system according to claim 10 or 11. 13. The transmitting unit transmits, to the terminal, the authentication response message including the use permission information of the access network of the switching destination in response to the authentication of the access network of the switching destination by the authentication unit. Informs the access network of the switching destination to the access network, The network control means may be used by the terminal such that a communication service using the access network and the core network is provided in accordance with a usage condition previously contracted by the user of the terminal with respect to the access network to be switched to. Sub-acquisition of the switching destination To the edge node accommodating the access line of the access network, the control information for implementing the communication service according to the use condition for the terminal. A network access control system according to any one of claims 10 to 12. 14. In the case where the communication service is implemented by cooperation between the switching source edge node and the switching destination edge node, the network control means performs the cooperation service on the switching source and switching destination edge nodes. 14. The network access control system according to claim 13, wherein each of the control information is notified. 15. The network control means transmits control information for implementing a communication service that maintains communication quality before switching even when an access network is switched, to an edge node accommodating the switching destination access line. Do 15. The network access control system according to claim 13 or 14. 16. The network control means, when using the same access network of the terminal, switches the edge node accommodating the access line of the access network used by the terminal, the control information notified to the switching source edge node. Sends the same control information to the edge node as the switching destination A network access control system according to any one of claims 13 to 15. 17. The network control means receives traffic information from an edge node accommodating the access line used by the terminal, and if the traffic exceeds a predetermined threshold value, the network control means Request switching, A network access control system according to any one of claims 13 to 16. 18. The network control means monitors the position of the terminal, and when the terminal moves to a position where a predetermined secondary access network can be used, notifies the terminal to that effect. 18. The network access control system according to any one of claims 17 to 17. 19. The receiving means receives the authentication request message including the status information from the terminal,  The network control means determines whether to switch an access line used by the terminal based on the state information. 10. The network access control system according to claim 10. 20. The receiving means receives the authentication request message including designation information for designating a switching destination access network from the terminal,  The network control means determines an access network specified by the specification information as a switching destination access network. 10. The network access control system according to claim 10. 2 1. A plurality of access networks of different types including a main access network and at least one secondary access network, each of which is transmitted from a terminal capable of using a core network and transmitted through the main access network to the core. Receiving means for receiving an authentication request message including an authentication request for use of the secondary access network reaching the network;  Authentication means for performing an authentication process for the authentication request of the secondary access network; transmission means for transmitting an authentication response message of the secondary access network reaching the terminal via the main access network; An authentication server for an access network including: 22. The core is transmitted from a terminal capable of using a core network using a plurality of access networks of different types including a main access network and at least one secondary access network, and the core is transmitted via the main access network. Upon receiving an authentication request message including an authentication request for use of the secondary access network arriving at the network, receiving information relating to the user of the terminal and information relating to the secondary access network to be authenticated. Means, and when authentication is performed for the secondary access network to be authenticated, the user of the terminal accesses the secondary access network authenticated by the authentication means in accordance with the usage conditions previously contracted. Network and communication services using the core network As provided, for an edge node that accommodates an access line of the authenticated secondary access network used by the terminal, control information for implementing a communication service according to the usage condition for the terminal is provided. An access control server including: 23. A core network can be used by using a plurality of access networks of different types including a main access network and at least one secondary access network,  Authentication request transmitting means for transmitting an authentication request message including an authentication request for using the secondary access network of the own device which reaches the core network from the own device via the main access network,  Authentication response receiving means for receiving an authentication response message for the authentication request from the core network via the main access network;  Means for using the core network via the secondary access network using the secondary access network use permission information included in the authentication response message. Terminal that contains. 24. Transmitted from a terminal capable of using a core network using a plurality of access networks of different types including a main access network and at least one secondary access network, and transmitted via the main access network to the core. Receiving an authentication request message including an authentication request for use of the secondary access network reaching the network;  Performing an authentication process for the authentication request of the secondary access network,  Sending an authentication response message of the secondary access network arriving at the terminal via the primary access network A network access control method.