WO2005091159A1 - Authentication system being capable of controlling authority based of user and authenticator. - Google Patents


Info

Publication number
WO2005091159A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user
list
access
authenticator
Application number
PCT/KR2005/000841
Other languages
French (fr)
Inventor
Ki-Tae Kim
Original Assignee
Exers Technologies. Inc.
Priority claimed from KR1020050023318A (see KR100707805B1)
Application filed by Exers Technologies. Inc.
Publication of WO2005091159A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Definitions

  • the present invention relates to an authentication system capable of controlling and allocating network access and usage rights based on users and/or authenticators.
  • an authentication method for user's terminals has utilized SSIDs (Service Set Identifiers) of APs (Access Points), shared WEP (Wired Equivalent Privacy) keys, MAC (Media Access Control) addresses, or the like.
  • SSIDs: Service Set Identifiers
  • APs: Access Points
  • WEP: Wired Equivalent Privacy
  • MAC: Media Access Control
  • the same SSIDs need to be set to all the APs in order to provide inter-cell mobility to the terminals.
  • the same WEP key and the associated algorithm need to be used to encrypt and decrypt data. Therefore, the problem of the authentication method using the shared WEP keys is that the same WEP key is registered to all the terminals and the APs at the time of their configuration set-up.
  • in the authentication method using the MAC addresses, some wireless LAN providers may authenticate access of the terminals to a wireless LAN based on the MAC addresses of the terminals.
  • the problem of the authentication method using the MAC addresses is that wireless LAN access is limited to only the terminals whose wireless LAN card has a MAC address registered to the APs.
  • the conventional wireless LAN authentication methods have many problems in security and inter-cell mobility of terminals. Namely, the authentication method using the SSIDs or the shared WEP keys has a problem in that, if the security of a specific one of the terminals is breached, the passwords of the other terminals must be changed.
  • the same SSID and WEP key of the APs must be known to a new terminal entering into the cell in order to provide a service to the newly entering terminal.
  • the conventional wireless LAN authentication methods also have a problem in that, every time a new user enters the cell, the MAC address of the terminal of the newly entering user must be registered to the APs. Therefore, if the newly entering user is a temporarily moving user or a frequently entering user, there is a difficulty in providing the service to the users.
  • a wireless LAN terminal authentication method using a log-in ID and a password utilizes EAP (Extensible Authentication Protocol) based on IEEE 802.1x.
  • EAP: Extensible Authentication Protocol
  • a user enters ID and password through a network log-in dialog box.
  • the terminal and the authentication server perform mutual authentication based on the user's ID and password.
  • the AP allocates its own WEP key to the authenticated terminal, so that the wireless LAN service can be provided to the authenticated terminal.
  • Like this, the conventional authentication methods have a problem in that network access and usage rights are controlled based only on the users and not adaptively.
  • FIG. 1 is a configuration view showing a whole configuration of an authentication system according to the present invention.
  • FIG. 2 is a flowchart for explaining a series of authentication processes of the authentication system according to the present invention.
  • the IEEE 802.1x standard defines three entities: a supplicant 100; an authenticator 110; and an authentication server 120.
  • the supplicant is an entity providing user's authentication information to the authenticator and sending authentication request to the authenticator.
  • the supplicant includes wire or wireless terminals intending to access network.
  • the authenticator is initially set to an uncontrolled port status.
  • the supplicant and authenticator can communicate with each other through the EAP (Extensible Authentication Protocol) .
  • the authenticator is an entity transferring the received authentication information and authentication request to the authentication server.
  • the authenticator transfers an authentication success message to the supplicant and converts its port status into a controlled port status.
  • the authenticator includes APs (Access Points), routers, switches, and the like.
  • the authentication server is an entity determining authentication based on the supplicant's authentication request received from the authenticator. In order to determine authentication, the authentication server uses the user's authentication information stored in its internal database or received from external entities. In the IEEE 802.1x standard, no protocol for communication between the authentication server and the authenticator is defined.
  • an object of the present invention is to provide an authentication server capable of controlling the user's network access and usage rights in a data link layer based on the IEEE 802.
  • Another object of the present invention is to provide a method of controlling user's network access and usage rights based on users and/or authenticators, wherein policies for controlling user's network access and usage rights are implemented in an authentication server, wherein a policy for controlling authenticator-based access right is set up, wherein the set-up authenticator-based access right is allocated to the user.
  • an authentication system comprising: an authenticator for receiving basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein an authentication policy name is designated to each of the authentication policies stored in an authentication policy list of the authentication server, wherein each of the authentication policies includes at least one of an access-allowing authenticator list, an access-denying authenticator list, an access-allowing supplicant list, an access-denying supplicant list, an access-allowing time/week-day list, and an authenticator-based network resource usage right list, and wherein, when one of the users sends the authentication request, the authentication server checks the authentication policy name of each of the authentication policies applied to the user, determines the authentication policy corresponding to the authentication policy name from the authentication policy list, and controls the user's network access and usage rights in accordance with the determined authentication policy.
  • an authentication system comprising: an authenticator for receiving basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein the authentication server includes an authentication policy list having at least one authentication policy, wherein each of the authentication policies includes its authentication policy name and associated authentication information, wherein the authentication policies are applied based on users or user groups, wherein, when one of the users sends the authentication request, the authentication server performs a basic authentication process for the user based on the basic authentication information received from the user, wherein, if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server checks the authentication policy name of the authentication policy applied to the user from the authentication policy list, determines the authentication policy corresponding to the authentication policy name, and performs a final authentication process for the user in accordance with the determined authentication policy.
  • the authentication policies stored in the authentication policy list may include an access-allowing authenticator list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not the authenticator transferring the user authentication request is registered in the access-allowing authenticator list, and wherein if the authenticator transferring the user authentication request is registered in the access-allowing authenticator list, the authentication server transmits a final authentication success message for the user to the authenticator.
  • the authentication policies stored in the authentication policy list may include an access-denying authenticator list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not the authenticator transferring the user authentication request is registered in the access-denying authenticator list, and wherein if the authenticator transferring the user authentication request is registered in the access-denying authenticator list, the authentication server does not transmit a final authentication success message for the user to the authenticator.
  • the authentication policies stored in the authentication policy list may include an access-allowing supplicant list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not a MAC address of the user is registered in the access-allowing supplicant list, and wherein only if the MAC address of the user is registered in the access-allowing supplicant list, the authentication server transmits a final authentication success message for the user to the authenticator.
  • the authentication policies stored in the authentication policy list may include an access-denying supplicant list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not a MAC address of the user is registered in the access-denying supplicant list, and wherein if the MAC address of the user is registered in the access-denying supplicant list, the authentication server does not transmit a final authentication success message for the user to the authenticator.
  • the authentication policies stored in the authentication policy list may include an access-allowing time/week-day list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not the access time or week-day when the user accesses a network matches the access-allowing time or week-day registered in the access-denying authenticator list, and wherein if the access time or week-day when the user accesses a network matches the access-allowing time or week-day registered in the access-allowing authenticator list, the authentication server transmits a final authentication success message for the user to the authenticator.
  • the authentication policies stored in the authentication policy list include an authenticator-based usage right list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server grants a usage right to the user to utilize only the network resources registered in the authenticator-based usage right list.
  • the authentication server can control the user's network access and usage rights based on the authenticators as well as the users. As a result, it is possible to perform a variety of finely-identified network management in comparison to a conventional non-adaptive method of controlling user's network access and usage rights.
  • FIG. 3 is a view showing an authentication policy list included in an authentication server of the authentication system according to the present invention.
  • the authentication server receives a specific user's authentication information from an authenticator and determines authentication in response to a specific user authentication request transferred by the authenticator.
  • the authentication server includes an authentication policy list having at least one authentication policy.
  • Each of the authentication policies in the authentication policy list includes its identifiable authentication policy name and at least one of an access-allowing authenticator list, an access-denying authenticator list, an access-allowing supplicant list, an access-denying supplicant list, an access-allowing time/week-day list, an access-denying time/week-day list, an authenticator-based usage right list, and a PRL/ACL
  • the authentication policy name is an identifier for each of authentication policies.
  • One authentication policy is allocated to a user.
  • the authentication server grants a basic authentication to the associated user
  • the authentication policy corresponding to the authentication policy name allocated to the user is applied.
  • the access-allowing authenticator list is a list of authenticators from which the user obtains authentication. The authenticators are registered to the access-allowing authenticator list by allocating IP or MAC addresses to the authenticators.
  • the access-denying authenticator list is a list of authenticators from which the user cannot obtain authentication.
  • the authenticators are registered to the access-denying authenticator list by allocating the IP or MAC addresses to the authenticators.
  • the authentication server denies user's network access.
  • an attribute "Called_Station_ID" is used as information on the access-allowing and access-denying authenticator lists.
  • the attribute Called_Station_ID is one of the RADIUS attributes included in the RADIUS access request sent by the authenticators.
  • the format of the attribute Called_Station_ID preferably corresponds to the definition in the IETF RFC3580 standard.
  • the attribute Called_Station_ID of the associated authenticator is prescribed to be transmitted together with the MAC address, or both the MAC address and the SSID (in case of a wireless LAN).
  • the access-allowing supplicant list is a list of users which a supplicant allows to access. MAC addresses of the users' terminals are registered in the access-allowing supplicant list. Only if the MAC address of the user's terminal satisfying the basic authentication information matches the MAC address registered in the access-allowing supplicant list can the user be allowed to access.
  • the authentication server grants authentication to the user and sends the final authentication success message to the authenticator.
  • the access-denying supplicant list is opposite to the access-allowing supplicant list. Therefore, although the basic authentication information received from the user matches with the information stored in the authentication server, if the MAC address of the user is included in the access-denying supplicant list, the authentication server denies authentication to the user.
  • an attribute "Calling_Station_ID" is used.
  • the attribute Calling_Station_ID is one of the RADIUS attributes included in the RADIUS access request transferred by the authenticators.
  • the format of the attribute Calling_Station_ID preferably corresponds to the definition in the IETF RFC3580 standard. According to the IETF RFC3580 standard, the attribute Calling_Station_ID of the associated authenticator is prescribed to indicate the MAC address thereof.
  • the access-allowing time/week-day list is a list of times and week-days when the user is allowed to access the network. Although the basic authentication information received from the user matches the information stored in the authentication server, only if the access time and week-day are included in the access-allowing time/week-day list does the authentication server grant authentication to the user and send the final authentication success message to the authenticator.
  • the access-denying time/week-day list is opposite to the access-allowing time/week-day list.
  • the access-denying time/week-day list is a list of time/week-day when the user is not allowed to access to the network. Therefore, although the basic authentication information received from the user matches with the information stored in the authentication server, if the access time/week-day is included in the access-denying time/week-day list, the authentication server denies authentication to the user, so that the user cannot be allowed to access the network.
  • the time/week-day used for the determination of access allowance is based on the time/week-day of the authentication server.
  • the time of the authentication server may be an internal system time or synchronized with a network time through an NTP (Network Time Protocol) or the like.
  • the authenticator-based usage right list is a list of network resources capable of being allocated to the authenticated users based on the authenticators. A basically-authenticated user can utilize only the network resources registered in the authenticator-based usage right list.
  • an identifier VLAN_ID or an attribute of a vendor-based usage right is preferably used.
  • as identification criteria for authenticators, fields such as the Source_IP_Address field, the RADIUS_NAS_IP_Address field, and the NAS_IPv6_Address field of an IP packet may be used.
  • the identifier VLAN_ID is prescribed to be transmitted together with the authentication success message through a tunnel attribute in the IETF RFC3580 standard.
  • the attribute "Tunnel-Private-Group-Id" indicates the virtual LAN identifier VLAN_ID.
  • the VLAN must be constructed on the network to which the authenticator is connected.
  • a switch in layer 3 or a router must support a function of processing VLAN-tag-attached packets. As a result, the user is allowed to access the network only through the VLAN to which the user belongs. Namely, although the user's terminal is physically connected to the other networks, the user is not allowed to access the other networks.
  • when it receives the authentication request from the user, the authentication server first determines whether or not the value RADIUS NAS_IP_Address corresponds to the authenticators registered in the access-allowing authenticator list. If the value RADIUS NAS_IP_Address corresponds to the registered authenticators, the authentication server determines whether or not the shared secret value is correct by performing a message integrity check using the shared secret value. If the shared secret value is correct, the authentication server grants authentication to the associated user, checks the authentication policies applied to the user, allocates the usage right policies in the authenticator-based usage right list to the IP address of the authenticator (that is, the IP address written in the NAS_IP_Address field), and then sends the final authentication success message to the authenticator.
  • the aforementioned attribute of a vendor-based usage right is an attribute of a usage right specific to a vendor. As an example, Enterasys
  • the UPN policy name is included in the attribute "Filter_ID" among the RADIUS attributes, and then transmitted together with the attribute.
  • the format of the attribute "Filter_ID" corresponds to definitions of Enterasys Networks, Inc.
  • Cisco Systems, Inc. sets up an additional user-based ACL.
  • the user-based ACL is transmitted to the authenticator through Cisco VSAs (Vendor Specific Attributes).
  • VSAs: Vendor Specific Attributes
  • an authentication server can be used to control user's network access rights based on authenticators as well as users.
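The following is an added worked example, not code from the patent or from Exers Technologies: a small authentication server that runs the decision flow described in the definitions above. It checks the requesting NAS against the registered authenticators, verifies the RADIUS Message-Authenticator with that NAS's shared secret, performs basic authentication, applies the user's policy lists keyed on NAS-IP-Address / Called-Station-Id, Calling-Station-Id and the server's own time/week-day, and returns the authenticator-specific VLAN as RFC 3580 tunnel attributes. Every host, secret, user, MAC and policy value is constructed, and a plaintext User-Password stands in for the EAP exchange.

```python
"""Added worked example (not code from the patent or from Exers Technologies): an
authentication server applying the per-user policy list described above. Attribute codes
follow RFC 2865/2868/2869/3580; every host, secret, user, MAC and policy value is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              30: "Called-Station-Id", 31: "Calling-Station-Id"}
ATTR_CODES = {v: k for k, v in ATTR_NAMES.items()}
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)
# Registered authenticators (RADIUS clients): NAS IP -> shared secret.
AUTHENTICATORS = {"10.0.0.2": b"ap-lobby-secret", "10.0.0.3": b"sw-lab-secret"}
# Basic authentication data: user -> (password, name of the policy allocated to the user).
USERS = {"alice": ("alice-pw", "staff"), "guest1": ("guest-pw", "visitor")}

@dataclass
class AuthPolicy:  # one entry of the authentication policy list; an empty allow list means 'any'
    name: str
    allow_authenticators: set = field(default_factory=set)  # NAS IP or Called-Station-Id
    deny_authenticators: set = field(default_factory=set)
    allow_supplicants: set = field(default_factory=set)     # Calling-Station-Id (MAC)
    deny_supplicants: set = field(default_factory=set)
    allow_times: list = field(default_factory=list)         # (weekday set, from_h, to_h)
    deny_times: list = field(default_factory=list)
    usage_rights: dict = field(default_factory=dict)        # NAS IP -> VLAN id

POLICIES = {
    "staff": AuthPolicy("staff", allow_times=[({0, 1, 2, 3, 4}, 7, 20)],
                        deny_supplicants={"00-11-22-33-44-55"},
                        usage_rights={"10.0.0.2": "20", "10.0.0.3": "30"}),
    "visitor": AuthPolicy("visitor", allow_authenticators={"10.0.0.2"},
                          usage_rights={"10.0.0.2": "99"}),
}

def build_access_request(secret, ident, attrs, authenticator=None):
    """Encode an Access-Request (code 1) as RFC 2865 TLVs; the trailing
    Message-Authenticator is HMAC-MD5(secret, packet with that value zeroed)."""
    body = b"".join(bytes([ATTR_CODES[n], len(v) + 2]) + v for n, v in attrs)
    body += bytes([MSG_AUTH, 18]) + b"\x00" * 16
    header = bytes([1, ident]) + (20 + len(body)).to_bytes(2, "big")
    zeroed = header + (authenticator or os.urandom(16)) + body
    return zeroed[:-16] + hmac.new(secret, zeroed, hashlib.md5).digest()

def parse_packet(packet):
    """Return (attribute dict, byte offset of the Message-Authenticator value)."""
    attrs, pos, ma_off = {}, 20, None
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        value = packet[pos + 2:pos + length]
        if t == MSG_AUTH:
            ma_off = pos + 2
        elif t == ATTR_CODES["NAS-IP-Address"]:
            attrs["NAS-IP-Address"] = ".".join(str(b) for b in value)
        elif t in ATTR_NAMES:
            attrs[ATTR_NAMES[t]] = value.decode()
        pos += length
    return attrs, ma_off

def shared_secret_ok(secret, packet, ma_off):
    """Message integrity check: recompute the HMAC with the registered shared secret."""
    zeroed = packet[:ma_off] + b"\x00" * 16 + packet[ma_off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[ma_off:ma_off + 16])

def in_window(weekday, hour, windows):
    return any(weekday in days and lo <= hour < hi for days, lo, hi in windows)

def authorize(packet, weekday, hour):
    """Known authenticator -> shared secret -> basic authentication -> policy lists -> VLAN.
    weekday/hour are read from the authentication server's own (NTP-synchronised) clock."""
    req, ma_off = parse_packet(packet)
    nas = req.get("NAS-IP-Address")
    secret = AUTHENTICATORS.get(nas)
    if secret is None or ma_off is None or not shared_secret_ok(secret, packet, ma_off):
        return {"code": "Discard", "reason": "unknown authenticator or bad shared secret"}
    creds = USERS.get(req.get("User-Name"))  # plaintext password stands in for the EAP exchange
    if creds is None or not hmac.compare_digest(creds[0].encode(), req.get("User-Password", "").encode()):
        return {"code": "Access-Reject", "reason": "basic authentication failed"}
    pol = POLICIES[creds[1]]
    auth_ids = {nas, req.get("Called-Station-Id", "")}
    mac = req.get("Calling-Station-Id", "")
    checks = [
        (pol.allow_authenticators and not auth_ids & pol.allow_authenticators, "authenticator not allowed"),
        (auth_ids & pol.deny_authenticators, "authenticator denied"),
        (pol.allow_supplicants and mac not in pol.allow_supplicants, "supplicant not allowed"),
        (mac in pol.deny_supplicants, "supplicant denied"),
        (pol.allow_times and not in_window(weekday, hour, pol.allow_times), "outside allowed time/week-day"),
        (in_window(weekday, hour, pol.deny_times), "inside denied time/week-day"),
    ]
    for failed, reason in checks:
        if failed:
            return {"code": "Access-Reject", "reason": reason, "policy": pol.name}
    vlan = pol.usage_rights.get(nas)
    if vlan is None:
        return {"code": "Access-Reject", "reason": "no usage right on this authenticator", "policy": pol.name}
    # RFC 3580: the VLAN assignment rides in the Access-Accept as tunnel attributes.
    return {"code": "Access-Accept", "policy": pol.name, "attrs": {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-Id": vlan}}
```

The same user gets VLAN 20 from the lobby AP and VLAN 30 from the lab switch, while a request from an unregistered NAS or with a wrong shared secret is silently discarded before any policy is consulted.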

Abstract

An authentication system capable of controlling user's network access rights based on authenticators as well as users is provided. The authentication system includes: an authenticator for receiving basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein an authentication policy name is designated to each of the authentication policies stored in an authentication policy list of the authentication server, wherein each of the authentication policies includes at least one of an access-allowing authenticator list, an access-denying authenticator list, an access-allowing supplicant list, an access-denying supplicant list, an access-allowing time/week-day list, and an authenticator-based network resource usage right list, and wherein, when one of the users sends the authentication request, the authentication server checks the authentication policy name of each of the authentication policies applied to the user, determines the authentication policy corresponding to the authentication policy name from the authentication policy list, and controls the user's network access and usage rights in accordance with the determined authentication policy.

Description

AUTHENTICATION SYSTEM BEING CAPABLE OF CONTROLLING AUTHORITY BASED OF USER AND AUTHENTICATOR
TECHNICAL FIELD
The present invention relates to an authentication system capable of controlling and allocating network access and usage rights based on users and/or authenticators.
BACKGROUND ART
In a conventional wireless LAN system, an authentication method for user's terminals has utilized SSIDs (Service Set Identifiers) of APs (Access Points), shared WEP (Wired Equivalent Privacy) keys, MAC (Media Access Control) addresses, or the like.

However, there is a problem in the authentication method using the SSIDs. The SSIDs are not often used as a handle for allowing or denying access of the terminals. Since the SSIDs are designed to be broadcast by the APs and can be picked up with a radio wave detector, a security problem may occur in case of using the SSIDs. In addition, the same SSIDs need to be set to all the APs in order to provide inter-cell mobility to the terminals.

There is also a problem in the authentication method using the shared WEP key. In order to protect the data stream of the wireless LAN, the same WEP key and the associated algorithm need to be used to encrypt and decrypt data. Therefore, the problem of the authentication method using the shared WEP keys is that the same WEP key is registered to all the terminals and the APs at the time of their configuration set-up.

There is also a problem in the authentication method using the MAC addresses. Some wireless LAN providers may authenticate access of the terminals to a wireless LAN based on the MAC addresses of the terminals. However, the problem of the authentication method using the MAC addresses is that wireless LAN access is limited to only the terminals whose wireless LAN card has a MAC address registered to the APs.

Like this, the conventional wireless LAN authentication methods have many problems in security and inter-cell mobility of terminals. Namely, the authentication method using the SSIDs or the shared WEP keys has a problem in that, if the security of a specific one of the terminals is breached, the passwords of the other terminals must be changed.
In addition, with respect to the inter-cell mobility of the terminals, since the same SSID and WEP key are set to all the terminals and APs within one cell in the wireless LAN system, the same SSID and WEP key of the APs must be known to a new terminal entering the cell in order to provide a service to the newly entering terminal. In addition, the conventional wireless LAN authentication methods also have a problem in that, every time a new user enters the cell, the MAC address of the terminal of the newly entering user must be registered to the APs. Therefore, if the newly entering user is a temporarily moving user or a frequently entering user, there is a difficulty in providing the service to the users.

In order to solve the aforementioned problems, a wireless LAN terminal authentication method using a log-in ID and a password has been proposed. The authentication method utilizes EAP (Extensible Authentication Protocol) based on IEEE 802.1x. A user enters an ID and password through a network log-in dialog box. Next, the terminal and the authentication server perform mutual authentication based on the user's ID and password. Next, the AP allocates its own WEP key to the authenticated terminal, so that the wireless LAN service can be provided to the authenticated terminal. Like this, the conventional authentication methods have a problem in that network access and usage rights are controlled based only on the users and not adaptively.

Therefore, as an improvement of the conventional non-adaptive authentication system, there is a need for an authentication system for identifying the network usage rights of users on a network in accordance with the IEEE 802.1x standard and allocating the identified network usage rights to the users based on the authenticators which the users access, thereby controlling the network usage rights based on the positions of the users on the network.
In addition, there is also a need for an authentication method used for the authentication system.
DETAILED DESCRIPTION OF THE INVENTION Technical Goal of the Invention FIG. 1 is a configuration view showing a whole configuration of an authentication system according to the present invention. FIG. 2 is a flowchart for explaining a series of authentication processes of the authentication system according to the present invention. Referring to FIGS. 1 and 2, the IEEE 802. lx standard defines three entities: a supplicant 100; an authenticator 110; and an authentication server 120. The supplicant is an entity providing user's authentication information to the authenticator and sending authentication request to the authenticator. For example, the supplicant includes wire or wireless terminals intending to access network. When the supplicant sends the authentication request, the authenticator is initially set to an uncontrolled port status. In this status, the supplicant and authenticator can communicate with each other through the EAP (Extensible Authentication Protocol) . The authenticator is an entity transferring the received authentication information and authentication request to the authentication server. When the authentication server grants the authentication, the authenticator transfers an authentication success message to the supplicant and converts its port status into a controlled port status. For example, the authenticator includes APs (Access Points), routers, switches, and the like. The authentication server is an entity determining authentication based on the supplicant's authentication request received from the authenticator. In order to determine authentication, the authentication server uses user's authentication information stored in its internal database or received from external entities. In the IEEE 802. lx standard, any protocol for communication between trie authentication server and the authenticator is not defined. 
In general, a protocol used for an AAA (Authentication, Authorization, and Accounting) server is also recommended as the protocol between the authentication server and the authenticator. Therefore, the RADIUS (Remote Authentication Dial-In User Service) protocol is used as an industrial de-facto standard protocol . In a case where the authenticator and the authentication server communicate with each other through the RADIUS protocol, the user's network access right can be controlled according to the determination of authentication (performed by an internal authentication algorithm of the authentication server) and the attributes and the vendor-specific attributes of the RADIUS which can be transferred together with the authentication success message. Therefore, an object of the present invention is to provide an authentication server capable of controlling the user's network access and usage rights in a data link layer based on the IEEE 802. lx standard to perform a variety of finely-identified network management processes . In addition, another object of the present invention is to provide a method of controlling user's network access and usage rights based on users and/or authenticators, wherein policies for controlling user's network access and usage rights are implemented in an authentication server, wherein a policy for controlling authenticator-based access right is set up, wherein the set-up authenticator—based access right is allocated to the user. 
Disclosure of the Invention In order to achieve the aforementioned objects, according to an aspect of the present invention, there is provided an authentication system comprising: an authenticator for receiving a basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein an authentication policy name is designated to each of authentication policies stored in an authentication policy list of the authentication server, wherein each of the authentication polices includes at least one of an access-allowing authenticator list, an access-denying authenticator list, access-allowing supplicant list, an access-denying supplicant list, access-allowing time/week-day list, and an authenticator-based network resource usage right list, and wherein, when one of the users sends the authentication request, the authentication server checks the authentication policy name of each of the authentication polices applied to the user, determines the authentication policy corresponding to the authentication policy name from the authentication policy list, and controls user's network access and usage rights in accordance with the determined authentication policy. 
According to another aspect of the present invention, there is provided an authentication system comprising: an authenticator for receiving basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein the authentication server includes an authentication policy list having at least one authentication policy, wherein each of the authentication policies includes its authentication policy name and associated authentication information, wherein the authentication policies are applied based on users or user groups, wherein, when one of the users sends the authentication request, the authentication server performs a basic authentication process for the user based on the basic authentication information received from the user, and wherein, if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server checks the authentication policy name of the authentication policy applied to the user from the authentication policy list, determines the authentication policy corresponding to the authentication policy name, and performs a final authentication process for the user in accordance with the determined authentication policy.
In this aspect of the present invention, the authentication policies stored in the authentication policy list may include an access-allowing authenticator list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not the authenticator transferring the user authentication request is registered in the access-allowing authenticator list, and wherein, if the authenticator transferring the user authentication request is registered in the access-allowing authenticator list, the authentication server transmits a final authentication success message for the user to the authenticator.

In addition, the authentication policies stored in the authentication policy list may include an access-denying authenticator list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not the authenticator transferring the user authentication request is registered in the access-denying authenticator list, and wherein, if the authenticator transferring the user authentication request is registered in the access-denying authenticator list, the authentication server does not transmit a final authentication success message for the user to the authenticator.

In addition, the authentication policies stored in the authentication policy list may include an access-allowing supplicant list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not a MAC address of the user is registered in the access-allowing supplicant list, and wherein only if the MAC address of the user is registered in the access-allowing supplicant list does the authentication server transmit a final authentication success message for the user to the authenticator.
In addition, the authentication policies stored in the authentication policy list may include an access-denying supplicant list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not a MAC address of the user is registered in the access-denying supplicant list, and wherein, if the MAC address of the user is registered in the access-denying supplicant list, the authentication server does not transmit a final authentication success message for the user to the authenticator.

In addition, the authentication policies stored in the authentication policy list may include an access-allowing time/week-day list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not the access time or week-day at which the user accesses the network matches the access-allowing time or week-day registered in the access-denying authenticator list, and wherein, if the access time or week-day at which the user accesses the network matches the access-allowing time or week-day registered in the access-allowing authenticator list, the authentication server transmits a final authentication success message for the user to the authenticator.

In addition, the authentication policies stored in the authentication policy list may include an authenticator-based usage right list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server grants the user a usage right to utilize only the network resources registered in the authenticator-based usage right list.

Effect of the Invention

According to the present invention, in the IEEE 802.1X standard, the authentication server can control the user's network access and usage rights based on the authenticators as well as the users.
As a result, it is possible to perform a variety of fine-grained network management in comparison to a conventional non-adaptive method of controlling the user's network access and usage rights.
BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a configuration view showing a whole configuration of an authentication system according to the present invention. FIG. 2 is a flowchart for explaining a series of authentication processes of the authentication system according to the present invention. FIG. 3 is a view showing an authentication policy list included in an authentication server of the authentication system according to the present invention.
BEST MODE FOR CARRYING OUT THE INVENTION Now, an authentication system and method according to preferred embodiments of the present invention will be described with reference to the accompanying drawings. FIG. 3 is a view showing an authentication policy list included in an authentication server of the authentication system according to the present invention. The authentication server receives a specific user's authentication information from an authenticator and determines authentication in response to a specific user authentication request transferred by the authenticator.
The authentication server includes an authentication policy list having at least one authentication policy.
Each of the authentication policies in the authentication policy list includes its identifiable authentication policy name and at least one of an access-allowing authenticator list, an access-denying authenticator list, an access-allowing supplicant list, an access-denying supplicant list, an access-allowing time/week-day list, an access-denying time/week-day list, an authenticator-based usage right list, and a PRL/ACL (port rate limit/access control) list. By using the authentication policies, the user's network access and usage rights can be controlled based on users and/or authenticators. Now, the configuration and operation of the authentication server having the authentication policy list will be described in detail.

Firstly, the authentication policy name is an identifier for each of the authentication policies. One authentication policy is allocated to a user. When the authentication server grants a basic authentication to the associated user, the authentication policy corresponding to the authentication policy name allocated to the user is applied.

Next, the access-allowing authenticator list is a list of authenticators from which the user can obtain authentication. The authenticators are registered in the access-allowing authenticator list by their IP or MAC addresses. Even though the basic authentication information such as the user's ID, password, and authentication documents received from the user associated with the authentication request matches the information registered in the authentication server, the authentication server grants authentication to the user and sends a final authentication success message to the authenticator only if the authenticator sending the user authentication request is registered in the access-allowing authenticator list.

Next, the access-denying authenticator list is a list of authenticators from which the user cannot obtain authentication. The authenticators are registered in the access-denying authenticator list by their IP or MAC addresses.
Even though the basic authentication information such as the user's ID, password, and authentication documents received from the user associated with the authentication request matches the information registered in the authentication server, if the authenticator sending the user authentication request is registered in the access-denying authenticator list, the authentication server denies the user's network access.

As the information on the authenticator for the access-allowing and access-denying authenticator lists, the attribute "Called_Station_ID" is used. The attribute Called_Station_ID is one of the RADIUS attributes included in the RADIUS access request sent by the authenticators. The format of the attribute Called_Station_ID preferably corresponds to the definition in IETF RFC 3580. According to IETF RFC 3580, the attribute Called_Station_ID of the associated authenticator is prescribed to carry the authenticator's MAC address, or both the MAC address and the SSID (in the case of a wireless LAN).

Next, the access-allowing supplicant list is a list of the users (supplicants) that are allowed to access. The MAC addresses of the users' terminals are registered in the access-allowing supplicant list. Only if the MAC address of the user's terminal satisfying the basic authentication information matches a MAC address registered in the access-allowing supplicant list can the user be allowed to access. Therefore, even though the basic authentication information received from the user matches the information stored in the authentication server, the authentication server grants authentication to the user and sends the final authentication success message to the authenticator only if the MAC address of the user is included in the access-allowing supplicant list. On the other hand, the access-denying supplicant list is the opposite of the access-allowing supplicant list.
Therefore, even though the basic authentication information received from the user matches the information stored in the authentication server, if the MAC address of the user is included in the access-denying supplicant list, the authentication server denies authentication to the user.

As the information on the supplicant for the access-allowing and access-denying supplicant lists, the attribute "Calling_Station_ID" is used. The attribute Calling_Station_ID is one of the RADIUS attributes included in the RADIUS access request transferred by the authenticators. The format of the attribute Calling_Station_ID preferably corresponds to the definition in IETF RFC 3580. According to IETF RFC 3580, the attribute Calling_Station_ID is prescribed to indicate the MAC address of the associated supplicant.

The access-allowing time/week-day list is a list of the times and week-days at which the user is allowed to access the network. Even though the basic authentication information received from the user matches the information stored in the authentication server, the authentication server grants authentication to the user and sends the final authentication success message to the authenticator only if the access time and week-day are included in the access-allowing time/week-day list. On the other hand, the access-denying time/week-day list is the opposite of the access-allowing time/week-day list: it is a list of the times/week-days at which the user is not allowed to access the network. Therefore, even though the basic authentication information received from the user matches the information stored in the authentication server, if the access time/week-day is included in the access-denying time/week-day list, the authentication server denies authentication to the user, so that the user cannot access the network.
Here, the time/week-day used for the determination of access allowance is based on the time/week-day of the authentication server. The time of the authentication server may be an internal system time or may be synchronized with a network time through NTP (Network Time Protocol) or the like.

The authenticator-based usage right list is a list of the network resources that can be allocated to the authenticated users based on the authenticators. A basically-authenticated user can utilize only the network resources registered in the authenticator-based usage right list. Here, as the information on the authenticator-based usage right list, the identifier VLAN_ID or an attribute of a vendor-based usage right is preferably used. In addition, as identification criteria for authenticators, fields such as the Source_IP_Address field of the IP packet, the RADIUS NAS_IP_Address field, and the NAS_IPv6_Address field may be used.

Here, the identifier VLAN_ID is prescribed in IETF RFC 3580 to be transmitted together with the authentication success message through tunnel attributes. Among the RADIUS attributes, the attribute "Tunnel-Type=13" indicates a VLAN, the attribute "Tunnel-Medium-Type=6" indicates the IEEE 802 standard, and the attribute "Tunnel-Private-Group-Id" carries the virtual LAN identifier VLAN_ID. In this case, the VLAN must be constructed on the network to which the authenticator is connected, and a layer-3 switch or a router must support processing of VLAN-tagged packets. As a result, the user is allowed to access the network only through the VLAN to which the user belongs. Namely, although the user's terminal is physically connected to the other networks, the user is not allowed to access the other networks.
When it receives the authentication request from the user, the authentication server first determines whether or not the value of the RADIUS attribute NAS_IP_Address corresponds to one of the authenticators registered in the access-allowing authenticator list. If the value of NAS_IP_Address corresponds to a registered authenticator, the authentication server determines whether or not the shared secret value is correct by performing a message integrity check using the shared secret value. If the shared secret value is correct, the authentication server grants authentication to the associated user, checks the authentication policies applied to the user, allocates the usage right policies in the authenticator-based usage right list to the IP address of the authenticator (that is, the IP address written in the NAS_IP_Address field), and then sends the final authentication success message to the authenticator.

In addition, the aforementioned attribute of a vendor-based usage right is an attribute of a usage right specific to a vendor. As an example, Enterasys Networks, Inc. utilizes a policy manager named "UPN (User Personalized Network)" to set up QoS (Quality of Service), PRL (Port Rate Limit), ACL (Access Control List), and the like. The UPN policy name is included in the attribute "Filter_ID" among the RADIUS attributes and transmitted together with that attribute. The format of the attribute "Filter_ID" corresponds to the definitions of Enterasys Networks, Inc. As another example, Cisco Systems, Inc. sets up an additional user-based ACL. The user-based ACL is transmitted to the authenticator through Cisco VSAs (Vendor Specific Attributes). Thus, vendor attributes differ from vendor to vendor. Although there is no standardized attribute, the formats of the attributes are individually provided by the vendors. Therefore, by allocating vendor-specific attributes, the network access and usage right control can be improved.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation. For example, the information on access-allowing authenticators and supplicants and the associated attributes may be modified in various manners in order to improve the efficiency of an authentication system or to optimize characteristics for vendors. Therefore, the scope of the invention is defined not by the detailed description of the invention but by the appended claims, and all differences within the scope will be construed as being included in the present invention.
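The server-side sequence just described, as an added example in Python that is not part of the patent: the shared-secret integrity check on the RADIUS request (implemented here with the Message-Authenticator attribute of RFC 2869), the per-policy checks on Called_Station_ID, Calling_Station_ID, NAS_IP_Address and the server's time/week-day, and the VLAN assignment via Tunnel-Type=13, Tunnel-Medium-Type=6 and Tunnel-Private-Group-Id. The attribute type codes and tunnel values are the standard ones; the Policy class, the function names, the shared secret, the addresses and the clock value are constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from datetime import datetime
# RADIUS type codes (RFC 2865, 2868, 2869) and the RFC 3580 values used for VLAN assignment
ACCESS_REQUEST = 1
NAS_IP_ADDRESS, CALLED_STATION_ID, CALLING_STATION_ID = 4, 30, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def encode(code, ident, req_authenticator, attrs, secret=None):
    """Serialize a packet; with a secret, append a Message-Authenticator (RFC 2869 5.14):
    HMAC-MD5 over the whole packet, computed while its own 16 value bytes are zero."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + req_authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def parse(pkt):
    """Return (code, identifier, request_authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs

def integrity_ok(pkt, secret):
    """Shared-secret check: re-serialize with the Message-Authenticator value zeroed, recompute
    the HMAC, compare in constant time. No attribute present = fail (this example's choice)."""
    code, ident, req_auth, attrs = parse(pkt)
    mac = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if mac is None or len(mac) != 16:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, encode(code, ident, req_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)

@dataclass
class Policy:
    """One entry of the authentication policy list (FIG. 3); an empty set means 'list not used'."""
    name: str
    allow_authenticators: set = field(default_factory=set)  # NAS IPs or Called-Station-Id MACs
    deny_authenticators: set = field(default_factory=set)
    allow_supplicants: set = field(default_factory=set)     # Calling-Station-Id MACs
    deny_supplicants: set = field(default_factory=set)
    allow_weekdays: set = field(default_factory=set)        # 0 = Monday ... 6 = Sunday
    allow_hours: tuple = (0, 24)                            # [start, end) hours, server local time
    vlan_by_nas_ip: dict = field(default_factory=dict)      # authenticator-based usage right

def station_mac(raw):
    """RFC 3580 form (upper case, hyphens); a wireless Called-Station-Id's ':SSID' suffix is dropped."""
    return raw.decode().split(":")[0].replace(".", "-").upper()

def final_auth(policy, attrs, now):
    """Final checks for a user who passed basic authentication. Returns (accept, reply_attrs);
    reply_attrs carry the VLAN bound to the authenticator, i.e. the authenticator-based usage right."""
    a = dict(attrs)  # assumes each attribute used below occurs at most once
    nas_ip = ".".join(str(b) for b in a.get(NAS_IP_ADDRESS, b""))
    authenticator_ids = {nas_ip, station_mac(a.get(CALLED_STATION_ID, b""))} - {""}
    supplicant = station_mac(a.get(CALLING_STATION_ID, b""))
    denied = (
        policy.allow_authenticators and not authenticator_ids & policy.allow_authenticators
        or authenticator_ids & policy.deny_authenticators
        or policy.allow_supplicants and supplicant not in policy.allow_supplicants
        or supplicant in policy.deny_supplicants
        or policy.allow_weekdays and now.weekday() not in policy.allow_weekdays
        or not policy.allow_hours[0] <= now.hour < policy.allow_hours[1]
    )
    if denied:
        return False, []
    vlan = policy.vlan_by_nas_ip.get(nas_ip)  # None: accept without usage-right attributes
    return True, [] if vlan is None else [(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),
                                          (TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)),
                                          (TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode())]

def handle_request(pkt, secret, policy, now, basic_auth_ok):
    """Server order from the description: shared-secret integrity check, basic authentication
    (its outcome is passed in), then the final checks of the policy allocated to the user."""
    code, _ident, _req_auth, attrs = parse(pkt)
    if code != ACCESS_REQUEST or not integrity_ok(pkt, secret) or not basic_auth_ok:
        return False, []
    return final_auth(policy, attrs, now)

# Constructed sample data (not from the patent): one policy, one wired 802.1X switch, one clock value
SECRET = b"example-shared-secret"
POLICY = Policy(name="office-wired", allow_authenticators={"10.0.0.2", "00-10-A4-23-19-C0"},
                deny_supplicants={"00-0C-29-AA-BB-CC"}, allow_weekdays={0, 1, 2, 3, 4},
                allow_hours=(8, 20), vlan_by_nas_ip={"10.0.0.2": 120})
WORKDAY_10AM = datetime(2005, 3, 23, 10, 0)  # a Wednesday; .replace(day=26) is the Saturday

def sample_request(calling="00-0C-29-12-34-56", nas_ip=(10, 0, 0, 2), called=b"00-10-A4-23-19-C0:corp"):
    attrs = [(NAS_IP_ADDRESS, bytes(nas_ip)), (CALLED_STATION_ID, called), (CALLING_STATION_ID, calling.encode())]
    return encode(ACCESS_REQUEST, 7, bytes(range(16)), attrs, SECRET)
```

`handle_request(sample_request(), SECRET, POLICY, WORKDAY_10AM, True)` accepts and returns the three tunnel attributes for VLAN 120; a denied supplicant MAC, an unregistered authenticator, a weekend clock or a tampered packet all yield `(False, [])`.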
INDUSTRIAL APPLICABILITY Accordingly, an authentication server according to the present invention can be used to control users' network access rights based on authenticators as well as users.

Claims

1. An authentication system comprising: an authenticator for receiving basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein the authentication server includes an authentication policy list having at least one authentication policy, wherein each of the authentication policies includes its authentication policy name and associated authentication information, wherein the authentication policies are applied based on users or user groups, wherein, when one of the users sends the authentication request, the authentication server performs a basic authentication process for the user based on the basic authentication information received from the user, wherein, if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server checks the authentication policy name of the authentication policy applied to the user from the authentication policy list, determines the authentication policy corresponding to the authentication policy name, and performs a final authentication process for the user in accordance with the determined authentication policy.
2. The authentication system according to claim 1, wherein the authentication policies stored in the authentication policy list include an access-allowing authenticator list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not the authenticator transferring the user authentication request is registered in the access-allowing authenticator list, and wherein if the authenticator transferring the user authentication request is registered in the access-allowing authenticator list, the authentication server transmits a final authentication success message for the user to the authenticator.
3. The authentication system according to claim 1, wherein the authentication policies stored in the authentication policy list include an access-denying authenticator list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not the authenticator transferring the user authentication request is registered in the access-denying authenticator list, and wherein if the authenticator transferring the user authentication request is registered in the access-denying authenticator list, the authentication server does not transmit a final authentication success message for the user to the authenticator.
4. The authentication system according to claim 2 or 3, wherein information on the authenticator is transmitted to the authentication server by using an attribute "Called_Station_ID" among RADIUS (Remote Authentication Dial-In User Service) attributes.
5. The authentication system according to claim 2 or 3, wherein the authenticator list includes IP or MAC addresses of the authenticators.
6. The authentication system according to claim 1, wherein the authentication policies stored in the authentication policy list include an access-allowing supplicant list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not a MAC address of the user is registered in the access-allowing supplicant list, and wherein only if the MAC address of the user is registered in the access-allowing supplicant list, the authentication server transmits a final authentication success message for the user to the authenticator.
7. The authentication system according to claim 1, wherein the authentication policies stored in the authentication policy list include an access-denying supplicant list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not a MAC address of the user is registered in the access-denying supplicant list, and wherein if the MAC address of the user is registered in the access-denying supplicant list, the authentication server does not transmit a final authentication success message for the user to the authenticator.
8. The authentication system according to claim 6 or 7, wherein information on the supplicant is transmitted to the authentication server by using an attribute "Calling_Station_ID" among RADIUS (Remote Authentication Dial-In User Service) attributes.
9. The authentication system according to claim 6 or 7, wherein the supplicant list includes IP or MAC addresses of the supplicants.
10. The authentication system according to claim 1, wherein the authentication policies stored in the authentication policy list include an access-allowing time/week-day list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server determines whether or not an access time or week-day at which the user accesses a network matches the access-allowing time or week-day registered in the access-denying authenticator list, and wherein if the access time or week-day at which the user accesses a network matches the access-allowing time or week-day registered in the access-allowing authenticator list, the authentication server transmits a final authentication success message for the user to the authenticator.
11. The authentication system according to claim 1, wherein the authentication policies stored in the authentication policy list include an authenticator-based usage right list, wherein if the authentication server grants a basic authentication to the user through the basic authentication process, the authentication server grants the user a usage right to utilize only network resources registered in the authenticator-based usage right list.
12. The authentication system according to claim 11, wherein a virtual LAN identifier VLAN_ID or an attribute of a vendor-based usage right is used for the authenticator-based usage right list.
13. An authentication system comprising: an authenticator for receiving basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein an authentication policy name is designated to each of the authentication policies stored in an authentication policy list of the authentication server, wherein each of the authentication policies includes at least one of an access-allowing authenticator list, an access-denying authenticator list, an access-allowing supplicant list, an access-denying supplicant list, an access-allowing time/week-day list, and an authenticator-based network resource usage right list, and wherein, when one of the users sends the authentication request, the authentication server checks the authentication policy name of each of the authentication policies applied to the user, determines the authentication policy corresponding to the authentication policy name from the authentication policy list, and controls the user's network access and usage rights in accordance with the determined authentication policy.
PCT/KR2005/000841 2004-03-24 2005-03-23 Authentication system being capable of controlling authority based of user and authenticator. WO2005091159A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2004-0020015 2004-03-24
KR20040020015 2004-03-24
KR1020050023318A KR100707805B1 (en) 2004-03-24 2005-03-21 Authentication system being capable of controlling authority based of user and authenticator
KR10-2005-0023318 2005-03-21

Publications (1)

Publication Number Publication Date
WO2005091159A1 true WO2005091159A1 (en) 2005-09-29

Family

ID=34993899

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2005/000841 WO2005091159A1 (en) 2004-03-24 2005-03-23 Authentication system being capable of controlling authority based of user and authenticator.

Country Status (1)

Country Link
WO (1) WO2005091159A1 (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6678733B1 (en) * 1999-10-26 2004-01-13 At Home Corporation Method and system for authorizing and authenticating users
KR100334128B1 (en) * 2000-03-24 2002-04-26 전창오 Sequrity policy system
US20030145094A1 (en) * 2000-08-04 2003-07-31 Sebastian Staamann Method and system for session based authorization and access control for networked application objects

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924636A (en) * 2010-08-16 2010-12-22 北京星网锐捷网络技术有限公司 Relevant authentication information issuing method, device and network equipment
WO2015181431A1 (en) * 2014-05-29 2015-12-03 Tecteco Security Systems, S.L. Method and network element for improved access to communication networks
AU2015265782B2 (en) * 2014-05-29 2018-12-06 Tecteco Security Systems, S.L. Method and network element for improved access to communication networks
US10257186B2 (en) 2014-05-29 2019-04-09 Tecteco Security Systems, S.L. Method and network element for improved access to communication networks

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: COMMUNICATION PURSUANT TO RULE 69 (1) EPC (EPO FORM 1205A DATED 06.12.06)

122 Ep: pct application non-entry in european phase