AUTHENTICATION SYSTEM CAPABLE OF CONTROLLING AUTHORITY BASED ON USER AND AUTHENTICATOR
TECHNICAL FIELD The present invention relates to an authentication system capable of controlling and allocating network access and usage rights based on users and/or authenticators.
BACKGROUND ART In a conventional wireless LAN system, user terminals have been authenticated by means of the SSIDs (Service Set Identifiers) of the APs (Access Points), shared WEP (Wired Equivalent Privacy) keys, MAC (Media Access Control) addresses, or the like. Authentication based on SSIDs is problematic. The SSID was never intended as a means of allowing or denying terminal access: it is broadcast by the APs and can be picked up by anyone with a radio receiver, so relying on it creates a security problem. In addition, the same SSID must be set on all APs in order to provide inter-cell mobility to the terminals. Authentication based on a shared WEP key is also problematic. To protect the data stream of the wireless LAN, the same WEP key and the associated algorithm must be used to encrypt and decrypt the data, so the identical WEP key has to be registered on every terminal and AP at configuration time. Authentication based on MAC addresses has its own problem. Some wireless LAN providers grant terminals access to the wireless LAN based on the MAC addresses of the terminals; access is then limited to terminals whose wireless LAN card has a MAC address registered on the APs. Thus the conventional wireless LAN authentication methods have many problems in terms of security and inter-cell mobility. With SSID or shared-WEP-key authentication, if the security of one terminal is breached, the shared SSID or WEP key of all other terminals must be changed. With respect to inter-cell mobility, since the same SSID and WEP key are set on all terminals and APs within a cell, a terminal newly entering the cell must be told the SSID and WEP key of the APs before it can be served. Likewise, with MAC-address authentication, every time a new user enters the cell the MAC address of that user's terminal must be registered on the APs, which makes it difficult to serve users who are only temporarily present or who enter frequently. To solve these problems, a wireless LAN terminal authentication method using a log-in ID and password has been proposed. The method uses EAP (Extensible Authentication Protocol) on top of IEEE 802.1X. The user enters an ID and password in a network log-in dialog box; the terminal and the authentication server then perform mutual authentication based on that ID and password; and the AP finally allocates its WEP key to the authenticated terminal so that the wireless LAN service can be provided to it. Even so, these conventional methods have a problem in that network access and usage rights are determined by the user alone and are not adapted to the authenticator through which the user connects. Therefore, as an improvement over the conventional non-adaptive authentication system, there is a need for an authentication system that identifies the network usage rights of users on a network in accordance with the IEEE 802.1X standard and allocates the identified usage rights to the users based on the authenticators they access, thereby controlling network usage rights according to the users' positions on the network. There is also a need for an authentication method used by such an authentication system.
DETAILED DESCRIPTION OF THE INVENTION Technical Goal of the Invention FIG. 1 is a configuration view showing the whole configuration of an authentication system according to the present invention. FIG. 2 is a flowchart explaining the series of authentication processes of the authentication system according to the present invention. Referring to FIGS. 1 and 2, the IEEE 802.1X standard defines three entities: a supplicant 100, an authenticator 110, and an authentication server 120. The supplicant is the entity that provides the user's authentication information to the authenticator and sends the authentication request to it; for example, wired or wireless terminals intending to access the network are supplicants. When the supplicant sends the authentication request, the authenticator's controlled port is still in the unauthorized state, and the supplicant and authenticator can communicate only through the uncontrolled port, which passes EAP (Extensible Authentication Protocol) traffic. The authenticator is the entity that relays the received authentication information and authentication request to the authentication server. When the authentication server grants authentication, the authenticator transfers an authentication success message to the supplicant and sets its controlled port to the authorized state, after which ordinary network traffic can flow. Examples of authenticators are APs (Access Points), routers, and switches. The authentication server is the entity that decides on authentication based on the supplicant's authentication request as relayed by the authenticator. To make that decision it uses user authentication information stored in its internal database or obtained from external entities. The IEEE 802.1X standard does not define the protocol between the authentication server and the authenticator. In general, the protocol used for an AAA (Authentication, Authorization, and Accounting) server is recommended for this link, so the RADIUS (Remote Authentication Dial-In User Service) protocol is used as the industry de-facto standard. Where the authenticator and the authentication server communicate via RADIUS, the user's network access rights can be controlled according to the authentication decision (made by the authentication server's internal authentication algorithm) together with the RADIUS attributes and vendor-specific attributes that can be carried along with the authentication success message (the RADIUS Access-Accept). Therefore, an object of the present invention is to provide an authentication server capable of controlling the user's network access and usage rights at the data link layer on the basis of the IEEE 802.1X standard, so that a variety of fine-grained network management processes can be performed. Another object of the present invention is to provide a method of controlling a user's network access and usage rights based on users and/or
authenticators, wherein the policies for controlling the user's network access and usage rights are implemented in an authentication server, a policy for controlling authenticator-based access rights is set up, and the set-up authenticator-based access right is allocated to the user. Disclosure of the Invention In order to achieve the aforementioned objects, according to an aspect of the present invention, there is provided an authentication system comprising: an authenticator for receiving basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein an authentication policy name is designated for each of the authentication policies stored in an authentication policy list of the authentication server, wherein each authentication policy includes at least one of an access-allowing authenticator list, an access-denying authenticator list, an access-allowing supplicant list, an access-denying supplicant list, an access-allowing time/week-day list, and an authenticator-based network resource usage right list, and wherein, when one of the users sends the authentication request, the authentication server checks the authentication policy name of the authentication policy applied to that user, retrieves the authentication policy corresponding to that name from the authentication policy list, and controls the user's network access and usage rights in accordance with the retrieved policy. According to another aspect of the present invention, there is provided an authentication system comprising: an authenticator for receiving basic authentication information from a user and transferring an authentication request; and an authentication server for receiving the user authentication request and determining authentication, wherein the authentication server includes an authentication policy list having at least one authentication policy, wherein each authentication policy includes its authentication policy name and associated authentication information, wherein the authentication policies are applied per user or per user group, wherein, when one of the users sends the authentication request, the authentication server performs a basic authentication process for the user based on the basic authentication information received from the user, and wherein, if the authentication server grants basic authentication to the user through the basic authentication process, it checks the authentication policy name of the authentication policy applied to the user in the authentication policy list, retrieves the policy corresponding to that name, and performs a final authentication process for the user in accordance with the retrieved policy. In this aspect of the present invention, the authentication policies stored in the authentication policy list may include an access-allowing authenticator list; if the authentication server grants basic authentication to the user, it determines whether or not the authenticator that transferred the user authentication request is registered in the access-allowing authenticator list, and only if it is, the authentication server transmits a final authentication success message for the user to the authenticator. In addition, the authentication policies may include an access-denying authenticator list; if the authentication server grants basic authentication to the user, it determines whether or not the authenticator that transferred the user authentication request is registered in the access-denying authenticator list, and if it is, the authentication server does not transmit a final authentication success message for the user to the authenticator. In addition, the authentication policies may include an access-allowing supplicant list; if the authentication server grants basic authentication to the user, it determines whether or not the MAC address of the user's terminal is registered in the access-allowing supplicant list, and only if it is, the authentication server transmits a final authentication success message for the user to the authenticator. In addition, the authentication policies may include an access-denying supplicant list; if the authentication server grants basic authentication to the user, it determines whether or not the MAC address of the user's terminal is registered in the access-denying supplicant list, and if it is, the authentication server does not transmit a final authentication success message for the user to the authenticator. In addition, the authentication policies may include an access-allowing time/week-day list; if the authentication server grants basic authentication to the user, it determines whether or not the time or week-day at which the user accesses the network matches a time or week-day registered in the access-allowing time/week-day list, and only if it does, the authentication server transmits a final authentication success message for the user to the authenticator. In addition, the authentication policies stored in the authentication policy list include an authenticator-based usage right list; if the authentication server grants basic authentication to the user, it grants the user a usage right to utilize only the network resources registered in the authenticator-based usage right list for the authenticator through which the user connected. Effect of the Invention According to the present invention, in the IEEE 802.1X standard, the authentication server can control the user's network access and usage rights based on the authenticators as well as the users. As a result, a variety of fine-grained network management is possible in comparison with the conventional non-adaptive method of controlling a user's network access and usage rights.
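The policy evaluation described in the Disclosure above (basic authentication, then the access-allowing and access-denying authenticator lists, the supplicant lists, the time/week-day lists, and finally the authenticator-based usage right), as an added worked example in Python. It is not code from the patent; the policy store, user records, AP addresses and terminal MAC addresses are constructed for illustration. Authenticators are identified by the AP MAC carried in the RADIUS Called-Station-Id (RFC 3580 form, with an optional ":SSID" suffix) and by NAS-IP-Address, supplicants by the Calling-Station-Id MAC, and the usage right is returned as the RFC 3580 tunnel attributes (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID). The basic authentication step is reduced to a password compare, where the system described here would run it over EAP.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Policy:
    """One entry of the authentication policy list; an empty list means no restriction of that kind."""
    name: str
    allow_authenticators: set = field(default_factory=set)  # AP MACs or NAS IPs the user may come through
    deny_authenticators: set = field(default_factory=set)
    allow_supplicants: set = field(default_factory=set)     # terminal MACs (Calling-Station-Id)
    deny_supplicants: set = field(default_factory=set)
    allow_windows: list = field(default_factory=list)       # (weekdays Mon=0..Sun=6, start_hour, end_hour)
    deny_windows: list = field(default_factory=list)
    vlan_by_authenticator: dict = field(default_factory=dict)  # usage right: authenticator -> VLAN id

def norm_mac(s):
    """Accept 00-10-A4-23-19-C0, 00:10:a4:23:19:c0 or 0010.a423.19c0; return 00-10-a4-23-19-c0."""
    h = "".join(c for c in s if c.isalnum()).lower()
    if len(h) != 12 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a MAC address: %r" % s)
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))

def split_called_station_id(v):
    """RFC 3580 form 'AP-MAC' or 'AP-MAC:SSID' (wireless). Returns (mac, ssid or None)."""
    if len(v) > 17 and v[17] == ":":
        return norm_mac(v[:17]), v[18:]
    return norm_mac(v), None

def in_window(now, windows):
    return any(now.weekday() in days and start <= now.hour < end for days, start, end in windows)

def authorize(req, users, policies, now):
    """req: RADIUS request attributes as a dict. Returns ('Access-Accept', reply attrs) or
    ('Access-Reject', reason). Basic authentication is reduced to a password compare here; the
    system described on the page would run it over EAP."""
    user = users.get(req.get("User-Name", ""))
    if user is None or not hmac.compare_digest(user["password"].encode(), req.get("User-Password", "").encode()):
        return "Access-Reject", "basic authentication failed"
    pol = policies[user["policy"]]  # the policy name allocated to this user selects the policy
    called = req.get("Called-Station-Id")
    ap_mac = split_called_station_id(called)[0] if called else None
    auth_ids = [a for a in (ap_mac, req.get("NAS-IP-Address")) if a]  # both ways an authenticator is registered
    if pol.allow_authenticators and not any(a in pol.allow_authenticators for a in auth_ids):
        return "Access-Reject", "authenticator not in access-allowing authenticator list"
    if any(a in pol.deny_authenticators for a in auth_ids):
        return "Access-Reject", "authenticator in access-denying authenticator list"
    sup = norm_mac(req["Calling-Station-Id"])
    if pol.allow_supplicants and sup not in pol.allow_supplicants:
        return "Access-Reject", "supplicant not in access-allowing supplicant list"
    if sup in pol.deny_supplicants:
        return "Access-Reject", "supplicant in access-denying supplicant list"
    if pol.allow_windows and not in_window(now, pol.allow_windows):
        return "Access-Reject", "outside access-allowing time/week-day list"
    if in_window(now, pol.deny_windows):
        return "Access-Reject", "inside access-denying time/week-day list"
    vlan = next((pol.vlan_by_authenticator[a] for a in auth_ids if a in pol.vlan_by_authenticator), None)
    if vlan is None:
        return "Access-Accept", {}
    # usage right for this authenticator, expressed as the RFC 3580 tunnel attributes
    return "Access-Accept", {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": str(vlan)}

# Constructed sample data (not from the page): two policies, two users, two APs.
POLICIES = {
    "staff": Policy("staff", allow_authenticators={"00-10-a4-23-19-c0", "192.0.2.10"},
                    deny_supplicants={"00-0c-29-aa-bb-cc"}, allow_windows=[({0, 1, 2, 3, 4}, 8, 20)],
                    vlan_by_authenticator={"00-10-a4-23-19-c0": 20}),
    "guest": Policy("guest", deny_authenticators={"00-10-a4-23-19-c0"},
                    vlan_by_authenticator={"00-10-a4-23-19-c1": 99}),
}
USERS = {"alice": {"password": "alice-pw", "policy": "staff"}, "bob": {"password": "bob-pw", "policy": "guest"}}

def run_samples():
    """Exercise each branch of authorize(); returns {case: (code, detail)}."""
    base = {"User-Name": "alice", "User-Password": "alice-pw", "NAS-IP-Address": "192.0.2.10",
            "Called-Station-Id": "00-10-A4-23-19-C0:corp", "Calling-Station-Id": "00-1A-2B-3C-4D-5E"}
    bob = dict(base, **{"User-Name": "bob", "User-Password": "bob-pw"})
    monday, sunday = datetime(2024, 1, 8, 10, 0), datetime(2024, 1, 7, 10, 0)
    return {
        "staff_ok": authorize(base, USERS, POLICIES, monday),
        "staff_bad_pw": authorize(dict(base, **{"User-Password": "x"}), USERS, POLICIES, monday),
        "staff_sunday": authorize(base, USERS, POLICIES, sunday),
        "staff_denied_mac": authorize(dict(base, **{"Calling-Station-Id": "00:0C:29:AA:BB:CC"}), USERS, POLICIES, monday),
        "guest_on_staff_ap": authorize(bob, USERS, POLICIES, monday),
        "guest_on_guest_ap": authorize(dict(bob, **{"NAS-IP-Address": "192.0.2.11",
                                                   "Called-Station-Id": "00-10-A4-23-19-C1:guest"}), USERS, POLICIES, monday),
    }

if __name__ == "__main__":
    for case, result in run_samples().items():
        print(case, result)
```

Two design points are worth stating. Allow lists are evaluated before deny lists, so a deny entry always wins, and an empty list imposes no restriction, so a policy with no authenticator lists behaves like the conventional user-only scheme. The Calling-Station-Id MAC is reported by the authenticator and is trivially spoofed by a terminal, so the supplicant lists refine, but never replace, the credential check.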
BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a configuration view showing the whole configuration of an authentication system according to the present invention. FIG. 2 is a flowchart explaining a series of authentication processes of the authentication system according to the present invention. FIG. 3 is a view showing an authentication policy list included in an authentication server of the authentication system according to the present invention.
BEST MODE FOR CARRYING OUT THE INVENTION Now, an authentication system and method according to preferred embodiments of the present invention will be described with reference to the accompanying drawings. FIG. 3 is a view showing an authentication policy list included in an authentication server of the authentication system according to the present invention. The authentication server receives a specific user's authentication information from an authenticator and determines authentication in response to a specific user authentication request transferred by the authenticator.
The authentication server includes an authentication policy list having at least one authentication policy.
Each authentication policy in the authentication policy list includes an identifying authentication policy name and at least one of an access-allowing authenticator list, an access-denying authenticator list, an access-allowing supplicant list, an access-denying supplicant list, an access-allowing time/week-day list, an access-denying time/week-day list, an authenticator-based usage right list, and a PRL/ACL (port rate limit/access control list) list. By using these authentication policies, the user's network access and usage rights can be controlled based on users and/or authenticators. Now, the configuration and operation of the authentication server having the authentication policy list will be described in detail. Firstly, the authentication policy name is an identifier for each authentication policy. One authentication policy is allocated to each user. When the authentication server grants basic authentication to a user, the authentication policy corresponding to the policy name allocated to that user is applied. Next, the access-allowing authenticator list is the list of authenticators through which the user may obtain authentication. Authenticators are registered in the access-allowing authenticator list by their IP or MAC addresses. Even though the basic authentication information (such as the user's ID, password, or certificate) received with the authentication request matches what is registered in the authentication server, the authentication server grants authentication to the user and sends a final authentication success message to the authenticator only if the authenticator that sent the user authentication request is registered in the access-allowing authenticator list.
Next, the access-denying authenticator list is the list of authenticators through which the user cannot obtain authentication. Authenticators are registered in the access-denying authenticator list by their IP or MAC addresses. Even though the basic authentication information (such as the user's ID, password, or certificate) received with the authentication request matches what is registered in the authentication server, if the authenticator that sent the user authentication request is registered in the access-denying authenticator list, the authentication server denies the user network access. The RADIUS attribute Called-Station-Id is used as the information matched against the access-allowing and access-denying authenticator lists. Called-Station-Id is one of the RADIUS attributes included in the RADIUS Access-Request sent by the authenticators. Its format preferably follows IETF RFC 3580, which prescribes that the Called-Station-Id of the authenticator carries the authenticator's MAC address, or both the MAC address and the SSID in the case of a wireless LAN (in the form "00-10-A4-23-19-C0:AP1"). Next, the access-allowing supplicant list is the list of supplicants (user terminals) that are allowed access. The MAC addresses of the users' terminals are registered in the access-allowing supplicant list. Only if the MAC address of the terminal of a user whose basic authentication information is satisfied matches a MAC address registered in the access-allowing supplicant list is the user allowed access. Therefore, even though the basic authentication information received from the user matches the information stored in the authentication server, the authentication server grants authentication to the user and sends the final authentication success message to the authenticator only if the user's MAC address is included in the access-allowing supplicant list. The access-denying supplicant list is the opposite of the access-allowing supplicant list: even though the basic authentication information received from the user matches the information stored in the authentication server, if the user's MAC address is included in the access-denying supplicant list, the authentication server denies authentication to the user. The RADIUS attribute Calling-Station-Id is used as the information matched against the access-allowing and access-denying supplicant lists. Calling-Station-Id is one of the RADIUS attributes included in the RADIUS Access-Request transferred by the authenticators. Its format preferably follows IETF RFC 3580, which prescribes that Calling-Station-Id carries the MAC address of the supplicant, that is, of the user's terminal (not of the authenticator). Since that MAC address is reported by the authenticator and can be changed on the terminal, the supplicant lists refine the basic credential check rather than replace it. The access-allowing time/week-day list is the list of times and week-days at which the user is allowed to access the network. Even though the basic authentication information received from the user matches the information stored in the authentication server, the authentication server grants authentication to the user and sends the final authentication success message to the authenticator only if the access time and week-day are included in the access-allowing time/week-day list. The access-denying time/week-day list is the opposite: it is the list of times and week-days at which the user is not allowed to access the network. Therefore, even though the basic authentication information received from the user matches the information stored in the authentication server, if the access time/week-day is included in the access-denying time/week-day list, the authentication server denies authentication to the user, so that the user cannot access the network. The time/week-day used for this determination is the time/week-day of the authentication server. The time of the authentication server may be its internal system time or may be synchronized with network time through NTP (Network Time Protocol) or the like. The authenticator-based usage right list is the list of network resources that can be allocated to authenticated users depending on the authenticator. A user who has passed basic authentication can utilize only the network resources registered in the authenticator-based usage right list. As the information in the authenticator-based usage right list, a VLAN identifier (VLAN_ID) or a vendor-specific usage right attribute is preferably used. As criteria for identifying the authenticator, the Source IP Address field of the IP packet, the RADIUS NAS-IP-Address attribute, or the NAS-IPv6-Address attribute may be used. Here, the VLAN_ID is prescribed to be transmitted together with the authentication success
message through tunnel attributes, as defined in IETF RFC 3580. Among the RADIUS attributes, Tunnel-Type=13 indicates a VLAN, Tunnel-Medium-Type=6 indicates IEEE 802, and Tunnel-Private-Group-ID carries the VLAN identifier VLAN_ID. In this case, the VLAN must be configured on the network to which the authenticator is connected, and the layer-3 switch or router must be able to process VLAN-tagged packets. As a result, the user can reach the network only through the VLAN to which the user has been assigned: although the user's terminal is physically connected to the other networks, the user is not allowed to access them. When it receives the authentication request, the authentication server first determines whether the value of the RADIUS NAS-IP-Address attribute corresponds to an authenticator registered in the access-allowing authenticator list. If it does, the authentication server determines whether the shared secret is correct by performing a message integrity check on the request using the shared secret (in RADIUS, the Message-Authenticator attribute, an HMAC-MD5 over the packet keyed with the shared secret). If the shared secret is correct, the authentication server grants authentication to the associated user, checks the authentication policies applied to the user, allocates the usage right policies of the authenticator-based usage right list to the IP address of the authenticator (that is, the IP address carried in the NAS-IP-Address attribute), and then sends the final authentication success message to the authenticator. The vendor-specific usage right attribute mentioned above is a usage right attribute specific to a vendor. As an example, Enterasys Networks, Inc., uses a policy manager named "UPN (User Personalized Network)" to set up QoS (Quality of Service), PRL (Port Rate Limit), ACL (Access Control List), and the like. The UPN policy name is placed in the RADIUS attribute Filter-Id and transmitted with it; the format of the Filter-Id value follows the definitions of Enterasys Networks, Inc. As another example, Cisco Systems, Inc., sets up an additional user-based ACL, which is transmitted to the authenticator through Cisco VSAs (Vendor-Specific Attributes). Thus the attributes differ from vendor to vendor; although there is no standardized attribute, each vendor provides its own attribute formats. Therefore, by allocating vendor-specific attributes, the control of network access and usage rights can be improved. While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation. For example, the information on access-allowing authenticators and supplicants and the associated attributes may be modified in various ways in order to improve the efficiency of the authentication system or to suit the characteristics of particular vendors. Therefore, the scope of the invention is defined not by the detailed description of the invention but by the appended claims, and all differences within that scope will be construed as being included in the present invention.
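The RADIUS exchange behind the description above (the authenticator sends an Access-Request carrying NAS-IP-Address, Called-Station-Id and Calling-Station-Id; the server checks that the NAS-IP-Address names a registered authenticator, verifies the shared secret through the message integrity check, and answers with an Access-Accept carrying Tunnel-Type=13, Tunnel-Medium-Type=6 and Tunnel-Private-Group-ID), as an added example in Python using only the standard library. It is not code from the patent. The integrity check implemented is the RFC 3579 Message-Authenticator (HMAC-MD5 keyed with the shared secret), and the reply's Response Authenticator follows RFC 2865; the attribute type numbers are the registered ones, while the shared secret, NAS address, AP MAC and terminal MAC are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute type numbers used here (RFC 2865, RFC 2868, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, CALLED_STATION_ID, CALLING_STATION_ID = 1, 4, 30, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81

def encode_attrs(attrs):
    """attrs: list of (type, value bytes). Each AVP is Type(1) Length(1) Value; Length counts the header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Walk the AVP list, rejecting any length that would run past the end of the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], bytes(data[i + 2:i + data[i + 1]])))
        i += data[i + 1]
    return attrs

def _packet(code, ident, authenticator, attr_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + bytes(authenticator) + attr_bytes

def message_authenticator(secret, code, ident, authenticator, attrs):
    """RFC 3579 3.2: HMAC-MD5 keyed with the shared secret over the whole packet, computed with the
    Message-Authenticator value itself set to 16 zero bytes."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, _packet(code, ident, authenticator, encode_attrs(zeroed)), hashlib.md5).digest()

def build_access_request(secret, ident, attrs, request_auth=None):
    """NAS side: fresh random Request Authenticator, then fill in Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(secret, ACCESS_REQUEST, ident, request_auth, attrs))
    return _packet(ACCESS_REQUEST, ident, request_auth, encode_attrs(attrs))

def parse_and_verify(secret, pkt):
    """Server side: parse and check integrity. Returns (code, ident, request_auth, attrs) or raises ValueError."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    request_auth, attrs = bytes(pkt[4:20]), decode_attrs(pkt[20:])
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        raise ValueError("Message-Authenticator missing")  # mandatory on EAP requests (RFC 3579)
    if not hmac.compare_digest(mas[0], message_authenticator(secret, code, ident, request_auth, attrs)):
        raise ValueError("wrong shared secret or tampered packet")
    return code, ident, request_auth, attrs

def build_response(secret, code, ident, request_auth, attrs):
    """Reply: Message-Authenticator is computed with the request's authenticator in the header; the header
    then carries the RFC 2865 Response Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(secret, code, ident, request_auth, attrs))
    body = encode_attrs(attrs)
    resp_auth = hashlib.md5(_packet(code, ident, request_auth, body) + secret).digest()
    return _packet(code, ident, resp_auth, body)

def verify_response(secret, request_auth, resp):
    """NAS side: recompute the Response Authenticator from the Request Authenticator it kept."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def vlan_attrs(vlan_id):
    """RFC 3580 VLAN assignment. The 3-octet integer values get a leading tag byte (0 = untagged); the group
    id is sent as a plain string whose first byte ('0'..'9', above 0x1F) RFC 2868 reads as data, not a tag."""
    return [(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big")),        # 13 = VLAN
            (TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big")),  # 6 = IEEE 802
            (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())]

def handle(nas_secrets, vlan_for_ap, pkt):
    """Server order as described above: NAS-IP-Address must name a registered authenticator (which also
    selects its shared secret), then the integrity check, then the usage right for that authenticator.
    nas_secrets: NAS IP -> shared secret; vlan_for_ap: AP MAC from Called-Station-Id -> VLAN id.
    Unregistered or unverifiable requests are silently discarded (None), as RFC 2865 requires."""
    try:
        attrs = decode_attrs(pkt[20:])
        nas_ip = next((".".join(str(b) for b in v) for t, v in attrs if t == NAS_IP_ADDRESS and len(v) == 4), None)
        secret = nas_secrets[nas_ip]
        code, ident, request_auth, attrs = parse_and_verify(secret, pkt)
    except (ValueError, KeyError):
        return None
    called = next((v.decode("ascii", "replace") for t, v in attrs if t == CALLED_STATION_ID), "")
    ap_mac = called[:17].lower()  # RFC 3580 'xx-xx-xx-xx-xx-xx' or 'xx-xx-xx-xx-xx-xx:SSID'
    vlan = vlan_for_ap.get(ap_mac)
    if vlan is None:
        return build_response(secret, ACCESS_REJECT, ident, request_auth, [])
    return build_response(secret, ACCESS_ACCEPT, ident, request_auth, vlan_attrs(vlan))
```

Looking up the shared secret by NAS-IP-Address before verifying is what makes the "is this authenticator registered" step meaningful: an unregistered source has no secret to verify against and is dropped without a reply, and a registered source with the wrong secret fails the HMAC and is dropped too. Real deployments put the policy decision between the verified parse and the reply; this block only maps the AP MAC to a VLAN so that the wire-level steps stay visible.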
INDUSTRIAL APPLICABILITY Accordingly, an authentication server according to the present invention can be used to control a user's network access rights based on authenticators as well as users.