WO2006075823A1 - Internet protocol address management system co-operated with authentication server - Google Patents

Info

Publication number
WO2006075823A1
WO2006075823A1 PCT/KR2005/001004 KR2005001004W WO2006075823A1 WO 2006075823 A1 WO2006075823 A1 WO 2006075823A1 KR 2005001004 W KR2005001004 W KR 2005001004W WO 2006075823 A1 WO2006075823 A1 WO 2006075823A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
server
user
authentication
addres
Prior art date
Application number
PCT/KR2005/001004
Other languages
French (fr)
Inventor
Ki-Tae Kim
Original Assignee
Exers Technologies. Inc.
Priority date
Filing date
Publication date
Priority claimed from KR1020050028530A (external priority, patent KR100714368B1)
Application filed by Exers Technologies. Inc.
Publication of WO2006075823A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 Implementing security features at a particular protocol layer at the data link layer
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2115 Third party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the present invention relates to an IP (Internet Protocol) address management system cooperating with an authentication server, and more particularly, to an IP address management system of allocating a specific IP address to a user authenticated by an authentication server based on security policy.
  • IP Internet Protocol
  • an authentication process for a user accessing a network is performed on Layer 2, that is, a data link layer
  • an IP Internet Protocol
  • Address allocation process for a user terminal is performed on Layer 3, that is, a network layer.
  • Layer 3, that is, a network layer
  • the authentication and IP address allocation processes are performed on the different layers.
  • FIG. 1 is a configuration view showing a whole configuration of an authentication system in accordance with the IEEE 802.1x standard.
  • FIG. 2 is a flowchart for explaining a series of authentication processes performed by entities in the authentication system of FIG. 1.
  • the IEEE 802.1x standard defines three entities: a supplicant 100; an authenticator 110; and an authentication server 120.
  • the supplicant 100 is an entity providing user's authentication information to the authenticator 110 and sending authentication request to the authenticator 110.
  • the supplicant includes wire or wireless terminals intending to access network.
  • the authenticator is initially set to an uncontrolled port status. In this status, the supplicant and authenticator can communicate with each other through the EAP (Extensible Authentication Protocol).
  • the authenticator 110 is an entity transferring the received authentication information and authentication request to the authentication server 120.
  • the authenticator transfers an authentication success message to the supplicant and converts its port status into a controlled port status.
  • the authenticator includes APs (Access Points), routers, switches, and the like.
  • the authentication server 120 is an entity determining authentication based on the supplicant's authentication request received from the authenticator 110. In order to determine authentication, the authentication server uses user's authentication information stored in its internal database or received from external entities. In the IEEE 802.1x standard, any protocol for communication between the authentication server 120 and the authenticator 110 is not defined.
  • a protocol used for an AAA (Authentication, Authorization, and Accounting) server is also recommended as the protocol between the authentication server 120 and the authenticator 110. Therefore, the RADIUS (Remote Authentication Dial-In User Service) protocol is used as an industrial de-facto standard protocol.
  • AAA Authentication, Authorization, and Accounting
  • RADIUS Remote Authentication Dial-In User Service
  • the user's network access right can be controlled according to the determination of authentication (performed by an internal authentication algorithm of the authentication server) and the attributes and vendor-specific attributes of the RADIUS which can be transferred together with the authentication success message.
  • the IP address allocation process for dynamically allocating IP addresses to user terminals will be described in brief.
  • Network address information must be set to hosts such as computers and printers in a TCP/IP based network.
  • the network address information includes an IP address of a user terminal, a subnet mask, a basic gateway address, an IP address of a DNS server, and an IP address of a WINS server.
  • the network address information may be automatically or manually set to the computers.
  • the manual setup of the IP addresses in the TCP/IP network is too heavy a burden in terms of management. Therefore, in a Windows 2000 server, a DHCP (Dynamic Host Configuration Protocol) service is used to allocate this network address information to computers.
  • the DHCP server can automatically manage a TCP/IP configuration to allocate the IP address information.
  • the DHCP is a protocol for automatically performing a basic TCP/IP configuration setup such as an IP address allocation process for individual clients.
  • the specifications and rules of the DHCP are defined in RFC 1533, 1534, 1541, and 1542.
  • a DHCP server and a DHCP client are used.
  • the DHCP server manages an IP address range, which is called "Scope", to allocate the IP addresses to the DHCP clients and trace IP address usages thereof. More specifically, the DHCP server prepares the Scope to allocate the IP addresses to computers. In order to prepare the Scope, the DHCP server sets up the IP addresses and subnet masks and designates start and end addresses. In addition, the DHCP server uses an option setup for a basic gateway or a DNS (Domain Name System).
  • DNS Domain Name System
  • the DHCP client sends an IP address request to the DHCP server.
  • the IP address is received from the DHCP server, the TCP/IP configuration setup is initiated, so that the DHCP client can communicate with other hosts through the TCP/IP.
  • the DHCP server In response to the IP address request sent by the DHCP client, the DHCP server selects an IP address among unused IP addresses in the Scope and provides the selected IP address to the associated computer.
  • a domain controller grants a right to the DHCP server.
  • the domain controller may control all DHCP servers including additional servers.
  • the authentication of the DHCP server is performed as follows.
  • a computer serving as the DHCP server starts up, it is determined whether or not an IP address of the DHCP server exists in a list of DHCP servers authenticated by a directory service.
  • If the IP address of the DHCP server does not exist, the DHCP server is considered to be an unauthenticated server, and the DHCP service of the DHCP server automatically ends.
  • the DHCP server is required to operate on OS Windows 2000.
  • a fixed IP address, a subnet mask, a basic gateway address, and the like must be set up to the DHCP server.
  • the DHCP server is required to have IP address ranges, that is, the Scope, to be allocated to DHCP clients.
  • the IP addresses may be public or private IP addresses.
  • a network address of the DHCP server, that is, an IP address in the same IP address range as that of the network ID, is allocated to the DHCP clients of the network where the DHCP server exists.
  • the IP address information includes an IP address and a subnet mask.
  • the IP address information optionally includes a basic gateway address, an address of a DNS
  • the DNS server has a function of mapping and changing domain names used by clients in the networks.
  • the WINS server has a function of converting a NetBIOS computer name of a computer executing Windows into an IP address.
  • the DHCP server selects an IP address among unused IP addresses in the IP address range defined by the database server and provides the selected IP address information to the DHCP client.
  • If the DHCP client accepts an IP address lending proposal, the DHCP server lends the IP address information to the DHCP client for a predetermined time period.
  • the time period of lending the IP address is eight days.
  • the DHCP client broadcasts. Since a router does not forward the broadcast, the DHCP servers behind the router cannot be searched. Due to the characteristics of the router, there is a need for one DHCP server per one subnet. Since the DHCP server must be provided to each subnet of the network, there is a problem in that cost for implementing the network increases. In order to solve the problem, a DHCP relay agent has been developed. In a case where one DHCP server is used for multiple subnets, a subnet having no DHCP server uses the DHCP relay agent to obtain an IP address from other DHCP servers.
  • the DHCP relay agent forwards an IP address request of a DHCP client together with a short message including information on the requesting subnet.
  • the DHCP server provides the associated IP address to the client in order to normally distribute the IP address to the client.
  • the DHCP relay agent it is possible to reduce the number of the DHCP servers in a network operating multiple subnets.
  • the client can access the network although the client does not know a TCP/IP configuration of the network.
  • by efficiently distributing the IP addresses, clients larger than the number of available IP addresses can access the network
  • the authentication process of the authentication server and the IP address allocation process of the DHCP server are performed independently on different layers. Therefore, if a user authenticated by the authentication server arbitrarily changes an IP address allocated to the user accessing the network, it is difficult to block the access of the user.
  • an IP address management system capable of performing network security and IP address management to apply security policy of an authentication server to a DHCP server in cooperation with the authentication and DHCP servers.
  • an object of the present invention is to provide an IP address management system having an IP address allocation server cooperating with an authentication server to allocate a specific IP address to a user authenticated by the authentication server based on the user ID.
  • another object of the present invention is to provide an IP address management system having an IP address allocation server cooperating with an authentication server to allocate a specific IP address to a user authenticated by the authentication server based on a VLAN ID corresponding to the authenticated user.
  • another object of the present invention is to provide an IP address management system having an IP address allocation server cooperating with an authentication server to allocate a specific IP address to a user authenticated by the authentication server based on a relay agent of a subnet corresponding to the authenticated user.
  • an IP address management system cooperating with an authentication server, comprising: a database server for storing and managing security policy applied to registered users; an authentication server for receiving an authentication request from a user and performing authentication of the user by using the database server; and an IP address allocation server for forming a communication path with the authentication server to receive information on an authenticated user from the authentication server and allocating a specific IP address to the authenticated user by using the database server, thereby allocating the specific IP address to the user authenticated by the authentication server based on the security policy applied to the authenticated user.
  • the security policy stored in the database server may include user IP address list to set up and manage IP addresses or IP address ranges allocated to the specific users, and the IP address allocation server may allocate the IP addresses to the specific users by using the user IP address list set up by the database server.
  • the security policy stored in the database server may include a VLAN ID IP address list to set up and manage IP addresses or IP address ranges allocated corresponding to VLAN IDs, and the IP address allocation server may allocate the IP addresses to the VLAN IDs including users requesting for the IP addresses by using the VLAN ID IP address list set up by the database server.
  • the security policy stored in the database server may include a relay agent IP address list to set up and manage IP addresses or IP address ranges allocated corresponding to relay agents, and the dynamic host configuration server allocates the IP addresses corresponding to the relay agents requesting for the IP addresses to the users by using the relay agent IP address list.
  • the database server may include information on data reception and transmission rates of switches
  • the authentication server may set up the data reception and transmission rates of the switches used by the specific users based on information on data reception and transmission rates of the database server.
  • an authentication server comprising a database server for storing and managing security policy applied to users, wherein the authentication server receives an authentication request from a user, performs authentication of the user based on the security policy of the database server, and wherein, if the user is authenticated, the authentication server transmits authentication success message to the authenticated user and information on the authenticated user and the security policy applied to the authenticated user to the IP address allocation server.
  • a DHCP having a communication path with an authentication server, wherein the DHCP server cooperates with the authentication server, wherein the DHCP server receives information on a user authenticated by the authentication server and security policy applied to the authenticated user from the authentication server, and allocates a specific IP address to the authenticated user by using the information received from the authentication server.
  • the security policy received from the authentication server may include at least one of a user IP address list, a VLAN ID IP address list, and a relay agent IP address list.
  • the DHCP server may comprise at least two DHCP servers, wherein the DHCP servers receive an IP address information request broadcasted by a user terminal, wherein the DHCP servers communicate with each other to determine a DHCP server for providing IP address information, wherein the determined DHCP server provides IP address information to the user terminal, wherein, if the determined DHCP server receives a request unicasted from the user terminal, the determined DHCP server provides IP address and basic configuration parameters to the user terminal, and wherein the DHCP servers synchronize the IP address lists thereof. Effect of the Invention: According to an IP address management system of the present invention, authentication and DHCP servers cooperate with each other, so that it is possible to allocate fixed IP addresses to the authenticated users based on users, user groups, and relay agents.
  • FIG. 1 is a configuration view showing a whole configuration of an authentication system in accordance with the IEEE 802.1x standard.
  • FIG. 2 is a flowchart for explaining a series of authentication processes performed by entities in the authentication system of FIG. 1.
  • FIG. 3 is a configuration view showing a whole configuration of an IP address management system according to a preferred embodiment of the present invention.
  • FIG. 4 is a flowchart showing a series of operations of duplicated DHCP servers in the IP address management system according to the embodiment of the present invention.
  • IP Internet Protocol
  • authentication and DHCP Dynamic Host Configuration Protocol
  • VLAN Virtual LAN
  • relay agents or security policy
  • FIG. 3 is a configuration view showing a whole configuration of the IP address management system according to the preferred embodiment of the present invention.
  • the IP address management system at least one of wire and wireless terminals 300 and 310, switches 302 and 320 for connecting the wire terminal 300 to a network, an access point 312 and switches 314 and 320 for connecting the wireless terminal 310 to the network, an authentication server 330 for performing authentication, an IP address allocation server 350 for allocating IP addresses to users, and a database server 340 for storing and managing security policy applied to the users by the authentication server 330.
  • components of the IP address management system according to the preferred embodiment of the present invention will be described.
  • the wire and wireless terminal 300 and 310 access the IP address management system through wire or wireless communication.
  • the wire terminal 300 accesses the IP address management system via the switches 302 and 320 through the wire communication.
  • the wireless terminal 310 accesses the IP address management system via the access point 312 and the switches 312 and 320 through the wireless communication.
  • the authentication server 330 performs authentication of a registered user.
  • the authentication server 330 applies a security policy to the authenticated user based on information of the authenticated user stored in and managed by the database server 340.
  • the authentication server 330 transmits the security policy or an IP address list corresponding to the authenticated user to the IP address allocation server 350.
  • the database server 340 stores and manages security policy applied to users or user groups. More specifically, the database server 340 stores and manages 1) user IP address lists of IP addresses and IP address ranges allocated to users, 2) VLAN ID lists of VLAN IDs allocated to users, 3) VLAN ID IP address lists of IP addresses and IP address ranges allocated to users based on VLAN IDs, 4) relay agent IP address lists of IP addresses and IP address ranges allocated to users based on relay agents, and 5) information on data reception and transmission rates of switches in an IP address management system.
  • the database server 340 transmits these lists or information to the authentication and/or DHCP servers in response to requests of the servers.
  • the IP address allocation server 350 dynamically allocates the IP addresses to the user terminals or other devices in the network by mainly using the DHCP server.
  • the DHCP server according to the preferred embodiment of the present invention communicates with the authentication server.
  • the DHCP server acquires user information through a tunnel authentication protocol such as EAP-TTLS and PEAP.
  • the DHCP server acquires MAC addresses of user terminals through a RADIUS protocol.
  • the DHCP server receives information on security policy applied to authenticated users (together with IP address lists set up to the authenticated users) from the authentication server.
  • DHCP server may receive the security policy from the authentication server.
  • the DHCP server may access the database server 340 to directly receive the security policy by using the user information.
  • the DHCP server detects IP address allocated to the user ID based on the user information acquired through the tunnel authentication protocol.
  • the detected IP address is allocated to the MAC address (of the user terminal) acquired through the RADIUS protocol. If duplicated IP addresses are detected in the network, a warning message is generated.
  • a previously set up IP address is allocated to the MAC address of one user terminal based on the security policy applied by the authentication server, so that it is possible to allocate a fixed IP address to a specific user.
  • the DHCP server detects IP addresses or IP address ranges corresponding to the VLAN IDs set up to the users by using the user information acquired through the tunnel authentication protocol.
  • One of the detected IP addresses or IP address ranges is allocated to the MAC address of a specific user terminal.
  • the DHCP server receives IP addresses or IP address ranges corresponding to relay agents from the authentication or database server.
  • One of the IP addresses or IP address ranges corresponding to the relay agents requesting for an IP address is allocated to the MAC address of a specific user terminal.
  • the DHCP server in the DHCP IP address management system includes at least two DHCP servers.
  • the two DHCP servers are referred to as first and second DHCP servers. Due to the duplicated DHCP servers, load balance can be obtained.
  • the IP address lending process of the duplicated DHCP servers in the DHCP IP address management system according to the preferred embodiment of the present invention will be described in detail with reference to FIG. 4.
  • a DHCP client requesting for allocation of an IP address broadcasts an IP address request message to the first and second DHCP servers to search a DHCP server (S400).
  • the IP address information which the DHCP client requests from the DHCP server includes an IP address and a subnet mask.
  • the IP address information optionally includes a basic gateway address, an address of a DNS (Domain Name System) server, and an address of a WINS server.
  • the first and second DHCP servers receiving the address request message broadcasted by the DHCP client communicate with each other to determine which server lends the IP address (S410).
  • the determined DHCP server (the second server in the embodiment of the present invention) unicasts a proposal message that the second server will lend a specific IP address thereof to the DHCP client (S420).
  • the second DHCP server selects the IP address that the second DHCP server does not use from the IP address list.
  • the second DHCP server provides the selected IP address to the DHCP client.
  • the determined DHCP server transmits information on the DHCP client to the authentication server and receives a lendable IP address list from the authentication server.
  • the determined DHCP server unicasts a proposal message that the determined DHCP server will lend a specific IP address thereof selected from the lendable IP address list to the DHCP client.
  • the DHCP client receiving the unicasted proposal message unicasts an IP address lending request message to the determined DHCP server (the second DHCP server)
  • the second DHCP server provides the IP address and basic configuration parameters to the DHCP client.
  • the DHCP client performs initiation of a TCP/IP configuration by using the IP address.
  • the first and second servers synchronize the IP address lists thereof (S450)
  • a database server includes information on data reception and transmission rates of switches.
  • An authentication server sets up the data reception and transmission rates of the switches used by specific users based on information on the data reception and transmission rates of the database server.
  • the rates set up in the authentication server are applied to the associated switch, so that it is possible to adjust the network load.
  • An IP address management system can perform an IP address management based on an authentication process in accordance with the IEEE 802.1x standard.
  • a DHCP server and an authentication server cooperate with each other, and after the authentication server authenticates user and MAC addresses, previously allocated IP addresses are allocated to users, so that it is possible to allocate a fixed IP address to a specific user.
  • IP addresses of network devices are collectively managed, so that it is possible to effectively manage the IP addresses of the network devices.
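
The allocation rules listed above (a per-user address, a VLAN ID range, or a relay agent range, bound to the MAC address learned at authentication, with a warning on a duplicated address) can be sketched as follows; this is an added example, not code from the patent. The class and method names, the precedence user > VLAN ID > relay agent, the refusal of unauthenticated MAC addresses, and all sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthInfo:
    """User information handed over by the authentication server on success."""
    user_id: str
    mac: str
    vlan_id: Optional[int] = None


def ip_range(first, last):
    """Return every address from first to last (inclusive) as strings."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


class PolicyAllocator:
    """Hypothetical DHCP-side allocator driven by the security-policy lists."""

    def __init__(self, user_ips, vlan_ranges, relay_ranges):
        self.user_ips = user_ips          # user ID -> fixed IP
        self.vlan_ranges = vlan_ranges    # VLAN ID -> (first IP, last IP)
        self.relay_ranges = relay_ranges  # relay agent IP -> (first IP, last IP)
        self.sessions = {}                # MAC -> AuthInfo of authenticated users
        self.leases = {}                  # IP -> MAC currently holding it
        self.warnings = []                # duplicate-address warnings

    def on_auth_success(self, info):
        """Record the user/MAC pair reported by the authentication server."""
        self.sessions[info.mac.lower()] = info

    def on_dhcp_request(self, mac, relay_agent=None):
        """Return the address to lend, or None when policy allows none."""
        mac = mac.lower()
        info = self.sessions.get(mac)
        if info is None:
            return None                   # MAC never authenticated: no address
        fixed = self.user_ips.get(info.user_id)
        if fixed is not None:             # assumed precedence: user list first
            return self._bind_fixed(fixed, mac, info.user_id)
        pool = (self.vlan_ranges.get(info.vlan_id)
                or self.relay_ranges.get(relay_agent))
        if pool is None:
            return None
        return self._bind_from_range(ip_range(*pool), mac)

    def _bind_fixed(self, ip, mac, user_id):
        holder = self.leases.get(ip)
        if holder not in (None, mac):
            # Same fixed address requested from a second terminal: warn, refuse.
            self.warnings.append(
                f"duplicate IP {ip}: held by {holder}, "
                f"requested by {mac} ({user_id})")
            return None
        self.leases[ip] = mac
        return ip

    def _bind_from_range(self, addresses, mac):
        for ip in addresses:              # renew an existing lease first
            if self.leases.get(ip) == mac:
                return ip
        reserved = set(self.user_ips.values())
        for ip in addresses:              # skip per-user and leased addresses
            if ip not in reserved and ip not in self.leases:
                self.leases[ip] = mac
                return ip
        return None                       # range exhausted


def sample_allocator():
    """Constructed policy data; every name and address here is made up."""
    return PolicyAllocator(
        user_ips={"alice": "10.0.20.10"},
        vlan_ranges={20: ("10.0.20.10", "10.0.20.12")},
        relay_ranges={"10.0.30.1": ("10.0.30.100", "10.0.30.101")},
    )


if __name__ == "__main__":
    dhcp = sample_allocator()
    dhcp.on_auth_success(AuthInfo("alice", "AA:BB:CC:00:00:01", 20))
    dhcp.on_auth_success(AuthInfo("bob", "AA:BB:CC:00:00:02", 20))
    print(dhcp.on_dhcp_request("AA:BB:CC:00:00:01"))  # alice: fixed address
    print(dhcp.on_dhcp_request("AA:BB:CC:00:00:02"))  # bob: from VLAN 20 range
    print(dhcp.on_dhcp_request("AA:BB:CC:00:00:99"))  # unauthenticated MAC
```
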

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An IP address management system cooperating with an authentication server is provided. The IP address management system includes: a database server for storing and managing security policy applied to registered users; an authentication server for receiving an authentication request from a user and performing authentication of the user by using the database server; and an IP address allocation server for forming a communication path with the authentication server to receive information on an authenticated user from the authentication server and allocating a specific IP address to the authenticated user by using the database server, thereby allocating the specific IP address to the user authenticated by the authentication server based on the security policy applied to the authenticated user. Accordingly, it is possible to allocate fixed IP addresses to the authenticated users based on users, user groups, and relay agents.

Description

INTERNET PROTOCOL ADDRESS MANAGEMENT SYSTEM CO-OPERATED WITH AUTHENTICATION SERVER
TECHNICAL FIELD
The present invention relates to an I P ( Internet Protocol ) address management system cooperating with an authentication server , and more particularly, to an I P address management system of allocating a speci fic IP address to a user authenticated by an authentication server based on security policy .
BACKGROUND ART
In the OSI ( Open System Interconnection ) reference model , an authentication process for a user accessing a network i s performed on Layer 2 , that is , a data link layer , and an IP ( Internet Protocol ) addres s allocation process for a user terminal is performed on Layer 3 , that is , a network layer . Namely, the authentication and I P address allocation proces ses are performed on the different layers . Now, the authentication and IP address allocation processes will be described in brief .
FIG . 1 is a configuration view showing a whole configuration of an authentication system in accordance with the IEEE 802. Ix standard . FIG . 2 is a flowchart for explaining a series of authentication processes performed by entities in the authentication system of FIG . 1. Referring to FIGS . 1 and 2 , the IEEE 802. Ix standard defines three entities : a supplicant 100 ; an authenticator 110 ; and an authentication server 120.
The supplicant 100 is an entity providing user ' s authentication information to the authenticator 110 and sending authentication request to the authenticator 110. For example , the supplicant includes wire or wireless terminals intending to access network . When the supplicant sends the authentication request , the authenticator is initially set to an uncontrolled port status . In this status , the supplicant and authenticator can communicate with each other through the EAP (Extensible Authentication Protocol ) .
The authenticator 110 is an entity transferring the received authentication information and authentication request to the authentication server 120. When the authentication server grants the authentication, the authenticator transfers an authentication success message to the supplicant and converts its port status into a controlled port status . For example , the authenticator includes APs (Access Points ) , routers , switches , and the like . The authentication server 120 is an entity determining authentication based on the supplicant ' s authentication request received from the authenticator 110. In order to determine authentication, the authentication server uses user ' s authentication information stored in its internal database or received from external entities . In the IEEE 802. Ix standard, any protocol for communication between the authentication server 120 and the authenticator 110 is not de fined . In general , a protocol used for an AAA (Authentication , Authori zation , and Accounting ) server is also recommended as the protocol between the authentication server 120 and the authenticator 110. Therefore , the RADIUS ( Remote Authentication Dial-In User Service ) protocol is used as an industrial de- facto standard protocol .
In a case where the authenticator and the authentication server communicate with each other through the RADIUS protocol, the user's network access right can be controlled according to the determination of authentication (performed by an internal authentication algorithm of the authentication server) and the attributes and vendor-specific attributes of the RADIUS protocol which can be transferred together with the authentication success message.
Now, the IP address allocation process for dynamically allocating IP addresses to user terminals will be described in brief. Network address information must be set on hosts such as computers and printers in a TCP/IP based network. The network address information includes an IP address of a user terminal, a subnet mask, a basic gateway address, an IP address of a DNS server, and an IP address of a WINS server. The network address information may be automatically or manually set on the computers. The manual setup of the IP addresses in the TCP/IP network is too heavy a burden in terms of management. Therefore, in a Windows 2000 server, a DHCP (Dynamic Host Configuration Protocol) service is used to allocate this network address information to computers. The DHCP server can automatically manage a TCP/IP configuration to allocate the IP address information.
The DHCP is a protocol for automatically performing a basic TCP/IP configuration setup such as an IP address allocation process for individual clients. The specifications and rules of the DHCP are defined in RFC 1533, 1534, 1541, and 1542. In the DHCP, a DHCP server and a DHCP client are used. The DHCP server manages an IP address range, which is called a "Scope", to allocate the IP addresses to the DHCP clients and trace IP address usages thereof. More specifically, the DHCP server prepares the Scope to allocate the IP addresses to computers.
In order to prepare the Scope, the DHCP server sets up the IP addresses and subnet masks and designates start and end addresses. In addition, the DHCP server uses an option setup for a basic gateway or a DNS (Domain Name System).
When a system starts, the DHCP client sends an IP address request to the DHCP server. When the IP address is received from the DHCP server, the TCP/IP configuration setup is initiated, so that the DHCP client can communicate with other hosts through TCP/IP.
In response to the IP address request sent by the DHCP client, the DHCP server selects an IP address among unused IP addresses in the Scope and provides the selected IP address to the associated computer.
Under an active directory environment, a domain controller grants a right to the DHCP server. If the DHCP server is set up or if there is an authenticated server, the domain controller may control all DHCP servers including additional servers.
On the other hand, the authentication of the DHCP server is performed as follows. When a computer serving as the DHCP server starts up, it is determined whether or not an IP address of the DHCP server exists in a list of DHCP servers authenticated by a directory service. If the IP address of the DHCP server does not exist, the DHCP server is considered to be an unauthenticated server, and the DHCP service of the DHCP server automatically ends. The DHCP server is required to operate on O/S Windows 2000. A fixed IP address, a subnet mask, a basic gateway address, and the like must be set up on the DHCP server. In addition, the DHCP server is required to have IP address ranges, that is, the Scope, to be allocated to DHCP clients. The IP addresses may be public or private IP addresses. In addition, a network address of the DHCP server, that is, an IP address in the same IP address range as that of the network ID, is allocated to the DHCP clients of the network where the DHCP server exists.
On the other hand, in order to set up a computer as a DHCP client, it is necessary to select an item for automatically setting the IP address from the TCP/IP registration information of the computer.
Now, operations of the DHCP service will be sequentially described. Firstly, every time the DHCP client starts up, the DHCP client requests IP address information from the DHCP server. The IP address information includes an IP address and a subnet mask. In addition, the IP address information optionally includes a basic gateway address, an address of a DNS (Domain Name System) server, and an address of a WINS server. The DNS server has a function of mapping and changing domain names used by clients in the networks.
The WINS server has a function of converting a NetBIOS computer name of a computer executing Windows into an IP address.
Next, when the DHCP client requests an IP address from a specific DHCP server in the network, the DHCP server selects an IP address among unused IP addresses in the IP address range defined by the database server and provides the selected IP address information to the DHCP client. If the DHCP client accepts an IP address lending proposal, the DHCP server lends the IP address information to the DHCP client for a predetermined time period. Typically, the time period of lending the IP address is eight days.
On the other hand, in order to access the DHCP servers, the DHCP client broadcasts. Since a router does not forward the broadcast, the DHCP servers behind the router cannot be searched. Due to the characteristics of the router, there is a need for one DHCP server per subnet. Since the DHCP server must be provided to each subnet of the network, there is a problem in that the cost of implementing the network increases. In order to solve the problem, a DHCP relay agent has been developed. In a case where one DHCP server is used for multiple subnets, a subnet having no DHCP server uses the DHCP relay agent to obtain an IP address from other DHCP servers.
The DHCP relay agent forwards an IP address request of a DHCP client together with a short message including information on the requesting subnet. The DHCP server provides the associated IP address to the client in order to normally distribute the IP address to the client. By using the DHCP relay agent, it is possible to reduce the number of the DHCP servers in a network operating multiple subnets. By using the DHCP service, the client can access the network although the client does not know a TCP/IP configuration of the network. In addition, it is possible to avoid collision between IP addresses and control unnecessary usage of the IP addresses. In addition, by efficiently distributing the IP addresses, a number of clients larger than the number of available IP addresses can access the network.
As described above, the authentication process of the authentication server and the IP address allocation process of the DHCP server are performed independently on different layers. Therefore, if a user authenticated by the authentication server arbitrarily changes an IP address allocated to the user accessing the network, it is difficult to block the access of the user. In addition, in the present invention, there is proposed an IP address management system capable of performing network security and IP address management by applying the security policy of an authentication server to a DHCP server through cooperation between the authentication and DHCP servers.
DETAILED DESCRIPTION OF THE INVENTION
Technical Goal of the Invention
In order to solve the aforementioned problems, an object of the present invention is to provide an IP address management system having an IP address allocation server cooperating with an authentication server to allocate a specific IP address to a user authenticated by the authentication server based on the user ID.
In addition, another object of the present invention is to provide an IP address management system having an IP address allocation server cooperating with an authentication server to allocate a specific IP address to a user authenticated by the authentication server based on a VLAN ID corresponding to the authenticated user.
In addition, another object of the present invention is to provide an IP address management system having an IP address allocation server cooperating with an authentication server to allocate a specific IP address to a user authenticated by the authentication server based on a relay agent of a subnet corresponding to the authenticated user.
Disclosure of the Invention
In order to achieve the aforementioned objects, according to an aspect of the present invention, there is provided an IP address management system cooperating with an authentication server, comprising: a database server for storing and managing security policy applied to registered users; an authentication server for receiving an authentication request from a user and performing authentication of the user by using the database server; and an IP address allocation server for forming a communication path with the authentication server to receive information on an authenticated user from the authentication server and allocating a specific IP address to the authenticated user by using the database server, thereby allocating the specific IP address to the user authenticated by the authentication server based on the security policy applied to the authenticated user.
In the aspect of the present invention, the security policy stored in the database server may include a user IP address list to set up and manage IP addresses or IP address ranges allocated to the specific users, and the IP address allocation server may allocate the IP addresses to the specific users by using the user IP address list set up by the database server.
In addition, the security policy stored in the database server may include a VLAN ID IP address list to set up and manage IP addresses or IP address ranges allocated corresponding to VLAN IDs, and the IP address allocation server may allocate the IP addresses to the VLAN IDs including users requesting the IP addresses by using the VLAN ID IP address list set up by the database server.
In addition, the security policy stored in the database server may include a relay agent IP address list to set up and manage IP addresses or IP address ranges allocated corresponding to relay agents, and the dynamic host configuration server allocates the IP addresses corresponding to the relay agents requesting the IP addresses to the users by using the relay agent IP address list.
In addition, the database server may include information on data reception and transmission rates of switches, and the authentication server may set up the data reception and transmission rates of the switches used by the specific users based on information on data reception and transmission rates of the database server.
According to another aspect of the present invention, there is provided an authentication server comprising a database server for storing and managing security policy applied to users, wherein the authentication server receives an authentication request from a user and performs authentication of the user based on the security policy of the database server, and wherein, if the user is authenticated, the authentication server transmits an authentication success message to the authenticated user and information on the authenticated user and the security policy applied to the authenticated user to the IP address allocation server.
According to another aspect of the present invention, there is provided a DHCP server having a communication path with an authentication server, wherein the DHCP server cooperates with the authentication server, wherein the DHCP server receives information on a user authenticated by the authentication server and security policy applied to the authenticated user from the authentication server, and allocates a specific IP address to the authenticated user by using the information received from the authentication server.
In the aspect of the present invention, the security policy received from the authentication server may include at least one of a user IP address list, a VLAN ID IP address list, and a relay agent IP address list.
In addition, the DHCP server may comprise at least two DHCP servers, wherein the DHCP servers receive an IP address information request broadcasted by a user terminal, wherein the DHCP servers communicate with each other to determine a DHCP server for providing IP address information, wherein the determined DHCP server provides IP address information to the user terminal, wherein, if the determined DHCP server receives a request unicasted from the user terminal, the determined DHCP server provides an IP address and basic configuration parameters to the user terminal, and wherein the DHCP servers synchronize the IP address lists thereof.
Effect of the Invention
According to an IP address management system of the present invention, authentication and DHCP servers cooperate with each other, so that it is possible to allocate fixed IP addresses to the authenticated users based on users, user groups, and relay agents.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a configuration view showing a whole configuration of an authentication system in accordance with the IEEE 802.1x standard. FIG. 2 is a flowchart for explaining a series of authentication processes performed by entities in the authentication system of FIG. 1.
FIG. 3 is a configuration view showing a whole configuration of an IP address management system according to a preferred embodiment of the present invention.
FIG. 4 is a flowchart showing a series of operations of duplicated DHCP servers in the IP address management system according to the embodiment of the present invention.
BEST MODE FOR CARRYING OUT THE INVENTION
Now, a configuration and operations of an IP (Internet Protocol) address management system according to a preferred embodiment of the present invention will be described. In the IP address management system, authentication and DHCP (Dynamic Host Configuration Protocol) servers cooperate with each other to allocate IP addresses to user terminals based on users, VLAN (Virtual LAN) IDs, relay agents, or security policy.
FIG. 3 is a configuration view showing a whole configuration of the IP address management system according to the preferred embodiment of the present invention. Referring to FIG. 3, the IP address management system includes at least one of wire and wireless terminals 300 and 310, switches 302 and 320 for connecting the wire terminal 300 to a network, an access point 312 and switches 314 and 320 for connecting the wireless terminal 310 to the network, an authentication server 330 for performing authentication, an IP address allocation server 350 for allocating IP addresses to users, and a database server 340 for storing and managing security policy applied to the users by the authentication server 330. Hereinafter, components of the IP address management system according to the preferred embodiment of the present invention will be described.
Firstly, at least one of the wire and wireless terminals 300 and 310 accesses the IP address management system through wire or wireless communication. The wire terminal 300 accesses the IP address management system via the switches 302 and 320 through the wire communication. The wireless terminal 310 accesses the IP address management system via the access point 312 and the switches 312 and 320 through the wireless communication.
The authentication server 330 performs authentication of a registered user. The authentication server 330 applies a security policy to the authenticated user based on information of the authenticated user stored in and managed by the database server 340. In addition, the authentication server 330 transmits the security policy or an IP address list corresponding to the authenticated user to the IP address allocation server 350.
The database server 340 stores and manages security policy applied to users or user groups. More specifically, the database server 340 stores and manages 1) user IP address lists of IP addresses and IP address ranges allocated to users, 2) VLAN ID lists of VLAN IDs allocated to users, 3) VLAN ID IP address lists of IP addresses and IP address ranges allocated to users based on VLAN IDs, 4) relay agent IP address lists of IP addresses and IP address ranges allocated to users based on relay agents, and 5) information on data reception and transmission rates of switches in an IP address management system. The database server 340 transmits these lists or information to the authentication and/or DHCP servers in response to requests of the servers.
Next, the IP address allocation server 350 dynamically allocates the IP addresses to the user terminals or other devices in the network by mainly using the DHCP server. The DHCP server according to the preferred embodiment of the present invention communicates with the authentication server. In cooperation with the authentication server performing authentication by using EAP packets, the DHCP server acquires user information through a tunnel authentication protocol such as EAP-TTLS and PEAP. In addition, the DHCP server acquires MAC addresses of user terminals through a RADIUS protocol. In addition, the DHCP server receives information on security policy applied to authenticated users (together with IP address lists set up to the authenticated users) from the authentication server. Here, the DHCP server may receive the security policy from the authentication server. Alternatively, the DHCP server may access the database server 340 to directly receive the security policy by using the user information. The DHCP server detects the IP address allocated to the user ID based on the user information acquired through the tunnel authentication protocol.
The detected IP address is allocated to the MAC address (of the user terminal) acquired through the RADIUS protocol. If duplicated IP addresses are detected in the network, a warning message is generated. In this way, a previously set up IP address is allocated to the MAC address of one user terminal based on the security policy applied by the authentication server, so that it is possible to allocate a fixed IP address to a specific user.
According to another embodiment of the present invention, the DHCP server detects IP addresses or IP address ranges corresponding to the VLAN IDs set up to the users by using the user information acquired through the tunnel authentication protocol. One of the detected IP addresses or IP address ranges is allocated to the MAC address of a specific user terminal.
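The lookup described in the embodiments above, as an added example that is not part of the patent text: a Python model that picks an address from the user IP address list, the VLAN ID IP address list or the relay agent IP address list kept by the database server, binds it to the terminal's MAC address, and records a warning on a duplicated fixed address. The sample policy is constructed, and the precedence among the three lists and the names `Allocator`, `allocate`, `release` and `is_bound` are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample policy standing in for the database server's lists.
SAMPLE_POLICY = {
    "user_ips": {"alice": ["10.0.0.10"]},                         # user ID -> fixed IPs or ranges
    "user_vlan": {"alice": 10, "bob": 20, "carol": 20},           # user ID -> VLAN ID
    "vlan_ranges": {20: ("10.0.20.1", "10.0.20.2")},              # VLAN ID -> inclusive range
    "relay_ranges": {"10.0.30.254": ("10.0.30.1", "10.0.30.3")},  # relay agent -> inclusive range
}


def expand(spec):
    """Yield each address of a single IP string or an inclusive (start, end) range."""
    start, end = (spec, spec) if isinstance(spec, str) else spec
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    for n in range(lo, hi + 1):
        yield str(ipaddress.ip_address(n))


@dataclass
class Lease:
    ip: str
    mac: str
    user_id: str
    source: str          # list that produced the address: "user", "vlan" or "relay"


@dataclass
class Allocator:
    policy: dict
    by_mac: dict = field(default_factory=dict)    # MAC -> Lease
    by_ip: dict = field(default_factory=dict)     # IP  -> Lease
    warnings: list = field(default_factory=list)

    def _candidates(self, user_id, relay_agent):
        # Assumed precedence: per-user list, then the user's VLAN ID, then the relay agent.
        for spec in self.policy["user_ips"].get(user_id, []):
            for ip in expand(spec):
                yield "user", ip
        vlan = self.policy["user_vlan"].get(user_id)
        if vlan in self.policy["vlan_ranges"]:
            for ip in expand(self.policy["vlan_ranges"][vlan]):
                yield "vlan", ip
        if relay_agent in self.policy["relay_ranges"]:
            for ip in expand(self.policy["relay_ranges"][relay_agent]):
                yield "relay", ip

    def allocate(self, user_id, mac, relay_agent=None):
        """Bind a policy-selected address to the MAC reported for an authenticated user."""
        mac = mac.lower()
        current = self.by_mac.get(mac)
        if current and current.user_id == user_id:
            return current                         # same user, same terminal: keep the binding
        if current:
            self.release(mac)                      # terminal re-authenticated as another user
        for source, ip in self._candidates(user_id, relay_agent):
            holder = self.by_ip.get(ip)
            if holder is None:
                lease = Lease(ip, mac, user_id, source)
                self.by_mac[mac] = self.by_ip[ip] = lease
                return lease
            if source == "user":
                # The user's fixed address is already in use by a different terminal.
                self.warnings.append(
                    f"duplicate IP {ip}: held by {holder.mac}, requested by {mac}")
        return None                                # no policy entry or range exhausted

    def release(self, mac):
        lease = self.by_mac.pop(mac.lower(), None)
        if lease:
            del self.by_ip[lease.ip]

    def is_bound(self, mac, src_ip):
        """True only if src_ip is the address this allocator bound to the MAC."""
        lease = self.by_mac.get(mac.lower())
        return lease is not None and lease.ip == src_ip


if __name__ == "__main__":
    alloc = Allocator(SAMPLE_POLICY)
    print(alloc.allocate("alice", "AA:BB:CC:00:00:01"))
    print(alloc.allocate("bob", "aa:bb:cc:00:00:02"))
    print(alloc.allocate("alice", "aa:bb:cc:00:00:06"), alloc.warnings)
```

A user with no entry in any list gets no address at all, and `is_bound` gives an enforcement point a way to compare an observed MAC and source address against the binding.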
According to still another embodiment of the present invention, the DHCP server receives IP addresses or IP address ranges corresponding to relay agents from the authentication or database server. One of the IP addresses or IP address ranges corresponding to the relay agent requesting an IP address is allocated to the MAC address of a specific user terminal.
On the other hand, the DHCP server in the DHCP IP address management system according to the preferred embodiment of the present invention includes at least two DHCP servers. Hereinafter, the two DHCP servers are referred to as first and second DHCP servers. Due to the duplicated DHCP servers, load balance can be obtained. Now, the IP address lending process of the duplicated DHCP servers in the DHCP IP address management system according to the preferred embodiment of the present invention will be described in detail with reference to FIG. 4.
Firstly, a DHCP client requesting allocation of an IP address broadcasts an IP address request message to the first and second DHCP servers to search for a DHCP server (S400). Here, the IP address information which the DHCP client requests from the DHCP server includes an IP address and a subnet mask. In addition, the IP address information optionally includes a basic gateway address, an address of a DNS (Domain Name System) server, and an address of a WINS server. Next, the first and second DHCP servers receiving the address request message broadcasted by the DHCP client communicate with each other to determine which server lends the IP address (S410). The determined DHCP server (the second server in the embodiment of the present invention) unicasts a proposal message that the second server will lend a specific IP address thereof to the DHCP client (S420). The second DHCP server selects, from the IP address list, an IP address that the second DHCP server does not use. The second DHCP server provides the selected IP address to the DHCP client.
Alternatively, in the IP address management system according to the preferred embodiment of the present invention, the determined DHCP server transmits information on the DHCP client to the authentication server and receives a lendable IP address list from the authentication server. The determined DHCP server unicasts a proposal message that the determined DHCP server will lend a specific IP address thereof selected from the lendable IP address list to the DHCP client. The DHCP client receiving the unicasted proposal message unicasts an IP address lending request message to the determined DHCP server (the second DHCP server) (S430). The second DHCP server provides the IP address and basic configuration parameters to the DHCP client. The DHCP client performs initiation of a TCP/IP configuration by using the IP address. Next, the first and second servers synchronize the IP address lists thereof (S450).
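The S400 to S450 sequence above, as an added example that is not part of the patent text: a Python model of two cooperating DHCP servers, run once with and once without the list synchronization of S450. The patent does not say how the servers decide which one lends; the fewest-leases rule, the constructed address pool and parameters, and all names here are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed lendable address list and configuration parameters (documentation range).
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
PARAMS = {"subnet_mask": "255.255.255.0", "gateway": "192.0.2.1", "dns": "192.0.2.53"}


@dataclass
class Server:
    name: str
    leases: dict = field(default_factory=dict)    # IP -> (client MAC, name of lending server)

    def granted(self):
        """Number of leases this server itself has lent."""
        return sum(1 for _, by in self.leases.values() if by == self.name)

    def offer(self, mac):
        """S420: propose the client's current address, else the first unused one."""
        for ip, (holder, _) in self.leases.items():
            if holder == mac:
                return ip
        return next((ip for ip in POOL if ip not in self.leases), None)

    def ack(self, mac, ip):
        """Answer the unicast request of S430 with the address and basic parameters."""
        holder = self.leases.get(ip)
        if holder and holder[0] != mac:
            return None                            # address already lent to another terminal
        self.leases[ip] = (mac, self.name)
        return {"ip": ip, **PARAMS}

    def sync_with(self, peer):
        """S450: both servers end up with the union of their lease lists."""
        merged = {**peer.leases, **self.leases}
        self.leases, peer.leases = dict(merged), dict(merged)


def lend(servers, mac, sync=True):
    """Run S400-S450 for one client; returns (server name, IP) or None."""
    chosen = min(servers, key=Server.granted)      # S410 (assumed rule: fewest leases lent)
    ip = chosen.offer(mac)                         # S420
    reply = chosen.ack(mac, ip) if ip else None    # S430 and the server's answer
    if reply is None:
        return None                                # nothing left to lend
    if sync:
        for peer in servers:
            if peer is not chosen:
                chosen.sync_with(peer)             # S450
    return chosen.name, reply["ip"]


def run(sync):
    """Serve three constructed clients in turn and return who lent which address."""
    servers = [Server("first"), Server("second")]
    macs = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"]
    return [lend(servers, m, sync) for m in macs]


def duplicates(results):
    """Addresses that were lent to more than one client."""
    ips = [r[1] for r in results if r]
    return sorted({ip for ip in ips if ips.count(ip) > 1})


if __name__ == "__main__":
    print("with S450:   ", run(True), duplicates(run(True)))
    print("without S450:", run(False), duplicates(run(False)))
```

Without the synchronization step the second server has no record of the first server's lease and lends the same address again, which is the address collision the lease lists are meant to prevent.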
In an IP address allocation system according to another embodiment of the present invention, a database server includes information on data reception and transmission rates of switches. An authentication server sets up the data reception and transmission rates of the switches used by specific users based on information on the data reception and transmission rates of the database server. When network load rapidly or abnormally increases due to virus attack or the like, the rates set up in the authentication server are applied to the associated switch, so that it is possible to adjust the network load.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation. For example, detailed items of security policy stored in and managed by a database server may be modified in various manners in order to improve performance of a whole network or in consideration of sizes of network devices thereof. Therefore, the scope of the invention is defined not by the detailed description of the invention but by the appended claims, and all differences within the scope will be construed as being included in the present invention.
INDUSTRIAL APPLICABILITY
An IP address management system according to the present invention can perform IP address management based on an authentication process in accordance with the IEEE 802.1x standard. In addition, a DHCP server and an authentication server cooperate with each other, and after the authentication server authenticates the user and MAC addresses, previously allocated IP addresses are allocated to users, so that it is possible to allocate a fixed IP address to a specific user. In addition, according to the present invention, it is possible to allocate specific IP addresses to users or user groups based on security policy of an authentication server.
In addition, according to the present invention, when a user arbitrarily changes an IP address thereof, network access is blocked, and re-authentication is required, so that it is possible to prevent misuse or abuse of the IP address of the user.
In addition, according to the present invention, IP addresses of network devices are collectively managed, so that it is possible to effectively manage the IP addresses of the network devices.

Claims

1. An IP address management system cooperating with an authentication server, comprising: a database server for storing and managing security policy applied to registered users; an authentication server for receiving an authentication request from a user and performing authentication of the user by using the database server; and an IP address allocation server for forming a communication path with the authentication server to receive information on an authenticated user from the authentication server and allocating a specific IP address to the authenticated user by using the database server, thereby allocating the specific IP address to the user authenticated by the authentication server based on the security policy applied to the authenticated user.
2. The IP address management system according to claim 1, wherein the security policy stored in the database server includes a user IP address list to set up and manage IP addresses or IP address ranges allocated to the specific users, and wherein the IP address allocation server allocates the IP addresses to the specific users by using the user IP address list set up by the database server.
3. The IP address management system according to claim 1, wherein the security policy stored in the database server includes a VLAN ID IP address list to set up and manage IP addresses or IP address ranges allocated corresponding to VLAN IDs, and wherein the IP address allocation server allocates the IP addresses to the VLAN IDs including users requesting the IP addresses by using the VLAN ID IP address list set up by the database server.
4. The IP address management system according to claim 1, wherein the security policy stored in the database server includes a relay agent IP address list to set up and manage IP addresses or IP address ranges allocated corresponding to relay agents, and wherein the IP address allocation server allocates the IP address corresponding to the relay agents requesting the IP address to the user terminal by using the relay agent IP address list.
5. The IP address management system according to claim 1, wherein the database server includes information on data reception and transmission rates of switches, and wherein the authentication server sets up the data reception and transmission rates of the switches used by the specific users based on information on data reception and transmission rates of the database server.
6. The IP address management system according to any one of claims 1 to 5, wherein the IP address allocation server uses a dynamic host configuration protocol.
7. The IP address management system according to any one of claims 1 to 5, wherein the IP address allocation server comprises first and second servers, wherein the first and second IP address allocation servers receive an IP address information request broadcasted by a user terminal, wherein the first and second IP address allocation servers communicate with each other to determine an IP address allocation server for providing IP address information, wherein the determined IP address allocation server provides an IP address and basic configuration parameters to the user terminal, and wherein the first and second IP address allocation servers synchronize the IP address lists thereof.
8. An authentication server comprising a database server for storing and managing security policy applied to users, wherein the authentication server receives an authentication request from a user and performs authentication of the user based on the security policy of the database server, and wherein, if the user is authenticated, the authentication server transmits an authentication success message to the authenticated user and information on the authenticated user and the security policy applied to the authenticated user to the IP address allocation server.
9. An IP address allocation server cooperating with an authentication server, wherein the IP address allocation server receives information on a user authenticated by the authentication server and security policy applied to the authenticated user from the authentication server and allocates a specific IP address to the authenticated user by using the information and the security policy received from the authentication server.
10. The IP address allocation server according to claim 9, wherein the security policy received from the authentication server includes at least one of a user IP address list, a VLAN ID IP address list, and a relay agent IP address list.
11. The IP address allocation server according to claim 9 or 10, wherein the IP address allocation server detects an IP address set up to a user ID acquired from a tunnel authentication protocol and allocates the detected IP address to a MAC address of a user terminal.
12. The IP address allocation server according to claim 9 or 10, comprising at least two IP address allocation servers, wherein the IP address allocation servers receive an IP address information request broadcasted by a user terminal, wherein the IP address allocation servers communicate with each other to determine an IP address allocation server for providing IP address information, wherein the determined IP address allocation server provides IP address information to the user terminal, wherein, if the determined IP address allocation server receives a request unicasted from the user terminal, the determined IP address allocation server provides an IP address and basic configuration parameters to the user terminal, and wherein the IP address allocation servers synchronize the IP address lists thereof.
13. The IP address allocation server according to claim 9 or 10, wherein the IP address allocation server uses a dynamic host configuration protocol.
PCT/KR2005/001004 2004-04-12 2005-04-07 Internet protocol address management system co-operated with authentication server WO2006075823A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2004-0024806 2004-04-12
KR20040024806 2004-04-12
KR1020050028530A KR100714368B1 (en) 2004-04-12 2005-04-06 Internet protocol address management system co-operated with authentication server
KR10-2005-0028530 2005-04-06

Publications (1)

Publication Number Publication Date
WO2006075823A1 true WO2006075823A1 (en) 2006-07-20

Family

ID=36677830

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2005/001004 WO2006075823A1 (en) 2004-04-12 2005-04-07 Internet protocol address management system co-operated with authentication server

Country Status (1)

Country Link
WO (1) WO2006075823A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6587468B1 (en) * 1999-02-10 2003-07-01 Cisco Technology, Inc. Reply to sender DHCP option
US6625645B1 (en) * 1997-08-28 2003-09-23 Cisco Technology, Inc. Automatic static to dynamic IP address and DNS address management for remote communications network access
KR20030093869A (en) * 2002-06-05 2003-12-11 공인엽 Web-based server system using dynamic ip address

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009065357A1 (en) * 2007-11-20 2009-05-28 Huawei Technologies Co., Ltd. A method, system and device for dhcp authentication
WO2009140910A1 (en) * 2008-05-19 2009-11-26 Zheng Kuanyong A method and system of active allocation of ip address
CN102771149A (en) * 2009-11-26 2012-11-07 三星Sds株式会社 Systems and methods for managing IPv6 addresses and access policies
EP2506613A4 (en) * 2009-11-26 2013-06-19 Samsung Sds Co Ltd SYSTEM AND METHOD FOR IPV6 ADDRESS MANAGEMENT AND ACCESS POLICY

Similar Documents

Publication Publication Date Title
US8195950B2 (en) Secure and seamless wireless public domain wide area network and method of using the same
US8966075B1 (en) Accessing a policy server from multiple layer two networks
US8605582B2 (en) IP network system and its access control method, IP address distributing device, and IP address distributing method
EP2234343B1 (en) Method, device and system for selecting service network
US6907470B2 (en) Communication apparatus for routing or discarding a packet sent from a user terminal
US7342906B1 (en) Distributed wireless network security system
US8484695B2 (en) System and method for providing access control
EP1987629B1 (en) Techniques for authenticating a subscriber for an access network using dhcp
CN103534994B (en) The method, apparatus and system of communication are realized after a kind of virtual machine (vm) migration
US20100223655A1 (en) Method, System, and Apparatus for DHCP Authentication
EP2317690B1 (en) A method and device for distributed security control in communication network system
US20040196977A1 (en) Conveying wireless encryption keys upon client device connecting to network in non-wireless manner
CN101141253A (en) Authentication method and authentication system
WO2012051868A1 (en) Firewall policy distribution method, client, access server and system
CN101621433B (en) Method, device and system for configuring access equipment
US20080134315A1 (en) Gateway, Network Configuration, And Method For Conrtolling Access To Web Server
JP2001326696A (en) Method for controlling access
CN110445889A (en) Switch ip address management method and system under a kind of ethernet environment
US20230239283A1 (en) Destination-based policy selection and authentication
JP3994412B2 (en) Network system, network identifier setting method, network connection point, network identifier setting program, and recording medium
KR100714368B1 (en) Internet protocol address management system co-operated with authentication server
CN109120738B (en) DHCP server and method for managing network internal equipment
WO2006075823A1 (en) Internet protocol address management system co-operated with authentication server
CN102577299B (en) The Access Network authentication information bearing protocol simplified
CN114500094A (en) Access method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase