U.S. patent application number 12/943216 was filed with the patent office on 2011-05-19 for apparatus and system effectively using a plurality of authentication servers.
Invention is credited to Hidemitsu HIGUCHI, Motohide Nomi.
Application Number: 20110119735 (12/943216)
Family ID: 44012319
Filed Date: 2011-05-19
United States Patent Application 20110119735
Kind Code: A1
HIGUCHI; Hidemitsu; et al.
May 19, 2011
APPARATUS AND SYSTEM EFFECTIVELY USING A PLURALITY OF AUTHENTICATION SERVERS
Abstract
An authentication system and apparatus having an authentication
process distributing function for individually setting an
authenticating method and an authentication server on a port unit
basis of a network apparatus and selecting an authentication
processing unit which authenticates every port are provided. More
specifically speaking, there is provided a packet transfer
apparatus or system having: a plurality of connecting ports; a
plurality of authentication processing units for authenticating
apparatuses connected through the connecting ports; and an
authentication process distributing unit for selecting the
authentication processing unit to be authenticated every connecting
port, wherein any one of the plurality of authentication processing
units is made to correspond to each of the plurality of connecting
ports, and when a packet is received from the apparatus connected
to one of the connecting ports, the authentication process
distributing unit selects the authentication processing unit which
was made to correspond to the connecting port to which the
apparatus to which the packet was transmitted has been connected
and allows an authenticating process of the packet-transmitted
apparatus to be executed.
Inventors: HIGUCHI; Hidemitsu (Ebina, JP); Nomi; Motohide (Kawasaki, JP)
Family ID: 44012319
Appl. No.: 12/943216
Filed: November 10, 2010
Current U.S. Class: 726/3
Current CPC Class: H04W 12/06 20130101; H04L 63/205 20130101; H04L 63/08 20130101
Class at Publication: 726/3
International Class: G06F 21/00 20060101 G06F021/00
Foreign Application Data
Date: Nov 13, 2009
Code: JP
Application Number: 2009-259428
Claims
1. A packet transfer apparatus comprising: a plurality of
connecting ports; a plurality of authentication processing units
for authenticating apparatuses connected through said connecting
ports; and an authentication process distributing unit for
selecting the authentication processing unit to be authenticated
every said connecting port, wherein any one of said plurality of
authentication processing units is made to correspond to each of
said plurality of connecting ports, and when a packet is received
from said apparatus connected to one of said connecting ports, said
authentication process distributing unit selects the authentication
processing unit which was made to correspond to said connecting
port to which said apparatus to which the packet was transmitted
has been connected and allows an authenticating process of said
packet-transmitted apparatus to be executed.
2. An apparatus according to claim 1, wherein said plurality of
authentication processing units execute the authentication of said
packet-transmitted apparatus by using different authentication
servers.
3. An apparatus according to claim 2, wherein said connecting ports
are made to correspond to one or more authenticating methods, and
said authentication process distributing unit selects said
authentication processing unit which performs the authentication by
the authenticating method which was made to correspond to said
connecting port which received said packet.
4. An apparatus according to claim 3, wherein said authenticating
methods are made to correspond to one or more said authentication
servers, and when said received packet and information of said
connecting port which received said packet are received from said
authentication process distributing unit, said authentication
processing unit transmits an authenticating request to said
authentication server which performs the authentication of said
authenticating method corresponding to said received connecting
port information.
5. An apparatus according to claim 4, wherein in the case where two
or more said authentication servers are made to correspond to said
authenticating methods, said authentication processing unit
transmits said authenticating request to said authentication server
of a high priority.
6. An apparatus according to claim 5, wherein said plurality of
authentication processing units execute any one of Web
authentication, MAC authentication, and 802.1X authentication.
7. An apparatus according to claim 2, wherein when the apparatus
has been moved to said connecting port different from said
connecting port to which said authenticated apparatus was
connected, if said corresponding authentication server at said
connecting port before the movement and that after the movement
differ, an authenticated state of said moved apparatus is reset and
the authentication is performed again.
8. A network authentication system comprising a packet transfer
apparatus and a plurality of authentication servers, wherein said
packet transfer apparatus has a plurality of connecting ports and,
when a packet is received from an apparatus connected to one of
said connecting ports, said packet transfer apparatus transmits an
authenticating request to said authentication server corresponding
to the connecting port which received said packet, and when said
authenticating request is received, said authentication server
makes authentication of the apparatus which transmitted said packet
and returns an authentication result to said packet transfer
apparatus.
9. A system according to claim 8, wherein said plurality of
authentication servers make authentication of said
packet-transmitted apparatus by using different authenticating
methods.
10. A system according to claim 9, wherein said connecting ports
are made to correspond to one or more said authenticating methods,
and said packet transfer apparatus transmits said authenticating
request to said authentication server which makes the
authentication by the authenticating method which was made to
correspond to said connecting port which received said packet.
11. A system according to claim 10, wherein in the case where two
or more said authentication servers are made to correspond to said
authenticating methods, said packet transfer apparatus transmits
said authenticating request to said authentication server of a high
priority.
12. A system according to claim 11, wherein said packet transfer
apparatus executes any one of Web authentication, MAC
authentication, and 802.1X authentication.
13. A system according to claim 9, wherein when the apparatus has
been moved to said connecting port different from said connecting
port to which said authenticated apparatus was connected, if said
corresponding authentication server at said connecting port before
the movement and that after the movement differ, said packet
transfer apparatus resets an authenticated state of said moved
apparatus and transmits said authenticating request again to said
authentication server corresponding to the connecting port of a
movement destination.
Description
INCORPORATION BY REFERENCE
[0001] The present application claims priority from Japanese
application JP 2009-259428 filed on Nov. 13, 2009, the content of
which is hereby incorporated by reference into this
application.
BACKGROUND OF THE INVENTION
[0002] 1. Field of the Invention
[0003] The invention relates to a network authentication system
and, more particularly, to an apparatus and system using a
plurality of authentication servers having different databases.
[0004] 2. Description of the Related Art
[0005] In association with the infrastructure of a communication
network, various kinds of functions to fortify security have been
proposed. Network authentication is also one of those functions. A
network authentication system is mainly comprised of terminal
apparatuses such as PCs or the like, authentication switches, and
authentication servers. As a fundamental operation of the
authentication system, first, an authentication request packet is
outputted from the terminal apparatus such as a PC to the
authentication switch. When the authentication request packet is
received, on the basis of authentication information in the
reception packet, the authentication switch inquires of the
authentication server whether or not the authentication information
has been registered. When a fact that the authentication
information has been registered is notified from the authentication
server, the authentication switch enables a source MAC address of
the authentication request packet to be communicated.
[0006] In the network authentication switch, hitherto, only one
server could be designated as an authentication server to a target
PC/user (there was a redundancy forming function of the
authentication server as an existing function) and there was also a
function for designating a RADIUS server on an authenticating
method unit basis. For example, in the Official Gazette of
JP-A-2007-280221, a plurality of authentication servers are
constructed in order to authenticate one client PC.
SUMMARY OF THE INVENTION
[0007] In a network authentication environment constructed by a
plurality of authentication servers and a plurality of
authentication switches, hitherto, the authentication server has
been designated on an authentication switch unit basis and operated
and managed. At this time, if there is a movement of the user who
is managed by the different authentication server, the network
authentication management cannot be performed. For example, in a
situation where an authentication server has been disposed on every
floor and in every division, it is necessary to handle a plurality of
authentication servers by one authentication switch.
[0008] Hitherto, in the case where the enterprises which have been
operated by each authentication server are united or the business
divisions in the enterprise are united and their employees are mixed
in the workplace, the authentication servers cannot be operated by
one authentication switch. It is, therefore, a subject to cope with
a plurality of authentication servers by one authentication
switch.
[0009] As another subject, in the case where a plurality of floors
or a plurality of divisions are managed by one authentication
switch and the Web authentication is used as an authenticating
method, in order to use an authentication display screen as a
message board, it is necessary to display the authentication
display screen on a physical port unit basis.
[0010] Hitherto, as a method of designating a plurality of RADIUS
servers and operating, a method whereby the redundant RADIUS
servers are realized by allowing a plurality of RADIUS servers to
have the same authentication data or a method whereby the different
RADIUS server is designated in the case of using the MAC
authentication and in the case of using the Web authentication
existed.
[0011] However, since a quarantine server having a quarantine
function for checking a security state of a PC is partially applied
in addition to the authentication server, in the case where it is
intended to separately operate and manage the authentication
servers in one authentication switch on a PC unit basis, on a
physical port unit basis, and the like, such a construction cannot
be realized by the conventional authentication switch.
[0012] That is, in order to provide a variety of security services
to a plurality of terminals or users by one authentication switch,
it is necessary to connect a plurality of authentication servers.
It is, therefore, an object of the invention to realize the
following functions by one authentication switch: a function for
designating a RADIUS server every physical port of the
authentication switch; a function for displaying a different
authentication display screen at each port in the case where an
authenticating method is Web authentication and in the case where
the RADIUS server is designated on a physical port unit basis; and
a function whereby the authentication server can be designated when
authentication information is inputted from a PC.
[0013] According to an aspect of the invention, there is provided a
packet transfer apparatus or system comprising: a plurality of
connecting ports; a plurality of authentication processing units
for authenticating apparatuses connected through the connecting
ports; and an authentication process distributing unit for
selecting the authentication processing unit to be authenticated
every connecting port, wherein any one of the plurality of
authentication processing units is made to correspond to each of
the plurality of connecting ports, and when a packet is received
from the apparatus connected to one of the connecting ports, the
authentication process distributing unit selects the authentication
processing unit which was made to correspond to the connecting port
to which the apparatus to which the packet was transmitted has been
connected and allows an authenticating process of the
packet-transmitted apparatus to be executed.
[0014] In the case where the enterprises which have different
authentication servers and construct a network authentication
system are united or the divisions in the enterprise are united and
construct one network authentication system, the united network
authentication system can be constructed without uniting
authentication databases of the authentication servers.
[0015] Other objects, features and advantages of the invention will
become apparent from the following descriptions of the embodiments
of the invention taken in conjunction with the accompanying
drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0016] FIG. 1 is a constructional diagram of a network
authentication system;
[0017] FIG. 2 is a functional block diagram of a network
authenticating function in an authentication switch;
[0018] FIG. 3 is a port unit authenticating method list table;
[0019] FIG. 4 is an authenticating method list table;
[0020] FIG. 5 is an authentication server group list table;
[0021] FIG. 6 is a port unit Web authentication display screen data
list table;
[0022] FIG. 7 is an authenticated terminal registration list;
[0023] FIG. 8 is a processing flow by an
authenticated/non-authentication discriminating unit;
[0024] FIG. 9 is a processing flow of an authentication process
distributing unit;
[0025] FIG. 10 is a processing flow of an 802.1X authentication
processing unit;
[0026] FIG. 11 is a processing flow of a MAC authentication
processing unit;
[0027] FIG. 12 is a processing flow of a Web authentication
processing unit;
[0028] FIG. 13 is a processing flow for selecting an authentication
server on a user ID unit basis of the Web authentication processing
unit;
[0029] FIG. 14 is a processing flow of an inter-port movement
discriminating unit;
[0030] FIG. 15 is a network authentication system before
enterprises are united; and
[0031] FIG. 16 is a network authentication system after enterprises
were united.
DESCRIPTION OF THE EMBODIMENTS
Embodiment 1
[0032] It is a feature of the invention that even if there are a
plurality of authentication servers due to an enterprise
integration or an organization integration, an authenticating
apparatus such as an authentication switch or the like can
designate a plurality of authentication servers.
[0033] Ordinarily, when terminals are connected to an in-house
network or the like, authentication is performed by a switch or the
like having an authenticating function (hereinbelow, referred to as
an authentication switch) and only the authenticated terminals can
be connected to the in-house network. The authentication switch
performs the authentication by inquiring of the authentication
server having authentication information of the terminal. The
authentication server of which the authentication switch inquires
is fixed.
[0034] A case where enterprises A and B having authentication
systems of different methods have been united by amalgamation is
now considered. Since a case where the employees of the companies A
and B work on the same floor of the same building is also
considered, it is necessary that the authentication switch
allocated to the floor authenticates terminals of the employees of
both of the companies. That is, it is necessary to selectively use
the authentication servers and, further, the authenticating methods
of both of the companies A and B. To solve the above problem, the
authentication switch of the invention has a function for
distributing the authentication servers or authenticating methods
in accordance with necessity.
[0035] Problems in the enterprise integration or the like in the
network authentication system in the related art and a construction
of the invention will be sequentially described hereinbelow.
[0036] A network authentication system before enterprises or
organizations are united is shown in FIG. 15. The authentication
system shown in FIG. 15 has a construction using the conventional
authentication switch. In this system, registration information in
an authentication database 1550-1 registered in an authentication
server 1510-1 and registration information in an authentication
database 1550-2 registered in an authentication server 1510-2
differ.
[0037] The authentication server 1510-1 has been registered in an
authentication switch 1500-1. The authentication server 1510-2 has
been registered in an authentication switch 1500-2. In the
authentication databases 1550-1 and 1550-2 held by the
authentication servers, authentication information of their
respective organizations has been registered, and the two are not identical. A
flow of simple network authentication will be described. As network
authentication systems, there are MAC authentication, Web
authentication, and 802.1X authentication.
[0038] First, a flow of the authentication using the MAC
authenticating method will be described. First, a terminal 1540-1
is connected to a port of a HUB 1530-1. When an arbitrary packet is
transmitted from the terminal 1540-1 to the authentication switch
1500-1, the authentication switch 1500-1 inquires of the
authentication server 1510-1 about the authentication by using a
transmitting source MAC address of the reception packet.
[0039] At this time, although a plurality of authentication servers
can be registered into the authentication switch 1500-1 in order to
realize redundancy, the switch can have only one kind of
authentication database. The authentication server which is
accessed first from one authentication switch has been fixed and
only one authentication server is accessed. In the case where the
relevant MAC address has been registered in the authentication
database 1550-1, the authentication server 1510-1 issues a
notification indicative of authentication OK to the authentication
switch 1500-1. In the authentication switch 1500-1, an
authentication permitting process is executed to the relevant MAC
address and the terminal 1540-1 can communicate.
[0040] A flow of the authentication using the Web authenticating
method will be described. The user of the terminal connects the
terminal 1540-1 to the HUB 1530-1 and makes an authenticating
request by http/https to the authentication switch 1500-1. The
authentication switch 1500-1 sends authentication information
registration display screen data to the terminal 1540-1. The user
inputs the authentication information by the registration display
screen and transmits to the authentication switch 1500-1. When the
authentication information is received, the authentication switch
1500-1 makes the authenticating request to the authentication
server 1510-1 on the basis of the authentication information.
Although a plurality of authentication servers can be registered
into the authentication switch 1500-1 in order to realize
redundancy, the switch can have only one kind of authentication
database.
[0041] The authentication server which is accessed first from one
authentication switch has been fixed and only one authentication
server is accessed. In the case where the relevant authentication
information has been registered in the authentication database
1550-1, the authentication server 1510-1 issues a notification
indicative of authentication OK to the authentication switch
1500-1. In the authentication switch 1500-1, an authentication
permitting process is executed to the MAC address of the relevant
terminal and the terminal 1540-1 can communicate. Authentication is
also performed in the 802.1X authenticating method by a similar
authenticating sequence. A similar network authenticating process
is also executed in the authentication system using the
authentication switch 1500-2.
[0042] A constructional diagram of a network authentication system
in the case where enterprises or organizations were united by using
the conventional authentication switch is shown in FIG. 16. In the
conventional authentication switch, only the authentication server
having one kind of authentication database can be registered by one
switch. Therefore, when enterprises or organizations are united and
the number of authentication servers increases, as many conventional
authentication switches as there are authentication servers become
necessary.
[0043] A flow of the network authentication will be simply
described. In the case of using the Web authentication as a network
authentication system, the user of the terminal 1540-1 connects the
terminal 1540-1 to the HUB 1530-1 and makes an authenticating
request by http/https to the authentication switch 1500-1. The
authentication switch 1500-1 sends authentication information
registration display screen data to the terminal 1540-1. The user
inputs the authentication information from the registration display
screen and transmits to the authentication switch 1500-1.
[0044] When the authentication information is received, the
authentication switch 1500-1 makes the authenticating request to
the authentication server 1510-1 on the basis of the authentication
information. The authenticating request is not performed to the
authentication server 1510-2. Similarly, in the case where a
terminal 1540-3 connected to a HUB 1530-3, which is in turn connected
to the authentication switch 1500-2, performs authentication, the
authentication switch 1500-2 makes the authenticating request only to
the authentication server 1510-2 and does not make the authenticating
request to the authentication server 1510-1.
[0045] As mentioned above, in the case where the conventional
switches are used, the authentication switch must be changed over
according to the user to be authenticated, so that if a network
authentication system is formed by enterprise integration,
organization integration, or the like, operation and construction
costs increase.
[0046] An embodiment of the invention will be described hereinbelow
with reference to FIGS. 1 to 14. A construction of a network
authentication system will now be described with reference to FIG.
1. FIG. 1 is a hardware block diagram of the authentication system.
In FIG. 1, the network authentication system is comprised of: an L3
switch 120; two authentication servers 110 and two authentication
switches 100 connected to the L3 switch 120; HUBs 130 connected to
the authentication switches 100; and terminals 140 connected to the
HUBs 130.
[0047] A construction of processing units for realizing the network
authenticating function of the authentication switch 100 is shown
in FIG. 2. Each of the processing units and databases which are
used will now be described. An authenticated/non-authentication
discriminating unit 240 has functions for receiving a packet from
the terminal and discriminating whether a transmitting source MAC
address of the reception packet has already been authenticated or
is not authenticated yet. An inter-port movement discriminating
unit 250 checks a state before the authenticated terminal is moved
and a state after it was moved, thereby discriminating whether or
not roaming of the authentication state can be performed.
[0048] An authentication distributing unit 200 discriminates the
authentication processing units to be distributed on the basis of
the reception packet and reception port information which were
received, and transmits the reception packet and reception port
information to the authentication processing units. Each of the
authentication processing units (an 802.1X authentication processing
unit 210, a Web authentication processing unit 220, a MAC
authentication processing unit 230) searches for the relevant
authentication server from an authentication server group list
table on the basis of the reception port information and executes
an authenticating process to the relevant authentication
server.
[0049] Tables which are used in the authentication switch 100 are
shown in FIGS. 3 to 7. A port unit authenticating method list table
300 is a correspondence table of a port number of the
authentication switch and an authenticating method list name. A
constructional example is shown in FIG. 3.
[0050] An authenticating method list table 400 is a correspondence
list of an authenticating method list and an authentication group
server having an authenticating method list name, an authenticating
method list, and an authentication server group list number as
component elements. A constructional example is shown in FIG.
4.
[0051] An authentication server group list table 500 is a list
table having a list number and authentication server information as
component elements. As authentication server information, an IP
address, MAC address information, and the like of the
authentication server are registered. A constructional example is
shown in FIG. 5.
[0052] A port unit Web authentication display screen data list
table 600 is a table having a port number of the authentication
switch and Web authentication display screen data information as
elements. As Web authentication display screen data information,
position information (directory information and the like) of the
Web authentication display screen data stored in the authentication
switch is stored. A constructional example is shown in FIG. 6.
[0053] An authenticated terminal registration list 700 is a
correspondence table of the port number of the authentication
switch and an authenticated MAC address. In a constructional
example shown in FIG. 7, a state where MAC addresses MAC-1 and
MAC-2 have been registered in the port No. 1 of the authentication
switch is shown.
[0054] By referring to the port unit authenticating method list
table 300, authenticating method list table 400, and authentication
server group list table 500, the information of the registered
authentication server can be obtained for each of ports of the
authentication switches. An explanation will be made with reference
to FIGS. 3 to 5.
[0055] An authenticating method list name List-1 registered in the
port No. 1 of the authentication switch is obtained from the port
unit authenticating method list table 300 shown in FIG. 3. The
relevant authentication server group list No. 1 is extracted from
the authenticating method list table 400 shown in FIG. 4 by using
List-1. Finally, by extracting the relevant authentication server
information "server 1, server 2" from the authentication server
group list table 500 shown in FIG. 5, the authentication server
information corresponding to the port No. 1 of the authentication
switch can be obtained.
[0056] Separately from the tables shown in FIGS. 3 to 5, a table
having the port number information of the authentication switch and
the authentication server information as component elements can be
also used.
[0057] Subsequently, a processing flow of each processing unit in
the authentication switch 100 will be described with reference to
FIGS. 8 to 14. First, a flow of processes of the
authenticated/non-authentication discriminating unit 240 will be
described with reference to FIG. 8. When an arbitrary packet is
received (800) from the terminal 140, the
authenticated/non-authentication discriminating unit 240 searches
the authenticated terminal registration list 700 on the basis of
the transmitting source MAC address of the reception packet.
[0058] If the relevant MAC address is not registered in the table,
it is determined that the MAC address is not authenticated yet, the
reception port information is added to the reception packet, and the
resultant packet is transferred to the authentication distributing
unit 200 (830). If the relevant MAC address has been
registered in the table, the reception port number in the
authentication switch of the reception packet and the port number
of the registered MAC address are compared (840). If they coincide,
the reception packet is determined as a packet from the
authenticated terminal and an ordinary packet transferring process
is executed (860). If they do not coincide, it is determined that
the terminal having the authenticated MAC address has been moved,
the reception port information and the port information of the
registered MAC are added to the reception packet, and the resultant
packet is transferred to the inter-port movement discriminating
unit (870).
[0059] Subsequently, a flow of processes of the inter-port movement
discriminating unit 250 will be described with reference to FIG.
14. When the reception packet, the reception port information of
the reception packet, and the port information of the registered
MAC are received from the authenticated/non-authentication
discriminating unit 240, the inter-port movement discriminating
unit 250 searches the authentication server group list table 500 on
the basis of the reception port information and obtains the server
group information after the terminal was moved (1400). The unit 250
searches the authentication server group list table 500 on the
basis of the reception port information of the registered MAC and
obtains the server group information before the terminal is moved
(1410). Subsequently, the server group before the movement and the
server group after the movement are compared (1420). If they do not
coincide, the authentication state of the relevant terminal is
reset (1440). If they coincide, the ordinary transferring process
is executed.
[0060] By comparing the server group information before the
movement of the terminal and that after the movement as mentioned
above, such a situation that the authenticated terminal is moved
between the ports at which the different authentication servers
have been registered can be inhibited, and authentication security
can be assured.
[0061] The inter-port movement discriminating unit in the related
art has such a function that when a connection destination of the
authenticated terminal is changed (moved) from the port in the
connected authentication switch to another port, VLAN-ID before the
movement and VLAN-ID after the movement are compared, if they
differ, the authentication is cancelled, and if they are identical,
the authentication state is continued (roaming).
[0062] A network will now be described in which the same VLAN-ID is
allocated to a plurality of ports and, in order to equalize the
traffic, the users are limited on a port unit basis. To construct
such a network, the operation of setting the authentication servers
on a port unit basis according to the invention is necessary.
[0063] Subsequently, a case of applying the inter-port movement
discriminating unit to the present network will be described. If
the inter-port movement discriminating unit in the related art is
used, in the case where VLAN-ID of the destination to which the
authenticated terminal has moved when it moves between the ports is
the same as VLAN-ID before the movement, the roaming is permitted.
Therefore, the traffic cannot be controlled on a port unit basis. On the
other hand, according to the inter-port movement discriminating
unit of the invention, since the type of authentication server
before the movement of the terminal and that after the movement are
compared, the roaming discrimination which is made in the
inter-port movement discriminating unit in the related art is not
performed. That is, if the type of authentication server set in the
port before the movement of the terminal and that after the
movement are different, after the terminal was moved, the apparatus
enters the authentication cancelling state and the traffics can be
separated.
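The inter-port movement check of FIG. 14, side by side with the related-art VLAN-ID comparison of [0061], as an added illustration in Python that is not part of the patent. The port configuration (three ports sharing one VLAN-ID, with ports 1 and 2 set to one server group and port 3 to another), the MAC address and the function names are constructed for the example, and the patent's three-table lookup (tables 300, 400, 500) is collapsed into a single port-to-server-group mapping. Run on a terminal that was authenticated on port 2 and then appears on port 3, the two checks disagree exactly as [0063] describes: the VLAN-ID check permits roaming, the server-group check resets the authentication state.

```python
"""Inter-port movement check: server group comparison versus VLAN-ID comparison.

Added illustration, not code from the patent. The port configuration below
is constructed; the patent's three-table lookup (tables 300, 400, 500) is
collapsed into one port-to-server-group mapping.
"""

# Constructed configuration for the network of [0062]: every port carries the
# same VLAN-ID, but ports 1-2 and port 3 are set to different server groups.
PORT_VLAN_ID = {1: 100, 2: 100, 3: 100}
PORT_SERVER_GROUP = {1: "Group-1", 2: "Group-1", 3: "Group-2"}


class AuthenticationTable:
    """Authenticated MAC addresses and the port each was authenticated on."""

    def __init__(self):
        self._port_of = {}

    def register(self, mac, port):
        self._port_of[mac] = port

    def is_authenticated(self, mac):
        return mac in self._port_of

    def port_of(self, mac):
        return self._port_of[mac]

    def reset(self, mac):
        self._port_of.pop(mac, None)


def related_art_decision(table, mac, rx_port):
    """Related-art check of [0061]: compare the VLAN-ID before and after the move."""
    if not table.is_authenticated(mac):
        return "authenticate"          # not yet authenticated: start authentication
    prev_port = table.port_of(mac)
    if prev_port == rx_port:
        return "forward"               # no movement
    if PORT_VLAN_ID[prev_port] == PORT_VLAN_ID[rx_port]:
        return "roam"                  # same VLAN-ID: authentication state continues
    table.reset(mac)
    return "reset"                     # different VLAN-ID: authentication cancelled


def invention_decision(table, mac, rx_port):
    """Check of FIG. 14: compare the server group before and after the move."""
    if not table.is_authenticated(mac):
        return "authenticate"
    prev_port = table.port_of(mac)          # reception port of the registered MAC
    if prev_port == rx_port:
        return "forward"
    before = PORT_SERVER_GROUP[prev_port]   # (1410) server group before the move
    after = PORT_SERVER_GROUP[rx_port]
    if before != after:                     # (1420) groups do not coincide
        table.reset(mac)                    # (1440) authentication state is reset
        return "reset"
    # Same server group: ordinary transfer. The patent does not say whether the
    # registered port is updated here, so the original port is kept.
    return "forward"


def compare_checks(mac, first_port, new_port):
    """Run both checks on a terminal authenticated on first_port and seen on new_port."""
    results = {}
    for name, decide in (("related_art", related_art_decision),
                         ("invention", invention_decision)):
        table = AuthenticationTable()
        table.register(mac, first_port)
        results[name] = decide(table, mac, new_port)
    return results


if __name__ == "__main__":
    # Constructed MAC address, moved from port 2 to port 3 (same VLAN, other group).
    print(compare_checks("00:00:5e:00:53:01", 2, 3))
```

Because the decision keys on the server group rather than the VLAN-ID, two ports can share a VLAN for traffic purposes while still refusing to honour an authentication state obtained at a port served by a different organisation's servers.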
[0064] Subsequently, a flow of processes of the authentication
distributing unit 200 will be described with reference to FIG. 9.
When the reception packet and the reception port information are
received from the authenticated/non-authentication discriminating
unit 240, the authentication distributing unit 200 obtains the
authenticating method information of the relevant port from the
port unit authenticating method list table 300 (900) and
determines, on the basis of the type of the reception packet, which
authenticating method is to be used for the network authenticating
process (910). If it is determined that the authenticating method
is the MAC authentication, the reception packet and the reception
port information are transferred to the MAC authentication
processing unit (940). If it is determined that the authenticating
method is the Web authentication, they are transferred to the Web
authentication processing unit (950). If it is determined that the
authenticating method is the 802.1X authentication, they are
transferred to the 802.1X authentication processing unit (930).
[0065] Subsequently, a flow of processes of the MAC authentication
processing unit 230 will be described with reference to FIG. 11.
When the reception packet and the reception port information are
received from the authentication distributing unit 200, the MAC
authentication processing unit 230 obtains the authentication
server group information from the reception port information by
using the port unit authenticating method list table 300, the
authenticating method list table 400, and the authentication server
group list table 500 (1100). The authentication information is then
inquired of the authentication servers in the authentication server
group information sequentially, starting from the server of the
highest priority (1110). In this manner, the authentication server
is selected on an authentication port unit basis and the network
authentication can be made.
[0066] Subsequently, a flow of processes of the Web authentication
processing unit 220 will be described with reference to FIG. 12.
When the reception packet and the reception port information are
received from the authentication distributing unit 200, the Web
authentication processing unit 220 obtains the authentication
server group information from the reception port information by
using the port unit authenticating method list table 300, the
authenticating method list table 400, and the authentication server
group list table 500 (1200). The unit 220 extracts the Web
authentication display screen data information from the port unit
Web authentication display screen data list table 600 by using the
reception port information and outputs the Web authentication
display screen to the terminal (1210). When the authentication
information is received from the terminal, it is inquired of the
authentication servers in the previously obtained authentication
server group information sequentially, starting from the server of
the highest priority (1220). In this manner, by outputting the Web
authentication display screen on an authentication port unit basis
and selecting the authentication server, the network authentication
can be made.
[0067] Subsequently, a flow of processes of the 802.1X
authentication processing unit 210 will be described with reference
to FIG. 10. When the reception packet and the reception port
information are received from the authentication distributing unit
200, the 802.1X authentication processing unit 210 obtains the
authentication server group information from the reception port
information by using the port unit authenticating method list table
300, the authenticating method list table 400, and the
authentication server group list table 500 (1000). The
authentication information is then inquired of the authentication
servers in the authentication server group information
sequentially, starting from the server of the highest priority
(1010). In this manner, the authentication server is selected on an
authentication port unit basis and the network authentication can
be made.
[0068] Subsequently, a case where a plurality of authenticating
methods have been combined will be described. When an arbitrary
packet is received from the terminal 140 connected to the port of
port No. 2, the authenticated/non-authentication discriminating
unit determines whether the transmitting source MAC address of the
reception packet has already been authenticated or not. In the
present description, it is assumed that the transmitting source MAC
address is not authenticated yet.
[0069] Subsequently, since the transmitting source MAC address that
is not authenticated yet has to be authenticated, the authentication
distributing unit 200 determines, on the basis of the received
reception packet and the reception port information, the
authentication processing unit to which they are to be distributed,
and transfers the reception packet and the reception port
information to that authentication processing unit. Specifically
speaking, the authentication distributing unit 200 obtains the
authenticating method list name List-2 corresponding to port No. 2
with reference to the port unit authenticating method list table
300.
[0070] Subsequently, the authenticating methods MAC and Web
corresponding to List-2 are obtained with reference to the
authenticating method list table 400. Subsequently, the
authentication distributing unit 200 transfers the reception packet
and the reception port information to the MAC authentication
processing unit 230 and the Web authentication processing unit 220
corresponding to the obtained authenticating methods. The MAC
authentication processing unit 230 and the Web authentication
processing unit 220 obtain the corresponding authentication server
information "server 3, server 4" from the port unit authenticating
method list table 300, authenticating method list table 400, and
authentication server group list table 500.
[0071] In the case where a plurality of servers are included in the
authentication server information, their priorities have been
predetermined. The servers having the second and subsequent
priorities are used as spare authentication servers. In the present
description, it is assumed that the smaller the number of the
server is, the higher the priority is. Therefore, the MAC
authentication processing unit 230 and the Web authentication
processing unit 220 issue the authenticating request to "server 3".
If there is no response, they issue the authenticating request to
"server 4". This is true of the case where there is only one
authenticating method. Subsequently, an embodiment of an
authentication server selecting method by the user ID in the case
where the Web authentication has been selected as network
authentication will be described.
[0072] A flow of processes for selecting the authentication server
on a user ID unit basis in the Web authentication processing unit
220 will be described with reference to FIG. 13. When the reception
packet is received from the authentication distributing unit 200,
the Web authentication processing unit 220 extracts the user ID
information from the reception packet. Then, the unit 220 extracts
the server group information from the user ID information (1300).
The server group information included in the user ID information
is, for example, the part delimited by a special character such as
"@". For user ID information of "user A@ server 1", "user A" is the
authentication information used when that user makes the network
authentication, and "server 1", delimited by "@", becomes the
server group information.
[0073] Subsequently, the authentication server group list table 500
is searched on the basis of the server group information and the
relevant authentication server information is extracted (1310).
[0074] The authentication information is inquired of the
authentication servers registered in the relevant authentication
server information sequentially, starting from the server of the
highest priority (1320). In this manner, the authentication server
is selected on a user ID unit basis and the network authentication
can be made.
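The table chain and selection logic of [0064] through [0074] in one added Python illustration (not code from the patent): tables 300, 400 and 500 as dictionaries, the distribution step of FIG. 9, the priority-ordered inquiry with fall-through to the spare server of [0071], and the "@" partitioning of the user ID from FIG. 13. The table contents (port 2 carrying List-2 with the MAC and Web methods and the group "server 3, server 4" follow the text; the rest is constructed), the mapping from packet type to authenticating method, the treatment of a packet whose method is not enabled on its port, and the treatment of a user ID that names no known group are all assumptions, since the patent does not specify them.

```python
"""Port-based and user-ID-based selection of authentication servers.

Added illustration, not the patent's code. Table contents, the packet-type
to method mapping, and the handling of unknown groups are constructed
assumptions.
"""

# Port unit authenticating method list table 300: port -> method list name.
PORT_METHOD_LIST = {1: "List-1", 2: "List-2", 3: "List-3"}

# Authenticating method list table 400: list name -> (methods, server group).
METHOD_LIST = {
    "List-1": (["802.1X"], "Group-1"),
    "List-2": (["MAC", "Web"], "Group-2"),   # port 2 in the text
    "List-3": (["MAC"], "Group-3"),
}

# Authentication server group list table 500: group -> servers, highest
# priority first (the text takes the smaller server number as higher priority).
SERVER_GROUP = {
    "Group-1": ["server 1", "server 2"],
    "Group-2": ["server 3", "server 4"],     # "server 3, server 4" in the text
    "Group-3": ["server 5"],
}

# Assumption for step 910: which packet type selects which method; any other
# packet is treated as a trigger for MAC authentication.
PACKET_TYPE_TO_METHOD = {"EAPOL": "802.1X", "HTTP": "Web"}

PARTITION_CHAR = "@"


def server_group_for_port(port):
    """Chain tables 300 -> 400 -> 500 (steps 1000 / 1100 / 1200)."""
    _methods, group = METHOD_LIST[PORT_METHOD_LIST[port]]
    return list(SERVER_GROUP[group])


def distribute(port, packet_type):
    """FIG. 9: name the processing unit for a packet received on a port.

    Returns "802.1X", "MAC" or "Web", or None when the method the packet
    calls for is not enabled on that port (assumption: such a packet is not
    handed to any processing unit).
    """
    methods, _group = METHOD_LIST[PORT_METHOD_LIST[port]]   # (900)
    method = PACKET_TYPE_TO_METHOD.get(packet_type, "MAC")  # (910)
    return method if method in methods else None


def query_in_priority_order(servers, query):
    """Steps 1010 / 1110 / 1220 / 1320: ask each server until one responds.

    `query(server)` returns True/False for an answer, or None when the server
    does not respond, in which case the next (spare) server is tried.
    Returns (server, accepted); (None, False) when no server answered.
    """
    for server in servers:
        result = query(server)
        if result is not None:
            return server, result
    return None, False


def split_user_id(user_id):
    """Step 1300: split "user@group" at the last partition character.

    Whitespace around both parts is stripped, so "user A@ server 1" yields
    ("user A", "server 1"). Without a partition character the group is None.
    """
    user, sep, group = user_id.rpartition(PARTITION_CHAR)
    if not sep:
        return user_id.strip(), None
    return user.strip(), group.strip()


def servers_for_user_id(user_id):
    """Steps 1300-1310: the ordered server list named by the user ID.

    An ID with no group, or with an unknown group, gets an empty list, so the
    caller cannot silently fall back to another organisation's servers
    (assumption: the patent does not say what happens in that case).
    """
    _user, group = split_user_id(user_id)
    return list(SERVER_GROUP.get(group, []))


def make_query(down, accepted):
    """Constructed server behaviour for the demo: servers in `down` never respond."""
    def query(server):
        if server in down:
            return None
        return server in accepted
    return query


if __name__ == "__main__":
    # Port 2 (List-2: MAC and Web, Group-2) with server 3 not responding.
    q = make_query(down={"server 3"}, accepted={"server 4"})
    print(distribute(2, "HTTP"))
    print(query_in_priority_order(server_group_for_port(2), q))
    print(split_user_id("user A@ server 1"))
    print(query_in_priority_order(servers_for_user_id("userB@Group-1"), q))
```

The same `query_in_priority_order` serves both the port-based units (FIGS. 10 to 12) and the user-ID-based selection (FIG. 13); only the source of the ordered server list differs, which is the point of the two selection paths.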
[0075] In the case of newly introducing the authentication server
having the quarantine function into the network authentication
system, the authentication server having the quarantine function
can be introduced step by step while leaving the conventional
authentication servers. The authentication system having the
partial quarantine function can be introduced into the
authentication network using only the conventional authentication
servers.
[0076] In a network authentication system using the Web
authentication that is operated with additional information, such
as the division of the connection destination, displayed on the
authentication information input display screen output to the
terminal apparatus, the invention allows the authentication system
to be constructed for a plurality of divisions with one
authentication switch.
[0077] When enterprises that have different authentication servers
and operate their own network authentication systems are united, or
when divisions within an enterprise are united, and one network
authentication system is constructed by introducing the present
invention as mentioned above, the united network authentication
system can be constructed without combining the authentication
databases of the authentication servers.
[0078] Where a quarantine system associated with the network
authentication coexists with the Web authentication, since the Web
authentication display screen can be changed on a port unit basis,
erroneous input by the user can be prevented by distinguishing the
Web authentication display screen used only for the network
authentication from the Web authentication display screen
associated with the quarantine.
[0079] Where the Web authentication system is operated with a
plurality of authentication servers because of an organization
integration or the like, the identification information of each
authentication server can be displayed on the Web authentication
display screen shown to the terminal apparatus. Therefore, the
authentication server (organization) to which a non-authenticated
person belongs can be known.
[0080] In the case where the authentication system is constructed
by using one authentication switch to a plurality of floors where a
plurality of organizations exist, the authentication servers on the
respective floors differ. In the invention, since such a situation
that the authenticated terminal is moved between the ports at which
the different authentication servers have been registered can be
inhibited, the authentication security between the floors can be
assured.
[0081] By setting one authentication server for an apparatus such
as a printer that is used at a fixed port, and setting the
authentication servers for the users at the other ports, even if a
PC is connected to the port to which the printer is connected in an
attempt to have the user authentication made there, the
authentication server differs and the PC cannot be connected.
Consequently, the authentication security is improved.
[0082] It should be further understood by those skilled in the art
that although the foregoing description has been made on
embodiments of the invention, the invention is not limited thereto
and various changes and modifications may be made without departing
from the spirit of the invention and the scope of the appended
claims.
* * * * *