WO2016152416A1 - Communication management system, access point, communication management device, connection control method, communication management method, and program - Google Patents
- Publication number: WO2016152416A1 (application PCT/JP2016/056372)
- Authority: WO (WIPO, PCT)
- Prior art keywords: information, terminal, unit, address, connection
Classifications
- H04L61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H04L61/58: Caching of addresses or names
- H04L61/5007: Address allocation; Internet protocol [IP] addresses
- H04L63/08: Network security; authentication of entities
- H04L63/083: Authentication of entities using passwords
- H04L63/10: Network security; controlling access to devices or network resources
- H04L63/101: Access control lists [ACL]
- H04L63/20: Managing network security; network security policies in general
- H04L2101/622: Layer-2 addresses, e.g. medium access control [MAC] addresses
- H04W12/062: Pre-authentication
- H04W12/068: Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
- H04W12/084: Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
- H04W48/08: Access restriction or access information delivery, e.g. discovery data delivery
- H04W76/10: Connection setup
- H04W84/12: WLAN [Wireless Local Area Networks]
- H04W88/08: Access point devices
Definitions
- the present invention relates to a communication management system, an access point, a communication management device, a connection control method, a communication management method, and a program.
- a WLC (wireless LAN controller) is a device that centrally manages the APs used for public wireless LAN services and the like; it performs centralized authentication and access control, using IDs and passwords, of terminals that send connection requests to the APs.
- a technique related to a public wireless LAN using these APs is described in Patent Document 1.
- the present invention has been made in view of such circumstances, and its object is to avoid the drop in communication speed that results from concentrating communication traffic on a management node.
- a communication management system includes an access point that controls the connection of a terminal connecting via wireless communication, and a communication management device that manages a plurality of access points, the two being connected via a network.
- the access point includes permitted terminal information storage means for storing permitted terminal information that identifies permitted terminals allowed to communicate with the network, and access information transmitting means that, when the connection requesting terminal information identifying a terminal making a connection request is not stored as permitted terminal information, generates access information by adding the connection requesting terminal information and access point information identifying the access point to the information (for example, a URL) for accessing the provider that supplies an authentication screen for entering connection authentication information, and transmits that access information to the connection requesting terminal.
- the communication management device includes communication means that, when the connection requesting terminal attempts to connect to the network based on the access information, transmits providing source information to the connection requesting terminal and receives the connection authentication information entered on the authentication screen provided on the basis of that providing source information; terminal information storage means for storing the connection requesting terminal information and the access point information contained in the access information; authentication means for authenticating the connection requesting terminal based on the received connection authentication information; and permitted terminal information transmitting means that, when the connection requesting terminal is authenticated, transmits permitted terminal information permitting that terminal to communicate with the network, together with the connection requesting terminal information, to the access point identified by the stored access point information.
- the terminal 1 is a communication terminal typified by a personal computer or a smartphone, and includes a wireless LAN interface unit 11, an IP unit 12, and an Internet browser unit 13.
- in FIG. 1 only one terminal 1 is illustrated, for convenience; two or more terminals 1 may of course be provided.
- the AP 2 is a communication device typified by, for example, a wireless LAN access point, and includes a wireless LAN interface unit 21 (shown as "wireless LAN I/F" in FIG. 1 for convenience), an IP unit 22, an Ethernet (registered trademark) unit 23, a redirect unit 24, a control information receiving unit 25, a control table 26, and an ARP table 27.
- in FIG. 1 only one AP 2 is drawn, as with the terminal 1, for convenience; two or more may of course be present.
- the WLC 3 is a device that centrally manages a plurality of APs 2 and is also referred to as a communication management device in this embodiment.
- the WLC 3 includes an Ethernet (registered trademark) unit 31, an IP unit 32, a login page distribution unit 33, a Radius client unit 34, a Web client unit 35, a session table 36, and an AP table 37.
- the Radius 4 is an authentication device that performs authentication using the Radius protocol, and includes an Ethernet (registered trademark) unit 41, an IP unit 42, and a Radius Server unit 43.
- the wireless LAN interface unit 11 of the terminal 1 has the following functions.
- when the wireless LAN interface unit 11 receives an IP packet and the most reasonable next hop IP address from the IP unit 12, it looks up the MAC address corresponding to that next hop IP address in its ARP table. It then prepends an Ethernet (registered trademark) header to the IP packet, with the obtained MAC address as the destination MAC address and the MAC address of the wireless LAN interface unit 11 as the source MAC address, generating an Ethernet frame that is transmitted to its destination MAC address.
- when the wireless LAN interface unit 11 receives an Ethernet frame from the wireless LAN interface unit 21 of the AP 2, it refers to the destination MAC address of the frame. If that address matches the MAC address of the wireless LAN interface unit 11, the frame is addressed to it: the Ethernet header is removed and the resulting IP packet is passed to the IP unit 12. Otherwise the frame is not addressed to it and is discarded.
- the wireless LAN interface unit 11 has a function of holding, as an ARP (Address Resolution Protocol) table, a correspondence relationship between a MAC address and an IP address of a device existing in the same LAN segment as that of the terminal 1 and held in the memory of the terminal 1.
- the wireless LAN interface unit 11 has a function of newly registering the correspondence between the MAC address and the IP address in the ARP table when communication with a MAC address not registered in the ARP table occurs. Further, the wireless LAN interface unit 11 deletes entries of MAC addresses and IP addresses that have not been communicated for a certain period of time after registration in the ARP table from the ARP table.
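The aging rule above (an entry is dropped after a period without traffic) matters for the rest of the design: the AP's own ARP table 27, described later, follows the same rule, and both the redirect unit 24 (IP to MAC) and the control information receiving unit 25 (MAC to IP) resolve the terminal through it. The following Python model is an added example, not code from the patent; the idle timeout, the injectable clock and the credential-free scenario are assumptions made for the illustration, and the sample addresses follow the text's worked example. It shows that if the WLC's permission message arrives only after the terminal's entry has aged out, the AP can no longer turn the permitted MAC address into an IP address.

```python
import time


class ArpTable:
    """ARP table with idle-timeout expiry, modelled on the table kept by the
    wireless LAN interface unit 11 (and by the AP's ARP table 27).
    Added example, not code from the patent; timeout and clock are assumptions."""

    def __init__(self, idle_timeout_s, clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock
        self._by_ip = {}  # ip -> [mac, last_seen]

    def observe(self, ip, mac):
        """Register a (MAC, IP) pair seen in traffic, or refresh its timestamp."""
        self._expire()
        self._by_ip[ip] = [mac, self.clock()]

    def mac_for(self, ip):
        """MAC address request keyed on IP (what the redirect unit 24 does)."""
        self._expire()
        entry = self._by_ip.get(ip)
        return entry[0] if entry else None

    def ip_for(self, mac):
        """Reverse lookup keyed on MAC (what the control information receiving unit 25 does)."""
        self._expire()
        for ip, (known_mac, _) in self._by_ip.items():
            if known_mac == mac:
                return ip
        return None

    def _expire(self):
        """Drop entries that have not communicated within the idle timeout."""
        now = self.clock()
        for ip in [ip for ip, (_, seen) in self._by_ip.items()
                   if now - seen > self.idle_timeout_s]:
            del self._by_ip[ip]


class FakeClock:
    """Deterministic stand-in for time.monotonic so the example runs offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def aging_scenario(delay_before_permission_s, idle_timeout_s=60):
    """Terminal 1 (constructed sample addresses) sends one frame, is redirected,
    and the WLC's permission message arrives delay_before_permission_s later.
    Returns (MAC seen by the redirect unit, IP resolvable by the control info unit)."""
    clock = FakeClock()
    arp = ArpTable(idle_timeout_s, clock)
    arp.observe("192.168.0.11", "00:00:00:00:00:11")   # terminal's first frame
    mac_at_redirect = arp.mac_for("192.168.0.11")       # redirect unit 24 lookup
    clock.advance(delay_before_permission_s)            # user is typing credentials
    ip_at_permission = arp.ip_for("00:00:00:00:00:11")  # control info unit 25 lookup
    return mac_at_redirect, ip_at_permission
```

A terminal that keeps exchanging frames with the AP (for instance while the login page is open) refreshes its entry through observe(), so the window only opens when the terminal goes quiet between the redirect and the permission message; a deployment would size the idle timeout against the longest plausible login time.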
- the IP unit 12 generates an IP packet by adding an IP protocol header to the destination IP address and data passed from the Internet browser unit 13. The destination IP address is the address passed from the Internet browser unit 13, and the source IP address is the IP address set in the wireless LAN interface unit 11 of the terminal 1.
- the IP unit 12 refers to the destination IP address of the IP packet, compares it with the routing table it holds, and obtains the most reasonable next hop IP address for the packet. It then passes the generated IP packet and that next hop IP address to the Ethernet unit with the best reachability for the destination IP address, which performs the transmission. Since the terminal 1 has only one Ethernet unit, the IP unit 12 passes the IP packet to the wireless LAN interface unit 11.
- when the IP unit 12 receives an IP packet from the wireless LAN interface unit 11, it checks the destination IP address in the IP header. If it matches the IP address of the wireless LAN interface unit 11 of the terminal 1, the IP unit 12 removes the IP header, refers to the port number contained in the resulting data, and passes the data to the application corresponding to that port number; in the terminal 1 this is the Internet browser unit 13.
- the Internet browser unit 13 is an application for browsing a general Web page, and communicates with the Web server of the URL specified by the operator of the terminal 1 via the IP unit 12.
- the destination IP address corresponding to the URL of the communication destination is resolved by the DNS resolver function inside the Internet browser unit 13, and the destination IP address and the data are transferred to the IP unit 12.
- the wireless LAN interface unit 21 of the AP 2 has the same functions as the frame transmission function and the ARP table management function of the wireless LAN interface unit 11 of the terminal 1.
- the wireless LAN interface unit 21 performs operations for adding and deleting entries corresponding to the MAC address and the IP address in the ARP table management function with respect to the ARP table 27.
- the wireless LAN interface unit 21 functions as an access information transmission unit that transmits a redirect URL as access information described later to the terminal 1.
- the IP unit 22 of the AP 2 determines the transfer destination of a packet or data received from any of the wireless LAN interface unit 21, the Ethernet unit 23, the redirect unit 24 and the control information receiving unit 25 according to the procedure described with reference to the corresponding figure, and transfers the packet or data to that destination.
- the Ethernet unit 23 has the following functions in addition to a function as a permission information receiving unit that receives permission terminal information from the WLC 3.
- when the Ethernet unit 23 receives an IP packet and the most reasonable next hop IP address from the IP unit 22, it sends a MAC address request to the ARP table 27 using that next hop IP address and obtains the corresponding MAC address.
- the Ethernet unit 23 adds an Ethernet protocol header to the IP packet received from the IP unit 22, with the obtained MAC address as the destination MAC address and the MAC address of the Ethernet unit 23 as the source MAC address, generating an Ethernet frame that is transmitted to its destination MAC address.
- when the Ethernet unit 23 receives an Ethernet frame from the Gateway (hereinafter "GW") 5, which relays between the Internet 6 and the AP 2, it refers to the destination MAC address of the frame. If it matches the MAC address of the Ethernet unit 23, the frame is recognized as addressed to the Ethernet unit 23, the Ethernet header is removed, and the resulting IP packet is passed to the IP unit 22. Otherwise the Ethernet unit 23 recognizes that the frame is not addressed to it and discards it.
- the Ethernet unit 23 has a function of holding, as an ARP table, the correspondence between the MAC address and IP address of the device communicating with the AP 2 that the AP 2 holds in the memory.
- the Ethernet unit 23 has a function of newly registering a correspondence between a MAC address and an IP address when communication of a MAC address not registered in the ARP table occurs. Further, the Ethernet unit 23 deletes entries of MAC addresses and IP addresses that have not been communicated for a certain period of time after registration in the ARP table from the table.
- the redirect unit 24 generates access information (a redirect URL) when the connection requesting terminal information identifying a terminal that requests connection to the network via wireless communication is not stored in the control table 26 as permitted terminal information: it adds the connection requesting terminal information and access point information identifying the access point to the information (for example, a URL) for accessing the provider (for example, a website) that supplies the authentication screen for entering connection authentication information.
- the redirect unit 24 has a function of generating and notifying a redirect URL to be transmitted to the terminal 1.
- when the redirect unit 24 receives http data from a terminal that is not yet permitted, it sends a MAC address request to the ARP table 27 using the IP address of the terminal 1 contained in the received http data as the key, and obtains the corresponding MAC address from the ARP table 27.
- the redirect unit 24 creates the http data of the redirect request by adding the MAC address of the Ethernet unit 23 and the MAC address obtained from the ARP table 27 to the URL of the login page of the login page distribution unit 33 of the WLC 3, and passes it to the IP unit 22. The MAC address of the Ethernet unit 23 is assumed to be stored in the internal memory of the redirect unit 24 in advance.
- as a concrete example, suppose the IP address set in the wireless LAN interface unit 11 of the terminal 1 is "192.168.0.11" and its MAC address is "00:00:00:00:00:11", and the IP address set in the Ethernet unit 23 of the AP 2 is "133.0.0.23" and its MAC address is "00:00:00:00:00:23".
- the redirect unit 24 sends a MAC address request to the ARP table 27 using the IP address "192.168.0.11" contained in the received http data as the key, and obtains a MAC address response containing the corresponding MAC address "00:00:00:00:00:11".
- the redirect unit 24 then builds the redirect URL by appending the MAC address "00:00:00:00:00:23" of the Ethernet unit 23 and the MAC address "00:00:00:00:00:11" obtained from the ARP table 27 as parameters to the URL "https://133.0.0.31/login?" of the login page of the login page distribution unit 33 of the WLC 3.
- the control information receiving unit 25 receives data from the Web Client unit 35 of the WLC 3 over https via the IP unit 22, passes the MAC address contained in the received data to the ARP table 27, and obtains the corresponding IP address from the ARP table 27. It then passes the received MAC address and the obtained IP address to the control table 26.
- after the data has been transferred to the control table 26, the control information receiving unit 25 generates an https response message, sent from the IP address of the Ethernet unit 23, indicating that the MAC address data was received, and transmits it to the Web Client unit 35 of the WLC 3 via the IP unit 22.
- the control table 26 functions as the permitted terminal information storage unit that stores permitted terminal information identifying the permitted terminals allowed to communicate with the network. That is, the control table 26 stores the correspondence between the MAC address of each terminal permitted to communicate and its permitted IP address. When a MAC address and IP address are transferred from the control information receiving unit 25, the control table 26 adds them as a new entry.
- when the IP unit 22 sends a reference request, the control table 26 searches the permitted terminal IP addresses 262 using the IP address contained in the reference request as the key, and returns to the IP unit 22 a reference response stating whether that IP address is present among the permitted terminal IP addresses 262.
- the ARP table 27 has the same structure as the ARP table kept by the wireless LAN interface unit 11 of the terminal 1 and is operated in the same way, so its description is omitted.
- the Ethernet unit 31 of the WLC 3 performs the same operation as the Ethernet unit 23 of the AP 2.
- the IP unit 32 of the WLC 3 performs the same operation as the IP unit 12 of the terminal 1, and thus the description thereof is omitted.
- the login page distribution unit 33 functions as communication means that transmits providing source information (for example, a URL) to the connection requesting terminal and receives the connection authentication information, such as a login ID and password, entered on the authentication screen provided on the basis of that providing source information.
- the login page distribution unit 33 has the following functions.
- the login page distribution unit 33 transmits the https data of the Web page serving as the authentication screen to the Internet browser unit 13 of the terminal 1 via the IP unit 32.
- when the login page distribution unit 33 receives https data containing the ID and password used for authentication, it passes the received ID and password to the Radius Client unit 34; a process ID is issued when the Radius Client unit 34 is started for this request.
- after passing the ID and password to the Radius Client unit 34, the login page distribution unit 33 registers in the session table 36 a record consisting of the source IP address and source port number of the received https data, the MAC address of the Ethernet unit 23 of the AP 2 and the MAC address of the wireless LAN interface unit 11 of the terminal 1 (both temporarily held in the storage area of the login page distribution unit 33, having been received as part of the redirect URL), and the process ID issued when the data was passed to the Radius Client unit 34.
- when an authentication result arrives, the login page distribution unit 33 searches the session table 36 using the process ID of the Radius Client unit 34 that delivered the result as the key, and temporarily stores the corresponding record (source IP address, source port number, MAC address of the Ethernet unit 23 of the AP 2, MAC address of the wireless LAN interface unit 11 of the terminal 1) in its storage area.
- the login page distribution unit 33 passes the temporarily stored MAC address of the Ethernet unit 23 of the AP 2 to the AP table 37 and obtains the IP address of the Ethernet unit 23 of the AP 2. It then passes that IP address and the MAC address of the wireless LAN interface unit 11 of the terminal 1 to the Web Client unit 35.
- when the login page distribution unit 33 is notified by the Web Client unit 35 that transmission of the MAC address of the wireless LAN interface unit 11 of the terminal 1 to the IP address of the Ethernet unit 23 of the AP 2 is complete, it sends the session table 36 a record deletion request keyed on the MAC address of the wireless LAN interface unit 11 of the terminal 1, and the corresponding record is deleted. The login page distribution unit 33 then transmits Web page data indicating successful authentication to the Internet browser unit 13 of the terminal 1 via the IP unit 32 over https.
- the Radius Client unit 34 serving as an authentication unit makes an authentication request for the ID and password received from the login page distribution unit 33 to the Radius Server unit 43 of the Radius 4 via the IP unit 32. At this time, the IP address of the Radius Server unit 43 is stored in advance in a storage area in the Radius Client unit 34.
- when the Radius Client unit 34 receives the authentication result from the Radius Server unit 43 via the IP unit 32, it passes that result to the login page distribution unit 33.
- when the terminal that made the connection request has been authenticated by the Radius 4, the Web Client unit 35 functions as the permitted terminal information transmitting means that sends permitted terminal information, permitting communication with the Internet 6, together with the connection requesting terminal information, to the access point identified by the access point information stored in the AP table 37, which serves as the terminal information storage unit.
- when the Web Client unit 35 receives the MAC address of the wireless LAN interface unit 11 of the terminal 1 and the IP address of the AP 2 from the login page distribution unit 33, it notifies the control information receiving unit 25 of the AP 2 of that MAC address over https, using the IP address of the AP 2 as the destination.
- when the Web Client unit 35 receives, via the IP unit 32, the https response message from the control information receiving unit 25 indicating that the MAC address data of the wireless LAN interface unit 11 of the terminal 1 was received, it notifies the login page distribution unit 33 that transmission of that MAC address to the IP address of the Ethernet unit 23 of the AP 2 is complete.
- the session table 36 stores records associating the source IP address of the terminal that made the authentication request, its source port number, the MAC address of the AP to which that terminal belongs, the MAC address of the terminal, and the process ID issued when the login page distribution unit 33 passed the ID and password being authenticated to the Radius Client unit 34.
- the session table 36 does not store data in the initial operation state of the system.
- when data is added: on receiving an element addition request from the login page distribution unit 33, the session table 36 adds an entry keyed on the process ID.
- when data is referenced: on receiving a process ID as the search key from the login page distribution unit 33, the session table 36 returns the data of the corresponding entry to the login page distribution unit 33.
- when data is deleted: on receiving an element deletion request from the login page distribution unit 33, the session table 36 deletes the record keyed on the received process ID.
- the AP table 37 is a table in which the IP address of the AP corresponding to the MAC address of the AP is described. Upon receiving the AP MAC address from the login page distribution unit 33 as a search key, the AP table 37 returns the IP address of the AP to the login page distribution unit 33.
- since the Ethernet unit 41 of the Radius 4 performs the same operation as the Ethernet unit 23 of the AP 2, and the IP unit 42 the same operation as the IP unit 12 of the terminal 1, their description is omitted.
- the Radius Server unit 43 compares the ID and password contained in the authentication request received from the Radius Client unit 34 of the WLC 3 via the IP unit 42 with the ID and password it stores; if they match it returns a message indicating authentication success, and otherwise a message indicating authentication failure, to the Radius Client unit 34 via the IP unit 42.
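The full exchange described across the redirect unit 24, login page distribution unit 33, Radius Client unit 34, Web Client unit 35 and control information receiving unit 25, as an added in-memory Python example (not code from the patent). The https transfers and the RADIUS request are replaced by direct calls; the query parameter names "ap" and "mac", the credential store, the "Login failed." text and the handling of an AP MAC address that is absent from the AP table 37 are this example's assumptions, and the addresses follow the text's worked example. One point a practitioner would check is also made explicit: the text keys the AP's permit check on the terminal's IP address alone, whereas this model additionally compares the source MAC with the one recorded at permission time, and run_flow shows what that check does when a second MAC sends from the same IP.

```python
import itertools
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN_URL = "https://133.0.0.31/login"      # login page distribution unit 33 (URL from the text)
RADIUS_USERS = {"alice": "correct-horse"}   # constructed credential store for the Radius Server stub


def radius_authenticate(user_id, password):
    """Radius Server unit 43 stand-in: success only on an exact ID/password match."""
    return RADIUS_USERS.get(user_id) == password


class AccessPoint:
    """AP 2: ARP table 27, control table 26, redirect unit 24, control information receiving unit 25."""

    def __init__(self, ap_mac, ap_ip):
        self.ap_mac, self.ap_ip = ap_mac, ap_ip
        self.arp = {}       # ARP table 27: terminal IP -> terminal MAC (no aging in this example)
        self.control = {}   # control table 26: permitted IP 262 -> permitted MAC 261

    def handle_http(self, src_mac, src_ip):
        """IP unit 22 decision for an http request: ("forward", None) or ("redirect", url)."""
        self.arp[src_ip] = src_mac
        # The text keys the reference request on the IP alone; requiring the stored MAC to
        # match as well is this example's own, stricter check.
        if self.control.get(src_ip) == src_mac:
            return "forward", None
        # redirect unit 24: resolve the MAC through the ARP table and append both MACs to the URL.
        params = {"ap": self.ap_mac, "mac": self.arp[src_ip]}   # parameter names are assumed
        return "redirect", LOGIN_URL + "?" + urlencode(params)

    def receive_control_info(self, terminal_mac):
        """control information receiving unit 25: MAC -> IP via ARP table 27, then permit."""
        for ip, mac in self.arp.items():
            if mac == terminal_mac:
                self.control[ip] = mac
                return True
        return False   # no ARP entry for that MAC: nothing can be permitted


class Controller:
    """WLC 3: login page distribution unit 33, Radius Client unit 34, Web Client unit 35,
    session table 36 and AP table 37."""

    def __init__(self, aps):
        self.ap_table = {ap.ap_mac: ap.ap_ip for ap in aps}   # AP table 37: AP MAC -> AP IP
        self._network = {ap.ap_ip: ap for ap in aps}          # stands in for https delivery to that IP
        self.sessions = {}                                    # session table 36, keyed by process ID
        self._pids = itertools.count(6789)

    def login(self, redirect_url, src_ip, src_port, user_id, password):
        """Handle the ID/password submission that follows the redirect; returns the page text."""
        query = parse_qs(urlparse(redirect_url).query)
        ap_mac = query.get("ap", [None])[0]
        terminal_mac = query.get("mac", [None])[0]
        pid = next(self._pids)
        self.sessions[pid] = (src_ip, src_port, ap_mac, terminal_mac)   # fields 361..365
        authenticated = radius_authenticate(user_id, password)          # Radius Client unit 34
        return self._on_auth_result(pid, authenticated)

    def _on_auth_result(self, pid, authenticated):
        _src_ip, _src_port, ap_mac, terminal_mac = self.sessions.pop(pid)
        ap_ip = self.ap_table.get(ap_mac)
        if not authenticated or ap_ip is None:
            return "Login failed."                 # failure text is this example's own
        # Web Client unit 35 -> control information receiving unit 25 at the AP's IP address
        if not self._network[ap_ip].receive_control_info(terminal_mac):
            return "Login failed."
        return "Login was successful."             # message 3321 from the text


def run_flow(password, second_mac="00:00:00:00:00:11"):
    """Terminal 1 (192.168.0.11 / 00:00:00:00:00:11) behind AP 2 (133.0.0.23 / 00:00:00:00:00:23)
    logs in, then a frame with second_mac is sent from the same IP address."""
    ap = AccessPoint("00:00:00:00:00:23", "133.0.0.23")
    wlc = Controller([ap])
    action, url = ap.handle_http("00:00:00:00:00:11", "192.168.0.11")
    assert action == "redirect"                     # unknown terminal is sent to the login page
    page = wlc.login(url, "192.168.0.11", 12345, "alice", password)
    action_after, _ = ap.handle_http(second_mac, "192.168.0.11")
    return page, action_after, dict(ap.control)
```

With the correct password the second request is forwarded and the control table holds the (IP, MAC) pair; with a wrong password the terminal is redirected again and the table stays empty; and a different MAC reusing the permitted IP is redirected because the MAC comparison fails, which is the behaviour an IP-only lookup would not give.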
- the control table 26 shown in FIG. 1 includes a MAC address 261 of the permitted terminal and an IP address 262 of the permitted terminal.
- the MAC address 261 of the permitted terminal stores the MAC address of the terminal permitted to communicate with the outside among the terminals belonging to AP2.
- the permitted terminal IP address 262 stores the IP address of a terminal that is permitted to communicate with the outside of the terminals belonging to AP2.
- the permitted terminal MAC address 261 "aa:bb:cc:dd:ee:ff" is associated with the permitted terminal IP address 262 "192.168.0.2", and the permitted terminal MAC address 261 "aa:bb:cc:dd:ef:00" with the permitted terminal IP address 262 "192.168.0.3".
- the ARP table 27 shown in FIG. 1 includes a terminal MAC address 271 and a terminal IP address 272.
- the terminal MAC address 271 stores the MAC address of each terminal that has communicated with the wireless LAN interface unit 21 of the AP 2 within the past fixed period.
- the terminal IP address 272 stores the IP address of each such terminal.
- the terminal MAC address 271 "aa:bb:cc:dd:ee:ff" is associated with the terminal IP address 272 "192.168.0.2", and the terminal MAC address 271 "aa:bb:cc:dd:ef:00" with the terminal IP address 272 "192.168.0.3".
- the authentication Web page 331 includes a text box 3311 for entering an ID, a text box 3312 for entering a password, and a send button for performing an operation for causing the login page distribution unit 33 to transmit the entered ID and password. 3313.
- an authentication result Web page 332 that is a display example of an authentication result for the login page distribution unit 33 notifying the terminal 1 that authentication has been successful will be described with reference to FIG.
- message 3321 is “Login was successful. Is displayed on the authentication result Web page 332.
- The session table 36 includes a source IP address 361, a source port number 362, an AP MAC address 363, a terminal MAC address 364, and a process ID 365.
- The source IP address 361 stores the source IP address of the terminal that made the authentication request.
- The source port number 362 stores the source port number of the terminal that made the authentication request.
- The AP MAC address 363 stores the MAC address of the AP to which the terminal that made the authentication request belongs.
- The terminal MAC address 364 stores the MAC address of the terminal that made the authentication request.
- The process ID 365 stores the process ID issued by the OS inside the WLC 3 when the login page distribution unit 33 passes the ID and password of the authentication request to the Radius Client unit 34.
- For example, the source IP address 361 “aaa:bbb:ccc:1”, the source port number 362 “12345”, and the AP MAC address 363 “00:11:22:33:44:55” are associated with the terminal MAC address 364 “11:22:33:44:55:66” and the process ID 365 “6789”.
- Likewise, the terminal MAC address 364 “11:22:33:44:55:67” and the process ID 365 “6790” are associated with each other.
- The AP table 37 shown in FIG. 1 stores the MAC address 371 of an AP and the corresponding IP address 372 of that AP, which are required when the Web Client unit 35 of the WLC 3 notifies the AP of the IP address of a terminal that has been successfully authenticated.
- The IP unit 22 starts processing when it receives a packet from the wireless LAN interface unit 21 (step S601), receives a packet from the Ethernet unit 23 (step S602), receives data from the redirect unit 24 (step S603), or receives data from the control information receiving unit 25 (step S604).
- When data is received from the redirect unit 24 or the control information receiving unit 25, the IP unit 22 adds an IP header to it (step S605).
- The IP unit 22 checks whether the destination IP address of the IP header is the IP address of the wireless LAN interface unit 21 of the AP 2 or the IP address of the Ethernet unit 23 (step S606).
- When it is (step S606, YES), the IP unit 22 removes the header of the IP packet (step S607).
- The IP unit 22 then refers to the destination port number included in the resulting data (step S608). If the destination port number is 80 (step S608, port number 80), the IP unit 22 passes the data to the redirect unit 24 (step S609). If the destination port number is 443 (step S608, port number 443), the IP unit 22 delivers the data to the control information receiving unit 25 (step S610).
- When the destination IP address is neither of the AP's own addresses (step S606, NO), the IP unit 22 checks whether the packet was received from the Ethernet unit 23 (step S611).
- If it was (step S611, YES), the IP unit 22 refers to the destination IP address of the IP packet, collates it against the routing table held inside the IP unit 22, and obtains the most reasonable next-hop IP address for the IP packet (step S612). The IP unit 22 then delivers the IP packet and that next-hop IP address to the interface unit having the most reasonable reachability to the matching destination IP address, which transmits it (step S613).
- If the packet was not received from the Ethernet unit 23 (step S611, NO), the IP unit 22 refers to the control table 26 using the source IP address of the IP header as the search key (step S614).
- If the source IP address of the IP header exists in the control table 26 (step S614, YES), the IP unit 22 executes steps S612 and S613 above. If it does not (step S614, NO), the IP unit 22 refers to the control table 26 using the destination IP address of the IP header as the key (step S615).
- If the destination IP address of the IP header exists in the control table 26 (step S615, YES), the IP unit 22 executes steps S612 and S613. If it does not (step S615, NO), the IP unit 22 delivers the packet to the redirect unit 24 (step S616).
- In this example, the MAC address of the wireless LAN interface unit 11 of the terminal 1 is “00:00:00:00:00:11” and its IP address is “192.168.0.11”.
- The MAC address of the wireless LAN interface unit 21 of AP2 is “00:00:00:00:00:21” and its IP address is “192.168.0.21”.
- The MAC address of the Ethernet unit 23 of AP2 is “00:00:00:00:00:23” and its IP address is “133.0.0.23”.
- The MAC address of the Ethernet unit 31 of the WLC 3 is “00:00:00:00:00:31” and its IP address is “133.0.0.31”.
- The MAC address of the Ethernet unit 41 of Radius 4 is “00:00:00:00:00:41” and its IP address is “133.0.0.41”.
- The MAC address of the Ethernet unit of GW5 is “00:00:00:00:00:51” and its IP address is “133.0.0.51”.
- The port number of the Internet browser unit 13 of the terminal 1 is “10013”, that of the redirect unit 24 of AP2 is “80”, that of the control information receiving unit 25 of AP2 is “443”, that of the login page distribution unit 33 of WLC3 is “443”, that of the Radius Client unit 34 of WLC3 is “30034”, that of the Web Client unit 35 of WLC3 is “30035”, and that of the Radius Server unit 43 of Radius4 is “1812”.
- The URL of the Web server 8 and the IP address of the target page are as follows: the URL of the Web server 8 is “http://www.******.ne.jp/” and its IP address is “133.0.0.1”.
- The user account registered in Radius 4 is as follows: the login ID is “user” and the password is “musen”.
- The MAC address “00:00:00:00:00:23” of the Ethernet unit 23 of the AP 2 is stored in the internal memory of the redirect unit 24 of the AP 2.
- In the control table 26 of AP2, it is assumed that the permitted terminal MAC address 261 “00:00:00:00:00:21” is registered in association with the permitted terminal IP address 262 “192.168.0.21”, the permitted terminal MAC address 261 “00:00:00:00:00:23” in association with the permitted terminal IP address 262 “133.0.0.23”, and the permitted terminal MAC address 261 “00:00:00:00:00:31” in association with the permitted terminal IP address 262 “133.0.0.31”.
- In the ARP table 27 of AP2, it is assumed that the terminal MAC address 271 “00:00:00:00:00:11” is registered in association with the terminal IP address 272 “192.168.0.11”, and that the MAC address of GW5 is registered as a terminal MAC address 271 in association with the IP address of GW5 as the terminal IP address 272. It is also assumed that no record is registered in the session table 36 of WLC3.
- The IP address “133.0.0.23” corresponding to the MAC address “00:00:00:00:00:23” of the Ethernet unit 23 of AP2 is notified from AP2 to the AP table 37 of the WLC 3 when AP2 is powered on, so the MAC address “00:00:00:00:00:23” of the AP 2 and the IP address “133.0.0.23” of the AP 2 are assumed to be registered in the AP table 37 in advance.
- The IP unit 12 generates an IP packet by adding, to the data received from the Internet browser unit 13, an IP protocol header in which the source IP address is set to “192.168.0.11” and the destination IP address to “133.0.0.1”.
- The IP unit 12 refers to the destination IP address of the generated IP packet and collates it with the routing table held inside. As a result, the IP unit 12 determines that the Ethernet unit having the most reasonable reachability to the destination IP address is the wireless LAN interface unit 11 and that the next-hop IP address is “192.168.0.21”, and transfers the IP packet and the next-hop IP address “192.168.0.21” to the wireless LAN interface unit 11 to be transmitted.
- The wireless LAN interface unit 11 receives the IP packet and the next-hop IP address “192.168.0.21” from the IP unit 12, issues a MAC address request for the next-hop IP address “192.168.0.21” to the ARP table in the wireless LAN interface unit 11, and obtains the corresponding MAC address “00:00:00:00:00:21”. The wireless LAN interface unit 11 then adds an Ethernet protocol header with the source MAC address “00:00:00:00:00:11” and the destination MAC address “00:00:00:00:00:21” to generate an Ethernet frame, and passes the frame to the wireless LAN interface unit 21 of the AP 2 connected wirelessly.
- When the wireless LAN interface unit 21 of the AP 2 receives the frame from the wireless LAN interface unit 11 of the terminal 1, it refers to the destination MAC address of the Ethernet frame. Since the destination MAC address “00:00:00:00:00:21” of the Ethernet frame matches the MAC address “00:00:00:00:00:21” of the wireless LAN interface unit 21, it removes the Ethernet protocol header and transfers the resulting IP packet to the IP unit 22.
- The IP unit 22 receives the packet from the wireless LAN interface unit 21 and checks whether the destination IP address of the IP header matches the IP address of the wireless LAN interface unit 21 of the AP 2 or the IP address of the Ethernet unit 23. Since the destination IP address “133.0.0.1” of the IP header is neither the IP address “192.168.0.21” of the wireless LAN interface unit 21 of AP2 nor the IP address “133.0.0.23” of the Ethernet unit 23, the IP unit 22 next checks whether the packet was received from the Ethernet unit 23. Since the packet was received from the wireless LAN interface unit 21, it was not.
- The IP unit 22 next checks whether the source IP address “192.168.0.11” of the IP header exists in the control table 26. Since it does not, the IP unit 22 next checks whether the destination IP address “133.0.0.1” of the IP header exists in the control table 26. Since it does not either, the IP unit 22 removes the header of the IP packet and hands the data to the redirect unit 24.
- The redirect unit 24 sends a MAC address request including the IP address “192.168.0.11” of the http request source to the ARP table 27, and obtains a MAC address response including the MAC address “00:00:00:00:00:11” corresponding to the IP address “192.168.0.11”.
- The redirect unit 24 generates redirect data to the login page URL “https://133.0.0.31/” of the login page distribution unit 33 of the WLC 3, including in the URL the MAC address “00:00:00:00:00:23” of the Ethernet unit 23 of the AP 2 stored in its internal memory and the MAC address “00:00:00:00:00:11” of the terminal 1, and passes the data to the IP unit 22.
- The IP unit 22 adds an IP header with the source IP address “192.168.0.21” and the destination IP address “192.168.0.11” to the data passed from the redirect unit 24, and then checks whether the destination IP address “192.168.0.11” in the IP header is the IP address of the wireless LAN interface unit 21 of the AP 2 or the IP address of the Ethernet unit 23. Since the destination IP address “192.168.0.11” is neither the IP address “192.168.0.21” of the wireless LAN interface unit 21 of the AP 2 nor the IP address “133.0.0.23” of the Ethernet unit 23, the IP unit 22 next checks whether the packet was received from the Ethernet unit 23.
- The IP unit 22 next refers to the control table 26 using the source IP address “192.168.0.21” of the IP header as the search key and checks whether the source IP address “192.168.0.21” exists in the control table 26.
- Since the source IP address “192.168.0.21” exists in the control table 26, the IP unit 22 refers to the destination IP address “192.168.0.11” of the IP packet, collates it with the routing table held internally, and obtains “192.168.0.11” as the most reasonable next-hop IP address for the IP packet. The IP unit 22 then transfers the generated IP packet and the next-hop IP address “192.168.0.11” to the wireless LAN interface unit 21, which has the most reasonable reachability to the destination IP address “192.168.0.11”.
- The wireless LAN interface unit 21 receives the IP packet and the next-hop IP address “192.168.0.11” from the IP unit 22, sends a MAC address request for the next-hop IP address “192.168.0.11” to the ARP table 27, and obtains the corresponding MAC address “00:00:00:00:00:11”. It then adds an Ethernet protocol header with the source MAC address “00:00:00:00:00:21” and the destination MAC address “00:00:00:00:00:11” to generate an Ethernet frame, and transmits the frame to the wireless LAN interface unit 11 of the terminal 1 connected wirelessly.
- When the wireless LAN interface unit 11 of the terminal 1 receives the frame from the wireless LAN interface unit 21 of the AP 2, it refers to the destination MAC address “00:00:00:00:00:11” of the Ethernet frame. Since it matches the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11, the Ethernet protocol header is removed and the resulting IP packet is transferred to the IP unit 12.
- The IP unit 12 checks whether the destination IP address of the IP header of the IP packet received from the wireless LAN interface unit 11 matches the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1. Since the destination IP address “192.168.0.11” matches, the IP header is removed and the destination port number included in the resulting data is referred to. Because the application corresponding to the destination port number “80” is the Internet browser unit 13, the IP unit 12 transfers the data to the Internet browser unit 13.
- The Internet browser unit 13 redirects to the URL “https://133.0.0.31/login?” included in the redirect request of the http data received from the IP unit 12.
- The IP unit 12 generates an IP packet by adding, to the data delivered from the Internet browser unit 13, an IP protocol header in which the source IP address is set to “192.168.0.11” and the destination IP address to “133.0.0.31”.
- The IP unit 12 refers to the destination IP address of the generated IP packet and collates it with the routing table held inside. As a result, the IP unit 12 determines that the Ethernet unit having the most reasonable reachability to the destination IP address “133.0.0.31” is the wireless LAN interface unit 11 and that the next-hop IP address is “192.168.0.21”, and transfers the IP packet and the next-hop IP address “192.168.0.21” to the wireless LAN interface unit 11 to be transmitted.
- The wireless LAN interface unit 11 receives the IP packet and the next-hop IP address “192.168.0.21” from the IP unit 12, issues a MAC address request for the next-hop IP address “192.168.0.21” to the ARP table in the wireless LAN interface unit 11, and obtains the corresponding MAC address “00:00:00:00:00:21”. The wireless LAN interface unit 11 then adds an Ethernet protocol header with the source MAC address “00:00:00:00:00:11” and the destination MAC address “00:00:00:00:00:21” to generate an Ethernet frame, and passes the frame to the wireless LAN interface unit 21 of the AP 2 connected wirelessly.
- When the wireless LAN interface unit 21 of the AP 2 receives the frame from the wireless LAN interface unit 11 of the terminal 1, it refers to the destination MAC address of the Ethernet frame.
- Since the destination MAC address “00:00:00:00:00:21” of the Ethernet frame matches the MAC address “00:00:00:00:00:21” of the wireless LAN interface unit 21, the wireless LAN interface unit 21 removes the Ethernet protocol header and passes the resulting IP packet to the IP unit 22.
- The IP unit 22 checks whether the destination IP address of the IP header matches the IP address of the wireless LAN interface unit 21 of the AP 2 or the IP address of the Ethernet unit 23. Since the destination IP address “133.0.0.31” of the IP header is neither the IP address “192.168.0.21” of the wireless LAN interface unit 21 of AP2 nor the IP address “133.0.0.23” of the Ethernet unit 23, the IP unit 22 next checks whether the packet was received from the Ethernet unit 23. Since the packet was received from the wireless LAN interface unit 21, it was not.
- The IP unit 22 next checks whether the source IP address “192.168.0.11” of the IP header exists in the control table 26. Since it does not, the IP unit 22 next checks whether the destination IP address “133.0.0.31” of the IP header exists in the control table 26. Since the destination IP address “133.0.0.31” does exist in the control table 26, the IP unit 22 refers to the destination IP address of the IP header and collates it with the routing table held inside the IP unit 22.
- As a result, the IP unit 22 determines that the Ethernet unit having the most reasonable reachability to the destination IP address is the Ethernet unit 23 and that the next-hop IP address is “133.0.0.51”.
- The IP packet and the next-hop IP address “133.0.0.51” are delivered to the Ethernet unit 23 to be transmitted.
- The Ethernet unit 23 receives the IP packet and the next-hop IP address “133.0.0.51” from the IP unit 22, issues a MAC address request for the next-hop IP address “133.0.0.51” to the ARP table of the Ethernet unit 23, and obtains the corresponding MAC address “00:00:00:00:00:51”. The Ethernet unit 23 then adds an Ethernet protocol header with the source MAC address “00:00:00:00:00:23” and the destination MAC address “00:00:00:00:00:51” to generate an Ethernet frame, and passes the frame to the GW 5 connected by wire.
- When the GW 5 receives the packet from the AP 2, it refers to the routing table inside the GW 5 and passes the packet to the Internet 6, which has the most reasonable reachability to the destination IP address “133.0.0.31” of the IP header.
- When the Internet 6 receives the packet from the GW 5, it refers to the routing table inside the Internet 6 and hands the packet to the HUB 7, which has the most reasonable reachability to the destination IP address “133.0.0.31” of the IP header.
- When the HUB 7 receives the frame from the Internet 6, it refers to the destination MAC address “00:00:00:00:00:31” included in the packet and passes it to the WLC 3, which has that destination MAC address.
- The Ethernet unit 31 of the WLC 3 refers to the destination MAC address “00:00:00:00:00:31” of the Ethernet frame. Since the destination MAC address “00:00:00:00:00:31” of the Ethernet frame matches the MAC address “00:00:00:00:00:31” of the Ethernet unit 31, the Ethernet unit 31 removes the Ethernet protocol header and transfers the resulting IP packet to the IP unit 32.
- The IP unit 32 checks whether the destination IP address of the IP header of the IP packet received from the Ethernet unit 31 matches the IP address “133.0.0.31” of the Ethernet unit 31 of the WLC 3. Since the destination IP address “133.0.0.31” matches, the IP unit 32 removes the IP header and refers to the destination port number included in the resulting data. Since the application corresponding to the destination port number “443” is the login page distribution unit 33, the IP unit 32 delivers the data to the login page distribution unit 33.
- The login page distribution unit 33 temporarily stores, in a storage area inside the login page distribution unit 33, the MAC address “00:00:00:00:00:23” of the Ethernet unit 23 of AP2 and the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 that are included in the URL of the https request received from the IP unit 32. The login page distribution unit 33 then transmits Web page data serving as the https authentication screen to the Internet browser unit 13 of the terminal 1 through the IP unit 32.
- The Internet browser unit 13 of the terminal 1 receives the Web page data serving as the https authentication screen from the login page distribution unit 33 and displays the received Web page on the screen of the terminal 1.
- The user inputs the ID “user” and the password “musen” used for authentication into the Internet browser unit 13.
- The Internet browser unit 13 transmits the input ID “user” and password “musen” to the login page distribution unit 33 of the WLC 3 via the IP unit 12 over https.
- The login page distribution unit 33 receives the authentication ID “user” and password “musen” from the Internet browser unit 13 via https, and delivers the received ID “user” and password “musen” to the Radius Client unit 34.
- A process ID 335, issued by the OS inside the WLC 3 when the Radius Client unit 34 is started, is passed to the login page distribution unit 33.
- The login page distribution unit 33 transfers to the session table 36 the source IP address “192.168.0.11” and the source port number “10013” recorded when the data was received, the MAC address “00:00:00:00:00:23” of the Ethernet unit 23 of the AP 2 and the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 held in the storage area inside the login page distribution unit 33, and the process ID 335 issued when the data was transferred to the Radius Client unit 34.
- The Radius Client unit 34 sends an authentication request for the ID “user” and password “musen” received from the login page distribution unit 33 to the Radius Server unit 43 of the Radius 4 via the IP unit 32.
- The Radius Server unit 43 of the Radius 4 compares the ID “user” and the password “musen” included in the authentication request received from the Radius Client unit 34 of the WLC 3 through the IP unit 42 with the ID and password stored inside the Radius Server unit 43.
- Since they match, an authentication success message is returned to the Radius Client unit 34 via the IP unit 42.
- The Radius Client unit 34 of the WLC 3 receives the authentication success message from the Radius Server unit 43 of the Radius 4 via the IP unit 32, and passes the authentication result received from the Radius Server unit 43 to the login page distribution unit 33.
- The login page distribution unit 33 searches the session table 36 using as the key the process ID 335 of the Radius Client unit 34 that transmitted the authentication result.
- From the matching record, the source IP address “192.168.0.11” and the source port number “10013” recorded when the data was received, the MAC address “00:00:00:00:00:23” of the Ethernet unit 23 of the AP 2, and the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 are acquired and temporarily stored in the storage area inside the login page distribution unit 33.
- The login page distribution unit 33 looks up the MAC address “00:00:00:00:00:23” of the Ethernet unit 23 of AP2, temporarily stored in its internal storage area, in the AP table 37.
- The IP address “133.0.0.23” of the Ethernet unit 23 of AP2 is thereby acquired.
- The login page distribution unit 33 transfers the acquired IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2 and the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 to the Web Client unit 35.
- The Web Client unit 35 receives the IP address “133.0.0.23” of the Ethernet unit 23 of AP2 and the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 from the login page distribution unit 33.
- With the IP address “133.0.0.23” of the Ethernet unit 23 of AP2 as the destination IP address and “443” as the destination port number, the Web Client unit 35 transmits the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 to the control information receiving unit 25 of AP2 via the IP unit 32 over https.
- When the control information receiving unit 25 of AP 2 receives the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 from the Web Client unit 35 of the WLC 3 through the IP unit 22 via https, it transfers an IP address request including the received MAC address “00:00:00:00:00:11” to the ARP table 27.
- The control information receiving unit 25 obtains an IP address response including the IP address “192.168.0.11” corresponding to the MAC address “00:00:00:00:00:11”.
- The control information receiving unit 25 transfers the received MAC address “00:00:00:00:00:11” and the acquired IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1 to the control table 26. After the data has been transferred, the control information receiving unit 25 generates https response data indicating that the transfer of the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 to the IP address “133.0.0.23” of the Ethernet unit 23 of AP2 is complete, and transmits it to the Web Client unit 35 of the WLC 3 through the IP unit 22.
- The Web Client unit 35 of the WLC 3 receives, from the control information receiving unit 25 of the AP 2 via the IP unit 32, the message notifying that the transfer of the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 to the IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2 is complete.
- The Web Client unit 35 transmits that message to the login page distribution unit 33.
- When the login page distribution unit 33 receives from the Web Client unit 35 the message that the transfer of the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 to the IP address “133.0.0.23” of the Ethernet unit 23 of AP2 is complete, it sends the session table 36 a record deletion request with the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11 of the terminal 1 as the key, and the record is deleted. The login page distribution unit 33 then transmits Web page data indicating successful authentication to the Internet browser unit 13 of the terminal 1 via the IP unit 32 over https.
- The Internet browser unit 13 of the terminal 1 receives the authentication success notification screen from the login page distribution unit 33 of the WLC 3 via the IP unit 12 over https. Thereafter, when the terminal 1 communicates with the Internet 6, the IP unit 22 of the AP 2 no longer redirects it, and communication proceeds as the user intended.
- the Internet browser unit 13 of the terminal 1 has a URL “http: // www. ******. ne. Access request data for accessing jp / ”is generated.
- the DNS resolver function in the Internet browser unit 13 has a URL “http: // www. ******. ne.
- the destination IP address corresponding to “jp /” is resolved to obtain the corresponding destination IP address “133.0.0.1”. Then, the Internet browser unit 13 delivers the destination IP address “133.0.0.1” and the http data to the IP unit 12.
- the IP unit 12 sends the data delivered from the Internet browser unit 13 to the destination IP address “192.168.0.11” as the source IP address and the destination IP address delivered from the Internet browser unit 13 as the destination IP address.
- An IP packet is generated by adding an IP protocol header in which the address “133.0.0.1” is set.
- the IP unit 12 refers to the transmission destination IP address “133.0.0.1” of the generated IP packet and collates with the routing table held inside. As a result of the collation, the IP unit 12 indicates that the Ethernet unit having the most reasonable reachability to the destination IP address “133.0.0.1” is the wireless LAN interface unit 11, and the next hop IP address is “192”. .168.0.21 ”, the IP packet and the next hop IP address“ 192.168.0.21 ”are transferred to the wireless LAN interface unit 11 to be transmitted.
- the wireless LAN interface unit 11 receives the IP packet and the next hop IP address “192.168.0.21” from the IP unit 12, and the next hop IP address “192.168..21” with respect to the ARP table of the wireless LAN interface unit 11.
- the MAC address “00: 00: 00: 00: 00: 21” corresponding to the next hop IP address “192.168.0.21” is obtained by making a MAC address request at “0.21”.
- an Ethernet protocol header with the transmission source MAC address “00: 00: 00: 00: 00: 11” and the transmission destination MAC address “00: 00: 00: 00: 21” is added.
- An Ethernet frame is generated, and the Ethernet frame is passed to the wireless LAN interface unit 21 of the AP 2 connected wirelessly.
- the wireless LAN interface unit 21 of the AP 2 When the wireless LAN interface unit 21 of the AP 2 receives the frame from the wireless LAN interface unit 11 of the terminal 1, it refers to the destination MAC address of the Ethernet frame.
- the destination MAC address “00: 00: 00: 00: 00: 21” of the Ethernet frame matches the MAC address “00: 00: 00: 00: 00: 21” of the wireless LAN interface unit 21, so the wireless LAN interface unit 21 removes the header of the Ethernet protocol and passes the generated IP packet to the IP unit 22.
- the IP unit 22 determines whether or not the destination IP address of the IP header matches the IP address of the wireless LAN interface unit 21 of the AP2 or the IP address of the Ethernet unit 23. Confirm. As a result, the destination IP address “133.0.0.1” of the IP header is the IP address “192.168.0.21” of the wireless LAN interface unit 21 of AP2, and the IP address “133.0 of the Ethernet unit 23”. .0.23 ”, the IP unit 22 checks whether the Ethernet unit that has received the packet next is the Ethernet unit 23 or not. As a result, since the packet is received from the wireless LAN interface unit 21, it does not match the Ethernet unit 23.
- the IP unit 22 next checks whether or not the source IP address “192.168.0.11” of the IP header exists on the control table 26. As a result, since the transmission source IP address “192.168.0.11” of the IP header exists on the control table 26, the IP unit 22 refers to the transmission destination IP address of the IP header, and the IP unit 22 internal Compare with the routing table held in.
- The IP unit 22 determines that the Ethernet unit with the most reasonable reachability to the destination IP address is the Ethernet unit 23 and that the next hop IP address is “133.0.0.51”, and delivers the IP packet and the next hop IP address “133.0.0.51” to the Ethernet unit 23 for transmission.
- The Ethernet unit 23 receives the IP packet and the next hop IP address “133.0.0.51” from the IP unit 22, queries its ARP table with the next hop IP address “133.0.0.51”, and obtains the corresponding MAC address “00:00:00:00:00:51”. The Ethernet unit 23 then adds an Ethernet protocol header with the source MAC address “00:00:00:00:00:23” and the destination MAC address “00:00:00:00:00:51” to generate an Ethernet frame, and delivers the frame to the wired GW 5.
- When the GW 5 receives the packet from the AP 2, it refers to its internal routing table and hands the packet over to the Internet 6, which has the most reasonable reachability to the destination IP address “133.0.0.1” of the IP header.
- The Internet 6 refers to the destination IP address “133.0.0.1” in the IP header of the packet and forwards the packet received from the GW 5 to the Web server 8, which has that IP address.
- When the Web server 8 receives the http data from the Internet 6, it refers to the request URL included in the data and obtains the request URL “http://www.******.ne.jp/”. The Web server 8 then transfers the Web page data corresponding to the request URL “http://www.******.ne.jp/” to the terminal 1 through the Internet 6.
- When the terminal 1 receives the Web page data for the URL “http://www.******.ne.jp/”, it displays the Web page data on the screen provided in the terminal.
- Because the AP 2 receives from the WLC 3 the information on the terminals whose traffic may flow to the Internet 6 side and performs filtering inside the AP 2 based on that information, the AP 2 does not have to pass traffic through the WLC 3; user traffic can flow directly toward the Internet 6.
- The communication management system according to the second embodiment differs from the first embodiment in that whether communication is permitted is managed using an IP address instead of a MAC address.
- The communication management system in the second embodiment includes a terminal 1, an AP 2A, a WLC 3A, and a Radius 4. Since the terminal 1 and the Radius 4 have the same configuration as in the first embodiment, their description is omitted.
- Compared with the AP 2 of the first embodiment, the AP 2A has a wireless LAN interface unit 21A instead of the wireless LAN interface unit 21, a redirect unit 24A instead of the redirect unit 24, a control information receiving unit 25A instead of the control information receiving unit 25, and a control table 26A instead of the control table 26. The ARP table 27 of the first embodiment is not provided.
- Compared with the WLC 3 of the first embodiment, the WLC 3A has a login page distribution unit 33A instead of the login page distribution unit 33, a Web client unit 35A instead of the Web client unit 35, and a session table 36A instead of the session table 36. Further, the second embodiment does not have the AP table 37 of the first embodiment.
- The redirect unit 24A has the function of generating a redirect URL and notifying the terminal 1 of it. When the received data is http, the redirect unit 24A generates http data for a redirect request whose URL includes the URL of the login page of the login page distribution unit 33A of the WLC 3A, the IP address of the Ethernet unit 23, and the IP address of the source of the received http request as keys, and passes it to the IP unit 22. It is assumed that the IP address of the Ethernet unit 23 is stored in advance in the internal memory of the redirect unit 24A.
- When the control information receiving unit 25A receives data from the Web client unit 35A of the WLC 3A via the IP unit 22 over https, it passes the IP address included in the received data to the control table 26A. After the data transfer, the control information receiving unit 25A generates https response message data indicating that the IP address data addressed to the IP address of the Ethernet unit 23 of the AP 2A has been received, and transmits the https data to the Web client unit 35A.
- The control table 26A is a table describing the IP addresses of the terminals that are permitted to communicate. When an IP address is delivered from the control information receiving unit 25A, the control table 26A adds the received IP address to itself.
- When a reference request is received from the IP unit 22, the control table 26A searches the IP address 262 of the permitted terminal using the IP address included in the reference request as a key. If the IP address included in the reference request exists in the IP address 262 of the permitted terminal, the control table 26A delivers to the IP unit 22 a reference response containing a message indicating that it exists. If the IP address included in the reference request is not included in the IP address 262 of the permitted terminal, the control table 26A delivers to the IP unit 22 a reference response containing a message indicating that the IP address does not exist in the IP address 262 of the permitted terminal.
- The login page distribution unit 33A has the following functions. When the login page distribution unit 33A receives an https Web page request from the terminal 1, it temporarily stores the IP address of the Ethernet unit 23 of the AP 2A and the IP address of the wireless LAN interface unit 11 of the terminal 1, both included in the URL of the received https request, in a storage area inside the login page distribution unit 33A. Thereafter, the login page distribution unit 33A transmits the https data of the Web page serving as the https authentication screen to the Internet browser unit 13 of the terminal 1 through the IP unit 32.
- The login page distribution unit 33A delivers the received ID and password to the Radius Client unit 34. At this time, the process ID issued when the Radius Client unit 34 is activated is issued to the login page distribution unit 33A.
- After passing the ID and password to the Radius Client unit 34, the login page distribution unit 33A delivers to the session table 36A the source IP address and source port number recorded when the https data was received, the IP address of the Ethernet unit 23 of the AP 2A and the IP address of the wireless LAN interface unit 11 of the terminal 1 held in its internal storage area, and the issued process ID.
- When the login page distribution unit 33A receives the authentication result, it searches the session table 36A using the process ID of the Radius Client unit 34 that transmitted the authentication result as a key and acquires, from the corresponding record, the source IP address and source port number at the time the data was received, the IP address of the Ethernet unit 23 of the AP 2A, and the IP address of the wireless LAN interface unit 11 of the terminal 1. Then, the login page distribution unit 33A transfers the acquired IP address of the Ethernet unit 23 of the AP 2A and the IP address of the wireless LAN interface unit 11 of the terminal 1 to the Web client unit 35A.
- When the login page distribution unit 33A receives from the Web client unit 35A the notification that the transmission of the IP address of the wireless LAN interface unit 11 of the terminal 1 to the IP address of the Ethernet unit 23 of the AP 2A is complete, it sends the session table 36A a record deletion request using the IP address of the wireless LAN interface unit 11 of the terminal 1 as a key, so that the record is deleted. Thereafter, the login page distribution unit 33A transmits Web page data indicating successful authentication to the Internet browser unit 13 of the terminal 1 via the IP unit 32 using https.
- When the Web client unit 35A receives the IP address of the wireless LAN interface unit 11 of the terminal 1 and the IP address of the AP 2A from the login page distribution unit 33A, it uses the IP address of the AP 2A as the destination and notifies the control information receiving unit 25A of the AP 2A of the IP address of the wireless LAN interface unit 11 of the terminal 1 over https. After the Web client unit 35A receives, through the IP unit 32, the https response message from the control information receiving unit 25A of the AP 2A indicating that the transmission of the IP address of the wireless LAN interface unit 11 of the terminal 1 to the IP address of the Ethernet unit 23 of the AP 2A is complete, it transmits to the login page distribution unit 33A a message notifying that this transmission is complete.
- The session table 36A is a table describing the source IP address of the terminal that made the authentication request, the source port number of that terminal, the IP address of the AP to which that terminal belongs, the IP address of that terminal, and the process ID issued when the login page distribution unit 33A delivered the ID and password of the authentication request to the Radius Client unit 34.
- The session table 36A holds no data in the initial operation state of the system.
- Adding data: when the session table 36A receives an element addition request from the login page distribution unit 33A, it adds an entry with the process ID as a key.
- Referring to data: when the session table 36A receives a process ID from the login page distribution unit 33A as a search key, it returns the data of the corresponding entry to the login page distribution unit 33A.
- Deleting data: when the session table 36A receives an element deletion request from the login page distribution unit 33A, it deletes the record having the received process ID as a key from the session table 36A.
- The control table 26A differs from the control table 26 of the first embodiment in that it does not have the MAC address 261 of the permitted terminal; the control table 26A consists of the IP address 262 of the permitted terminal. The IP address 262 of the permitted terminal stores the IP addresses of those terminals, among the terminals belonging to the AP 2A, that are permitted to communicate with the outside.
- The session table 36A includes a source IP address 361, a source port number 362, an AP IP address 363, a terminal IP address 364, and a process ID 365.
- The source IP address 361 stores the source IP address of the terminal that made the authentication request.
- The source port number 362 stores the source port number of the terminal that made the authentication request.
- The AP IP address 363 stores the IP address of the AP to which the terminal that made the authentication request belongs.
- The terminal IP address 364 stores the IP address of the terminal that made the authentication request.
- The process ID 365 stores the process ID issued when the login page distribution unit 33A passes the ID and password of the authentication request to the Radius Client unit 34.
- The MAC address of the wireless LAN interface unit 11 of the terminal 1 is “00:00:00:00:00:11”, and its IP address is “192.168.0.11”.
- The MAC address of the wireless LAN interface unit 21A of the AP 2A is “00:00:00:00:00:21”, and its IP address is “192.168.0.21”.
- The MAC address of the Ethernet unit 23 of the AP 2A is “00:00:00:00:00:23”, and its IP address is “133.0.0.23”.
- The MAC address of the Ethernet unit 31 of the WLC 3A is “00:00:00:00:00:31”, and its IP address is “133.0.0.31”.
- The MAC address of the Ethernet unit 41 of the Radius 4 is “00:00:00:00:00:41”, and its IP address is “133.0.0.41”.
- The MAC address of the Ethernet unit of the GW 5 is “00:00:00:00:00:51”, and its IP address is “133.0.0.51”.
- It is assumed that the port number of the Internet browser unit 13 of the terminal 1 is “10013”, the port number of the redirect unit 24A of the AP 2A is “80”, the port number of the control information receiving unit 25A of the AP 2A is “443”, the port number of the login page distribution unit 33A of the WLC 3A is “443”, the port number of the Radius Client unit 34 of the WLC 3A is “30034”, the port number of the Web client unit 35A of the WLC 3A is “30035”, and the port number of the Radius Server unit 43 of the Radius 4 is “1812”.
- The URL of the Web server 8 is “http://www.******.ne.jp/”, and the IP address of the target page is “133.0.0.1”.
- The URL of the login page distribution unit 33A of the WLC 3A is “https://133.0.0.31/”.
- The IP address of the Ethernet unit 23 of the AP 2A is stored in the internal memory of the redirect unit 24A.
- In the control table 26A, the registered records are “192.168.0.21”, “133.0.0.23”, and “133.0.0.31” as the IP address 262 of the permitted terminal.
- Sequence S001, which shows the operation before authentication of the terminal 1, will be described. Although some procedures overlap with those of the first embodiment, the sequences from S002A onward are given sequence numbers different from those of the first embodiment for convenience of description, even where the procedures overlap with the first embodiment.
- The IP unit 12 generates an IP packet by adding to the data delivered from the Internet browser unit 13 an IP protocol header in which the source IP address is set to “192.168.0.11” and the destination IP address is set to the destination IP address “133.0.0.1” delivered from the Internet browser unit 13.
- The IP unit 12 refers to the destination IP address of the generated IP packet and collates it with the routing table held inside. As a result, the IP unit 12 determines that the Ethernet unit with the most reasonable reachability to the destination IP address is the wireless LAN interface unit 11 and that the next hop IP address is “192.168.0.21”, and transfers the IP packet and the next hop IP address “192.168.0.21” to the wireless LAN interface unit 11 for transmission.
- The wireless LAN interface unit 11 receives the IP packet and the next hop IP address “192.168.0.21” from the IP unit 12, queries the ARP table in the wireless LAN interface unit 11 with the next hop IP address “192.168.0.21”, and obtains the corresponding MAC address “00:00:00:00:00:21”. Then, an Ethernet protocol header with the source MAC address “00:00:00:00:00:11” and the destination MAC address “00:00:00:00:00:21” is added to generate an Ethernet frame, and the Ethernet frame is passed to the wireless LAN interface unit 21A of the wirelessly connected AP 2A.
- When the wireless LAN interface unit 21A of the AP 2A receives the frame from the wireless LAN interface unit 11 of the terminal 1, it refers to the destination MAC address of the Ethernet frame. Since the destination MAC address “00:00:00:00:00:21” of the Ethernet frame matches the MAC address “00:00:00:00:00:21” of the wireless LAN interface unit 21A, the Ethernet protocol header is removed and the resulting IP packet is transferred to the IP unit 22.
- The IP unit 22 receives the packet from the wireless LAN interface unit 21A and checks whether the destination IP address of the IP header matches the IP address of the wireless LAN interface unit 21A of the AP 2A or the IP address of the Ethernet unit 23. Since the destination IP address “133.0.0.1” of the IP header matches neither the IP address “192.168.0.21” of the wireless LAN interface unit 21A nor the IP address “133.0.0.23” of the Ethernet unit 23, the IP unit 22 next checks whether the unit that received the packet is the Ethernet unit 23. Since the packet was received from the wireless LAN interface unit 21A, it is not.
- The IP unit 22 next checks whether the source IP address “192.168.0.11” of the IP header exists in the control table 26A. Since it does not, the IP unit 22 next checks whether the destination IP address “133.0.0.1” of the IP header exists in the control table 26A. Since the destination IP address “133.0.0.1” does not exist in the control table 26A either, the IP unit 22 removes the IP header and hands the data over to the redirect unit 24A.
- The IP unit 22 adds to the data passed from the redirect unit 24A an IP header with the source IP address “192.168.0.21” and the destination IP address “192.168.0.11”. It then checks whether the destination IP address “192.168.0.11” of the IP header is the IP address of the wireless LAN interface unit 21A of the AP 2A or the IP address of the Ethernet unit 23. Since the destination IP address “192.168.0.11” is neither the IP address “192.168.0.21” of the wireless LAN interface unit 21A of the AP 2A nor the IP address “133.0.0.23” of the Ethernet unit 23, the IP unit 22 checks whether the unit that received the packet is the Ethernet unit 23. Since the packet was received from the redirect unit 24A, it is not. Therefore, the IP unit 22 next refers to the control table 26A using the source IP address “192.168.0.21” of the IP header as a search key and checks whether the source IP address “192.168.0.21” exists in the control table 26A. Since the source IP address “192.168.0.21” exists in the control table 26A, the IP unit 22 refers to the destination IP address “192.168.0.11” of the IP packet.
- The IP unit 22 collates it with the internally held routing table and acquires the IP address “192.168.0.11” as the most reasonable next hop of the IP packet. Then, the IP unit 22 transfers the generated IP packet and the next hop IP address “192.168.0.11” to the wireless LAN interface unit 21A, which has the most reasonable reachability to the destination IP address “192.168.0.11”, for transmission.
- The wireless LAN interface unit 21A receives the IP packet and the next hop IP address “192.168.0.11” from the IP unit 22, queries the ARP table in the wireless LAN interface unit 21A with the next hop IP address “192.168.0.11”, and obtains the corresponding MAC address “00:00:00:00:00:11”. Then, the wireless LAN interface unit 21A adds an Ethernet protocol header with the source MAC address “00:00:00:00:00:21” and the destination MAC address “00:00:00:00:00:11” to generate an Ethernet frame, and transmits the Ethernet frame to the wireless LAN interface unit 11 of the wirelessly connected terminal 1.
- When the wireless LAN interface unit 11 receives the frame from the wireless LAN interface unit 21A of the AP 2A, it refers to the destination MAC address “00:00:00:00:00:11” of the Ethernet frame. Since the destination MAC address “00:00:00:00:00:11” of the Ethernet frame matches the MAC address “00:00:00:00:00:11” of the wireless LAN interface unit 11, the wireless LAN interface unit 11 removes the Ethernet protocol header and passes the resulting IP packet to the IP unit 12.
- The IP unit 12 checks whether the destination IP address of the IP header of the IP packet received from the wireless LAN interface unit 11 matches the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1. Since the destination IP address “192.168.0.11” of the IP header matches the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1, the IP unit 12 removes the IP header and refers to the destination port number included in the resulting data. Since the application corresponding to the destination port number “80” is the Internet browser unit 13, the IP unit 12 transfers the data to the Internet browser unit 13.
- The IP unit 12 generates an IP packet by adding to the data delivered from the Internet browser unit 13 an IP protocol header in which the source IP address is set to “192.168.0.11” and the destination IP address is set to “133.0.0.31”.
- The IP unit 12 refers to the destination IP address of the generated IP packet and collates it with the routing table held inside. As a result, the IP unit 12 determines that the Ethernet unit with the most reasonable reachability to the destination IP address “133.0.0.31” is the wireless LAN interface unit 11 and that the next hop IP address is “192.168.0.21”, and transfers the IP packet and the next hop IP address “192.168.0.21” to the wireless LAN interface unit 11 for transmission.
- The wireless LAN interface unit 11 receives the IP packet and the next hop IP address “192.168.0.21” from the IP unit 12, queries the ARP table in the wireless LAN interface unit 11 with the next hop IP address “192.168.0.21”, and obtains the corresponding MAC address “00:00:00:00:00:21”. Then, an Ethernet protocol header with the source MAC address “00:00:00:00:00:11” and the destination MAC address “00:00:00:00:00:21” is added to generate an Ethernet frame, and the Ethernet frame is passed to the wireless LAN interface unit 21A of the wirelessly connected AP 2A.
- When the wireless LAN interface unit 21A of the AP 2A receives the frame from the wireless LAN interface unit 11 of the terminal 1, it refers to the destination MAC address of the Ethernet frame. Since the destination MAC address “00:00:00:00:00:21” of the Ethernet frame matches the MAC address “00:00:00:00:00:21” of the wireless LAN interface unit 21A, the Ethernet protocol header is removed and the resulting IP packet is transferred to the IP unit 22.
- The IP unit 22 checks whether the destination IP address of the IP header matches the IP address of the wireless LAN interface unit 21A of the AP 2A or the IP address of the Ethernet unit 23. Since the destination IP address “133.0.0.31” of the IP header matches neither the IP address “192.168.0.21” of the wireless LAN interface unit 21A of the AP 2A nor the IP address “133.0.0.23” of the Ethernet unit 23, the IP unit 22 next checks whether the unit that received the packet is the Ethernet unit 23. Since the packet was received from the wireless LAN interface unit 21A, it is not.
- The IP unit 22 next checks whether the source IP address “192.168.0.11” of the IP header exists in the control table 26A. Since it does not, the IP unit 22 next checks whether the destination IP address “133.0.0.31” of the IP header exists in the control table 26A. Since the destination IP address “133.0.0.31” exists in the control table 26A, the IP unit 22 refers to the destination IP address of the IP header and collates it with the routing table held inside the IP unit 22.
- The IP unit 22 determines that the Ethernet unit with the most reasonable reachability to the destination IP address is the Ethernet unit 23 and that the next hop IP address is “133.0.0.51”, and delivers the IP packet and the next hop IP address “133.0.0.51” to the Ethernet unit 23 for transmission.
- The Ethernet unit 23 receives the IP packet and the next hop IP address “133.0.0.51” from the IP unit 22, queries the ARP table in the Ethernet unit 23 with the next hop IP address “133.0.0.51”, and obtains the corresponding MAC address “00:00:00:00:00:51”. Then, an Ethernet protocol header with the source MAC address “00:00:00:00:00:23” and the destination MAC address “00:00:00:00:00:51” is added to generate an Ethernet frame, and the Ethernet frame is passed to the GW 5 connected by wire.
- When the GW 5 receives the packet from the AP 2A, it refers to its internal routing table and passes the packet to the Internet 6, which has the most reasonable reachability to the destination IP address “133.0.0.31” of the IP header.
- When the Internet 6 receives the packet from the GW 5, it refers to the routing table inside the Internet 6 and hands the packet over to the HUB 7, which has the most reasonable reachability to the destination IP address “133.0.0.31” of the IP header.
- When the HUB 7 receives the frame from the Internet 6, it refers to the destination MAC address “00:00:00:00:00:31” included in the frame and passes it to the WLC 3A, which has that destination MAC address.
- The Ethernet unit 31 of the WLC 3A refers to the destination MAC address “00:00:00:00:00:31” of the Ethernet frame. Since the destination MAC address “00:00:00:00:00:31” of the Ethernet frame matches the MAC address “00:00:00:00:00:31” of the Ethernet unit 31, the Ethernet protocol header is removed and the resulting IP packet is transferred to the IP unit 32.
- The IP unit 32 checks whether the destination IP address of the IP header of the IP packet received from the Ethernet unit 31 matches the IP address “133.0.0.31” of the Ethernet unit 31 of the WLC 3A. Since the destination IP address “133.0.0.31” of the IP header matches the IP address “133.0.0.31” of the Ethernet unit 31 of the WLC 3A, the IP unit 32 removes the IP header and refers to the destination port number included in the resulting data. Since the application corresponding to the destination port number “443” is the login page distribution unit 33A, the IP unit 32 transfers the data to the login page distribution unit 33A.
- The login page distribution unit 33A temporarily stores the IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2A and the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1, both included in the URL of the request data received from the IP unit 32, in the storage area inside the login page distribution unit 33A. Then, the https data of the Web page serving as the https authentication screen is transmitted to the Internet browser unit 13 of the terminal 1 via the IP unit 32.
- In sequence S005A, after the Internet browser unit 13 of the terminal 1 receives the data of the Web page serving as the https authentication screen from the login page distribution unit 33A, the user enters the ID “user” and the password “musen” used for authentication into the Internet browser unit 13.
- The Internet browser unit 13 transmits the entered ID “user” and password “musen” to the login page distribution unit 33A of the WLC 3A via the IP unit 12 using https.
- The login page distribution unit 33A receives the authentication ID “user” and password “musen” from the Internet browser unit 13 over https and delivers the received ID “user” and password “musen” to the Radius Client unit 34. The process ID 335 issued by the OS inside the WLC 3A when the Radius Client unit 34 is started is issued to the login page distribution unit 33A.
- The login page distribution unit 33A delivers to the session table 36A the source IP address “192.168.0.11” and the source port number “10013” recorded when the data was received, the IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2A and the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1 temporarily stored in the storage area inside the login page distribution unit 33A, and the process ID 335 issued when the data was delivered to the Radius Client unit 34.
- The Radius Client unit 34 sends an authentication request for the ID “user” and the password “musen” passed from the login page distribution unit 33A to the Radius Server unit 43 of the Radius 4 via the IP unit 32.
- The Radius Server unit 43 of the Radius 4 compares the ID “user” and the password “musen” included in the authentication request received via the IP unit 42 from the Radius Client unit 34 of the WLC 3A with the ID and password stored in the Radius Server unit 43, and since they match, returns an authentication success message to the Radius Client unit 34 via the IP unit 42.
- After receiving the authentication success message from the Radius Server unit 43 of the Radius 4 via the IP unit 32, the Radius Client unit 34 of the WLC 3A passes the authentication result received from the Radius Server unit 43 to the login page distribution unit 33A.
- The login page distribution unit 33A searches the session table 36A using the process ID 335 of the Radius Client unit 34 that transmitted the authentication result as a key, acquires the IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2A and the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1, and temporarily stores them in the storage area inside the login page distribution unit 33A.
- The login page distribution unit 33A delivers the acquired IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2A and the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1 to the Web client unit 35A.
- When the Web client unit 35A receives the IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2A and the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1 from the login page distribution unit 33A, it sets the IP address “133.0.0.23” of the Ethernet unit 23 as the destination IP address and “443” as the port number, and transmits the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1 to the control information receiving unit 25A of the AP 2A through the IP unit 32 over https.
- When the control information receiving unit 25A of the AP 2A receives the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1 from the Web client unit 35A of the WLC 3A via the IP unit 22 over https, it transfers the received IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1 to the control table 26A. After the data transfer, the control information receiving unit 25A generates https response data indicating that the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1, addressed to the IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2A, has been received, and transmits the https data to the Web client unit 35A of the WLC 3A via the IP unit 22.
- After receiving, via the IP unit 32, the https response from the control information receiving unit 25A of the AP 2A indicating that the transmission of the IP address “192.168.0.11” of the wireless LAN interface unit 11 of the terminal 1 to the IP address “133.0.0.23” of the Ethernet unit 23 of the AP 2A is complete, the Web client unit 35A of the WLC 3A transmits to the login page distribution unit 33A a notification that this transmission is complete.
- the login page distribution unit 33A makes the IP address “192.168.8.0” of the wireless LAN interface unit 11 of the terminal 1 with respect to the IP address “133.0.0.23” of the Ethernet unit 23 of AP2A. .11 ”data transmission completion notification from the Web Client unit 35A, then a record with the IP address“ 192.168.0.11 ”of the wireless LAN interface unit 11 as a key for the session table 36A Send delete request to delete record. Then, the login page distribution unit 33A transmits Web page data indicating successful authentication to the Internet browser unit 13 of the terminal 1 via the IP unit 32 using https.
- the Internet browser 13 of the terminal 1 receives the notification of successful authentication from the login page distribution unit 33A of the WLC 3A via the IP unit 12 in https. Thereafter, when the terminal 1 performs communication for the Internet 6, the IP unit 22 of the AP 2A is not redirected, and communication can be performed as intended by the user.
- The IP unit 12 generates an IP packet by adding to the data delivered from the Internet browser unit 13 an IP protocol header in which the source IP address is set to “192.168.0.11” and the destination IP address is set to “133.0.0.1”, the destination delivered from the Internet browser unit 13.
- The IP unit 12 refers to the destination IP address of the generated IP packet and collates it with the routing table it holds internally. As a result, the IP unit 12 determines that the unit with the most reasonable reachability to the destination IP address is the wireless LAN interface unit 11 and that the next-hop IP address is “192.168.0.21”. It then passes the IP packet and the next-hop IP address “192.168.0.21” to the wireless LAN interface unit 11 for transmission.
- The wireless LAN interface unit 11 receives the IP packet and the next-hop IP address “192.168.0.21” from the IP unit 12, looks up the next-hop IP address “192.168.0.21” in its ARP table, and obtains the corresponding MAC address “00:00:00:00:00:21”. It then adds an Ethernet protocol header with source MAC address “00:00:00:00:00:11” and destination MAC address “00:00:00:00:00:21” to generate an Ethernet frame, and passes the Ethernet frame to the wireless LAN interface unit 21A of the wirelessly connected AP 2A.
- When the wireless LAN interface unit 21A of the AP 2A receives the frame from the wireless LAN interface unit 11 of the terminal 1, it refers to the destination MAC address of the Ethernet frame. Since the destination MAC address “00:00:00:00:00:21” of the Ethernet frame matches the MAC address “00:00:00:00:00:21” of the wireless LAN interface unit 21A, the wireless LAN interface unit 21A removes the Ethernet protocol header and passes the resulting IP packet to the IP unit 22.
- The IP unit 22 checks whether the destination IP address in the IP header matches the IP address of the wireless LAN interface unit 21A of the AP 2A or the IP address of the Ethernet unit 23. Since the destination IP address “133.0.0.1” in the IP header matches neither the IP address “192.168.0.21” of the wireless LAN interface unit 21A nor the IP address “133.0.0.23” of the Ethernet unit 23, the IP unit 22 next checks whether the unit that received the packet is the Ethernet unit 23. Since the packet was received from the wireless LAN interface unit 21A, it is not.
- The IP unit 22 next checks whether the source IP address “192.168.0.11” in the IP header exists in the control table 26A. Since it does, the IP unit 22 refers to the destination IP address in the IP header and collates it with the routing table it holds internally. As a result, the IP unit 22 determines that the unit with the most reasonable reachability to the destination IP address is the Ethernet unit 23 and that the next-hop IP address is “133.0.0.51”, and passes the IP packet and the next-hop IP address “133.0.0.51” to the Ethernet unit 23 for transmission.
- The Ethernet unit 23 receives the IP packet and the next-hop IP address “133.0.0.51” from the IP unit 22, looks up “133.0.0.51” in its ARP table, and obtains the corresponding MAC address “00:00:00:00:00:51”. The Ethernet unit 23 then adds an Ethernet protocol header with source MAC address “00:00:00:00:00:23” and destination MAC address “00:00:00:00:00:51” to generate an Ethernet frame, and delivers the Ethernet frame to the wired GW 5.
- When the GW 5 receives the packet from the AP 2A, it refers to its internal routing table and hands the packet over to the Internet 6, which has the most reasonable reachability to the destination IP address “133.0.0.1” in the IP header.
- The Internet 6 refers to the destination IP address “133.0.0.1” in the IP header of the packet and forwards the packet received from the GW 5 to the Web server 8, which has the corresponding IP address “133.0.0.1”.
- When the Web server 8 receives the http data from the Internet 6, it refers to the request URL contained in the data and obtains the request URL “http://www.******.ne.jp/”. The Web server 8 then transfers the Web page data corresponding to the request URL “http://www.******.ne.jp/” to the terminal 1 via the Internet 6.
- The terminal 1 receives the Web page data for the URL “http://www.******.ne.jp/”, and the Web page is displayed on the display screen of the terminal 1.
- This is possible because the AP 2A receives from the WLC 3A the information identifying which terminals may pass traffic toward the Internet 6, and performs filtering inside the AP 2A based on that information, so communication traffic can flow from the AP 2A directly toward the Internet 6 without passing through the WLC 3A.
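The forwarding decision the sequence above attributes to the IP unit 22 (own-address check, ingress-unit check, control table 26A lookup, routing table collation, ARP lookup, Ethernet framing) as one Python model. This is an added example, not code from the patent: the routing table is constructed so that “133.0.0.1” resolves to next hop “133.0.0.51” via the Ethernet unit 23 as on the page, the unit names `wlan21A` and `eth23` are labels chosen here, and a packet from an unpermitted wireless source is returned as `redirect` because the page says the AP stops redirecting only once the terminal is in the control table.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses taken from the sequence on this page (AP 2A, GW 5).
AP_WLAN_IP = "192.168.0.21"            # wireless LAN interface unit 21A
AP_ETH_IP = "133.0.0.23"               # Ethernet unit 23
GW_IP = "133.0.0.51"                   # GW 5, next hop toward the Internet 6
UNIT_MACS = {"wlan21A": "00:00:00:00:00:21", "eth23": "00:00:00:00:00:23"}


@dataclass
class IPPacket:
    src: str
    dst: str
    payload: bytes = b""


@dataclass
class ApIpUnit:
    """Per-packet decision of the IP unit 22 (example model, not the patent's code)."""
    # control table 26A: terminal IP addresses the WLC has permitted (second embodiment)
    control_table: set = field(default_factory=set)
    # routing table entries: (prefix, next hop or None when on-link, outgoing unit).
    # Constructed so that 133.0.0.1 is reached via GW 5, as in the sequence above.
    routes: list = field(default_factory=lambda: [
        ("192.168.0.0/24", None, "wlan21A"),
        ("0.0.0.0/0", GW_IP, "eth23"),
    ])
    # ARP table 27 (constructed entries for GW 5 and terminal 1)
    arp: dict = field(default_factory=lambda: {
        GW_IP: "00:00:00:00:00:51",
        "192.168.0.11": "00:00:00:00:00:11",
    })

    def route(self, dst):
        """Longest-prefix match; returns (next hop, outgoing unit) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, next_hop, unit in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, next_hop or dst, unit)
        return None if best is None else best[1:]

    def handle(self, pkt, ingress_unit):
        """Returns a tuple whose first element names what the IP unit does with the packet."""
        if pkt.dst in (AP_WLAN_IP, AP_ETH_IP):
            return ("local", pkt)                      # addressed to the AP itself
        # Wired-side packets skip the control table; wireless-side packets are
        # forwarded only when their source is a permitted terminal.
        if ingress_unit != "eth23" and pkt.src not in self.control_table:
            return ("redirect", pkt)                   # handed to the redirect unit 24A
        hop = self.route(pkt.dst)
        if hop is None:
            return ("no_route", pkt.dst)
        next_hop, unit = hop
        dst_mac = self.arp.get(next_hop)
        if dst_mac is None:
            return ("arp_miss", next_hop)              # the unit would resolve it first
        frame = {"src_mac": UNIT_MACS[unit], "dst_mac": dst_mac, "packet": pkt}
        return ("forward", unit, frame)
```

The filtering point the last bullet makes is visible in `handle`: only the source-address check against the control table separates a permitted terminal from a redirected one, so the integrity of that table (populated solely over the https channel from the WLC) is what the AP's enforcement rests on.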
Description
A schematic configuration of the communication management system in the first embodiment of the present invention will be described with reference to FIG. 1. In the communication management system of this embodiment, a terminal 1, an AP 2, a WLC 3, and a Radius 4 are connected via a network.
When the wireless LAN interface unit 11 receives an IP packet and the most reasonable next-hop IP address from the IP unit 12, it uses the received most reasonable next-hop IP address to issue a MAC address request to the ARP table.
The wireless LAN interface unit 11 has a function of holding, as an ARP (Address Resolution Protocol) table, the correspondence between the MAC addresses and IP addresses of devices on the same LAN segment as the terminal 1, which the terminal 1 keeps in memory.
The wireless LAN interface unit 11 has a function of newly registering the correspondence between a MAC address and an IP address in the ARP table when communication occurs with a MAC address not registered in the ARP table. The wireless LAN interface unit 11 also deletes from the ARP table any MAC address and IP address entry for which no communication has occurred for a fixed period after its registration.
When the Ethernet unit 23 receives an IP packet and the most reasonable next-hop IP address from the IP unit 22, it uses the received most reasonable next-hop IP address to issue a MAC address request to the ARP table 27, and obtains the most reasonable MAC address corresponding to the most reasonable next-hop IP address.
The Ethernet unit 23 has a function of holding, as an ARP table, the correspondence between the MAC addresses and IP addresses of devices communicating with the AP 2, which the AP 2 keeps in memory.
The Ethernet unit 23 has a function of newly registering the correspondence between a MAC address and an IP address when communication occurs with a MAC address not registered in the ARP table. The Ethernet unit 23 also deletes from the table any MAC address and IP address entry for which no communication has occurred for a fixed period after its registration.
When the login page distribution unit 33 receives a Web page request over https from the terminal 1, it temporarily stores, in the storage area of the login page distribution unit 33, the MAC address of the Ethernet unit 23 of the AP 2 and the MAC address of the wireless LAN interface unit 11 of the terminal 1 that are contained in the URL of the request in the received https data.
When the login page distribution unit 33 receives an authentication result from the Radius Client unit 34, it searches the session table 36 using as a key the process ID of the Radius Client unit 34 that sent the authentication result. The login page distribution unit 33 then obtains, as the corresponding record, the source IP address and source port number at the time the data was received, the MAC address of the Ethernet unit 23 of the AP 2, and the MAC address of the wireless LAN interface unit 11 of the terminal 1, and temporarily stores them in the storage area of the login page distribution unit 33.
When the login page distribution unit 33 receives from the Web Client unit 35 a notification that transmission of the MAC address data of the wireless LAN interface unit 11 of the terminal 1 to the IP address of the Ethernet unit 23 of the AP 2 has been completed, it sends the session table 36 a request to delete the record keyed by the MAC address of the wireless LAN interface unit 11 of the terminal 1, and the record concerned is deleted. The login page distribution unit 33 then transmits Web page data indicating successful authentication over https to the Internet browser unit 13 of the terminal 1 via the IP unit 32.
The initial state before the start of this procedure will be described. Here, the user has the terminal 1 wirelessly connected to the AP 2, and the MAC address of the Ethernet unit of each device and the corresponding IP address are assumed to be set as follows.
Next, sequence 001, showing the operation of the terminal 1 before authentication, will be described. First, when the user performs, on the Internet browser unit 13 of the terminal 1, an operation to access the Web page found at the URL "http://www.******.ne.jp/" in the server 8, the Internet browser unit 13 of the terminal 1 generates access request data for accessing the URL "http://www.******.ne.jp/" specified by the user. The DNS resolver function inside the Internet browser unit 13 then resolves the destination IP address corresponding to the destination URL "http://www.******.ne.jp/" and obtains the corresponding destination IP address "133.0.0.1". The Internet browser unit 13 then passes the destination IP address "133.0.0.1" and the http data to the IP unit 12.
Next, the operation after authentication will be described. After receiving the notification of successful authentication, the user performs, on the Internet browser unit 13 of the terminal 1, an operation to access the Web page at the URL "http://www.******.ne.jp/" in the server 8.
The Web server 8 then passes the Web page data corresponding to the request URL "http://www.******.ne.jp/" to the terminal 1 through the Internet 6.
Next, the communication management system in the second embodiment of the present invention will be described. The communication management system of the second embodiment differs from the first embodiment in that the decision on whether communication is permitted is managed by IP address instead of by MAC address.
When the login page distribution unit 33A receives an https Web page request from the terminal 1, it temporarily stores, in a storage area inside the login page distribution unit 33A, the IP address of the Ethernet unit 23 of the AP 2A and the IP address of the wireless LAN interface unit 11 of the terminal 1 that are contained in the URL of the request in the received https data. The login page distribution unit 33A then transmits the https data of the Web page serving as the https authentication screen to the Internet browser unit 13 of the terminal 1 through the IP unit 32.
When the login page distribution unit 33A receives an authentication result from the Radius Client unit 34, it searches the session table unit 36A using as a key the process ID of the Radius Client unit 34 that sent the authentication result, and obtains the corresponding record: the source IP address and source port number at the time the data was received, the IP address of the Ethernet unit 23 of the AP 2A, and the IP address of the wireless LAN interface unit 11 of the terminal 1. The login page distribution unit 33A then passes the obtained IP address of the Ethernet unit 23 of the AP 2A and the IP address of the wireless LAN interface unit 11 of the terminal 1 to the Web Client unit 35A.
When the login page distribution unit 33A receives from the Web Client unit 35A a notification that transmission of the IP address data of the wireless LAN interface unit 11 of the terminal 1 to the IP address of the Ethernet unit 23 of the AP 2A has been completed, it sends the session table 36A a request to delete the record keyed by the IP address of the wireless LAN interface unit 11 of the terminal 1, and the record is deleted. The login page distribution unit 33A then transmits Web page data indicating successful authentication over HTTPS to the Internet browser unit 13 of the terminal 1 via the IP unit 32.
The initial state before the start of this procedure will be described. Here, the user has the terminal 1 wirelessly connected to the AP 2A, and the MAC address of the Ethernet unit of each device and the corresponding IP address are as follows.
Next, sequence S001, showing the operation of the terminal 1 before authentication, will be described. Some steps overlap with the first embodiment; from sequence S002A onward, however, even steps that duplicate the first embodiment are given sequence numbers different from those of the first embodiment for convenience of description.
After receiving the notification of successful authentication, when the user performs, on the Internet browser unit 13 of the terminal 1, an operation to access the Web page at the URL "http://www.******.ne.jp/" in the Web server 8, the Internet browser unit 13 generates access request data for accessing the URL "http://www.******.ne.jp/" specified by the user. The DNS resolver function inside the Internet browser unit 13 then resolves the destination IP address corresponding to the destination URL "http://www.******.ne.jp/" and obtains the corresponding destination IP address "133.0.0.1". It then passes the destination IP address "133.0.0.1" and the http data to the IP unit 12.
This application claims priority based on Japanese Patent Application No. 2015-059488 filed on March 23, 2015, the entire disclosure of which is incorporated herein.
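The ARP table behaviour described for the wireless LAN interface unit 11 and the Ethernet unit 23 (learn a MAC/IP pairing when traffic from an unregistered MAC appears, drop entries idle for a fixed period, answer the IP unit's next-hop lookup), together with the IP-to-MAC lookup claim 2 assigns to the access point, as a small Python table. This is an added example, not the patent's code; the idle timeout value, the injectable clock, and the reverse lookup are assumptions, and the conflict flag returned by `observe` is an added detection aid the page does not describe.

```python
import re
import time

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


class ArpTable:
    """ARP cache with idle expiry (example model of the units' ARP tables)."""

    def __init__(self, idle_timeout=300.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # assumed value; the page only says "a fixed period"
        self._clock = clock                # injectable for deterministic tests
        self._entries = {}                 # ip -> [mac, last time traffic was seen]

    def observe(self, ip, mac):
        """Register or refresh a pairing seen in traffic.

        Returns True when an already-known IP now arrives with a different MAC;
        that is normal after a NIC change but is also what ARP spoofing looks
        like, so a real unit should log it rather than silently overwrite.
        """
        mac = mac.lower()
        if not _MAC_RE.match(mac):
            raise ValueError(f"malformed MAC address: {mac!r}")
        old = self._entries.get(ip)
        self._entries[ip] = [mac, self._clock()]
        return old is not None and old[0] != mac

    def lookup(self, ip):
        """MAC for a next-hop IP, the request the IP unit makes; None if unknown or expired."""
        self._expire()
        entry = self._entries.get(ip)
        return None if entry is None else entry[0]

    def ip_for(self, mac):
        """Reverse lookup (the direction the WLC's AP table in claim 3 needs)."""
        self._expire()
        mac = mac.lower()
        return next((ip for ip, (m, _) in self._entries.items() if m == mac), None)

    def _expire(self):
        """Drop entries with no observed traffic for longer than idle_timeout."""
        now = self._clock()
        stale = [ip for ip, (_, seen) in self._entries.items()
                 if now - seen > self.idle_timeout]
        for ip in stale:
            del self._entries[ip]
```

Only `observe` refreshes the timestamp, matching the page's wording that an entry is removed when no communication has occurred for the fixed period; a lookup by the IP unit does not by itself keep an entry alive.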
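The session handling the three paragraphs above assign to the login page distribution unit 33A (store the AP and terminal addresses carried in the redirect URL together with the request's source address and port, look the record up when the authentication result arrives, push the terminal address to the AP's control information receiving unit 25A, delete the record once the AP confirms, then answer the browser), and the same flow for the MAC-keyed first embodiment, as an added Python example that is not the patent's code. The query parameter names `ap` and `terminal`, the `wlc.example` host, the random token standing in for the Radius Client process ID, the stand-in authenticator, and the check that credentials arrive from the session's recorded source address are all assumptions of this example.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class SessionRecord:
    """One record of the session table 36A."""
    src_ip: str        # source of the https request as received by the WLC
    src_port: int
    ap_ip: str         # IP address of the Ethernet unit 23 of the AP (from the URL)
    terminal_ip: str   # IP address of the wireless LAN interface unit 11 (from the URL)


class ControlInfoReceiver:
    """Stand-in for the control information receiving unit 25A and control table 26A."""

    def __init__(self):
        self.control_table = set()

    def receive(self, ap_ip, terminal_ip):
        self.control_table.add(terminal_ip)
        # the AP's reply: the pairing it has just registered
        return {"ap": ap_ip, "terminal": terminal_ip, "status": "done"}


class LoginPageDistributor:
    """Session handling of the login page distribution unit 33A (example model)."""

    def __init__(self, ap_receiver, authenticate):
        self.sessions = {}                    # process ID -> SessionRecord
        self._ap = ap_receiver
        self._authenticate = authenticate     # stand-in for the Radius Client/Server exchange

    @staticmethod
    def _valid_ip(value):
        try:
            ipaddress.ip_address(value)
            return True
        except (ValueError, TypeError):
            return False

    def on_page_request(self, url, src_ip, src_port):
        """Redirected https request arrives. Returns (process id, page) or None if malformed."""
        query = parse_qs(urlparse(url).query)
        ap_ip = query.get("ap", [None])[0]              # parameter names are assumptions
        terminal_ip = query.get("terminal", [None])[0]
        if not (self._valid_ip(ap_ip) and self._valid_ip(terminal_ip)):
            return None                                  # never store unparseable identifiers
        process_id = secrets.token_hex(8)                # stand-in for the Radius Client process ID
        self.sessions[process_id] = SessionRecord(src_ip, src_port, ap_ip, terminal_ip)
        return process_id, "login page"

    def on_credentials(self, process_id, src_ip, username, password):
        """Authentication screen submitted. Returns a short status string."""
        record = self.sessions.get(process_id)
        if record is None:
            return "no session"
        if record.src_ip != src_ip:                      # added check, not on the page
            return "session/source mismatch"
        if not self._authenticate(username, password):
            return "authentication failed"
        ack = self._ap.receive(record.ap_ip, record.terminal_ip)   # https to port 443 on the page
        if ack.get("status") != "done":
            return "ap update failed"
        # completion notified: delete the record keyed by the terminal's address
        self.sessions = {pid: r for pid, r in self.sessions.items()
                         if r.terminal_ip != record.terminal_ip}
        return "authentication succeeded"
```

Two points for a deployment of this pattern: the AP and terminal addresses in the URL are supplied by the requesting terminal, so the WLC should validate their form before storing them (done here) and should only ever push the terminal address to an AP it already knows; and the record is deleted only after the AP has confirmed, so a lost confirmation leaves a pending session rather than a terminal the WLC believes is permitted but the AP does not.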
2, 2A AP
3, 3A WLC
4 Radius
5 GW
6 Internet
7 HUB
8 Web server
11, 21, 21A Wireless LAN interface unit
12, 22, 32, 42 IP unit
13 Internet browser unit
23, 31, 41 Ethernet unit
24, 24A Redirect unit
25, 25A Control information receiving unit
26, 26A Control table
27 ARP table
33, 33A Login page distribution unit
34 Radius Client unit
35, 35A Web Client unit
36, 36A Session table
37 AP table
43 Radius Server unit
Claims (10)
- A communication management system in which an access point that performs connection control of a terminal attempting to connect via wireless communication and a communication management device that manages a plurality of the access points are connected via a network, wherein
the access point comprises:
permitted terminal information storage means for storing permitted terminal information identifying a permitted terminal that is permitted to communicate with the network;
access information generation means for generating, when connection requesting terminal information identifying a connection requesting terminal that requests connection to the network via wireless communication is not stored in the permitted terminal information storage means as the permitted terminal information, access information obtained by adding the connection requesting terminal information and access point information identifying the access point to information for accessing provider information that provides an authentication screen for inputting connection authentication information for the connection requesting terminal to connect to the network;
access information transmission means for transmitting the access information generated by the access information generation means to the connection requesting terminal; and
permission information receiving means for receiving the permitted terminal information from the communication management device,
and the communication management device comprises:
communication means for transmitting the provider information to the connection requesting terminal when the connection requesting terminal attempts to connect to the network based on the access information, and for receiving from the connection requesting terminal the connection authentication information input on the authentication screen provided based on the provider information;
terminal information storage means for storing the connection requesting terminal information and the access point information contained in the access information;
authentication means for authenticating the connection requesting terminal based on the connection authentication information received by the communication means; and
permitted terminal information transmission means for transmitting, when the connection requesting terminal is authenticated by the authentication means, permitted terminal information that permits the connection requesting terminal to communicate with the network, together with the connection requesting terminal information, to the access point identified by the access point information stored in the terminal information storage means.
- The communication management system according to claim 1, wherein the access point comprises an ARP table storing the correspondence between MAC addresses and IP addresses, and
the access information generation means, when the connection requesting terminal information is an IP address, refers to the ARP table and acquires the MAC address corresponding to that IP address as the connection requesting terminal information.
- The communication management system according to claim 1 or 2, wherein the communication management device comprises an AP table storing the correspondence between the MAC address and the IP address of the access point, and
the permitted terminal information transmission means, when the access point information stored in the terminal information storage means is a MAC address, refers to the AP table and acquires the IP address corresponding to that MAC address as the access point information.
- An access point that performs connection control of a terminal attempting to connect via wireless communication, comprising:
permitted terminal information storage means for storing permitted terminal information identifying a permitted terminal that is permitted to communicate with the network to which the access point is connected;
access information generation means for generating, when connection requesting terminal information identifying a connection requesting terminal that requests connection to the network via wireless communication is not stored in the permitted terminal information storage means as the permitted terminal information, access information obtained by adding the connection requesting terminal information and access point information identifying the access point to information for accessing provider information that provides an authentication screen for inputting connection authentication information for the connection requesting terminal to connect to the network;
access information transmission means for transmitting the access information generated by the access information generation means to the connection requesting terminal; and
permission information receiving means for receiving the permitted terminal information from a communication management device, connected via the network, that manages a plurality of the access points.
- A communication management device that manages, via a network, a plurality of access points each performing connection control of a terminal attempting to connect via wireless communication, comprising:
communication means for transmitting provider information to a connection requesting terminal, which requests connection to the network via wireless communication, when the connection requesting terminal attempts to connect to the network based on access information obtained by adding connection requesting terminal information identifying the connection requesting terminal and access point information identifying the access point to information for accessing the provider information that provides an authentication screen for inputting connection authentication information for the connection requesting terminal to connect to the network, and for receiving from the connection requesting terminal the connection authentication information input on the authentication screen provided based on the provider information;
terminal information storage means for storing the connection requesting terminal information and the access point information contained in the access information;
authentication means for authenticating the connection requesting terminal based on the connection authentication information received by the communication means; and
permitted terminal information transmission means for transmitting, when the connection requesting terminal is authenticated by the authentication means, permitted terminal information that permits the connection requesting terminal to communicate with the network, together with the connection requesting terminal information, to the access point identified by the access point information stored in the terminal information storage means.
- A communication management method for a system in which an access point that performs connection control of a terminal attempting to connect via wireless communication and a communication management device that manages a plurality of the access points are connected via a network, wherein
the access point performs:
a step of storing, in a storage unit, permitted terminal information identifying a permitted terminal that is permitted to communicate with the network;
a step of generating, when connection requesting terminal information identifying a connection requesting terminal that requests connection to the network via wireless communication is not stored in the storage unit as the permitted terminal information, access information obtained by adding the connection requesting terminal information and access point information identifying the access point to information for accessing provider information that provides an authentication screen for inputting connection authentication information for the connection requesting terminal to connect to the network;
a step of transmitting the generated access information to the connection requesting terminal; and
a step of receiving the permitted terminal information from the communication management device,
and the communication management device performs:
a step of transmitting the provider information to the connection requesting terminal when the connection requesting terminal attempts to connect to the network based on the access information, and receiving from the connection requesting terminal the connection authentication information input on the authentication screen provided based on the provider information;
a step of storing the connection requesting terminal information and the access point information contained in the access information in a terminal information storage unit;
a step of authenticating the connection requesting terminal based on the received connection authentication information; and
a step of transmitting, when the connection requesting terminal is authenticated, permitted terminal information that permits the connection requesting terminal to communicate with the network, together with the connection requesting terminal information, to the access point identified by the access point information stored in the terminal information storage unit.
- A connection control method for an access point that performs connection control of a terminal attempting to connect via wireless communication, comprising:
a step of storing, in a storage unit, permitted terminal information identifying a permitted terminal that is permitted to communicate with the network to which the access point is connected;
a step of generating, when connection requesting terminal information identifying a connection requesting terminal that requests connection to the network via wireless communication is not stored in the storage unit as the permitted terminal information, access information obtained by adding the connection requesting terminal information and access point information identifying the access point to information for accessing provider information that provides an authentication screen for inputting connection authentication information for the connection requesting terminal to connect to the network;
a step of transmitting the generated access information to the connection requesting terminal; and
a step of receiving the permitted terminal information from a communication management device, connected via the network, that manages a plurality of the access points.
- A communication management method for a communication management device that manages, via a network, a plurality of access points each performing connection control of a terminal attempting to connect via wireless communication, comprising:
a step of transmitting provider information to a connection requesting terminal, which requests connection to the network via wireless communication, when the connection requesting terminal attempts to connect to the network based on access information obtained by adding connection requesting terminal information identifying the connection requesting terminal and access point information identifying the access point to information for accessing the provider information that provides an authentication screen for inputting connection authentication information for the connection requesting terminal to connect to the network, and receiving from the connection requesting terminal the connection authentication information input on the authentication screen provided based on the provider information;
a step of storing the connection requesting terminal information and the access point information contained in the access information in a storage unit;
a step of authenticating the connection requesting terminal based on the received connection authentication information; and
a step of transmitting, when the connection requesting terminal is authenticated, permitted terminal information that permits the connection requesting terminal to communicate with the network, together with the connection requesting terminal information, to the access point identified by the access point information stored in the storage unit.
- A computer-readable program to be executed by an access point that performs connection control of a terminal attempting to connect via wireless communication, the program comprising:
a process of storing, in a storage unit, permitted terminal information identifying a permitted terminal that is permitted to communicate with the network to which the access point is connected;
a process of generating, when connection requesting terminal information identifying a connection requesting terminal that requests connection to the network via wireless communication is not stored in the storage unit as the permitted terminal information, access information obtained by adding the connection requesting terminal information and access point information identifying the access point to information for accessing provider information that provides an authentication screen for inputting connection authentication information for the connection requesting terminal to connect to the network;
a process of transmitting the generated access information to the connection requesting terminal; and
a process of receiving the permitted terminal information from a communication management device, connected via the network, that manages a plurality of the access points.
- A program to be executed by a computer that manages, via a network, a plurality of access points each performing connection control of a terminal attempting to connect via wireless communication, the program comprising:
a process of transmitting provider information to a connection requesting terminal, which requests connection to the network via wireless communication, when the connection requesting terminal attempts to connect to the network based on access information obtained by adding connection requesting terminal information identifying the connection requesting terminal and access point information identifying the access point to information for accessing the provider information that provides an authentication screen for inputting connection authentication information for the connection requesting terminal to connect to the network, and receiving from the connection requesting terminal the connection authentication information input on the authentication screen provided based on the provider information;
a process of storing the connection requesting terminal information and the access point information contained in the access information in a storage unit;
a process of authenticating the connection requesting terminal based on the received connection authentication information; and
a process of transmitting, when the connection requesting terminal is authenticated, permitted terminal information that permits the connection requesting terminal to communicate with the network, together with the connection requesting terminal information, to the access point identified by the access point information stored in the storage unit.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2017508142A JP6678160B2 (ja) | 2015-03-23 | 2016-03-02 | Communication management system, access point, communication management device, connection control method, communication management method, and program |
US15/560,736 US10505913B2 (en) | 2015-03-23 | 2016-03-02 | Communication management system, access point, communication management device, connection control method, communication management method, and program |
CN201680017874.5A CN107431925A (zh) | 2015-03-23 | 2016-03-02 | Communication management ***, access point, communication management device, connection control method, communication management method, and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015059488 | 2015-03-23 | ||
JP2015-059488 | 2015-03-23 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016152416A1 (ja) | 2016-09-29 |
Family
ID=56979085
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2016/056372 WO2016152416A1 (ja) | 2015-03-23 | 2016-03-02 | Communication management system, access point, communication management device, connection control method, communication management method, and program |
Country Status (4)
Country | Link |
---|---|
US (1) | US10505913B2 (ja) |
JP (1) | JP6678160B2 (ja) |
CN (1) | CN107431925A (ja) |
WO (1) | WO2016152416A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2018207218A (ja) * | 2017-05-31 | 2018-12-27 | サイレックス・テクノロジー株式会社 | Wireless base station |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11259186B2 (en) * | 2019-01-10 | 2022-02-22 | Verizon Patent And Licensing Inc. | Systems and methods for validating a device and authenticating a user |
EP3893463A1 (en) * | 2020-04-06 | 2021-10-13 | Telia Company AB | Setting up a connection |
CN112040564B (zh) * | 2020-08-25 | 2023-02-28 | 北京大米科技有限公司 | Information transmission method, readable storage medium, and electronic device |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004207820A (ja) * | 2002-12-24 | 2004-07-22 | Sony Corp | Communication system, communication method, base station device, communication program, and recording medium |
JP2014235439A (ja) * | 2013-05-30 | 2014-12-15 | キヤノン株式会社 | Communication device, control method, and program |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100470303B1 (ko) | 2002-04-23 | 2005-02-05 | 에스케이 텔레콤주식회사 | Authentication system and method with mobility in a public wireless local area network |
JP5112806B2 (ja) * | 2007-10-15 | 2013-01-09 | ソフィア総合研究所株式会社 | Wireless LAN communication method and communication system |
CN101621802B (zh) * | 2009-08-13 | 2012-02-08 | 杭州华三通信技术有限公司 | Portal authentication method, ***, and device in a wireless network |
JP5921460B2 (ja) | 2013-02-20 | 2016-05-24 | アラクサラネットワークス株式会社 | Authentication method, forwarding device, and authentication server |
JP5848467B2 (ja) * | 2014-01-17 | 2016-01-27 | 株式会社ナビック | Repeater, wireless communication system, and wireless communication method |
- 2016
  - 2016-03-02 CN CN201680017874.5A patent/CN107431925A/zh active Pending
  - 2016-03-02 WO PCT/JP2016/056372 patent/WO2016152416A1/ja active Application Filing
  - 2016-03-02 JP JP2017508142A patent/JP6678160B2/ja active Active
  - 2016-03-02 US US15/560,736 patent/US10505913B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
JP6678160B2 (ja) | 2020-04-08 |
US10505913B2 (en) | 2019-12-10 |
US20180083942A1 (en) | 2018-03-22 |
CN107431925A (zh) | 2017-12-01 |
JPWO2016152416A1 (ja) | 2017-11-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110800331B (zh) | | Network authentication method, related device, and *** |
US11743728B2 (en) | | Cross access login controller |
US10178095B2 (en) | | Relayed network access control systems and methods |
US9113332B2 (en) | | Method and device for managing authentication of a user |
WO2015101125A1 (zh) | | Network access control method and device |
US9549318B2 (en) | | System and method for delayed device registration on a network |
WO2016152416A1 (ja) | | Communication management system, access point, communication management device, connection control method, communication management method, and program |
JP4852379B2 (ja) | | Packet communication device |
US8769623B2 (en) | | Grouping multiple network addresses of a subscriber into a single communication session |
US20130100857A1 (en) | | Secure Hotspot Roaming |
JP5261432B2 (ja) | | Communication system, packet transfer method, network switching device, access control device, and program |
WO2017084322A1 (zh) | | Router-based network access control method, ***, and related device |
CN108076164B (zh) | | Access control method and device |
CN110138796B (zh) | | Multicast control method and device |
WO2013067911A1 (zh) | | Access authentication method, ***, and device |
JP5626900B2 (ja) | | Wireless communication system and access point |
JP2018029233A (ja) | | Client terminal authentication system and client terminal authentication method |
JP5815486B2 (ja) | | Relay device, communication system, and authentication method |
JP6270383B2 (ja) | | Access control device, access control method, and program |
JP2019102928A (ja) | | Authentication switch device, network system, and authentication method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16768319; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2017508142; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 15560736; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16768319; Country of ref document: EP; Kind code of ref document: A1 |